Qmailrocks (http://www.qmailrocks.org), started in June 2003, is an attempt to contribute an open source resource for people who desire help with installation and configuration of a mail server running qmail and several other associated pieces of software.
I created this FAQ due to Eric Siegel, QMR's founder, essentially abandoning the qmailrocks project. He provides, and his guides refer to, out-of-date software, in some cases software which has critical security vulnerabilities, and provides instructions which are either no longer relevant due to software updates or are just plain wrong. The mailing list archive is broken, the site mirroring is down, so even if Eric updated the site, the changes wouldn't propagate and the support has been left in the care of those willing to pick it up.
Please note this is not intended to be an attack on Eric in any way, shape or form. I completely understand there are other things which take priority over a volunteer project. However, I feel he does the community a disservice by not allowing others to update his work, thereby keeping the community growing and alive.
Please send an email with your request to qmrfaq@antagonism.org. I will attempt to process your requests in a timely manner. Please note, this is not the place to send questions which do not deal with an addition and/or modification of this FAQ. There are support facilities below which handle those questions.
This page (http://www.antagonism.org/admin/djb-man.shtml) details downloading and installing the daemontools man pages.
This page (http://www.antagonism.org/admin/djb-man.shtml) details downloading and installing the ucspi-tcp man pages.
tcpserver (http://cr.yp.to/ucspi-tcp/tcpserver.html) by default performs reverse lookups (-h). To disable reverse lookups, provide the -H option to your tcpserver command line.
If you see this error message, the problem is that another program is bound to the address/port combination to which you wish to bind your program. Stop the relevant service with the svc command and verify it is down with the svstat command. The below example uses qmail-smtpd.
# svc -d /service/qmail-smtpd
# svstat /service/qmail-smtpd
The service should show as down. Next run the following command to verify another program has bound to the port using the netstat and grep commands. The below example continues with the qmail-smtpd service. Please make sure to substitute the appropriate port number. If the command returns something, then another program is bound to that address/port combination.
# netstat -an | grep 1.2.3.4:25
After determining something is indeed bound to the address, determine what the program is with the lsof command.
# lsof -n -i:25
The output of lsof will tell you what program is running on that port. You need to stop that program and remove it and its related start scripts. Once this is completed, you can restart the service by using the svc command and verify the error is resolved by tailing the log file.
# svc -u /service/qmail-smtpd
# tail -f /service/qmail-smtpd/log/main/current
qmail (http://cr.yp.to/qmail.html) is a mail transfer agent (MTA) (http://en.wikipedia.org/wiki/Mail_transfer_agent), written by Dr. Daniel J. Bernstein (djb) (http://cr.yp.to). djb wrote qmail as a more secure, speedy alternative to Sendmail (http://www.sendmail.org).
DJB included the man pages for qmail, however the man pages are not in the MANPATH variable. To change this, add the following to /etc/man.config.
MANPATH /var/qmail/man
You should now be able to access the qmail man pages with a simple man command. I highly encourage all users of qmail to follow the above instructions and make heavy use of the man pages.
The following page (http://qmail.jms1.net/smtp-service.shtml) covers setting up qmail-smtpd service(s) along with an explanation of the run script (http://qmail.jms1.net/scripts/service-qmail-smtpd-run) options for John's qmail-smtpd run script.
This page (http://qmail.jms1.net/relaying.shtml) covers how relaying works with qmail.
You are doing nothing wrong. The tests are broken. The tests assume if the MTA accepts a message, it is an open relay. However, an MTA is only an open relay if the message is delivered (it relays the message). The following page (http://homepages.tesco.net/~J.deBoynePollard/FGA/smtp-erroneous-open-relay-tests.html) discusses the issue in greater detail. For a true test regarding whether you are an open relay, see this page (http://www.njabl.org/method.html) and follow the instructions under the requested testing section. What makes NJABL (http://www.njabl.org) different is the below:
"Our relay test messages utilize an encrypted message which makes them nearly impossible to forge. Our reception of the intact open relay test message and decryption of the message body indicates the system it was sent through is an open relay and results in that IP being added to the list. Servers that accept the message but do not relay it, are not falsely detected as open relays. Our system must receive and successfully decrypt the test message in order to detect an open relay." [1] (http://www.njabl.org/method.shtml)
The following page (http://qmail.jms1.net/test-auth.shtml) covers the methodology to test SMTP AUTH.
The following page (http://qmail.jms1.net/logfiles.shtml) covers how to find your log files and what the various parts of the qmail-send and qmail-smtpd logfiles mean. Also it provides mtrack (http://qmail.jms1.net/scripts/#mtrack) for tracking messages through the qmail-send log and strack (http://qmail.jms1.net/scripts/#strack) for tracking messages through the qmail-smtpd log.
The following page (http://qmail.jms1.net/scripts/qfixq.shtml) covers fixing a corrupted queue using qfixq (http://qmail.jms1.net/scripts/qfixq). NOTE, make sure to read and follow the instructions exactly.
Save the following files:
/var/qmail/alias
/var/qmail/control
/var/qmail/users
/service/*/run (any qmail-related services, i.e. qmail-smtpd)
/etc/tcp (or wherever you keep your tcpcontrol files)
The following users (UID) and groups (GID) MUST HAVE THE SAME NUMERIC VALUE ON BOTH SERVERS.
users:
alias
qmaild
qmaill
qmailp
qmailq
qmailr
qmails
groups:
nofiles
qmail
This page (http://www.antagonism.org/mail/secondary-mx-qmail.shtml) covers creating a secondary MX with qmail.
The locals file contains domains which reside locally on the machine. This means accounts listed in locals should have shell accounts on the machine. If you use vpopmail, your locals file should be empty but exist. This problem is prevalent in many qmailrocks installs as the instruction set wrongly instructs users to configure qmail using the "config-fast" shell script. Unless the user desires email accounts for his shell accounts, this is not the correct method. The following commands correct this error.
If /var/qmail/control/locals exists, run the first command. If not, you may skip to the second command.
# rm /var/qmail/control/locals
# touch /var/qmail/control/locals
# chmod 644 /var/qmail/control/locals
# chown root.root /var/qmail/control/locals
The rcpthosts file contains the domains for which qmail-smtpd will accept email. The rcpthosts file should contain the domain names only. Do not put email addresses, hostnames or IP addresses into this file.
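The two rules above (an empty locals file and a domains-only rcpthosts file) can be checked with a short script. This is an added example, not part of the original FAQ or of qmail; the function names and the sample entries are made up for illustration, and it assumes a vpopmail-only server. It also reports a missing rcpthosts file, because without that file qmail-smtpd accepts mail for any domain.

```shell
# audit_control DIR: check DIR/locals and DIR/rcpthosts against the rules above.
# Prints one finding per line; returns 0 if clean, 1 otherwise.
# Assumption: vpopmail-only server, so locals must exist, be empty, mode 644.
audit_control() {
    dir=$1
    findings=$(
        if [ ! -e "$dir/locals" ]; then
            echo "locals: missing"
        else
            [ -s "$dir/locals" ] && echo "locals: not empty"
            [ -n "$(find "$dir/locals" -prune -perm 644)" ] ||
                echo "locals: mode is not 644"
        fi
        if [ ! -e "$dir/rcpthosts" ]; then
            # Without rcpthosts, qmail-smtpd accepts mail for any domain.
            echo "rcpthosts: missing"
        else
            # A hostname looks like a domain name, so only email addresses,
            # IP addresses and stray characters can be detected here.
            awk '
                NF == 0 { next }
                /@/ { print "rcpthosts:" NR ": email address: " $0; next }
                /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
                    print "rcpthosts:" NR ": IP address: " $0; next }
                /[^A-Za-z0-9.-]/ {
                    print "rcpthosts:" NR ": not a domain name: " $0 }
            ' "$dir/rcpthosts"
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_control_sample DIR: write a CONSTRUCTED control directory for the demo.
make_control_sample() {
    mkdir -p "$1"
    : > "$1/locals"
    chmod 644 "$1/locals"
    cat > "$1/rcpthosts" <<'EOF'
example.com
postmaster@example.com
192.0.2.25
mail.example.net
EOF
}

# Demo on constructed data; on a server run: audit_control /var/qmail/control
sample=$(mktemp -d)
make_control_sample "$sample"
audit_control "$sample" || echo "fix the entries listed above"
rm -rf "$sample"
```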
Vpopmail (http://inter7.com/index.php?page=vpopmail) is a software package provided by Inter7 (http://inter7.com) which allows for virtual user functionality with qmail. It uses its own auth system rather than relying on system accounts and its associated /etc/passwd and /etc/shadow.
Run the commands below to fix vpopmail's permissions.
# chown -R vpopmail.vchkpw ~vpopmail
# chmod -R go=u-w ~vpopmail
# chmod -R go= ~vpopmail/domains
# chmod 6111 ~vpopmail/bin/vchkpw
This script, vfixpermissions (http://qmail.jms1.net/scripts/vfixpermissions) provides the same functionality as the commands above.
Save the following directories.
~vpopmail/domains
~vpopmail/etc (everything except inc_deps or lib_deps)
The following users (UID) and groups (GID) MUST HAVE THE SAME NUMERIC VALUE ON BOTH SERVERS.
users:
vpopmail
groups:
vchkpw
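Both migration answers (qmail and vpopmail) require identical numeric IDs because file ownership is stored as numbers, so a mismatch leaves the copied files owned by the wrong account. The script below is an added example, not part of the original FAQ: it compares copies of /etc/passwd and /etc/group taken from each server. The function names, file names and all ID values in the sample data are constructed for illustration.

```shell
# Accounts and groups named in this FAQ (qmail plus vpopmail).
QMAIL_USERS="alias qmaild qmaill qmailp qmailq qmailr qmails vpopmail"
QMAIL_GROUPS="nofiles qmail vchkpw"

# id_of FILE NAME: print field 3 of NAME's entry (UID in passwd, GID in group).
id_of() {
    awk -F: -v n="$2" '$1 == n { print $3; exit }' "$1"
}

# compare_ids KIND OLD_FILE NEW_FILE NAME...
# Print one line per missing or mismatched ID; return 0 only if all match.
compare_ids() {
    kind=$1 old=$2 new=$3
    shift 3
    rc=0
    for name in "$@"; do
        a=$(id_of "$old" "$name")
        b=$(id_of "$new" "$name")
        if [ -z "$a" ] || [ -z "$b" ]; then
            echo "$kind $name: missing (old=${a:-none} new=${b:-none})"
            rc=1
        elif [ "$a" != "$b" ]; then
            echo "$kind $name: MISMATCH old=$a new=$b"
            rc=1
        fi
    done
    return "$rc"
}

# make_samples DIR: write CONSTRUCTED passwd/group copies for two servers.
make_samples() {
    cat > "$1/old.passwd" <<'EOF'
alias:x:7790:2108::/var/qmail/alias:/bin/false
qmaild:x:7791:2108::/var/qmail:/bin/false
qmaill:x:7792:2108::/var/qmail:/bin/false
qmailp:x:7793:2108::/var/qmail:/bin/false
qmailq:x:7794:2107::/var/qmail:/bin/false
qmailr:x:7795:2107::/var/qmail:/bin/false
qmails:x:7796:2107::/var/qmail:/bin/false
vpopmail:x:89:89::/home/vpopmail:/bin/false
EOF
    cat > "$1/old.group" <<'EOF'
qmail:x:2107:
nofiles:x:2108:
vchkpw:x:89:
EOF
    # New server: qmailq was created with a different UID, vpopmail not yet.
    sed -e 's/^qmailq:x:7794:/qmailq:x:503:/' -e '/^vpopmail:/d' \
        "$1/old.passwd" > "$1/new.passwd"
    cp "$1/old.group" "$1/new.group"
}

# Demo on the constructed data. On real hosts, pass copies of /etc/passwd
# and /etc/group collected from the old and the new server.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
compare_ids user "$demo_dir/old.passwd" "$demo_dir/new.passwd" $QMAIL_USERS ||
    echo "user IDs differ: fix them before copying files"
compare_ids group "$demo_dir/old.group" "$demo_dir/new.group" $QMAIL_GROUPS &&
    echo "group IDs match"
rm -rf "$demo_dir"
```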
First locate the mailboxes themselves. The below example will use the users, newuser and olduser and the domains, newdomain.xyz and olddomain.xyz. Please substitute your values, accordingly.
# vuserinfo -d olduser@olddomain.xyz
/home/vpopmail/domains/olddomain.xyz/olduser
# vuserinfo -d newuser@newdomain.xyz
/home/vpopmail/domains/newdomain.xyz/newuser
Next, in the old user's mailbox, find the message(s) you want to move.
# cd /home/vpopmail/domains/olddomain.xyz/olduser/Maildir/cur
('something' is a word or phrase which allows you to identify the message.)
# grep 'something' *
1116979292.12141.server.xyz:2,S
Move the file(s) to the new mailbox with the following command. By placing the file(s) in the Maildir/new directory, you allow the next client (IMAP or POP3) to see the file(s) as a new message.
# mv 1116979292.12141.server.xyz:2,S /home/vpopmail/domains/newdomain.xyz/newuser/Maildir/new/
This page (http://www.antagonism.org/daemontools/clamav.shtml) details running clamav and freshclam from daemontools.
"One of the problems with clamav, indeed with any virus scanner, is that
it takes time to load and parse all of the virus definitions into memory when
the scanner starts up. For an interactive process it's not usually a big deal,
but for scanning email on a busy server it can slow things down a lot- to the
point where a message might take five seconds to be scanned. That may not sound
like a long time, but imagine having to do that several thousand times an hour.
ClamAV comes with a program called clamd which loads the virus
definitions into memory and then sits in the background, waiting to be told
which files to scan. Having clamd run the actual scan is a lot faster, simply
because it doesn't have to load and parse the virus definitions into memory.
In order to have a file scanned by clamd, you use the program clamdscan.
It takes the same command line parameters as the normal clamscan
command line scanner program, but instead of loading the virus definitions and
doing the work itself, it passes a command to clamd and waits for the results.
...
There are a few web pages on the internet, including at least one version of
the qmailrocks directions, which are
telling people to delete their clamdscan binary and copy the clamscan
binary into its place.
While this will "make it work", this is about as STUPID as buying a new
car every day because you don't know how to put fuel in the tank. What this
does is forces every incoming message to load and parse the virus definitions in
to memory, totally throwing away the advantages of running clamd in the first
place- in particular, the speed advantage.
The process of scanning a typical email for viruses normally takes less than
1/10 of a second on my server- using clamscan instead of clamdscan and clamd raises this time to almost six seconds. DO NOT DO THIS TO YOUR SERVER."
[1] (http://qmail.jms1.net/clamav-qms.shtml)
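To find out whether a server was set up following the advice criticised above, compare the two binaries. This is an added example, not part of the original FAQ or of qmail-scanner; the function names are made up for illustration and the demo uses constructed stand-in files rather than real ClamAV binaries.

```shell
# clamdscan_kind CLAMSCAN CLAMDSCAN
# Prints "distinct" (correct), "link" (clamdscan is a symlink whose target has
# the same content as clamscan), "copy" (hard link or byte-for-byte copy of
# clamscan) or "missing" (one of the two files does not exist).
clamdscan_kind() {
    scan=$1 dscan=$2
    if [ ! -f "$scan" ] || [ ! -f "$dscan" ]; then
        echo missing
    elif ! cmp -s "$scan" "$dscan"; then
        echo distinct
    elif [ -L "$dscan" ]; then
        echo link
    else
        echo copy
    fi
}

# check_clamdscan [CLAMSCAN CLAMDSCAN]
# Without arguments, uses the binaries found in PATH.
# Returns 0 if clamdscan is the real client, 1 if it is clamscan in disguise,
# 2 if either binary is missing.
check_clamdscan() {
    scan=${1:-$(command -v clamscan || true)}
    dscan=${2:-$(command -v clamdscan || true)}
    kind=$(clamdscan_kind "$scan" "$dscan")
    case $kind in
        distinct)
            echo "OK: $dscan is not clamscan"
            return 0 ;;
        missing)
            echo "clamscan or clamdscan not found"
            return 2 ;;
        *)
            echo "BAD: $dscan is a $kind of $scan; reinstall it and run clamd"
            return 1 ;;
    esac
}

# Demo with CONSTRUCTED stand-in files.
# On a server, run check_clamdscan with no arguments.
demo=$(mktemp -d)
echo "stand-in scanner" > "$demo/clamscan"
echo "stand-in client"  > "$demo/clamdscan"
check_clamdscan "$demo/clamscan" "$demo/clamdscan"
ln -sf clamscan "$demo/clamdscan"    # what the bad advice amounts to
check_clamdscan "$demo/clamscan" "$demo/clamdscan" || echo "(exit status $?)"
rm -rf "$demo"
```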
Also from the qmail-scanner CHANGES file (http://qmail-scanner.sourceforge.net/CHANGES):
"Added check to ensure clamdscan isn't just a link to clamscan - which some third-party Web sites recommend! Gah! If you want to run clamdscan - THEN SET UP THE DAEMON PROPERLY. Otherwise don't - and you'll get clamscan instead (at 100th the performance) Let me say it again: No-one running ClamAV should be using clamscan."
This page (http://www.antagonism.org/daemontools/spamd.shtml) details how to run SpamAssassin from daemontools.
By default, a 3.x SpamAssassin install already enables Bayes learning. The options in local.cf which enable Bayes learning are:
"use_bayes" tells SpamAssassin to use the native-Bayesian-style classifier. By default, it is enabled (set to 1). You must enable this option to use any of SpamAssassin's Bayesian functionality. "use_bayes_rules" tells SpamAssassin to use rules using the native-Bayesian-style classifier. Its default is set to 1 as well. Lastly, "bayes_auto_learn" automatically feeds high-scoring mail as spam and low-scoring mail as ham into its learning system. This also defaults to 1.
The Bayes system will not activate until SpamAssassin has learned at least "bayes_min_ham_num" ham messages and "bayes_min_spam_num" spam messages. Both values default to 200.
First, make sure you read and understand the information provided in the SpamAssassin UPGRADE file (http://svn.apache.org/repos/asf/spamassassin/branches/3.1/UPGRADE). Then install the updated version of SpamAssassin according to the instructions provided in the INSTALL file (http://svn.apache.org/repos/asf/spamassassin/branches/3.1/INSTALL). This page (http://www.antagonism.org/admin/spamassassin-rpm.shtml) covers creating an RPM from the source tarball.
This page (http://wiki.apache.org/spamassassin/ReportingSpam) details how to report spam using SpamAssassin.
Transport Neutral Encapsulation Format (TNEF) is a proprietary email attachment format used by Microsoft in Outlook, Outlook Express and Exchange Server. Only Microsoft clients can read the attachments; other clients see an attachment titled winmail.dat or win.dat. The attachment's MIME type will be Application/MS-TNEF.
If you use Mozilla Thunderbird, you can use the LookOut (https://addons.mozilla.org/en-US/thunderbird/addon/4433) extension. The extension runs on both the 1.5x and 2.x branches.
If you do not use Thunderbird and/or you prefer a server side solution, this page (http://www.antagonism.org/mail/tnefclean-maildrop.shtml) describes using TNEFClean (http://www.dread.net/~striker/tnefclean/) with maildrop to provide a server based TNEF filtering solution.
To check if a module is installed, run the following command as a non-root user. The syntax of the command is "perl -MNAME_OF_MODULE -e 1".
If the command returns no output, the module is installed.
% perl -MDB_File -e 1
%
However, if the command returns an error message, either the module is not installed or it is not installed correctly.
% perl -MTime::HiRes -e 1
Can't locate Time/HiRes.pm in @INC (@INC contains:
/usr/lib/perl5/5.8.3/i386-linux-thread-multi /usr/lib/perl5/5.8.3
/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl .).
BEGIN failed--compilation aborted.
%
You initially set virus notifications with the use of the "--notify" option for the configure script (http://qmail-scanner.sourceforge.net/configure-options.php). To change the notifications, you may either rebuild qmail-scanner with the appropriate "--notify" option or you may edit the $NOTIFY_ADDRS variable in qmail-scanner to reflect the appropriate notification addresses. The example below shows notifications set for the value of admin.
#Addresses that should be alerted of any quarantined Email:
my $NOTIFY_ADDRS='admin';
When updating clamav and/or spamassassin, you need to let qmail-scanner know of the version change. You accomplish this by calling qmail-scanner with the "-z" option. The "-z" option gathers virus scanner/DAT versions and cleans up old temp files. To have this occur automatically during freshclam updates, set the OnUpdateExecute directive in clamd.conf to call qmail-scanner -z.
The functionality you "lost" was not part of the original qmail-scanner. Rather it is part of a patch (http://toribio.appolinare.org/qmail-scanner) for qmail-scanner. Qmail-scanner incorporated some of this functionality. To incorporate the remaining functionality, download the patch which is appropriate for your version and apply it according to the instructions (http://toribio.apollinare.org/qmail-scanner/#n.3). Then compile and install qmail-scanner with the options you desire.
This page (http://www.antagonism.org/mail/policy-qms.shtml) covers applying policy filters with qmail-scanner.
This page (http://qmail.jms1.net/courier-daemontools.shtml) covers running courier-imap from daemontools.
"The courier-authlib package is a set of programs which handle
authenticating login requests from the IMAP and POP3 services which comes with
the courier-imap package. The API (the mechanism by which the IMAP and POP3
servers send their requests, and gather the results) is documented in the
README_authlib.html file which comes with the courier-authlib package.
The courier-authlib package revolves around a program called authdaemond.
When it starts, it reads a configuration file (usually
/etc/authlib/authdaemonrc) and then loads a set of dynamic modules to
support the specific authentication types you need to support on your server.
These modules are usually found in the
/usr/lib/courier-authlib directory." [1] (http://qmail.jms1.net/courier-authlib.shtml)
This page (http://qmail.jms1.net/courier-authlib.shtml) covers running courier-authlib from daemontools.
This page (http://qmail.jms1.net/courierpassd.shtml) covers running courierpassd from daemontools.
The Debian package does not install with the authvchkpw module. This prevents you from authenticating to vpopmail. The recommended course of action is to either compile from source or create your own .deb package.
You cannot see the images because they are not in the directory in which Apache expects to find them. First you need to determine where Apache expects the images with the following command. Substitute your ErrorLog as appropriate.
# cat /var/log/httpd/error_log | grep images
The above command lists the directory where Apache expects the images. There are two resolutions to this issue.
To do option 1, first locate the qmailadmin images
# locate images | grep qmailadmin
The above command returns the directory of the qmailadmin images. Now simply copy the images to the directory in which Apache expects them.
To do option 2, you need to compile qmailadmin with the appropriate DocumentRoot. First determine your DocumentRoot, substituting the location of your httpd.conf file as appropriate.
# cat /etc/httpd/conf/httpd.conf | grep DocumentRoot
Insert the value from above with the "--enable-htmldir" option in your qmailadmin configure statement. Recompile and install qmailadmin. Verify your success by accessing the qmailadmin URL for your site.
To subscribe to the mailing list, send an email to qmr-subscribe@list.qmailrocks.org.
To unsubscribe from the mailing list, send an email to qmr-unsubscribe@list.qmailrocks.org. The unsubscribe address is also in the headers of every mailing list message.
The list archives hosted by QMR are located here. The archive is currently down and there is no ETA on its repair. Another archive is located here.
Before doing anything else, read this page. Did you read it? Good, now read it again. Make sure you understand it and practice it. Questions which do not follow the suggestions in this document will be met with a simple answer:
"Read and understand http://www.catb.org/~esr/faqs/smart-questions.html. Then repost your question taking the above into account."
Do not hijack threads. Most email readers track messages by the References header and build a thread of messages by the message ID. This allows users who are particularly interested in tracking a particular question to see all the emails related to this question. The flip side is it also allows a user uninterested in the question and its responses to ignore the entire thread.
When you reply to a message with a new question, regardless of whether you changed the subject line, you hijacked a thread. You have a tremendous chance of having your question go unanswered, particularly if users have decided to ignore the thread you hijacked. If you have a new question, click your equivalent of the compose key and create a message.
Questions which hijack threads will most likely go unanswered. If they do get answered, it will be to point the user to this FAQ and remind them not to hijack threads.
Do not top post. Top posting is when you reply to a message by posting your reply above the original message. This makes it a pain for those of us who read in an up-down manner. Also this makes it difficult for people to follow the discussion when reading through the list archive. Several useful members of the list will not reply to messages which are top posted. Below is an example of why top posting is painful to read.
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
To avoid top posting, select an email client which has bottom posting enabled by default. This includes pretty much any email client other than Microsoft Outlook and Outlook Express. This FAQ recommends Thunderbird. It is cross platform, it bottom posts by default and it is not riddled with security holes as the above two products are.
There is no excuse for top posting. This is a mailing list for mail server administrators. This means you run a mail server and can use Thunderbird or another MUA regardless of your platform. Also, you have your own webmail application, squirrelmail, which bottom posts by default. This eliminates the excuse of "I use X's webmail which doesn't allow me to configure bottom posting." Use the mailserver and the webmail client which you maintain.
Do not, let me repeat, do not hide/obfuscate/alter domain names and other publicly available information. You do not own domain.com, xxx.com, etc. Read this document, understand it and reread it again. If you hide your domain information, your question will either go unanswered or you will receive an answer pointing you to this FAQ.
Do not ask a yes/no question, unless you want a yes/no answer. For example, do not ask "Does qmail do X?", unless you really want to know does qmail do X. Chances are you want to know how to do X with qmail. So a better question and one which will get answered with something other than a yes or no is "How do I do X with qmail?". For further reading, check out this page.
Follow the format guidelines present in ESR's How To Ask Questions The Smart Way. In particular, send plain text email, not HTML.
Turn off autoresponders (vacation/out of office messages) and read receipts. For instructions on how to do so, refer to your MUA's documentation. If your MUA does not support turning off this functionality based on a sending email address, then kindly unsubscribe yourself from the list until such time as you return from vacation and/or find a client with the appropriate functionality.
Read Step 3 of 12 Steps to Qmail List Bliss. This covers the most important information you can provide this list.
What did you do? Provide us with a description of your actions (i.e. commands run, exact configuration, local vs. remote run commands, etc).
What did the computer do? Provide exact test results, log contents, error messages, basically provide us with a list of symptoms.
What did you think the computer should have done? How did what happened in the part above differ from what you expected to happen? What did you want to happen?
If your question pertains strictly to qmail as opposed to another portion of QMR, provide the UNEDITED output of the following command.
# /var/qmail/bin/qmail-showctl
It is highly recommended you subscribe to at least the announce equivalents for every major piece of software for your system. This allows you to receive immediate notification when the developers post a new update. Below is a list of recommended lists to which to subscribe.
Ensure you subscribe to the users equivalent list for any piece of software with which you are not comfortable or wish to learn more. Lastly, ensure you subscribe to the security mailing list for your particular operating system (OS).
The official server is #qmr on the Freenode Network.
The rules of the channel are similar to those of the mailing list with the following addition:
Pastes of more than four lines should go to the channel pastebot.
The QMR forums are located here.
The rules of the forum are the same as those of the mailing list with the following addition:
The forum requires registration before you can post to the forum.