Blue Flower

Sunday, 05 July 2015 13:28

Installing Autorespond

Written by

Autorespond is a program that allows you to set up responders for forwarding and mailing robots in qmailadmin.

Installing from ports just can't get any easier than this:


# cd /usr/ports/mail/autorespond
# make install clean

Autorespond is installed!

Sunday, 05 July 2015 13:28

Installing EZMLM

Ezmlm-idx is a mailing list addon. It is the best (in my opinion) mailing list option out there. It works quite well with qmailadmin, which we will install later in the guide, and works seamlessly with qmail. For more information, please see http://www.ezmlm.org/

Now to install the port:


# cd /usr/ports/mail/ezmlm-idx
# make install clean

If this runs without errors, we will proceed to the next step.

Before you can use the programs, you should copy the "ezmlmglrc.sample", "ezmlmrc.sample" and "ezmlmsubrc.sample" files in /usr/local/etc/ezmlm to "ezmlmglrc", "ezmlmrc" and "ezmlmsubrc" respectively.


# cp /usr/local/etc/ezmlm/ezmlmglrc.sample /usr/local/etc/ezmlm/ezmlmglrc
# cp /usr/local/etc/ezmlm/ezmlmrc.sample /usr/local/etc/ezmlm/ezmlmrc
# cp /usr/local/etc/ezmlm/ezmlmsubrc.sample /usr/local/etc/ezmlm/ezmlmsubrc

When that is done, ezmlm is installed!

Sunday, 05 July 2015 13:50

Installing UCSPI-TCP

UCSPI-TCP is a set of command-line tools for building TCP-based client/server applications. They are compliant with UCSPI, the UNIX Client-Server Program Interface. UCSPI tools are available for several different types of networks. For more information, please see http://cr.yp.to/ucspi-tcp.html

Installing ucspi-tcp is pretty straightforward:


# cd /usr/ports/sysutils/ucspi-tcp
# make install clean

Please make sure the SSL Protocol support box is checked.

When you run that command, you have 4 options. I would highly suggest installing the man pages. If you would like to use rblsmtp with ucspi, that is completely up to you. By experience alone, I can tell you enabling rbls will dramatically decrease the amount of spam you get. If you have or plan to have a large email server, this will definitely help in the long run.

Sunday, 05 July 2015 13:51

Installing Daemontools

Daemontools is a small set of very useful utilities, from Dan Bernstein. They are mainly used for controlling processes, and maintaining logfiles. For more information, please see http://cr.yp.to/daemontools.html


# cd /usr/ports/sysutils/daemontools
# make install clean

If you get a pop-up window when you do this, just hit TAB and then click OK.

We now need to create the /service directory to get svscan running. We do that by:


# mkdir /service

You will now want to start the svscan server by running:


# csh -cf '/usr/local/bin/svscanboot &'

If you run ps -auxw | grep svscan, you should see something like this:


root 384 0.0 0.0 1652 8 con- I 16Jul05 0:00.01 /bin/sh /command/svscanboot
root 404 0.0 0.0 1244 140 con- S 16Jul05 9:04.68 svscan /service

We now need to tell FreeBSD to start daemontools on startup. Here is the command that tells FreeBSD to do that:


# echo "csh -cf '/usr/local/bin/svscanboot &'" >> /etc/rc.local

Before we continue, we want to delete the startup script that was created when we installed daemontools:


# rm /usr/local/etc/rc.d/svscan

Sunday, 19 July 2015 01:41

Preinstallation Checklist

Qmail 2.0 will give you the best possible installation for a secure Mail Transfer Agent. This guide will provide the following services:

POP3D-SSL (Port 995)
SMTP-SSL (Port 465)
SMTP-TLS (Port 587)
SMTP (Incoming only Port 25)
Secure Webmail running on Apache 2.4 and Roundcube for Webmail

There are two requirements for this guide:

At 23:59 UTC, December 31, 2016, FreeBSD 9.3, 10.1 and 10.2 will reach
end-of-life and will no longer be supported by the FreeBSD Security Officers
Team.  Users of FreeBSD 9.3, 10.1 and 10.2 are strongly encouraged to
upgrade to a newer release as soon as possible.

The guide supports 10.3 and 11.0.

You will need to make sure your ports system is up-to-date.

If you are using IPv4 and not IPv6 you can disable the IPv6 checkmark from any port by running the following command:


# echo 'OPTIONS_UNSET=IPV6' >> /etc/make.conf

The following ports will need to be installed:

Curl - /usr/ports/ftp/curl
Perl 5.24 - /usr/ports/lang/perl5.24
Bash Shell - /usr/ports/shells/bash
Gmake - /usr/ports/devel/gmake
Unzip - /usr/ports/archivers/unzip
Wget - /usr/ports/ftp/wget
Bind Tools - /usr/ports/dns/bind-tools/

The following ports will need to be installed if you want to enable webmail on your server:

Apache 2.4 or better with SSL (SSL is HIGHLY recommended)
MySQL Server 5.6 or higher

If you would like to create a queuing server please check out the following link:

http://freebsdrocks.net/index.php/documents/13-useful-qmail-utilities/140-how-to-create-a-secondary-or-queueing-qmail-server-2

A few of John Simpson's scripts use a link to perl which doesn't exist on FreeBSD, so we need to create a symlink to it as follows:


# cd /usr/bin
# mv perl bak_perl
# ln -s /usr/local/bin/perl perl

Sunday, 05 July 2015 13:15

Upgrading and Maintaining the Qmail System

Upgrading and maintaining your ports is pretty easy. The first thing I would recommend is installing portupgrade from /usr/ports/sysutils/portupgrade. Once that is installed, you can run man portupgrade or just run portupgrade -r name. The -r switch means to upgrade everything recursively. Recursively means all of its dependencies, or more simply, anything the program requires. You can do this for anything else not related to qmail or any of its programs. So for instance, portupgrade -r kde will upgrade kde and all its dependencies.

Another thing I would recommend using is portaudit. If you have your system set up correctly, you will get portaudit reports in your daily security logs. These will give you warnings about any obsolete packages and any security warnings regarding anything that is installed.

What I am going to suggest in the next few pages is the recommended way to upgrade programs from ports. Mostly we will be running through backing up .conf files and running portupgrade and then making sure everything is chmodded or chowned correctly.

Qmail - Qmail doesn't require any type of upgrades. Qmail hasn't been upgraded since 1997 or 1998 but it is very stable and very secure.

UCSPI-TCP - Pretty much the same as qmail. I don't think it has changed at all. Quite honestly, I have never upgraded it and I haven't ever had a problem with running any old/previous versions.

Daemontools - Again, pretty much the same as qmail or UCSPI-TCP.

Ezmlm-idx - This can change from time to time. I would first back up your list, which resides in ~vpopmail/domains/domain.xxx/listname, before upgrading the port. Then run portupgrade -r ezmlm-idx and check to make sure your list is intact before deleting your backup.

Qmail-Autoresponder - As of 8/7/14 you need to create a symlink for delivermail as follows if you have not already. Just run the following command: ln -s /usr/local/bin/maildrop-deliverquota /usr/local/bin/deliverquota. Otherwise, this can be upgraded when new versions come out. A simple portupgrade -r qmail-autoresponder works fine in most cases.

Vpopmail -

Now that the skel patch is no more, it is fairly easy to upgrade vpopmail from one version to the next. If your security run output or portaudit commands tell you that vpopmail needs to be upgraded, run the following commands:

# cd /usr/ports/mail/vpopmail
# make CONFIGURE_ARGS="--enable-logging=p --enable-onchange-script"
# make deinstall
# make reinstall

Please make sure to run the following after upgrading vpopmail to make sure it works ok with TLS/SSL:

# cd ~vpopmail/bin
# chmod 6711 vchkpw
# chown vpopmail:vchkpw vchkpw

SpamAssassin - When I have run portupgrades with SpamAssassin in the past, I usually don't run into any issues except the upgrade from 2.6x to 3.0.1. There were quite a few changes from version to version, including some of the required modules that were new, like the SPF addon for it and such. If you do run a portupgrade on SpamAssassin, I would go to SpamAssassin's website http://www.spamassassin.org and read the README files under the download section of the site. There it will tell you any changes/modifications that have been done since the previous version. I would also check the rules under /usr/local/etc/mail/spamassassin, specifically local.cf, to see if any additions or deletions were made.

Restart Spamassassin and then we will need to update the qmail-scanner database by running the following commands:

# setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z
# setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g
# setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -p    # only if you're running qms 2.x

This will update the header info and the qmail-scanner database and keep everything up to date.

ClamAV - ClamAV is probably the worst one out of them all, but I make it easy for you. ClamAV changes almost every three months, possibly sooner. I would recommend backing up the clamd.conf and freshclam.conf in /usr/local/etc and then running portupgrade -r clamav. Then chown the following folders:

# chown -R qscand:qscand /var/log/clamav
# chown -R qscand:qscand /var/run/clamav/
# chown qscand:qscand /var/db/clamav/

I would then copy the backups of clamd.conf and freshclam.conf back to /usr/local/etc and then run freshclam to make sure everything is working perfectly. Restart clamd and then we will need to update the qmail-scanner database by running the following commands:

# setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z
# setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g
# setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -p    # only if you're running qms 2.x

This will update the header info and the qmail-scanner database and keep everything up to date.

You will want to restart ClamAV.
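The vpopmail and ClamAV steps above both end by resetting ownership and modes, so it is worth confirming the result after every upgrade. The script below is an added example, not part of the original guide; the function names and the VPOPMAIL_HOME default are assumptions, and the expected values are the ones the guide's chmod and chown commands set.

```shell
#!/bin/sh
# Added example (not from the guide): audit owner, group and mode after an upgrade.
# VPOPMAIL_HOME is an assumption; the guide only writes ~vpopmail.
VPOPMAIL_HOME=${VPOPMAIL_HOME:-/usr/local/vpopmail}

# check_perm PATH OWNER GROUP MODE
# MODE is the 10-character string printed by "ls -ld" (chmod 6711 on a
# file shows as -rws--s--x); pass "-" to skip the mode comparison.
# Returns 0 on a match, 1 on a mismatch or a missing path.
check_perm() {
    path=$1; want_owner=$2; want_group=$3; want_mode=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # POSIX "ls -ld" fields: mode, link count, owner, group, ...
    set -- $(ls -ld "$path")
    have_mode=$(printf '%s' "$1" | cut -c1-10)   # drop any ACL/label marker
    have_owner=$3; have_group=$4
    if [ "$have_owner" != "$want_owner" ] || [ "$have_group" != "$want_group" ]; then
        echo "OWNER    $path is $have_owner:$have_group, want $want_owner:$want_group"
        return 1
    fi
    if [ "$want_mode" != "-" ] && [ "$have_mode" != "$want_mode" ]; then
        echo "MODE     $path is $have_mode, want $want_mode"
        return 1
    fi
    echo "OK       $path"
}

# audit_all: check every path the guide chmods or chowns; returns the failure count.
audit_all() {
    failures=0
    while read -r path owner group mode; do
        check_perm "$path" "$owner" "$group" "$mode" || failures=$((failures + 1))
    done <<EOF
$VPOPMAIL_HOME/bin/vchkpw vpopmail vchkpw -rws--s--x
/var/log/clamav qscand qscand -
/var/run/clamav qscand qscand -
/var/db/clamav qscand qscand -
EOF
    return "$failures"
}

# Run the audit only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_all; fi
```

A MODE line for vchkpw means the setuid/setgid bits were lost during the reinstall and the chmod 6711 step has to be repeated.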

Qmail-scanner - At the time of this writing, I would NOT recommend doing a portupgrade of qmail-scanner. There are a few reasons why. First, it does not even register with the packages system, as we run the configure commands manually. Second, we manually patch it with the qms-analog patch to get the nifty qmail-analog reports. So if a new version of qmail-scanner is released, I will update the documentation within a few days of it being released.

Qmailadmin - This is something else I wouldn't recommend doing a portupgrade on. When the new version comes out, just run make deinstall on the port and run through the guide as normal, only using the newest version from ports. It just can't get any easier than that!

vqAdmin - Nothing needs to be backed up here. Just run make deinstall on the port and then follow the guide when the new version comes out.

Squirrelmail - This one is a rarity, but every so often a squirrelmail upgrade does come up. If it does, back up your squirrelmail folder, run portupgrade -r squirrelmail, and then double-check that your conf files are set up correctly, as they might change.

Logs

It probably wouldn't be a bad idea to rotate the qmail-scanner logs, as they can get huge. These logs are stored in /var/spool/qmailscan and I would suggest adding the following to your /etc/newsyslog.conf:

/var/spool/qmailscan/qmail-queue.log qscand:qscand 600 5 256 * JC
/var/spool/qmailscan/qms-events.log qscand:qscand 600 5 256 * JC
/var/spool/qmailscan/quarantine.log qscand:qscand 660 7 * @T00 JC

If you would like a description of what each section does, do this:

# man 5 newsyslog.conf

The /var/log/maillog file is already rotated in newsyslog.conf once a day.
