Sunday, 19 July 2015 01:41

Preinstallation Checklist

Qmail 2.0 will give you the best possible installation for a secure Mail Transfer Agent. This guide will provide the following services:

POP3D-SSL (Port 995)
SMTP-SSL (Port 465)
SMTP-TLS (Port 587)
SMTP (Incoming only Port 25)
Secure Webmail running on Apache 2.4 and Roundcube for Webmail

There are two requirements for this guide:

At 23:59 UTC, December 31, 2016, FreeBSD 9.3, 10.1 and 10.2 will reach
end-of-life and will no longer be supported by the FreeBSD Security Officers
Team.  Users of FreeBSD 9.3, 10.1 and 10.2 are strongly encouraged to
upgrade to a newer release as soon as possible.

The guide supports 10.3 and 11.0.

You will need to make sure your ports system is up-to-date.

If you are using IPv4 and not IPv6 you can disable the IPv6 checkmark from any port by running the following command:

# echo 'OPTIONS_UNSET=IPV6' >> /etc/make.conf

The following ports will need to be installed:

Curl - /usr/ports/ftp/curl
Perl 5.24 - /usr/ports/lang/perl5.24
Bash Shell - /usr/ports/shells/bash
Gmake - /usr/ports/devel/gmake
Unzip - /usr/ports/archivers/unzip
Wget - /usr/ports/ftp/wget
Bind Tools - /usr/ports/dns/bind-tools/

The following ports will need to be installed if you want to enable webmail on your server:

Apache 2.4 or better with SSL (SSL is HIGHLY recommended)
Mysql Server 5.6 or Higher

If you would like to create a queuing server please check out the following link:

A few of John Simpson's scripts expect perl in /usr/bin, where it does not exist on FreeBSD (the port installs it in /usr/local/bin), so we need to create a symlink to it as follows:

# cd /usr/bin
# mv perl bak_perl
# ln -s /usr/local/bin/perl perl

Upgrading your ports and maintaining them is pretty easy. The first thing I would recommend is installing portupgrade from /usr/ports/sysutils/portupgrade. Once that is installed, you can run man portupgrade or just run portupgrade -r name. The -r switch means to upgrade everything recursively, meaning all of its dependencies, or more simply, anything the program requires. You can do this for anything not related to qmail or any of its programs. So for instance portupgrade -r kde will upgrade kde and all of its dependencies.

Another thing I would recommend using is portaudit. If you have your system set up correctly, you will get portaudit reports in your daily security logs. These will warn you about obsolete packages and about security advisories for anything that is installed.

What I am going to suggest in the next few pages is the recommended way to upgrade programs from ports. Mostly we will be backing up .conf files, running portupgrade, and then making sure everything is chmodded or chowned correctly.

Qmail - Qmail doesn't require any type of upgrade. Qmail hasn't been updated since 1997 or 1998, but it is very stable and very secure.

UCSPI-TCP - Pretty much the same as qmail. I don't think it has changed at all. Quite honestly, I have never upgraded it and I have never had a problem running any old/previous versions.

Daemontools - Again, pretty much the same as qmail or UCSPI-TCP.

Ezmlm-idx - This can change from time to time. I would first back up your lists, which reside in ~vpopmail/domains/, before upgrading the port. Then run portupgrade -r ezmlm-idx and check that your lists are intact before deleting your backup.

Qmail-Autoresponder - As of 8/7/14 you need to create a symlink for delivermail as follows if you have not already. Just run the following command: ln -s /usr/local/bin/maildrop-deliverquota /usr/local/bin/deliverquota. Otherwise this can be upgraded when new versions come out. A simple portupgrade -r qmail-autoresponder works fine in most cases.

Vpopmail -

Now that the skel patch is no more, it is fairly easy to upgrade vpopmail from one version to the next. If your security run output or portaudit tells you that vpopmail needs to be upgraded, run the following commands:

# cd /usr/ports/mail/vpopmail
# make CONFIGURE_ARGS="--enable-logging=p --enable-onchange-script"
# make deinstall
# make reinstall

Please make sure to run the following after upgrading vpopmail to make sure it works ok with TLS/SSL:

# cd ~vpopmail/bin
# chmod 6711 vchkpw
# chown vpopmail:vchkpw vchkpw

SpamAssassin - When I have run portupgrades of SpamAssassin in the past, I usually don't run into any issues, except for the upgrade from 2.6x to 3.0.1. There were quite a few changes from version to version, including some newly required modules such as the SPF addon. If you do run a portupgrade on SpamAssassin, I would go to SpamAssassin's website and read the README files under the download section of the site. There it will tell you of any changes/modifications that have been made since the previous version. I would also check the rules under /usr/local/etc/mail/spamassassin, specifically to see if any additions or deletions were made.

Restart SpamAssassin, and then we will need to update the qmail-scanner database by running the following commands:

# setuidgid qscand /var/qmail/bin/ -z
# setuidgid qscand /var/qmail/bin/ -g
# setuidgid qscand /var/qmail/bin/ -p (If you're running qms 2.x)

This will update the header info and the qmail-scanner database and keep everything up to date.

ClamAV - ClamAV is probably the worst of them all, but I will make it easy for you. ClamAV changes almost every three months, possibly sooner. I would recommend backing up clamd.conf and freshclam.conf in /usr/local/etc and then running portupgrade -r clamav. Then chown the following folders:

# chown -R qscand:qscand /var/log/clamav
# chown -R qscand:qscand /var/run/clamav/
# chown qscand:qscand /var/db/clamav/

I would then copy the backups of clamd.conf and freshclam.conf back to /usr/local/etc and run freshclam to make sure everything is working perfectly. Restart clamd, and then we will need to update the qmail-scanner database by running the following commands:

# setuidgid qscand /var/qmail/bin/ -z
# setuidgid qscand /var/qmail/bin/ -g
# setuidgid qscand /var/qmail/bin/ -p (If you're running qms 2.x)

This will update the header info and the qmail-scanner database and keep everything up to date.

You will want to restart ClamAV.

Qmail-scanner - At the time of this writing, I would NOT recommend doing a portupgrade of qmail-scanner. There are a few reasons why. First, it does not even register with the package system, as we run the configure commands manually. Second, we manually patch it with the qms-analog patch to get the nifty qmail-analog reports. So if a new version of qmail-scanner is released, I will update the documentation within a few days of its release.

Qmailadmin - This is something else I wouldn't recommend doing a portupgrade on. When a new version comes out, just run make deinstall on the port and go through the guide as normal, using the newest version from ports. It just can't get any easier than that!

vqAdmin - Nothing needs to be backed up here. Just make deinstall the port and then follow the guide when the new version comes out.

Squirrelmail - This one is a rarity, but every so often a Squirrelmail upgrade does come up. If it does, back up your Squirrelmail folder, run portupgrade -r squirrelmail, and then double-check that your conf files are set up correctly, as they might change.


It probably wouldn't be a bad idea to rotate the qmail-scanner logs, as they can get huge. These logs are stored in /var/spool/qmailscan, and I would suggest adding the following to your /etc/newsyslog.conf:

/var/spool/qmailscan/qmail-queue.log qscand:qscand 600 5 256 * JC
/var/spool/qmailscan/qms-events.log qscand:qscand 600 5 256 * JC
/var/spool/qmailscan/quarantine.log qscand:qscand 660 7 * @T00 JC

If you would like a description of what each section does, do this:

# man 5 newsyslog.conf

The /var/log/maillog file is already rotated once a day by newsyslog.conf.

Monday, 06 July 2015 01:30

How to teach Bayes your users' spam

This doc will show you how to scan each user's .Spam folder, teach the messages to Bayes as spam and/or ham, and then delete them after x days.

First we will want to download the script to a bin folder. I usually put all my scripts in ~root/bin, but you
can put them anywhere you want:

# cd ~root/bin
# fetch
# vi

The first 2 settings, SAPROG and SAFLAGS, should be OK the way they are, provided you're using FreeBSD.
The DOMAIN_BASE_PATH is the default path of vpopmail.
The DOMAINS setting is a list of your local domains which you would like this script to learn against. Make sure the
domains are separated by spaces!
The next three settings are for a catchall setup. If you have one, go ahead and uncomment them and set them as you see fit.
The next three settings are for quarantined spam. If you quarantine spam, go ahead and uncomment them and set them as you see fit.
CHECK_USERS is just how you tell Bayes to train. I set this to 2 myself. I never teach my system hams.
USER_SPAM_DIRS and USER_HAM_DIRS are the default settings. Do not change them unless you changed the skel setup.
DELETE_USER_SPAM and DELETE_SPAM are optional. As it is set right now, it deletes spam older than 30 days.
The last 2 settings are optional. They depend on how you want the output of the script to change. I would leave them as they are
unless you are having problems.

Now to set the correct permissions and then run it:

# chmod 755
# ./

If you are comfortable with the way it runs, go ahead and put it into cron (man 5 crontab for more info) and you should be all set!
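The script itself is not reproduced on this page, so here is an added example of the same procedure, written for this page and not the guide's own script: it reuses the setting names described above, treats every path and the meaning of the CHECK_USERS values as assumptions, and learns a folder before pruning it so nothing is deleted unlearned. Set SAPROG to a stub such as true to dry-run it against a test tree.

```shell
#!/bin/sh
# Added example (not the guide's script): walk each vpopmail user's .Spam
# folder, teach the messages to Bayes with sa-learn, and delete spam older
# than DELETE_SPAM days. Variable names mirror the settings described above;
# every path and the CHECK_USERS encoding are assumptions for this example.

SAPROG="${SAPROG:-/usr/local/bin/sa-learn}"          # assumed location
SAFLAGS="${SAFLAGS:---no-sync}"                       # journal only; sync once at the end
DOMAIN_BASE_PATH="${DOMAIN_BASE_PATH:-/usr/local/vpopmail/domains}"
DOMAINS="${DOMAINS:-example.com example.net}"        # space separated, constructed
CHECK_USERS="${CHECK_USERS:-2}"                       # assumed: 1=ham only, 2=spam only, 3=both
USER_SPAM_DIRS="${USER_SPAM_DIRS:-Maildir/.Spam}"
USER_HAM_DIRS="${USER_HAM_DIRS:-Maildir/.Ham}"
DELETE_SPAM="${DELETE_SPAM:-30}"                      # days; 0 disables deletion

# Print the path of every existing folder of the given kind (relative to
# the user's home) for each user of each listed domain.
user_dirs() {
    kind="$1"
    for d in $DOMAINS; do
        for u in "$DOMAIN_BASE_PATH/$d"/*/; do
            [ -d "$u$kind" ] && printf '%s\n' "$u$kind"
        done
    done
    return 0
}

# Feed the cur/ and new/ subfolders of one Maildir folder to sa-learn.
# sa-learn accepts a directory and reads every file in it, so the messages
# need not be passed one by one; empty or missing subfolders are skipped.
learn_dir() {
    dir="$1"; mtype="$2"                              # mtype is spam or ham
    for sub in cur new; do
        set -- "$dir/$sub"/*
        [ -e "$1" ] || continue
        "$SAPROG" $SAFLAGS "--$mtype" "$dir/$sub" || return 1
    done
    return 0
}

# Delete messages older than DELETE_SPAM days from cur/ and new/ and print
# how many were removed.
prune_dir() {
    dir="$1"
    if [ "$DELETE_SPAM" -le 0 ]; then echo 0; return 0; fi
    n=$(find "$dir/cur" "$dir/new" -type f -mtime +"$DELETE_SPAM" 2>/dev/null | wc -l | tr -d ' ')
    find "$dir/cur" "$dir/new" -type f -mtime +"$DELETE_SPAM" -exec rm -f {} + 2>/dev/null || true
    echo "$n"
}

# Learn (then prune) every user's folders according to CHECK_USERS.
run() {
    removed=0
    for s in $(user_dirs "$USER_SPAM_DIRS"); do
        [ "$CHECK_USERS" -ne 1 ] && learn_dir "$s" spam
        removed=$((removed + $(prune_dir "$s")))
    done
    if [ "$CHECK_USERS" -ne 2 ]; then
        for h in $(user_dirs "$USER_HAM_DIRS"); do learn_dir "$h" ham; done
    fi
    "$SAPROG" --sync                                  # commit the journal once
    echo "removed $removed old spam message(s)"
}

# Invoke as: learnspam.sh run   (suitable for a daily cron entry)
if [ "${1:-}" = "run" ]; then run; fi
```

Learning with --no-sync and syncing once at the end keeps the per-user runs cheap; the prune step only touches files whose mtime is older than the cutoff, so messages that arrived today survive even if they were learned.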

When you first install SpamAssassin from source, rpm or ports, the default setup still allows a lot of spam to get through. The following are a few recommended things to help SpamAssassin filter more spam for you.

If you happen to get a lot of spam to invalid users, I would highly suggest taking a look at John Simpson's validrcptto patch. This is included with his combined patch as well. If you use his patch, you will also need to replace the original qmail-smtpd/run script with John's, as it breaks smtp-auth. Take a look at the following URLs:

If you would like to enable jgreylist, follow this website:

The next thing I would recommend is to enable the Bayes database. Take a look at:

I would suggest adding rules to SpamAssassin to mark up messages better. The only thing I have found about some of these rules is that when you run spamassassin --lint, you do get some errors from time to time.

You can also enable razor/pyzor here:

Another good thing to use is SpamAssassin auto-learning with site-wide Bayes and user feedback. This will allow your users to report spam or ham to Bayes by forwarding it as an attachment.

If you implemented the site-wide Bayes with feedback, adding the Squirrelmail spam or ham reporting option makes reporting via Squirrelmail really simple.

There is some new spam going around in the form of GIFs. Here is a link on how to get rid of those types of spam:

The object of this howto is getting your SpamAssassin 3.0.x Bayes Database
effective system-wide and allow your users to feed mis-tagged spam back to the
server where a script automatically runs sa-learn on it.  In order to use this
method you need the following:

A properly working email server with Spamassassin 3.0.x
RipMIME from
You can install the FreeBSD port: /usr/ports/mail/ripmime
An email account on your server (i.e. a thisisspam address) for the users to send the spam to
The learnspam script included in this package 
Users must send the spam emails as ATTACHMENTS to your thisisspam email address

This howto is based on a qmail server setup according to
Other servers will be similar but you must adjust directories and accounts accordingly.

Please note: If you are running the freebsdrocks setup, you do not need to change the spamd service to run as a different user. It is already running as user qscand.

STEP 1 - The System Account:

The system-wide Bayes database and SpamAssassin need to operate as the same user. Normally that would be spamd, as set in /etc/sysconfig/spamassassin (or similar). But the autolearn script must be able to read and write the mail directories on the server and the Bayes database. spamd cannot read or write the mail directories, so you must run the script as either root (cron.daily) or vpopmail. However, vpopmail does not have read/write permission on the Bayes database if spamd is running SpamAssassin.

For those who do not wish to risk running the script as root, simply change the spamd user to qscand by setting the -u and -h options in /etc/sysconfig/spamassassin from spamd to qscand. Then, when you restart SpamAssassin, ps aux should show spamd running as qscand, who is able to read and write the Bayes directory.

Once you decide which account
will run spamassassin and the autolearn script, choose where in that account's
home directory to put the database, the default is
/home/(account name)/.spamassassin

STEP 2 - Setting up Bayes and Autolearning in Spamassassin:

Edit /usr/local/etc/mail/spamassassin/ and insert the following lines:

bayes_path /path/to/your/bayes/directory ( as you chose in Step 1)
use_bayes 1
bayes_auto_learn 1

Save the file and restart spamassassin
Run sa-learn --sync to resync the database
Run sa-learn --dump magic and you should see nham and nspam at 0

You need 200 ham and 200 spam in your database for Bayes to autolearn.
If you have good emails in your users' /cur directories do the following:

# find /home/vpopmail/domains -type d -name cur -exec sa-learn --nosync --ham {} \;

Then run sa-learn --sync and sa-learn --dump magic to see that they are there.
Otherwise gather some legit email from your users or other sources into a
directory on the server and run sa-learn --nosync --ham on them, then --sync again.

Find some spam to force feed the database - drop it into a folder and run
# sa-learn --nosync --spam /path/to/spam/*
Then run sa-learn --sync and sa-learn --dump magic again
to make sure the database is growing.  You should see numbers climbing steadily
as spamassassin automatically learns spam and ham as mail flows through the server.

STEP 3 - Setting up the Feedback Autolearn Script

After setting up your spam account and installing RipMIME,
Edit the learnspam script variables per your preferences and system.

The system account the script runs as must have /usr/local/bin in its $PATH to find
RipMIME. If you chose to run the script as root (from cron.daily) you will need to
insert this line in the script:   PATH="$PATH":/usr/local/bin
Remember, however, that running anything as root has risks; do so at your own risk.
Forward some spam email to the thisisspam account and run the script to test it.
Make sure that the logfile shows that the emails were RipMIME'd and that they were
learned by sa-learn. If sa-learn has seen them before it will not learn them again
unless it forgets them first, so do not be surprised if you see more examined
than learned. Once the script is tested, enter the cron job for it and watch your
logs for activity.
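As an added example (my own code, not the learnspam script the howto distributes), the following shell script does what Step 3 describes: it walks the thisisspam Maildir, unpacks each forwarded report with ripmime, feeds the attached originals to sa-learn --spam, and writes examined/learned counts to salearn.log so the check described above can be made from the log. The mailbox path, work directory, log file and the textfile* naming of ripmime's own text parts are assumptions; the "Learned tokens from N message(s)" line it parses is what sa-learn prints.

```shell
#!/bin/sh
# Added example (not the learnspam script the howto ships): process the
# reports users forwarded as attachments to the thisisspam mailbox, unpack
# the attached originals with ripmime, teach them to Bayes as spam, and log
# how many were examined and learned. Mailbox path, work directory and log
# file are assumptions for this example.

SPAM_MAILDIR="${SPAM_MAILDIR:-/usr/local/vpopmail/domains/example.com/thisisspam/Maildir}"
WORKDIR="${WORKDIR:-/var/tmp/learnspam}"
LOGFILE="${LOGFILE:-/var/log/salearn.log}"
RIPMIME="${RIPMIME:-ripmime}"
SALEARN="${SALEARN:-sa-learn}"
PATH="$PATH:/usr/local/bin"        # root's cron environment lacks /usr/local/bin

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOGFILE"; }

# Unpack one report into its own directory and print how many attachments
# came out. ripmime names the wrapper's own text bodies textfile*; those are
# the user's cover note, not spam samples, so they are removed first.
extract_report() {
    report="$1"; out="$2"
    mkdir -p "$out"
    "$RIPMIME" -i "$report" -d "$out" --no-nameless >/dev/null 2>&1 || return 1
    find "$out" -type f -name 'textfile*' -exec rm -f {} + 2>/dev/null
    find "$out" -type f | wc -l | tr -d ' '
}

# Walk the thisisspam Maildir, learn each report's attachments, and print
# "examined learned". sa-learn skips messages it has already seen, so the
# learned count can legitimately be lower than the examined count.
process_maildir() {
    examined=0; learned=0
    mkdir -p "$WORKDIR"
    for report in "$SPAM_MAILDIR"/new/* "$SPAM_MAILDIR"/cur/*; do
        [ -f "$report" ] || continue
        examined=$((examined + 1))
        name=$(basename "$report" | tr -c 'A-Za-z0-9._\n' '_')   # safe directory name
        out="$WORKDIR/$name"
        if ! n=$(extract_report "$report" "$out"); then
            log "$name: ripmime failed, report left in place"
            continue
        fi
        if [ "$n" -gt 0 ]; then
            result=$("$SALEARN" --no-sync --spam "$out" 2>&1)
            # sa-learn prints: Learned tokens from N message(s) (M message(s) examined)
            got=$(printf '%s\n' "$result" | sed -n 's/^Learned tokens from \([0-9]*\) message.*/\1/p')
            learned=$((learned + ${got:-0}))
            log "$name: $n attachment(s); $result"
        else
            log "$name: no attachment found, nothing learned"
        fi
        rm -rf "$out"
        rm -f "$report"                 # the wrapper message itself is not kept
    done
    "$SALEARN" --sync >/dev/null 2>&1 || true
    log "examined=$examined learned=$learned"
    echo "$examined $learned"
}

# Invoke as: learnspam.sh run   (from cron, as the user that owns the Bayes db)
if [ "${1:-}" = "run" ]; then process_maildir; fi
```

Reports that ripmime cannot unpack are left in the mailbox and logged rather than deleted, so a malformed forward can be inspected by hand instead of silently disappearing.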

Maintenance - LogRotate does a fine job of rotating the logs on the system. A recommended
entry for salearn.log is:

# AutoLearn Spam Log
# This should rotate the log every week
# and keep one month's worth of logs archived
/var/log/salearn.log {
    weekly
    rotate 4
}

You can download the following related files: and salearn.log


Monday, 06 July 2015 00:34

How to add rules to SpamAssassin

This page has been updated 7/18/2016.

These are additional rulesets you can add to SpamAssassin to help improve spam detection. Please review each rule before you implement it. This walkthrough is optimized for FreeBSD 10.2 RELEASE or STABLE.

Please note: I have removed the sa-blacklist rules as they can cause memory issues. Please see

First we need to choose a backup path. This path should reside outside the standard spamassassin directory. Let's use /usr/local/etc/mail/spambackup

# mkdir /usr/local/etc/mail/spambackup

Now let's copy all the files that are in the /usr/local/etc/mail/spamassassin folder. We want to preserve the file history in this case.

# cd /usr/local/etc/mail/spambackup
# cp -Rp /usr/local/etc/mail/spamassassin/ /usr/local/etc/mail/spambackup

We will add rules that are no longer updated and then we will add a script to update additional rules. First we need to fetch the rules along with the cfupdates script:

# mkdir ~root/rules
# cd ~root/rules
# fetch
# tar zxvf cfupdates2.tgz
# rm cfupdates2.tgz

Now let's copy over the non-updated rules to the spamassassin folder first:

# cp -Rp ~root/rules/*.cf /usr/local/etc/mail/spamassassin
# rm *.cf

Now you will want to copy the cfupdates script to a bin folder. I keep mine in ~root/bin, so let's use that. Feel free to use any path you choose.

# mkdir ~root/bin
# cp ~root/rules/ ~root/bin
# cd ~root/bin
# chmod 755

Here is my crontab entry to run at 3AM every day. It is not advised to run this script more than once in a 24 hour period.

0 3,15 * * * ~root/bin/ > /dev/null 2>&1

Additional notes:

If you are using Bayes, this script will also back up your Bayes folder. Run the following first:

# mkdir /usr/local/etc/mail/spambackup/.spamassassin

Uncomment the two bayes sections in

You can also add your own rules. I provided one as an example. Take a look at the following:

body WEEKLY_STOCK_SPAMS /\bWeekly Stock Report\b/i
describe WEEKLY_STOCK_SPAMS     This is a Stock Spam

In the first section you give the rule a name (WEEKLY_STOCK_SPAMS here), which the score and describe lines also use; it needs to be the same in all 3 sections. The next part of the body line, /\bWeekly Stock Report\b/i,
is the pattern you want to "tag" for SpamAssassin to see.
The score is what you need to determine. If you're using sa-delete, please take this into account.
The last section is just the description of the rule. That's all there is to scoring a message.
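The page's snippet shows only the body and describe lines, so here is a complete version of such a rule with all three sections, plus a second rule showing how sub-rules (names starting with __, which carry no score of their own) are combined with meta. This is an added example, not part of the page's ruleset: the rule names and score values are assumptions you would tune for your own setup, and spamassassin --lint will report syntax errors before you restart spamd.

```conf
# Added example rule file (not the page's own). All three sections share the
# rule name; the score values are assumed placeholders, not recommendations.
body      WEEKLY_STOCK_SPAMS  /\bWeekly Stock Report\b/i
score     WEEKLY_STOCK_SPAMS  3.0
describe  WEEKLY_STOCK_SPAMS  This is a Stock Spam

# Sub-rules (leading __) score nothing on their own; the meta rule fires only
# when both match, so a single word in a subject line does not add points.
header    __STOCK_SUBJ        Subject =~ /\bstock\b/i
body      __STOCK_BODY        /\b(?:penny|hot)\s+stocks?\b/i
meta      STOCK_SPAM_COMBO    (__STOCK_SUBJ && __STOCK_BODY)
score     STOCK_SPAM_COMBO    2.5
describe  STOCK_SPAM_COMBO    Stock subject line plus stock-tout body text
```

Keep custom rules in their own .cf file so the cfupdates script's cleanup of downloaded rule files does not remove them.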

You can also add rules from the /usr/ports/mail/spamass-rules port. Just run make install clean.

More rules are located here:

Special thanks to Steve Donohue

Monday, 06 July 2015 00:34

FuzzyOCR Walkthrough

FuzzyOCR SA Plugin for FreeBSD

Required ports to install are netpbm, gocr, imagemagick, giflib and the String::Approx Perl module.

# cd /usr/ports/graphics/netpbm && make install clean
# cd /usr/ports/graphics/gocr && make install clean
# cd /usr/ports/graphics/ImageMagick && make install clean
# cd /usr/ports/devel/p5-String-Approx && make install clean
# cd /usr/local/etc/mail/spamassassin
# fetch
# tar zxvf fuzzyocr-latest.tar.gz
# cd FuzzyOcr-version

Edit and change all "/etc/mail/spamassassin/" to "/usr/local/etc/mail/spamassassin/"

I set my focr_logfile to /var/log/FuzzyOcr.log

Also edit the file. Search for "$logfile", and you will notice a line calling the log file again. I just pointed it to the same location. Not sure why it's called twice.

Now we finish up.

Also in the file you will need to change the paths of the "Helper Applications" located around line 41. Change them to the following unless you installed them to /usr/bin/.

focr_bin_giffix /usr/local/bin/giffix
focr_bin_giftext /usr/local/bin/giftext
focr_bin_gifasm /usr/local/bin/gifasm
focr_bin_gifinter /usr/local/bin/gifinter
focr_bin_giftopnm /usr/local/bin/giftopnm
focr_bin_jpegtopnm /usr/local/bin/jpegtopnm
focr_bin_pngtopnm /usr/local/bin/pngtopnm
focr_bin_ppmhist /usr/local/bin/ppmhist
focr_bin_convert /usr/local/bin/convert
focr_bin_identify /usr/local/bin/identify
focr_bin_gocr /usr/local/bin/gocr

Be sure they are all uncommented.

# cp FuzzyOcr.* /usr/local/etc/mail/spamassassin/
# cd /usr/local/etc/mail/spamassassin/
# mv FuzzyOcr.words.sample FuzzyOcr.words
# /usr/local/etc/rc.d/ restart

If you are using w0ls0n's cfupdates script, you should remove the rm *.* line, or otherwise your FuzzyOCR confs will go bye-bye.

#* Written by mintee 10/17/2007 *

Updated 10-18-05

Download the following script below:

# wget

# chmod 755

Run it and you will get a nice output :-)

Now add it to cron like so:

0 1 * * * /path/to/

This will send that report to root@hostname at 1AM.

Stop spamassassin/spamd (i.e. you don't want it to be running during the upgrade).

Run "sa-learn --rebuild"; this will sync your journal. If you skip this step, any data from the journal will be lost when the DB is upgraded.

Run "sa-learn --sync", which will cause the DB format to be upgraded. If you want to see what is going on, you can add the "-D" option.

Test the new database by running some sample mails through SpamAssassin, and/or at least run "sa-learn --dump" to make sure the data looks valid.

Start running spamassassin/spamd again.

Sometimes messages come across that list that SpamAssassin considers spam.
Then the question is, should I relearn it as ham or leave it as spam,
because it obviously has characteristics of spam (someone has forwarded a real spam)
but has characteristics of ham as well.
The recommendation from the SpamAssassin folk is to not have SpamAssassin
scan emails from this list.

I checked out the headers and saw that the messages always come from ( ). I edited /etc/tcp.smtp and added:

, QMAILQUEUE="/var/qmail/bin/qmail-queue"

After rebuilding the tcp.smtp.cdb file, this told qmail-smtpd to skip and just run qmail-queue right away. This
worked, and I was now not scanning the message for spam. However, it's
bypassing ClamAV as well. This was not acceptable.

I checked out the source of and found this as
part of the sub spamassassin and sub spamassassin_alt routines:

#Only run SA if mail is from a "remote" SMTP client, or QS_SPAMASSASSIN
#is defined via tcpserver...
if (defined($ENV{'RELAYCLIENT'}) && !defined($ENV{'QS_SPAMASSASSIN'})) {
  &debug("spamassassin: don't scan as RELAYCLIENT implies this was sent by a local user");
  &minidebug("SA: don't scan as RELAYCLIENT implies this was sent by a local user");
  return;   # leave the routine without running SpamAssassin
}

So I added the following piece right below the above code:

if (defined($ENV{'IGNORE_SA'})) {
  &debug("spamassassin: don't scan as IGNORE_SA is set");
  &minidebug("SA: don't scan as IGNORE_SA is set");
  return;   # leave the routine without running SpamAssassin
}

Make sure you change it in both routines.

Saved the file, then edited /etc/tcp.smtp to instead say:

,IGNORE_SA="yes"

Recompile tcp.smtp.cdb, and you're done! Now any mail coming from that
IP will bypass your spam filters. Since that server is run by Apache and
the SpamAssassin guys, I figure it's safe to bypass the spam filter for
other mail that may possibly come from there.
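The first attempt above shows why the knob matters: pointing QMAILQUEUE at qmail-queue skips qmail-scanner entirely, ClamAV included, whereas IGNORE_SA only skips SpamAssassin. As an added example (my own code, not part of the original write-up), this shell linter reads a tcp.smtp rules file, flags rules that bypass the scanner or lack an :allow/:deny action, and only rebuilds the cdb with tcprules when the file is clean. The sample rules, including the 192.0.2.x addresses, are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original write-up): lint /etc/tcp.smtp before
# rebuilding tcp.smtp.cdb. A rule that sets QMAILQUEUE to qmail-queue hands
# the message past qmail-scanner, so neither SpamAssassin nor ClamAV sees it;
# IGNORE_SA is the variable that skips only SpamAssassin.

# Read a tcprules file, print one line per finding on stderr, and print the
# number of findings on stdout.
lint_tcp_smtp() {
    file="$1"; findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac           # blank or comment
        case "$line" in
            *:allow*|*:deny*) ;;
            *) echo "malformed rule (no :allow/:deny): $line" >&2
               findings=$((findings + 1)); continue ;;
        esac
        case "$line" in
            *QMAILQUEUE=*/qmail-queue*)
                echo "bypasses qmail-scanner and ClamAV: $line" >&2
                findings=$((findings + 1)) ;;
        esac
    done < "$file"
    echo "$findings"
}

# Rebuild the cdb only when the rules file is clean. tcprules is the
# ucspi-tcp tool that compiles tcp.smtp into tcp.smtp.cdb.
rebuild_tcp_smtp() {
    rules="${1:-/etc/tcp.smtp}"
    [ "$(lint_tcp_smtp "$rules" 2>/dev/null)" -eq 0 ] || return 1
    tcprules "$rules.cdb" "$rules.tmp" < "$rules"
}

# Constructed sample rules for trying the linter offline.
write_sample_rules() {
    cat > "$1" <<'EOF'
# local users may relay; their mail still goes through SpamAssassin
127.:allow,RELAYCLIENT="",QS_SPAMASSASSIN="1"
# the list server: skip SpamAssassin only, ClamAV still runs
192.0.2.10:allow,IGNORE_SA="yes"
# bad: hands the message straight to qmail-queue, no scanning at all
192.0.2.11:allow,QMAILQUEUE="/var/qmail/bin/qmail-queue"
:allow
EOF
}

# Invoke as: lint-tcp-smtp.sh run   (rebuilds /etc/tcp.smtp.cdb if clean)
if [ "${1:-}" = "run" ]; then rebuild_tcp_smtp; fi
```

Running the linter from the same step that rebuilds the cdb means a bypass rule added in a hurry never reaches the live table without a warning on the terminal.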

Hope this might be useful to someone..

Special thanks to Roman Volf.
Also available as a patch at
