Nice, you are here for the extra mile.
The big picture: the ucspi-tcp package installed alongside Qmail includes a small but effective piece of anti-spam software, rblsmtpd, which sits in front of qmail-smtpd and checks the connecting client against DNS-based block lists (DNSBLs) of hosts known to send spam, phishing and other malicious email. I can't simply put it in front of my main Qmail installation, because most of our users send legitimate email from dynamic IP addresses, many of which are listed in those lists. So, to be able to use this powerful (and, compared with SpamAssassin and ClamAV, cheap) tool, I will set up a second Qmail instance, which I will call 'mx.domain.com'. This is the server that will be published in the DNS MX records, so incoming email is filtered by rblsmtpd and then routed (with an artificial smtproute) to the main Qmail, which checks it with ClamAV and SpamAssassin. Our users continue to send (and receive) through the main 'mail.domain.com' instance.
As much of this is similar to the main Qmail instance, it will not be as detailed. So, check the previous page if needed.
17 – Install a jail for the Mail eXchanger
Create a jail, you know how to do that, right? I recommend an excellent article about FreeBSD jails with ezjail. Now enter the jail; unless stated otherwise, the following operations are all done inside the newly created jail.
18 – Install daemontools and ucspi-tcp
cd /usr/ports/sysutils/daemontools
make install clean
options selected: MAN, S_NORMAL, TESTS
add to /etc/rc.conf
svscan_enable="YES"
svscan_servicedir="/service"
make /service directory and start svscan
mkdir /service
/usr/local/etc/rc.d/svscan start
ucspi-tcp
cd /usr/ports/sysutils/ucspi-tcp
make install clean
options selected: LIMITS, MANPAGES, RSS_DIFF
19 – Install Qmail itself
cd /usr/ports/mail/qmail-tls
make install clean
options selected: BLOCKEXEC_PATCH , DISCBOUNCES_PATCH, SPF_PATCH
20 – Set-up main alias
Define the root, postmaster and mailer-daemon aliases to an account that you WILL create later
cd /var/qmail/alias
echo "myaccount@mydomain.com" > .qmail-root
echo "myaccount@mydomain.com" > .qmail-postmaster
echo "myaccount@mydomain.com" > .qmail-mailer-daemon
21 – Qmail configuration
First the tricky part: we must get a lot of values from the main Qmail and keep them in sync, so we will use a read-only nullfs mount of the main instance's control directory. I really hope that you chose the ezjail path (if not, adapt to your system).
cd /var/qmail/control
mkdir main
Now exit the jail to the host environment, and if you created the jail with ezjail (I sure hope so), just edit /etc/fstab.mx_domain_com and add a line so ezjail does the null mount for you:
/var/qmail/control /usr/jails/mx.domain.com/var/qmail/control/main nullfs ro 0 0
Restart the jail and log in
/usr/local/etc/rc.d/ezjail restart mx.domain.com
ezjail-admin console mx.domain.com
And there you go, all the control files of the main Qmail are right in /var/qmail/control/main. Now we need to pull three of them in with symbolic links (rcpthosts, morercpthosts and morercpthosts.cdb). In a fresh Qmail install, morercpthosts and morercpthosts.cdb don't exist, so touch them in the main Qmail's control directory on the host (the nullfs mount is read-only, so this can't be done from inside the jail).
cd /var/qmail/control
rm rcpthosts
ln -s main/rcpthosts ./
ln -s main/morercpthosts ./
ln -s main/morercpthosts.cdb ./
Now take care of the other configuration files (if in doubt about what you are doing, check section 8 on the previous page). Note that locals is deliberately emptied and not linked from the main instance; this is what later makes qmail-send hand every accepted domain to smtproutes.
echo "20" > concurrencyincoming
echo "20" > concurrencylocal
echo "30" > concurrencyremote
echo "domain.com" > defaultdomain
echo "domain.com" > envnoathost
echo "domain.com" > plusdomain
cp /dev/null locals
echo "mx.domain.com" > me
echo "172800" > queuelifetime
echo "120" > timeoutsmtpd
echo "120" > timeoutremote
echo "4" > spfbehavior
Generate the certificate for TLS. A 1024-bit RSA key is no longer acceptable, so use 2048 bits or more. servercert.pem contains the private key, so it must be readable by qmaild (qmail-smtpd drops to that user) and by nobody else:
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
cat server.key server.crt > servercert.pem
chown qmaild servercert.pem
chmod 600 servercert.pem
And the cipher list files. A bare `openssl ciphers` dumps the library's whole default list; restricting it to high-strength, authenticated suites is a safer starting point:
openssl ciphers 'HIGH:!aNULL:!eNULL:!MD5' > /var/qmail/control/tlsclientciphers
openssl ciphers 'HIGH:!aNULL:!eNULL:!MD5' > /var/qmail/control/tlsserverciphers
Set up /etc/tcp.smtp; this is much simpler than the one in the host environment, since this instance relays for nobody (no RELAYCLIENT anywhere).
echo :allow,QMAILQUEUE=\"/var/qmail/bin/qmail-queue\" > /etc/tcp.smtp
tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
Now the magic that makes this actually work: smtproutes, a file that lets us create artificial SMTP routes. qmail-smtpd only accepts recipients in the domains listed in rcpthosts (and morercpthosts), which are exactly the main instance's domains. Because locals is empty (and there is no virtualdomains), qmail-send considers none of those domains local, so every accepted message is a remote delivery, and a default route (an empty domain before the colon) sends all of it to the main Qmail server:
echo ":aaa.bbb.ccc.ddd" > smtproutes
22 - Qmail start-up scripts and directories
This is a simplified version of point 9.
cd /var/qmail/
Edit rc, copy in the rc file content (see point 9 on the previous page), save it and mark it executable:
chmod +x rc
create the daemontools scripts directories
mkdir -p supervise/qmail-smtpd/log
mkdir -p supervise/qmail-send/log
and log directory
mkdir -p /var/log/qmail
chown qmaill /var/log/qmail
Now download and place the scripts for qmail-smtpd (/var/qmail/supervise/qmail-smtpd/run and /var/qmail/supervise/qmail-smtpd/log/run) and qmail-send (/var/qmail/supervise/qmail-send/run and /var/qmail/supervise/qmail-send/log/run). Don't forget to mark all the run scripts executable.
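The run scripts are where rblsmtpd actually goes: it is inserted between tcpserver and qmail-smtpd, so a listed client is rejected before qmail-smtpd ever starts. Since the guide's own scripts are only linked, here is an added example (not the author's scripts) of a generator that writes the four run files for this instance. It assumes the FreeBSD ports paths used elsewhere on this page (/usr/local/bin for daemontools and ucspi-tcp, /var/qmail for qmail) and a log directory already owned by qmaill as in section 22; the DNSBL zones named are an example choice, not a recommendation, and each list has its own usage policy.

```shell
#!/bin/sh
# Added example: write the daemontools run scripts for the front-end MX,
# with rblsmtpd in front of qmail-smtpd.  Not the scripts the guide links to.
# Usage: write_mx_run_scripts /var/qmail/supervise /var/log/qmail

write_mx_run_scripts() {
    sup=$1      # supervise directory, linked into /service later
    logdir=$2   # must be writable by qmaill; multilog creates the subdirectories
    mkdir -p "$sup/qmail-smtpd/log" "$sup/qmail-send/log"

    # qmail-smtpd: softlimit -> tcpserver -> rblsmtpd -> qmail-smtpd.
    # Quoted heredoc: nothing below is expanded at generation time.
    cat > "$sup/qmail-smtpd/run" <<'EOF'
#!/bin/sh
QMAILDUID=$(id -u qmaild)
NOFILESGID=$(id -g qmaild)
MAXSMTPD=$(cat /var/qmail/control/concurrencyincoming)
# softlimit -m: memory cap; raise it if qmail-smtpd dies during STARTTLS.
# tcpserver: -R no ident lookup, -H no reverse DNS, -x rules from tcp.smtp.cdb,
#            -c concurrency, -u/-g drop to qmaild before running the child.
# rblsmtpd: queries each -r zone in turn; a listed client gets a 451 (temporary)
#           rejection by default, or 553 (permanent) with -b.  A tcprules entry
#           that sets RBLSMTPD="" makes rblsmtpd skip the lookups for that client.
exec /usr/local/bin/softlimit -m 64000000 \
    /usr/local/bin/tcpserver -v -R -H -l 0 -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
        -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    /usr/local/bin/rblsmtpd -r zen.spamhaus.org -r bl.spamcop.net \
    /var/qmail/bin/qmail-smtpd 2>&1
EOF

    # Unquoted heredocs: $logdir is expanded now, at generation time.
    cat > "$sup/qmail-smtpd/log/run" <<EOF
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s1000000 n20 $logdir/smtpd
EOF

    cat > "$sup/qmail-send/run" <<'EOF'
#!/bin/sh
exec /var/qmail/rc
EOF

    cat > "$sup/qmail-send/log/run" <<EOF
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s1000000 n20 $logdir/send
EOF

    # Mark executable and syntax-check every script before it goes under svscan.
    for f in "$sup/qmail-smtpd/run" "$sup/qmail-smtpd/log/run" \
             "$sup/qmail-send/run" "$sup/qmail-send/log/run"; do
        chmod 755 "$f"
        sh -n "$f" || return 1
    done
    return 0
}
```

Two operational notes. The rejection is deliberately the temporary 451 so that a legitimate host that got listed by mistake retries later instead of bouncing; switch to -b once you trust the lists. And if a partner's server sends from a listed address, exempt it in /etc/tcp.smtp with a rule of the form `1.2.3.4:allow,RBLSMTPD=""` rather than by removing rblsmtpd.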
23 - Stop sendmail, replace sendmail with qmail and start qmail
/etc/rc.d/sendmail stop
and make it permanent in /etc/rc.conf
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
Set up the FreeBSD mailwrapper, /etc/mail/mailer.conf:
sendmail /var/qmail/bin/sendmail
send-mail /var/qmail/bin/sendmail
mailq /var/qmail/bin/qmail-qread
newaliases /var/qmail/bin/newaliases
hoststat /var/qmail/bin/qmail-tcpto
purgestat /var/qmail/bin/qmail-tcpok
Start Qmail
ln -s /var/qmail/supervise/* /service/
And yes, there is a qmailctl tailored to this Qmail installation (without pop3).
24 - Wrapping up and final thoughts
As on the main server, adjust the softlimit in /var/qmail/supervise/qmail-smtpd/run (check how to do this on the previous page).
Anytime you create a new domain in the main Qmail, reload this instance so it picks the domain up. As the lazy bastard I am, I put this in a root cron job running once every 15 minutes. (Strictly speaking, qmail-smtpd re-reads rcpthosts on every connection and the reload only makes qmail-send re-read locals and virtualdomains, neither of which this instance uses, so the cron job is a harmless safety net rather than a requirement.)
*/15 * * * * /usr/local/bin/qmailctl reload
Don't forget to point the DNS MX record at this instance, and to keep an A record like mail.domain.com to hand out to users.
The main weakness of this installation is that if a clever spammer discovers that mail.domain.com also accepts incoming email for the local domains, he can spam your users directly, bypassing the RBL tests.
Any comments, rants, soul pains, random thoughts are appreciated.
2 thoughts on “My Qmail installation guide”