|[[tighar:root|linux setup notes]]|[[tighar:qmail|qmail command notes]]|

I'm working on getting qmail set up for [[http://tighar.org|TIGHAR]] on a Fedora 9 system. I'm taking the manly approach: configuring, making, installing, and configuring by hand. (//At times, I think I've had enough of manliness. Next time, I may well start with yum and see how far it can take me.//)

Besides qmail, I've installed:

  * [[http://www.hermes-project.com/|Hermes antispam proxy]]: couldn't get it working correctly. The way I had it set up, it was allowing everything to relay--that's not right!
  * [[http://www.inter7.com/index.php?page=vpopmail|vpopmail]]: working well.
  * [[http://www.courier-mta.org/imap/|Courier IMAP]]: taught me a lot about the linux world; then I found out that the author apparently [[http://osdir.com/ml/mail.qmail.vpopmail.devel/2008-05/msg00002.html|does not want to support qmail any longer]].
  * [[http://www.greylite.net/|greylite]]: no joy. It's possible that I've learned enough since then to make it work.
  * [[http://wiki.dovecot.org|Dovecot]]: working well.
  * [[http://sourceforge.net/projects/qmailadmin/|qmailadmin]]: working well. Does what it is supposed to do. Old school interface.

====== Helpful links ======

These links are here to help me keep track of what I'm doing.

  * [[http://www.lifewithqmail.org/|Dave Sill's "Life with Qmail"]]
  * [[http://www.ornl.gov/lists/mailing-lists/qmail/|qmail mailing list]]
  * [[http://tech.groups.yahoo.com/group/djb-qmail/?refstop=1|djb-qmail Yahoo group]]
  * [[http://securepoint.com/lists/html/Qmail/]]
  * [[http://cr.yp.to/qmail.html|the official qmail home page]]
  * [[http://www.qmail.org|the unofficial qmail home page]]. Contains lots of information about add-ons and patches, and links to many good qmail web pages on other sites.
  * [[http://www.flounder.net/qmail/qmail-howto.html|Adam McKenna's HOWTO]].
  * [[http://qmailwiki.org/index.php/Main_Page|qmail wiki]]
  * [[http://forum.qmailrocks.org/index.php|qmailrocks]]
  * [[http://qmail.jms1.net/|John Simpson's site with monster patch.]]
  * [[http://marc.info/?l=qmail|searchable archive for the qmail mailing list.]]

===== Source files =====

The fundamentals:

  * qmail: [[http://www.qmail.org/netqmail-1.06.tar.gz]]
  * ucspi-tcp: [[http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz]]
  * daemontools: [[http://cr.yp.to/daemontools/daemontools-0.76.tar.gz]]

Add-ons:

  * smtp-auth patch: [[http://www.shupp.org/smtp-auth-tls/]]
  * courier-imap: [[http://www.courier-mta.org/imap/]]

====== Some lessons learned ======

===== qmail =====

==== Two books are better than one ====

I've got Dave Sill's //qmail Handbook// as well as John R. Levine's //qmail//. Both have been helpful.

==== Don't mess with directory permissions ====

Qmail and vpopmail are very sensitive to ownership and permissions. I don't know how I messed things up as badly as I did, but I spent a couple of worried hours finding out what would work. The great breakthrough was the suggestion someone made to su to vpopmail and try changing directories. I made great progress after that.

Don't ''chmod -R'' qmail or vpopmail directories. You'll be sorry! I was anyway.

==== Starting svscan without rebooting ====

After following all of Dave's instructions, nothing was happening. I had to run ''/command/svscanboot &'' to kick things off. Worked like a charm. Folks who know linux know stuff like that. They don't have to go searching for it.

==== Fake MTA? ====

  * [[http://toaster.godshell.com/index.php/Software/FakeMTA]] is designed to protect qmail from overly aggressive updating that might try to install sendmail. I don't know whether I need it or not. It does install and uninstall OK.
  * [[http://qmail.jms1.net/fake-smtp.shtml|John Simpson's take on the issue and his version of FakeMTA.]]
  * For now, I've just set **/etc/yum.conf** to ignore updates for sendmail:

<code>
exclude=php* sendmail*
</code>

==== What does that ampersand mean? ====

This must be another thing that's just so obvious that nobody talks about it. In a .qmail file, ''&moleski@canisius.edu'' means "forward mail to that address." A line in the .qmail file without an ampersand means "deliver directly to that mailbox on the local system." At least that's how it seems to me. The books and websites sometimes use the ampersand and sometimes don't--without explaining what they're doing.

I wanted to be able to have one copy left in my Maildir and one sent elsewhere. This .qmail in my home directory did the trick:

<code>
#
./Maildir/
&martin.moleski@gmail.com
</code>

==== iptables (firewall) and qmail ====

I had to fool around with the firewall--there seemed to be some odd interactions.

  * Open port 110 for the POP server:

<code>
-A OUTPUT -s 173.45.236.139/32 -p tcp -m tcp --sport 110 --dport 1024:65535 -m state --state
</code>

  * Open port 2525 for Hermes:

<code>
-A INPUT -p tcp -m tcp --dport 2525 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
</code>

  * Open port 3306 for mysql:

<code>
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
</code>

==== Getting svscan to start after a reboot (Fedora 9) ====

I tried using "yum install" on daemontools. The installation script ends by saying, "Adding svscanboot to inittab... init should start svscan now." But in Fedora, inittab has been usurped by Upstart:

  * [[http://fxp0.org.ua/2006/oct/28/upstart-and-daemontools-ubuntu-edgy-eft/|Write a script for Upstart to use.]]
  * [[http://www.nabble.com/Fedora-9-deamontools-td19013868.html|Fedora 9 daemontools]]

===== vpopmail =====

==== cron job for clearopensmtp ====

**/etc/cron.hourly/clearopensmtp.cron**

<code bash>
#!/bin/bash
/home/vpopmail/bin/clearopensmtp
</code>

==== set sticky bit for vchkpw ====

[[http://blog.kurthbemis.com/2008/11/24/vpopmail-netqmail-106-and-smtp-auth-patches/]]

<code bash>
chown vpopmail:vchkpw ~vpopmail/bin/vchkpw
chmod 4711 ~vpopmail/bin/vchkpw
chmod u+s ~vpopmail/bin/vchkpw
</code>

==== vchkpw "can't write SQL logs" ====

In the daemontools log, the associated error message is: "vmysql: can't read settings from /home/vpopmail/etc/vpopmail.mysql". **~vpopmail/etc/vpopmail.mysql** is where the configuration is written for vpopmail to access the MySQL database. Relaxing permissions on that file lets vchkpw access the file for smtp-auth.

==== "vpopmail user not found" ====

Reset the sticky bit on vchkpw (see above).

==== vchkpw fails ====

Error message: ''setgid 89 failed errno 1''.

[[http://www.mail-archive.com/vchkpw@inter7.com/msg11497.html|Peter Palmreuther]]: "Either you compiled vpopmail with user vpopmail belonging to group with ID 89 and changed the group id some times later or vchkpw is executed with a UID not allowed to setgid(89)."

[[http://qmail.jms1.net/scripts/vfixpermissions|John Simpson's vfixpermissions script]] solves this problem--//but hexes imap-auth!//

What I did as a workaround was to change the ownership of **/home/vpopmail/bin/vchkpw** to root (''chown root.root vchkpw'') as well as setting the sticky bit (''chmod 4711 vchkpw'').

The problem is to satisfy the demands of two different contexts with a single set of ownerships and permissions:

  * vchkpw for IMAP and POP access to mailboxes.
  * vchkpw for SMTP-auth to send mail from remote computers--needs to setuid and setgid to execute the next program.

I don't understand the problem. It does seem that vchkpw sets its uid and gid to 89 (otherwise, where else would the error message in the MySQL log come from?), so once it reaches that part of the program, security is restored. I suppose what I really need to do is go read some code. **vchkpw.c** suggests that the //setgid// command is preparatory for executing the next program in line after //vchkpw//:

<code c>
/* The user is authenticated, now setup the environment */

/* Set the program's effective group id */
if ( ConnType != SMTP_CONN && setgid(pw_gid) == -1 ) {
    snprintf(LogLine, sizeof(LogLine), "%s: setgid %lu failed errno %d %s@%s:%s",
             VchkpwLogName, (long unsigned)pw_gid, errno, TheUser, TheDomain, IpAddr);
    vlog(VLOG_ERROR_INTERNAL, TheUser, TheDomain, ThePass, TheName, IpAddr, LogLine);
    vchkpw_exit(4);
}

/* Set the program's effective user id */
if ( ConnType != SMTP_CONN && setuid(pw_uid) == -1 ) {
    snprintf(LogLine, sizeof(LogLine), "%s: setuid %lu failed errno %d %s@%s:%s",
             VchkpwLogName, (long unsigned)pw_uid, errno, TheUser, TheDomain, IpAddr);
    vlog(VLOG_ERROR_INTERNAL, TheUser, TheDomain, ThePass, TheName, IpAddr, LogLine);
    vchkpw_exit(5);
}
</code>

In the case of the run file I'm using to start tcpserver on port 465, the 'program' to be executed is ''/bin/true''--in other words, no program at all.

These are the sticky bit settings I tried that didn't solve the problem:

|4711|setuid bit is set|
|6711|setuid and setgid bits are set|
|7711|setuid, setgid, sticky bits are set|

([[http://www.zzee.com/solutions/linux-permissions.shtml|All about linux permissions]].)

I didn't try 1711, 2711, 3711, or 5711. Who knows? Maybe one of those would work.

===== courier imap =====

==== Upstart script for authdaemond ====

[[http://www.courier-mta.org/authlib/INSTALL.html]]

Location: /etc/rc.d/init.d/courier-authlib

Test the script: /etc/rc.d/init.d/courier-authlib start

I think this came out of my (failed) experiments with building the RPMs. It's a nice script.

<code bash>
#!/bin/sh
#
# chkconfig: 2345 15 85
# description: Authlib - Courier authentication library.
#
# modified by MXM, SJ to match output from source files

prefix="/usr"
exec_prefix="/usr"
sysconfdir="/etc"
sbindir="/usr/local/sbin"

if test ! -f /usr/local/etc/authlib/authdaemonrc
then
    echo "/usr/local/etc/authlib/authdaemonrc does not exist, forgot make install-configure?"
    exit 1
fi

case "$1" in
start)
    cd /
    # Start daemons.
    touch /var/lock/subsys/courier-authlib
    echo -n "Starting Courier authentication services:"
    $sbindir/authdaemond start
    echo " authdaemond"
    ;;
stop)
    echo -n "Stopping Courier authentication services:"
    $sbindir/authdaemond stop
    echo " authdaemond"
    rm -f /var/lock/subsys/courier-authlib
    ;;
restart)
    $0 stop
    $0 start
    ;;
reload)
    echo -n "Starting Courier authentication services:"
    $sbindir/authdaemond restart
    echo " authdaemond"
    ;;
esac
exit 0
</code>

==== Contents of "Readme Now or Suffer" ====

The very best laugh I've had this week.

<code>
**************************************************************
Resist the urge to just run configure, make, then make install
**************************************************************

Read INSTALL (the first half of it is good enough), and follow
it to the letter.  I mean it.  I am not kidding.
</code>

(Many fruitless hours later): Well, I was warned ...

This [[http://www.howtoforge.com/installing-courier-imap-courier-authlib-maildrop-fedora-redhat-centos|How to Forge article]] seems to be working better than anything I tried. I had gotten the authlib installed without any difficulty but couldn't pass the "make check-am" test no matter what I tried. It's probably because I'm on an x64 system. Or because I missed the one key line in the INSTALL that makes all the difference.

//Curses, foiled again!//

<code>
/bin/sh ./smaptestsuite | ./testsuitefix.pl | sort | cmp -s - ./smaptestsuite.txt
make[2]: *** [check-am] Error 1
make[2]: Leaving directory `/usr/src/redhat/BUILD/courier-imap-4.5.1/imap'
make[1]: *** [check] Error 2
make[1]: Leaving directory `/usr/src/redhat/BUILD/courier-imap-4.5.1/imap'
make: *** [check-recursive] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.19598 (%build)

RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.19598 (%build)
</code>

Back to compiling from the source. Looked intently at where make check was failing. Searched. Found that I could configure without SMAP. Passed the make check test!

<code bash>
./configure \
  --with-mailuser=courier \
  --with-mailgroup=courier \
  --with-mysql-libs=/usr/lib64/mysql \
  --with-mysql-includes=/usr/include/mysql \
  --with-authmysql --with-authmysql=yes \
  --with-authvchkpw \
  --without-authldap \
  --without-smap
</code>

==== Missing paren in courier-authlib README ====

/usr/local/src/courier-authlib-0.62.4/README.authmysql.html left a closing paren out of the SQL query.

<code sql>
CREATE TABLE passwd (
  id char(128) DEFAULT '' NOT NULL,
  crypt char(128) DEFAULT '' NOT NULL,
  clear char(128) DEFAULT '' NOT NULL,
  name char(128) DEFAULT '' NOT NULL,
  uid int(10) unsigned DEFAULT '65534' NOT NULL,
  gid int(10) unsigned DEFAULT '65534' NOT NULL,
  home char(255) DEFAULT '' NOT NULL,
  maildir char(255) DEFAULT '' NOT NULL,
  defaultdelivery char(255) DEFAULT '' NOT NULL,
  quota char(255) DEFAULT '' NOT NULL,
  options char(255) DEFAULT '' NOT NULL,
  KEY id (id(128))
);
</code>

===== Dovecot =====

===== qmailadmin =====

==== Missing Forwards after Qmailadmin upgrade ====

I started with qmailadmin-1.2.0, then upgraded it to qmailadmin-1.2.12. 1.2.0 showed the vpopmail .qmail-{name} aliases correctly--it was thrilling! After the upgrade, none of the forwards were visible to me, but I could not redefine them. Qmailadmin knew they were there. I think the problem is that I compiled qmailadmin with valias. At a guess, 1.2.0 was more relaxed about mixing the old system with the new.

I just deleted all of the .qmail-{name} files //that I so laboriously created from the linux alias file earlier this week,// and then re-entered them through qmailadmin, one at a time. For multiple forwarding addresses, first create an alias with one forwarding address; then edit it and tack on another address as needed until the forwarding list is complete.

===== ucspi-ssl -- sslserver =====

==== EXTERN.h not in include path ====

package/compile for ucspi-ssl-0.70 stops with this error: "EXTERN.h: No such file or directory".

EXTERN.h is here: **/usr/lib64/perl5/5.10.0/x86_64-linux-thread-multi/CORE/**

They say it is a [[http://www.network-theory.co.uk/docs/gccintro/gccintro_21.html|common problem.]] I'm hoping that a symlink from the real location to the default search directories might solve the problem. But right now, it's nap time!

<code bash>
ln -s /usr/lib64/perl5/5.10.0/x86_64-linux-thread-multi/CORE/ /usr/lib/perl5
</code>

Nope. Still not found. Time to read some source code. It's not complicated. All it says is to include EXTERN.h.

<code bash>
ln -s /usr/lib64/perl5/5.10.0/x86_64-linux-thread-multi/CORE/EXTERN.h \
  /usr/local/src/ucspi-ssl+tls/host/superscript.com/net/ucspi-ssl-0.70/src/EXTERN.h
</code>

OK. In src/conf-perl, this line worked to get the message across:

<code>
perl -I/usr/lib64/perl5/5.10.0/x86_64-linux-thread-multi/CORE/EXTERN.h
</code>

Then the error message showed that the message was received:

<code>
@INC contains: /usr/lib64/perl5/5.10.0/x86_64-linux-thread-multi ...
</code>

Another part of the error messages suggested I needed another RPM.

<code bash>
yum install perl-ExtUtils-Embed
</code>

That got rid of one error message. Still no joy with EXTERN.h. Get rid of my links before I forget about them:

<code bash>
rm /usr/local/src/ucspi-ssl+tls/host/superscript.com/net/ucspi-ssl-0.70/src/EXTERN.h
rm /usr/lib/perl5/CORE
</code>

Took the -I parameter out of conf-perl. Then it worked, albeit with some warnings. "O, great mystery of being!"
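As an added example (not vpopmail's code and not something from these notes), the Python script below decodes the octal modes from the table in the vchkpw section above (4711, 6711, 7711) into their setuid/setgid/sticky meaning, and audits a file the way one would check ~vpopmail/bin/vchkpw before trusting it: it reports a missing setuid bit, an unexpected owner, and group or world writability, the last two being what turns a setuid helper from merely broken into a way for any local user to run code as its owner. The temporary file it creates stands in for vchkpw, and using the current user as the expected owner is a convenience of the demo; for the real binary you would pass the uid you expect (0 for root, as in the workaround above).

```python
"""Decode and audit the permission bits of a setuid helper such as vchkpw.

Added example, not vpopmail's code. The leading octal digit of a mode such
as 4711 carries setuid (4), setgid (2) and sticky (1); the other three
digits are the usual owner/group/other rwx bits.
"""
import os
import stat
import tempfile

SPECIAL_BITS = (
    (stat.S_ISUID, "setuid"),
    (stat.S_ISGID, "setgid"),
    (stat.S_ISVTX, "sticky"),
)


def decode_mode(mode):
    """Split a mode such as 0o4711 into its special bits and rwx triplets."""
    def rwx(shift):
        bits = (mode >> shift) & 0o7
        return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")

    return {
        "octal": format(stat.S_IMODE(mode), "04o"),
        "special": [name for bit, name in SPECIAL_BITS if mode & bit],
        "owner": rwx(6),
        "group": rwx(3),
        "other": rwx(0),
    }


def audit_setid_helper(path, expected_owner_uid=0):
    """Return findings for a binary meant to run setuid; an empty list means it looks right.

    A setuid binary that someone other than its owner can overwrite lets that
    someone run code as the owner, so writability is reported alongside a
    missing setuid bit and a wrong owner.
    """
    st = os.stat(path)
    info = decode_mode(st.st_mode)
    findings = []
    if st.st_uid != expected_owner_uid:
        findings.append("owner uid is %d, expected %d" % (st.st_uid, expected_owner_uid))
    if "setuid" not in info["special"]:
        findings.append("setuid bit is not set")
    if "w" in info["group"]:
        findings.append("group-writable")
    if "w" in info["other"]:
        findings.append("world-writable")
    return findings


def audit_mode_on_temp_file(mode):
    """Create a throwaway file with the given mode and audit it as if it were vchkpw.

    The file stands in for ~vpopmail/bin/vchkpw (an assumption of this demo);
    the expected owner is the current user because the file is created here
    rather than installed by root.
    """
    fd, path = tempfile.mkstemp(prefix="vchkpw-demo-")
    os.close(fd)
    try:
        os.chmod(path, mode)
        return audit_setid_helper(path, expected_owner_uid=os.getuid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode in (0o4711, 0o6711, 0o7711):
        print(format(mode, "04o"), decode_mode(mode))
    print("4711 findings:", audit_mode_on_temp_file(0o4711))
    print("4733 findings:", audit_mode_on_temp_file(0o4733))
```

Run it as-is to see the three modes decoded and the audit of a correctly set and a writable file; point `audit_setid_helper` at the real path with `expected_owner_uid=0` to check the root-owned workaround described above.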
===== testing qmail installation =====

==== My ISP blocks port 25 ====

This was a big //**DOH!**// I kept trying to test the new sslserver by telnetting from home. It looked like it was dead in the water--no response whatsoever. I played with the site firewall (iptables). I played with my own firewall (Vista SP2). I don't know how many combinations of Thunderbird setup I tried for configuring the SMTP server. Hours went by in obsessive-compulsive efforts to find out what I had done wrong. The butler did it! {insert string of expletives}

==== qmail smtpd log says: "status 25600" ====

=== The problem: connection denied ===

Trying to test Simpson's qmail recipe, I would telnet localhost 25 and get the expected dialogue. Then I would try to telnet to the domain on port 25 and not get connected. In the /var/log/qmail/smtpd/current log, the transaction looked like this immediately after restarting qmail using ''qmailctl restart'':

<code>
@400000004a59f0b034b5bc7c command-line: exec tcpserver -vR -l tighar.tighar.org -c 30 -u 511 -g 508 -x /home/vpopmail/etc/tcp.smtp.cdb 0 25 recordio qmail-smtpd 2>&1
@400000004a59f0b034f2c964 tcpserver: status: 0/30
@400000004a59f0ba172da5ac tcpserver: status: 1/30
@400000004a59f0ba172da5ac tcpserver: pid 2787 from 173.45.236.139
@400000004a59f0ba172da5ac tcpserver: deny 2787 tighar.tighar.org:173.45.236.139:25 mail.tighar.org:173.45.236.139::40508
@400000004a59f0ba172da5ac tcpserver: end 2787 status 25600
@400000004a59f0ba172da5ac tcpserver: status: 0/30
</code>

If status is other than 0, [[http://book.opensourceproject.org.cn/mail/qmail/qmailhand/opensource/5952/fos0048.html|then it indicates an error]].

Looking at the same transaction from the other side, ''telnet tighar.org 25'' failed immediately with "Connection closed by foreign host."

=== The solution: fix cdb ===

When I was having trouble configuring qmail last week, I set up **/home/vpopmail/etc/tcp.smtp** to deny all connections other than localhost. I forgot that I had done that.

Somewhere along the line, trying to simplify matters and reduce the number of variables in the situation, I had removed the //"-x /home/vpopmail/etc/tcp.smtp.cdb"// parameter from the **/var/qmail/supervise/qmail-smtpd/run** file, so that the only control on relaying came from the **/var/qmail/control/rcpthosts** file.

When I compiled and installed John Simpson's version of qmail, I restored the //"-x /home/vpopmail/etc/tcp.smtp.cdb"// parameter. It pointed to the .cdb compiled from **.../tcp.smtp**:

<code>
# The active tcp.smtp text file and compiled .cdb are:
#   /home/vpopmail/etc/tcp.smtp
#   /home/vpopmail/etc/tcp.smtp.cdb
#
# This rule file is meant to be compiled with:
#
#   cat /home/vpopmail/etc/tcp.smtp | tcprules /home/vpopmail/etc/tcp.smtp.cdb /tmp/tcpsmtp.cdb
#
# and meant to be used by tcpserver with the -x argument:
#
#   tcpserver -x /home/vpopmail/etc/tcp.smtp.cdb ...
#
#   http://cr.yp.to/ucspi-tcp/tcprules.html
#   http://cr.yp.to/ucspi-tcp/tcprulescheck.html
#
#   tcprulescheck /home/vpopmail/etc/tcp.smtp.cdb
#
# tcpserver is called by /service/qmail-smtpd/run
#
# then use "qmailctl restart" to make the new cdb take effect
#
127.:allow,RELAYCLIENT=""
=:deny
</code>

As a consequence, following **//my//** instructions, the smtp daemon denied all connections to everybody else but localhost.

I understand why some of the qmail gurus dislike new qmail users. This problem was entirely of my own making. I shot myself in the foot. There are many different ways to do that with qmail. Ah, well. Nothing to do but forge ahead. qmail //does// work. The problem isn't qmail; my problem is me.

===== svc stop/start and svstat =====

I'm learning how to set up a svs script that will call qmail-smtpd for smtp-auth using vchkpw.

|svc -u /service/qmail-tls|start|
|svc -d /service/qmail-tls|stop|
|svstat /service/qmail-tls|status|

==== qmailctl ====

**/var/qmail/bin/qmailctl** is a script that provides the proper //svc// calls to start, stop, and report the status of various and sundry qmail components.

===== Simpson's Big Patch & smtp-auth =====

  * [[http://qmail.jms1.net/smtp-service.shtml|Simpson: "Setting up an SMTP Service."]]
  * [[http://www.gossamer-threads.com/lists/qmail/users/136192|Simpson is mildly critical of the code that is giving me segfaults]]: "the fact is that the STARTTLS patch for qmail-smtpd, which puts the SSL code into qmail-smtpd itself, has been working for myself and for thousands of others, for several years."

===== Qmail-TLS patch =====

  * [[http://inoa.net/qmail-tls/|patch page]]

This works with netqmail 1.06, although it is labeled for 1.05.

**/var/qmail/control/servercert.pem** and **/var/qmail/control/clientcert.pem** must contain both the //unencrypted// private key as well as the certificate:

<code>
-----BEGIN RSA PRIVATE KEY-----
... actual contents of unencrypted private key go here ...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
... actual contents of certificate go here ...
-----END CERTIFICATE-----
</code>

The private key has to be unencrypted so that the server can use it without waiting for someone to enter the password for the key.

==== compiler errors ====

<code>
qmail-smtpd.c:122: error: conflicting types for 'protocol'
qmail-smtpd.c:35: error: previous definition of 'protocol' was here
qmail-smtpd.c: In function 'main':
qmail-smtpd.c:1020: warning: return type of 'main' is not 'int'
make: *** [qmail-smtpd.o] Error 1
</code>

Adding this line early on in qmail-smtpd.c solves the problem of the return type for main (I think):

<code c>
void main(int argc,char **argv);
</code>

The protocol variable looked like this (after a patch):

<code c>
const char *protocol = "SMTP";
</code>

I changed it to:

<code c>
char *protocol = "SMTP";
</code>

==== testing Qmail-TLS ====

<code>
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 tighar.tighar.org ESMTP
ehlo
250-tighar.tighar.org
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN
starttls
220 ready for tls
^]
telnet> quit
Connection closed.
</code>

===== qmail toaster =====

  * [[http://www.qmailtoaster.com/|home page]]
  * [[http://wiki.qmailtoaster.com/index.php/Main_Page|Documentation and wiki]]

====== Log ======

^ date ^ Milestone ^
|2009-06-29|Logged in at 8:47 PM and started obeying instructions.|
|2009-06-30|3:01 AM: first e-mail received and delivered to my Maildir at TIGHAR. Later in the day: Hermes and qmail working; sendmail, xinetd, & milter-greylist removed|
|2009-07-01|First piece of mail retrieved from qmail and vpopmail.|
|2009-07-02|Did an exceedingly manly build of courier auth & imap. Both demons seem to run. Not tested.|
|2009-07-03| |
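For the "fix cdb" section above, here is an added example (not from these notes and not ucspi-tcp's own code): a small Python model of how ''tcpserver -x'' consults a tcp.smtp rule set, so the rules can be walked through for a given client before tcprules compiles them and ''qmailctl restart'' makes them live. It follows the lookup order documented on the tcprules page (exact IP, then =host, then IP prefixes ending in a dot, then =.host suffixes, then =, then the empty key) but leaves out the $TCPREMOTEINFO lookups, which the run file above disables with -R anyway; treating = as consulted only when the client's host name resolved is an assumption. The two rule sets are constructed: the deny-everyone-but-localhost one that caused the problem, and the usual Life with qmail shape, where the empty key lets anyone connect while only 127. gets RELAYCLIENT (and so relay permission). It also decodes the "status 25600" line from the log: that number is a wait status, and its high byte, 100, is the child's exit code.

```python
"""Evaluate a tcp.smtp rule set the way tcpserver -x consults its compiled cdb.

Added example; not from the notes and not ucspi-tcp's own code. Lookup order
follows http://cr.yp.to/ucspi-tcp/tcprules.html minus the $TCPREMOTEINFO keys.
"""
import re

# Constructed copies of the two rule sets discussed in the notes.
RULES_DENY_ALL_BUT_LOCALHOST = '''
# compiled into /home/vpopmail/etc/tcp.smtp.cdb by tcprules
127.:allow,RELAYCLIENT=""
=:deny
'''

RULES_RELAY_LOCALHOST_ONLY = '''
127.:allow,RELAYCLIENT=""
:allow
'''

# The "end" line from the smtpd log above; 25600 is a wait(2) status.
LOG_LINE = "@400000004a59f0ba172da5ac tcpserver: end 2787 status 25600"


def parse_rules(text):
    """Map each address key to (action, env) from 'addr:action[,VAR="value"...]' lines.

    Quoted values are taken literally; tcprules' backslash escapes are not handled.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        action, *assignments = rest.split(",")
        env = {}
        for assignment in assignments:
            name, _, value = assignment.partition("=")
            env[name.strip()] = value.strip().strip('"')
        rules[addr] = (action.strip(), env)
    return rules


def lookup_keys(ip, host=None):
    """Keys tcpserver tries, in order, for a client at ip (and host, if it resolved)."""
    keys = [ip]
    if host:
        keys.append("=" + host)
    octets = ip.split(".")
    for n in range(len(octets) - 1, 0, -1):
        keys.append(".".join(octets[:n]) + ".")      # 173.45.236. then 173.45. then 173.
    if host:
        labels = host.split(".")
        for n in range(1, len(labels)):
            keys.append("=." + ".".join(labels[n:]))  # =.tighar.org then =.org
        keys.append("=")  # assumption: only consulted when a host name is known
    keys.append("")
    return keys


def evaluate(rules, ip, host=None):
    """Return (action, env, matched_key); with no match tcpserver allows and sets nothing."""
    for key in lookup_keys(ip, host):
        if key in rules:
            action, env = rules[key]
            return action, env, key
    return "allow", {}, None


def decode_tcpserver_end(line):
    """Parse 'tcpserver: end PID status N' into (pid, exit_code, signal)."""
    m = re.search(r"tcpserver: end (\d+) status (\d+)", line)
    if not m:
        return None
    pid, status = int(m.group(1)), int(m.group(2))
    return pid, (status >> 8) & 0xFF, status & 0x7F


if __name__ == "__main__":
    for name, text in (("deny-all-but-localhost", RULES_DENY_ALL_BUT_LOCALHOST),
                       ("relay-localhost-only", RULES_RELAY_LOCALHOST_ONLY)):
        rules = parse_rules(text)
        for ip, host in (("127.0.0.1", "localhost"), ("173.45.236.139", "mail.tighar.org")):
            print(name, ip, evaluate(rules, ip, host))
    print(decode_tcpserver_end(LOG_LINE))
```

With the first rule set the remote client from the log matches = and is denied, which is exactly the "deny 2787" line; with the second it falls through to the empty key, is allowed, and gets no RELAYCLIENT, so rcpthosts still decides whether qmail-smtpd will accept mail for a given recipient.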
====== pix ======
=== POP working ===

{{:blog:pop-success.png|}}

=== qmail admin ===

{{:blog:qmailadmin.png|}}

=== IMAP ===

{{:blog:imap-success.png|}}

=== both IMAP and POP available ===

{{:blog:imaps-pops-success.png|}}

=== SMTP-AUTH (sending mail) ===

<code>
2009-07-14 08:29:20 info msg 286044: bytes 638 from
08:29:20 starting delivery 3: msg 286044 to remote moleski@canisius.edu
08:29:31 delivery 3: success: ...
</code>
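For the Qmail-TLS section above, here is an added Python check (not from these notes or from the patch) for a servercert.pem in the layout shown there: it lists the PEM blocks in the file, confirms that a certificate and a private key are both present, flags a key that is stored encrypted (a PKCS#8 "ENCRYPTED PRIVATE KEY" label, or the legacy "Proc-Type: 4,ENCRYPTED" header) since the daemon could not load that without a passphrase prompt, and separately tests whether a file mode leaves the unencrypted key readable by other users. The three sample files are constructed with placeholder bodies, not real key material.

```python
"""Check a servercert.pem of the layout above: private key block, then certificate block.

Added example; not part of the notes or of the qmail-tls patch.
"""
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

# Constructed sample files; the bodies are placeholders, not real key material.
GOOD_PEM = """-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERKEYMATERIAL
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATE
-----END CERTIFICATE-----
"""

ENCRYPTED_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDERKEYMATERIAL
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATE
-----END CERTIFICATE-----
"""

CERT_ONLY_PEM = """-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATE
-----END CERTIFICATE-----
"""


def pem_blocks(text):
    """Return [(label, body)] for every PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(label, body):
    """PKCS#8 encrypted keys carry the label; legacy OpenSSL keys carry a Proc-Type header."""
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body


def check_servercert(text):
    """Return the problems found; [] means a certificate and an unencrypted key are present."""
    problems = []
    blocks = pem_blocks(text)
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no private key block")
    for label, body in keys:
        if key_is_encrypted(label, body):
            problems.append("private key is encrypted; the daemon cannot load it unattended")
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no certificate block")
    return problems


def key_readable_by_others(mode):
    """True when the 'other' read bit is set: an unencrypted key in such a file is exposed to every local user."""
    return bool(mode & 0o004)


if __name__ == "__main__":
    for name, text in (("good", GOOD_PEM), ("encrypted", ENCRYPTED_KEY_PEM), ("cert-only", CERT_ONLY_PEM)):
        print(name, check_servercert(text) or "ok")
    print("0o640 readable by others:", key_readable_by_others(0o640))
    print("0o644 readable by others:", key_readable_by_others(0o644))
```

To use it on the real file, read /var/qmail/control/servercert.pem into a string and pass it to `check_servercert`, and pass `os.stat(path).st_mode` to `key_readable_by_others`; which user and group should be able to read the file depends on the uid the patched qmail-smtpd runs as, which the notes do not pin down.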
====== Note to Dave Sill ======

"Dave, if you ever read this message, let me offer you my undying thanks for everything you've done for qmail over the years" ([[http://qmail.jms1.net/scripts/service-qmail-smtpd-run.shtml|John Simpson]]).

====== Yes, but ======

===== vpopmail clearopensmtp problem =====

This really doesn't bother me any more. I set up the clearopensmtp cron job an eternity ago when I was following the old "POP before SMTP" path for SMTP authentication. I'm now headed toward STARTTLS & vchkpw for smtp-auth.

  * [[http://bugs.gentoo.org/44080]]

====== Modify quotas ======

''cd /usr/local/src/vpopmail-5.4.27/''

''./vmoduser -q NOQUOTA tighar.org''

OR

''./vmoduser -q NOQUOTA someone@tighar.org''

Ignore quotas for tighar.org. //I'm doing this because I didn't patch something to have the quotas work right--stuff wasn't getting subtracted when e-mail was deleted.//

====== Tighten Dovecot security -- imaps & pop3s ======

  * [[http://wiki.dovecot.org/SSL/DovecotConfiguration]]

====== Up next ======

  * Force https login for SquirrelMail.
  * John Simpson's [[http://qmail.jms1.net/scripts/jgreylist.shtml|greylist component]]
  * Update the list of source files