Configuring qmail

June 17, 2020 Roberto Puzzanghera49 comments

Defining alias and control files

echo 3 > /var/qmail/control/spfbehavior
echo "| /home/vpopmail/bin/vdelivermail '' delete" > /var/qmail/control/defaultdelivery
echo 20 > /var/qmail/control/concurrencyincoming
echo postmaster > /var/qmail/control/bouncefrom
echo 20000000 > /var/qmail/control/databytes
echo yourdomain.net > /var/qmail/control/doublebouncehost
echo postmaster > /var/qmail/control/doublebounceto
echo 272800 > /var/qmail/control/queuelifetime
echo 30000000 > /var/qmail/control/softlimit
echo 100 > /var/qmail/control/maxrcpt

cd /usr/local/src/netqmail-1.06
./config-fast yourdomain.net

When you run ./config-fast it will automatically populate these files: defaultdomain, locals, me, plusdomain, rcpthosts.

  • defaultdomain when you have many domains on the same server (defined later in the virtualhost file) this is the default domain
  • locals domains that we deliver locally (qmail-send via qmail-lspawn program). Other domains are spawned by qmail-rspawn and delivered to other MTAs. The domains listed in locals should not be confused with virtualdomains; infact, qmail-send doesn't even read virtualdomains if the recipient domain is already listed in locals and in that case you'll get a "no mailbox" error message.
  • me the name of the server. This is the domain name that appers in the from field when you receive system messages, for instance
  • plusdomain domain substituted for trailing "+"
  • rcpthosts Domains that we accept mail for. Later you will see how chkuser rejects incoming emails for non existing recipients.
  • spfbehavior concerns the spf patch.
  • softlimit sets soft resource limits for qmail-smtpd
  • databytes is the max number of bytes in message (0=no limit)
  • doublebounceto is the account which will receive double-bounce messages. If you’re using my combined patch, you can erase the first line of /var/qmail/control/doublebounceto to delete these unwanted messages before they’re injected into the local queue.
  • defaultdelivery is the default .qmail file. It tells qmail how to deliver the email. In this case Maildir is our choice. In case you didn't understand yet how delivery is done, please read at this point the relaying chapter of Life with qmail and expecially the README.vdelivermail that comes with vpopmail, which explains how the .qmail files are used.

You can find an exhaustive presentation of all control configuration files on Life with qmail book http://www.lifewithqmail.org/lwq.html#configuration

Setup the primary administrator's email address. This address will receive mail for root, postmaster, and mailer-daemon.  Replace "postmaster@yourdomain.net" with the administrator email address (postmaster):

cd /var/qmail/alias
echo "postmaster@yourdomain.net" > .qmail-postmaster
ln -s .qmail-postmaster .qmail-mailer-daemon
ln -s .qmail-postmaster .qmail-root
chmod 644 .qmail*

Setup the log dirs

The log dirs belong to qmaill.nofiles user and should not be accessible by other users

mkdir -p /var/log/qmail

cd /var/log/qmail
chown -R qmaill.nofiles .
chgrp root .
chmod -R og-wrx .
chmod g+rx .

Defining supervise scripts

Download the startup scripts from here and untar

cd /var/qmail 
wget https://notes.sagredo.eu/files/qmail/supervise.tar.gz 
tar xzf supervise.tar.gz
rm supervise.tar.gz
chown -R root.root rc supervise

You can see the rc excutable, which is the qmail-start script, and the supervise folder:

-supervise
| 
|----qmail-smtpd/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run
|
|----qmail-submission/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run
|
|----qmail-send/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run
|
|----vpopmaild/
|    |
|    |-----run
|    |-----log/
           |
           |---run

When you create symbolic links to a supervise directory in the /service dir, the run command will be executed at boot time when /command/svcscanboot is launched

cd /service
ln -s /var/qmail/supervise/qmail-smtpd
ln -s /var/qmail/supervise/qmail-send
ln -s /var/qmail/supervise/vpopmaild

And if you’re going to build an SMTP relay, you may want to run a separate SMTP instance for authentication on port 587:

ln -s /var/qmail/supervise/qmail-submission

File qmail/rc

#!/bin/sh

# Using stdout for logging
# Using control/defaultdelivery from qmail-local to deliver messages by default

#DKIMDOMAIN=`cat /var/qmail/control/dkimdomain`

# declaring NODK disables domainkey
# declaring NODKIM disables DKIM

# DKIM 2048 key sign at qmail-remote level
#exec env - PATH="/var/qmail/bin:$PATH" \
#QMAILREMOTE=/var/qmail/bin/spawn-filter \
#DKIMSIGNOPTIONS="-z 2" \
#DKIMDOMAIN="$DKIMDOMAIN" \
#NODK=1 \
#FILTERARGS=/var/qmail/bin/dk-filter \
#qmail-start "`cat /var/qmail/control/defaultdelivery`"

exec env - PATH="/var/qmail/bin:$PATH" \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

Ignore the commented lines for the moment, which concern the DKIM settings. We will cover that topic later in this guide.

File qmail/supervise/qmail-smtpd/run

#!/bin/sh

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`
LOCAL=`head -1 /var/qmail/control/me`

# This enables greetdelay for qmail-smtpd
export SMTPD_GREETDELAY=20
export DROP_PRE_GREET=1

# This enables chkuser
export CHKUSER_START=ALWAYS

# DKIM - SURBL configuration
# DKIMQUEUE and SURBLQUEUE are front-ends of qmail-queue
#export SURBL=1                               # Comment out to enable SURBL filtering
#export QMAILQUEUE=/var/qmail/bin/surblqueue  # executes surblfilter
#export SURBLQUEUE=/var/qmail/bin/qmail-dkim  # executes qmail-dkim afer sublfilter
#export DKIMQUEUE=/var/qmail/bin/simscan      # simscan is executed after qmail-dkim
# DKIM verification. Use carefully 
#export DKIMVERIFY="FGHKLMNOQRTVWp"
# This is to allow msg without "subject" in the h= list
# export UNSIGNED_SUBJECT=1
# This is to avoid verification of outgoing messages
#export RELAYCLIENT_NODKIMVERIFY=1

# This turns off TLS on port 25
export DISABLETLS="1"

# Requires that authenticated user and 'mail from' are identical
#export FORCEAUTHMAILFROM="1"

# rcptcheck-overlimit. Limits the number of emails sent by relayclients
export RCPTCHECK=/var/qmail/bin/rcptcheck-overlimit.sh
export RCPTCHECKRELAYCLIENT="1"

# This enables simscan debug
#export SIMSCAN_DEBUG=4

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" \
    -x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 25 \
    /var/qmail/bin/qmail-smtpd 2>&1

Note that the standard smtp (port 25) does not allow the authentication.

You have to adjust the resource limit (softlimit in bytes). Each system is different, and has different requirements. Life with qmail suggests just 2MB. You have to experiment the correct value increasing by steps of 1MB, especially once you have loaded spamassassin, clamAV and simscan (the mail scanner).

We'll cover GREETDELAY, RBL and DKIM later.

File qmail/supervise/qmail-smtpd/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s16000000 n200 /var/log/qmail/smtpd

You may want to have a dir (/var/log/qmail/smtpd/qlog) which saves separately just the "qlogenvelope" lines as follows:

@400000005855db3028811e24 qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp= pid=11928
@400000005855db322a892324 qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts= size=2689 authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp=11934 pid=11928

then replace the contents of the above qmail/supervise/qmail-smtpd/log/run file with as follows

#!/bin/sh
LOGUSER="qmaill"
LOGDIR="/var/log/qmail/smtpd"
LOGDIRQLOG="/var/log/qmail/smtpd/qlog"
exec /usr/local/bin/setuidgid $LOGUSER /usr/local/bin/multilog t s16000000 n200  $LOGDIR \
  n10 s16000000 '-*' '+* qlog*' !/usr/local/bin/archive_qmail_qlog $LOGDIRQLOG

now create the archive_qmail_qlog

cat > /usr/local/bin/archive_qmail_qlog << __EOF__
#!/bin/sh
tai64nlocal >> /var/log/qmail/smtpd/qlog/qmail-smtpd.log
__EOF__

and assign the +x flag

chmod +x /usr/local/bin/archive_qmail_qlog

In this way we have the /var/log/qmail/smtpd/qmail-smtpd.log file with just the qlog lines in human-readable time format:

2016-01-29 13:15:17.677946500 qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp= pid=11928
2016-01-29 13:15:17.677946500 qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts= size=2689 authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp=11934 pid=11928

You may want to rotate this log file saving a "qlog" file like this in your logrotate configuration (/etc/logrotate.d/qlog in my Slackware):

/var/log/qmail/smtpd/qlog/qmail-smtpd.log {
missingok
notifempty
delaycompress
rotate 50
daily
minsize 2M
create 0644 qmaill root
}

File qmail/supervise/qmail-send/run

#!/bin/sh
exec /var/qmail/rc

File qmail/supervise/qmail-send/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s16000000 n200 /var/log/qmail/send

File qmail/supervise/qmail-submission/run

This service makes the MTA also act as an outgoing relay, but the user must authenticate (with TLS encryption).

#!/bin/sh

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`
LOCAL=`head -1 /var/qmail/control/me`

# You MUST export this, otherwise you'd get a 30 sec timeout
# "!" if you want the submission feature (auth required)
export SMTPAUTH="!"

# This enables greetdelay for qmail-smtpd.
export SMTPD_GREETDELAY=3
export DROP_PRE_GREET=1

# This enables chkuser
export CHKUSER_START=ALWAYS

# This makes qmail to allow connections without TLS (default 1)
#export FORCETLS=0

# This turns off TLS on port 587 (default 0)
#export DISABLETLS=1

# Requires that authenticated user and 'mail from' are identical (default 0)
export FORCEAUTHMAILFROM=1

# rcptcheck-overlimit. Limits the number of emails sent by relayclients
#export RCPTCHECK=/var/qmail/bin/rcptcheck-overlimit.sh
#export RCPTCHECKRELAYCLIENT=1

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" \
    -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1

Note the use of vchkpw in conjunction with qmail-smtpd to ensure authentication. The connection requires TLS enabled. This is the reason why we opened a separate secure connection on port 587 to allow remote clients to use our MTA as a relay.

The variable SMTPAUTH is related to the auth patch. You are invited to take a look to the README.auth file for further details.

File qmail/supervise/qmail-submission/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s16000000 n200 /var/log/qmail/submission

File qmail/supervise/vpopmaild/run

#!/bin/sh
QMAILDUID=`id -u root`
NOFILESGID=`id -g root`

exec /usr/local/bin/softlimit -m 30000000 \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 89 \
    /home/vpopmail/bin/vpopmaild 2>&1

vpopmaild is important when connecting to vpopmail via webmail to change the password, for instance.

File qmail/supervise/vpopmaild/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/vpopmaild

cronjobs

To backup the log files from the qmail services we'll use the convert-multilog script from John Simpson (thanks to the author and to Marc for the suggestion) who describes the script function as follows:

convert-multilog is a script which searches "/service/*/log/main" for any "@4*" files (the automatic cut-off files generated by multilog), converts their timestamps from tai64n to human-readable format, and writes them to /var/log/{service}.{date}. Once the lines from a given "@4*" file have been converted, the file is deleted.

The log files are saved separated by date, for example

-rw-r--r-- 1 root   root   259558 Aug 24 12:21 qmail-smtpd.2014-08-20
-rw-r--r-- 1 root   root   806917 Aug 24 12:21 qmail-smtpd.2014-08-21
-rw-r--r-- 1 root   root  1523116 Aug 24 12:21 qmail-smtpd.2014-08-22
-rw-r--r-- 1 root   root   364022 Aug 24 12:21 qmail-smtpd.2014-08-23

Inside each file the date is now human-readable

2014-08-23 00:31:49.503947500 tcpserver: status: 1/20

This is very useful when you have to do quick searches.

Install like this:

mkdir -p /var/log/qmail/backup
cd /usr/local/bin
wget https://notes.sagredo.eu/files/qmail/convert-multilog
chmod +x convert-multilog

cd /service/qmail-send/log/
ln -s /var/log/qmail/send main
cd /service/qmail-smtpd/log/
ln -s /var/log/qmail/smtpd main
cd /service/qmail-submission/log/
ln -s /var/log/qmail/submission main
cd /service/vpopmaild/log/
ln -s /var/log/qmail/vpopmaild main

Now set up a cronjob once a day (crontab -e):

59 2 * * * /usr/local/bin/convert-multilog 1> /dev/null

And since we want to convert each log file every day, we have to rotate them on a daily basis. So we'll add something like this to our crontab:

0 0 * * * /usr/local/bin/svc -a /service/qmail-submission/log
0 0 * * * /usr/local/bin/svc -a /service/qmail-smtpd/log
0 0 * * * /usr/local/bin/svc -a /service/qmail-send/log
0 0 * * * /usr/local/bin/svc -a /service/vpopmaild/log

qmailctl script

As usual we will put the script in /usr/local/bin and give it the +x flag.

cd /usr/local/bin
wget https://notes.sagredo.eu/files/qmail/qmailctl
chmod +x qmailctl

The startup script below does the following:

  • Starts/stops the services
  • Calls tcprules to reload tcp.smtp.cdb and tcp.submission.cdb
  • Shows the status of the services and the queue
  • Shows the up/down status of some other related daemons
  • Shows the the date of the clamav database

Note that it starts and stops vpopmaild also, and starts both normal SMTP on port 25, and the submission service on port 587, where SMTP authentication is required to perform outgoing relay for remote users. In any event, be sure to review the service list to make sure it reflects the services you want to provide.

