
Sunday, 05 July 2015 13:18

Installing Dovecot


Dovecot Server Information

Before we continue let me say that I have tried for about a month to get Roundcube to communicate with Dovecot via SSL with lots of failures. Using the standard IMAP port it works fine, but 8/10 times it wouldn't work with SSL. For the time being this will be an insecure connection. Having said that, if Roundcube is communicating with Dovecot locally I don't believe this is a security issue.

Dovecot is an open-source IMAP, IMAP-SSL and POP3 server. It was written with security as one of its primary goals, and is flexible enough to work with just about any kind of back-end mailbox storage system, including vpopmail's folder structure. It also works with a large number of authentication back-ends, again including vpopmail. In this walkthrough we are only going to configure Dovecot 2 with IMAP-SSL and POP3-SSL and managesieve.

The first step is to install Dovecot 2 from ports.

# cd /usr/ports/mail/dovecot
# make install

When you run make install it will give you the various configure options available. Make sure the following options are checked:


Configuring Dovecot

Dovecot uses dovecot.conf as its main configuration file. Here I provide a working dovecot.conf with all options configured to use POP3D-SSL and IMAPD-SSL for the most secure setup possible. Managesieve is enabled for filtering. Feel free to take a look at dovecot.conf before enabling Dovecot.

# cd /usr/local/etc
# mv dovecot.conf bak_dovecot.conf
# cp /root/qmail/dovecot.conf.sample dovecot.conf
# mkdir /var/qmail/supervise/dovecot/log
# cd /var/qmail/supervise/dovecot/log
# fetch
# mv service-any-log-run run
# chmod 0755 run
# vi run

In the run file change the second-to-last line to match the following:

multilog t n1024 s1048576 /var/log/qmail/dovecot \

# cd /var/qmail/supervise/dovecot/
# fetch
# mv dovecot-run run
# chmod 0755 run

Now let's start the dovecot service:

# ln -s /var/qmail/supervise/dovecot /service/

Wait about ten seconds and then run the following command to make sure there are no issues:

# svstat /service/dovecot /service/dovecot/log

Sunday, 26 July 2015 00:52

Optimizing the system to catch spams


Post Install configuration tips for Qmail-Scanner

Although Qmail-Scanner should work pretty much "out of the box", you can make some customizations to its configuration by editing the script located at /var/qmail/bin/ The script controls a lot of the functionality of both ClamAV and SpamAssassin. Check it out for yourself and you will see that there are quite a few items you have control over. I wouldn't recommend touching most of them. In fact, the only setting that I changed in mine is in the SpamAssassin section:

You can delete certain emails over a certain Spamassassin threshold. Edit the /var/qmail/bin/ l file and find the following line:

my $sa_delete='0';

Now replace the '0' with a number that represents how far above your SpamAssassin "required_hits" value Qmail-Scanner should start deleting messages. For example, if your SpamAssassin required_hits variable is set to "5" and you set the "sa_delete" variable to "1.0", then any message with a spam score 1.0 over the "5" mark would be deleted. In other words, any mail with a score of 6 or more would be trashed automatically. So for this example, you would change the "sa_delete" variable as follows:

my $sa_delete='1.0';

Spamassassin has been tested to have up to a 99% accuracy rating in terms of detecting real spam and leaving legitimate e-mail alone. I've been using it for over a year now and have never gotten a false positive. Therefore, I feel safe in telling it to just delete the stuff.

There are a host of other Spam and Virus handling directives that can be customized with the file.

Post Install configuration tips for Qmail

There are several ways to thwart spam at the SMTP level: RBLs, greylisting and greetdelay.

Greetdelay is by far the easiest to get working. Just open up /service/qmail-smtpd/run and look for GREETDELAY. Give it a setting anywhere between 0 and 30 seconds. Most people find that 15 seconds is sufficient to thwart most spam.

To have qmail start using RBLs just edit the following settings under /service/qmail-smtpd/run.


Greylisting in detail

When a server receives an incoming connection from a client, it checks the client's IP address against a list. Depending on what it finds...

    If the IP address has never been seen before, a record is created for the IP address and the client is given the "soft error" message, which tells it that the message will not be accepted right now, but the client should try again later.

    If the IP address was first seen very recently (usually within the past three to five minutes), the client will be given the same "soft error" message and no mail will be accepted.

    Otherwise, the message will be accepted normally.

The other consideration is that the database of when each IP address was first seen can eventually grow large enough to fill up the storage space available on the system. In order to prevent this from happening, a second timer is kept- one which is updated every time the client connects. Every so often the server will "clean" the database by deleting all record of any IP which has not been seen in a long time (usually 30 days or more.)
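The decision logic described above (first-seen timer for the soft error, last-seen timer for the cleanup), written out as an added example. This is not jgreylist's own code; the 5-minute wait and 30-day expiry are assumptions taken from the ranges the text gives, the SMTP reply strings are constructed, and the database is an in-memory dict rather than the on-disk store jgreylist uses.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed parameters: the text says "three to five minutes" and "30 days or more".
WAIT_SECONDS = 5 * 60
EXPIRE_SECONDS = 30 * 24 * 3600

# Constructed reply strings; a real MTA would send its own 4xx / 2xx lines.
SOFT_ERROR = "451 4.7.1 greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Record:
    first_seen: float   # decides when mail from this IP starts being accepted
    last_seen: float    # the second timer; decides when the record is purged


class Greylist:
    def __init__(self, wait: float = WAIT_SECONDS, expire: float = EXPIRE_SECONDS):
        self.wait = wait
        self.expire = expire
        self.db: dict[str, Record] = {}

    def check(self, ip: str, now: float) -> str:
        """Return the SMTP reply the server should give this connecting IP."""
        rec = self.db.get(ip)
        if rec is None:
            # Never seen: create the record and defer. A real MTA retries later;
            # most spam cannons never come back.
            self.db[ip] = Record(first_seen=now, last_seen=now)
            return SOFT_ERROR
        rec.last_seen = now                     # updated on every connection
        if now - rec.first_seen < self.wait:    # first seen too recently
            return SOFT_ERROR
        return ACCEPT

    def clean(self, now: float) -> int:
        """Purge records not seen for `expire` seconds; returns how many were dropped."""
        stale = [ip for ip, rec in self.db.items() if now - rec.last_seen >= self.expire]
        for ip in stale:
            del self.db[ip]
        return len(stale)


def simulate() -> dict[str, object]:
    """Constructed scenario: one well-behaved MTA and one sender that gives up."""
    g = Greylist()
    t0 = 1_700_000_000.0
    r: dict[str, object] = {}
    r["legit first try"] = g.check("198.51.100.10", t0)
    r["legit retry after 10 min"] = g.check("198.51.100.10", t0 + 600)
    r["spammer first try"] = g.check("203.0.113.7", t0)
    r["spammer retry after 30 s"] = g.check("203.0.113.7", t0 + 30)
    # The legitimate sender keeps mailing; the other IP is never seen again.
    g.check("198.51.100.10", t0 + 20 * 86400)
    r["records removed by clean"] = g.clean(t0 + 31 * 86400)
    r["records left"] = len(g.db)
    return r


if __name__ == "__main__":
    for label, value in simulate().items():
        print(f"{label}: {value}")
```

Running the scenario shows both effects the text describes: the legitimate MTA is deferred once and accepted on its retry, the sender that retries 30 seconds later is deferred again, and the cleanup pass 31 days later drops only the record whose last_seen timer went stale.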

Edit /var/qmail/supervise/qmail-smtpd/run and change the following lines


Now run the following commands:

# mkdir /root/scripts/
# fetch
# fetch
# cp jgreylist /var/qmail/bin
# cp jgreylist-clean /usr/local/sbin
# chown root:vchkpw /var/qmail/bin/jgreylist
# chmod 0750 /var/qmail/bin/jgreylist
# chown root:wheel /usr/local/sbin/jgreylist-clean
# chmod 0755 /usr/local/sbin/jgreylist-clean
# mkdir -m 0700 /var/qmail/jgreylist
# chown vpopmail:vchkpw /var/qmail/jgreylist

Now we need to add the jgreylist clean to cron. Run crontab -e and add the following line to run at 6PM everyday:

0 18 * * * /usr/local/sbin/jgreylist-clean > /dev/null 2>&1

Now restart qmail.

# qmailctl restart

The following articles are optional:

How to teach Bayes your users' Spams

How to add additional rules to SpamAssassin

Sunday, 05 July 2015 13:20

Installing Qmailscanner


Qmail-Scanner is an e-mail content scanner that enables a qmail server to scan all messages it receives for certain characteristics (normally viruses), and react accordingly. For more information see

Before you continue with this step, make sure that clamav and spamassassin are running. You can get the status of all services by running:

# svstat /service/* /service/*/log

First we will need to download qmail-scanner and then extract it.

# cd ~root
# fetch
# tar zxvf q-s-2.11st-20130319.tgz

Before I continue on with this installation I wanted to let you know I am using a minimum of configuration options for qmail-scanner. There are many different options to choose from as well as changing some of the options within my qs-configure script. For a complete list of qmail-scanner options for the ST patch see the following URL below:

We need to tell the system where the correct unzip file is. If we don't you will get a qmail-scanner error. Please run the following commands:

# cd /usr/bin
# mv unzip unzip.bak
# ln -s /usr/local/bin/unzip /usr/bin/

We will run the first configure line as a test, without installing anything. This gives you a chance to fix any errors that come up (if any) before you install it. Change domain.local to your domain, and change the domain in the header text to just the prefix of your domain or an abbreviation.

# cd /root/qmail-scanner-2.11st/contrib
# cc -o qmail-scanner-queue qmail-scanner-queue.c

If you get errors on the cc step, ignore them and continue on.

# mv qmail-scanner-queue /var/qmail/bin/
# chown qscand:qscand /var/qmail/bin/qmail-scanner-queue
# chmod 6755 /var/qmail/bin/qmail-scanner-queue
# cd ~root/qmail-scanner-2.11st/
# ./configure --domain domain.local --dscr-hdrs-text "X-Antivirus-domain" --admin postmaster --add-dscr-hdrs yes --ignore-eol-check yes --sa-quarantine 0 --sa-delete 0 --sa-reject no --sa-subject ":SPAM:" --sa-alt yes --sa-debug no --notify admin --redundant yes --skip-setuid-test --logdir /var/log/qmail/qmail-scanner

Provided the script above didn't result in any errors we can now install qmail-scanner. This will be exactly like the line we just tested above only with adding --install 1 at the end. This tells the port to install qmail-scanner:

This is what the configure line should look like:

# cd ~root/qmail-scanner-2.11st/
# ./configure --domain domain.local --dscr-hdrs-text "X-Antivirus-domain" --admin postmaster --add-dscr-hdrs yes --ignore-eol-check yes --sa-quarantine 0 --sa-delete 0 --sa-reject no --sa-subject ":SPAM:" --sa-alt yes --sa-debug no --notify admin --redundant yes --skip-setuid-test --logdir /var/log/qmail/qmail-scanner --install 1

Answer YES to all questions

# vi /var/qmail/bin/

Then change the first line of /var/qmail/bin/
to "#!/usr/bin/perl" (in other words, remove the "-T" from the perl call.)

# chmod 0755 /var/qmail/bin/

And now all that's left for qmail-scanner is to initiate the version file and the perlscanner database. We'll initialize the version file. This command also helps to keep your server's /var/spool/qmailscan folder clear of rogue files that can develop when SMTP sessions are dropped. You may want to stick this command into your server's crontab and run it once a day. You'll see more on this in the "maintaining your qmail server" step near the end of this tutorial. So let's run it:

# setuidgid qscand /var/qmail/bin/ -z

And now we will generate a new perlscanner database for qmail-scanner. For future reference, it's a good idea to run this next command whenever you upgrade qmail-scanner. You'll see more on this in the "maintaining your qmail server" step near the end of this tutorial. So let's do it:

# setuidgid qscand /var/qmail/bin/ -g

A successful database build should produce the following output:

perlscanner: generate new DB file from /var/spool/qmailscan/quarantine-attachments.txt
perlscanner: total of 35 entries.

And now one final ownership check...

# chown -R qscand:qscand /var/spool/qscan

Woohoo, qmail-scanner is installed! Now it's time to tie qmail-scanner into qmail itself.

# vi /var/qmail/supervise/qmail-smtpd/run

Look for the line that says:


and remove the # in front of the line like so:


Once you've got the qmail-smtpd file modified, save the changes and exit from the file. Now we will finalize the qmail-scanner installation by going over some post-install configuration options. After that, we'll fire everything up and take qmail-scanner for a test drive.

To activate all the changes we just made, we're going to have to completely stop and restart qmail.

Run qmailctl stop


Then run qmailctl start

And a quick check of the qmail processes, just to be safe.

# qmailctl stat

Before we run the qmail-scanner test we need to make sure we're using Dovecot for local delivery. Let's say you used mydomain.local for the domain name. You will want to run the following commands in your postmaster account:

# cd ~vpopmail/domains/mydomain.local/postmaster
# cp -Rp ~vpopmail/skel/* .
# cp -Rp ~vpopmail/skel/.qmail .

Now it's time to test the whole thing to see if Qmail-Scanner, SpamAssassin and ClamAV are all working correctly. Fortunately, Qmail-Scanner comes with its own testing script that does a fantastic job. So let's test it!

# cd /root/qmail-scanner-2.11st/contrib/
# chmod 755
# ./ -doit

A successful test should produce the following output. 2 messages should be quarantined by ClamAV in /var/spool/quarantine/new and 2 messages should be sent to whatever mailbox you specified in the Qmail-Scanner configuration script. Don't worry if you don't get virus notification emails. The normal notification emails that get sent out upon virus detection usually don't work during the test.

setting QMAILQUEUE to /var/qmail/bin/ for this test...

Sending standard test message - no viruses...

Sending eicar test virus - should be caught by perlscanner module...

Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)

Sending bad spam message for anti-spam testing - In case you are using SpamAssassin...

Finished test. Now go and check Email for <email address>

You should now get a total of 4 messages:

1 clean message in the <email address> mailbox

1 spam message in the <email address> mailbox (postmaster accounts do not have spam protection automatically. You can manually copy the contents of ~vpopmail/skel into the postmaster/Maildir account)

1 policy message in /var/spool/qscan/quarantine/policy/new

1 virus message in /var/spool/qscan/quarantine/viruses/new/

Monday, 06 July 2015 01:20

Converting your apache certificate to qmail


This document helps you convert your Apache certificate for use with qmail. This step is completely optional, BUT note that the common name you used needs to match the server name; otherwise your clients will get the nag screen when they check their POP3 account or send email via SSL or TLS.

You will need to do one of the following: either purchase a certificate from a signing authority, or re-key a current certificate if you're moving servers. In order to convert your Apache cert, it is important to create the cert correctly. Here is how to do it:

First, We create the key:

# mkdir /root/certs
# cd /root/certs
# openssl genrsa -out domain.key 2048

You can substitute 2048 with 4096 for stronger encryption and make sure you replace domain with your actual domain name.

Next, We need to add a password. Go ahead and type it and confirm.

Now create a csr:

# openssl req -new -key domain.key -out domain.csr

It is important to type in all the information for your company. When it asks for Common Name (eg, YOUR name) []: it is VERY IMPORTANT that this field matches what your users are going to use for their mail server name. If you are buying a cert for multiple domains, this should be the domain users use the most. When viewing a cert for multiple domains, the common name will appear first and the others will show on the cert.

This is the CSR you use to generate your cert when the vendor you buy your cert from asks for it.

First, let's back up the current /var/qmail/control folder:

# mkdir /var/qmail/backup_control
# cp -Rp /var/qmail/control/* /var/qmail/backup_control

Please copy the .crt you received to the root folder. Then run the following to make a signed cert:

# cd /root/certs
# cat domain.key > /var/qmail/control/servercert.pem
# cat cert.crt >> /var/qmail/control/servercert.pem
# cat intermediate.crt >> /var/qmail/control/servercert.pem

And now let's set the permissions on servercert.pem:

# chown root:nofiles /var/qmail/control/servercert.pem
# chmod 640 /var/qmail/control/servercert.pem

Now let's create the clientcert.pem file and set its permissions:

# cp /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
# chown root:qmail /var/qmail/control/clientcert.pem
# chmod 640 /var/qmail/control/clientcert.pem

Now to restart qmail so this will take effect on all services

# qmailctl restart

That will restart ALL the qmail services so the new certificate will take effect.

Now your customers will not get the annoying nag screen when people send mail via smtp-ssl, smtp-tls or via imap!

Thursday, 23 July 2015 02:46

Setting up SSL Certs and starting Qmail


We need to install ucspi-ssl so qmail will accept smtp connections with ssl. We can do that like so:

# cd /usr/ports/sysutils/ucspi-ssl
# make install clean

Shortly after this starts installing, you will get a dialog box containing:

Options for ca_root_nss 3.11.9_2
[X] ETCSYMLINK Add symlink to /etc/ssl/cert.pem

Make sure that box is checked by hitting the space bar and then hit tab and hit enter.

Creating an SSL key file

If you are setting up an SSL or TLS server, you will need to create a /var/qmail/control/servercert.pem file. This file contains the public and private keys used to set up SSL or TLS encryption. It should be readable to the userid which your "qmail-smtpd" program runs as (which is normally the "qmaild" user.)

Part of the file is a "certificate", which is the public key with a signature applied to it. This is the same kind of signature used when you create an SSL key for use with a secure web site; in fact, if you already have such a certificate from an SSL web site, you can use it (with the matching ".key" file) to build this .pem file. As long as the key and the certificate are both stored in PEM-encoded format, you can "cat" the files together and save the result as "servercert.pem", and it will work.

If you don't have such a key, you can create a key and then sign it using itself (also known as a "self-signed" certificate.) Clients will complain about the certificate not being signed by a trusted certificate authority, but the encryption is just as secure. The following example shows how to create a self-signed certificate which expires ten years from the date it was created.

Let's start by creating the key:

# cd /var/qmail/control
# openssl req -newkey rsa:1024 -x509 -nodes -days 3650 -out servercert.pem -keyout servercert.pem

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name, or DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value; if you just hit Enter, the field will be left blank. Please note: the common name must be the name of the mail server, so make sure you enter it on that line:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: THIS IS YOUR EMAIL SERVER NAME
Email Address []:<your email address>

Now let's give proper ownership to the files:

# chown root:nofiles servercert.pem

The "nofiles" group is the group which "qmaild" belongs to. This combination of ownership and permissions allows qmail-smtpd to read the key but not change or delete it.

# chmod 640 servercert.pem
# cp servercert.pem clientcert.pem
# chown root:qmail clientcert.pem
# chmod a+r /var/qmail/control/servercert.pem

The "qmail" group is the group which the "qmailr" user belongs to. This user should be able to read, but not write, the "clientcert.pem" file.

# chmod 640 clientcert.pem
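Both this section and the "Converting your apache certificate to qmail" article build servercert.pem and clientcert.pem the same way (private key first, then the certificate and any intermediate) and rely on the 640 mode so that only root and the daemon's group can read the private key. The `chmod a+r` step above undoes that and leaves the key world-readable, which is worth catching before the service starts. The following checker is an added example, not part of the tutorial or of qmail: it walks the PEM block markers, confirms the key comes first and a certificate follows, and refuses a mode that is group-writable or world-accessible. The PEM bodies in the demo are constructed placeholders, not real key material.

```python
from __future__ import annotations
import os
import re
import stat
import tempfile

# A PEM block: "-----BEGIN LABEL-----" ... "-----END LABEL-----" with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)


def pem_block_types(text: str) -> list[str]:
    """Labels of the PEM blocks in the order they appear in the file."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_bundle_text(text: str) -> list[str]:
    """Structural problems with a key+cert bundle (empty list means OK)."""
    problems = []
    types = pem_block_types(text)
    keys = [t for t in types if t.endswith("PRIVATE KEY")]
    certs = [t for t in types if t == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    elif not types[0].endswith("PRIVATE KEY"):
        problems.append("private key is not the first block")   # cat order was wrong
    if not certs:
        problems.append("no CERTIFICATE block found")
    return problems


def check_bundle_file(path: str) -> list[str]:
    """File-mode check (expects 0640) followed by the structural check."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        problems.append(f"mode {mode:04o} is world-accessible; expected 0640")
    if mode & stat.S_IWGRP:
        problems.append(f"mode {mode:04o} is group-writable; expected 0640")
    with open(path) as f:
        problems += check_bundle_text(f.read())
    return problems


# Constructed placeholders: base64 of the word CONSTRUCTED, not real keys or certs.
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"


def demo() -> dict[str, list[str]]:
    """Write a correct bundle and a broken one to a temp dir and check both."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "servercert.pem")
        with open(good, "w") as f:
            f.write(FAKE_KEY + FAKE_CERT + FAKE_CERT)   # key, cert, intermediate
        os.chmod(good, 0o640)
        results["good"] = check_bundle_file(good)

        bad = os.path.join(d, "clientcert.pem")
        with open(bad, "w") as f:
            f.write(FAKE_CERT + FAKE_KEY)               # cat'ed in the wrong order
        os.chmod(bad, 0o644)                            # what `chmod a+r` leaves behind
        results["bad"] = check_bundle_file(bad)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

The checker does not validate the key or certificate contents; pair it with `openssl x509 -in servercert.pem -noout -subject` if you also want to confirm the common name matches the mail server name, as the text insists.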

The next thing we need to do is configure the qmail-smtpd-ssl run file. The only thing to set here is the IP of the server it will be listening on.

# vi /var/qmail/supervise/qmail-smtpd-ssl/run

You should set the following value:

IP= Substitute your own IP address. Do not leave this set to 0 without a good reason.

Before we start qmail we need to setup a few symlinks for tls to work properly:

# cd /usr/lib32
# ln -s
# ln -s

The final step is to start the service running:

# ln -s /var/qmail/supervise/qmail-smtpd-ssl /service/

Starting the qmail services

Okay, let's start the qmail services.

# svc -t /service/* /service/*/log

Let's check to make sure qmail is running okay:

# svstat /service/* /service/*/log

You should get the following output:

/service/qmail-send: up (pid 96738) 8 seconds
/service/qmail-smtpd: up (pid 96743) 8 seconds
/service/qmail-smtpd-ssl: up (pid 96747) 8 seconds
/service/qmail-updater: up (pid 96739) 8 seconds
/service/qmail-send/log: up (pid 96749) 8 seconds
/service/qmail-smtpd-ssl/log: up (pid 96746) 8 seconds
/service/qmail-smtpd/log: up (pid 96745) 8 seconds
/service/qmail-updater/log: up (pid 96748) 8 seconds

Please note we're not using the qmailctl file. The new qmailctl file includes the services for spamd, freshclam, clamav and dovecot. These programs have not been installed yet. These will start working once the service directories are created. Provided qmail-send, qmail-smtpd and qmail-smtpd-ssl are running that is all we need to be concerned about for now.

Sunday, 05 July 2015 13:21

Installing ClamAV


Clam AntiVirus is a command-line virus scanner written entirely in C, and its database is kept up to date. For more information, please see:

Installing clamav

# cd /usr/ports/security/clamav
# make install clean

Make sure the following are checked:

IPV6 (Optional)

Now we want to create the clamav and freshclam service scripts:

# mkdir -m 1755 /var/qmail/supervise/clamav
# mkdir -m 1755 /var/qmail/supervise/freshclam
# mkdir -m 755 /var/qmail/supervise/clamav/log
# mkdir -m 755 /var/qmail/supervise/freshclam/log
# mkdir -m 1755 /var/log/qmail/clamav
# mkdir -m 1755 /var/log/qmail/freshclam
# cd /var/qmail/supervise/clamav
# fetch
# mv clamav-run run
# chmod 755 run
# cd log
# fetch
# mv log-run run
# chmod 755 run
# vi run

Change the last line to read /var/log/qmail/clamav like so

exec /usr/local/bin/multilog t n20 s1048576 /var/log/qmail/clamav

# cd /var/qmail/supervise/freshclam
# fetch
# mv freshclam-run run
# chmod 755 run
# cd log
# fetch
# mv log-run run
# chmod 755 run
# vi run

Change the last line to read /var/log/qmail/freshclam like so

exec /usr/local/bin/multilog t n20 s1048576 /var/log/qmail/freshclam

Now we need to edit the clamd.conf file so it will run correctly via daemontools:

# vi /usr/local/etc/clamd.conf

#Example - must be commented out or removed
#LogFile - multilog will handle logging
#LogSysLog no - see LogFile
PidFile /var/run/clamav/
DatabaseDirectory /var/db/clamav
FixStaleSocket yes - optional
User - should be uncommented and set to qscand
Foreground yes - required to run clamav via daemontools

Now we need to edit the freshclam.conf file so it will run correctly via daemontools:

# vi /usr/local/etc/freshclam.conf

# Example
DatabaseDirectory /var/db/clamav
# UpdateLogFile - multilog will handle logging
# LogSyslog no - see UpdateLogFile
PidFile /var/run/clamav/
DatabaseOwner - change from clamav to qscand
Foreground yes - required to run freshclam via daemontools
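A small checker for the clamd.conf and freshclam.conf edits listed above, added here as an example (it is not part of ClamAV or of this tutorial). It parses the one-directive-per-line format and reports anything that would stop the daemons from running correctly under daemontools: the stock `Example` line still present, a LogFile/UpdateLogFile or LogSyslog setting that bypasses multilog, Foreground not set to yes, or the User/DatabaseOwner not switched to qscand. The two sample configs are constructed stand-ins, not copies of the real files.

```python
from __future__ import annotations

# Which directives carry the logging and user settings in each file.
RULES = {
    "clamd": {"log_directive": "LogFile", "user_directive": "User"},
    "freshclam": {"log_directive": "UpdateLogFile", "user_directive": "DatabaseOwner"},
}


def parse_conf(text: str) -> dict[str, str]:
    """ClamAV-style config: 'Directive value' per line, '#' lines are comments,
    a directive with no value (like 'Example') maps to an empty string."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def daemontools_problems(text: str, kind: str, user: str = "qscand") -> list[str]:
    """Problems that would keep clamd/freshclam from running under supervise."""
    rule = RULES[kind]
    conf = parse_conf(text)
    problems = []
    if "Example" in conf:
        problems.append("'Example' line still present; the daemon refuses to start")
    if rule["log_directive"] in conf:
        problems.append(f"{rule['log_directive']} is set; multilog handles logging, remove it")
    if conf.get("LogSyslog", "no").lower() == "yes":
        problems.append("LogSyslog yes; logging should go to multilog instead")
    if conf.get("Foreground", "no").lower() != "yes":
        problems.append("Foreground must be yes so supervise can track the process")
    if conf.get(rule["user_directive"]) != user:
        problems.append(f"{rule['user_directive']} should be {user}")
    return problems


# Constructed stand-in for an unedited clamd.conf (paths are illustrative only).
STOCK_CLAMD = """\
# Comment or remove the line below.
Example
LogFile /var/log/clamav/clamd.log
DatabaseDirectory /var/db/clamav
User clamav
"""

# The same file after the edits described in the text.
FIXED_CLAMD = """\
# Example line removed
# LogFile removed: multilog handles logging
LogSyslog no
DatabaseDirectory /var/db/clamav
FixStaleSocket yes
User qscand
Foreground yes
"""

# Constructed freshclam.conf that was only half edited.
HALF_FRESHCLAM = """\
DatabaseDirectory /var/db/clamav
DatabaseOwner clamav
Foreground yes
"""


def demo() -> dict[str, list[str]]:
    return {
        "stock clamd": daemontools_problems(STOCK_CLAMD, "clamd"),
        "fixed clamd": daemontools_problems(FIXED_CLAMD, "clamd"),
        "half-edited freshclam": daemontools_problems(HALF_FRESHCLAM, "freshclam"),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

Run it against the real files (`daemontools_problems(open("/usr/local/etc/clamd.conf").read(), "clamd")`) before creating the /service symlinks; a clamd that exits immediately shows up in svstat as a service stuck at 0 or 1 seconds, which is easy to confuse with the slow first freshclam download mentioned below.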

For your information, when this is set up freshclam will check for updates every 2 hours by default. If you want it to run more or less frequently, just change this section in freshclam.conf:

# Number of database checks per day.
# Default: 12 (every two hours)
# Checks 24

Now to set some file permissions before we start clamav:

# chown -R qscand:qscand /var/log/clamav
# chown -R qscand:qscand /var/run/clamav/
# chown qscand:qscand /var/db/clamav/

Now to create the symlinks to the service:

# ln -s /var/qmail/supervise/clamav /service/
# ln -s /var/qmail/supervise/freshclam /service/

Note: I want to point out before you run the next command that it could take some time for the clamav service to come up due to the updates for freshclam being downloaded. This is normal and it could take several seconds or several minutes for freshclam to update clamav. Don't panic if clamav is stuck at 0 or 1. Just check the freshclam logs to find out when the download is complete and it says it has notified clamav of the database update.

Check to see if clamav and freshclam are running:

# svstat /service/clamav/ /service/clamav/log

/service/clamav: up (pid 82396) 63 seconds
/service/clamav/log: up (pid 82446) 25 seconds

# svstat /service/freshclam/ /service/freshclam/log

/service/freshclam/: up (pid 82409) 69 seconds
/service/freshclam/log: up (pid 82410) 69 seconds

Now to remove the startup scripts:

# rm /usr/local/etc/rc.d/clamav-clamd
# rm /usr/local/etc/rc.d/clamav-freshclam
