Installing and configuring vpopmail

Inter7's original page
vpopmail version: 5.4.33
Combined patch v. 2022.08.09
Changelog
More info here
README.vdelivermail

Vpopmail provides an easy way to manage virtual email domains and non /etc/passwd email accounts on your mail servers.

The purpose of this note is to show how to use Mysql as the authentication system. Having a users database also offers the advantage of communicating with the database via PHP, and creating web-based user interfaces to manage accounts.

Patch details

The patch we'll apply is the result of the following bunch of patches:

sql-aliasdomains patch, which makes vpopmail save the aliasdomains to MySQL. This makes the dovecot sql auth driver aware of the aliasdomains, provided that you modify the sql query as well (see the dovecot page for more info).
defaultdelivery patch, which makes vpopmail to copy your favourite delivery agent (stored in QMAILDIR/control/defauldelivery) into the .qmail-default file of any newly created domain, overriding the default vpopmail's behaviour, where vpopmail copies its delivery agent vdelivermail. You have to configure with --enable-defaultdelivery to enable this.
If the functionality is disabled (--disable-defaultdelivery, which is the default option) vdelivermail is installed with the "delete" option instead of "bounce-no-mailbox", which is not reasonable anymore.
dovecot-sql-procedures patch
If you want to use the dovecot's sql auth driver with one table for each domain (--disable-many-domains) you have to heavily customize your queries to the sql database. With this patch vpopmail installs the sql procedures and functions in the database when you create a new domain. The procedures can be called by dovecot to perform the auth.
The sql stuff supports aliasdomains and mysql limits and will be loaded from ~/vpopmail/etc/disable-many-domains_procedures.sql. You can customize the sql procedure editing this file.
You have to configure with --enable-mysql-bin=PATH as we have to install the procedures calling the mysql bin as a shell command (no way to load an sql query from a file in C language, comments welcome).
vusaged configure patch
It seems that at least on Debian 11 vusaged refuses to run the configure successfully, as the mysql libraries are not linked (configure: error: No vauth_getpw in libvpopmail). After some inspection, I noticed that avoiding the break of the configure command, the following make command will find libmysqlclient and compile with no problems, and the program works as expected.
NB: an autoreconf -f -i into the vusaged directory is needed before configuring, as the configure.ac script was modified.
recipient check patch. It can be used with Erwin Hoffmann's s/qmail to accomplish the recipient check. Not important in my installation, look at doc/README.vrcptcheck for more info.
gcc-10-compat patch, which gets vpopmail to compile with gcc-10

Setup

Create the vpopmail user and group. Be aware that the home directory below is going to be the one where vpopmail will be installed, so you can change it if you want to have vpopmail elsewhere.

groupadd -g 89 vchkpw
useradd -g vchkpw -u 89 -d /home/vpopmail vpopmail

Before proceeding on Debian 11 (and maybe also in Ubuntu) you may have to install a couple of packages:

apt install build-essential autoconf automake libmariadb-dev default-libmysqlclient-dev

Download the source (original files here: http://sourceforge.net/projects/vpopmail/files/, but you can download my local copy) and configure.

NB you may have to replace --enable-incdir=/usr/include/mysql with --enable-incdir=/usr/include/mariadb in Debian and related.

cd /usr/local/src
wget https://notes.sagredo.eu/files/qmail/tar/vpopmail-5.4.33.tar.gz
wget https://notes.sagredo.eu/files/qmail/patches/vpopmail/roberto_vpopmail-5.4.33.patch
tar xzf vpopmail-5.4.33.tar.gz
cd vpopmail-5.4.33
chown -R root.root .
patch -p1 < ../roberto_vpopmail-5.4.33.patch

autoreconf -f -i
./configure \
        --enable-qmaildir=/var/qmail/ \
        --enable-qmail-newu=/var/qmail/bin/qmail-newu \
        --enable-qmail-inject=/var/qmail/bin/qmail-inject \
        --enable-qmail-newmrh=/var/qmail/bin/qmail-newmrh \
        --disable-roaming-users \
        --enable-auth-module=mysql \
        --enable-incdir=/usr/include/mysql \
        --enable-libdir=/usr/lib64 \
        --enable-logging=p \
        --disable-clear-passwd \
        --enable-auth-logging \
        --enable-sql-logging \
        --disable-valias \
        --disable-passwd \
        --enable-qmail-ext \
        --enable-learn-passwords \
        --enable-mysql-limits \
        --enable-sql-aliasdomains \
        --enable-defaultdelivery

--disable-roaming-users roaming users will be disabled, since we don't want to use POP before SMTP authorization. We will patch qmail with smtp-auth instead.

--enable-auth-module=mysql builds mysql support and stores virtual users accounts into a mysql database.