#!/bin/bash
#
# tx Sam Tang

# Put here the services you want to manage
svclist="qmail-send qmail-smtpd vpopmaild qmail-submission"
# Put here the services want monitoring
servicelist="dovecot clamd freshclam spamd httpd mariadb fail2ban"

PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

function show_uptime() {
 org="$(svstat /service/$1 | awk '{print $2,$3,$4;}' | sed 's/up/[ up ]/g' | sed 's/down/[ down ]/g' | sed ''/up/s//`printf "\033[1\;32mup\033[0m"`/'' | sed ''/down/s//`printf "\033[1\;31mdown\033[0m"`/'')"
 sec="$(svstat /service/$1 | awk '{print $5;}')"
 d=$(( $sec / 86400))
 h=$(( $(($sec - $d * 86400)) / 3600 ))
 m=$(( $(($sec -d * 86400 - $h * 3600)) / 60 ))
 s=$(($sec -d * 86400 - $h * 3600 - $m * 60))
 if [ $sec -le 60 ]; then
 printf "%-22s %s %s %s %s %s %s seconds\n" "$1:" $org $s
 else
 printf "%-22s %s %s %s %s %s %3s day(s), %02d:%02d:%02d\n" "$1:" $org $d $h $m $s
 fi
}

case "$1" in
 start)
 echo "Starting qmail"

for svc in $svclist ; do
 if svok /service/$svc ; then
 svc -u /service/$svc
 else
 echo $svc service not running
 fi
 done

if [ -d /var/lock/subsys ]; then
 touch /var/lock/subsys/qmail
 fi
 ;;
 stop)
 echo "Stopping qmail..."
 for svc in $svclist ; do
 echo " $svc"
 svc -d /service/$svc
 done
 if [ -f /var/lock/subsys/qmail ]; then
 rm /var/lock/subsys/qmail
 fi
 ;;
 stat)
 for svc in $svclist ; do
 show_uptime $svc
 show_uptime "$svc/log"
 done
 echo ""
 for service in $servicelist ; do
 printf "%-22s " "$service status:"
 if (( $(ps -ef | grep -v grep | grep $service | wc -l) > 0 ))
 then 
 echo -e "[ \033[1;32mup\033[m ]"
 else
 echo -e "[ \033[1;31mdown\033[m ]"
 fi
 done
 if [ -f /var/qmail/control/simversions.cdb ]; then
    printf "\nClamAV database updated at: "
    stat --printf=%y /var/qmail/control/simversions.cdb | cut -d. -f1
 fi
 if [ -f /var/qmail/users/assign ]; then
    printf "Total Domains: "
    wc -l < /var/qmail/users/assign
 fi
 echo ""
 qmail-qstat
 ;; 
 doqueue|alrm|flush)
 echo "Sending ALRM signal to qmail-send."
 svc -a /service/qmail-send
 ;;
 queue)
 qmail-qstat
 qmail-qread
 ;;
 reload|hup)
 echo "Sending HUP signal to qmail-send."
 svc -h /service/qmail-send
 ;;
 pause)
 for svc in $svclist ; do
 echo "Pausing $svc"
 svc -p /service/$svc
 done
 ;; 
 cont)
 for svc in $svclist ; do
 echo "Continuing $svc"
 svc -c /service/$svc
 done
 ;; 
 restart)
 echo "Restarting qmail:"
 for svc in $svclist ; do
 if [ "$svc" != "qmail-send" ] ; then
 echo "* Stopping $svc."
 svc -d /service/$svc
 fi
 done
 echo "* Sending qmail-send SIGTERM and restarting."
 svc -t /service/qmail-send
 for svc in $svclist ; do
 if [ "$svc" != "qmail-send" ] ; then
 echo "* Restarting $svc."
 svc -u /service/$svc
 fi
 done
 ;;
 cdb)
 if ! grep '\#define POP_AUTH_OPEN_RELAY 1' ~vpopmail/include/config.h >/dev/null; then
 (cd ~vpopmail/etc ; cat tcp.smtp | tcprules tcp.smtp.cdb tcp.smtp.tmp)
 echo "Updated tcp.smtp.cdb."
 (cd ~vpopmail/etc ; cat tcp.submission | tcprules tcp.submission.cdb tcp.submission.tmp)
 echo "Updated tcp.submission.cdb."
 else
 ~vpopmail/bin/clearopensmtp
 echo "Ran clearopensmtp."
 fi
 ;;
 clear)
 echo "Clearing readproctitle service errors with ................."
 svc -o /service/clear
 ;;
 kill)
 echo "First stopping services ... "
 for svc in $svclist ; do
 if svok /service/$svc ; then
 svc -d /service/$svc
 svc -d /service/$svc/log
 fi
 done
 echo "Now sending processes the kill signal ... "
 killall -g svscanboot
 echo "done"
 ;;
 boot)
 echo "Starting qmail"
 /command/svscanboot &
 ;;
 reboot)
 echo "First stopping services ... "
 for svc in $svclist ; do
 if svok /service/$svc ; then
 svc -d /service/$svc
 svc -d /service/$svc/log
 fi
 done
 echo "Now sending processes the kill signal ... "
 killall -g svscanboot
 echo "done"
 echo "Starting qmail"
 /command/svscanboot &
 ;;
 help)
 cat <<HELP
 stop -- stops mail service (smtp connections refused, nothing goes out)
 start -- starts mail service (smtp connection accepted, mail can go out)
 pause -- temporarily stops mail service (connections accepted, nothing leaves)
 cont -- continues paused mail service
 stat -- displays status of mail service
 cdb -- rebuild the tcpserver cdb file for smtp
 restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
 doqueue -- sends qmail-send ALRM, scheduling queued messages for delivery
 reload -- sends qmail-send HUP, rereading locals and virtualdomains
 queue -- shows status of queue
 alrm -- same as doqueue
 flush -- same as doqueue
 hup -- same as reload
 clear -- clears the readproctitle service errors with .....................
 kill -- svc -d processes in svclist, then do 'killall -g svscanboot'
 boot -- Boots qmail and all services in /service running /command/svscanboot
 reboot -- kill & boot commands in sequence
HELP
 ;;
 *)
 echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|clear|kill|boot|reboot|help}"
 exit 1
 ;;
esac

exit 0

Usage

# qmailctl help

    stop -- stops mail service (smtp connections refused, nothing goes out)
   start -- starts mail service (smtp connection accepted, mail can go out)
   pause -- temporarily stops mail service (connections accepted, nothing leaves)
    cont -- continues paused mail service
    stat -- displays status of mail service
     cdb -- rebuild the tcpserver cdb file for smtp
 restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
 doqueue -- sends qmail-send ALRM, scheduling queued messages for delivery
  reload -- sends qmail-send HUP, rereading locals and virtualdomains
   queue -- shows status of queue
    alrm -- same as doqueue
   flush -- same as doqueue
     hup -- same as reload
   clear -- clears the readproctitle service errors with .....................
    kill -- svc -d processes in svclist, then do 'killall -g svscanboot'
    boot -- Boots qmail and all services in /service running /command/svscanboot
  reboot -- kill & boot commands in sequence

qmailctl can be used to kill all qmail processes and to reboot the server. I use this option inside the rc.6 of my Slackware virtual server to avoid errors messages when stopping or rebooting the guest. You can easily call the clear service as well.

