Configuring Qmail

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

PLEASE READ:

I have now removed outgoing auth on port 25. You can go to John Simpson's site and look up the options to turn this back on if you like. I would HIGHLY SUGGEST that you leave SMTP-AUTH on port 25 off and go on with the rest of the documentation. The next step is setting up SMTP with SSL, which is an alternate way for your users to send mail. With authenticated sending moved to the SSL service, you can turn on validrcptto, RBLs, jgreylist and the like on port 25 without having your clients' email programs time out on you: mail sent via SSL skips all of these checks. Please let me know if you have any questions or problems by posting in the Forums on the left.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Getting this part of qmail going is, well, going to be a little rough. We need the run scripts for qmail-smtpd, qmail-send and qmail-pop3d (they are in scripts.tgz). We will start by unpacking them and making all the needed directories, so let's get to it!


# cd /downloads/qmailrocks
# mkdir qmail
# cd qmail
# tar zxvf /downloads/qmailrocks/scripts.tgz

Double-check the following in smtpd_run:

IP=1.2.3.4  Substitute your own IP address. Do not leave this set to 0 without a good reason.
PORT=25  The port number we will be listening on.
SSL=0  Do not run an SSL-only service.
FORCE_TLS=0  When set to 1, refuses mail from clients that have not done STARTTLS; we leave it off.
DENY_TLS=0  Do not refuse to process the STARTTLS command.
AUTH=0  We are turning off auth on port 25, so this service ONLY accepts incoming mail.
REQUIRE_AUTH=0  When set to 1, refuses mail from clients that have not done AUTH; we leave it off.

Now let's make the supervise directory and get everything copied over:

PLEASE NOTE: Since there are a lot of commands here, I decided to make a little script for it.


# ./qmail.sh
# cd /downloads/qmailrocks/
# rm -dfr qmail

Now let's set up some qmail aliases. Replace postmaster@domain.xxx in the next three lines with the address you want these emails to go to:


# echo postmaster@domain.xxx > /var/qmail/alias/.qmail-root
# echo postmaster@domain.xxx > /var/qmail/alias/.qmail-postmaster
# echo postmaster@domain.xxx > /var/qmail/alias/.qmail-mailer-daemon

The worst is over! Now we need to tell the pop3d run file the name of your server. Edit the following file and replace mail.domain.xxx with the name of your mail server:


# vi /var/qmail/supervise/qmail-pop3d/run

Now we want to set up selective relaying:


# mkdir /etc/tcp/
# cd /etc/tcp
# cp /downloads/qmailrocks/etc-tcp-makefile Makefile

Now we need to create the smtp file

At this point it should be ready to go. All you need to do is create the "smtp" file, containing the normal access control list. You may want to add the IP of the server you specified in the /var/qmail/supervise/qmail-smtpd/run file to the /etc/tcp/smtp file. Let's say the IP you used was 192.168.9.1. The line should look like this:

192.168.9.1:allow,RELAYCLIENT=""

Now open the file:


# vi /etc/tcp/smtp

Add the following (a typical smtp file) to /etc/tcp/smtp:

192.168.9.:allow,RELAYCLIENT=""
:allow

Now run: 


# gmake

and you should get an output saying:


tcprules smtp.cdb smtp.tmp < smtp
chmod 644 smtp.cdb smtp
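As an added check before running gmake (this is not part of the original guide or of ucspi-tcp), the shell function below scans a tcprules access list such as the /etc/tcp/smtp file built above. It reports lines tcprules would not understand and, more importantly, a default rule (empty address) that sets RELAYCLIENT, since that would let every host on the Internet relay through the server. The file path is whatever you pass as the first argument; the rule format it assumes is the one used in the lines above.

```shell
#!/bin/sh
# Added example: sanity-check a tcprules access list such as /etc/tcp/smtp
# before running "gmake" to compile it into smtp.cdb.  Not part of the
# qmailrocks guide or of ucspi-tcp; the file path is whatever you pass in.
#
# Each rule line is  address:allow|deny[,VAR="value",...]  where address is
# an IP, an IP prefix ending in ".", "=hostname", or empty (the default rule).
# Returns 0 if the file looks sane, 1 if any problem was printed.
check_smtp_rules() {
    awk '
    BEGIN { bad = 0 }
    /^#/ || /^[ \t]*$/ { next }                    # skip comments and blank lines
    {
        n = index($0, ":")
        if (n == 0) {
            printf("line %d: missing \":\" separator: %s\n", NR, $0); bad = 1; next
        }
        addr = substr($0, 1, n - 1)
        rest = substr($0, n + 1)
        split(rest, parts, ",")
        action = parts[1]
        if (action != "allow" && action != "deny") {
            printf("line %d: action must be allow or deny: %s\n", NR, $0); bad = 1; next
        }
        if (addr != "" && addr !~ /^[0-9]+(\.[0-9]+)*\.?$/ && addr !~ /^=/) {
            printf("line %d: unrecognised address \"%s\"\n", NR, addr); bad = 1; next
        }
        # RELAYCLIENT on the default rule means anyone may relay through you
        if (addr == "" && rest ~ /RELAYCLIENT/) {
            printf("line %d: default rule sets RELAYCLIENT (open relay): %s\n", NR, $0); bad = 1
        }
        # RELAYCLIENT on a deny rule is a sign of a typo; deny never relays
        if (action == "deny" && rest ~ /RELAYCLIENT/) {
            printf("line %d: RELAYCLIENT on a deny rule has no effect: %s\n", NR, $0); bad = 1
        }
    }
    END { exit bad }' "$1"
}

# Usage: check_smtp_rules /etc/tcp/smtp && gmake
```

Run it from /etc/tcp as shown in the usage comment so that a rejected file never gets compiled into smtp.cdb. The check is deliberately conservative: a RELAYCLIENT on the default rule is the one mistake that silently converts this setup into an open relay.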

Installing UCSPI-SSL

We need to install ucspi-ssl so qmail will accept smtp connections with ssl. We can do that like so:


# cd /usr/ports/sysutils/ucspi-ssl
# make install clean

Shortly after this starts installing, you will get a dialog box containing:

Options for ca_root_nss 3.11.9_2
[ ] ETCSYMLINK  Add symlink to /etc/ssl/cert.pem

Make sure that box is checked by pressing the space bar, then press Tab and Enter.

Creating an SSL key file

If you are setting up an SSL or TLS server, you will need to create a /var/qmail/control/servercert.pem file. This file contains the public and private keys used to set up SSL or TLS encryption. It should be readable to the userid which your "qmail-smtpd" program runs as (which is normally the "qmaild" user.)

Part of the file is a "certificate", which is the public key with a signature applied to it. This is the same kind of signature used when you create an SSL key for use with a secure web site. In fact, if you already have such a certificate from an SSL web site, you can use it (with the matching ".key" file) to build this .pem file. As long as the key and the certificate are both stored in PEM-encoded format, you can "cat" the files together and save the result as "servercert.pem", and it will work.

If you don't have such a key, you can create a key and then sign it using itself (also known as a "self-signed" certificate.) Clients will complain about the certificate not being signed by a trusted certificate authority, but the encryption is just as secure. The following example shows how to create a self-signed certificate which expires ten years from the date it was created.

Let's start with creating the key:


# cd /var/qmail/control
# openssl req -newkey rsa:1024 -x509 -nodes -days 3650 -out servercert.pem -keyout servercert.pem

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value; if you just hit Enter, the field will be left blank. Please note: the Common Name must be the name of the mail server, so make sure you enter it on that line:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: THIS IS YOUR EMAIL SERVER NAME
Email Address []:user@domain.xxx

Now let's give proper ownership to the files:


# chown root:nofiles servercert.pem

The "nofiles" group is the group which "qmaild" belongs to. This combination of ownership and permissions allows qmail-smtpd to read the key, but not change or delete it.


# chmod 640 servercert.pem
# cp servercert.pem clientcert.pem
# chown root:qmail clientcert.pem

The "qmail" group is the group which the "qmailr" user belongs to. This user should be able to read, but not write, the "clientcert.pem" file.


# chmod 640 clientcert.pem
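The two files just created are only useful if they hold both halves (key and certificate) and if the mode really keeps the private key away from everyone but root and the daemon's group. The function below, added here as an example and not part of the original guide or of qmail, checks a PEM file for exactly those things: one private key block, at least one certificate block, balanced BEGIN/END markers (a truncated "cat" leaves them unbalanced), and a mode with no world access and no group or world write. The file path is whatever you pass in.

```shell
#!/bin/sh
# Added example: verify a servercert.pem / clientcert.pem built as described
# above.  Not part of the qmailrocks guide or of qmail; the file path is
# whatever you pass in.  Checks that the file holds exactly one private key
# and at least one certificate, that every BEGIN marker has its END (a
# truncated "cat" leaves these unbalanced), and that the mode lets only the
# owner write it and nobody outside the owner and group read it.
# Returns 0 if everything passes, 1 otherwise.
check_pem_file() {
    _f="$1"; _rc=0
    [ -r "$_f" ] || { echo "$_f: not readable"; return 1; }

    # grep -c prints 0 and exits 1 when nothing matches, so mask the status
    _keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$_f") || true
    _certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$_f") || true
    _begins=$(grep -c '^-----BEGIN ' "$_f") || true
    _ends=$(grep -c '^-----END ' "$_f") || true

    [ "$_keys" -eq 1 ] || { echo "$_f: expected one private key block, found $_keys"; _rc=1; }
    [ "$_certs" -ge 1 ] || { echo "$_f: no certificate block"; _rc=1; }
    [ "$_begins" -eq "$_ends" ] || { echo "$_f: BEGIN/END markers do not balance (truncated?)"; _rc=1; }

    # find prints the path when the tested permission bits are set; octal
    # modes work with both GNU and BSD find
    [ -z "$(find "$_f" -perm -004)" ] || { echo "$_f: readable by everyone; chmod 640"; _rc=1; }
    [ -z "$(find "$_f" -perm -002)" ] || { echo "$_f: writable by everyone; chmod 640"; _rc=1; }
    [ -z "$(find "$_f" -perm -020)" ] || { echo "$_f: writable by group; chmod 640"; _rc=1; }
    return $_rc
}

# Usage: check_pem_file /var/qmail/control/servercert.pem
#        check_pem_file /var/qmail/control/clientcert.pem
```

Ownership (root:nofiles for servercert.pem, root:qmail for clientcert.pem) is not checked here because the flags of stat differ between FreeBSD and Linux; confirm it with ls -l. If openssl is installed, "openssl x509 -noout -subject -enddate -in servercert.pem" will additionally show that the Common Name is your mail server's name and when the certificate expires.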


Starting qmail


Okay, let's start qmail! (The rehash command may or may not work; it depends on your shell.)


# rehash
# qmailctl start

You should get an output like so:


Starting qmail...

Starting qmail-send
Starting qmail-smtpd
Starting qmail-pop3d

Let's check to make sure qmail is running okay:


# qmailctl stat

You should get the following output:


/service/qmail-send: up (pid 87953) 344 seconds
/service/qmail-send/log: up (pid 87955) 344 seconds
/service/qmail-smtpd: up (pid 87957) 344 seconds
/service/qmail-smtpd/log: up (pid 87958) 344 seconds
/service/qmail-pop3d: up (pid 87954) 344 seconds
/service/qmail-pop3d/log: up (pid 87956) 344 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0
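Once the services are up you will want to notice when one of them goes down or the queue starts piling up. The function below is an added example (not part of the original guide, of qmail or of daemontools) that reads text in the "qmailctl stat" format shown above, from a file or standard input, and reports any service that is not "up" and a queue larger than a limit; the limit in the second argument is an assumed default of 100 messages.

```shell
#!/bin/sh
# Added example: parse the output of "qmailctl stat" (svstat format) and
# report what an operator would want to know.  Not part of the qmailrocks
# guide, qmail or daemontools.  Reads the stat text from the file named in
# $1 (standard input if omitted); $2 is the queue limit, assumed to be 100.
# Returns 0 when every service is up and the queue is within the limit,
# 1 otherwise.
check_qmail_stat() {
    _limit="${2:-100}"
    awk -v limit="$_limit" '
    BEGIN { bad = 0 }
    # "/service/name: up (pid N) S seconds"  or
    # "/service/name: down S seconds, normally up"
    /^\/service\// {
        svc = $1; sub(/:$/, "", svc)
        if ($2 != "up") {
            printf("%s is %s\n", svc, $2); bad = 1; next
        }
        # $5 is the uptime; a very small value right after "qmailctl start"
        # is normal, at any other time it suggests a service that keeps dying
        if ($5 + 0 < 60) {
            printf("note: %s has only been up for %s seconds\n", svc, $5)
        }
        next
    }
    /^messages in queue:/ {
        if ($4 + 0 > limit) {
            printf("queue has %s messages (limit %d)\n", $4, limit); bad = 1
        }
    }
    /^messages in queue but not yet preprocessed:/ {
        # transient counts here are normal; a count that never drops is not
        if ($8 + 0 > 0) { printf("note: %s messages not yet preprocessed\n", $8) }
    }
    END { exit bad }' "${1:--}"
}

# Usage: qmailctl stat | check_qmail_stat
#        qmailctl stat | check_qmail_stat - 500
```

Run it from cron with a mail or syslog action on a non-zero exit; a growing queue on a box that only accepts incoming mail on port 25 is usually the first visible sign that something (a downstream server, or the relay rules in /etc/tcp/smtp) is not what you intended.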

That's it! We are now done finalizing qmail!

Setting up smtp with SSL