# HOWTO: qmail vpopmail courier-imap qmail-scanner (02/2007)

## petterg

This guide is an update of the guide from September 2005 located at

https://forums.gentoo.org/viewtopic-t-382072-start-0.html

That was written as an updated version of the guide originally posted by Sabrex at

https://forums.gentoo.org/viewtopic-t-171499-start-0.html

Contributions posted by readers of both of those threads are included.

This guide uses some masked packages and some unofficial bugfixes. If you don't feel like being experimental you'll probably be better off using Mobiusproject's updated guide at

https://forums.gentoo.org/viewtopic-t-527246.html

There have been some ppl reporting bugs. Bugs are corrected in the guide as soon as someone finds a solution. My server has now been running in production for 6 weeks without any significant problems.

Some advantages when using this guide over the old ones:

- Mails sent using smtp-auth are not scanned by spamassassin (faster sending)

- Webmail users get access to a list of what the mailscanner has done with their mails

- Mail to accounts not on this server is rejected BEFORE it's passed through the mailfilter

I've also got inspiration from other guides located at

http://gentoo-wiki.com/QmailRocksOnGentoo

and

http://gentoo-wiki.com/Qmail_Anti-Spam_Configuration

Please check the bug summary at the bottom of the guide. (will be created when bugs are discovered)

Changelog

2007.02.17: posted link and edited installation notes for qms-loganalyzer

2007.02.18: posted link and edited installation notes for chkuser_pg smtp plugin

2007.02.21: step 4: fixed line to append to /etc/sudoers (using visudo)

2007.02.21: added this changelog

2007.02.27: new version of chkuser_pg

2007.02.27: removed status "pre-tested"

2007.03.08: added note regarding outbound mail from server when connection is filtered by ISP

2007.03.31: new version of chkuser_pg - fix the dot-issue

2007.04.04: added trick Stripe regarding doublebounce

2007.07.09: swapped two lines for razor-admin to avoid a warning

Packagelisting

Packages and USE flags used in this guide:

```

emerge -pv netqmail vpopmail courier-imap pyzor razor dcc spamassassin clamav

net-mail/queue-repair-0.9.0  13 kB

net-mail/dot-forward-0.71-r2  0 kB

sys-process/daemontools-0.76-r5  USE="-doc (-selinux) -static" 0 kB

net-mail/cmd5checkpw-0.30  0 kB

net-mail/checkpassword-0.90-r2  USE="-static" 0 kB

mail-mta/netqmail-1.05-r4  USE="highvolume qmail-spp ssl -gencertdaily -mailwrapper -noauthcram -vanilla" 408 kB

virtual/qmail-1.03  0 kB

net-mail/vpopmail-5.4.16  USE="mysql -clearpasswd -ipalias" 442 kB

net-libs/courier-authlib-0.58  USE="berkdb crypt gdbm ldap mysql pam -debug -postgres" 1,959 kB

dev-libs/glib-2.12.4-r1  USE="hardened -debug -doc" 2,801 kB

app-admin/gamin-0.1.7  USE="-debug -doc" 529 kB

net-mail/courier-imap-4.0.4  USE="berkdb fam gdbm nls -debug -ipv6 (-selinux)" 3,082 kB

dev-python/pyzor-0.4.0-r2  40 kB

virtual/perl-net-ping-2.31  0 kB

dev-perl/Digest-Nilsimsa-0.06-r1  77 kB

virtual/perl-Digest-MD5-2.36  0 kB

virtual/perl-MIME-Base64-3.07  0 kB

perl-core/digest-base-1.13  7 kB

virtual/perl-digest-base-1.13  0 kB

dev-perl/Digest-SHA1-2.11  37 kB

dev-perl/Digest-HMAC-1.01-r1  13 kB

dev-perl/Net-IP-1.24  25 kB

dev-perl/Net-DNS-0.53-r1  USE="-ipv6" 116 kB

virtual/perl-Time-HiRes-1.86  0 kB

dev-perl/URI-1.35  93 kB

mail-filter/razor-2.82  77 kB

mail-filter/dcc-1.3.24  USE="-ipv6 -rrdtool" 1,360 kB

dev-perl/Compress-Raw-Zlib-2.001  201 kB

virtual/perl-Scalar-List-Utils-1.18  0 kB

dev-perl/IO-Compress-Base-2.001  87 kB

dev-perl/IO-Compress-Zlib-2.001  128 kB

dev-perl/Compress-Zlib-2.001  60 kB

dev-perl/IO-Zlib-1.04  9 kB

dev-libs/libassuan-0.6.10  251 kB

dev-libs/pth-1.4.0  434 kB

dev-libs/libksba-0.9.14  480 kB

app-crypt/gnupg-1.4.6  USE="bzip2 curl ldap nls readline zlib -X -bindist -ecc -idea (-selinux) -smartcard -static -usb" LINGUAS="-ru" 3,075 kB

app-crypt/gnupg-1.9.20-r3  USE="caps ldap nls -X -gpg2-experimental (-selinux) -smartcard" 1,767 kB

virtual/perl-Test-Harness-2.56  0 kB

dev-perl/IO-String-1.08  7 kB

dev-perl/Archive-Tar-1.28  35 kB

virtual/perl-PodParser-1.34  0 kB

dev-perl/HTML-Tagset-3.10  7 kB

dev-perl/HTML-Parser-3.48  USE="unicode" 80 kB

virtual/perl-libnet-1.19  0 kB

dev-perl/HTML-Tree-3.19.01  116 kB

dev-perl/Crypt-SSLeay-0.51-r1  114 kB

dev-perl/libwww-perl-5.803-r1  USE="ssl" 229 kB

dev-perl/Net-SSLeay-1.25  75 kB

dev-perl/IO-Socket-SSL-0.97  31 kB

dev-perl/Convert-ASN1-0.19  60 kB

dev-perl/Authen-SASL-2.09  25 kB

dev-perl/XML-Parser-2.34  224 kB

dev-perl/perl-ldap-0.33  USE="sasl ssl xml" 222 kB

virtual/perl-DB_File-1.814  0 kB

mail-filter/spamassassin-3.1.3  USE="berkdb ldap mysql qmail ssl -doc -ipv6 -postgres -sqlite -tools" 952 kB

app-antivirus/clamav-0.88.7  USE="crypt -mailwrapper -milter (-selinux)" 9,287 kB

emerge qmail-scanner

net-mail/ripmime-1.4.0.6  159 kB

net-mail/tnef-1.3.4  1,603 kB

mail-filter/qmail-scanner-2.01  USE="spamassassin" 318 kB

emerge ezmlm-idx-mysql-0.40-r2

net-mail/ezmlm-idx-mysql-0.40-r2

emerge qmailadmin squirrelmail

net-mail/autorespond-2.0.4

dev-php/PEAR-PEAR-1.4.11

dev-php/PEAR-DB-1.7.6-r1

app-admin/webapp-config-1.50.15

net-mail/qmailadmin-1.2.10  USE="-maildrop"

mail-client/squirrelmail-1.4.9a  USE="crypt ldap mysql nls spell ssl vhosts -filter -postgres"

```

Assumes these packages (or similar) are installed, configured and running:

```

apache-2.0.55-r1

php-5.1.2

mysql-5.0.19

```

Before you start it might be a good idea to run

```
emerge --sync
```

Firewall configuration

Ports used:

DCC	6277	UDP

Pyzor	24441 TCP/UDP

Razor	2703	TCP

SMTP	25	TCP

POP3	110	TCP

POP3S	995	TCP

IMAP	143	TCP

IMAPS	993	TCP

HTTP	80	TCP

HTTPS	443	TCP

1) Ensure that the proper USE flags are set

```

> nano -w /etc/make.conf

```

Compare your USE flags to those shown in the emerge -pv listings above.

+ipalias is useful if you're setting up the server without having a domain for it. Say you have another server running on the domain you're going to use, but don't want to set this server into production before it's well tested. If you have a (sub)domain for testing purposes you don't need to enable this. I have domain and testdomains, so I don't use this.

-ipv6 disables use of IPv6. It's been making problems for quite a few ppl. If you're not using IPv6, why have it enabled? As of 2005.1 ipv6 has been enabled by default in Gentoo. Disable to save yourself some problems.

+ssl if you want SSL support

+fam According to the Courier-imap documentation Famd will use less resources than the similar function built into Courier.

qmail-spp required to make the chkuser qmail patch run

2) Installing qmail

```

> emerge -pv netqmail

```

You might see something blocking the installation of netqmail. Unemerge them:

```

> emerge -C (append name of blocking package(s) here!)

```

Patch qmail for only_auth_after_tls

I could have made a diff file for this, but I will assume there will be a new ebuild out, and I don't feel like keeping the diff updated at all times.

Make sure you have PORTDIR_OVERLAY=/usr/local/portage in your /etc/make.conf

```

> mkdir -p /usr/local/portage/mail-mta/netqmail

> cp -a /usr/portage/mail-mta/netqmail/* /usr/local/portage/mail-mta/netqmail/

> cd /usr/local/portage/mail-mta/netqmail

> nano -w netqmail-1.05-r4.ebuild

Append " notlsbeforeauth" to the line starting with "IUSE="

Find the line

   if [[ -n "${QMAIL_PATCH_DIR}" && -d "${QMAIL_PATCH_DIR}" ]]

insert these lines before that line:

   if use ssl; then

      epatch ${FILESDIR}/qmail-smtpd-tlsbeforeauth.patch

   fi

Find the line

   use ssl && append-flags -DTLS

insert these lines after that line:

   if use ssl; then

      if ! use notlsbeforeauth; then

         einfo "Enabling STARTTLS before SMTP AUTH"

         append-flags -DTLS_BEFORE_AUTH

      else

         einfo "Disabling STARTTLS before SMTP AUTH"

      fi

   fi

> cd files

> wget http://bugs.gentoo.org/attachment.cgi?id=89342

> mv attachment.cgi\?id\=89342 qmail-smtpd-tlsbeforeauth.patch

> ebuild /usr/local/portage/mail-mta/netqmail/netqmail-1.05-r4.ebuild digest

> emerge -pv netqmail

```

This should return

mail-mta/netqmail-1.05-r4  USE="highvolume qmail-spp ssl -gencertdaily -mailwrapper -noauthcram -notlsbeforeauth% -vanilla" 0 kB [1]

Make sure you get the -notlsbeforeauth% flag and the [1] at the end. If you don't get this, emerge is not using the ebuild from the overlay directory.

```

> emerge netqmail

```

3) Install most stuff in one go

```

> emerge vpopmail courier-imap pyzor razor dcc spamassassin clamav

```

4) Install the chkuser patch

emerge app-admin/sudo if you don't have it installed

Setup sudo:

```

> visudo

Append this line:

qmaild          ALL=(vpopmail)  NOPASSWD: /var/qmail/plugins/chkuser_pg/vpopchk.sh

```

Download and unpack the plugin https://sourceforge.net/projects/vpop-chkuser-pg

Unpack to /var/qmail/plugins/

```

> nano -w /var/qmail/control/smtpplugins

add this line after the [rcpt]:

plugins/chkuser_pg/rcptchk-pg.sh

```

5) Configure qmail

```

> nano -w /var/qmail/control/servercert.cnf

Modify to whatever suits your needs and save/exit

> emerge --config netqmail

Press [enter] to continue whenever it asks you to modify /var/qmail/control/servercert.cnf. You've done that.

```

Setup/start smtp service

```

> ln -s /var/qmail/supervise/qmail-send /service/qmail-send 

> ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd

> rc-update add svscan default 

> /etc/init.d/svscan start

```

Make mails to root, postmaster, mailer-daemon@localhost go somewhere

```

echo some_mail@some_domain > /var/qmail/alias/.qmail-root

echo some_mail@some_domain > /var/qmail/alias/.qmail-postmaster

echo some_mail@some_domain > /var/qmail/alias/.qmail-mailer-daemon

ln -s /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-anonymous

chmod 644 /var/qmail/alias/.qmail*

```

6) Setup vpopmail

Create the vpopmail database.

```

Login to the mysql server (as a user with permissions to create databases and add users)

mysql> create database vpopmail; 

mysql> grant select, insert, update, delete, create, drop on vpopmail.* to vpopmail@localhost identified by 'your vpopmail password'; 

mysql> flush privileges;

mysql> quit

```

Choose a vpopmail password that is not used anywhere else. The password has to be saved in cleartext! You'll never need to remember it after you're done with the installation.

If your mysql server is not running on localhost, change the vpopmail@hostname accordingly.

Edit vpopmail.conf.

```

> nano -w /etc/vpopmail.conf

Modify these lines - insert your vpopmail password:

# Read-only DB

localhost|0|vpopmail|your vpopmail password|vpopmail

# Write DB

localhost|0|vpopmail|your vpopmail password|vpopmail

```

save/exit

Make sure the vpopmail.conf is readable for the vpopmail user. Default is ownership = root:vpopmail with 640 permissions

7) Configure imap and pop3 server

Make courier use vpop for authentication

```

> nano -w /etc/courier/authlib/authdaemonrc

edit the line authmodulelist=.. to read:

authmodulelist="authvchkpw"

```

save/exit

Thunderbird defaults to having 5 imap connections for caching purposes, but courier-imap only allows 4 connections per ip. This can cause some errors in thunderbird (possible data loss). It's easier to just allow 5 connections per ip rather than have everyone change thunderbird, so:

Modify /etc/courier-imap/imapd:

```

> nano /etc/courier-imap/imapd 

edit:

MAXPERIP=5

```

Create certificates

```

> nano -w /etc/courier-imap/imapd.cnf

Edit according to your server/location/domain

```

save/exit

```

> nano -w /etc/courier-imap/pop3d.cnf

Edit according to your server/location/domain

```

save/exit

Generate certificates: 

```

(only if you're going to run imap-ssl server)

> mkimapdcert

(only if you're going to run pop3-ssl server)

> mkpop3dcert

```

Start the servers (all or just some of them)

```

for x in courier-imapd courier-pop3d courier-imapd-ssl courier-pop3d-ssl; do /etc/init.d/$x start && rc-update add $x default ; done

```

I'm running all 4 servers. Users may decide if they want imap or pop3. A firewall makes sure that the non-ssl servers are unavailable for users located outside the local network.

8) update the smtpd config to allow smtp-auth using vpopmail

```

> nano -w /var/qmail/control/conf-smtpd

Make the file look like this:

QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"

 

[[ -n "${QMAIL_SMTP_CHECKPASSWORD}" ]] && {

        [[ -z "${QMAIL_SMTP_POST}" ]] && QMAIL_SMTP_POST=/bin/true

        QMAIL_SMTP_POST="${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"

}

```

save/exit

Prepare for qmailfilter

```

> nano -w /var/qmail/control/conf-common

Modify the SOFTLIMIT to:

SOFTLIMIT_OPTS="-m 32000000"

```

save/exit

The following step makes sending mail a lot faster under some circumstances, and I highly recommend that you do the following if you notice delays of 30 to 45 seconds sending mail: 

```

> nano -w /var/qmail/control/conf-common 

TCPSERVER_OPTS="-H -l 0" (that's lower-case L followed by zero)

```

save/exit

Route all outgoing smtp connections through your ISP's smtp server. (Some spamfilters require this to accept the mails passed through the smtp-server.)

```

echo ":smtp.ISP.NET" > /var/qmail/control/smtproutes

```

Reload smtp config

```

> svc -t /var/qmail/supervise/qmail-smtpd

```

9) Configure spam filter and database clients

Configure Razor

(Replace the email and password with whatever suits you)

```

> razor-admin --home=/etc/mail/spamassassin/.razor -discover

> razor-admin --home=/etc/mail/spamassassin/.razor -create

> razor-admin --home=/etc/mail/spamassassin/.razor --user=postmaster@domain.com -pass=ThePassword -register

> echo razorhome = /etc/mail/spamassassin/.razor >> /etc/mail/spamassassin/.razor/razor-agent.conf

```

Configure Pyzor

```

> pyzor --homedir /etc/mail/spamassassin/.pyzor discover

```

SpamAssassin

```

> nano -w /etc/conf.d/spamd

Modify:

SPAMD_OPTS="-x -H /etc/mail/spamassassin/"

```

save/exit

```

> mkdir /var/run/spamd/

> chown vpopmail:vpopmail /var/run/spamd/

```

Enable plugins for spamassassin:

Uncomment the line:

```

> nano /etc/mail/spamassassin/v310.pre 

loadplugin Mail::SpamAssassin::Plugin::DCC

```

Verify the Pyzor and Razor2 plugins are not commented out

save and exit

Uncomment the lines:

```

> nano /etc/mail/spamassassin/init.pre 

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

loadplugin Mail::SpamAssassin::Plugin::SPF

```

save and exit

```

> nano -w /etc/spamassassin/local.cf

required_score 4

rewrite_header Subject *****SPAM*****

#report_safe 1

# The sender IP addresses considered safe

trusted_networks 192.168.

dns_available yes

use_bayes 1

bayes_path /etc/mail/spamassassin/bayes

bayes_file_mode 0770

bayes_auto_learn 1

bayes_learn_during_report 1

bayes_use_hapaxes 1

bayes_auto_learn_threshold_nonspam 0.2

bayes_auto_learn_threshold_spam 10.00

bayes_ignore_header X-Bogosity

bayes_ignore_header X-Spam-Flag

bayes_ignore_header X-Spam-Status

#   Set file-locking method (flock is not safe over NFS, but is faster)

lock_method flock

```

Remember to modify the "trusted_networks" line to fit the IP's you trust.

Also, if you're sharing spamassassin files over NFS, disable "lock_method flock"

save/exit

Start spamd

```

> /etc/init.d/spamd start

> rc-update add spamd default

```

Build Spamassassin database

```

> sa-learn --sync

```

10) Configure Clamav

```

> nano -w /etc/freshclam.conf

add: UpdateLogFile /var/log/clamav/freshclam.log

update DatabaseMirror to a mirror close to your server

```

save/exit

```

> nano -w /etc/clamd.conf

add: LogFile /var/log/clamav/clamd.log

```

save/exit

Start clamav

```

> /etc/init.d/clamd start

> rc-update add clamd default

```

11) install qmail-scanner

Make sure spamassassin and clamav are running while emerging qmail-scanner.

```

> echo "=mail-filter/qmail-scanner-2.01 ~x86" >> /etc/portage/package.keywords

> emerge qmail-scanner

```

Scroll back about 100-150 lines... look for two things:

1) The lines printed in bold below:

 *Quote:*   

> 
> 
> Searching .....................................
> 
> ==============================================================
> ...

 

If those lines are not there you've missed something in the installation of clamav, spamassassin or ripmime. Look for any handy debug messages and go back to redo whatever needed.

2) "access denied", "permission denied" or "no such file"

There might be a reason why qmail-scanner-2.01.ebuild is ~masked.

I ran into access denied errors or missing file errors at a few places. You might do so as well. So: (if you don't get access denied errors or missing file errors, don't do this step!)

```

> mkdir -p /var/spool/qscan/quarantine/viruses/tmp /var/spool/qscan/quarantine/viruses/cur /var/spool/qscan/quarantine/viruses/new

> mkdir -p /var/spool/qscan/quarantine/spam/tmp /var/spool/qscan/quarantine/spam/cur /var/spool/qscan/quarantine/spam/new

> mkdir -p /var/spool/qscan/quarantine/policy/tmp /var/spool/qscan/quarantine/policy/cur /var/spool/qscan/quarantine/policy/new

> mkdir -p /var/spool/qscan/working/tmp /var/spool/qscan/working/cur /var/spool/qscan/working/new

> mkdir -p /var/spool/qscan/archive/tmp /var/spool/qscan/archive/cur /var/spool/qscan/archive/new

> chown -R qscand:qscand /var/spool/qscan/

FEATURES="keepwork keeptemp" emerge qmail-scanner

cp /var/tmp/portage/mail-filter/qmail-scanner-2.01/work/qmail-scanner-2.01/quarantine-events.txt /var/spool/qscan/

chown -R qscand:qscand /var/spool/qscan/

setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g

setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z

```

Reconfigure SpamAssassin

```

> /etc/init.d/spamd stop

> nano -w /etc/conf.d/spamd

Modify:

SPAMD_OPTS="-m 5 -u qscand -x -H /etc/mail/spamassassin/"

PIDFILE="/var/run/spamd/spamd.pid"

```

save/exit

```

> mkdir -p /var/run/spamd

> chown qscand:qscand /var/run/spamd

> chown -R qscand:qscand /etc/mail/spamassassin

```

Start spamd

```

> /etc/init.d/spamd start

```

Reconfigure Clamd

```

> nano -w /etc/clamd.conf

Modify:

User qscand

```

save/exit

```

> nano -w /etc/freshclam.conf

Modify:

DatabaseOwner qscand

```

save/exit

```

> chown -R qscand:qscand /var/lib/clamav

> chown -R qscand:qscand /var/run/clamav

> chown -R qscand:qscand /var/log/clamav

> /etc/init.d/clamd start

```

Activate qmail-scanner 

```

> nano -w /etc/tcprules.d/tcp.qmail-smtp

Make sure there are lines like this:

#IPs allowed to relay - don't scan with qmail-scanner

## localhost

127.0.0.:allow,RELAYCLIENT="",RBLSMTPD=""

## Local network

192.168.2.:allow,RELAYCLIENT="",RBLSMTPD=""

## server public IP

123.123.123.123:allow,RELAYCLIENT="",RBLSMTPD=""

# Don't relay from other IPs. Scan with qmail-scanner

:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"

# Note: As of qmail-scanner 1.20 we use a wrapper - not qmail-scanner-queue.pl

```

save/exit

update the cdb

```

> cd /etc/tcprules.d/

> tcprules tcp.qmail-smtp.cdb tcp.qmail-smtp.tmp < tcp.qmail-smtp

> svc -t /var/qmail/supervise/qmail-smtpd

```

12) Create domain(s)

The first domain to add should be the primary domain of the server.

```

> /var/vpopmail/bin/vadddomain domain.net postmasterpassword

```

Repeat for all virtual domains.

Give the correct HELO. (See note regarding domain registration.)

```

echo host.domain.net > /var/qmail/control/me

```

Set defaultdomain

```

echo defaultdomain.net > /var/qmail/control/defaultdomain

```

If you want your users username@defaultdomain.net to be able to log in using just username as the username (not username@domain.net) do this:

```

echo "defaultdomain.net" > ~vpopmail/etc/defaultdomain

```

If you have a (sub)domain for testing add it as an aliasdomain.

```

> /var/vpopmail/bin/vaddaliasdomain domain.net test.domain.net

```

13) Install ezmlm-idx-mysql

First try to install it the regular way:

```

> emerge ezmlm-idx-mysql

```

If it fails

... with an error like this: https://bugs.gentoo.org/show_bug.cgi?id=152636

Get the patched ebuild for ezmlm-idx-mysql-0.40-r2

(if you don't have layman installed run "emerge layman" now)

```

> layman -f -o http://jaba.mbnet.fi/portage/layman-jmf.xml -a jaba

> echo "source /usr/portage/local/layman/make.conf" >> /etc/make.conf

> env-update && source /etc/profile

> emerge ezmlm-idx-mysql

```

14) Install qmailadmin and squirrelmail

```

> emerge qmailadmin squirrelmail

```

Set up apache for separate alias configs (same kind as used by default for vhosts)

```

> echo "Include /etc/apache2/alias/*.conf" >>  /configs/etc/apache2/httpd.conf

> mkdir /etc/apache2/alias

```

set up qmailadmin for apache vhosts:

```

> echo "Alias /qmailadmin/ /var/www/localhost/htdocs/qmailadmin/" > /etc/apache2/alias/01_alias_qmailadmin.conf

```

set up squirrelmail for apache vhosts:

```

> echo "Alias /mail/ /usr/share/webapps/squirrelmail/1.4.9a/htdocs/" > /etc/apache2/alias/02_alias_squirrelmail.conf

```

(I think this is better than using webapp-config as it gets installed for all vhosts. Also it works when the /usr/share and /var/www are not in the same partition. And finally there is only need for one configuration.)

Get useful squirrelmail plugins:

```

> cd /usr/share/webapps/squirrelmail/1.4.9a/htdocs/plugins

> wget http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Faddress_add-2.1-1.4.0.tar.gz

> wget http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fabook_import_export-1.0-1.4.4.tar.gz

> wget http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fbookmarks-2.0.3-1.4.1.tar.gz

> tar -xvzf abook_import_export-1.0-1.4.4.tar.gz

> tar -xvzf address_add-2.1-1.4.0.tar.gz

> tar -xvzf bookmarks-2.0.3-1.4.1.tar.gz

> rm *.gz

```

Additional qmailscanner log analyser plugin for squirrelmail.

This plugin provides a link in squirrelmail where the users may see what has happened to their mails. They'll see a table of mails passing through the qmailscanner and a status {delivered | error | spam [spamlevel | deleted | quarantined] | virus detected | ...}.

At my previous server the users claimed that some mails sent to them never got to their mailbox because of a too strict spamfilter. With this plugin they can check if the mail ever reached the smtp server. The log the user will see is filtered to include only mails to/from his account (including alias addresses).

Consider this plugin experimental. It's been running with qmail-scanner-1.16 and 1.25 on a production server without causing any trouble for about 2 years. Still there have been bugs that I've corrected while writing this guide. Turns out that QMS 2.01 is logging slightly different from what QMS 1.25 did, so I'm not sure if this still works with QMS 1.25 after all the changes.

log in as root to your mysql server

```

mysql> create database qmslog;

mysql> grant select, insert, update, delete, create on qmslog.* to qms_loganal@localhost identified by "your_read/write_password";

mysql> grant select on qmslog.* to qms_logview@localhost identified by "your_read_only_password";

mysql> flush privileges;

```

If you don't have lsof installed:

```

> emerge lsof

```

Download the plugin... https://sourceforge.net/projects/qms-loganalyzer/

Read the README (included in the .tar.bz2) file for installation. Should be quite straightforward for a Gentoo user.

Configure squirrelmail

```

> cd /usr/share/webapps/squirrelmail/1.4.9a/htdocs/plugins

> nano -w secure_login/config.php

set $remain_in_https_if_logged_in_using_https = 1

> cd /usr/share/webapps/squirrelmail/1.4.9a/htdocs/config

> perl conf.pl

```

Press D to load the Courier-imap template.

Walk through the config menu to set up to your needs.

Make sure to load the compatibility and secure_login plugins.

I'm enabling the following plugins:

 *Quote:*   

> 
> 
>     1. secure_login
> 
>     2. bookmarks
> ...

 

As users' inboxes grow, the webmail will become slow. To fix this make sure to enable "Allow server thread sort" and "Allow server-side sort" under General Options. (Wonder why these are off by default. Any security risk?)

Might be convenient to set General Options -> Data Dir = some dir that you include with your daily backup

Add a domain append button to the loginpage. This button appends the hostname of the apache virtual host that is used in the request for the page.

```

> nano -w /usr/share/webapps/squirrelmail/1.4.9a/htdocs/src/login.php

Replace the "," with a "." at the end of this line (ca line 163):

addInput($username_form_name, $loginname_value).

Insert the following line after the line mentioned above:

addInputField("button", "pgbt", "@$pg_virtualdomain", " onclick=\"$username_form_name.value+='@".$pg_virtualdomain."';\""),

Find the line

$custom_css = 'none';

Insert the following two lines after that line:

$pg_virtualdomain = substr($_SERVER['SERVER_NAME'], strrpos(substr($_SERVER['SERVER_NAME'],0,strrpos($_SERVER['SERVER_NAME'], ".")), "."));

if($pg_virtualdomain{0} == ".") { $pg_virtualdomain = substr($pg_virtualdomain,1); }

```

15) Check Qmail controlfiles

Make sure the files in /var/qmail/control got updated. If they are not updated something is wrong. Probably it's related to mysql permissions.

```

These files should contain your primary domain:

defaultdomain, locals, me

This should contain all domains and aliasdomains on separate lines:

rcpthosts

This should contain all domains and aliasdomains on the form of domain.net:domain.net :

virtualdomains

```

16) Installing wapmail interface

will come

17) Client setup

For SMTP client setup: All clients outside your local network need to enable TLS (encryption) and SMTP-auth. For username use the full email address. There is a bug with Outlook (and express) XP using TLS. No workaround is known. Use another clientprogram! (I love Opera - now it's even free!)

Notes

Note: Some anti-virus / firewall software block outbound connections to port 25 if they are unable to analyze the datastream. Hence encrypted SMTP may require you to disable this functionality in those programs or put the server on another port.

Note: Some ISPs block connections to port 25 on any server but their own smtp. To get around this put your smtp server on another port.

One way to put the server on another port may be this:

```
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25000 -j DNAT --to-destination 123.123.123.123:25
```

where 25000 is the port you want the server on. 123.123.123.123 is the servers IP.

Note: If you can't send mail from your server to anywhere else than local network you might have a problem with your ISP. Some ISPs block outbound smtp connections to anywhere but their own smtp server. This means you'll need to relay mail through their server.

```
echo ":smtp.ISP.NET" > /var/qmail/control/smtproutes 
```

POP3/IMAP client setup: If you do like me - block port 110 and 143 from outside your localnet with a firewall then clients on the outside need to enable SSL and use port 993 for IMAP-SSL and port 995 for POP3-SSL. Clients on the local network may use ports 110/143 without SSL enabled. Use the full email-address as username.

Unverified tricks from readers

Here I'll put a collection of good ideas, hints and tricks posted by readers. I have not tried these myself.

 *stripe wrote:*   

> 
> 
>  *Mindstab wrote:*   I've also now found that something like
> 
> ```
> ...

 

To solve problems with bayes not learning:

 *krull wrote:*   

> I donno if this helps, I just added a universal path for bayes in spamassassin's local.cf so far it seems to work:
> 
> ```
> nano -w /etc/spamassassin/local.cf
> 
> ...

 

 *Mindstab wrote:*   

> Um, a possible update for the doc.  They worked well, but I found I had to 
> 
> ```
> 
> valias haplo@mindstab.net root@mindstab.net
> ...


========================================

I'm aware tcprules.d are deprecated. However I don't see any reason why relay-ctrl would be any better. I have no bad experience with any of them, but relay-ctrl requires more installation and more configuration; I think there is more stuff that can go wrong with it. The only extra functionality I find in relay-ctrl is IMAP before SMTP authentication. As all mail clients my users use support SMTP-auth I don't see any reason for relay-ctrl, and stick to the well-known tcprules. (More config = more settings to keep track of with every future update)

========================================

I'm not exactly sure about the TCPSERVER_OPTS in conf-common. What I know is that the -R is set by default in conf-smtpd, and I've left it alone there. The -x, -c, -u and -g will be set by the rest of the conf-common file.

The original guide by Sabrex used -H, -R (again) and -l 0. The -p and -v are default.

From what I understand from http://www.rootr.net/man/man/tcpserver/1 the -H and -R will shorten initial delays when sending mail. How much they shorten depends on your DNS connection. If you run a local DNS server you'll probably not notice much difference.

========================================

A common mistake when setting up domains is to point the MX-record to the IP address of the server. This works, but some spamfilters will think all mail from such domain is spam. The way to setup DNS is the following:

Register an A-record pointing to the IP-address of the server. This should be the same host.domainname.tld as you used when installing the OS. (A:server1.mydomain.net -> IP:123.123.123.123)

Then you need a C-name pointing to the A-record that your users may use when referring to the server. (Say C:mail.mydomain.net -> A:server1.mydomain.net).

Then you create an MX record that may point to either the A-record (MX:mydomain.net -> A:server1.mydomain.net) or the C-name (MX:mydomain.net -> C:mail.mydomain.net).

When you set up another domain you somehow need to point the MX to the A-record of the first domain. Either direct or indirect:

MX:otherdomain.net -> A:server1.mydomain.net

MX:otherdomain.net -> C:mail.mydomain.net -> A:server1.mydomain.net

MX:otherdomain.net -> C:mail.otherdomain.net -> C:mail.mydomain.net -> A:server1.mydomain.net

Point is: The A-record the MX finally resolves to should equal the HELO response from your SMTP server (/var/qmail/control/me), which again should equal the hostname.domainname of the server (/etc/hostname or /etc/conf.d/hostname and /etc/dnsdomainname or /etc/conf.d/domainname).

Last edited by petterg on Mon Jul 09, 2007 3:19 pm; edited 15 times in total
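The tcp.qmail-smtp rules from step 11 decide which clients may relay and whose mail skips qmail-scanner, so a slip there gives an open relay or unscanned inbound mail. The shell function below is an added example, not part of petterg's guide or of the qmail/ucspi-tcp tooling; the function names, finding labels and sample rules are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit a tcprules source file, i.e. the
# text that step 11 compiles with `tcprules`, for rules that open the relay
# or let inbound mail skip qmail-scanner.
# tcpserver applies the most specific matching address, so the order of the
# rules does not matter and every rule can be judged on its own.

# audit_tcprules [FILE]   reads FILE, or stdin when no file is given.
# Prints one finding per line and returns 1 if any finding is blocking.
audit_tcprules() {
    awk '
    # RFC 1918 and loopback prefixes, as used for the LAN rules in the guide
    function is_private(a) {
        return (a ~ /^127\./ || a ~ /^10\./ || a ~ /^192\.168\./ ||
                a ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        addr = $0; sub(/:.*/, "", addr)      # address part; empty = catch-all
        inst = substr($0, length(addr) + 2)  # "allow,VAR=..." or "deny"
        if (addr == "") seen_default = 1
        if (inst !~ /^allow/) next           # a deny rule cannot relay
        relay = (inst ~ /,RELAYCLIENT=/)
        scan  = (inst ~ /,QMAILQUEUE=/)
        if (addr == "") {
            if (relay) { print "OPEN_RELAY catch-all rule sets RELAYCLIENT"; bad = 1 }
            if (!scan) { print "UNSCANNED_DEFAULT catch-all rule lacks QMAILQUEUE"; bad = 1 }
        } else if (relay) {
            if (is_private(addr))     print "RELAY_PRIVATE " addr
            else if (addr ~ /\.$/)  { print "RELAY_PUBLIC_RANGE " addr; bad = 1 }
            else                      print "RELAY_PUBLIC_HOST " addr
        }
    }
    END {
        # With no catch-all rule tcpserver accepts unmatched clients without
        # setting QMAILQUEUE, so their mail is never scanned.
        if (!seen_default) { print "NO_DEFAULT no catch-all rule"; bad = 1 }
        exit bad + 0
    }' "$@"
}

# Constructed sample 1: the rule layout shown in step 11 of the guide.
sample_guide() {
    cat <<'EOF'
#IPs allowed to relay - don't scan with qmail-scanner
127.0.0.:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.2.:allow,RELAYCLIENT="",RBLSMTPD=""
123.123.123.123:allow,RELAYCLIENT="",RBLSMTPD=""
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
EOF
}

# Constructed sample 2: a public /8 allowed to relay and a catch-all rule
# that relays for everyone and never calls the scanner.
sample_broken() {
    cat <<'EOF'
127.0.0.:allow,RELAYCLIENT=""
123.:allow,RELAYCLIENT=""
:allow,RELAYCLIENT=""
EOF
}

echo "== guide layout =="
sample_guide | audit_tcprules && echo "no blocking findings"
echo "== broken layout =="
sample_broken | audit_tcprules || echo "blocking findings above"
```

Run it against the live file with `audit_tcprules /etc/tcprules.d/tcp.qmail-smtp` before rebuilding the cdb.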

----------

## Gentoo-Ed

I hope I won't mess the doc this way, but I do have a few questions regarding this. I want to setup my own mail server for two reasons namely to filter the mail myself among users and for spam instead of having numerous pop accounts with my ISP (so use a catch-all), and second I want users to be able to SEND and RECEIVE from two domains (logging in separately with webclient, or adding them to the client and saying from which account sent. (like possible with outlook))

My questions:

1. Where do you make your users? I saw an alias table which says where root mail goes, I assume you can add all email address you like in that file to point to a user (so if a user has five aliases I'll add five rules)?

2. Where is the mail stored (what location) and can you move it, import for the backup possibilities.

I think what I want is possible with this so I'll probably give it a go when I read more of the links.

----------

## petterg

 *Gentoo-Ed wrote:*   

> I hope I won't mess the doc this way, but I do have a few questions regarding this. I want to setup my own mail server for two reasons namely to filter the mail myself among users and for spam instead of having numerous pop accounts with my ISP (so use a catch-all), and second I want users to be able to SEND and RECEIVE from two domains (logging in separately with webclient, or adding them to the client and saying from which account sent. (like possible with outlook))
> 
> My questions:
> 
> 1. Where do you make your users? I saw a alias table which says where root mail goes, I assume you can add all email address you like in that file to point to a user (so if a user has five aliasses I'll add five rules?
> ...

 

If I got you right, you want to have a mailserver that will collect mails from a bunch of pop accounts. There are two ways to do this.

A) Make the servers with your pop accounts automatically forward mails to an address on your server (not all ISPs allow this)

B) Have your server log on to your pop accounts and catch all messages every X minutes (cron script) or when you log in to your own server. This guide makes use of maildir for storage. I know there are scripts around that are able to log on to pop servers and store the mails locally in maildirs. Disadvantage of this is that the mails will not pass through the smtp server and get filtered. The filters will not work on mails passed to the smtp server from localhost. You'll have to pass them through the filters in some other way.

You may want to look into the contrib/test_installation script that comes with qmail-scanner to see how to do that.

Incoming mails are stored in /var/vpopmail/domains/somedomain.tld/.maildir/new

Squirrelmail may use multiple identities (mail addresses) when sending out mail. You may set this up by logging into squirrelmail -> [Settings] -> [Personal info] -> [Add Identity]

When done so you'll have a dropdown to select FROM when composing mail.

----------

## jrenraw

Great guide!  Do you have the link or updates for section 4?  I don't have a vpopchk.sh script or a chkuser_pg package.

----------

## Gentoo-Ed

hi I found the chkuser in the forums here, only sorry to say you'll have to search for I don't recall the thread anymore.

----------

## radulucian

i am performing the install right now. here's one correction.

in step 11, point 2 it should read:

```

cp /var/tmp/portage/mail-filter/qmail-scanner-2.01/work/qmail-scanner-2.01/quarantine-events.txt /var/spool/qscan/

```

at least for my installation.

if i find more stuff to correct i'll post it here.

it would be nice if the chkuser stuff would be also finalised!!!

----------

## petterg

Latest news:

Added link to chkuser plugin

Added link to qms-loganalyzer

Corrected cp-command pointed out by Radulucian

----------

## petterg

 *Gentoo-Ed wrote:*   

> hi I found the chkuser in the forums here, only sorry to say you'll have to search for I don't recall the thread anymore.

 

That's a different one. Although a source of inspiration. The one used in this I've written myself and it was first published last night.

----------

## radulucian

one BIG issue.

after doing it all right (ten times over) i still get:

```

server ~ # vadddomain test.ro testpass

vmysql: couldn't create database 'vpopmail ': Can't create database 'vpopmail'; database exists

Error - Success. Initial open.

```

i downgraded mysql to 4.1 i tried everything possible. settings in vpopmail.conf are ok, mysql is running ok, tables are created, still ... no go.

EDIT: SOLVED: the problem was related to an additional invisible character present in /etc/vpopmail.conf

if you encounter this issue simply delete all lines in the vpopmail mysql config file and write them carefully again.

Last edited by radulucian on Sat Feb 24, 2007 10:13 am; edited 1 time in total

----------

## petterg

 *radulucian wrote:*   

> one BIG issue.
> 
> after doing it all right (ten times over) i still get:
> 
> ```
> ...

 

I remember I had something similar a long time ago. Probably in 2004 or so.

The cause of this is that the domain you're trying to create either exists in the database or in the filesystem (/var/vpopmail/domains/test.ro)

What I think I did was to delete the domain (using vdeldomain) even if it doesn't exist. Then delete it from the filesystem and finally create it again.

If you have not yet created any useful domains and accounts you might even get around with

```
# rm -rf /var/vpopmail/domains/*
mysql> drop database vpopmail;
```

Then recreate the db using the mysql commands from the guide.

Your problem may even be as simple as the dbname/user/password/host in /etc/vpopmail.conf not being correct. Try logging in to mysql using the information in vpopmail.conf to check this.

----------

## CzesLaW

Very nice HOWTO :)

I've just completed it, but now I have two issues:

1) SMTP is working fine, I can log in and send an email msg.

The problem is that when I try to log in to receive new msgs from my account - it's impossible. I tried on squirrelmail and thunderbird.

Squirrelmail responds with "Unknown user or password incorrect." I also tried logging in with login@domain and giving only login, also I tried logging in as postmaster. QMailAdmin is working correctly I can manage my accounts.

2) After doing step 11 and running /etc/init.d/spamd start I have an error:

```
[7965] error: no connection to syslog available

[7965] error:  - /dev/log is not a socket at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Logger/Syslog.pm line 80
```

But anyway it's starting and I hope it's not an important error.

I'm a newbie on linux   :Embarassed: 

Greetings and thanks to the author for the HOWTO

----------

## jrenraw

I've completed the install and am happy to report it is working.  I did run into a issue with vpopmail thinking the domains did not exist but this was because I imported a previous vpopmail DB and I guess the domains are stored on disk as well.  The fix was simply to try adding the same domain via vadddomain.  It would fail with duplicate domain, but after that everything worked.

----------

## jrenraw

I noticed that the rcptchk.log has a lot of "This should never run".  From the log:

 *Quote:*   

> 
> 
> qmaild
> 
> /usr/bin/sudo -u vpopmail /var/qmail/plugins/chkuser_pg/vpopchk.sh acaxrmtmatefeugdrtd domain.com
> ...

 

Also, in step 4, seems like there needs to be a step to copy the vpopchk.sh script from /var/qmail/plugins/chkuser_pg/ to /var/vpopmail/bin/ (unless I missed it somewhere else).

----------

## petterg

 *jrenraw wrote:*   

> I noticed that the rcptchk.log has a lot of "This should never run".  From the log:
> 
>  *Quote:*   
> 
> qmaild
> ...

 

Thanks for revealing this leftover from my first installation. I think there is one tiny mistake making problems for you.

The guide is now updated, one line changed:

step 4, after visudo. The line to append is now corrected from /var/vpopmail/... to /var/qmail/...

Please let me know if this helps.

Btw, vpopchk.sh is supposed to be located in /var/qmail/plugins/chkuser_pg only.

----------

## petterg

 *CzesLaW wrote:*   

> Very nice HOWTO :)
> 
> I've just completed it, but now I have two issues:
> 
> 1) SMTP is working fine, I can log in and send an email msg.
> ...

 

1) Is the courier-imap service running?

did you miss the line authmodulelist="authvchkpw" in step 7 of the guide?

2) Have you installed syslog?

----------

## CzesLaW

courier-imapd is running

I have also changed this line from step 7 ...

I have no idea what's going on. I tried to solve it by doing some steps again but it doesn't work. I can't login to squirrelmail and I can't receive messages with thunderbird. It's connecting but then I have error "login failed".

I don't remember installing syslog :/

I have Linux Kernel v2.6.18-hardened but I don't know if it matters ...

EDIT: I've installed syslog-ng... now there is no error  :Wink: 

----------

## petterg

 *CzesLaW wrote:*   

> courier-imapd is running
> 
> I have also changed this line from step 7 ...
> 
> I have no idea what's going on. I tried to solve it by doing some steps again but it doesn't work. I can't login to squirrelmail and I can't receive messages with thunderbird. It's connecting but then I have error "login failed".
> ...

 

Do you have the same problem using pop instead of imap?

Are you able to connect using telnet on the imap/pop ports?

What kind of authentication did you set with squirrel and tb?

Any firewall blocking?

you have the no-ssl imap server running for squirrel?

I think telnet will be your friend for debugging. Google the imap/pop protocols to see how to get around after initial connection.

----------

## CzesLaW

 *Quote:*   

> Do you have the same problem using pop instead of imap?

 

Yes, it's the same on pop3 and imap. I am running pop3, imap, pop3-ssl and imap-ssl

 *Quote:*   

> What kind of authentication did you set with squirrel and tb?

 

Type of authentication ? You mean secure or not ? If I set on secure authentication in thunderbird I have msg "server doesn't support secure auth.".

 *Quote:*   

> Any firewall blocking?

 

I'm behind a router but I forwarded all ports You mentioned at the beginning of this HOWTO. I have iptables as well but I haven't set anything there yet.

I'll now try this trick with telnet and I hope I'll fix it. Thank You for your help and I'll write back soon ..

----------

## CzesLaW

I've tried it but it doesn't mean anything to me

pop:

```
czeslaw@localhost ~ $ telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Hello there.
USER czesio@czeslaw.kicks-ass.org
+OK Password required.
PASS *******
-ERR Login failed.
```

imap:

```
czeslaw@localhost ~ $ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc.  See COPYING for distribution information.
A01 login czesio@czeslaw.kicks-ass.org *******
A01 NO Login failed.
```

for imap and pop3 with ssl I have the same - no response:

```
czeslaw@localhost ~ $ telnet localhost 995
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
```

;(

----------

## Gentoo-Ed

For the IMAP part, check my recent post, where I solved my IMAP issue. It looks similar.

https://forums.gentoo.org/viewtopic-t-541008-highlight-.html

----------

## petterg

 *CzesLaW wrote:*   

> 
> 
>  *Quote:*   What kind of authentication did you set with squirrel and tb? 
> 
> Type of authentication ? You mean secure or not ? If I set on secure authentication in thunderbird I have msg "server doesn't support secure auth.".
> ...

 

In Opera I have the following authentication methods: AUTH-CRAM, AUTH-LOGIN, AUTH-PLAIN, plaintext, none. You'll probably find a few in your app. Try all of them.

 *CzesLaW wrote:*   

> 
> 
>  *Quote:*   Any firewall blocking? 
> 
> I'm behind a router but I forwarded all ports You mentioned at the beginning of this HOWTO. I have iptables as well but I haven't set anything there yet.
> ...

 

Telnet will reveal fw-issues

EDIT: Oh, you've tried telnet. Looks like there are no fw-issues. When login failed using pop there should be an error in some logfile. Often /var/log/messages or /var/log/mail*

----------

## petterg

 *CzesLaW wrote:*   

> courier-imapd is running
> 
> I have also changed this line from step 7 ...
> 
> 

 

You did restart courier-{imap|pop3|authlib} after changing that line?

The solution Gentoo-Ed posted seems to me to be a pam-issue. Vpopmail does not use pam.

Are you able to authenticate using smtp-auth? (to filter out if this is a courier or a vpopmail problem)

----------

## CzesLaW

I can authenticate using smtp and send message.

I think that my server is listening and receiving messages the only problem is that I can't log in :/

I can't find auth methods in thunderbird.

I checked my logs and I found something interesting:

 *Quote:*   

> Feb 22 17:53:38 localhost authdaemond: Installing libauthvchkpw
> 
> Feb 22 17:53:38 localhost authdaemond: libauthvchkpw.so: cannot open shared object file: No such file or directory

 

 *Quote:*   

> You did restart courier-{imap|pop3|authlib} after changing that line?

 

Yes ..

----------

## petterg

 *CzesLaW wrote:*   

>  *Quote:*   Feb 22 17:53:38 localhost authdaemond: Installing libauthvchkpw
> 
> Feb 22 17:53:38 localhost authdaemond: libauthvchkpw.so: cannot open shared object file: No such file or directory 
> 
> 

 

That should have showed up when installing vpopmail or courier-imap. Try reemerging them. Maybe delete all config files for those packages before to make sure you get a fresh start.

You got the latest versions? (remembered to emerge --sync before starting)

----------

## CzesLaW

OK, I've fixed it by doing:

```
$ emerge courier-authlib
$ etc-update   # option -5 to replace old configs
```

then I had to repeat step 7 :)

I'll test it later if it works for 100%

Greetz

----------

## radulucian

i remember i've had this problem and used a solution that was referring to 

/var/vpopmail/etc/lib_deps

which now, for me, reads: 

```

-L/var/vpopmail/lib -lvpopmail -L/usr/lib/mysql  -lmysqlclient -lz -lm -lcrypt

```

see if it's the same for you  and if not try to move the deps files somewhere else and recompile vpopmail once more.

and i guess you could also try revdep-rebuild, but if the problem it's related to the above file it's probably not going to help.

-----------------------------------

now i have a new issue  :Smile: 

if i enable the plugin i get this in the logs when sending email to the account here:

 *Quote:*   

> 
> 
> qmaild
> 
> /usr/bin/sudo -u vpopmail /var/qmail/plugins/chkuser_pg/vpopchk.sh service.account somedomain.com
> ...

 

and i get back a delivery failure on the other end.

 *Quote:*   

> 
> 
> Delivery to the following recipient failed permanently:
> 
>     service.account@somedomain.com
> ...

 

i guess it's related to the same issue.

what i did to get my mail through (and might be useful for others for the time being) is disable the plugin altogether. then everything works fine.

any clues?

----------

## petterg

 *radulucian wrote:*   

> 
> 
> now i have a new issue :)
> 
> if i enable the plugin i get this in the logs when sending email to the account here:
> ...

 

Sounds like you've set up some open relay or your server has not taken the settings from /etc/tcprules/tcp-smtp.

Refresh the cdb build and restart the smtp service might be all that is required.

Do you run into the same problem both with and without having the client run smtp-auth?

----------

## PabOu

Nice guide !

However, I've found a problem with chkuser_pg :

I've created only one domain with vadddomain, let's say domain.com. This domain got only one user : postmaster, the default one.

```
pabou@chocolat ~ $ telnet smtphost.domain.com 25
Trying xxx.xxx.xxx.xxx...
Connected to smtphost.domain.com.
Escape character is '^]'.
220 smtphost.domain.com  ESMTP
HELO paboutest.pabou.com
250 smtphost.domain.com
MAIL FROM: anyuser@anydomain.com
250 ok
RCPT TO: postmaster@domain.com
250 ok
```

Result is OK.

another try, new telnet connection: 

```
RCPT TO: pabou@domain.com

511 Sorry, no mailbox here by that name (#5.1.1)
```

Result is OK, chkuser works great !

another try, new telnet connection:

```
RCPT TO: pabou@pabou.com

511 Sorry, no mailbox here by that name (#5.1.1)
```

There is the problem. vpopmail doesn't have the domain pabou.com and I'm not registered with smtp-auth --> I can't use this server as a relay server. The error message should be "553 sorry, that domain isn't in my list of allowed rcpthosts" and not 511

----------

## petterg

 *PabOu wrote:*   

> 
> 
> There is the problem. vpopmail doesn't have the domain pabou.com and I'm not registered with smtp-auth --> I can't use this server as a relay server. The error message should be "553 sorry, that domain isn't in my list of allowed rcpthosts" and not 511

 

Fixed - new version of chkuser_pg out on S.F.

Thanx for pointing this out.

----------

## malty

My errors :

@4000000045e8274e23ddb97c delivery 17: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/

----------

## petterg

 *malty wrote:*   

> My errors :
> 
> @4000000045e8274e23ddb97c delivery 17: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/

 

Is that for incoming or outgoing mail?

Try telnet'ing in the same direction from the same host. My first guess is a firewall issue with your ISP.

----------

## malty

That relates to the outgoing mail (smtp). I tested with telnet and it works.

But with my email client it does not work.

```
cat /var/log/qmail/qmail-send/current
```

```
@4000000045eb1126259c2e74 delivery 51: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/

@4000000045eb1126259c41fc status: local 0/10 remote 0/20

```

I have to run the command: 

```
echo teste | /var/qmail/bin/qmail-inject -a nom@domain.com

```

On the other hand, locally it works

----------

## malty

My error :

```
sva-01 files # ebuild /usr/local/portage/mail-mta/netqmail/netqmail-1.05-r4.ebuild digest

/usr/local/portage/mail-mta/netqmail/netqmail-1.05-r4.ebuild: line 284: syntax error near unexpected token `fi'

/usr/local/portage/mail-mta/netqmail/netqmail-1.05-r4.ebuild: line 284: `   fi if use ssl; then'

!!! ERROR: mail-mta/netqmail-1.05-r4 failed.

Call stack:

  ebuild.sh, line 1511:   Called die

!!! error sourcing ebuild

!!! If you need support, post the topmost build error, and the call stack if relevant.
```

----------

## malty

I found the error :

```
Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
```

One should not add :

```
echo ":smtp.ISP.NET" > /var/qmail/control/smtproutes 
```

And everything works perfectly.

----------

## petterg

 *malty wrote:*   

> I found the error :
> 
> ```
> Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
> ```
> ...

 

So, apparently your ISP is blocking outbound smtp connections to anywhere but their own smtp server. I'll put a note about this in the guide

----------

## malty

Why do I have this error when I send an email?

```
vchkpw-smtp: password fail
```

```

Mar  7 22:30:09 sva-01 vpopmail[15299]: vchkpw-smtp: password fail -----------@------------.com:192.168.1.1

Mar  7 22:30:14 sva-01 vpopmail[15301]: vchkpw-smtp: (PLAIN) login success -----------@-----------.com:192.168.1.1
```

----------

## petterg

 *malty wrote:*   

> Why I have this error when I sendings an email?
> 
> ```
> vchkpw-smtp: password fail
> ```
> ...

 

Set your client to not use cram authentication. It's probably set to auto, then it will try cram first.

The problem is that the server announces that it supports cram. There should be a way to make it not announce this. I'm not sure how.

----------

## CzesLaW

I have the same problem... it makes sending mails really slow.

Maybe USE="noauthcram" when doing emerge netqmail ??

OK I've fixed it:

 *Quote:*   

> Setting up clear passwords for vpopmail after the fact
> 
> If you, like me, installed vpopmail without clear passwords and then realized that clear passwords are required for Cram-MD5 encryption for authentication and want to update your database, here is how I did it. Its not automatic, but it works.
> 
> Kod:
> ...

 

I found it here: https://forums.gentoo.org/viewtopic-t-527246-highlight-vchkpw+crammd5.html

----------

## petterg

 *CzesLaW wrote:*   

> 
> 
>  *Quote:*   Setting up clear passwords for vpopmail after the fact
> 
> If you, like me, installed vpopmail without clear passwords and then realized that clear passwords are required for Cram-MD5 encryption for authentication and want to update your database, here is how I did it. Its not automatic, but it works.
> ...

 

That is the way to go to make authcram work. The disadvantage is that passwords are stored in the mysql db in clear text. If there are more users on the server than myself I would not go this way.

The better way is to make the clients not use authcram. Either by disabling the method in the client config or make the server not announce authcram. The latter way would be the better. But I don't know how to do it.

----------

## Wavyx

Just for your interest, I have valias  like "firstname.name@domain.tld". The problem is with the vpopchk.sh, such user are not recognised, and outputs a "101" exit code, meaning bounce no-mailbox. This is due to the "." (dot) in the USER parameter.

ex: /var/qmail/plugins/chkuser_pg/vpopchk.sh firstname.name domain.tld

To fix this, just comment out line 46 in /var/qmail/plugins/chkuser_pg/vpopchk.sh

```
#Change "." to ":" and all to lowercase
#USER=`echo ${USER} | ${TR} . : `
```

BTW, thanks a lot for the HOWTO

----------

## CzesLaW

I am using also aliases with dot in the name and I don't have any problems...

But I am confused with the case when I want to use more than one domain with ssl encryption. How can I setup one certificate for every domain ?!?

----------

## Wavyx

Hi,

I guess my problem is probably related to the mysql feature. My valias are stored in the database, and I don't "need" to convert "." to ":" for the usual .qmail files.

About your certificate problem, I get your point but:

1) I'm not sure the courier-imapd is able to use multiple ssl certifs according to the requested TLD (on a specific single IP address)

2) As for Apache, my opinion is you can only have a single SSL certificate by IP. I guess you can still use your main "hosting" domain as valid ssl certificate (like mail.hoster.com) for all your customers.  Or maybe there is a solution with mapping a specific daemon for each IP you've got and distribute your ssl certificates along your IP's.

Does it make sense? I'm waiting for your advice.

----------

## CzesLaW

OK, I am just using one domain for receiving and sending mails because it's a small server ... but thanks for the reply.

About your problem... am I thinking correctly, You are trying to log in using an alias for one of your mailboxes? If yes.. I think there is no option to do it.

----------

## Wavyx

No, I just had some delivery issues with valias containing "." (dots) in the user part. The real user and simple alias (without dot) work perfectly. But as I said, with mysql valias storage, if you keep the line in vpopchk.sh the "." is replaced by ":" for the check and this never works. So, for example, every alias with dots like "firstname.name@mydomain.com" would be bounced since vpopchk.sh will not find firstname:name@mydomain.com in the mysql database.

Another "bug" is about the clamav configuration. Since we changed the owner/group of /var/log/clamav to qscand:qscand, we should update the logrotate configuration as well:

```
nano -w /etc/logrotate.d/clamav

/var/log/clamav/clamd.log {
        missingok
        create 640 qscand qscand
        postrotate
                /bin/kill -HUP `cat /var/run/clamav/clamd.pid 2> /dev/null` 2>/dev/null || true
        endscript
}

/var/log/clamav/freshclam.log {
        missingok
        create 640 qscand qscand
        postrotate
                /bin/kill -HUP `cat /var/run/clamav/freshclam.pid 2> /dev/null` 2>/dev/null || true
        endscript
}
```

----------

## malty

My errors :

```
Mar 22 02:04:04 sva-01 spamd[5719]: bayes: locker: safe_lock: cannot create lockfile /etc/mail/spamassassin/bayes.mutex: Permission denied
```

----------

## CzesLaW

I'm thinking that my spamassassin is not working at all... but my qmail-scanner installation went all right :/

I don't see any msgs marked with X-Spam header or with changed topic name ... strange :/

How to check if it's ok ?!

Last edited by CzesLaW on Thu Mar 22, 2007 10:30 am; edited 1 time in total

----------

## malty

thank you, it works

----------

## malty

I have another problem: when I send emails, only to hotmail.fr, I get an error:

```
@40000000460258f90dbf37ec info msg 311496: bytes 1128 from <postmaster@cremantec.com> qp 10509 uid 201

@40000000460258f90e652094 starting delivery 1: msg 311496 to remote ______@hotmail.fr

@40000000460258f90e653034 status: local 0/10 remote 1/20

@40000000460258fd0d51b8ac delivery 1: success: 205.248.106.64_accepted_message./Remote_host_said:_250_2.6.0_<460258EB.2040002@cremantec.com>_Queued_mail_for_delivery/

@40000000460258fd0d51cc34 status: local 0/10 remote 0/20

```

----------

## vklimovs

petterg, great guide. Everything is fine. But I think there is a slight problem in the script:

```

mail chkuser_pg # ./rcptchk-pg.sh ivars.bruveris@domain.lv

E511 Sorry, no mailbox here by that name (#5.1.1)

mail chkuser_pg # vuserinfo ivars.bruveris@domain.lv

name:   ivars.bruveris

passwd: $1$5MsKnvuH$slq5Vy4YxzfGs2hpyHyVw.

clear passwd: cpwd

comment/gecos: Ivars Bruveris

uid:    0

gid:    0

flags:  0

gecos: Ivars Bruveris

limits: No user limits set.

dir:       /var/vpopmail/domains/domain.lv/0/ivars.bruveris

quota:     524288000S

usage:     0%

last auth: Mon Mar 26 18:23:36 2007

last auth ip: pop3

mail chkuser_pg #

```

As you see, checking does not work for usernames which contain dot.

----------

## petterg

I'll look into the valias "dot" check. I think the way to go is to make sure it returns OK for valias before the part when changing . to :

Hopefully I'll find time this weekend.

Regarding multi-certificates on one IP - it is not possible. The reason is that the hostname that the client is connecting to has to be decrypted using the certificate.

Regarding those permission denied problems - try su to the user the process is running as, and see if the user actually has access. I've noticed that permission denied errors sometimes occur when using symlinks.

----------

## Wavyx

 *Wavyx wrote:*   

> Just for your interest, I have valias  like "firstname.name@domain.tld". The problem is with the vpopchk.sh, such user are not recognised, and outputs a "101" exit code, meaning bounce no-mailbox. This is due to the "." (dot) in the USER parameter.
> 
> ex: /var/qmail/plugins/chkuser_pg/vpopchk.sh firstname.name domain.tld
> 
> To fix this, just comment the line 46 in /var/qmail/plugins/chkuser_pg/vpopchk.sh
> ...

 

I suggest you the following solution (in my little post ;)

----------

## vklimovs

 *Wavyx wrote:*   

>  *Wavyx wrote:*   Just for your interest, I have valias  like "firstname.name@domain.tld". The problem is with the vpopchk.sh, such user are not recognised, and outputs a "101" exit code, meaning bounce no-mailbox. This is due to the "." (dot) in the USER parameter.
> 
> ex: /var/qmail/plugins/chkuser_pg/vpopchk.sh firstname.name domain.tld
> 
> To fix this, just comment the line 46 in /var/qmail/plugins/chkuser_pg/vpopchk.sh
> ...

 

I tried that one. Can not explain why, but after that the script starts to accept (or better say, verify) every address on domain.

----------

## Wavyx

not sure about your last comment...

this is the very goal of this script: to check if user/alias is correct for a domain.

the explanation of the "dot problem" is that when you use a mysql database the "." in aliases is not translated into ":" (but this is the regular way for .qmail configuration files: .qmail-firstname:name )

Sounds good ?

----------

## juiceseep

i really badly need your help.. i followed the previous how tos configuring qmail and it worked out "no smtp authentication"

only allowing certain ips in my /etc/tcprules.d/tcp.qmail-smtp

```
#CREATED NOV 7 2006
#LOOPBACK ADDRESS
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/simscan"
216.86.153.124:allow,RELAYCLIENT="",RBLSMTPD=""
#SPAMMER IP ADDRESSES
210.213.157.73:deny,RELAYCLIENT=""
210.213.252.137:deny,RELAYCLIENT=""
210.213.76.35:deny,RELAYCLIENT=""
124.104.103.:deny,RELAYCLIENT=""
#SIMSCAN SCANNER
:allow,QMAILQUEUE="/var/qmail/bin/simscan"
#EXPLICIT ALLO POLICY
:allow
```

But now we have remote users (using their laptops) and they are using MS Outlook, and it's been bugging me since 2 weeks ago how to deal with SMTP authentication.. they're the boss so i must fix it right away.. if i make my mail server open.. (i just did once) we were bombarded by a lot of spammers (another pain) but now i have reverted to the original configuration.

```
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
[[ -n "${QMAIL_SMTP_CHECKPASSWORD}" ]] && {
        [[ -z "${QMAIL_SMTP_POST}" ]] && QMAIL_SMTP_POST=/bin/true
        QMAIL_SMTP_POST="${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
```

also adding this line to my conf-smtpd seems to have no effect. i have enabled TLS (in thunderbird) and am using TLS in MS Outlook 2003 but it seems it won't get through

could you help me step by step with what to install and which configs i have to enable.. 

in the installation there are options like ssl and enabling this and this... seems optional and i can't find a way into smtp authentication.

hope you can help me before i get laid off

thanks

----------

## petterg

 *juiceseep wrote:*   

> i really badly need you help.. i followed the previous how tos configuring qmail and it worked out "no smtp authentication"
> 
> only allowing certain ips in my /etc/tcprules.d/tcp.qmail-smtp
> 
> 

 

You'll need to recompile qmail with smtp-auth enabled. Then configure smtp-auth according to the guide. If you have an old version of qmail installed you should consider recompiling with the same version for a temporary fast solution. When you get the time, do a fresh install.

----------

## petterg

New release of chkuser is out.

Should fix the issues related to mailaddresses including dots before the @

----------

## vklimovs

Ok, great, dots get accepted. Thank you!

I found a little issue, which may not be an issue at all, i do not know. Here is part of SMTP dialogue:

```
>>> RSET
<<< 250 flushed
>>> MAIL FROM: <spamtest@mail.mydomain.lv>
<<< 250 ok
>>> RCPT TO: <"relaytest%antispam-ufrj.pads.ufrj.br">
<<< invalid addressformat
```

As you see, the "invalid addressformat" message does not have an error number at the start of the string. That is perfectly ok with real spammers, but for some reason it does break some open relay testers, like

http://www.abuse.net/relay.html

http://www.antispam-ufrj.pads.ufrj.br/test-relay.html

----------

## stripe

 *Quote:*   

> Unverified tricks from readers
> 
> Here I'll put a collection of good ideas, hints and tricks posted by readers. I have not tried these myself.
> 
> Mindstab wrote:
> ...

 

Should be clean first line instead. This will prevent to queue the doublebounces at all.

If you enter "#" sign, Qmail will queue the bounces to #@defaultdomain.tld. This has two effects:

a) very huge load of local queue with result no existing user for delivery

b) if you have enabled catching all incoming email addresses in default domain to some user, he will get thousands of bounces

This trick comes from Qmail control files manual

```

doublebounceto

    User to receive double-bounces. Default: postmaster. If a single-bounce notice is permanently undeliverable, qmail-send sends a double-bounce notice to doublebounceto@doublebouncehost. (If that bounces, qmail-send gives up.) As a special case, if the first line of doublebounceto is blank (contains a single linefeed), qmail-send will not queue the double-bounce at all.

```

----------

## petterg

 *NS wrote:*   

> 
> 
> As you see, "invalid addressformat" message does not have error number at the start of the string. That is perfectly ok with real spamers, but for some reason it does break some open relay testers, like
> 
> 

 

That is a "me" bug. The idea is to give error on characters not listed as accepted to prevent injection of commands to the scripts. (similar to sql injects)

Would there be any reason to accept the <, >, " and % characters?

Which error code would be appropriate for invalid characters?

Edit: Temporarily I set error 511.... new release out. If anyone thinks another code is better, let me know.

Last edited by petterg on Wed Apr 04, 2007 8:44 pm; edited 1 time in total
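
The allow-list check described in the post above, together with the dot-versus-colon handling discussed earlier in the thread, written out as an added example (it is not chkuser_pg's code and not part of any post). The function names, the permitted character set and the `KNOWN_RCPTS` list are assumptions; the reply texts are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example, not chkuser_pg's code. All names below are hypothetical.
LC_ALL=C; export LC_ALL          # byte-exact [A-Za-z] ranges in patterns

# Constructed sample data standing in for the vpopmail/valias lookup.
KNOWN_RCPTS="postmaster@domain.tld firstname.name@domain.tld"

# valid_rcpt ADDRESS: exit 0 only if every character is on the allow-list.
# The caller is assumed to pass the bare address, without SMTP angle brackets.
valid_rcpt() {
    case $1 in
        *@*@*) return 1 ;;               # more than one "@"
        ?*@?*) ;;                        # non-empty user and domain
        *)     return 1 ;;               # no "@", or an empty side
    esac
    vr_user=${1%@*}
    vr_domain=${1#*@}
    # RFC 5321 size limits: 64 octets local part, 255 octets domain
    [ "${#vr_user}" -le 64 ] || return 1
    [ "${#vr_domain}" -le 255 ] || return 1
    case $vr_user in
        *[!A-Za-z0-9._+=-]*) return 1 ;; # rejects < > " % ; $ ` space, newline
        -*|.*|*.|*..*)       return 1 ;; # option-like start, stray dots
    esac
    case $vr_domain in
        *[!A-Za-z0-9.-]*)    return 1 ;;
        -*|.*|*.|*..*)       return 1 ;;
    esac
    return 0
}

# dotqmail_name USER: name of the matching .qmail alias file, where "." is
# written as ":". Use this form for file lookups only, never as a database key,
# otherwise dotted valias entries stored in MySQL are never found.
dotqmail_name() {
    printf '.qmail-%s\n' "$(printf '%s' "$1" | tr . :)"
}

# rcpt_reply ADDRESS: print one SMTP reply line; every branch carries a code.
rcpt_reply() {
    if ! valid_rcpt "$1"; then
        echo "511 invalid addressformat"
        return 0
    fi
    # Lowercase only; the dots stay as they are for the lookup.
    rr_addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for rr_known in $KNOWN_RCPTS; do
        if [ "$rr_known" = "$rr_addr" ]; then
            echo "250 ok"
            return 0
        fi
    done
    echo "511 Sorry, no mailbox here by that name (#5.1.1)"
}

# Constructed inputs: a dotted alias, the relay-test string quoted in the
# thread, and an address containing a shell metacharacter.
for a in 'firstname.name@domain.tld' \
         '"relaytest%antispam-ufrj.pads.ufrj.br"' \
         'x;y@domain.tld'; do
    printf '%-42s -> %s\n' "$a" "$(rcpt_reply "$a")"
done
```

Because the address is validated before anything else touches it and is only ever used inside double quotes, rejected input never reaches a helper command as an option or as shell syntax.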

----------

## petterg

 *stripe wrote:*   

> 
> 
> Should be a clean first line instead. This will prevent the doublebounces from being queued at all.
> 
> If you enter "#" sign, Qmail will queue the bounces to #@defaultdomain.tld. This has two effects:
> ...

 

Updated. Thanks

----------

## olau

When I installed my server in Dec 2005, I did not install mysql support in vqmail.  Is it possible to upgrade?

The qmail-scanner ebuild is being blocked

```

emerge qmail-scanner -va

[ebuild  N    ] mail-mta/qmail-mysql-1.03  57 kB

[ebuild     U ] mail-filter/qmail-scanner-2.01 [1.25-r2] USE="spamassassin (-qmailstats%*)" 222 kB [1]

[blocks B     ] mail-mta/qmail-mysql (is blocking mail-mta/qmail-1.03-r16)

[blocks B     ] mail-mta/qmail (is blocking mail-mta/qmail-mysql-1.03)
```

I have compared the qmail-scanner-2.01 manually.

----------

## petterg

 *olau wrote:*   

> When I installed my server in Dec 2005, I did not install mysql support in vqmail.  Is it possible to upgrade?
> 
> The qmail-scanner ebuild is being blocked
> 
> 

 

I would guess you could just unemerge qmail before you upgrade. I'm sure there are some flags to emerge to only unemerge qmail, not everything that depends on it. (Run with -p first to make sure)

Anyhow, I would not upgrade to qmail-scanner-2 without upgrading to net-qmail and upgrade all dependencies. Basically do a clean install of the mailserver related software.

----------

## Vieri

 *petterg wrote:*   

> 
> 
> 2) "access denied", "permission denied" or "no such file"
> 
> There might be a reason why qmail-scanner-2.01.ebuild is ~masked.
> ...

 

Wouldn't it be simpler and cleaner NOT to create /var/spool/qscan and just modify /var/qmail/bin/qmail-scanner-queue.pl and search&replace the following lines?

```

my $scandir = '/var/spool/qmailscan';

my $configdir = '/var/spool/qmailscan';

my $logdir = '/var/spool/qmailscan';

```

Then just add

```

doins quarantine-events.txt

```

to the ebuild postinst function. Then digest and re-emerge it.

Actually the ebuild should be reviewed and all /var/spool/qmailscan should be replaced with /var/spool/qscan.

Also, files such as quarantine-attachments.txt don't seem to exist anymore.

----------

## olau

OK, but how do I get the user accounts from a non-MySQL to an installation with MySQL?

Has any one done this?

 *petterg wrote:*   

>  *olau wrote:*   When I installed my server in Dec 2005, I did not install mysql support in vqmail.  Is it possible to upgrade?
> 
> The qmail-scanner ebuild is being blocked
> 
>  
> ...

 

----------

## Cottonee

Hi everyone

I have a problem after following up this guide. SMTP is not working but I can see smtp port 25 opening from "nmap" command also with imaps and pop3s. Both imaps and pop3s are working great I can access server from local network and from Internet. So I think my vpopmail is working.  Here is the problem with smtp:

1) smtp can send mail relay via my ISP's  smtp server

2) smtp cannot receive any mail from outside, it said connection timeout. (send-receive local mail is fine)

qmail didn't produce any error log from smtp connection. So, I have no idea where to checking problem. 

Any suggestion? ...   :Crying or Very sad: 

----------

## vklimovs

Check rules of tcp server.

```
nano -w /etc/tcprules.d/tcp.qmail-smtp
```

----------

## Cottonee

 *NS wrote:*   

> Check rules of tcp server.
> 
> ```
> nano -w /etc/tcprules.d/tcp.qmail-smtp
> ```
> ...

 

Here is my smtp rule: my local IP is 192.168.1.x and my smtp server IP is aaa.aaa.aaa.aaa

```

127.0.0.:allow,RELAYCLIENT="",RBLSMTPD="" 

192.168.1.:allow,RELAYCLIENT="",RBLSMTPD="" 

aaa.aaa.aaa.aaa:allow,RELAYCLIENT="",RBLSMTPD="" 

:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue" 

```

Is it correct?

----------

## vklimovs

Yes, it looks correct. Do you think there may be a firewall between your box and internet, which may block connections to port 25?

----------

## Cottonee

 *NS wrote:*   

> Yes, it looks correct. Do you think there may be a firewall between your box and internet, which may block connections to port 25?

 

I have setup my router to open and forward port 25, 993, 995 to local smtp server. As I mentioned in my previous mail that pop3s and imaps work from Internet. I am suspecting that my ISP might block incoming to port 25. In guide, he suggest to change smtp port to other port.  However, the question is if I change smtp port to other rather than 25. How could other smtp server send mail to my smtp server? How could they know that my smtp is on what port?...

----------

## vklimovs

If you change port, other smtp servers will not be able to connect. And, if ISP blocks incoming connections to port 25, which is probably the case, you can not do much about that. Personally you still can use your server from outside, either on port or over STARTTLS.

----------

## petterg

 *Cottonee wrote:*   

>  *NS wrote:*   Yes, it looks correct. Do you think there may be a firewall between your box and internet, which may block connections to port 25? 
> 
> I have setup my router to open and forward port 25, 993, 995 to local smtp server. As I mentioned in my previous mail that pop3s and imaps work from Internet. I am suspecting that my ISP might block incoming to port 25. In guide, he suggest to change smtp port to other port.  However, the question is if I change smtp port to other rather than 25. How could other smtp server send mail to my smtp server? How could they know that my smtp is on what port?...

 

Try telnet from the internet to your server on port 25. If it does not work try the same from the wan side of your router.

(Your ISP might block port 25.)

----------

## Cottonee

 *petterg wrote:*   

>  *Cottonee wrote:*    *NS wrote:*   Yes, it looks correct. Do you think there may be a firewall between your box and internet, which may block connections to port 25? 
> 
> I have setup my router to open and forward port 25, 993, 995 to local smtp server. As I mentioned in my previous mail that pop3s and imaps work from Internet. I am suspecting that my ISP might block incoming to port 25. In guide, he suggest to change smtp port to other port.  However, the question is if I change smtp port to other rather than 25. How could other smtp server send mail to my smtp server? How could they know that my smtp is on what port?... 
> 
> Try telnet from the internet to your server on port 25. If it does not work try the same from the wan side of your router.
> ...

 

Thanks a lot guys, I found out that my ISP has blocked port 25.   :Sad:  That's how they can make money from mail servers.

----------

## petterg

Honestly, I think all ISPs should block port 25 for private customers. There are so many unprotected networks / hosts on this kind of connection.

----------

## harlanb

Hello Everyone,

  I have been arguing with this setup for more than a week.

  I've edited the tcp.qmail-smtp file, below:

```
127.0.0.:allow,RELAYCLIENT="",RBLSMTPD=""
10.8.0.:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.0.200:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.0.201:allow,RELAYCLIENT="",RBLSMTPD=""
172.16.0.:allow,RELAYCLIENT="",RBLSMTPD=""
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
```

```
$ telnet mail.<server>.org 8001
Trying 12.214.202.15...
Connected to mail.<server>.org.
Escape character is '^]'.
```

I have intentionally changed the port; I'm using a service to get around the cable blocking problem.  I did have a working server at one time, so cable is not the issue and this telnet is from outside my cable provider; I decided to upgrade to the current qmail software and followed this guide - I messed up the backups, so restoring is not an option.

A few times, I was able to get an SMTP reply from the server, but just to test, I restarted netqmail, and I can no longer connect.  Even when it connected, there were errors, but I need to get a reliable connection going, then I'll post about the errors.

I believe that I have smtp-auth compiled in, but I'm not 100% sure of that.  Here is the settings from emerge:

```
# ACCEPT_KEYWORDS="~x86" emerge -pv netqmail

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] mail-mta/netqmail-1.05-r7  USE="qmail-spp ssl -gencertdaily -highvolume -mailwrapper -noauthcram -vanilla" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB
```

If you need any more information, please post and I'll provide what I can.

Any ideas or suggestions?

Thanks,

Harlan...

----------

## biatch0

I'm probably going to update my old mailserver to run netqmail in a couple of days... is there anything I should know before doing so? I'm hoping that just doing an "emerge --unmerge qmail" and then following the guide will give me a working mailserver...

----------

## petterg

 *biatch0 wrote:*   

> I'm probably going to update my old mailserver to run netqmail in a couple of days... is there anything I should know before doing so? I'm hoping that just doing an "emerge --unmerge qmail" and then following the guide will give me a working mailserver...

 

I would backup all config files and remove them from the original location - just to make sure old configs are out of the way, then use the old configs as reference when modifying the new default files.

----------

## petterg

 *harlanb wrote:*   

> 
> 
> $ telnet mail.<server>.org 8001
> 
> Trying 12.214.202.15...
> ...

 

As a first go, try telnetting from a PC connected to the same subnet as the server (and same switch). Then you'll know for sure the ISP connection is not making any trouble for testing. If that is a problem too, try telnet to the server's public IP from localhost. If you can't do that either, put the server on the default port, then repeat all these steps.

Now we get so many if's. Try this first and post what you find out.

----------

## harlanb

 *petterg wrote:*   

>  *harlanb wrote:*   
> 
> > $ telnet mail.<server>.org 8001
> > 
> > Trying 12.214.202.15...
> > 
> > Connected to mail.<server>.org.
> > 
> > Escape character is '^]'.
> 
> As a first go, try telnetting from a PC connected to the same subnet as the server (and same switch). Then you'll know for sure the ISP connection is not making any trouble for testing. If that is a problem too, try telnet to the server's public IP from localhost. If you can't do that either, put the server on the default port, then repeat all these steps.
> 
> Now we get so many if's. Try this first and post what you find out.

Thanks for the pointer.  I was able to get my email system running again!

I found a program still running, that I thought I had killed, that was causing quite a few problems.  I was able to get back to "normal", at least running again.

Thanks for your help.

Harlan...

----------

## malty

 *malty wrote:*   

> I have another problem, when I sendings of the emails only on hotmail.fr I have an error:
> 
> ```
> @40000000460258f90dbf37ec info msg 311496: bytes 1128 from <postmaster@domain.com> qp 10509 uid 201
> ```
> ...

 

----------

## petterg

 *malty wrote:*   

>  *malty wrote:*   I have another problem, when I sendings of the emails only on hotmail.fr I have an error:
> 
> ```
> @40000000460258f90dbf37ec info msg 311496: bytes 1128 from <postmaster@domain.com> qp 10509 uid 201
> ```
> ...

 

is that supposed to show an error?

----------

## stiret

Greetings,

Thanks for the howto and all the help you've given everyone else.  I have learned much.  I'm having a problem with rcptchk.  I have the latest version and it appears to work for the domain, but not for the user.  Any user@mydomain.com is allowed.  

Any suggestions would be appreciated.

```
ns1 chkuser_pg # ./rcptchk-pg.sh anyone@notmydomain.com
E553 Sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3)
ns1 chkuser_pg # ./rcptchk-pg.sh notvaliduser@mydomain.com
ns1 chkuser_pg #
```

Thanks again,

Scott

----------

## a_me

 *Quote:*   

> 
> 
> 2) "access denied", "permission denied" or "no such file"
> 
> There might be a reason why qmail-scanner-2.01.ebuild is ~masked.
> ...

 

THANKS for the great guide! after fiddling a bit i got it working finally.

i just want to add something to the above, as it prevented me to receive mail.

qmail-scanner-2.01 installed without a problem just afterwards i recognized that 

 *Quote:*   

> > tail -f /var/log/mail.err
> 
> May 16 03:09:17 qmail-scanner-queue.pl: X-Qmail-Scanner-2.01st:[] cannot create /var/spool/qscan/tmp - No such file or directory
> 
> 

 gave me the described errors.

i did not create these folders and files because they were already created but with a different name:

 *Quote:*   

> > /var/spool/qmailscan $ ls
> 
> archive  quarantine  quarantine.log  tmp  viruses.log  working

 

instead i edited nano -w /var/qmail/bin/qmail-scanner-queue.pl and changed the three places where it pointed to the wrong directory.

to finish i had to initialise the system by running

 *Quote:*   

> > /var/qmail/bin/qmail-scanner-queue.pl -z
> 
> > chown qscand:qscand qmail-scanner-queue-version.txt
> 
> > /var/qmail/bin/qmail-scanner-queue.pl -g
> ...

  as well as restarting the services.

it might be trivial, but it might help somebody...

thanks again!   :Very Happy: 

EDIT:

these steps i described did not solve all the problems, so i ended up creating the directories as described.

----------

## petterg

 *stiret wrote:*   

> Greetings,
> 
> Thanks for the howto and all the help you've given everyone else.  I have learned much.  I'm having a problem with rcptchk.  I have the latest version and it appears to work for the domain, but not for the user.  Any user@mydomain.com is allowed.  
> 
> Any suggestions would be appreciated.
> ...

 

I'm sorry, I'm not able to create that problem. My box returns:

 *Quote:*   

> 
> 
> # ./rcptchk-pg.sh notvaliduser@mydomain.com  ; echo $?
> 
> E511 Sorry, no mailbox here by that name (#5.1.1)
> ...

 

Is anyone else experiencing problems like "stiret"? Please try running the commands below as root or qmaild and post the two lines it returns. (replace mydomain.com with whatever domain you're hosting on your server)

```

# cd /var/qmail/plugins/chkuser_pg/

# ./rcptchk-pg.sh notvaliduser@mydomain.com  ; echo $?

```

----------

## stiret

Hello again,

I've done some more investigating on this.  The binaries appear to be working correctly as shown below.  The vpopchk.sh script does not work as expected....at least not as I expected.  Is there any other information which may help track this down?  I don't mind just deleting everything to the catchall account, in fact that might be more appropriate anyway.

```
ns1 chkuser_pg # /var/vpopmail/bin/vuserinfo -n validuser@mydomain.com ; echo $?
validuser
0
ns1 chkuser_pg # /var/vpopmail/bin/vuserinfo -n notavaliduser@mydomain.com ; echo $?
no such user notavaliduser@mydomain.com
255
ns1 chkuser_pg # /var/vpopmail/bin/vuserinfo -n aliasuser@mydomain.com ; echo $?
no such user aliasuser@mydomain.com
255
ns1 chkuser_pg # /var/vpopmail/bin/valias aliasuser@mydomain.com ; echo $?
aliasuser@mydomain.com -> &validuser@mydomain.com
0
ns1 chkuser_pg # ./vpopchk.sh aliasuser@mydomain.com ; echo $?
255
ns1 chkuser_pg # ./vpopchk.sh notavaliduser@notmydomain.com ; echo $?
255
ns1 chkuser_pg # ./vpopchk.sh validuser@mydomain.com ; echo $?
255
```

Here are the permissions on the scripts:

```
ns1 chkuser_pg # ls -al
total 24
drwxr-xr-x 2 root   root     4096 May 17 07:39 .
drwxr-xr-x 3 qmaill root     4096 May 14 07:58 ..
-rw-r--r-- 1 root   root     2449 Jan 28 18:50 COPYRIGHT
-rw-r--r-- 1 root   root     2068 Feb 19 14:22 README
-rwxr-xr-x 1 root   vpopmail 3716 Apr  4 16:23 rcptchk-pg.sh
-rwxr-x--- 1 root   vpopmail 2796 May 17 07:39 vpopchk.sh
```

and the visudo setup

```
# Vpopmail/Qmail check user
qmaild          ALL=(vpopmail)  NOPASSWD: /var/qmail/plugins/chkuser_pg/vpopchk.sh
```

Thanks again for any help you can provide.

Scott

----------

## br41n

hello,

i'd like to know how can i add an extra patch ( http://www.qmail.org/qmail-1.03-dk-0.54.patch ) in my Gentoo qmail install so if anybody can give me some hints on doing this i would appreciate it

thanks.

----------

## CzesLaW

Hello,

I've emerged netqmail 1.05-r8 and now I have problem with my smtp.

It's sending e-mails without authentication. If I select in my mail client not to authenticate then it's sending e-mails (and it shouldn't).

But if I select to auth. and I give wrong username and pass it's not allowing to send.

Please help me to fix this issue because my server is now an open relay !!  :Sad: 

----------

## petterg

 *CzesLaW wrote:*   

> Hello,
> 
> I've emerged netqmail 1.05-r8 and now I have problem with my smtp.
> 
> It's sending e-mails without authentication. If I select in my mail client not to authenticate then it's sending e-mails (and it shouldn't).
> ...

 

Did you check the settings in /etc/tcprules.d/tcp.qmail-smtp and reload the rules after the upgrade?

----------

## petterg

 *stiret wrote:*   

> 
> 
> ns1 chkuser_pg # ./vpopchk.sh aliasuser@mydomain.com ; echo $?
> 
> 255
> ...

 

First, I assume you are logged in as root when you do the tests?

Try changing vpopchk.sh to add some debug output:

After the lines

```

USER=$1

DOMAIN=$2

```

insert the following line: (should be about line 34)

```

echo ${USER} - ${DOMAIN}

```

Then rerun the tests. Does it print out the correct user and domain according to the address you give as parameter?

The only reason I can see that would return 255 is that it doesn't understand the given address. Are you using some non-english letters or characters that may confuse the script?

----------

## CzesLaW

```

127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""

:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"

```

is it correct ?

yes, I've updated the rules after I've made changes ...

----------

## petterg

 *CzesLaW wrote:*   

> 
> 
> ```
> 
> 127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
> ...

 

I have no idea what may cause your problem. Try updating the tcprules again

```
cd /etc/tcprules.d/
# recompile the rules into the cdb file that tcpserver reads
tcprules tcp.qmail-smtp.cdb tcp.qmail-smtp.tmp < tcp.qmail-smtp
# restart qmail-smtpd under supervise
svc -t /var/qmail/supervise/qmail-smtpd
```

You could try to disable the chkuser smtp plugin in case that is causing any trouble.

----------

## CzesLaW

Ok, I think I've fix it.

The problem was that tcpserver was relaying 127.0.0.1 connections and I'm using stunnel to allow my users to connect on other port using SSL.

Stunnel is then connecting to port 25 (from localhost) so it's relay client.

My mistake :/

----------
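Added example (not code from any poster or from ucspi-tcp): a simplified model of how tcpserver picks a rule for a client IPv4 address, run over the two rules CzesLaW posted, to show why a local stunnel that forwards to port 25 is treated as a relay client. Only plain address and prefix rules are modelled (no `user@`, `=hostname` or range rules), and the function names are made up for this example.

```shell
#!/bin/sh
# Constructed sample input: the two rules from CzesLaW's post.
SAMPLE_RULES='127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"'

# lookup_key KEY RULES
# Print the first rule whose address part (text before the first ":")
# is exactly KEY. Prints nothing if there is no such rule.
lookup_key() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        {
            i = index($0, ":")
            # force string comparison so "10." is not compared as a number
            if (i > 0 && (substr($0, 1, i - 1) "") == (k "")) { print; exit }
        }'
}

# match_rule IP RULES
# Try the full address first, then shorter dot-terminated prefixes
# (1.2.3.4 -> 1.2.3. -> 1.2. -> 1.), then the empty default rule.
# Returns 1 if not even a default rule exists.
match_rule() {
    key=$1
    while :; do
        rule=$(lookup_key "$key" "$2")
        if [ -n "$rule" ]; then
            printf '%s\n' "$rule"
            return 0
        fi
        [ -z "$key" ] && return 1
        key=${key%.}                   # drop a trailing dot, if any
        case $key in
            *.*) key=${key%.*}. ;;     # cut the last component, keep the dot
            *)   key= ;;               # nothing left: try the default rule
        esac
    done
}

# relay_decision IP RULES
# Print "relay" if the matching rule sets RELAYCLIENT, "no-relay" if it
# allows without it, "deny" for a deny rule, "no-rule" if nothing matches.
relay_decision() {
    rule=$(match_rule "$1" "$2") || { echo "no-rule"; return 0; }
    case $rule in
        *:deny*)         echo "deny" ;;
        *,RELAYCLIENT=*) echo "relay" ;;
        *)               echo "no-relay" ;;
    esac
}

# 127.0.0.1 is what qmail-smtpd sees when stunnel on the same host
# forwards a connection to port 25; 203.0.113.9 is a constructed
# outside address.
for ip in 127.0.0.1 127.0.0.2 203.0.113.9; do
    printf '%-12s %s\n' "$ip" "$(relay_decision "$ip" "$SAMPLE_RULES")"
done
```

Run it against a copy of your own tcp.qmail-smtp to see which source addresses are granted RELAYCLIENT before any SMTP authentication takes place.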

## stiret

Hello again,

Yes, I am executing the script as root.  No, there are no unusual characters in the email accounts.  The actual binaries in /var/vpopmail/bin work as expected.  The script prints out the correct account information with the additional debugging you suggested.

```
ns1 chkuser_pg # ./vpopchk.sh valid.user@mydomain.com ; echo $?
valid.user@mydomain.com -
255
ns1 chkuser_pg # ./vpopchk.sh aliasuser@mydomain.com ; echo $?
aliasuser@mydomain.com -
255
ns1 chkuser_pg # ./vpopchk.sh notavaliduser@mydomain.com ; echo $?
notavaliduser@mydomain.com -
255
ns1 chkuser_pg # ./vpopchk.sh anyuser@notmydomain.com ; echo $?
anyuser@notmydomain.com -
255
ns1 chkuser_pg # /var/vpopmail/bin/vuserinfo -n valid.user@mydomain.com ; echo $?
valid.user
0
ns1 chkuser_pg # /var/vpopmail/bin/vuserinfo -n notavaliduser@mydomain.com ; echo $?
no such user notavaliduser@mydomain.com
255
ns1 chkuser_pg # /var/vpopmail/bin/vdominfo -n mydomain.com ; echo $?
mydomain.com
0
ns1 chkuser_pg # /var/vpopmail/bin/vdominfo -n notmydomain.com ; echo $?
Invalid domain name
245
```

Thanks,

Scott

----------

## petterg

 *stiret wrote:*   

> 
> 
> ns1 chkuser_pg # ./vpopchk.sh valid.user@mydomain.com ; echo $?
> 
> valid.user@mydomain.com -
> ...

 

See, that is NOT the correct output. It's detecting the full address as username, and blank domain.

```
anyuser@notmydomain.com -
```

should be

```
anyuser - notmydomain.com
```

Well, the reason for this is that vpopchk expects the input to not be 

```
vpopchk.sh anyuser@notmydomain.com
```

but

```
vpopchk.sh anyuser notmydomain.com
```

So, please try again with the correct form for parameters.

----------
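Added example, not code from chkuser_pg: one way to apply the allowlist idea petterg describes earlier in the thread (reject characters such as <, >, " and % before an address reaches a script run through sudo) and to produce the separate user and domain arguments that vpopchk.sh expects. The function name `split_rcpt` and the exact allowlist are assumptions made for this example, and the sample addresses are constructed.

```shell
#!/bin/sh
# Keep A-Z / a-z ranges byte-based regardless of the system locale.
LC_ALL=C
export LC_ALL

# split_rcpt ADDRESS
# Validate an SMTP recipient against an allowlist and split it.
# On success prints "user domain" and returns 0.
# On any violation prints nothing and returns 1.
split_rcpt() {
    addr=$1

    # 1. Allowlist: letters, digits and a few punctuation characters.
    #    Anything else (quotes, <, >, %, spaces, shell metacharacters)
    #    is rejected before the value is used anywhere.
    case $addr in
        ''|*[!A-Za-z0-9@._+=-]*) return 1 ;;
    esac

    # 2. Exactly one "@".
    case $addr in
        *@*@*) return 1 ;;
        *@*)   ;;
        *)     return 1 ;;
    esac

    user=${addr%@*}
    domain=${addr##*@}

    # 3. Neither part may be empty, start with "-" (it would be read as
    #    an option by the program that receives it) or start with ".".
    case $user in
        ''|-*|.*|*..*) return 1 ;;
    esac
    case $domain in
        ''|-*|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac

    printf '%s %s\n' "$user" "$domain"
}

# Constructed sample addresses: two well-formed, three that must fail.
for a in 'anyuser@notmydomain.com' 'valid.user@mydomain.com' \
         '<user@mydomain.com>' 'user%other@mydomain.com' '-n@mydomain.com'; do
    if parts=$(split_rcpt "$a"); then
        # Both fields passed the allowlist, so they contain no spaces
        # or glob characters and can be passed as two arguments.
        echo "ok      $a -> vpopchk.sh $parts"
    else
        echo "reject  $a"
    fi
done
```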

## fisherbln

I receive this error every hour via email:

Run parser

Warning: Variable passed to each() is not an array or object in /usr/qms-loganal/qms-loganal.php on line 34

Any ideas how to fix this?

----------

## petterg

 *fisherbln wrote:*   

> I receive this error every hour via email:
> 
> Run parser
> 
> Warning: Variable passed to each() is not an array or object in /usr/qms-loganal/qms-loganal.php on line 34
> ...

 

You could try to output what is put into each() on that line:

insert the following line in front of line 34 (pushing what was #34 down to #35)

```

echo $parr[$pid]['account']."\n";

```

then run the cronscript to see what it outputs. (your server will need to receive a mail between each run in order to have anything to output)

----------

## tekn0mage

Having some issues while sending mail. The problem occurs in both Outlook and Thunderbird. I have SMTP-AUTH enabled (full email address as username, password) with TLS checked off.

Error log shows only this:

```

Jun 24 18:45:42 victory vpopmail[10847]: vchkpw-smtp: (PLAIN) login success matt@victory.signet-ring.com:206.126.9.106

Jun 24 18:45:42 victory vpopmail[10847]: vchkpw-smtp: null user name given :206.126.9.106

```

I've tried without TLS and with. Neither will get the message to send. 

What step did I miss?

----------

## tekn0mage

Update:

I examined the error message "null user name given" which didn't make sense initially. As I thought about it, either A) vchkpw-smtp did not get the username or B) vchkpw-smtp did receive a username from my mail client, but it did not understand the username it was given.

Then I noticed that there were a few methods of authenticating... mainly they differ due to the client used but they all follow the basic auth types of PLAIN, LOGIN, etc... which to me, means SASL.

So the next two things were done:

1. Install cyrus-sasl on my system. I noticed this wasn't installed, and I was quite curious as to how my system would understand the AUTH LOGIN being sent by the mail client without it. Not sure if this was necessary, but I did it anyways.

Once installing cyrus-sasl, I restarted all the qmail services but still got the same error message. At that point I realized more drastic measures were necessary.

2. I blasted away the netqmail installation and tried again. If SASL was not present at the time of build, it's possible that the executables were missing necessary libraries to build properly.

I emerge --unmerge'd netqmail-1.05-r4 and then just used the latest ebuild from the gentoo tree (at the time of this post it was netqmail-1.05-r8)

I skipped step 2B "Patch qmail for only_auth_after_tls" because I changed to the newest ebuild, so I wasn't sure if there were any conflicts.

But now I am wondering what exactly only_auth_after_tls is useful for.... and maybe I need to rebuild it with that. Any insights here?

I saw someone else with the same error so I hope this helps.

- tek

----------

## petterg

Thanks for your information tekn0mage. Does it work now, or do you still have problems?

"only_auth_after_tls" makes the smtp server not accept logins before TLS is initiated. This is to force clients to create an encrypted channel before transmitting passwords. Hence smtp-auth should not work if the 'use TLS' option in the mailclient is not used.

Now, when TLS is used for smtp auth there is one more thing that may cause trouble on the client side: anti-virus software with scanning of outbound mail. Norton and Avast for sure don't allow any outbound traffic to port 25 if they don't understand the content of the data. When the data is encrypted they don't understand it and will block everything.

What might have been your problem:

with TLS off, the server did not accept the login (requires TLS on)

with TLS on, the local AV software might have stopped the client from sending data (including user/pass)

This is stated in the guide, but not really explained.

If you use Avast you can disable scanning of outbound connections on port 25.

If you use Norton you should try "Norton Removal Tool". (If the removal tool succeeded you'll get a significantly faster PC. If it didn't succeed you need to reinstall windows) Then install Avast or Comodo.

A workaround for software scanning port 25 and ISPs blocking port 25 is to have a port translator (like iptables) on your mailserver so connections on another port (say 2500) will translate to port 25.

----------

## tekn0mage

Actually I don't run any kind of anti-virus on my PC. A bit risky, indeed, but only if one behaves in a risky manner. 

Regarding the error I was noticing about a "null user name", I tried my client in both modes (TLS and non-TLS) and still received the same error.

Now it's possible that through some glitch in the software the changes I made to the authentication mode did not take effect. All in all, things did not work until I performed the above sequence of steps.

The actual use of your guide for me is as a web hosting provider. I host about 130 domains and provide e-mail services to the users using Qmail/Vpopmail, etc.

The software was installed on my primary server by an experienced administrator who is no longer available to assist in administration. Having to get "up to speed" on the presence of Qmail / Vpopmail and qmail-scanner was a priority for me. I've seen and heard of many different implementations, which only complements Qmail's versatility. This guide, however, was a great startup document for me to get going in a relatively short amount of time. I've been familiar with all the elements for a long time, so I believe I started out with a decent foundation already. 

Something I did differently was to enable per-user configuration files for SpamAssassin. 

In my /etc/conf.d/spamd file I used the following SPAMD Options

```
SPAMD_OPTS="-c -d -v -s mail -q -u vpopmail --virtual-config-dir=/var/vpopmail/domains/%d/%l/.spamassassin/"
```

The -c switch and the --virtual-config-dir switch have made it possible to store the .spamassassin directory in the root of the users mail directory.

Not sure if that is entirely necessary but sometimes users want me to go in and tweak their spam settings a little more. Makes it easier to do that.

I just wish there was a plugin so that users can modify their own SpamAssassin settings. I don't know of any decent front-ends that can help with that. 

Other than that, all is working well.

----------

## petterg

Actually I do have a web interface that allows users to modify stuff on the server. It would be a minor update to make it possible for them to change personal spamassassin settings. But, this is a complicated thing that is picky about which servers it will run securely on (it's designed explicitly for the kind of server setups I use)

My plan was to simplify this thing to provide a simple admin and wapmail interface, but I'm too short of time. The wapmail part isn't very user-friendly without the admin interface, that's why the guide is not yet completed with wapmail.

----------

## tekn0mage

Anything I can help with?

I'm not much of a programmer but I could provide some useful feedback to implement this in a live environment. I have a production mail server that I'd be willing to offer up.

User-level control over spam just makes them feel better. Dunno why. *shrug*.

----------

## petterg

what it needs is a secure way for virtual users to authenticate and modify files, limited to the files in their own folder.....

The interface I've made has a totally different authentication, as this interface goes to another server process. This process is controlling vpopmail, so when users are created or changing passwords there is a user created in both this and the vpopmail authentication systems.

What I think is the way to go is that each vpopmail account has to be assigned to a chrooted system user account, then apache may be allowed to su-run as this user providing the users password. But then again - we're losing half the point of having virtual mailusers....

Edit: got to think... your needs could probably be fixed with a plugin to squirrelmail. Somewhat the same way as the loganalyzer works, just that it's given access to a file rather than the mysqldb....

(keep in mind - if users are given access to custom filter setup, be sure they'll figure out how to blacklist the whole world, and you'll be given the blame for them not receiving mail)

----------

## tekn0mage

And that is the joy of what I do  :Smile: 

Billing them for something I warned them about in advance  :Smile: 

They can either pay a little, and learn it up front the right way. Or they can pay a lot, and repeat the same mistake over and over. It really matters not to me.

But yes, a plugin with Squirrelmail would be a far better alternative than what I've seen. The old SA plugin hasn't been updated in years, so there remains a lot to do. I'm not even sure the current version is even viable.

I'll d/l and install it tonight to see what it does. Thankfully a mirrored copy of my production server is great for such things.

----------

## petterg

How did the SA plugin work?

----------

## tekn0mage

I didn't even attempt to install it. The last update was in 2003 prior to SpamAssassin 3.0 

I'm not even gonna bother with it. Just too old to be viable. The config files changed options a few times since SA 1.x (which is what this was built around).

Strike out on that one.

----------

## feiticeir0

Hello. I must say: this is the best howto i've seen of qmail.

I have it installed and working perfectly.

I just wonder if anyone has ever put qmail working with LDAP. Any ideas how to do that ?

Cheers,

Bruno

----------

## vult

Thanks again for that guide - everything seems to be working perfectly ;]

----------

## vult

 *vult wrote:*   

> Thanks again for that guide - everything seems to be working perfectly ;]

 

One problem:

I need to force users to authenticate before sending an email. I've done that by removing content from rcpthosts file. Now you need to auth with your username and password to send an email to any domain - if you don't you get error: 

Sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3)

Unfortunately when you try to send an email from other server (f.e. gmail) you get this error too.

Is there any solution for this problem?

Thanks for any help

----------

## petterg

 *vult wrote:*   

> 
> 
> One problem:
> 
> I need to force users to authenticate before sending an email. I've done that by removing content from rcpthosts file. Now you need to auth with your username and password to send an email to any domain - if you don't you get error: 
> ...

 

Just redo the step with tcprules. Edit the config so that only 127.... is allowed to relay.

----------

## vult

 *petterg wrote:*   

> 
> 
> Just redo the step with tcprules. Edit the config so that only 127.... is allowed to relay.

 

Yup, it helped :] Thank you very very much  :Smile: 

----------

## anest

I got this error (on another side, from i try to send email):

PERM_FAILURE: SMTP Error (state 13): 511 Sorry, no mailbox here by that name (#5.1.1)

i did two times by this instruction, but get no luck   :Crying or Very sad: 

please help me figure it out

i think this can be a permissions problem but i can't find where it is.

----------

## petterg

 *anest wrote:*   

> I got this error (on another side, from i try to send email):
> 
> PERM_FAILURE: SMTP Error (state 13): 511 Sorry, no mailbox here by that name (#5.1.1)
> 
> i did two times by this instruction, but get no luck  :cry: 
> ...

 

Did you send to an existing mail address?

Are you able to send to the address from localhost? (i.e using webmail)

Are you able to send mail out?

Did you try to telnet your smtp server?

----------

## Uffe

petterg, great guide!

Do you or anyone else have a recommendation for automatically moving mail that gets tagged as spam into junk folders, within the mail environment configured using this guide?  I've seen some maildrop solutions and tinkered with one but it doesn't seem to work right due to "Unable to create a dot-lock" error.  I understand this means it's not finding the directory it's trying to deliver to, or it can't write to it, but I'm not sure what user maildrop would be running as.

Thanks in advance for any pointers around spam sorting solutions!

----------

## vult

Maybe it'll help someone:

I had problem with bayes autolearn=failed.

Needed to comment:

lock_method flock 

in /etc/mail/spamassassin/local.cf file.

Now bayes is learning without problems  :Smile: 

----------

## petterg

 *vult wrote:*   

> Maybe it'll help someone:
> 
> I had problem with bayes autolearn=failed.
> 
> Needed to comment:
> ...

 

Are any files related to the mailsystem accessed over NFS? (If so, that's why. Think I even mentioned it in the guide. Or at least it's in the manual)

----------

## vult

 *petterg wrote:*   

> 
> 
> Are any files related to the mailsystem accessed over NFS? (If so, that's why. Think I even mentioned it in the guide. Or at least it's in the manual)

 

No I don't use NFS. I have separate partition for domains but it's HW RAID only.

----------

## jrenraw

I've had qmail/vpopmail/courier-imap, smtp-auth, spamassassin, and clamav working for a long time (following this how-to) but after upgrading openssl from 0.9.8d to 0.9.8e-r2, SMTP-auth no longer worked and the client trying to send email would get an error.  I downgraded back to 0.9.8d and all is working normally.  The netqmail changelog indicates a fix with openssl 0.9.8e.  This is fixed in netqmail-1.05-r8.  It also appears to have some smtp-auth patches included.  Is anyone running netqmail-1.05-r8 and openssl-0.9.8e-r2 and will they work for this how-to?

----------

## xeon061

Hi there!

I need help or maybe a little input.

I updated from the so called "2006" version with all the stuff mentioned here. (Hopefully all use flags are set correctly )

After a few little problems, it seems to be ok. (Mail from outside is being fetched, qmail-scanner and the stuff seems to be running and working, but finally the mail is stuck in the mail queue)

```
 ....
Mon, 08 Oct 2007 06:13:24 CEST:8379: p_s: type is a size!
Mon, 08 Oct 2007 06:13:24 CEST:8379: p_s: skipping auto-generated file textfile0
Mon, 08 Oct 2007 06:13:24 CEST:8379: p_s:  finished scan of dir "/var/spool/qmailscan/tmp/linuxmail11918168047678379" in 0.02 secs
Mon, 08 Oct 2007 06:13:24 CEST:8379: scanloop: finished scan of "/var/spool/qmailscan/tmp/linuxmail11918168047678379"...
Mon, 08 Oct 2007 06:13:24 CEST:8379: ini_sc: scanning message took 0.021654 seconds
Mon, 08 Oct 2007 06:13:24 CEST:8379: q_r: fork off child into /var/qmail/bin/qmail-queue...
Mon, 08 Oct 2007 06:13:24 CEST:8379: q_r: xstatus=0
Mon, 08 Oct 2007 06:13:25 CEST:8379: qmail-scanner: Clear:RC:1(127.0.0.1):      0.03614 1482    blabla@mailadressblabla.de     jor@dom800.local     1234    <47099C1B.3050400@mailadressblabla.de> textfile0:5
Mon, 08 Oct 2007 06:13:25 CEST:8379: cleanup: /bin/rm -rf /var/spool/qmailscan/tmp/linuxmail11918168047678379/ /var/spool/qmailscan/working/new/linuxmail11918168047678379
Mon, 08 Oct 2007 06:13:25 CEST:8379: --- all finished. Total of 0.113461 secs
```

```
qmHandle -l
....
12386339 (11, L)
  Return-path: anonymous@linuxmail.dom800.local
  From: root@linuxmail.dom800.local (Cron Daemon)
  To: root@linuxmail.dom800.local
  Subject: Cron <root@linuxmail> test -x /usr/sbin/run-crons && /usr/sbin/run-crons
  Date: 8 Oct 2007 03:05:34 -0000
  Size: 626 bytes

12386371 (20, L)
  Return-path: balbla@mailadressblabla.de
  From: sicher <blabla@mailadressblabla.de>
  To: jor <lokal_address@lokalserver>
  Subject: 1234
  Date: Mon, 08 Oct 2007 04:55:23 +0200
  Size: 1813 bytes

Messages in local queue: 5
Messages in remote queue: 1
```

More info needed?

Thanks in advance...........

----------

## xeon061

Fixed the problem!

Re-emerged all the things but no solution.

Unmerged all with -C and moved the configuration files in an extra directory and emerged all again and it worked.

Maybe there was a wrong sign or entry in the configuration files.

Thanks a lot for the Guide!

----------

## x0b0h

Hi,

I've got a problem with user auth. I installed netqmail package as included in this guide, but there is a problem with user auth. It always gives auth error "Sending the password did not succeed. Mail Server mydomain.net responded: authorization failed" If I change username to an incorrect one, it gives me the following " This user has not &HOME/Maildir".

I guess there's a problem with userfile Mailboxes location or something like that...

I've clearly revised all related with vcheckpsw, and related stuff with no success... anyone could help please?

Thanks!

Cesc

 :Smile: 

----------

## jrenraw

Fyi...This took me a while to troubleshoot and resolve so hoping this info will help someone else.  For unknown reasons I started to get the below "Cannot allocate memory" errors whenever a new email came in and vpopchk.sh was run.

 *Quote:*   

> 
> 
> sudo:   qmaild : TTY=unknown ; PWD=/var/qmail ; USER=vpopmail ; COMMAND=/var/qmail/plugins/chkuser_pg/vpopchk.sh user domain.com
> 
> sudo: PAM unable to dlopen(/lib64/security/pam_cracklib.so)
> ...

 

I was able to resolve this by increasing the qmail SOFTLIMIT_OPTS in /var/qmail/control/conf-common.

I was at:

 *Quote:*   

> SOFTLIMIT_OPTS="-m 32000000"

 

and changed it to:

 *Quote:*   

> SOFTLIMIT_OPTS="-m 48000000"

 

Of course svscan needs to be restarted afterward for it to take effect.

 *Quote:*   

> /etc/init.d/svscan restart

 

----------

## petterg

 *x0b0h wrote:*   

> Hi,
> 
> I've got a problem with user auth. I installed netqmail package as included in this guide, but there is a problem with user auth. It always gives auth error "Sending the password did not succeed. Mail Server mydomain.net responded: authorization failed" If I change username to an incorrect one, it gives me the following " This user has not &HOME/Maildir".
> 
> I guess there's a problem with userfile Mailboxes location or something like that...
> ...

 

Does authentication work for the POP/IMAP login? Are you able to send/receive mails using the webmail?

----------

## Uriazh

I know this is redundant, but thanks for this awesome howto, I agree that it's one of the easiest qmail how to's out there, and yet it goes a wee bit under the surface unlike most I've read.

I just used it to upgrade a production server today and the only problem I'm having is that on and off users can't login, but get a "incorrect user/pass" regardless of what the user is trying to connect via (squirrelmail, evolution, roundcube (love that one), outlook or any other mailapp.), nor the protocol (imap(-ssl) or pop3(-ssl)).

The only error I can see is in /var/log/mail/current and it states:

```
Oct 29 19:38:53 [pop3d] Connection, ip=[::ffff:ipaddress]
Oct 29 19:38:53 [authdaemond] vmysql: sql error[3]: MySQL server has gone away
Oct 29 19:38:53 [pop3d] LOGIN FAILED, user=user@domain.tld, ip=[::ffff:ipaddress]
```

The only thing I can think of is courier-authlib, restarting it seems to fix the problem (users can log in straight away) but in a few minutes time users start getting the error again. Kinda like playing Russian roulette with mail..

Any thoughts on what could be the problem and/or how to fix this ?

----------

## vult

 *Uriazh wrote:*   

> I know this is redundant, but thanks for this awesome howto, I agree that it's one of the easiest qmail how to's out there, and yet it goes a wee bit under the surface unlike most I've read.
> 
> I just used it to upgrade a production server today and the only problem I'm having is that on and off users can't login, but get a "incorrect user/pass" regardless of what the user is trying to connect via (squirrelmail, evolution, roundcube (love that one), outlook or any other mailapp.), nor the protocol (imap(-ssl) or pop3(-ssl)).
> 
> The only error I can see is in /var/log/mail/current and it states:
> ...

 

Are you sure you have MySQL server up and running? Seems to be down for me.

----------

## Uriazh

It is up, I assure you, I've even been logged into MySQL via CLI when this error occurs.

It seems to me that once in a while the courier-authlib can't establish a connection to MySQL.

I've been googling like a maniac though, found this post which tells that the only workaround for this was to restart courier-authlib hourly, that seems to work for me too, but I'm not so keen on having part of the mailserver going down every hour.. =P

The courier-authlib init script restarts not only itself but courier-* (pop3d/-ssl and imapd/-ssl)

I saw on one thread a patch for this, but it was for a much older version of courier-authlib and so I didn't try to patch anything.

----------

## skydion

How can I turn on obligatory smtp auth? I have the following problem: when I connect to my smtp server over a telnet session

I can send mail without the auth command. I don't know how I can turn on this command?

----------

## petterg

 *skydion wrote:*   

> How can I turn on obligatory smtp auth? I have the following problem: when I connect to my smtp server over a telnet session
> 
> I can send mail without the auth command. I don't know how I can turn on this command?

 

I don't remember, but I'm sure it's stated in the guide. Just search for "auth" in the first post of this thread, and you'll find.

----------

## lmegliol

Are there any updates to this HOWTO for netqmail 1.05-r8?

Attempting to edit netqmail 1.05-r8.ebuild following the instructions in step 2 is no longer obvious.  The instructions say to look for "use ssl && append-flags -DTLS" and append some lines after that line.  But that line is now commented out of the ebuild file, and a comment states that "-DTLS is now set by the SSL/TLS patch".  Since I am just blindly following instructions to get this all working, I do not know the implications of these commented out lines.  Should I continue following the directions and insert the lines that are supposed to follow?

In any case, I have tried that using a fresh Gentoo install, and notlsbeforeauth will not show up on the "emerge -pv netqmail" command that is supposed to verify that the notlsbeforeauth is showing up.

For the record, PORTDIR_OVERLAY is correctly set and I have downloaded the patch.  (Is the patch still valid for r8?)

Thanks.

----------

## lmegliol

OK, so I decided to mask anything higher than the version of netqmail used in this thread.  I've followed all of the instructions to the letter.  Sending email works well.  But for some unknown reason, I cannot log in to POP3 or IMAP.  If I telnet into the POP3 port, I connect to the server.  When I give it the username and password, I get an error.  If I have my mail client try it, also an error.  I turned off iptables to be sure that there are no network problems.

I ran the following to test whether vpopmail has the correct password and is querying correctly:

```
printf "lmegliol@domain.com\0XXXXXXXX\0blah\0" | vchkpw `which id` 3<&0
```

(Obviously I used a real password.)

And the output of that command confirms that it is working correctly.  I've even reinstalled the entire OS, starting from scratch twice now, hoping that there is something that I have just done wrong.  But after all three installations, I end up with the same problem.  Logging into POP3 and IMAP does not work.  

My only thought now is that I only masked netqmail and not any of the other packages.  There may be something in one of the other packages that is causing the problem.  I will try to mask the others and hope for the best.

In the meantime, does anyone have any insights as to what the problem might be?

----------

## Erik Olofsson

I started getting errors in the qms-log_cron script today:

date: invalid date `2007-11-31'

This can be fixed by changing the relevant lines in 'qms-log_cron' to:

```
# Parse the current date
#datestr=`date`
#dom=`date --date="${datestr}" +%d`
#monthnum=`date --date="${datestr}" +%m`
#year=`date --date="${datestr}" +%Y`
#[ "${monthnum}" == "01" ] && monthnum="13" && let "year=${year}-1"
#let "monthnum=${monthnum}-1"
datestr=`date --date="-1 month" +"%a, %d %b %Y"`
```

----------

## maiku

With this configuration, would one be able to set spamassassin rules on a per-user basis?  For example, let's say one user wants to whitelist all messages from a domain or wants his spam score to be different from everybody else's?

----------

## vult

Hello,

sorry for OT but I know you are somehow connected to qmail and maybe you can help.

The question is how to ban some certain IP when they try to f.e. break into an account by bruteforcing the password. Log says that IP is trying to send email f.e. 20 times per second. Can I somehow block these tries?

Thanks in advance, and sorry again for OT.

----------

## stiret

Hello again,

I know it's been over a year since I posted on this, but I've just returned from Iraq and I would like to get rcptchk working if possible.  

```
ns1 chkuser_pg # ./vpopchk.sh notavaliduser notmydomain.com ; echo $? 
notavaliduser - notmydomain.com
111
ns1 chkuser_pg # ./vpopchk.sh notavaliduser mydomain.com ; echo $? 
notavaliduser - mydomain.com
40
ns1 chkuser_pg # ./vpopchk.sh validuser mydomain.com ; echo $? 
validuser - mydomain.com
0
ns1 chkuser_pg # ./vpopchk.sh validalias mydomain.com ; echo $? 
validalias - mydomain.com
4
```

Thanks,

Scott

----------

## petterg

I'm doing a new server install at the moment, and writing an updated guide while doing it. I don't have much time these days, so it's moving slow.

Some late reply to your questions:

stiret: Isn't the rcptchk running ok? Remember errorlevels are used to signal status. It's not like errorlevel != 0 equals error

vult:

I have a loganalyser running on my servers that detects bad password entries in the logfiles. When an IP has provided more than 3 bad passwords within 5 minutes it creates a rule in iptables to block that ip. It works with ssh, smtp, pop, imap and apache.

The idea was good. The problem is that iptables get too many rules and makes the whole system slow. I have no good ideas of how to implement a cleanup for iptables. Rules must be deleted after a while...

The other thing I'd like an implementation for is bounced spam - spammers using an address on my domain as sender when they send out spam. Hence my server gets thousands of bounced spammails, within a short period of time. All of them from different IPs. This kneels spamassassin and qmail starts to let mail through unchecked.

If anyone would like to work on this stuff, I'll be happy to assist.

maiku:

Yes, spamassassin supports individual userrules. Read the spamassassin manual. However, I don't know of any userfriendly interface to administrate this. It should be possible to make as a plugin to squirrelmail or qmailadmin. Actually I'd like most user settings available from squirrelmail... wonder if anyone has created plugins for such?
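
The threshold described above (more than 3 bad passwords within 5 minutes), as an added example that is not petterg's loganalyser: it reads courier LOGIN FAILED lines in the format quoted earlier in the thread and emits ipset commands, so bans live in one timed set behind a single iptables rule and expire without a cleanup job. The set name, ban length, year handling and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)    # from the post: "within 5 minutes"
MAX_FAILURES = 3                 # from the post: "more than 3 bad passwords"
BAN_SECONDS = 3600               # assumption: ban length before automatic expiry
SET_NAME = "mail_bruteforce"     # hypothetical ipset name

# One-time setup: one set whose entries expire on their own, one iptables rule.
SETUP = [
    f"ipset create {SET_NAME} hash:ip timeout {BAN_SECONDS}",
    f"iptables -I INPUT -m set --match-set {SET_NAME} src -j DROP",
]

# Constructed sample lines (documentation-range addresses).
SAMPLE_LOG = """\
Oct 29 19:38:53 [pop3d] LOGIN FAILED, user=a@example.org, ip=[::ffff:203.0.113.7]
Oct 29 19:39:10 [imapd] LOGIN FAILED, user=b@example.org, ip=[::ffff:203.0.113.7]
Oct 29 19:39:40 [pop3d] LOGIN FAILED, user=c@example.org, ip=[::ffff:198.51.100.20]
Oct 29 19:40:02 [pop3d] LOGIN FAILED, user=a@example.org, ip=[::ffff:203.0.113.7]
Oct 29 19:41:30 [pop3d] LOGIN FAILED, user=d@example.org, ip=[::ffff:203.0.113.7]
Oct 29 19:55:00 [pop3d] LOGIN FAILED, user=c@example.org, ip=[::ffff:198.51.100.20]
""".splitlines()

FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]{8}) \[[\w-]+\] LOGIN FAILED, '
    r'user=\S+, ip=\[(?:::ffff:)?(?P<ip>[0-9a-fA-F:.]+)\]')

def find_offenders(lines, year=2007):
    """Return (ip, time) for each IP at the moment it exceeds the threshold."""
    recent, banned_until, hits = defaultdict(deque), {}, []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if banned_until.get(ip, datetime.min) > ts:
            continue                      # still in the set, nothing to add
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:         # drop failures older than the window
            q.popleft()
        if len(q) > MAX_FAILURES:
            hits.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=BAN_SECONDS)
            q.clear()
    return hits

def ban_commands(hits):
    """-exist refreshes the timeout if the address is already in the set."""
    return [f"ipset -exist add {SET_NAME} {ip} timeout {BAN_SECONDS}" for ip, _ in hits]

if __name__ == "__main__":
    for cmd in SETUP + ban_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

A LOGIN FAILED line caused by a backend fault, such as the "MySQL server has gone away" case earlier in the thread, counts as a failure here too, so known client addresses may need an exemption.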

----------

## Erik Olofsson

The latest emerge left courier-authlib not being able to authenticate against vpopmail. The vpopmail support has been removed and according to this qmail and vpopmail are dying projects:

http://www.usenet-forums.com/courier-imap/392330-courier-users-courier-authlib-vpopmail.html

I was able to get it working again by adding to /etc/portage/package.mask:

```
>net-libs/courier-authlib-0.58
```

So the question is what are my options here... Is it easy to migrate the mailboxes to another server solution? Which solution should I aim for?

----------

## maiku

Try qmail without vpopmail.  It is supposed to be able to support virtual domains anyway.  Try emerging webmin to manage your mailboxes and aliases.

----------

## jiri.tyr

Try my HOW-TO:

https://forums.gentoo.org/viewtopic-t-706798-highlight-vpopmail+dovecot.html

----------

## vklimovs

It is possible to use latest versions of courier-authlib, if vpopmail is (was) using MySQL:

http://en.gentoo-wiki.com/wiki/Courier-authlib_with_MySQL

----------

## rockier

I created a new machine and when I installed netqmail everything looked ok but I could not receive e-mail through the pop3d.

I followed the steps in this thread. Thanks for the great help on this thread.

What I have found is the courier-authlib is not installing the libauthvchkpw files.

What I have done is copied them from another install and everything started working.

The big question is where are the files and how does one get them if they do not have another machine to get them from?

I hope this helps someone having the same problems.

----------

## vklimovs

 *Quote:*   

> The big question is where are the files and how does one get them if they do not have another machine to get them from? 

 

The authvchkpw is not maintained anymore, hence not installed. But you don't need that. See http://en.gentoo-wiki.com/wiki/Courier-authlib_with_MySQL

----------

