
Bill

Monday, 06 July 2015 01:27

How to update ClamAV on Fedora Core

Go to www.clamav.net and browse to binaries and ports under downloads

(or use wget to retrieve them.  I used the ones from Petr Kristof)

Download clamav and clamav-devel rpms
vi /var/qmail/supervise/qmail-smtpd/run - comment out qmailqueue and save
run qmailctl stop - then qmailctl stat.

If qmail-send or others are running kill them
qmailctl start - fresh start without qmail-scanner operating
/etc/init.d/clamav stop
yum update zlib
rpm -e --nodeps clamav-devel
rpm -e --nodeps clamav
(you should see that clamd.conf and freshclam.conf are saved as .rpmsave)
rpm -Uvh clamav-0.84-1.rpm
rpm -Uvh clamav-devel-0.84-1.rpm
mv /etc/clamd.conf /etc/clamd.conf.new
mv /etc/freshclam.conf /etc/freshclam.conf.new
mv /etc/clamd.conf.rpmsave /etc/clamd.conf
mv /etc/freshclam.conf.rpmsave /etc/freshclam.conf
chown -R qscand:qscand /var/lib/clamav
/etc/init.d/clamav start
/usr/bin/freshclam (make sure it works)
/downloads/qmailrocks/qmail-scanner-1.24/qms-config install
(follow prompts to generate a fresh qmail-scanner-queue.pl file)
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -zg
vi /var/qmail/supervise/qmail-smtpd/run - restore qmailqueue line
qmailctl stop
qmailctl stat (ensure everything stops, if not ... kill it)
qmailctl start
Some final checks:
tail /var/log/maillog (make sure no errors)
tail /var/spool/qmailscan/qms-events.log (again .. no errors to contend with)
send yourself a test message

Monday, 06 July 2015 01:22

Setting up QmailMRTG

How to display qmail stats using mrtg

How to get the qmail graphs working with mrtg.
Graphs include rbl, validrcptto, jgreylist, and more
By William Olson http://freebsdrocks.net http://goodcleanemail.com
------------------------------------------------------------------

You will need to install the following 2 ports:


# cd /usr/ports/net-mgmt/mrtg
# make install clean
# cd /usr/ports/mail/qmailmrtg7
# make install clean

Pick the location to download the stats to (preferably within your www folder), then download the tarball. Replace any of the /path/to folder names below with the actual place you are storing qmailstats.


# cd /path/to/stats
# fetch http://www.goodcleanemail.com/files/tarballs/qmailmrtg2.tgz
# tar zxvf qmailmrtg2.tgz

Run the following commands to start the graphs at 0


# echo " 0" > /tmp/rbl-found
# echo " 0" > /tmp/valid-found
# echo " 0" > /tmp/jgrey-found
# echo " 0" > /tmp/vir-found

Edit the following files and change the "hostname" to your hostname in each file at the bottom.


mrtg-clam
mrtg-jgrey
mrtg-rbl
mrtg-valid

Now to set the correct file permissions:


# chmod 755 mrtg-clam
# chmod 755 mrtg-jgrey
# chmod 755 mrtg-rbl
# chmod 755 mrtg-valid

Now open up qmailmrtg.cfg and change the WorkDir at the top to the folder where the qmailmrtg output will be saved.
Change each instance of myhostname to your mail server name or IP. The easiest way is to do it in vi like so:

:%s/myhostname/newhostname/g

This is a vi search-and-replace command: it replaces all instances of myhostname with newhostname.

Scroll down to the end of qmailmrtg.cfg and change the following lines:


Target[clam]: `/path/to/stats/mrtg-clam`
Target[valid]: `/path/to/stats/mrtg-valid`
Target[rbl]: `/path/to/stats/mrtg-rbl`
Target[jgrey]: `/path/to/stats/mrtg-jgrey`

Run /usr/local/bin/mrtg qmailmrtg.cfg and make sure you don't get any errors.

Now to put the stats in cron:

*/5 * * * * /usr/local/bin/mrtg /path/to/qmailmrtg.cfg > /dev/null 2>&1

After about 15-20 minutes you should start seeing graphs.

Now to clean up the install:


# cd /path/to/stats
# rm qmailmrtg2.tgz
# rm install-*

Monday, 06 July 2015 01:20

Converting apache ssl certs to qmail

This is a document to help you convert your apache certs to qmail.

Please note that the common name you used needs to match the server name in order for your clients not to get the nag screen when they send emails via SSL or TLS.

In order to convert your apache cert, it is important to create the cert correctly. Here is how to do it:

First, we create the key:


# openssl genrsa -out YOURDOMAIN.key 2048

You can substitute 2048 with 4096 for a stronger key, and make sure you replace YOURDOMAIN with your actual domain name.

Next, we need to add a password. Go ahead and type it and confirm. (Note that openssl genrsa only prompts for a passphrase if you pass an encryption option such as -aes256, and the key that ends up in servercert.pem below must be unencrypted, because qmail-smtpd reads it unattended at startup.)

Now create a csr:


# openssl req -new -key YOURDOMAIN.key -out YOURDOMAIN.csr

It is important to type in all the information for your company. When it asks for Common Name (eg, YOUR name) []:, it is VERY IMPORTANT that this field matches what your users are going to use for their mail server name. If you are buying a cert for multiple domains, this will be the domain users use the most. When viewing a cert for multiple domains, the common name will appear first and the others will show on the cert.

This is the csr you use to generate your cert when asked for it by the vendor you buy your cert from.

First, let's back up the current /var/qmail/control folder:


# mkdir /var/qmail/backup_control
# cp -Rp /var/qmail/control/* /var/qmail/backup_control

Please copy the .crt, .csr and the .key to the root folder. Then run the following to make a signed cert:


# cat /root/cert.key > /var/qmail/control/servercert.pem
# cat /root/cert.crt >> /var/qmail/control/servercert.pem
# cat /root/intermediate.crt >> /var/qmail/control/servercert.pem

And now lets set the permissions on the servercert.pem:


# chown root:qnofiles /var/qmail/control/servercert.pem
# chmod 640 /var/qmail/control/servercert.pem

Now lets create the clientcert.pem file and the permissions:


# cp /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
# chown root:qmail /var/qmail/control/clientcert.pem
# chmod 640 /var/qmail/control/clientcert.pem

Now restart qmail in order to make the changes take effect:


# qmailctl restart

If you have any other services that reference the servercert.pem, you will want to restart those services as well. Such services could include smtpd-ssl and smtpd-tls (Just as an example)

Now, if you decided to run imap, you can use the following to create the imap and pop3 certs as well.


# cp /var/qmail/control/servercert.pem /usr/local/share/courier-imap/imapd.pem
# cp /var/qmail/control/servercert.pem /usr/local/share/courier-imap/pop3d.pem

Now to restart the service(s)


# svc -t /service/courier-*

That will restart ALL the courier- services.

Now your customers will not get the annoying nag screen when people send mail via smtp-ssl, smtp-tls or via imap!

SSL Cert Generation and export

For primary server issuing the CSR -
Generate CSR for Godaddy:
Create a newcert directory
cd to newcert directory

# openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr

Start cert generation or renewal on GoDaddy
In console cat the CSR to enter in GoDaddy

# cat mydomain.csr

Select and copy the text, paste into CSR box on GoDaddy
Add other servers to the list of SANs
Submit and wait for cert to be generated

Save the zip file with the cert and bundle to the primary server in newcert directory
Create an oldcert directory and copy old cert files into it for backup
Copy new key, crt and bundle.crt files into /etc/certs/
change filenames to suit and confirm they match the settings in httpd_ssl.conf

Confirm setting using apachectl configtest
Correct any errors until you get Syntax OK
Restart apache with apachectl restart
Tail the apache error log to ensure it resumed normal operations.
Bring web page up in browser - do a Ctrl+Refresh to ensure you get a clean load
Verify the Certificate information from the Lock icon

Provided all is good export the cert to Qmail (sslserver)

# cat mydomain.key > mydomain.pem
# cat mydomain.crt >> mydomain.pem
# cat gd_bundle.crt >> mydomain.pem
# chmod 640 mydomain.pem

Verify in your run script for the SSL SMTP Service
/var/qmail/supervise/ssl-smtpd/run

that the file name for the SSL Certificate matches
restart Qmail and tail smtpd-ssl current log to ensure it loaded the key
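The two PEM-assembly steps above (the cat of key, crt and bundle into servercert.pem, and the same for mydomain.pem) are easy to get subtly wrong after a renewal, for example by pairing the new certificate with last year's key, which leaves the SMTP service unable to offer TLS. The following shell script is an added example, not part of the original article and not one of qmail's own tools: it assembles the PEM in the same order, but first checks that the certificate's public key matches the private key, writes the file with mode 640 as the article does, and counts the PEM blocks so you can confirm one key plus the expected certificates. It needs the openssl command; all file names are arguments and nothing else is assumed.

```shell
#!/bin/sh
# Added example, not from the original article: build the qmail PEM the way
# the article does (key, then cert, then the issuer bundle on the server that
# made the CSR) but refuse to write it unless the certificate really belongs
# to the key. Needs the openssl command; all paths are arguments, nothing
# here is qmail's own tooling.

# pubkey_of FILE [cert]: print the public key (SPKI PEM) of a private key,
# or of a certificate when the second argument is "cert"
pubkey_of() {
    if [ "$2" = cert ]; then
        openssl x509 -in "$1" -noout -pubkey
    else
        openssl pkey -in "$1" -pubout
    fi
}

# key_matches_cert KEY CRT: 0 when the cert was issued for this private key
key_matches_cert() {
    [ "$(pubkey_of "$1")" = "$(pubkey_of "$2" cert)" ]
}

# build_qmail_pem KEY CRT OUT [BUNDLE]: write KEY+CRT(+BUNDLE) to OUT with
# mode 640, only if KEY and CRT match. Leaves no file behind on mismatch.
build_qmail_pem() {
    key=$1 crt=$2 out=$3 bundle=$4
    if ! key_matches_cert "$key" "$crt"; then
        echo "build_qmail_pem: $crt was not issued for $key" >&2
        return 1
    fi
    ( umask 027
      { cat "$key"; cat "$crt"
        if [ -n "$bundle" ]; then cat "$bundle"; fi
      } > "$out" ) || return 1
    chmod 640 "$out"
}

# pem_block_counts PEM: print "<private keys> <certificates>" found in PEM,
# a quick sanity check that the file holds exactly one key plus the chain
pem_block_counts() {
    keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$1" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
    echo "$keys $certs"
}
```

On the issuing server run `build_qmail_pem mydomain.key mydomain.crt /var/qmail/control/servercert.pem gd_bundle.crt`; on a secondary qmail server leave the bundle argument off, as the notes above say. `pem_block_counts` should then report one key plus the certificate and each intermediate in the bundle; a second key or zero certificates means the wrong files were concatenated.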

For WWW - copy the key and crt file to the server.
DO NOT use the bundle.crt file; that is only for the server that issued the CSR.
Follow the same procedure, match the file names in the httpd_ssl.conf file,
check config and restart and verify load.

For secondary qmail servers create the pem file using only the crt and key, not the bundle file,
then follow the same procedure for installing.
Also ensure the key and crt files match in Dovecot.conf too.
Special thanks to Cavin Green for the documentation

The easiest way is via the command line. The following is one line:

/var/qmail/bin/qmail-inject RECIPIENT@YOURDOMAIN < /var/spool/qmailscan/quarantine/new/mail1101806345562014465

Change RECIPIENT@YOURDOMAIN to the right email account and change the quarantined message to the right filename.

Special thanks to Andreas H

You can change the way qmail-scanner notifies you by editing your /usr/local/bin/qmail-scanner-queue.pl and changing the line that says:

$NOTIFY_ADDRS='sender,recips';

to

$NOTIFY_ADDRS='none';

If you just want the postmaster to be notified of the virus, use admin like so:

$NOTIFY_ADDRS='admin';

Please note: under $NOTIFY_ADDRS in most cases, sender notifies the sender of the message. THIS IS NOT RECOMMENDED!! The reason for this is most email viruses use bogus email addresses and that can cause bounces and double-bounces filling your postmaster mailbox full of them. The only exception to this is if you set your catchall to deleted. recips is for the postmaster notification which I would leave in there. I have not found a way to change this unless you change it in your qmail-scanner installation.

This will make Qmail-Scanner silently drop all the infected emails without sending any notification.

Save the file and run the following commands for your OS to update qmail-scanner.

# setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g
# setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z
# setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -p (If you're using qmail-scanner 2.0 per domain)

Test it and then you should be all set.

The instructions below will backup all users and emails. This will NOT copy over ezmlm lists. This may happen in future releases.

On the old mailserver:

fetch http://goodcleanemail.com/files/tarballs/vpopmail_server_import_export.tgz
tar zxvf vpopmail_server_import_export.tgz
cd import
run backupemail.sh > output
create /home/backups/vpopusers
run CreateVPOPUserBK.sh
This places all the backups of vpopmail into the /home/backups/vpopusers dir
before you scp this folder over to the new server, make SURE you chown the user:group to the user you will scp it over to

On the new mail server, run the following commands. Before you import the users it is a good idea to disable validrcptto in qmail-smtpd/run and restart qmail; import the users, then re-enable validrcptto and rebuild the validrcptto.cdb file as described in my vpopmail instructions.

fetch http://goodcleanemail.com/files/tarballs/vpopmail_server_import_export.tgz
tar zxvf vpopmail_server_import_export.tgz
cd export
scp over the output file from the old mail server
mkdir /home/backups/vpopusers
Please note: Depending on how many domains/users there are, the next few commands can take several hours. Please plan accordingly.
scp the /home/backups/vpopusers from the old mail server to /home/backups/vpopusers on the new server
run output (This will create all the domains/users)
run RestoreTheUserDir.sh (This will restore all users folders)

I was thinking about how much space was getting used up by inactive e-mail accounts just collecting spam or whatnot, and I wondered if there was a tool to remove users that hadn't authenticated with vpopmail in a long time, as shown in vqadmin next to each username under the column 'Last Logon'. Not knowing there was a tool to do this for me, I did all of my removals by hand until I just couldn't take it anymore and decided I would just see if there was a binary that came with vpopmail to do this for me, which there was! It's easy to use as well and saved me so much time.

You should be able to find the binary here /home/vpopmail/bin/vdeloldusers, you can easily incorporate a crontab to run every week to remove old e-mail accounts like I've done.

Just to remove e-mail accounts that haven't been authenticated in 6 months or 180 days you just execute...

# /home/vpopmail/bin/vdeloldusers -a 180 -e -D (this will remove all e-mail accounts that haven't been used in 180 days or 6 months on every virtual domain you host)

To see what would be removed you can easily just execute...

# /home/vpopmail/bin/vdeloldusers -a 180 -e -V (this will show you every virtual domain that you host with inactive e-mail accounts without removing them)

Just running /home/vpopmail/bin/vdeloldusers will give you all the options you can pass to it, so don't be afraid to use this binary! I was a little hesitant at first since I host so many domains, but it works like a charm. I didn't know if it would update the last logon when a user is just using webmail/imap authentication, but it did, and of course it updates when a user does smtp authentication; that was what I was kind of skeptical about, but it works great!

I needed to figure out how I was using so much disk space and was looking for a quick way to tell me which domain was the culprit. Since I never really did any domain or user quota settings (which I should have, and still will eventually), I needed a quick way to tell, so this is the fastest way I could find with the best output.

# du -ksh /home/vpopmail/domains/*

If you wanted you could pretty much add this to your qmail stats if you wanted to monitor the disk usage for your virtual domains, you can easily get down into the mailboxes disk usage as well just change the command to something like..

# du -ksh /home/vpopmail/domains/myhosteddomain.com/*

Just some helpful things I've found to help myself and hopefully you as well.

Monday, 06 July 2015 01:07

How to backup vpopmail with rsync/ssh

Setting up vpopmail with rsync and ssh

The reason why vpopmail just doesn't work with rsync is mainly because vpopmail has a chmod of 700 which means only the owner, vpopmail, can read it or root if you're logged in that way. Here is how to rsync vpopmail over a ssh connection.

Part of this documentation was taken from http://jms1.net/ssh.shtml and also http://www.qmailinfo.org/index.php/ExampleRsyncScripts and https://wiki.archlinux.org/index.php/SSH_keys#Ed25519

Setting up the ssh keys

On the server, open up /etc/ssh/sshd_config and add PermitRootLogin without-password (newer OpenSSH spells this prohibit-password; the old spelling is still accepted as an alias). Then restart sshd by running killall -HUP sshd. You will get kicked out of your terminal; if all is well, you should be able to log in again. Root is now allowed to log in only via an ssh key. Don't worry, there is some added security later in this document as well.

The first thing we will want to do is generate the key on the client, or backup, machine. Run the following command:

ssh-keygen -t ed25519 -f id_dsa_vpopmail -C 'Some comment'

When you see 'Enter passphrase (empty for no passphrase):' Just hit enter and then when you see the confirmation that says 'Enter same passphrase again:' just hit enter again. After a few seconds, it should give you an output similar to the following:

Your identification has been saved in id_dsa_vpopmail.
Your public key has been saved in id_dsa_vpopmail.pub.
The key fingerprint is:
88:da:e8:4c:50:5d:c5:95:b9:1e:6e:8f:96:82:c0:19 Some Comment

Now, the id_dsa_vpopmail.pub is the file we need to ssh over to your server. Here are the steps you will want to follow to get this over to your server to allow root logins via ssh:

# scp id_dsa_vpopmail.pub user@server:
user@server's password:
id_dsa_vpopmail.pub |********************| 0 0:00
# ssh user@server
user@server's password:
(You have to be root at this point to do the following steps)
# cat id_dsa_vpopmail.pub >> ~root/.ssh/authorized_keys2
# chmod 600 ~root/.ssh/authorized_keys2
# exit

This is not the only way to get the public key file into place. You could also copy it on a floppy disk, or email it to the system administrator and have them install it for you (remember this is the PUBLIC key, there is no security risk in sending it via normal email.)

Note that you can have multiple keys listed in the .ssh/authorized_keys2 file. This is why the public keys have comments at the end, so you can easily tell which line in the file corresponds to which key.

To add a bit more security on the server, you will want to change the /root/.ssh/authorized_keys2 to look like so (the key type and blob are whatever is in your .pub file; with the ed25519 key generated above the line starts with ssh-ed25519 rather than the ssh-dss shown here):

command="/root/.ssh/rsync-key" ssh-dss AAAAB3NzaAAA4fobEeQMoC6vRInbeNy5PukQ5fAkCc+Vr...

Then this is what is in the /root/.ssh/rsync-key file:

#!/bin/sh
# Forced command for the backup key: log whatever the client asked for,
# and only run it if it is the server side of an rsync transfer
logger -t ssh-command "$SSH_ORIGINAL_COMMAND"
case "$SSH_ORIGINAL_COMMAND" in
    "rsync --server "*) ;;
    *)
        logger -t rsync-key "INVALID COMMAND \"$SSH_ORIGINAL_COMMAND\""
        exit 1
        ;;
esac
# unquoted on purpose: the string must be split back into rsync's arguments
exec $SSH_ORIGINAL_COMMAND

Keep in mind what this does and does not restrict: the key can only start rsync --server, but with any arguments, so whoever holds it can still read any path root can read on the server. The ssh-command log line shows the exact string each backup sends, which is what you would pin if you want a tighter check.

Then we need to chmod it properly so it runs:

chmod 755 /root/.ssh/rsync-key
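The rsync-key wrapper above only checks that the requested command begins with rsync --server, so the backup key can still pull any path root can read. The following is an added example, not from the original post or from jms1.net: a drop-in replacement that allows only command strings listed verbatim in an allow-list file (hypothetical path /root/.ssh/rsync-allowed), rejects empty commands and shell metacharacters, and builds the authorized_keys line with the extra from=, no-pty and no-forwarding restrictions that sshd enforces on its own. The allow-list is filled from the exact string the article's wrapper logs under ssh-command in syslog after one successful backup, because rsync's server-side option string differs between rsync versions; the from= address and public key in the usage below are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original post: a stricter version of the
# rsync-key forced command. Instead of accepting anything that begins with
# "rsync --server ", it accepts only command strings listed verbatim in an
# allow-list file, and it generates the authorized_keys line with the extra
# key restrictions sshd itself enforces (source host, no pty, no forwarding).
# Hypothetical: /root/.ssh/rsync-allowed (the allow-list) and the from=
# address; /root/.ssh/rsync-key is the wrapper path used in the article.

ALLOWED_FILE=${ALLOWED_FILE:-/root/.ssh/rsync-allowed}

# is_allowed_command CMD: 0 if CMD is listed verbatim in $ALLOWED_FILE.
# To populate the list, run one backup with the article's wrapper and copy
# the exact string it logged under "ssh-command" in syslog; rsync's
# server-side options differ between versions, so capture, don't guess.
is_allowed_command() {
    cmd=$1
    [ -n "$cmd" ] || return 1                   # empty = interactive login request
    case $cmd in *[';|&$`']*) return 1 ;; esac  # never pass shell metacharacters
    [ -r "$ALLOWED_FILE" ] || return 1
    while IFS= read -r line; do
        [ "$line" = "$cmd" ] && return 0
    done < "$ALLOWED_FILE"
    return 1
}

# restricted_key_line PUBFILE FROM: print the authorized_keys entry for the
# backup key, restricted to the wrapper and to connections from FROM.
restricted_key_line() {
    printf 'from="%s",command="/root/.ssh/rsync-key",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$2" "$(cat "$1")"
}

# When sshd runs this file as the forced command, SSH_CONNECTION is set;
# that is the only time the wrapper logic below runs.
if [ -n "$SSH_CONNECTION" ]; then
    logger -t ssh-command "$SSH_ORIGINAL_COMMAND"
    if is_allowed_command "$SSH_ORIGINAL_COMMAND"; then
        # unquoted on purpose: split the string back into rsync's arguments
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t rsync-key "REJECTED \"$SSH_ORIGINAL_COMMAND\""
    exit 1
fi
```

Install it as /root/.ssh/rsync-key (mode 755 as in the step above), put the logged rsync --server line into the allow-list one command per line, and replace the authorized_keys2 entry with the output of `restricted_key_line id_dsa_vpopmail.pub <backup-host-ip>`. If rsync is upgraded on either side the server-side string changes and the backup will be rejected until the new line (again visible under ssh-command in syslog) is added.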

Backing up vpopmail

Now that we have the keys in place for rsync via ssh to work, we can now setup a script to automate this for us and then we can put it into cron. Here is my script for this. I will call this vpopmail-backup.sh:

#!/bin/sh
# Log the start time, pull the vpopmail tree over the key-restricted ssh
# wrapper (-a archive, -S keep sparse files sparse, --delete mirror
# removals), then log the finish time
echo `date` starting >> /var/log/vpopmail-backup.log
rsync -aS --delete -e /path/to/backup-vpopmail-ssh root@HOST:/usr/home/vpopmail/ /backup/vpopmail/location
echo `date` done >> /var/log/vpopmail-backup.log

The '/path/to/backup-vpopmail-ssh' in the above file has this in it:

#!/bin/sh
# Ignore any ssh agent so only the dedicated backup key is offered, then
# pass rsync's arguments (host and remote command) through to ssh unchanged
unset SSH_AUTH_SOCK
exec /usr/bin/ssh -i /path/to/id_dsa_vpopmail "$@"

Now we want to set the permissions on the two files:

chmod 755 vpopmail-backup.sh
chmod 755 backup-vpopmail-ssh

Now let's give it a test!

./vpopmail-backup.sh

If all goes well, It should pause there for a minute and then it will come back to the prompt. Check your vpopmail log in /var/log/vpopmail-backup.log and see if it started and stopped correctly.
