Setting up SMTP with TLS
Sunday, 31 May 2009 21:09

Updated 2/9/10: Fixed all broken links and changed all references from smtprelay to qmail-smtpd-tls to give it a better qmail reference in services.

Copied with permission from:
John Simpson
http://qmail.jms1.net/smtp-service.shtml
http://qmail.jms1.net/tls-auth.shtml

This service only accepts mail from authorized clients: it requires the AUTH command before accepting any messages, and it requires STARTTLS before the AUTH command may be entered, so credentials never cross the wire in the clear. This makes it an ideal "SMTP relay service" for your authorized users.

You must be using John Simpson's combined qmail patch in order for this to function properly; the stock qmail-smtpd has no STARTTLS or AUTH support and ignores the options the run script sets.

# cd /var/qmail/supervise
# mkdir -m 1755 qmail-smtpd-tls
# cd qmail-smtpd-tls
# fetch http://goodcleanemail.com/files/run.smtp.sslserver
# mv run.smtp.sslserver run
# vi run

This opens the script in a text editor (the command above uses vi; nano, pico, emacs or any other editor works just as well). Set the options as needed for your service. The file itself documents every option you can set.

You should set the following values:

IP=1.2.3.4  Substitute your own IP address. Do not leave this set to 0 (which means every local address) without a good reason.
PORT=587  The port number we will be listening on (587 is the mail submission port).
SSL=0  Do not run an SSL-only service; the port speaks plain SMTP and upgrades to TLS with STARTTLS.
FORCE_TLS=1  Refuse to accept mail from clients who have not done STARTTLS.
DENY_TLS=0  Do not refuse to process the STARTTLS command.
AUTH=1  Allow the AUTH command after STARTTLS has been completed.
REQUIRE_AUTH=1  Refuse to accept mail from clients who have not done AUTH.
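To see what the FORCE_TLS=1 / REQUIRE_AUTH=1 combination means on the wire, here is an added example (not John Simpson's code and not part of this page's run script) that models the command gate in Python and replays two constructed client sessions against it: one that tries AUTH and MAIL FROM before STARTTLS, and one that does things in the required order. The reply texts, the host name mail.example.com, the credential store and the alice@example.com account are all assumptions made for the demonstration; the real qmail-smtpd-tls performs an actual TLS handshake and checks passwords through vchkpw, neither of which this model does.

```python
"""Model of the command gate that FORCE_TLS=1 and REQUIRE_AUTH=1 impose."""
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Policy:
    """The run-script switches that decide which commands are accepted when."""
    force_tls: bool = True      # FORCE_TLS=1: nothing past EHLO until STARTTLS is done
    deny_tls: bool = False      # DENY_TLS=0: STARTTLS is offered
    auth: bool = True           # AUTH=1: the AUTH command exists at all
    require_auth: bool = True   # REQUIRE_AUTH=1: no MAIL FROM until AUTH succeeded


# Constructed credential store standing in for vchkpw; an assumption for this
# example, not how vpopmail stores passwords.
USERS: Dict[str, str] = {"alice@example.com": "s3cret"}


def plain_token(user: str, password: str) -> str:
    """Build the AUTH PLAIN initial response: base64("\\0user\\0password")."""
    return base64.b64encode(("\0%s\0%s" % (user, password)).encode()).decode()


def check_plain(token: str, users: Dict[str, str]) -> bool:
    """Verify an AUTH PLAIN token against the credential store."""
    try:
        parts = base64.b64decode(token, validate=True).split(b"\0")
    except ValueError:          # binascii.Error is a ValueError
        return False
    if len(parts) != 3:
        return False
    user = parts[1].decode("utf-8", "replace")
    password = parts[2].decode("utf-8", "replace")
    return users.get(user) == password


def smtpd(policy: Policy, commands: List[str], users: Dict[str, str] = USERS) -> List[str]:
    """Return one reply per client command, enforcing the policy's ordering.

    Reply strings are constructed for this example; they use RFC 3207 / RFC 4954
    codes but are not quoted from qmail-smtpd-tls.
    """
    tls = authed = False
    sender: Optional[str] = None
    replies: List[str] = []
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            ext = ["250-mail.example.com"]
            if not tls and not policy.deny_tls:
                ext.append("250-STARTTLS")
            if policy.auth and (tls or not policy.force_tls):
                ext.append("250-AUTH PLAIN")
            ext.append("250 8BITMIME")
            reply = "\r\n".join(ext)
        elif verb == "STARTTLS":
            if policy.deny_tls:
                reply = "502 STARTTLS not supported"
            elif tls:
                reply = "503 TLS already active"
            else:
                tls, authed, sender = True, False, None   # pre-handshake state is discarded
                reply = "220 ready for tls"
        elif verb == "AUTH":
            mech, _, token = arg.partition(" ")
            if not policy.auth:
                reply = "502 AUTH not supported"
            elif policy.force_tls and not tls:
                reply = "530 Must issue a STARTTLS command first"
            elif authed:
                reply = "503 already authenticated"
            elif mech.upper() == "PLAIN" and check_plain(token, users):
                authed = True
                reply = "235 ok, go ahead"
            else:
                reply = "535 authorization failed"
        elif verb == "MAIL":
            if policy.force_tls and not tls:
                reply = "530 Must issue a STARTTLS command first"
            elif policy.require_auth and not authed:
                reply = "530 Authentication required"
            else:
                sender = arg
                reply = "250 ok"
        elif verb == "RCPT":
            reply = "250 ok" if sender is not None else "503 MAIL first"
        elif verb == "QUIT":
            reply = "221 mail.example.com"
        else:
            reply = "502 unimplemented"
        replies.append(reply)
    return replies


CRED = plain_token("alice@example.com", "s3cret")
# Constructed sessions: one client skips STARTTLS, the other follows the rules.
LAZY_CLIENT = ["EHLO laptop", "AUTH PLAIN " + CRED,
               "MAIL FROM:<alice@example.com>", "QUIT"]
GOOD_CLIENT = ["EHLO laptop", "STARTTLS", "EHLO laptop", "AUTH PLAIN " + CRED,
               "MAIL FROM:<alice@example.com>", "RCPT TO:<bob@example.org>", "QUIT"]

if __name__ == "__main__":
    for name, session in (("lazy", LAZY_CLIENT), ("good", GOOD_CLIENT)):
        print("== %s client ==" % name)
        for cmd, reply in zip(session, smtpd(Policy(), session)):
            print("C: %s\nS: %s" % (cmd, reply))
```

When you test the real service with `openssl s_client -starttls smtp -connect your.host:587`, the behaviour to confirm is the one the model shows: AUTH and MAIL FROM are refused until the TLS handshake is done, MAIL FROM is still refused after a failed AUTH, and only a successful AUTH opens the door. Constructing a Policy with force_tls=False and require_auth=False reproduces what FORCE_TLS=0 REQUIRE_AUTH=0 would give you: the lazy client's cleartext AUTH and MAIL FROM both go through.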

Once you are finished editing and have saved the file...

# chmod 700 run
# mkdir -m 755 log
# cd log
# fetch http://goodcleanemail.com/files/service-any-log-run
# mv service-any-log-run run
# chmod 700 run

Setting up the tcpserver access files

If you have already set up /etc/tcp and its Makefile, skip down to "Creating the smtp file".

I do something a little different with my tcpserver access control files than most other people. Instead of calling the files /etc/tcp.smtp and /etc/tcp.smtp.cdb (the files are in /etc/ and have names which start with "tcp.") I call them /etc/tcp/smtp and /etc/tcp/smtp.cdb. The idea is that /etc/tcp is a directory containing all of my tcpserver access control files, along with a Makefile which rebuilds any out-of-date cdb files whenever their source text files have been updated.

If you use the "run" scripts from my web site, you will find them written this way. Of course you can edit the scripts and change the filenames if you like, but I have found this to be a much easier way to administer the control files (I use tcpserver for a lot more than just qmail.)

To set this up on your own server...

These commands should be run as root.
# mkdir -m 755 /etc/tcp
# cd /etc/tcp
# fetch http://goodcleanemail.com/files/etc-tcp-makefile
# mv etc-tcp-makefile Makefile

Creating the smtp file

At this point it should be ready to go: all you need to do is create the "smtp" file, containing the normal access control list. For this service it can be as short as:

127.:allow,RELAYCLIENT=""
:allow

The first line sets RELAYCLIENT for connections from 127.* (tcprules treats a trailing dot as a prefix match, so this is every address beginning with "127.", not a single host), which is how qmail-smtpd is told that a client may relay. The second line lets everyone else connect; what they may do from there is governed by the FORCE_TLS and REQUIRE_AUTH settings in the run script.

Then run:

# gmake

or if you're not using FreeBSD

# make
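How tcpserver resolves a client against the smtp file: an added example, not part of this page or of ucspi-tcp, that implements in Python the part of the tcprules lookup this file relies on (exact IP first, then shorter and shorter dotted prefixes, then the empty default address) and evaluates both the page's two-line file and a constructed, stricter variant that shows an exact address overriding the prefix it falls under and a ":deny" default. It only understands the NAME="value" environment form; the =host and info@ address forms, and what tcpserver does when no rule matches at all, are not modeled, and the 192.168.1.x addresses in the variant are made up.

```python
"""Subset of tcpserver's tcprules lookup, applied to the smtp access file."""
from typing import Dict, List, Optional, Tuple

# The access file from this page, embedded so the example runs offline.
SMTP_RULES = '127.:allow,RELAYCLIENT=""\n:allow\n'

# Constructed variant: an exact address beats the prefix it falls under,
# and a ":deny" default closes the service to everyone else.
STRICT_RULES = '''\
127.:allow,RELAYCLIENT=""
192.168.1.50:deny
192.168.1.:allow,RELAYCLIENT=""
:deny
'''

Rule = Tuple[str, Dict[str, str]]   # (instruction, environment to set)


def parse_rules(text: str) -> Dict[str, Rule]:
    """Parse tcprules source text into {address: (instruction, env)}.

    Only the NAME="value" environment form is handled (it is all this page
    uses); anything else raises rather than being silently misread.
    """
    rules: Dict[str, Rule] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, _, rest = line.partition(":")
        instruction, _, envspec = rest.partition(",")
        if instruction not in ("allow", "deny"):
            raise ValueError("bad instruction in rule: %r" % line)
        env: Dict[str, str] = {}
        if envspec:
            for item in envspec.split(","):
                name, eq, value = item.partition("=")
                if not eq or len(value) < 2 or value[0] != '"' or value[-1] != '"':
                    raise ValueError("unsupported environment setting: %r" % item)
                env[name] = value[1:-1]
        rules[address] = (instruction, env)
    return rules


def candidates(ip: str) -> List[str]:
    """Addresses tcpserver tries for an IPv4 client, most specific first."""
    octets = ip.split(".")
    keys = [ip]
    for n in range(len(octets) - 1, 0, -1):
        keys.append(".".join(octets[:n]) + ".")
    keys.append("")          # the empty address is the file's default rule
    return keys


def lookup(rules: Dict[str, Rule], ip: str) -> Optional[Rule]:
    """First matching rule for ip, or None if nothing (not even "") matches."""
    for key in candidates(ip):
        if key in rules:
            return rules[key]
    return None


def explain(text: str, ip: str) -> str:
    """One-line summary of what a client at ip gets from the given file."""
    rule = lookup(parse_rules(text), ip)
    if rule is None:
        return "%s: no rule matched" % ip
    instruction, env = rule
    setting = ", ".join('%s="%s"' % kv for kv in sorted(env.items())) or "no environment"
    return "%s: %s, %s" % (ip, instruction, setting)


if __name__ == "__main__":
    for ip in ("127.0.0.1", "203.0.113.9"):
        print("smtp   ", explain(SMTP_RULES, ip))
    for ip in ("192.168.1.50", "192.168.1.51", "203.0.113.9"):
        print("strict ", explain(STRICT_RULES, ip))
```

The Makefile in /etc/tcp compiles each text file into its .cdb with tcprules; the lookup above is what tcpserver then does against that cdb for every connection, before qmail-smtpd ever starts. Because the page's file ends with ":allow", every address matches something, so be aware that tightening the service to particular networks means changing that default line as well as adding prefix rules.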

Finally, make vchkpw setuid and setgid vpopmail. qmail-smtpd runs as an unprivileged user, but vchkpw has to read vpopmail's password files to check AUTH credentials, so without these bits every AUTH attempt will fail:

# cd ~vpopmail/bin
# chown vpopmail:vchkpw vchkpw
# chmod 6711 vchkpw

The final step is to start the service running.

# ln -s /var/qmail/supervise/qmail-smtpd-tls /service/

Wait about ten seconds, and then make sure the service is running correctly.

# svstat /service/qmail-smtpd-tls
/service/qmail-smtpd-tls: up (pid 25183) 6 seconds

The number of seconds should be two or greater, and if you re-run the same command again, you should see the count going up rather than cycling back to zero. If the count never passes three, or if the service is not listed as "up" to start with, check the logs to see what's going on.

# tail /service/qmail-smtpd-tls/log/main/current

Last Updated on Tuesday, 09 February 2010 10:58