svtools

This is a nice collection of tools to manage daemontools' services that you may want to consider. mlcat is one of those; it can cat a service's log with human readable dates with a short command like:

mlcat qmail-smtpd

I slightly modified that script here, just to use it without the need of the "qmail-" prefix:

mlcat smtpd

Installing

cd /usr/local/src
wget https://github.com/kayahr/svtools/archive/master.zip
unzip master.zip
cd svtools-master
make
make install
mkdir /etc/sv /var/log/sv
chown root.root /etc/sv /var/log/sv
cd /usr/local/bin
rm mlcat
wget https://notes.sagredo.eu/files/qmail/mlcat
chmod +x mlcat

Allowing selected clients to send outgoing messages

Create /home/vpopmail/etc/tcp.smtp and /home/vpopmail/etc/tcp.submission (the latter one in case you want to enable the submission service).

Enable outgoing relay in this way:

10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
1.2.3.4:deny
:allow

Localhost and 10.0.0.0 subnet can use our MTA as an outgoing relay, 1.2.3.4 is denied, the other IPs can only send messages to the domains listed inside /var/qmail/control/rcpthosts.

tcp.smtp

0.0.0.0:allow,RELAYCLIENT=""
10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
:allow,CHKUSER_WRONGRCPTLIMIT="3"

chkuser will ban clients' IP after 3 consecutive failures.

tcp.submission

:allow,CHKUSER_WRONGRCPTLIMIT="3"

Updating cdb files

qmailctl can invoke tcprules to create the cdb file in this way:

# qmailctl cdb
Updated tcp.smtp.cdb.
Updated tcp.submission.cdb.

You must run this command every time you modify tcp.smtp or tcp.submission.

Configuring the standard SMTP service on 25 in tcp.smtp ensures that only localhost and authorized IPs can use the SMTP service as an outgoing relay. We will accept inbound messages from outside as long as the recipient domain is included in the file /var/qmail/control/rcpthosts. When someone sends a message to a domain name not listed in rcpthosts, qmail will respond with “Sorry, that domain isn’t in my list of allowed rcpthosts (#5.7.1)”.

When you enable SMTP authentication on port 587, remote users who successfully authenticate will be allowed to send messages using our MTA.

Patching
Testing
qmail
add a comment

Comments

Qmailctl Script Error

Shailendra Shukla November 21, 2020 13:35

Hi Roberto , 

I followed you installation and got stuck at the qmailctl script . It gives the following error 

/usr/local/bin/qmailctl: line 19: /((86400)): syntax error: operand expected (error token is "/((86400))")

Can you please help me on that . I have downloaded the script as per your guide . Tried by copy and pasting the script but same error message. 

Regards

Shail

Reply | Permalink

Qmailctl Script Error

Shailendra Shukla Shailendra Shukla November 21, 2020 13:54

Sorry the correct error message is 

/usr/local/bin/qmailctl: line 19: / 86400: syntax error: operand expected (error token is "/ 86400")

Regards

Shail

Reply | Permalink

Qmailctl Script Error

Roberto Puzzanghera Shailendra Shukla November 21, 2020 14:00

it seems like the $sec variable is empty. Can you check

which awk
which svstat

Reply | Permalink

Qmailctl Script Error

Shailendra Shukla Roberto Puzzanghera November 21, 2020 14:27

[root@mail ~]# which awk
/bin/awk
[root@mail ~]# which svstat
/usr/local/bin/svstat

Reply | Permalink

Qmailctl Script Error

Roberto Puzzanghera Shailendra Shukla November 21, 2020 14:33

can you copy&paste the content of your qmailctl, please?

Reply | Permalink

Qmailctl Script Error

Anonymous Roberto Puzzanghera November 21, 2020 14:40

I downloaded the script from and I am running Centos6.10

wget https://notes.sagredo.eu/files/qmail/qmailctl

Reply | Permalink

Qmailctl Script Error

Roberto Puzzanghera Anonymous November 21, 2020 14:47

I've no idea, but I know that $sec is empty. I would try to replace $sec with ${sec}

Reply | Permalink

Qmailctl Script Error

Shailendra Shukla Roberto Puzzanghera November 21, 2020 14:50

got it working seems like svscanboot was not working 

started the same with csh -cf '/command/svscanboot &'

and then tried the script started working have added the above command to rc.local . Thanks a lot for your help. 

Reply | Permalink

Small error in guide

Gabriel Torres July 16, 2019 13:59

Hi Roberto,

I found a small mistake in the configuration published above. In this line:

exec /usr/local/bin/setuidgid $LOGUSER /usr/local/bin/multilog t n5 s10000000 $LOGDIR \
 n5 s10000000 '-*' '+* qlog*' !/usr/local/bin/archive_qmail_qlog $LOGDIRQLOG

The 'n' and 's' parameters are too low, and the log files are deleted too soon. To maintain coherency with the rest of the configuration, n should be 200 and s should be 16000000 in both occurrences, like this:

exec /usr/local/bin/setuidgid $LOGUSER /usr/local/bin/multilog t n200 s16000000 $LOGDIR \
 n200 s16000000 '-*' '+* qlog*' !/usr/local/bin/archive_qmail_qlog $LOGDIRQLOG

Please update the guide! :)

Cheers.

Reply | Permalink

Small error in guide

Roberto Puzzanghera Gabriel Torres July 16, 2019 14:37

Thanks for the hint.

s16000000 (or even s16777215 which is the maximum size allowed) is better. Instead I'm going to put n5 everywhere, infact I'm explaining below how to backup the logs every night...

Reply | Permalink

Small error in guide

Gabriel Torres Roberto Puzzanghera July 16, 2019 17:43

Hi Roberto,

Yes, I use the backup option you published, and they are stored at /var/log/qmail/backup

The problem is that -n5 and -s10000000 is not sufficient for us, as we send out newsletters to over 400,000 subscribers. With that, the backup that is generated contains only the log entries starting at around 23h00min, i.e. the older entries are discarded automatically as they are not available at /var/log/qmail/smtpd anymore. Hence the need to increase those numbers... ;)

Cheers.

Reply | Permalink

qmail-remote not working at its full capacity

Gabriel Torres June 27, 2019 02:33

Hi Roberto,

I have a problem here that maybe you or other readers of this guide might have a better understanding about what is going on.

I have concurrencyremote configured with 120. However, qmail-send only sends, at best, 20 emails concurrently. I used to have qmail patched and installed according to a different guide, and decided to redo everything from scratch using your patch/guide to see if the problem would be solved.