--enable-incdir=/usr/include/mysql Your MySQL include dir (use just in case you installed mysql from binaries or source in a non standard location. Mount mysql dir somewhere if it is installed in a different machine).

--enable-libdir=/usr/lib64 Your MySQL lib dir. Obviously it might be /usr/lib on 32b systems

--disable-valias Do not store aliases in MySQL, but as dot-qmail files.
Note: it appears that dovecot-lda continues to look for .qmail-alias files also when you enable this. So this option is useless if you deliver via dovecot-lda

--disable-passwd Don't include /etc/passwd support. I don't want to manage real users, this is just a web server.

--disable-clear-passwd Clear password will be not be saved to database for security reasons. If you don't want to have problems when users forget their passwords and you want to recover them quickly switch this to --enable-clear-passwd.

--enable-sql-logging Maintain the vlog table in MySQL (shows failed authentication requests).

--enable-auth-logging Maintain a lastauth table in MySQL (shows when / how a user last accessed their email)

--enable-mysql-limits MySQL stores domain limits instead of .qmailadmin-limits files.

--enable-qmail-ext Enable qmail email address extension support (emails containing dots).

--enable-sql-aliasdomains (default) saves domain aliases to MySQL in order to validate the authentication for domain aliases when using the dovecot's sql driver, provided that you modify the password_query accordingly.

--enable-defaultdelivery installs the delivery agent stored in /var/qmail/control/defaultdelivery into the .qmail-default file of each newly created domain.

Compile and install:

make install-strip

vusaged

vusaged looks up every vpopmail user and tracks how much storage space they’re using. It requires libev.

Installing libev

Download latest version from http://dist.schmorp.de/libev/

cd /usr/local/src
wget  http://dist.schmorp.de/libev/libev-4.33.tar.gz
tar xzvf libev-4.33.tar.gz
cd libev-4.33
chown -R root.root .
./configure
make
make install
ldconfig

Installing and configuring `vusaged`

cd /usr/local/src/vpopmail-5.4.33/vusaged
LIBS=`head -1 /home/vpopmail/etc/lib_deps` ./configure --with-vpopmail=/home/vpopmail
make
cp -f vusaged /home/vpopmail/bin
cp -f etc/vusaged.conf /home/vpopmail/etc

Now copy the startup script ro /etc/rc.d (Slackware) or init.d and run it. This is a Slackware example:

cp contrib/rc.vusaged /etc/rc.d/
/etc/rc.d/rc.vusaged start

Troubleshooting

If you get an error like this after the configure command

configure: error: No vauth_getpw in libvpopmail

try to rebuild the configure script in this way:

autoreconf -f -i

and then proceed to configure and compile. I patched the configure.ac to avoid the break. This is actually a work around. If you solve the library linking error let me know.

Take a look to the discussion in the comments, as Luca suggested a different solution, which didn't solve for me but that I'm suggesting above in this page.

Configuring

Now create your ~vpopmail/etc/tcp.smtp file. This file should list all the static IPs of your machines that you want to allow to relay out to the internet. For example: to allow relaying for localhost and the localnet 10.0.0.x edit your ~vpopmail/etc/tcp.smtp as follows:

10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""

add any other IP later, whenever you want. To give a client relay access, add an entry to ~vpopmail/etc/tcp.smtp like:

IP address of client:allow,RELAYCLIENT=""

Now build the tcp.smtp.cdb. This command must be run every time you modify tcp.smtp

cd ~vpopmail/etc
tcprules tcp.smtp.cdb tcp.smtp.tmp < tcp.smtp

Now setup a quota warning that will be delivered to users when they are at 90% quota

# nano ~vpopmail/domains/quotawarn.msg

From: SomeCompany Postmaster <postmaster@yourdomain.com>
Reply-To: postmaster@yourdomain.com
To: SomeCompany User:;
Subject: Mail quota warning
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Your mailbox on the server is now more than 90% full.

So that you can continue to receive mail,
you need to remove some messages from your mailbox.

If you require assistance with this,
please contact our support department :

  email : support@yourdomain.com
  Tel   : xx xxxx xx

chmod 600 ~vpopmail/domains/quotawarn.msg
chown vpopmail.vchkpw ~vpopmail/domains/quotawarn.msg

Now adjust ~vpopmail/etc/vlimits.default. I use to limit the default user quota to 100MB (in bytes):

default_quota           104857600

Configuring `mysql` back end

Create the vpopmail user and database. Grant all privileges to the vpopmail user. Then quit out of MySQL and save the authentication information for the vpopmail account into the vpopmail.mysql config file:

> mysql [-h mysql-IP] -u root -p 

CREATE USER 'vpopmail'@'mailserver-IP' IDENTIFIED BY 'vpopmailpwd'; 

GRANT USAGE ON * . * TO 'vpopmail'@'mailserver-IP' IDENTIFIED BY 'vpopmailpwd' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE DATABASE IF NOT EXISTS `vpopmail` ;
GRANT ALL PRIVILEGES ON `vpopmail` . * TO 'vpopmail'@'mailserver-IP';

> echo "mysql-IP|0|vpopmail|vpopmailpwd|vpopmail" > ~vpopmail/etc/vpopmail.mysql

where mysql-IP is the IP of the server which runs mysqld, and mailserver-IP is the IP address where qmail is running. Usually you can specify ‘localhost’ or 0.0.0.0 for both.

