NetQmail
Note: You are viewing an old version of this page.
!!! Netqmail enhancements

! Prerequisites

* [DaemonTools|http://cr.yp.to/daemontools.html]
* [UCSPI-tcp|http://cr.yp.to/ucspi-tcp.html]
* [libspf - The Sender Policy Framework|http://www.openspf.org/]
* [SPP Framework|http://qmail-spp.sourceforge.net/]
* [netqmail-1.05|http://www.qmail.org/netqmail/]
* [netqmail-1.05-smtpauth-tls.patch|http://shupp.org/smtp-auth-tls/]
* [oversize-dns.patch|http://www.ckdhr.com/ckd/qmail-103.patch]
* [big-concurrency.patch|http://qmail.org/big-concurrency.patch]
* [netqmail-maildir++ patch|http://shupp.org/patches/netqmail-maildir++.patch]

For authentication, use either checkpassword or vpopmail.

! Installation

* daemontools

I want to find a way to install this that doesn't involve completely ignoring the [FHS|http://www.pathname.com/fhs].

<verbatim>
mkdir /package
chmod 1755 /package
cd /package
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
tar -zxvf daemontools-0.76.tar.gz
mv admin/daemontools-0.76/ daemontools-0.76
rmdir admin/
wget http://www.qmail.org/moni.csi.hu/pub/glibc-2.3.1/daemontools-0.76.errno.patch
patch -p0 < daemontools-0.76.errno.patch
cd daemontools-0.76/
./package/install
cd ..
rm daemontools-0.76.tar.gz daemontools-0.76.errno.patch
</verbatim>

Note that {{./package/install}} does more than compile: it creates {{/command}} and {{/service}}, adds {{svscanboot}} to the system startup and starts svscan immediately, so from this point on anything linked into {{/service}} gets started.

* UCSPI-TCP

<verbatim>
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
tar -zxvf ucspi-tcp-0.88.tar.gz
cd ucspi-tcp-0.88
wget http://www.qmail.org/moni.csi.hu/pub/glibc-2.3.1/ucspi-tcp-0.88.a_record.patch
patch -p1 < ucspi-tcp-0.88.a_record.patch
wget http://www.qmail.org/moni.csi.hu/pub/glibc-2.3.1/ucspi-tcp-0.88.errno.patch
patch -p1 < ucspi-tcp-0.88.errno.patch
wget http://www.qmail.org/moni.csi.hu/pub/glibc-2.3.1/ucspi-tcp-0.88.nobase.patch
patch -p1 < ucspi-tcp-0.88.nobase.patch
make
make setup check
</verbatim>

* Build and install libspf-v1. A default build is fine.

<verbatim>
tar jxvf libspf-1.0.0-p3.tar.bz2
cd libspf-1.0.0p3
./configure && make && make install
</verbatim>

* Extract the SPP patches

<verbatim>
tar zxvf qmail-spp.tar.gz
</verbatim>

* Extract netqmail and prepare it. {{collate.sh}} applies the netqmail fixes to the bundled qmail-1.03 source and leaves the patched tree in a second, nested {{netqmail-1.05}} directory, which is why the {{cd}} is repeated.

<verbatim>
tar zxvf netqmail-1.05.tar.gz
cd netqmail-1.05
./collate.sh
cd netqmail-1.05
</verbatim>

* Apply the patches. The {{../../}} paths assume the patch files and the extracted {{qmail-spp-0.41}} directory sit next to the outer {{netqmail-1.05}} directory. Keep this order: the SPP diff used here is the variant written against a tree that already carries the smtpauth-tls patch.

<verbatim>
patch -Np1 -i ../../netqmail-1.05-tls-smtpauth-20060105.patch
patch -Np1 -i ../../netqmail-maildir++.patch
patch -Np1 -i ../../qmail-1.03-oversize-dns.patch
patch -Np1 -i ../../big-concurrency.patch
patch -Np0 -i ../../qmail-spp-0.41/netqmail-spp-smtpauth-tls.diff
</verbatim>

* Modify build-time configuration

<verbatim>
echo "500" > conf-spawn
echo "199" > conf-split
</verbatim>

Stock qmail's {{chkspawn}} refuses a {{conf-spawn}} above 255; the big-concurrency patch applied above is what makes 500 legal. {{conf-split}} determines the number of queue subdirectories and must be set before {{make setup}} creates the queue; changing it later on a running system means draining and rebuilding the queue.

* Create the users (FreeBSD {{pw}} syntax; on Linux use {{groupadd}}/{{useradd}} with the same names and groups)

<verbatim>
pw groupadd nofiles
pw useradd alias -g nofiles -d /var/qmail/alias -s /sbin/nologin
pw useradd qmaild -g nofiles -d /var/qmail -s /sbin/nologin
pw useradd qmaill -g nofiles -d /var/qmail -s /sbin/nologin
pw useradd qmailp -g nofiles -d /var/qmail -s /sbin/nologin
pw groupadd qmail
pw useradd qmailq -g qmail -d /var/qmail -s /sbin/nologin
pw useradd qmailr -g qmail -d /var/qmail -s /sbin/nologin
pw useradd qmails -g qmail -d /var/qmail -s /sbin/nologin
</verbatim>

* Build and install netqmail

<verbatim>
make
make setup check
make cert
make tmprsadh
touch /var/qmail/control/smtpplugins
</verbatim>

{{make cert}} produces a self-signed certificate in {{/var/qmail/control/servercert.pem}}; replace it with a CA-issued one if clients are going to verify the server. {{make tmprsadh}} creates the temporary RSA and DH parameters the TLS patch uses; the patch's README recommends regenerating them periodically from cron with {{/var/qmail/bin/update_tmprsadh}}.

At this point you probably need to pick which startup script you want from {{/var/qmail/boot}} and copy it to {{/var/qmail/rc}}:

<verbatim>
cp /var/qmail/boot/home /var/qmail/rc
</verbatim>

The supervise setup below starts {{qmail-start ./Maildir/}} directly and does not read {{/var/qmail/rc}}. If you do start qmail through {{/var/qmail/rc}} instead, note that every script in {{/var/qmail/boot}} defaults to {{./Mailbox}} delivery, so edit the {{qmail-start}} argument to {{./Maildir/}} to match the Maildir setup used here.

Most configuration instructions were pulled from http://sylvestre.ledru.info/howto/howto_qmail_vpopmail.php with intelligent interpretation and modification.

* Configure Daemontools

<verbatim>
mkdir -p /service
chmod 755 /service
mkdir /var/qmail/supervise
chmod 755 /var/qmail/supervise
mkdir /var/qmail/supervise/qmail-smtpd
mkdir /var/qmail/supervise/qmail-smtpd/log
chmod +t /var/qmail/supervise/qmail-smtpd
mkdir /var/qmail/supervise/qmail-send
mkdir /var/qmail/supervise/qmail-send/log
chmod +t /var/qmail/supervise/qmail-send
mkdir /var/qmail/supervise/qmail-pop3d
mkdir /var/qmail/supervise/qmail-pop3d/log
chmod +t /var/qmail/supervise/qmail-pop3d
ln -s /var/qmail/supervise/* /service/
</verbatim>

The sticky bit on each service directory is what tells svscan to also start the {{log}} subdirectory's service. Since svscan is already running, make the {{ln -s}} into {{/service}} the last step, after the {{run}} files below exist; otherwise supervise starts immediately and loops complaining about a missing {{run}}.

* Configure services

/var/qmail/supervise/qmail-send/run:

<verbatim>
#!/bin/sh
exec env - PATH="/var/qmail/bin:/usr/local/bin" qmail-start ./Maildir/
</verbatim>

/var/qmail/supervise/qmail-send/log/run:

<verbatim>
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s100000 n20 /var/log/qmail/qmail-send 2>&1
</verbatim>

/var/qmail/supervise/qmail-smtpd/run:

<verbatim>
#!/bin/sh
# Without SMTPAUTH. User 92 is qmaild, group 91 is nofiles
#exec /usr/local/bin/tcpserver -x/usr/home/admin/siteban/tcp.smtp.cdb -p -R -u92 -g91 -v -c100 0 smtp rblsmtpd -r relays.ordb.org /var/qmail/bin/qmail-smtpd 2>&1
# With SMTPAUTH, using vchkpw. Group 98 is vchkpw
exec /usr/local/bin/tcpserver -x/usr/home/admin/siteban/tcp.smtp.cdb -p -R -u92 -g98 -v -c100 0 smtp rblsmtpd -r relays.ordb.org /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1
</verbatim>

The uid and gid numbers are those of this particular host; check {{/etc/passwd}} and {{/etc/group}} rather than copying them. The {{-x}} rules file is where relaying is controlled: only rules that set {{RELAYCLIENT}} may relay, and granting it to anything wider than localhost makes the host an open relay. Also note that {{relays.ordb.org}} was shut down at the end of 2006 and later answered every query positively; a dead DNSBL that returns a positive answer for everything makes {{rblsmtpd}} reject all inbound mail, so replace that {{-r}} argument with a live list or drop it.

/var/qmail/supervise/qmail-smtpd/log/run:

<verbatim>
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s100000 n20 /var/log/qmail/qmail-smtpd 2>&1
</verbatim>

/var/qmail/supervise/qmail-pop3d/run:

<verbatim>
#!/bin/sh
# Without SMTPAUTH
#exec /usr/local/bin/tcpserver -H -R -v -c100 0 pop3 /var/qmail/bin/qmail-popup pizzabox.cyberleo.net /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1
# The modifications to allow SMTPAUTH to work require a setuid binary, which must not be world-executable.
# So we set the group here, even though it runs as root and would work anyway, just to be thorough.
exec /usr/local/bin/tcpserver -H -R -v -c100 -g98 0 pop3 /var/qmail/bin/qmail-popup pizzabox.cyberleo.net /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1
</verbatim>

The {{exec}} on the last line is not optional: without it the shell stays as the parent, and {{svc -d}} or {{svc -t}} signals the shell instead of tcpserver, so the service never stops cleanly.

/var/qmail/supervise/qmail-pop3d/log/run:

<verbatim>
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s100000 n20 /var/log/qmail/qmail-pop3d 2>&1
</verbatim>

Make sure all {{run}} files are executable (they are shell scripts, after all) and make sure that the directories in {{/var/log/qmail}} exist and are writable by the user specified in the {{log/run}} scripts (qmaill).

* Install the necessary plugins
* Enable svscan if not done already. /etc/inittab:

Getting the various authentication schemes working was really a pain.

* pop3d/imapd auth - These run as root, so there's no need to modify permissions to run vchkpw.
* smtpd auth - This runs as qmaild, so qmaild must be added to group vchkpw and tcpserver must be given {{-g vchkpw}} so that qmail-smtpd can execute the group-executable setuid vchkpw.
* vpopmail_check_user.sh - This runs as qmaild/vchkpw and requires read access to vdominfo, vuserinfo, valias and ~vpopmail/domains.
* *NOTE* vpopmail_check_user.sh has been rewritten into a C program that can be setuid root, to remove the need for loose permissions in ~vpopmail. [vpopmail_check_user.c] Since that program is reachable from the unauthenticated SMTP path, treat its argument (the recipient address) as hostile input and keep it as small as possible.

In the end:

<verbatim>
-rws--x---  vpopmail  vchkpw  ~vpopmail/bin/valias
-rws--x---  vpopmail  vchkpw  ~vpopmail/bin/vchkpw
-rws--x---  vpopmail  vchkpw  ~vpopmail/bin/vdominfo
-rws--x---  root      vchkpw  ~vpopmail/bin/vuserinfo   <-- ??? If owned by vpopmail: 'Error: unable to setuid'
-rwxr-x---  vpopmail  vchkpw  ~vpopmail/domains/        <-- children have similar permissions
</verbatim>

Needed:

<verbatim>
IP blacklist, domain blacklist
hide addresses from external users
plugins
store email in /var/mail
</verbatim>
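The daemontools layout and run-file steps above are easy to get subtly wrong (a run file without the execute bit, a service directory without the sticky bit so the log service never starts, a run script that forgets to exec). The script below is an added example, not part of the original page or of qmail/daemontools: it lays out the same supervise tree under a prefix and then checks exactly those properties, plus a minimal tcp.smtp rules file for tcpserver -x in which only localhost gets RELAYCLIENT. Assumed for illustration: the prefix argument (empty for a real install, a scratch directory for a dry run), the tcpserver and vchkpw paths and the uid/gid numbers copied from the run files above, and that chown is attempted only when running as root on a host where qmaill exists.

```shell
#!/bin/sh
# Added example (not from the original page): build the supervise tree for
# qmail-send / qmail-smtpd / qmail-pop3d under a prefix and verify it.
# $1 = prefix: "" for a real host, a scratch directory for a dry run (assumed).

QMAIL_SERVICES="qmail-send qmail-smtpd qmail-pop3d"
TCPSERVER=/usr/local/bin/tcpserver          # path assumed from the run files above
VCHKPW=/home/vpopmail/bin/vchkpw             # vpopmail checkpassword program

write_run() {
    # $1 = run file path, $2 = command line; always exec so svc signals the daemon
    printf '#!/bin/sh\nexec %s\n' "$2" > "$1"
    chmod 755 "$1"                           # supervise refuses a non-executable run
}

# tcp.smtp rules for tcpserver -x: only 127.* gets RELAYCLIENT; everyone else
# may connect but may not relay (authenticated relaying comes from SMTP AUTH).
write_tcp_smtp_rules() {
    cat > "$1" <<'EOF'
127.:allow,RELAYCLIENT=""
:allow
EOF
    if command -v tcprules >/dev/null 2>&1; then   # compile to cdb when ucspi-tcp is installed
        tcprules "$1.cdb" "$1.tmp" < "$1"
    fi
}

setup_qmail_supervise() {
    root=$1
    mkdir -p "$root/service" "$root/var/qmail/supervise" "$root/var/log/qmail"
    chmod 755 "$root/service" "$root/var/qmail/supervise"
    for svc in $QMAIL_SERVICES; do
        dir=$root/var/qmail/supervise/$svc
        logdir=$root/var/log/qmail/$svc
        mkdir -p "$dir/log" "$logdir"
        chmod +t "$dir"                      # sticky bit: svscan also starts $dir/log
        write_run "$dir/log/run" \
            "/usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s100000 n20 /var/log/qmail/$svc 2>&1"
        # multilog runs as qmaill, so the log directory must be writable by it
        if [ "$(id -u)" = 0 ] && id qmaill >/dev/null 2>&1; then
            chown qmaill "$logdir"
        fi
    done
    write_run "$root/var/qmail/supervise/qmail-send/run" \
        'env - PATH="/var/qmail/bin:/usr/local/bin" qmail-start ./Maildir/'
    # -u92 (qmaild) -g98 (vchkpw): qmail-smtpd must be able to execute the setuid vchkpw
    write_run "$root/var/qmail/supervise/qmail-smtpd/run" \
        "$TCPSERVER -x/usr/home/admin/siteban/tcp.smtp.cdb -p -R -u92 -g98 -v -c100 0 smtp /var/qmail/bin/qmail-smtpd $VCHKPW /usr/bin/true 2>&1"
    write_run "$root/var/qmail/supervise/qmail-pop3d/run" \
        "$TCPSERVER -H -R -v -c100 -g98 0 pop3 /var/qmail/bin/qmail-popup pizzabox.cyberleo.net $VCHKPW /var/qmail/bin/qmail-pop3d Maildir 2>&1"
    # link into /service last: svscan is already running and starts anything it finds there
    for svc in $QMAIL_SERVICES; do
        rm -f "$root/service/$svc"
        ln -s "$root/var/qmail/supervise/$svc" "$root/service/$svc"
    done
}

# Returns 0 when every service is laid out correctly, 1 with a reason otherwise.
check_qmail_supervise() {
    root=$1
    for svc in $QMAIL_SERVICES; do
        dir=$root/var/qmail/supervise/$svc
        [ -x "$dir/run" ]     || { echo "$svc: run is not executable"; return 1; }
        [ -x "$dir/log/run" ] || { echo "$svc: log/run is not executable"; return 1; }
        [ -k "$dir" ]         || { echo "$svc: no sticky bit, log service will not start"; return 1; }
        [ -d "$root/var/log/qmail/$svc" ] || { echo "$svc: log directory missing"; return 1; }
        [ -L "$root/service/$svc" ]       || { echo "$svc: not linked into /service"; return 1; }
        # without exec, svc -d / svc -t hit the wrapper shell instead of the daemon
        grep -q '^exec ' "$dir/run"       || { echo "$svc: run does not exec the daemon"; return 1; }
    done
    return 0
}
```

For a dry run, call `setup_qmail_supervise /tmp/qmail-dry && check_qmail_supervise /tmp/qmail-dry`; on the real host pass an empty prefix as root, then add an `rblsmtpd` wrapper with a live DNSBL to the smtpd run line if wanted. The rules file deliberately has no broad `RELAYCLIENT` entry; that one line is the difference between an authenticating relay and an open one.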