While your guide solved a lot of other problems we used to have (e.g., our previous installation would accept any email and then perform any check, and now with chkuser our server only accepts "good" emails and rejects all sorts of junk, making the server to run faster and with lower loads). But it didn't solve this particular issue.

If you see, I send our newsletter this morning, and it is still sending it out. You can see we have almost 100,000 emails in queue:

messages in queue: 94914
messages in queue but not yet preprocessed: 93857

But qmail-send is only sending less than 10 in parallel:

@400000005d140d5b37c9f1bc status: local 0/40 remote 7/120

If we run qmHandle -a, qmail-send starts sending up to 120 emails in parallel, but soon after an initial burst of emails, it goes back to sending up to 20 emails concurrently at best.

I really don't know what is going on and how to diagnose this. It may be a hardware-related issue (e.g. server in need of more RAM), but I don't want to risk getting a new, more expensive server, or even adding more RAM and the problem ending up being something else.

Our server config is a dedicated quad-core Xeon X3210 with 8 GiB of RAM.

If you have any idea or heard of this issue before, please let me know.

Cheers!

Reply | Permalink

qmailctl with Debian

Gabriel Torres June 19, 2019 06:27

Hi,

This new qmailctl script is awesome, as it also shows the status of whatever additional programs/services we want.

However, in order to make it compatible with Debian, two small adjustments are required.

  1. Replace /bin/sh with /bin/bash in the first line
  2. Remove 'function' from line 16

Cheers

Reply | Permalink

Modified of qmailctl

Sam Tang April 4, 2018 02:17

Hi Roberto, thanks for your great qmail setup guide, your website saving lots of my time.

I would like to share my qmailctl script here, this is what I had updated:

- by default when run "qmailctl stat", it will show all qmail's service uptime by seconds, I made it more readable, now will display something like "0 days, 00 hours 16 mins"

- can assign another service which related qmail for monitoring, like dovecot, clamd, freshclam...

- change "up" and "down" to green and red color.

Download: https://www.phpini.com/qmailctl

once again, thank you for your great work.

Reply | Permalink

Modified of qmailctl

Roberto Puzzanghera Sam Tang April 4, 2018 11:43

Thank you, this is very nice. I'm going to update my script and link this new one in this guide

Reply | Permalink

Modified of qmailctl

Kevin Salt Roberto Puzzanghera August 1, 2018 16:08

It would seem there is a syntax error in the script ... 

/usr/local/bin/qmailctl: 16: /usr/local/bin/qmailctl: Syntax error: "(" unexpected

I tried copy/paste of the text version above, and downloading the versions from this site and the original. All have the same error

Reply | Permalink

Modified of qmailctl

Roberto Puzzanghera Kevin Salt August 2, 2018 08:41

did you cat&paste or downloaded the file? The second is more secure...

Reply | Permalink

Modified of qmailctl

Kevin Salt Roberto Puzzanghera August 2, 2018 08:49

As my comment says,  i tried all the sources.  Copy/pasted the text,  and downloaded from both source location.  I've also found lots of issues with warnings and some errors when coming with gcc 4.8 (especially simscan). 

In the end i just have to and referred to my old installation with upgraded spamassassin and cclamav.  

Reply | Permalink

Modified qmailctl

zinkro Kevin Salt November 26, 2018 18:05

hi,

for sh 4.4 just simply delete 'function' from line 16, is not necessary declare functions with this.

Reply | Permalink

Modified qmailctl

GoofY zinkro April 10, 2019 09:21

THNX a lot, fixed it in my case! (Debian 9.8).

Reply | Permalink

SRS

Kenneth Dalbjerg September 19, 2017 22:05

Hi

I have a little problems with the SRS.

I have configure it, and it also working just, fine, the address got rewrite and so on.

But if we got a bounce back, the mail will not be deliver to the right sender address, it will try deliver it to the SRS rewrite address.

Do anyone know what iam missing?

Reply | Permalink

pop3 port

Steve Conrad April 27, 2017 03:49

One minor typo I noticed was that your supervise script has the pop server running on port 89 (the vpopmail uid) rather than the usual port 110. Probably this wasn't what you had in mind. Thanks for the great guide.

Reply | Permalink

I'm referring to qmail

Steve Conrad Steve Conrad April 29, 2017 22:31

I'm referring to qmail/supervise/vpopmaild/run from your tarball and listed just up the page a bit from here. That last 89 should probably be a 110 instead. Looks like the vpopmail UID got typoed in place of the intended port number.

exec /usr/local/bin/softlimit -m 25000000 \
     /usr/local/bin/tcpserver -v -H -R -l 0 \
     -u "$QMAILDUID" -g "$NOFILESGID" 0 89 \     # You probably want a 110 here instead of an 89
     /home/vpopmail/bin/vpopmaild 2>&1

Not so sure about running vpopmaild as root either. I think you want to be doing that as vpopmail so as to access the maildirs it owns.

#!/bin/sh

QMAILDUID=`id -u root` # wouldn't this be better off as "-u vpopmail"

NOFILESGID=`id -g root` # and "-g vchkpw"?

Reply | Permalink

No it is not the pop3 service

roberto puzzanghera Steve Conrad May 1, 2017 21:29

No it is not the pop3 service (pop3 is served by dovecot in my configuration). vpopmaild is a daemon that you can use to connect and talk with vpopmail. Dovecot and roundcube can use it to change the passwords, for instance

Reply | Permalink

uh.. I don't remember to have

roberto puzzanghera Steve Conrad April 27, 2017 09:20

uh.. I don't remember to have published any note about qmail-pop3d... can you provide a link to the page please?

Reply | Permalink

Hello,

Al March 21, 2017 17:09

Hello,

I set everithing like you wrote in this tutorial and everithing works well, but I have a problem with receieving error message from postmaster when I send email to unknown user.

Instead from postmaster@example.com I get  error message from  "postmaster@mail.example.com"@mail.example.com

Do you know how can I fix that to get message from postfix@domain.net instead of postmaster@fqdn_hostname? 

Thank you,

Al

Reply | Permalink

on qmail the hostname of the

roberto puzzanghera Al March 21, 2017 17:50

on qmail the hostname of the bounce sender is from the control/me file

Reply | Permalink

Hi Roberto,

Al roberto puzzanghera March 22, 2017 10:10

Hi Roberto,

I now realized that I should get system messages from postmaster@FQDN instead postmaster@HOSTNAME(e.g. postmaster@mail.example.com instead postmaster@example.com) just like you wrote in this tutorial.

Also, I changed /control/bouncefrom file and put only "postamster" instead "postmaster@example.com", so now I receive mails from postmaster@mail.example.com instead  "postmaster@mail.example.com"@mail.example.com just like I wanted

Thank you for your support

Reply | Permalink

qmail generating log@myserver.net emails which bounce?

