Qmail Howto
12) Installing Relay-CTRL
You might wonder what Relay-CTRL is. Well, this small program performs SMTP authorization. Basically, it serves those clients who want to send e-mail messages through our server. It will protect the mail server from thousands of abusers who send unsolicited mail through open-relay servers. Not only does Relay-CTRL solve the relaying problem, it also verifies that only local accounts are able to send mail to outside servers.
The install procedure is fairly easy. This is what you have to do:
# cd /usr/local/src
# tar zxf relay-ctrl-3.1.1.tar.gz
# cd relay-ctrl-3.1.1
# make
# ./installer
# mkdir /var/qmail/relay-ctrl
# mkdir /var/qmail/relay-ctrl/allow
# chmod 700 /var/qmail/relay-ctrl
# chmod 777 /var/qmail/relay-ctrl/allow
# mkdir /etc/relay-ctrl
# echo /var/qmail/relay-ctrl/allow > /etc/relay-ctrl/RELAY_CTRL_DIR
# echo 900 > /etc/relay-ctrl/expiry
# echo /etc/tcp.smtp.cdb > /etc/relay-ctrl/smtpcdb
# echo /var/qmail/relay-ctrl > /etc/relay-ctrl/spooldir
# echo /usr/local/bin/tcprules > /etc/relay-ctrl/tcprules
What are we doing here? After installing relay-ctrl, we set up “/var/qmail/relay-ctrl/allow” as the directory where temporary access files will be written. If a user with IP “100.100.100.10” is successfully authenticated, a file called “100.100.100.10” is created in this directory. The file will contain “USER=yourdomain.com” (yourdomain.com being the domain that the user belongs to). The user is now able to send messages, but only for a specified amount of time (the expiry). The expiry is stored in /etc/relay-ctrl/expiry. In this guide, the expiry time is 900 seconds, which means that after 15 minutes the user will no longer be able to send messages through the mail server unless he/she authenticates again.
Also, don’t forget to add the following cron job to your system. You can either put the line into /etc/crontab or create a file called relay-ctrl in /etc/cron.d.
* * * * * root /usr/local/bin/envdir /etc/relay-ctrl /usr/local/bin/relay-ctrl-age
Restart the cron daemon for changes to take effect.
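A check of the layout this step sets up, as an added example that is not part of the original howto or of relay-ctrl. It confirms the parent spool directory is still mode 700, which is what shields the mode-777 allow directory from other local accounts, and flags entries that are not named after an IPv4 address or that have outlived the expiry. It assumes an entry's age is judged by file modification time; the function names are hypothetical and the demo spool is constructed.

```shell
#!/bin/sh
# Added example, not part of relay-ctrl: audit the spool layout from step 12.
# Assumption: an entry's age is judged by its modification time.

# audit_relay_ctrl SPOOLDIR EXPIRY_SECONDS
# Prints one finding per line; exit status 0 means nothing was found.
audit_relay_ctrl() {
    spool=$1 expiry=$2 allow=$1/allow rc=0

    # The parent must stay 700 (rwx------): that is what keeps other local
    # accounts away from the world-writable allow directory beneath it.
    mode=$(ls -ld "$spool" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "PERM $spool is open to group/other ($mode)"; rc=1
    fi

    # One extra minute of grace, because relay-ctrl-age runs once a minute.
    limit=$(( $expiry / 60 + 1 ))

    for f in "$allow"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # Entries are named after the authenticated client's IP address.
        if ! printf '%s\n' "$name" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "NAME $name is not an IPv4 address"; rc=1
        fi
        # An entry older than the expiry means the cron job is not cleaning up.
        if [ -n "$(find "$f" -mmin +"$limit")" ]; then
            echo "STALE $name is older than ${expiry}s"; rc=1
        fi
    done
    return "$rc"
}

# Constructed demo spool: one fresh entry, one stale entry, one stray file.
make_demo_spool() {
    d=$(mktemp -d) && mkdir "$d/allow" && chmod 700 "$d" && chmod 777 "$d/allow"
    echo "USER=yourdomain.com" > "$d/allow/100.100.100.10"
    echo "USER=yourdomain.com" > "$d/allow/100.100.100.11"
    touch -t 200001010000 "$d/allow/100.100.100.11"
    : > "$d/allow/notes.txt"
    echo "$d"
}

demo=$(make_demo_spool)
audit_relay_ctrl "$demo" 900 || echo "findings reported for $demo"
rm -rf "$demo"
# On the real server (run as root):
#   audit_relay_ctrl /var/qmail/relay-ctrl "$(cat /etc/relay-ctrl/expiry)"
```

A STALE line on a live server usually means the relay-ctrl-age cron entry is missing or cron was not restarted.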
13) Preparing POP3 and SMTP startup environment
Qmail is useless without POP3 and SMTP protocols. You can’t send and receive e-mail from remote hosts without running these services. We have already installed most of the stuff now. It is a good idea to test our accomplishments so far, by running Qmail with POP3 and SMTP.
Download the file “runmail” from this server and place it in /usr/local/bin.
This script will definitely confuse many of you. But don’t worry, I am here to explain to you what each line of the above code does :-) The script can be divided into three parts - the first one runs the vmailmgr daemon, the second one runs an SMTP server and the third one runs a POP3 server. Remember that you’ll need both SMTP and POP3 servers if you want to be able to send and receive mail. The vmailmgr daemon is needed for web-based administration, which I will be covering in the “oMail-admin” section below.
Again, the first two lines specify the paths to executables to make our lives easier and our script smaller. The third line changes the directory to root. Softlimit -m 10000000 sets the maximum memory usage to 10MB. You can limit it to a smaller amount of memory if you want to. Just make sure that the limit is reasonable - otherwise the program could simply fail to execute because of memory limitations. The next line executes the vmailmgr daemon, which is needed if you want to be able to add/remove/modify mail users through a web interface. We run vmailmgrd through unixserver, which creates a socket and waits for incoming connections. All vmailmgrd connections are logged in /var/qmail/logs/vmailmgrd.
The second part of the script runs an SMTP server. Again, we limit the memory usage to 10MB via softlimit. The envdir lines set the config directory to /etc/relay-ctrl for relay-ctrl. The next line, starting with tcpserver, is rather complicated. The “-v” switch given to tcpserver makes sure that all error and status messages are printed out (if they occur). The “-H” switch disables DNS lookups. We don’t need to do DNS lookups, since our patched qmail already does that. The “-R” switch will stop tcpserver from attempting to obtain the $TCPREMOTEINFO variable from remote hosts (we don’t need it). The “-l $HOSTNAME” switch will force tcpserver not to look up the local host name in DNS (no need to resolve ourselves). The “-x /etc/tcp.smtp.cdb” switch forces tcpserver to follow the rules compiled by our tcprulesedit script. The “-c200” switch limits the maximum number of simultaneous connections to 200. The “-u5002” switch sets the tcpserver user id to “qmaill” and “-g5000” sets the group id to “nofiles”. Next, 0 and smtp simply tell tcpserver to listen on any available interface on port 25.
The “rblsmtpd -b -r relays.ordb.org rblsmtpd -r sbl.spamhaus.org” command executes an anti-spam filter for denying blacklisted servers on the Internet. If the first blacklist server fails, the second one (sbl.spamhaus.org) takes over. You can check whether your blacklist settings work by sending a test message to nelson-sbl-test@crynwr.com. If you receive only one message with a “Terminating conversation” message at the end, the settings are good to go. If you receive two messages with one saying “Uh-oh, your SBL block is not working!”, it means that either the relay servers are unreachable at the moment or something is wrong with your settings.
The “fixcrio” command will insert missing CRs at the end of messages. Some old mail servers send messages that contain bare linefeeds and fixcrio will deal with those. It’s very unlikely that such servers exist, but adding this executable will make sure that we are not denying messages from some old non-blacklisted servers. The next command, “relay-ctrl-check”, checks if the mail user has already been authenticated. If the /var/qmail/relay-ctrl/allow directory does not contain the sender’s IP address, the message is rejected with the 553 error message “sorry, that domain isn’t in my list of allowed rcpthosts”. If everything is good and the user did authenticate before, the message is successfully delivered through “qmail-smtpd”, which is the next command we are executing. The “setuidgid qmaill” makes multilog execute under the “qmaill” user. I’ve already explained the multilog switches above, so I will not go through that part again.
The third part of the script deals with running a POP3 server on port 110. Just like we did for the SMTP server, we execute softlimit followed by envdir for relay-ctrl. This is needed because relay-ctrl must record the authenticated user’s IP address and domain into the temp allow directory. Next, we run tcpserver - only this time we execute it under the “root” account (the -u0 and -g0 switches). Plus, we now specify port 110 to listen on instead of smtp (port 25). The next command, “qmail-popup localhost”, will read a POP username and password from the connecting client. You can either specify “localhost” or your fully qualified domain name after “qmail-popup”. The next line starts with “checkvpw”, which is the default password authentication utility for vmailmgr. All it does is check whether the specified username and password are correct. Of course, if the authentication fails, checkvpw exits, causing tcpserver to disconnect the user with a failure message. If the authentication is successful, the next command, “relay-ctrl-allow”, is executed. It will make sure that the user’s IP address and domain are recorded into a temp file in relay-ctrl’s allow directory. Next, “qmail-pop3d” is run, allowing the user to receive and delete his/her messages from the server. Once more, we are switching to the “qmaill” user id for multilog and using the /var/qmail/logs/pop3 log directory to log all POP3 connections.
The script is ready. Now, all we need to do is make it executable:
# chmod 755 /usr/local/bin/runmail
14) Testing Qmail installation
Before we go any further, let’s make sure that everything we’ve done so far works properly. For that, we’ll have to execute Qmail, POP3 and SMTP. Then, we will send and receive a couple of test messages. Only then will there be a point in continuing and completing qmail installation.
So, let’s get Qmail, POP3 and SMTP running:
# /var/qmail/rc &
# /usr/local/bin/runmail
If you get a permission error with multilog, type “chown qmaill:nofiles /var/qmail/logs” and “chown qmaill:nofiles /var/qmail/logs/qmail”. Kill running qmail with “killall qmail-lspawn” and then retry running the script with “/var/qmail/rc &”.
Type “ps ax | grep qmail” at the shell prompt. The command should return 8-9 different processes (qmail-send, qmail-rspawn, qmail-clean and so on). The output will look similar to this:
17295 pts/1 S 0:00 qmail-send
17296 pts/1 S 0:00 multilog t n100 s1000000 /var/qmail/logs/qmail
17297 pts/1 S 0:00 qmail-lspawn ./Maildir
17298 pts/1 S 0:00 qmail-rspawn
17299 pts/1 S 0:00 qmail-clean
17315 pts/1 S 0:00 multilog t n100 s1000000 /var/qmail/logs/vmailmgrd
25459 pts/1 S 0:00 multilog t n100 s1000000 /var/qmail/logs/smtp
25461 pts/1 S 0:00 multilog t n100 s1000000 /var/qmail/logs/pop3
25736 pts/1 S 0:00 grep qmail
Now type “ps ax | grep tcpserver” at the shell prompt. The command should return only three lines. The output will look similar to this:
25458 pts/1 S 0:00 tcpserver -v -H -R -l server.com -x /etc/tcp.smtp.cdb…
25460 pts/1 S 0:00 tcpserver -v -H -R -l server.com -x /etc/tcp.smtp.cdb…
25801 pts/1 S 0:00 grep tcpserver
If you have something similar to examples above, your installation is most probably up and running. If you receive an empty output, something went wrong. In that case, check out the “current” log files in /var/qmail/logs.
Our current objective is to test how our system is working. Create an account in your e-mail client (Outlook Express, Bat or whatever you have there) on another computer using the domain, login and password you’ve supplied before. In our case, your login is “test@yourserver.com” and the password is the one that you typed in when you issued the “vadduser” command. The settings for both POP3 and SMTP should be left at the e-mail client’s default values. For the POP3 and SMTP server address, either supply your new mail server’s IP address or its valid hostname. I usually type in an IP address (fewer DNS queries and faster). Click send/receive and see what happens. If you get an error, see what type of error you get. Make sure that everything you specify in your mail client is valid and working. Sometimes people type in something wrong and then blame it on others. I hope you are not the nut case :-) Anyway, if you get a window that asks you to retype your password, that means that you have either mistyped your password or supplied a wrong login. By the way, did I mention that you must supply your login and domain for authentication? (Type in your full e-mail address as your login - ex: test@yourserver.com.)
Warning: Don’t try to send an e-mail to check how everything works yet. You will simply get an error message “unable to exec qq”. This is because we have /var/qmail/bin/qmail-scanner-queue.pl to process the qmail queue and this file simply does not exist!
15) Qmail-Autoresponder Installation
The installation is very easy. All you need to do is run “make”, copy the compiled binary to /usr/local/bin and make it executable.
# cd /usr/local/src
# tar zxf qmail-autoresponder-0.97.tar.gz
# cd qmail-autoresponder-0.97
# make qmail-autoresponder
# cp qmail-autoresponder /usr/local/bin
# chmod 755 /usr/local/bin/qmail-autoresponder
Create a vdeliver-postdeliver file in /etc/vmailmgr folder and copy-paste the following into it:
#!/bin/sh
# Send an automatic reply only if this mailbox has a non-empty autoresponse message.
if test -s "$MAILDIR/autoresponse/message.txt"
then
    qmail-autoresponder message.txt "$MAILDIR/autoresponse"
fi
Then make it executable:
# chmod 755 /etc/vmailmgr/vdeliver-postdeliver
October 16th, 2008 at 11:09 pm
Nice tutorial. This is the only patch with which I haven’t encountered a problem.
I hope you can add a patch such as validrcptto. This is a nice patch. However, I’m getting a hunk failed when I’m trying to patch it after applying all the patches in your tutorial. Probably, some code doesn’t conform to the validrcptto patch. I’m not a C programmer so I’m having a hard time fixing the problem. Please inform me via my email ntserafica@yahoo.com if you have the patch.
This could be a great gift this coming Christmas :)
October 3rd, 2008 at 7:19 am
So what if I want a more minimalistic solution. Basically I have a mail server that only needs to serve one site, and primarily outgoing mail. So no fancy stuff needed like multiple users and auto-responders.
I would like to have a suite of admin tools, for instance, being able to manually send an email that’s been stuck in the queue and watching the remote mail server response, ideally have a php script parse this information.
Hours on Google have really only given me scripts for the end-user, none for really managing the admin part of qmail.
September 5th, 2008 at 4:04 pm
> - Qmail Patches from http://megaz.arbuz.com
Where are the patches, I find but…
June 29th, 2008 at 2:03 pm
Nice tutorial. If anyone needs help, you can contact me via email on my website.
I could do it for free.
June 20th, 2008 at 7:22 pm
This was helpful. Thank you.
May 30th, 2008 at 10:10 am
Hi Nasim:
Have you tried to use CourierIMAP 4.3.1 (with AuthLib)?
I would appreciate your comments about it.
Thanks.
May 25th, 2008 at 2:29 am
Hi Nazim,
Sometimes I have an error when sending email (to addresses which I used before or new ones):
An error occurred while sending mail. The mail server responded: sorry, that domain isn’t in my list of allowed rcpthosts (#5.7.1). Please check the message recipients and try again.
I thought that it had something to do with authentication timing out, so I have removed 900 from /etc/relay-ctrl/expiry (step 12 -> Installing Relay-CTRL; page http://megaz.arbuz.com/2002/12/20/qmail-howto/4) but I’m still getting this error.
I’d appreciate it if you could advise on what could be wrong, please.
Thanks a lot in advance,
yuriy
May 24th, 2008 at 11:59 pm
Hi Nazim,
Problem with setting second virtual domain was sorted out. It turned out that one needs to restart qmail server after adding another virtual domain.
Also I have sorted an issue with the 550 error page (I have written about it in one of my previous posts).
With a virtual domain, a .qmail-default file should exist for each user. So the solution was pretty simple: copy the original .qmail-default to .qmail-USERNAME in the /home/email/yourdomain/ folder. Also my /etc/tcp.smtp looks like this:
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl",VERIFY=""
May 6th, 2008 at 11:11 am
Hi Nazim.
I can telnet to my server and do all the steps you have listed alright. It’s just that when I’m trying to set an additional virtual domain it stops receiving emails (one can still send emails though), even to the first virtual domain. When I remove the second virtual domain it will start to receive emails, but only after a couple of hours. I reckon that it’s Qmail-Scanner causing this problem. I’ll probably leave this issue to sort out later on (I’m planning to install another test server but will keep in mind using more than one domain then).
I have a couple more issues which require immediate attention and I was trying to sort them out but no luck so far.
1. I need to set our email server to give a 550 error for an invalid address. I have used Andrew Richards’ qmail-verify patch (http://free.acrconsulting.co.uk/email/qmail-verify.html). I can see the qmail-verify daemon is running on our server but it’s not rejecting non-existing users (so it’s accepting anything with our domain). The problem could be that /home/email/[virtual_domain]/.qmail-default is telling that anything coming with this domain is valid.
But because I’m using a virtual domain, .qmail-default pipes to /usr/local/bin/vdeliver. So vdeliver is deciding who the right users on our server are. Andrew suggested removing /home/email/[virtual_domain]/.qmail-default but when I did it the email server stopped receiving emails. Do you know what parameters I need to pass to /usr/local/bin/vdeliver in /home/email/[virtual_domain]/.qmail-default so qmail-verify can properly filter email users?
2. Due to the increase in the number of ISP’s blocking port 25 for third party mailservers I need to set on mail server additional port to answer SMTP request. I was looking on google and found the following link http://www.skorpionweb.org/archives/2005/09/running_qmail_s.php.
So I followed the logic in this article and set separate tcpserver which listens to different port:
1) Created /var/qmail/rc2 :
#!/bin/sh
PATH="/var/qmail/bin:/usr/local/bin"
export PATH
cd /
qmail-start ./Maildir | setuidgid qmaill \
multilog t n50 s1000000 \
/var/qmail/logs/qmail2 &
2) Created /usr/local/bin/runmail2:
exec softlimit -m 10000000 \
envdir /etc/relay-ctrl relay-ctrl-chdir \
tcpserver -v -H -R -l $HOSTNAME -x /etc/tcp.smtp.cdb -c200 -u5002 -g5000 0 587 qmail-smtpd 2>&1 &
3) Created /var/qmail/logs/qmail2 and chown it to qmaill:nofiles.
Now I can start a separate tcpserver with port 587 and everything looks healthy, but when I change port 25 to 587 and try to send mail I get an error “…The server may be unavailable or refusing connection…”
I wonder whether I need to set up another instance of qmail-smtpd (maybe qmail-smtpd2, just guessing here).
Thanks a lot again for your time and effort to keep this site going & helping folks like myself :-)
Kind regards, yuriy