REDHAT + QMAIL + OPENSSL + APACHE + PHP + MYSQL + VPOPMAIL (MYSQL accounts) + COURIER-IMAP + SQUIRRELMAIL (MYSQL Prefs/AddrBook)


Notes :

I would recommend you first learn qmail via www.lifewithqmail.org, then learn about the vpopmail toaster using Bill Shupp's Linux Qmail Toaster notes. Once you understand all that and want to integrate MySQL backends plus SquirrelMail webmail, come back and read this doc.

Jeremy Oddo has also written another great toaster page.


REDHAT 7.2 NOTES

IPCHAINS :

Redhat installs ipchains firewall software by default. For this server you will need to make sure you have opened access on at least the following ports :

You can examine/modify the ipchains config by working on the file :

	/etc/sysconfig/ipchains

If you make any changes to this file, you will need to restart the ipchains software :

	/etc/rc.d/init.d/ipchains restart

SETUP TIME SYNCHRONISATION :

Mail servers need to have their clocks set correctly. If you don't keep their time synced, you can experience strange problems.

Redhat comes with the ntpd package, which is easy to set up :

vi /etc/ntp.conf

look for the "# --- OUR TIMESERVERS -----" section
and then put in the following lines :

restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap noquery
server xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the ip address of your (or your upstream's) ntp server

After making the changes, you will need to restart the ntpd service :

	/etc/rc.d/init.d/ntpd restart

Use the ntsysv program and make sure the ntpd service is enabled at bootup time

SETUP DNS MX RECORDS :

For any email domains that you are going to host on this server, you will need to make sure that you set the appropriate MX records in the DNS. How to do this is beyond the scope of this article.


MYSQL

www.mysql.com

We will be using mysql to store all the domain and account information for vpopmail. We are also going to use it to store the squirrelmail user preferences and address books.

Set up an account for the mysql server to run under

groupadd mysql
useradd -g mysql mysql

Download the latest binaries to /usr/local/src. In this example I have used the file:

mysql-max-3.23.49a-pc-linux-gnu-i686.tar.gz

Unzip / configure the binaries so they get installed to /usr/local/mysql

cd /usr/local
tar xzf /usr/local/src/mysql-max-3.23.49a-pc-linux-gnu-i686.tar.gz
ln -s mysql-max-3.23.49a-pc-linux-gnu-i686 mysql
cd mysql
scripts/mysql_install_db
cd ..
# the following line is needed if you are going to use mysql's innodb tables
# (you can read more about innodb on the mysql web site)
mkdir mysql/var
# setup permissions on the mysql dirs
chown -R root.mysql mysql-max-3.23.49a-pc-linux-gnu-i686
chmod -R 640 mysql
chmod -R u+X,g+X mysql
chmod -R ug+x mysql/bin
chmod -R g+w mysql/data
chmod -R g+w mysql/var

Tell the mysql server how many resources etc it can have

# choose an appropriate config file from the samples provided
cp /usr/local/mysql/support-files/my-medium.cnf /usr/local/mysql/data/my.cnf
# adjust the permissions on the file so that mysql daemon can read the contents
chgrp mysql /usr/local/mysql/data/my.cnf  

Fire up the server

/usr/local/mysql/bin/safe_mysqld --user=mysql &

If you get errors, look in the file /usr/local/mysql/data/hostname.err for more info

Otherwise, if all looks good, setup a password for the mysql root user

/usr/local/mysql/bin/mysqladmin -u root password 'mysql-root-pwd'

Configure MySQL to start at boot time :

cp /usr/local/mysql/support-files/mysql.server /etc/rc.d/init.d/mysql
chmod 744 /etc/rc.d/init.d/mysql

Run ntsysv or chkconfig to set up the runlevels etc.


The installation instructions below for openssl, mm, mod_ssl & apache are based on the text in the mod_ssl "INSTALL" file.


OPENSSL

www.openssl.org

This package is optional. It is required if you want your apache software to have SSL support. We have used it because we want our webmail interface to have SSL functionality for the login screens. If you don't want SSL support, you can skip this section.

Compile source (installs to /usr/local/ssl)

cd /usr/local/src
tar xzf openssl-0.9.6d.tar.gz
cd openssl-0.9.6d
./config no-threads -fPIC
make
make install

Make a signed testing certificate

cd /usr/local/ssl/private
# generate a 1024-bit RSA private key
openssl genrsa -out webmail.yourdomain.com.key 1024
cd ../certs

# make a certificate request
# fill in the X.509 prompts when they appear on the screen
# make sure you put the web sites name into the common name box eg webmail.yourdomain.com
openssl req -new -key ../private/webmail.yourdomain.com.key -out webmail.yourdomain.com.csr
Country Name (2 letter code) [AU]:AU 
State or Province Name (full name) [Some-State]:Your State
Locality Name (eg, city) []:Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company Pty Ltd
Organizational Unit Name (eg, section) []:Internet Services
Common Name (eg, your name or your server's hostname) []:webmail.yourdomain.com
Email Address []:postmaster@yourdomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:yoursecretpasswd
An optional company name []:
# send the .csr file to a signing authority for processing...(eg thawte)
# when you receive it back, place it at /usr/local/ssl/certs/webmail.yourdomain.com.crt
# or alternatively, here we will sign it ourselves so we can do some testing!
openssl x509 -req -days 30 -in webmail.yourdomain.com.csr -out webmail.yourdomain.com.crt -signkey ../private/webmail.yourdomain.com.key
chown -R root /usr/local/ssl/private/*
chmod -R 600 /usr/local/ssl/private/*

If you get the Thawte keys later, all you have to do is update your apache httpd.conf file with the following lines :

    SSLCertificateFile /usr/local/ssl/certs/webmail.yourdomain.com.crt 
    SSLCertificateKeyFile /usr/local/ssl/private/webmail.yourdomain.com.key

MM SHARED MEMORY MODULE

This module is only required if you are building mod_ssl for apache. It allows mod_ssl to use a high-speed RAM-based session cache rather than a slower disk-based cache.

http://www.ossp.org/pkg/lib/mm/

Compile Source

cd /usr/local/src
tar xzf mm-1.1.3.tar.gz
cd mm-1.1.3
./configure --disable-shared
make

APACHE WEB SERVER (WITH MOD_SSL & PHP4 AS DSO MODULES)

The mod_ssl-specific steps below (marked with a green background in the original) are only required if you are building in support for mod_ssl

Uninstall apache if it is installed already

rpm -e --nodeps apache

Download the apache source from http://httpd.apache.org to /usr/local/src and extract it

cd /usr/local/src
tar xzf apache_1.3.26.tar.gz

Create an account  and group for the web server to run under

groupadd www
useradd -g www www 

Now merge in the mod_ssl source

Extract the mod_ssl source (www.modssl.org),

cd /usr/local/src
tar xzf mod_ssl-2.8.10-1.3.26.tar.gz
cd mod_ssl-2.8.10-1.3.26

and use the configure script to patch the apache source tree

./configure \
  --with-apache=../apache_1.3.26 \
  --with-crt=/usr/local/ssl/certs/webmail.yourdomain.com.crt \
  --with-key=/usr/local/ssl/private/webmail.yourdomain.com.key

Now compile the apache source

cd /usr/local/src
cd apache_1.3.26
SSL_BASE=../openssl-0.9.6d \
EAPI_MM=../mm-1.1.3 \
./configure \
  --prefix=/usr/local/apache \
  --enable-module=so \
  --enable-module=ssl \
  --enable-shared=ssl \
  --disable-rule=SSL_COMPAT \
  --server-uid=www \
  --server-gid=www 
make
make install

Now setup php support

Extract the php source (www.php.net)

cd /usr/local/src
tar xzf php-4.1.2.tar.gz
cd php-4.1.2

and run the configure script, pointing it at the mysql install and at apache's apxs so that PHP is built as a DSO module

# --with-zlib fixes the "libphp4.so: undefined symbol: uncompress" error at apache startup
./configure \
  --with-mysql=/usr/local/mysql \
  --with-apxs=/usr/local/apache/bin/apxs \
  --with-zlib
make
make install

Copy  your php.ini file

cp php.ini-dist /usr/local/lib/php.ini

Set up your /usr/local/lib/php.ini file

max_execution_time=60
memory_limit=10M
post_max_size=8M
upload_max_filesize=8M
file_uploads=On

Tighten security on php dir

#since we have installed php as a module, it will run in our chosen "www" context
#we will now tighten up the permissions on the php directory to allow only root and www users access
chown -R root.www /usr/local/lib/php
chmod -R g-w,o-rwx /usr/local/lib/php 

Finish the Apache configuration

Edit the /usr/local/apache/conf/httpd.conf file

User www
Group www
ServerAdmin postmaster@yourdomain.com
# The following line should be present already, inserted by the PHP make.
# Move it outside the <IfDefine SSL> section if the make put it there
LoadModule php4_module libexec/libphp4.so
# The following line should be present already, inserted by the PHP make.
# It is only required if the httpd.conf contains a 'ClearModuleList' line.
# Move it outside the <IfDefine SSL> section if the make put it there
AddModule mod_php4.c
# uncomment (or add) the following line
AddType application/x-httpd-php .php
# Add index.php to this line so apache will use this file as a default in addition to index.html
DirectoryIndex index.php index.html
# Go towards the end of the httpd.conf, look for the "SSL Virtual Host Context" and set :
ServerName webmail.yourdomain.com
ServerAdmin postmaster@yourdomain.com

tidy up the default apache contents dir

rm -Rf /usr/local/apache/htdocs/*
rm -f /usr/local/apache/index.html.*

tidy up the default apache cgi-bin dir

rm -Rf /usr/local/apache/cgi-bin/*

Setup permissions on the apache dirs

cd /usr/local

# make root.root own the entire apache tree
chown -R root.root apache

# setup permissions on the apachedir.
# Because it is owned by root.root, we need to make sure the world permissions bits
# allow rx so that the www group in particular can get access to the apacheroot
chmod 755 apache

# now set the rest of the apacheroot to only allow root to rw. Everything else blocked
# we will selectively go and open permissions as needed
chmod -R 600 apache/*

# give owner (root) search/access permissions on all directories in the apacheroot
chmod -R u+X apache

cd apache

# bin dir contains binaries, so grant execute permissions to owner (root)
chmod -R u+x bin

# cgi-bin contains binaries. Allow either owner (root), or group (web server (www)) to execute these
chgrp -R www cgi-bin
chmod -R u+x,g+x cgi-bin

# the web server needs read access the icons dir
chgrp -R www icons
chmod -R g+rX icons

# Web server log files can be written by the service processes
# but the log files cannot be read or served as web content.
# Web server log files can be read only by administration processes
chgrp -R www logs
chmod g+wX logs


# public web files need to be readable, but not writable, by the web service processes
# Also the directories where public web content is stored must not be writable by web service processes
# Also public web content files can be written only by processes authorised for web server admin (only root in our case)
chgrp -R www htdocs
chmod -R g+rX htdocs

# will need to grant execute permissions to any scripts such as php
# for example 
# chmod -R g+x htdocs/dircontainingscripts

OPTIONAL : ADD MOD_GZIP SUPPORT

http://www.remotecommunications.com/apache/mod_gzip/

download the mod_gzip.c file to /usr/local/src

cd /usr/local/src
/usr/local/apache/bin/apxs -i -a -c mod_gzip.c
vi /usr/local/apache/conf/httpd.conf
# apxs -a should already have added the following LoadModule line for the DSO; check that it is there
LoadModule gzip_module libexec/mod_gzip.so

<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_keep_workfiles No
mod_gzip_dechunk yes
mod_gzip_temp_dir /tmp
mod_gzip_minimum_file_size 300
mod_gzip_maximum_file_size 0
mod_gzip_maximum_inmem_size 100000
mod_gzip_item_include file \.htm$
mod_gzip_item_include file \.html$
mod_gzip_item_include file \.php$
mod_gzip_item_include file \.txt$
mod_gzip_item_include mime text/.*
mod_gzip_item_include mime "application/x-httpd-php.*"
mod_gzip_item_include mime httpd/unix-directory
mod_gzip_item_exclude file "\.css$"
mod_gzip_item_exclude file "\.js$"
mod_gzip_item_exclude file "\.wml$"
LogFormat "%h %l %u %t \"%r\" %>s %b mod_gzip: %{mod_gzip_compression_ratio}npct." common_with_mod_gzip_info1
# CustomLog /usr/local/apache/logs/mod_gzip common_with_mod_gzip_info1
LogFormat "%h %l %u %t \"%V %r\" %>s %b mod_gzip: %{mod_gzip_result}n In:%{mod_gzip_input_size}n Out:%{mod_gzip_output_size}n:%{mod_gzip_compression_ratio}npct." common_with_mod_gzip_info2
CustomLog /usr/local/apache/logs/mod_gzip common_with_mod_gzip_info2
</IfModule>

CRANK IT UP!

start the apache server

/usr/local/apache/bin/apachectl configtest

# if you are using SSL :
/usr/local/apache/bin/apachectl startssl
# if you aren't using SSL :
/usr/local/apache/bin/apachectl start

add the apachectl line to /etc/rc.d/rc.local


QMAIL

I recommend that you follow the instruction guide at www.lifewithqmail.org

 

However, if you really want to see how we did it, here are the steps :

INSTALL UCSPI-TCP

cd /usr/local/src
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz 
wget http://www.qmail.org/ucspi-rss.diff 
tar xzf ucspi-tcp-0.88.tar.gz
cd ucspi-tcp-0.88
# patch rblsmtpd so that it can be used with all the newer rbl zones
# this patch also lets you specify a custom error message to be returned to the customer
patch -p0 rblsmtpd.c < ../ucspi-rss.diff
# modify rblsmtpd.c to increase the maximum size of the error text that is allowed
# to be returned to the customer from 200 to 500 chars
# this allows you to create some nice and descriptive text to send to people who 
# are being blocked by your rbl filters
vi rblsmtpd.c

go to line 166 and change it from

if (text.len > 200) text.len = 200;

to

if (text.len > 500) text.len = 500;
make
make setup check

INSTALL DAEMONTOOLS

cd /usr/local/src
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz 
mkdir -p /package
chmod 1755 /package
cd /package
tar xzfp /usr/local/src/daemontools-0.76.tar.gz
cd admin/daemontools-0.76 
package/install

INSTALL QMAIL

cd /usr/local/src
wget http://cr.yp.to/software/qmail-1.03.tar.gz
wget http://www.ckdhr.com/ckd/qmail-103.patch 
wget http://www.qmail.org/qmailqueue-patch 
wget http://shupp.org/patches/qmail-pop3d-maildirquota.patch.gz 
wget ftp://ftp.yourdomain.com/PipeInt/Sources/Linux/qmail/qmail-date-localtime.patch.txt 
wget ftp://ftp.yourdomain.com/pipeint/sources/linux/WebMail/qmailctl.txt 
gunzip qmail-pop3d-maildirquota.patch.gz
tar xzf qmail-1.03.tar.gz
mkdir /var/qmail
groupadd nofiles
useradd -g nofiles -d /var/qmail/alias alias
useradd -g nofiles -d /var/qmail qmaild
useradd -g nofiles -d /var/qmail qmaill
useradd -g nofiles -d /var/qmail qmailp
groupadd qmail
useradd -g qmail -d /var/qmail qmailq
useradd -g qmail -d /var/qmail qmailr
useradd -g qmail -d /var/qmail qmails
cd qmail-1.03
# apply oversize dns patch
patch -p1 < ../qmail-103.patch
# apply qmailqueue patch
# this patch gives you the required support for other popular addons like qmail-scanner
patch -p1 < ../qmailqueue-patch
# apply patch for local timestamps.
# This will make the headers of the email be written in localtime rather than GMT
patch -s -p1 < ../qmail-date-localtime.patch.txt
# apply patch to add maildir quota support to qmail-pop3d
patch < ../qmail-pop3d-maildirquota.patch

Edit qmail-smtpd.c and, in the straynewline function on line 50, change the response code from 451 to 553.
Without this you will get nasty loops forming when a remote server sends you a message with invalid formatting. By default qmail says something like "I am not going to accept that message at the moment, you can try again later". However, in my experience the sending server will try sending the message again shortly afterwards, and this goes around and around in a loop for days on end, consuming valuable bandwidth and resources. Changing the error code to 553 makes the error permanent, i.e. "I am not going to accept that message, don't try sending it again".

make setup check
./config
cd ..
cp /usr/local/src/qmailctl.txt /var/qmail/bin/qmailctl
chmod 755 /var/qmail/bin/qmailctl
ln -s /var/qmail/bin/qmailctl /etc/rc.d/init.d/qmail
ln -s ../init.d/qmail /etc/rc.d/rc0.d/K30qmail
ln -s ../init.d/qmail /etc/rc.d/rc1.d/K30qmail
ln -s ../init.d/qmail /etc/rc.d/rc2.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc3.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc4.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc5.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc6.d/K30qmail
ln -s /var/qmail/bin/qmailctl /usr/bin
mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-smtpd/log
mkdir -p /var/qmail/supervise/qmail-pop3d/log
chmod +t /var/qmail/supervise/qmail-send
chmod +t /var/qmail/supervise/qmail-smtpd
chmod +t /var/qmail/supervise/qmail-pop3d
vi /var/qmail/supervise/qmail-send/run
#!/bin/sh
exec env - PATH="/var/qmail/bin:$PATH" qmail-start ./Maildir/
vi /var/qmail/supervise/qmail-send/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n50 /var/log/qmail/send
vi /var/qmail/supervise/qmail-smtpd/run
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

# tcp server parameters
# -c : max num of simultaneous connections
#

exec /usr/local/bin/softlimit -m 2000000 \
/usr/local/bin/tcpserver -v -x /etc/tcp.smtp.cdb -c 30 -R \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/usr/local/bin/rblsmtpd -b -C \
-r 'relays.ordb.org:Your message was rejected because the mail server you use is configured to allow OPEN RELAY - More detailed information regarding this problem is available from http://www.ordb.org/lookup/?%IP% - Please forward this error through to your email server support staff for easy resolution.' \
-r 'inputs.relays.osirusoft.com:Your message was rejected because the mail server you use is either configured to allow OPEN RELAY - More information regarding this problems is available at http://relays.osirusoft.com/cgi-bin/rbcheck.cgi?addr=%IP% - Please forward this error to your email server support staff for resolution.' \
-r 'proxies.relays.monkeys.com:Your message was rejected because the message was sent from an OPEN PROXY (%IP%) - More information regarding this problems is available at http://www.monkeys.com/anti-spam/filtering/proxies.html - Please forward this error to your email server support staff for resolution.' \
/var/qmail/bin/qmail-smtpd 2>&1
# for a linux gateway pc running fake ips etc, you should turn off dns lookups with
# -H -l hostname.yourdomain.com \
vi /var/qmail/supervise/qmail-smtpd/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n50 /var/log/qmail/smtpd
vi /var/qmail/supervise/qmail-pop3d/run
#!/bin/sh
exec /usr/local/bin/softlimit -m 3000000 \
/usr/local/bin/tcpserver -v -x /etc/tcp.pop3.cdb -c 50 -R 0 pop3 \
/var/qmail/bin/qmail-popup hostname.yourdomain.com \
/home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1
#
# for a linux gateway pc running fake ips etc, you should turn off dns lookups with
# -H -l hostname.yourdomain.com \
vi /var/qmail/supervise/qmail-pop3d/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n50 /var/log/qmail/pop3d
chmod 755 /var/qmail/supervise/qmail-send/run
chmod 755 /var/qmail/supervise/qmail-send/log/run
chmod 755 /var/qmail/supervise/qmail-smtpd/run
chmod 755 /var/qmail/supervise/qmail-smtpd/log/run
chmod 755 /var/qmail/supervise/qmail-pop3d/run
chmod 755 /var/qmail/supervise/qmail-pop3d/log/run
mkdir /var/log/qmail
mkdir /var/log/qmail/smtpd
mkdir /var/log/qmail/send
mkdir /var/log/qmail/pop3d
chown -R qmaill /var/log/qmail
ln -s /var/qmail/supervise/qmail-send /service
ln -s /var/qmail/supervise/qmail-smtpd /service
ln -s /var/qmail/supervise/qmail-pop3d /service

Now we want to set up the /etc/tcp.smtp file.
This file controls who is allowed to send and/or relay mail on this server.
An example configuration follows :

#------------------------------------------------------
# DESCRIPTION OF THE RULES TO REMIND ME OF HOW THIS FILE WORKS
#
# If you set 'allow', this means that our mail server will allow
# the specified ip range to make a TCP connection to our server
#
# If you set 'deny', this means that our mail server will not allow
# the specified ip range to make a TCP connection to our server
#
# If you set RELAYCLIENT="", this means that the listed IP range is 
# allowed to relay mail through our server
#
# If you don't set RELAYCLIENT="", this means that the listed IP range
# will not be able to relay mail through our server
#
# If you set RBLSMTPD="", this means that the listed IP ranges will
# not be checked against any of the RBL databases
#
# If you set RBLSMTPD="some text here", this means that an RBL lookup
# won't be performed, but the mail will be rejected with the specified
# text as a 4xx temp error message
#
# If you set RBLSMTPD="-some text here", this means that an RBL lookup
# won't be performed, but the mail will be rejected with the specified
# text as a 5xx perm error message
#
# If you do not set RBLSMTPD="" or ="some text", then an RBL lookup
# will be performed. If the lookup is successful, then RBLSMTPD will
# return your custom error message (as specified in the -r parameter
# in the smtpd supervise script)
#-----------------------------------------------------
# HERE ARE THE RULES :
#----------------------------------------------------------------
# local class-c's allowed to relay WITHOUT RBL checking
123.123.123.:allow,RELAYCLIENT="",RBLSMTPD=""
123.111.111.:allow,RELAYCLIENT="",RBLSMTPD=""
#----------------------------------------------------------------
# these ips are ones that we have setup so that they arent rbl checked
# usually because we have spoken with the owners of the mail server
# in question and for one reason or another they cannot update their
# config, and we still want to be able to receive mail from them.
# 
# reminder text here for this entry so we know the story...
111.111.111.:allow,RBLSMTPD=""
# reminder text here for this entry so we know the story...
222.222.222.222:allow,RBLSMTPD=""
#-----------------------------------------------------------------
# mailXX.offermail.net connecting regularly and sending invalid
# format messages causing exit with status 256 (bare linefeed normally)
# entry added 15/12/2001
# after looking at the mail coming from these servers it was found to be spam
216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
#
#-----------------------------------------------------------------
# heaps of spam from replyto of *@freeamateurhotties.com dec2001
64.228.127.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
154.20.94.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
154.20.96.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
154.20.97.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
154.20.98.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
209.151.132.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
209.151.131.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
216.18.85.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#-----------------------------------------------------------------
# himailer spam 15/7/02
61.230.72-75.:allow,RBLSMTPD="-Connections refused due to spam from HiMailer.com"
#
#-----------------------------------------------------------------
# Allow connections from localhost, and dont do rbl lookup 
127.0.0.1:allow,RBLSMTPD=""
#-----------------------------------------------------------------
# Everyone else can make connections to our server, but not allowed to relay
# RBL lookups are performed
:allow
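An offline model of how tcpserver (with -x /etc/tcp.smtp.cdb) and rblsmtpd (-b -r zone:text) treat a connecting client under rules like the ones above, plus a check of which rule keys grant RELAYCLIENT so you can confirm the catch-all rule does not turn the box into an open relay. This is an added example, not code from ucspi-tcp or from the original page. The rule subset, the 10.0.0.5 deny entry, the zone texts and the RBL answers are constructed, and the 61.230.72-75. entry is assumed to expand the same way tcprules expands 216.242.75.100-116.

```python
# Offline model of tcpserver -x rules plus rblsmtpd -b -r handling (added example).
import re

# Constructed subset of the /etc/tcp.smtp rules shown in the text.
# The 10.0.0.5 'deny' line is an added example of refusing the TCP connection.
TCP_SMTP = """
# local class-c allowed to relay WITHOUT RBL checking
123.123.123.:allow,RELAYCLIENT="",RBLSMTPD=""
# trusted peer: skip RBL lookups but do not relay
111.111.111.:allow,RBLSMTPD=""
# banned ranges: no lookup, permanent 5xx rejection
216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
61.230.72-75.:allow,RBLSMTPD="-Connections refused due to spam from HiMailer.com"
# constructed: refuse the TCP connection outright
10.0.0.5:deny
127.0.0.1:allow,RBLSMTPD=""
# everyone else may connect but not relay; RBL lookups are performed
:allow
"""

# Constructed stand-in for the -r zone list in the qmail-smtpd run script and for
# the DNS answers those zones would give (only 198.51.100.7 is "listed").
RBL_ZONES = [
    ("relays.ordb.org", "Open relay: see http://www.ordb.org/lookup/?%IP%"),
    ("proxies.relays.monkeys.com", "Open proxy (%IP%): contact your mail admin"),
]
RBL_LISTED = {"relays.ordb.org": {"198.51.100.7"}, "proxies.relays.monkeys.com": set()}

ENV_RE = re.compile(r'(\w+)="([^"]*)"')


def expand(addr):
    """Expand a rule address ('1.2.3.', '1.2.3.4-10', '1.2.3-5.', '') into the
    individual cdb keys tcprules would store for it."""
    keys = [""]
    for i, part in enumerate(addr.split(".")):
        m = re.fullmatch(r"(\d+)-(\d+)", part)
        vals = [str(v) for v in range(int(m[1]), int(m[2]) + 1)] if m else [part]
        sep = "." if i else ""
        keys = [k + sep + v for k in keys for v in vals]
    return keys


def parse_rules(text):
    """Return {key: (action, {ENV: value})} for every non-comment rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, body = line.partition(":")
        action = body.split(",", 1)[0]
        env = dict(ENV_RE.findall(body))
        for key in expand(addr):
            rules[key] = (action, env)
    return rules


def lookup(rules, ip):
    """tcpserver checks the exact IP, then shorter and shorter prefixes, then ''."""
    o = ip.split(".")
    for key in [ip] + [".".join(o[:n]) + "." for n in (3, 2, 1)] + [""]:
        if key in rules:
            return rules[key]
    return ("allow", {})  # tcpserver allows when no rule matches


def decide(rules, ip, listed=RBL_LISTED):
    """Return (outcome, smtp_reply, may_relay) for a client at `ip`.

    outcome: 'refused' (TCP connection dropped), 'rejected' (rblsmtpd answers
    MAIL/RCPT with the reply) or 'accepted' (qmail-smtpd runs)."""
    action, env = lookup(rules, ip)
    if action == "deny":
        return ("refused", None, False)
    relay = "RELAYCLIENT" in env
    if "RBLSMTPD" in env:
        text = env["RBLSMTPD"]
        if text == "":
            return ("accepted", None, relay)               # lookup skipped
        if text.startswith("-"):
            return ("rejected", "553 " + text[1:], False)  # permanent error
        return ("rejected", "451 " + text, False)          # temporary error
    for zone, message in RBL_ZONES:                        # -r zones, in order
        if ip in listed.get(zone, ()):
            # -b makes rblsmtpd answer listed clients with 553 instead of 451
            return ("rejected", "553 " + message.replace("%IP%", ip), False)
    return ("accepted", None, relay)


def relay_grants(rules):
    """Keys that set RELAYCLIENT; the catch-all key '' here would mean open relay."""
    return sorted(k for k, (_, env) in rules.items() if "RELAYCLIENT" in env)


RULES = parse_rules(TCP_SMTP)

if __name__ == "__main__":
    for client in ("123.123.123.9", "216.242.75.110", "61.230.74.8", "198.51.100.7", "10.0.0.5"):
        print(client, decide(RULES, client))
    print("relay granted to:", relay_grants(RULES))
```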

Now set up the /etc/tcp.pop3 file :

# Allow any client to connect to us via POP3
# If people are abusing POP3 such as denial-of-service on POP3,
# you can add their ips here to block them out
echo ':allow' > /etc/tcp.pop3
qmailctl cdb
rpm -e --nodeps sendmail
ln -s /var/qmail/bin/sendmail /usr/lib
ln -s /var/qmail/bin/sendmail /usr/sbin
# use postmaster@hostname.yourdomain.com as sender in bounce messages
echo 'postmaster'      > /var/qmail/control/bouncefrom

# send double-bounces to doublebounce@yourdomain.com
echo 'doublebounce' > /var/qmail/control/doublebounceto
echo 'yourdomain.com' > /var/qmail/control/doublebouncehost
# set maximum message size to be 10 MB
echo '10000000' > /var/qmail/control/databytes
# queue mail for up to 4 days
echo '345600' > /var/qmail/control/queuelifetime
# setup the default domain for use where an address does not have a domain specified
echo 'yourdomain.com' > /var/qmail/control/defaultdomain
# following command is optional!
# SEND ALL OUTBOUND MAIL VIA SMARTHOST
echo ':yoursmarthost.yourdomain.com' > /var/qmail/control/smtproutes
# now setup aliases here for any mails sent to someone@thishost.yourdomain.com
echo 'postmaster@yourdomain.com' > ~alias/.qmail-root
echo 'postmaster@yourdomain.com' > ~alias/.qmail-postmaster
echo 'postmaster@yourdomain.com' > ~alias/.qmail-mailer-daemon
chmod 644 ~alias/.qmail-*

Set up logfile rotation

Add the following to root's crontab so the logs are rotated at midnight (svc -a sends ALRM to multilog, which makes it rotate its current log) :

crontab -e
0 0 * * * /usr/local/bin/svc -a /service/qmail-smtpd/log
0 0 * * * /usr/local/bin/svc -a /service/qmail-send/log
0 0 * * * /usr/local/bin/svc -a /service/qmail-pop3d/log

VPOPMAIL

http://www.inter7.com/vpopmail

Make the user accounts

groupadd -g 89 vchkpw
useradd -g vchkpw -u 89 vpopmail

Download the source file to /usr/local/src. In this case I have used the file

vpopmail-5.2.1.tar.gz

Unpack the source

cd /usr/local/src
tar xzf vpopmail-5.2.1.tar.gz
cd vpopmail-5.2.1

Set up the SQL support in the vpopmail sources

# we are going to enter the sql username/password into this file in cleartext
# so we had better not leave it sitting with permissions that allow anyone to
# view it
chown root.root vmysql.h
chmod 600 vmysql.h
# define a username/password that you will use when you want to communicate
# with the mysql server (these are C #define lines in vmysql.h)
vi vmysql.h
#define MYSQL_UPDATE_USER   "vpopmailuser"
#define MYSQL_UPDATE_PASSWD "vpoppasswd"
#define MYSQL_READ_USER     "vpopmailuser"
#define MYSQL_READ_PASSWD   "vpoppasswd"
# log into mysql as the mysql root user
# and then create the databases for vpopmail to use
# and then setup permissions on the database
/usr/local/mysql/bin/mysql --password="mysql-root-pwd"
CREATE DATABASE vpopmail;
GRANT select,insert,update,delete,create,drop ON vpopmail.*
TO vpopmailuser@localhost IDENTIFIED BY 'vpoppasswd';
quit

Now, build the program 

./configure \
  --enable-roaming-users=n \
  --enable-default-domain=yourdomain.com \
  --enable-admin-email=postmaster@yourdomain.com \
  --enable-logging=p \
  --enable-defaultquota=20000000S \
  --enable-ip-alias-domains=n \
  --enable-passwd=n \
  --enable-clear-passwd=y \
  --enable-mysql=y \
  --enable-incdir=/usr/local/mysql/include \
  --enable-libdir=/usr/local/mysql/lib \
  --enable-many-domains=n \
  --enable-auth-logging=y \
  --enable-mysql-logging=y \
  --enable-valias=y

What the options mean :

  --enable-roaming-users=n       we aren't building roaming user support in this example
  --enable-logging=p             log pop3 authentication errors to syslog (maillog)
  --enable-defaultquota=...      20 MB disk quota per mailbox
  --enable-ip-alias-domains=n    we don't want ip alias domain support for this example
  --enable-passwd=n              don't include /etc/passwd support
  --enable-clear-passwd=y        enable storing passwords in cleartext
  --enable-mysql=y               enable MySQL support
  --enable-incdir=...            define the mysql include dir
  --enable-libdir=...            define the mysql lib dir
  --enable-many-domains=n        enable one mysql table per domain
  --enable-auth-logging=y        maintain a lastauth table in MySQL
  --enable-mysql-logging=y       maintain the vlog table in MySQL (pretty verbose because it logs every authentication...)
  --enable-valias=y              enable MySQL valias processing
make
make install-strip

Set up the quota warning message that is sent to users when they are at 90% quota

vi quotawarn.msg
From: SomeCompany Postmaster <postmaster@yourdomain.com>
Reply-To: postmaster@yourdomain.com
To: SomeCompany User:;
Subject: Mail quota warning
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Your mailbox on the server is now more than 90% full.

So that you can continue to receive mail,
you need to remove some messages from your mailbox.

If you require assistance with this,
please contact our support department :

  email : support@somecompany.com
  Tel   : xx xxxx xxxx
cp quotawarn.msg /home/vpopmail/domains/.quotawarn.msg

If you want, you can alter the message that gets sent to the sender in an over-quota situation :

echo "Message rejected. Not enough storage space in user's mailbox to accept message." > /home/vpopmail/domains/.over-quota.msg

AUTORESPONDER

http://inter7.com/qmailadmin/

This package is needed by qmailadmin

Unpack the source

cd /usr/local/src
tar xzf autorespond-2.0.2.tar.gz
cd autorespond-2.0.2

Build the program

make
make install

EZMLM / EZMLM-IDX

ezmlm is mailing list software written by the author of qmail

ezmlm-idx is a patch that adds some extra features to the standard ezmlm program.

EZMLM : http://cr.yp.to/ezmlm.html
EZMLM-IDX PATCH : http://www.ezmlm.org

Unpack the ezmlm source

cd /usr/local/src
tar xzf ezmlm-0.53.tar.gz
tar xzf ezmlm-idx-0.40.tar.gz

Merge the sources together

cp -R ezmlm-idx-0.40/* ezmlm-0.53/
cd ezmlm-0.53
patch < idx.patch

Build the program

make
make man
make setup

QMAILADMIN

www.inter7.com/qmailadmin

Description

The domain postmaster can use this tool to view all the accounts on the domain as well as add/remove accounts, forwards, autoresponders etc.

Domain users can use this tool to modify their own user settings only, i.e. mailbox password, real name, forwards, vacations.

This tool does not let you create new domains.

Unpack the source

cd /usr/local/src
tar xzf qmailadmin-1.0.6.tar.gz
cd qmailadmin-1.0.6

Make a small mod

Go to line 462 of template.c and change it from

pw = vauth_getall(Domain,1,0);

to

pw = vauth_getall(Domain,1,1);

This makes sure the dropdown boxes containing lists of all accounts in that domain are sorted alphabetically.
This mod is only needed if you are running MySQL vpopmail backend. If you have cdb, then the dropdowns are already sorted

Build the program

./configure \
  --enable-htmldir=/usr/local/apache/htdocs \
  --enable-cgibindir=/usr/local/apache/cgi-bin \
  --enable-no-cache=y
make
make install-strip

Test to see if it works

http://webmail.yourdomain.com/cgi-bin/qmailadmin

Set up limits on any domains where required by putting a .qmailadmin-limits file into the domain's virtual dir (/home/vpopmail/domains/yourdomain.com). Make sure the vpopmail user has read permissions for this file.

Syntax of qmailadmin-limits file is as follows :

maxpopaccounts X
maxaliases X
maxforwards X
maxmailinglists X
maxautoresponders X

Set X to be the maximum desired number for that feature
Set X to be 0 if you want to disable that feature + menu item


COURIER IMAP

www.inter7.com/courierimap

Unpack the source

cd /usr/local/src
tar xzf courier-imap-1.5.2.tar.gz
chown root.root courier-imap-1.5.2
cd courier-imap-1.5.2

Make a slight mod

Courier-imap is capable of purging mail that is older than a certain age. By default the code looks at the file's "change date" (ctime). This is a bit misleading for users. For example, if you have a message in the inbox and then choose to delete it, it is moved to the .Trash folder. This resets the change date to "now" but leaves the modify date at the date the message was received, so the message stays in the trash for 7 days from today rather than being purged if it is already older than 7 days. Also, if you change the properties of a message, such as read/unread, it resets the modify date to today, which gives the mail more time before it is purged. It doesn't really matter if you are happy with this default behaviour, but we found it a bit too confusing considering we told our customers that "mail in the trash folder that is older than 7 days will be automatically deleted".

Change maildir/maildirpurgetmp.c from

&& stat_buf.st_ctime < current_time - nage)

to

&& stat_buf.st_mtime < current_time - nage)
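The ctime/mtime difference described above, shown on a throwaway maildir: a message received 10 days ago and moved to .Trash today keeps its old mtime but gets a fresh ctime, so a 7-day purge keyed on st_ctime keeps it while one keyed on st_mtime removes it. This is an added example, not code from courier-imap; purge_candidates is a Python stand-in for the comparison in maildirpurgetmp.c and only walks a folder's cur/ directory, and the maildir filename is constructed.

```python
# Added example: ctime vs mtime when a maildir message is moved to .Trash.
import os
import shutil
import tempfile
import time

DAY = 86400
MSG = "1234567890.M1P1.host:2,S"   # constructed maildir filename (flags after ':2,')


def purge_candidates(folder, nage, use_mtime):
    """Names in folder/cur that a purge with age `nage` seconds would delete.

    use_mtime=False reproduces the original st_ctime test in maildirpurgetmp.c,
    use_mtime=True the st_mtime test after the change above."""
    now = time.time()
    cur = os.path.join(folder, "cur")
    doomed = []
    for name in sorted(os.listdir(cur)):
        st = os.stat(os.path.join(cur, name))
        stamp = st.st_mtime if use_mtime else st.st_ctime
        if stamp < now - nage:
            doomed.append(name)
    return doomed


def simulate(age_days=10, nage_days=7):
    """Receive a message age_days ago, move it to .Trash now, compare both purges."""
    root = tempfile.mkdtemp(prefix="maildir-")
    try:
        inbox_cur = os.path.join(root, "cur")
        trash = os.path.join(root, ".Trash")
        os.makedirs(inbox_cur)
        os.makedirs(os.path.join(trash, "cur"))
        src = os.path.join(inbox_cur, MSG)
        with open(src, "w") as fh:
            fh.write("Subject: old message\n\nhello\n")
        received = time.time() - age_days * DAY
        os.utime(src, (received, received))   # back-date atime/mtime to delivery time
        # The user "deletes" it: the IMAP server renames it into .Trash/cur.
        # rename() updates st_ctime but leaves st_mtime untouched.
        os.rename(src, os.path.join(trash, "cur", MSG))
        nage = nage_days * DAY
        return {
            "ctime_purges": purge_candidates(trash, nage, use_mtime=False),
            "mtime_purges": purge_candidates(trash, nage, use_mtime=True),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(simulate())
```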

Build the program

./configure \
  --prefix=/usr/local/courier-imap \
  --disable-root-check \
  --without-authpam \
  --without-authldap \
  --without-authpwd \
  --without-authmysql \
  --without-authpgsql \
  --without-authshadow \
  --without-authuserdb \
  --without-authcustom \
  --without-authcram \
  --without-authdaemon \
  --with-authvchkpw \
  --with-ssl
make
make install
make install-configure

Verify the SERVER / SERVICES configuration.

The courier-imap package includes 4 servers that can be individually enabled/disabled (imap, imap-ssl, pop3, pop3ssl). In this example, we are only using the IMAP server.

IMAP server :

# IMAP services...
# Configuration settings are stored in courier-imap/etc/imapd
vi /usr/local/courier-imap/etc/imapd
MAXDAEMONS=50                      <-- Max number of IMAP daemons
MAXPERIP=100                       <-- All connections will be coming from single ip (squirrelmail on localhost)
AUTHMODULES="authvchkpw"           <-- We are using authvchkpw for password authentication
IMAP_EMPTYTRASH=Trash:7,Sent:30    <-- enable automatic purging of mail from these folders

The courier package also comes with a sysv style startup/shutdown script that can start/stop any or all of the above daemons. To use it you would do the following :

cp /usr/local/src/courier-imap-1.5.2/courier-imap.sysvinit /etc/rc.d/init.d/courier-imap
chmod 744 /etc/rc.d/init.d/courier-imap
ln -s ../init.d/courier-imap /etc/rc.d/rc0.d/K30courier-imap
ln -s ../init.d/courier-imap /etc/rc.d/rc1.d/K30courier-imap
ln -s ../init.d/courier-imap /etc/rc.d/rc2.d/S80courier-imap
ln -s ../init.d/courier-imap /etc/rc.d/rc3.d/S80courier-imap
ln -s ../init.d/courier-imap /etc/rc.d/rc4.d/S80courier-imap
ln -s ../init.d/courier-imap /etc/rc.d/rc5.d/S80courier-imap
ln -s ../init.d/courier-imap /etc/rc.d/rc6.d/K30courier-imap
If you want the above script to start/stop imap, edit courier-imap/etc/imapd
and change IMAPDSTART=NO to IMAPDSTART=YES

Configure courier-imap to run as vpopmail.vchkpw

Edit /usr/local/courier-imap/libexec/imapd.rc

Change the line : /usr/local/courier-imap/libexec/couriertcpd

to include : -user=vpopmail -group=vchkpw


SQUIRRELMAIL

www.squirrelmail.org

Some of the steps below (the "OPTIONALLY YOU CAN IMPLEMENT SQL BACKEND" and "SETUP SUPPORT FOR MYSQL PREFERENCES" sections, and the DATABASE entries in conf.pl) are specific to using the mysql backend. If you don't want to use the mysql backend, just skip over those sections....

cd /usr/local/apache/htdocs
tar xzf /usr/local/src/squirrelmail-1.2.8.tar.gz
chown -R root.www squirrelmail-1.2.8
chmod -R 750 squirrelmail-1.2.8
ln -s squirrelmail-1.2.8 squirrelmail
mkdir /var/squirrelmail
# create the data dir. This is where users personal preferences are stored if not using mysql backend
mkdir /var/squirrelmail/data
# create the attach dir. This is where temp files for emails in progress are stored
mkdir /var/squirrelmail/attach
cd squirrelmail
cp data/default_pref /var/squirrelmail/data
chown -R root.www /var/squirrelmail
chmod -R 0770 /var/squirrelmail/data
chmod -R 0730 /var/squirrelmail/attach
cp /usr/local/src/yourcompanylogo-*.gif /usr/local/apache/htdocs/images
cd config
perl conf.pl
ORGANIZATION PREFERENCES
Organization name            : YourCompany WebMail
Organization Logo            : ../../images/yourcompanylogo-100.gif
Or. Logo Height/Width        : 100/100
Organization title           : YourCompany WebMail (v$version)
SERVER SETTINGS
Domain                       : yourdomain.com
SMTP server                  : 127.0.0.1
Server                       : courier
FOLDER OPTIONS
List Special Folders First   : false
Default Unseen Type          : 2
GENERAL OPTIONS
Data directory               : /var/squirrelmail/data
Attachment directory         : /var/squirrelmail/attach
Usernames in lower case      : true
Hide squirrelmail attributions : true
Allow server-side sorting    : true
ADDRESS BOOKS
User Javascript Address Book : True
DATABASE
DSN for address book : mysql://squirreluser:squirrelpassword@localhost/squirrelmail
DSN for preferences : mysql://squirreluser:squirrelpassword@localhost/squirrelmail
DON'T PRESS D TO CHOOSE PRE-DEFINED SETTINGS FOR COURIER

Now, if you want to use on-disk preferences, you can adjust the defaults by changing the file /var/squirrelmail/data/default_pref :

OPTIONALLY YOU CAN IMPLEMENT SQL BACKEND:

cd /usr/local/mysql/bin
./mysql --password="mysql-root-pwd"
CREATE DATABASE squirrelmail;
GRANT select,insert,update,delete ON squirrelmail.*
TO squirreluser@localhost IDENTIFIED BY 'squirrelpassword';
USE squirrelmail;
CREATE TABLE address (
  owner varchar(128) DEFAULT '' NOT NULL,
  nickname varchar(16) DEFAULT '' NOT NULL,
  firstname varchar(128) DEFAULT '' NOT NULL,
  lastname varchar(128) DEFAULT '' NOT NULL,
  email varchar(128) DEFAULT '' NOT NULL,
  label varchar(255),
  PRIMARY KEY (owner,nickname),
  KEY firstname (firstname,lastname)
);
CREATE TABLE userprefs (
  user varchar(128) DEFAULT '' NOT NULL,
  prefkey varchar(64) DEFAULT '' NOT NULL,
  prefval blob NOT NULL,      -- BLOB columns cannot take a DEFAULT value in MySQL
  PRIMARY KEY (user,prefkey)
);
quit
SETUP SUPPORT FOR MYSQL PREFERENCES
vi db_prefs.php
var $default = Array('chosen_theme' => '../themes/default_theme.php',
                     'show_html_default' => '1',
                     'language' => 'en_US',
                     'use_javascript_addr_book' => '1',
                     'left_size' => '140',
                     'left_refresh' => '3600',
                     'show_username' => '1',
                     'show_username_pos' => 'top',
                     'order1' => '1',
                     'order2' => '2',
                     'order3' => '3',
                     'order4' => '5',
                     'order5' => '4',
                     'order6' => '6',
);

Setup SSL mode

You can either force all webmail access over SSL using apache's mod_rewrite rules,
or, if you just want the login screen encrypted, make the following changes to
squirrelmail/src/login.php:

at the top of the page just under the "/**" comments

/* ------------------------------------------------------------------- */
/* Send the login page itself to https. $_SERVER['SERVER_PORT'] is used
   rather than the bare $SERVER_PORT global so this also works with
   register_globals = Off. */
if ($_SERVER['SERVER_PORT'] != 443) {
    header("Location: https://webmail.yourdomain.com/squirrelmail/src/login.php");
    exit;
}
/* ------------------------------------------------------------------- */

further down change the form action to be :

echo "<FORM ACTION=\"http://webmail.yourdomain.com/squirrelmail/src/redirect.php\" METHOD=\"POST\" NAME=f>\n";

Note that with an http:// form action the browser posts the username and password in the clear, even though the login page itself was served over SSL: the action URL, not the page URL, decides how the credentials travel, so use https:// here as well if you want the password protected and not just the login screen.

We added some code to squirrelmail/src/login.php to add a notes page to the login screen

echo "<BR><CENTER>".
"<TABLE BORDER=1 WIDTH=75%><TR><TD ALIGN=CENTER><FONT FACE=Arial SIZE=2>".
"<P><B><FONT SIZE=3>IMPORTANT NOTES REGARDING THE WEBMAIL SYSTEM</FONT></B></P>".
"<P><B>AUTOMATIC MAIL DELETION</B></P>".
"<P>The mail server will automatically delete mail from the<BR> ".
"following folders after the specified number of days :<br>".
"Trash Folder - 7 days, Sent Folder - 30 days,<BR> All other folders 90 days.</P>".
"<P><B>POP3 MAIL CLIENTS</B></P>".
"<P>If you check your mail using a POP3 mail client (such as Outlook Express),<BR> ".
"it will download and delete the mail from your WebMail inbox.</P>".
"<P>If you want to be able to download the mail using POP3 and also<BR> ".
"leave it on the server so you can see it with WebMail, you will need<BR> ".
"to adjust the settings in your POP3 client to tell it not to delete<BR> ".
"mail after downloading.</P>".
"<P>For example, to configure this in Outlook Express you would go to<br> ".
"<i>Tools -> Accounts -> Mail -> Properties -> Advanced</i><BR> ".
"and then tick the box<BR><i>'Leave a copy of message on server'</i></P>".
"</FONT>".
"</TD></TR></TABLE></CENTER>";

Also edit squirrelmail/src/login.php and change the wording of "Name:" to "Email address:"

Setup a default document in the web server's root to redirect our customers through to the squirrelmail login page. That way, when people want to access the webmail tool they can point their browser to "http://webmail.yourdomain.com" and they will automatically be redirected to the squirrelmail directory.

vi /usr/local/apache/htdocs/index.html
<HTML>
<HEAD>
<TITLE>Redirect to WebMail login screen...</TITLE>
<META HTTP-EQUIV="refresh" CONTENT="1; url=http://webmail.yourdomain.com/squirrelmail/">
</HEAD>
<BODY>
Redirecting to the WebMail login screen...<br>
<a href="squirrelmail/">Click here if you are not automatically redirected</a>
</BODY>
</HTML>

TIPS :

To add a domain :

/home/vpopmail/bin/vadddomain yourdomain.com yourpassword
# this creates the domain and makes a mailbox postmaster@yourdomain.com

To add a mailbox:

/home/vpopmail/bin/vadduser someone@yourdomain.com apassword

To remove a mailbox

/home/vpopmail/bin/vdeluser someone@yourdomain.com
# vdeluser removes a single mailbox; vdeldomain (below) removes a whole domain

To remove a domain :

/home/vpopmail/bin/vdeldomain yourdomain.com

To change a user's password

/home/vpopmail/bin/vpasswd someone@yourdomain.com newpassword

To lookup info about a user

/home/vpopmail/bin/vuserinfo someone@yourdomain.com

This gives you info such as name, crypted password, cleartext password, dir, quota, usage%, last auth.
It has a number of flags to let you see the individual fields, or you can see them all if you don't use any flags.

It also creates the maildirsize file in the user's dir


Written by Michael Bowe. Praise or criticism gladly accepted!

Last updated : 01/10/2002 12:33