Installing Qmail and Spamdyke

Initial assumptions

Our server is called mx.gufi.org and will receive email for the domain gufi.org.

Preliminary installation

  • Install mail/qmail;
  • Add the following knobs to /etc/make.conf:
WITH_CLEAR_PASSWD=yes
WITHOUT_MD5_PASSWORDS=yes
WITHOUT_USERS_BIG_DIR=yes
  • Install mail/vpopmail;
  • Download the latest spamdyke release (currently 4.0.4, available here);
  • Compile spamdyke (I recommend ./configure --without-debug-output --disable-config-test);
  • Copy the spamdyke binary built in the previous step to /usr/local/bin.

Initial configuration

  • Run the script /var/qmail/scripts/enable-qmail;
  • The port installation has already given qmail a preliminary configuration, but a few files are certainly missing:
# cat /var/qmail/control/concurrencyincoming
300
# cat /var/qmail/control/defaultdelivery
./Maildir/
#
  • Create the file /var/service/qmail-smtpd/run:
#!/bin/sh
# Runs qmail-smtpd under tcpserver, with spamdyke in front of it as a filter.

QUID=`id -u vpopmail`
QGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`

# Refuse to start if any of the values read above is empty
# (the test must use the variables defined here, not QMAILDUID/NOFILESGID).
if [ -z "$QUID" -o -z "$QGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
  echo QUID, QGID, MAXSMTPD, or LOCAL is unset in
  echo /var/service/qmail-smtpd/run
  exit 1
fi

# Without rcpthosts qmail-smtpd would accept mail for any domain.
if [ ! -f /var/qmail/control/rcpthosts ]; then
  echo "No /var/qmail/control/rcpthosts!"
  echo "Refusing to start SMTP listener because it'll create an open relay"
  exit 1
fi

# tcpserver applies the relay rules in /etc/tcp.smtp.cdb and drops to the
# vpopmail uid/gid; spamdyke (copied to /usr/local/bin above) then reads
# spamdyke.conf and hands the accepted session to qmail-smtpd.
exec /usr/local/bin/softlimit -m 40000000 \
  /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" -u "$QUID" \
  -g "$QGID" 0 smtp /usr/local/bin/spamdyke --run-as-user "$QUID":"$QGID" \
  -f /usr/local/etc/spamdyke.conf /var/qmail/bin/qmail-smtpd 2>&1
  • Create the file /etc/tcp.smtp:
# cd /etc
# more tcp.smtp
127.0.0.1:allow,RELAYCLIENT=""
:allow
# tcprules tcp.smtp.cdb tcp.tmp < tcp.smtp
#
  • Create the file /var/service/qmail-smtpd/log/run:
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog \
  t s10000000 n1024 /usr/local/logs/qmail/smtpd
  • Create the directory /usr/local/logs/qmail/smtpd:
# mkdir -p /usr/local/logs/qmail/smtpd
# chown -R qmaill:qnofiles /usr/local/logs/qmail
#
  • Configure vpopmail to handle the gufi.org domain with the command:
# /usr/local/vpopmail/bin/vadddomain gufi.org
Please enter password for postmaster: 
enter password again: 
#
  • Add a user to the domain:
# /usr/local/vpopmail/bin/vadduser dave@gufi.org
Please enter password for dave@gufi.org: 
enter password again: 
#
  • Configure spamdyke, first creating the directory where most of spamdyke's settings will be stored:
# mkdir -p /var/db/spamdyke/graylist
# chown -R vpopmail:vchkpw /var/db/spamdyke
#
  • Create the file /usr/local/etc/spamdyke.conf...:
#Logging
log-level=info
log-target=stderr

#Timings
greeting-delay-secs=5
connection-timeout-secs=600
idle-timeout-secs=30

#Graylisting
graylist-dir=/var/db/spamdyke/graylist
graylist-level=always
graylist-min-secs=300
graylist-max-secs=1814400

#SMTP Auth and access permissions
access-file=/etc/tcp.smtp
local-domains-file=/var/qmail/control/rcpthosts
local-domains-file=/var/qmail/control/morercpthosts
smtp-auth-command=/usr/local/vpopmail/bin/vchkpw /usr/bin/true
smtp-auth-level=always-encrypted
tls-level=smtp
tls-certificate-file=/usr/local/vpopmail/servercert.pem

#Check
reject-missing-sender-mx

filter-level=normal
relay-level=normal
max-recipients=40
hostname=mx.gufi.org
policy-url=http://www.gufi.org/report/

ip-blacklist-file=/var/db/spamdyke/ip_blacklist.txt
sender-blacklist-file=/var/db/spamdyke/sender_blacklist.txt
sender-whitelist-file=/var/db/spamdyke/sender_whitelist.txt
ip-whitelist-file=/var/db/spamdyke/ip_whitelist.txt
dns-blacklist-file=/var/db/spamdyke/dnsrbl.txt
dns-whitelist-file=/var/db/spamdyke/dns_whitelist.txt
rdns-blacklist-file=/var/db/spamdyke/rdns_blacklist.txt

#Translations (rejection messages shown to clients)
rejection-text-access-denied="Accesso negato."
rejection-text-auth-failure="Autenticazione fallita."
rejection-text-auth-unknown="Metodo di autenticazione non supportato."
rejection-text-earlytalker="Violato il protocollo SMTP."
rejection-text-empty-rdns="Non hai un reverse DNS valido."
rejection-text-graylist="Sei in graylist. Riprova piu' tardi."
rejection-text-ip-blacklist="Ti ho messo in blacklist."
rejection-text-ip-in-cc-rdns="Non hai un reverse DNS di mio gradimento."
rejection-text-ip-in-rdns-keyword-blacklist="Hai un reverse DNS davvero brutto."
rejection-text-local-recipient="Indirizzo destinatario non valido."
rejection-text-max-recipients="Troppi destinatari."
rejection-text-missing-sender-mx="Non hai un record MX valido"
rejection-text-rdns-blacklist="Il tuo dominio e' in blacklist"
rejection-text-recipient-blacklist="Non accetto mail dal tuo indirizzo."
rejection-text-reject-all="Mail non accettata."
rejection-text-relaying-denied="Relaying non consentito dal tuo IP."
rejection-text-sender-blacklist="Indirizzo mittente in blacklist."
rejection-text-smtp-auth-required="Autenticazione richiesta."
rejection-text-timeout="Timeout. Digita piu' in fretta la prossima volta."
rejection-text-tls-failure="Negoziazione TLS fallita."
rejection-text-unresolvable-rdns="Dove e' finito il tuo rDNS?"
rejection-text-zero-recipients="Devi specificare almeno un destinatario valido."
  • ... and its related files in /var/db/spamdyke:
# cat /var/db/spamdyke/dnsrbl.txt
sbl-xbl.spamhaus.org
korea.services.net
dul.dnsbl.sorbs.net
cbl.abuseat.org
combined.njabl.org
list.dsbl.org
# cat /var/db/spamdyke/rdns_blacklist.txt
.*dynamic.*
# cd /var/db/spamdyke
# touch ip_whitelist.txt
# touch ip_blacklist.txt
# touch dns_whitelist.txt
# touch sender_whitelist.txt
# touch sender_blacklist.txt
#
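Every list file named in spamdyke.conf has to exist, and an option given twice (as max-recipients easily ends up) is ambiguous. The following check is an added example, not part of spamdyke or of the original page; it parses a spamdyke.conf laid out as above and reports repeated single-valued keys and missing *-file / *-dir paths. The MULTI list of repeatable keys is an assumption covering only the key this page repeats on purpose.

```shell
#!/bin/sh
# Added sanity check for a spamdyke.conf like the one above; not part of
# spamdyke or of the original page. It reports option keys that appear more
# than once (spamdyke treats them as single-valued, except the keys listed in
# MULTI) and verifies that every *-file / *-dir value names an existing path,
# so a forgotten "touch" shows up before the listener is started.

# Keys that may legitimately be repeated (assumption: only this one is used).
MULTI="local-domains-file"

check_spamdyke_conf() {
    conf="$1"
    rc=0

    # Drop comments and blank lines; the key is everything before the first
    # '=' (bare flags such as reject-missing-sender-mx are their own key).
    keys=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" | cut -d= -f1)
    for key in $(printf '%s\n' "$keys" | sort | uniq -d); do
        case " $MULTI " in
            *" $key "*) ;;
            *) echo "duplicate option: $key" >&2; rc=1 ;;
        esac
    done

    # Every path-valued option must point at something that exists.
    for entry in $(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$conf" \
                   | grep -e '-file=' -e '-dir=' || true); do
        key=${entry%%=*}
        val=${entry#*=}
        if [ ! -e "$val" ]; then
            echo "$key: $val does not exist" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: check the configuration whose path is given on the command line.
if [ $# -gt 0 ]; then
    check_spamdyke_conf "$1"
fi
```

A non-zero exit means the listener would start with an incomplete or ambiguous filter configuration.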

Finishing up

As with qmail-smtpd, we create the supervise scripts for qmail-send and qmail-pop3d.

# cat /var/service/qmail-send/run
#!/bin/sh
exec /var/qmail/rc
# cat /var/service/qmail-send/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog \
  t s10000000 n1024 /usr/local/logs/qmail/send
# cat /var/service/qmail-pop3d/run 
#!/bin/sh
exec /usr/local/bin/softlimit -m 40000000 \
  /usr/local/bin/tcpserver -v -R -H -l 0 0 110 \
  /var/qmail/bin/qmail-popup mx.gufi.org \
  /usr/local/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1
# cat /var/service/qmail-pop3d/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog \
  t s10000000 n1024 /usr/local/logs/qmail/pop3d
#

Where /var/qmail/rc is the following:

#!/bin/sh

exec env - PATH="/var/qmail/bin:$PATH" \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

SSL services

To enable the ssmtp and pop3s protocols, we can use the security/stunnel port.
To configure stunnel, create the file /usr/local/etc/stunnel/stunnel.conf:

cert = /usr/local/vpopmail/servercert.pem

; SSLv3 only: current clients refuse it, so newer stunnel releases need a TLS setting here
sslVersion = SSLv3

chroot = /var/tmp/stunnel
setuid = stunnel
setgid = nogroup
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = 1
output = /var/log/stunnel.log

[pop3s]
accept  = 995
connect = 110

[ssmtp]
accept  = 465
connect = 25

; vim:ft=dosini

Because of a problem in the stunnel startup script, apply this patch to /usr/local/etc/rc.d/stunnel:

--- stunnel.orig	2008-10-07 08:38:54.000000000 +0200
+++ stunnel	2008-10-07 08:38:09.000000000 +0200
@@ -35,7 +35,12 @@
 command="/usr/local/bin/stunnel"
 command_args=${stunnel_config}
 pidfile=${stunnel_pidfile}
+stop_postcmd="stunnel_stop_post"

required_files="${stunnel_config}"

+stunnel_stop_post () {
+    pkill "${name}"
+}
+
 run_rc_command "$1"
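Review bot: `pkill "${name}"` in the added stunnel_stop_post matches every process named stunnel, including instances not started by this rc script, and it fires after the pidfile-based stop has already been attempted. The configuration above shows why that stop fails: stunnel runs chrooted in /var/tmp/stunnel with pid = /stunnel.pid, so the pidfile is written to /var/tmp/stunnel/stunnel.pid while the script reads pidfile=${stunnel_pidfile}. Setting stunnel_pidfile to /var/tmp/stunnel/stunnel.pid (in rc.conf, or as pidfile= in this hunk) lets run_rc_command stop the daemon without a post-command; if the post-command is kept, `pkill -F "${pidfile}"` limits it to the process recorded in the pidfile.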

Starting the services

  • To start the services, add the following lines to /etc/rc.conf.local:
svscan_enable="YES"
stunnel_enable="YES"

then run:

# /usr/local/etc/rc.d/svscan start
Starting svscan.
# /usr/local/etc/rc.d/stunnel start
Starting stunnel.
#

Notes

The following scripts must be executable:

  • /var/service/qmail-smtpd/run
  • /var/service/qmail-smtpd/log/run
  • /var/service/qmail-send/run
  • /var/service/qmail-send/log/run
  • /var/service/qmail-pop3d/run
  • /var/service/qmail-pop3d/log/run
  • /var/qmail/rc
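A non-executable run script, a missing multilog directory or a tcp.smtp.cdb that was not rebuilt after editing tcp.smtp are the usual reasons a service tree like the one above fails to start or enforces the wrong relay rules. The following check is an added example, not part of qmail, spamdyke or the original page; the service root and rules path are parameters (an assumption so the check can be pointed at a test tree) and default to the locations used on this page.

```shell
#!/bin/sh
# Added check for the service tree built on this page (not part of qmail,
# spamdyke or the original page). For every service under the root it
# confirms that run and log/run are executable, that the directory named
# on the last line of log/run (the multilog target) exists, and that
# tcp.smtp.cdb exists and is not older than tcp.smtp, since an edited but
# uncompiled tcp.smtp leaves the previous relay rules in force.

check_qmail_services() {
    root="${1:-/var/service}"      # assumption: parameters so the check
    rules="${2:-/etc/tcp.smtp}"    # can be run against a test tree
    rc=0

    for svc in "$root"/*/; do
        svc=${svc%/}
        for script in "$svc/run" "$svc/log/run"; do
            if [ ! -x "$script" ]; then
                echo "not executable: $script" >&2
                rc=1
            fi
        done
        # multilog's last argument is the directory it writes to.
        logdir=$(tail -n 1 "$svc/log/run" 2>/dev/null | awk '{ print $NF }')
        if [ -n "$logdir" ] && [ ! -d "$logdir" ]; then
            echo "log directory $logdir for $svc does not exist" >&2
            rc=1
        fi
    done

    # tcprules must be re-run after every edit of tcp.smtp.
    if [ ! -f "$rules.cdb" ] || [ "$rules" -nt "$rules.cdb" ]; then
        echo "$rules.cdb is missing or older than $rules: run tcprules" >&2
        rc=1
    fi
    return $rc
}

# Usage: pass the service root and the tcp.smtp path, or none for the defaults.
if [ $# -gt 0 ]; then
    check_qmail_services "$@"
fi
```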
 
Last modified: 2008/10/07 12:30 by admin

Except where otherwise noted, the content of this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported