Nasim Mansurov

I wrote this guide for a couple of reasons. First, the existing qmail guides that I've found on the net did not provide a complete qmail solution. My first qmail installation was such a pain for me, that I had to go through a tough qmail learning process (yes, qmail can sometimes be a real pain, especially for newbies) and discover some things by myself. Of course, such great Internet resources as mailing lists and other qmail contributions made my life a lot easier :-) Konstantin Riabitsev's "Qmail-Vmailmgr-Courier-Squirrelmail Installation Guide" was the first guide that really helped me out. That's where I borrowed some stuff from while writing this guide -- of course, with his agreement. Second, I simply love qmail and would like to contribute to its development, even a little bit. Third, I think that many admins out there will find this guide useful and practical. And fourth, every once in a while I do install qmail on different servers for various reasons and I simply got tired of carrying installation notes with me all the time. So, in a way, this guide is for myself too ;-)

Full Qmail Installation and Configuration Guide
or
Qmail + Vmailmgr + Tcpserver + RBL + SpamAssassin + Relay-CTRL + Qmail-Scanner + Courier IMAP Guide + POP3S + SMTPS

1) Who should use this guide?
Anyone who wants to install a complete qmail solution.

2) Can this guide be used for productive systems i.e. big servers?
It sure can. I've done some qmail installations in productive environments with many simultaneous users. And it works perfectly!

3) What about security?
Well, security has never been a problem with qmail. I haven't heard of anyone breaking NetQmail version 1.05 (the one we'll be installing). As for everything else we'll be doing here, many people find it pretty secure.

4) On what operating systems has this guide been tested on?
I've done testing mostly on Linux machines (Fedora, Redhat, Debian, Mandrake). So, I could say that everything should work flawlessly on any linux machine. It should also work on BSD systems.

5) Stuff we'll be needing (sources)
Download the following sources to a src directory i.e. /usr/local/src

Qmail-related stuff:
- NetQmail v1.06 from http://www.qmail.org
- Qmail Patches from http://megaz.arbuz.com
- VMailMgr v0.97 from http://untroubled.org
- VMailMgr Tools v0.2 from http://untroubled.org
- Relay-CTRL v3.1.1 from http://untroubled.org
- Qmail-Autoresponder v0.97 from http://untroubled.org
- Ucspi-UNIX v0.36 from http://untroubled.org
- Ucspi-TCP v0.88 from http://cr.yp.to
- Daemontools v0.76 from http://cr.yp.to
- Courier-IMAP v3.0.8 from http://www.courier-mta.org
- MailDrop v2.0.4 from http://www.courier-mta.org
- TNEF v1.4.4 from http://sourceforge.net/projects/tnef
- SpamAssassin v3.2.5 from http://spamassassin.apache.org
- Qmail-Scanner v2.05 from http://qmail-scanner.sourceforge.net
- Stunnel v3.26 from http://www.stunnel.org

For domain administration (via www) *:
- oMail-admin v1.2rc1 from http://omail.omnis.ch/

* I'm assuming that Apache web server and PHP are both installed, configured and fully operational on the machine you are installing qmail on. If you haven't yet installed Apache, there is another guide written by me which covers Apache installation with modules such as PHP. It can be accessed from here.

6) First things first
First, we'll have to get rid of your existing e-mail server. If you have just finished installing Linux on your machine, most probably sendmail is also installed. So, let's remove sendmail from your machine:

# rpm -q -a | grep sendmail
sendmail-8.13.8-2
sendmail-cf-8.13.8-2
sendmail-devel-8.13.8-2 # rpm -e sendmail --nodeps
# rpm -e sendmail-cf --nodeps
# rpm -e sendmail-devel --nodeps

This should get rid of all sendmail files on your machine.

If you have a FreeBSD system, run pkg_info | grep sendmail to see if you have sendmail installed on your system. If you do, run pkg_delete to get rid of sendmail completely.

7) Patch and Install Qmail
All right, now we are going to install Qmail from downloaded sources. We'll apply some necessary patches to Qmail, to make sure that the solution we are going to implement works perfectly.

OK, so first, we untar qmail and change directory to qmail sources. Then, we apply the needed patches to Qmail:

# cd /usr/local/src
# tar zxf netqmail-1.06.tar.gz
# tar zxf qmail_patches.tar.gz
# mv qmail_patches/* netqmail-1.06/
# rmdir ../qmail_patches
# cd netqmail-1.06
# patch < qmail-big-ext-todo.patch
# patch < qmail-big-concurrency.patch
# patch < qmail-doublebounce-trim.patch
# patch < qmail-1.03-dns.patch
# patch < qmail-1.03-mfcheck.4.patch
# patch < qmail-1.03-pop3d-stat.patch
# patch < qmail-bounce.patch
# patch < qmail-bouncecontrol-1.03.patch
# patch < qmail-tarpit.patch
# patch < qmail-badrcptto.patch
# patch < qmail-smtpd-relay-reject.patch
# patch < qmail-accept-5xx.patch
# patch < qmail-nullenvsender.patch

Some of the above patches were modified by me because of some code conflicts. I did not create one big patch for everything since some of you might not want to install a specific patch. If you are interested in what each of the above patches does, here is some info:

• qmail-big-ext-todo.patch: The exttodo patch addresses a problem known as the silly qmail (queue) problem. This problem is found only on systems with high injection rates. qmail with a big local and remote concurrency could deliver a tremendous amount of messages but normally this can not be achieved because qmail-send becomes a bottleneck on those high volume servers. qmail-send preprocesses all new messages before distributing them for local or remote delivering. In one run qmail-send does one todo run but has the ability to close multiple jobs. Because of this layout qmail-send can not feed all the new available (local/remote) delivery slots and therefore it is not possible to achieve the maximum throughput. This would be a minor problem if one qmail-send run could be done in extreme short time but because of many file system calls (fsync and (un)link) a todo run is expensive and throttles the throughput. The exttodo patch tries to solve the problem by moving the todo routine into an external program. This reduces the run time in qmail-send.
• qmail-big-concurrency.patch: Allows qmail to use a concurrency greater than 240 (current qmail limit). It has been reported to work well in almost all environments and might be handy if you are expecting high volumes of mail traffic.
• qmail-doublebounce-trim.patch: I decided to integrate this patch because I got sick of double bounce messages sitting in qmail queue forever. Spammers usually fake the from field with an invalid email address, which results in thousands of bounce messages. This patch allows you to complete discard all double bounce messages to save server load and traffic.
• qmail-1.03-dns.patch: Christopher Davis's oversize DNS patch -- it makes qmail accept oversized DNS packets. If you do not want some of the legitimate mail to get lost, I would recommend you to use this patch.
• qmail-1.03-mfcheck.4.patch: I consider this patch mandatory for any qmail installation. A lot of spammers use fake domain names in their messages -- this patch checks if the domain in "from" field exists. If it doesn't, the email simply gets rejected.
• qmail-1.03-pop3d-stat.patch: This patch changes the number of messages returned in qmail-pop3d's reponse to STAT. The patch makes qmail fully compliant with RFC 1939, which specifies that deleted messages aren't counted in total.
• qmail-bounce.patch: Allows you to specify the limit for bounce messages in /var/qmail/control/bouncemaxbytes.
• qmail-bouncecontrol-1.03.patch: Allows you to control the appearance of bounce messages. Very handy if you want to change the default bounce message or add a message in another language.
• qmail-tarpit.patch: The tarpit patch is targeted towards spammers who try to bomb your mail server with a long list of recipients. It inserts small delays in an smtp session for each recipient in the mail message (after some set number of recipients). This slows down their session, resulting in timeouts in spammer's mail software.
• qmail-badrcptto.patch: Lets you reject e-mail at the smtp envelope (rcpt) phase, which can produce a considerable bandwidth saving when a lot of e-mail is directed at non-existing users. Instead of receiving the body of the e-mail and then rejecting it in qmail-send, you can reject it before receiving the body. This can be very useful in a setup where you have one qmail box accepting all the e-mail, which then passes it on to another (q)mail box behind it.
• qmail-smtpd-relay-reject.patch: Russell Nelson's patch to reject relay probes generated by "anti-spammers". These relay probes have '!', '%' and '@' in the local (username) part of the address. The patch detects them and issues a 553 error "we don't relay".
• qmail-accept-5xx.patch: Adrian Ho's patch to increase qmail-remote's compliance with RFC2821. Some smtp servers are now emitting 5xx responses from the get-go, and mere RFC821 behavior doesn't deal well with them.
• qmail-nullenvsender.patch: A lot of your spam will be arriving with a null envelope sender. When those spam messages have multiple envelope recipients, they cannot be bounce messages. This patch rejects emails addressed to multiple recipients with a null envelope sender.

Right now qmail is fully patched. All we need to do is install it. Before running make, we'll first create necessary user accounts and groups that qmail needs for running. We will also create a qmail directory /var/qmail. Make sure that you have enough space in that partition.

# mkdir /var/qmail
# cd /usr/local/src/netqmail-1.05/netqmail-1.05
# groupadd -g 5000 nofiles
# groupadd -g 5001 qmail
# useradd -u 5000 -g nofiles -d /var/qmail/alias alias
# useradd -u 5001 -g nofiles -d /var/qmail qmaild
# useradd -u 5002 -g nofiles -d /var/qmail qmaill
# useradd -u 5003 -g nofiles -d /var/qmail qmailp
# useradd -u 5004 -g qmail -d /var/qmail qmailq
# useradd -u 5005 -g qmail -d /var/qmail qmailr
# useradd -u 5006 -g qmail -d /var/qmail qmails

If you have a FreeBSD system, the above won't work. You will have to add groups and users manually into /etc/groups and /etc/master.passwd and then remake the user database by issuing pwd_mkdb -p /etc/master.passwd. Here is what you would have to do under FreeBSD:

# cd /etc
# echo "nofiles:*:5000:" >> group
# echo "qmail:*:5001:" >> group
# echo "alias:*:5000:5000::0:0::/var/qmail/alias:" >> master.passwd
# echo "qmaild:*:5001:5000::0:0::/var/qmail:" >> master.passwd
# echo "qmaill:*:5002:5000::0:0::/var/qmail:" >> master.passwd
# echo "qmailp:*:5003:5000::0:0::/var/qmail:" >> master.passwd
# echo "qmailq:*:5004:5001::0:0::/var/qmail:" >> master.passwd
# echo "qmailr:*:5005:5001::0:0::/var/qmail:" >> master.passwd
# echo "qmails:*:5006:5001::0:0::/var/qmail:" >> master.passwd
# pwd_mkdb -p /etc/master.passwd

Pages: 1 2 3 4 5 6

Posted by MegaZ on December 20, 2002.

Guides and Howtos