Qmail Mail Server

Last updated: 2018-04-04

Contents

  • tai64nlocal
  • vpasswd
  • Clearing mail from the queue (qmail-remove)
  • Attachment Size on Qmail
  • Configuration file - tcp.smtp
  • tcprules
  • Qmail startup Script
  • pop3s
  • Qmail Smarthost
  • Log of a successfully received mail
  • Outbound mail log
  • rblsmtpd
  • SPF
  • Whitelist MX Server
  • Related

Qmail Diagram

 qmail-smtpd --- qmail-queue --- qmail-send --- qmail-rspawn --- qmail-remote
               /                     |      \
qmail-inject _/                 qmail-clean  \_ qmail-lspawn --- qmail-local

Every message is added to a central queue directory by qmail-queue. qmail-queue is invoked as needed, usually by qmail-inject for locally generated messages, qmail-smtpd for messages received through SMTP, qmail-local for forwarded messages, or qmail-send for bounce messages.

Every message is then delivered by qmail-send, in cooperation with qmail-lspawn and qmail-rspawn, and cleaned up by qmail-clean. These four programs are long-running daemons.

root      3795  0.0  0.0   1612   312 ?        S     2018   0:01 supervise qmail-smtpd
root      3800  0.0  0.0   1612   312 ?        S     2018   0:01 supervise qmail-pop3ds
root      3802  0.0  0.0   1612   308 ?        S     2018   0:00 supervise qmail-pop3d
root      3804  0.0  0.0   1612   304 ?        S     2018   0:00 supervise qmail-send

Queue structure

Each message in the queue is identified by a unique number, let's say "457"

mess/457: the message
todo/457: the envelope

tai64nlocal

tai64nlocal is a daemontools utility; it converts the @-prefixed TAI64N timestamps that multilog writes into local time:

cat log | tai64nlocal


qmailctl

qmailctl queue     # equivalent to running /var/qmail/bin/qmail-qstat and /var/qmail/bin/qmail-qread


vpasswd

vpasswd is the qmail (vpopmail) user database.

However, qmail does not read it directly; it reads vpasswd.cdb.

So every time vpasswd is edited by hand, a new cdb has to be rebuilt manually:

cp vpasswd vpasswd.new
vim vpasswd.new
/etc/init.d/svscan stop
cp vpasswd.new vpasswd
rm vpasswd.cdb

Let the commands do it (v?user)

vadduser [email protected]
vdeluser [email protected]

p.s.

Users created with these commands do not need the cdb to be updated by hand.


Clearing mail from the queue (qmail-remove)

[1] Clearing the whole queue by hand

# Qmail queue is stored in /var/qmail/queue

qmailctl stop
cd /var/qmail/queue
find intd todo local remote mess info bounce -type f -print |xargs rm
qmailctl start

[2] By command: qmail-remove

qmail-remove-0.93.tar.gz

/usr/local/sbin

Before doing anything to the Qmail queue, remember to stop qmail first!!

i.e:

qmail-remove -p yourdomain.local

qmail-remove -d -p yourdomain.local

qmail-remove -d -p [email protected] -n 1024

P.S.

remove messages containing a particular string from your Qmail queue.

Mails are *not* deleted from the queue! They are only stored, temporarily, in $qmail-queue/yanked/

qmail-remove [options]

-p <pattern>      specify the pattern to search for
-r                actually remove files; without this we'll only print them
-n <bytes>        limit our search to the first <bytes> bytes of each file
-d                actually remove files instead of yanking them; without -p this deletes all the messages!
-y <directory>    directory to put files yanked from the queue [default: yanked/]

Example Output:

93049: yes
remove mess/14/93049
remove remote/14/93049
remove info/14/93049
544585: yes
remove mess/14/544585
remove remote/14/544585
remove info/14/544585

Attachment Size on Qmail

/var/qmail/control/databytes

# default setting for 'databytes' is 20971520


Configuration file - tcp.smtp

Format

  • A rule is one line
  • Comments: lines beginning with # are ignored
  • Each rule contains an address, a colon, and a list of instructions, with no extra spaces

i.e.

# tcp.smtp

127.:allow,RELAYCLIENT=""
:allow,QMAILQUEUE="/var/qmail/bin/simscan"        <-- when clamd is not running, this line makes every mail get a 4xx

After editing, run the following command to rebuild the .cdb file (tcp.smtp.cdb):

qmailctl cdb

Instructions

  • allow                # here purely used to set environment variables
  • deny                 # tells tcpserver to drop the connection without running anything


tcprules

tcprules is a program:

It converts the rules (tcp.smtp) into binary form (tcp.smtp.cdb).

tcpserver reads the binary rules.

tcprules reads rules from its stdin and writes them into filename cdb
(It does this by first writing the rules to tmp and then moving tmp on top of cdb)

tcprules tcp.smtp.cdb tcp.smtp.temp < /etc/tcp.smtp

* tcprules can be used while tcpserver is running

It can be used to control the behaviour of each plugin.

example:

18.23.0.32:deny

Settings

127.:allow,RELAYCLIENT=""
:allow,QMAILQUEUE="/var/qmail/bin/simscan"
  • ":" acts like an "if": the address before it is the condition, the instructions after it are the action
  • the "allow" instruction means "allowed to connect"; the other instruction is "deny"
  • RELAYCLIENT environment variable
    set = relay email through the qmail server without authentication.
  • QMAILQUEUE environment variable


Qmail startup Script

/service/qmail-smtpd/run

#!/bin/sh

MAILHOSTNAME=`hostname`         # Set the hostname for mail service.
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MEMORYLIMIT=14680064            # 14MB
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
PERIPLIMIT=16
BINDIPADDR=0                    # 0 = any
BINDIPPORT=25                   # Port name or number

exec /usr/local/bin/softlimit -m $MEMORYLIMIT \
     /usr/local/bin/tcpserver -v -H -R -l $MAILHOSTNAME -s $PERIPLIMIT \
     -x /home/vpopmail/etc/tcp.smtp.cdb -c $MAXSMTPD \
     -u $QMAILDUID -g $NOFILESGID $BINDIPADDR $BINDIPPORT \
     /usr/local/bin/rblsmtpd -r bl.spamcop.net -r sbl.spamhaus.org -r cbl.abuseat.org \
     /var/qmail/bin/qmail-smtpd \
     /home/vpopmail/bin/vchkpw /bin/true 2>&1


Environment Variable

RELAYCLIENT=""

This sets the environment variable "RELAYCLIENT" to the empty string.

If the environment variable RELAYCLIENT is set,
 qmail-smtpd will ignore rcpthosts,
 and will append the value of RELAYCLIENT to each incoming recipient address.

rcpthosts is the file that lists all domains your server will accept mail for.

If you need to allow mail relaying from a selected group of IP addresses only,
 the environment variable RELAYCLIENT can be used.

QMAILQUEUE="/var/qmail/bin/simscan"

# Instruction for how and where to run the message through simscan (i.e. spam, clam and attachment checks) before delivery

i.e. No Qmail-Scanner at all for mail from 127.0.0.1:

127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"

Allin1 example setting

127.:allow,RELAYCLIENT=""
:allow,QMAILQUEUE="/var/qmail/bin/simscan"
s.s.s.s:allow,RBLSMTPD="halt thy spam!"

Testing:

client:

telnet d.d.d.d

server log: /var/log/qmail/smtpd/current

@4000000053c4bca91e31937c tcpserver: status: 1/20
@4000000053c4bca91e319f34 tcpserver: pid 10082 from s.s.s.s
@4000000053c4bca91e31a704 tcpserver: ok 10082 mail.xxx.com.hk:d.d.d.d:25 :s.s.s.s::51689
@4000000053c4bca91e31aed4 rblsmtpd: s.s.s.s pid 10082: 451 halt thy spam!


Block Domain

/var/qmail/control/badmailfrom

@domain.tld

qmail-smtpd will reject every recipient address for a message whose envelope sender is listed here.

P.S.

Domains do not need a "*" in front of them.


Viewing a message in the queue

qmailctl queue

10 May 2016 08:03:45 GMT  #928119  1221  <x@x>  bouncing

find /var/qmail/queue -name 928119 | xargs cat | less


pop3s

stunnel configuration file

/var/qmail/control/pop3s.conf

cert = /var/qmail/control/servercert.pem
exec = /var/qmail/bin/qmail-popup
execargs = qmail-popup my.domain.com /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir
  • exec      = local inetd-type program to execute
  • execargs  = arguments for 'exec' (including $0)

Service run script

/service/qmail-pop3ds/run

#!/bin/sh

MAILHOSTNAME=`hostname`         # Set the hostname for mail service.
VPOPMAILUID=`id -u vpopmail`
VPOPMAILGID=`id -g vpopmail`
PERIPLIMIT=20
BINDIPADDR=0                    # 0=any
BINDIPPORT=995                  # Port
MEMORYLIMIT=14680064            # 14MB

exec /usr/local/bin/softlimit -m $MEMORYLIMIT \
    /usr/local/bin/tcpserver -l $MAILHOSTNAME -R -H -v -s $PERIPLIMIT -c 120 \
    -u $VPOPMAILUID -g $VPOPMAILGID $BINDIPADDR $BINDIPPORT \
    /usr/sbin/stunnel /var/qmail/control/pop3s.conf 2>&1

# Apply the new settings (restart the service)

svc -d qmail-pop3ds

svc -u qmail-pop3ds

svstat qmail-pop3ds

qmail-pop3d: up (pid 7792) 3 seconds


Qmail Smarthost

Routing in Qmail is handled by qmail-remote.

Configuration file:

/var/qmail/control/smtproutes

Format:

domain:relay:port

Example

# Only mail to example.com goes via the smarthost

echo "example.com:127.0.0.1:3025" > /var/qmail/control/smtproutes

# All outgoing mail via smarthost

echo ":127.0.0.1:3025" > /var/qmail/control/smtproutes

Remark

#1 The qmail-remote-auth patch is required for smarthost login

destinationdomain.com:relay.server.com username password

#2 smtproutes may include wildcards

# relay may be empty; this tells qmail-remote to look up MX records as usual

# .af.mil (but not af.mil itself) is routed by its MX records

.af.mil:
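
As an added example (not from this page and not qmail's own source), the Python below reproduces the lookup order qmail-remote applies to smtproutes, covering the wildcard and empty-relay cases above and the space-separated credentials of the qmail-remote-auth format; the smtproutes contents, hostnames and credentials are constructed.

```python
# Constructed smtproutes covering every form described above: an exact route
# with a port, a wildcard that falls back to MX, an entry with credentials in
# the qmail-remote-auth format, and a catch-all smarthost.
SMTPROUTES = """\
example.com:127.0.0.1:3025
.af.mil:
partner.example:relay.partner.example smtpuser s3cret
:smarthost.example:3025
"""

def parse_smtproutes(text):
    """Return {domain: relay_spec}; the first entry for a domain wins."""
    routes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        domain, _, spec = line.partition(':')
        routes.setdefault(domain, spec)
    return routes

def parse_relay(spec):
    """'relay[:port] [user password]' -> (relay or None, port, (user, password) or None).
    An empty relay means: deliver via the recipient domain's MX records."""
    fields = spec.split()
    hostport = fields[0] if fields else ''
    relay, _, port = hostport.partition(':')
    auth = (fields[1], fields[2]) if len(fields) >= 3 else None
    return (relay or None, int(port) if port else 25, auth)

def route_for(routes, host):
    """Look up the recipient domain the way qmail-remote does: the full domain
    first, then each suffix that starts at a dot ('.af.mil' matches foo.af.mil
    but not af.mil itself), then the empty default route."""
    for i in range(len(host) + 1):
        if i == 0 or i == len(host) or host[i] == '.':
            if host[i:] in routes:
                return parse_relay(routes[host[i:]])
    return (None, 25, None)   # no route at all: MX lookup, port 25

if __name__ == '__main__':
    routes = parse_smtproutes(SMTPROUTES)
    for dom in ('example.com', 'foo.af.mil', 'af.mil', 'partner.example', 'other.test'):
        print(dom, '->', route_for(routes, dom))
```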

Log of a successfully received mail

... tcpserver: ok 32736 vm.MyDomain.com.hk:L.L.L.L:25 :R.R.R.R::35934
... CHKUSER accepted sender: from <U@F::> 
   remote <[192.168.88.150]:unknown:R.R.R.R> 
   rcpt <> : sender accepted                                        # after "mail from:" was entered
... CHKUSER accepted any rcpt: from <U@F::> 
   remote <[192.168.88.150]:unknown:R.R.R.R>                        # after "rcpt to:" was entered
   rcpt <[email protected]> : accepted any recipient for this domain
... simscan:[32736]:PASSTHRU (0.00/0.00):
   4.1202s:Test attachment:R.R.R.R:U@F:[email protected]   # after DATA was entered and scanned

Outbound mail log

Relay by IP

Deny

... CHKUSER rejected relaying: from <[email protected]::> remote <HELO:unknown:S.S.S.S> rcpt <[email protected]> :
 client not allowed to relay

Accept

... CHKUSER relaying rcpt: from <[email protected]::> remote <:unknown:S.S.S.S> rcpt <[email protected]> :
 client allowed to relay

Relay by Login (SASL)

... CHKUSER accepted sender: from <[email protected]:[email protected]:> remote <[HELO]:unknown:S.S.S.S> rcpt <> : sender accepted
... CHKUSER relaying rcpt: from <[email protected]:[email protected]:> remote <[HELO]:unknown:S.S.S.S> rcpt <[email protected]> : client allowed to relay
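
An added example (not part of the original page) serving the tai64nlocal, rblsmtpd and log sections: it decodes the @-prefixed TAI64N stamps the way tai64nlocal does, then counts CHKUSER relay rejections per client IP and lists rblsmtpd blocks over a constructed sample of /var/log/qmail/smtpd/current. It prints UTC rather than local time, and assumes no /etc/leapsecs.dat is installed; all IPs and addresses are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of /var/log/qmail/smtpd/current in the formats shown on this
# page (tcpserver, rblsmtpd and CHKUSER lines); addresses are documentation ranges.
LOG = """\
@4000000053c4bca91e31937c tcpserver: status: 1/20
@4000000053c4bca91e319f34 tcpserver: pid 10082 from 203.0.113.7
@4000000053c4bca91e31aed4 rblsmtpd: 203.0.113.7 pid 10082: 451 halt thy spam!
@4000000053c4bcb00a1b2c3d CHKUSER rejected relaying: from <spam@example.net::> remote <HELO:unknown:198.51.100.9> rcpt <victim@example.org> : client not allowed to relay
@4000000053c4bcb10a1b2c3d CHKUSER rejected relaying: from <spam@example.net::> remote <HELO:unknown:198.51.100.9> rcpt <victim2@example.org> : client not allowed to relay
@4000000053c4bcb20a1b2c3d CHKUSER relaying rcpt: from <user@example.com:user@example.com:> remote <[HELO]:unknown:192.0.2.5> rcpt <friend@example.org> : client allowed to relay
"""

# multilog stamps 2^62 + 10 + unix time; tai64nlocal undoes exactly that when no
# /etc/leapsecs.dat is installed (with the table it also subtracts leap seconds).
TAI64_OFFSET = (1 << 62) + 10

def tai64n_to_utc(stamp):
    """'@' + 16 hex digits (TAI seconds) + 8 hex digits (nanoseconds) -> UTC string."""
    secs = int(stamp[1:17], 16) - TAI64_OFFSET
    nanos = int(stamp[17:25], 16)
    when = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=secs)
    return when.strftime('%Y-%m-%d %H:%M:%S') + '.%09d' % nanos

RELAY_REJECT = re.compile(r'CHKUSER rejected relaying: .* remote <[^:>]*:[^:>]*:([0-9.]+)>')
RBL_BLOCK = re.compile(r'rblsmtpd: ([0-9.]+) pid \d+: (\d{3}) (.*)')

def summarize(log):
    """Return ({client_ip: relay_rejections}, [(utc_time, ip, code, message)] for rblsmtpd blocks)."""
    rejects, blocks = {}, []
    for line in log.splitlines():
        stamp, _, msg = line.partition(' ')
        if m := RELAY_REJECT.search(msg):
            rejects[m.group(1)] = rejects.get(m.group(1), 0) + 1
        elif m := RBL_BLOCK.search(msg):
            blocks.append((tai64n_to_utc(stamp), m.group(1), m.group(2), m.group(3)))
    return rejects, blocks

if __name__ == '__main__':
    rejects, blocks = summarize(LOG)
    print('relay rejections per client:', rejects)
    for when, ip, code, text in blocks:
        print(when, ip, 'blocked by rblsmtpd:', code, text)
```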

rblsmtpd

Before the rblsmtpd utility makes any DNS queries,
 it first checks its environment for the presence of a variable named "RBLSMTPD":

Settings:

  • empty: rblsmtpd does not block mail.
  • not set: rblsmtpd looks up $TCPREMOTEIP in the RBL
  • nonempty: rblsmtpd blocks mail. It uses $RBLSMTPD as an error message for the client.

Normally, if $RBLSMTPD is set, rblsmtpd uses a 451 error code in its limited SMTP conversation.

If $RBLSMTPD begins with a hyphen, rblsmtpd removes the hyphen and uses a 553 error code.

i.e.

# whitelist
11.22.33.44:allow,RBLSMTPD=""     

# blacklist; error code 451
22.33.44.55:allow,RBLSMTPD="halt thy spam!"

# blacklist; error code 553
33.44.55.66:allow,RBLSMTPD="-halt thy spam!"
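
As an added example (not from the page, nor tcpserver/rblsmtpd source), the Python below evaluates a constructed tcp.smtp the way tcpserver does (exact IP, then shorter dotted prefixes such as "127.", then the empty default) and applies the RBLSMTPD rules listed above to the resulting environment; it also covers the rule format from the tcp.smtp and tcprules sections. The rule file and IPs are constructed.

```python
import re
# Constructed tcp.smtp modelled on the "Allin1" and rblsmtpd examples on this page.
TCP_SMTP = """\
# tcp.smtp (constructed sample)
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
22.33.44.55:allow,RBLSMTPD="halt thy spam!"
33.44.55.66:allow,RBLSMTPD="-halt thy spam!"
18.23.0.32:deny
:allow,QMAILQUEUE="/var/qmail/bin/simscan"
"""

def parse_rules(text):
    """{address: (verb, {VAR: value})}; blank and '#' lines are ignored."""
    rules = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith('#'):
            continue
        addr, _, body = line.partition(':')          # address, colon, instructions
        verb, _, rest = body.partition(',')
        if verb not in ('allow', 'deny'):
            raise ValueError('bad instruction in rule: %r' % line)
        rules[addr] = (verb, dict(re.findall(r'([A-Z_][A-Z0-9_]*)="([^"]*)"', rest)))
    return rules

def candidate_keys(ip):
    """tcpserver lookup order: exact IP, shorter dotted prefixes ('127.'), then ''."""
    parts = ip.split('.')
    return [ip] + ['.'.join(parts[:n]) + '.' for n in range(len(parts) - 1, 0, -1)] + ['']

def decide(rules, ip):
    """First matching rule wins; with no match tcpserver allows and sets nothing."""
    for key in candidate_keys(ip):
        if key in rules:
            return rules[key]
    return ('allow', {})

def rblsmtpd_action(env):
    """What rblsmtpd does with $RBLSMTPD before making any DNS query."""
    if 'RBLSMTPD' not in env:
        return ('lookup', None)                  # not set: look up $TCPREMOTEIP in the RBLs
    msg = env['RBLSMTPD']
    if msg == '':
        return ('pass', None)                    # empty: whitelisted, never blocked
    if msg.startswith('-'):
        return ('block', '553 ' + msg[1:])       # leading hyphen: permanent 553
    return ('block', '451 ' + msg)               # otherwise temporary 451

if __name__ == '__main__':
    for ip in ('127.0.0.1', '22.33.44.55', '33.44.55.66', '18.23.0.32', '8.8.8.8'):
        verb, env = decide(parse_rules(TCP_SMTP), ip)
        print(ip, verb, env, rblsmtpd_action(env) if verb == 'allow' else 'dropped')
```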


SPF

The SPF behavior of your mail server is controlled by the file /var/qmail/control/spfbehavior

0 disabled (Default).

Never do SPF lookups, don't create Received-SPF headers

1 selects 'annotate-only' mode

where qmail-smtpd will annotate incoming email with Received-SPF fields, but will not reject any messages.

2 test mode

will produce temporary failures on DNS lookup problems so you can make sure you always have meaningful Received-SPF headers.

3 selects 'reject' mode

where incoming mail will be rejected if the SPF record says 'fail'.

You can override the value in /var/qmail/control/spfbehavior by setting the SPFBEHAVIOR environment variable (tcp.smtp)

i.e.

X.X.X.X:allow,SPFBEHAVIOR="0"

The 0 must be wrapped in "".


Whitelist MX Server

tcp.smtp

11.22.33.44:allow,SPFBEHAVIOR="0",RBLSMTPD=""


Related