KLUDGE v0.5 EMAIL SERVER - A DETAILED HOWTO

AUTHOR - Chris Berry chris_berry@jm-associates.com
MAILING LIST - kludge_list@jm-associates.com
To subscribe just send a blank message to kludge_list-subscribe@jm-associates.com

TABLE OF CONTENTS

Reasoning
Legal Disclaimer
Special Thanks
Conventions
Components
Reference Documents
Setup - Stage 0 , Hardware , Operating System , Basic Setup , Download Software , Security Settings
Setup - Stage 1 , qmail
Setup - Stage 2 , vmailmgr , Courier-IMAP , Mozilla , OpenSSL
Setup - Stage 3 , rblsmtpd , Spamassassin , TMDA
Setup - Stage 4 , TMDA-OFMIPD , cdb , Mailfront
Setup - Stage 5 , ClamAV , qmail-scanner
Setup - Stage 6 , mailquotacheck.sh , relay-ctrl , djbdns
Setup - Stage 7 , Digital Signatures , Mailing Lists , Admin Scripts
Setup - Stage 8 , Ezmlm-idx , dot-qmail Based Groups
FAQS
Things to do
Reported Bugs
Changelog

REASONING

This project was born when our business got tired of the inadequacies of Hotmail and AOL for business email. I started looking around for a solution, and nobody had all the features we needed in cost-effective form. Given a low budget (read zero) and demanding reliability requirements, I turned to open source software. After looking around I came to the realization that there is no such thing as an open source "email server" as a complete package. So even though all I knew about email was how to click the send button, I set out to piece together a total system from widely available programs. Here are my requirements in order:

1) Free (as in beer, though speech is nice too)
2) Rock solid stability
3) Paranoid security
4) Serious Anti-Spam measures
5) Maintainability

LEGAL DISCLAIMER
While these instructions work for me, and I hope they're helpful for you, I don't guarantee anything.

This work is licensed under a Creative Commons License.

SPECIAL THANKS

The members of OCLUG for putting up with a year's worth of email-related Linux questions.
The members of the qmail mailing list, bless their cantankerous little hearts, for steering me in the right direction even when that required the vicious use of truncheons.
Tim Legant for his help in getting vmailmgr and tmda working together.
Charles Cazabon for his help with the local mail only problem.
The producers of all this wonderful FREE software that makes me look good for my boss.

If I used your doc, faq, program, scripts, etc. or you helped out and I forgot to give you credit, please let me know and I'll make sure to update my page.

CONVENTIONS

1) Greater-than/less-than symbols will surround key presses.  So if you are to press the carriage return it will look like: <enter>
2) Text to be actually typed will be listed in red, while expected output will be listed in green.  I know this makes it harder if you print out the material, but it seems like the easiest way to make it explicitly clear; I can't count the number of times when I wasn't sure if I was supposed to enter the quotes or not when reading someone else's docs.
3) Text that needs to be replaced with something that is specific to your particular installation will be shown in standard bash variable format with purple letters like this $VARIABLE.
4) Warnings will be larger and shown in yellow.
5) All instructions are to be performed as root unless otherwise specified.
6) I personally hate vi, but I realize that it's pretty much THE universal editor for *nix based operating systems.  I used emacs to do most of my editing on this project, but you can use pretty much whatever you like.  For the remainder of this HOWTO, I'm going to assume that you're using emacs; if you're not, then just replace the emacs commands with whatever is appropriate for your editor.  Here are a few emacs tips in case you are a total newbie:
    I) To open a file just type emacs $FILENAME replacing $FILENAME with the name of the file you want to edit or create.  (Remember to include the path if it's not in your current directory)
    II) To save the file you're working on just hold down the CTRL key and press <x> <s>
    III) To exit a file just hold down <CTRL>  and press <x> <c>
    IV) To delete an entire line press <CTRL> <k>
    V) To copy and paste go to the beginning of the region and hit <CTRL> <SPACE>, use the arrow keys to select the region, then press <CTRL> <w> to cut or <ALT> <w> to copy, go to the destination and press <CTRL> <y> to paste.
    That should be plenty for what you're going to do in this project.
7) I've tried to comply with the file system hierarchy listed here: http://www.pathname.com/fhs/pub/fhs-2.3.html but I'm pretty new to Linux, so if you find something out of place, please let me know.

COMPONENTS

Mandrake Linux - Base operating system
REASON: I've found that Mandrake is very easy for new Linux users to install, use, and learn on. If you're reading this that probably includes you.
qmail MTA - Lets you send and receive mail via SMTP (plus daemontools and ucspi-tcp)
REASON: I carefully examined the five big open source (I use this term loosely as they all have different licenses) mail transfer agents (sendmail, exim, courier, qmail, postfix), and qmail seemed to have the most paranoid security setup.  daemontools and ucspi-tcp are required in the standard Life with qmail setup that the experts recommend.
Courier-IMAP - Allows remote mail retrieval without need for command line access
REASON: Natively supports maildirs, unlike POP it keeps all messages on the server, is faster/less complicated than both Cyrus-IMAP and UW-IMAP, the author gives excellent support on his mailing list, and it was originally designed to work with qmail so there aren't any compatibility problems or sendmailisms.
OpenSSL - Used to encrypt the communications between the mail client and the IMAP server
REASON: My policy is to encrypt everything and ask questions later, clear text transmissions are to be avoided at all costs, especially when transmitting passwords. I didn't like StartTLS because of the way it's implemented in Courier-IMAP, a compromise in the OpenSSL package would lead to root access for an attacker.
Vmailmgr - Removes the need for shell accounts.
REASON: This server is a mail hub, there are no "local" users in the old Unix sense of the word. I chose Vmailmgr over Vpopmail because it's easy to set up, more "qmailish" in design, and it was highly recommended by Charles Cazabon, the Technical Reviewer for "The qmail Handbook" one of the few offline books on qmail.
rblsmtpd - Blocks spammers using DNS lookups
REASON: Some mail admins are ignorant and/or malicious allowing all sorts of junk mail to be sent from or relayed through their systems. After carefully looking around I decided on three conservative blacklists that seemed both popular, and very concerned with accuracy. I chose sbl.spamhaus.org which maintains a list of the worst confirmed spammers, relays.ordb.org which tracks servers which are open relays (though once common, open relaying is no longer recommended due to abuse), and opm.blitzed.org which tracks servers with misconfigured proxies that allow relaying. (Originally I had chosen proxies.relays.monkeys.com for the open proxy blocking but they've been put out of action due to DDoS attacks.)  Blacklisting is only going to be a small portion of our anti-spam setup so I wanted to avoid any sort of aggressive or collateral damage lists.
Spamassassin - Analyzes email according to a list of human built rules and adds a score header
REASON: As any email admin can tell you, blacklisting hasn't been a complete solution for quite a while. This program looks at email and attempts to quantify its "spammyness"; by combining it with several other spam identifiers we can try to separate the good from the bad.
Bayesian Filtering - Uses word frequency statistics to tell spam (bad mail) from ham (good mail)
REASON: This program allows your filters to become more efficient over time automatically by learning to recognize the difference between what constitutes good and bad mail on your system. Having multiple different ways to recognize spam helps keep down the false positives.
Vipul's Razor - An online database of known spam emails
REASON: I borrowed a concept from NASA and set up my spam identification system like the flight controllers on the space shuttle. There are three separate filters, each with an independent design; this makes the inaccuracies in any one system tend to cancel out.
TMDA - Tagged message deliver agent, a cryptographic message confirmation system
REASON: The worst problem with spam identification systems is false positives/negatives. Usually you can't crank your filters down very tight for fear that you'll reject legitimate mail, and if you loosen them up too much then all the nasty spam starts ending up in your mailbox again. TMDA can send out tagged confirmation messages which must be replied to before mail is delivered. Many users find TMDA by itself to be annoying as it interjects a new step in the email process. What I've done is to combine email filtering and TMDA in such a way that it only triggers on messages which are considered "spammy". The result is that most users mail goes through without needing confirmation, yet you can tighten down your filters without having to worry about false positives since legitimate senders can just confirm and be whitelisted.
TMDA-OFMIPD - Part of the TMDA package, this program allows you to use MUA's that don't invoke the sendmail wrapper included with qmail.  Specifically we'll be using this program to allow us to add dated reply-to addresses which will allow people we correspond with to bypass our spam filters automatically.  This is considered basic net etiquette when using a challenge/response system.
qmailqueue-patch - Allows you to have other programs called when qmail-queue is invoked.
REASON: Although it's a good idea to use a minimalist approach when it comes to patching qmail, this seemed like the best way to activate qmail-scanner so that we can scan for viruses.
qmail-scanner.pl - Can be used to block email attachments with certain file extensions, and as a hook for a virus-scanner
REASON: I liked Russell Nelson's qmail-viruscan-patch better, but unfortunately my use of mailfront precludes that because it acts as a replacement for qmail-smtpd.
Clam-AV - Open source virus scanner with auto-updating
REASON: This project is supposed to be completely free (as in beer) so this looked like the best choice. Although it's not going to catch everything, it should go a long way towards keeping the virus population down. If you have Windows clients make sure you're running a host based virus scanner as this won't solve all your problems.
Mailfront - Used to prevent joe-jobs and reduce queue load from double bounces to invalid local addresses
REASON: qmail's default behavior is to accept all mail regardless of whether it's for a valid user. While this is polite, and was an appropriate response when qmail was written, nowadays this merely allows spammers, worms, and joe-jobbers to abuse your queue, increasing load on your server. Mailfront allows you to specify a set of rules which will prevent unauthorized SMTP transactions, and that means you can use less hardware on your box, which means less money, and we all know how much management likes that.
mailquotacheck.sh - Helps keep your disk usage reasonable by setting a limit on how much email a user can store
REASON: Many people tend to use email as an alternative to FTP nowadays, and that can take up a prohibitive amount of disk space. This script allows you to set a limit on how much people can store. I had to modify the script somewhat to work with vmailmgr and Mandrake but the changes were pretty minor.
Mozilla Email Client - Cheap, easy, crossplatform mail reading/sorting/composing
REASON: In my personal opinion Microsoft Outlook and Outlook Express are poorly written, virus-laden, non-security-conscious pieces of bug-ridden filth, and should not be authorized in any proper mail system. Mozilla's email client provides a nice free replacement that can easily handle IMAP and the other features we need.
cdb - A simple program for creating constant databases
REASON: This package allows you to take some longer list files we'll be using and compile them into simple databases to improve lookup performance.
Relay-Ctrl - Allows remote users to relay outgoing smtp through the server so that you can support road warriors
REASON: I like this particular solution because it's limited, temporary, and doesn't require patching qmail; in addition we're already using a bunch of Bruce Guenter's software so it keeps the number of different places to go for support down.
Maildrop - A mail delivery agent.
REASON: Basically this is a complete filtering language that allows you all kinds of custom solutions.  I like the way it works but currently the only thing we're going to be using it for is to implement the qmail-scanner.pl script which requires maildrop's reformime package.
Safecat - A safe maildir delivery program
REASON: We're not using a full fledged MDA, and TMDA  won't be used for our mailing list setup.  This program works great right out of the box.
djbdns - A security-conscious DNS server, written by the same author as qmail, so it's little surprise that they work well together.
REASON: qmail is pretty strict about what kind of DNS replies it receives.  Some sites nowadays will return a DNS response that's greater than 512 bytes, which is technically not allowed in the RFC.  When this happens qmail gives a CNAME error in the log and won't process the message.  To work around this, the best solution is to install a caching DNS resolver like djbdns which understands and can properly handle those kinds of oversized messages.
ezmlm-idx (OPTIONAL) - A mailing list manager written by the author of qmail, with some extensions added by various mailing list admins
REASON: There are many situations where it can be convenient to run your own mailing list.  This program offers a secure, low maintenance, no-nonsense way of doing that.

REFERENCE DOCUMENTS & INFORMATION SOURCES
This is most of the stuff I used to help figure out how to do this project:
OS Installation problem workaround
Life With Qmail
The qmail Handbook
Vmailmgr HOWTO
Courier-IMAP Instructions
OpenSSL Howto
rblsmtpd Explanation
TMDA Virtual Domains Howto
qmail-scanner.pl Installation page
Perlscanner file blocking info
qmail environment variables
How to Install cdb
The TMDA FAQ
Local Mail Only Solution
Mailfront directions
Razor Directions
Relay-Ctrl Directions
Nasim Mansurov's qmail Howto
The Clam-AV user manual
Microsoft's list of unsafe file extensions
I'm sure I forgot a few things, but if I remember, I'll be sure to add them to the list.

SETUP - STAGE 0

PART A: Hardware


This will vary widely with your available resources, budget, and projected email volume.  For small to medium-sized organizations pretty much any second string workstation should be able to handle the job.
Here are the specs for my email server:
    Matsonic MS7308E Motherboard
    Intel Celeron 600 MHz CPU
    512MB PC133 SDRAM
    Western Digital 120GB 7200RPM Hard Drive  (SCSI drives would be WAY better but I'm on a tight budget)
    SiS 630 PCI Graphic Adapter
    Intel Ethernet Pro 100 Network Card
    Trinitron 17" Monitor
    Keytronic 104 Keyboard
    Logitech two button mouse
    Generic 52x CD-ROM (must be El Torito compliant)
    Sony 1.44MB Floppy Drive
    ATX Mid Tower Case w/300W Power supply
As you can see, it's not exactly a blazing inferno of speed, but for the purpose it's going to be used for that's plenty.  I highly recommend Arctic Silver III thermal grease as opposed to thermal tape or paste for your cpu cooler heat transfer material.  You should make sure that your system has been blown out with an air can and that all connections are firm before getting started.

PART B: Operating System


1) Go to the Mandrake website and download the Mandrake 9.2 ISOs from a nearby mirror.

2) Burn ISOs onto CDR, I used Nero on my win2kpro workstation, but whatever works for you should be fine.  (If you're going to be running things remotely from a windows box the way I am, I highly recommend using Putty as your SSH client)

3) Make sure your hard drive is wiped clean by using fdisk and format

4) Insert the first CD into your email server and boot using the CD (you may have to change your BIOS settings to accomplish this)

5) Follow the setup instructions

    Choose English(American)
    Agree to the license
    Configure your mouse
    Choose High Security (paranoid is too restrictive unless you really know what you're doing)
    Set the security admin to $TEST_USER@$DOMAIN
    Use free space partitioning
    Select the following package groups:
        Office Workstation
        Internet Station
        Network Computer Client
        Configuration
        Console Tools
        Development
        Documentation
        LSB
        Network Computer Server
        KDE Workstation

This is not the minimalist way to do this but all the interdependencies were driving me nuts at first, make sure to remove unneeded software as part of your lockdown procedure.

    Select yes to agree to selected servers
    Swap the cd's when requested
    Enter a root password
    Create a regular user with su privilege
    Set the hardware clock to GMT
    Choose your NTP server, I liked ntp.nasa.gov.  Make sure to open port 123 on your firewall
    Choose not to run updates at this time
    Reboot when instructed to do so

PART C: Basic Setup



1) Adjust the run level

Boot into standard linux kernel
Log in as root at the KDE prompt
Open a terminal
emacs /etc/inittab
Change the runlevel to 3
<CTRL> <x> <s>
<CTRL> <x> <c>
Reboot by typing shutdown -r now

2) Some basic configuration

Log in as your test user
su -
enter root password
updatedb
emacs /etc/hosts
make an entry for your machine, using tabs between the ip address and the host name
<CTRL> <x> <s>
<CTRL> <x> <c>
drakconnect
fill in all of your network info
shutdown -r now
Boot into the linux-secure kernel

3) Add an A and MX record to your DNS server

4) Setup the remote control software

ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S32sshd
ln -s /etc/init.d/sshd /etc/rc.d/rc5.d/S32sshd
/etc/rc.d/init.d/sshd start
emacs /etc/hosts.allow
Add this line
sshd : ALL : ALLOW
<CTRL> <x> <s>
<CTRL> <x> <c>
Set up putty or ssh on your workstation, and move there for the rest of this document.

5) Edit the standard user profile

emacs /etc/profile
After this line
HISTSIZE=1000
Add these two
EDITOR=/usr/bin/emacs
PS1="[\u@\h \w]$ "
And change your export lines to look like this
export PATH PS1 USER LOGNAME MAIL HOSTNAME INPUTRC NLSPATH
export HISTCONTROL HISTSIZE EDITOR
<CTRL> <x> <s>
<CTRL> <x> <c>

6) Setup urpmi

Make sure you have a default gateway pointing towards your firewall/proxy/router internet connection.
If not, add it like this: route add default gw $IP_ADDRESS
urpmi.removemedia -a
Go here http://plf.zarb.org/~nanardon/urpmiweb.php and get custom urpmi setup instructions, then implement them.  (main and security sources only)
urpmi.update -a
urpmi --auto-select

7) Create new directories to hold our config scripts

mkdir /usr/local/src/kludge-scripts
mkdir /etc/kludge

8) Make sure that /etc/ntp.conf  and /etc/ntp/step-tickers contain ntp.nasa.gov (or whatever your choice was)

cat /etc/ntp.conf
cat /etc/ntp/step-tickers

PART D: Download the software


Make sure to put all of this software in /usr/local/src
I used wget for most of this, basically just go into the /usr/local/src directory and type wget and the address of the package you're trying to download.
http://www.qmail.org/netqmail-1.05.tar.gz - qmail releases are pretty slow so I'd be very surprised if 1.05 isn't the newest when you read this
ftp://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
ftp://cr.yp.to/daemontools/daemontools-0.76.tar.gz
Courier-IMAP tar.bz - I used 2.2.1
Vmailmgr RPM - I used 0.096.9-2
Vmailmgr-Courier-IMAP RPM - I used 0.96.9-2
rblsmtpd comes with qmail, you don't need to download anything
SpamAssassin src RPM - I used 2.61-1
The SpamBayes module comes with SpamAssassin, you don't need to download anything
Vipul's Razor tar.gz - I used sdk 2.03 and agents 2.36
TMDA tgz - I used 1.0
tmda-ofmipd - Already included in the main TMDA package.
qmail-scanner tgz - I used 1.20
TNEF unpacker RPM - I used 1.2.1-1mdk
Clam-AV tar.gz - I used 0.65
Mailfront src RPM - I used 0.88-1
Mozilla Email Client - I used 1.5 (you need this on the client machine, not the server)
cdb tar.gz - I used 0.75
cdb errno patch
relay-ctrl src RPM - I used 3.1.1-1
Maildrop RPM - I used 1.6.1-1mdk
wget http://www.jm-associates.com/admin/downloads/kludge-scripts-$VERSION.tar.gz
The version number is the same as the howto document
wget http://lifewithqmail.org/inst_check

bglibs src RPM - I used 1.011-1
cvm-vmailmgr src RPM - I used 0.18-1
wget http://budney.homeunix.net:8080/users/budney/linux/software/safecat/safecat-1.11.tar.gz
djbdns tar.gz - I used 1.05
djbdns errno patch

You can check the kludge-scripts tarball using md5sum
md5sum /usr/local/src/kludge-scripts-0.5.tar.gz
c27a278ff653eac478302384088cbeaf  kludge-scripts-0.5.tar.gz

PART E: Modify the security settings

1) Copy level.local and reset

cp /usr/local/src/kludge-scripts/level.local /etc/security/msec
msec 4

Here is a copy of my level.local

THIS IS THE END OF STAGE 0, YOU'RE READY TO START

SETUP - STAGE 1

PART A: Install qmail

We're going to do a modified LWQ/qmail handbook install, changing as little as possible so that we can get help from the qmail mailing list.  Due to the unique license on qmail, we're going to install from source code rather than use an unauthorized rpm.

1) Stops postfix

/etc/init.d/postfix stop

2) Removes postfix

rpm -ev --nodeps $POSTFIX_VERSION

3) Test to make sure we have a compiler

gcc
gcc: no input files

4) Ensure files and directories are publicly accessible by default

umask 022

5) Extract tarballs

cd /usr/local/src
tar -xvzf netqmail-1.05.tar.gz
cd netqmail-1.05
./collate.sh
cd ..
tar -xvzf ucspi-tcp-0.88.tar.gz
mkdir /package
chmod 1755 /package
tar -xvz -C /package -f daemontools-0.76.tar.gz
tar -xvz -C /usr/local/src/kludge-scripts -f kludge-scripts-$VERSION.tar.gz

6) Creating the qmail directory

mkdir /var/qmail

7) Adding the necessary users and groups

chmod 700 /usr/local/src/kludge-scripts/gu_setup.sh
/usr/local/src/kludge-scripts/gu_setup.sh

Here is a copy of my gu_setup.sh

8) Verify that users were properly added

tail -n 7 /etc/passwd

9) Build qmail

cd /usr/local/src/netqmail-1.05/netqmail-1.05
make setup check
./config

10) Build ucspi-tcp

cd /usr/local/src/ucspi-tcp-0.88
patch < /usr/local/src/netqmail-1.05/other-patches/ucspi-tcp-0.88.errno.patch
make
make setup check

11) Fix and build daemontools

cd /package/admin/daemontools-0.76/src
perl -p -i -e 's/<sys\/time.h>/<time.h>/' tai64nlocal.c
patch < /usr/local/src/netqmail-1.05/other-patches/daemontools-0.76.errno.patch
cd ..
package/install
chmod 700 /service

12) Test to make sure svscan is running

ps -ef | grep svscan

root      1038     1  0  2003 ?        00:00:00 /bin/sh /command/svscanboot
root      1040  1038  0  2003 ?        00:04:55 svscan /service
root     12388 10907  0 13:08 pts/0    00:00:00 grep svscan

13) Puts a copy of rc startup script where it needs to be

cp /usr/local/src/kludge-scripts/var-qmail-rc /var/qmail/rc
chmod 755 /var/qmail/rc

You can see a copy here var-qmail-rc

14) Sets up qmail to deliver to Maildirs

echo ./Maildir/ > /var/qmail/control/defaultdelivery

15) Puts the qmailctl script where it needs to be, and sets the permissions

cp /usr/local/src/kludge-scripts/qmailctl /var/qmail/bin
chmod 755 /var/qmail/bin/qmailctl
ln -s /var/qmail/bin/qmailctl /usr/bin

You can see a copy here qmailctl

16) Creates logging directories

mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-smtpd/log
mkdir -p /var/qmail/supervise/qmail-smtpd2/log

In most corporate environments only a select subset of employees are allowed to email outside of the organization; rather than have two servers, we're going to set up a second smtpd for the restricted users so that they can only send emails locally.

17) Copies the run files to where we need them and make them executable

cd /usr/local/src/kludge-scripts
chmod 755 run_setup.sh
./run_setup.sh

You can see a copy here run_setup.sh
You can see a copy here qmail-send-run
You can see a copy here qmail-send-log-run
You can see a copy here qmail-smtpd-run-stage1
You can see a copy here qmail-smtpd-log-run
You can see a copy here qmail-smtpd2-run
You can see a copy here qmail-smtpd2-log-run

18) Creates the incoming control file

cd /var/qmail/control
echo 20 > /var/qmail/control/concurrencyincoming
chmod 644 /var/qmail/control/concurrencyincoming

19) Modify the locals and rcpthosts files

echo $DOMAIN_NAME >> /var/qmail/control/locals
echo $DOMAIN_NAME >> /var/qmail/control/rcpthosts

20) Set up the logging directories

mkdir -p /var/log/qmail/smtpd
mkdir /var/log/qmail/smtpd2
chown -R qmaill /var/log/qmail

21) Link the services into /service

ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /var/qmail/supervise/qmail-smtpd2 /service
qmailctl stop

22) Allow local host relay

cd /etc
echo '127.:allow,RELAYCLIENT=""' > /etc/tcp.smtp
echo '$YOUR_SUBNET.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp
Where $YOUR_SUBNET is the address space you're going to allow to relay from your LAN, for me that's 192.168.  (Note the trailing dot after the subnet: it makes the rule a prefix match on the client's IP address.)

echo '127.:allow,RELAYCLIENT=""' > /etc/tcp2.smtp

qmailctl cdb

Reloaded /etc/tcp.smtp.
Reloaded /etc/tcp2.smtp.
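As an added example (not from the HOWTO or from ucspi-tcp), the following Python re-implements tcpserver's documented rule search order (exact IP, then shorter and shorter dotted prefixes, then the empty default) so you can check offline which clients the tcp.smtp file above lets relay and which are only accepted for rcpthosts delivery.  The sample rule file is constructed; the 192.168.1.250-251 deny line and the :allow default are assumptions added to show range expansion and default handling.

```python
"""Simulate tcpserver's lookup against a tcprules-style rule file.

Added example, not part of the KLUDGE HOWTO or ucspi-tcp.  It implements
the lookup order documented for tcpserver -x: the exact client IP first,
then prefixes of the IP ending in a dot (longest first), then the empty
key.  Hostname-based (=host) rules and tcprules' value escapes are not
modelled here.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two rules the HOWTO writes into /etc/tcp.smtp,
# plus an assumed deny for two LAN hosts and an explicit LWQ-style default.
SAMPLE_TCP_SMTP = '''\
# relay for the box itself and the office LAN
127.:allow,RELAYCLIENT=""
192.168.:allow,RELAYCLIENT=""
# assumed: two misbehaving hosts are refused outright
192.168.1.250-251:deny
:allow
'''

Rule = Tuple[bool, Dict[str, Optional[str]]]  # (allowed?, env changes)


def split_instruction(text: str) -> List[str]:
    """Split 'allow,A="x,y",B=' on commas that are outside double quotes."""
    items, cur, in_quote = [], "", False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    items.append(cur)
    return items


def parse_instruction(text: str) -> Rule:
    """'allow,RELAYCLIENT="",RBLSMTPD=' -> (True, {'RELAYCLIENT': '', 'RBLSMTPD': None})."""
    parts = split_instruction(text)
    action = parts[0].strip()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad instruction {text!r}")
    env: Dict[str, Optional[str]] = {}
    for item in parts[1:]:
        name, _, value = item.partition("=")
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            env[name] = value[1:-1]   # VAR="..." sets the variable (even to "")
        else:
            env[name] = None          # VAR= with no value means "unset"
    return action == "allow", env


def expand_address(addr: str) -> List[str]:
    """tcprules compiles '1.2.3.4-6' into separate entries 1.2.3.4, 1.2.3.5, 1.2.3.6."""
    head, _, last = addr.rpartition(".")
    lo, dash, hi = last.partition("-")
    if dash and lo.isdigit() and hi.isdigit():
        prefix = head + "." if head else ""
        return [prefix + str(n) for n in range(int(lo), int(hi) + 1)]
    return [addr]


def compile_rules(text: str) -> Dict[str, Rule]:
    """Build the key -> rule table that tcprules would write into the .cdb."""
    table: Dict[str, Rule] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, sep, instr = line.partition(":")
        if not sep:
            raise ValueError(f"missing ':' in rule {raw!r}")
        rule = parse_instruction(instr)
        for key in expand_address(addr):
            table.setdefault(key, rule)   # first definition wins, as with cdb lookups
    return table


def lookup(table: Dict[str, Rule], ip: str) -> Tuple[bool, Dict[str, Optional[str]], str]:
    """Return (allowed, env, matched_key) following tcpserver's search order."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:i]) + "." for i in range(3, 0, -1)] + [""]
    for key in candidates:
        if key in table:
            allowed, env = table[key]
            return allowed, env, key
    return True, {}, "<no matching rule: tcpserver allows by default>"


def smtp_decision(table: Dict[str, Rule], ip: str) -> str:
    """'refused' (connection dropped), 'relay' (RELAYCLIENT set) or 'local-only'."""
    allowed, env, _ = lookup(table, ip)
    if not allowed:
        return "refused"
    if env.get("RELAYCLIENT") is not None:
        return "relay"
    return "local-only"   # accepted, but qmail-smtpd only takes rcpthosts recipients


if __name__ == "__main__":
    table = compile_rules(SAMPLE_TCP_SMTP)
    for client in ("127.0.0.1", "192.168.1.20", "192.168.1.250", "203.0.113.7"):
        allowed, env, key = lookup(table, client)
        print(f"{client:15} matched {key!r:12} -> {smtp_decision(table, client)}")
```

On the server itself, ucspi-tcp's own tcprulescheck performs the same lookup against the compiled database, e.g. TCPREMOTEIP=192.168.1.20 tcprulescheck /etc/tcp.smtp.cdb.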

23) Create required aliases

Replace $FQDN with your domain name
echo \&$TEST_USER@$FQDN > /var/qmail/alias/.qmail-postmaster
ln -s .qmail-postmaster /var/qmail/alias/.qmail-root
ln -s .qmail-postmaster /var/qmail/alias/.qmail-mailer-daemon
chmod 644 /var/qmail/alias/.qmail-postmaster

24) Creating sendmail replacements

ln -s /var/qmail/bin/sendmail /usr/lib
ln -s /var/qmail/bin/sendmail /usr/sbin

25) Set the greeting

echo 'mail.$DOMAIN.com --No Unsolicited Bulk Email--' > /var/qmail/control/smtpgreeting

26) Check out your installation

cd /usr/local/src
chmod 700 inst_check
./inst_check

27) Starts qmail

qmailctl start

28) Call your ISP and tell them to set up an MX record for mail.$FQDN (replace $FQDN with your domain name) with the IP address of your email server (or firewall forwarding address).  They generally will not do this until you have something listening on port 25.

29) Setup a test mailbox

su - $TEST_USER
cd ~
/var/qmail/bin/maildirmake Maildir

30) Send a test message to and fro.

telnet 127.0.0.1 25
helo dude
mail from:<$TEST_USER@$DOMAIN_NAME>
rcpt to:<$MY_FREE_ACCOUNT@hotmail.com>
data
Subject: Testing

This is a test
.
quit

Now login to your hotmail account and check your mail, then send a reply.

cd /home/$TEST_USER/Maildir/new
ls

There should be an email here, use the cat command to read it.

THIS IS THE END OF STAGE 1, THE SMTP SERVICE IS RUNNING

SETUP - STAGE 2

PART A: Setup Vmailmgr


Ok, now we're going to set things up so that our email users won't need local or shell accounts, everything will be remote as a good mail hub should be.

1) Install Vmailmgr

cd /usr/local/src
Replace $VMAILMGR_VERSION with the version numbers for your package
urpmi vmailmgr-$VMAILMGR_VERSION.i386.rpm

2) Setup the group, user, and directory

groupadd virtual
mkdir /home/virtual
chgrp virtual /home/virtual
useradd -g virtual -d /home/virtual vmail -s /bin/bash
chown vmail /home/virtual
Set the vmail password, entering $VMAIL_PASSWORD (your vmail password) when prompted
passwd vmail
su - vmail
/usr/bin/vsetup
Replace $TEST_USER_PASSWORD with your test user password
vadduser $TEST_USER $TEST_USER_PASSWORD
Enter password
exit


3) Reconfigure qmail

Replace $FQDN with your domain name
echo $FQDN:vmail > /var/qmail/control/virtualdomains
echo $HOST_NAME:vmail >> /var/qmail/control/virtualdomains
Make sure to use the full host name.
This allows CRON to email you.
Double check /var/qmail/control/locals, nothing can be in there except localhost (Remove host and fqdn)
qmailctl restart

4) Send yourself a test message from the free hotmail account.

5) Setup .qmail files (postmaster, root, mailer-daemon, abuse)

cd /home/virtual
echo \&$TEST_USER@$DOMAIN > .qmail-postmaster
echo \&$TEST_USER@$DOMAIN > .qmail-root
echo \&$TEST_USER@$DOMAIN > .qmail-mailer-daemon
echo \&$TEST_USER@$DOMAIN > .qmail-abuse

PART B: Setup Courier-IMAP

My users have a number of requirements including roaming and shared folders that mean they need to keep messages on the server rather than downloading them so IMAP was an obvious choice over POP.

1) Install dependencies

urpmi libgdbm2-devel

If you get a warning message like the line below, ignore it as it won't affect the mail server.
install-info: warning: no info dir entry in '/usr/share/info/gdbm.info.bz2'

If you know how to fix this please email me as I'd like to know, just for completeness.

2) Create a special user and group to run ClamAV so that our perm.local won't spit out error messages

groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

3) Unpack the source code

cd /usr/local/src

The courier package cannot be unpacked and built by root, you must be a regular user.

useradd courier -d /home/courier

chown root.adm /usr/local/src
emacs /etc/group
   Add courier to the adm and rpm group

A group with no users looks like this:

adm:x:4:

A group with one user looks like this:

adm:x:4:courier

A group with two users looks like this:

adm:x:4:courier,ldap

cp /usr/local/src/kludge-scripts/perm.local /etc/security/msec
msec 4
su - courier
mkdir /home/courier/rpm
mkdir /home/courier/rpm/SOURCES
mkdir /home/courier/rpm/SPECS
mkdir /home/courier/rpm/BUILD
mkdir /home/courier/rpm/SRPMS
mkdir /home/courier/rpm/RPMS
mkdir /home/courier/rpm/RPMS/i386
echo "%_topdir    /home/courier/rpm" >> /home/courier/.rpmmacros
Replace $IMAP_VERSION with the version numbers for your package
rpm -ta /usr/local/src/courier-imap-$IMAP_VERSION.tar.bz2
cd /home/courier/rpm/RPMS/i586
urpmi courier-imap-$IMAP_VERSION.mdk.i586.rpm

4) Edit /usr/lib/courier-imap/etc/imapd

cd /usr/lib/courier-imap
emacs etc/imapd
Change the listening address to the IP address of your machine
Change MAXPERIP to 20
Change authmodules to "authvmailmgr"
<CTRL> <x> <s>
<CTRL> <x> <c>

Here is a copy of my imapd

5) Start IMAP

/usr/lib/courier-imap/lib/imapd.rc start

6) Create some links so that courier will start automatically upon boot

cd /usr/local/src/kludge-scripts
./courier_links.sh

Here is a copy of my courier_links.sh

7) Setup the virtual IMAP authentication

Replace $VMAILMGR_IMAP_VERSION with the version numbers for your package
urpmi /usr/local/src/vmailmgr-courier-imap-$VMAILMGR_IMAP_VERSION.i386.rpm

8) Install vmailmgr-courier-imap, and create the symlink

cd /usr/local/src
rpm -ivh vmailmgr-courier-imap-$VMAILMGR_IMAP_VERSION.i386.rpm
ln -s /usr/lib/courier-imap/libexec/authlib/authvmailmgr /usr/lib/courier-imap/lib/authlib/authvmailmgr

PART C: Setting up the mail client (Mozilla)

This section will detail how to configure the Mozilla email client to work with the email server.  I'm assuming that your MUA install will be on a separate machine, and that you can handle that part yourself.

You can download a file with pictures of my FINAL settings in openoffice.org format here Mozilla Settings Pics  (I also now set Compact folders when it will save over 1000kb in edit preferences/mail and newsgroups/offline and disk space)

1) Create an Account

Open Mozilla Mail and Newsgroups
Click add account
Select email account
Enter your name

$FULL_NAME

Enter your new email address

$EMAIL_ADDRESS

Select IMAP
Enter the DNS name of the incoming mail server

$HOSTNAME

Enter the user name

$USER_NAME

Enter an account name

$ACCOUNT_NAME

2) Server Settings

Enter Port 143
Check Check for new messages on startup
Check Check for new messages every 5 Minutes
Click Advanced
Check Show only subscribed folders
Check Server supports folders that contain sub-folders and messages
Maximum number of server connections to cache = 5
Personal Namespace = "INBOX."  There is a dot there, don't forget it!
Public (shared) = "shared."  There is a dot there, don't forget it!
Check allow server to override these namespaces

3) Outgoing Server SMTP

Enter DNS server name

$HOSTNAME

Port = 25
Check Use name and password
User name = $USER_NAME@$DOMAIN

4) Send a test email to and from your free web account

PART D: Install OpenSSL and configure Courier-IMAP to use an encrypted channel

Ok, now we're going to make sure that the bad guys can't listen in when we're reading our email or transmitting our passwords.

1) Install the necessary package (sometimes I think I'm going to start seeing packages in my sleep)

urpmi mod_ssl  Make sure you pick mod_perl if given some options

2) Create a local certificate authority

mkdir /etc/kludge/crypt
cd /etc/kludge/crypt
openssl genrsa -des3 -out ca.key 2048

Generating RSA private key, 2048 bit long modulus
.....+++
.........................+++
e is 65537 (0x10001)
Enter PEM pass phrase: enter a password here
Verifying password - Enter PEM pass phrase: re-enter your password here

As you can see above it's going to ask you for a PEM pass phrase; I recommend using an MTR-3006 password or something else equally random. (OK, for those crypto purists out there, I'm aware that this isn't TRULY random, but it's a heck of a lot better than using something like "password".)
Then you'll have to re-enter your pass phrase.
This creates a 2048 bit RSA key, encrypted with that pass phrase, stored in ca.key. This is the key that signs every certificate you issue, so guard the file and the pass phrase accordingly.

3) Create a self-signed CA Certificate

openssl req -new -x509 -days 3652 -key ca.key -out ca.crt

Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase: $KEY_PASSWORD
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: $COUNTRY
State or Province Name (full name) [Some-State]: $STATE
Locality Name (eg, city) []: $CITY
Organization Name (eg, company) [Internet Widgits Pty Ltd]: $COMPANY
Organizational Unit Name (eg, section) []: $DEPARTMENT
Common Name (eg, YOUR name) []: $TITLE
Email Address []: $EMAIL

Replace $KEY_PASSWORD with your PEM password chosen in the previous step
Replace $COUNTRY with the two letter code for the country you live in
Replace $STATE with the state you live in
Replace $CITY with the name of the city you live in
Replace $COMPANY with the name of the company or organization you're working for
Replace $DEPARTMENT with the name your department
Replace $TITLE with your job title
Replace $EMAIL with your current email address
This will create a self-signed certificate called ca.crt valid for 10 years.

4) Create a certificate request for the IMAP server

openssl genrsa -out imapd.key 2048

This will create a 2048 bit RSA key that doesn't require you to enter the password when the imapd-ssl server starts

5) Generate a Certificate Signing Request (CSR)

openssl req -new -key imapd.key -out imapd.csr

Using configuration from /usr/lib/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: $COUNTRY
State or Province Name (full name) [Some-State]: $STATE
Locality Name (eg, city) []: $CITY
Organization Name (eg, company) [Internet Widgits Pty Ltd]: $COMPANY
Organizational Unit Name (eg, section) []: Email
Common Name (eg, YOUR name) []: $SERVER_NAME
Email Address []: $EMAIL

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The Organizational Unit of the CA certificate and of the server certificate CANNOT match (use Email here, not $DEPARTMENT), or the signing step will refuse the request.

Replace $COUNTRY with the two letter code for the country you live in
Replace $STATE with the state you live in
Replace $CITY with the name of the city you live in
Replace $COMPANY with the name of the company or organization you're working for
Replace $SERVER_NAME with the host name of your server
Replace $EMAIL with your current email address
Leave challenge password and optional company name blank

6) Sign the certificate with the CA certificate

/usr/lib/ssl/mod_ssl/sign.sh imapd.csr

This should print out a bunch of info that matches what you entered earlier, then at the end:

Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n]: y
Write out database with 1 new entries
Data Base Updated
CA verifying: imapd.crt <-> CA cert
imapd.crt: OK

7) Create the PEM file

The sign.sh script writes a human-readable description of the certificate above the PEM block in imapd.crt. We want to delete those lines so that the file contains only this:

-----BEGIN CERTIFICATE-----
MIIDtzCCAp8CAQEwDQYJKoZIhvcNAQEEBQAwgY4xCzAJBgNVBAYTAlVTMRUwEwYD
VQQIEwxQZW5uc3lsdmFuaWExEDAOBgNVBAcTB0hvcnNoYW0xGTAXBgNVBAoTEFdl
.
.
.
BBL3CLqzb6ZMHSm+6eVr2RrsaePChPhb+/1PCgvJESqVEoR4RO5RHywiyg==
-----END CERTIFICATE-----

The dots are just to show continuance.

emacs imapd.crt
<CTRL> <k>  Repeat until the first line of the file is -----BEGIN CERTIFICATE----- (I did it this way because it's easier than trying to explain how to set the mark; *nix text editors are from the stone age and are a bit cryptic to say the least)

Combine the key and crt files

cat imapd.key imapd.crt > imapd.pem

Add the Diffie-Hellman parameters that Courier-IMAP wants

openssl gendh >> imapd.pem

Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
..........+.............++*++*++*++*++*++*

Note that gendh only produces a 512 bit group, which is weak by today's standards; OpenSSL's newer dhparam subcommand can generate a 2048 bit group and should be preferred where it is available.

Copy the imapd.pem file into the default cerificate directory for Courier-IMAP and make sure that it's not group or world readable.

cp imapd.pem /usr/lib/courier-imap/share
chmod 0600 /usr/lib/courier-imap/share/imapd.pem

The clocks on your server and your workstation must agree: the client checks the certificate's validity dates against its own clock, so a freshly issued certificate is rejected as "not yet valid" by a workstation whose clock is behind the server's.

8) Edit the imapd-ssl file

cd /usr/lib/courier-imap/etc
emacs imapd-ssl

Set SSLADDRESS=$IP_ADDRESS to the IP of your server's NIC
Set IMAPDSSLSTART=YES
Set IMAPDSTARTTLS=NO
<CTRL> <x> <s>
<CTRL> <x> <c>

Here is a copy of my imapd-ssl

9) Restart imapd-ssl

/usr/lib/courier-imap/lib/imapd-ssl.rc stop
/usr/lib/courier-imap/lib/imapd-ssl.rc start

10) Test from another machine with openssl

openssl s_client -connect $IP_ADDRESS:993  Cygwin can help you do this from a windows box if necessary

Replace $IP_ADDRESS with the IP of your server's NIC
You should see the server certificate details followed by Courier's "* OK" IMAP greeting. Expect s_client to report a verification error unless you give it your ca.crt as a trusted CA, since nobody but you knows that CA.
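Here is the whole of Part D's certificate work as one script. This is an added example, not one of the HOWTO's kludge-scripts, and it makes three substitutions that are this example's own choices rather than the page's: the request is signed with openssl x509 -req instead of mod_ssl's sign.sh, the Diffie-Hellman group comes from openssl dhparam (2048 bits by default) instead of the 512 bit openssl gendh, and the CA pass phrase is passed in as an argument instead of typed at a prompt. The directory, subject names and host name are placeholders. verify_imap_pem does the checks you would otherwise do by eye: the certificate chains to ca.crt, the key and certificate in imapd.pem belong together, the DH block is present, and the file is owner-only.

```shell
#!/bin/sh
# Added example: builds the CA, the imapd key and certificate, and the combined
# imapd.pem for Courier-IMAP, then checks the result. Substitutions compared to
# the HOWTO (assumptions of this script): openssl x509 -req instead of sign.sh,
# openssl dhparam instead of the 512 bit gendh, CA pass phrase via argument.
set -u

# make_imap_pem DIR CA_PASSPHRASE SERVER_FQDN [DH_BITS]
# Creates ca.key, ca.crt, imapd.key, imapd.csr, imapd.crt and imapd.pem under DIR.
make_imap_pem() (
    dir=$1; ca_pass=$2; fqdn=$3; dh_bits=${4:-2048}
    mkdir -p "$dir" || exit 1
    umask 077          # subshell body: every file is owner-only, caller's umask untouched

    # Steps 2 and 3: pass-phrase protected CA key, 10 year self-signed CA certificate
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$dir/ca.key" 2048 2>/dev/null || exit 1
    openssl req -new -x509 -days 3652 -key "$dir/ca.key" -passin "pass:$ca_pass" \
        -subj "/C=US/O=Kludge Mail/OU=CA/CN=Kludge local CA" -out "$dir/ca.crt" || exit 1

    # Steps 4 and 5: server key WITHOUT a pass phrase (imapd-ssl must start unattended)
    # and a request whose OU (Email) differs from the CA's
    openssl genrsa -out "$dir/imapd.key" 2048 2>/dev/null || exit 1
    openssl req -new -key "$dir/imapd.key" \
        -subj "/C=US/O=Kludge Mail/OU=Email/CN=$fqdn" -out "$dir/imapd.csr" || exit 1

    # Step 6: sign the request with the CA key, one year validity
    openssl x509 -req -in "$dir/imapd.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -passin "pass:$ca_pass" -CAcreateserial -days 365 -out "$dir/imapd.crt" 2>/dev/null || exit 1
    # Re-encode: keeps only the BEGIN/END CERTIFICATE block, dropping the text
    # preamble sign.sh would leave, so nothing has to be deleted by hand
    openssl x509 -in "$dir/imapd.crt" -out "$dir/imapd.crt.tmp" || exit 1
    mv "$dir/imapd.crt.tmp" "$dir/imapd.crt"

    # Step 7: key, certificate, then DH parameters, in that order, mode 0600
    cat "$dir/imapd.key" "$dir/imapd.crt" > "$dir/imapd.pem"
    openssl dhparam "$dh_bits" >> "$dir/imapd.pem" 2>/dev/null || exit 1
    chmod 0600 "$dir/imapd.pem"
)

# verify_imap_pem DIR: 0 if imapd.crt chains to ca.crt, the key and certificate in
# imapd.pem belong together (same RSA modulus), DH parameters are present and the
# file is mode 0600; otherwise a distinct non-zero code per failed check.
verify_imap_pem() {
    pem="$1/imapd.pem"
    openssl verify -CAfile "$1/ca.crt" "$1/imapd.crt" >/dev/null 2>&1 || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$pem" 2>/dev/null) || return 2
    crt_mod=$(openssl x509 -noout -modulus -in "$pem" 2>/dev/null) || return 2
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ] || return 2
    grep -q 'BEGIN DH PARAMETERS' "$pem" || return 3
    perms=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem" 2>/dev/null)
    [ "$perms" = "600" ] || return 4
}

# Stand-alone use: sh make-imapd-pem.sh /etc/kludge/crypt 'ca pass phrase' mail.example.com
if [ $# -eq 3 ]; then
    make_imap_pem "$1" "$2" "$3" && verify_imap_pem "$1" && echo "$1/imapd.pem: OK"
fi
```

Once the PEM is copied into place and imapd-ssl is running, openssl s_client -connect $IP_ADDRESS:993 -CAfile ca.crt should print "Verify return code: 0 (ok)" and then the IMAP greeting; without -CAfile the connection still works but reports a verification error because the CA is unknown to it, which is the same complaint Mozilla will make until you import ca.crt there.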

11) Change your mozilla account server settings

Enter Port 993 instead of 143
Check Use secure connection (SSL)

12) Send a test message to and from your free webmail account

END STAGE 2, YOU NOW HAVE A BASIC EMAIL SERVER

SPAM TRIAGE - STAGE 3

PART A: Setting up our very own black hole (RBLSMTPD)

One of the earliest spam fighting methods still in use today is the realtime blackhole list, or RBL.  Basically this is a DNS zone which tracks the IP addresses of known spammers or spam-friendly networks.  What we're going to do is set things up so that the smtpd run script checks with some reasonable RBLs to determine whether the people trying to send us mail are the bad guys, and if they are, just like we'd do with a telemarketer, we're going to refuse to talk to them.  RBLs come and go, so check that every list you configure is still being operated: a defunct list either silently stops protecting you or, as relays.ordb.org did after it shut down, starts answering positively for every lookup, at which point rblsmtpd rejects all of your incoming mail.

1) Basically all you have to do to get qmail to use RBLs is to enter a few lines in your smtpd run script that look like this:

/usr/local/bin/rblsmtpd \
-r sbl.spamhaus.org \
-r relays.ordb.org \
-r opm.blitzed.org \

You would enter this as part of your tcpserver invocation, however this has already been done for you if you downloaded the scripts tarball earlier, just copy it into the correct location.

qmailctl stop
cp /usr/local/src/kludge-scripts/qmail-smtpd-run-stage3 /var/qmail/supervise/qmail-smtpd/run
Choose to overwrite when prompted
qmailctl start

Here is a copy of my script qmail-smtpd-run-stage3

PART B: Installing the Ninja (SPAMASSASSIN)

An integral part of our spam fighting system is content filtering.  Spamassassin is a set of rules which attempts to score mail's "spammyness" so that you can decide which mail is legitimate and which isn't semi-automatically.

1) Perform a perl update on an important package

perl -MCPAN -e 'install MIME::QuotedPrint'

If you want to test for the existence of a perl package on your system type the following:
perl -M$MODULE_NAME -e1
If you don't get an error message, you have the module.

2) Build the source RPMs (replace $SPAMASSASSIN_VERSION with the version numbers for your rpms)

cd /usr/local/src
rpm --rebuild  spamassassin-$SPAMASSASSIN_VERSION.src.rpm
cd /usr/src/RPM/RPMS/i586
rpm -ivh perl-Mail-SpamAssassin-$SPAMASSASSIN_VERSION.i586.rpm
rpm -ivh spamassassin-$SPAMASSASSIN_VERSION.i586.rpm
rpm -ivh spamassassin-tools-$SPAMASSASSIN_VERSION.i586.rpm

3) Setup /etc/sysconfig/spamassassin

echo 'SPAMDOPTIONS="-d -c -a -m5 -H -x -u vmail"' > /etc/sysconfig/spamassassin

4) Set up the initialization script and start spamassassin

cd /etc/rc.d/init.d
./spamassassin start

5) Change settings in /etc/mail/spamassassin/local.cf then restart /etc/rc.d/init.d/spamassassin

Spamassassin must ignore messages received from localhost!

Here is a copy of my file spamassassin-local.cf

6) Setting up Vipul's Razor

cd /usr/local/src
tar -xvzf  razor-agents-$RAZOR_VERSION.tar.gz
tar -xvzf razor-agents-sdk-$RAZOR_VERSION.tar.gz
cd razor-agents-sdk-$RAZOR_VERSION

Replace $RAZOR_VERSION with the version numbers of your tarballs.

perl Makefile.PL
make
make test
make install
cd ../razor-agents-$RAZOR_VERSION   (name the directory explicitly; cd razor-agents* would match the sdk directory too)

perl Makefile.PL
make
make test
make install
cd bin
./razor-client
su vmail
./razor-admin -home=/home/virtual/.razor -create

./razor-admin -register -user=$USER -pass=$PASSWORD

If you get error 202, ignore it and resubmit.

exit
cd /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/Razor2   (adjust the perl version and architecture to match your system)
cp /usr/share/doc/spamassassin-2.61/Razor2.patch .
patch -p0 < Razor2.patch

patching file Client/Agent.pm
Hunk #1 succeeded at 981 (offset 12 lines).
patching file Client/Config.pm
Hunk #1 succeeded at 333 (offset 10 lines).
Hunk #2 succeeded at 378 (offset 10 lines).
patching file Client/Core.pm
Hunk #1 succeeded at 218 (offset 2 lines).

cd /usr/local/src/razor-agents-2.36/lib/Razor2
cp /usr/share/doc/spamassassin-2.61/Razor2.patch .
patch -p0 < Razor2.patch

cd /usr/local/src/razor-agents-2.36/blib/lib/Razor2
cp /usr/share/doc/spamassassin-2.61/Razor2.patch .
patch -p0 < Razor2.patch

/etc/init.d/spamassassin restart

7) Make spam and ham learning automatic

cp /usr/local/src/kludge-scripts/spam-learn /etc/cron.daily
cp /usr/local/src/kludge-scripts/ham-learn /etc/cron.daily
cd /etc/cron.daily

chmod 755 ./spam-learn
chmod 755 ./ham-learn

This will automatically scan your users' Not_Spam and Actual_Spam folders nightly and learn the messages they've placed within.
FYI we're using a single shared database for Bayesian learning, so a malicious (or merely careless) user can poison it for everyone by filing the wrong messages; keep an eye on the scores if they start to drift.

PART C: Challenge/Response (TMDA)

Rather than drop suspected spam outright, we're going to challenge the sender to confirm that a real person is behind the address.  The TMDA package allows us to do this easily.  Keep in mind that a challenge is itself an outgoing message: when the sender address is forged, as it usually is in spam, the challenge lands on an innocent third party. That is why the challenge bounces are sent to a throwaway user (step 6) and why the RBL checks should reject the worst offenders before TMDA ever sees them.

1) Unpack the source

cd /usr/local/src
tar -xvzf tmda-$TMDA_VERSION.tar.gz
cd tmda-$TMDA_VERSION
./compileall

2) Copy the configuration file to the right location

cp /usr/local/src/kludge-scripts/tmdarc /etc/tmdarc

3) Setup our user's tmda configuration

cd /usr/local/src/kludge-scripts
./tmda-user-setup.sh $TEST_USERNAME
Here is a copy of the script tmda-user-setup.sh

4) Add the confirming spammers listed on the TMDA site, and the qmail list ebay confirmation guy, to badmailfrom

echo "@crossnet.se" > /var/qmail/control/badmailfrom
echo "@naver.com" >> /var/qmail/control/badmailfrom
echo "@server145.truehosting.net" >> /var/qmail/control/badmailfrom

The first echo uses a single > and replaces any badmailfrom you already have. badmailfrom matches only the envelope sender, which a spammer can set to anything, so treat it as a convenience rather than a real defense.

5) Setup the default delivery

cp /usr/local/src/kludge-scripts/dot-qmail-default-stage3 /home/virtual/.qmail-default
emacs /usr/local/src/tmda-$TMDA_VERSION/contrib/vmailmgr-vdir.sh
change listvdomain to /usr/bin/listvdomain
change sed to /bin/sed

6) Create the devnull user so that challenge bounces will be discarded

cd /etc/kludge
./kludge-adduser.sh devnull $PASSWORD
emacs /etc/tofmipd
remove devnull using <CTRL><k>
<CTRL><x><s>
<CTRL><x><c>
emacs /var/qmail/control/validusers
remove devnull using <CTRL><k>
<CTRL><x><s>
<CTRL><x><c>
emacs /home/virtual/users/devnull/.tmda/filters/incoming
Add these two lines
#Get rid of messages
to devnull@$DOMAIN drop

7) Send a regular test mail to and from your free webmail account, then try mailing yourself something spammy

END STAGE 3, THE INITIAL SPAM REDUCTION SETUP IS DONE

NOISE REDUCTION - STAGE 4

PART A: TMDA-OFMIPD

This program lets us use some of TMDA's more advanced features with MUAs that don't invoke the sendmail wrapper provided with qmail.  The main features we'll be using are dated Reply-To addresses and dated envelope sender addresses.  This system is going to be installed globally.

1) Create a password file, for simplicity I recommend using the same password as you are for your virtual user. (Later we'll configure Mozilla to enter these automatically)

echo $TEST_USER@$DOMAIN:$PASSWORD > /etc/tofmipd
chmod 600 /etc/tofmipd

2) Set up the directories so we can run tmda-ofmipd under daemontools

mkdir /var/log/qmail/tmda-ofmipd
mkdir -p /var/qmail/supervise/tmda-ofmipd/log

3) Create the /var/qmail/supervise/tmda-ofmipd/run file

#!/bin/sh
exec /usr/local/src/tmda-$TMDA_VERSION/bin/tmda-ofmipd -f -S /usr/local/src/tmda-$TMDA_VERSION/contrib/vmailmgr-vdir.sh -u root

4) Create the /var/qmail/supervise/tmda-ofmipd/log/run file

#!/bin/sh
exec /usr/local/bin/multilog t /var/log/qmail/tmda-ofmipd

5) make the scripts executable

chmod 755 /var/qmail/supervise/tmda-ofmipd/run
chmod 755 /var/qmail/supervise/tmda-ofmipd/log/run

6) Start the service

ln -s /var/qmail/supervise/tmda-ofmipd /service/tmda-ofmipd

7) Edit your mozilla account outgoing server SMTP settings

Port = 8025

Note that, unlike the IMAP connection we encrypted in Stage 2, this submission port is plain SMTP, so the user name and password from /etc/tofmipd cross the network unencrypted; only expose port 8025 to clients on a network you trust.

PART B: Installing CDB

This program allows us to make convenient small databases in place of large text files.

1) Unpacking the tarball

cd /usr/local/src
tar -xvzf  cdb-$CDB_VERSION.tar.gz
cd cdb*

2) Building the program

cp /usr/local/src/cdb-0.75.errno.patch /usr/local/src/cdb-0.75
patch < cdb-0.75.errno.patch
make
make setup check

3) Testing

make rts
./rts > rts.out
This will take a few minutes, it's writing three 4GB databases to /dev/null
cmp rts.out rts.exp
You may get an error that says
rts.out rts.exp differ: byte 3670, line 202
If you do, don't worry about it, it's caused by the way malloc works on Linux as opposed to BSD

PART C: Stopping dictionary attacks and mail to non-existent users (mailfront)

qmail was designed when the internet was a friendlier place, and as such was more interested in assisting people than in blocking the bad guys.  The mailfront package allows us to block the vast majority of mail which isn't actually for our users by imposing some simple rules on incoming SMTP conversations: mail for unknown recipients is refused during the conversation instead of being accepted and bounced later.

1) Unpacking and installing the support libraries

cd /usr/local/src
rpm --rebuild bglibs-$BGLIBS_VERSION.src.rpm
rpm --rebuild cvm-$CVM_VERSION.src.rpm
cd /usr/src/RPM/RPMS/i586
rpm -ivh bglibs-$BGLIBS_VERSION.i586.rpm
rpm -ivh cvm-devel-$CVM_DEVEL_VERSION.i586.rpm

2) Unpacking and installing the mailfront program

cd /usr/local/src
rpm --rebuild mailfront-$MAILFRONT_VERSION.src.rpm
cd /usr/src/RPM/RPMS/i586
rpm -ivh mailfront-$MAILFRONT_VERSION.i586.rpm

3) Normally you would edit the qmail-smtpd run script, but it's already been done just copy it over

qmailctl stop
cp /usr/local/src/kludge-scripts/qmail-smtpd-run-stage4 /var/qmail/supervise/qmail-smtpd/run
Confirm the overwrite
qmailctl start

Here is a copy of my file qmail-smtpd-run-stage4

4) Copy the mailrules file into the correct location

cp /usr/local/src/kludge-scripts/mailrules /var/qmail/control/mailrules

Here is a copy of my file mailrules

Both valid address files must exist.
Make sure you adjust the domain name or you'll be accepting my mail not yours, hehe.

5) Create the valid address files

echo $TEST_USER@$DOMAIN > /var/qmail/control/validusers

Here is a copy of my file validusers

Make sure to use your own users or you'll be allowing what works for me, not what works for you, hehe.

cd /var/qmail/control
Make sure to alter the contents of the mailfront-inputfile by replacing my domain with yours or you'll be accepting the wrong addresses.
Here is a copy of my file mailfront-inputfile
cdbmake-12 morevalidusers.cdb morevalidusers.tmp < /usr/local/src/kludge-scripts/mailfront-inputfile


6) Send a test message to and from your free webmail account

END STAGE 4, THE QUEUE WILL BE MUCH QUIETER NOW

ANTI-VIRUS - STAGE 5

PART A:  Setting up ClamAV

Both to be good net citizens, and to protect any Microsoft OS machines we might have we're going to scan mail for viral signatures.

1) Install a supporting package

cd /usr/local/src
urpmi gmp-devel

2) unpack the tarball

tar -xvzf clam-$CLAMAV_VERSION.tar.gz
cd clam*

3)  Build the software

./configure --sysconfdir=/etc
make
make install

4) Edit the configuration file

emacs /etc/clamav.conf

Here is a copy of my file clamav.conf

5) Test the build by scanning the source directory recursively

clamscan -r -l scan.txt ../clamav-$CLAMAV_VERSION

You should find four test files as infected

6) Test clamd by running it, and then running the scan from the daemon

cd clamd
emacs clamd
Add in tmp fix for Mandrake issue
TMPDIR="/tmp"
export TMPDIR
./clamd
clamdscan -l scan.txt ../clamav-$CLAMAV_VERSION

You should find three infected test files

7) Test the updater

freshclam
touch /var/log/clam-update.log
chmod 600 /var/log/clam-update.log
chown clamav.clamav /var/log/clam-update.log

8) Add the updater as a daily cron job

cd /etc/cron.daily
emacs clamav-update

#!/bin/bash
# freshclam exit codes 0 and 1 both mean success (database updated, or already
# current); anything higher is a real error that cron should report.
export http_proxy="$PROXY:$PORT"
/usr/local/bin/freshclam --quiet -l /var/log/clam-update.log
r=$?
if [ "$r" -le 1 ]; then
    exit 0
else
    exit "$r"
fi

The weird junk with the exit codes keeps you from getting a notification email from cron every time the database was already up to date when freshclam ran.

chmod 755 clamav-update

PART B: Installing qmail-scanner.pl

This will set up an interface which will run our virus scanner for us when invoked using qmailqueue.

1) Install some support software

urpmi db3-devel
urpmi mawk
perl -MCPAN -e 'install Time::HiRes'  Say no so that it will autoconfigure
perl -MCPAN -e 'install DB_File'
cd /usr/local/src
rpm -ivh /usr/local/src/tnef-${TNEF_VERSION}mdk.i586.rpm
rpm --rebuild maildrop-${MAILDROP_VERSION}rph.src.rpm
rpm -ivh /usr/src/RPM/RPMS/i586/maildrop-${MAILDROP_VERSION}rph.i586.rpm
rpm -ivh /usr/src/RPM/RPMS/i586/maildrop-devel-${MAILDROP_DEVEL_VERSION}rph.i586.rpm

2)  Unpack qmail-scanner

cd /usr/local/src
tar -xvzf qmail-scanner-$QMAIL_SCANNER_VERSION.tar.gz

3) Run the configure script to see if everything is set properly

groupadd qscand
useradd -c "Qmail-Scanner Account" -g qscand -s /bin/false qscand
cd qmail-scanner*
 ./configure

The configure script takes a LONG time, several minutes at least, you have to wait till it finishes.

4) Run the configure script to install

./configure --notify recips,admin --install

5) Update the test script

cd ./contrib
emacs test_installation.sh
Change RECIP="root" to RECIP="vmail-root"
<CTRL> <x> <s>
<CTRL> <x> <c>

Make sure that your softlimit in /var/qmail/supervise/qmail-smtpd is set to 20000000  (20mb) and that your server has at least 512mb of RAM

./test_installation.sh -doit

6) Set qmail-scanner to use the daemonized version instead of the regular version.

cd /var/qmail/bin
sed -i -e 's/clamscan/clamdscan/g' qmail-scanner-queue.pl
Check that nothing was missed, and repeat the sed line if necessary:  grep clamscan qmail-scanner-queue.pl   (should print nothing, since "clamdscan" does not contain "clamscan")

7) Edit your /etc/tcp.smtp file

cp /usr/local/src/kludge-scripts/etc-tcp.smtp-stage5 /etc/tcp.smtp
qmailctl cdb

Here is a copy of my file tcp.smtp-stage5

8) Start the scanner

su qmaild -c "/usr/local/src/qmail-scanner-$QMAIL_SCANNER_VERSION/qmail-scanner-queue.pl"

9) Set up a cron job to rotate the logfile

cd /etc/cron.daily
emacs move-qmail-scanner-log

#!/bin/sh
mv -f /var/spool/qmailscan/qmail-queue.log /var/spool/qmailscan/qmail-queue.log.1

<CTRL> <x> <s>
<CTRL> <x> <c>
chmod 755 move-qmail-scanner-log

10) Set the list of quarantined attachments to the file types listed in Microsoft's Knowledge Base Article 291369

For reference here is the complete list of file types to be denied:

.ade .adp .asp .bas .bat .chm .cmd .com .cpl .crt .exe
.hlp .hta .inf .ins .isp .js .jse .lnk .mdb .mde .msc
.msi .msp .mst .pcd .pif .reg .scr .sct .shb .shs .url
.vb .vbe .vbs .vsd .vss .vst .vsw .ws .wsc .wsf .wsh

This is NOT the best way to solve this problem, and I'm looking into setting up something with maildrop and base64 encoded strings, but for now it should work ok.

cd /var/spool/qmailscan
cp /usr/local/src/kludge-scripts/quarantine-attachments.txt .

The entries MUST be TAB delimited, normal spaces will not work.

Here is a copy of my file quarantine-attachments.txt

Then rebuild the database
/var/qmail/bin/qmail-scanner-queue.pl -g

11) Send a test message to and from your free webmail account, then try to send yourself an eicar test virus and a banned attachment
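To see why a bare extension list is only a partial answer, here is an added example (not qmail-scanner's own matching code; its quarantine-attachments.txt format is not reproduced here) that pulls attachment names out of a message's MIME headers and checks each final extension against the Level 1 list above. It handles the normalisations a naive match gets wrong (upper case, quoted values, folded headers, trailing dots and spaces that Windows ignores, a double extension such as Report.PDF.EXE) and deliberately leaves one gap visible: RFC 2231 encoded parameters (filename*=) are not decoded, so a sender can slip past this check, which is the sort of hole meant by "NOT the best way" above. The message in write_sample_message is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not qmail-scanner code): reports attachments whose final extension
# is on the Level 1 list above. The sample message is constructed for the demo.

LEVEL1_EXTS="ade adp asp bas bat chm cmd com cpl crt exe hlp hta inf ins isp js jse
lnk mdb mde msc msi msp mst pcd pif reg scr sct shb shs url vb vbe vbs vsd vss vst
vsw ws wsc wsf wsh"

# banned_ext NAME: 0 if NAME's final extension is on the list, 1 otherwise.
# Lower-cases the name and strips trailing dots and spaces, which Windows ignores
# when it decides how to open "setup.scr ." (so must we).
banned_ext() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -e 's/[. ]*$//')
    case $name in
        *.*) ext=${name##*.} ;;
        *)   return 1 ;;
    esac
    for e in $LEVEL1_EXTS; do
        [ "$e" = "$ext" ] && return 0
    done
    return 1
}

# attachment_names MSGFILE: one name per line from every name= / filename= parameter
# on a Content-Type or Content-Disposition header. CRs are removed and folded
# headers are joined first, so a name split over two lines is still seen; the
# body text is never consulted. filename*= (RFC 2231) parameters are NOT decoded.
attachment_names() {
    tr -d '\r' < "$1" \
    | awk 'NR > 1 && /^[ \t]/ { sub(/^[ \t]+/, ""); printf " %s", $0; next }
           NR > 1 { printf "\n" } { printf "%s", $0 } END { printf "\n" }' \
    | grep -i -E '^Content-(Type|Disposition):' \
    | grep -i -o -E '(filename|name)=[^;]*' \
    | sed -e 's/^[^=]*=//' | tr -d '"' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# scan_message MSGFILE: prints "BANNED: name" for each hit; exit 1 if any, 0 if clean.
scan_message() {
    hits=$(attachment_names "$1" | sort -u | while IFS= read -r n; do
               if banned_ext "$n"; then printf 'BANNED: %s\n' "$n"; fi
           done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# write_sample_message FILE: a constructed multipart message with one harmless
# attachment, three that should be caught (mixed case, folded header with a
# trailing dot, unquoted name) and a body line that must not count.
write_sample_message() {
    printf '%s\n' \
        'From: alice@example.com' 'To: bob@example.com' 'MIME-Version: 1.0' \
        'Content-Type: multipart/mixed; boundary="XX"' '' \
        '--XX' 'Content-Type: text/plain' '' \
        'Body text with name=not_an_attachment.exe in it must be ignored' \
        '--XX' 'Content-Type: image/jpeg; name="photo.jpg"' \
        'Content-Disposition: attachment; filename="photo.jpg"' '' 'AAAA' \
        '--XX' 'Content-Type: application/octet-stream; name="Report.PDF.EXE"' \
        'Content-Disposition: attachment; filename="Report.PDF.EXE"' '' 'AAAA' \
        '--XX' 'Content-Type: application/octet-stream' \
        'Content-Disposition: attachment;' ' filename="setup.scr ."' '' 'AAAA' \
        '--XX' 'Content-Type: text/vbscript; name=notes.vbs' \
        'Content-Disposition: attachment; filename=notes.vbs' '' 'AAAA' \
        '--XX--' > "$1"
}

# Stand-alone use: sh banned-attachments.sh message.eml
if [ $# -eq 1 ]; then
    scan_message "$1"
fi
```

Run it as sh banned-attachments.sh message.eml; the exit status is 1 whenever something matched, so it could sit in a maildrop or .qmail pipeline as a cheap pre-filter, but treat it as a demonstration of the checks involved rather than a replacement for qmail-scanner's quarantine.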

END STAGE 5, YOU SHOULD BE ABLE TO REST MUCH EASIER NOW WITH CLEANER INBOXES

ADMIN - STAGE 6

PART A: Setting up mail quotas (mailquotacheck.sh)

This script, modified to work with vmailmgr and Mandrake, allows you to prevent users from receiving mail that would exceed their storage quota.

1) Put the script in the right place

cp /usr/local/src/kludge-scripts/mailquotacheck.sh /etc/kludge

Here is a copy of my file mailquotacheck.sh

chmod 700 /etc/kludge/mailquotacheck.sh
chown vmail.virtual /etc/kludge/mailquotacheck.sh

2) Normally you would add the following line to your .qmail file on the first line

| /etc/kludge/mailquotacheck.sh $LOCAL

However, in this case all you have to do is a file copy

cp /usr/local/src/kludge-scripts/dot-qmail-default-stage6 /home/virtual/.qmail-default

Here is a copy of my file dot-qmail-default-stage6

To override the base quota of forty megs, put a .quota file in the user's directory containing the size limit

3) Set up a system to email the user warning messages when their quota limit is near

cp /usr/local/src/kludge-scripts/quota-scan /etc/cron.daily