Blue Flower

Bill

Sunday, 27 September 2015 03:20

Troubleshooting

Alternate AMD64 installation

I have had trouble with the AMD64 installation from time to time. If you have trouble sending or receiving, please try this alternate method:

# cd ~root
# fetch http://freebsdrocks.net/qmail2/netqmail-valid.tgz
# tar zxvf netqmail-valid.tgz
# cd netqmail-1.06
# qmailctl stop
# make man
# make setup check

Now let's reinstall qmail:

# cd /usr/ports/mail/qmail
# make reinstall

Once that finishes, let's start qmail again:

# qmailctl start

Sending or Receiving issues

If you are having issues sending or receiving please check the following logs:

qmail-send logs

# tail -f /var/log/qmail/qmail-send/current | tai64nlocal

qmail-smtpd logs

# tail -f /var/log/qmail/qmail-smtpd/current | tai64nlocal

qmail-smtpd-ssl (Port 465)

# tail -f /var/log/qmail/qmail-smtpd-ssl/current | tai64nlocal

dovecot

# tail -f /var/log/qmail/dovecot/current | tai64nlocal

spamd

# tail -f /var/log/qmail/qspamd/current | tai64nlocal

clamav

# tail -f /var/log/qmail/clamav/current | tai64nlocal
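tai64nlocal turns the @-prefixed TAI64N labels that multilog writes into readable timestamps. As an added example (not code from the original article), the Python script below does the same conversion on constructed qmail-send lines and tallies delivery results by reason, so recurring deferrals stand out; it assumes a fixed leap-second offset of 36 s (valid for the second half of 2015), whereas tai64nlocal uses a full leap-second table.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the format multilog writes to
# /var/log/qmail/qmail-send/current (TAI64N label, space, message).
# These are not real server logs.
SAMPLE_LOG = """\
@4000000055f4b1d20b6d4a7c new msg 123456
@4000000055f4b1d20b6e1234 info msg 123456: bytes 1532 from <alice@example.com> qp 4711 uid 89
@4000000055f4b1d20c0a0000 starting delivery 12: msg 123456 to remote bob@example.net
@4000000055f4b1d7051a2e10 delivery 12: deferral: Connected_to_192.0.2.10_but_greeting_failed./Remote_host_said:_451_qq_temporary_problem_(#4.3.0)/
@4000000055f4b1e0000f4240 delivery 13: success: ip_192.0.2.20_accepted_message./Remote_host_said:_250_ok/
@4000000055f4b1e5112233aa delivery 14: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@4000000055f4b1e5112233ab end msg 123456
"""

TAI64_OFFSET = 1 << 62   # TAI64 labels count seconds from 2^62 = 1970-01-01 TAI
TAI_MINUS_UTC = 36       # assumption: leap-second offset valid 2015-07-01 .. 2016-12-31;
                         # tai64nlocal consults a full leap-second table instead

LINE_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8}) (.*)$")
DELIVERY_RE = re.compile(r"^delivery (\d+): (success|deferral|failure): (.*)$")


def tai64n_to_unix(label):
    """Return (unix_seconds, nanoseconds) for a 24-hex-digit TAI64N label (without the '@')."""
    tai_secs = int(label[:16], 16) - TAI64_OFFSET
    nanos = int(label[16:], 16)
    return tai_secs - TAI_MINUS_UTC, nanos


def tai64n_to_utc(label):
    secs, nanos = tai64n_to_unix(label)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=nanos // 1000)


def decode_line(line):
    """Do what tai64nlocal does for one line: replace the label with a readable timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return line  # not a multilog line; pass it through unchanged
    ts = tai64n_to_utc(m.group(1) + m.group(2))
    return ts.strftime("%Y-%m-%d %H:%M:%S.%f") + " " + m.group(3)


def delivery_events(text):
    """Extract time, delivery id, result and reason from qmail-send log text."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        d = DELIVERY_RE.match(m.group(3))
        if not d:
            continue
        events.append({
            "time": tai64n_to_utc(m.group(1) + m.group(2)),
            "delivery": int(d.group(1)),
            "result": d.group(2),
            # qmail-send replaces spaces with underscores in the remote host's reply
            "reason": d.group(3).replace("_", " "),
        })
    return events


def summarize(text):
    """Count results and tally deferral/failure reasons so recurring problems stand out."""
    counts = {"success": 0, "deferral": 0, "failure": 0}
    reasons = {}
    for ev in delivery_events(text):
        counts[ev["result"]] += 1
        if ev["result"] != "success":
            reasons[ev["reason"]] = reasons.get(ev["reason"], 0) + 1
    return counts, reasons


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(decode_line(line))
    print(summarize(SAMPLE_LOG))
```

To run it against a live log, pipe the file in instead of SAMPLE_LOG (for example `tail -n 1000 /var/log/qmail/qmail-send/current`) and feed the text to summarize().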

451 qq Temporary problem

If you get the dreaded "451 qq temporary problem", see the separate article on that error.

Sunday, 27 September 2015 03:01

Adding Junk/Not Junk Features to Roundcube

In this walkthrough we will add the Junk/Not Junk buttons to the Roundcube interface, so users can report spam and also report messages that are not spam. An optional extra is included as well: once users have read their Junk mail, you can have those messages show up in a predetermined spam mailbox. This is completely optional but gives you more control over what users report.

First let's download the plugin and install it:


# cd /usr/local/www/roundcube/plugins
# fetch https://github.com/JohnDoh/Roundcube-Plugin-Mark-as-Junk-2/archive/master.zip
# unzip master.zip
# mv Roundcube-Plugin-Mark-as-Junk-2-master markasjunk2
# cd /usr/local/www/roundcube/config
# vi config.inc.php

Look for the plugins array:

$config['plugins'] = array(
    'archive',
    'zipdownload',
    'managesieve',
    'jqueryui',
    'recipient_to_contact',

and add

    'markasjunk2'

so that it looks like this:

    'archive',
    'zipdownload',
    'managesieve',
    'jqueryui',
    'recipient_to_contact',
    'markasjunk2'

Save and exit. Now copy the plugin's default config.inc.php so it works properly:


# cd /usr/local/www/roundcube/plugins/markasjunk2
# cp config.inc.php.dist config.inc.php

The defaults are fine; no changes are needed. When you mark an email as spam, the plugin tries to move it to a Junk folder, which does not exist in the vpopmail skeleton. To make this seamless for your users, create a symbolic link so .Junk points at .Spam. We can do this in the ~vpopmail/skel folder as follows:


# cd ~vpopmail/skel/Maildir
# ln -s .Spam/ .Junk

The following section is optional. If you would like to see users' read Spam messages you can direct the read messages to a master spambox or just put this in a postmaster mailbox. It's entirely up to you.

Let's add the spambox user first (substitute your own domain):


# ~vpopmail/bin/vadduser spambox@yourdomain.tld

Now let's point the skeleton's Junk folder at the spambox mailbox with a symbolic link.


# cd ~vpopmail/skel/Maildir/.Junk
# rm -R cur

Replace spambox in the path below with the sa-learn catch-all user you use for all domains:


# ln -s /usr/home/vpopmail/domains/testdomain.com/spambox/Maildir/cur cur

Special thanks to Steve Donohue

Tuesday, 11 August 2015 18:14

Installing Qmailadmin

QmailAdmin is a CGI program for administering qmail with vchkpw. It provides a web interface to create users and aliases, install ezmlm lists and configure mail robots. For more information, please see http://www.inter7.com/qmailadmin/

We need to enable the cgi setting in the httpd.conf file as follows:


# vi /usr/local/etc/apache24/httpd.conf

Uncomment this line:


LoadModule cgi_module libexec/apache24/mod_cgi.so

Now restart apache:


# /usr/local/etc/rc.d/apache24 restart

We will want to extract qmailadmin and apply John Simpson's onchange patch. Since qmailadmin doesn't support onchange out of the box, we need to add support for it:


# cd ~root
# fetch http://freebsdrocks.net/qmail2/qmailadmin-1.2.16.tar.gz
# tar zxvf qmailadmin-1.2.16.tar.gz
# cd qmailadmin-1.2.16
# fetch http://freebsdrocks.net/qmail2/qmailadmin-1.2.12-onchange.3.patch
# patch < qmailadmin-1.2.12-onchange.3.patch

Don't be too concerned about the version mismatch in the patch name; the patch applies cleanly without errors and you should get fairly short output.

We now want to run the configure command for qmailadmin. Change the cgibindir, htmldir and imagedir values to the cgi, html and image paths on your system.

Please type the ./configure line in as ONE COMPLETE LINE!!!


# ./configure --enable-modify-spam=Y --enable-spam-command='|preline -f /usr/local/bin/maildrop mailfilter' --enable-htmldir=/usr/local/www/apache24/data --enable-cgibindir=/usr/local/www/apache24/cgi-bin --enable-imagedir=/usr/local/www/apache24/data/images --enable-qmaildir=/var/qmail --enable-vpopuser=vpopmail --enable-vpopgroup=vchkpw --enable-autoresponder-path=/usr/local/bin --enable-ezmlmdir=/usr/local/bin/ezmlm --enable-modify-quota --disable-ezmlm-mysql

Run the following to install qmailadmin:


# make
# make install-strip

If that compiles with no errors, qmailadmin is installed.

Copying image files

We need to copy the image files so they appear on the qmailadmin page. You may or may not need the mkdir, depending on whether the images directory already exists:


# mkdir /usr/local/www/apache24/data/images /usr/local/www/apache24/data/images/qmailadmin/
# cp -Rp /root/qmailadmin-1.2.16/images/* /usr/local/www/apache24/data/images/qmailadmin/

Configuring qmailadmin

When we add new users via qmailadmin, we want Spam Fighting turned on by default. Edit the following:


# vi /usr/local/share/qmailadmin/html/add_user.html

and then do a search for

<input type="checkbox" name="spamcheck">

and change it to

<input type="checkbox" name="spamcheck" checked>

This makes the "Spam Detection" box in the user's email account checked automatically whenever a user is created in qmailadmin.

That is it for configuring qmailadmin! If you go to http://www.domain.xxx/cgi-bin/qmailadmin you should see the logon screen. You can create some mailboxes for your domain if you like. If you need to add a domain, I would use the command line tool at ~vpopmail/bin/vadddomain

Sunday, 05 July 2015 13:17

Installing Roundcube

Requirements:

Apache 2.4+, MySQL Server 5.1+ and PHP 5.6. Any PHP 5 dependencies that are not already installed will be installed by the port for you.

The Roundcube webmail software is available in FreeBSD ports. If you want to learn more about FreeBSD packages and ports, please read The FreeBSD Handbook, chapter 4.

The port for Roundcube webmail is available in /usr/ports/mail/roundcube. To install roundcube, type the following:


# cd /usr/ports/mail/roundcube
# make install clean

Make sure the following options are checked:

[X] DOCS
[X] SSL
[X] MYSQL

You will also want to install the following ports if they are not installed already.


# cd /usr/ports/graphics/php56-exif
# make install clean
# cd /usr/ports/security/php56-openssl
# make install clean
# cd /usr/ports/security/php56-mcrypt
# make install clean
# cd /usr/ports/sysutils/php56-fileinfo
# make install clean

By default, roundcube is installed in /usr/local/www/roundcube/

Now, I’m going to symlink the roundcube folder as follows:


# cd /usr/local/www/apache24/data
# ln -s /usr/local/www/roundcube/ .

To create a database in mysql do the following:


# mysql -u root -p

Type in your password at the prompt. Then let's create the roundcube database:


mysql> create database Roundcube;

Now we need to run the following 3 commands:


mysql> GRANT select,insert,update,delete,create,drop ON Roundcube.* TO myusername@localhost IDENTIFIED BY 'mypassword';
mysql> FLUSH PRIVILEGES;
mysql> quit

Now let's copy the sample Roundcube configuration file:


# cd /usr/local/www/roundcube/config
# cp /root/qmail/rc.config.inc.php.sample config.inc.php

Now we will want to open config.inc.php and change the following settings (the key is db_dsnw; use the database, user and password you created above):

$config['db_dsnw'] = 'mysql://username:secretpass@localhost/database';

$config['default_host'] = 'localhost';

$config['smtp_port'] = 465;

Now let's edit some of the roundcube defaults to make things easier for new users:


# cd /usr/local/www/roundcube/config
# vi defaults.inc.php

Now we will want to open defaults.inc.php and change the following settings:

$config['show_images'] = 1;

$config['preview_pane'] = true;

Now you need to import the database structure into your roundcube database. You can paste the contents of mysql.initial.sql into phpMyAdmin or use the following command:


# cd /usr/local/www/roundcube/SQL
# mysql -u user -p database < mysql.initial.sql

All done, congratulations! You have installed roundcube on your server. You can access your roundcube webmail on

http://localhost/roundcube/ (You can change your localhost to your hostname).

You can now login with your username and password on your IMAP server.

This plugin is HIGHLY RECOMMENDED!!

The antiBruteForce plugin prevents brute-force username and password attempts against Roundcube webmail, with an autoban feature and a whitelist feature.


# cd /usr/local/www/roundcube/plugins
# fetch http://freebsdrocks.net/qmail2/antiBruteForce_v2.0.tar.gz
# tar zxvf antiBruteForce_v2.0.tar.gz
# cd /usr/local/www/roundcube/config
# vi config.inc.php

Under plugins add the antibruteforce plugin line:

'antiBruteForce',

Now your plugins should look like:

    'archive',
    'zipdownload',
    'managesieve',
    'antiBruteForce',

Now let's restart apache for good measure:


# /usr/local/etc/rc.d/apache24 restart

Enabling the Roundcube Recipient To Contact Plugin

Recipient To Contact is a plugin to quickly add new contacts to address books. When sending an email to recipients that aren't in the address book, this plugin displays a form to quickly save these contacts. Inspired by Automatic Addressbook plugin.

We need to enable the jqueryui plugin first, then download the Recipient-To-Contact plugin and enable both plugins.


# cd /usr/local/www/roundcube/plugins/jqueryui
# cp config.inc.php.dist config.inc.php
# cd ~root
# fetch http://freebsdrocks.net/qmail2/Recipient-To-Contact-master.zip
# unzip Recipient-To-Contact-master.zip
# cd Roundcube-Plugin-Recipient-To-Contact-master/
# mv recipient_to_contact/ /usr/local/www/roundcube/plugins/
# cd /usr/local/www/roundcube/config
# vi config.inc.php

Now, under the '// List of active plugins (in plugins/ directory)' section of config.inc.php, add the two lines below:


    'jqueryui',
    'recipient_to_contact',

It should now appear like the following:


// List of active plugins (in plugins/ directory)
$config['plugins'] = array(
    'archive',
    'zipdownload',
    'jqueryui',
    'recipient_to_contact',
    'managesieve',
);

If you log out and log back into roundcube it should work fine.

You can find additional roundcube plugins here http://trac.roundcube.net/wiki/Plugin_Repository

Sunday, 05 July 2015 13:18

Installing Dovecot

Dovecot Server Information

Before we continue let me say that I have tried for about a month to get Roundcube to communicate with Dovecot via SSL with lots of failures. Using the standard IMAP part it works fine but 8/10 times it wouldn't work with SSL. For the time being this will be an unsecure connection. Having said that if Roundcube is communicating with Dovecot locally I don't believe this is a security issue.

Dovecot is an open-source IMAP, IMAP-SSL and POP3 server. It was written with security as one of its primary goals, and is flexible enough to work with just about any kind of back-end mailbox storage system, including vpopmail's folder structure. It also works with a large number of authentication back-ends, again including vpopmail. In this walkthrough we are only going to configure Dovecot 2 with IMAP-SSL and POP3-SSL and managesieve.

The first step is to install Dovecot 2 from ports.


# cd /usr/ports/mail/dovecot
# make install

When you run make install it will give you the various configure options available. Make sure the following options are checked:

DOCS
KQUEUE
MANAGESIEVE
SSL
VPOPMAIL

Configuring Dovecot

Dovecot itself uses the dovecot.conf for the main configuration file. What I am going to do here is provide a working dovecot.conf that has all options configured for you that use POP3D-SSL and also IMAPD-SSL for the most secure setup possible. Managesieve is enabled for filtering. Feel free to take a look at dovecot.conf before enabling dovecot.


# cd /usr/local/etc
# mv dovecot.conf bak_dovecot.conf
# cp /root/qmail/dovecot.conf.sample dovecot.conf
# mkdir /var/qmail/supervise/dovecot/log
# cd /var/qmail/supervise/dovecot/log
# fetch https://freebsdrocks.net/qmail2/service-any-log-run
# mv service-any-log-run run
# chmod 0755 run
# vi run

In the run file change the second-to-last line to match the following:

multilog t n1024 s1048576 /var/log/qmail/dovecot \


# cd /var/qmail/supervise/dovecot/
# fetch http://freebsdrocks.net/qmail2/dovecot-run
# mv dovecot-run run
# chmod 0755 run

Now let's start the dovecot service:


# ln -s /var/qmail/supervise/dovecot /service/

Wait about ten seconds and then run the following command to make sure there are no issues:


# svstat /service/dovecot /service/dovecot/log

Sunday, 26 July 2015 00:52

Optimizing the system to catch spams

Post Install configuration tips for Qmail-Scanner

Although Qmail-Scanner should work pretty much "out of the box", so to speak, you can customize its configuration by editing the qmail-scanner-queue.pl script located at /var/qmail/bin/qmail-scanner-queue.pl. That script controls a lot of the functionality of both Clam AV and SpamAssassin. Check it out for yourself and you will see that there are quite a few items you have control over. I wouldn't recommend touching most of them. In fact, the only setting that I changed in mine is in the SpamAssassin section:

You can delete emails over a certain SpamAssassin threshold. Edit the /var/qmail/bin/qmail-scanner-queue.pl file and find the following line:

my $sa_delete='0';

Now replace the '0' with a number that represents how far above your SpamAssassin "required_hits" value Qmail-Scanner should start deleting messages. For example, if your SpamAssassin required_hits is set to "5" and you set "sa_delete" to "1.0", then any message with a spam score 1.0 or more above the "5" mark would be deleted. In other words, any mail with a score of 6 or more would be trashed automatically. So for this example, you would change the "sa_delete" variable as follows:

my $sa_delete='1.0';

Spamassassin has been tested to have up to a 99% accuracy rating in terms of detecting real spam and leaving legitimate e-mail alone. I've been using it for over a year now and have never gotten a false positive. Therefore, I feel safe in telling it to just delete the stuff.

There are a host of other spam and virus handling directives that can be customized in the qmail-scanner-queue.pl file.

Post Install configuration tips for Qmail

There are several ways to thwart spam at the SMTP level: RBLs, greylisting and greetdelay.

Greetdelay is by far the easiest to get working. Just open up /service/qmail-smtpd/run and look for GREETDELAY. Give it a setting anywhere between 0 and 30 seconds. Most people find that 15 seconds is sufficient to thwart most spam.

To have qmail start using RBLs, edit the following settings in /service/qmail-smtpd/run:


RBLSMTPD_PROG="/usr/local/bin/rblsmtpd"
#RBL_GOOD=""
RBL_BAD="zen.spamhaus.org dnsbl.njabl.org dnsbl.sorbs.net bl.spamcop.net"

Greylisting in detail

When a server receives an incoming connection from a client, it checks the client's IP address against a list. Depending on what it finds...

    If the IP address has never been seen before, a record is created for the IP address and the client is given the "soft error" message, which tells it that the message will not be accepted right now, but the client should try again later.

    If the IP address was first seen very recently (usually within the past three to five minutes), the client will be given the same "soft error" message and no mail will be accepted.

    Otherwise, the message will be accepted normally.

The other consideration is that the database of when each IP address was first seen can eventually grow large enough to fill up the storage space available on the system. To prevent this, a second timer is kept, one which is updated every time the client connects. Every so often the server will "clean" the database by deleting all records of any IP which has not been seen in a long time (usually 30 days or more).

Edit /var/qmail/supervise/qmail-smtpd/run and change the following lines:


GREYLIST="/var/qmail/bin/jgreylist"
JGREYLIST_DIR="$VQ/jgreylist"
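The greylisting rules described above, as an added Python model (not jgreylist's own code): first contact is deferred with a temporary SMTP reply, a retry inside the delay window is deferred again, later retries are accepted, and a clean-up pass drops records whose last-seen timer is older than the expiry. The 300-second delay, 30-day expiry and the 451 reply text are assumptions chosen to match the ranges given in the text.

```python
import time

# Temporary (4xx) reply: the "soft error" that tells the client to try again later.
SOFT_ERROR = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "continue"


class Greylist:
    """In-memory model of the greylisting rules described above.

    records maps client IP -> [first_seen, last_seen] in seconds.  The real
    jgreylist keeps its state on disk under JGREYLIST_DIR; the decision
    rules modelled here are the ones the text describes.
    """

    def __init__(self, delay=300, expire=30 * 86400, clock=time.time):
        self.delay = delay      # seconds a new client must wait before being accepted (3-5 min above)
        self.expire = expire    # records not refreshed for this long are dropped by clean() (30 days above)
        self.clock = clock      # injectable so the behaviour can be exercised without sleeping
        self.records = {}

    def check(self, ip):
        """Return (accepted, smtp_reply) for one incoming connection from ip."""
        now = self.clock()
        rec = self.records.get(ip)
        if rec is None:
            # never seen before: create the record and defer
            self.records[ip] = [now, now]
            return False, SOFT_ERROR
        rec[1] = now  # the second timer: last time this client connected
        if now - rec[0] < self.delay:
            # first seen too recently: same soft error, nothing accepted yet
            return False, SOFT_ERROR
        return True, ACCEPT

    def clean(self):
        """Drop every record whose client has not connected for `expire` seconds; return the IPs dropped."""
        now = self.clock()
        stale = [ip for ip, (_, last) in self.records.items() if now - last >= self.expire]
        for ip in stale:
            del self.records[ip]
        return stale


def simulate():
    """Walk a well-behaved MTA and a fire-and-forget sender through the rules with a fake clock."""
    t = [0.0]
    gl = Greylist(delay=300, expire=30 * 86400, clock=lambda: t[0])
    out = []

    def attempt(ip, advance):
        t[0] += advance
        accepted, _reply = gl.check(ip)
        out.append((int(t[0]), ip, accepted))

    attempt("192.0.2.10", 0)        # legitimate MTA, first try: deferred
    attempt("198.51.100.7", 5)      # spam cannon, first try: deferred, never retries
    attempt("192.0.2.10", 60)       # retry after 1 min: still inside the delay window
    attempt("192.0.2.10", 600)      # retry after ~11 min: accepted
    t[0] += 20 * 86400              # 20 days later the MTA connects again, refreshing last_seen
    attempt("192.0.2.10", 0)        # accepted straight away
    t[0] += 15 * 86400              # 15 more days pass with no traffic from either host
    dropped = gl.clean()            # the spam cannon's record is 35 days old and gets dropped
    attempt("192.0.2.10", 0)        # MTA record was refreshed 15 days ago: still accepted
    attempt("198.51.100.7", 0)      # spam cannon starts over: greylisted again
    return out, sorted(dropped)


if __name__ == "__main__":
    for row in simulate()[0]:
        print(row)
```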

Now run the following commands:


# mkdir /root/scripts/
# cd /root/scripts/
# fetch https://qmail.jms1.net/scripts/jgreylist
# fetch https://qmail.jms1.net/scripts/jgreylist-clean
# cp jgreylist /var/qmail/bin
# cp jgreylist-clean /usr/local/sbin
# chown root:vchkpw /var/qmail/bin/jgreylist
# chmod 0750 /var/qmail/bin/jgreylist
# chown root:wheel /usr/local/sbin/jgreylist-clean
# chmod 0755 /usr/local/sbin/jgreylist-clean
# mkdir -m 0700 /var/qmail/jgreylist
# chown vpopmail:vchkpw /var/qmail/jgreylist

Now we need to add the jgreylist clean-up to cron. Run crontab -e and add the following line to run it at 6PM every day, discarding its output:

0 18 * * * /usr/local/sbin/jgreylist-clean > /dev/null 2>&1

Now restart qmail:


# qmailctl restart

The following articles are optional:

How to teach Bayes your users' Spams

How to add additional rules to SpamAssassin

Sunday, 05 July 2015 13:20

Installing Qmailscanner

Qmail-Scanner is an e-mail content scanner that enables a qmail server to scan all messages it receives for certain characteristics (normally viruses), and react accordingly. For more information see http://qmail-scanner.sourceforge.net/

Before you continue, make sure that clamav and spamassassin are running. You can get the status of all services by running:


# svstat /service/* /service/*/log

First we will need to download qmail-scanner and then extract it.


# cd ~root
# fetch http://freebsdrocks.net/qmail2/q-s-2.11st-20130319.tgz
# tar zxvf q-s-2.11st-20130319.tgz

Before I continue on with this installation I wanted to let you know I am using a minimum of configuration options for qmail-scanner. There are many different options to choose from as well as changing some of the options within my qs-configure script. For a complete list of qmail-scanner options for the ST patch see the following URL below:

http://freebsdrocks.net/index.php/documents/13-useful-qmail-utilities/106-qmail-scanner-2-10st-st-patch-configure-options

We need to tell the system where the correct unzip binary is; if we don't, you will get a qmail-scanner error. Please run the following commands:


# cd /usr/bin
# mv unzip unzip.bak
# ln -s /usr/local/bin/unzip /usr/bin/

We will want to run the configure line once as a test, without installing anything. This gives you a chance to fix any errors that come up (if any) before you install. Change domain.local to your domain, and in the X-Antivirus-domain header text change domain to just the prefix of your domain or an abbreviation. If you get errors on the cc step, ignore them and continue.


# cd /root/qmail-scanner-2.11st/contrib
# cc -o qmail-scanner-queue qmail-scanner-queue.c
# mv qmail-scanner-queue /var/qmail/bin/
# chown qscand:qscand /var/qmail/bin/qmail-scanner-queue
# chmod 6755 /var/qmail/bin/qmail-scanner-queue
# cd ~root/qmail-scanner-2.11st/
# ./configure --domain domain.local --dscr-hdrs-text "X-Antivirus-domain" --admin postmaster --add-dscr-hdrs yes --ignore-eol-check yes --sa-quarantine 0 --sa-delete 0 --sa-reject no --sa-subject ":SPAM:" --sa-alt yes --sa-debug no --notify admin --redundant yes --skip-setuid-test --logdir /var/log/qmail/qmail-scanner

Provided the script above didn't result in any errors, we can now install qmail-scanner. This is exactly the line we just tested, with --install 1 added at the end, which tells the configure script to actually install qmail-scanner. This is what the configure line should look like:


# cd ~root/qmail-scanner-2.11st/
# ./configure --domain domain.local --dscr-hdrs-text "X-Antivirus-domain" --admin postmaster --add-dscr-hdrs yes --ignore-eol-check yes --sa-quarantine 0 --sa-delete 0 --sa-reject no --sa-subject ":SPAM:" --sa-alt yes --sa-debug no --notify admin --redundant yes --skip-setuid-test --logdir /var/log/qmail/qmail-scanner --install 1

Answer YES to all questions.


# vi /var/qmail/bin/qmail-scanner-queue.pl

Then change the first line of /var/qmail/bin/qmail-scanner-queue.pl
to "#!/usr/bin/perl" (in other words, remove the "-T" from the perl call; -T is Perl's taint mode, so this trades a check on untrusted input for compatibility).


# chmod 0755 /var/qmail/bin/qmail-scanner-queue.pl

And now all that's left for qmail-scanner is to initialize the version file and the perlscanner database. We'll initialize the version file first. This command also helps keep your server's /var/spool/qmailscan folder clear of stray files that can accumulate when SMTP sessions are dropped. You may want to put this command into your server's crontab and run it once a day. You'll see more on this in the "maintaining your qmail server" step near the end of this tutorial. So let's run it:


# setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z

And now we will generate a new perlscanner database for qmail-scanner. For future reference, it's a good idea to run this next command whenever you upgrade qmail-scanner. You'll see more on this in the "maintaining your qmail server" step near the end of this tutorial. So let's do it:


# setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g

A successful database build should produce the following output:


perlscanner: generate new DB file from /var/spool/qmailscan/quarantine-attachments.txt
perlscanner: total of 35 entries.

And now one final ownership check...


# chown -R qscand:qscand /var/spool/qscan

Woohoo, qmail-scanner is installed! Now it's time to tie qmail-scanner into qmail itself.


# vi /var/qmail/supervise/qmail-smtpd/run

Look for the line that says:

#QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"

and remove the # in front of the line like so:

QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"

Once you've got the qmail-smtpd file modified, save the changes and exit from the file. Now we will finalize the qmail-scanner installation by going over some post-install configuration options. After that, we'll fire everything up and take qmail-scanner for a test drive.

To activate all the changes we just made, we're going to have to completely stop and restart qmail:


# qmailctl stop
# qmailctl start

And a quick check of the qmail processes, just to be safe.


# qmailctl stat

Before we run the qmail-scanner test we need to make sure we're using dovecot for local delivery. Let's say you used mydomain.local for the domain name. Run the following commands in your postmaster account directory:


# cd ~vpopmail/domains/mydomain.local/postmaster
# cp -Rp ~vpopmail/skel/* .
# cp -Rp ~vpopmail/skel/.qmail .

Now it's time to test the whole damn thing to see if Qmail-Scanner, SpamAssassin and Clam AV are all working correctly. Fortunately, Qmail-Scanner comes with its own testing script that does a fantastic job. So let's test it!


# cd /root/qmail-scanner-2.11st/contrib/
# chmod 755 test_installation.sh
# ./test_installation.sh -doit

A successful test should produce the following output. 2 messages should be quarantined by Clam AntiVirus in /var/spool/quarantine/new and 2 messages should be sent to whatever mailbox you specified in the Qmail-Scanner configuration script. Don't worry if you don't get virus notification emails; the notification emails normally sent on virus detection usually don't work during the test.

setting QMAILQUEUE to /var/qmail/bin/qmail-scanner-queue.pl for this test...

Sending standard test message - no viruses...
done!

Sending eicar test virus - should be caught by perlscanner module...
done!

Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)

Sending bad spam message for anti-spam testing - In case you are using SpamAssassin...
Done!

Finished test. Now go and check Email for <the --admin address you configured>

You should now get a total of 4 messages:

1 clean message in the postmaster mailbox

1 spam message in the postmaster mailbox (postmaster accounts do not have spam protection automatically. You can manually copy the contents of ~vpopmail/skel into the postmaster/Maildir account)

1 policy message in /var/spool/qscan/quarantine/policy/new

and

1 virus message in /var/spool/qscan/quarantine/viruses/new/

This section helps you convert your Apache certs for use with qmail. This step is completely optional, BUT note that the common name you used must match the server name, or your clients will get a certificate warning when they check their POP3 account or send email via SSL or TLS.

You will need to do one of the following: either purchase a certificate from a certificate authority, or re-key a current certificate if you're moving servers. In order to convert your Apache cert, it is important to create the cert correctly. Here is how to do it:

First, we create the key:


# mkdir /root/certs
# cd /root/certs
# openssl genrsa -out domain.key 2048

You can substitute 2048 with 4096 for a stronger key, and make sure you replace domain with your actual domain name.

Next, we need to add a password. Go ahead and type it and confirm.

Now create a csr:


# openssl req -new -key domain.key -out domain.csr

It is important to type in all the information for your company. When it asks for Common Name (eg, YOUR name) []: it is VERY IMPORTANT that this field matches what your users are going to use for their mail server name. If you are buying a cert for multiple domains, this should be the domain users use the most. When viewing a cert for multiple domains, the common name will appear first and the others will also show on the cert.

This is the CSR you use to generate your cert when asked by the vendor you buy your cert from. You can use this information to purchase your certificate.

First, let's back up the current /var/qmail/control folder:


# mkdir /var/qmail/backup_control
# cp -Rp /var/qmail/control/* /var/qmail/backup_control

Copy the .crt you received (and the intermediate certificate that came with it) into /root/certs. Then run the following to build the combined server cert:


# cd /root/certs
# cat domain.key > /var/qmail/control/servercert.pem
# cat cert.crt >> /var/qmail/control/servercert.pem
# cat intermediate.crt >> /var/qmail/control/servercert.pem

And now let's set the permissions on servercert.pem:


# chown root:qnofiles /var/qmail/control/servercert.pem
# chmod 640 /var/qmail/control/servercert.pem

Now let's create the clientcert.pem file and set its permissions:


# cp /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
# chown root:qmail /var/qmail/control/clientcert.pem
# chmod 640 /var/qmail/control/clientcert.pem

Now restart qmail so this takes effect on all services:


# qmailctl restart

That restarts ALL the qmail services so the new certificate takes effect.

Now your customers will not get the annoying nag screen when they send mail via SMTP-SSL or SMTP-TLS, or read it via IMAP!

Thursday, 23 July 2015 02:46

Setting up SSL Certs and starting Qmail

We need to install ucspi-ssl so qmail will accept SMTP connections over SSL. We can do that like so:


# cd /usr/ports/sysutils/ucspi-ssl
# make install clean

Shortly after this starts installing, you will get a popup box containing:

Options for ca_root_nss 3.11.9_2
[X] ETCSYMLINK Add symlink to /etc/ssl/cert.pem

Make sure that box is checked by hitting the space bar, then hit tab and enter.

Creating an SSL key file

If you are setting up an SSL or TLS server, you will need to create a /var/qmail/control/servercert.pem file. This file contains the public and private keys used to set up SSL or TLS encryption. It should be readable by the user ID your "qmail-smtpd" program runs as (which is normally the "qmaild" user).

Part of the file is a "certificate", which is the public key with a signature applied to it. This is the same kind of signature used when you create an SSL key for use with a secure web site; in fact, if you already have such a certificate from an SSL web site, you can use it (with the matching ".key" file) to build this .pem file. As long as the key and the certificate are both stored in PEM-encoded format, you can "cat" the files together and save the result as "servercert.pem", and it will work.

If you don't have such a key, you can create a key and then sign it using itself (also known as a "self-signed" certificate). Clients will complain about the certificate not being signed by a trusted certificate authority, but the encryption itself is just as strong (what clients lose is the ability to verify the server's identity). The following example shows how to create a self-signed certificate which expires ten years from the date it was created.

Let's start with creating the key. The command below uses a 1024-bit RSA key; 1024-bit keys are no longer considered adequate, and 2048 bits (as in the Apache cert section above) is the usual minimum today:


# cd /var/qmail/control
# openssl req -newkey rsa:1024 -x509 -nodes -days 3650 -out servercert.pem -keyout servercert.pem

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value; if you just hit Enter, the field will be left blank. Please note: the common name must be the name of the mail server, so make sure you enter it on that line:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: THIS IS YOUR EMAIL SERVER NAME
Email Address []:<your admin email address>

Now let's give proper ownership to the files:


# chown root:nofiles servercert.pem

The "nofiles" group is the group which "qmaild" belongs to. This combination of ownership and permissions allows qmail-smtpd to read the key, but not change or delete it. Do not make the file world-readable: it contains the private key.


# chmod 640 servercert.pem
# cp servercert.pem clientcert.pem
# chown root:qmail clientcert.pem

The "qmail" group is the group which the "qmailr" user belongs to. This user should be able to read, but not write, the "clientcert.pem" file.


# chmod 640 clientcert.pem
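Both cert sections (the Apache-cert conversion above and the self-signed setup here) end with a servercert.pem/clientcert.pem that must hold exactly one unencrypted private key plus the certificate chain, with a mode that keeps the key away from other users. As an added check (not part of the original article), this Python script verifies that layout and the 0640 mode on constructed placeholder bundles; the PEM bodies are fake, and user/group ownership is not checked because it depends on the system's accounts.

```python
import os
import re
import stat
import tempfile

PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_TYPES = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return the block labels in file order, e.g. ['RSA PRIVATE KEY', 'CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK_RE.finditer(text)]


def check_pem_bundle(path, expected_mode=0o640):
    """Return a list of problems with a servercert.pem/clientcert.pem; an empty list means it passed."""
    problems = []
    with open(path, "r", encoding="ascii", errors="replace") as f:
        text = f.read()
    blocks = pem_blocks(text)

    keys = [b for b in blocks if b in KEY_TYPES]
    certs = [b for b in blocks if b == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    if not certs:
        problems.append("no CERTIFICATE block (the signed cert and any intermediate must be appended)")
    # An unattended daemon such as qmail-smtpd cannot type a passphrase, so the key must be unencrypted.
    if "ENCRYPTED PRIVATE KEY" in blocks or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is passphrase-protected; the daemon cannot prompt for a passphrase")

    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o007:
        problems.append("file is world-accessible (mode %o); it contains the private key" % mode)
    elif mode != expected_mode:
        problems.append("mode is %o, expected %o" % (mode, expected_mode))
    return problems


# Constructed stand-ins for PEM blocks: the base64 bodies are placeholders, not real keys or certs.
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedplaceholderkey==\n-----END RSA PRIVATE KEY-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIDconstructedplaceholdercert==\n-----END CERTIFICATE-----\n"
FAKE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMIIDconstructedplaceholderintermediate==\n-----END CERTIFICATE-----\n"
FAKE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "constructedplaceholderencryptedkey==\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def write_bundle(parts, mode):
    """Write a bundle the way 'cat key > pem; cat cert >> pem' does, then chmod it. Returns the path."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as f:
        f.write("".join(parts))
    os.chmod(path, mode)
    return path


def demo():
    """Check one correct bundle and three broken ones; returns {case name: problems}."""
    cases = {
        "good": ([FAKE_KEY, FAKE_CERT, FAKE_INTERMEDIATE], 0o640),
        "no_key": ([FAKE_CERT, FAKE_INTERMEDIATE], 0o640),
        "world_readable": ([FAKE_KEY, FAKE_CERT], 0o644),
        "encrypted_key": ([FAKE_ENCRYPTED_KEY, FAKE_CERT], 0o640),
    }
    results = {}
    for name, (parts, mode) in cases.items():
        path = write_bundle(parts, mode)
        try:
            results[name] = check_pem_bundle(path)
        finally:
            os.unlink(path)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

On a real server, call check_pem_bundle("/var/qmail/control/servercert.pem") and the same for clientcert.pem after the chown/chmod steps.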

The next thing we will need to do is configure the qmail-smtpd-ssl run file. The only thing we need to set here is the IP of the server it will be listening on.


# vi /var/qmail/supervise/qmail-smtpd-ssl/run

You should set the following value:

IP=1.2.3.4

Substitute your own IP address. Do not leave this set to 0 without a good reason.

Before we start qmail we need to set up a few symlinks for TLS to work properly:


# cd /usr/lib32
# ln -s libssl.so.8 libssl.so.7
# ln -s libcrypto.so.8 libcrypto.so.7

The final step is to start the service running:


# ln -s /var/qmail/supervise/qmail-smtpd-ssl /service/

Starting the qmail services

Okay, let's start the qmail services.


# svc -t /service/* /service/*/log

Let's check to make sure qmail is running okay:


# svstat /service/* /service/*/log

You should get the following output:


/service/qmail-send: up (pid 96738) 8 seconds
/service/qmail-smtpd: up (pid 96743) 8 seconds
/service/qmail-smtpd-ssl: up (pid 96747) 8 seconds
/service/qmail-updater: up (pid 96739) 8 seconds
/service/qmail-send/log: up (pid 96749) 8 seconds
/service/qmail-smtpd-ssl/log: up (pid 96746) 8 seconds
/service/qmail-smtpd/log: up (pid 96745) 8 seconds
/service/qmail-updater/log: up (pid 96748) 8 seconds

Please note we're not using the qmailctl file. The new qmailctl file includes the services for spamd, freshclam, clamav and dovecot. These programs have not been installed yet. These will start working once the service directories are created. Provided qmail-send, qmail-smtpd and qmail-smtpd-ssl are running that is all we need to be concerned about for now.

Sunday, 05 July 2015 13:21

Installing ClamAV

Clam AntiVirus is a command-line virus scanner written entirely in C, with a signature database that freshclam keeps up to date. For more information, please see: http://www.clamav.net/

Installing clamav


# cd /usr/ports/security/clamav
# make install clean

Make sure the following are checked:

ARC
ARJ
DMG_XAR
DOCS
IPV6 (Optional)
LHA
LLVM
UNRAR
UNZOO

Now we want to create the clamav and freshclam service scripts:


# mkdir -m 1755 /var/qmail/supervise/clamav
# mkdir -m 1755 /var/qmail/supervise/freshclam
# mkdir -m 755 /var/qmail/supervise/clamav/log
# mkdir -m 755 /var/qmail/supervise/freshclam/log
# mkdir -m 1755 /var/log/qmail/clamav
# mkdir -m 1755 /var/log/qmail/freshclam
# cd /var/qmail/supervise/clamav
# fetch http://freebsdrocks.net/files/clamav-run
# mv clamav-run run
# chmod 755 run
# cd log
# fetch http://freebsdrocks.net/files/log-run
# mv log-run run
# chmod 755 run
# vi run

Change the last line to read /var/log/qmail/clamav like so

exec /usr/local/bin/multilog t n20 s1048576 /var/log/qmail/clamav


# cd /var/qmail/supervise/freshclam
# fetch http://freebsdrocks.net/files/freshclam-run
# mv freshclam-run run
# chmod 755 run
# cd log
# fetch http://freebsdrocks.net/files/log-run
# mv log-run run
# chmod 755 run
# vi run

Change the last line to read /var/log/qmail/freshclam like so

exec /usr/local/bin/multilog t n20 s1048576 /var/log/qmail/freshclam

Now we need to edit the clamd.conf file so it will run correctly via daemontools:


# vi /usr/local/etc/clamd.conf

Settings to change (the note after each line says why):

#Example  (must be commented out or removed; clamd refuses to start while it is active)
#LogFile  (leave commented; multilog will handle logging)
#LogSyslog no  (leave commented; see LogFile)
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/db/clamav
FixStaleSocket yes  (optional; removes a socket file left behind by a crash)
User qscand  (uncomment and set to the scanning user)
Foreground yes  (required to run clamd via daemontools; otherwise it daemonizes and supervise loses track of it)

Now we need to edit the freshclam.conf file so it will run correctly via daemontools:


# vi /usr/local/etc/freshclam.conf

# Example  (must stay commented out)
DatabaseDirectory /var/db/clamav
# UpdateLogFile  (leave commented; multilog will handle logging)
# LogSyslog no  (leave commented; see UpdateLogFile)
PidFile /var/run/clamav/freshclam.pid
DatabaseOwner qscand  (change from clamav to qscand, so the downloaded databases belong to the user clamd runs as)
Foreground yes  (required to run freshclam via daemontools)

For your information, once this is set up freshclam will check for updates every 2 hours by default. If you want it to run more or less frequently, uncomment the Checks line in freshclam.conf and set it to the number of checks per day:


# Number of database checks per day.
# Default: 12 (every two hours)
Checks 24
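The two config edits above are easy to get half right, and the symptom (clamd exiting at once, supervise relaunching it forever) is not obvious. The checker below is an added example, not part of the original page or of ClamAV: it reads a clamd.conf or freshclam.conf and reports each daemontools-relevant setting that is still wrong. It assumes POSIX sh and awk and, as on this page, that the scanning user is "qscand"; the sample_conf function emits constructed fragments so it can be tried offline.

```sh
#!/bin/sh
# Added example, not from the original page: check that a clamd.conf or
# freshclam.conf has the settings the walkthrough requires for running under
# daemontools. Assumes POSIX sh and awk and that the scanning user is "qscand".

# conf_get FILE KEY: print the value of the first active (uncommented) KEY
# directive in FILE; prints nothing if KEY only appears commented out.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }              # comment lines do not count
        $1 == key  { print $2; exit }    # first active occurrence wins
    ' "$1"
}

# conf_has FILE KEY: true if KEY appears as an active directive, with or
# without a value, which is how the bare "Example" marker has to be found.
conf_has() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key  { found = 1; exit }
        END        { exit found ? 0 : 1 }
    ' "$1"
}

# check_daemontools_conf FILE OWNERKEY LOGKEY
#   clamd.conf:     OWNERKEY=User          LOGKEY=LogFile
#   freshclam.conf: OWNERKEY=DatabaseOwner LOGKEY=UpdateLogFile
# Prints one line per problem and returns the number of problems (0 = OK).
check_daemontools_conf() {
    f=$1; ownerkey=$2; logkey=$3; problems=0
    if conf_has "$f" Example; then
        echo "$f: the Example line is still active; comment it out or the daemon refuses to start"
        problems=$((problems + 1))
    fi
    if [ "$(conf_get "$f" Foreground)" != "yes" ]; then
        echo "$f: Foreground must be yes, otherwise the process forks and supervise loses it"
        problems=$((problems + 1))
    fi
    if [ "$(conf_get "$f" "$ownerkey")" != "qscand" ]; then
        echo "$f: $ownerkey must be qscand (the scanning user assumed here)"
        problems=$((problems + 1))
    fi
    if [ -n "$(conf_get "$f" "$logkey")" ]; then
        echo "$f: $logkey is set; leave it commented so multilog alone handles logging"
        problems=$((problems + 1))
    fi
    if [ "$(conf_get "$f" LogSyslog)" = "yes" ]; then
        echo "$f: LogSyslog yes would duplicate the multilog output into syslog"
        problems=$((problems + 1))
    fi
    return $problems
}

# sample_conf KIND: print a constructed clamd.conf fragment (not a file from
# the page) so the checker can be tried offline. KIND is "good" or "bad".
sample_conf() {
    if [ "$1" = "good" ]; then
        printf '%s\n' '#Example' '#LogFile /var/log/clamav/clamd.log' '#LogSyslog yes' \
            'PidFile /var/run/clamav/clamd.pid' 'DatabaseDirectory /var/db/clamav' \
            'FixStaleSocket yes' 'User qscand' 'Foreground yes'
    else
        # deliberately wrong: Example active, logs to a file and syslog,
        # runs as clamav, and Foreground left commented out
        printf '%s\n' 'Example' 'LogFile /var/log/clamav/clamd.log' 'LogSyslog yes' \
            'PidFile /var/run/clamav/clamd.pid' 'DatabaseDirectory /var/db/clamav' \
            'User clamav' '#Foreground yes'
    fi
}

# Usage on the server: sh check-clamconf.sh /usr/local/etc/clamd.conf User LogFile
if [ $# -eq 3 ]; then
    check_daemontools_conf "$1" "$2" "$3"
fi
```

For freshclam.conf call it with DatabaseOwner and UpdateLogFile as the second and third arguments. The checker only looks at active directives, so a setting that is present but commented out counts as unset, exactly as the daemons treat it.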

Now to set some file permissions before we start clamav:


# chown -R qscand:qscand /var/log/clamav
# chown -R qscand:qscand /var/run/clamav/
# chown qscand:qscand /var/db/clamav/

Now to create the symlinks to the service:


# ln -s /var/qmail/supervise/clamav /service/
# ln -s /var/qmail/supervise/freshclam /service/

Note: before you run the next command, be aware that it can take a while for the clamav service to settle, because clamd will not start until freshclam has downloaded the first signature database. Until then svstat shows clamav "up" for only 0 or 1 seconds: clamd exits immediately and supervise relaunches it every second. This is normal and can take anywhere from several seconds to several minutes. Don't panic; check the freshclam logs, and once they report that the download is complete and clamav has been notified of the database update, the uptime in svstat will start to climb.

Check to see if clamav and freshclam are running:


# svstat /service/clamav/ /service/clamav/log

/service/clamav: up (pid 82396) 63 seconds
/service/clamav/log: up (pid 82446) 25 seconds

# svstat /service/freshclam/ /service/freshclam/log

/service/freshclam/: up (pid 82409) 69 seconds
/service/freshclam/log: up (pid 82410) 69 seconds
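Both svstat checks on this page (the qmail services earlier and clamav/freshclam here) come down to reading the same output by eye. The script below is an added example, not part of the original page or of daemontools: it reads svstat lines on stdin and flags services that are down, that supervise cannot see, or that have been "up" for only a few seconds, which is the restart loop described above while clamd waits for its first database. It assumes POSIX sh and awk; the sample_svstat lines are constructed in svstat's format and are not real output from a server.

```sh
#!/bin/sh
# Added example, not from the original page: read svstat output and flag
# services that are down, unsupervised, or stuck in a restart loop.
# Assumes POSIX sh and awk.

# svstat_check [MIN_SECONDS]
# Reads svstat lines on stdin, prints one verdict per service and returns the
# number of services that are not healthy (0 = all good). A service that has
# been up for fewer than MIN_SECONDS (default 5) is reported as RESTARTING.
svstat_check() {
    awk -v min="${1:-5}" '
    {
        name = $1; sub(/:$/, "", name)
        rest = substr($0, length($1) + 2)            # everything after "name: "
        if ($2 == "up") {
            pid = $4; sub(/\)$/, "", pid)            # "(pid 96738)" -> 96738
            secs = $5 + 0
            if (secs < min) {
                printf("RESTARTING %s: up only %d s (pid %s), supervise keeps relaunching it\n", name, secs, pid); bad++
            } else if (rest ~ /want down/) {
                printf("STOPPING %s: %s\n", name, rest); bad++
            } else {
                printf("OK %s: pid %s, up %d s\n", name, pid, secs)
            }
        } else if ($2 == "down") {
            printf("DOWN %s: %s\n", name, rest); bad++
        } else {
            # e.g. "supervise not running" or "unable to open supervise/ok: ..."
            printf("UNKNOWN %s: %s\n", name, rest); bad++
        }
    }
    END { exit (bad > 255) ? 255 : bad + 0 }'
}

# sample_svstat: constructed lines in svstat format covering the cases above
# (healthy, restart loop, down, and supervise not running). Not real output.
sample_svstat() {
    printf '%s\n' \
        '/service/qmail-send: up (pid 96738) 8 seconds' \
        '/service/qmail-smtpd: up (pid 96743) 8 seconds' \
        '/service/qmail-smtpd-ssl: up (pid 96747) 8 seconds' \
        '/service/clamav: up (pid 82396) 1 seconds' \
        '/service/freshclam: down 12 seconds, normally up' \
        '/service/dovecot: supervise not running'
}

# On the mail server: svstat /service/* /service/*/log | svstat_check 5
```

Run it against the real output with `svstat /service/* /service/*/log | svstat_check 5`; a non-zero exit status means something needs attention, which makes it usable from cron or a monitoring check as well as at the console. Raise the threshold for a few minutes right after starting clamav if you do not want the expected database-download loop reported.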

Now remove the port's rc.d startup scripts, so that rc does not start a second, unsupervised copy of clamd and freshclam at boot alongside the daemontools-managed ones (a later upgrade of the port will put them back, so remove them again after that):


# rm /usr/local/etc/rc.d/clamav-clamd
# rm /usr/local/etc/rc.d/clamav-freshclam
