qmail setup
Configuring qmail
Submitted by roberto puzzanghera on Sun, 01/06/2013 - 11:23
• More info on Life with qmail
• README.vdelivermail
Defining alias and control files
echo 3 > /var/qmail/control/spfbehavior
echo "| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox" > /var/qmail/control/defaultdelivery
echo 20 > /var/qmail/control/concurrencyincoming
# ===================
echo postmaster@yourdomain.net > /var/qmail/control/bouncefrom
# * Change when default domain is changed *
# ===================
echo 20000000 > /var/qmail/control/databytes
echo yourdomain.net > /var/qmail/control/doublebouncehost
echo postmaster > /var/qmail/control/doublebounceto
echo 272800 > /var/qmail/control/queuelifetime
echo 30000000 > /var/qmail/control/softlimit
cd /usr/local/src/netqmail-1.06
./config-fast yourdomain.net
When you run ./config-fast it will automatically populate these files: defaultdomain, locals, me, plusdomain, rcpthosts.
• defaultdomain: when you have many domains on the same server (defined later in the virtualhost file), this is the default domain.
• locals: domains that we deliver locally (qmail-send via the qmail-lspawn program). Mail for other domains is spawned through qmail-rspawn and delivered to other MTAs.
• me: the name of the server. This is the domain name that appears in the From field when you receive system messages, for instance.
• plusdomain: domain substituted for trailing "+".
• rcpthosts: domains that we accept mail for. Later you will see how simscan/chkuser reject incoming emails for nonexistent recipients.
• spfbehavior: concerns the SPF patch.
• softlimit: sets soft resource limits for qmail-smtpd.
• databytes: the maximum number of bytes in a message (0 = no limit).
• doublebounceto: the account which will receive double-bounce messages. If you’re using my combined patch, you can erase the first line of /var/qmail/control/doublebounceto to delete these unwanted messages before they’re injected into the local queue.
defaultdelivery is the default .qmail file. It tells qmail how to deliver the email. In this case Maildir is our choice. If you don't yet understand how delivery is done, at this point please read the relaying chapter of Life with qmail and especially the README.vdelivermail that comes with vpopmail, which explains how the .qmail files are used.
You can find an exhaustive presentation of all the control files in the Life with qmail book: http://www.lifewithqmail.org/lwq.html#configuration
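A sanity check for the control files written above, as an added example that is not part of the original page or of qmail (the function name check_control is illustrative). The run scripts further down pass concurrencyincoming and softlimit straight to tcpserver -c and softlimit -m, so a non-numeric value stops the service from starting, and a missing rcpthosts makes qmail-smtpd accept mail for any domain.

```shell
#!/bin/sh
# Added example: sanity-check the qmail control files set up above.
# check_control DIR prints one line per problem and returns 1 if any is found.
# Usage on a real install: check_control /var/qmail/control
check_control() {
    ctl=$1
    found=0
    # Files that must hold a single non-negative integer on their first line.
    for f in spfbehavior concurrencyincoming databytes queuelifetime softlimit; do
        if [ ! -f "$ctl/$f" ]; then
            echo "$f: missing"
            found=1
            continue
        fi
        val=$(head -n 1 "$ctl/$f")
        case $val in
            ''|*[!0-9]*)
                echo "$f: not a non-negative integer: '$val'"
                found=1
                ;;
        esac
    done
    # If rcpthosts does not exist, qmail-smtpd accepts every recipient domain.
    if [ ! -f "$ctl/rcpthosts" ]; then
        echo "rcpthosts: missing (qmail-smtpd would accept mail for any domain)"
        found=1
    fi
    return "$found"
}
```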
Set up the primary administrator's email address. This address will receive mail for root, postmaster, and mailer-daemon. Replace "postmaster@yourdomain.net" with the administrator email address (postmaster):
cd /var/qmail/alias
echo "postmaster@yourdomain.net" > .qmail-postmaster
ln -s .qmail-postmaster .qmail-mailer-daemon
ln -s .qmail-postmaster .qmail-root
chmod 644 .qmail*
Set up the log dirs
The log dirs belong to the qmaill.nofiles user and should not be accessible by other users.
mkdir -p /var/log/qmail
cd /var/log/qmail
chown -R qmaill.nofiles .
chgrp root .
chmod -R og-wrx .
chmod g+rx .
Defining supervise scripts
References: tcpserver page, Bill Shupp's toaster
Download the startup scripts from here and untar
cd /var/qmail
wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/supervise.tar.gz
tar xzf supervise.tar.gz
rm supervise.tar.gz
chown -R root.root rc supervise
You can see the rc executable, which is the qmail-start script, and the supervise folder:
supervise/
|
|----qmail-smtpd/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run
|
|----qmail-submission/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run
|
|----qmail-send/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run
|
|----vpopmaild/
     |
     |-----run
     |-----log/
           |
           |---run
When you create symbolic links to a supervise directory in the /service dir, the run command will be executed at boot time, when /command/svcscanboot is launched:
cd /service
ln -s /var/qmail/supervise/qmail-smtpd
ln -s /var/qmail/supervise/qmail-send
ln -s /var/qmail/supervise/vpopmaild
And if you’re going to build an SMTP relay, you may want to run a separate SMTP instance for authentication on port 587:
ln -s /var/qmail/supervise/qmail-submission
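A check for the supervise layout shown above, as an added example that is not part of the author's supervise.tar.gz (the function name audit_supervise and its arguments are illustrative). It verifies that every service has an executable run and log/run, owned by the expected user (root after the chown above) and not writable by group or others, since these scripts are executed at boot.

```shell
#!/bin/sh
# Added example: audit a supervise tree laid out as shown above.
# audit_supervise DIR [OWNER] prints one line per problem and returns 1 if
# any service lacks run or log/run, or if a script is not executable, not
# owned by OWNER (default: root), or writable by group or others.
# Usage on a real install: audit_supervise /var/qmail/supervise
audit_supervise() {
    dir=$1
    owner=${2:-root}
    problems=0
    for svc in "$dir"/*/; do
        [ -d "$svc" ] || continue          # empty tree: the glob did not match
        name=$(basename "$svc")
        for rel in run log/run; do
            script=$svc$rel
            if [ ! -f "$script" ]; then
                echo "$name: $rel is missing"
                problems=1
                continue
            fi
            if [ ! -x "$script" ]; then
                echo "$name: $rel is not executable"
                problems=1
            fi
            if [ -n "$(find "$script" ! -user "$owner")" ]; then
                echo "$name: $rel is not owned by $owner"
                problems=1
            fi
            if [ -n "$(find "$script" \( -perm -020 -o -perm -002 \))" ]; then
                echo "$name: $rel is writable by group or others"
                problems=1
            fi
        done
    done
    return "$problems"
}
```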
File qmail/rc
#!/bin/sh
# Using stdout for logging
# Using control/defaultdelivery from qmail-local to deliver messages by default
exec env - PATH="/var/qmail/bin:$PATH" \
qmail-start "`cat /var/qmail/control/defaultdelivery`"
File qmail/supervise/qmail-smtpd/run
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`
# This enables greetdelay for qmail-smtpd. Put 0 if you decide to delay rblsmtpd instead.
export SMTPD_GREETDELAY=0
# This enables greetdelay for rblsmtpd
export GREETDELAY=15
# This disables rblsmtpd reject
#export RBLSMTPD=""
# This enables chkuser
export CHKUSER_START=ALWAYS
# DKIM configuration
#export QMAILQUEUE=/var/qmail/bin/qmail-dkim
#export DKIMQUEUE=/var/qmail/bin/simscan
#export DKIMKEY=/usr/local/etc/domainkeys/%/default
# DKIM verification. Use carefully
#export DKIMVERIFY="FGHIKLMNORTUVW"
# This enables simscan debug
#export SIMSCAN_DEBUG=2
exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
/usr/local/bin/tcpserver -v -H -R -l 0 \
-x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 25 \
/usr/local/bin/rblsmtpd \
-r zen.spamhaus.org \
-r bl.spamcop.org \
/var/qmail/bin/qmail-smtpd 2>&1
Note that standard SMTP (port 25) does not allow authentication.
You have to adjust the resource limit (softlimit, in bytes). Each system is different and has different requirements. Life with qmail suggests just 2MB. You have to find the correct value by experiment, increasing it in steps of 1MB, especially once you have loaded spamassassin, clamAV and simscan (the mail scanner).
The variable SMTPAUTH is related to the auth patch. You are invited to take a look at the README.auth file for further details.
We'll cover GREETDELAY, RBL and DKIM later.
File qmail/supervise/qmail-smtpd/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/smtpd
File qmail/supervise/qmail-send/run
#!/bin/sh
exec /var/qmail/rc
File qmail/supervise/qmail-send/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/send
File qmail/supervise/qmail-submission/run
This service makes the MTA also act as an outgoing relay, but the user must authenticate (with TLS encryption).
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`
# You MUST export this, otherwise you'd get a 30 sec timeout
export SMTPAUTH=""
# This enables greetdelay for qmail-smtpd.
export SMTPD_GREETDELAY=5
# This enables chkuser
export CHKUSER_START=ALWAYS
# This enables simscan debug
#export SIMSCAN_DEBUG=2
# DKIM configuration
#export QMAILQUEUE=/var/qmail/bin/qmail-dkim
#export DKIMKEY=/usr/local/etc/domainkeys/%/default
exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
/usr/local/bin/tcpserver -v -H -R -l 0 \
-x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /bin/true 2>&1
Note the use of vchkpw in conjunction with qmail-smtpd to ensure authentication. The connection requires TLS to be enabled. This is the reason why we opened a separate secure connection on port 587 to allow remote clients to use our MTA as a relay.
We will discuss DKIM, GREETDELAY and RBL later.
File qmail/supervise/qmail-submission/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/submission
File qmail/supervise/vpopmaild/run
#!/bin/sh
QMAILDUID=`id -u root`
NOFILESGID=`id -g root`
exec /usr/local/bin/softlimit -m 25000000 \
/usr/local/bin/tcpserver -v -H -R -l 0 \
-u "$QMAILDUID" -g "$NOFILESGID" 0 89 \
/home/vpopmail/bin/vpopmaild 2>&1
vpopmaild is important when connecting to vpopmail via webmail to change the password, for instance.
File qmail/supervise/vpopmaild/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/vpopmaild
cronjobs
In order to rotate the log files add this to the crontab (crontab -e):
# QMAIL
# the following 4 lines rotate the qmail log files daily
0 0 * * * /usr/local/bin/svc -a /service/qmail-submission/log
0 0 * * * /usr/local/bin/svc -a /service/qmail-smtpd/log
0 0 * * * /usr/local/bin/svc -a /service/qmail-send/log
0 0 * * * /usr/local/bin/svc -a /service/vpopmaild/log
qmailctl script
• Reference: Life with qmail
• Download qmailctl