Revision History

Revision | Date | Author | Notes
---|---|---|---
1.2 | 2004-8-18 | gea | I have decided that since G. Pape will not answer email, I can no longer recommend his Debian distribution of qmail since I cannot tell if his qmail is patched with some basic safeguards. I NOW RECOMMEND YOU USE NETQMAIL. Please see the appropriate section below.
1.1 | 2004-05-13 | gea | I am now running the SARGE distribution and have done testing to see if this now works.
0.9 | 2004-01-31 | gea | Tested with a clean install with the tmda-1.0 release and the tmda-cgi-0.12 release. Added some gotchas and information on running TMDA from an internal server with no static (real-world) IP.
0.7 | 2003-09-4 | gea | Added basic cookbook instructions for tmda-cgi.
0.6 | 2003-09-2 | gea | Cleaned up the TMDA install section, especially tmda-ofmipd, which wasn't very good when I tried to install again. Spell checked.
0.4.2 | 2003-08-02 | gea | Improved readability and included an appendix on upgrading.
0.4 | 2003-06-28 | gea | Made the document more self-sufficient by including a summary of Pape's commands to make the qmail Debian package more source compatible.
0.3 | 2003-06-07 | gea | Included instructions on TMDA (spam killer) setup.
0.2 | 2003-06-01 | gea | Nita cleaned up some misspellings and grammar. Thanks.
0.1 | 2003-05-31 | gea | Initial writ.
Abstract
A cookbook to set up a Debian-based Qmail server that provides virtual email domains, SMTP-after-POP authentication, and TMDA/tmda-cgi.
The most recent updates are at mung[dot]net. If you mirror this document, please try to keep it the most recent one.
These are things that still need to be included and on which I would appreciate any input. Send input to <dude@mung.net>:
Get web-based email reading and sending working.
I have written this cookbook to address a very specific need. I am helping a non-profit web hosting company set up their Linux email server. They had certain requirements:
Provide email for the domains they host.
Allow POP3 download of email for the hosted domains.
NOT provide real user accounts on the email server.
Give total control of the customer's email to the customer:
  allow the domain owner to create new email accounts;
  allow the owner to decide what happens to mail, for example forwarding and such;
  allow POP3 download of these newly created email accounts.
Allow TMDA (spam killer) setup.
The amount of work to get Qmail working with virtual hosts made me seriously question whether to just apt-get Postfix instead. But in the end, Qmail is actually very end-user friendly, which is really what it is all about. AND it is system-administrator friendly in that it does make sense and is very, very secure and stable.
I used the stable version of Debian (in this case, woody). Why?
Because when Debian says it's stable
It. Is. Stable.
This is a Good Thing™ when it comes to email servers.
Please read these. This is what I used to write this mini how-to:
http://www.lifewithqmail.org/lwq.html#installation
This is the best source of information for the NetQmail installation. Read that and follow it to the letter. It works with the rest of the Debian install I have set up here.
http://mail.socha.net/story/2002/5/17/63812/6164
http://www.inter7.com/vpopmail/install.txt
http://smarden.org/pape/Debian/qmail/qmail-run.html
http://smarden.org/pape/Debian/qmail/lwq.html
http://www.lifewithqmail.org/lwq.html
http://www.tmda.net and the tmda-users and tmda-workers mailing list
I now recommend that you go to http://www.lifewithqmail.org/lwq.html#installation and follow the instructions there. I have installed it using the instructions there and everything works fine. Also, the rest of this document works with the NetQmail installation, as that is what I have now.
G. Pape provides and maintains the Qmail Debian packages. There are no official DEBIAN packages. You could build Qmail from source via DEBIAN by apt-get install qmail-source, but G. Pape's packages are well designed and work.
To install Qmail as the primary MTA[1] you will need to update your /etc/apt/sources.list by adding:
deb http://smarden.org/pape/Debian woody unofficial
deb-src http://smarden.org/pape/Debian woody unofficial
Then type these commands to update your Debian system:
apt-get update
apt-get install qmail-run
At the end of the install, qmail is your primary MTA. At this point I would apt-get install mutt for testing purposes (receiving and sending).
If you are running testing or sarge, do the same as above, but with the sarge links Pape provides. You will need to update your /etc/apt/sources.list by adding:
deb http://smarden.org/pape/Debian sarge unofficial
deb-src http://smarden.org/pape/Debian sarge unofficial
Then type these commands to update your Debian system:
apt-get update
apt-get install qmail-run
G. Pape's qmail-run Debian packages do a good job of setting all your uids and gids. It's still a very good idea to read Life with qmail to understand what the packages do. However, since we are going to build other applications from source, we will need to make the Debian-installed version of qmail as consistent with the original source install of qmail as possible.
This means reading Pape's page http://smarden.org/pape/Debian/qmail/lwq.html on the various differences and how to correct them. Essentially this means reading the page and confirming that the package created each directory and/or file and that the appropriate symbolic links were made. Read http://smarden.org/pape/Debian/qmail/lwq.html and follow his instructions TO THE LETTER.
YOU WANT FULL COMPATIBILITY WITH THE ORIGINAL QMAIL[1]
You need to run these commands (best to just copy and paste):
cp /usr/share/doc/qmail-run/examples/defaultdelivery /var/qmail/control/defaultdelivery
cp /usr/share/doc/qmail-run/examples/qmail-rc /var/qmail/rc
svc -t /service/qmail-send
mkdir /var/qmail/supervise
ln -sf /etc/qmail/qmail-send /var/qmail/supervise/
ln -sf /etc/qmail/qmail-smtpd /var/qmail/supervise/
ln -sf /var/log/qmail-send /var/log/qmail
ln -sf /var/log/qmail-smtpd /var/log/qmail/smtpd
ln -sf /etc/qmail/tcp.smtp /etc/
ln -sf /etc/qmail/tcp.smtp.cdb /etc/
Download the Vpopmail source from http://inter7.com/vpopmail.html
Follow the instructions listed on http://inter7.com/vpopmail/install.txt[1]
Notes on the Vpopmail install instructions:
In step 2 of the install instructions you can't copy and paste; the useradd command as given does not work. This command will work, so use it instead:
useradd -u 89 -g vchkpw -d /home/vpopmail -m vpopmail
In step 3, these are the configuration options I used to build Vpopmail.[1] Just copy and paste this and run it as a command. They work and provide what we needed:
./configure --enable-vpopuser=vpopmail --enable-vpopgroup=vchkpw --enable-roaming-users=y --enable-clear-passwd=y --enable-qmail-ext=y
then type
make
then type
make install-strip
IMPORTANT: SCRIPT NEEDED TO MAKE EVERYTHING WORK.
This one script made me go nuts.[2]
This is the install script. The important points are noted below it:
#!/bin/sh
env - PATH="/var/qmail/bin:/usr/local/bin" \
tcpserver -H -R 0 pop-3 \
/var/qmail/bin/qmail-popup mail.example.com \
/home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir &
Substitute mail.example.com with your fully qualified domain name. This means the name of your computer (its host name) plus the domain name. What you have to be clear about is that if you own the domain example.com, your computer is NOT example.com but a host on that network. You might name your computer mail, and so your fully qualified domain name would be mail.example.com[3]
Installing the script
You will need to install this script into /etc/init.d; we named it vpopmail-start.
You will need to make sure it gets started when your computer starts[3], or you can run it manually. Be sure to chmod 755 the script.
As far as I can tell TMDA and Qmailadmin play well together.
Qmailadmin is a wonderful web-based application to allow your users total control over the email accounts associated with their domains
Find and download autoresponder from http://inter7.com/osfree.html
Follow the instructions and install. It is quite easy. In fact it is so easy I can reproduce almost the entire set of install instructions here. When in autoresponder's directory:
type make
type make install
Find and download ezmlm-idx from http://inter7.com/osfree.html
Again, follow the instructions in the INSTALL file you got when you downloaded the source. Be sure to follow and complete all instructions, including the testing ones.
Find and download qmailadmin from http://www.inter7.com/qmailadmin.html
Notes on the qmailadmin install:
Read the INSTALL instructions.
Your cgi-bin is located in /usr/lib/cgi-bin/[4] and your htmldir is /var/www.
To correctly configure Qmailadmin you will need to configure using this command:
./configure --enable-htmldir=/var/www --enable-cgibindir=/usr/lib/cgi-bin/
At this point ./configure should have processed correctly, and your next steps are to type make and make install-strip, and you are set.
You can access Qmailadmin by browsing to http://mail.example.com/cgi-bin/qmailadmin
Perhaps the hottest thing in email and spam is the Tagged Message Delivery Agent (TMDA). It is a spam filter that doesn't make you go nuts trying to teach it what you like and don't like. It makes the sender of the potential spam do all the work. It causes just a little bit of annoyance to legitimate email senders. Luckily the authors of TMDA find qmail to be the base on which to build TMDA. The instructions are not complicated, but there are a few loopholes you might encounter (or create, as in my case).
The home page for TMDA is http://tmda.net It has cogently laid out and well written instructions.
I do not intend to rewrite them, but just give hints and caveats about the troubles I ran into.
The configuration pages give a detailed rundown of what to do in case you do not use Qmail. But we do, and this makes things almost configuration free. Actually, I recommend you read through the configuration section but not actually do anything it says, as this will cause confusion later on. Once you see a created TMDA account, you can go back and understand what is really going on.
Instead, skip down to the HOW-TO section. Again, reading these makes things a bit confusing at first (again the reason I am writing this how-to, so I don't have to go through it all *over* again). Anyway, here is what you need to do:
The requirements are met by typing:
The most recent stable release of TMDA recommends python2.3. If you are running Debian stable, then you are OK to keep running python2.2, but if you are running testing/Sarge then run python2.3:
apt-get install python2.3
This is not strictly true. The TMDA files are all written to invoke the Python interpreter by
#!/usr/bin/env python
at the beginning of each file. If you have a very clean Debian install, like I do, and did not
apt-get install python
then several TMDA files will not be able to run because they cannot find the Python interpreter, i.e. env finds no python on the PATH.
The two solutions are:
Find the files that TMDA needs to run and replace
#!/usr/bin/env python
with
#!/usr/bin/python2.3
which I did and don't recommend, or
apt-get install python
which will install python2.1[8], and then go to /usr/bin/. After doing ls -la python* you should see this:
dude@brick:/usr/bin$ ls -la python*
lrwxr-xr-x 1 root root 9 Aug 9 14:51 python -> python2.1
-rwxr-xr-x 1 root root 522648 Jul 4 2003 python2.1
-rwxr-xr-x 1 root root 806744 Jul 5 2003 python2.2
Since TMDA recommends python2.3, you should
rm python
which is just a symbolic link to python2.1, and replace it with
ln -s python2.3 python
which should give you this output after ls -la:
tinkies:/usr/bin# ls -la python*
lrwxrwxrwx 1 root root 9 Jan 31 12:25 python -> python2.3
-rwxr-xr-x 1 root root 522504 Sep 7 2002 python2.1
-rwxr-xr-x 1 root root 742568 Sep 7 2002 python2.3
Download the most current TMDA source[8]. You can download it from http://tmda.net/releases/ In this how-to I use version tmda-0.83.tgz
I recommend you untar it[9] into /usr/local/src
Rename tmda-* to just tmda by typing:
mv tmda-* tmda
This allows the carefully crafted scripts to work.
Read the instructions at http://tmda.net/install.html Just follow the first two steps.[11]
You should be in the directory /usr/local/src/tmda. Now type
./compileall
Set up vtmdarc:
cp /usr/local/src/tmda/contrib/vtmdarc /home/vpopmail/etc/
chown vpopmail:vchkpw /home/vpopmail/etc/vtmdarc
chmod 755 /home/vpopmail/etc/vtmdarc
Copy the file /usr/local/src/tmda/contrib/vadduser-tmda to /home/vpopmail/bin/
Open and edit the file /home/vpopmail/bin/vadduser-tmda. The bits we need to diddle are the Configuration Variables. You will want to make it look like this:[12]
##################################################
# Configuration Variables
#
TMDAROOT="/usr/local/src/tmda"
VPOPROOT="/home/vpopmail"
PATH="$VPOPROOT/bin:$TMDAROOT/bin:$PATH"
VTMDARC="$VPOPROOT/etc/vtmdarc"
#
#
##################################################
What's that? The short answer is that it lets you securely send mail, by having you authenticate yourself to tmda-ofmipd, which then injects the mail into your SMTP server.
The longer answer is:
tmda-ofmipd is an async I/O based authenticated ofmip proxy for TMDA. This allows users of any mail client capable of SMTP Authentication (e.g, Outlook, Eudora, Mozilla) to "tag" their outgoing mail as described in the Client Configuration section.
The script is (much thanks to the tmda-users list):
su vpopmail -c '/usr/local/src/tmda/bin/tmda-ofmipd -A "/home/vpopmail/bin/vchkpw /bin/true" -S /usr/local/src/tmda/contrib/vpopmail-vdir.sh'
I call it the tmda-start script.
You will need to install it into the directory /etc/init.d and have it start automatically.
I want to dissect tmda-ofmipd in more detail. A lot of what it can do is not documented on the tmda.net site or in the tmda-ofmipd how-to. You can only get the illuminating information by running the -h option, like so:
tinkies:/usr/local/src/tmda/bin# ./tmda-ofmipd -h
The key ingredients of the tmda-start script are:
su vpopmail -c
This runs the script as user vpopmail. This keeps tmda-ofmipd from being run as root. The -c option runs the command in single quotes.
-A "/home/vpopmail/bin/vchkpw /bin/true"
runs the authentication program. In this case we are using vpopmail's vchkpw to do the job of authenticating the username against the right password.
If we don't use the -A option, then tmda-ofmipd will look for the user's .tmda directory and look there for a file tofmipd to authenticate against. In this case, since we su vpopmail, tmda-ofmipd will look for the /home/vpopmail/.tmda/tofmipd file with which to authenticate.
The format of the tofmipd file is simply one user:password pair per line:
bobby:FooBar
chloe:baz_bap
johndoe:8i9/hjuy+33
This can allow for different POP3 and SMTP passwords. I discuss this later.
The tofmipd file has a couple of requirements:
It must be owned by the user running the tmda-ofmipd app. Hence:
chown vpopmail:vchkpw /home/vpopmail/.tmda/tofmipd
It must be
chmod 600 /home/vpopmail/.tmda/tofmipd
(it can also be chmod 400).
Possibilities: note that in effect you can have two different passwords, one for your POP3 login and one for your SMTP authentication. Of course, the passwords in tofmipd are stored in clear text, but I will be seeing how to do this differently in the next revision.
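As an added check (my example, not part of TMDA or of this how-to's own scripts), a small Python script that verifies the tofmipd requirements just listed before tmda-ofmipd is started: the file is owned by the daemon user, its mode is 600 or 400, and every non-empty line is a user:password pair. The default path /home/vpopmail/.tmda/tofmipd and owner vpopmail are the values used in this how-to; both can be overridden on the command line.

```python
# Added example (not part of TMDA or this how-to): check a tmda-ofmipd
# "tofmipd" password file before the daemon is started, and load its entries.
# The file holds clear-text user:password pairs, so this how-to requires it to
# be owned by the user that runs tmda-ofmipd (vpopmail) and to be mode 600
# or 400. The default path and owner are the values used in this how-to.
import os
import pwd
import stat

DEFAULT_PATH = "/home/vpopmail/.tmda/tofmipd"
DEFAULT_OWNER = "vpopmail"


def parse_tofmipd_line(line):
    """Split one 'user:password' line; return (user, password) or None."""
    if any(c.isspace() for c in line):
        return None
    user, sep, password = line.partition(":")
    if not sep or not user or not password:
        return None
    return user, password


def check_tofmipd(path=DEFAULT_PATH, owner=DEFAULT_OWNER):
    """Return a list of problems found; an empty list means the file is usable."""
    problems = []
    try:
        st = os.stat(path)
    except OSError as err:
        return ["cannot stat %s: %s" % (path, err)]
    try:
        actual_owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        actual_owner = str(st.st_uid)   # uid with no passwd entry
    if actual_owner != owner:
        problems.append("owned by %s, expected %s (chown %s %s)"
                        % (actual_owner, owner, owner, path))
    mode = stat.S_IMODE(st.st_mode)
    if mode not in (0o600, 0o400):
        problems.append("mode is %04o, expected 0600 or 0400 (chmod 600 %s)"
                        % (mode, path))
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if line and parse_tofmipd_line(line) is None:
                problems.append("line %d is not user:password: %r"
                                % (lineno, line))
    return problems


def load_tofmipd(path=DEFAULT_PATH):
    """Return {user: password} for every well-formed, non-empty line."""
    entries = {}
    with open(path) as fh:
        for raw in fh:
            parsed = parse_tofmipd_line(raw.rstrip("\n"))
            if parsed:
                entries[parsed[0]] = parsed[1]
    return entries


if __name__ == "__main__":
    import sys
    found = check_tofmipd(*sys.argv[1:3])
    for problem in found:
        print(problem)
    print("OK" if not found else "NOT OK")
    sys.exit(1 if found else 0)
```

Run it as root (or as vpopmail) before starting tmda-start; a non-zero exit means the daemon would either refuse the file or expose the passwords to other local users.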
-S /usr/local/src/tmda/contrib/vpopmail-vdir.sh
prints out the virtual email user's home directory. It allows tmda-ofmipd to find the user's .tmda directory and read options from it. Note that this script is provided by TMDA.
Foreground option: -f
This allows you to test the script in real time and, combined with the following option, gives you immediate feedback to see if the script is working.
DO NOT RUN THE SCRIPT AT START UP WITH THE -f OPTION, as it will not allow your computer to finish the initial boot up. :)
Debug option: -d
Very useful to see what is happening when you test. So if you are using this how-to and want to test the script, I would run it like this:
su vpopmail -c '/usr/local/src/tmda/bin/tmda-ofmipd -f -d -A "/home/vpopmail/bin/vchkpw /bin/true" -S /usr/local/src/tmda/contrib/vpopmail-vdir.sh'
Send some email and watch it work in real time. Remember to use port 8025 as your SMTP server.
Proxyport option: -p host:port
--proxyport host:port
The host:port to listen for incoming connections on. The default is FQDN:8025 (i.e, port 8025 on the fully qualified domain name for the local host).
This option is useful for changing the IP address that tmda-ofmipd listens on. See Running TMDA from an Internal Network (below).
My requirements changed. I now run OpenBSD as my web server. I am limited to one IP address. I still want to run TMDA on Linux, since Linux is more useful for me in other applications. Here is what I did: tmda-ofmipd will by default bind to the hostname's FQDN, but since the main gateway server, OpenBSD, is that host, TMDA could not bind correctly. Also, since my TMDA server is tinkies.mung.net and it no longer has a static IP address, tmda-ofmipd cannot bind the address properly.
The answer was the -p option. Here is what my tmda-start script now looks like:
su vpopmail -c '/usr/local/src/tmda/bin/tmda-ofmipd -p 192.168.1.4:8025 -A "/home/vpopmail/bin/vchkpw /bin/true" -S /usr/local/src/tmda/contrib/vpopmail-vdir.sh'
Where '192.168.1.4' is my internal address and ':8025' defines the tmda-ofmipd port. The rest required forwarding ports 25, 110 and 8025, which is covered in my mini how-to cookbook on setting up OpenBSD as firewall, gateway and port forwarder, which I wrote to help me out.
You must be root. You should be in the directory /home/vpopmail/bin/
Create the virtual domain by
./vadddomain example.com
Create the virtual TMDA email account by
./vadduser-tmda user@example.com[13]
Set up your Mail User Agent to use port 8025. If you don't, an interesting thing happens: TMDA accounts don't work with each other. Tim Legant[13] succinctly explains:
When user1 sends mail to user2, user2's TMDA sends a challenge back to user1. The problem is that user1 doesn't have user2 in his whitelist[14] and so the challenge email gets stuck in the pending directory. That means user1 never sees it and can't respond.
When TMDA sends a challenge, it sends it to the envelope sender address. The easiest way to make sure you can receive challenges from other TMDA users is to make your envelope sender a dated address. In your .tmda/filters/outgoing file[14], put this line at the very end:
to * tag envelope dated=10d from bare
If user1 had that line in his outgoing filter, the challenge sent by user2's TMDA would have gone directly to his Maildir and not into pending. Then user1 could have replied to the challenge, been added to user2's whitelist and his message would have been delivered to user2.
More information about this is discussed in FAQs 4.12, 5.4 and 5.5. You'll want to make sure you read the filter documentation so you can add more rules as necessary, both to your incoming filter and your outgoing filter.
http://tmda.net/config-filter.html
You will note that non-TMDA accounts work fine; the reason is:
... if the non-TMDA user (user1) sends mail to the TMDA user (user2), user2's TMDA sends back a challenge. Since user1 is not using TMDA, the challenge goes right to user1's Maildir and he can reply, causing his message to be delivered to user2.
It appears TMDA and Qmailadmin don't modify the same .qmail files.
TMDA sets up the .qmail files in:
/home/vpopmail/domains/example.com/.qmail-user
/home/vpopmail/domains/example.com/.qmail-user-default (which is a link to .qmail-user)
And Qmailadmin futzes with the files in:
/home/vpopmail/domains/example.com/user/.qmail
Create a user account with ./vadduser-tmda as above.
Access Qmailadmin via the web. You should see your new account. From testing modifications to a vadduser-tmda created account, Qmailadmin appears to behave (I think).
TMDA is for the hard-core power user of email. It is not exactly for the faint of heart. tmda-cgi helps provide us mere mortals a nice GUI way to use it. The install instructions are in fact clear, but somehow they could be made more explicit. Here I provide explicit instructions.
At this time, the latest stable release, 0.13, requires you to download an additional package and unpack it; be sure to read the README. But at this time it works great and looks great too.
Obtain the tmda-cgi source.
Unpack it into /usr/local/src/
Again I rename it with a simple
mv tmda-cgi-* tmda-cgi
I have chosen to copy the graphics into /var/www:
cp -R /usr/local/src/tmda-cgi/display/ /var/www/display/
cd /usr/local/src/tmda-cgi/
Configuration
Type
cd /usr/local/src/tmda-cgi/
then
./configure
This will lead you through an automated install script. The answers used for this setup follow each > prompt:
Where is the Python interpreter? (version 2.1+) > /usr/bin/python2.2
When I compile the binary executable, where should I save it? Enter the full path AND filename. Generally, you will use the path to your web-server's cgi-bin directory, but it can be stored elsewhere if you have your web-server configured to run CGI's in other directories. > /usr/lib/cgi-bin/tmda.cgi
Where did you install TMDA? For source installs, this is the directory where you unzipped the archive. You may enter a relative path (relative to the CWD) if you like. If you installed TMDA from an RPM, try: "/usr/lib/python2.2/site-packages". If you installed TMDA from a FreeBSD port, try: "/usr/local/lib/python2.2/site-packages". > /usr/local/src/tmda
Where did you install tmda-cgi? This is typically the CWD. > /usr/local/src/tmda-cgi/
Would you like to override the default config file location? If so, enter a "formula" to specify where to look for the config file. This formula is just a path, but it can include the character "~". This character will be replaced by the user's name during execution. To use the default config file location, enter "None". > None
How should I authentication user logins? [file, program, remote, default] "file" lets you specify a password file. "program" lets you specify the path to a program such as checkpassword "remote" lets you specify a protocol such as imap or pop3 "default" is similar to file, except it looks for password files in the default locations. > program
What is the authentication command? (full path and args) * For more details, see "config --help" option -p * > /home/vpopmail/bin/vchkpw
What is the relative or absolute web path from CGI to display directory? This is discussed in the documentation at: http://tmda.sourceforge.net/tmda-cgi/compile.html#Display > ../display
What mode should the CGI run in? [system-wide, single-user, no-su] > system-wide
Which virtual user stub and parameters should I use for locating virtual users? If your system does not have any virtual users, enter "None". > vpopmail1 /home/vpopmail/bin/vuserinfo ~
What real user name should I use when a virtual user logs in? > vpopmail
Where should I save temporary session files? Please enter a path and file prefix. > /tmp/TMDASession.
How long (in seconds) may a temporary session file be allowed to sit before it risks being cleaned up? > 300
What are the odds of cleanup I should use? (0.01 = 1%) > 0.01
make
make install
Then log in at
www.example.com/cgi-bin/tmda.cgi
Start Outlook. From the menu, select "Tools", then "Accounts".
Select your account and click "Properties".
Look for the tab concerning Servers.
Look for and select the box that says "My server requires authentication".
Make sure the authentication login is the same as your regular login.
Look for the server port numbers.
Change the SMTP port to 8025.
Apply these changes.
You will want to keep TMDA at the most current stable release. The developers are quite good about making only the stable release easily available. The best way I found to successfully upgrade[19] is to simply download the new source code, unzip it, and
mv tmda-NEW-VERSION tmda/
(move the old tmda directory out of the way first; if /usr/local/src/tmda still exists, mv will put the new tree inside it instead of replacing it).
Once again get into the directory /usr/local/src/tmda and then compile everything again:
./compileall
This should upgrade everything fine without you having to tweak anything. Note: be sure to read the file UPGRADE for additional information.
[1] Message Transfer Agent
[1] just to be clear, READ THE PAGE. DO WHAT IT SAYS OR THIS WILL NOT WORK
[1] I found it easiest to just copy and paste.
[1] This works with VPOPMAIL VERSION 5.4.0
[2] Because I was reading so much about getting vpopmail to work, I read that the suggested script in the vpopmail install instructions did not work. However, after several days and multiple eyeballs (thanks Ian!) looked at it, it turns out the sample startup script in the vpopmail install instructions does in fact work! The problem was that the how-to I was reading was out of date :)
[3] You will need to know how to update your DNS records appropriately. YOU DON'T NEED TO NAME YOUR MAIL SERVER HOST'S NAME "MAIL"; in my case, its name is tinkies.
[3] You can use update-rc.d for this.
[3] I no longer run qmail, so this section may be out of date. Please email me if you run into problems and I can update it.
[4] I found this out by looking at /etc/apache/httpd.conf and searching for cgi-bin. You did apt-get install apache, didn't you?!?
[8] Assuming you are using the stable distribution, which you should be
[8] Yes there are Debian packages, but the vadduser-tmda script (which we use) does not work correctly
[9] tar xvzf tmda-*.tgz
[11] Note I use tar and they use gunzip. No big deal.
[12] Assuming you did everything I told you. And if you did not, Why are you reading this how to?!?
[13] Do not use ./vadduser
[13] Believe it or not, this is from an email he sent me to help me get TMDA working. More unbelievable was that I had thought I had found a bug and submitted it to the developer list: not only did I not get flamed into Hell, but he took an extraordinary amount of time with me.
[14] A file that holds your approved list of email addresses.
[14] For example, /home/vpopmail/domains/example.com/user1/.tmda/filters/outgoing
[19] I upgraded from 0.80 to 0.82