Configuring qmail

November 27, 2024 by Roberto Puzzanghera 103 comments

Changelog

  • Jul 31, 2024
    multilog uses "d" flag as default to gain compatibility with the readable datetime format of multilog in daemontools-0.78. Change it with the "t" flag if you prefer to have timestamps.
  • Jul 6, 2024
    enabled auth and turned off STARTTLS on port 465 (tx Alexandre Chaves Fonceca)
  • Mar 8, 2024
    qmail-smtpd/run and qmail-smtpsd/run files: check if simscan is installed in order to run qmail also in that case
  • Feb 4, 2023
    rc file: the DKIM_ON variable was not evaluated correctly, so DKIM was always active. Fixed
    -if [ -r ${QMAILDIR}/control/filterargs ] && [ -n $DKIM_ON ]; then
    +if [ -r ${QMAILDIR}/control/filterargs ] && [ -n "$DKIM_ON" ]; then
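    Review bot: ${QMAILDIR}/control/filterargs in the -r test on the + line is still expanded unquoted, which is the same class of problem this change fixes for $DKIM_ON. Quote it as well ("${QMAILDIR}/control/filterargs") so that test always receives exactly one argument, whatever the variable holds.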
  • Jan 21, 2024
    tcprules files moved to qmail/control

Defining alias and control files

QMAILDIR=/var/qmail
echo 3 > $QMAILDIR/control/spfbehavior
echo "| ~vpopmail/bin/vdelivermail '' delete" > $QMAILDIR/control/defaultdelivery
echo 200 > $QMAILDIR/control/concurrencyincoming
echo noreply > $QMAILDIR/control/bouncefrom
echo 20000000 > $QMAILDIR/control/databytes
echo 272800 > $QMAILDIR/control/queuelifetime
echo 30000000 > $QMAILDIR/control/softlimit
echo 100 > $QMAILDIR/control/maxrcpt
echo 2 > $QMAILDIR/control/brtlimit
echo 'HIGH:MEDIUM:!MD5:!RC4:!3DES:!LOW:!SSLv2:!SSLv3' > /var/qmail/control/tlsserverciphers

cd /usr/local/src/qmail
./config-fast smtp.mydomain.tld

When you run ./config-fast, it automatically populates these files: defaultdomain, locals, me, plusdomain, rcpthosts. smtp.mydomain.tld will be the name of your MTA, and it must have a valid MX record.

  • defaultdomain: when you have many domains on the same server (defined later in the virtualhost file), this is the default domain.
  • locals: domains that we deliver locally (qmail-send via the qmail-lspawn program). Other domains are spawned by qmail-rspawn and delivered to other MTAs. The domains listed in locals should not be confused with virtualdomains; in fact, qmail-send doesn't even read virtualdomains if the recipient domain is already listed in locals, and in that case you'll get a "no mailbox" error message. This is why it's not a good idea to use a virtualdomain as the name of the MTA.
  • me: the name of the server. This is the domain name that appears in the From field when you receive system messages, for instance. It's also the domain used in the HELO (i.e. the greeting at the very beginning of the SMTP conversation). It must have a valid MX record in our DNS, and also the SPF and DKIM records, as we'll see later. Also, me should be your reverse DNS domain, as some providers may block you if the HELO domain is not associated with the IP address.
  • plusdomain: domain substituted for trailing "+".
  • rcpthosts: domains that we accept mail for. Later you will see how chkuser rejects incoming emails for non-existent recipients.
  • spfbehavior concerns the SPF configuration.
  • softlimit sets soft resource limits for qmail-smtpd.
  • bouncefrom is the username of the bounce sender. You may want to define bouncehost as well, i.e. the domain of the bounce sender, which defaults to me.
  • databytes is the maximum number of bytes in a message (0 = no limit).
  • queuelifetime is the number of seconds a message can remain in the queue.
  • maxrcpt sets a limit on how many recipients can be specified for any one email message (qmail-maxrcpt patch).
  • brtlimit is the maximum allowed number of not-found recipients. The connection with the remote host is closed if this number is exceeded (brtlimit patch).
  • defaultdelivery is the default .qmail file. It tells qmail how to deliver the email. If you don't yet understand how delivery is done, please read at this point the relaying chapter of Life with qmail and especially the README.vdelivermail that comes with vpopmail, which explains how the .qmail files are used.
  • tlsserverciphers sets the allowed cipher suites in the TLS connection. In this configuration SSL is denied, while TLS v. 1 and 1.1 (deprecated) are allowed. If you want to deny TLS v. 1 and 1.1 as well, add :!TLSv1 at the end of the line.

You can find an exhaustive presentation of all the control files in the Life with qmail book: http://www.lifewithqmail.org/lwq.html#configuration

Set up the primary administrator's email address. This address will receive mail for root, postmaster, and mailer-daemon. Replace postmaster@mydomain.tld with the administrator's email address:

cd $QMAILDIR/alias
echo "postmaster@mydomain.tld" > .qmail-postmaster
ln -s .qmail-postmaster .qmail-mailer-daemon
ln -s .qmail-postmaster .qmail-root
chmod 644 .qmail*

Set up the log dirs

The log dirs belong to the qmaill.nofiles user and should not be accessible by other users:

mkdir -p /var/log/qmail

chown -R qmaill:nofiles /var/log/qmail
chgrp root /var/log/qmail
chmod -R og-wrx /var/log/qmail
chmod g+rx /var/log/qmail

Defining the supervise scripts

Download the startup scripts and untar them:

cd $QMAILDIR 
wget https://notes.sagredo.eu/files/qmail/supervise.tar.gz 
tar xzf supervise.tar.gz
chown -R root:root rc supervise
rm supervise.tar.gz

You can see the rc executable, which is the qmail-start script, and the supervise folder:

rc
supervise/
| 
|----qmail-smtpd/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run
|
|----qmail-smtpsd/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run
|
|----qmail-submission/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run
|
|----qmail-send/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run
|
|----vpopmaild/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run
|
|----vusaged/
     |
     |-----run
     |-----log/
           |
           |---run

When you create symbolic links to a supervise directory in the /service dir, the run command will be executed when /command/svscanboot is launched, i.e. at boot time.

QMAILDIR=/var/qmail
ln -s $QMAILDIR/supervise/qmail-smtpd      /service
ln -s $QMAILDIR/supervise/qmail-smtpsd     /service
ln -s $QMAILDIR/supervise/qmail-submission /service
ln -s $QMAILDIR/supervise/qmail-send       /service
ln -s $QMAILDIR/supervise/vpopmaild        /service
ln -s $QMAILDIR/supervise/vusaged          /service
ln -s $QMAILDIR/supervise/clear            /service

Let's look in more detail at the supervise scripts that we have downloaded. Many lines are still commented out because they concern features that will be activated later. For the moment only the basic functionality remains active.

File qmail/rc

#!/bin/sh 

QMAILDIR=/var/qmail 

# Comment out DKIM_ON=1 to disable dkim sign at qmail-remote level 
# You have to define your variables in control/filterargs (DKIM page for more info)
# echo "*:remote:/var/qmail/bin/qmail-dkim:DKIMQUEUE=/bin/cat,DKIMSIGN=/var/qmail/control/domainkeys/%/default,DKIMSIGNOPTIONS=-z 2" > /var/qmail/control/filterargs

#DKIM_ON=1 

if [ -r $QMAILDIR/control/filterargs ] && [ -n "$DKIM_ON" ]; then 
  # DKIM sign at qmail-remote level
  exec env - PATH="$QMAILDIR/bin:$PATH" \
  QMAILREMOTE=$QMAILDIR/bin/spawn-filter \
  qmail-start "`cat $QMAILDIR/control/defaultdelivery`" 
else 
  # Use this if you are signing at qmail-smtpd level or you don't want to sign at all 
  exec env - PATH="$QMAILDIR/bin:$PATH" \
  qmail-start "`cat $QMAILDIR/control/defaultdelivery`" 
fi

Don't worry about the lines concerning the DKIM settings. The server can work with those lines active. We will cover that topic later in this guide.

File qmail/supervise/qmail-smtpd/run

#!/bin/sh

QMAILDIR=/var/qmail
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat $QMAILDIR/control/concurrencyincoming`
SOFTLIMIT=`cat $QMAILDIR/control/softlimit`
LOCAL=`head -1 $QMAILDIR/control/me`
TCPRULES_DIR=/var/qmail/control

#export REJECTNULLSENDERS=1
#export SMTPAUTH="!cram"

# qmail-spp plugins
#export ENABLE_SPP=1
#export HELO_DNS_CHECK=PLRIV

# enable greetdelay for qmail-smtpd
export SMTPD_GREETDELAY=20
export DROP_PRE_GREET=1

# greylisting
#export JGREYLIST_DIR="$QMAILDIR/jgreylist"
#export JGREYLIST_LOG_SMTP=1

# enable chkuser
export CHKUSER_START=ALWAYS

################### DKIM - SURBL configuration #################################
# DKIMQUEUE and SURBLQUEUE are front-ends of qmail-queue
export SURBL=1 # Comment out to enable SURBL filtering

# If simscan is not installed yet, do not assign QMAILQUEUE
# so that the installation works at the beginning stage as well
if [ -x $QMAILDIR/bin/simscan ]; then
  export QMAILQUEUE=$QMAILDIR/bin/surblqueue # executes surblfilter
  export SURBLQUEUE=$QMAILDIR/bin/simscan    # executes simscan after SURBL
  #export QMAILQUEUE=$QMAILDIR/bin/simscan # do not execute SURBL nor DKIM filtering

  #### qmail-dkim disabled => no dkim verification
  #### to have verification active export SURBLQUEUE=$QMAILDIR/bin/qmail-dkim. Otherwise the following will be ignored
  #export SURBLQUEUE=$QMAILDIR/bin/qmail-dkim # executes qmail-dkim after surblfilter

  export DKIMQUEUE=$QMAILDIR/bin/simscan     # simscan is executed after qmail-dkim

  # DKIM verification. Use carefully
  export DKIMVERIFY="FGHKLMNOQRTVWp"
  # allow msg without "subject" in the h= list
  export UNSIGNED_SUBJECT=1
  # avoid verification of outgoing messages
  export RELAYCLIENT_NODKIMVERIFY=1
fi
################################################################################

# turn off TLS on port 25
#export DISABLETLS="1"

# require that authenticated user and 'mail from' are identical
export FORCEAUTHMAILFROM="1"

# rcptcheck-overlimit. Limits the number of emails sent by relayclients
if [ -x $QMAILDIR/bin/rcptcheck-overlimit.sh ]; then
  export RCPTCHECK=$QMAILDIR/bin/rcptcheck-overlimit.sh
  export RCPTCHECKRELAYCLIENT="1"
fi

# enable simscan debug
#export SIMSCAN_DEBUG=4
#export SIMSCAN_DEBUG_FILES=2

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" \
    -x $TCPRULES_DIR/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 25 \
    $QMAILDIR/bin/qmail-smtpd /bin/true 2>&1

Note that standard SMTP (port 25) does not allow authentication.

You have to adjust the resource limit (softlimit, in bytes). Each system is different and has different requirements. Life with qmail suggests just 2MB. You have to find the correct value by experiment, increasing it in steps of 1MB, especially once you have loaded spamassassin, clamAV and simscan (the mail scanner).

We'll cover GREETDELAY and DKIM later.

multilog considerations

As already mentioned in the daemontools page, you can get multilog to print loglines with timestamps, as the original program's behaviour does, or with a human readable datetime format. The usage changes as far as the very first argument is concerned, as timestamp goes with t while the readable datetime goes with a d.

So, this is the usage for datetime:

multilog d <other-arguments> <script>

which prints something like

2024-07-31 18:06:03.823254532 tcpserver: status: 0/200/0

and this is for timestamps

multilog t <other-arguments> <script>

which prints something like

@4000000066aa062d281ba97c tcpserver: status: 0/200/0

This guide uses datetime as default.

File qmail/supervise/qmail-smtpd/log/run

#!/bin/sh

LOGUSER="qmaill"
LOGDIR="/var/log/qmail/smtpd"
LOGDIRQLOG="/var/log/qmail/smtpd/qlog"

if [ -x /usr/local/bin/archive_qmail_qlog ]; then
  exec /usr/local/bin/setuidgid $LOGUSER /usr/local/bin/multilog d n5 s16777215 $LOGDIR \
  	n5 s16777215 '-*' '+*qlog*' !/usr/local/bin/archive_qmail_qlog $LOGDIRQLOG
else
  exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog d s16777215 $LOGDIR
fi

If you want to print timestamps instead of readable datetimes, the qlog line above has to be changed as follows (note the additional blank space):

        n5 s16777215 '-*' '+* qlog*' !/usr/local/bin/archive_qmail_qlog $LOGDIRQLOG

If you want a dir (/var/log/qmail/smtpd/qlog) which separately saves just the "qlogenvelope" lines, such as the following:

@400000005855db3028811e24 qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp= pid=11928
@400000005855db322a892324 qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts= size=2689 authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp=11934 pid=11928

then create the archive_qmail_qlog script:

cat > /usr/local/bin/archive_qmail_qlog << __EOF__
#!/bin/sh
tai64nlocal >> /var/log/qmail/smtpd/qlog/qmail-smtpd.log
# let's prepare the same for qmail-smtpsd
tai64nlocal >> /var/log/qmail/smtpsd/qlog/qmail-smtpsd.log
__EOF__
chmod +x /usr/local/bin/archive_qmail_qlog

In this way we have the /var/log/qmail/smtpd/qlog/qmail-smtpd.log file with just the qlog lines in human-readable time format:

2016-01-29 13:15:17.677946500 qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp= pid=11928
2016-01-29 13:15:17.677946500 qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts= size=2689 authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp=11934 pid=11928

You may want to rotate this log file saving a "qlog" file like this in your logrotate configuration (/etc/logrotate.d/qlog in my Slackware):

cat > /etc/logrotate.d/qlog << __EOF__
/var/log/qmail/smtpd/qlog/qmail-smtpd.log /var/log/qmail/smtpsd/qlog/qmail-smtpsd.log {
missingok
notifempty
delaycompress
rotate 50
daily
minsize 2M
create 0644 qmaill root
}
__EOF__
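
Reading these logs in either multilog format, as an added example that is not part of the original guide: tai64n_to_epoch decodes the label printed by "multilog t", and qlog_summary counts qlogenvelope lines per remote IP whichever prefix multilog wrote. The function names, the shortened sample lines and the result=rejected value with its code are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not the guide's own code.

# Decode a TAI64N label ("@" + 24 hex digits) into "unix_seconds.nanoseconds".
# The first 16 digits hold 2^62 + 10 + Unix seconds (the constant that
# tai64nlocal subtracts); the last 8 digits hold the nanoseconds.
tai64n_to_epoch() {
  local label secs_hex nanos_hex
  label=${1#@}
  case $label in
    ''|*[!0-9a-fA-F]*) return 1 ;;        # not a hex label
  esac
  [ "${#label}" -eq 24 ] || return 1
  secs_hex=${label%????????}              # first 16 hex digits
  nanos_hex=${label#????????????????}     # last 8 hex digits
  printf '%d.%09d\n' "$(( 0x$secs_hex - 0x400000000000000a ))" "$(( 0x$nanos_hex ))"
}

# Constructed sample: documentation addresses, lines shortened to a few fields.
# "result=rejected" and "code=550" are assumed values, not captured output.
sample_qlog() {
  cat <<'EOF'
@400000005855db3028811e24 qlogenvelope: result=accepted code=250 helo=mx.example.org mailfrom=a@example.org rcptto=user@example.com remoteip=192.0.2.10 pid=11928
@400000005855db322a892324 qlogreceived: result=accepted code=250 helo=mx.example.org mailfrom=a@example.org rcptto=user@example.com remoteip=192.0.2.10 pid=11928
2024-07-31 18:06:03.823254532 qlogenvelope: result=rejected code=550 helo=h1 mailfrom=x@example.net rcptto=nobody1@example.com remoteip=203.0.113.7 pid=12001
2024-07-31 18:06:04.101000000 qlogenvelope: result=rejected code=550 helo=h1 mailfrom=x@example.net rcptto=nobody2@example.com remoteip=203.0.113.7 pid=12001
2024-07-31 18:06:04.907000000 qlogenvelope: result=rejected code=550 helo=h1 mailfrom=x@example.net rcptto=nobody3@example.com remoteip=203.0.113.7 pid=12002
2024-07-31 18:06:05.312000000 qlogenvelope: result=accepted code=250 helo=h1 mailfrom=x@example.net rcptto=user@example.com remoteip=203.0.113.7 pid=12003
2024-07-31 18:06:09.000000000 qlogenvelope: result=rejected code=550 helo=h2 mailfrom=y@example.net rcptto=nobody@example.com remoteip=198.51.100.23 pid=12010
2024-07-31 18:06:10.000000000 tcpserver: status: 1/200/0
EOF
}

# Per remote IP: "<remoteip> <envelope lines> <lines whose result is not accepted>",
# highest count of non-accepted lines first. Reads the named files, or stdin.
# helo, mailfrom and rcptto are client-supplied: awk only splits and compares
# them, nothing from the log is ever expanded or evaluated by the shell.
qlog_summary() {
  awk '
    {
      # The timestamp is one token with "multilog t" and two with "multilog d".
      start = ($1 ~ /^@[0-9a-f]+$/) ? 2 : 3
      if ($start != "qlogenvelope:") next
      result = ""; ip = ""
      for (i = start + 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
        if (key == "result" && result == "") result = val
        if (key == "remoteip" && ip == "") ip = val
      }
      if (ip == "") next
      total[ip]++
      if (result != "accepted") bad[ip]++
    }
    END { for (ip in total) printf "%s %d %d\n", ip, total[ip], bad[ip] + 0 }
  ' "$@" | sort -k3,3nr -k1,1
}

# Remote IPs with at least N non-accepted envelope lines.
# Usage: qlog_offenders N [file...]
qlog_offenders() {
  local n
  n=$1; shift
  qlog_summary "$@" | awk -v n="$n" '$3 >= n { print $1 }'
}

# Demo on the constructed sample.
sample_qlog | qlog_summary
```

On a real server the input would be the qmail-smtpd.log file written by archive_qmail_qlog, for example: qlog_offenders 20 /var/log/qmail/smtpd/qlog/qmail-smtpd.log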

File /var/qmail/supervise/qmail-smtpsd/run

#!/bin/sh

QMAILDIR=/var/qmail
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat $QMAILDIR/control/concurrencyincoming`
SOFTLIMIT=`cat $QMAILDIR/control/softlimit`
LOCAL=`head -1 $QMAILDIR/control/me`
TCPRULES_DIR=/var/qmail/control

SSL_DIR="$QMAILDIR/control"
SSL_CHROOT="$SSL_DIR"
SSL_UID=$QMAILDUID
SSL_GID=$NOFILESGID
CERTFILE="$SSL_DIR/servercert.pem"
KEYFILE="$SSL_DIR/servercert.pem"
DHFILE="$SSL_DIR/dh4096.pem"
export SSL_UID SSL_GID SSL_CHROOT
export CERTFILE KEYFILE DHFILE

#export REJECTNULLSENDERS=1
export SMTPAUTH="!"

# qmail-spp plugins
#export ENABLE_SPP=1
#export HELO_DNS_CHECK=PLRIV

# This enables greetdelay for qmail-smtpd
export SMTPD_GREETDELAY=20
export DROP_PRE_GREET=1

# greylisting
#export JGREYLIST_DIR="$QMAILDIR/jgreylist"
#export JGREYLIST_LOG_SMTP=1

# enable chkuser
export CHKUSER_START=ALWAYS

################### DKIM - SURBL configuration #################################
# DKIMQUEUE and SURBLQUEUE are front-ends of qmail-queue
export SURBL=1 # Comment out to enable SURBL filtering

# If simscan is not installed yet, do not assign QMAILQUEUE
# so that the installation works at the beginning stage as well
if [ -x $QMAILDIR/bin/simscan ]; then
  export QMAILQUEUE=$QMAILDIR/bin/surblqueue # executes surblfilter
  export SURBLQUEUE=$QMAILDIR/bin/simscan    # executes simscan after SURBL
  #export QMAILQUEUE=$QMAILDIR/bin/simscan # do not execute SURBL nor DKIM filtering

  #### qmail-dkim disabled => no dkim verification
  #### to have verification active export SURBLQUEUE=$QMAILDIR/bin/qmail-dkim. Otherwise the following will be ignored
  #export SURBLQUEUE=$QMAILDIR/bin/qmail-dkim # executes qmail-dkim after surblfilter

  export DKIMQUEUE=$QMAILDIR/bin/simscan     # simscan is executed after qmail-dkim

  # DKIM verification. Use carefully
  export DKIMVERIFY="FGHKLMNOQRTVWp"
  # allow msg without "subject" in the h= list
  export UNSIGNED_SUBJECT=1
  # avoid verification of outgoing messages
  export RELAYCLIENT_NODKIMVERIFY=1
fi
################################################################################

# turn off STARTTLS on port 465 (sslserver already wraps the connection in TLS)
export DISABLETLS=1
export FORCETLS=0

# require that authenticated user and 'mail from' are identical
export FORCEAUTHMAILFROM="1"

# rcptcheck-overlimit. Limits the number of emails sent by relayclients
if [ -x $QMAILDIR/bin/rcptcheck-overlimit.sh ]; then
  export RCPTCHECK=$QMAILDIR/bin/rcptcheck-overlimit.sh
  export RCPTCHECKRELAYCLIENT="1"
fi

# enable simscan debug
#export SIMSCAN_DEBUG=4
#export SIMSCAN_DEBUG_FILES=2

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/sslserver -seV -Rp -l "$LOCAL" \
    -Xx $TCPRULES_DIR/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtps \
    $QMAILDIR/bin/qmail-smtpd ~vpopmail/bin/vchkpw /bin/true 2>&1

File qmail/supervise/qmail-smtpsd/log/run

#!/bin/sh

LOGUSER="qmaill"
LOGDIR="/var/log/qmail/smtpsd"
LOGDIRQLOG="/var/log/qmail/smtpsd/qlog"

if [ -x /usr/local/bin/archive_qmail_qlog ]; then
  exec /usr/local/bin/setuidgid $LOGUSER /usr/local/bin/multilog d n5 s16777215 $LOGDIR \
  	n5 s16777215 '-*' '+*qlog*' !/usr/local/bin/archive_qmail_qlog $LOGDIRQLOG
else
  exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog d s16777215 $LOGDIR
fi

Again, if you want to print timestamps instead of readable datetimes, the qlog line above has to be changed as follows (note the additional blank space):

        n5 s16777215 '-*' '+* qlog*' !/usr/local/bin/archive_qmail_qlog $LOGDIRQLOG

File qmail/supervise/qmail-send/run

#!/bin/sh
exec /var/qmail/rc

File qmail/supervise/qmail-send/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog d s16000000 n200 /var/log/qmail/send

File qmail/supervise/qmail-submission/run

This service makes the MTA also act as an outgoing relay, but the user must authenticate (with TLS encryption).

#!/bin/sh

QMAILDIR=/var/qmail
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat $QMAILDIR/control/concurrencyincoming`
SOFTLIMIT=`cat $QMAILDIR/control/softlimit`
LOCAL=`head -1 $QMAILDIR/control/me`
TCPRULES_DIR=/var/qmail/control

# You MUST export this, otherwise you'd get a 30 sec timeout
# "!" if you want the submission feature (auth required)
export SMTPAUTH="!"

# This enables greetdelay for qmail-smtpd.
export SMTPD_GREETDELAY=3
export DROP_PRE_GREET=1

# This enables chkuser
export CHKUSER_START=ALWAYS

# This makes qmail to allow connections without TLS (default 1)
#export FORCETLS=0

# This turns off TLS on port 587 (default 0)
#export DISABLETLS=1

# Requires that authenticated user and 'mail from' are identical (default 0)
export FORCEAUTHMAILFROM=1

# rcptcheck-overlimit. Limits the number of emails sent by relayclients
#export RCPTCHECK=$QMAILDIR/bin/rcptcheck-overlimit.sh
#export RCPTCHECKRELAYCLIENT=1

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" \
    -x $TCPRULES_DIR/tcp.submission.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    $QMAILDIR/bin/qmail-smtpd \
    ~vpopmail/bin/vchkpw /bin/true 2>&1

Note the use of vchkpw in conjunction with qmail-smtpd to ensure authentication. The connection requires TLS enabled. This is the reason why we opened a separate secure connection on port 587 to allow remote clients to use our MTA as a relay.

The SMTPAUTH variable is related to the authentication patch. Take a look at the README.auth file for further details.
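
A lint for the AUTH/TLS combinations in the three run scripts above, as an added example that is not part of the original guide. It assumes the meanings given in those scripts' own comments (an exported SMTPAUTH offers AUTH, FORCETLS=0 allows connections without TLS, DISABLETLS=1 turns STARTTLS off, sslserver provides TLS for the whole session); the function names and verdict strings are hypothetical.

```sh
#!/bin/sh
# Added example, not the guide's own code.

# Print one verdict for a supervise "run" script:
#   no-auth                    SMTPAUTH is not exported (port 25 above)
#   auth-inside-implicit-tls   AUTH offered, server started by sslserver (port 465)
#   auth-requires-starttls     AUTH offered under tcpserver, TLS left enforced (port 587)
#   auth-without-tls-possible  AUTH offered under tcpserver with FORCETLS=0 or
#                              DISABLETLS=1 active: credentials may cross in clear
smtp_auth_exposure() {
  awk '
    /^[ \t]*#/ { next }                      # commented-out settings are inactive
    /^[ \t]*export[ \t]+SMTPAUTH=/                 { auth = 1 }
    /^[ \t]*export[ \t]+FORCETLS="?0"?([ \t]|$)/   { optional = 1 }
    /^[ \t]*export[ \t]+DISABLETLS="?1"?([ \t]|$)/ { off = 1 }
    /sslserver/                                    { implicit = 1 }
    END {
      if (!auth)                print "no-auth"
      else if (implicit)        print "auth-inside-implicit-tls"
      else if (optional || off) print "auth-without-tls-possible"
      else                      print "auth-requires-starttls"
    }
  ' "$1"
}

# Write constructed excerpts of the run scripts above (relevant lines only,
# exec lines shortened) into directory $1.
write_samples() {
  cat > "$1/smtpd" <<'EOF'
#export SMTPAUTH="!cram"
#export DISABLETLS="1"
exec /usr/local/bin/tcpserver -v -R 0 25 /var/qmail/bin/qmail-smtpd /bin/true 2>&1
EOF
  cat > "$1/smtpsd" <<'EOF'
export SMTPAUTH="!"
export DISABLETLS=1
export FORCETLS=0
exec /usr/local/bin/sslserver -seV -Rp 0 smtps /var/qmail/bin/qmail-smtpd /bin/true 2>&1
EOF
  cat > "$1/submission" <<'EOF'
export SMTPAUTH="!"
#export FORCETLS=0
#export DISABLETLS=1
exec /usr/local/bin/tcpserver -v -R 0 587 /var/qmail/bin/qmail-smtpd /bin/true 2>&1
EOF
  # The weak variant: the same submission script with FORCETLS=0 uncommented.
  sed 's/^#export FORCETLS=0/export FORCETLS=0/' "$1/submission" > "$1/submission.weak"
}

# Print "<file> <verdict>" for every file in directory $1.
audit_dir() {
  local f
  for f in "$1"/*; do
    printf '%-16s %s\n' "${f##*/}" "$(smtp_auth_exposure "$f")"
  done
}

# Demo on the constructed excerpts.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_dir "$demo_dir"
rm -rf "$demo_dir"
```

On a live system the same function can be pointed at the real files, for example: smtp_auth_exposure /var/qmail/supervise/qmail-submission/run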

File qmail/supervise/qmail-submission/log/run

#!/bin/sh

LOGUSER="qmaill"
LOGDIR="/var/log/qmail/submission"

exec /usr/local/bin/setuidgid $LOGUSER /usr/local/bin/multilog d s16000000 n200 $LOGDIR

File qmail/supervise/vpopmaild/run

#!/bin/sh
QMAILDUID=`id -u root`
NOFILESGID=`id -g root`
VPOPMAILID=`id -g vpopmail`

exec /usr/local/bin/softlimit -m 30000000 \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -u $QMAILDUID -g $NOFILESGID 0 $VPOPMAILID \
    ~vpopmail/bin/vpopmaild 2>&1

vpopmaild is important when connecting to vpopmail via webmail to change the password, for instance.

File qmail/supervise/vpopmaild/log/run

#!/bin/sh

LOGUSER="qmaill"
LOGDIR="/var/log/qmail/vpopmail"

exec /usr/local/bin/setuidgid $LOGUSER /usr/local/bin/multilog d $LOGDIR

File qmail/supervise/vusaged/run

#!/bin/sh
exec ~vpopmail/bin/vusaged 2>&1

File qmail/supervise/vusaged/log/run

#!/bin/sh
exec setuidgid qmaill /usr/local/bin/multilog d /var/log/qmail/vusaged

cronjobs

To back up the log files of the qmail services we'll use the convert-multilog script from John Simpson (thanks to the author and to Marc for the suggestion), who describes the script as follows:

convert-multilog is a script which searches "/service/*/log/main" for any "@4*" files (the automatic cut-off files generated by multilog), converts their timestamps from tai64n to human-readable format, and writes them to /var/log/{service}.{date}. Once the lines from a given "@4*" file have been converted, the file is deleted.

The log files are saved separated by date, for example

-rw-r--r-- 1 root   root   259558 Aug 24 12:21 qmail-smtpd.2014-08-20
-rw-r--r-- 1 root   root   806917 Aug 24 12:21 qmail-smtpd.2014-08-21
-rw-r--r-- 1 root   root  1523116 Aug 24 12:21 qmail-smtpd.2014-08-22
-rw-r--r-- 1 root   root   364022 Aug 24 12:21 qmail-smtpd.2014-08-23

Inside each file the date is now human-readable

2014-08-23 00:31:49.503947500 tcpserver: status: 1/20

This is very useful when you have to do quick searches.

Install like this:

mkdir -p /var/log/qmail/backup
wget -O  /usr/local/bin/convert-multilog https://notes.sagredo.eu/files/qmail/convert-multilog
chmod +x /usr/local/bin/convert-multilog

ln -s /var/log/qmail/send       /service/qmail-send/log/main 
ln -s /var/log/qmail/smtpd      /service/qmail-smtpd/log/main 
ln -s /var/log/qmail/smtpsd     /service/qmail-smtpsd/log/main
ln -s /var/log/qmail/submission /service/qmail-submission/log/main

NB: the script that you have downloaded is my patched version, which gains compatibility with the readable datetime format (daemontools' multilog_readable-datetime patch). If you decided to use timestamps, then download the original convert-multilog program.

Now set up a cronjob once a day. And since we want to convert each log file every day, we have to rotate them on a daily basis. So we'll add something like this to our crontab:

cat > /etc/cron.d/qmail << EOF
# convert-multilog
59 2 * * * /usr/local/bin/convert-multilog 1> /dev/null
# qmail log
0 0  * * * /usr/local/bin/svc -a /service/qmail-submission/log
0 0  * * * /usr/local/bin/svc -a /service/qmail-smtpd/log
0 0  * * * /usr/local/bin/svc -a /service/qmail-smtpsd/log
0 0  * * * /usr/local/bin/svc -a /service/qmail-send/log
0 0  * * * /usr/local/bin/svc -a /service/vpopmaild/log
0 0  * * * /usr/local/bin/svc -a /service/vusaged/log
EOF

Be aware that, at least on RedHat-like OSes, each cronjob must specify the user who runs the job, so the same cronjobs must be written as follows:

cat > /etc/cron.d/qmail << EOF
# convert-multilog
59 2 * * * root /usr/local/bin/convert-multilog 1> /dev/null
# qmail log
0 0 * * * root /usr/local/bin/svc -a /service/qmail-submission/log
0 0 * * * root /usr/local/bin/svc -a /service/qmail-smtpd/log
0 0 * * * root /usr/local/bin/svc -a /service/qmail-smtpsd/log
0 0 * * * root /usr/local/bin/svc -a /service/qmail-send/log
0 0 * * * root /usr/local/bin/svc -a /service/vpopmaild/log
0 0 * * * root /usr/local/bin/svc -a /service/vusaged/log
EOF

qmailctl script

As usual we will put the script in /usr/local/bin and give it the +x flag.

wget -O /usr/local/bin/qmailctl https://notes.sagredo.eu/files/qmail/qmailctl
chmod +x /usr/local/bin/qmailctl

The startup script below does the following:

  • Starts/stops the services
  • Calls tcprules to reload tcp.smtp.cdb and tcp.submission.cdb
  • Shows the status of the services and the queue
  • Shows the up/down status of some other related daemons
  • Shows the date of the clamav database

Note that it starts and stops vpopmaild also, and starts both normal SMTP on port 25, and the submission service on port 587, where SMTP authentication is required to perform outgoing relay for remote users. In any event, be sure to review the service list to make sure it reflects the services you want to provide.

#!/bin/bash
#
# tx Sam Tang
#
# May 25, 2022
# a few modifications by Roberto Puzzanghera to avoid error strings in the service uptime when service is stopped
#
# Aug 07, 2022
# now the script exits if services are not started with svscanboot or the supervise script is missing
#

# Put here the services you want to manage
svclist="qmail-smtpd qmail-smtpsd qmail-submission qmail-send vpopmaild vusaged"
# Put here the services you want to monitor
servicelist="dovecot clamd freshclam spamd solr httpd mariadb fail2ban"

QMAILDIR=/var/qmail
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
TCPRULES_DIR=/var/qmail/control

PATH=$QMAILDIR/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH 

function show_uptime() {
	re='^[0-9]+$'
	org="$(svstat /service/$1 | awk '{print $2,$3,$4;}' | sed 's/up/[ up ]/g' | sed 's/down/[ down ]/g' | sed ''/up/s//`printf "\033[1\;32mup\033[0m"`/'' | sed ''/down/s//`printf "\033[1\;31mdown\033[0m"`/'')"
	sec="$(svstat /service/$1 | awk '{print $5;}')"
	if ! [[ $sec =~ $re ]]; then
		sec="$(svstat /service/$1 | awk '{print $3;}')"
    fi
	d=$(( $sec / 86400))
	h=$(( $(($sec - $d * 86400)) / 3600 ))
	m=$(( $(($sec -d * 86400 - $h * 3600)) / 60 ))
	s=$(($sec -d * 86400 - $h * 3600 - $m * 60))

	if [ $sec -le 60 ]; then
		if [[ "$(svstat /service/$1 | awk '{print $2}')" = 'down' ]]; then
			printf "%-22s %s %s %s %s %s\n" "$1:" $org
		else
			printf "%-22s %s %s %s %s %s %s seconds\n" "$1:" $org $s
		fi
	else
		printf "%-22s %s %s %s %s %s %3s day(s), %02d:%02d:%02d\n" "$1:" $org $d $h $m $s
	fi
}

# check if qmail has been started at boot time
function svscan_check() {
	if ! pgrep -x "svscanboot" > /dev/null; then
		echo "/command/svscanboot not running. Please start qmail running:"
		echo "qmailctl boot"
		echo "or"
		echo "/command/svscanboot"
		exit 1
	fi
}

case "$1" in
  start)
    svscan_check
    echo "Starting qmail"

    for svc in $svclist ; do
	if [ ! -x /service/$svc ]; then
	  echo $svc service script not found
    	elif svok /service/$svc ; then
     	  svc -u /service/$svc
     	else
     	  echo $svc service not running
     	fi
    done

    if [ -d /var/lock/subsys ]; then
      touch /var/lock/subsys/qmail
    fi
    ;;
  stop)
    svscan_check
    echo "Stopping qmail..."
    for svc in $svclist ; do
      if [ ! -x /service/$svc ]; then
        echo $svc service script not found
	  else
      	echo " $svc"
      	svc -d /service/$svc
	  fi
    done
    if [ -f /var/lock/subsys/qmail ]; then
    rm /var/lock/subsys/qmail
    fi
    ;;
  stat)
    svscan_check
    for svc in $svclist ; do
      if [ ! -x /service/$svc ]; then
		echo $svc service script not found
	  else
        show_uptime $svc
        show_uptime "$svc/log"
	  fi
    done
    echo ""
    for service in $servicelist ; do
      printf "%-22s " "$service status:"
      if (( $(ps -ef | grep -v grep | grep $service | wc -l) > 0 ))
      then
          echo -e "[ \033[1;32mup\033[m ]"
      else
          echo -e "[ \033[1;31mdown\033[m ]"
      fi
    done
    if [ -f $QMAILDIR/control/simversions.cdb ]; then
    	printf "\nClamAV database updated at: "
	stat --printf=%y $QMAILDIR/control/simversions.cdb | cut -d. -f1
    fi
    if [ -f $QMAILDIR/users/assign ]; then
	printf "Total Domains: "
	wc -l < $QMAILDIR/users/assign
    fi
    echo ""
    qmail-qstat
    ;;
  doqueue|alrm|flush)
    svscan_check
    echo "Sending ALRM signal to qmail-send."
    svc -a /service/qmail-send
    ;;
  queue)
    svscan_check
    qmail-qstat
    qmail-qread
    ;;
  reload|hup)
    svscan_check
    echo "Sending HUP signal to qmail-send."
    svc -h /service/qmail-send
    ;;
  pause)
    svscan_check
    for svc in $svclist ; do
      echo "Pausing $svc"
      svc -p /service/$svc
    done
    ;;
  cont)
    svscan_check
    for svc in $svclist ; do
      echo "Continuing $svc"
      svc -c /service/$svc
    done
    ;;
  restart)
    svscan_check
    echo "Restarting qmail:"
    for svc in $svclist ; do
      if [ "$svc" != "qmail-send" ] ; then
        echo "* Stopping $svc."
        svc -d /service/$svc
      fi
    done
    echo "* Sending qmail-send SIGTERM and restarting."
    svc -t /service/qmail-send
    for svc in $svclist ; do
      if [ "$svc" != "qmail-send" ] ; then
        echo "* Restarting $svc."
        svc -u /service/$svc
      fi
    done
    ;;
  cdb)
    if ! grep '\#define POP_AUTH_OPEN_RELAY 1' ~vpopmail/include/config.h >/dev/null; then
      (cd $TCPRULES_DIR ; cat tcp.smtp | tcprules tcp.smtp.cdb tcp.smtp.tmp)
      echo "Updated tcp.smtp.cdb."
      (cd $TCPRULES_DIR ; cat tcp.submission | tcprules tcp.submission.cdb tcp.submission.tmp)
      echo "Updated tcp.submission.cdb."
    else
      ~vpopmail/bin/clearopensmtp
      echo "Ran clearopensmtp."
    fi
    ;;
  clear)
    svscan_check
    echo "Clearing readproctitle service errors with ................."
    svc -o /service/clear
    ;;
  kill)
    svscan_check
    echo "First stopping services ... "
    for svc in $svclist ; do
    	if svok /service/$svc ; then
            svc -d /service/$svc
            svc -d /service/$svc/log
    	fi
    done
    echo "Now sending processes the kill signal ... "
        killall -g svscanboot
    echo "done"
    ;;
  boot)
    echo "Starting qmail"
    /command/svscanboot &
    ;;
  reboot)
    $0 kill
    sleep 5
    $0 boot
    ;;
  help)
    cat <<HELP
    stop -- stops mail service (smtp connections refused, nothing goes out)
   start -- starts mail service (smtp connection accepted, mail can go out)
   pause -- temporarily stops mail service (connections accepted, nothing leaves)
    cont -- continues paused mail service
    stat -- displays status of mail service
     cdb -- rebuild the tcpserver cdb file for smtp
 restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
 doqueue -- sends qmail-send ALRM, scheduling queued messages for delivery
  reload -- sends qmail-send HUP, rereading locals and virtualdomains
   queue -- shows status of queue
    alrm -- same as doqueue
   flush -- same as doqueue
     hup -- same as reload
   clear -- clears the readproctitle service errors with .....................
    kill -- svc -d processes in svclist, then do 'killall -g svscanboot'
    boot -- Boots qmail and all services in /service running /command/svscanboot
  reboot -- kill & boot commands in sequence
HELP
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|clear|kill|boot|reboot|help}"
    exit 1
    ;;
esac

exit 0

Usage

# qmailctl help

    stop -- stops mail service (smtp connections refused, nothing goes out)
   start -- starts mail service (smtp connection accepted, mail can go out)
   pause -- temporarily stops mail service (connections accepted, nothing leaves)
    cont -- continues paused mail service
    stat -- displays status of mail service
     cdb -- rebuild the tcpserver cdb file for smtp
 restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
 doqueue -- sends qmail-send ALRM, scheduling queued messages for delivery
  reload -- sends qmail-send HUP, rereading locals and virtualdomains
   queue -- shows status of queue
    alrm -- same as doqueue
   flush -- same as doqueue
     hup -- same as reload
   clear -- clears the readproctitle service errors with .....................
    kill -- svc -d processes in svclist, then do 'killall -g svscanboot'
    boot -- Boots qmail and all services in /service running /command/svscanboot
  reboot -- kill & boot commands in sequence

qmailctl can be used to kill all qmail processes and to reboot the server. I use this option inside the rc.6 of my Slackware virtual server to avoid error messages when stopping or rebooting the guest. You can easily call the clear service as well.

Compiling the tcprules

If you have not done so yet, compile your tcprules files:

> qmailctl cdb

Updated tcp.smtp.cdb. 
Updated tcp.submission.cdb.

You have to recompile the tcprules each time you modify tcp.smtp or tcp.submission. There's no need to restart qmail.

svtools

This is a nice collection of tools to manage daemontools' services that you may want to consider. mlcat is one of those; it can cat a service's log with human readable dates with a short command like:

mlcat qmail-smtpd

I slightly modified that script here, just to use it without the need of the "qmail-" prefix:

mlcat smtpd

Installing

cd /usr/local/src
wget https://github.com/kayahr/svtools/archive/master.zip
unzip master.zip
cd svtools-master
make
make install
mkdir /etc/sv /var/log/sv
chown root:root /etc/sv /var/log/sv
cd /usr/local/bin
rm mlcat
wget https://notes.sagredo.eu/files/qmail/mlcat
chmod +x mlcat

Running qmail at boot time

The command /command/svscanboot was inserted in your /etc/inittab when you installed daemontools, or you have installed a daemontools systemd service, as already explained here.

Comments

Disable TLS 1.0 and 1.1 because of an automated vulnerability scan that is required

Hi,

I'm trying to find a way to disable TLS versions 1.0 and 1.1 in qmail because I am required to pass some automated vulnerability scan and this is the last item that still pops up.

I can't find a way! I've read a lot from this site, from the github repo, etc.

I tried finding an environment variable for this. I tried finding a configuration file for this. I tried updating the OS, changing the openssl conf at /etc/ssl/openssl.cnf to require a minimum protocol version of TLS 1.2. I tried recompiling qmail from the latest source as found in your github, hoping that would honour the openssl system-wide conf.

Nothing works. I can't find any way. I have no clue if I'm doing something wrong or if qmail just doesn't care about /etc/ssl/openssl.cnf.

Your input will be very much appreciated!

Regards,
Plamen

Reply |

Disable TLS 1.0 and 1.1 because of an automated vulnerability scan that is required

Hi Plamen, can you try

echo 'HIGH:MEDIUM:!MD5:!RC4:!3DES:!LOW:!SSLv2:!SSLv3:!TLSv1' > /var/qmail/control/tlsserverciphers 

and restart qmail?

Also run the testssl.sh program suggested at the bottom of the "testing" page in this site to confirm that TLS v1 has been denied.

Reply |

Keep the email while user over quota

Hi Roberto,

May I check with you: if the user's mailbox is full, can the system automatically keep the email in a folder or forward it to an email address, so that later we can check that folder and forward it back to the user?

Thx

Regards,

Kenny

Reply |

Keep the email while user over quota

Hi Kenny, as far as I know there is no possibility with qmail

Reply |

some bugs?

Hello, I found some bugs that I think deserve attention:

1)

In the file /var/qmail/supervise/qmail-smtpsd/run, instead of:

exec ...
$QMAILDIR/bin/qmail-smtpd /bin/true 2>&1

shouldn't it be:

exec ...
$QMAILDIR/bin/qmail-smtpd \
~vpopmail/bin/vchkpw /bin/true 2>&1

Because with /bin/true as a parameter of qmail-smtpd without vchkpw, you get invalid auth giving "235 ok, go ahead."

2)

Still in /var/qmail/supervise/qmail-smtpsd/run, in your default configuration, since the TLS connection is made by sslserver, but qmail-smtp doesn't know this... you need:

export DISABLETLS=1
export FORCETLS=0

Otherwise, auth is deactivated until you run a STARTTLS, which doesn't make sense because the connection is already encrypted.

Since the connection was already encrypted before qmail-smtpd, for it, the connection is transparent, and it should allow auth without TLS and not offer the STARTTLS option at all.

3)

There is a bug in the function "void smtp_auth(arg)" of qmail-smtpd.c that when you try to give "auth" without a parameter (or using an invalid one), instead of giving the error of not implemented (or not available), it kills the connection due to a segfault in qmail-smtpd.

At https://www.fehcom.de/sqmail/sqmail.html  they mention this:

[20230931#1/4.3.02] qmail-smtpd may segfault in case of invalid AUTH method input.

Maybe this patch needs updating here too?

Regards,

Reply |

some bugs?

you have a testing branch with the invalid-auth issue cured here https://github.com/sagredo-dev/qmail/tree/authinvalid. Can you give it a try?

commit: https://github.com/sagredo-dev/qmail/compare/main...authinvalid

Reply |

some bugs?

I applied this patch, and it worked for submission (587), but in 465 we still have a segfault with invalid auths. I don't understand why the err_authinvalid function you added doesn't work for it.

Reply |

some bugs?

Now it should work with both 587 and 465 ports

Reply |

some bugs?

It worked perfectly! tks...

Reply |

some bugs?

Hello,

1) This is intentional as I'm not allowing the auth on port 25 for security reasons

2) yes, I'll correct the qmail-smtps/run accordingly

3) I'll have a look at it, but I'm not sure I can update the auth feature, as s/qmail doesn't publish the exact modifications related to each commit

Reply |

some bugs?

Regarding item 1, I am indeed referring to qmail-smtpsd (port 465), not the smtpd on port 25.

Reply |

some bugs?

Ok, I'll do that. Thanks for the hint

Reply |
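A defender-side check for item 1 of the "some bugs?" thread above, as an added example that is not part of the original comments or of the guide's own scripts: it scans daemontools run files and flags any qmail-smtpd invocation whose first argument (the checkpassword slot) is /bin/true instead of a real checker such as vchkpw. The function names, the verdict labels and the two sample run files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): flag run files where qmail-smtpd is
# given /bin/true in the checkpassword slot, so any password is accepted.

# Print the first argument following qmail-smtpd in run file $1.
# Prints nothing if qmail-smtpd is not invoked, "NOARG" if it has no argument.
smtpd_first_arg() {
    # Drop whole-line comments, then join backslash-continued lines in awk.
    sed -e 's/^[[:space:]]*#.*$//' "$1" | awk '
        { sub(/[ \t]+$/, "") }                       # strip trailing blanks
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
        {
            n = split(buf $0, w, /[ \t]+/); buf = ""
            for (i = 1; i <= n; i++)
                if (w[i] == "qmail-smtpd" || w[i] ~ /\/qmail-smtpd$/) {
                    print (i < n ? w[i + 1] : "NOARG")
                    exit
                }
        }'
}

# Classify run file $1 as SKIP, FAIL, NOCHECKER or "OK <checker>".
classify_run_file() {
    arg=$(smtpd_first_arg "$1")
    case "$arg" in
        "")
            echo "SKIP" ;;        # qmail-smtpd is not started by this file
        true|/bin/true|/usr/bin/true)
            echo "FAIL" ;;        # always exits 0, so every AUTH attempt succeeds
        NOARG|[0-9]*|'>'*|'|'*|'&'*|';'*)
            echo "NOCHECKER" ;;   # no checkpassword argument was found
        *)
            echo "OK $arg" ;;     # a checker is named; confirm it is the intended one
    esac
}

# Print one verdict per file; return 1 if any file is a FAIL.
audit_run_files() {
    rc=0
    for f in "$@"; do
        verdict=$(classify_run_file "$f")
        printf '%s\t%s\n' "$f" "$verdict"
        if [ "$verdict" = "FAIL" ]; then rc=1; fi
    done
    return $rc
}

# Write two constructed, abbreviated run files into directory $1:
# the form reported in the thread and the form proposed as the fix.
make_samples() {
    cat > "$1/run.before" <<'EOF'
#!/bin/sh
QMAILDIR=/var/qmail
exec /usr/local/bin/softlimit -m 25000000 \
     $QMAILDIR/bin/qmail-smtpd /bin/true 2>&1
EOF
    cat > "$1/run.after" <<'EOF'
#!/bin/sh
QMAILDIR=/var/qmail
exec /usr/local/bin/softlimit -m 25000000 \
     $QMAILDIR/bin/qmail-smtpd \
     ~vpopmail/bin/vchkpw /bin/true 2>&1
EOF
}

# Usage: sh audit-smtpd-auth.sh /var/qmail/supervise/*/run
if [ "$#" -gt 0 ]; then audit_run_files "$@"; fi
```

On a service where AUTH is deliberately not offered (port 25 in this guide, per the author's reply in the thread), a FAIL verdict is the expected result; it needs attention on the services that accept authentication.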

Configuration Files

Hi Roberto,
regarding your /var/qmail/rc, /var/qmail/supervise/qmail-smtpd/run and /var/qmail/supervise/qmail-submission/run files, can I have the files configured only for the beginning stage? Because right now your files include applications which are not yet set up, like simscan, DKIM, SPP and other checks...

Maybe we can enable those commands only when we reach that stage, so that our testing on SMTP and 587 is workable?

Thank you

Reply |

Configuration Files

Hi Kenny,

all features that may fault at the beginning stage are disabled by default. For example, DKIM_ON is commented out in your rc and qmail-dkim is not launched in your qmail-smtpd run file.  rcptcheck-overlimit is ignored if not configured yet, while greylisting and qmail-spp are commented out.

The only features that are enabled by default are greetdelay, chkuser and SURBL, which don't need any attention. You can comment out those lines.

Reply |

Configuration Files

you are right concerning simscan. If not configured yet you have to comment out these lines

export QMAILQUEUE=$QMAILDIR/bin/surblqueue # executes surblfilter
export SURBLQUEUE=$QMAILDIR/bin/simscan # executes simscan after SURBL

I'll do a modification to check if simscan is installed as soon as I have time

Reply |

Configuration Files

I did the modification. Check it out

Reply |

TCPRULES_DIR

Hi Roberto,

regarding your qmail/supervise/qmail-smtpd/run file

TCPRULES_DIR=/var/qmail/control

If I follow your steps, tcp.smtp.cdb is located at /home/vpopmail/etc/, right?

Reply |

TCPRULES_DIR

Hi Kenny, you have to put in TCPRULES_DIR the location of the tcp.smtp.cdb file, so in your case it will be

TCPRULES_DIR=/home/vpopmail/etc

you have to adjust the qmailctl script as well

Reply |

authentication issues on port 587

Hi Roberto, thank you so much for this guide. 

I've followed the guide step by step, and I keep on getting the error "421 unable to read controls (#4.3.0)" when testing port 587 authentication

I've tried researching the issue, and I can't seem to fix the issue. 

Where might I be going wrong? 

Reply |

authentication issues on port 587

Hi jeff, perhaps you enabled SPP and forgot to create the smtpplugins control file?

Reply |

question regarding SRS

Maybe dumb question but I haven't found an answer till now:

If I have a server with multiple virtual EMail-Domains - do I need SRS configuration for only the main domain or every virtual domain.

And if yes - how is the syntax for /var/qmail/control/srs_domain?

Every domain in a new line?

Thanks in advance!

Regards,

Herbert

Reply |

question regarding SRS

it's not a dumb question at all :)

I have just "srs.sagredo.eu" in my srs_domain control file

libsrs2 site says https://www.libsrs2.org/docs/mta-users.html

srs_domain (string)

A domain to use in rewritten addresses. This must point only to machines which know the encoding secret used by this system since any bounces will go to the MX for this domain. This is primarily of use when a system forwards mail for multiple virtual domains, or multiple mail servers forward mail for a single domain using different secrets. It may default to something sensible on some MTAs where appropriate information is available to the SRS subsystem.

Reply |

question regarding SRS

Hi Roberto,

my question was because of a problem I have with a mailserver.
Google is imho one of the most restrictive EMailproviders and with Google mailservers SRS works like a charm in my "Multidomainenvironment" with one SRS Domain for all EMaildomains I have.
But when I last checked the maillogs a mailserver complained about "forged EMail".
So I can treat this as an error from the other EMailserver not "understanding" SRS rewrites?

And besides that I recognized that spf.pobox.com is not working anymore?
Could you or anyone check if this is true and if yes maybe you could change the error message for SPF error response in the sourcecode?

Thanks in advance for your help!

Herbert

Reply |

question regarding SRS

Be aware that you can always overwrite the default SPF explanation by means of the /var/qmail/control/spfexp file. BTW I'll change it with a generic explanation in the next patch release

Reply |

question regarding SRS

ah - ok - didn't know this...maybe this solves some problems - I'm curious :-)

Regards,

Herbert

Reply |

question regarding SRS

Hi Herbert,

> Google is imho one of the most restrictive EMailproviders and with Google mailservers SRS works like a charm in my "Multidomainenvironment" with one SRS Domain for all EMaildomains I have.

I can confirm that

> But when I last checked the maillogs a mailserver complained about "forged EMail".
> So I can treat this as an error from the other EMailserver not "understanding" SRS rewrites?

I presume that this is the answer. I haven't done tests with providers without srs.

Did you set the SPF record for your srsdomain? When I do tests with google I pass the SPF, but the DKIM sign fails, as the message is signed by the remote receiver. So it's possible that it is classified as "forged" when both SPF and DKIM fail and DMARC with them

> And besides that I recognized that spf.pobox.com is not working anymore?
> Could you or anyone check if this is true and if yes maybe you could change the error message for SPF error response in the sourcecode?

I know... anyone can suggest a free spf checker?

Reply |

smtps port 465 or submission port 587 support multiple domains ssl cert

Hi,

Would like to know the smtps port 465 or submission port 587 support multiple domains ssl cert ?

Beside using the letsencrypt to create the multiple ssl cert in single file.

Reply |

smtps port 465 or submission port 587 support multiple domains ssl cert

Yes. There's no need for a specific support for multiple domains cert. It will accept the connection if the cert is valid

Reply |

typo in smtpsd log script

Hi, I think there's a minor typo in the smtpsd log part. (I noticed it when running qmailctl stat -> log of smtpd was always 1 or 0.) But the actual typo seems to be in smtpsd:

#!/bin/sh

LOGUSER="qmaill"
LOGDIR="/var/log/qmail/smtpsd"
LOGDIRQLOG="/var/log/qmail/smtpsd/qlog"

if [ -x /usr/local/bin/archive_qmail_qlog ]; then
  exec /usr/local/bin/setuidgid $LOGUSER /usr/local/bin/multilog t n5 s16777215 $LOGDIR \
  	n5 s16777215 '-*' '+* qlog*' !/usr/local/bin/archive_qmail_qlog $LOGDIRQLOG
else
  exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s16777215 /var/log/qmail/smtpd  # <-- should be smtpsd
fi

Reply |

typo in smtpsd log script

Yes you are right. Corrected. I'll correct the tar file as well later

Reply |

Typo?

Hi Roberto,

I think you have typo in your manual:

cd /service/qmail-send/log/
ln -s /var/log/qmail/send /service/qmail-send/log/main 
ln -s /var/log/qmail/smtpd /service/qmail-smtpd/log/main 
ln -s /var/log/qmail/submission /service/qmail-submission/log/main 
ln -s /var/log/qmail/vpopmaild /service/qmail-submission/log/main

Imho the last line should look like this:

ln -s /var/log/qmail/vpopmaild /service/vpopmaild/log/main

and shouldn't be the "clear-service" also under /service?

lrwxrwxrwx 1 root root 22 Feb 2 12:43 clear -> /var/qmail/admin/clear
lrwxrwxrwx 1 root root 31 Jan 31 08:27 qmail-send -> /var/qmail/supervise/qmail-send
lrwxrwxrwx 1 root root 32 Jan 31 08:27 qmail-smtpd -> /var/qmail/supervise/qmail-smtpd
lrwxrwxrwx 1 root root 33 Jan 31 08:27 qmail-smtpsd -> /var/qmail/supervise/qmail-smtpsd
lrwxrwxrwx 1 root root 37 Jan 31 08:27 qmail-submission -> /var/qmail/supervise/qmail-submission
lrwxrwxrwx 1 root root 30 Jan 31 08:27 vpopmaild -> /var/qmail/supervise/vpopmaild

Regards,

Herbert

Reply |

Typo?

Yes, absolutely. Thank you, corrected

Reply |

qmailctl stat error

when running qmailctl stat we get the following error

qmailctl stat
/usr/local/bin/qmailctl: line 31: [: to: integer expression expected
qmail-smtpd: unable to open 0 0 0 day(s), 00:00:00
/usr/local/bin/qmailctl: line 31: [: to: integer expression expected
qmail-smtpd/log: unable to open 0 0 0 day(s), 00:00:00
/usr/local/bin/qmailctl: line 31: [: not: integer expression expected
qmail-smtpsd: s[ up ]ervise not running 0 day(s), 00:00:00
/usr/local/bin/qmailctl: line 31: [: to: integer expression expected
qmail-smtpsd/log: unable to open 0 0 0 day(s), 00:00:00
/usr/local/bin/qmailctl: line 31: [: to: integer expression expected
qmail-submission: unable to open 0 0 0 day(s), 00:00:00
/usr/local/bin/qmailctl: line 31: [: to: integer expression expected
qmail-submission/log: unable to open 0 0 0 day(s), 00:00:00
/usr/local/bin/qmailctl: line 31: [: to: integer expression expected
qmail-send: unable to open 0 0 0 day(s), 00:00:00
/usr/local/bin/qmailctl: line 31: [: to: integer expression expected
qmail-send/log: unable to open 0 0 0 day(s), 00:00:00
/usr/local/bin/qmailctl: line 31: [: to: integer expression expected
vpopmaild: unable to open 0 0 0 day(s), 00:00:00
/usr/local/bin/qmailctl: line 31: [: to: integer expression expected
vpopmaild/log: unable to open 0 0 0 day(s), 00:00:00

dovecot status: [ down ]
clamd status: [ down ]
freshclam status: [ down ]
spamd status: [ down ]
vusaged status: [ up ]
httpd status: [ down ]
mariadb status: [ up ]
fail2ban status: [ down ]
Total Domains: 2

messages in queue: 0
messages in queue but not yet preprocessed:

Reply |

qmailctl stat error

Look at this modified version https://notes.sagredo.eu/files/qmail/qmailctl which will output a more intelligible error message

Reply |

qmailctl stat error

Thank you Roberto Puzzanghera

Really with this qmailctl the errors are more intelligible
follow now

# qmailctl stat
qmail-smtpd service script not found
qmail-smtpsd service script not found
qmail-submission service script not found
qmail-send service script not found
vpopmaild service script not found

dovecot status: [ down ]
clamd status: [ down ]
freshclam status: [ down ]
spamd status: [ down ]
vusaged status: [ up ]
httpd status: [ down ]
mariadb status: [ up ]
fail2ban status: [ down ]
Total Domains: 2

messages in queue: 0
messages in queue but not yet preprocessed: 0

But services exist in /service/

# ls -la /service/
total 0
drwxr-xr-x. 7 root root 104 Aug 2 18:00 .
dr-xr-xr-x. 20 root root 265 Jun 20 18:36 ..
drwxr-xr-x. 4 root root 45 Aug 2 2009 qmail-send
drwxr-xr-x. 4 root root 45 Aug 2 18:00 qmail-smtpd
drwxr-xr-x. 4 root root 45 May 9 15:42 qmail-smtpsd
drwxr-xr-x. 4 root root 45 Aug 2 15:04 qmail-submission
drwxr-xr-x. 3 root root 28 Aug 2 15:04 vpopmaild

Reply |

qmailctl stat error

Can you check that those listed symbolic links point to existing files and that those scripts are executable?

Reply |

qmailctl stat error

Symbolic links are present in /service/

ls -la /service/
total 8
drwxr-xr-x 2 root root 4096 Aug 3 20:30 ./
drwxr-xr-x 24 root root 4096 Aug 3 19:53 ../
lrwxrwxrwx 1 root root 31 Aug 3 20:30 qmail-send -> /var/qmail/supervise/qmail-send/
lrwxrwxrwx 1 root root 32 Aug 3 20:30 qmail-smtpd -> /var/qmail/supervise/qmail-smtpd/
lrwxrwxrwx 1 root root 33 Aug 3 20:30 qmail-smtpsd -> /var/qmail/supervise/qmail-smtpsd/
lrwxrwxrwx 1 root root 37 Aug 3 20:30 qmail-submission -> /var/qmail/supervise/qmail-submission/
lrwxrwxrwx 1 root root 30 Aug 3 20:30 vpopmaild -> /var/qmail/supervise/vpopmaild/
ls -la /var/qmail/supervise/*
/var/qmail/supervise/qmail-send:
total 20
drwxr-xr-x 4 root root 4096 Aug 2 2009 ./
drwxr-xr-x 8 root root 4096 May 9 15:40 ../
drwxr-xr-x 3 root root 4096 Aug 3 20:37 log/
-rwxr-xr-x 1 root root 29 Sep 23 2017 run*
drwx------ 2 root root 4096 Aug 3 21:38 supervise/
/var/qmail/supervise/qmail-smtpd:
total 20
drwxr-xr-x 4 root root 4096 Aug 3 20:31 ./
drwxr-xr-x 8 root root 4096 May 9 15:40 ../
drwxr-xr-x 3 root root 4096 Aug 3 20:37 log/
-rwxr-xr-x 1 root root 1567 May 6 16:25 run*
drwx------ 2 root root 4096 Aug 3 21:26 supervise/
/var/qmail/supervise/qmail-smtpsd:
total 20
drwxr-xr-x 4 root root 4096 Aug 3 20:34 ./
drwxr-xr-x 8 root root 4096 May 9 15:40 ../
drwxr-xr-x 3 root root 4096 Aug 3 20:35 log/
-rwxr-xr-x 1 root root 2561 May 9 14:55 run*
drwx------ 2 root root 4096 Aug 3 21:38 supervise/
/var/qmail/supervise/qmail-submission:
total 28
drwxr-xr-x 4 root root 4096 Aug 3 20:36 ./
drwxr-xr-x 8 root root 4096 May 9 15:40 ../
-rwxr-x--- 1 root root 559 Aug 3 20:36 .run.un~*
drwxr-xr-x 3 root root 4096 Aug 3 20:37 log/
-rwxr-x--- 1 root root 1186 Aug 3 20:36 run*
-rwxr-x--- 1 root root 1187 Jun 17 2020 run~*
drwxr-x--- 2 root root 4096 Aug 3 21:26 supervise/
/var/qmail/supervise/vpopmaild:
total 32
drwxr-xr-x 4 root root 4096 Aug 3 20:37 ./
drwxr-xr-x 8 root root 4096 May 9 15:40 ../
-rwxr-xr-x 1 root root 4551 Aug 3 20:37 .run.un~*
drwxr-xr-x 3 root root 4096 Aug 3 20:37 log/
-rwxr-xr-x 1 root root 229 Aug 3 20:37 run*
-rwxr-xr-x 1 root root 230 Sep 23 2017 run~*
drwx------ 2 root root 4096 Aug 3 21:26 supervise/

Reply |

qmailctl stat error

Weird... Qmailctl is not finding the executables...

Let's see if the services start/stop 

svc -u /service/qmail-smtpd
svc -d /service/qmail-smtpd

Reply |

qmailctl stat error

The commands svc -u /service/qmail-smtpd and svc -d /service/qmail-smtpd are executed but return nothing, neither executed successfully nor executed with failure

root@---------:~# svc -u /service/qmail-smtpd
root@---------:~# svc -d /service/qmail-smtpd
root@---------:~#

Reply |

qmailctl stat error

Let's see if they are running.

Start the server

svc -u /service/qmail-smtpd

Check if it is up

netstat -plunt|grep 25

or even

ps axf

Reply |

qmailctl stat error

# svc -u /service/qmail-smtpd
svc: warning: unable to control /service/qmail-smtpd: file does not exist

netstat does not return anything

Reply |

qmailctl stat error

It appears that the smtpd run file is missing. I suggest double-checking the supervise installation

Reply |

qmailctl stat error

The run file exists. Here follows the ls -la of all folders in the /var/qmail/supervise directory with their respective run files

root@----------:/var/qmail/supervise# ls -la *
qmail-send:
total 16
drwxr-xr-x 3 root root 4096 Aug 5 12:55 .
drwxr-xr-x 8 root root 4096 May 9 15:40 ..
drwxr-xr-x 3 root root 4096 Aug 5 11:53 log
-rwxr-xr-x 1 root root 29 Sep 23 2017 run
qmail-smtpd:
total 16
drwxr-xr-x 3 root root 4096 Aug 5 12:55 .
drwxr-xr-x 8 root root 4096 May 9 15:40 ..
drwxr-xr-x 3 root root 4096 Aug 5 11:53 log
-rwxrwxrwx 1 root root 1567 May 6 16:25 run
qmail-smtpsd:
total 16
drwxr-xr-x 3 root root 4096 Aug 5 12:55 .
drwxr-xr-x 8 root root 4096 May 9 15:40 ..
drwxr-xr-x 3 root root 4096 May 9 15:44 log
-rwxr-xr-x 1 root root 2560 Aug 5 11:51 run
qmail-submission:
total 16
drwxr-xr-x 3 root root 4096 Aug 5 12:55 .
drwxr-xr-x 8 root root 4096 May 9 15:40 ..
drwxr-xr-x 3 root root 4096 Aug 5 11:53 log
-rwxr-x--- 1 root root 1185 Aug 5 11:52 run
vpopmaild:
total 16
drwxr-xr-x 3 root root 4096 Aug 5 11:53 .
drwxr-xr-x 8 root root 4096 May 9 15:40 ..
drwxr-xr-x 3 root root 4096 Aug 5 11:53 log
-rwxr-xr-x 1 root root 229 Aug 5 11:53 run

Reply |

qmailctl stat error

I modified the qmailctl script again. Now it checks that svscanboot is already running. I also added a note at the bottom of the "Configuring" page to advise systemd users to run /command/svscanboot at boot

Reply |

qmailctl stat error

Weird.. your tests are contradictory...

Did you install the rc file in /var/qmail? If yes try to start qmail manually

/command/svscanboot

Reply |

qmailctl stat error

this is because the supervise scripts are missing...

Reply |

Received "delivery 303: failure: User_over_quota._(#5.1.1)" if MAILDIR used in .qmail-

Hello,

I have performed my installation following your guide. MANY THANKS !!!!!

I would like to use direct Maildirs in the .qmail- files. In this way, I can redirect email easily to my sub-maildirs and use the ifspamh tool.

I have set the following files:

# cat .qmail-default
| /home/vpopmail/bin/ifspamh isspamuser@mydomain.org
| /home/vpopmail/bin/vdelivermail '' /home/vpopmail/domains/mydomain.org/myuser

# cat .qmail-isspamuser
/home/vpopmail/domains/mydomain.org/myuser/Maildir/.Spam/

My problem is that any email to "isspamuser@mydomain.org" is rejected with the following error:

delivery 278: failure: User_over_quota._(#5.1.1)/

I came to the conclusion that qmail-local rejects the delivery because I am not using vdelivermail in the .qmail-isspamuser file. Instead I use the regular Maildir.

My alternative is to use vdeliver but it understands the path as a "user path" and adds Maildir at the end:

# cat .qmail-isspamuser
| /home/vpopmail/bin/vdelivermail '' /home/vpopmail/domains/mydomain.org/myuser/Maildir/.Spam/

delivery 298: deferral: user_does_not_exist,_but_will_deliver_to_/home/vpopmail/domains/mydomain.org/myuser/Maildir/.Spam//can_not_open_new_email_file_errno=2_file=/home/vpopmail/domains/mydomain.org/myuser/Maildir/.Spam/Maildir/tmp/1644311037.167234.host,S=16793/system_error/

Has anyone had a similar issue ?

Any idea on how to get this done ?

Thanks in advance

Reply |

Qmailctl Script Error

Hi Roberto,

I followed your installation and got stuck at the qmailctl script. It gives the following error:

/usr/local/bin/qmailctl: line 19: /((86400)): syntax error: operand expected (error token is "/((86400))")

Can you please help me with that? I have downloaded the script as per your guide. I tried copying and pasting the script, but got the same error message.

Regards

Shail

Reply |

Qmailctl Script Error

Sorry the correct error message is 

/usr/local/bin/qmailctl: line 19: / 86400: syntax error: operand expected (error token is "/ 86400")

Regards

Shail

Reply |

Qmailctl Script Error

it seems like the $sec variable is empty. Can you check

which awk
which svstat

Reply |

Qmailctl Script Error

[root@mail ~]# which awk
/bin/awk
[root@mail ~]# which svstat
/usr/local/bin/svstat

Reply |

Qmailctl Script Error

can you copy&paste the content of your qmailctl, please?

Reply |

Qmailctl Script Error

I downloaded the script from and I am running Centos6.10

wget https://notes.sagredo.eu/files/qmail/qmailctl

Reply |

Qmailctl Script Error

I've no idea, but I know that $sec is empty. I would try to replace $sec with ${sec}

Reply |

Qmailctl Script Error

Got it working; it seems like svscanboot was not working.

Started the same with csh -cf '/command/svscanboot &'

and then tried the script, which started working. I have added the above command to rc.local. Thanks a lot for your help.

Reply |

Qmailctl Script Error

I have the same problem with svscanboot.

Can you tell me where exactly you copied the command:

csh -cf '/command/svscanboot &' 

in the rc.local file?

I tried adding it above/below "exit" and svscan still doesn't work after reboot :(

Reply |

Qmailctl Script Error

Is your rc.local working for all the other programs that you start at boot time?

Reply |

Qmailctl Script Error

I have only vpopmail there, but it isn't working after boot either

Reply |

Qmailctl Script Error

Are you sure that your systemd is set to run your rc.local? I'm not expert of systemd because slackware doesn't use it, but I guess that there could be other ways to run a script at boot..

Reply |

Qmailctl Script Error

Fixed it.

It seems it is not possible to enable rc.local at startup using systemd on Ubuntu 20.04, and you have to do it another way

Reply |

Qmailctl Script Error

I managed to do it in a debian 10 with systemd.

Anyhow, please, can you write a note on how you solved it?

Reply |

Qmailctl Script Error

Of course :)

To enable rc-local service you have to:

1) Manually create a systemd service

sudo vi /etc/systemd/system/rc-local.service

Now enter the following text, save and close the file.

[Unit]
 Description=/etc/rc.local Compatibility
 ConditionPathExists=/etc/rc.local

[Service]
 Type=forking
 ExecStart=/etc/rc.local start
 TimeoutSec=0
 StandardOutput=tty
 RemainAfterExit=yes
 SysVStartPriority=99

[Install]
 WantedBy=multi-user.target

2) Enable the service on boot (enable rc.local with systemd on Ubuntu 20.04)

sudo systemctl enable rc-local

Next you reboot and check status:

sudo systemctl status rc-local

it should be active

Reply |

Small error in guide

Hi Roberto,

I found a small mistake in the configuration published above. In this line:

exec /usr/local/bin/setuidgid $LOGUSER /usr/local/bin/multilog t n5 s10000000 $LOGDIR \
n5 s10000000 '-*' '+* qlog*' !/usr/local/bin/archive_qmail_qlog $LOGDIRQLOG

The 'n' and 's' parameters are too low, and the log files are deleted too soon. To maintain coherency with the rest of the configuration, n should be 200 and s should be 16000000 in both occurrences, like this:

exec /usr/local/bin/setuidgid $LOGUSER /usr/local/bin/multilog t n200 s16000000 $LOGDIR \
n200 s16000000 '-*' '+* qlog*' !/usr/local/bin/archive_qmail_qlog $LOGDIRQLOG

Please update the guide! :)

Cheers.

Reply |

Small error in guide

Thanks for the hint.

s16000000 (or even s16777215 which is the maximum size allowed) is better. Instead I'm going to put n5 everywhere; in fact I'm explaining below how to back up the logs every night...

Reply |

Small error in guide

Hi Roberto,

Yes, I use the backup option you published, and they are stored at /var/log/qmail/backup

The problem is that -n5 and -s10000000 is not sufficient for us, as we send out newsletters to over 400,000 subscribers. With that, the backup that is generated contains only the log entries starting at around 23h00min, i.e. the older entries are discarded automatically as they are not available at /var/log/qmail/smtpd anymore. Hence the need to increase those numbers... ;)

Cheers.

Reply |

qmail-remote not working at its full capacity

Hi Roberto,

I have a problem here that maybe you or other readers of this guide might have a better understanding about what is going on.

I have concurrencyremote configured with 120. However, qmail-send only sends, at best, 20 emails concurrently. I used to have qmail patched and installed according to a different guide, and decided to redo everything from scratch using your patch/guide to see if the problem would be solved.

While your guide solved a lot of other problems we used to have (e.g., our previous installation would accept any email and then perform any check, and now with chkuser our server only accepts "good" emails and rejects all sorts of junk, making the server to run faster and with lower loads). But it didn't solve this particular issue.

If you see, I send our newsletter this morning, and it is still sending it out. You can see we have almost 100,000 emails in queue:

messages in queue: 94914
messages in queue but not yet preprocessed: 93857

But qmail-send is only sending less than 10 in parallel:

@400000005d140d5b37c9f1bc status: local 0/40 remote 7/120

If we run qmHandle -a, qmail-send starts sending up to 120 emails in parallel, but soon after an initial burst of emails, it goes back to sending up to 20 emails concurrently at best.

I really don't know what is going on and how to diagnose this. It may be a hardware-related issue (e.g. server in need of more RAM), but I don't want to risk getting a new, more expensive server, or even adding more RAM and the problem ending up being something else.

Our server config is a dedicated quad-core Xeon X3210 with 8 GiB of RAM.

If you have any idea or heard of this issue before, please let me know.

Cheers!

Reply |

qmailctl with Debian

Hi,

This new qmailctl script is awesome, as it also shows the status of whatever additional programs/services we want.

However, in order to make it compatible with Debian, two small adjustments are required.

  1. Replace /bin/sh with /bin/bash in the first line
  2. Remove 'function' from line 16

Cheers

Reply |

Modified of qmailctl

Hi Roberto, thanks for your great qmail setup guide, your website saving lots of my time.

I would like to share my qmailctl script here, this is what I had updated:

- by default when run "qmailctl stat", it will show all qmail's service uptime by seconds, I made it more readable, now will display something like "0 days, 00 hours 16 mins"

- can assign another service which related qmail for monitoring, like dovecot, clamd, freshclam...

- change "up" and "down" to green and red color.

Download: https://www.phpini.com/qmailctl

once again, thank you for your great work.

Reply |

Modified of qmailctl

Thank you, this is very nice. I'm going to update my script and link this new one in this guide

Reply |

Modified of qmailctl

It would seem there is a syntax error in the script ... 

/usr/local/bin/qmailctl: 16: /usr/local/bin/qmailctl: Syntax error: "(" unexpected

I tried copy/paste of the text version above, and downloading the versions from this site and the original. All have the same error

Reply |

Modified of qmailctl

did you cat&paste or downloaded the file? The second is more secure...

Reply |

Modified of qmailctl

As my comment says,  i tried all the sources.  Copy/pasted the text,  and downloaded from both source location.  I've also found lots of issues with warnings and some errors when coming with gcc 4.8 (especially simscan). 

In the end i just have to and referred to my old installation with upgraded spamassassin and cclamav.  

Reply |

Modified qmailctl

hi,

for sh 4.4 just simply delete 'function' from line 16; it is not necessary to declare functions with this.

Reply |

Modified qmailctl

THNX a lot, fixed it in my case! (Debian 9.8).

Reply |

SRS

Hi

I have a little problem with SRS.

I have configured it, and it is also working just fine; the address gets rewritten and so on.

But if we get a bounce back, the mail will not be delivered to the right sender address; it will try to deliver it to the SRS rewritten address.

Does anyone know what I am missing?

Reply |

pop3 port

One minor typo I noticed was that your supervise script has the pop server running on port 89 (the vpopmail uid) rather than the usual port 110. Probably this wasn't what you had in mind. Thanks for the great guide.

Reply |

I'm referring to qmail

I'm referring to qmail/supervise/vpopmaild/run from your tarball and listed just up the page a bit from here. That last 89 should probably be a 110 instead. Looks like the vpopmail UID got typoed in place of the intended port number.

# You probably want a 110 instead of the 89 on the "-u ... -g ..." line below
exec /usr/local/bin/softlimit -m 25000000 \
     /usr/local/bin/tcpserver -v -H -R -l 0 \
     -u "$QMAILDUID" -g "$NOFILESGID" 0 89 \
     /home/vpopmail/bin/vpopmaild 2>&1

Not so sure about running vpopmaild as root either. I think you want to be doing that as vpopmail so as to access the maildirs it owns.

#!/bin/sh

QMAILDUID=`id -u root` # wouldn't this be better off as "-u vpopmail"

NOFILESGID=`id -g root` # and "-g vchkpw"?

Reply |

No it is not the pop3 service

No it is not the pop3 service (pop3 is served by dovecot in my configuration). vpopmaild is a daemon that you can use to connect and talk with vpopmail. Dovecot and roundcube can use it to change the passwords, for instance

Reply |

uh.. I don't remember to have

uh.. I don't remember having published any note about qmail-pop3d... can you provide a link to the page please?

Reply |

Hello,

Hello,

I set everything like you wrote in this tutorial and everything works well, but I have a problem with receiving an error message from postmaster when I send email to an unknown user.

Instead of postmaster@example.com I get the error message from "postmaster@mail.example.com"@mail.example.com

Do you know how I can fix that to get the message from postfix@domain.net instead of postmaster@fqdn_hostname?

Thank you,

Al

Reply |

on qmail the hostname of the

on qmail the bounce sender is from the control/bouncefrom file, which is postmaster in my configuration. postmaster is defined by the alias .qmail-postmaster as explained above 

Reply |

Hi Roberto,

Hi Roberto,

I now realized that I should get system messages from postmaster@FQDN instead of postmaster@HOSTNAME (e.g. postmaster@mail.example.com instead of postmaster@example.com) just like you wrote in this tutorial.

Also, I changed the /control/bouncefrom file and put only "postmaster" instead of "postmaster@example.com", so now I receive mails from postmaster@mail.example.com instead of "postmaster@mail.example.com"@mail.example.com, just like I wanted

Thank you for your support

Reply |

qmail generating log@myserver.net emails which bounce?

Hi Roberto, once again thanks for this guide, it's the best Linux guide I've ever seen, so perfect and thorough!

But I have a problem, when I send mail from gmail to a valid vpopmail user at my qmail server, the mail is delivered fine, but the external sender additionally gets a postmaster bounce email from my qmail server about a log@[myserver.net] delivery failure, saying that user doesn't exist like this:

Hi. This is the qmail-send program at [myserver.net].
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<log@[myserver.net]>:
Sorry, no mailbox here by that name. (#5.1.1)

Also, my logs don't seem to have the extra timestamps and message-ID's that yours do, so obviously it's something wrong with logging but I can't figure out what/where the problem is!

I am also using the netqmail-1.06-exttodo-channels patch (info, patch file). I had to patch the failing hunks myself, but it seems to work (hope that's not causing the logging problem); in the log below that's what the suppl[N] queues are for.

You can see what it's doing in the qmail-send log below, it seems to be generating a log@ email for every send, hence the double bounce at the end.

In the below log:
- myserver.net is my qmail server I am setting up (the one I followed your guide on).
- user@gmail.com is the user who sent the mail to my vpopmail user, and who receives the postmaster bounce email above (about log@myserver.net failing).
- test@myserver.net is the valid vpopmail user who receives the mail from the gmail user ok.

/var/log/qmail/send/current:

@400000005601a2a50551e67c status: local 0/20 remote 0/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 supl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a4953a8e805c new msg 4854452
@400000005601a4953a8e882c info msg 4854452: bytes 7316 from <user@gmail.com> qp 1728 uid 89
@400000005601a4953a8e8c14 starting delivery 1: msg 4854452 to local myserver.net-log@myserver.net
@400000005601a4953a8e8ffc status: local 1/20 remote 0/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a4953a8f0914 starting delivery 2: msg 4854452 to local myserver.net-test@myserver.net
@400000005601a4953a8f10e4 status: local 2/20 remote 0/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a49600472cb4 delivery 2: success: did_0+0+1/
@400000005601a49600473484 status: local 1/20 remote 0/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a49601a8faec delivery 1: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@400000005601a49601abdd34 status: local 0/20 remote 0/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a49605b3a9d4 bounce msg 4854452 qp 1737
@400000005601a49605b3adbc end msg 4854452
@400000005601a4960c5ce4e4 new msg 4854781
@400000005601a4960c5ce8cc info msg 4854781: bytes 7878 from <> qp 1737 uid 1007
@400000005601a4960c5cecb4 starting delivery 3: msg 4854781 to local myserver.net-log@myserver.net
@400000005601a4960c5cf09c status: local 1/20 remote 0/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a4960c5d42a4 starting delivery 4: msg 4854781 to remote user@gmail.com
@400000005601a4960c5d468c status: local 1/20 remote 1/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a4960f48f0e4 delivery 3: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@400000005601a4960f49cba4 status: local 0/20 remote 1/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a496351e32ac delivery 4: success: 173.194.192.26_accepted_message./Remote_host_said:_250_2.0.0_OK_1442948236_t17si3813976ioi.28_-_gsmtp/
@400000005601a496351eceec status: local 0/20 remote 0/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a496352051a4 double bounce: discarding bounce/4854781
@400000005601a4963520b734 end msg 4854781

Thanks!

Reply |

Hi George, I can't guarantee

Hi George, I can't guarantee that the patch you applied on top of my package will not interfere in some way..

Anyway, as mentioned above in the "Improved qmail-send log" paragraph, you have an email to log@yourdomain just to record the Message-ID in the qmail-send log. You may want to revert that qmail-queue-extra patch or double check your configuration, in particular the content of the file .qmail-log

Reply |

Thanks for getting back to me

Thanks for getting back to me Roberto it's really appreciated!
I did realise it was something to do with the logging, but now I realise how it actually works, it's smart, you send an internal email to the log@ which is the command to log! So I can tell now, something is thinking log@ doesn't exist and therefore:

1. It's sending a bounce
2. The enhanced logging is not working.

So I just have to figure out why it's deciding log@ doesn't exist when actually it does according to qmail alias config.

Thanks a million, your work has really helped us!

Reply |

log alias applies to local domain

I was seeing the same as above. Fixed it by editing the control/locals file. You have to use the local host name, e.g. mx.example.tld rather than example.tld. The 'hint' for me was in looking at .qmail-postmaster - this essentially causes postmaster@mx.example.tld to forward to postmaster@example.tld - the domain I configured with ./vadddomain

Reply |
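The delivery chain in the qmail-send log quoted in this thread, reconstructed as an added example (not code from the guide or from any commenter): it converts multilog's TAI64N stamps to UTC, ties each delivery to its message, and links a bounce to the message that caused it through the shared qp number. The sample lines are abridged from the log posted above; the function names are this example's own.

```python
import re
from datetime import datetime, timezone

TAI64_OFFSET = (1 << 62) + 10  # 2^62 base plus the 10 s multilog adds to unix time

def tai64n_to_utc(label):
    """Convert multilog's '@' + 24 hex digits to an aware UTC datetime."""
    digits = label.lstrip("@")
    if len(digits) != 24:
        raise ValueError("not a TAI64N label: %r" % label)
    stamp = datetime.fromtimestamp(int(digits[:16], 16) - TAI64_OFFSET, tz=timezone.utc)
    return stamp.replace(microsecond=int(digits[16:], 16) // 1000)

PATTERNS = [  # matched at the start of the text that follows the timestamp
    ("info", re.compile(r"info msg (\d+): bytes \d+ from <(.*?)> qp (\d+) ")),
    ("start", re.compile(r"starting delivery (\d+): msg (\d+) to (?:local|remote) (\S+)")),
    ("result", re.compile(r"delivery (\d+): (success|failure|deferral): ")),
    ("bounce", re.compile(r"bounce msg (\d+) qp (\d+)")),
    ("double", re.compile(r"double bounce: discarding bounce/(\d+)")),
]

def trace(lines):
    """Return {msg id: record}: sender, time, per-recipient result, bounce links."""
    msgs, running, bounce_qp = {}, {}, {}
    for line in lines:
        stamp, _, text = line.strip().partition(" ")
        hit = next(((k, m) for k, rx in PATTERNS if (m := rx.match(text))), None)
        if hit is None:
            continue                      # status/new/end lines carry nothing we need
        kind, m = hit
        if kind == "info":                # a bounce is queued under the qp logged earlier
            msgs[m[1]] = {"sender": m[2], "at": tai64n_to_utc(stamp), "rcpts": {},
                          "bounce_of": bounce_qp.pop(m[3], None), "double_bounce": False}
        elif kind == "start" and m[2] in msgs:
            running[m[1]] = (m[2], m[3])
            msgs[m[2]]["rcpts"][m[3]] = "pending"
        elif kind == "result" and m[1] in running:
            msg, rcpt = running.pop(m[1])
            msgs[msg]["rcpts"][rcpt] = m[2]
        elif kind == "bounce":
            bounce_qp[m[2]] = m[1]
        elif kind == "double" and m[1] in msgs:
            msgs[m[1]]["double_bounce"] = True
    return msgs

def failed(msgs):
    """List (msg id, recipient) pairs whose delivery ended in 'failure'."""
    return [(i, r) for i, rec in msgs.items() for r, res in rec["rcpts"].items() if res == "failure"]

SAMPLE = """\
@400000005601a4953a8e882c info msg 4854452: bytes 7316 from <user@gmail.com> qp 1728 uid 89
@400000005601a4953a8e8c14 starting delivery 1: msg 4854452 to local myserver.net-log@myserver.net
@400000005601a4953a8f0914 starting delivery 2: msg 4854452 to local myserver.net-test@myserver.net
@400000005601a49600472cb4 delivery 2: success: did_0+0+1/
@400000005601a49601a8faec delivery 1: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@400000005601a49605b3a9d4 bounce msg 4854452 qp 1737
@400000005601a4960c5ce8cc info msg 4854781: bytes 7878 from <> qp 1737 uid 1007
@400000005601a4960c5cecb4 starting delivery 3: msg 4854781 to local myserver.net-log@myserver.net
@400000005601a4960c5d42a4 starting delivery 4: msg 4854781 to remote user@gmail.com
@400000005601a4960f48f0e4 delivery 3: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@400000005601a496351e32ac delivery 4: success: 173.194.192.26_accepted_message./
@400000005601a496352051a4 double bounce: discarding bounce/4854781
""".splitlines()  # abridged from the log posted in the thread above
```

Calling `failed(trace(SAMPLE))` lists the log@ copy twice, once for the original message and once for its bounce. The failing recipient is logged as `myserver.net-log@...`, i.e. with the virtual-domain prefix already prepended, so the copy is being handed to the virtual domain rather than to a local alias.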

Alternative way for rotating log files of qmail services

Hello,

as an alternative for rotating the log files from the qmail services I use the convert-multilog script from John Simpson, who describes the script function as follows:

convert-multilog is a script which searches "/service/*/log/main" for any "@4*" files (the automatic cut-off files generated by multilog), converts their timestamps from tai64n to human-readable format, and writes them to /var/log/{service}.{date}. Once the lines from a given "@4*" file have been converted, the file is deleted.

To make the script work with this tutorial, you have to create the following links:

cd /service/qmail-send/log/
ln -s /var/log/qmail/send main
cd /service/qmail-smtpd/log/
ln -s /var/log/qmail/smtpd main
cd /service/qmail-submission/log/
ln -s /var/log/qmail/submission main
cd /service/vpopmaild/log/
ln -s /var/log/qmail/vpopmaild main

Then you have to create a cronjob:

59 23 * * * /usr/local/bin/convert-multilog

I like this one because I have the log files inside my /var/log/ dir and the logfiles have normal timestamps.

Cheers

Reply |

I modified this page with

I modified this page with your suggestion :)

Reply |

This is very interesting

This is very interesting. I think I'll use it as soon as possible. Thank you

Reply |

tcpserver binding on ipv4 & ipv6 machine

I have ipv4 & ipv6 enabled on a Debian wheezy 64 machine and tcpserver binds the services only to ipv6 ports. I have to use the option -4 in the run files to use it with ipv4. But then ipv6 is not possible anymore. In your standard run files the option 0 is used, which should bind tcpserver to any available IP address on any interface according to the tcpserver doc. Do you have a clue why tcpserver binds the service ports only to ipv6?

Reply |

ucspi-tcp6

Are you using the new e.h.'s tcpserver program http://www.fehcom.de/ipnet/ucspi-tcp6/tcpserver.html? In that case I would try to test the -6 option.

Reply |

hi roberto, thanks for

hi roberto, thanks for answering so fast. i'm using the package ucspi-tcp6-1.00. I have tried  the -6 option and the result is the same as without the option (binding only to ipv6). For now i will use the -4 option so that i can use the installation with ip4. When i have more time i will take a closer look. Thank you for this tutorial. It  has helped me much.
 

Reply |

Why GREETDELAY in qmail-submission/run?

Hi,

First off, thanks for your excellent notes / tutorial. I am building a new server 10 years after the last time I did it. It's so wonderful to have these step-by-step instructions, and all the patches consolidated.

I am curious about the 5 second greet delay in the submission service. Even that low number causes IT stress when I test the outgoing mail using Thunderbird.

Since the submission service requires STARTTLS and authentication, spammers are stopped anyway, aren't they?

Regards

/ Otto Dandenell, Sweden

Reply |

Hi Otto, thanks for your

Hi Otto, thanks for your comment.

From time to time I get heavy attacks on port 587 due to spammers who try to guess users' passwords. Last time it was 2 days with 1 attempt every few seconds. I see them in /var/log/maillog

I think that 5 seconds is a little stress for users, but a verrrry big loss of cpu time for spammers, if you multiply 5s times the number of attempts spanned in a couple of days :-)

Anyway, it's much better to have a firewall filter like fail2ban and avoid using that GREETDELAY (https://notes.sagredo.eu/en/qmail-notes-185/setting-up-your-firewall-with-fail2ban-170.html). Maybe it's better to comment out that line in the run script and advise using it just in case fail2ban is not active.

And some time ago I read that a lot of spammers drop the connection if a GREETDELAY of just a couple of seconds is set, but comments are welcome on this

best regards

Roberto

Reply |

Roberto,Thanks for clearing

Roberto,

Thanks for clearing that up. I'll have a look at fail2ban.

Regards

/ Otto

Reply |

Minor tweak for your supervise/vpopmaild/run script

I appreciate that you are keeping your documentation referencing /var/qmail for the most part. The supervise/vpopmaild/run script has a reference to "/usr/local/qmail/..." instead of "/var/qmail/..", while the rest of your scripts reference "/var/qmail". Up to you if you want to fix it, of course. I caught it because I don't use /usr/local/qmail and it was causing an error in readproctitle.

Thanks for the great work!

Reply |

Thanks

Thanks, Aaron. Actually the variable MAXSMTPD was not used by tcprules and I have corrected the vpopmaild/run script

Reply |

Forcetls error....

Hi, I have a problem with Gmail & roberto-netqmail-1.06.patch-2011.07.27. The problem concerns the Forcetls patch. The history of the disease:

tcprules:

root # make
+ Rebuilding tcp.qmail-smtp from tcp.qmail-smtp
tcprules tcp.qmail-smtp.cdb tcp.qmail-smtp.cdb.tmp < tcp.qmail-smtp
root # chmod 644 *
root # egrep -v '^$|#' /etc/tcprules.d/tcp.qmail-smtp
127.0.0.1:allow,RELAYCLIENT=""

Qmail run script (Submission):

#!/bin/sh 
SERVICE=submission 
QMAILDUID='201' 
NOFILESGID='200' 
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` 
SOFTLIMIT=`cat /var/qmail/control/softlimit` 
export FORCETLS="1" 
export CRAM_MD5="1" 
export GREETDELAY="0" 
export RBLSMTPD_GREETDELAY="1" 
# This enables chkuser 
export CHKUSER_START=ALWAYS 
export CHKUSER_WRONGRCPTLIMIT="3" 
# DKIM configuration 
export QMAILQUEUE="/var/qmail/bin/qmail-dkim" 
export DKIMKEY="/etc/domainkey/wampir7.pl/default" 
export DKIMQUEUE="/var/qmail/bin/qmail-scanner-queue" 
export DKIMSIGNOPTIONS="-b 1 -l -q -z 2" 
export DKIMVERIFY="FGHIKLMNORTUVW" 
exec /usr/bin/softlimit -m "$SOFTLIMIT" \
/usr/bin/tcpserver -v -H -R -l 0 \
-x /etc/tcprules.d/tcp.qmail-smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
/usr/bin/spamdyke -f /etc/spamdyke/spamdyke.conf \
/var/qmail/bin/qmail-smtpd \
/var/vpopmail/bin/vchkpw /bin/true 2>&1;

The server is working properly:

qmaild 1314 0.0 0.0 1736 244 ? S 20:48 0:00 /usr/bin/tcpserver -v -H -R -l 0 -x /etc/tcprules.d/tcp.qmail-smtp.cdb -c 20 -u 201 -g 200 0 587 /usr/bin/spamdyke -f /etc/spamdyke/spamdyke.conf /var/qmail/bin/qmail-smtpd /var/vpopmail/bin/vchkpw /bin/true 

Result (swaks):

swaks -t postmaster@example.com -f test@example.com -p587 --tls -s example.com -au test@example.com -ap q 

=== Trying example.com:587...
=== Connected to example.com. 
<- 220 example.com ESMTP 
-> EHLO example.com 
<- 250-example.com 
<- 250-STARTTLS
<- 250-PIPELINING 
<- 250-8BITMIME 
<- 250-SIZE 67108864 
<- 250 AUTH LOGIN PLAIN CRAM-MD5 
-> STARTTLS 
<- 220 Proceed. 
=== TLS started w/ cipher AES256-SHA 
=== TLS peer subject DN="/C=IT/ST=PL/L=Silesia/O=Test/OU=IMAP server/CN=example.com/emailAddress=postmaster@example.com" 
~> EHLO example.com 
<~ 250-example.com 
<~ 250-PIPELINING
<~ 250-8BITMIME 
<~ 250-SIZE 67108864 
<~ 250 AUTH LOGIN PLAIN CRAM-MD5 
~> AUTH CRAM-MD5 
<~* 538 auth not available without TLS (#5.3.3) 
~> AUTH LOGIN
<~* 538 auth not available without TLS (#5.3.3)
~> AUTH PLAIN AHRlc3RAZXhhbXBsZS5jb20AcQ== 
<~* 538 auth not available without TLS (#5.3.3) 
*** No authentication type succeeded 
~> QUIT 
<~ 221 example.com 
=== Connection closed with remote host. 

If I disable FORCETLS (export FORCETLS="1"), login works fine. My OS: Gentoo Hardened with grsec / Pax

cc -v
Using built-in specs.
Target: i686-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-4.4.5/work/gcc-4.4.5/configure --prefix=/usr --bindir=/usr/i686-pc-linux-gnu/gcc-bin/4.4.5 --includedir=/usr/lib/gcc/i686-pc-linux-gnu/4.4.5/include --datadir=/usr/share/gcc-data/i686-pc-linux-gnu/4.4.5 --mandir=/usr/share/gcc-data/i686-pc-linux-gnu/4.4.5/man --infodir=/usr/share/gcc-data/i686-pc-linux-gnu/4.4.5/info --with-gxx-include-dir=/usr/lib/gcc/i686-pc-linux-gnu/4.4.5/include/g++-v4 --host=i686-pc-linux-gnu --build=i686-pc-linux-gnu --disable-altivec --disable-fixed-point --without-ppl --without-cloog --enable-nls --without-included-gettext --with-system-zlib --disable-werror --enable-secureplt --disable-multilib --enable-libmudflap --disable-libssp --enable-esp --enable-libgomp --with-python-dir=/share/gcc-data/i686-pc-linux-gnu/4.4.5/python --enable-checking=release --disable-libgcj --with-arch=i686 --enable-languages=c,c++,fortran --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --with-bugurl=http://bugs.gentoo.org/ --with-pkgversion='Gentoo Hardened 4.4.5 p1.3, pie-0.4.5'
Thread model: posix
gcc version 4.4.5 (Gentoo Hardened 4.4.5 p1.3, pie-0.4.5)

Fortunately, for the moment I test the server in his home, but soon I'm going to run it on a server at work (~ 300 users)

Can I count on any suggestions to solve the problem?

Cheers ;)

Reply |

RE: force-tls

I haven't tested my patch in conjunction with spamdyke. I would try to do a test disabling it.

Reply |

Thanks

Indeed, Spamdyke was guilty.
When Spamdyke was compiled with the flag -tls, the problem disappeared.

Thank You

Cheers
:)

Reply |

It doesn't put the mail in vpopmail

Hi Roberto, thanks for the info you posted, but it doesn't put the mail in new under vpopmail. The logs show that it arrives but it can't be seen; also it doesn't let me connect on 587 or 25 to send mail. Any suggestions?

Thanks

Reply |

SMTPAUTH

Regarding the problem of sending from remote, the qmail-auth patch requires the SMTPAUTH variable to be exported in the run file. If it is left empty, it is possible to authenticate with LOGIN or PLAIN

Reply |

Hi Remo, are you following the

Hi Remo,

are you following my guide step by step? Which LDA are you using?

As for sending from remote, as you certainly know it is necessary to couple qmail-smtpd with vchkpw in your run file; if you like, see the examples on the configuration page, but they are very standard run files, as you can see. Are you using my patch, with E. Hoffmann's qmail-auth?

If you want, post the logs; if you prefer, send them to me privately (contact button at the top)

Roberto

Reply |