George Cooke October 1, 2015 21:56

Hi Roberto once again thanks for this guide, it's the best Linux guide i've ever seen, so perfect and thourough!

But I have a problem, when I send mail from gmail to a valid vpopmail user at my qmail server, the mail is delivered fine, but the external sender additionally gets a postmaster bounce email from my qmail server about a log@[myserver.net] delivery failure, saying that user doesn't exist like this:

Hi. This is the qmail-send program at [myserver.net].
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<log@[myserver.net]>:
Sorry, no mailbox here by that name. (#5.1.1)

Also, my logs don't seem to have the extra timestamps and message-ID's that yours do, so obviously it's something wrong with logging but I can't figure out what/where the problem is!

+I am also using the netqmail-1.06-exttodo-channels patch: (info, patch file) - I had to patch the failing hunks myself, but it seems to work, hope thats not causing the logging problem), in the log below that's what the suppl[N] queues are for.

You can see what it's doing in the qmail-send log below, it seems to be generating a log@ email for every send, hence the double bounce at the end.

In the below log:
- myserver.net is my qmail server I am setting up (the one I followed your guide on):
- user@gmail.com is the user who sent the mail to my vpopmail user, and who recieves the postmaster bounce email above (about log@myserver.net failing).
- test@myserver.net is the valid vpopmail user who receives the mail from the gmail user ok.

/var/log/qmail/send/current:

@400000005601a2a50551e67c status: local 0/20 remote 0/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 supl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a4953a8e805c new msg 4854452
@400000005601a4953a8e882c info msg 4854452: bytes 7316 from <user@gmail.com> qp 1728 uid 89
@400000005601a4953a8e8c14 starting delivery 1: msg 4854452 to local myserver.net-log@myserver.net
@400000005601a4953a8e8ffc status: local 1/20 remote 0/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a4953a8f0914 starting delivery 2: msg 4854452 to local myserver.net-test@myserver.net
@400000005601a4953a8f10e4 status: local 2/20 remote 0/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a49600472cb4 delivery 2: success: did_0+0+1/
@400000005601a49600473484 status: local 1/20 remote 0/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a49601a8faec delivery 1: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@400000005601a49601abdd34 status: local 0/20 remote 0/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a49605b3a9d4 bounce msg 4854452 qp 1737
@400000005601a49605b3adbc end msg 4854452
@400000005601a4960c5ce4e4 new msg 4854781
@400000005601a4960c5ce8cc info msg 4854781: bytes 7878 from <> qp 1737 uid 1007
@400000005601a4960c5cecb4 starting delivery 3: msg 4854781 to local myserver.net-log@myserver.net
@400000005601a4960c5cf09c status: local 1/20 remote 0/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a4960c5d42a4 starting delivery 4: msg 4854781 to remote user@gmail.com
@400000005601a4960c5d468c status: local 1/20 remote 1/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a4960f48f0e4 delivery 3: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@400000005601a4960f49cba4 status: local 0/20 remote 1/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a496351e32ac delivery 4: success: 173.194.192.26_accepted_message./Remote_host_said:_250_2.0.0_OK_1442948236_t17si3813976ioi.28_-_gsmtp/
@400000005601a496351eceec status: local 0/20 remote 0/100 suppl0 0/20 suppl1 0/20 suppl2 0/20 suppl3 0/20 suppl4 0/20 suppl5 0/20 suppl6 0/20 suppl7 0/20 suppl8 0/20 suppl9 0/20 suppl10 0/20 suppl11 0/20 suppl12 0/20 suppl13 0/20 suppl14 0/20 suppl15 0/20 suppl16 0/20 suppl17 0/20 suppl18 0/20 suppl19 0/20
@400000005601a496352051a4 double bounce: discarding bounce/4854781
@400000005601a4963520b734 end msg 4854781

Thanks!

Reply | Permalink

Hi George, I can't garantee

roberto puzzanghera George Cooke October 1, 2015 21:58

Hi George, I can't garantee that the patch you applayed on top of my package will not interfere in some way..

Anyway, as mentioned above in the "Improved qmail-send log" paragraph, you have an email to log@yourdomain just to record the Message-ID in the qmail-send log. You may want to revert that qmail-queue-extra patch or double check your configuration, in particular the content of the file .qmail-log

Reply | Permalink

Thanks for getting back to me

George Cooke roberto puzzanghera October 1, 2015 22:00

Thanks for getting back to me Roberto it's really appreciated!
I did realise it was something to do with the logging, but now I realise how it actually works, it's smart, you send an internal email to the log@ which is the command to log! So I can tell now, something is thinking log@ doesn't exist and therefore:

1. It's sending a bounce
2. The enhanced logging is not working.

So I just have to figure out why it's deciding log@ doesn't exist when actually it does according to qmail alias config.

Thanks a million, you're work has really helped us!

Reply | Permalink

log alias applies to local domain

Norbert George Cooke October 14, 2015 16:08

I was seeing the same as above. Fixed it by editing the control/locals file. You have to use the local host name, e.g. mx.example.tld rather than example.tld The 'hint' for me was in looking at .qmail-postmaster - this essentially causes postmaster@mx.example.tld to forward to postmaster@example.tld - the domain I configured with ./vadddomain

Reply | Permalink

Alternative way for rotating log files of qmail services

Marc August 23, 2014 14:54

Hello,

as an alternative for rotating the log files from the qmail services i use the convert-multilog script from John Simpson, who describes the script function as follows:

convert-multilog is a script which searches "/service/*/log/main" for any "@4*" files (the automatic cut-off files generated by multilog), converts their timestamps from tai64n to human-readable format, and writes them to /var/log/{service}.{date}. Once the lines from a given "@4*" file have been converted, the file is deleted.

To make the script work with this tutorial, you have to create the following links:

cd /service/qmail-send/log/
ln -s /var/log/qmail/send main
cd /service/qmail-smtpd/log/
ln -s /var/log/qmail/smtpd main
cd /service/qmail-submission/log/
ln -s /var/log/qmail/submission main
cd /service/vpopmaild/log/
ln -s /var/log/qmail/vpopmaild main

Then you have to create a cronjob:

59 23 * * * /usr/local/bin/convert-multilog

I like this one because i have the log files inside my /var/log/ dir and the logfiles have normal timestamps.

Cheers

Reply | Permalink

I modified this page with

roberto puzzanghera Marc August 25, 2014 21:43

I modified this page with your suggestion :)

Reply | Permalink

This is very interesting

roberto puzzanghera Marc August 24, 2014 12:16

This is very interesting. I think I'll use it as soon as possible. Thank you

Reply | Permalink

tcpserver binding on ipv4 & ipv6 machine

Marc August 17, 2014 09:18

I have ipv4 & ipv6 enabled on an Debian wheezy 64 machine and tcpserver binds the services only to ipv6 ports. I have to use the option -4 in the run files to use it with ipv4. But then ipv6 ist not possible anymore. In your standard run files the Option 0 is used which should bind tcpserver to any available IP address on any interface according to the tcpserver doc.  Do you have a clue wyh tcpserver binds the service ports only to ipv6?

