Upgrading qmailrocks using John Simpson's Combined Patch
Tuesday, 07 April 2009 01:15

Updated 2/9/10: Fixed up links that were broken on this page.

There are a few reasons why you would want to upgrade your qmailrocks install. The first is security: the combined patch lets you protect SMTP AUTH with TLS or SSL. The default qmailrocks setup authenticates with plain-text passwords (AUTH LOGIN and AUTH PLAIN only base64-encode them), so anyone who can sniff the traffic between your clients and the server can recover every password that passes by.

Before you continue, there are two things you need to know. First, read John's "Upgrading from qmailrocks" page at

http://qmail.jms1.net/upgrade-qmr.shtml

Second, once you upgrade from qmailrocks to John's combined patch, SMTP AUTH with plain-text passwords over an unencrypted connection will no longer work. AUTH is only accepted after STARTTLS, as set up in this document, or over SSL, which is explained at the bottom of this page. Have a migration plan in place ahead of time so this doesn't upset anyone. If you really need an SMTP server that accepts plain-text passwords, set up another box to do SMTP only.

Probably the biggest reason to switch is John Simpson's validrcptto patch. It rejects invalid recipients at the SMTP level (at RCPT TO, before the message body is ever accepted) by checking a cdb database of the valid email addresses on your server; the database has to be rebuilt whenever addresses are added or removed. This puts far less load on the server and can make a tremendous difference when your domain is being bombarded with spam to non-existent users.

Lastly, when I set up new clients for qmail, I do it via the freebsdrocks.net site. The idea is that port 25 only accepts inbound (MX) mail, and clients submit their outbound mail over SSL (port 465) or TLS (port 587, the submission port). That lets you enable things like jgreylist, RBLs and validrcptto on port 25. What most people don't understand is that you should not have clients submitting mail on the same port where you accept inbound mail. Inbound mail copes with those checks fine, but greylisting and RBL lookups run before AUTH ever happens, so your own users sending from dynamic or listed IP addresses will be deferred or rejected on port 25.

There are many other patches in John's combined patch that improve your server's performance and security. For details see:

http://qmail.jms1.net/patches/combined-details.shtml

The first step is to download the new qmail-smtpd/run script so we can get it prepped and ready to go. PLEASE NOTE: we are *NOT* going to install the new run file until AFTER the system has been patched and rebuilt. Preparing it now just makes the switch quick once the build is done.

# cd /service/qmail-smtpd/
# cp run bak_run
# fetch http://qmail.jms1.net/scripts/service-qmail-smtpd-run
# vi service-qmail-smtpd-run

The options available in service-qmail-smtpd-run are documented at

http://qmail.jms1.net/tls-auth.shtml

If you ONLY want to accept inbound mail on port 25 and not offer SMTP AUTH at all, use the following settings in service-qmail-smtpd-run. Each flag is described by what it does when set to 1. With this configuration you can turn on jgreylist, RBLs and validrcptto.

IP=1.2.3.4       Substitute your own IP address. Do not leave this set to 0 (listen on all interfaces) without a good reason.
PORT=25          The port number we will be listening on.
SSL=0            1 = run an SSL-only service; that belongs on a separate port 465 service, not here.
FORCE_TLS=0      1 = refuse to accept mail from clients that have not done STARTTLS.
DENY_TLS=0       1 = refuse to process the STARTTLS command; leave it 0 so STARTTLS stays available.
AUTH=0           1 = allow the AUTH command after STARTTLS has completed; 0 denies AUTH entirely, so this is an MX-only listener.
REQUIRE_AUTH=0   1 = refuse to accept mail from clients that have not done AUTH.

However, if you HAVE to offer AUTH on port 25, use the following settings to enable TLS; AUTH is then only offered after STARTTLS has completed. In that case I would NOT RECOMMEND turning on jgreylist, RBLs or validrcptto: greylisting and RBL checks run before AUTH ever happens, so they would defer or reject your own users submitting mail from dynamic or listed addresses.

IP=1.2.3.4       Substitute your own IP address. Do not leave this set to 0 (listen on all interfaces) without a good reason.
PORT=25          The port number we will be listening on.
SSL=0            1 = run an SSL-only service; 0 because this is plain SMTP with STARTTLS.
FORCE_TLS=0      1 = refuse to accept mail from clients that have not done STARTTLS; must stay 0 on a port that also receives inbound MX mail.
DENY_TLS=0       1 = refuse to process the STARTTLS command; 0 keeps STARTTLS available, which AUTH depends on.
AUTH=1           Allow the AUTH command, but only after STARTTLS has completed.
REQUIRE_AUTH=0   1 = refuse to accept mail from clients that have not done AUTH; must stay 0 on a port that also receives inbound MX mail.

I would suggest setting IP to your private, internal address (if applicable), so the service only receives what your firewall/router forwards to it. Then tell the firewall/router to pass port 25 (SMTP) and port 110 (POP3) to your FreeBSD box internally.

Now that the qmail-smtpd/run file is prepared, we need to download the current version of the combined patch from:

http://qmail.jms1.net/patches/combined-details.shtml

For example (7.06 was the current version when this was written; use whatever version the patches page lists now):

# cd ~root
# fetch http://qmail.jms1.net/patches/qmail-1.03-jms1.7.06.patch

Now let's download the qmail source, extract it and apply the patch. Both downloads are over plain HTTP, so compare the checksums of the tarball and the patch against the values published for them before you patch anything.

# cd ~root
# fetch http://cr.yp.to/software/qmail-1.03.tar.gz
# tar xvzf qmail-1.03.tar.gz
# cd qmail-1.03
# patch < ../qmail-1.03-jms1.7.06.patch

Don't worry about all the output scrolling by as long as it says 'Done' at the end and no hunks were rejected. Once the patch has applied we are ready to compile qmail with all the new enhancements. Make sure there are no messages in the qmail queue when you stop qmail below: the output of qmailctl stat tells you how many local and remote messages are queued. THIS IS VERY IMPORTANT!! qmail-send must be fully stopped before make setup check installs the new binaries over the old ones; if it is still running after qmailctl stop, wait a few seconds and check again (if it lingers, it is safe to kill it).

# make
# qmailctl stop
# ps ax | grep qmail-send
(if qmail-send is still listed, wait a few seconds and run the ps command again until it is gone)
# make setup check

Before we start qmail again, install the new qmail-smtpd/run file:

# cd /service/qmail-smtpd/
# cp service-qmail-smtpd-run run
# chmod 755 run

Replace the qmail-smtpd/log/run file with the new one as well:

# cd /service/qmail-smtpd/log
# fetch http://qmail.jms1.net/scripts/service-any-log-run
# cp run bak_run
# cp service-any-log-run run
# chmod 0600 bak_run
# chmod 755 run

Before we start qmail, we need to make sure SMTP AUTH works with vpopmail. qmail-smtpd runs as the unprivileged qmaild user, so vchkpw must be setuid and setgid vpopmail to read the password database (6711 = setuid, setgid, and execute-only for group and others). This makes vchkpw a setuid binary, so keep vpopmail patched:

# chmod 6711 ~vpopmail/bin/vchkpw

Setting up the tcpserver access files

If you have already set up the Makefile, skip down to Creating the smtp file.

I do something a little different with my tcpserver access control files than most other people. Instead of calling the files /etc/tcp.smtp and /etc/tcp.smtp.cdb (the files are in /etc/ and have names which start with "tcp.") I call them /etc/tcp/smtp and /etc/tcp/smtp.cdb. The idea is that /etc/tcp is a directory containing all of my tcpserver access control files, along with a Makefile which rebuilds any out-of-date cdb files whenever their source text files have been updated.

If you use the "run" scripts from my web site, you will find them written this way. Of course you can edit the scripts and change the filenames if you like, but I have found this to be a much easier way to administer the control files (I use tcpserver for a lot more than just qmail.)

To set this up on your own server...

These commands should be run as root.
# mkdir -m 755 /etc/tcp
# cd /etc/tcp
# fetch http://goodcleanemail.com/files/etc-tcp-makefile
# mv etc-tcp-makefile Makefile

Creating the smtp file

At this point it should be ready to go; all you need to do is create the "smtp" file containing the normal tcpserver access control list. It might look something like this:

192.168.0.:allow,RELAYCLIENT=""
:allow

Only the local-network line sets RELAYCLIENT. The bare ":allow" is the default rule for every other client and must never carry RELAYCLIENT, or the server becomes an open relay. Then build the cdb:

# gmake

or, if you're not using FreeBSD,

# make
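The Makefile fetched above is not reproduced on this page. As an added example (my own script, not the Makefile from goodcleanemail.com and not John Simpson's code), here is a POSIX shell equivalent for the same /etc/tcp layout: it rebuilds any NAME.cdb that is older than its NAME source with tcprules from ucspi-tcp, and first refuses to build a rule file whose default ":" rule sets RELAYCLIENT, since that would make the server an open relay. The directory and the rule files it is pointed at are assumptions.

```shell
#!/bin/sh
# Added example, not the Makefile distributed with the page: rebuild
# tcpserver access control .cdb files under /etc/tcp (assumed layout:
# /etc/tcp/NAME is the text rules file, /etc/tcp/NAME.cdb the compiled one).

# tcprules_open_relay FILE -> succeeds (exit 0) when the default rule in
# FILE, the line that starts with ":", sets RELAYCLIENT. That rule applies
# to every client not matched earlier, so it would relay for the world.
tcprules_open_relay() {
    grep -q '^:[^#]*RELAYCLIENT' "$1"
}

# rebuild_tcp_cdb DIR -> for every rules file in DIR (anything without a
# .cdb/.tmp suffix, Makefile excluded), check it for the open-relay default
# and rebuild NAME.cdb if it is missing or older than NAME.
rebuild_tcp_cdb() {
    dir=${1:-/etc/tcp}
    for src in "$dir"/*; do
        case "$src" in *.cdb|*.tmp|*/Makefile) continue ;; esac
        [ -f "$src" ] || continue
        if tcprules_open_relay "$src"; then
            echo "$src: default rule grants RELAYCLIENT (open relay), not building" >&2
            return 1
        fi
        if [ ! -f "$src.cdb" ] || [ "$src" -nt "$src.cdb" ]; then
            # tcprules writes the cdb atomically via the .tmp file.
            tcprules "$src.cdb" "$src.tmp" < "$src" || return 1
            chmod 644 "$src.cdb"
        fi
    done
}

main() {
    if [ $# -eq 0 ]; then
        echo "usage: $0 /etc/tcp" >&2
        return 0
    fi
    rebuild_tcp_cdb "$1"
}

main "$@"
```

Run it as root with the directory as its argument, or drop it into cron so a forgotten rebuild after editing /etc/tcp/smtp cannot leave a stale cdb in place. Like the author's Makefile, it only rebuilds what has changed.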

OK, everything is set, so let's start qmail.

# qmailctl start
# svc -u /service/*
# qmailctl stat

Make sure here that /service/qmail-smtpd and /service/qmail-smtpd/log show an uptime of more than a second or two; a service stuck in a restart loop reports 0 or 1 seconds every time you check. If that happens, take a look at the log file:

# tai64nlocal < /service/qmail-smtpd/log/main/current
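Before telling users to switch, verify that the listener actually enforces what the run-script options above describe: no AUTH on a cleartext connection, AUTH only inside STARTTLS (or no AUTH at all on an MX-only port 25). The following is an added example, my own script rather than anything from this page or from John Simpson's site. It classifies a server from its EHLO responses before and after STARTTLS; the live-capture helpers use nc and openssl s_client, and the host name and sample responses are constructed for illustration, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the original page: check an SMTP listener's
# AUTH/TLS policy from its EHLO responses. Host name, ports and the sample
# responses below are assumptions.

# smtp_auth_policy PRE POST -> prints one word:
#   cleartext-auth  AUTH offered before STARTTLS (passwords sniffable)
#   no-starttls     STARTTLS not offered at all (DENY_TLS=1 or no TLS support)
#   auth-over-tls   AUTH offered only inside the TLS session (AUTH=1)
#   no-auth         STARTTLS offered, AUTH never offered (AUTH=0, MX-only)
# PRE is the cleartext EHLO response, POST the EHLO response after STARTTLS.
smtp_auth_policy() {
    pre=$1
    post=$2
    if printf '%s\n' "$pre" | grep -qi '^250[- ]AUTH'; then
        echo cleartext-auth
    elif ! printf '%s\n' "$pre" | grep -qi '^250[- ]STARTTLS'; then
        echo no-starttls
    elif printf '%s\n' "$post" | grep -qi '^250[- ]AUTH'; then
        echo auth-over-tls
    else
        echo no-auth
    fi
}

# Live capture (needs network): cleartext EHLO via nc, and the EHLO that
# s_client sends inside the TLS session after it negotiates STARTTLS itself.
ehlo_cleartext() {
    printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}"
}
ehlo_tls() {
    printf 'EHLO probe.example\r\nQUIT\r\n' |
        openssl s_client -quiet -starttls smtp -connect "$1:${2:-25}" 2>/dev/null
}

# Constructed sample responses (not captured from a real server).
SAMPLE_PRE_GOOD='220 mail.example.com ESMTP
250-mail.example.com
250-STARTTLS
250-PIPELINING
250 8BITMIME'
SAMPLE_POST_GOOD='250-mail.example.com
250-AUTH LOGIN PLAIN
250-PIPELINING
250 8BITMIME'
SAMPLE_PRE_BAD='220 mail.example.com ESMTP
250-mail.example.com
250-AUTH LOGIN PLAIN
250-STARTTLS
250 8BITMIME'

main() {
    host=${1:-}
    if [ -n "$host" ]; then
        smtp_auth_policy "$(ehlo_cleartext "$host" "${2:-25}")" "$(ehlo_tls "$host" "${2:-25}")"
    else
        echo "sample good: $(smtp_auth_policy "$SAMPLE_PRE_GOOD" "$SAMPLE_POST_GOOD")"
        echo "sample bad:  $(smtp_auth_policy "$SAMPLE_PRE_BAD" "")"
    fi
}

main "$@"
```

With no arguments it classifies the built-in samples; with a host (and optional port) it probes the live server. The AUTH=0 port 25 configuration above should report no-auth, the AUTH=1 configuration auth-over-tls, and anything reporting cleartext-auth is still exposing passwords to a sniffer.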

Other than that, you are good to go! You now need to tell your users to enable STARTTLS in their mail clients when sending. If you want to set up SMTP over SSL (port 465), that requires a separate service; take a look at

http://goodcleanemail.com/index.php?option=com_content&view=article&id=59:setting-up-smtp-with-ssl&catid=36:qmail&Itemid=41

or set up SMTP with TLS on a separate service:

http://goodcleanemail.com/index.php?option=com_content&view=article&id=110:setting-up-smtp-with-tls&catid=36:qmail&Itemid=41

If you want to enable validrcptto, take a look at the following URLs

http://qmail.jms1.net/patches/validrcptto.cdb.shtml
http://qmail.jms1.net/scripts/mkvalidrcptto.shtml

If you would like to enable jgreylist, follow this website:

http://qmail.jms1.net/scripts/jgreylist.shtml

Last Updated on Tuesday, 09 February 2010 11:38