Go to www.clamav.net and browse to Binaries and Ports under Downloads
(or use wget to retrieve them; I used the ones from Petr Kristof).
Download clamav and clamav-devel rpms
vi /var/qmail/supervise/qmail-smtpd/run - comment out qmailqueue and save
Run qmailctl stop, then qmailctl stat.
If qmail-send or others are still running, kill them.
qmailctl start - a fresh start without qmail-scanner operating
yum update zlib
rpm -e --nodeps clamav-devel
rpm -e --nodeps clamav
(you should see that clamd.conf and freshclam.conf are saved as .rpmsave)
rpm -Uvh clamav-0.84-1.rpm
rpm -Uvh clamav-devel-0.84-1.rpm
mv /etc/clamd.conf /etc/clamd.conf.new
mv /etc/freshclam.conf /etc/freshclam.conf.new
mv /etc/clamd.conf.rpmsave /etc/clamd.conf
mv /etc/freshclam.conf.rpmsave /etc/freshclam.conf
chown -R qscand:qscand /var/lib/clamav
/usr/bin/freshclam (make sure it works)
(follow the prompts to generate a fresh qmail-scanner-queue.pl file)
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -zg
vi /var/qmail/supervise/qmail-smtpd/run - restore qmailqueue line
qmailctl stat (ensure everything has stopped; if not, kill it)
Some final checks:
tail /var/log/maillog (make sure there are no errors)
tail /var/spool/qmailscan/qms-events.log (again, no errors to contend with)
send yourself a test message
How to display qmail stats using mrtg
How to get the qmail graphs working with mrtg.
Graphs include rbl, validrcptto, jgreylist, and more.
By William Olson, http://freebsdrocks.net, http://goodcleanemail.com
You will need to install the following 2 ports:
# cd /usr/ports/net-mgmt/mrtg
# make install clean
# cd /usr/ports/mail/qmailmrtg7
# make install clean
Pick the location to download the stats to (preferably within your www folder) and then download the tarball. Replace any of the /path/to folder names with the actual place you are storing qmailstats.
# cd /path/to/stats
# fetch http://www.goodcleanemail.com/files/tarballs/qmailmrtg2.tgz
# tar zxvf qmailmrtg2.tgz
Run the following commands to start the graphs at 0:
# echo " 0" > /tmp/rbl-found
# echo " 0" > /tmp/valid-found
# echo " 0" > /tmp/jgrey-found
# echo " 0" > /tmp/vir-found
Edit the following files and change "hostname" to your hostname at the bottom of each file.
Now to set the correct file permissions:
# chmod 755 mrtg-clam
# chmod 755 mrtg-jgrey
# chmod 755 mrtg-rbl
# chmod 755 mrtg-valid
Now open qmailmrtg.cfg and change the WorkDir at the top to the folder where the qmailmrtg output will be saved.
Change each instance of myhostname to your mail server name or IP. The easiest way is to do it like so:
This is just a find-and-replace script: it replaces all instances of myhostname with newhostname.
Scroll down to the end of qmailmrtg.cfg and change the following lines:
Run /usr/local/bin/mrtg qmailmrtg.cfg and make sure you don't get any errors.
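The edits to qmailmrtg.cfg described above, done in one repeatable step, as an added example that is not part of the original how-to or the qmailmrtg tarball. The function name, its argument order and the counter directory parameter are assumptions; the page writes the counters to /tmp.

```shell
#!/bin/sh
# configure_qmailmrtg: apply the manual qmailmrtg.cfg edits in one idempotent step.
# Assumed helper for this page, not part of qmailmrtg.
#   $1 path to qmailmrtg.cfg   $2 your mail server name   $3 WorkDir for the graphs
#   $4 directory holding the counter files (the page uses /tmp)
configure_qmailmrtg() {
    cfg=$1 host=$2 workdir=$3 counters=$4

    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    # mrtg needs to write its .log/.png files here; check before editing anything.
    [ -d "$workdir" ] && [ -w "$workdir" ] || {
        echo "WorkDir $workdir does not exist or is not writable" >&2; return 1; }

    # Keep a copy before editing; a bad edit is easiest undone this way.
    cp -p "$cfg" "$cfg.orig"

    # GNU and BSD sed disagree on -i, so write to a temp file and swap it in.
    # Every myhostname becomes the real name and the WorkDir line is rewritten.
    sed -e "s|myhostname|$host|g" \
        -e "s|^WorkDir:.*|WorkDir: $workdir|" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"

    # The sed above only rewrites an existing WorkDir line; fail loudly if there was none.
    grep -q "^WorkDir: $workdir\$" "$cfg" || {
        echo "no WorkDir line found in $cfg" >&2; return 1; }

    # Start the graphs at 0 (the page's echo " 0" lines), but only for counters that
    # do not exist yet so a re-run never wipes live statistics.
    for c in rbl-found valid-found jgrey-found vir-found; do
        [ -f "$counters/$c" ] || echo " 0" > "$counters/$c"
    done
    return 0
}
```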
Now to put the stats in cron:
*/5 * * * * /usr/local/bin/mrtg /path/to/qmailmrtg.cfg > /dev/null 2>&1
After about 15-20 minutes you should start seeing graphs.
Now to clean up the install:
# cd /path/to/stats
# rm qmailmrtg2.tgz
# rm install-*
This document helps you convert your Apache certs for use with qmail.
Please note that the common name you used needs to match the server name, otherwise your clients will get the nag screen when they send email via SSL or TLS.
To convert your Apache cert, it is important that the cert was created correctly. Here is how to do it:
First, we create the key:
# openssl genrsa -out YOURDOMAIN.key 2048
You can substitute 4096 for 2048 for a stronger key, and make sure you replace YOURDOMAIN with your actual domain name.
Next, we need to add a password. Go ahead and type it and confirm.
Now create a CSR:
# openssl req -new -key YOURDOMAIN.key -out YOURDOMAIN.csr
Type in all the information for your company. When it asks for Common Name (eg, YOUR name): it is VERY IMPORTANT that this field matches what your users are going to use for their mail server name. If you are buying a cert for multiple domains, this will be the domain your users use the most. When viewing a cert for multiple domains, the common name will appear first and the others will also show on the cert.
This is the CSR you use to generate your cert when the vendor you buy your cert from asks for it.
First, let's back up the current /var/qmail/control folder:
# mkdir /var/qmail/backup_control
# cp -Rp /var/qmail/control/* /var/qmail/backup_control
Copy the .crt, .csr and .key files to the root folder. Then run the following to assemble the PEM file qmail uses (key first, then your cert, then the intermediate cert):
# cat /root/cert.key > /var/qmail/control/servercert.pem
# cat /root/cert.crt >> /var/qmail/control/servercert.pem
# cat /root/intermediate.crt >> /var/qmail/control/servercert.pem
And now let's set the permissions on servercert.pem:
# chown root:qnofiles /var/qmail/control/servercert.pem
# chmod 640 /var/qmail/control/servercert.pem
Now let's create the clientcert.pem file and set its permissions:
# cp /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
# chown root:qmail /var/qmail/control/clientcert.pem
# chmod 640 /var/qmail/control/clientcert.pem
Now restart qmail for the changes to take effect:
# qmailctl restart
If you have any other services that reference servercert.pem (smtpd-ssl and smtpd-tls, for example), you will want to restart those as well.
If you also run IMAP, you can use the following to create the IMAP certs as well.
# cp /var/qmail/control/servercert.pem /usr/local/share/courier-imap/imapd.pem
# cp /var/qmail/control/servercert.pem /usr/local/share/courier-imap/pop3d.pem
Now restart the service(s):
# svc -t /service/courier-*
That will restart ALL the courier- services.
Now your customers will no longer get the annoying nag screen when they send mail via smtp-ssl, smtp-tls or IMAP!
SSL Cert Generation and Export
For the primary server issuing the CSR:
Generate the CSR for GoDaddy:
Create a newcert directory
cd to newcert directory
# openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr
Start cert generation or renewal on GoDaddy.
In the console, cat the CSR to enter it in GoDaddy:
# cat mydomain.csr
Select and copy the text, paste into CSR box on GoDaddy
Add the other servers to the list of SANs.
Submit and wait for cert to be generated
Save the zip file with the cert and bundle to the primary server in the newcert directory.
Create an oldcert directory and copy the old cert files into it as a backup.
Copy the new key, crt and bundle.crt files into /etc/certs/.
Change the filenames to suit and confirm they match the settings in httpd_ssl.conf.
Confirm the settings using apachectl configtest.
Correct any errors until you get Syntax OK.
Restart Apache with apachectl restart.
Tail the Apache error log to ensure it resumed normal operation.
Bring the web page up in a browser and do a Ctrl+Refresh to ensure you get a clean load.
Verify the certificate information from the lock icon.
Provided all is good, export the cert to qmail (sslserver):
# cat mydomain.key > mydomain.pem
# cat mydomain.crt >> mydomain.pem
# cat gd_bundle.crt >> mydomain.pem
# chmod 640 mydomain.pem
Verify the run script for the SSL SMTP service.
Restart qmail and tail the smtpd-ssl current log to ensure it loaded the key.
For WWW: copy the key and crt file to the server.
DO NOT use the bundle.crt file; that is only for the server that issued the CSR.
Follow the same procedure: match the file names in the httpd_ssl.conf file,
check the config, restart and verify the load,
then follow the same procedure for installing.
The easiest way is via the command line. The following is one line:
Special thanks to Andreas H
You can change the way qmail-scanner notifies you by editing /usr/local/bin/qmail-scanner-queue.pl and changing the line that says:
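The two PEM-assembly sequences on this page (servercert.pem in the Apache-cert conversion and mydomain.pem above) both cat key, cert and bundle together and trust that the pieces belong together. The function below is an added example, not part of the original page or of qmail, that does the same assembly after checking what the cat commands silently assume: an unencrypted key (sslserver starts unattended), a key that matches the cert, and a Common Name equal to the mail server name. The function name, argument order and the qnofiles group are taken from this page or assumed.

```shell
#!/bin/sh
# build_qmail_pem: assemble the .pem in the page's order (key, cert, bundle)
# after verifying the inputs. Assumed helper for this page, not part of qmail.
#   $1 key  $2 signed cert  $3 intermediate/bundle  $4 output .pem  $5 expected Common Name
build_qmail_pem() {
    key=$1 crt=$2 chain=$3 out=$4 expect_cn=$5

    # qmail-smtpd/sslserver cannot prompt for a passphrase at start-up.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "refusing: $key is passphrase-protected" >&2; return 1
    fi

    # Key and cert must carry the same public key or every TLS handshake fails.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    [ "$key_pub" = "$crt_pub" ] || {
        echo "refusing: $key does not match $crt" >&2; return 1; }

    # The CN must be the name clients type as their mail server (the nag-screen rule).
    # RFC2253 output puts the CN first, so it is either the whole subject or ends in a comma.
    subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253)
    case "$subj" in
        *"CN=$expect_cn"|*"CN=$expect_cn,"*) ;;
        *) echo "refusing: $subj lacks CN=$expect_cn" >&2; return 1 ;;
    esac

    # Create the file with a restrictive umask so the key is never world-readable,
    # then apply the page's 640 mode and (as root) the qnofiles group.
    ( umask 077; cat "$key" "$crt" "$chain" > "$out" ) || return 1
    chmod 640 "$out"
    if [ "$(id -u)" = 0 ]; then chown root:qnofiles "$out"; fi
    return 0
}
```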
If you just want the postmaster to be notified of the virus, use admin like so:
Please note: under $NOTIFY_ADDRS, in most cases sender notifies the sender of the message. THIS IS NOT RECOMMENDED!! The reason is that most email viruses use bogus email addresses, which causes bounces and double-bounces that fill your postmaster mailbox. The only exception is if you set your catchall to deleted. recips is for the postmaster notification, which I would leave in there. I have not found a way to change this unless you change it in your qmail-scanner installation.
This will make Qmail-Scanner silently drop all the infected emails without sending any notification.
Save the file and run the following commands for your OS to update qmail-scanner:
# setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g
# setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z
# setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -p (if you're using qmail-scanner 2.0 per-domain)
Test it and then you should be all set.