Bill

Sometimes messages come across that list that SpamAssassin considers spam.
The question then is whether I should relearn it as ham or leave it as spam,
because it obviously has characteristics of spam (someone has forwarded a
real spam) but has characteristics of ham as well. The recommendation from
the SpamAssassin folks is to not have SpamAssassin scan emails from this list.

I checked out the header and saw that the messages always come from
hermes.apache.org ( 209.237.227.199 ). I edited /etc/tcp.smtp and added:

209.237.227.199:allow, QMAILQUEUE="/var/qmail/bin/qmail-queue"

After rebuilding the tcp.smtp.cdb file, this told qmail-smtpd to skip
qmail-scanner-queue.pl and run qmail-queue directly. This worked, and the
message was no longer scanned for spam. However, it was bypassing ClamAV as
well, which was not acceptable.

I checked out the source of qmail-scanner-queue.pl and found this as
part of the sub spamassassin and sub spamassassin_alt routines:

#Only run SA if mail is from a "remote" SMTP client, or QS_SPAMASSASSIN
#is defined via tcpserver...
if (defined($ENV{'RELAYCLIENT'}) && !defined($ENV{'QS_SPAMASSASSIN'})) {
    &debug("spamassassin: don't scan as RELAYCLIENT implies this was sent by a local user");
    &minidebug("SA: don't scan as RELAYCLIENT implies this was sent by a local user");
    return;
}

So I added the following piece right below the above code:

if (defined($ENV{'IGNORE_SA'})) {
    &debug("spamassassin: don't scan as IGNORE_SA is set");
    &minidebug("SA: don't scan as IGNORE_SA is set");
    return;
}

Make sure you change it in both routines.

Saved the file, edited /etc/tcp.smtp to instead say:

209.237.227.199:allow,IGNORE_SA="yes"

Recompile tcp.smtp.cdb, and you're done! Now any mail coming from that
IP will bypass your spam filters. Since that server is run by Apache and
the SpamAssassin guys, I figure it's safe to bypass the spam filter for
other mails that may possibly come from there.

Hope this might be useful to someone..

Special thanks to Roman Volf
Also available as a patch at http://thevolf.com/qmail/patches/qmail-scanner-skip-sa.patch
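As an added illustration (not code from Bill's post or from qmail-scanner itself), this Perl script models both halves of the change: how tcpserver selects a tcp.smtp rule for the connecting IP and exports its variables, and the skip decision the patched spamassassin routines then make on that environment. The tcp.smtp contents are constructed, and hostname ("=host") rules, IP ranges and commas inside quoted values are not modelled.

```perl
#!/usr/bin/perl
# Added example, not part of the original post or of qmail-scanner.
# Part 1 mimics tcpserver/tcprules: pick the rule for a client IP from a
# tcp.smtp-style table and collect the environment variables it sets.
# Part 2 is the skip-SpamAssassin decision as made inside sub spamassassin
# and sub spamassassin_alt once the IGNORE_SA patch is applied.
use strict;
use warnings;

# Constructed tcp.smtp in the format the post edits (not a real file).
my $tcp_smtp = <<'RULES';
209.237.227.199:allow,IGNORE_SA="yes"
192.168.1.:allow,RELAYCLIENT=""
:allow
RULES

# Parse tcp.smtp into a list of [address, action, {ENV}] entries.
sub parse_tcp_smtp {
    my ($text) = @_;
    my @rules;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;
        my ($addr, $rest) = split /:/, $line, 2;
        my ($action, @vars) = split /,/, $rest;
        my %env;
        for my $v (@vars) {
            # tcprules syntax is NAME="value"; an empty value still sets NAME,
            # which is exactly how RELAYCLIENT="" works.
            $env{$1} = $2 if $v =~ /^([A-Za-z_][A-Za-z0-9_]*)="(.*)"$/;
        }
        push @rules, [$addr, $action, \%env];
    }
    return \@rules;
}

# Resolve the rule for a client IP the way tcpserver does: the exact address
# first, then each shorter dotted prefix ("1.2.3.", "1.2.", "1."), then the
# default entry with an empty address. The lookup is keyed, so file order
# does not matter.
sub lookup_rule {
    my ($rules, $ip) = @_;
    my %by_addr = map { $_->[0] => $_ } @$rules;
    my @octets = split /\./, $ip;
    my @keys = ($ip);
    push @keys, join('.', @octets[0 .. $_]) . '.' for reverse 0 .. $#octets - 1;
    push @keys, '';
    for my $k (@keys) {
        return $by_addr{$k} if exists $by_addr{$k};
    }
    return;
}

# The decision from the patched qmail-scanner-queue.pl: returns the reason
# SpamAssassin is skipped, or undef when it should run.
sub sa_skip_reason {
    my ($env) = @_;
    return 'RELAYCLIENT implies a local user'
        if defined $env->{RELAYCLIENT} && !defined $env->{QS_SPAMASSASSIN};
    return 'IGNORE_SA is set' if defined $env->{IGNORE_SA};
    return undef;
}

# Glue: which action and environment does a client get, and is SA skipped?
# With no matching rule tcpserver allows the connection with no extra env.
sub decide {
    my ($rules, $ip) = @_;
    my $rule = lookup_rule($rules, $ip);
    my ($action, $env) = $rule ? @{$rule}[1, 2] : ('allow', {});
    my $why = $action eq 'allow' ? sa_skip_reason($env) : undef;
    return ($action, $why);
}

my $rules = parse_tcp_smtp($tcp_smtp);
for my $ip (qw(209.237.227.199 192.168.1.25 203.0.113.7)) {
    my ($action, $why) = decide($rules, $ip);
    printf "%-16s %-5s %s\n", $ip, $action,
        defined $why ? "SA skipped ($why)" : "SA runs";
}
```

Because the rule keys on the peer address of the TCP connection, every message arriving from that address skips SpamAssassin, so keep the entry to the single IP rather than a dotted prefix.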

Monday, 06 July 2015 00:31

SPF Checking with SpamAssassin 3.x

To install SPF, do the following:

If you are using John Simpson's qmail-smtpd-run script, SPF checking is now done within his script at the SMTP level. See his web page for additional configuration information.

cd /downloads/qmailrocks/
wget http://www.goodcleanemail.com/files/tarballs/Mail-SPF-Query-1.997.tar.gz
tar xvzf Mail-SPF-Query-1.997.tar.gz
cd Mail-SPF-Query-1.997
perl Makefile.PL && make && make install

You can test this installation (and that PERL5LIB is set correctly) with perl -e 'require Mail::SPF::Query'.

Now we can let SpamAssassin check for SPF headers.

Without set-UID enabled in Perl (all distros) and the libwww-perl module (for RedHat or Fedora users) installed, SpamAssassin and Qmail-Scanner inevitably don't work properly. Usually this is indicated by "qq temporary problem 4.3.0" or simply by spam subjects not getting tagged.

The solution proven to work on FreeBSD, RedHat and Fedora 2 is to make sure that these modules are installed and then reinstall ClamAV, SpamAssassin and Qmail-Scanner.

FreeBSD

# chmod 4511 /usr/bin/suidperl

The above command enables setuid, which is disabled by default. Alternatively,

enter the line "ENABLE_SUIDPERL=true" in /etc/make.conf. If that file does not exist, create it. After doing a cvsup on ports, which is explained here, go to /usr/ports/lang/perl5.8 and run make deinstall && make reinstall.

For RedHat or Fedora Users

rpm -Uvh /downloads/qmailrocks/patches/rpms/perl-suidperl-x.x.x-xx.x.i386.rpm
to install the setuid module for perl.
Search rpmfind.net or your favorite rpm repository for perl-libwww-perl.

Install the RPM and afterward run updatedb to be sure your rpm database is consistent.

For Debian Users

Run apt-get install perl-suid

Once you have both modules installed and enabled, continue with (or reinstall) qmailrocks steps 14 and 15 to install ClamAV, SpamAssassin and qmail-scanner with setuid enabled.

Friday, 17 June 2016 16:46

Enabling SpamDyke for qmail

Spamdyke is a filter for monitoring and intercepting SMTP connections between a remote host and a qmail server. Spam is blocked while the remote server (spammer) is still connected; no additional processing or storage is needed. In addition to all of its anti-spam filters, spamdyke also includes a number of features to enhance qmail. Best of all, using spamdyke does not require patching or recompiling qmail!

Let's install the port.


# cd /usr/ports/mail/spamdyke
# make install clean

Make sure the following boxes are checked:

DEBUG
DOCS
TLS

Now we need to edit the spamdyke.conf to enable logging.


# vi /usr/local/etc/spamdyke.conf

Now change the following values under logging.

log-level=verbose
log-target=stderr
full-log-dir=/var/log/spamdyke

Now let's create the directory and set permissions:


mkdir /var/log/spamdyke
chown -R qmaild:wheel /var/log/spamdyke


I have re-written the qmail-smtpd/run file as of 6/21/16. If you have downloaded that file before this date you will need to copy the new file over. To download it here is what you will need to do:


# cd ~root
# mkdir qmail
# cd qmail
# fetch http://freebsdrocks.net/qmail2/scripts4.tgz
# tar zxvf scripts4.tgz
# rm scripts4.tgz

Now you'll want to edit the new smtpd_run. Please pay attention to anything you have already enabled and uncomment the lines. For instance if you're using validrcptto you'll want to un-comment the appropriate validrcptto lines, etc.


# vi smtpd_run

Change the IP first

Under the RBL section uncomment the following line:

RBLCMD2="/usr/local/bin/spamdyke -f /usr/local/etc/spamdyke.conf"

Exit the file, then we will copy it over:


# cd /service/qmail-smtpd
# cp run bak.run
# cp ~root/qmail/smtpd_run run
# chmod 755 run

and then restart the qmail-smtpd service.


# svc -t /service/qmail-smtpd

Now check the service and make sure it's running.


# svstat /service/qmail-smtpd
/service/qmail-smtpd: up (pid 20708) 12 seconds

Optional: Adding Spamdyke recipient validation

Parts of this article were modified from this page:

http://www.spamdyke.org/documentation/README_spamdyke_qrv.html

It's impossible to overstate the complexity of qmail's recipient validation procedure. It is inexcusably complex, far beyond the point where anyone can be certain qmail's implementation is correct (and secure) in all cases. If you want to get a glimpse at how bad it is, take a look at the flowchart here. You'll see the flowchart is big, but the number of possible configurations it describes is enormous: there are just under 165 thousand different paths through it (even more if the loops are followed multiple times). Fully testing spamdyke's reject-recipient filter requires checking every one of those paths; this takes weeks to finish using spamdyke's test scripts. spamdyke-qrv begins its work at step 7 in the flowchart (steps 1, 2, 5 and 6 are assumed to have been performed by spamdyke before spamdyke-qrv was started).

spamdyke-qrv is intended to be run as root by marking the binary "setuid root". This is necessary because spamdyke typically runs as a non-root user and doesn't have access to all of the files needed to validate an address without root access.

Now let's start the installation:


# cd /usr/local/bin
# ln -s gcc46 gcc
# ln -s g++46 g++
# cd /usr/ports/distfiles/
# tar -xzvf spamdyke-5.0.1.tgz
# cd spamdyke-5.0.1/spamdyke-qrv
# ./configure --with-excessive-output --with-vpopmail-support VALIAS_PATH=/usr/home/vpopmail/bin/valias VUSERINFO_PATH=/usr/home/vpopmail/bin/vuserinfo
# make
# make install

Check the install with:


spamdyke-qrv -v -v domain.com username

Monday, 06 July 2015 01:02

Setting up a secondary qmail server

The purpose of this document is to provide information for the user to make a decision about creating a backup mail server. The first question should be how many messages will arrive on a daily basis. The next question is how important my messages are to my company or organization. Managing servers can be hard, but if your messages are lost or bouncing when your server is down, then a secondary or queuing server is the answer. The purpose of this is to have the secondary server sitting in front of your qmail server just passing the messages along. When (and if) you are having a problem with the qmail server, the secondary server will queue the messages.

Setting up the secondary server is quite simple; a very minimal qmail setup on FreeBSD will work fine. All you need to do is install FreeBSD 10.2 and make sure ports are updated. Then run the following steps for just the secondary server:

Preinstall Checklist (Excluding Apache and Mysql)
Installing Qmail
Installing Daemontools 
Installing UCSPI-TCP 
Installing Autorespond 
Disabling Sendmail
Configuring Qmail 

Additions to Configuring Qmail:

When you edit the smtpd_run file, please adjust the following settings:

This announces your hostname. It is optional.

SMTPGREETING="$LOCAL NO UCE"

You can turn on GREETDELAY. GREETDELAY will not only save you from spam, but unlike greylisting and/or filtering a la SpamAssassin, it is the only means to really reduce the overall amount of spam, because the time slot required for the spam sender to deliver messages (whether successfully or unsuccessfully) is raised from typically one second to (<=) GREETDELAY seconds. I typically have good luck with a value of 15.

GREETDELAY=15

You can disable mfcheck:

MFCHECK=0

Disable validrcptto by commenting the following lines:

#VALIDRCPTTO_CDB="$VQ/control/validrcptto.cdb"
#VALIDRCPTTO_LIMIT=10
#VALIDRCPTTO_LOG=2

NOTE: If you would like your queuing server to filter valid emails, you could set up a cronjob to fetch the validrcptto.cdb file to your secondary server and then restart qmail-smtpd. You would need to enable validrcptto as described in the qmail guide.

I typically turn off the 3 following SPF settings:

#SPFBEHAVIOR=0
#SPF_LOG=1
#SPF_BLOCK_PLUS_ALL=1

Disable qmail-scanner

#QMAILQUEUE="$VQ/bin/qmail-scanner-queue.pl"

You will also need to run through the Setting up SSL Certs and starting Qmail guide as well. Even though you're not relaying mail you still need to have a certificate setup for qmail. You can skip the sections for creating the qmail-smtpd-ssl service.

We need to do a few things first to make sure messages arrive correctly:

Make sure /var/qmail/control/rcpthosts has a list of your qmail domains

Now setup the correct routing with /var/qmail/control/smtproutes per the examples below:

If you want to route mail from one domain to another, you would do it like so:

domain_you_want_to_route:primary-server.domain.com
another_domain_you_want_to_route:another-server.domain.com

If you want to route all mail, then you should have a line like:

:primary-server.domain.com
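As an added illustration (not code from this guide or from qmail), the script below resolves a recipient domain to the relay that qmail-remote would pick from control/smtproutes, in qmail's documented order: an exact domain entry, then wildcard entries with a leading dot for each parent domain, then the default entry with an empty domain; a relay may carry an optional ":port". It goes beyond the two forms shown above by including the dot-wildcard and port forms qmail also accepts, and the file contents are constructed.

```perl
#!/usr/bin/perl
# Added example, not part of the original guide or of qmail.
# Models how qmail-remote consults control/smtproutes for a recipient domain.
use strict;
use warnings;

# Constructed smtproutes: the two forms from the guide, plus a relay with an
# explicit port and a leading-dot wildcard entry.
my $smtproutes = <<'ROUTES';
domain_you_want_to_route:primary-server.domain.com
another_domain_you_want_to_route:another-server.domain.com:2525
.example.org:mx-sub.example.org
:primary-server.domain.com
ROUTES

# Parse smtproutes into { domain => [relay, port] }; port is undef if absent.
sub parse_smtproutes {
    my ($text) = @_;
    my %routes;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;
        my ($domain, $relay, $port) = split /:/, $line, 3;
        $routes{$domain} = [$relay, $port];
    }
    return \%routes;
}

# The keys qmail-remote tries, in order, for one recipient domain:
# "host.example.org", ".example.org", ".org", "" (default).
# A wildcard ".example.org" matches hosts under example.org, not the bare
# domain example.org itself.
sub route_keys {
    my ($domain) = @_;
    my @labels = split /\./, $domain;
    my @keys = ($domain);
    for my $i (1 .. $#labels) {
        push @keys, '.' . join('.', @labels[$i .. $#labels]);
    }
    push @keys, '';
    return @keys;
}

# Returns (relay, port, matched_key), or an empty list when no entry matches,
# in which case qmail-remote falls back to an MX lookup.
sub resolve_route {
    my ($routes, $domain) = @_;
    for my $key (route_keys($domain)) {
        return (@{ $routes->{$key} }, $key) if exists $routes->{$key};
    }
    return;
}

my $routes = parse_smtproutes($smtproutes);
for my $d (qw(domain_you_want_to_route another_domain_you_want_to_route
              host.example.org example.org)) {
    my ($relay, $port, $key) = resolve_route($routes, $d);
    if (defined $relay) {
        printf "%-34s -> %s:%s  (matched '%s')\n", $d, $relay,
            defined $port ? $port : 25, $key;
    } else {
        printf "%-34s -> no route, MX lookup\n", $d;
    }
}
```

On a queuing server that is about to become the MX, keep the default ":" entry: a domain in rcpthosts with no matching route would otherwise go to an MX lookup that now points back at the secondary itself.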

At this point qmail will be installed. I have created a new qmailctl that just controls qmail-send and qmail-smtpd. You can download it here:

# cd /var/qmail/bin
# mv qmailctl bak_qmailctl
# fetch http://freebsdrocks.net/qmail2/qmailctlqueueonly.tgz
# tar zxvf qmailctlqueueonly.tgz
# rm qmailctlqueueonly.tgz

Now we can restart qmail:

# qmailctl restart

Once this is done you can change your MX record to the secondary server and then it should pass the messages directly to your qmail server.

Qmail-Scanner (st patch) configure options

Qmail-Scanner-2.10st (st patch) ./configure options

The following shows what options the Qmail-Scanner-2.10st (st patch) installation supports:

 ./configure --help

valid options:

  --qs-user <username>            (default: qscand)
                   User that Qmail-Scanner runs as

  --qs-group <usergroup>          (default: same as qs-user)
                   Group that Qmail-Scanner runs as, qs-user must
                   be member of this group.

  --qmaildir <top of qmail>       (defaults to /var/qmail/)

  --spooldir <spooldir>           (defaults to /var/spool/qscan/)

  --bindir <installdir>           (defaults to /var/qmail/bin/)
                   Where to install qmail-scanner-queue.pl

  --setuidgid-path <path to setuidgid program>
                   Defaults to nothing, the configure script will
                   search for it, this option is only necessary if
                   'setuidgid' from daemontools packet is installed
                   in an unusual path.

  --admin <username>              (default: root)
                   User to Email alerts to

  --domain <domain name>
                   "user"@"domain" makes up Email address to Email alerts to

  --admin-description <"description">  (default: "System Anti-Virus Administrator")
                   From line  information used when making reports, the input
                   must be quoted. i.e. --admin-description "Antivirus Admin"

  --local-domains "one.domain,two.domain"
                   Defaults to the value of the "--domain" setting.
                   Comma-separated list (no spaces!)  of domains that are
                   classified as "local". This is needed to ensure alerts
                   are only sent to local users and not remote when
                   '--notify "recips"' is chosen. This will drastically
                   reduce the chance of alerts being sent to mailing-lists.

  --scanners <list of installed content scanners>
                   Defaults to "auto" - will use whatever scanners are found
                   on system.
                   Use this option to override "auto" - set to one or more
                   of the following:

                   [auto|none|clamscan,clamdscan,sweep,sophie,vscan,trophie,
                   uvscan,csav,antivir,kavscanner,AvpLinux,kavdaemon,
                   AvpDaemonClient,fsav,fprot,inocucmd,vexira,bitdefender,
                   verbose_spamassassin,fast_spamassassin]

                   Note the special-case "none". This will disable all but
                   the internal perlscanner module.

  --skip-text-msgs [yes|no]       (defaults to "yes")
                   Q-S will skip running any anti-virus scanner on any messages
                   it works out are text-only. i.e. don't have any attachments.
                   Set to "no" if you want them to be scanned anyway.

  --normalize [yes|no]            (defaults to "yes")
                   This decides if base64/qp attachment 
                   filenames and/or Subject: headers should 
                   be "normalized" back to their decoded form 
                   before being checked against entries in
                   quarantine-events.txt.

  --notify [none|sender|recips|precips|admin|nmladm|nmlvadm|all] (defaults to "psender,nmlvadm")
                   Comma-separated list (no spaces!) of addresses to which
                   alerts should be sent to. "nmladm" means only notify
                   admin for "user infections", 
                   i.e. non-mailing-list mail.
                   "nmlvadm" is the same as nmladm - except that it also doesn't
                   notify for viral e-mails.
                   i.e. just "policy" quarantines get e-mails.
                   This allows you to still notify people when an e-mail is
                   blocked due to a policy decision (such as blocking
                   password-protected zip files), but a message tagged as viral
                   by an AV system will *not* trigger notification.
                   Similarly, "psender" means notify the sender only if their
                   e-mail was blocked for policy reasons.
                   i.e. if an AV system found a virus, then don't notify the
                   sender as the address was probably forged.

  --silent-viruses "virus1,virus2"     (defaults to "auto")
                   This option allows you to tell  Qmail-Scanner *not* to
                   notify senders when it quarantines one of these viruses.
                   Viruses such as Klez alter the sender address so that it
                   has no relation to the actual sender - so there's no point
                   in responding to Klez messages - it just confuses people.
                   The admin and recips will still be notified as set
                   by "--notify". Use this option to override "auto".
                   By default this is set to:
                   "klez,bugbear,hybris,yaha,braid,nimda,tanatos,sobig,winevar,
                   palyh,fizzer,gibe,cailont,lovelorn,swen,dumaru,sober,hawawi,
                   hawaii,holar-i,mimail,poffer,bagle,worm.galil,mydoom,worm.sco,
                   tanx,novarg,\@mm,cissy,cissi,qizy,bugler,dloade,netsky,spam"

  --dlp-monitor "string1|string2"      (defaults to "none")
                   Using this will cause Q-S to *not* block events that match
                   this regex.
                   Typically used in environments where you want to track the 
                   movement of sensitive files/etc outside of your
                   environment, without blocking

  --lang <lang>                   (defaults to en_GB)
                  "af_ZA cs_CZ de_DE en_GB enlt_LT enlt_LT_short en_PL es_ES
                   fr_FR it_IT ja_JP.EUC nl_NL no_NO pl_PL pt_BR pt_PT sv_SE
                   tr_TR tr_TR_ascii tw_BIG5"

  --archive [yes|no|regex]        (defaults to "no")
                   Whether to archive mail after it as been processed.
                   If "yes", all copies of processed mail will be moved into
                   the maildir "/var/spool/qmailscan/archives/".
                   Any other string besides "yes" and "no" will be treated
                   as a REGEX. Only mail from or to an address that contains
                   that regex will be archived. e.g. "jhaar|harry" or
                   "\@our.domain".
                   Be careful with this option, a badly written regex
                   will cause Qmail-Scanner to crash.

  --redundant [yes|no]            (defaults to "yes")
                   Whether or not to let the scanners also scan any zip files
                   and the original "raw" Email file.

  --unzip    [yes|no]             (defaults to "no" - off)
                   Whether or not to forcibly unzip all zip files.
                   Off by default as most AV's do unzip'ping themselves.

  --max-zip-size <number-bytes>   (defaults to 1 Gbytes)
                   This setting allows you to control the maximum size you
                   are willing to allow zip file attachments to unpack to.
                   This is to enable you to limit DoS attacks against your
                   Qmail-Scanner installation (someone could send you a small
                   zip file that unpacks to Gbytes of useless files - filling
                   your harddisk). Set to whatever value you think is
                   appropriate for your system. The default value of 1Gb is
                   set so large so as not to assume anything about your
                   system - YOU WILL NEED TO SET THIS VALUE IN ORDER TO GAIN
                   ANY PROTECTION.
                   Something like "100000000" (100 Mb) might be appropriate.

  --max-unpacked-files <number-files>   (defaults to 10000 files)

  --max-scan-size <number-bytes>        (defaults to 100 Mbytes)
                   Email messages (raw size) larger than this 
                   number (in bytes) will skip all AV and Spam 
                   scanning checks. It's to stop Q-S scanning
                   300Mbyte TIFF file messages and the like.

  --log-crypto [yes|no]           (defaults to "no")
                   Whether or not to log the presence
                   of cryptographic (both signing and encrypting)
                   technologies in the "log-details". Q-S can flag
                   PGP, S/MIME and password-protected zip files. This
                   is informational logging only.

  --fix-mime [yes|no|num]         (defaults to "2")
                   Whether or not to attempt to "fix" broken MIME messages
                   before doing anything else. Should be safe, but *may* break
                   some strange, old mailers (none known yet).
                   Defaults to "2" enables a bunch of extra MIME checks that
                   have proven to be very useful.

  --ignore-eol-check [yes|no]     (defaults to "no")
                   Making this "yes" stops Qmail-Scanner
                   from treating "\r" or "\0" chars in the headers of 
                   MIME mail messages as being suspicious enough to quarantine
                   mail over. Some sites receive so much broken e-mail that this
                   option has been created so that they can still receive such
                   messages without having to be as drastic as to "--fix-mime no"
                   which disables all sorts of other good stuff.
                   Use only if you have to.

  --add-dscr-hdrs [yes|no|all]    (defaults to "no")
                   This adds the now old-fashion X-Qmail-Scanner headers to the
                   message. "all" adds the "rcpt to" headers too - this is a
                   privacy hole.

  --dscr-hdrs-text <"Descrip-Headers-Text">   (defaults to "X-Qmail-Scanner")
                   Input must be quoted.
                   i.e. --dscr-hdrs-text "X-Antivirus-MYDOMAIN"

  --log-details [yes|syslog|no]   (defaults to "syslog")
                   Whether or not to log to mailstats.csv/via syslog the
                   attachment structure of every Email message.

  --debug [0|1|2|3|4|5]           (defaults:1)
                   Whether or not debugging is turned on. Can be also set to
                   a number. Numbers over 100 cause Q-S to not cleanup working
                   files. Thus allowing for offline debugging...
                   debug >= 5, all info is logged.

  --batch
                   Do not confirm configure information (mainly for scripting)

  --install
                   Create directory paths, install perl script, and
                   change ownerships to match.

  --mime-unpacker "reformime"     (defaults to "reformime")

  --spamdir <maildir name>        (defaults to "spam")
                   This will be the maildir directory structure
                   into which spam mails are quarantined 
                   (under /var/spool/qscan/quarantine/spam)
                   It is possible to set it per user/domain enabling the
                   feature settings-per-domain, see the docs.

  --sa-timeout [num]              (defaults to "30")
                   This is the max number of seconds
                   you will allow spamc to take on processing
                   a mail message. Anything longer implies
                   spamd has hung on some narly DNS lookup
                   or the like, and will cause QS to give
                   the message a SPAM score of (?/?)

  --sa-faulttolerant [yes|no]     (defaults to "no")
                   This can be used in addition to sa-timeout
                   as a way of telling Qmail-Scanner to let
                   SA "have another go" at processing a message
                   if it was unable to get it right the first time.
                   It will cause Q-S to run SA up to THREE TIMES
                   on a particular email - if SA fails to return any
                   value (in the past this used to lead to Q-S reporting
                   (?/?)). This can get around emails from far-off domains
                   that "hang" SA due to DNS lookups - and *may* allow SA
                   to operate correctly the next time it is called on the same
                   message. See "--sa-tempfail" for even more
                   reliability options

  --sa-maxsize [num]              (defaults to "256000")
                   This size (in bytes) sets the
                   max size email that will be
                   processed by SpamAssassin.

  --sa-tempfail [yes|no]          (defaults to "yes")
                   Should Qmail-Scanner treat SpamAssassin
                   like AV products and tempfail if it 
                   fails to return a score?

  --settings-per-domain [yes|no]        (defaults to "no")
                   Enable or disable the domain-wise mode, each user/domain
                   will have a customized settings (@scanner_array and
                   sa_settings). If the user/domain haven't a custom 
                   settings, qmail-scanner will fall to the defaults
                   site settings (@scanner_array and sa_site_settings).

  --virus-to-delete [yes|no]      (defaults to "no")
                   Enable this option if you want to delete some viruses
                   (i.e. mydoom) without notifying anyone. If you don't enable
                   it now, you can later edit qmail-scanner-queue.pl and add
                   the virus you want to the list virus_to_delete.

  --sa-sql [yes|no]               (defaults to "no")
                   Whether to run spamassassin with the 'rcpt to' as option,
                   only useful if you are running spamassassin with user
                   settings in mysql.
                   If you enable 'settings-per-domain' a message with multiples
                   recipients will be scanned for each recipient with his
                   own spamassassin settings.

  --sa-delta [num]                (default: 0)
                   If $spamc_subject is defined, and fast_spamassassin mode is
                   selected, a tag will be added to the subject indicating how
                   the message is to be considered as spam, in this way:
                   LOW: required_hits < score < required_hits + sa_delta
                   MEDIUM: required_hits + sa_delta < score < required_hits + 2 * sa_delta
                   HIGH: required_hits + 2 * sa_delta < score
                   Be aware, sa_max+2*sa_delta must be lower than sa_quarantine.
                   'required_hits' is the value set in the SpamAssassin
                   configuration file.

  --sa-subject <"some text">   (defaults to nothing)
                   This is an alternative way to set the tag that qmail-scanner
                   add to subject of spam mails, to some text.
                   Spamassassin must be working in *fast_spamassassin* mode
                   Be sure that is better to tag the subject, of spam messages,
                   through qmail-scanner than with the rewrite_subject
                   of SpamAssassin.
                   The input must be quoted i.e. "SPAM *** ". 

  --sa-forward <username@domain>     (default: nothing)
                   User to redirect spam mails 'being quarantined' for
                   admin purposes...
                   The message is forwarded almost unmodified so you can
                   use 'sa-learn' with it.
                   If you prefer that the message includes the spam headers
                   enable the next option.
                   (i.e.  --sa-forward <username@domain>)

  --sa-fwd-verbose [yes|no]       (default: no)
                   Whether to add the X-Spam headers to the forwarded message.

  --sa-quarantine [num]           (default: 0)
                   Spam messages with a score higher than
                   (required_hits + sa_quarantine) should be quarantined.
                   Only relevant if SpamAssassin is used.
                   Score of 0 means deliver all messages.

  --sa-delete [num]               (default: 0)
                   Spam messages with a score higher than
                   (required_hits + sa_delete) should be deleted.
                   Only relevant if SpamAssassin is used.
                   Score of 0 means deliver all messages.

  --sa-reject [yes|no]            (default: no)
  --quarantine-reject [yes|no]
                   If you enable sa-reject and sa-delete is properly set,
                   messages with a score higher than sa-delete will be rejected
                   before the smtp session is closed. Otherwise they are just
                   dropped silently. (1/0)
                   Different from the official version, only spam mails are
                   rejected, if your installation has the 'custom error patch'
                   a nice little text message is sent, those without just
                   produce a generic Qmail error. BE CAREFUL IF ENABLING AND
                   YOUR Q-S SERVER ISN'T DIRECTLY FACING THE INTERNET

  --sa-alt [yes|no]               (default: no)
                   Use the alternative subroutine for spamassassin, it runs in
                   *fast_spamassassin* mode and doesn't pass the '-u' option
                   to spamc. (1/0)

  --sa-debug [yes|no]             (default: no)
                   If sa-alt is enabled an you enable this option, you will
                   have a beautiful log with the tests and the scores of
                   spamassassin in the file qmail-queue.log (1/0)

  --sa-report [yes|no]            (default: no)
                   If sa-alt is enabled you can add the X-Spam-Report header
                   to the messages enabling this option.

  --sa-socket     (defaults to nothing)
                   Actually the configure script can automatically discover
                   if spamd is running in unix-socket mode, but,
                   if for some reasson the socket couldn't be
                   found properly you can set the path with this option.
                   i.e. --sa-socket /var/run/spamd

  --sa-remote remote.spamd.host[,port]  (defaults to nothing)
                   You can use the hostname or the ip address, if not specified
                   the default port is 783

       ****************
         Rarely Used
       ****************

  --no-QQ-check
                   Do not check that the QMAILQUEUE patch is installed.
                   This explicitly disables any "--install" reference
                   as that is NOT POSSIBLE with a manual install.
                   Use ONLY IF YOU MUST. The QMAILQUEUE patch is REALLY
                   a GOOD THING!!!!

  --skip-setuid-test
                   don't test for setuid perl. Only of use for those wanting
                   to run the C-wrapper version.

  --qmail-queue-binary
                   Set this to the FULL PATH to the Qmail qmail-queue
                   binary. This is only EVER set when doing a manual install.


This script must be run as root so it can detect problems with setuid
perl scripts!
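As an added illustration (not code from the st patch or from qmail-scanner), this script models how the --sa-delta, --sa-quarantine and --sa-delete thresholds listed above partition a SpamAssassin score into LOW/MEDIUM/HIGH subject tags, quarantine and deletion, and checks the constraint the --sa-delta text states. The configuration values are constructed; treating a score that lands exactly on a band boundary as the higher band, and checking delete before quarantine before tagging, are assumptions of this model.

```perl
#!/usr/bin/perl
# Added example, not part of the st patch documentation or of qmail-scanner.
# Works through the score bands described for --sa-delta, --sa-quarantine
# and --sa-delete.
use strict;
use warnings;

# Constructed configuration, as it might come out of ./configure.
my %cfg = (
    required_hits => 5,    # from the SpamAssassin configuration file
    sa_delta      => 3,    # --sa-delta
    sa_quarantine => 12,   # --sa-quarantine (0 = never quarantine)
    sa_delete     => 25,   # --sa-delete     (0 = never delete)
);

# The constraint from the --sa-delta text: the HIGH band must end below the
# quarantine threshold, otherwise tagging and quarantine overlap.
sub check_thresholds {
    my ($c) = @_;
    my @problems;
    push @problems, 'required_hits + 2*sa_delta must be lower than sa_quarantine'
        if $c->{sa_quarantine} > 0
        && $c->{required_hits} + 2 * $c->{sa_delta} >= $c->{sa_quarantine};
    return @problems;
}

# Classify one score. Returns (action, band). Assumption: the most severe
# threshold wins, so delete is checked before quarantine, and quarantine
# before subject tagging. A score below required_hits is not spam at all.
sub classify {
    my ($c, $score) = @_;
    my $rh = $c->{required_hits};
    return ('deliver', '') if $score < $rh;
    return ('delete', '')
        if $c->{sa_delete} > 0 && $score > $rh + $c->{sa_delete};
    return ('quarantine', '')
        if $c->{sa_quarantine} > 0 && $score > $rh + $c->{sa_quarantine};
    my $d = $c->{sa_delta};
    # With sa_delta 0 the subject gets only the plain --sa-subject tag.
    return ('tag', '') if $d <= 0;
    my $band = $score < $rh + $d     ? 'LOW'
             : $score < $rh + 2 * $d ? 'MEDIUM'
             :                         'HIGH';
    return ('tag', $band);
}

print "config problem: $_\n" for check_thresholds(\%cfg);
for my $score (3, 6.5, 9, 12, 18, 31) {
    my ($action, $band) = classify(\%cfg, $score);
    printf "score %5.1f -> %-10s %s\n", $score, $action, $band;
}
```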


Salvatore Toribio

20111118


Monday, 06 July 2015 01:34

Installing Squirrelmail

SquirrelMail is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation. For more information, please see http://www.squirrelmail.org

To install squirrelmail port, run the following command:


# cd /usr/ports/mail/squirrelmail
# make install clean

This will install Squirrelmail in /usr/local/www and install all required modules. Now we want to symlink the webmail location. We do it this way because we don't want to move the squirrelmail folder to your webmail location, as that would make portupgrading harder for you. If we symlink it, it's kinda like an alias.


# ln -s /usr/local/www/squirrelmail/ /usr/local/www/apache22/data/webmail

Configuring Squirrelmail

Now we need to configure squirrelmail. Run the following commands to get into setup mode:


# cd /path/to/webmail/config
# ./conf.pl

You will be presented with a menu. Under 1 - Organization Preferences, all of the settings in this window are optional. When you are done, hit S to save, then hit Enter, then hit R to go back to the Main Menu.

Now we want to go to 2 - Server settings. Hit 1 for Domain and hit Enter on the keyboard. You can type the name of the server, the local IP or the public IP, whichever you prefer. If your mailserver is behind a router/firewall, I use the local IP. If you are on the public side of things, the hostname or the static IP will work fine. If you are using a dyndns service like dyndns.org, I would highly suggest using the local IP and putting your qmail server behind a router/firewall.

Under Server settings we want to use the following. Please change x.x.x.x to the IP of your mail server:

1. Domain : x.x.x.x
2. Invert Time : false
3. Sendmail or SMTP : Sendmail

A. Update IMAP Settings : localhost:143 (other)
B. Change Sendmail Config : /var/qmail/bin/sendmail

Hit Y and then hit Enter. Hit S to save and then hit Enter again. Hit Q to quit and exit the menu.

Now lets setup ownership for squirrelmail attachments:


# chown www:www /var/spool/squirrelmail

And then set up php.ini (if it isn't already):


# cd /usr/local/etc
# cp php.ini-recommended php.ini

Testing Squirrelmail

If you happen to see this error when browsing to the squirrelmail site:

Fatal error: Call to undefined function: preg_replace() in /usr/local/www/apache22/data/functions/global.php on line 165

Install the following port


# cd /usr/ports/devel/php4-pcre
# make install clean

Just to make sure Squirrelmail is working okay, we will want to run the config test. Do this by going to the following URL: http://your-squirrelmail-location/src/configtest.php. Replace your-squirrelmail-location with your IP or your hostname. This will tell you if squirrelmail is set up correctly. If you see this:

ERROR: Error connecting to SMTP server "localhost:25".Server error: (0) Unknown error: 0

This is okay. The server is able to accept messages on port 25 for anything in locals or rcpthosts, or for relaying via TLS. When you have finished installing squirrelmail you should install the change_pass-2.7-1.4.x plugin so users can change passwords with courier.

http://squirrelmail.org/plugin_download.php?id=21&rev=1072

This guide will eventually be replaced by dovecot but I will leave this up for archival reasons.

Basically you will want to use qmail-pop3dssl if you want a completely secure setup, which includes SMTP and POP3 over SSL or TLS. This section covers installing pop3d via SSL.

First lets get the scripts copied over:


# cd /var/qmail/supervise/
# mkdir -m 1755 qmail-pop3dssl
# cd qmail-pop3dssl
# fetch http://freebsdrocks.net/files/service-pop3ssl-run
# mv service-pop3ssl-run run
# chmod 755 run
# mkdir -m 1755 log
# cd log
# fetch http://freebsdrocks.net/files/service-any-log-run
# mv service-any-log-run run
# chmod 755 run

Create the pop3d-ssl cert by running the following command:


# cd /usr/local/share/courier-imap
# openssl req -new -x509 -nodes -out pop3d.pem -keyout pop3d.pem -days 3650

When you run this command, it is going to ask you a series of questions. It will ask you for the Country, City or Province, Locality, and Organization name, all of which are optional. The next thing it asks for is very important: the Common Name. This must be the name people put into their POP3 SSL server setting. For instance, if all your users type pop3.ssl.server as their POP3 server name, then that is what you will want to put into the Common Name. If you don't, your users will get a nag screen every time they open their mail client, which causes confusion and often upset users.
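The same certificate can be produced without answering the prompts, and then checked before pop3d is pointed at it. The helper below is an added example, not a script from the original page: it sets the Common Name via -subj, creates the combined key+certificate file readable by the owner only (with -nodes the private key is stored unencrypted in that same file), and then verifies that the CN matches the expected hostname, that the key and certificate belong together, and that the file mode is 0600. It assumes the openssl command-line tool is installed; the output path and hostname are parameters chosen by the caller.

```sh
#!/bin/sh
# Added example (not from the original page): build the combined key+cert
# file non-interactively and verify it before handing it to pop3d-ssl.
# Assumes the openssl CLI exists; the paths and hostnames are constructed.

make_pop3d_pem() {
    # $1 = output .pem (private key followed by certificate, as courier reads it)
    # $2 = Common Name: the hostname users type as their POP3 server
    pem="$1"; cn="$2"
    # -nodes writes the private key unencrypted into the same file, so create
    # it owner-readable only; the subshell keeps the umask change local.
    ( umask 077 && openssl req -new -x509 -nodes -days 3650 \
          -subj "/CN=${cn}" -keyout "$pem" -out "$pem" 2>/dev/null )
}

pem_common_name() {
    # Print the certificate CN from $1. Handles both the older "/CN=x" and
    # the newer "CN = x" subject formats that openssl prints.
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

pem_key_matches_cert() {
    # Confirm the private key and certificate in $1 belong together by
    # deriving the public key from each and comparing them.
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

pem_is_private() {
    # True when $1 has mode 0600, i.e. no group or world access to the key.
    [ -n "$(find "$1" -perm 600 -print)" ]
}

check_pop3d_pem() {
    # Run every check against file $1 for expected hostname $2.
    # Returns 0 only when all of them pass.
    [ "$(pem_common_name "$1")" = "$2" ] || { echo "CN mismatch" >&2; return 1; }
    pem_key_matches_cert "$1" || { echo "key/cert mismatch" >&2; return 1; }
    pem_is_private "$1" || { echo "key file readable by others" >&2; return 1; }
}

# Usage (constructed values; the page's own path is /usr/local/share/courier-imap/pop3d.pem):
#   make_pop3d_pem /usr/local/share/courier-imap/pop3d.pem pop3.example.org
#   check_pop3d_pem /usr/local/share/courier-imap/pop3d.pem pop3.example.org
```

check_pop3d_pem is the part worth keeping around: a CN that does not match what clients connect to is exactly the nag-screen problem described above, and a world-readable pop3d.pem hands out the server's private key to every local account.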

Now copy over the new config files:


# cd /usr/local/etc/courier-imap
# cp pop3d.cnf.dist pop3d.cnf
# cp pop3d-ssl.dist pop3d-ssl

Modify /usr/local/etc/courier-imap/pop3d-ssl so it includes the below lines:


POP3DSSLSTART=YES
TLS_CERTFILE=/usr/local/share/courier-imap/pop3d.pem

Now lets start the service:


# ln -s /var/qmail/supervise/qmail-pop3dssl /service/qmail-pop3dssl

Now if you run:


# svstat /service/qmail-pop3dssl /service/qmail-pop3dssl/log

You should get something like:


/service/qmail-pop3dssl: up (pid 26984) 156 seconds
/service/qmail-pop3dssl/log: up (pid 26711) 323 seconds
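The svstat lines above (and the later svstat checks for courier-passwd, courier-authdaemond and courier-imap) look healthy only if the uptime keeps growing. A service whose run script exits immediately also shows "up", but only for a second or two, because supervise restarts it after a one-second pause. The helper below is an added example, not from the original page; it parses svstat output and flags that case. The sample lines are constructed to match the format shown above.

```sh
#!/bin/sh
# Added example (not from the original page): parse svstat output and tell a
# healthy service from one that supervise keeps restarting. The sample lines
# below are constructed to match the svstat format shown on the page.

STABLE_LINE='/service/qmail-pop3dssl: up (pid 26984) 156 seconds'
FLAPPING_LINE='/service/qmail-pop3dssl: up (pid 27001) 1 seconds'
DOWN_LINE='/service/qmail-pop3dssl: down 12 seconds, normally up'

svstat_uptime() {
    # $1 = one svstat line. Prints how many seconds the service has been up,
    # or -1 when svstat reports anything other than "up".
    printf '%s\n' "$1" | awk '
        $2 == "up" { for (i = 3; i < NF; i++) if ($(i+1) ~ /^seconds/) { print $i; exit } }
        $2 != "up" { print -1 }'
}

service_is_stable() {
    # $1 = svstat line, $2 = minimum uptime in seconds.
    # Returns 0 only when the service has been up for at least $2 seconds;
    # an uptime of a second or two usually means the run script exits at
    # once and supervise restarts it after its one-second pause.
    secs=$(svstat_uptime "$1")
    [ "$secs" -ge "$2" ]
}

check_service_dir() {
    # Live variant: query a real daemontools service directory (needs svstat).
    # $1 = service directory, $2 = minimum uptime in seconds.
    service_is_stable "$(svstat "$1")" "$2"
}

# Usage: report on the constructed lines; a real run would call
# check_service_dir /service/qmail-pop3dssl 60 instead.
for line in "$STABLE_LINE" "$FLAPPING_LINE" "$DOWN_LINE"; do
    if service_is_stable "$line" 60; then
        echo "OK        $line"
    else
        echo "ATTENTION $line"
    fi
done
```

Run check_service_dir against each service directory a minute or so after linking it into /service; the log directory's uptime is checked the same way, and a flapping log service means multilog cannot write, which silently loses the logs you would need later.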


You're done! POP3D-SSL is setup and ready!

Now lets remove the 2 startups scripts in /usr/local/etc/rc.d:


# rm /usr/local/etc/rc.d/courier-imap-pop3d
# rm /usr/local/etc/rc.d/courier-imap-pop3d-ssl

Monday, 06 July 2015 01:29

Installing Courier-Imap

Courier-IMAP is a server that provides IMAP access to Maildir mailboxes. This IMAP server does NOT handle traditional mailbox files (/var/spool/mail, and derivatives), it was written for the specific purpose of providing IMAP access to Maildirs. For more information, please visit http://www.courier-mta.org/imap/


Lets start with installing the port and configuring the options for it:


# echo "WITHOUT_X11=yes" >> /etc/make.conf
# echo "NO_X=yes" >> /etc/make.conf
# cd /usr/ports/lang/expect
# make install clean
# cd /usr/ports/mail/courier-imap
# make install clean

When you run make install clean on courier-imapd, make sure the following boxes are checked:

IPV6
AUTH_VCHKPW

Once that is done, We will want to install courierpassd:


# cd /usr/ports/security/courierpassd
# make install clean

Now we will want to delete the startup file in the /usr/local/etc/rc.d folder:


# rm /usr/local/etc/rc.d/courier-authdaemond

and make sure that the following line is NOT in /etc/rc.conf:


enable_courier-authdaemond="YES"

Next we need to set up the daemontools directory structure for the courierpasswd service. I use /var/qmail/supervise as the physical location for my service directories; you can use whatever you like, except that it cannot be /service itself. The examples below use /var/qmail/supervise, so if you are using something different, adjust the paths where appropriate.


# cd /var/qmail/supervise
# mkdir -m 1755 courier-passwd
# cd courier-passwd
# fetch http://freebsdrocks.net/files/service-courierpassd-run
# mv service-courierpassd-run run
# chmod 755 run
# mkdir -m 755 log
# cd log
# fetch http://freebsdrocks.net/files/service-any-log-run
# mv service-any-log-run run
# chmod 755 run

The last step, of course, is to start the service running:


# ln -s /var/qmail/supervise/courier-passwd /service/courier-passwd

You can verify the service is running by typing:


# svstat /service/courier-passwd/ /service/courier-passwd/log/

Now we want to setup a few files:


# cd /usr/local/etc/courier-imap
# cp imapd.cnf.dist imapd.cnf
# cp imapd-ssl.dist imapd-ssl

Now we need to make the imap cert:


# /usr/local/share/courier-imap/mkimapdcert

Now edit the following file:


# vi /usr/local/etc/authlib/authdaemonrc

And change the following section:


authmodulelist="authvchkpw"

Now to setup the courier-authdaemond service:


# cd /var/qmail/supervise
# mkdir -m 1755 courier-authdaemond
# cd courier-authdaemond
# fetch http://freebsdrocks.net/files/courier-authdaemond-run
# mv courier-authdaemond-run run
# chmod 755 run
# mkdir -m 755 log
# cd log
# fetch http://freebsdrocks.net/files/service-any-log-run
# mv service-any-log-run run
# chmod 755 run

and finally link authdaemond to /service:


# ln -s /var/qmail/supervise/courier-authdaemond /service/courier-authdaemond

And now to check to see if courier-authdaemond is running:


# svstat /service/courier-authdaemond/ /service/courier-authdaemond/log/

Now, before we start to work on getting courier running via daemontools rather than using the scripts, we are going to want to delete the scripts in /usr/local/etc/rc.d:


# rm /usr/local/etc/rc.d/courier-imap-imapd
# rm /usr/local/etc/rc.d/courier-imap-imapd-ssl

Make sure the following two lines are deleted from /etc/rc.conf


Enable_courier-imap-imapd="YES"
Enable_courier-imap-imapd-ssl="YES"

This last bit is VERY important: we don't want courier-imap trying to start twice at the next reboot, so be sure to take the command that starts the service OUT of /etc/rc.conf.

Now we want to make service directories for courier-imap just like you did for courierpassd


# cd /var/qmail/supervise
# mkdir -m 1755 courier-imap
# cd courier-imap
# fetch http://freebsdrocks.net/files/courier-imap-run
# mv courier-imap-run run
# chmod 755 run
# mkdir -m 755 log
# cd log
# fetch http://freebsdrocks.net/files/service-any-log-run
# mv service-any-log-run run
# chmod 755 run

Now we link the courier-imap to service:


# ln -s /var/qmail/supervise/courier-imap /service/courier-imap

Now we need to check and make sure courier-imap is running:


# svstat /service/courier-imap/ /service/courier-imap/log/

If you want to run an IMAP SSL service you can, but you need to set it up separately from the stock IMAP service. I use both: the plain IMAP service is bound to the localhost address only, so that only my webmail (and any local service) can access it, and the SSL service is for all your public interfaces.


# cd /var/qmail/supervise
# mkdir -m 1755 courier-imap-ssl
# cd courier-imap-ssl
# fetch http://freebsdrocks.net/files/courier-imap-ssl-run
# mv courier-imap-ssl-run run
# chmod 755 run
# mkdir -m 755 log
# cd log
# fetch http://freebsdrocks.net/files/service-any-log-run
# mv service-any-log-run run
# chmod 755 run

Now link your imap-ssl service so daemontools will start it.


# ln -s /var/qmail/supervise/courier-imap-ssl /service/courier-imap-ssl

I have modified the existing qmailctl and called it imapctl. This script will control the imap files. It works quite well and I have been using it for a month now. Here it is:


# cd /var/qmail/bin
# fetch http://freebsdrocks.net/files/imapctl
# chmod 755 imapctl

If you run imapctl stat, you should get output for the IMAP-related services. Very cool, huh?

Once the courier daemons are started, we are all done!

First you will want to download the libcurl rpms. Below is a link:

http://curl.haxx.se/download/

Otherwise, this is what I did to install on Fedora Core 2.


# wget http://curl.haxx.se/download/libcurl3-7.14.0-1.i386.rpm
# wget http://curl.haxx.se/download/libcurl3-devel-7.14.0-1.i386.rpm

# rpm -e curl-devel
# yum install openssl096b.i386
# rpm -ivh libcurl3-7.14.0-1.i386.rpm
# rpm -ivh libcurl3-devel-7.14.0-1.i386.rpm

If all goes well, you should have the following files:

/usr/lib/libcurl.so.3
/usr/lib/libcurl.so.3.0.0

Special thanks to Marnitz Gray