Gentoo Wiki

QmailRocksOnGentoo

This article is part of the HOWTO series.



Introduction

This How-To is now complete. The only things I'll add are extras.
--s0undt3ch 01:05, 10 September 2005 (GMT)

It started from my need to install Qmail on Gentoo, based on QmailRocks, using Gentoo's ebuilds. After trying without success, I found out that someone had already done this, but using MySQL. I didn't want to use MySQL, so that was the beginning of this How-To. Feel free to add your experience to this How-To.

Sourced Articles

This how-to is based on several other how-tos and scattered resources across the net:

Related Articles

Note:

I haven't maintained this how-to for quite a while because I'm moving to Postfix/Courier managed by ISPMan. It's not that I'm not happy with it, I just need to move along; the needs these days are different. The rsync server will still be up, but I won't maintain the custom packages any more. If anyone wishes to continue the needed support for those packages, let me know and I'll grant you the needed perms. --s0undt3ch 09:06, 25 January 2007 (UTC)

Supported ebuilds

These were the current ebuilds used when writing this guide. Note that on some lists, not all of the supporting dependencies are listed. List last updated on: 3/5/2007

sys-apps/ucspi-tcp-0.88-r16
net-mail/dot-forward-0.71-r2
sys-process/daemontools-0.76-r5
net-mail/queue-fix-1.4-r2
virtual/qmail-1.03
net-mail/cmd5checkpw-0.30
net-mail/checkpassword-0.90-r2
mail-mta/qmail-1.03-r16
net-mail/queue-repair-0.9.0
net-mail/dot-forward-0.71-r2
sys-process/daemontools-0.76-r5
sys-apps/ucspi-tcp-0.88-r16
net-mail/cmd5checkpw-0.30
net-mail/checkpassword-0.90-r2
mail-mta/netqmail-1.05-r5
net-mail/relay-ctrl-3.1.1-r2
net-mail/vpopmail-5.4.6-r1
net-libs/courier-authlib-0.59.1
net-mail/courier-imap-4.1.2
app-admin/gamin-0.1.8
net-mail/courierpassd-1.1.0 [provided new ebuild]
net-mail/ezmlm-idx-0.40-r2
net-mail/autorespond-2.0.4
net-mail/qmail-autoresponder-0.96.2
net-mail/qmailadmin-1.2.3 [provided new ebuild]
net-mail/vqadmin-2.3.6
perl-core/Time-HiRes-1.82
virtual/perl-Time-HiRes-1.82
virtual/perl-net-ping-2.31
dev-perl/Digest-Nilsimsa-0.06-r1
mail-filter/razor-2.81
dev-perl/Sys-Hostname-Long-1.2
dev-perl/Net-CIDR-Lite-0.18
dev-perl/Mail-SPF-Query-1.998
dev-perl/Compress-Zlib-1.41
dev-perl/IO-Zlib-1.04
virtual/perl-PodParser-1.30
dev-perl/Net-IP-1.24
dev-perl/Socket6-0.17
dev-perl/IO-Socket-INET6-2.51
virtual/perl-MIME-Base64-3.05
virtual/perl-Digest-MD5-2.33
perl-core/digest-base-1.13
dev-perl/Digest-SHA1-2.11
virtual/perl-digest-base-1.13
dev-perl/Digest-HMAC-1.01-r1
dev-perl/Net-DNS-0.53-r1
virtual/perl-Test-Harness-2.4
dev-perl/IO-String-1.08
dev-perl/Archive-Tar-1.28
perl-core/Storable-2.15
virtual/perl-Storable-2.15
virtual/perl-libnet-1.19
dev-perl/Crypt-SSLeay-0.51
dev-perl/HTML-Tagset-3.10
dev-perl/HTML-Parser-3.48
dev-perl/URI-1.35
dev-perl/HTML-Tree-3.19.01
dev-perl/libwww-perl-5.803-r1
dev-perl/Net-SSLeay-1.25
dev-perl/IO-Socket-SSL-0.97
perl-core/DB_File-1.814
virtual/perl-DB_File-1.814
mail-filter/spamassassin-3.1.0
dev-python/pyzor-0.4.0-r2
mail-filter/dcc-1.3.24
mail-client/mailx-support-20030215
net-libs/liblockfile-1.06
mail-client/mailx-8.1.2.20040524-r1
mail-filter/spamassassin-ruledujour-20051123
dev-libs/gmp-4.1.4-r3
net-misc/curl-7.15.1-r1
app-antivirus/clamav-0.88.2
app-arch/zip [optional]
app-arch/zoo [optional]
app-arch/lha [optional]
app-arch/rar [optional]
app-arch/unrar [optional]
app-antivirus/bitdefender-console [optional]
app-antivirus/f-prot [optional]
net-mail/qlogtools-3.1 [If using custom ebuild]
net-mail/qmailanalog-0.70-r1 [If using custom ebuild]
net-mail/qms-analog-0.4.4-r1 [If using custom ebuild]
net-mail/ripmime-1.4.0.6
app-arch/unzip-5.52
net-mail/tnef-1.3.4
mail-filter/qmail-scanner-1.25-r3 [provided custom ebuild]
mail-filter/qms-analog-0.4.4-r1 [provided new ebuild]
mail-client/squirrelmail-1.4.5
app-portage/gentoolkit-dev-0.2.5

Now, lets get started.

Ensure Proper USE Flags Are Set

There are two ways of doing this: one is to edit your /etc/make.conf and set the flags globally, the other is to set them on a per-package basis. Using the per-package method prevents packages from being built with the wrong USE flags, for example during a world or system update.

vi /etc/make.conf
USE="apache2 maildir valias vhosts ssl imap authdaemond -selinux"

The per-package method is the way we'll proceed in this how-to. The general format for constructing per-package entries to add to your /etc/portage/package.use file is as follows:

echo [PackageCategory/PackageName] [flags] >> /etc/portage/package.use

For example:

echo "mail-mta/qmail apache2 maildir valias vhosts ssl imap authdaemond -selinux" >> /etc/portage/package.use

The selinux USE flag interferes with vpopmail's and vqadmin's ability to function correctly, so add -selinux to your make.conf USE flags.

If, during troubleshooting, there is a problem with qmail-scanner communicating with clamav, try re-emerging perl with suid support, specifically if you get permission denied errors when writing to /var/spool/qscan/working/*:

echo "dev-lang/perl perlsuid" >> /etc/portage/package.use
emerge perl

Install Qmail

First of all, make sure that you unmerge the other mail handlers that may be installed, such as ssmtp, sendmail, or postfix:

emerge -C ssmtp sendmail postfix
Note:

Currently, sys-apps/ucspi-tcp-0.88-r14 doesn't support SSL with IPv6 enabled, so, make your choice:

echo sys-apps/ucspi-tcp -ipv6 >> /etc/portage/package.use

OR:

echo sys-apps/ucspi-tcp -ssl >> /etc/portage/package.use

I'm using the first approach, ie, disable IPv6 support.

emerge qmail
env-update && source /etc/profile

Let's customize Qmail's certificate (edit it to fit your personal information). Change the [req_dn] part.

vi /var/qmail/control/servercert.cnf

I've been bitten several times in the past years with forgetting to renew the certificate. New boxes I install I now load up the following script to handle expired certificates and regenerate them automatically so I won't have to do the manual work in the future.

cp /var/qmail/bin/mkservercert /var/qmail/bin/mkservercert-noprompt
nano /var/qmail/bin/mkservercert-noprompt

and comment out the lines:

ewarn "Please customize ${conffile} before continuing!"
einfo "Press ENTER to continue, or CTRL-C to stop now."
read

Then save and quit, and create /etc/cron.daily/qmail-update-certificate with the following content:

#!/bin/sh
# Regenerate qmail's TLS certificate once openssl reports it as expired.
# "openssl verify" prints "certificate has expired" for an out-of-date
# certificate (it keeps checking after the self-signed error, so the
# expiry shows up for a self-signed cert too).  An equivalent test is
# "openssl x509 -checkend 0 -noout -in FILE", which exits non-zero when expired.
if openssl verify /var/qmail/control/servercert.pem 2>&1 | grep -q expired; then
    rm /var/qmail/control/servercert.pem
    /var/qmail/bin/mkservercert-noprompt
    /etc/init.d/svscan restart
fi

chmod +x /etc/cron.daily/qmail-update-certificate

ebuild /var/db/pkg/mail-mta/qmail-1.03-r16/qmail-1.03-r16.ebuild config

(or ebuild /var/db/pkg/mail-mta/netqmail-1.05-r8/netqmail-1.05-r8.ebuild config )

mkdir /service
ln -s /var/qmail/supervise/qmail-send /service/qmail-send
ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd

Now we create the common system aliases. These aliases are going to tell Qmail what to do with common server-generated mails. Stuff like bouncebacks, cron daily output and various other systemic sources. It's a good idea to redirect these aliases to a mailbox that you are going to check on a regular basis. You don't want to have your systemic mails piling up in some deep dark corner of your server doing no good and slowly filling your disk up.

echo some_address > /var/qmail/alias/.qmail-root
echo some_address > /var/qmail/alias/.qmail-postmaster
echo some_address > /var/qmail/alias/.qmail-mailer-daemon
ln -s /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-anonymous
chmod 644 /var/qmail/alias/.qmail*

Add to /var/qmail/control/locals, some might already be there:

<TheMachine'sHostName>
localhost
domain.com
<TheMachine'sHostName>.domain.com
localhost.domain.com

Of course, don't forget to change <TheMachine'sHostName> into YOUR machine's hostname ;)

Now let's make Qmail start at boot time, and start it:

source /etc/profile
rc-update add svscan default
/etc/init.d/svscan start

And that's all! Now you have a mail system that will handle mail for your local machine and the system daemons/users who utilize it.

Install RELAY-CTRL

Using relay-ctrl is a simple and straightforward way to allow us to send email with email clients from anywhere.

emerge relay-ctrl -va

Now edit the various /etc/tcprules.d/tcp.qmail-* files; the info is all there, and so should be your IPs. You can also make your :allow line look like:

:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"

This will only be used when you install Qmail-Scanner, but won't hurt to be there now...

After that execute

tcprules /etc/tcprules.d/tcp.qmail-smtp.cdb /etc/tcprules.d/.tcp.qmail-smtp.tmp < /etc/tcprules.d/tcp.qmail-smtp

with the appropriate files so that your changes will be saved. Or even better:

cd /etc/tcprules.d
make *

If you did set a very restrictive umask (like 077) on your system you should correct the permissions of /etc/tcprules.d/*.cdb with

chmod 644 *.cdb

Now you are ready to restart qmail.

/etc/init.d/svscan restart


IMPORTANT! If you can receive mail in your mailbox BUT cannot send, and the reason is "sorry, that domain isn't in my list of allowed rcpthosts", then the connecting client has no RELAYCLIENT set. For clients on the box itself (webmail, cron jobs) add a line like this to /etc/tcprules.d/tcp.qmail-smtp and rebuild the cdb:

127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""

A host name only matches when the rule is written with a leading "=" (=localhost, =domain.com); a bare name such as localhost:allow is parsed as an address and never matches anything. Name-based rules also stop working once tcpserver runs with -H (no reverse lookups, see the conf-common note below), and granting RELAYCLIENT by name trusts the client's reverse DNS, so prefer IP addresses for trusted hosts and SMTP AUTH for everyone else.

NOTE: The server is not an open relay as long as the default (empty-address) rule does not set RELAYCLIENT: qmail-smtpd then only accepts recipients in domains listed in /var/qmail/control/rcpthosts and answers everything else with "sorry, that domain isn't in my list of allowed rcpthosts". A default rule of

:allow,RBLSMTPD="-Reason_here"

goes further than that: rblsmtpd rejects every RCPT TO from hosts that match no more specific rule with a permanent 553 error carrying Reason_here (a text without the leading "-" gives a temporary 451 instead), so inbound mail from the Internet is refused as well. Use it only on a box that must accept mail solely from the hosts you list explicitly.
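The following is an added example and not part of the original how-to or of ucspi-tcp/qmail; it is in Python rather than the shell used above because it models decision logic. It shows how tcpserver picks a rule from a tcprules file for a connecting client, and what rblsmtpd and qmail-smtpd then answer to RCPT TO given the environment that rule set. The rules, rcpthosts entries and addresses are constructed for the demonstration; the lookup order is the one documented for tcprules and the rcpthosts suffix matching follows qmail-smtpd. Ident-based (info@) rules and tcpserver's -p paranoid mode are left out.

```python
"""Model of tcprules lookup plus rblsmtpd/qmail-smtpd RCPT handling.
Added example with constructed data; not code from the how-to."""

# Constructed sample tcp.qmail-smtp.  The first line shows the mistake
# discussed above: a host name without a leading '=' is an address rule
# and can never match a connecting client.
SAMPLE_RULES = """\
localhost:allow,RELAYCLIENT="",RBLSMTPD=""
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.1.:allow,RELAYCLIENT=""
=mail.example.test:allow,RELAYCLIENT=""
10.0.0.5:deny
:allow
"""

# Constructed /var/qmail/control/rcpthosts: exact domain plus '.suffix'.
SAMPLE_RCPTHOSTS = {"example.test", ".example.test"}


def parse_rules(text):
    """Map each rule key to (verdict, {ENV: value}), like tcprules' cdb."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, instr = line.partition(":")
        verdict, *settings = instr.split(",")
        env = {}
        for item in settings:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[key] = (verdict, env)
    return rules


def lookup_keys(ip, host=None):
    """Keys tcpserver tries, most specific first (host is None under -H)."""
    keys = [ip]
    if host:
        keys.append("=" + host)
    octets = ip.split(".")
    for n in range(len(octets) - 1, 0, -1):      # 10.0.0. -> 10.0. -> 10.
        keys.append(".".join(octets[:n]) + ".")
    if host:
        labels = host.split(".")
        for n in range(1, len(labels)):           # =.example.test -> =.test
            keys.append("=." + ".".join(labels[n:]))
    return keys + ["=", ""]


def match_rule(rules, ip, host=None):
    """Return (key, verdict, env) of the first matching rule, or None."""
    for key in lookup_keys(ip, host):
        if key in rules:
            verdict, env = rules[key]
            return key, verdict, env
    return None


def rcpthosts_allows(rcpt, rcpthosts):
    """qmail-smtpd: local addresses, the exact domain, or a '.suffix'
    entry matching the domain at any label boundary are accepted."""
    if "@" not in rcpt:
        return True
    domain = rcpt.rsplit("@", 1)[1].lower()
    for i, ch in enumerate(domain):
        if (i == 0 or ch == ".") and domain[i:] in rcpthosts:
            return True
    return False


def rcpt_verdict(env, rcpt, rcpthosts):
    """SMTP reply to RCPT TO for a client whose rule produced env."""
    blocked = env.get("RBLSMTPD")
    if blocked:                                   # rblsmtpd answers first
        if blocked.startswith("-"):
            return "553 " + blocked[1:]           # permanent rejection
        return "451 " + blocked                   # temporary rejection
    if "RELAYCLIENT" in env:                      # relaying permitted
        return "250 ok"
    if rcpthosts_allows(rcpt, rcpthosts):
        return "250 ok"
    return "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


def decide(rules, ip, rcpt, host=None, rcpthosts=SAMPLE_RCPTHOSTS):
    """Connection -> rule -> RCPT reply, the whole path in one call."""
    found = match_rule(rules, ip, host)
    if found is None or found[1] != "allow":
        return "connection refused"
    return rcpt_verdict(found[2], rcpt, rcpthosts)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ip in ("127.0.0.1", "203.0.113.9", "10.0.0.5"):
        print(ip, "->", decide(rules, ip, "x@elsewhere.test"))
```

Running it shows the point of the relay discussion: 127.0.0.1 may send anywhere because its rule carries RELAYCLIENT, a random Internet host hits the empty default rule and is limited to rcpthosts domains, and a client whose reverse name is "localhost" still falls through to the default rule because the bare localhost: line is never a lookup key.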

SMTP with encryption support is automatically installed if you compiled qmail with ssl.

NOTE: If you get an error like this:

20656:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:473:

Your qmail install might need the cipher lists.

   openssl ciphers > /var/qmail/control/tlsclientciphers
   openssl ciphers > /var/qmail/control/tlsserverciphers

To test our SSL/TLS connections, use openssl's s_client tool to handle encryption.

   # for pop:
   openssl s_client -connect localhost:995
   # for imap:
   openssl s_client -connect localhost:993
   # for smtp/tls:
   openssl s_client -crlf -starttls smtp -connect localhost:25

Install VpopMail

echo  net-mail/vpopmail -mysql >> /etc/portage/package.use
emerge vpopmail -va

Now let's create a domain:

vadddomain blah.com

If this step results in a command not found do:

env-update && source /etc/profile

Add a user:

vadduser user@blah.com

Delete a user:

vdeluser user@blah.com

You can also wait until you install vQadmin to add user(s) and/or domain(s).
That's it. Vpopmail is all set up.

IMPORTANT: Don't forget to add any new domain to /var/qmail/control/rcpthosts.

Install Courier-IMAP

Now let's Install Courier-IMAP as IMAP & POP3 Server.

echo net-libs/courier-authlib -mysql >> /etc/portage/package.use
emerge courier-imap -va

When you see a message like this:

* Failed Running autoconf !
*
* Include in your bugreport the contents of:
*
* /var/tmp/portage/courier-authlib-0.58/temp/autoconf-20592.out

and autoconf-20592.out contains:

***** autoconf *****
configure.in:26: error: possibly undefined macro: AC_PROG_SYSCONFTOOL
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.

The gdbm USE flag may be the cause, so try:

USE="-gdbm" emerge courier-authlib


We'll configure courier-authlib first.

vi /etc/courier/authlib/authdaemonrc

Ensure these headings look exactly like this in the authdaemonrc file

authmodulelist="authvchkpw"
authmodulelistorig="authvchkpw"

Do not have/leave/put extras in there. Now onto configuring courier-imap.

vi /etc/courier-imap/imapd

Make sure the following entries are put in like this. They may or may not be right next to each other so look around for them in the conf file.

IMAPDSTART=YES
MAXPERIP=20
MAILDIR=.maildir
MAILDIRPATH=.maildir
PRERUN="envdir /etc/relay-ctrl relay-ctrl-chdir"
LOGINRUN="relay-ctrl-allow"

Repeat the process for the imapd-ssl, pop3d and pop3d-ssl files as well, except that instead of IMAPDSTART you'll look for POP3DSTART or whatever is appropriate for the file.

Now lets add courier to our bootup scripts so it launches when we fire up Gentoo.

rc-update add courier-authlib default
rc-update add courier-imapd default
rc-update add courier-pop3d default

If you want to use SSL and TLS, you'll need to make SSL certs for them. Fill out State, City, Organization name and so on. For the Common Name (CN) of your server make sure it's the name clients connect to, e.g. mail.yourservername.com.

vi /etc/courier-imap/imapd.cnf
vi /etc/courier-imap/pop3d.cnf

Now let's create the certificates:

mkimapdcert
mkpop3dcert

Let's add these services to boot time

rc-update add courier-imapd-ssl default
rc-update add courier-pop3d-ssl default

Last thing: once started, you can totally stop and start the whole courier suite by recycling courier-authlib. Like this:

/etc/init.d/courier-authlib restart

Now let's install a useful tool, Courierpassd. It will allow a user to change their password from within SquirrelMail. Since there's no ebuild for it, I've made a custom one, and to get it we need a small package, app-portage/gentoolkit-dev:

emerge gentoolkit-dev -va

Why are we using this? Because I've set up a support site for my ebuilds (all bugs/feature requests should go there, because these ebuilds aren't supported by Gentoo) and an rsync server for you to sync from in order to get them.
First of all, after emerging app-portage/gentoolkit-dev of course, you'll need a .syncsource so gensync knows where to sync from:

cd /etc/gensync/
wget http://dev.ufsoft.org/qmr-portage/attachment/wiki/WikiStart/qmr-portage.syncsource?format=raw -O qmr-portage.syncsource

The defaults are good, but you can check /etc/gensync/gensync.conf and /etc/gensync/qmr-portage.syncsource.
Now, if you kept the default settings on the above files, you'll need to add my overlay to your /etc/make.conf. It should look like:

PORTDIR_OVERLAY="/usr/local/overlays/qmr-portage"

If you have an overlay already, separate both by a blank space:

PORTDIR_OVERLAY="/your/old/overlay /usr/local/overlays/qmr-portage"

Now it's as simple as:

gensync qmr-portage

And you have all my ebuilds. Let's start installing them:

emerge courierpassd -va

Make sure you take a look at the only_from setting in /etc/xinetd.d/courierpassd to see if you want to add more addresses.

Note: You may want to add additional IPs to the only_from setting above, depending on your needs, especially the local IP of the mail server machine; separate IPs by blank spaces. The poppassd protocol courierpassd speaks carries the old and new password in clear text, so only_from should list nothing beyond the webmail host(s).

Append the following line to the /etc/services file:

courierpassd 106/tcp #for /etc/xinetd.d/courierpassd

Let's make xinetd start at boot time:

rc-update add xinetd default
/etc/init.d/xinetd start

Update the SMTPD Config

Let's update the SMTPD Config to Allow SMTP-AUTH Using VPOPMAIL.

vi /var/qmail/control/conf-smtpd

I've tried a lot of iterations on this, but the easiest and most straightforward way is to completely delete or, better, comment out the contents of your /var/qmail/control/conf-smtpd file and just insert this in.

################## START OF /var/qmail/control/conf-smtpd #######################
#
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"

QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl relay-ctrl-chdir"
QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} relay-ctrl-check"

QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
#
################## END OF /var/qmail/control/conf-smtpd #######################

Important for qmail-1.03-r16 (and later?): If you're using qmail-1.03-r16 you have to change the last line above to QMAIL_SMTP_POST="${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}" for your server to accept SMTP connections.

Final touches to bring this together...

svc -t /var/qmail/supervise/qmail-smtpd
chmod u+s /var/vpopmail/bin/vchkpw

I've not done it but it was in the last howto and its said that "The following step makes sending mail a lot faster under some circumstances, and I highly recommend that you do the following if you notice delays of 30 to 45 seconds sending mail..." I've never seen any harm in it so it stays.

vi /var/qmail/control/conf-common
TCPSERVER_OPTS="-H -R -l 0" (that's lower-case L followed by zero)

Passing -R in conf-common as well as in conf-smtpd is harmless: tcpserver simply sees the same option twice. For the record, -H skips the reverse DNS lookup of the client (so =host rules in tcprules can never match), -R skips the ident (TCPREMOTEINFO) lookup, and -l 0 skips the lookup of the local host name; each of these removes a lookup that can stall a connection for the length of a DNS timeout, which is where the 30 to 45 second delays come from.

Furthermore, if you like logs, don't remove the -v option. without it, qmail-smtpd doesn't log very much at all

Install Ezmlm-idx

EZmlm is a nice mailing list add-on to Qmail. I've used it several times myself and its actually one of the better mailing list programs out there. When we install Qmailadmin later on, you'll see that EZmlm integrates seamlessly into Qmailadmin to provide a very user friendly mailing list management interface. As an added bonus, Vpopmail will let you control what users can and cannot use mailing lists, and you can even use vQadmin's web interface to do it! Can't beat that!

emerge ezmlm-idx -va

Install Qmailadmin

Qmailadmin is going to provide us with a nice web based interface for administering mail accounts once they are set up through Vpopmail (or Vqadmin). From Qmailadmin we can create mailboxes, aliases, forwards, mail robots and mailing lists. You'll also find a few other handy functions as well. Qmailadmin is sort of the icing on the Qmail cake.
The Qmailadmin package will also emerge net-mail/autorespond, which does exactly what you think it does. It allows us to set up autoresponders for mailboxes and so forth.

If you haven't already, sync to my rsync server:

gensync qmr-portage

Qmailadmin doesnt support the vhost USE flag and will be installed to /var/www/localhost. If you want it elsewhere:

cp -r /usr/local/overlays/qmr-portage/net-mail/qmailadmin/ /usr/local/overlays/mine/net-mail/

Around line 47 change dir_vhost to where you want it to be and make sure those dirs exist.
If you changed dir_vhost do:

ebuild /usr/local/overlays/mine/net-mail/qmailadmin/qmailadmin-1.2.3.ebuild digest

Make sure your mine overlay comes before qmr-portage in /etc/make.conf and that qmailadmin is coming from your overlay, in case you changed the ebuild and not qmr-portage. Of course you can name your overlay whatever you want.

emerge qmailadmin -va

To access Qmailadmin go to:

http://www.domain.com/cgi-bin/qmailadmin

If you have errors adding or modifying users, look in apache log files for hints. Common problems are solved by emerging the 1.2.9 ebuild.

Install vQadmin

Now, let's emerge all the packages we need to manage our domains from a web browser. Vqadmin is simply a nice web based interface that will let us manage Vpopmail. Through the interface we can create new domains, new users, net quotas, enable services and much more. Autoresponder does exactly what you think it does. It allows us to set up autoresponders for mailboxes and so forth.

Enough talking, but since vQadmin is masked we need some other steps... Let's set the keyword to "unmask" it and install.

echo net-mail/vqadmin ~x86 >> /etc/portage/package.keywords
emerge vqadmin -va

vQadmin also doesn't support the vhost USE flag and will be installed to /var/www/localhost. If you want it elsewhere:

cp -r /usr/portage/net-mail/vqadmin/ /usr/local/overlays/mine/net-mail/
vi /usr/local/overlays/mine/net-mail/vqadmin/vqadmin-2.3.6.ebuild

Around line 27 change dir_vhost to where you want it to be and make sure those dirs exist.

ebuild /usr/local/overlays/mine/net-mail/vqadmin/vqadmin-2.3.6.ebuild digest
emerge vqadmin -va

Now let's configure Apache for the default ebuild:

vi /etc/apache2/httpd.conf

Put this inside it:

<Directory "/var/www/localhost/cgi-bin/vqadmin">
deny from all
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow
</Directory>

Now we generate a password for our admin user (the file holds password hashes; if Apache runs as the apache user, root:apache ownership with mode 640 is tighter than the world-readable 644 used here):

htpasswd2 -c /etc/apache2/vqadmin.passwd admin
chmod 644 /etc/apache2/vqadmin.passwd
vi /var/www/localhost/cgi-bin/vqadmin/.htaccess

Make sure it looks like this:

AuthType Basic
AuthUserFile /etc/apache2/vqadmin.passwd
AuthName vQadmin
require valid-user
satisfy any
chown apache /var/www/localhost/cgi-bin/vqadmin/.htaccess
chmod 644 /var/www/localhost/cgi-bin/vqadmin/.htaccess
/etc/init.d/apache2 restart

To access vQadmin:

http://www.domain.com/cgi-bin/vqadmin/vqadmin.cgi

Or you can configure Apache for our custom ebuild:

vi /etc/apache2/vhosts.d/your_vhost_file_here.conf

Put this inside it:

ScriptAlias /cgi-bin/ /var/www/your_vhost_dir/cgi-bin/
<Directory "/var/www/your_vhost_dir/cgi-bin/vqadmin">
deny from all
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow
</Directory>

Now we generate a pass for our admin user:

htpasswd2 -c /etc/apache2/vqadmin.passwd admin
chmod 644 /etc/apache2/vqadmin.passwd
vi /var/www/your_vhost_dir/cgi-bin/vqadmin/.htaccess

Make sure it looks like this:

AuthType Basic
AuthUserFile /etc/apache2/vqadmin.passwd
AuthName vQadmin
require valid-user
satisfy any
chown apache /var/www/your_vhost_dir/cgi-bin/vqadmin/.htaccess
chmod 644 /var/www/your_vhost_dir/cgi-bin/vqadmin/.htaccess
/etc/init.d/apache2 restart

To access vQadmin:

http://your.vhost.domain.com/cgi-bin/vqadmin/vqadmin.cgi

SpamAssassin

Razor

Razor should be emerged before SpamAssassin, so:

emerge razor -va

And as root do (the -user/-pass pair is optional; a plain razor-admin -register creates a random identity and keeps the password out of your shell history and process list):

razor-admin --home=/etc/mail/spamassassin/.razor -create
razor-admin --home=/etc/mail/spamassassin/.razor -discover
razor-admin --home=/etc/mail/spamassassin/.razor -user=postmaster@domain.com -pass=ThePassword -register

It should then say "Register successful...". (Note that you may need to enter the last command a couple times to reach the registration server; if it says "Error 202", try "razor-admin -register" step again.)

SPF Support

SpamAssassin 3.0 supports SPF to detect and penalize header forgery, so let's emerge the module it needs (it also has to be emerged before spamassassin):

emerge Mail-SPF-Query -va

Install SpamAssassin

Now we install SpamAssassin:

echo mail-filter/spamassassin qmail ssl >> /etc/portage/package.use
emerge spamassassin -va

Now let's configure it.

vi /etc/mail/spamassassin/local.cf

At least put this inside, check documentation for some other tweaks...

required_score 6
skip_rbl_checks 1
rewrite_header Subject *****SPAM*****
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 1
bayes_auto_learn_threshold_spam 14.00

These settings manipulate the bayes learning feature of SpamAssassin. I would recommend setting the threshold to 'learn' high, as otherwise you will get a lot of false positives. A spam score of 14 seems to do a good job for me. Lower, and you will see things like many aol.com emails getting marked with a high Bayes score. Also have a look at the files inside /usr/share/spamassassin/ and make any changes you want in /etc/mail/spamassassin/local.cf.

Add it to boot time.

rc-update add spamd default
/etc/init.d/spamd start

Enable SPF Support

Add to /etc/mail/spamassassin/local.cf

loadplugin     Mail::SpamAssassin::Plugin::SPF

For more info check the SpamAssassin docs or in this particular case here.

Enable Razor Support

Add to /etc/mail/spamassassin/local.cf:

loadplugin     Mail::SpamAssassin::Plugin::Razor2
use_razor2 1

For more info check the SpamAssassin docs or in this particular case here. Some of the usual steps/options are described below.

Now we might need to tell SpamAssassin where to look for razor's config. Newest ebuilds put the directory in the right place. We can check this by doing:

ls -ail /etc/mail/spamassassin/.razor

If we found nothing there then we need to copy it (assuming previous location):

cp /etc/razor/razor-agent.conf /etc/mail/spamassassin/.razor

Now let's add it to /etc/mail/spamassassin/local.cf, in my case:

razor_config /etc/mail/spamassassin/.razor/razor-agent.conf

Tell razor where it lives, add to /etc/mail/spamassassin/.razor/razor-agent.conf:

razorhome = /etc/mail/spamassassin/.razor/

Here's how mine looks:

#
# Razor2 config file
#
# Autogenerated by Razor-Agents v2.75
# Sun Jul 24 19:43:42 2005
# Non-default values taken from /etc/razor/razor-agent.conf
#
# see razor-agent.conf(5) man page
#
razorhome = /etc/mail/spamassassin/.razor/
debuglevel             = 3
identity               = identity
ignorelist             = 0
listfile_catalogue     = servers.catalogue.lst
listfile_discovery     = servers.discovery.lst
listfile_nomination    = servers.nomination.lst
logfile                = razor-agent.log
logic_method           = 4
min_cf                 = ac
razordiscovery         = discovery.spamnet.com
razorzone              = razor2.cloudmark.com
rediscovery_wait       = 172800
report_headers         = 1
sort_by_distance       = 0
turn_off_discovery     = 0
use_engines            = 4,8
whitelist              = razor-whitelist

Attention: Razor needs TCP port 2703 outbound open.

Pyzor Support

emerge pyzor -va

And as root do:

pyzor --homedir /etc/mail/spamassassin/.pyzor discover

Make sure you add to /etc/mail/spamassassin/local.cf:

loadplugin     Mail::SpamAssassin::Plugin::Pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_add_header 1 # optional
pyzor_timeout 15 # optional, default 10 seconds

For more info check the SpamAssassin docs or in this particular case here.

Note: Newest ebuilds put pyzor in /usr/sbin/. May want to check where it is on your system and change pyzor_path to reflect accordingly.

Some have noticed that the default server provided by the 'discover' command is slow and often times out. There is an alternate mirror you can setup by putting '82.94.255.100:24441' in your /etc/mail/spamassassin/.pyzor/servers file.

DCC Support

emerge dcc -va

Don't forget to open port 6277 UDP on your firewall, because DCC uses UDP packets when replying, which are blocked by most firewalls by default.

Make sure you add to /etc/mail/spamassassin/local.cf:

loadplugin     Mail::SpamAssassin::Plugin::DCC
use_dcc 1
dcc_home /var/dcc
dcc_path /usr/bin/dccproc
dcc_dccifd_path /usr/sbin/dccifd
#ddc_add_header 1 # optional: Does this option exist? -- no it doesn't
                  # it's deprecated since sa 3.0
add_header all DCC _DCCB_: _DCCR_ # see http://spamassassinbook.packtpub.com/chapter11_preview.htm 
                                  # section "dcc headers"
dcc_timeout 15 # optional, default 10 seconds

I'm confused, shouldn't the above line 'ddc_add_header' be 'dcc_add_header' instead? -> I neither found the option 'dcc_add_header' nor 'ddc_add_header' in the documentation mentioned below, so I commented the line.

For more info check the SpamAssassin docs or in this particular case here.
DCC also provides some CGIs for things that even I am still gathering info about. So, if you know what they're for (I know, I can read the docs), provide some info here.

Those CGIs are installed by default in /var/www/localhost; if you want them in a VHost:

cp -R /usr/portage/mail-filter/dcc/ /usr/local/portage/mail-filter/
vi /usr/local/portage/mail-filter/dcc/dcc-1.3.16.ebuild

Change on line 26 dcc_cgibin to whatever VHost you'd like it to be.

ebuild /usr/local/portage/mail-filter/dcc/dcc-1.3.16.ebuild digest
emerge dcc -va

My SpamAssassin local.cf

# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################

# Sensitive data, such as database connection info, should
# be stored in /etc/mail/spamassassin/secrets.cf with
# appropriate permissions
###########################################################################
loadplugin     Mail::SpamAssassin::Plugin::DCC
loadplugin     Mail::SpamAssassin::Plugin::Pyzor
loadplugin     Mail::SpamAssassin::Plugin::Razor2
loadplugin     Mail::SpamAssassin::Plugin::SPF
###########################################################################
required_score 10 #6
skip_rbl_checks 0
rbl_timeout 5 # default 15 secs
rewrite_header subject *****SPAM*****

score PYZOR_CHECK 1
score RCVD_IN_BL_SPAMCOP_NET 2.0

######################
report_safe 1
######################
use_bayes 1
bayes_path /etc/mail/spamassassin/bayes
bayes_file_mode 0770
bayes_auto_learn 1
bayes_min_ham_num 400
bayes_min_spam_num 400
bayes_learn_during_report 1
bayes_use_hapaxes 1
bayes_auto_learn_threshold_nonspam 1
bayes_auto_learn_threshold_spam 14.00
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status

# Razor
use_razor2 1
razor_config /etc/mail/spamassassin/.razor/razor-agent.conf
# DCC
use_dcc 1
dcc_home /var/dcc
dcc_path /usr/bin/dccproc
dcc_dccifd_path /usr/sbin/dccifd
dcc_timeout 15 # optional, default 10 seconds
# Pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_timeout 15 # optional, default 10 seconds
##########################################################

# My Modified Headers
clear_headers
add_header all Pyzor _PYZOR_
add_header all Level _STARS(*)_
add_header all Score _HITS_
add_header all Flag _YESNO_
remove_header all Report

#add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES_ dcc=_DCCR_ pyzor=_PYZOR_ rbl=_RBL_ autolearn=_AUTOLEARN_ version=_VERSION_"
#add_header all Spammy "_SPAMMYTOKENS(2,short)_"
#add_header all Hammy "_HAMMYTOKENS(2,short)_"
trusted_networks 10.1.0
internal_networks 10.1.0

dcc_dccifd_path /usr/sbin/dccifd appears to be wrong.

"dcc_dccifd_path should not be the path to the dccifd binary, it should be the path to the dccifd SOCKET that dccifd creates when it is running."

Thus, I believe it should be set like this:

dcc_dccifd_path /var/dcc/dccifd

That's where my socket is created, not in /usr/sbin/. Can someone please confirm this? jpm: That's how I configured it. Confirmed again --Ghettodev 21:23, 19 May 2008 (UTC)

[9268] info: config: failed to parse line, skipping: pyzor_add_header 1

The pyzor_add_header directive was removed in SpamAssassin >= 3.0. For later versions, this line should be changed to:

add_header all Pyzor _PYZOR_

[9268] info: config: failed to parse line, skipping: dcc_add_header 1

This was removed as well, and the standard add_header call should be used instead:

add_header all DCC _DCCB_: _DCCR_

Test SpamAssassin Installation

First create your Bayes database:

sa-learn --sync

You should now have all the packages you need installed. First get the samples provided by Spamassassin.

cd /root
wget http://ufsoft.org/ebuilds/qmailrocks/sample-nonspam.txt

You can test this by entering:

spamassassin -D < /root/sample-nonspam.txt

Look for:

debug: bayes: found bayes db version 3
debug: is DNS available? 1
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8cb56b8)
debug: Razor2 is available
debug: Pyzor is available: /usr/bin/pyzor
debug: DCC is available: /usr/bin/dccproc

I could only see the above if I do:

spamassassin -r -D < /root/sample-nonspam.txt

If you have the debug: is DNS available? 1, then add to your local.cf:

dns_available yes

Pyzor and DCC will not show up if you use the example local.cf. To get the debug output to show them, comment out the PYZOR_CHECK and DCC_CHECK lines.

If you want to, you can also test with a spam email found here:

Some things to consider

The -r option tells SpamAssassin to submit the signatures of the messages to the online Razor, Pyzor, and DCC databases if we have those configured, and to update both the local AWL and Bayesian databases. However, when a user submits ham, I personally don't want any chance that the body of that message will leave my network. For that reason, I suggest using sa-learn --local, which only updates the local databases.

Spamassassin Optional Steps

You can make SpamAssassin learn a bit from others' experience.

mkdir /root/spam
cd /root/spam
wget ftp://mirrors.blueyonder.co.uk/sites/ftp.spamarchive.org/pub/archives/submit/*
gunzip *
screen -AmS learning
sa-learn --spam -C /etc/mail/spamassassin --showdots --debug-level --dir /root/spam/

If you get "out of memory" errors, try this instead.

for i in /root/spam/* ; do sa-learn --spam -C /etc/mail/spamassassin --showdots --debug-level $i ; done

This will only process one file at a time and be less intense on memory.

You can now hit CTRL+a d to detach the screen session and go to sleep or whatever (to get back to the screen session, as the same user, run screen -dr). It WILL take a while. For someone with a P4 3000 MHz, something around 12 hours... maybe less, but it took pretty long :-)

Well, I have news on this subject: on my P3 450 MHz with 512 of RAM, it broke my SpamAssassin Bayes db with 660.r2 to 669.r2 (had to re-emerge spamassassin); with all the others it hung my computer in the middle of the night, so I guess my Bayes only learned from a few (do note that I had aMule running as well ;) ). I'll leave this step to your consideration; besides, from what I've read around, if these spam messages are mostly old, you can lead Bayes to think old messages are spam.

It seems that this step also eats up memory like I've never seen before. On a server with 768Mb of RAM and 512 of swap, sa-learn crashed with an Out of Memory message before finishing the first lot of spam...

Auto update SA Rules

[was: Install Rules du jour]

Warning: rulesdujour is deprecated.

Here's what robbat2 has to say about it:


Subject: 	[gentoo-dev] Pending death of mail-filter/spamassassin-ruledujour
   Date: 	Thu, 2 Aug 2007 17:07:23 -0700
   From: 	Robin H. Johnson
     To: 	gentoo-dev@lists.gentoo.org 
Heya,
The upstream rules_du_jour folk have had issues over the last few months with DDoS and other attacks. Additionally, the nature of their original update mechanism causes a lot of traffic.
Everybody that is using rules_du_jour is strongly encouraged to move to using the sa-update mechanism that is included with recent versions of SpamAssassin.
Here is a guide to using SARE rulesets with sa-update: http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
mail-filter/spamassassin-ruledujour will be p.masked on August 4th, and removed one month thereafter.
-- Robin Hugh Johnson Gentoo Linux Developer & Council Member E-Mail  : [removed] GnuPG FP  : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85

Install Clam Antivirus

emerge clamav -va

Note: Clamav crashes

Clamav tends to crash quite often, which is bad because smtp access to qmail will not work with a crashed clamav daemon. The package daemontools which is also used by qmail provides a program which watches services and restarts them if they crashed. I strongly advise using daemontools with Clamav (phillip (dot) sky (@t) gmx (dot) de).

Let's configure it.

Configuration with daemontools (recommended)

vi /etc/conf.d/clamd

Set START_CLAMD=no (we will start clamd via daemontools).
Set START_FRESHCLAM=yes if you plan to use freshclam below.
Set up clamd.conf the way you want it. Don't forget to check that the line that says Example is commented out.

vi /etc/clamd.conf

As a quick out-of-the-box configuration, make sure you have this (these settings are scattered across the file rather than on consecutive lines, so check the whole document):

#Example
LogTime yes
LogSyslog yes
ScanMail yes
MaxThreads 30
Foreground yes
User qscand

vi /etc/freshclam.conf

As a quick out-of-the-box configuration, make sure you have this (these settings are scattered across the file rather than on consecutive lines, so check the whole document):

#Example
UpdateLogFile /var/log/clamav/freshclam.log
LogSyslog yes
DatabaseMirror db.XX.clamav.net
DatabaseMirror database.clamav.net
DatabaseOwner qscand

Replace XX with your country code; see the IANA ccTLD whois for the full list.

Follow the rest of the guide at http://productguide.itmanagersjournal.com/base/ldp/howto/Qmail-ClamAV-HOWTO/x142.html. Check all filesystem paths in the script: on Gentoo, executables usually reside under /usr/bin, not /usr/local/bin. If you want to use Gentoo's clamd log directory (which is /var/log/clamav), you have to change those paths, too. The new logfile in the log directory will be named current and will be rotated automatically. To display the timestamps correctly, filter the logfile through tai64nlocal like this:

cat current | tai64nlocal | less

Note: Clamav permissions issues

Clamd and freshclam need to run as the user/group qscand:qscand, which does not exist on the system yet. We could, of course, create the user and group qscand ourselves, but the mail-filter/qmail-scanner ebuild does this for us; it's just not the time for a full emerge of it yet. So my suggestion is: emerge mail-filter/qmail-scanner and cancel the emerge after the user ids are created; only then proceed with the steps below.

echo mail-filter/qmail-scanner spamassassin >> /etc/portage/package.use
emerge mail-filter/qmail-scanner -va

Don't forget to cancel right after the user ids are created.

Now we'll need to fix some permissions for clamd to be able to run as qscand and for qmail-scanner not to complain about it:

chown -R qscand:qscand /var/lib/clamav
chown -R qscand:qscand /var/run/clamav
chown -R qscand:qscand /var/log/clamav

Let's update the virus database, run:

/usr/bin/freshclam -l /var/log/clamav/clam-update.log

An explanation of why we do the above is here.

Let's add it to the boot sequence. With the settings we changed above in /etc/conf.d/clamd, the clamd init script only starts freshclam.

rc-update add clamd default
/etc/init.d/clamd start

Clamd will be started by svscan, which will be running for qmail anyway. To check that it is running, you can run:

/etc/init.d/svscan status

If you want to check the clamav daemon alone, you have to use clamdctl from now on.


Standard Configuration (not recommended)

vi /etc/conf.d/clamd

Set START_CLAMD=yes. Set START_FRESHCLAM=yes if you plan to use freshclam below.
Set up clamd.conf the way you want it. Don't forget to check that the line that says Example is commented out.

vi /etc/clamd.conf

As a quick out-of-the-box configuration, make sure you have this (these settings are scattered across the file rather than on consecutive lines, so check the whole document):

#Example
LogFile /var/log/clamav/clamd.log
LogTime yes
LogSyslog yes
ScanMail yes
User qscand

vi /etc/freshclam.conf

As a quick out-of-the-box configuration, make sure you have this (these settings are scattered across the file rather than on consecutive lines, so check the whole document):

#Example
UpdateLogFile /var/log/clamav/freshclam.log
LogSyslog yes
DatabaseMirror db.XX.clamav.net
DatabaseMirror database.clamav.net
DatabaseOwner qscand

Replace XX with your country code; see the IANA ccTLD whois for the full list.

Note: Clamav permissions issues

Clamd and freshclam need to run as the user/group qscand:qscand, which does not exist on the system yet. We could, of course, create the user and group qscand ourselves, but the mail-filter/qmail-scanner ebuild does this for us; it's just not the time for a full emerge of it yet. So my suggestion is: emerge mail-filter/qmail-scanner and cancel the emerge after the user ids are created; only then proceed with the steps below.

echo mail-filter/qmail-scanner spamassassin >> /etc/portage/package.use
emerge mail-filter/qmail-scanner -va

Don't forget to cancel right after the user ids are created.

Now we'll need to fix some permissions for clamd to be able to run as qscand and for qmail-scanner not to complain about it:

chown -R qscand:qscand /var/lib/clamav
chown -R qscand:qscand /var/run/clamav
chown -R qscand:qscand /var/log/clamav

Let's update the virus database, run:

/usr/bin/freshclam -l /var/log/clamav/clam-update.log

An explanation of why we do the above is here.

Let's add it to the boot sequence.

rc-update add clamd default
/etc/init.d/clamd start

Install Qmail-Scanner

Important: The build process of qmail-scanner is quite ugly. In order to support packages, they must already be on your system. This means you will have to emerge SpamAssassin and/or Clam AntiVirus before you emerge qmail-scanner.

In order to get some statistics, we have to use two custom ebuilds: one for QMS-Analog and another for Qmail-Scanner that includes qms-analog's patch, so that qmailstats can produce its nice reports.

I'm even making the process uglier from ferringb's point of view at #gentoo-portage IRC channel ;)
I'll add a variable to /etc/make.conf, MAIL_VHOSTS, which will set up qmail-scanner-queue.pl correctly for qmailstats reports.

If you haven't synced to my rsync server yet:

gensync qmr-portage

Now the ugly part, add to /etc/make.conf:

MAIL_VHOSTS="host1,host2,host3"

You could also emerge app-arch/zip, app-arch/zoo, app-arch/lha, app-arch/rar, app-arch/unrar, app-antivirus/bitdefender-console and app-antivirus/f-prot, among others; if you do, qmail-scanner will use them. Note that most of these antivirus scanners are only needed if you also serve W*ndows machines. Note(2): bitdefender & f-prot are only free to use in a home/personal environment; in a business environment a license must be purchased first.

Let's install it.

echo mail-filter/qmail-scanner spamassassin qmailstats >> /etc/portage/package.use
echo =net-mail/qlogtools-3.1 >> /etc/portage/package.keywords
emerge qmail-scanner -va

First of all, let's make sure spamd has no permission problems reading SpamAssassin's settings:

chown -R qscand:qscand /etc/mail/spamassassin/

Change the Queuer

vi /var/qmail/control/conf-common

At least have this in it:

export QMAILQUEUE=/var/qmail/bin/qmail-scanner-queue

Also check /etc/tcprules.d/tcp.qmail-smtp and configure it to your needs.

Here's how mine looks:

File: /etc/tcprules.d/tcp.qmail-smtp
# to update the database after changing this file, run:
# tcprules /etc/tcprules.d/tcp.qmail-smtp.cdb /etc/tcprules.d/.tcp.qmail-smtp.tmp < /etc/tcprules.d/tcp.qmail-smtp
#------------------------------------------------------
# DESCRIPTION OF THE RULES TO REMIND ME OF HOW THIS FILE WORKS
#
# If you set 'allow', this means that our mail server will allow
# the specified IP range to make a TCP connection to our server
#
# If you set 'deny', this means that our mail server will not allow
# the specified IP range to make a TCP connection to our server
#
# If you set RELAYCLIENT="", this means that the listed IP range is
# allowed to relay mail through our server
#
# If you dont set RELAYCLIENT="", this means that the listed IP range
# will not be able to relay mail through our server
#
# If you set RBLSMTPD="", this means that the listed IP ranges will
# not be checked against any of the RBL databases
#
# If you set RBLSMTPD="some text here", this means that an RBL lookup
# wont be performed, but the mail will be rejected with the specified
# text as a 4xx temp error message
#
# If you set RBLSMTPD="-some text here", this means that an RBL lookup
# wont be performed, but the mail will be rejected with the specified
# text as a 5xx perm error message
#
# If you do not set RBLSMTPD="" or ="some text", then an RBL lookup
# will be performed. If the lookup is successful, then RBLSMTPD will
# return your custom error message (as specified in the -r parameter
# in smtpd supervise script)
#
#-----------------------------------------------------
# HERE ARE THE RULES! :
#-----------------------------------------------------
# BYPASS OPEN RELAY CHECKING FOR THESE IPS :
#
# These IPs are ones that we have setup so that they arent RBL checked.
# We have done this because these particular servers are RBL listed,
# and for whatever reason they can't/won't fix their open relay problem,
# and we still want to be able to receive mail from them..
#
# reminder text goes here for this entry so we know the story...
#111.111.111.111:allow,RBLSMTPD=""
# reminder text goes here for this entry so we know the story...
#222.222.222.222:allow,RBLSMTPD=""
#
#-----------------------------------------------------------------
# DONT ALLOW THESE IPS TO SEND MAIL TO US :
#
# mailXX.offermail.net connecting regularly and sending invalid
# format messages causing exit with status 256 (bare linefeed normally)
# entry added 15/12/2001
# after looking at the mail coming from these servers it was found to be spam
216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
#
# heaps of spam from replyto of *@freeamateurhotties.com dec2001
64.228.127.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
154.20.94.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
209.151.132.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
216.18.85.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#
#-----------------------------------------------------------------
# ALLOW THESE IPS TO RELAY MAIL THROUGH OUR SERVER
#
# Local class-c's from our LAN are allowed to relay,
# and we wont bother doing any RBL checking.
#123.123.123.:allow,RELAYCLIENT="",RBLSMTPD=""
#123.111.111.:allow,RELAYCLIENT="",RBLSMTPD=""
#
# Connections from localhost are allowed to relay
# (because the WebMail server runs on localhost),
# and obviously there is no point trying to perform an RBL check.
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue",QS_SPAMASSASSIN="on"
#127.:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
#
#-----------------------------------------------------------------
# ALLOW EVERYONE ELSE TO SEND US MAIL
#
# Everyone else can make connections to our server,
# but not allowed to relay
# RBL lookups are performed
#:allow

# If you are using qmail-scanner, this line here is the correct one to use
# instead (comment out the above ':allow' line FIRST) and applies that script
# to any mail coming in that is not from a host allowed to relay. You can
# change the value of the variable to any other value you desire to use custom
# scripts for example.
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
#192.168.1.2:allow,RELAYCLIENT="",RBLSMTPD=""
#10.1.0.1:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue",QS_SPAMASSASSIN="on"
10.1.0.:allow,RELAYCLIENT=""
#10.:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
#81.193.177.141:allow,RELAYCLIENT="",RBLSMTPD=""

After editing do:

cd /etc/tcprules.d/
make tcp.qmail-smtp

You can also rebuild all by doing:

cd /etc/tcprules.d/
make *
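After a rebuild, what matters is which rule actually wins for a given client address: a rule that unexpectedly hands out RELAYCLIENT turns the server into an open relay. On the live system ucspi-tcp's tcprulescheck answers that against the .cdb (run it with TCPREMOTEIP set). The following is an added example, not from this page or from ucspi-tcp, that reproduces the rule selection order of tcprules(1) in plain POSIX sh against a constructed subset of the file above, so it runs anywhere; it assumes IPv4 only, no =host rules, and ranges only in the last octet, which is the form the file above uses.

```shell
#!/bin/sh
# Added example, not part of the page or of ucspi-tcp: answers "which rule in
# tcp.qmail-smtp applies to this client, and does it grant relaying?" using the
# lookup order from tcprules(1): exact address, then each dot-terminated prefix
# from longest to shortest, then the empty (default) key.
# Assumptions: IPv4 only, no =host rules, ranges only in the last octet (a.b.c.x-y).

# Constructed sample input: a subset of the page's rules, rejection texts shortened.
QMR_SAMPLE_RULES='
# banned senders: the lookup returns the RBLSMTPD rejection text
216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
# a whole class C refused via a trailing-dot prefix key
64.228.127.:allow,RBLSMTPD="-Connections refused due to spam"
# localhost may relay and goes through the scanner queue
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue",QS_SPAMASSASSIN="on"
# everyone else: accepted and scanned, but no relaying
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
# the LAN may relay (position in the file is irrelevant; key specificity decides)
10.1.0.:allow,RELAYCLIENT=""
'

# Print the concrete keys a rule key stands for: "a.b.c.x-y" expands to one
# address per value of the last octet; any other key is printed unchanged.
expand_key() {
  key=$1
  case $key in
    *-*)
      prefix=${key%.*}; range=${key##*.}
      i=${range%-*}; hi=${range#*-}
      while [ "$i" -le "$hi" ]; do
        printf '%s.%s\n' "$prefix" "$i"
        i=$((i + 1))
      done ;;
    *) printf '%s\n' "$key" ;;
  esac
}

# Print the action of the first rule whose key equals $1 ("" is the default
# rule) in the rules text $2; exit 1 when no rule has that key.
rule_for_key() (
  wanted=$1
  printf '%s\n' "$2" | {
    while IFS= read -r line; do
      case $line in ''|'#'*) continue ;; esac
      key=${line%%:*}; action=${line#*:}
      if [ -z "$key" ]; then
        [ -z "$wanted" ] && { printf '%s\n' "$action"; exit 0; }
        continue
      fi
      for concrete in $(expand_key "$key"); do
        [ "$concrete" = "$wanted" ] && { printf '%s\n' "$action"; exit 0; }
      done
    done
    exit 1
  }
)

# Print the action tcpserver would apply to client IP $1 under the rules $2.
tcprules_lookup() {
  ip=$1; rules=$2
  candidates=$ip            # exact address first ...
  p=$ip
  while [ "${p%.*}" != "$p" ]; do
    p=${p%.*}
    candidates="$candidates $p."   # ... then 1.2.3., 1.2., 1.
  done
  for cand in $candidates; do
    if action=$(rule_for_key "$cand" "$rules"); then
      printf '%s\n' "$action"
      return 0
    fi
  done
  rule_for_key "" "$rules"  # finally the default rule, if any
}

# Succeeds when the selected rule sets RELAYCLIENT, i.e. the client may relay
# through us. This is the check to repeat after every edit of the file.
relay_allowed() {
  action=$(tcprules_lookup "$1" "$2") || return 1
  case $action in *RELAYCLIENT=*) return 0 ;; *) return 1 ;; esac
}

# Show the outcome for a few constructed client addresses.
for client in 127.0.0.1 10.1.0.5 216.242.75.110 216.242.75.120 8.8.8.8; do
  printf '%-16s -> %s\n' "$client" "$(tcprules_lookup "$client" "$QMR_SAMPLE_RULES")"
done
```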

Now let's check some stuff:

vi /var/qmail/bin/qmail-scanner-queue.pl

Make sure the $spamc_binary variable is set to '/usr/bin/spamc' and the $clamscan_binary variable to '/usr/bin/clamscan'. You may also want to change $V_FROM (around line 103) to 'postmaster@domain.com' or whatever you want, and likewise $QUARANTINE_CC (around line 107).

If ClamAV reports memory problems, try raising the softlimit in /var/qmail/control/conf-common.

Test it

To test it, qmail-scanner comes with a handy script:

bunzip2 /usr/share/doc/qmail-scanner-2.01/contrib/test_installation.sh.bz2
chmod 755 /usr/share/doc/qmail-scanner-2.01/contrib/test_installation.sh
/usr/share/doc/qmail-scanner-2.01/contrib/test_installation.sh -doit

NOTE: If this fails with the error "clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status", check your clamd privileges, OR see the note below about running the script as root, OR, if desperate, set the clamd user in /etc/clamd.conf:

User root

Log into your root user's mailbox; if you have set the alias like me (shown above in the qmail installation), it should be postmaster@domain.com. If you now have 2 messages inside, you're good to go. Optionally you can also check /var/spool/qmailscan/quarantine/new/:

ls /var/spool/qmailscan/quarantine/new/

There should be 2 messages inside, the ones that got caught. ;)

You could also try http://www.webmail.us/testvirus to have some harmless test viruses sent to you...

I believe there is a problem running the test_installation.sh script as root. You need to run it as user qscand in order for it to write temporary files owned by qscand to /var/spool/qmailscan/tmp instead of being owned by root. I quickly changed the login shell of user qscand to /bin/bash, did 'su qscand' and ran it again. I no longer got clamdscan: corrupt or unknown .... errors. Alternatively, you can use `setuidgid` to run the script without changing shell information. Example: `setuidgid qscand ./test_installation.sh -doit`.

Under normal operation qmail-scanner is not run as root but as the user qscand, so this simulates the run-time environment more accurately.

Setup Qmailstats

emerge -va qms-analog

As of net-mail/qms-analog-0.4.4-r1, there's no need to edit /var/qmail/bin/qmailstats to change the To and From email addresses; you only need to edit it if you want a value other than the default, which is postmaster@localhost.

This is a solid script: it sends the server administrator an email with both the qmailanalog output and qms-analog's readout of qmail-scanner's activity, and it runs every night (see /etc/cron.daily/qmailstats). Pretty sweet, huh?

Even though you don't need to change the addresses on /var/qmail/bin/qmailstats, you might want to take a look at it, and change whatever you might find necessary:

vi /var/qmail/bin/qmailstats

VERY IMPORTANT:
Previously, in order for the /var/qmail/bin/qmailstats script to give you the statistics correctly, you had to change /var/qmail/bin/qmail-scanner-queue.pl, around line 126:

my $local_domains_string="'localhost'";

to include all the domains you host, for example:

my $local_domains_string="'localhost','domain.com','virtual.domain.com','domain1','virtual.domain1.com'";

Man, I was after this solution for such a long time!

You also needed to change lines 115 and 119, my $V_FROM and my $QUARANTINE_CC, to, for example, postmaster@domain.com.

You needed to make these changes EVERY time you emerged qmail-scanner.

Now, with my MAIL_VHOSTS variable, it's done automatically at every new emerge. Of course, every time you add a new domain, you need to add it to MAIL_VHOSTS in /etc/make.conf and re-emerge qmail-scanner. Or you can edit /var/qmail/bin/qmail-scanner-queue.pl and make the changes as described above, but still add it to /etc/make.conf for the next time you emerge world.

Install SquirrelMail

Let's install a webmail client to make mail accessible via a web browser. My choice for this was Squirrelmail. Squirrelmail is both easy to install and it has lots of nice plugins to broaden its abilities. With it a lot of packages will also be installed and we'll need to set some flags for those.

echo media-gfx/xloadimage jpeg >> /etc/portage/package.use
echo app-crypt/gnupg -X bzip2 >> /etc/portage/package.use
echo mail-client/squirrelmail virus-scan spell ssl vhosts -mysql >> /etc/portage/package.use
emerge -va xloadimage gnupg squirrelmail

As you might have noticed, webapp-config was installed; that's a handy tool for installing web applications, so let's install SquirrelMail at http://mail.domain.com.

webapp-config -I -h mail.domain.com -d / squirrelmail {yourversionhere}

Note: Substitute mail.domain.com for your web server domain. In most cases, this will be localhost.

You'll notice the output lists several files that need to be edited. Let's start:

cd /var/www/mail.domain.com/htdocs

Configure Plugins

Config Retrieve User Data

vi plugins/retrieveuserdata/config.php

Comment out $SQRUD_RETRIEVE_DATA_FROM = "ldap.php";, around line 32, like this:

//$SQRUD_RETRIEVE_DATA_FROM = "ldap.php";

And uncomment, a few lines down:

$SQRUD_RETRIEVE_DATA_FROM = "vpopmail.php";

Around line 150, uncomment $SQRUD_VPOP_VUSERINFO = "/mail/bin/vuserinfo"; and make it look like:

$SQRUD_VPOP_VUSERINFO = "/var/vpopmail/bin/vuserinfo";

vi plugins/retrieveuserdata/vpopmail.php

Around line 36, set it to an absolute path:

require_once("/var/www/mail.domain.com/htdocs/plugins/retrieveuserdata/config.php");

Config Virus Scan

vi plugins/virus_scan/config.php

Tweak it to your needs.

Config GnuPG

vi plugins/gpg/gpg_local_prefs.txt

Tweak it to your needs.

If this one fails to work, make sure you have the following in your Apache SSL mail vhost config:

SSLEngine on
SSLOptions	+StdEnvVars

In order for the gpg plugin to work correctly when retrieving keys from a keyserver, we have to set allow_url_fopen to on. It's off in /etc/apache2/php.ini for security reasons, so we keep that global setting and only enable it on that SSL vhost.

So, add to your vhost config:

php_admin_flag allow_url_fopen on

Config Show SSL Link

vi plugins/show_ssl_link/config.php

Tweak it to your needs.

Config Secure Login

vi plugins/secure_login/config.php

Tweak it to your needs.

Config SquirrelSpell

If emerging squirrelmail pulled in aspell, you need to change plugins/squirrelspell/sqspell_config.php; if you had ispell installed previously, there's no need to do anything.

Whenever you find ispell inside, change that to aspell.

vi plugins/squirrelspell/sqspell_config.php

Here's how mine looks, the parts that matter:

$SQSPELL_APP = array('English' => 'aspell -a',
                        'Spanish' => 'aspell -d spanish -a');
$SQSPELL_APP_DEFAULT = 'English';
$SQSPELL_WORDS_FILE =
   getHashedFile($username, $data_dir, "$username.words");

$SQSPELL_EREG = 'ereg';

Note: If you don't want aspell at all, emerge ispell before squirrelmail.

Install Change Pass

This one will allow users to change their own password.

cd /var/www/mail.domain.com/htdocs/plugins
wget http://squirrelmail.org/countdl.php?fileurl=http://www.squirrelmail.org/plugins/change_pass-2.7-1.4.x.tar.gz
tar zxvf change_pass-2.7-1.4.x.tar.gz
rm change_pass-2.7-1.4.x.tar.gz

Configure SquirrelMail

cd /var/www/mail.domain.com/htdocs/config
./conf.pl

Let's configure the main options. Do feel free to look at the other options and tweak them to your needs.

You might also want to set the SquirrelMail admins so they can use the administration plugin. The email addresses entered in /var/www/mail.domain.com/htdocs/config/admins will have access to the administration plugin when they log into SquirrelMail.

Want to speed up SquirrelMail when sending messages??? ;)
Set SquirrelMail to use sendmail instead of SMTP, set the path to sendmail to /bin/true, and add to the Courier imapd or imapd-ssl config in /etc/courier-imap:

##NAME: OUTBOX:0
#
# The next set of options deal with the "Outbox" enhancement.
# Uncomment the following setting to create a special folder, named
# INBOX.Outbox
#
#OUTBOX=.Outbox
OUTBOX=.Sent

##NAME: SENDMAIL:0
#
# If OUTBOX is defined, mail can be sent via the IMAP connection by copying
# a message to the INBOX.Outbox folder.  For all practical matters,
# INBOX.Outbox looks and behaves just like any other IMAP folder.  If this
# folder doesn't exist it must be created by the IMAP mail client, just
# like any other IMAP folder.  The kicker: any message copied or moved to
# this folder is will be E-mailed by the Courier-IMAP server, by running
# the SENDMAIL program.  Therefore, messages copied or moved to this
# folder must be well-formed RFC-2822 messages, with the recipient list
# specified in the To:, Cc:, and Bcc: headers.  Courier-IMAP relies on
# SENDMAIL to read the recipient list from these headers (and delete the Bcc:
# header) by running the command "$SENDMAIL -oi -t -f $SENDER", with the
# message piped on standard input.  $SENDER will be the return address
# of the message, which is set by the authentication module.
#
# DO NOT MODIFY SENDMAIL, below, unless you know what you're doing.
#
SENDMAIL=/usr/sbin/sendmail

##NAME: HEADERFROM:0
#
# For administrative and oversight purposes, the return address, $SENDER
# will also be saved in the X-IMAP-Sender mail header.  This header gets
# added to the sent E-mail (but it doesn't get saved in the copy of the
# message that's saved in the folder)
#
# WARNING - By enabling OUTBOX above, *every* IMAP mail client will receive
# the magic OUTBOX treatment.  Therefore advance LARTing is in order for
# _all_ of your lusers, until every one of them is aware of this.  Otherwise if
# OUTBOX is left at its default setting - a folder name that might be used
# accidentally - some people may be in for a rude surprise.  You can redefine
# the name of the magic folder by changing OUTBOX, above.  You should do that
# and pick a less-obvious name.  Perhaps brand it with your organizational
# name ( OUTBOX=.WidgetsAndSonsOutbox )
HEADERFROM=X-IMAP-Sender

This will make every message moved to the magic Sent folder be emailed through the existing IMAP connection, a lot faster!!!!!! Mind the WARNING in the config above, though: the OUTBOX treatment applies to every IMAP client on the server, so any other client that saves a copy of outgoing mail to .Sent will have Courier send it a second time; if other clients use this server, pick a less obvious folder name, as the config suggests.
More info on this subject can be found here

Optional

QTrap

A useful ingredient in this installation is going to be a domain level word filter, which the QmailRocks.org Postmaster named "Qtrap". This script is applied on a per domain basis and serves as a "bad word" scanner to catch any spam that Spamassassin may have missed. This filter serves as the last defense against SPAM before it arrives in your inbox. I like this filter because it helps to get rid of any SPAM that happens to make it by Spamassassin. Without any protection at all, my mailbox gets a shit ton of SPAM every day. Within the first 3 months I enacted the Qtrap filter, Qtrap logged over 9,000 deleted SPAM messages, none of which were legitimate e-mails. My keyboard's delete key very much appreciated the extra rest.

P.S.: All the "I"s are from the QmailRocks.org Postmaster; this text was extracted from his how-tos for other *nixes.

Any emails that are scanned and contain a banned word will be automatically deleted and logged by the qtrap script. A whitelist feature now exists so that individual addresses or domains can be exempt from the qtrap scan.

So let's install it...

cd /var/vpopmail
mkdir -p qtrap/logs
cd qtrap
vi qtrap.sh

Put this inside

#!/bin/sh
#################################
#        _                      #
#       | |                     #
#   __ _| |_ _ __ __ _ _ __     #
#  / _` | __| '__/ _` | '_ \    #
# | (_| | |_| | | (_| | |_) |   #
#  \__, |\__|_|  \__,_| .__/    #
#     | |             | |       #
#     |_|             |_| v2.0.0#
#################################
#Release 2.0.0 - June 24th, 2004
#Hacked by Eric Siegel

# Qmailrocks.org presents qtrap v2.0.0. A simple, yet effective domain level e-mail content filter.
# This script, as is is now, is a hacked up rendition of a subject scanning script I found on the web.
# However, instead of only scanning the subject of the email, this script scans the whole damn thing.
# Additionally, I added some extra logging features to the script.

# --- How Qtrap works ---
# Incoming mail to a qtrap enabled domain is scanned upon arrival. If the sender's address
# is found in the qtrap whitelist, the message is allowed to pass unhindered and the action is logged.
# If the sender is not in the whitelist, the message is then scanned against an array of "banned" words
# that is set by the system administrator. If the message does not contain a banned word, it is
# allowed to go on its way. If it contains a banned word, the message is deleted and the action
# is logged in the Qtrap log.
# -----------------------

# --- How qtrap logs ---
# There are 2 logging features here:

# 1. Log entry to the qmail-send log
# This script, when it deletes a message, will insert an entry into the qmail-send log
# The format of the entry is:  "MESSAGE DROPPED from someone@somewhere.com because of some_bad_word"
# This feature comes in handy when analyzing your qmail logs. Duh.

# 2. Log entry to independent qtrap log file
# This script, when it deletes a message, will insert an entry into the designated qtrap log.
# The format of the entry is: "MESSAGE DROPPED from someone@somewhere.com because of
# some_bad_word on some_date & time"
# The log is also written to when an email is allowed to pass due to its presence in the whitelist.
# ------------------------

# --- Future plans for qtrap ---
# This script will eventually be converted to Perl
# at which time I will probably add MySQL functionality,
# thus allowing for web based, on the fly, content filter
# management.
# ------------------------------

# --- qtrap filter rules ---
# 1. The filter is case sensitive. So "Porn" is different from "porn".
#
# 2. Wildcards are possible. For example: porn* would block the word "porn" but would also
# block the word "pornography".
#
# 3. Banned words and whitelist addresses must be separated by a |. NEVER end the array with a |.
#---------------------------



#The whitelist configuration block

whitelist_check () {
 case $WHITELIST in
 address@somewhere.com|address@somewhereelse.com)
 echo $SENDER found in whitelist on `date "+%D %H:%M:%S"` >> \
 /var/vpopmail/qtrap/logs/qtrap.log
 exit 0;;
  *)
   ;;
  esac
}

# The banned word list configuration block

checkall () {
 case $BANNED_WORDS in
 porn|PORN|Sex|SEX)
   echo MESSAGE DROPPED from $SENDER because of $BANNED_WORDS on `date "+%D %H:%M:%S"` >> \
 /var/vpopmail/qtrap/logs/qtrap.log
   exit 99;;
  *)
   ;;
  esac
}

#Do not edit below here

WHITECHECK=$SENDER
for WHITELIST in $WHITECHECK
do
 whitelist_check $WHITELIST
done

CONTENT=`(cat)`
for BANNED_WORDS in $CONTENT
do
 checkall $BANNED_WORDS
done
exit 0

Defining your whitelist: In qtrap.sh you will see a block of code for the whitelist that looks like this:

whitelist_check () {
case $WHITELIST in
address@somewhere.com|address@somewhereelse.com|*entiredomain.com)
echo $SENDER found in whitelist on `date "+%D %H:%M:%S"` >> \
/var/vpopmail/qtrap/logs/qtrap.log
exit 0;;
*)
;;
esac
}

The email addresses in the case pattern above (address@somewhere.com and so on) should be replaced with any email addresses that you wish to whitelist against the qtrap filter. Whitelisted addresses will be allowed to send you mail that contains "banned" words. Non-whitelisted addresses will be scanned and their message deleted if it contains a banned word. As you can see above, you can specify an individual address (address@somewhere.com) or simply whitelist an entire domain (*entiredomain.com).

Defining your "banned word" list:

Within the qtrap.sh script you should see another section, below the whitelist section of code, that looks like this:

checkall () {
case $BANNED_WORDS in
porn|PORN|Sex|SEX)
echo MESSAGE DROPPED from $SENDER because of $BANNED_WORDS on `date "+%D %H:%M:%S"` >> \
/var/vpopmail/qtrap/logs/qtrap.log
exit 99;;
*)
;;
esac
}

The case pattern in the section above (porn|PORN|Sex|SEX) is the array of "banned" words. Edit this array to your satisfaction. Make sure that each word is separated by a pipe "|" and keep in mind that the array is case sensitive. So the words "SEX" and "Sex" are 2 different words. Also, exercise caution here. You don't want to ban words that are used in everyday e-mails. For example, you wouldn't want to ban the word "hello" or something like that. You should only ban words that you are 100% sure you would never see in a legitimate e-mail.

Now let's set up the logging directory...

chmod +x /var/vpopmail/qtrap/qtrap.sh
touch /var/vpopmail/qtrap/logs/qtrap.log
chown -R vpopmail:mail /var/vpopmail/qtrap
chmod -R 755 /var/vpopmail/qtrap

Now we will add this script into the mail path for a domain on our server.

cd /var/vpopmail/domains/yourdomain.com
vi .qmail-default

add the following line above the line that is already there

| /var/vpopmail/qtrap/qtrap.sh

Here's an example:

.qmail-default before:

| /var/vpopmail/bin/vdelivermail '' delete

.qmail-default after:

| /var/vpopmail/qtrap/qtrap.sh
| /var/vpopmail/bin/vdelivermail '' delete

Save these changes and that should be it. You don't have to restart anything. To test this last rule, try sending an e-mail to your mailbox and make sure that the test e-mail contains one of the words that you entered into the "bad word" list in the Qtrap script. If the filter is working right, the message should NOT arrive in your inbox. You should then be able to view the log file at /var/vpopmail/qtrap/logs/qtrap.log and see a log of the dropped message corresponding to the time at which you sent the test message. The drop log should look something like this:

MESSAGE DROPPED from someone@somewhere.com because of some_banned_word on 06/13/03 02:37:51

If the test was successful, then that's it!
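Before a word list goes into a domain's .qmail-default, it helps to see what qtrap's case patterns will actually do to real tokens. The following is an added example, not part of the page or of the qtrap script: a stand-alone harness that applies qtrap's matching rules (whitelist first, then one whole-word, case-sensitive glob match per whitespace-delimited token, with the exit codes dot-qmail(5) gives to 0 and 99) to constructed messages. The whitelist, the banned-word list, the senders and the message texts are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page or the qtrap script): an offline harness
# that applies qtrap's matching rules to constructed messages. Every sender,
# message and word list below is made up for the demonstration.

# Does token $1 match any of the '|'-separated alternatives in $2?
# This is exactly how the case statements in qtrap.sh match: the whole token,
# case-sensitive, with '*' and '?' acting as wildcards.
match_any() (
  word=$1
  printf '%s\n' "$2" | tr '|' '\n' | {
    while IFS= read -r pat; do
      case $word in $pat) exit 0 ;; esac
    done
    exit 1
  }
)

# Decide what qtrap would do with one message. $1 is the envelope sender
# (qmail's $SENDER), $2 the whitelist, $3 the banned-word list; the message
# itself is read from stdin. The exit codes are the ones qtrap.sh uses and
# dot-qmail(5) defines: 0 = go on to the next .qmail-default line,
# 99 = stop processing the file (the message is silently dropped).
qtrap_verdict() (
  sender=$1; whitelist=$2; banned=$3
  if match_any "$sender" "$whitelist"; then
    exit 0
  fi
  # qtrap walks the message one whitespace-delimited token at a time, so a
  # pattern without a wildcard only hits a whole token: "SEX." is not "SEX".
  tr -s '[:space:]' '\n' | {
    while IFS= read -r token; do
      [ -n "$token" ] || continue
      if match_any "$token" "$banned"; then
        exit 99
      fi
    done
    exit 0
  }
)

# Constructed lists. Note the whitelist form: '*@partner.example' only matches
# addresses at that domain, whereas the page's '*entiredomain.com' form also
# matches e.g. user@notentiredomain.com.
QT_WHITELIST='boss@example.com|*@partner.example'
QT_BANNED='porn*|PORN|Sex|SEX'

# Run one constructed message through the filter and describe the outcome.
# $1 is the envelope sender, $2 the message text.
qtrap_try() {
  if printf '%s\n' "$2" | qtrap_verdict "$1" "$QT_WHITELIST" "$QT_BANNED"; then
    echo "pass (exit 0): vdelivermail on the next line delivers it"
  else
    rc=$?
    echo "drop (exit $rc): qmail-local stops here, nothing is delivered"
  fi
}

# Demonstration runs; the comments state the expected verdict.
qtrap_try spammer@example.org 'cheap porn here'          # drop: "porn" hits porn*
qtrap_try spammer@example.org 'cheap pornography here'   # drop: the * wildcard
qtrap_try spammer@example.org 'Porn is not on the list'  # pass: case-sensitive
qtrap_try spammer@example.org 'SEX.'                     # pass: trailing dot
qtrap_try boss@example.com 'porn'                        # pass: whitelisted
qtrap_try anyone@partner.example 'porn'                  # pass: domain glob
```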

Retrieved from "http://www.gentoo-wiki.info/QmailRocksOnGentoo"

Last modified: Wed, 21 May 2008 11:35:00 +0000 Hits: 41,771