As of 9/12/15 I have made a few updates to the guide.
The qmail port installation is removed so everything is installed via source.
The permissions on servercert.pem have changed.
There is an additional installation of fakeroot that needs to be installed before vpopmail. This is just a new dependency.
As of this writing qmail 2.0 works on both i386 and amd64 on FreeBSD 10.2.
For the past few weeks I have been trying very hard to get dovecot 2 to work on my system. Finally this evening I changed the vpopmail setup from maildrop delivery to dovecot delivery. The maildrop delivery option has been disabled and the vpopmail skeleton file has been updated to use the Dovecot LMDA (Local Mail Delivery Agent) and now uses dovecot rather than maildrop for the filtering. The guides have been updated to reflect the changes.
I have been using qmail since 1998 and I had a website called nospam.mine.nu where I had a series of articles about how to combat spam in individual articles and also my own qmail guide. The qmail guide was similar to qmailrocks but I mostly focused on running it on FreeBSD (which was 4.11 at the time I believe) and utilizing ports for the installation and upgrades. The most current guide hasn't been updated in some time and POP3 is still running on port 110 and there is no help with combating spam. I am pleased to announce that I am working on an updated guide. The new qmail 2.0 guide will feature the following:
Completely secure POP3, SMTP (SSL AND TLS), and Webmail
A new guide on how to combat spam
A guide on how to configure webmail securely using Apache 2.4
This guide will require you to purchase a certificate from GoDaddy for your domain for SMTP, POP3 and Apache SSL. I will show you how to convert the purchased SSL certificate for use with qmail.
The testing guide will be available for all registered users.
Originally when I first started modifying the qmailrocks documentation for FreeBSD my goal was to use all the qmail ports to simplify the installation. Since then the qmail port has changed to support netqmail which causes a conflict with qmail. Starting on 2/7/17 I have modified this guide so you are no longer required to install this port. This allows a much cleaner and simplified way to install qmail directly from source.
Let's start by creating the users, groups and needed directories:
# pw groupadd nofiles
# pw groupadd vchkpw -g 89
# pw groupadd qscand
# pw useradd vpopmail -u 89 -g vchkpw -m -d /usr/home/vpopmail -s /sbin/nologin
# pw groupadd qnofiles -g 81
# pw groupadd qmail -g 82
# pw useradd qmaild -u 82 -g 81 -m -d /var/qmail -s /nonexistent
# pw useradd alias -u 81 -g 81 -m -d /var/qmail/alias -s /nonexistent
# pw useradd qmaill -u 83 -g 82 -m -d /var/qmail -s /nonexistent
# pw useradd qmailp -u 84 -g 81 -m -d /var/qmail -s /nonexistent
# pw useradd qmailq -u 85 -g 82 -m -d /var/qmail -s /nonexistent
# pw useradd qmailr -u 86 -g 82 -m -d /var/qmail -s /nonexistent
# pw useradd qmails -u 87 -g 82 -m -d /var/qmail -s /nonexistent
# pw useradd qscand -s /sbin/nologin -d /tmp
# mkdir /var/log/qmail
# mkdir /var/log/qmail/qmail-send /var/log/qmail/dovecot /var/log/qmail/qmail-smtpd /var/log/qmail/qmail-smtpd-ssl /var/log/qmail/qmail-smtpd-tls /var/log/qmail/qmail-scanner
# chown -R qmaill:wheel /var/log/qmail
# chmod -R 750 /var/log/qmail
# mkdir -p /var/qmail/supervise
# mkdir /var/qmail/supervise/qmail-smtpd /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd-ssl /var/qmail/supervise/qmail-smtpd-ssl/log/ /var/qmail/supervise/dovecot /var/qmail/supervise/qmail-smtpd/log /var/qmail/supervise/qmail-send/log /var/qmail/supervise/qmail-smtpd-tls /var/qmail/supervise/qmail-smtpd-tls/log/
# chmod +t /var/qmail/supervise/qmail-smtpd /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd-ssl /var/qmail/supervise/qmail-smtpd-tls /var/qmail/supervise/dovecot
Now download the qmail source so we can patch it:
# cd ~root
# fetch http://www.freebsdrocks.net/qmail2/qmail2-1.03.tar.gz
# tar zxvf qmail2-1.03.tar.gz
This guide has been updated to include the two patches and qmail amd64 hotfix. These are not included in the path directory. John Simpson's site is located at https://qmail.jms1.net/patches/combined-details.shtml . I am including this link because this guide includes his patches but his site has not been updated for quite some time now. Now let's patch qmail with John's patch:
# cd qmail-1.03
# patch < patches/qmail-1.03-jms1.7.08.patch
You will get an output of files that it patched. As long as it says done at the end with no errors you can continue.
Starting with FreeBSD 9.0 the user accounting database has been changed which resulted in an incompatible change to the data structure of the database. The utmp.h header file referenced by qbiff.c no longer exists since it's been replaced by utmpx.h.
Since it would take more time or interest than I have to change qbiff to be compatible with the change, I just removed all references to qbiff in hier.c, install-big.c, and the Makefile. The loss of qbiff functionality isn't significant for me since it is just for mail notifications for local system users. The following command fixes this accounting issue:
# tar zxvf patches/qmail_fix2.tgz
If you are running FreeBSD 10.3 or 11.0 on AMD64 run the following. Everyone else skip this step:
# patch < patches/qmail64patch
Now run the following commands:
# make man
# make setup check
Let's get qmail set up for your local hostname. If your local hostname is bsd.localhost, use the following:
# ./config-fast bsd.localhost
You will get output saying it is going to add that hostname to specific qmail control files. If you would like more information about what these specific files control, please take a look at http://www.lifewithqmail.org/lwq.html#config-files
Now we need to run a few more qmail fixes:
# cd ~root
# mkdir qmail
# cd qmail
# fetch http://freebsdrocks.net/qmail2/scripts4.tgz
# tar zxvf scripts4.tgz
# rm scripts4.tgz
# cd /var/qmail/bin
# tar zxvf ~root/qmail/qmail_bin.tgz
# cd /var/qmail/queue
# touch /var/qmail/queue/lock/sendmutex
# chown qmails:qmail /var/qmail/queue/lock/sendmutex
At this point I would not recommend deleting any of the qmail files. They really don't take up a lot of room, but if you ever delete anything by accident or need to rebuild your queue, you can stop qmail, run make setup check, and then start qmail again. This won't fix everything by any means, but leaving the qmail files there won't hurt a bit.
One last recommendation is to open /var/qmail/control/locals and make sure that file is empty. If you need a good explanation as to why to do this:
rcpthosts is used for domains that we accept mail for - mostly used for vpopmail virtual domains that reside in /home/vpopmail/domains
If rcpthosts does not exist, you are an open relay. If it exists and is empty and there is no "morercpthosts.cdb" file as well, then your server will reject all incoming mail.
locals - domains that we deliver locally - mostly used for local delivery /home/$USER/Maildir
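The rcpthosts and locals rules above, turned into a check you can run against the control directory. This is an added example, not part of the original guide. The function names and status words are made up for illustration, and the handling of comment lines and of a missing locals file (qmail falls back to control/me) goes slightly beyond what the guide states.

```sh
#!/bin/sh
# Added example (not from the guide): audit the qmail control files that
# decide relaying and local delivery. Function names and status words are
# illustrative; only the file names come from qmail itself.

# Count entries qmail would load: blank lines and '#' comments are ignored.
active_lines() {
    awk '!/^[ \t]*$/ && !/^#/ { n++ } END { print n + 0 }' "$1"
}

# rcpthosts: missing = open relay; empty with no morercpthosts.cdb = rejects all.
rcpthosts_status() {
    if [ ! -f "$1/rcpthosts" ]; then
        echo OPEN_RELAY
    elif [ "$(active_lines "$1/rcpthosts")" -eq 0 ] && [ ! -f "$1/morercpthosts.cdb" ]; then
        echo REJECTS_ALL
    else
        echo OK
    fi
}

# locals: the guide wants it present and empty. A missing file is not the
# same thing: qmail then falls back to the hostname in control/me.
locals_status() {
    if [ ! -f "$1/locals" ]; then
        echo MISSING_FALLS_BACK_TO_ME
    elif [ "$(active_lines "$1/locals")" -eq 0 ]; then
        echo EMPTY
    else
        echo NOT_EMPTY
    fi
}

# Print both findings; exit status 0 only for the layout the guide recommends.
audit_control() {
    r=$(rcpthosts_status "$1")
    l=$(locals_status "$1")
    echo "rcpthosts=$r locals=$l"
    [ "$r" = OK ] && [ "$l" = EMPTY ]
}

# Constructed sample directory so the script runs without a qmail install;
# point audit_control at /var/qmail/control on a real server.
demo=$(mktemp -d)
echo "example.com" > "$demo/rcpthosts"
: > "$demo/locals"
audit_control "$demo"
rm -rf "$demo"
```

Running `audit_control /var/qmail/control` after adding or removing a virtual domain is a quick way to catch an accidentally deleted rcpthosts before the server starts relaying.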
This will be an up-to-date list of all changes to the qmail install. This is effective 2/12/2017:
2/12/2017: Originally when I first started modifying the qmailrocks documentation for FreeBSD, my goal was to use all the qmail ports to simplify the installation. Since then the qmail port has changed to support netqmail which causes a conflict with qmail. Starting on 2/7/17 I have modified this guide so you are no longer required to install this port. This allows a much cleaner and simplified way to install qmail directly from source.
2/6/2017: At 23:59 UTC, December 31, 2016, FreeBSD 9.3, 10.1 and 10.2 will reach end-of-life and will no longer be supported by the FreeBSD Security Officers Team. Users of FreeBSD 9.3, 10.1 and 10.2 are strongly encouraged to upgrade to a newer release as soon as possible. This guide supports 10.3 and 11.0.
10/17/2016: On the configuring validrcptto page I have changed the fetch mkvalidrcptto location to now be included in the scripts4.tgz file. I am unsure how long John Simpson's site will be up and have attempted to relocate anything that was on his site to mine. I plan on supporting qmail until it completely breaks.
7/13/16: Updated the Roundcube docs to support PHP 5.6
6/21/16: I updated the qmail-smtpd/run file to include the following changes:
* Included a section for spamdyke within the run file
* Removed the qmail-scanner-queue.pl line as it's no longer being used
* Updated the RBL Listing
* Changed the MFCHECK line to 0 from 1
* Enabled the SMTP greeting by default
Special thanks to Steve Donohue for getting spamdyke working before I could.
6/8/16: Removed the reference of qmail-scanner-queue.pl from the qmail_smtpd_run file. I also added a log directory for qmail-scanner in /var/log/qmail and added the default log directory in the qmail-scanner documentation. This is to maintain consistency.
5/14/16: The qmail installation method has been heavily modified for a few reasons. Installing the qmail port actually installs netqmail, not qmail. This also causes a conflict with /var/qmail/queue and with the files within /var/qmail/bin. I have modified the documentation to reflect these changes.
This was the first post about qmail 2.0
As of May 16, 2016 after about 50+ qmail installations I am happy to report that the qmail guide supports TLS on port 587. Many people may not realize this but port 587 is required for most Apple devices. This guide fully supports secure POP3 on port 995 (dovecot), secure SSL on port 465 (qmail) and secure TLS on port 587 (qmail). Once your qmail system is set up you can follow my optimization techniques to help thwart spam from arriving in your users' inboxes.
I am planning on adding more spam-related services to the qmail guide as a secondary expansion. Think of it as optimizing qmail part 2. This will include guides for razor and pyzor, adding even more rules to spamassassin, and a new guide for enabling spamdyke.
Enjoy and as always please consider a donation to keep the site going.
Setting up the TLS service on port 587 is not absolutely necessary, but a lot of Apple devices require it. The folders and run files are in place, so all we need to do is set the IP and then set up the service. I have also created a new qmailctl script that can handle the TLS service.
# cd /var/qmail/supervise/qmail-smtpd-tls
# vi run
You should set the following value:
IP=188.8.131.52
Substitute your own IP address. Do not leave this set to 0 without a good reason.
Save and then create the TLS service by running the following command:
# ln -s /var/qmail/supervise/qmail-smtpd-tls /service/
Then check the service:
# svstat /service/qmail-smtpd-tls/ /service/qmail-smtpd-tls/log/
/service/qmail-smtpd-tls/: up (pid 37035) 9 seconds
/service/qmail-smtpd-tls/log/: up (pid 37036) 9 seconds
It is important to note that if you use Microsoft Outlook to send mail via TLS, you set the port to 587 and then, under the section "Use the following type of encrypted connection", set this to AUTO.
If you want the qmailctl file to handle the TLS service, copy this file:
# cd /var/qmail/bin
# cp qmailctl_tls qmailctl
When you run qmailctl it should now show the TLS service.