Line 1: |
Line 1: |
| | [[Main_Page#Configuration|Back]] |
| == [[ Initial Configuration ]] == | | == [[ Initial Configuration ]] == |
|
| |
|
Line 24: |
Line 25: |
|
| |
|
|
| |
|
| | === [[Control Files List]] === |
| === [[Control Files by Name]] === | | === [[Control Files by Name]] === |
| Table of Control Files organized alphabetically with default values, included with Qmail-Toaster, and used by information. | | Table of Control Files organized alphabetically with default values, included with Qmail-Toaster, and used by information. |
Line 41: |
Line 43: |
|
| |
|
| === Post Receipt === | | === Post Receipt === |
| ==== [[domainkeys]] ==== | | ==== [[Simscan]] ==== |
|
| |
|
| ==== [[simscan]] ==== | | ==== [[Clamav]] ==== |
|
| |
|
| ==== [[clamav]] ==== | | ==== [[Spamassassin]] ==== |
| | |
| ==== [[spamassassin]] ====
| |
|
| |
|
| ==== [[Amavis]] ==== | | ==== [[Amavis]] ==== |
|
| |
|
| For testing until production stability proven.
| | ==== [[Spam Throttle]] ==== |
|
| |
|
| Get Amavis Qmail queue
| | ==== [[SURBL]] ==== |
| # grep "release 7" /etc/centos-release
| |
| # [ "$?" = "0" ] && cos=7 || cos=8
| |
| # echo $cos
| |
| # wget -O /var/qmail/bin/qmail-queue.smtp https://github.com/qmtoaster/amavis/blob/main/qmail-queue.smtp.cos${cos}?raw=true
| |
| # chown qmailq:qmail /var/qmail/bin/qmail-queue.smtp
| |
| # chmod 4711 /var/qmail/bin/qmail-queue.smtp
| |
|
| |
|
| Build Your Own qmail-queue.smtp
| | ==== [[Dspam|Dspam]] ==== |
|
| |
|
| Install Amavis & edit config, run clamd under Amavis, start both services
| | ===== [[Dspam w/PostgreSQL]] ===== |
| # yum --enablerepo=epel,PowerTools -y install amavisd-new lz4 perl-Digest-SHA1 perl-IO-stringy
| |
| # yum --enablerepo=fedora cabextract
| |
| # wget https://www.rarlab.com/rar/rarlinux-x64-6.0.b1.tar.gz
| |
| # tar zxvf rarlinux-x64-6.0.b1.tar.gz
| |
| # cd rar
| |
| # cp rar unrar /usr/local/bin
| |
| # sed -i 's/%i.conf/amavisd.conf/' /usr/lib/systemd/system/clamd@.service
| |
| # systemctl daemon-reload
| |
| # systemctl restart clamd@scan
| |
| # vi /etc/amavisd/amavisd.conf
| |
| $mydomain = 'domain.tld';
| |
| $myhostname = 'mx.domain.tld';
| |
| $notify_method = 'smtp:[127.0.0.1]:10025';
| |
| $forward_method = 'smtp:[127.0.0.1]:10025';
| |
| # systemctl enable --now amavisd
| |
|
| |
|
| Create tcp rules for qmail smtp & qmail amavis
| | ==== [[Domainkeys]] <span style="color:red">***Obsolete***</span> ==== |
| # mv /etc/tcprules.d/tcp.smtp /etc/tcprules.d/tcp.smtp.bak
| |
|
| |
|
| tee /etc/tcprules.d/tcp.amavis.smtp > /dev/null <<EOT
| | == Networking == |
| 127.:allow,RELAYCLIENT="",RBLSMTPD="",NOP0FCHECK="1"
| | === [[DNS Server]] === |
| :allow,CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue.smtp",NOP0FCHECK="1"
| |
| EOT
| |
|
| |
|
| tee /etc/tcprules.d/tcp.smtp > /dev/null <<EOT
| | ===[[SRS]]=== |
| 127.:allow,RELAYCLIENT="",RBLSMTPD="",NOP0FCHECK="1"
| |
| :allow,CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/qmail-queue",NOP0FCHECK="1"
| |
| EOT
| |
|
| |
|
| Edit/Create run files for qmail smtp & qmail amavis
| | === [[tcp.smtp]] === |
| # cp -Rp /var/qmail/supervise/smtp /var/qmail/supervise/smtp2
| |
|
| |
|
| tee /var/qmail/supervise/smtp/run > /dev/null <<EOT
| | === [[tcpserver]] === |
| #!/bin/sh
| |
| QMAILDUID=`id -u vpopmail`
| |
| NOFILESGID=`id -g vpopmail`
| |
| MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
| |
| SMTPD="/var/qmail/bin/qmail-smtpd"
| |
| TCP_CDB="/etc/tcprules.d/tcp.amavis.smtp.cdb"
| |
| HOSTNAME=`hostname`
| |
| VCHKPW="/home/vpopmail/bin/vchkpw"
| |
| export SMTPAUTH="-"
| |
|
| |
|
| exec /usr/bin/softlimit -m 64000000 \
| | === [[DKIM]] === |
| /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
| |
| -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
| |
| $SMTPD $VCHKPW /bin/true 2>&1
| |
|
| |
|
| EOT
| | == Security == |
| | === [[Certificate]] === |
|
| |
|
| tee /var/qmail/supervise/smtp2/run > /dev/null <<EOT
| | === [[eMPF]] === |
| #!/bin/sh
| |
| QMAILDUID=`id -u vpopmail`
| |
| NOFILESGID=`id -g vpopmail`
| |
| MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
| |
| SMTPD="/var/qmail/bin/qmail-smtpd"
| |
| TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
| |
| HOSTNAME=`hostname`
| |
| VCHKPW="/home/vpopmail/bin/vchkpw"
| |
| export SMTPAUTH="-"
| |
| export FORCETLS=0
| |
|
| |
|
| exec /usr/bin/softlimit -m 64000000 \
| | === [[Fail2ban]] === |
| /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
| |
| -u "$QMAILDUID" -g "$NOFILESGID" 0 10025 \
| |
| $SMTPD $VCHKPW /bin/true 2>&1
| |
|
| |
|
| EOT
| | === [[SMTPS]] === |
|
| |
|
| tee /var/qmail/supervise/smtp2/log/run > /dev/null <<EOT
| | === [[Submission]] === |
| #!/bin/sh
| |
| LOGSIZE=`cat /var/qmail/control/logsize`
| |
| LOGCOUNT=`cat /var/qmail/control/logcount`
| |
| exec /usr/bin/setuidgid qmaill \
| |
| /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \
| |
| /var/log/qmail/smtp2 2>&1
| |
|
| |
|
| EOT
| | === [[Securing SquirrelMail|SquirrelMail]] === |
| | |
| Add Amavis Dspam support
| |
| | |
| Install Dspam (skip 'install per domain')
| |
| # wget https://raw.githubusercontent.com/qmtoaster/dspam/master/dspamdb.sh
| |
| # chmod 755 dspamdb.sh
| |
| # ./dpsamdb.sh
| |
| | |
| Add Under $dspam = 'dspam'
| |
| # vi /etc/amavisd/amavisd.conf
| |
| | |
| @spam_scanners = (
| |
| ['DSPAM', 'Amavis::SpamControl::ExtProg', 'dspam',
| |
| [ qw(--user amavis --deliver=stdout) ],
| |
| ],
| |
| );
| |
| | |
| Add under 'Trust vpopmail'
| |
| # vi /etc/dspam.conf
| |
| Trust amavis
| |
| | |
| Start & stat qmail
| |
| # qmailctl start
| |
| # qmailctl stat
| |
| | |
| send: up (pid 253068) 97100 seconds
| |
| smtp: up (pid 253065) 97100 seconds
| |
| smtp2: up (pid 253071) 97100 seconds
| |
| smtps: up (pid 253067) 97100 seconds
| |
| submission: up (pid 253073) 97100 seconds
| |
| send/log: up (pid 253064) 97100 seconds
| |
| smtp2/log: up (pid 253070) 97100 seconds
| |
| smtp/log: up (pid 253066) 97100 seconds
| |
| smtps/log: up (pid 253072) 97100 seconds
| |
| submission/log: up (pid 253069) 97100 seconds
| |
| | |
| Test with Swaks
| |
| # swaks --to myuser@domain.tld,myuser2@domain.tld --from myuser@remotedomain.tld --server mx.domain.tld -tls
| |
| === Trying 192.168.16.75:25...
| |
| === Connected to 192.168.16.75.
| |
| <- 220 localhost - Welcome to Qmail Toaster Ver. 1.03-3.3.1.qt.md.el8 SMTP Server ESMTP
| |
| -> EHLO mx.domain.tld
| |
| <- 250-localhost - Welcome to Qmail Toaster Ver. 1.03-3.3.1.qt.md.el8 SMTP Server
| |
| <- 250-STARTTLS
| |
| <- 250-PIPELINING
| |
| <- 250-8BITMIME
| |
| <- 250 SIZE 20971520
| |
| -> STARTTLS
| |
| <- 220 ready for tls
| |
| === TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
| |
| === TLS no local certificate set
| |
| === TLS peer DN="/O=Qmail Toaster Server/OU=Test Certificate/CN=localhost" | |
| ~> EHLO mx.domain.tld
| |
| <~ 250-localhost - Welcome to Qmail Toaster Ver. 1.03-3.3.1.qt.md.el8 SMTP Server
| |
| <~ 250-PIPELINING
| |
| <~ 250-8BITMIME
| |
| <~ 250 SIZE 20971520
| |
| ~> MAIL FROM:<myuser@remotedomain.tld>
| |
| <~ 250 ok
| |
| ~> RCPT TO:<myuser@domain.tld>
| |
| <~ 250 ok
| |
| ~> RCPT TO:<myuser2@domain.tld>
| |
| <~ 250 ok
| |
| ~> DATA
| |
| <~ 354 go ahead
| |
| ~> Date: Sun, 29 Nov 2020 14:58:40 -0700
| |
| ~> To: myuser@domain.tld,myuser2@domain.tld
| |
| ~> From: myuser@remotedomain.tld
| |
| ~> Subject: test Sun, 29 Nov 2020 14:58:40 -0700
| |
| ~> Message-Id: <20201129145840.009255@mx.domain.tld>
| |
| ~> X-Mailer: swaks v20170101.0 jetmore.org/john/code/swaks/
| |
| ~>
| |
| ~> This is a test mailing
| |
| ~>
| |
| ~> .
| |
| <~ 250 ok 1606687121 qp 308705
| |
| ~> QUIT
| |
| <~ 221 localhost - Welcome to Qmail Toaster Ver. 1.03-3.3.1.qt.md.el8 SMTP Server
| |
| === Connection closed with remote host.
| |
| | |
| All Amavis output is in the maillog (/var/log/maillog).
| |
| | |
| Email headers will contain
| |
| X-Virus-Scanned: amavisd-new at domain.tld
| |
| | |
| Email headers will show Amavis routing
| |
| Return-Path:
| |
| Delivered-To: myemail@domain.tld
| |
| Received: (qmail 266650 invoked by uid 89); 29 Nov 2020 00:43:58 -0000
| |
| Received: from unknown (HELO localhost) (127.0.0.1)
| |
| by localhost.localdomain with SMTP; 29 Nov 2020 00:43:58 -0000
| |
| X-DSPAM-Processed: Sat Nov 28 17:43:58 2020
| |
| X-DSPAM-Confidence: 0.9899
| |
| X-DSPAM-Probability: 0.0000
| |
| X-Virus-Scanned: amavisd-new at domain.tld
| |
| X-DSPAM-Result: Whitelisted
| |
| X-DSPAM-Signature: 1,5fc2eece2666485921812939
| |
| Received: from unknown ([127.0.0.1])
| |
| by localhost (mx.domain.tld [127.0.0.1]) (amavisd-new, port 10024)
| |
| with SMTP id kma806hO5pyA; Sat, 28 Nov 2020 17:43:57 -0700 (MST)
| |
| Received: from unknown (HELO mx.remotedomain.tld) (xxx.xxx.xxx.xxx)
| |
| by localhost.localdomain with ESMTPS (ECDHE-RSA-AES256-GCM-SHA384 encrypted); 29 Nov 2020 00:43:57 -0000
| |
| Received-SPF: none (localhost.localdomain: domain at remotedomain.tld does not designate permitted sender hosts)
| |
| | |
| | |
| | |
| Other spam scanners operable with Amavis
| |
| | |
| @spam_scanners = (
| |
| ['CRM114', 'Amavis::SpamControl::ExtProg', 'crm',
| |
| [ qw(-u /var/amavis/home/.crm114 mailreaver.crm
| |
| --dontstore --report_only --stats_only
| |
| --good_threshold=8 --spam_threshold=-8) ],
| |
| mail_body_size_limit => 64000, score_factor => -0.20,
| |
| ],
| |
| );
| |
| | |
| Other AV scanners operable with Amavis
| |
| ESET NODE32
| |
| Avast
| |
| Trend Micro
| |
| Kaspersky
| |
| Sophos
| |
| F-Secure
| |
| ...
| |
| | |
| Questions, comments, suggestions, corrections...contact Eric on the QMT list
| |
| | |
| ==== [[SURBL]] ====
| |
| | |
| | |
| == Networking ==
| |
| === Domain Name Server ===
| |
| [http://www.oreilly.com/catalog/linuxckbk/ <i>The Linux Cookbook</i> (O'Reilly) by Carla Schroder] has very good recipes for setting up a DNS server. Caching, public and private servers for both bind and djbdns are covered. You can also read it online [http://safari.oreilly.com/0596006403/linuxckbk-PREFACE-2#X2ludGVybmFsX1RvYz94bWxpZD0wNTk2MDA2NDAzL2xpbnV4Y2tiay1DSFAtMjQ= here].
| |
| | |
| ==== bind ====
| |
| A very nice tutorial for bind can be found [http://www.troubleshooters.com/linux/dns.htm here].
| |
| | |
| To install a bind caching name server, you can follow these steps.
| |
| Note: This was done on CentOS 5.4 x86_64, so YMMV.
| |
| Do this all as root.
| |
| | |
| # Install caching name-server
| |
| #* # yum -y install bind caching-nameserver
| |
| # Set named up to run after reboot. And start named
| |
| #* # chkconfig named on
| |
| #* # service named start
| |
| # Edit /etc/resolv.conf and add the following above other entries
| |
| #* nameserver 127.0.0.1
| |
| # Test
| |
| #* # dig qmailtoaster.com | grep "^;; SERVER"
| |
| #* If you get ";; SERVER: 127.0.0.1#53(127.0.0.1)" then you're good to go.
| |
| | |
| ==== djbdns ====
| |
| A very nice tutorial for djbdns can be found [http://www.troubleshooters.com/linux/djbdns/index.htm here].
| |
| | |
| === SRS - [[Configuring SRS on Toaster 1.03-1.3.13+]] ===
| |
|
| |
|
| === [[tcp.smtp]] === | | === [[ Secure /admin-toaster/ ]] === |
|
| |
|
| === [[tcpserver options/flags]] ===
| | == [[Dovecot]] == |
|
| |
|
| == Security ==
| | == [[Vpopmail]] == |
| === [[Certificate]] ===
| |
|
| |
|
| === [[eMPF]] ===
| | == [[PHP]] == |
|
| |
|
| === [[Fail2Ban]] ===
| | == [[Qmail queue]] == |
|
| |
|
| === [[SSL]] ===
| | == [[Qmail Dovecot Authentication]] == |
|
| |
|
| === [[SSL on submission port]] ===
| | == [[Qmail Active Directory Authentication]] == |
|
| |
|
| === [[Securing SquirrelMail|SquirrelMail]] ===
| | == [[Dovecot Active Directory Authentication]] == |
|
| |
|
| === [[ Secure Qmail web administration ]] ===
| | == [[IMAP/SMTP Authentication tests]] == |
|
| |
|
| == [[Redirection]] == | | == [[Redirection]] == |
| Follow this link for information about how to redirect email to different addresses. | | Follow this link for information about how to redirect email to different addresses. |
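Review bot: The smtp2 run file in the Amavis section binds the re-injection listener to every interface (`0 10025`) while its rule file /etc/tcprules.d/tcp.smtp ends with a catch-all `:allow` that selects the unscanned queue (`QMAILQUEUE="/var/qmail/bin/qmail-queue"`) and the run file also sets `export FORCETLS=0`, so any host that can reach TCP/10025 can hand mail for local domains straight past Amavis, ClamAV and DSPAM (not an open relay, since `RELAYCLIENT` is only granted to `127.`, but a complete bypass of the content filter unless a firewall blocks the port). The listener should be restricted to loopback, `-u "$QMAILDUID" -g "$NOFILESGID" 127.0.0.1 10025 \`, and the default rule in tcp.smtp is safer as `:deny` so only the `127.:allow` line admits the Amavis hand-off. A related step worth a caveat in the text is the `wget ... ?raw=true` fetch of qmail-queue.smtp followed by `chmod 4711`: a setuid binary installed from a remote URL with no checksum or signature check deserves at least a "verify the download before making it setuid" sentence. This is a rendered side-by-side wiki diff, so I cannot tell from the columns alone whether these lines are on the current or the superseded side, and the section may continue past the last visible line.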