
INFORMAÇÃO PUBLICIDADE LTDA - INFORMATION TECHNOLOGY

Tutorial: Installing and Configuring an E-mail Server

Qmail SpamAssassin Vpopmail Clamav Roundcube SSL

i-Comunicação and Faros Educacional
André Gonçalves Araujo
andre.araujo@icomunicacao.com.br
Computer Network Support

Brasília, 20 September 2011

Tutorial: Installing Qmail SpamAssassin Vpopmail Clamav Roundcube SSL


Test Environment

Operating system: Debian Squeeze
Hardware: VMware Player virtual machine
HD: 20GB
MEM: 512

Pre-Installation

Download the packages needed to install and configure the whole server.

Install Daemontools and ucspi-tcp


aptitude install ucspi-tcp daemontools daemontools-run

Install Courier packages


aptitude install courier-base courier-authdaemon courier-authlib courier-authlib-mysql courier-imap courier-imap-ssl courier-pop-ssl courier-pop courierpassd courier-maildrop gamin

You should accept all the default answers.

Install needed compiler, tools and library


aptitude install cpp g++ gcc make automake wget telnet libtool patch patchutils logrotate dh-make-perl libltdl7 libcdb1 equivs expect openssl libssl-dev libgmp3-dev libgdbm-dev libpcre++-dev libpcre-ocaml libpcre-ocaml-dev

For security reasons, it's a good idea to remove the compilers (cpp, g++, gcc and make) after you complete this guide.

Install MySQL database and libraries


aptitude install mysql-common mysql-server-5.1 mysql-client-5.1 mysql-server-core-5.1 libmysqlclient16 libmysqlclient-dev

Remember your root MySQL password (described as MySQL_root_password later in this guide).

Install Apache & PHP


aptitude install apache2 php5 php5-common libapache2-mod-php5 php5-mysql

Accept the default proposal about apache2-mpm-worker.

Install antispam and antivirus


aptitude install spamassassin spamc pyzor razor clamav clamav-daemon clamav-docs

Install un-archiver tools


aptitude install arj unrar lha unzip bzip2 tar tnef

Install perl modules


aptitude install perl-suid spf-tools-perl libmailtools-perl libnet-cidr-lite-perl libnet-daemon-perl libtest-distribution-perl libmail-spf-perl libperl-dev
aptitude install libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl perl-doc libdate-manip-perl libio-string-perl libio-socket-ssl-perl libnet-ident-perl libsys-syslog-perl libencode-detect-perl
aptitude install libnet-dns-perl libplrpc-perl libtimedate-perl libcompress-zlib-perl libdigest-hmac-perl libdigest-sha1-perl libparse-syslog-perl libmail-dkim-perl libcrypt-openssl-bignum-perl

Install debug / manipulation tools


Those last ones are not mandatory but are useful if you need to debug:

aptitude install dnsutils whois findutils pciutils less net-tools tcpdump iptraf lsof dstat iotop htop mc locate

Throughout the installation we will work with all the packages inside the /downloads directory.

mkdir /downloads
cd /downloads
wget http://qmailrocks.thibs.com/downloads/debian-qmr.tar.gz
tar zxvf debian-qmr.tar.gz
apt-get install libgamin0

Creating Groups and Users

After downloading the files, create the users and groups that will run the e-mail service. Qmail is a set of smaller programs that work together to send and receive e-mail. For this to be done securely, it is extremely important that every file and directory has its proper owner and group.

Note that if you ever need to reinstall the mail server through a backup and restore procedure, you must make sure that the users' numeric UIDs and GIDs are preserved. This matters because the programs are compiled with the specific UIDs and GIDs given in this tutorial. If you want to change these values, you must change the courier-authlib configuration.

groupadd -g 161 nofiles
groupadd -g 162 qmail
groupadd -g 163 qscand
groupadd -g 89 vchkpw
useradd -u 161 -g nofiles -d /var/qmail/alias -s /sbin/nologin -p '*' -c 'QMail alias user' alias
useradd -u 162 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail daemon user' qmaild
useradd -u 163 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail log user' qmaill
useradd -u 164 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail password user' qmailp
useradd -u 165 -g qmail -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail queue user' qmailq
useradd -u 166 -g qmail -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail remote user' qmailr
useradd -u 167 -g qmail -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail send user' qmails
useradd -u 89 -g vchkpw -d /home/vpopmail -s /sbin/nologin -p '*' -c 'Vpopmail (virtual domains) user' vpopmail
useradd -u 168 -g qscand -d /bin/false -s /sbin/nologin -p '*' -c 'Antivirus user' qscand
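One way to check the UID/GID requirement described above after a reinstall or restore. This is an added example, not part of the original tutorial: the function names and the sample passwd/group contents are constructed for illustration, while the expected IDs are the ones from the groupadd/useradd commands above.

```shell
#!/bin/sh
# Expected numeric IDs, copied from the groupadd/useradd commands in this tutorial.
EXPECTED_GROUPS="nofiles:161 qmail:162 qscand:163 vchkpw:89"
# Format: user:uid:primary-group
EXPECTED_USERS="alias:161:nofiles qmaild:162:nofiles qmaill:163:nofiles
qmailp:164:nofiles qmailq:165:qmail qmailr:166:qmail qmails:167:qmail
vpopmail:89:vchkpw qscand:168:qscand"

# field FILE NAME N: print colon-separated field N of the entry named NAME.
field() {
    awk -F: -v name="$2" -v n="$3" '$1 == name { print $n; exit }' "$1"
}

# expected_gid GROUP: numeric gid the tutorial assigns to GROUP.
expected_gid() {
    for g in $EXPECTED_GROUPS; do
        if [ "${g%%:*}" = "$1" ]; then echo "${g##*:}"; fi
    done
}

# check_ids PASSWD_FILE GROUP_FILE: print one line per deviation, nothing if clean.
# On a live server: check_ids /etc/passwd /etc/group
check_ids() {
    for g in $EXPECTED_GROUPS; do
        have=$(field "$2" "${g%%:*}" 3)
        [ "$have" = "${g##*:}" ] ||
            echo "group ${g%%:*}: want gid ${g##*:}, have ${have:-none}"
    done
    for u in $EXPECTED_USERS; do
        name=${u%%:*}; rest=${u#*:}
        want_uid=${rest%%:*}; want_gid=$(expected_gid "${rest##*:}")
        have_uid=$(field "$1" "$name" 3); have_gid=$(field "$1" "$name" 4)
        [ "$have_uid" = "$want_uid" ] ||
            echo "user $name: want uid $want_uid, have ${have_uid:-none}"
        [ "$have_gid" = "$want_gid" ] ||
            echo "user $name: want gid $want_gid, have ${have_gid:-none}"
    done
}

# demo: run the check on constructed passwd/group files in which vpopmail and
# vchkpw were recreated with auto-assigned IDs instead of 89 (constructed case).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/group" <<'EOF'
nofiles:x:161:
qmail:x:162:
qscand:x:163:
vchkpw:x:1001:
EOF
    cat > "$dir/passwd" <<'EOF'
alias:x:161:161:QMail alias user:/var/qmail/alias:/sbin/nologin
qmaild:x:162:161:QMail daemon user:/var/qmail:/sbin/nologin
qmaill:x:163:161:QMail log user:/var/qmail:/sbin/nologin
qmailp:x:164:161:QMail password user:/var/qmail:/sbin/nologin
qmailq:x:165:162:QMail queue user:/var/qmail:/sbin/nologin
qmailr:x:166:162:QMail remote user:/var/qmail:/sbin/nologin
qmails:x:167:162:QMail send user:/var/qmail:/sbin/nologin
vpopmail:x:1001:1001:Vpopmail (virtual domains) user:/home/vpopmail:/sbin/nologin
qscand:x:168:163:Antivirus user:/bin/false:/sbin/nologin
EOF
    check_ids "$dir/passwd" "$dir/group"
    rm -rf "$dir"
}

demo
```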

mkdir /var/qmail
mkdir /usr/src/qmail
mkdir -p /var/log/qmail/qmail-send
mkdir -p /var/log/qmail/qmail-smtpd
mkdir -p /var/log/qmail/qmail-smtpdssl
chown -R qmaill:root /var/log/qmail
chmod -R 750 /var/log/qmail

Installing Qmail, ucspi-tcp and ucspi-ssl

The Debian repositories contain a Qmail source package. The reason we will not use it is simple: once installed, its files are spread across several different locations, which makes the Qmail layout somewhat harder to document and understand.

Extracting the sources

cd /usr/src/qmail
tar -zxvf /downloads/qmail-1.03.tar.gz

Patch it with John M. Simpson's combined patches (includes every patch which is part of netqmail-1.05 ... but also some others!)

cd /usr/src/qmail/qmail-1.03
patch < /downloads/patches/qmail-1.03-jms1-7.10.patch

Install Ezmlm-idx

Ezmlm-idx is a mailing list manager, an add-on for Qmail. Once Qmailadmin is installed, you will see that ezmlm-idx integrates seamlessly into Qmailadmin to provide mailing lists with a very friendly management interface. As an added bonus, Vpopmail (which we will also install) lets you control what users can and cannot use in the mailing lists! Its home page is here: http://www.ezmlm.org/

cd /downloads/
tar zxvfp ezmlm-idx-7.1.1.tar.gz
cd /downloads/ezmlm-idx-7.1.1
ln -s /downloads/ezmlm-idx-7.1.1/lang/en_US/ /downloads/ezmlm-idx-7.1.1/lang/default
make clean
make; make man
./ezmlm-test

You should get messages like the ones below:

ezmlm-make: OK
Using subdb plugin: std
ezmlm-reject: OK
ezmlm-[un|is]sub[n]: OK
ezmlm-checksub: OK
ezmlm-send: OK
ezmlm-tstdig: OK
ezmlm-weed: OK
ezmlmrc contents: OK
ezmlm-clean: OK
ezmlm-store: OK
ezmlm-return: OK
ezmlm-warn (1/2): OK
ezmlm-manage (1/2): OK
ezmlm-request: OK
ezmlm-split: OK
ezmlm-gate: OK
ezmlm-idx: OK
ezmlm-get (index): OK
ezmlm-get (get): OK
ezmlm-get (thread): OK
ezmlm-get (digest): OK
ezmlm-manage (2/2): OK
ezmlm-moderate: OK
ezmlm-warn (2/2): OK
ezmlm-archive: OK
ezmlm-dispatch: OK
dispatch editor: OK
decode sender: OK
Verifying message header and body contents...
flags and substs: OK
messages: OK
subscribe probe: OK
unsubscribe probe: OK
subscribe: OK
unsubscribe: OK
moderated subscribe: OK
moderated unsub: OK
subscribe by mod: OK
unsubscribe by mod: OK
copylines: OK
ezmlm-send: OK
Cleaning up...

Edit the file /downloads/ezmlm-idx-7.1.1/conf-ld and replace the first line with:

cc -g -B /usr/lib/mysql/

Creating the database

The MySQL root password must be the one we configured in step 3. It must not be the same as the password for ezmlmuser (EZMLM_PASSWORD).

mysql -pMySQL_root_password
CREATE DATABASE ezmlm;
GRANT ALL PRIVILEGES ON ezmlm.* TO ezmlmuser@localhost IDENTIFIED BY 'EZMLM_PASSWORD';
FLUSH PRIVILEGES;
quit;

Let's test the account we created:

mysql -uezmlmuser -pEZMLM_PASSWORD
exit;

You should get this response:

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.0.51a-24+lenny4-log (Debian)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>exit;

Installing and testing the MySQL support:

cd /downloads/ezmlm-idx-7.1.1
make mysql
./ezmlm-test -s mysql -u ezmlmuser -p EZMLM_PASSWORD -h localhost

You should get a response like this:

ezmlm-make: OK
Using subdb plugin: mysql
ezmlm-reject: OK
ezmlm-[un|is]sub[n]: OK
ezmlm-checksub: OK
ezmlm non-SQL: OK
ezmlm SQL: OK
...

Finishing the installation:

make install

Ezmlm-0.53 is a qmail-based mailing list manager written by Dan J. Bernstein (qmail's author); ezmlm-idx originated as an add-on to it. It now exists as a complete package on its own, but can still be considered essentially as an extension to ezmlm.

Installing Autorespond

Autoresponder does exactly what you think it does: it generates automatic replies for users' mailboxes.

cd /downloads/
tar zxvf autorespond-2.0.5.tar.gz
cd /downloads/autorespond-2.0.5
make && make install

Installing Vpopmail

Vpopmail is one of the main components of this installation. It lets us host mail for virtual domains, and it comes with numerous built-in tools and features that make administration more pleasant. Even if you do not want to host mail for several domains, I still recommend installing Vpopmail. It simply makes running mail easier. Besides, this installation revolves around it, so if you do not install it you will have a headache.

Creating the database

MySQL_root_password must be the password chosen in step 3, and the password for vpopmailuser (VPOPMAIL_PASSWORD) must be different from the root password.

mysql -pMySQL_root_password
CREATE DATABASE vpopmail;
GRANT select,insert,update,delete,create,drop ON vpopmail.* TO vpopmailuser@localhost IDENTIFIED BY 'VPOPMAIL_PASSWORD';
FLUSH PRIVILEGES;
quit;

Testing the account we created:

mysql -uvpopmailuser -pVPOPMAIL_PASSWORD

You should get a response like this:

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.0.51a-24+lenny4-log (Debian)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>exit;

Preparing the installation

mkdir -p /home/vpopmail/etc
chown -R vpopmail:vchkpw /home/vpopmail
chmod 770 /home/vpopmail
cd /home/vpopmail/etc
echo "localhost|0|vpopmailuser|VPOPMAIL_PASSWORD|vpopmail" > ~vpopmail/etc/vpopmail.mysql
chown vpopmail:vchkpw ~vpopmail/etc/vpopmail.mysql
chmod 640 ~vpopmail/etc/vpopmail.mysql

Compiling

cd /downloads/
tar zxvf vpopmail-5.4.33.tar.gz
cd /downloads/vpopmail-5.4.33
./configure \
  --enable-qmaildir=/var/qmail/ \
  --enable-qmail-newu=/var/qmail/bin/qmail-newu \
  --enable-qmail-inject=/var/qmail/bin/qmail-inject \
  --enable-qmail-newmrh=/var/qmail/bin/qmail-newmrh \
  --enable-tcprules-prog=/usr/bin/tcprules \
  --enable-tcpserver-file=/etc/tcp.smtp \
  --enable-clear-passwd \
  --enable-many-domains \
  --enable-valias \
  --enable-qmail-ext \
  --enable-logging=p \
  --enable-auth-logging \
  --enable-sql-logging \
  --enable-auth-module=mysql \
  --enable-incdir=/usr/include/mysql \
  --enable-libdir=/usr/lib/ \
  --disable-mysql-limits \
  --disable-passwd
make && make install-strip

Modifying this file is necessary to avoid segmentation faults in some cases:

cat > ~vpopmail/etc/vusagec.conf << __EOF__
Server:
  Disable = True;
__EOF__

Installing Qmailadmin

Qmailadmin is a tool that provides a web interface for administering Qmail. Contrary to what the tutorials say, its interface is not friendly; nevertheless, it lets you carry out many operations such as creating e-mail accounts, aliases, forwards, mail robots and mailing lists.

cd /downloads/
tar zxvf qmailadmin-1.2.16.tar.gz
cd /downloads/qmailadmin-1.2.16
./configure \
  --enable-cgibindir=/var/www/mail/cgi-bin/ \
  --enable-htmldir=/var/www/mail/cgi-bin/ \
  --enable-imageurl=../../images \
  --enable-imagedir=/var/www/mail/images \
  --enable-domainautofill \
  --enable-ezmlmdir=/usr/local/bin/ezmlm \
  --enable-autorespond=/usr/bin/autorespond
make && make install-strip
cd /var/www/mail/images
rm middleleft1.png
wget http://mailadmin.thibs.com/images/middleleft1.png

We will test the web interface later.

Enabling the web tools

In the previous steps we installed two administration tools for the mail server; now we will enable them.

First, create an entry in the DNS server (a CNAME or an A record). For this environment the domain mailadmin.intranet.ico was created, pointing to the virtual server. It can be any name except the server's hostname.

Then create the virtual host in Apache, pointing to the registered domain. The file /etc/apache2/sites-available/mailadmin.intranet.ico contains the following entries:

-----------
<VirtualHost *:80>
    ServerAdmin andre@intranet.ico
    DocumentRoot /var/www/mail
    ServerName mailadmin.intranet.ico
    ErrorLog /var/log/apache2/mailadmin.intranet.ico-error.log
    CustomLog /var/log/apache2/mailadmin.intranet.ico-access.log common
    <Directory /var/www/mail/cgi-bin/>
        Options ExecCGI FollowSymLinks -Indexes
        ForceType cgi-script
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/mail/cgi-bin/vqadmin/>
        deny from all
        Options ExecCGI -Indexes
        AllowOverride All
        Order deny,allow
    </Directory>
    <Directory /var/www/mail/qmailadmin/>
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/mail/cgi-bin/images/>
        ForceType Off
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/mail/images/qmailadmin/>
        ForceType Off
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/mail/images/vqadmin/>
        ForceType Off
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
-----------

a2ensite mailadmin.intranet.ico
/etc/init.d/apache2 reload

Finally, let's test the web interfaces.

Enter the following address in the browser to test qmailadmin: http://mailadmin.intranet.ico/cgi-bin/qmailadmin

Remove installed MTA

Exim is the default installed MTA on Debian. Stop and remove Exim:

/etc/init.d/exim4 stop
dpkg --ignore-depends=exim4 -r exim4
dpkg --ignore-depends=exim4-daemon-light -r exim4-daemon-light

If you are using sendmail or postfix:

dpkg --purge --ignore-depends=postfix postfix
dpkg --purge sendmail sendmail-base sendmail-bin sendmail-cf

Install a pseudo MTA to avoid problems within the Debian system:

dpkg -i /downloads/deb-packages/mta-local_1.0_all.deb

Create symlinks to use Qmail instead of the default MTA:

rm -f /usr/lib/sendmail
rm -f /usr/sbin/sendmail
ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail

Configure Qmail

It's time to configure Qmail ...

Copy the script to its proper location:

cp /downloads/scripts/qmailctl /var/qmail/bin/qmailctl

Adapt the script permissions:

chmod 755 /var/qmail/bin/qmailctl

The script /var/qmail/rc is no longer used. In the original qmailrocks installation guide, it was used in the script send_run, replaced by service-sendrun (from John M. Simpson) in this guide.

Create the needed symlink:

ln -s /var/qmail/bin/qmailctl /usr/bin

Set Maildir as the default mailbox type (./Mailbox for mbox type):

echo ./Maildir > /var/qmail/control/defaultdelivery

Set some configuration (you can find more at http://www.lifewithqmail.com/lwq.html#configuration):

echo 255 > /var/qmail/control/concurrencyremote
echo 30 > /var/qmail/control/concurrencyincoming
echo 30 > /var/qmail/control/timeoutsmtpd
echo 3 > /var/qmail/control/spfbehavior
echo postmaster@yourdomain.tld > /var/qmail/control/bouncefrom
echo yourdomain.tld > /var/qmail/control/doublebouncehost
echo postmaster > /var/qmail/control/doublebounceto
cd /var/qmail/control/
chmod 644 bouncefrom doublebouncehost doublebounceto concurrencyremote concurrencyincoming spfbehavior

Set the maximum message size to 8Mb:

echo '8000000' > /var/qmail/control/databytes

Allow localhost to send mail:

echo '127.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp
qmailctl cdb

If you use backup MX servers or if this server is acting as a smart host for others, I advise you to run:

echo 'OTHER-SERVER-IP:allow,RELAYCLIENT="",QS_SPAMASSASSIN="1"' >> /etc/tcp.smtp
qmailctl cdb

If you want to learn about the other available options, take a look at this sample.

Create mail aliases:

echo some_address > /var/qmail/alias/.qmail-root
echo some_address > /var/qmail/alias/.qmail-postmaster
echo some_address > /var/qmail/alias/.qmail-mailer-daemon

Here some_address is the system user or e-mail address you want these addresses aliased to.

chmod 644 /var/qmail/alias/.qmail*

Final configuration:

cd /usr/src/qmail/qmail-1.03
./config-fast YOUR_SERVER_NAME

Edit /var/qmail/control/locals and remove YOUR_SERVER_NAME.
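The /etc/tcp.smtp rules above decide which clients may relay through this server, so a rule that sets RELAYCLIENT for more than the intended hosts turns it into an open relay. The audit below is an added example, not part of the original guide: the function names and the sample rule file are constructed, and it assumes the IPv4 address:instruction syntax used in the rules above.

```shell
#!/bin/sh
# relay_rules FILE: list every "allow" rule that sets RELAYCLIENT, prefixed
# with how wide the grant is. Rules that do not grant relaying are skipped.
relay_rules() {
    awk '
    /^[ \t]*(#|$)/ { next }                    # comments and blank lines
    {
        sep = index($0, ":")
        if (sep == 0) next                     # not an address:instruction line
        addr = substr($0, 1, sep - 1)
        rule = substr($0, sep + 1)
        if (rule !~ /^allow/ || rule !~ /RELAYCLIENT=/) next
        if (addr == "")                        scope = "OPEN-RELAY"
        else if (addr ~ /^127\./)              scope = "loopback"
        else if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) scope = "single-host"
        else                                   scope = "network"
        print scope, (addr == "" ? "(default)" : addr)
    }' "$1"
}

# open_relay FILE: succeed if the default (empty-address) rule grants relaying,
# i.e. any client that matches no other rule is allowed to relay.
open_relay() {
    relay_rules "$1" | grep -q '^OPEN-RELAY '
}

# demo_rules: audit a constructed rule file. The first two rules have the shape
# of the ones added in this guide; the last three are constructed to show a
# wide grant, a rule that is ignored, and a default rule that opens the relay.
demo_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample of /etc/tcp.smtp
127.:allow,RELAYCLIENT=""
192.0.2.10:allow,RELAYCLIENT="",QS_SPAMASSASSIN="1"
10.:allow,RELAYCLIENT=""
198.51.100.:deny
:allow,RELAYCLIENT=""
EOF
    relay_rules "$f"
    open_relay "$f" && echo "WARNING: default rule sets RELAYCLIENT"
    rm -f "$f"
}

demo_rules
```

On the server, run relay_rules /etc/tcp.smtp before each qmailctl cdb and review every line that is not loopback or an expected single host.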


Configure Daemontools

Daemontools is a collection of Unix tools for managing services. Its home page is here: http://cr.yp.to/daemontools.html

If you don't want to read about it, just remember that it automatically restarts a crashing service (but it allows a lot of other things and I really advise you to read about it...)

It has already been installed with a Debian package.

In this guide version, we'll use it only to manage the processes qmail-smtpd, qmail-send and qmail-smtpdssl. I however plan to manage other services in a next release.

Create the needed directories with appropriate permissions:

mkdir -p /var/qmail/supervise/qmail-smtpd/log
mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-smtpdssl/log
cd /var/qmail/supervise
chmod +t qmail-smtpd qmail-send qmail-smtpdssl

Copy the scripts to their proper locations (service-qmail-send-run, send_log, service-qmail-smtpd-run, smtpd_log, service-qmail-smtpdssl-run, smtpdssl_log):

cp /downloads/scripts/service-qmail-send-run /var/qmail/supervise/qmail-send/run
cp /downloads/scripts/send_log /var/qmail/supervise/qmail-send/log/run
cp /downloads/scripts/service-qmail-smtpd-run /var/qmail/supervise/qmail-smtpd/run
cp /downloads/scripts/smtpd_log /var/qmail/supervise/qmail-smtpd/log/run
cp /downloads/scripts/service-qmail-smtpdssl-run /var/qmail/supervise/qmail-smtpdssl/run
cp /downloads/scripts/smtpdssl_log /var/qmail/supervise/qmail-smtpdssl/log/run

Adapt permissions:

chmod 751 /var/qmail/supervise/qmail-smtpd/run
chmod 751 /var/qmail/supervise/qmail-smtpd/log/run
chmod 751 /var/qmail/supervise/qmail-send/run
chmod 751 /var/qmail/supervise/qmail-send/log/run
chmod 751 /var/qmail/supervise/qmail-smtpdssl/run
chmod 751 /var/qmail/supervise/qmail-smtpdssl/log/run

Create symlinks in the /etc/service directory:

ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /var/qmail/supervise/qmail-smtpdssl /etc/service

Create a symlink from the Debian convention to the standard convention:

ln -s /etc/service /service

Configure spamassassin

SpamAssassin is the antispam system we'll use.

Edit /etc/default/spamassassin to change the following options:

ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir -u vpopmail -v -x -i -m 5 -c -H -s mail"

Edit /etc/spamassassin/local.cf to change the following options.

Uncomment the following lines:

required_score 5.0
use_bayes 1
bayes_auto_learn 1

Add the following lines:

use_razor2 1
skip_rbl_checks 1
use_dcc 1
use_pyzor 1
razor_config /etc/razor/razor-agent.conf

OPTIONAL: If you want to report spam with Vipul's Razor spam-reporting system:

razor-admin -d -home=/etc/razor -create
razor-admin -d -home=/etc/razor -register

Uncomment this in /etc/spamassassin/v310.pre:

loadplugin Mail::SpamAssassin::Plugin::DCC

Uncomment this in /etc/spamassassin/v320.pre:

loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody

Install the IP::Country::Fast perl package (deb):

dpkg -i /downloads/deb-packages/libip-country-perl_2.27-1_all.deb

Uncomment this in /etc/spamassassin/init.pre:

loadplugin Mail::SpamAssassin::Plugin::RelayCountry

Create a compiled version of some rulesets:

sa-compile

Test the configuration and start the service:

/usr/bin/spamassassin -D --lint
/etc/init.d/spamassassin start

Configure clamav

Clamav is the antivirus system we'll use.

dpkg-reconfigure clamav-base

Change the clamav user/group to qscand and keep all of the other default settings (Group - Owner).

dpkg-reconfigure clamav-freshclam

Choose daemon + your location + default answers.

chown -R qscand:clamav /var/log/clamav /var/lib/clamav /var/run/clamav
chown qscand:qscand /etc/clamav/freshclam.conf
chmod 600 /etc/clamav/freshclam.conf
ln -s /var/log/clamav /var/log/qmail/clamav

Edit /etc/clamav/freshclam.conf to change the DatabaseOwner option:

DatabaseOwner qscand

Change both /etc/logrotate.d/clamav-freshclam and /etc/logrotate.d/clamav-daemon to create the log file with the correct identity:

create 640 qscand qscand

Restart the services:

/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart

Configure courier and courier-authlib

Adapt the automatically generated SSL certificate

During package installation, all the needed courier packages have been installed. Nevertheless, the generated SSL certificates probably do not match your needs. We'll simply regenerate them.

Edit the files /etc/courier/imapd.cnf and /etc/courier/pop3d.cnf to match your settings:

[ req_dn ]
C=BE
ST=Brussels
L=Brussels
O=Courier Mail Server
OU=POP3/IMAP SSL key
CN=Your FQDN server
emailAddress=Your e-mail address

Re-generate the certificates with the correct information and with a validity time of 10 years:

rm -f /usr/lib/courier/*.pem
rm -f /etc/courier/*.pem
sed -i 's/-days 365/-days 3650/' /usr/lib/courier/mkimapdcert
sed -i 's/-days 365/-days 3650/' /usr/lib/courier/mkpop3dcert
dpkg-reconfigure courier-imap-ssl
dpkg-reconfigure courier-pop-ssl
ln -s /usr/lib/courier/pop3d.pem /etc/courier/pop3d.pem
ln -s /usr/lib/courier/imapd.pem /etc/courier/imapd.pem

Configure courier-authlib

Courier-authlib is the authentication library used by all the courier components. We'll use the MySQL database used by vpopmail (which already contains the authentication info) instead of the vchkpw method used in the previous QMR guide (because it's no longer implemented/supported since version 0.60).

Please remember the settings used in step 4; you'll need to use them again.

As courier-authlib and courier-authlib-mysql have been installed with Debian packages, we only have to configure them.

Edit /etc/courier/authdaemonrc and change line 27 to match the following:

authmodulelist="authmysql"

Edit /etc/courier/authmysqlrc and adapt the variables to match the following (put the password chosen in step 4):

MYSQL_SERVER            localhost
MYSQL_USERNAME          vpopmailuser
MYSQL_PASSWORD          VPOPMAIL_PASSWORD
MYSQL_DATABASE          vpopmail
MYSQL_SELECT_CLAUSE     SELECT CONCAT(pw_name, '@', pw_domain) AS username, \
                        pw_passwd AS cryptpw, \
                        pw_clear_passwd AS clearpw, \
                        '89' AS uid, \
                        '89' AS gid, \
                        pw_dir AS home, \
                        '' AS maildir, \
                        pw_shell AS quota, \
                        pw_gecos AS fullname, \
                        'disablewebmail=0,disablepop3=0,disableimap=0' AS options \
                        FROM vpopmail \
                        WHERE pw_name = '$(local_part)' \
                        AND pw_domain = '$(domain)';

If applicable, replace 89 by the alternate UID:GID chosen in Part 1.

Restart the service to take those modifications into account:

/etc/init.d/courier-authdaemon restart

Install qmail-scanner

qmail-scanner is an alternate queuing system for qmail. Qmail-scanner is going to allow us to integrate Clam Antivirus and SpamAssassin into our qmail server's mail queue. Once qmail-scanner is installed, there will be a master script that is filled with configuration options that help you to tailor the functionality of Clam Antivirus and SpamAssassin to your needs.

We have patched the qmail source to support it on step 2 and we have implemented it on step 10. It's now time to install it ;-)

cd /downloads/
tar zxvf q-s-2.08st-20100626.tgz
cd /downloads/qmail-scanner-2.08st
./configure --admin postmaster --domain your_domain --local-domains "your_domain" --sa-quarantine 5 --ignore-eol-check yes --add-dscr-hdrs yes --notify psender,admin --sa-report yes --fix-mime 1 --unzip 1 --archive 0 --silent-viruses auto --redundant no --log-crypto 0
./configure --admin postmaster --domain your_domain --local-domains "your_domain" --sa-quarantine 5 --ignore-eol-check yes --add-dscr-hdrs yes --notify psender,admin --sa-report yes --fix-mime 1 --unzip 1 --archive 0 --silent-viruses auto --redundant no --log-crypto 0 --install 1
ln -s /var/spool/qscan /var/log/qmail/qscan

Let's test it ... First switch to a non-privileged user account:

su - non-privileged_user_account
/var/qmail/bin/qmail-scanner-queue.pl -g

You should have an answer like this:

perlscanner: generate new DB file from /var/spool/qscan/quarantine-events.txt
perlscanner: total of 35 entries.

Switch back to the root account:

exit

Add it to the log rotation system:

cp /downloads/qmail-scanner-2.08st/contrib/logrotate.qmail-scanner /etc/logrotate.d/qmail-scanner
chmod 644 /etc/logrotate.d/qmail-scanner

Launch qmail:

qmailctl start
qmailctl stat

You should see something like this:

/service/qmail-send: up (pid 17762) 63 seconds
/service/qmail-send/log: up (pid 17763) 63 seconds
/service/qmail-smtpd: up (pid 18500) 63 seconds
/service/qmail-smtpd/log: up (pid 17767) 63 seconds
/service/qmail-smtpdssl: up (pid 18496) 63 seconds
/service/qmail-smtpdssl/log: up (pid 17773) 63 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0

If you notice that some service stays at 1 second, check the corresponding log to debug it:

tail /var/log/qmail/qmail-send/current
tail /var/log/qmail/qmail-smtpd/current
tail /var/log/qmail/qmail-smtpdssl/current

Test the combination of qmail-scanner, spamassassin and clamav:

cd /downloads/qmail-scanner-2.08st/contrib
chmod 755 test_installation.sh
./test_installation.sh -doit

You should have an answer like this:

Sending standard test message - no viruses... 1/4
done!
Sending eicar test virus - should be caught by perlscanner module... 2/4
done!
Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)... 3/4
done!
Sending bad spam message for anti-spam testing - In case you are using SpamAssassin... 4/4
If you have enabled $sa_quarantine, $sa_delete or $sa_reject the spam-message wont't arrive to the recipients. But if you have enabled (good idea!) 'minidebug' or 'debug' you should check /var/spool/qscan/qmail-queue.log (or where ever you have the log).
Done!
Finished test. Now go and check Email sent to postmaster@domain.tld and/or the log..

OPTIONAL: You can receive daily statistics:

echo '/var/spool/qscan/log-report.sh /var/spool/qscan/qmail-queue.log |mail YOUR E-MAIL ADDRESS' > /etc/cron.daily/qmailscanner-report
chmod 755 /etc/cron.daily/qmailscanner-report

Install roundcubemail webmail interface

cd /downloads/
tar zxvfp roundcubemail-0.5.3.tar.gz
chown -R root:root /downloads/roundcubemail-0.5.3
mv /downloads/roundcubemail-0.5.3 /var/www/mail/
ln -s /var/www/mail/roundcubemail-0.5.3/ /var/www/mail/webmail
ln -s /var/www/mail/webmail/logs /var/log/webmail
chmod 777 /var/www/mail/webmail/logs/
chmod 777 /var/www/mail/webmail/temp/

Create the needed database. The MySQL_root_password used here should be the password chosen on pre-step 3. It should not be the same as the password for roundcubemail (ROUNDCUBEMAILPASSWORD). It's not a typo: the MySQL_root_password should really be placed right next to the -p.

mysql -pMySQL_root_password
CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'ROUNDCUBEMAILPASSWORD';
quit;

Test the account you have just created:

mysql -uroundcube -pROUNDCUBEMAILPASSWORD
exit;

You should get a response like this:

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.0.51a-24+lenny4-log (Debian)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

Let's configure it:

cd /var/www/mail/webmail
mysql -uroundcube -pROUNDCUBEMAILPASSWORD roundcubemail < SQL/mysql.initial.sql
cp /var/www/mail/webmail/config/db.inc.php.dist /var/www/mail/webmail/config/db.inc.php
cp /var/www/mail/webmail/config/main.inc.php.dist /var/www/mail/webmail/config/main.inc.php

Edit the file /var/www/mail/webmail/config/main.inc.php and change the following:

$rcmail_config['default_host'] = 'localhost';

Edit the file /var/www/mail/webmail/config/db.inc.php and change the following:

$rcmail_config['db_dsnw'] = 'mysql://roundcube:ROUNDCUBEMAILPASSWORD@localhost/roundcubemail';

OPTIONAL: You can specify other parameters through the web interface. Point your browser to http://mailadmin.intranet.ico/webmail/installer/ and follow the instructions.

You can add some packages for optional features:

aptitude install php5-gd php5-mcrypt php5-intl
/etc/init.d/apache2 restart

Just a little cleaning ... and use it!

cd /var/www/mail/webmail
rm -rf installer/ CHANGELOG INSTALL LICENSE README UPGRADING

Point your browser to http://mailadmin.intranet.ico/webmail/ ... and use it!


Your server is functional now!

Test Qmail functionalities

We first check that the server listens on the right ports:

netstat -tupan |grep LISTEN

You should have at least the bold ones:

tcp   0  0 127.0.0.1:3306   0.0.0.0:*  LISTEN  2218/mysqld
tcp   0  0 0.0.0.0:783      0.0.0.0:*  LISTEN  2302/spamd.pid
tcp   0  0 0.0.0.0:111      0.0.0.0:*  LISTEN  1901/portmap
tcp   0  0 0.0.0.0:49168    0.0.0.0:*  LISTEN  1912/rpc.statd
tcp   0  0 0.0.0.0:465      0.0.0.0:*  LISTEN  3063/sslserver
tcp   0  0 127.0.0.1:1013   0.0.0.0:*  LISTEN  2957/famd
tcp   0  0 0.0.0.0:22       0.0.0.0:*  LISTEN  2141/sshd
tcp   0  0 0.0.0.0:25       0.0.0.0:*  LISTEN  3056/tcpserver
tcp6  0  0 :::993           :::*       LISTEN  2924/couriertcpd
tcp6  0  0 :::995           :::*       LISTEN  2942/couriertcpd
tcp6  0  0 :::110           :::*       LISTEN  2930/couriertcpd
tcp6  0  0 :::143           :::*       LISTEN  2911/couriertcpd
tcp6  0  0 :::80            :::*       LISTEN  2999/apache2

In this case, Qmail should now be able to send and receive e-mails.

Receiving e-mails telnet localhost 25 You should have an answer like this :

Tutorial Instalao Qmail Spamassasin Vpopmail Clamav Roundcube SSL


Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 servername.localdomain.tld ESMTP mail from: <testmail@test.com> 250 ok rcpt to: <nospam@test.com> 250 ok data 354 go ahead From: Test_sender <testmail@test.com> To: Test_receiver <nospam@test.com> Subject: Just a stupid SMTP test Just a test ! . 250 ok 1279384489 qp 3711 quit 221 servername.localdomain.tld Connection closed by foreign host. This demonstrate a successful SMTP connection ! For our tests, we need to create a dummy account /home/vpopmail/bin/vadddomain test.com brol /home/vpopmail/bin/vadduser test@test.com brol2 qmailctl reload We also can create a real account /home/vpopmail/bin/vadddomain your_real_domain.tld your_postmaster_password /home/vpopmail/bin/vadduser an_account@your_real_domain.tld your_account_password qmailctl reload You can of course do the same thing via vqadmin and qmailadmin web interfaces "brol" is a belgian idiom that means "something useless"

You can send a test mail to an_account@your_real_domain.tld from your regular mail client. We'll retrieve it in the next step, but if you don't receive an NDR, it's probably already OK.

Sending e-mail through an authenticated connection

Testing TLS

    telnet localhost 25

You should have an answer like this:

    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 servername.domain.tld ESMTP
    ehlo localhost
    250-servername.domain.tld
    250-STARTTLS
    250-SIZE 0
    250-PIPELINING
    250 8BITMIME
    starttls
    220 ready for tls
    quit
    quit

In the above SMTP session, I have highlighted the important aspects in DARK RED. After you give the server the initial "ehlo localhost" command, you should get a response back that lists "250-STARTTLS", signaling that the server is in fact equipped for TLS functionality. Then, after you issue the "starttls" command, you should get the "220 ready for tls" response if the server is able to successfully start the TLS session.

If you happen to get an error that states "454 TLS not available: missing RSA private key (#4.3.0)" after you issue the "starttls" command, you will want to check 2 things:

1. Verify that the cert actually exists at /var/qmail/control/servercert.pem. If it's not there, go back to step 2 and repeat the cert creation step.
2. Verify that the cert is owned by vpopmail:qmail. If it's not, then make it so like this:

    chown vpopmail:qmail /var/qmail/control/servercert.pem

Now that we have verified that the server supports the STARTTLS command, we can use openssl s_client to connect.

    openssl s_client -starttls smtp -crlf -connect localhost:25 -quiet

This command is equivalent to the previous sequence until the "220 ready for tls" message:

    depth=0 /C=BE/ST=Brussels/L=Brussels/O=DOMAIN.TLD/OU=ICT/CN=fqdn/emailAddress=your@email.tld
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=BE/ST=Brussels/L=Brussels/O=THIBS.COM/OU=ICT/CN=fqdn/emailAddress=your@e-mail.tld
    verify return:1
    250 8BITMIME
    ehlo testing
    250-fqdn
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN
    250-SIZE 0
    250-PIPELINING
    250 8BITMIME
    auth login
    334 VXNlcm5hbWU6
    dGVzdEB0ZXN0LmNvbQ==
    334 UGFzc3dvcmQ6
    YnJvbDI=
    235 ok, go ahead (#2.0.0)
    mail from: <testmail@test.com>
    250 ok
    rcpt to: <nospam@test.com>
    250 ok
    data
    354 go ahead
    From: Test_sender <testmail@test.com>
    To: Test_receiver <nospam@test.com>
    Subject: Just a simple SMTP TLS test

    Just a TLS test !
    .
    250 ok 1279384489 qp 3711
    quit
    221 servername.localdomain.tld
    Connection closed by foreign host.

As you've probably noticed, the login and password are Base64-encoded ("dGVzdEB0ZXN0LmNvbQ==" stands for "test@test.com" and "YnJvbDI=" stands for "brol2")! You can encode them yourself with the base64 script:

    perl /downloads/scripts/base64

    Press Enter to exit.
    Input you string: test@test.com
    Base64 encode is : dGVzdEB0ZXN0LmNvbQ==
    Input you string: brol2
    Base64 encode is : YnJvbDI=
    Input you string: ^C (means press CTRL+C)

Test SMTP-SSL

    openssl s_client -crlf -connect localhost:465 -quiet

It's nearly the same test. In this case, we use an SSL server where we connect to a different port number. We have to establish an SSL connection before the SMTP conversation even starts:

    depth=0 /C=BE/ST=Brussels/L=Brussels/O=DOMAIN.TLD/OU=ICT/CN=fqdn/emailAddress=your@email.tld
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=BE/ST=Brussels/L=Brussels/O=THIBS.COM/OU=ICT/CN=fqdn/emailAddress=your@e-mail.tld
    verify return:1
    auth login
    334 VXNlcm5hbWU6
    dGVzdEB0ZXN0LmNvbQ==
    334 UGFzc3dvcmQ6
    YnJvbDI=
    235 ok, go ahead (#2.0.0)
    mail from: <testmail@test.com>
    250 ok
    rcpt to: <nospam@test.com>
    250 ok
    data
    354 go ahead
    From: Test_sender <testmail@test.com>
    To: Test_receiver <nospam@test.com>
    Subject: Just a simple SMTP-SSL test

    Just a SMTP-SSL test !
    .
    250 ok 1279384489 qp 3711
    quit
    221 servername.localdomain.tld
    Connection closed by foreign host.

Test authentication

Now we should be able to authenticate through POP3, POP3-SSL, IMAP and IMAP-SSL.

Test courier-authlib

I assume you still have the dummy account created when we tested qmail. First check that the created account is still there (without testing the authentication):

    /home/vpopmail/bin/vuserinfo test@test.com

You should have an answer like this:

    name: test
    passwd: $1$E6ZeM1cj$B6/2kgZgjtycVtHteTPOC1
    clear passwd: brol2
    comment/gecos: test
    uid: 0
    gid: 0
    flags: 0
    gecos: test
    limits: No user limits set.
    dir: /home/vpopmail/domains/0/test.com/test
    quota: NOQUOTA
    usage: NOQUOTA
    account created: Thu Jul 15 16:02:29 2010
    last auth: Never logged in

If the account does not exist, please create it by following the instructions on the test qmail page.

Now test the authentication process:

    /usr/sbin/authtest postmaster@test.com brol
    /usr/sbin/authtest test@test.com brol2

You should have an answer like this:

    Authenticated: test@test.com (uid 89, gid 89)
    Home Directory: /home/vpopmail/domains/test.com/test
    Maildir: (none)
    Quota: (none)
    Encrypted Password: $1$Atj/HMvq$UBXjgO0sGl2Jy22b0Du0
    Cleartext Password: brol2
    Options: disablewebmail=0,disablepop3=0,disableimap=0

This is the sign authlib is working well!

HINT: Most of the authentication problems here are due to white space before or after the login/password in /etc/courier/authmysqlrc, configured in the previous step.

Test POP3 service

Let's test your new server's POP3 service...

    telnet localhost 110

You should see something like this:

    Trying 127.0.0.1...
    Connected to localhost.localdomain.
    Escape character is '^]'.
    +OK Hello there.
    user test@test.com
    +OK Password required.
    pass bril
    -ERR Login failed.
    pass brol2
    +OK logged in.
    quit
    +OK Bye-bye.

This is the sign of a successful POP connection to the server!

Test POP3-SSL service

Let's test your new server's POP3-SSL service...

    openssl s_client -connect localhost:995 -quiet

You should see something like this:

    depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/emailAddress=postmaster@example.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/emailAddress=postmaster@example.com
    verify return:1
    +OK Hello there.
    user test@test.com
    +OK Password required.
    pass brol2
    +OK logged in.
    quit
    +OK Bye-bye.

Test IMAP service

Let's test your new server's IMAP service...

    telnet localhost 143

You should see something like this:

    Trying 127.0.0.1...
    Connected to localhost.localdomain.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information.
    a login test@test.com brol2
    a OK LOGIN Ok.
    a logout
    * BYE Courier-IMAP server shutting down
    a OK LOGOUT completed

This is the sign of a successful IMAP connection to the server!

Hint: The "a" that you see before the login commands is required.

Test IMAPS service

Let's test your new server's IMAP-SSL service...

    openssl s_client -connect localhost:993 -quiet

You should see something like this:

    depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
    verify return:1
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
    a login test@test.com brol2
    a OK LOGIN Ok.
    a logout
    * BYE Courier-IMAP server shutting down
    a OK LOGOUT completed

This is the sign of a successful IMAPS connection to the server!

Delete the test account

    /home/vpopmail/bin/vdeluser test@test.com
    /home/vpopmail/bin/vdeldomain test.com
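The SMTP tests above show two things worth checking on every run: AUTH is advertised only after STARTTLS, and the AUTH LOGIN strings are plain Base64 that anyone can decode. The following is an added example, not part of the original tutorial. The function names and the "AUTH only inside TLS" rule are assumptions drawn from the sessions shown, and the inputs are copied from those sessions as constructed samples.

```python
import base64

# Constructed from the EHLO replies in the telnet and openssl s_client sessions above.
EHLO_PLAIN = """\
250-servername.domain.tld
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME
"""
EHLO_TLS = """\
250-fqdn
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-SIZE 0
250-PIPELINING
250 8BITMIME
"""
# The AUTH LOGIN exchange from the same session: (server prompt, client reply).
AUTH_LOGIN = [("334 VXNlcm5hbWU6", "dGVzdEB0ZXN0LmNvbQ=="),
              ("334 UGFzc3dvcmQ6", "YnJvbDI=")]


def capabilities(ehlo_reply):
    """Map each EHLO keyword to its parameters; the first reply line is the greeting."""
    caps = {}
    for line in ehlo_reply.splitlines()[1:]:
        words = line[4:].replace("=", " ", 1).split()  # "AUTH=LOGIN" is the legacy form
        if words:
            caps.setdefault(words[0].upper(), set()).update(w.upper() for w in words[1:])
    return caps


def check_policy(plain, tls):
    """Return findings for a server expected to offer AUTH only inside TLS."""
    rules = [
        ("STARTTLS" not in plain, "STARTTLS not offered on the cleartext connection"),
        ("AUTH" in plain, "AUTH offered before TLS, so Base64 credentials are readable in transit"),
        ("AUTH" not in tls, "AUTH not offered inside TLS, so clients cannot log in"),
    ]
    return [message for failed, message in rules if failed]


def decode_auth_login(exchange):
    """Decode prompts and replies: Base64 is an encoding, not encryption."""
    return [(base64.b64decode(prompt.split()[1]).decode(), base64.b64decode(reply).decode())
            for prompt, reply in exchange]


if __name__ == "__main__":
    print(check_policy(capabilities(EHLO_PLAIN), capabilities(EHLO_TLS)) or "policy ok")
    print(decode_auth_login(AUTH_LOGIN))
```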

------------------------------------------ /// ----------------------------------------------

Compiling fails with:

> make[2]: Entering directory `/home/graf/packages/BUILD/vmailmgr0.97/authenticate'
> g++ -DHAVE_CONFIG_H -I. -I. -I.. -I../lib -g -O2 -fno-rtti -fno-exceptions Wall -c checkvpw.cc
> checkvpw.cc: In function 'char* strcasestr(const char*, const char*)':
> checkvpw.cc:108: error: new declaration 'char* strcasestr(const char*, const char*)'
> /usr/include/string.h:367: error: ambiguates old declaration 'const char* strcasestr(const char*, const char*)'
> make[2]: *** [checkvpw.o] Error 1
> make[2]: Leaving directory `/home/graf/packages/BUILD/vmailmgr0.97/authenticate'

The reason is strcasestr() which is defined in checkvpw.cc, but also exists in glibc. This didn't hurt until now, because both were declared the same way, but now in glibc 2.10 the declaration changed slightly: strcasestr() returns "const char *" instead of "char *", and this results in the above error.

The easy fix is to delete strcasestr() from checkvpw.cc, this is what the attached patch does. A check for strcasestr() in configure on the current system would probably be better.

-Bernhard Graf

--- authenticate/checkvpw.cc +++ authenticate/checkvpw.cc @@ -105,15 +105,6 @@ return new auth_data(name, pass, stamp); } -char* strcasestr(const char* haystack, const char* needle) -{ - for(size_t hlength = strlen(haystack), nlength = strlen(needle); hlength >= nlength; hlength--, haystack++) if(!strncasecmp(haystack, needle, nlength)) return (char*)haystack; - return 0; -} unsigned find_maildir(int argc, const char* args[]) { for(int arg = 0; arg < argc; arg++) {
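Review bot: The unconditional removal of strcasestr() in the @@ -105,15 +105,6 @@ hunk leaves checkvpw.cc dependent on the C library providing it, and strcasestr() is a nonstandard extension, so a platform without it will no longer build. Keeping the fallback behind a configure test, for example AC_CHECK_FUNCS([strcasestr]) with the definition wrapped in #ifndef HAVE_STRCASESTR, would cover both cases, which is the check the message itself calls the better option. The removed function also returned a non-const char* by casting away const from haystack, so any caller in this file that stores the result in a char* while passing a const char* should be reviewed and switched to const char* to match the glibc 2.10 declaration quoted in the error output.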

Sources

http://www.superscript.com/ucspi-ssl/install.html
http://qmailrocks.thibs.com/