Creating virtual domains and virtual users

cd ~vpopmail/bin/

To add/delete a virtual domain

./vadddomain yourdomain.net [./vdeldomain yourdomain.net]

To add/delete a virtual user

./vadduser user@yourdomain.net [./vdeluser user@yourdomain.net]

To view information about user email accounts:

./vuserinfo user@yourdomain.net

name:   user
passwd: xxxxxxxxxxxx
clear passwd: xxxxxxxxx
comment/gecos: Name Surname
uid:    0
gid:    0
flags:  0
gecos: Name Surname
limits: No user limits set.
dir:       /home/vpopmail/domains/yourdomain.net/user
quota:     104857600S

These commands can be useful. But it will be much easier to manage domains and accounts when we install the vqadmin and qmailadmin web interfaces later.

You may be interested to take a look to this page concerning vpopmail testing.

Domain aliases when using the `dovecot`'s sql auth driver

If you don't have domain aliases or this is a fresh installation you can skip this step.

If you already have domain aliases and want to switch to the dovecot's sql auth driver, don't forget to read carefully the page where the vpopmail/dovecot setup concerning domain aliases is explained, as you'll have to save your existing alias/domains pairs to MySQL.

In short, you can quickly save all your domain aliases to MySQL in this way

vsavealiasdomains -A

Type

vsavealiasdomains -h

for more options.

The database record will be saved by vpopmail for the new aliases that you will create from now on.

qmail

Patching

add a comment

Comments

vpopmail.c assumes database server to be mysql with non standard mode.

Yasuo Ohgaki September 10, 2022 12:54

I'm using PostgreSQL for database and I noticed vpopmail's SQL escape is not good at all. PostgreSQL(and Oracle) follows ANSI SQL standard string literal. Even MySQL has ANSI_QUOTES mode.

https://dev.mysql.com/doc/refman/8.0/en/string-literals.html

Therefore, vpopmail can be vulnerable to SQL injection. I've requested CVE for this.

This is a quick and dirty patch to disable injections.

diff --git a/vpopmail.c b/vpopmail.c
index a2bdc0b..a7aa9ca 100644
--- a/vpopmail.c
+++ b/vpopmail.c
@@ -3984,8 +3984,6 @@ char *maildir_to_email (const char *maildir)
return email;
}

-/* escape these characters out of strings: ', \, " */
-#define ESCAPE_CHARS "'\"\\"

/* qnprintf - Custom version of snprintf for creating SQL queries with escaped
* strings.
@@ -4113,9 +4111,25 @@ int qnprintf (char *buffer, size_t size, const char *format, ...)

}
while (*s != '\0') {
- if (strchr (ESCAPE_CHARS, *s) != NULL) {
- if (++printed < (int)size) *b++ = '\\';
- }
+ /*
+ Standard SQL literal string requires '(single quote) escape. e.g. It's => It''s
+ Standard SQL identifier string requires "(double quote) escape. e.g. It"s => It""s
+ Original qnprintf() was using #define ESCAPE_CHARS "'\"" and escape meta by '\\' which is invalid and useless for standard SQL.
+ Since qnprintf() may be used for SQL identifers, both ' and " are escaped as literal/identifier for better mitigation.
+ MySQL may escape ' by \, so \ is escaped as well. This is the reason why database specific escape function must be used.
+ */
+ switch (*s) {
+ case '\'':
+ if (++printed < (int)size) *b++ = '\'';
+ break;
+ case '"':
+ if (++printed < (int)size) *b++ = '"';
+ break;
+ case '\\':
+ if (++printed < (int)size) *b++ = '\\';
+ break;
+ default:
+ }
if (++printed < (int)size) *b++ = *s;
s++;
}

This may result in broken string (e.g. pw_clear_passwd), but it much better than injections.

Installing and configuring vpopmail

Patch details

Setup

vusaged

Installing libev

Installing and configuring vusaged

Troubleshooting

Configuring

Configuring mysql back end

Creating virtual domains and virtual users

Domain aliases when using the dovecot's sql auth driver

Comments

qmail notes

Other contents

Recent comments

Recent posts

Installing and configuring `vusaged`

Configuring `mysql` back end

Domain aliases when using the `dovecot`'s sql auth driver