


Sunday, 05 July 2015 13:21

Installing ClamAV

Clam Antivirus is a command-line virus scanner written entirely in C, and its database is kept up to date. For more information, please see:

Installing clamav

# cd /usr/ports/security/clamav
# make install clean

Make sure the following are checked:

IPV6 (Optional)

Now we want to create the clamav and freshclam service scripts:

# mkdir -m 1755 /var/qmail/supervise/clamav
# mkdir -m 1755 /var/qmail/supervise/freshclam
# mkdir -m 755 /var/qmail/supervise/clamav/log
# mkdir -m 755 /var/qmail/supervise/freshclam/log
# mkdir -m 1755 /var/log/qmail/clamav
# mkdir -m 1755 /var/log/qmail/freshclam
# cd /var/qmail/supervise/clamav
# fetch
# mv clamav-run run
# chmod 755 run
# cd log
# fetch
# mv log-run run
# chmod 755 run
# vi run

Change the last line to read /var/log/qmail/clamav like so

exec /usr/local/bin/multilog t n20 s1048576 /var/log/qmail/clamav

# cd /var/qmail/supervise/freshclam
# fetch
# mv freshclam-run run
# chmod 755 run
# cd log
# fetch
# mv log-run run
# chmod 755 run
# vi run

Change the last line to read /var/log/qmail/freshclam like so

exec /usr/local/bin/multilog t n20 s1048576 /var/log/qmail/freshclam

Now we need to edit the clamd.conf file so it will run correctly via daemontools:

# vi /usr/local/etc/clamd.conf

#Example - must be commented out or removed
#LogFile - multilog will handle logging
#LogSysLog no - see LogFile
PidFile /var/run/clamav/
DatabaseDirectory /var/db/clamav
FixStaleSocket yes - optional
User - should be uncommented and set to qscand
Foreground yes - required to run clamav via daemontools

Now we need to edit the freshclam.conf file so it will run correctly via daemontools:

# vi /usr/local/etc/freshclam.conf

# Example
DatabaseDirectory /var/db/clamav
# UpdateLogFile - multilog will handle logging
# LogSyslog no - see UpdateLogFile
PidFile /var/run/clamav/
DatabaseOwner - change from clamav to qscand
Foreground yes - required to run freshclam via daemontools

For your information, once this is set up, freshclam is going to run every 2 hours by default. If you want it to run more or less frequently, just change this section in freshclam.conf:

# Number of database checks per day.
# Default: 12 (every two hours)
# Checks 24

Now to set some file permissions before we start clamav:

# chown -R qscand:qscand /var/log/clamav
# chown -R qscand:qscand /var/run/clamav/
# chown qscand:qscand /var/db/clamav/

Now to create the symlinks to the service:

# ln -s /var/qmail/supervise/clamav /service/
# ln -s /var/qmail/supervise/freshclam /service/

Note: I want to point out before you run the next command that it could take some time for the clamav service to come up due to the updates for freshclam being downloaded. This is normal and it could take several seconds or several minutes for freshclam to update clamav. Don't panic if clamav is stuck at 0 or 1. Just check the freshclam logs to find out when the download is complete and it says it has notified clamav of the database update.

Check to see if clamav and freshclam are running:

# svstat /service/clamav/ /service/clamav/log

/service/clamav: up (pid 82396) 63 seconds
/service/clamav/log: up (pid 82446) 25 seconds

# svstat /service/freshclam/ /service/freshclam/log

/service/freshclam/: up (pid 82409) 69 seconds
/service/freshclam/log: up (pid 82410) 69 seconds

Now to remove the startup scripts:

# rm /usr/local/etc/rc.d/clamav-clamd
# rm /usr/local/etc/rc.d/clamav-freshclam

Sunday, 05 July 2015 13:21

Installing SpamAssassin

SpamAssassin is a mail filter which attempts to identify spam using text analysis and several internet-based realtime blacklists.

The official SpamAssassin website is at

When we install SpamAssassin from ports, it installs all the required Perl modules for us, which makes installing SpamAssassin really, really easy! Start by doing the following:

# cd /usr/ports/mail/spamassassin
# make install

When you run this, you will get a pop-up box asking to enable a few things. Let's just make sure the settings below are checked. To check a setting, just hit the spacebar when the cursor is over the selected option:


We will now want to double-check the Perl dependencies after SpamAssassin is installed. When you install SpamAssassin via ports, it checks whether it needs to install any of the required Perl dependencies, which makes things easy to install and set up. Please change the version of SpamAssassin in the command below. For instance, if you are running SpamAssassin 3.1.0, you would substitute 3.1.0 for the 3.x.x in the following command:

# /usr/ports/mail/spamassassin/work/Mail-SpamAssassin-3.x.x/build/check_dependencies

You will get a pretty large output. Don't worry about any optional modules unless you want to install and use them. The optional modules are configured in /usr/local/etc/mail/spamassassin/v310.pre. All you need to do is install the perl module for it and then uncomment it in v310.pre. Pretty easy to do. I have you run this because if it shows something OTHER than the optional modules, you may just want to reinstall the spamassassin port again. If you reinstall and it still doesn't work, I would suggest looking at the support options on the left.

Here are the port locations for the optional plugins:

Digest::SHA1 - /usr/ports/security/p5-Digest-SHA1
Mail::SPF - /usr/ports/mail/p5-Mail-SPF
Geo::IP - /usr/ports/net/p5-Geo-IP
Net::CIDR::Lite - /usr/ports/net/p5-Net-CIDR-Lite
IO::Socket::INET6 - /usr/ports/net/p5-IO-Socket-INET6
Mail::DKIM - /usr/ports/mail/p5-Mail-DKIM
DBI - /usr/ports/databases/p5-DBI
LWP::UserAgent - /usr/ports/www/p5-LWP-UserAgent-POE
Net::Patricia - /usr/ports/net/p5-Net-Patricia

After running the above command, let's clean up the install:

# cd /usr/ports/mail/spamassassin
# make clean

Configuring SpamAssassin

If you cd to /usr/local/etc/mail/spamassassin/, you will see 4 files. Two of them are .sample files and the 2 others are your SpamAssassin global options. init.pre and v310.pre have many different options to choose from. Enable them at your leisure. We will not be going over them as they are optional settings.

To get set up, run the following:

# cd /usr/local/etc/mail/spamassassin/
# cp
# vi

In we want to set a few options in here. I will list them individually:

rewrite_header Subject - Leave this commented (#). We will configure qmail-scanner to rewrite the subject for us.
report_safe - Leave this commented. This just leaves the message as Spam or Ham and does not save it as an attachment.
trusted_networks - Leave this commented. We define this globally in qmail in the /etc/tcp/smtp file.
lock_method flock - Leave this commented.
required_score - Uncomment this and set this to around 4.3 or so. I have mine set at 3.9 right now and seems to be catching a lot of spams.
use_bayes - Leave this commented. We will get to this later.

We are now going to run SpamAssassin via daemontools:

# mkdir -m 1755 /var/qmail/supervise/spamd
# mkdir -m 755 /var/qmail/supervise/spamd/log
# cd /var/qmail/supervise/spamd
# fetch
# mv spamd-run run
# chmod 755 run
# cd log
# fetch
# mv log-run run
# chmod 755 run
# mkdir /var/log/qmail/spamd
# vi run

In the run file change the last line to match the following:

exec /usr/local/bin/multilog t n20 s1048576 /var/log/qmail/spamd

Before we create the symlink to the SpamAssassin service, you are required to do an initial run of sa-update. Run the following command:

# /usr/local/bin/sa-update

Now we can create the service:

# ln -s /var/qmail/supervise/spamd /service/

After a few seconds run:

# svstat /service/spamd/ /service/spamd/log/

And you should see something like:

/service/spamd/: up (pid 50481) 4 seconds
/service/spamd/log/: up (pid 50482) 4 seconds

We now want to check and see if spamassassin has any errors. Run the following command:

# spamassassin --lint

The first time you run it, you might see

warn: config: created user preferences file: /tmp/.spamassassin/user_prefs

This error is fine. It's just telling you it's creating a user_prefs file for username qscand.

If you don't get any errors, SpamAssassin is configured correctly!

Now we need to remove the startup script in /usr/local/etc/rc.d:

# rm /usr/local/etc/rc.d/sa-spamd

That's it! SpamAssassin is installed, configured and also running.

Sunday, 05 July 2015 13:24

Configuring Qmail

Getting this part of qmail going is, well, going to be a little rough. We need to download the scripts for qmail-smtpd, qmail-smtpd-ssl and qmail-send. We will start with making all the needed directories and stuff like that, so let's get to it!

# cd ~root/qmail

The only change we will need to make in the smtpd_run file is the IP address. Change this to the local address of the server (or just the listening IP). All authentication services are disabled. By the end of this walkthrough you will have 2 secure SSL and TLS services. All mail will be filtered using RBLs, greylisting and qmail-scanner to help thwart spam.

You will need to edit smtpd_run and change the IP Address:


Now let's make the supervise directory and get everything copied over. The below has about 30 commands for copying the appropriate files into the correct folders. Please feel free to take a look at the file to see exactly what it's doing. It copies all qmail-smtpd, qmail-smtpd-ssl and qmail-send run files for the service and log.

# ./

Now let's set up some qmail aliases. Replace the placeholder address you@example.com in the next three lines with the address you want the emails to go to:

# echo you@example.com > /var/qmail/alias/.qmail-root
# echo you@example.com > /var/qmail/alias/.qmail-postmaster
# echo you@example.com > /var/qmail/alias/.qmail-mailer-daemon

Now we want to setup selective relaying:

# mkdir /etc/tcp/
# cd /etc/tcp
# fetch
# mv etc-tcp-makefile Makefile

Now we need to create the smtp file

At this point it should be ready to go. All you need to do is create the "smtp" file, containing the normal access control list. You may want to add the IP of the server you specified in the /var/qmail/supervise/qmail-smtpd/run file to the /etc/tcp/smtp file. Let's say the IP you used was The line should look like this:,RELAYCLIENT=""

This is what a typical smtp file should look like:

# vi /etc/tcp/smtp

Add the following to /etc/tcp/smtp:


Now run:

# gmake

and you should get an output saying:

tcprules smtp.cdb smtp.tmp < smtp
chmod 644 smtp.cdb smtp

Now to continue on.

Sunday, 05 July 2015 13:24

Disabling Sendmail

Type in the following commands to eliminate sendmail from being called on your box:

# killall sendmail
# mv /usr/sbin/sendmail /usr/sbin/sendmail.old
# chmod 0 /usr/sbin/sendmail.old

To tell FreeBSD not to start sendmail on boot, add this to /etc/rc.conf like so:

# echo "sendmail_enable=NONE" >> /etc/rc.conf
# echo "sendmail_submit_enable=NO" >> /etc/rc.conf
# echo "sendmail_outbound_enable=NO" >> /etc/rc.conf
# echo "sendmail_msp_queue_enable=NO" >> /etc/rc.conf

Now to tell sendmail not to interfere with your qmail setup, add this to your /etc/make.conf like so:

# echo "NO_SENDMAIL=yes" >> /etc/make.conf
# echo "NO_MAILWRAPPER=yes" >> /etc/make.conf

Now let's tell anything that calls sendmail from the common location that we want it to send to qmail instead:

# ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail
# ln -s /var/qmail/bin/sendmail /usr/lib/sendmail

If you are using periodic.conf for your system messages you should also disable clean-purgestat from it. Open up /etc/periodic.conf and edit the following line as follows:

# 150.clean-hoststat
daily_clean_hoststat_enable="NO"                        # Purge sendmail host

That is it. Sendmail is uninstalled!

Sunday, 05 July 2015 13:25

Installing Maildrop

Maildrop is a replacement for your local mail delivery agent. I have configured maildrop (in my previous qmail installs) to filter all Spam related emails to go directly to the user's Maildir/Spam folder. This no longer works. We now just need to install maildrop for qmail-scanner support. Mails are now filtered via dovecot 2. For more information, please see

Let's install maildrop:

# cd /usr/ports/mail/maildrop
# make install clean

Make sure the following option is checked:

[X] AUTH_VCHKPW  popmail/vchkpw support

We need to run a quick fix for vdeliverquota

# ln -s /usr/local/bin/maildrop-deliverquota /usr/local/bin/deliverquota

You can now proceed to the next step!

Sunday, 05 July 2015 13:26

Configuring Validrcptto to fight spam

Configuring validrcptto

The most common questions I receive about the validrcptto.cdb patch involve how to create the validrcptto.cdb file in the first place, or how to use the same file on multiple servers. The mkvalidrcptto script can be a major part of the answer to both questions. This web page will show how I'm using mkvalidrcptto on my own server.

It should be noted that you are not required to use mkvalidrcptto in order to benefit from the validrcptto.cdb patch: any mechanism which produces a list of all valid email addresses on your system will work, even something as simple as manually editing a text file with one email address on each line. As long as you correctly turn this text file into a cdb file, it will work.

Before you install the script, there are a few other packages which need to be installed on the system. The first is djb's cdb library and tools, which contains the cdbmake-12 program, which converts a text file into a cdb file. This package should be installed using the directions on djb's web site. A quick walk-through is shown here:

So let's install it!

# cd /usr/ports/databases/cdb
# make install clean
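
For the hand-edited list mentioned above (one address per line), here is an added example, not part of the cdb package or mkvalidrcptto, that validates the list and emits the records cdbmake reads. It assumes keys are lower-case addresses with empty values; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: not part of mkvalidrcptto or djb's cdb package.
# Assumption: validrcptto.cdb keys are lower-case addresses with an empty
# value, the same records "mkvalidrcptto | cdbmake-12" would produce.

# addrs_to_cdbmake FILE
#   stdout: one "+klen,dlen:key->data" record per unique address, followed by
#           the blank line that terminates cdbmake input
#   stderr: every rejected line; exit status 1 if any line was rejected
addrs_to_cdbmake() {
    # LC_ALL=C makes length() count bytes, which is what cdbmake expects.
    LC_ALL=C awk '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # CR and padding
        $0 == "" || /^#/ { next }                          # blanks, comments
        {
            addr = tolower($0)
            # exactly one "@", non-empty local part and domain, no whitespace
            if (addr !~ /^[^@ \t]+@[^@ \t]+$/) {
                printf "rejected line %d: %s\n", NR, $0 > "/dev/stderr"
                bad = 1
                next
            }
            if (seen[addr]++) next                         # duplicates
            printf "+%d,0:%s->\n", length(addr), addr
        }
        END { print ""; exit (bad ? 1 : 0) }
    ' "$1"
}

# build_validrcptto FILE [CDB]
# Publishes only if every line was valid and the list is not empty.
# cdbmake writes CDB.tmp and renames it, so readers never see a partial file.
build_validrcptto() {
    cdb=${2:-/var/qmail/control/validrcptto.cdb}
    records=$(addrs_to_cdbmake "$1") || return 1
    [ -n "$records" ] || { echo "refusing to publish an empty list" >&2; return 1; }
    umask 022
    printf '%s\n\n' "$records" | cdbmake "$cdb" "$cdb.tmp"
}
```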

Installing the CDB_File module

The mkvalidrcptto script reads several cdb files in order to do its job, which means that you need to install the CDB_File perl module, available through CPAN, the Comprehensive Perl Archive Network, which is an archive of Perl modules which are not included with Perl itself, but which others have decided to share in the hope that they will prove useful.

This is a quick walk-through of how to install the module.

# perl -MCPAN -e shell

If you have never run the CPAN shell before, just hit enter a few times and it will drop you right to the CPAN prompt.

cpan> install CDB_File

cpan> exit
# exit

Now to copy over validrcptto:

# cd /usr/local/bin
# cp ~root/qmail/mkvalidrcptto .
# chmod 755 mkvalidrcptto

One thing that wouldn't hurt is to make sure that your installation of perl is happy with the script and can find the modules. You can do this by running this command as a non-root user:

# perl -c /usr/local/bin/mkvalidrcptto
/usr/local/bin/mkvalidrcptto syntax OK

You should then run it once as root and make sure the output makes sense for your system. The output should be a list of every valid email address on your system, one on each line.

# mkvalidrcptto

Scripting for one system

The mkvalidrcptto script itself just reads the information it needs from your system and prints a list of email addresses. The other half of the equation is turning that list of email addresses into a validrcptto.cdb file, so that qmail-smtpd can use it. The original versions of mkvalidrcptto worked by simply printing the list of email addresses, and relied on another program called cdbmake-12 to produce the actual validrcptto.cdb file. However, as of 2007-06-06, mkvalidrcptto can write the validrcptto.cdb file by itself. This makes the scripting much simpler. The most basic way to create the validrcptto.cdb file would look like this:

# cd /var/qmail/control
# mkvalidrcptto -c validrcptto.cdb

The ideal situation would be to have vpopmail run a certain command whenever it changes something. When John Simpson originally wrote this page, vpopmail did not have that kind of hook; however, I have since written a patch for vpopmail called the ONCHANGE patch, which is officially part of vpopmail as of vpopmail version 5.4.15.

It is possible to write a script like the one below, which can run as a cron job, in response to an ONCHANGE event, or as part of a general qmail-updater service, to rebuild the validrcptto.cdb file.


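#!/bin/sh
# Rebuild validrcptto.cdb; umask 022 leaves the new file readable by other users
umask 022
/usr/local/bin/mkvalidrcptto -c /var/qmail/control/validrcptto.cdb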

If you're reading this and understand how onchange works, you only need to run "mkvalidrcptto -c validrcptto.cdb" inside the /var/qmail/control directory once; once onchange is enabled, it will take care of any updates. I just wanted you, as the user, to understand how validrcptto works.

Now your validrcptto is setup and configured. Now to setup maildrop!

Sunday, 05 July 2015 13:26

Installing vpopmail with onchange

This documentation will attempt to take you through a step-by-step installation of John Simpson's qmail-updater service with vpopmail. If you don't know what this service does please visit the qmail-updater site here.

The qmail-updater service is actually very easy to install. The instructions given by John Simpson on his site are very easy to follow. The problem is the services won't work once you have all the right pieces in place. For convenience, I have transposed John Simpson's documentation to this documentation with his permission and also a special thanks to Jason King for the modified documentation he wrote specifically for FreeBSD.


Let's get things started:

One of the first things we need to do is fetch the tarball which contains the vpopmail skel(eton) files. Why do we need this you say? In layman's terms, rather than having vpopmail make a basic Maildir with new, cur and tmp in it, we are going to replace that with a completely customized Maildir. The next few commands will fetch the tarball, extract it in the correct place and then chown and chmod it.

# cd ~vpopmail
# fetch
# tar zxvf skel4.tgz
# chown -R vpopmail:vchkpw skel/
# chmod -R 700 skel/
# rm skel4.tgz

We now need to change where vpopmail is located in FreeBSD. The location where ports will try to install it is /usr/local/vpopmail so we're going to delete that folder and symlink it to ~vpopmail. Please change the section /home/vpopmail below if you have changed the default location of the vpopmail home directory. If you didn't or you're not sure it will be ok to proceed with the command below. Otherwise edit to taste :-)

# cd /usr/local
# ln -s /home/vpopmail /usr/local/vpopmail

You will need to set the service up to run under daemontools. This process is very painless. Just copy and paste commands into the command line and everything will be fine. (Steps copied from

# cd /var/qmail/supervise
# mkdir -m 1755 qmail-updater
# mkdir -m 755 qmail-updater/log
# mkdir /var/log/qmail/qmail-updater
# cd qmail-updater/log
# fetch
# mv service-any-log-run run
# chmod 755 run
# vi run

Change this line (2nd from the bottom) in the run file:

multilog t n1024 s1048576 ./main

To this:

multilog t n1024 s1048576 /var/log/qmail/qmail-updater

# cd /var/qmail/supervise/qmail-updater
# fetch
# fetch
# fetch
# mv service-qmail-updater-run run
# chmod 755 pipe-watcher update-qmail run

The pipe-watcher script has some variables you can adjust for your own purposes. I found no reason to change anything on my installation so you can keep them the way they are if you wish.

The last step is to simply link the qmail-updater directory in the /service directory so daemontools can run it.

# ln -s /var/qmail/supervise/qmail-updater /service/

Wait a few seconds then run:

# svstat /service/qmail-updater /service/qmail-updater/log

You should see output similar to the following:

/service/qmail-updater: up (pid 5087) 6 seconds
/service/qmail-updater/log: up (pid 5087) 6 seconds

After you've finished linking the service into daemontools, you're done. The service is running and you are ready to test it.

The qmail-updater service works by watching a file for data; once the service sees data on that file, it runs a script which updates the validrcptto database. To test, you will need to open two sessions into your server so you can watch a log file and perform an action on a file at the same time. Next, we need to install fakeroot, then go to the vpopmail port, enable onchange and logging, and install vpopmail!

# cd /usr/ports/security/fakeroot
# make install clean
# cd /usr/ports/mail/vpopmail
# make CONFIGURE_ARGS="--enable-logging=p --enable-onchange-script"

When the options box pops up make sure the following boxes are checked:


Now lets install the vpopmail port:

# make install clean

If that runs without errors, vpopmail is configured and installed. At this point I would add a domain and make sure it adds it okay.

Your users will be very happy they will have the ability to turn on or off their spam protection, change their passwords and all kinds of other fun stuff.

Now that you have the qmail-updater service running, you should be able to add a user through qmailadmin or even the command line and the validrcptto database should be updated automagically, right? Nope, not yet. You don't have any way of automatically writing data to that watched file yet. That is where the onchange script comes into play. Vpopmail is the program you use to add/del users and domains, but vpopmail doesn't have a hook into the qmail-updater service you just installed, so adding a user doesn't write data to that watched file yet. Plus, if you don't have the version of vpopmail that knows to invoke the "onchange" script, it still will not work.

Here is what we need to do to invoke the onchange script:

# cd ~vpopmail/etc
# fetch
# mv onchange-skel onchange

This is the script that vpopmail will execute when a user/domain has been added/deleted from the system. Once you have created this file set the permissions on it:

# chown vpopmail:vchkpw ~vpopmail/etc/onchange
# chmod 750 ~vpopmail/etc/onchange
# chmod +x ~vpopmail/etc/onchange

This last command gives execute permissions to everyone on the file because I've not found a way to get this to work through qmailadmin otherwise.

Now that your onchange script is in place, go ahead and tail the qmail-updater log file again and open up another session to your server:

# tail -f /var/log/qmail/qmail-updater/current | tai64nlocal

Now try adding a domain through the command line and watch your log file to see if stuff appears in it:

# cd ~vpopmail/bin
# ./vadddomain password

If the log file fills up with stuff after you add this domain, congratulations, you are all done with the qmail-updater process. You may also keep the log session open and try to add a user with qmailadmin just to make sure, but it should work fine from there so long as the permissions have been set.

If the log file doesn't move, that means your version of vpopmail does not have the onchange patch in it. Read more about the onchange patch at John Simpson's website at .
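
The flow described above (vpopmail runs onchange, onchange writes to the watched file, qmail-updater rebuilds validrcptto.cdb), as an added example that is not John Simpson's code or part of the original guide. It assumes the watched file is a named pipe carrying one line per change; the function names, pipe path and event wording are hypothetical.

```shell
#!/bin/sh
# Added example: NOT John Simpson's onchange or pipe-watcher scripts.
# Assumptions: the watched file is a named pipe and each change arrives as
# one line; the pipe path and event wording are hypothetical.

# notify_change FIFO WORD...  - the role the vpopmail onchange hook plays.
notify_change() {
    [ -p "$1" ] || { echo "not a named pipe: $1" >&2; return 2; }
    target=$1; shift
    printf '%s\n' "$*" > "$target"
}

# rebuild_validrcptto - the rebuild command used earlier in this guide.
rebuild_validrcptto() {
    ( umask 022; mkvalidrcptto -c /var/qmail/control/validrcptto.cdb )
}

# watch_pipe FIFO REBUILD_CMD [MAX_EVENTS]  - the role qmail-updater plays.
# MAX_EVENTS=0 (default) runs forever, as a daemontools service would.
watch_pipe() {
    fifo=$1; rebuild=$2; max=${3:-0}; handled=0
    [ -p "$fifo" ] || { echo "not a named pipe: $fifo" >&2; return 2; }
    # Open read-write so read does not hit EOF whenever a writer closes.
    exec 3<>"$fifo"
    while IFS= read -r event <&3; do
        # Whoever can write to the pipe controls this line, so it is only a
        # trigger: log a filtered copy, never eval it or pass it to REBUILD_CMD.
        safe=$(printf '%s' "$event" | LC_ALL=C tr -cd 'A-Za-z0-9@._ -' | cut -c1-120)
        echo "change: $safe"
        "$rebuild" || echo "rebuild failed" >&2
        handled=$((handled + 1))
        if [ "$max" -gt 0 ] && [ "$handled" -ge "$max" ]; then break; fi
    done
    exec 3<&-
}
```

As a service this would be started as `watch_pipe /path/to/pipe rebuild_validrcptto`, with the pipe writable only by the account that runs onchange.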

We need to now make a slight modification to the vchkpw file to make SMTP with SSL work correctly:

# cd ~vpopmail/bin
# chmod 6711 vchkpw
# chown vpopmail:vchkpw vchkpw

If you would like to specify a default domain, modify or create /var/qmail/control/defaultdomain and /home/vpopmail/etc/defaultdomain. This will allow your users to just use their username to log in rather than their entire email address.

Sunday, 05 July 2015 13:28

Installing Autorespond

Autorespond is a program that allows you to setup responders for forwarding and mailing robots in qmailadmin.

Installing from ports just can't get any easier than this:

# cd /usr/ports/mail/autorespond
# make install clean

Autorespond is installed!

Sunday, 05 July 2015 13:28

Installing EZMLM

Ezmlm-idx is a mailing list add-on. It is the best (in my opinion) mailing list option out there. It works quite well with qmailadmin, which we will install later in the guide, and works seamlessly with qmail. For more information, please see

Now to install the port:

# cd /usr/ports/mail/ezmlm-idx
# make install clean

If this runs without errors, we will proceed to the next step.

Before you can use the programs, you should copy the "ezmlmglrc.sample", "ezmlmrc.sample" and "ezmlmsubrc.sample" files in /usr/local/etc/ezmlm to "ezmlmglrc", "ezmlmrc" and "ezmlmsubrc" respectively.

# cp /usr/local/etc/ezmlm/ezmlmglrc.sample /usr/local/etc/ezmlm/ezmlmglrc
# cp /usr/local/etc/ezmlm/ezmlmrc.sample /usr/local/etc/ezmlm/ezmlmrc
# cp /usr/local/etc/ezmlm/ezmlmsubrc.sample /usr/local/etc/ezmlm/ezmlmsubrc

When that is done, ezmlm is installed!

Sunday, 05 July 2015 13:50

Installing UCSPI-TCP

UCSPI-TCP is a set of command-line tools for building TCP-based client/server applications. They are compliant to UCSPI, the UNIX Client-Server Program Interface. UCSPI tools are available for several different types of networks. For more information, please see

Installing ucspi-tcp is pretty straightforward:

# cd /usr/ports/sysutils/ucspi-tcp
# make install clean

Please make sure the SSL Protocol support box is checked.

When you run that command, you have 4 options. I would highly suggest installing the man pages. If you would like to use rblsmtpd with ucspi, that is completely up to you. By experience alone, I can tell you enabling RBLs will dramatically decrease the amount of spam you get. If you have or plan to have a large email server, this will definitely help in the long run.