Reply | Permalink

ucspi-tcp6

roberto puzzanghera Marc August 17, 2014 10:19

Are you using the new e.h.'s tcpserver program http://www.fehcom.de/ipnet/ucspi-tcp6/tcpserver.html? In that case I would try to test the -6 option.

Reply | Permalink

hi roberto, thanks for

Marc roberto puzzanghera August 17, 2014 11:41

hi roberto, thanks for answering so fast. i'm using the package ucspi-tcp6-1.00. I have tried  the -6 option and the result is the same as without the option (binding only to ipv6). For now i will use the -4 option so that i can use the installation with ip4. When i have more time i will take a closer look. Thank you for this tutorial. It  has helped me much.
 

Reply | Permalink

Why GREETDELAY in qmail-submission/run?

Otto Dandenell August 14, 2014 12:47

Hi,

First off, thanks for your excellent notes / turial. I am building a new server 10 years after the last time I did it. It's so wonderful to have these step-by-step instructions, and all the patches consolidated.

I am curious about the 5 second greet delay in the submission service. Even that low number causes IT stress when I test tghe outgoing mail using Thunderbird.

Since the submission service requires STARTTLS and authentication, spammers are stopped anyway, aren't they?

Regards

/ Otto Dandenell, Sweden

Reply | Permalink

Hi Otto, thanks for your

roberto puzzanghera Otto Dandenell August 14, 2014 19:35

Hi Otto, thanks for your comment.

From time to time I get heavy attacks on port 587 due to spammers who tries to guess users' passwords. Last time it was 2 days with 1 attempt avery few seconds. I see them in /var/log/maillog

I think that 5 seconds is a little stress for users, but a verrrry big loss of cpu time for spammers, if you multiply 5s times the number of attempts spanned in a couple of days :-)

anyway it's much better to have a firewall filter like fail2ban and avoid to use that GREETDELAY (http://notes.sagredo.eu/node/170). Maybe it's better to comment out that line on the run script and advise to use it just in case fail2ban is not active.

And time ago I read that a lot of spammers drop the connection if a GREETDELAY of just a couple of seconds is set, but comments are welcome on the purpose

best regards

Roberto

Reply | Permalink

Roberto, Thanks for clearing

Otto Dandenell roberto puzzanghera August 15, 2014 09:55

Roberto,

Thanks for clearing that up. I'll have a look at fail2ban.

Regards

/ Otto

 

Reply | Permalink

Minor tweak for your supervise/vpopmaild/run script

Aaron November 27, 2012 22:03

I appreciate that you are keeping your documentation referencing /var/qmail for the most part.  The supervise/vpopmaild/run script has a reference to "/usr/local/qmail/..." instead of "/var/qmail/.."  while the rest of your scripts reference "/var/qmail".  Up to you if you want to fix it, of course.  I caught it because I don't use /usr/loca/qmail and it was causing an error in readproctitle.

Thanks for the great work!

Reply | Permalink

Thanks

roberto puzzanghera Aaron November 27, 2012 22:24

Thanks, Aaron. Actually the variable MAXSMTPD was not used by tcprules and I have corrected the vpopmaild/run script

Reply | Permalink

Forcetls error....

Anonymous September 15, 2011 21:10

Hi I have a problem with Gmail & roberto-netqmail-1.06.patch-2011.07.27 Problem concerns Forcetls patch: The history of the disease: tcprules:

root
# make + Rebuilding tcp.qmail-smtp from tcp.qmail-smtp tcprules tcp.qmail-smtp.cdb tcp.qmail-smtp.cdb.tmp < tcp.qmail-smtp root
# chmod 644 * root
# egrep -v '^$|#' /etc/tcprules.d/tcp.qmail-smtp 127.0.0.1:allow,RELAYCLIENT=""

Qmail run script (Submission):

#!/bin/sh 
SERVICE=submission 
QMAILDUID='201' 
NOFILESGID='200' 
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` 
SOFTLIMIT=`cat /var/qmail/control/softlimit` 
export FORCETLS="1" 
export CRAM_MD5="1" 
export GREETDELAY="0" 
export RBLSMTPD_GREETDELAY="1" 
# This enables chkuser 
export CHKUSER_START=ALWAYS 
export CHKUSER_WRONGRCPTLIMIT="3" 
# DKIM configuration 
export QMAILQUEUE="/var/qmail/bin/qmail-dkim" 
export DKIMKEY="/etc/domainkey/wampir7.pl/default" 
export DKIMQUEUE="/var/qmail/bin/qmail-scanner-queue" 
export DKIMSIGNOPTIONS="-b 1 -l -q -z 2" 
export DKIMVERIFY="FGHIKLMNORTUVW" 
exec /usr/bin/softlimit -m "$SOFTLIMIT" \ 
/usr/bin/tcpserver -v -H -R -l 0 \ 
-x /etc/tcprules.d/tcp.qmail-smtp.cdb -c "$MAXSMTPD" \ 
-u "$QMAILDUID" -g "$NOFILESGID" 0 587 \ 
/usr/bin/spamdyke -f /etc/spamdyke/spamdyke.conf \ 
/var/qmail/bin/qmail-smtpd \ 
/var/vpopmail/bin/vchkpw /bin/true 2>&1;

The server is working properly:

qmaild 1314 0.0 0.0 1736 244 ? S 20:48 0:00 /usr/bin/tcpserver -v -H -R -l 0 -x /etc/tcprules.d/tcp.qmail-smtp.cdb -c 20 -u 201 -g 200 0 587 /usr/bin/spamdyke -f /etc/spamdyke/spamdyke.conf /var/qmail/bin/qmail-smtpd /var/vpopmail/bin/vchkpw /bin/true

Result (swaks):

swaks -t postmaster@example.com -f test@example.com -p587 --tls -s example.com -au test@example.com -ap q 

=== Trying example.com:587...
=== Connected to example.com. 
<- 220 example.com ESMTP 
-> EHLO example.com 
<- 250-example.com 
<- 250-STARTTLS
<- 250-PIPELINING 
<- 250-8BITMIME 
<- 250-SIZE 67108864 
<- 250 AUTH LOGIN PLAIN CRAM-MD5 
-> STARTTLS 
<- 220 Proceed. 
=== TLS started w/ cipher AES256-SHA 
=== TLS peer subject DN="/C=IT/ST=PL/L=Silesia/O=Test/OU=IMAP server/CN=example.com/emailAddress=postmaster@example.com" 
~> EHLO example.com 
<~ 250-example.com 
<~ 250-PIPELINING
<~ 250-8BITMIME 
<~ 250-SIZE 67108864 
<~ 250 AUTH LOGIN PLAIN CRAM-MD5 
~> AUTH CRAM-MD5 
<~* 538 auth not available without TLS (#5.3.3) 
~> AUTH LOGIN <~* 538 auth not available without TLS (#5.3.3) 
~> AUTH PLAIN AHRlc3RAZXhhbXBsZS5jb20AcQ== 
<~* 538 auth not available without TLS (#5.3.3) 
*** No authentication type succeeded 
~> QUIT 
<~ 221 example.com 
=== Connection closed with remote host.

