qmail: A fast secure mail server
By Mayank Sarup <mayank@freeos.com>
Posted: ( 2000-09-27 13:36:05 EST by mayank )
qmail is now the mail server of choice for many. It is stable, fast,
standards compliant and, more importantly, secure. This article will
take you through the setup of qmail on your system.
Sendmail is the grand-daddy of all mail servers and it is showing its age. It is buggy, insecure and slow, and updating sendmail to fix the latest bugs is a weekly affair: a sysadmin's scariest dream come true. Enter qmail, the faster, smaller and far more secure option. qmail (*not* Qmail) is written by Dan J. Bernstein and is the new mail server of choice for many. qmail was written from the ground up with security in mind: each part of the system runs under its own unprivileged user (which is why the setup below creates so many accounts), so a bug in one component does not hand an attacker the whole machine. As of this writing qmail has not been cracked even once, and not for lack of enthusiasm: there is a $1000 prize for anyone who can find a security hole in qmail and nobody has claimed it yet. If you want a secure mail server then look no further. As an added bonus qmail is lighter, faster and easier to configure.

Here's a little HOWTO for the newbie looking to install qmail on his system. First you need the qmail 1.03 source code ( http://cr.yp.to/software/qmail-1.03.tar.gz ) or, if you prefer RPMs, get them from ftp://moni.msci.memphis.edu/pub/qmail. This HOWTO follows the source install. You will also need the following packages:

daemontools ( http://cr.yp.to/daemontools.html )
ucspi-tcp ( http://cr.yp.to/ucspi-tcp.html )
checkpassword ( http://cr.yp.to/checkpassword.html )

Do read through the documentation on the site, otherwise you will not understand the procedure below. Specifically, read about svscan, supervise, svc and multilog from the daemontools suite, and about tcpserver and tcprules from ucspi-tcp. If you want to set up POP3 access you should also read the checkpassword documentation.

Extract the qmail source code with the following:

tar zxvf qmail-1.03.tar.gz

Do the same for daemontools, ucspi-tcp and checkpassword:

tar zxvf daemontools-0.70.tar.gz
tar zxvf ucspi-tcp-0.88.tar.gz
tar zxvf checkpassword-0.81.tar.gz

This will create sub-directories named qmail-1.03, daemontools-0.70, ucspi-tcp-0.88 and checkpassword-0.81.
Create the base qmail directory:

mkdir /var/qmail

qmail requires certain users and groups to be set up. They exist so that each qmail program can run under its own identity rather than as root:

groupadd nofiles
useradd -g nofiles -d /var/qmail/alias alias
useradd -g nofiles -d /var/qmail qmaild
useradd -g nofiles -d /var/qmail qmaill
useradd -g nofiles -d /var/qmail qmailp
groupadd qmail
useradd -g qmail -d /var/qmail qmailq
useradd -g qmail -d /var/qmail qmailr
useradd -g qmail -d /var/qmail qmails

Compile and install qmail (you need to be root for the setup step):

make
make setup check

You need to tell qmail your full hostname so that it will receive mail for it. The names go into two control files: control/locals lists the domains qmail delivers locally, and control/rcpthosts lists the domains qmail-smtpd accepts mail for from the network. If your hostname is missing or wrong, qmail-smtpd will refuse mail for your server with "553 sorry, that domain isn't in my list of allowed rcpthosts". Be careful never to leave rcpthosts missing altogether: if the file does not exist, qmail-smtpd accepts mail for any domain and your server becomes an open relay. If you have a working DNS setup then you can just run

./config

and qmail will look up your hostname and put it in the control/locals and control/rcpthosts files. qmail requires working DNS for normal operation, so make sure you have a working DNS setup. If DNS is not available or not working, then

./config-fast your.full.host.name

accomplishes the same.

Next the qmail aliases for the system need to be set up. Aliases are a powerful delivery mechanism in qmail. You can set up aliases or pseudonyms for users, so that email for qmail@freeos.com and qmailadmin@freeos.com goes to the same person, and qmail and qmailadmin need not be valid users on the system. All email to such addresses can be redirected to an existing local user or forwarded to an external mail address. Mail for an address that does not match a system user is handled by the alias user: the file ~alias/.qmail-newbie contains the delivery instructions for the address newbie. Enter the local user(s) or email address(es) that the mail is to be delivered to, one per line.

qmail setup requires three aliases to be created:

Postmaster - This is the mail administrator for your system, so this file needs to carry the name of the mail administrator.
Mailer-Daemon - This is the standard sender of bounce messages, and users sometimes reply to it, so it too needs a real recipient.
Root - qmail never delivers mail to root. The sysadmin will be using a local non-root account and this alias should point to that user.

Here the same user mayank is mail as well as system administrator, so the following commands set things up so that qmail sends all mail addressed to postmaster, mailer-daemon and root to the local user mayank:

cd ~alias
touch .qmail-postmaster
touch .qmail-mailer-daemon
touch .qmail-root
echo mayank > .qmail-postmaster
echo mayank > .qmail-mailer-daemon
echo mayank > .qmail-root
chmod 644 .qmail*

Time to install the support utilities. Enter each of the directories created when you untarred daemontools, ucspi-tcp and checkpassword and run the following to compile and install them (you need to be root for the setup step). The utilities are installed in /usr/local/bin (checkpassword itself goes into /bin):

make
make setup check

Create a service directory for the qmail daemons. This can be anywhere on the system, but for clarity make it under /var/qmail. Create a unique directory for each qmail server that is to be started:

mkdir -p /var/qmail/service/qmail/log
mkdir -p /var/qmail/service/smtpd/log
mkdir -p /var/qmail/service/pop3d/log

The -p ensures that missing parent directories are created too. The log sub-directories will hold the run files for the log processes. The sticky bit needs to be set on the service directories; it tells this version of svscan to start a second supervise for the log sub-directory alongside the service itself, with a pipe between them:

chmod +t /var/qmail/service/*

qmail provides extensive logging. Stay with the default setup and create the base directory for the log files under /var/log:

mkdir /var/log/qmail

The base log directory needs to have permissions 2700:

chmod 2700 /var/log/qmail

Create sub-directories for the different servers being logged:

mkdir /var/log/qmail/qmail
mkdir /var/log/qmail/smtpd
mkdir /var/log/qmail/pop3d

These directories need to be owned by qmaill, the user the loggers run as:
chown -R qmaill /var/log/qmail

Now we need to create a file named run for each service that has to be started. The run file is just a shell script that is executed under supervise. Each run file must have permissions 755, so after you create each file do the following on it:

chmod 755 run

In the /var/qmail/service/qmail directory create a file named run with the following contents:

#!/bin/sh
exec env - PATH="/usr/local/bin:/var/qmail/bin" qmail-start ./Maildir/

Here you have to choose where mail for a user is placed. qmail can place a user's mail in the older mbox format used by sendmail, in ~user/Mailbox. The advantage of this format is that it is supported by all email clients. The disadvantage is that it is not very reliable: every writer has to lock the single file, and a crash or a failed lock (NFS in particular) mid-write can corrupt the whole mailbox. If you want to stick with this format then modify the above command to:

qmail-start ./Mailbox

Better is the newer Maildir format supported by qmail, where each message is its own file under a special directory in the user's home, so no locking is needed and delivery is safe even over NFS. This is what I have used here. You will have to create the directory under each user's home with the included maildirmake utility:

/var/qmail/bin/maildirmake ~mayank/Maildir

This creates the directory structure for user mayank to receive mail in (run it as that user, or chown the result to them afterwards, since qmail-local delivers as the user). Do this for all existing users. Also do the same in /etc/skel so that a Maildir is created for each new user:

/var/qmail/bin/maildirmake /etc/skel/Maildir

For more information read INSTALL.maildir in the qmail archive.

Now create /var/qmail/service/qmail/log/run with the following contents:
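The service-tree steps above, put together as one script. This is an added example and not part of the article or of qmail itself; it creates the service and log directories, sets the sticky bits and permissions, and writes all six run files, including the logger, SMTP and POP3 run files described in the following paragraphs. The service root, log root, qmaild uid, nofiles gid and POP3 host are parameters, so the tree can be dry-run into a scratch directory first; 2045, 2062 and pop3.example.com in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: build the daemontools service tree for qmail as described in
# the article.  Paths and ids are parameters so the tree can be dry-run into a
# scratch directory; the values in the usage line are placeholders.
#
# Usage: build_service_tree SERVICE_ROOT LOG_ROOT QMAILD_UID NOFILES_GID POP3_HOST
#   e.g. build_service_tree /var/qmail/service /var/log/qmail \
#            "$(id -u qmaild)" "$(id -g qmaild)" pop3.example.com

set -u

# Write a run script with the given body and give it mode 755, as supervise expects.
write_run() {
    file=$1
    body=$2
    printf '#!/bin/sh\n%s\n' "$body" > "$file"
    chmod 755 "$file"
}

build_service_tree() {
    root=$1; logroot=$2; uid=$3; gid=$4; pophost=$5

    mkdir -p "$logroot"
    chmod 2700 "$logroot"
    for svc in qmail smtpd pop3d; do
        mkdir -p "$root/$svc/log" "$logroot/$svc"
        # the sticky bit tells this svscan to supervise $svc/log as well as $svc
        chmod +t "$root/$svc"
        write_run "$root/$svc/log/run" \
            "exec env - PATH=\"/usr/local/bin\" setuidgid qmaill multilog t $logroot/$svc"
    done
    # the loggers run as qmaill, so qmaill must own the log tree (skipped when
    # the user does not exist, i.e. in a dry run on a non-qmail box)
    if id qmaill >/dev/null 2>&1; then chown -R qmaill "$logroot"; fi

    write_run "$root/qmail/run" \
        'exec env - PATH="/usr/local/bin:/var/qmail/bin" qmail-start ./Maildir/'

    # tcpserver drops to qmaild/nofiles before exec'ing qmail-smtpd; relay
    # permissions come from /etc/tcp.smtp.cdb, never from the text file
    write_run "$root/smtpd/run" \
        "exec env - PATH=\"/usr/local/bin:/var/qmail/bin\" tcpserver -v -x /etc/tcp.smtp.cdb -u $uid -g $gid 0 25 qmail-smtpd 2>&1"

    # deliberately no -u/-g: checkpassword needs root to read /etc/shadow and
    # drops to the authenticated user itself before running qmail-pop3d
    write_run "$root/pop3d/run" \
        "exec env - PATH=\"/usr/local/bin:/var/qmail/bin\" tcpserver -v 0 110 qmail-popup $pophost /bin/checkpassword qmail-pop3d Maildir 2>&1"
}

# Returns 0 when every service has a sticky-bit directory, an executable run
# file and an executable log/run; otherwise names what is wrong and returns 1.
check_service_tree() {
    root=$1
    rc=0
    for svc in qmail smtpd pop3d; do
        [ -k "$root/$svc" ]         || { echo "$svc: sticky bit not set"; rc=1; }
        [ -x "$root/$svc/run" ]     || { echo "$svc: run missing or not executable"; rc=1; }
        [ -x "$root/$svc/log/run" ] || { echo "$svc/log: run missing or not executable"; rc=1; }
    done
    return $rc
}

# Run directly with five arguments to build and check a tree; when sourced or
# run without arguments, only the functions are defined.
if [ $# -eq 5 ]; then
    build_service_tree "$@" && check_service_tree "$1"
fi
```

Run it once against a scratch directory, read the generated run files, and only then run it as root against /var/qmail/service and /var/log/qmail. check_service_tree is also handy later: a run file that lost its execute bit is the most common reason supervise loops on "unable to start".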
#!/bin/sh
exec env - PATH="/usr/local/bin" setuidgid qmaill multilog t /var/log/qmail/qmail

This one goes into /var/qmail/service/smtpd/run:

#!/bin/sh
exec env - PATH="/usr/local/bin:/var/qmail/bin" tcpserver -v -x /etc/tcp.smtp.cdb -u 2045 -g 2062 0 25 qmail-smtpd 2>&1

Replace 2045 with your qmaild user ID and 2062 with the ID of qmaild's group (nofiles). tcpserver drops to these before running qmail-smtpd, so the network-facing daemon never runs as root:

id -u qmaild - gives you the qmaild user id.
id -g qmaild - gives you the qmaild group id.

For SMTP you need to create a database of the clients allowed to relay mail through your server. Start with a plain text file listing the IP address prefixes that may relay. Create a file /etc/tcp.smtp with the following contents, adding further addresses if required; the first entry must definitely be in the file:

127.:allow,RELAYCLIENT=""
192.168.:allow,RELAYCLIENT=""

A prefix like 192.168. matches every address that starts with it, so list only networks you actually trust. Clients that match no rule are still allowed to connect, but without RELAYCLIENT set they can only deliver to the domains in control/rcpthosts; never add a catch-all line such as :allow,RELAYCLIENT="", which would make you an open relay. The file needs to be compiled into the binary cdb format, which allows for fast lookup. This is done by the tcprules program, part of ucspi-tcp; rerun it every time you edit the text file, since tcpserver only ever reads the .cdb:

tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp

Let's log SMTP too. This file goes in as /var/qmail/service/smtpd/log/run:

#!/bin/sh
exec env - PATH="/usr/local/bin" setuidgid qmaill multilog t /var/log/qmail/smtpd

An optional POP3 daemon is included. Create the following run file in /var/qmail/service/pop3d if you want to start it:

#!/bin/sh
exec env - PATH="/usr/local/bin:/var/qmail/bin" tcpserver -v 0 110 qmail-popup pop3.freeos.com /bin/checkpassword qmail-pop3d Maildir 2>&1

Replace pop3.freeos.com with the fully qualified domain name of your POP host. Note that there is no -u/-g here: checkpassword must run as root to read /etc/shadow, after which it drops to the authenticated user before running qmail-pop3d. Remember also that POP3 sends passwords over the network in the clear, so only expose port 110 to networks you trust. This one also has a run script, in /var/qmail/service/pop3d/log/run:

#!/bin/sh
exec env - PATH="/usr/local/bin" setuidgid qmaill multilog t /var/log/qmail/pop3d

The setup of qmail is done and now it is time to get rid of your old mail server, generally sendmail.
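A small helper for the relay rules, added here as an example (it is not part of the article or of ucspi-tcp): it writes /etc/tcp.smtp from a list of trusted prefixes, refuses a rules file that would open the relay (a catch-all line with RELAYCLIENT, or RELAYCLIENT granted to a prefix outside 127. and the RFC 1918 ranges), and compiles the cdb when tcprules is installed. The file names and prefixes in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: author and sanity-check tcpserver relay rules for qmail-smtpd.
# Rule format (tcprules): ADDRESS-PREFIX:allow|deny[,VAR="value"]...
# An empty prefix matches every client, so ':allow,RELAYCLIENT=""' is an open
# relay.  Clients matching no rule are allowed without RELAYCLIENT, which is
# what we want: they may deliver only to the domains in control/rcpthosts.
#
# Usage: sh relay-rules.sh /etc/tcp.smtp 127. 192.168.

set -u

# Write a rules file granting RELAYCLIENT to each given prefix.
write_smtp_rules() {
    file=$1; shift
    : > "$file"
    for prefix in "$@"; do
        printf '%s:allow,RELAYCLIENT=""\n' "$prefix" >> "$file"
    done
}

# Return 0 when RELAYCLIENT is granted only to explicit loopback/private
# prefixes; otherwise print why and return 1.
check_relay_rules() {
    file=$1
    rc=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # blank or comment
        esac
        case "$line" in
            *RELAYCLIENT*) ;;             # only relay grants are of interest
            *) continue ;;
        esac
        prefix=${line%%:*}
        case "$prefix" in
            '')
                echo "open relay: catch-all rule grants RELAYCLIENT: $line"; rc=1 ;;
            127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
                ;;                        # loopback or RFC 1918 prefix
            *)
                echo "warning: RELAYCLIENT granted to non-private prefix '$prefix'"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Compile the text file into the cdb tcpserver actually reads.  Returns 2 when
# tcprules is not installed (e.g. on a build box) instead of failing silently.
compile_smtp_rules() {
    src=$1; cdb=$1.cdb; tmp=$1.tmp
    if command -v tcprules >/dev/null 2>&1; then
        tcprules "$cdb" "$tmp" < "$src"
    else
        echo "tcprules not found; $src not compiled" >&2
        return 2
    fi
}

# Run directly: write, check, then compile only if the check passed.
if [ $# -ge 2 ]; then
    write_smtp_rules "$@"
    check_relay_rules "$1" && compile_smtp_rules "$1"
fi
```

The check is deliberately strict about prefixes: a rule for a public prefix is legitimate only when you really do want every host in that range to relay through you, so it is flagged for a human to confirm rather than accepted quietly.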
If you are running Red Hat then use the ntsysv tool to turn off sendmail startup at boot (this works in Mandrake too). In SuSE edit rc.config, look for the line smtp=yes and change it to smtp=no. Shut down sendmail:

/etc/rc.d/init.d/sendmail stop

Make sendmail non-executable:

chmod 0 /usr/lib/sendmail
chmod 0 /usr/sbin/sendmail

Move sendmail out of the way:

mv /usr/lib/sendmail /usr/lib/sendmail.bak
mv /usr/sbin/sendmail /usr/sbin/sendmail.bak

Doing the above provides you with a backup. If qmail does not work for some reason then you can just reverse the steps given above to get back to your old configuration. If you are feeling confident then you can simply delete sendmail. On rpm-based systems

rpm -e sendmail

should get rid of it. rpm will probably give dire warnings about other packages that need a mail daemon; use

rpm -e --nodeps sendmail

to get rid of it anyway. qmail provides a sendmail wrapper for programs that still call sendmail to send mail. Make sure you create the symlinks, otherwise those programs will have no way to send mail:

ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail

Time to check out qmail:

svscan /var/qmail/service

If you get a stream of error messages, press Control-C and you will be back at the prompt. Retrace your steps and see where you went wrong. If everything went well then you can start qmail for keeps with

svscan /var/qmail/service &

Add the following line to your boot scripts so qmail is started at boot:

exec env - PATH="/usr/local/bin:/usr/bin" svscan /var/qmail/service &

Do

ps ax | grep qmail

You should see a supervise process running as well as tcpserver and multilog. Given below is what I got:

277 ? S 0:00 svscan /var/qmail/service
302 ? S 0:00 supervise qmail
306 ? S 0:00 tcpserver -v -x /etc/tcp.smtp.cdb -u 2045 -g 2062 0 25 qmail-smtpd
307 ? S 0:00 tcpserver -v 0 110 newbie.rulz.freeos.com checkpassword qmail-pop3d Maildir
308 ? S 0:00 qmail-send
310 ? S 0:00 qmail-lspawn ./Maildir/
311 ? S 0:00 qmail-rspawn
312 ? S 0:00 qmail-clean
7583 ? S 0:00 multilog t /var/log/qmail/smtpd
7584 ? S 0:00 multilog t /var/log/qmail/pop3d
7585 ? S 0:00 multilog t /var/log/qmail/qmail

Test your qmail installation using the instructions in TEST.deliver and TEST.receive. That was the setup of qmail, geared to getting it running on your machine. There are some excellent resources on the web that cover the more advanced options available, and the qmail FAQ is a good document to consult in case of problems. You will find these links below.
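Before relying on the new server, it is worth checking the two things that most often go wrong in the cut-over above: that sendmail really has been replaced by qmail's wrapper (and the backed-up binary cannot still be run), and that control/rcpthosts exists, since without it qmail-smtpd relays for anyone. The script below is an added example, not part of the article or of qmail; the optional ROOT prefix argument is a hypothetical convenience so the checks can be exercised against a scratch tree, and is left out on the live system.

```shell
#!/bin/sh
# Added example: post-install sanity checks for the qmail cut-over.  The
# optional ROOT argument is a prefix (hypothetical, for testing against a
# scratch tree); leave it out on the live system.

set -u

# Both sendmail paths must be symlinks to qmail's wrapper, and any backed-up
# real sendmail must not be executable, otherwise local programs keep using it.
check_sendmail_wrappers() {
    root=${1:-}
    rc=0
    for p in usr/sbin/sendmail usr/lib/sendmail; do
        f="$root/$p"
        if [ -L "$f" ] && [ "$(readlink "$f")" = /var/qmail/bin/sendmail ]; then
            :
        else
            echo "$f is not a symlink to /var/qmail/bin/sendmail"; rc=1
        fi
        if [ -x "$f.bak" ]; then
            echo "$f.bak is still executable"; rc=1
        fi
    done
    return $rc
}

# control/rcpthosts must exist and be non-empty.  When the file is absent
# qmail-smtpd accepts any envelope recipient, i.e. the host is an open relay.
check_rcpthosts() {
    f="${1:-}/var/qmail/control/rcpthosts"
    if [ -s "$f" ]; then
        return 0
    fi
    echo "$f missing or empty: qmail-smtpd would relay for anyone"
    return 1
}

# Ask supervise about every service and its logger.  Meaningful only where
# daemontools is installed, so it returns 2 rather than failing on a build box.
check_services() {
    root=${1:-/var/qmail/service}
    command -v svstat >/dev/null 2>&1 || { echo "svstat not installed"; return 2; }
    svstat "$root"/qmail "$root"/smtpd "$root"/pop3d "$root"/*/log
}

# Run directly with --run on the live system: exit non-zero if either
# filesystem check fails, and show the supervise status of each service.
if [ "${1:-}" = --run ]; then
    check_sendmail_wrappers; a=$?
    check_rcpthosts;         b=$?
    check_services || true
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ]
fi
```

svstat reports "up (pid N) M seconds" for each directory; a service whose uptime keeps resetting to a few seconds is being restarted by supervise and its multilog directory will tell you why.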
Dan J. Bernstein's page
qmail home
Daemontools
ucspi-tcp
Checkpassword
Life with qmail
qmail users page
The qmail and ReiserFS integration HOWTO