If I disable FORCETLS (export FORCETLS="1"), login works fine. My OS: Gentoo Hardened with grsec / Pax

cc-v 
Using built-in specs. 
Target: i686-pc-linux-gnu 
Configured with: / var/tmp/portage/sys-devel/gcc-4.4.5/work/gcc-4.4.5/configure - prefix = / usr - bindir = / usr/i686-pc-linux-gnu / gcc-bin/4.4.5 - includedir = / usr/lib/gcc/i686-pc-linux-gnu/4.4.5/include - datadir = / usr/share/gcc-data/i686-pc-linux- gnu/4.4.5 - mandir = / usr/share/gcc-data/i686-pc-linux-gnu/4.4.5/man - infodir = / usr/share/gcc-data/i686-pc-linux- gnu/4.4.5/info - with-Gxx-include-dir = / usr/lib/gcc/i686-pc-linux-gnu/4.4.5/include/g + +-v4 - host = i686-pc-linux -gnu - build = i686-pc-linux-gnu - disable-AltiVec - disable-fixed-point - without-ppl - without-cloog - enable-nls - without-included-gettext - with -system-zlib - disable-werror - enable-secureplt - disable-multilib - enable-libmudflap - disable-libssp - enable-esp - enable-libgomp - with-python-dir = / share / gcc-data/i686-pc-linux-gnu/4.4.5/python - enable-checking = release - disable-libgcj - with-arch = i686 - enable-languages ??= c, c + +, fortran - enable -shared - enable-threads = posix - enable-__cxa_atexit - enable-CLocale = gnu - with-bugurl = http://bugs.gentoo.org/ - with-pkgversion = 'Gentoo Hardened 4.4.5 p1 .3, pie-0.4.5 ' 
Thread model: posix 
gcc version 4.4.5 (Gentoo Hardened 4.4.5 P1.3, pie-0.4.5)

Fortunately, for the moment I test the server in his home, but soon I'm going to run it on a server at work (~ 300 users)

Can I count on any suggestions to solve the problem?

Cheers ;)

Reply | Permalink

RE: force-tls

roberto puzzanghera Anonymous September 17, 2011 12:14

I haven't tested my patch in conjunction with spamdyke. I would try to do a test disabling it.

Reply | Permalink

Thanks

Jacekalex roberto puzzanghera September 17, 2011 17:46

Indeed, he was guilty Spamdyke.
How Spamdyke compiled with the flag -tls, the problem disappeared.

Thank You

Cheers
:)

Reply | Permalink

Nn mi mette la posta su vpopmail

Remo Jacekalex February 18, 2013 18:45

Ciao Roberto, grazie per le info che hai messo, pero' nn mi mette la posta su new sotto vpopmail. i logs mostrano che arriva pero' nn si vede, inoltre nn mi fa connettere su 587 o 25 per mandare la posta suggerimenti?

Grazie

Reply | Permalink

SMTPAUTH

roberto puzzanghera Remo February 18, 2013 21:57

riguardo al problema dell'invio da remoto, la qmail-auth path richiede che vanga esportata  la variabile SMTPAUTH nel run file. Se viene lasciata vuota č possibile autenticarsi con LOGIN o PLAIN

Reply | Permalink

Ciao Remo,stai seguendo la

roberto puzzanghera Remo February 18, 2013 20:47

Ciao Remo,

stai seguendo la mia guida passo passo? che LDA stai usando?

per quanto riguarda l'invio da remoto, come certamente sai č necessario accoppiare qmail-smtpd a vchkpw nel tuo run file, vedi se vuoi gli esempi nella pagina sulla configurazione, ma sono dei run file molto standard, come vedi. Stai usando la mia patch, con qmail-auth di E.Hoffmann?

Se vuoi posta i log, se preferisci mandameli in privato (tsasto contact su in alto)

Roberto

Reply | Permalink

add a comment
qmail notes

General notes

daemontools

ucspi-tcp6

qmail

vpopmail

Patching

Configuring

Testing

autorespond

ezmlm-idx

qmailadmin

Add-ons

RBL

Greetdelay

tcprules

SPF

DKIM

SURBL

Limiting per user/domain/IP outgoing emails

qmail-taps-extended

moreipme

qmHandle

queue-repair

vQadmin

ezmlm-browse

ezmlm-web

rblsmtpd

qmail-rblchk

Dovecot

Running

Testing

Filtering

Expunging

vpopmail-auth driver removal

Spamassassin

Userprefs

TxRep and Bayesean

DMARC

Roundcube

Plugins

ClamAV

clamav-unofficial-sigs

simscan

Testing

fail2ban

Installing a valid SSL certificate

Need help?

ChangeLog

Pay me a coffee:

PayPal - The safer, easier way to pay online.

Other contents

Linux-VServer on Slackware

Migrating from Linux-VServer to LXC (Slackware)

Running OpenBoard in a window

Running two php on the same server

rsync backup via ssh

Securing proftpd

Installing mariaDB

Setting up MySQL

SEO friendly URLs with apache mod_rewrite

Building your ownCloud

Building your own mozilla-sync server

Setting up Tex on Mediawiki

Slackware RSS feeds

English
Italiano
Recent comments

Qmailctl Script Error
November 21, 2020 14:50

Qmailctl Script Error
November 21, 2020 14:47

Qmailctl Script Error
November 21, 2020 14:40

Qmailctl Script Error
November 21, 2020 14:33

Qmailctl Script Error
November 21, 2020 14:27

Qmailctl Script Error
November 21, 2020 14:00

Qmailctl Script Error
November 21, 2020 13:54

Qmailctl Script Error
November 21, 2020 13:35

tcprules problem
November 16, 2020 18:38

tcprules problem
November 16, 2020 17:50

Tags

apache clamav dkim dovecot ezmlm fail2ban hacks lamp letsencrypt linux linux-vserver lxc mariadb mediawiki mozilla mysql openboard owncloud patches php proftpd qmail qmailadmin rbl roundcube rsync sieve simscan slackware spamassassin spf ssh ssl surbl tcprules tex ucspi-tcp vpopmail vqadmin

Recent posts

Installing and configuring Spamassassin

Adding clamav-unofficial-sigs

ClamAV

ChangeLog

Setting DMARC filter in Spamassassin

Running OpenBoard in a window

Limiting the number of emails sent by a given auth-user/domain/IP

Roundcube webmail

Spamassassin TxRep Reputation and Bayesean (SQL)

qmailadmin

RSS feeds