Channel: notes.sagredo.eu blogs

Realtime Blackhole List (RBL) - qmail-dnsbl


This patch replaces djb's rblsmtpd program. It incorporates the RBL checks into qmail-smtpd itself, with the advantage that you can see the envelope in the logs. Recording the envelope as well as the sender IP is important in order to always know what happened to messages that were not received.

An additional improvement over running the RBL filter *before* qmail-smtpd, as rblsmtpd did, is that authenticated users who send messages from a remote dynamic IP will no longer be banned; this means that we can switch on the filter on the 587 submission port as well :)

To activate the RBL check, just add your favourite block lists to the dnsbllist control file (one per line).

cat > /var/qmail/control/dnsbllist << __EOF__
zen.spamhaus.org
bl.spamcop.net
__EOF__

Now restart qmail and check that the RBL lists have been parsed:

> qmailctl restart
> qmail-showctl |grep dnsbl
dnsbllist: 
List at zen.spamhaus.org configured for dnsbl check.
List at bl.spamcop.net configured for dnsbl check.

Improvements with respect to the original qmail-dnsbl patch

  • default file control/dnsbllist can be overridden with env variable DNSBLLIST
  • if DNSBLSKIP env variable is set, qmail-smtpd skips the rbl check
  • if control/dnsblfailclosed or DNSBLFAILCLOSED are defined, qmail-smtpd considers the source ip as blacklisted even in case of lookup failures (check rblsmtpd man page for more details)
  • support for environment variable RBLSMTPD (check rblsmtpd man page for more details)
  • dnsbllist can contain empty lines and comments with '#' at start or end of lines; leading and trailing spaces are automatically removed

Examples and formats

Query rbl for TXT records, return code 451: "451 http://www.spamhaus.org/query/bl?ip=30.50.20.3"

zen.spamhaus.org

Query rbl for TXT records, return code 553: "553 http://www.spamhaus.org/query/bl?ip=30.50.20.3"

-zen.spamhaus.org

Query rbl for A records, custom return message with ret code 451: "451 Message rejected"

zen.spamhaus.org:Message rejected

Query rbl for A records, custom return message with ret code 553: "553 Message rejected"; the following syntaxes are allowed:

-zen.spamhaus.org:Message rejected
zen.spamhaus.org:-Message rejected
-zen.spamhaus.org:-Message rejected

Query rbl for A records, custom return message with IP variable, replaced by remote ip:

zen.spamhaus.org:Message blocked from %IP%

DNS whitelist (A query):

+white.dnsbl.local:Whitelist test
+white.dnsbl.local

The following syntaxes are NOT ALLOWED:

zen.spamhaus.org:
zen.spamhaus.org:-
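The following is an added example (not code from the qmail-dnsbl patch) that parses the dnsbllist formats listed above, builds the reversed-octet lookup name, and renders the SMTP reply. The first-match-wins evaluation order and the injected resolver are assumptions of this example; the real check is done inside qmail-smtpd.

```python
"""Parser and evaluator for the qmail-dnsbl control/dnsbllist line format.

Added example, not the patch's own code. Grammar taken from the examples on
this page: optional leading '+' (whitelist, A query) or '-' (reply 553
instead of 451), a zone name, and an optional ':message' (A query with a
fixed message; a leading '-' on the message also selects 553 and '%IP%' is
replaced by the remote IP). A zone without a message is queried for TXT
records and the TXT text becomes the reply. 'zone:' and 'zone:-' are errors.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence


@dataclass(frozen=True)
class DnsblEntry:
    zone: str
    whitelist: bool          # '+zone': a hit means "accept", not "reject"
    code: int                # 451 (temporary) or 553 (permanent)
    message: Optional[str]   # None -> use the TXT record returned by the list
    query: str               # 'A' or 'TXT'


def parse_dnsbllist(text: str) -> List[DnsblEntry]:
    """Parse control/dnsbllist; raises ValueError on a disallowed line."""
    entries: List[DnsblEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # comments ('#' at start or end of line) and surrounding spaces are dropped;
        # this example simply cuts at the first '#'
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue                              # empty lines are allowed
        whitelist = line.startswith("+")
        code = 553 if line.startswith("-") else 451
        zone, sep, message = line.lstrip("+-").partition(":")
        if not zone:
            raise ValueError(f"line {lineno}: missing zone name in {raw!r}")
        if sep:
            if message.startswith("-"):           # 'zone:-Message' -> 553
                code = 553
                message = message[1:]
            if not message:                       # 'zone:' and 'zone:-' are NOT ALLOWED
                raise ValueError(f"line {lineno}: empty message after ':' in {raw!r}")
        else:
            message = None
        query = "A" if (sep or whitelist) else "TXT"
        entries.append(DnsblEntry(zone, whitelist, code, message, query))
    return entries


def query_name(remote_ip: str, zone: str) -> str:
    """Standard DNSBL lookup name: reversed IPv4 octets under the list zone."""
    octets = remote_ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected")
    return ".".join(reversed(octets)) + "." + zone


# resolver(name, qtype) -> records found, or [] when the IP is not listed
Resolver = Callable[[str, str], Sequence[str]]


def evaluate(entries: Sequence[DnsblEntry], remote_ip: str,
             resolve: Resolver) -> Optional[str]:
    """Return the SMTP reply line for a listed IP, or None to accept it.

    Assumed ordering: entries are tried in file order, a whitelist hit accepts
    immediately and a blacklist hit rejects immediately.
    """
    for e in entries:
        records = resolve(query_name(remote_ip, e.zone), e.query)
        if not records:
            continue
        if e.whitelist:
            return None
        text = e.message if e.message is not None else records[0]
        return f"{e.code} {text.replace('%IP%', remote_ip)}"
    return None
```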

Howto avoid being "cut off" by spamhaus.org

At the end of this guide I will show how to set up fail2ban to ban malicious IPs, so as to reduce the number of queries to the RBL lists and avoid being cut off as a consequence.

As an alternative, you may want to take a look at the idea of Costel Balta, which addresses the same problem.

Check your IP's reputation

When you buy an IP address, it is not new: you inherit its reputation. So the first thing you may want to do is check whether it is listed in some RBL here: http://multirbl.valli.org


qmail-taps-extended


The qmail-taps-extended patch by Inter7 (extended by Michai Secasiu) provides the ability to save a copy of each email which flows through the system. You can decide to log only the messages whose From or To address is a local account.

You just have to create a new control file /var/qmail/control/taps which contains a regex style list of addresses to tap and the email address of where you want the copy sent to.

Examples:

If you only want to log the messages with the From address @domain.com, you would set the configuration like this:

F:.*@domain.com:copy@example.com

If you want to log only those with the To address @domain.com

T:.*@domain.com:copy@example.com

If you want the same behaviour as the original Inter7 patch:

A:.*@domain.com:copy@example.com

Configuring qmail


Defining alias and control files

echo 3 > /var/qmail/control/spfbehavior
echo "| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox" > /var/qmail/control/defaultdelivery
echo 20 > /var/qmail/control/concurrencyincoming
echo postmaster@yourdomain.net > /var/qmail/control/bouncefrom
echo 20000000 > /var/qmail/control/databytes
echo yourdomain.net > /var/qmail/control/doublebouncehost
echo postmaster > /var/qmail/control/doublebounceto
echo 272800 > /var/qmail/control/queuelifetime
echo 30000000 > /var/qmail/control/softlimit
echo 100 > /var/qmail/control/maxrcpt

cd /usr/local/src/netqmail-1.06
./config-fast yourdomain.net

When you run ./config-fast it will automatically populate these files: defaultdomain, locals, me, plusdomain, rcpthosts.

  • defaultdomain: when you have many domains on the same server (defined later in the virtualdomains file), this is the default domain
  • locals: domains that we deliver locally (qmail-send via the qmail-lspawn program). Other domains are spawned by qmail-rspawn and delivered to other MTAs.
  • me: the name of the server. This is the domain name that appears in the From field when you receive system messages, for instance
  • plusdomain: domain substituted for a trailing "+"
  • rcpthosts: domains that we accept mail for. Later you will see how simscan/chkuser reject incoming emails for non-existing recipients.
  • spfbehavior: concerns the spf patch.
  • softlimit: sets soft resource limits for qmail-smtpd
  • databytes: the max number of bytes in a message (0 = no limit)
  • doublebounceto: the account which will receive double-bounce messages. If you're using my combined patch, you can erase the first line of /var/qmail/control/doublebounceto to delete these unwanted messages before they're injected into the local queue.

defaultdelivery is the default .qmail file. It tells qmail how to deliver the email; in this case Maildir is our choice. If you don't yet understand how delivery is done, read the relaying chapter of Life with qmail at this point, and especially the README.vdelivermail that comes with vpopmail, which explains how the .qmail files are used.

You can find an exhaustive presentation of all the control files in the Life with qmail book: http://www.lifewithqmail.org/lwq.html#configuration

Setup the primary administrator's email address. This address will receive mail for root, postmaster, and mailer-daemon.  Replace "postmaster@yourdomain.net" with the administrator email address (postmaster):

cd /var/qmail/alias
echo "postmaster@yourdomain.net" > .qmail-postmaster
ln -s .qmail-postmaster .qmail-mailer-daemon
ln -s .qmail-postmaster .qmail-root
chmod 644 .qmail*

Setup the log dirs

The log dirs belong to the qmaill user and the nofiles group and should not be accessible by other users.

mkdir -p /var/log/qmail

cd /var/log/qmail
chown -R qmaill.nofiles .
chgrp root .
chmod -R og-wrx .
chmod g+rx .

Defining supervise scripts

References: tcpserver page

Download the startup scripts from here and untar

cd /var/qmail 
wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/supervise.tar.gz 
tar xzf supervise.tar.gz
rm supervise.tar.gz
chown -R root.root rc supervise

You can see the rc executable, which is the qmail-start script, and the supervise folder:

-supervise
| 
|----qmail-smtpd/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run
|
|----qmail-submission/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run
|
|----qmail-send/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run
|
|----vpopmaild/
|    |
|    |-----run
|    |-----log/
|          |
|          |---run

When you create symbolic links to the supervise directories in the /service dir, the run command is executed at boot time when /command/svscanboot is launched.

cd /service
ln -s /var/qmail/supervise/qmail-smtpd
ln -s /var/qmail/supervise/qmail-send
ln -s /var/qmail/supervise/vpopmaild

And if you’re going to build an SMTP relay, you may want to run a separate SMTP instance for authentication on port 587:

ln -s /var/qmail/supervise/qmail-submission

File qmail/rc

#!/bin/sh

# Using stdout for logging
# Using control/defaultdelivery from qmail-local to deliver messages by default

# DKIM signign
#exec env - PATH="/var/qmail/bin:$PATH" \
#QMAILREMOTE=/var/qmail/bin/spawn-filter  \
#FILTERARGS=/var/qmail/bin/dk-filter \
#qmail-start "`cat /var/qmail/control/defaultdelivery`"

exec env - PATH="/var/qmail/bin:$PATH" \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

File qmail/supervise/qmail-smtpd/run

#!/bin/sh

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`

# This enables greetdelay for qmail-smtpd. Put 0 if you decide to delay rblsmtpd instead.
export SMTPD_GREETDELAY=20
export DROP_PRE_GREET=1

# This enables greetdelay for rblsmtpd
#export GREETDELAY=15
# This disables rblsmtpd reject
#export RBLSMTPD=""

# This enables chkuser
export CHKUSER_START=ALWAYS

# DKIM - SURBL configuration
# DKIMQUEUE and SURBLQUEUE are front-ends of qmail-queue
#export SURBL=1                               # Comment out to enable SURBL filtering
#export QMAILQUEUE=/var/qmail/bin/surblqueue  # executes surblfilter
#export SURBLQUEUE=/var/qmail/bin/qmail-dkim  # executes qmail-dkim afer sublfilter
#export DKIMQUEUE=/var/qmail/bin/simscan      # simscan is executed after qmail-dkim
# DKIM verification. Use carefully 
#export DKIMVERIFY="FGHKLMNOQRTVW"
# This is to avoid verification of outgoing messages
#export RELAYCLIENT_NODKIMVERIFY=1

# This turns off TLS on port 25
export DISABLETLS="1"

# This enables simscan debug
#export SIMSCAN_DEBUG=2

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 25 \
    /var/qmail/bin/qmail-smtpd 2>&1

Note that the standard smtp (port 25) does not allow the authentication.

You have to adjust the resource limit (softlimit, in bytes). Each system is different and has different requirements. Life with qmail suggests just 2 MB. You have to find the correct value experimentally, increasing it in steps of 1 MB, especially once you have loaded spamassassin, clamAV and simscan (the mail scanner).

We'll cover GREETDELAY, RBL and DKIM later.

File qmail/supervise/qmail-smtpd/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s16000000 n200 /var/log/qmail/smtpd

# comment out the following to save the "qlogenvelope" lines also in a separate file
# you must have the file /usr/local/bin/archive_qmail_qlog executable and working!
#LOGUSER="qmaill"
#LOGDIR="/var/log/qmail/smtpd"
#LOGDIRQLOG="/var/log/qmail/smtpd/qlog"
#n5 s10000000 '-*' '+* qlog*' !/usr/local/bin/archive_qmail_qlog $LOGDIRQLOG

If you like, you can have the qlogenvelope lines saved in a separate file as well:

@400000005855db3028811e24 qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp= pid=11928
@400000005855db322a892324 qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts= size=2689 authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp=11934 pid=11928

In this case create the archive_qmail_qlog

cat > /usr/local/bin/archive_qmail_qlog << __EOF__
#!/bin/sh
tai64nlocal >> /var/log/qmail/qmail-smtpd.log
__EOF__

and assign the +x flag

chmod +x /usr/local/bin/archive_qmail_qlog

File qmail/supervise/qmail-send/run

#!/bin/sh
exec /var/qmail/rc

File qmail/supervise/qmail-send/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s16000000 n200 /var/log/qmail/send

File qmail/supervise/qmail-submission/run

This service makes the MTA also act as an outgoing relay, but the user must authenticate (with TLS encryption).

#!/bin/sh

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`

# You MUST export this, otherwise you'd get a 30 sec timeout
# "!" if you want the submission feature (auth required)
export SMTPAUTH="!"

# This enables greetdelay for qmail-smtpd.
# comment out if using fail2ban on port 587
export SMTPD_GREETDELAY=5
export DROP_PRE_GREET=1

# This enables chkuser
export CHKUSER_START=ALWAYS

# This enables simscan debug
#export SIMSCAN_DEBUG=2

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1

Note the use of vchkpw in conjunction with qmail-smtpd to ensure authentication. The connection requires TLS enabled. This is the reason why we opened a separate secure connection on port 587 to allow remote clients to use our MTA as a relay.

The variable SMTPAUTH is related to the auth patch. You are invited to take a look at the README.auth file for further details.

File qmail/supervise/qmail-submission/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s16000000 n200 /var/log/qmail/submission

File qmail/supervise/vpopmaild/run

#!/bin/sh
QMAILDUID=`id -u root`
NOFILESGID=`id -g root`

exec /usr/local/bin/softlimit -m 25000000 \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 89 \
    /home/vpopmail/bin/vpopmaild 2>&1

vpopmaild is important when connecting to vpopmail via webmail to change the password, for instance.

File qmail/supervise/vpopmaild/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/vpopmaild

cronjobs

To back up the log files from the qmail services we'll use the convert-multilog script by John Simpson (thanks to the author and to Marc for the suggestion), who describes the script's function as follows:

convert-multilog is a script which searches "/service/*/log/main" for any "@4*" files (the automatic cut-off files generated by multilog), converts their timestamps from tai64n to human-readable format, and writes them to /var/log/{service}.{date}. Once the lines from a given "@4*" file have been converted, the file is deleted.

The log files are saved separated by date, for example

-rw-r--r-- 1 root   root   259558 Aug 24 12:21 qmail-smtpd.2014-08-20
-rw-r--r-- 1 root   root   806917 Aug 24 12:21 qmail-smtpd.2014-08-21
-rw-r--r-- 1 root   root  1523116 Aug 24 12:21 qmail-smtpd.2014-08-22
-rw-r--r-- 1 root   root   364022 Aug 24 12:21 qmail-smtpd.2014-08-23

Inside each file the date is now human-readable

2014-08-23 00:31:49.503947500 tcpserver: status: 1/20

This is very useful when you have to do quick searches.
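As an added example (not the convert-multilog or archive_qmail_qlog scripts from this page), the following does the same tai64n conversion in Python and parses the qlogenvelope / qlogreceived lines shown earlier into fields, so rejected envelopes can be searched by remote IP. It prints UTC, whereas tai64nlocal prints local time; the third sample line is constructed.

```python
"""tai64n timestamp conversion plus qlogenvelope/qlogreceived field parsing.

Added example, not code from this page. A tai64n label is '@' followed by
16 hex digits (2^62 + TAI seconds) and 8 hex digits of nanoseconds. Like
tai64nlocal without a leap-second table, we take Unix time = TAI - 10 s.
"""
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, Iterator, Optional, Tuple

TAI64_BASE = (1 << 62) + 10   # 2^62 plus the 10 s TAI-UTC offset
_LABEL = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8})\s+(.*)$")

# two lines from this page plus one constructed rejected envelope (constructed sample)
SAMPLE_LOG = [
    "@400000005855db3028811e24 qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp= pid=11928",
    "@400000005855db322a892324 qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts= size=2689 authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp=11934 pid=11928",
    "@400000005855db3b1c2f4e8c qlogenvelope: result=rejected code=553 reason=rcptto detail=chkuser helo=example.invalid mailfrom=spam@example.invalid rcptto=nobody@rcptdomain.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=198.51.100.7 remoteport=51234 remotehost= qp= pid=11950",
]


def tai64n_to_unix(label: str) -> Tuple[int, int]:
    """'@400000005855db3028811e24' -> (unix_seconds, nanoseconds)."""
    if len(label) != 25 or not label.startswith("@"):
        raise ValueError(f"not a tai64n label: {label!r}")
    secs = int(label[1:17], 16) - TAI64_BASE
    nanos = int(label[17:25], 16)
    return secs, nanos


def tai64n_to_text(label: str) -> str:
    """Human-readable UTC timestamp in the same layout convert-multilog produces."""
    secs, nanos = tai64n_to_unix(label)
    stamp = datetime.fromtimestamp(secs, tz=timezone.utc)
    return f"{stamp:%Y-%m-%d %H:%M:%S}.{nanos:09d}"


def parse_qlog(line: str) -> Optional[Dict[str, str]]:
    """Turn a qlogenvelope/qlogreceived line into a dict; None for other lines.

    Values may be empty (e.g. 'authuser='), so tokens are split on whitespace
    and then on the first '='.
    """
    m = _LABEL.match(line)
    if not m:
        return None
    kind, sep, fields = m.group(3).partition(": ")
    if not sep or not kind.startswith("qlog"):
        return None
    rec = {"time": tai64n_to_text("@" + m.group(1) + m.group(2)), "event": kind}
    for tok in fields.split():
        key, eq, value = tok.partition("=")
        if eq:
            rec[key] = value
    return rec


def rejected_envelopes(lines: Iterable[str]) -> Iterator[Tuple[str, str, str, str, str]]:
    """Yield (time, remoteip, mailfrom, rcptto, reason) for envelopes not accepted."""
    for line in lines:
        rec = parse_qlog(line)
        if rec and rec["event"] == "qlogenvelope" and rec.get("result") != "accepted":
            yield (rec["time"], rec.get("remoteip", ""), rec.get("mailfrom", ""),
                   rec.get("rcptto", ""), rec.get("reason", ""))


if __name__ == "__main__":
    for hit in rejected_envelopes(SAMPLE_LOG):
        print(*hit)
```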

Install like this:

mkdir -p /var/log/qmail/backup
cd /usr/local/bin
wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/convert-multilog
chmod +x convert-multilog

cd /service/qmail-send/log/
ln -s /var/log/qmail/send main
cd /service/qmail-smtpd/log/
ln -s /var/log/qmail/smtpd main
cd /service/qmail-submission/log/
ln -s /var/log/qmail/submission main
cd /service/vpopmaild/log/
ln -s /var/log/qmail/vpopmaild main

Now set up a cronjob once a day (crontab -e):

59 2 * * * /usr/local/bin/convert-multilog 1> /dev/null

qmailctl script

As usual we will put the script in /usr/local/bin and give it the +x flag.

cd /usr/local/bin
wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/qmailctl
chmod +x qmailctl

The startup script below does the following:

  • Starts/stops the services
  • Calls tcprules to reload tcp.smtp.cdb and tcp.submission.cdb
  • Shows the status of the services and the queue

Note that it starts and stops vpopmaild also, and starts both normal SMTP on port 25, and the submission service on port 587, where SMTP authentication is required to perform outgoing relay for remote users. If you decide to disable the submission service, delete qmail-submission from the svclist variable on the 4th line below. In any event, be sure to review the service list to make sure it reflects the services you want to provide.

#!/bin/sh

# Put here the services you want to manage
svclist="qmail-send qmail-smtpd qmail-submission vpopmaild"

PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

case "$1" in
  start)
    echo "Starting qmail"

    for svc in $svclist ; do
      if svok /service/$svc ; then
        svc -u /service/$svc
      else
        echo $svc service not running
      fi
    done

    if [ -d /var/lock/subsys ]; then
      touch /var/lock/subsys/qmail
    fi
    ;;
  stop)
    echo "Stopping qmail..."
    for svc in $svclist ; do
      echo " $svc"
      svc -d /service/$svc
    done
    if [ -f /var/lock/subsys/qmail ]; then
      rm /var/lock/subsys/qmail
    fi
    ;;
  stat)
    for svc in $svclist ; do
      svstat /service/$svc
      svstat /service/$svc/log
    done
    qmail-qstat
    ;; 
  doqueue|alrm|flush)
    echo "Sending ALRM signal to qmail-send."
    svc -a /service/qmail-send
    ;;
  queue)
    qmail-qstat
    qmail-qread
    ;;
  reload|hup)
    echo "Sending HUP signal to qmail-send."
    svc -h /service/qmail-send
    ;;
  pause)
    for svc in $svclist ; do
      echo "Pausing $svc"
      svc -p /service/$svc
    done
    ;; 
  cont)
    for svc in $svclist ; do
      echo "Continuing $svc"
      svc -c /service/$svc
    done
    ;;
  restart)
    echo "Restarting qmail:"
    for svc in $svclist ; do
      if [ "$svc" != "qmail-send" ] ; then
        echo "* Stopping $svc."
        svc -d /service/$svc
      fi
    done
    echo "* Sending qmail-send SIGTERM and restarting."
    svc -t /service/qmail-send
    for svc in $svclist ; do
      if [ "$svc" != "qmail-send" ] ; then
        echo "* Restarting $svc."
        svc -u /service/$svc
      fi
    done
    ;;
  cdb)
    if ! grep '\#define POP_AUTH_OPEN_RELAY 1' ~vpopmail/include/config.h >/dev/null; then
      (cd ~vpopmail/etc ; cat tcp.smtp | tcprules tcp.smtp.cdb tcp.smtp.tmp)
      echo "Updated tcp.smtp.cdb."
      (cd ~vpopmail/etc ; cat tcp.submission | tcprules tcp.submission.cdb tcp.submission.tmp)
      echo "Updated tcp.submission.cdb."
    else
      ~vpopmail/bin/clearopensmtp
      echo "Ran clearopensmtp."
    fi
    ;;
  clear)
    echo "Clearing readproctitle service errors with ................."
    svc -o /service/clear
    ;;
  kill)
    echo "First stopping services ... "
    for svc in $svclist ; do
      if svok /service/$svc ; then
        svc -d /service/$svc
        svc -d /service/$svc/log
      fi
    done
    echo "Now sending processes the kill signal ... "
    killall -g svscanboot
    echo "done"
    ;;
  boot)
    echo "Starting qmail"
    /command/svscanboot &
    ;;
  reboot)
    echo "First stopping services ... "
    for svc in $svclist ; do
      if svok /service/$svc ; then
        svc -d /service/$svc
        svc -d /service/$svc/log
      fi
    done
    echo "Now sending processes the kill signal ... "
    killall -g svscanboot
    echo "done"
    echo "Starting qmail"
    /command/svscanboot &
    ;;
  help)
    cat <<HELP
    stop -- stops mail service (smtp connections refused, nothing goes out)
   start -- starts mail service (smtp connection accepted, mail can go out)
   pause -- temporarily stops mail service (connections accepted, nothing leaves)
    cont -- continues paused mail service
    stat -- displays status of mail service
     cdb -- rebuild the tcpserver cdb file for smtp
 restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
 doqueue -- sends qmail-send ALRM, scheduling queued messages for delivery
  reload -- sends qmail-send HUP, rereading locals and virtualdomains
   queue -- shows status of queue
    alrm -- same as doqueue
   flush -- same as doqueue
     hup -- same as reload
   clear -- clears the readproctitle service errors with .....................
    kill -- svc -d processes in svclist, then do 'killall -g svscanboot'
    boot -- Boots qmail and all services in /service running /command/svscanboot
  reboot -- kill & boot commands in sequence
HELP
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|clear|kill|boot|reboot|help}"
    exit 1
    ;;
esac

exit 0 

Usage

# qmailctl help

    stop -- stops mail service (smtp connections refused, nothing goes out)
   start -- starts mail service (smtp connection accepted, mail can go out)
   pause -- temporarily stops mail service (connections accepted, nothing leaves)
    cont -- continues paused mail service
    stat -- displays status of mail service
     cdb -- rebuild the tcpserver cdb file for smtp
 restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
 doqueue -- sends qmail-send ALRM, scheduling queued messages for delivery
  reload -- sends qmail-send HUP, rereading locals and virtualdomains
   queue -- shows status of queue
    alrm -- same as doqueue
   flush -- same as doqueue
     hup -- same as reload
   clear -- clears the readproctitle service errors with .....................
    kill -- svc -d processes in svclist, then do 'killall -g svscanboot'
    boot -- Boots qmail and all services in /service running /command/svscanboot
  reboot -- kill & boot commands in sequence

qmailctl can also be used to kill all qmail processes and to reboot the server. I use this option inside the rc.6 of my Slackware virtual server to avoid error messages when stopping or rebooting the guest. You can easily call the clear service as well.

svtools

This is a nice collection of tools to manage daemontools' services that you may want to consider. mlcat is one of those; it can cat a service's log with human readable dates with a short command like:

mlcat qmail-smtpd

I slightly modified that script here so that it can be used without the "qmail-" prefix:

mlcat smtpd

Allowing selected clients to send outgoing messages

Create /home/vpopmail/etc/tcp.smtp and /home/vpopmail/etc/tcp.submission (the latter one in case you want to enable the submission service).

Enable outgoing relay in this way:

10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
1.2.3.4:deny
:allow

Localhost and the 10.0.0.0/24 subnet can use our MTA as an outgoing relay, 1.2.3.4 is denied, and all other IPs can only send messages to the domains listed in /var/qmail/control/rcpthosts.

tcp.smtp

0.0.0.0:allow,RELAYCLIENT=""
10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
:allow,CHKUSER_WRONGRCPTLIMIT="3"

chkuser will ban the client's IP after 3 consecutive failures (wrong recipients).

tcp.submission

:allow,CHKUSER_WRONGRCPTLIMIT="3"
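To see which rule a given client actually hits, here is an added example (not part of ucspi-tcp or this page's scripts) that mimics tcpserver's lookup order against the tcp.smtp and tcp.submission rules above: exact IP first, then shorter and shorter dotted prefixes (10.0.0., 10.0., 10.), then the empty default rule. Hostname ("=host") rules, address ranges and quoted values containing commas are not handled, and the allow-when-no-rule fallback is an assumption of this example.

```python
"""Evaluate tcprules-style files the way tcpserver resolves a client IP.

Added example, not ucspi-tcp code. A rule is 'address:instruction[,NAME=value...]'
where address is an exact IP, a dotted prefix such as '10.0.0.', or empty for
the default rule. Lookup order mimicked here: exact IP, then each shorter
prefix, then ''. With no matching rule at all this example assumes 'allow'.
"""
from typing import Dict, Optional, Tuple

Rule = Tuple[str, Dict[str, str]]   # ("allow" | "deny", {ENV_NAME: value})

# rules copied from this page's examples
RELAY_RULES = """10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
1.2.3.4:deny
:allow
"""

SMTP_RULES = """0.0.0.0:allow,RELAYCLIENT=""
10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
:allow,CHKUSER_WRONGRCPTLIMIT="3"
"""


def parse_tcprules(text: str) -> Dict[str, Rule]:
    """Parse a tcp.smtp-style file into {address_or_prefix: (instruction, env)}."""
    rules: Dict[str, Rule] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"missing ':' in rule {raw!r}")
        parts = rest.split(",")             # quoted values with commas not supported here
        instruction = parts[0]
        if instruction not in ("allow", "deny"):
            raise ValueError(f"unknown instruction {instruction!r} in {raw!r}")
        env: Dict[str, str] = {}
        for assignment in parts[1:]:
            name, eq, value = assignment.partition("=")
            if not eq or not name:
                raise ValueError(f"bad environment assignment {assignment!r} in {raw!r}")
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # RELAYCLIENT="" -> empty string, still set
            env[name] = value
        rules[addr] = (instruction, env)
    return rules


def lookup(rules: Dict[str, Rule], remote_ip: str) -> Optional[Rule]:
    """First matching rule in tcpserver's order: exact, 1.2.3., 1.2., 1., ''."""
    octets = remote_ip.split(".")
    candidates = [remote_ip]
    for n in range(len(octets) - 1, 0, -1):
        candidates.append(".".join(octets[:n]) + ".")
    candidates.append("")
    for key in candidates:
        if key in rules:
            return rules[key]
    return None


def decide(rules: Dict[str, Rule], remote_ip: str) -> Rule:
    """Instruction and environment applied to a connection from remote_ip."""
    rule = lookup(rules, remote_ip)
    if rule is None:
        return ("allow", {})                 # assumed fallback when no rule matches
    return rule


def can_relay(rules: Dict[str, Rule], remote_ip: str) -> bool:
    """True when the client is allowed and RELAYCLIENT is set (even to '')."""
    instruction, env = decide(rules, remote_ip)
    return instruction == "allow" and "RELAYCLIENT" in env
```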

Updating cdb files

qmailctl can invoke tcprules to create the cdb file in this way:

# qmailctl cdb
Updated tcp.smtp.cdb.
Updated tcp.submission.cdb.

You must run this command every time you modify tcp.smtp or tcp.submission.

Configuring the standard SMTP service on 25 in tcp.smtp ensures that only localhost and authorized IPs can use the SMTP service as an outgoing relay. We will accept inbound messages from outside as long as the recipient domain is included in the file /var/qmail/control/rcpthosts. When someone sends a message to a domain name not listed in rcpthosts, qmail will respond with “Sorry, that domain isn’t in my list of allowed rcpthosts (#5.7.1)”.

When you enable SMTP authentication on port 587, remote users who successfully authenticate will be allowed to send messages using our MTA.

Improved qmail-send log

I modified extra.h in the source code (see the patch here) to record the Message-ID in the qmail-send log, as explained here towards the bottom of the page. Therefore an alias ~alias/.qmail-log will be added automatically as well, to store the awk command with the regex that retrieves the Message-ID.

Be aware that you must have a valid MX record for your FQDN (look at /var/qmail/control/me), otherwise you will get an error like this:

Sorry, No mailbox here #5.1.1

The qmail-send log now appears as follows. Note that a copy of each mail is apparently sent to the address specified in the alias above.

2014-11-05 12:00:47.930384500 status: local 1/10 remote 1/20
2014-11-05 12:00:47.952694500 delivery 11: success: Received:_(qmail_17359_invoked_by_uid_89);_5_Nov_2014_12:00:47_+0100/Received:_(qmail_17359_invoked_by_uid_89);_5_Nov_2014_12:00:47_+0100/Received:_from_unknown_(HELO_mx.test.net)_(1.2.3.4)/Received:_from_unknown_(HELO_mx.test.net)_(1.2.3.4)/__by_0_with_ESMTPS_(DHE-RSA-AES256-GCM-SHA384_encrypted);_5_Nov_2014_12:00:47_+0100/Received:_(qmail_17349_invoked_by_uid_89);_5_Nov_2014_12:00:47_+0100/Received:_(qmail_17349_invoked_by_uid_89);_5_Nov_2014_12:00:47_+0100/Received:_from_unknown_(HELO_mail-wg0-f47.google.com)_(74.125.82.47)/Received:_from_unknown_(HELO_mail-wg0-f47.google.com)_(74.125.82.47)/__by_0_with_ESMTPS_(RC4-SHA_encrypted);_5_Nov_2014_12:00:46_+0100/Received:_by_mail-wg0-f47.google.com_with_SMTP_id_a1so597995wgh.6/Received:_by_mail-wg0-f47.google.com_with_SMTP_id_a1so597995wgh.6/Received:_by_mail-wg0-f47.google.com_with_SMTP_id_a1so597995wgh.6/________for_<info@test.net>;_Wed,_05_Nov_2014_03:00:48_-0800_(PST)/X-Received:_by_10.180.23.98_with_SMTP_id_l2mr4797959wif.51.1415185247978;_Wed,/X-Received:_by_10.180.23.98_with_SMTP_id_l2mr4797959wif.51.1415185247978;_Wed,/Received:_by_10.27.203.139_with_HTTP;_Wed,_5_Nov_2014_03:00:47_-0800_(PST)/Received:_by_10.27.203.139_with_HTTP;_Wed,_5_Nov_2014_03:00:47_-0800_(PST)/Date:_Wed,_5_Nov_2014_12:00:47_+0100/Message-ID:_<CAD=Xf-WdCFwED9DiMqRj=bUR5RsRA9mPah1OXgA-tB1ffk-3sw@mail.gmail.com>/Message-ID:_<CAD=Xf-WdCFwED9DiMqRj=bUR5RsRA9mPah1OXgA-tB1ffk-3sw@mail.gmail.com>/Subject:_dasda/From:_xxx_<someone@@gmail.com>/From:_xxx_<someone@gmail.com>/To:_info@test.net/---/did_0+0+2/
2014-11-05 12:00:47.952726500 status: local 0/10 remote 1/20
2014-11-05 12:00:48.326103500 delivery 12: success: 1.2.3.4_accepted_message./Remote_host_said:_250_ok_1415185248_qp_17366/

Choosing your OS

Installing DAViCal on Slackware


DAViCal is a server for calendar sharing. It is an implementation of the CalDAV protocol which is designed for storing calendaring resources (in iCalendar format) on a remote shared server.

I will show shortly how to install DAViCal from source on a Slackware machine (tested on 14.2). This how-to can be useful for other Linux distros with a few adjustments.

Pre-requisites and dependencies

  • A webserver which can run PHP (however most of this documentation assumes Apache 2.2 or later)
  • PHP: 5.1 or greater (see below details on compilation)
  • PostgreSQL: 8.1 or greater
  • A couple of Perl modules to execute the database scripts
    • YAML
    • DBD:Pg
    • DBI

Download

cd /usr/local/src
git clone https://gitlab.com/davical-project/davical.git
git clone https://gitlab.com/davical-project/awl.git
rm -rf ./davical/.git/
rm -rf ./awl/.git/

Copy both the davical and the awl dirs where you want:

mkdir -p /path/to/davical
mv davical/ awl/ /path/to/davical

Now you have them in /path/to/davical. Next, adjust the privileges:

chown -R root:apache /path/to/davical

cd /path/to/davical
find ./ -type d -exec chmod u=rwx,g=rx,o= '{}' \;
find ./ -type f -exec chmod u=rw,g=r,o= '{}' \;

Postgresql

Postgres has to be installed from the SlackBuild at slackbuilds.org. Before creating the package you must have the postgres user and group:

groupadd -g 209 postgres
useradd -u 209 -g 209 -d /var/lib/pgsql postgres

Configuration

cd /var/lib/pgsql/9.6/data/

If your web server and postgres server are on different machines, you have to edit postgresql.conf to allow connections from your local network:

listen_addresses = '*'

Now edit pg_hba.conf (documentation) to set up the users and database privileges:

host davical davical_app 1.2.3.4/32 trust
host davical davical_dba 1.2.3.4/32 trust

host all all 1.2.3.4/32 trust

In my example I'm assuming that 1.2.3.4 is your web server's IP. "davical" is the postgres user claiming access to the "davical_app" and "davical_dba" databases.

Perl modules installation

There are a couple of Perl modules we need to install in order to run the script which will create the databases for us:

perl -MCPAN -e shell
cpan> o conf prerequisites_policy ask
cpan> force notest install YAML DBD::Pg DBI
cpan> quit

Creating the database

cd /path/to/davical/davical/dba

Modify create-database.sh as needed, especially in case postgres lives on another server. In my case I added this line, otherwise the connection would be made to localhost:

PSQLOPTS="--host=1.2.3.4 --username=postgres"

You may also have to set the postgres server host in update-davical-database. So if your postgres server is not on localhost, adjust the $dbhost variable accordingly:

my $dbhost = "1.2.3.4";

Now proceed to setup the db:

./create-database.sh

If you get any error, delete the database from the postgres server:

su - postgres
dropdb davical

Php compilation

We need to compile alpine to get c-client.a for IMAP support. You must have the alpine source and SlackBuild in the same tree as php.

#!/bin/sh

ALPINE=2.20

IMAPLIBDIR=/usr/local/lib64/c-client

if [ -r $IMAPLIBDIR/lib64/libc-client.a ]; then
  echo "Using IMAP library:"
  ls -l $IMAPLIBDIR/lib64/libc-client.a
  sleep 5
else
  ( cd ../alpine ; ./alpine.SlackBuild || exit 1 ) || exit 1
  ( cd /tmp/alpine-${ALPINE}/imap/c-client
    strip -g c-client.a
    mkdir -p $IMAPLIBDIR/lib64
    cp c-client.a $IMAPLIBDIR/lib64/libc-client.a
    mkdir -p $IMAPLIBDIR/include
    cp *.h $IMAPLIBDIR/include
  )
fi

./configure \
       --with-gettext=/usr \
       --with-pgsql \
       --with-pdo-pgsql \
       --with-libdir=lib64 \
       --with-imap-ssl=/usr \
       --with-imap=${IMAPLIBDIR} \
       --with-curl \
       --your-other-config-options

Apache configuration

<VirtualHost *:80 >
  define DAVICAL /path/to/davical/davical

  DocumentRoot ${DAVICAL}/htdocs
  DirectoryIndex index.php index.html
  ServerName dav.yourdomain.com
  Alias /images/ ${DAVICAL}/htdocs/images/
  <Directory ${DAVICAL}/htdocs/>
      AllowOverride None
      Require all granted
  </Directory>
  AcceptPathInfo On
  #
  #  You probably don't need to enable any of these sorts of things other than in exceptional
  #  circumstances.  Apart from the include path (which DAViCal will discover if it is anywhere
  #  'normal') they are the default in newer PHP versions.
  #
  # php_value include_path /usr/share/awl/inc
  # php_value magic_quotes_gpc 0
  # php_value register_globals 0
  # php_value error_reporting "E_ALL & ~E_NOTICE"
  # php_value default_charset "utf-8"
</VirtualHost>

Configuring DAViCal

Create your config file:

cd /path/to/davical/davical/config
cp -p example-config.php dav.yourdomain.com-conf.php

Your config has to reside in /etc/davical, so let's create the sym link

ln -s /path/to/davical/davical/config /etc/davical

If everything went well you should be able to navigate to http://dav.yourdomain.com. Retrieve your admin password in this way:

su - postgres
psql davical -c 'select username, password from usr;'

The password is the text after the two **. Once you have changed it, it will never be possible to see the clear-text password this way again.

Installing Dovecot and sieve on a vpopmail + qmail server


Overview

Dovecot is an open source IMAP and POP3 email server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It's fast, simple to set up, requires no special administration and it uses very little memory.

Dovecot is simple to configure, the project is alive and the documentation is exhaustive. In addition, it supports vpopmail (which Courier IMAP no longer does). I found Dovecot so friendly that I decided to switch off qmail-pop3d and use Dovecot not only as an IMAP but also as a POP3 server. I will show how to configure a secure connection as well.

If you want to support filters in your email you have to manage Sieve rules by means of the dovecot-pigeonhole server. When you create a filter with your webmail or email client, you write a Sieve script to customize how messages are delivered, e.g. whether they are forwarded, rejected or stored in special folders. In order to do so, however, Dovecot must also act as the Local Delivery Agent in place of vpopmail/vdelivermail, i.e. Dovecot itself must store the email messages in the users' Maildirs. This guide will try to show how to accomplish this.

Installing

cd /usr/local/src
wget http://www.dovecot.org/releases/2.2/dovecot-2.2.14.tar.gz
tar xzf dovecot-2.2.14.tar.gz
chown -R root.root dovecot-2.2.14
cd dovecot-2.2.14

./configure \
        --prefix=/usr/local/dovecot \
        --with-vpopmail \
        --with-sql \
        --with-mysql \
        --with-docs \
        --with-ssl \
        --without-shadow \
        --without-pam \
        --without-ldap \
        --without-pgsql \
        --without-sqlite

Install prefix . : /usr/local/dovecot
File offsets ... : 64bit
I/O polling .... : epoll
I/O notifys .... : inotify
SSL ............ : yes (OpenSSL)
GSSAPI ......... : no
passdbs ........ : static passwd passwd-file checkpassword sql vpopmail
                 : -shadow -pam -bsdauth -sia -ldap
userdbs ........ : static prefetch passwd passwd-file checkpassword sql vpopmail nss
                 : -ldap
SQL drivers .... : mysql
                 : -pgsql -sqlite
Full text search : squat
                 : -lucene -solr

In case you are compiling in a systemd environment you may need to add the "--with-systemdsystemunitdir" option to your configure command (thanks to Bob Greco), for example:

--with-systemdsystemunitdir=/lib/systemd/system

Check if SSL was detected and if the sql/mysql authentication backend is supported. Compile:

make

If the old dovecot is running, stop it and delete the symbolic link before installing:

dovecotctl stop
rm /usr/local/dovecot
make install

cd /usr/local
mv dovecot dovecot-2.2.14
ln -s dovecot-2.2.14 dovecot

This installs Dovecot in /usr/local/dovecot.

Configuring

Create the dovecot user/group, the log folder and the directory where to store runtime data.

groupadd dovecot
useradd -g dovecot dovecot
useradd -g dovecot dovenull

mkdir -p /var/log/dovecot 
touch /var/log/dovecot/dovecot.log
chgrp vchkpw /var/log/dovecot/dovecot.log
chmod 660 /var/log/dovecot/dovecot.log

The config files must be copied from the share/doc folder to the etc/dovecot folder:

cd /usr/local/dovecot/etc/dovecot
cp -rp /usr/local/dovecot/share/doc/dovecot/example-config/* .

Adjust the MANPATH variable (add this line to your /etc/profile as well):

export MANPATH=$MANPATH:/usr/local/dovecot/share/man

Download my dovecot config files

If you don't want to have the trouble to modify your conf files and want to follow the directives of this guide you can download my config files and adjust them to your needs.

cd /usr/local/dovecot
mv etc etc-bak
wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/dovecot.conf.tar.gz
tar xzf dovecot.conf.tar.gz
mv dovecot-etc etc
cd etc/dovecot
chown -R root.root .

dovecot.conf

protocols = imap pop3
# delete IP6 addresses here
listen = *
dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
!include conf.d/*.conf
!include_try local.conf

Note that all conf.d/*.conf files will be included, so rename what is not needed.

10-auth.conf

disable_plaintext_auth = yes # we are going to configure SSL and the sql driver requires it
# To append @domain to username in plaintext logins
auth_default_realm = defaultdomain.net
auth_mechanisms = plain login # the sql drivers requires that the pwd is transmitted with no encryption
# !include auth-system.conf.ext # now commented
# !include auth-vpopmail.conf.ext # commented
!include auth-sql.conf.ext

auth-sql.conf.ext

passdb {
  driver = sql
  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  args = /usr/local/dovecot/etc/dovecot/dovecot-sql.conf.ext
}

userdb {
  driver = sql
  args = /usr/local/dovecot/etc/dovecot/dovecot-sql.conf.ext
}

dovecot-sql.conf.ext

NB: this file lives one level up, in the etc/dovecot/ directory, not in conf.d/.

# This file is opened as root, so it should be owned by root and mode 0600.
#
# Database driver: mysql, pgsql, sqlite
driver = mysql

# Database connection string. This is driver-specific setting.
#
connect = host=[MySQL IP] dbname=vpopmail user=vpopmail password=[PASSWORD]

# Default password scheme.
#
default_pass_scheme = MD5-CRYPT

# passdb query to retrieve the password. It can return fields:
password_query = SELECT CONCAT(pw_name, '@', '%d') AS user, \
  pw_passwd AS password, \
  pw_dir as userdb_home, \
  89 AS userdb_uid, \
  89 AS userdb_gid \
  FROM `vpopmail` \
  WHERE pw_name = '%n' AND pw_domain = '%d'

# userdb query to retrieve the user information. It can return fields:
# (Thanks to Arturo Blanco for his hints concerning vpopmail limits)
user_query = \
  SELECT pw_dir AS home, \
  89 AS uid, \
  89 AS gid \
  FROM vpopmail \
  WHERE pw_name = '%n' AND pw_domain = '%d' \
  AND ('%a'!='995' or !(pw_gid & 2)) \
  AND ('%r'!='[WEBMAIL-IP]' or !(pw_gid & 4)) \
  AND ('%r'='[WEBMAIL-IP]' or '%a'!='993' or !(pw_gid & 8))

# [WEBMAIL-IP] is the IP of your webmail web server.
# I'm assuming that IMAP connections only arrive on port 993 and POP3 connections on port 995.
# Adjust to your needs.
#
# Logically this means:
# SELECT the user
# WHEN POP is not disabled for that user connecting on port 995 (995 is the pop3s port allowed from remote in my configuration)
# AND WHEN webmail access is not disabled for that user when connecting from [WEBMAIL-IP]
# AND WHEN IMAP is not disabled for that user connecting on port 993 (993 is the imaps port allowed from remote
# in my configuration), unless the remote IP is the one belonging to the webmail

# Query to get a list of all usernames.
iterate_query = SELECT CONCAT(pw_name,'@',pw_domain) AS username FROM `vpopmail`
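As an added worked example (not part of the original page, nor Dovecot's or vpopmail's own code), the following Python reproduces the pw_gid gating of the user_query above and cross-checks it against an SQLite copy of the query, so the bit logic can be exercised without a MySQL server. WEBMAIL_IP, REMOTE_IP and the sample rows are constructed placeholders, and MySQL's `!` operator is written as SQLite's `NOT`.

```python
"""Added example: the pw_gid gating of the Dovecot user_query, in Python and in
SQLite, so the bit logic can be exercised without a MySQL server."""
import sqlite3

# vpopmail stores per-user restriction flags in the pw_gid bit field; these are
# the three bits the user_query tests.
NO_POP = 2        # POP3 access disabled for the user
NO_WEBMAIL = 4    # webmail access disabled
NO_IMAP = 8       # IMAP access disabled

WEBMAIL_IP = "192.0.2.10"      # constructed stand-in for [WEBMAIL-IP]
REMOTE_IP = "203.0.113.5"      # constructed client address that is not the webmail host


def login_allowed(pw_gid, local_port, remote_ip, webmail_ip=WEBMAIL_IP):
    """Python rendering of the WHERE clause (%a = local port, %r = remote IP)."""
    if local_port == 995 and pw_gid & NO_POP:
        return False          # POP3S connection, but POP is disabled for this user
    if remote_ip == webmail_ip and pw_gid & NO_WEBMAIL:
        return False          # connection comes from the webmail host, webmail disabled
    if remote_ip != webmail_ip and local_port == 993 and pw_gid & NO_IMAP:
        return False          # IMAPS from a client that is not the webmail, IMAP disabled
    return True


# Same query as on the page, with Dovecot's %n/%d/%a/%r variables turned into
# bound parameters and MySQL's "!" written as SQLite's NOT.
USER_QUERY_SQLITE = """
SELECT pw_dir AS home, 89 AS uid, 89 AS gid
FROM vpopmail
WHERE pw_name = :n AND pw_domain = :d
  AND (:a != '995' OR NOT (pw_gid & 2))
  AND (:r != :w OR NOT (pw_gid & 4))
  AND (:r = :w OR :a != '993' OR NOT (pw_gid & 8))
"""

# Constructed sample rows: (pw_name, pw_domain, pw_gid, pw_dir)
SAMPLE_USERS = [
    ("alice", "example.net", 0, "/home/vpopmail/domains/example.net/alice"),
    ("bob", "example.net", NO_POP, "/home/vpopmail/domains/example.net/bob"),
    ("carol", "example.net", NO_IMAP, "/home/vpopmail/domains/example.net/carol"),
    ("dave", "example.net", NO_WEBMAIL | NO_IMAP, "/home/vpopmail/domains/example.net/dave"),
]


def make_db():
    """In-memory stand-in for the vpopmail table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vpopmail (pw_name TEXT, pw_domain TEXT, pw_gid INTEGER, pw_dir TEXT)")
    conn.executemany("INSERT INTO vpopmail VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def sql_login_allowed(conn, user, domain, local_port, remote_ip, webmail_ip=WEBMAIL_IP):
    """Run the userdb query; an empty result means Dovecot refuses the login."""
    params = {"n": user, "d": domain, "a": str(local_port), "r": remote_ip, "w": webmail_ip}
    return conn.execute(USER_QUERY_SQLITE, params).fetchone() is not None


def cross_check():
    """Confirm the Python predicate and the SQL query agree for every sample user,
    listening port and client address."""
    conn = make_db()
    for name, domain, gid, _ in SAMPLE_USERS:
        for port in (110, 143, 993, 995):
            for ip in (WEBMAIL_IP, REMOTE_IP):
                if login_allowed(gid, port, ip) != sql_login_allowed(conn, name, domain, port, ip):
                    return False
    return True


if __name__ == "__main__":
    conn = make_db()
    for name, _, gid, _ in SAMPLE_USERS:
        print(name,
              "imaps/remote:", sql_login_allowed(conn, name, "example.net", 993, REMOTE_IP),
              "pop3s/remote:", sql_login_allowed(conn, name, "example.net", 995, REMOTE_IP),
              "imaps/webmail:", sql_login_allowed(conn, name, "example.net", 993, WEBMAIL_IP))
    print("python and sql agree:", cross_check())
```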

Since this file stores the database password and is opened only by root, you must restrict its access privileges:

chmod go-wrx ../dovecot-sql.conf.ext

10-director.conf

If you don't want to use the Director service rename the conf file, so that it will not be loaded:

mv 10-director.conf 10-director.conf.disabled

10-logging.conf

Set your log destination. I prefer to have a dedicated logfile for dovecot (the default is syslog):

log_path = /var/log/dovecot/dovecot.log
plugin {
}

Logrotate

Save the below scriptlet as /etc/logrotate.d/dovecot:

cat > /etc/logrotate.d/dovecot << __EOF__
/var/log/dovecot/*.log {
missingok
notifempty
delaycompress
sharedscripts
postrotate
/usr/local/dovecot/bin/doveadm log reopen
endscript
}
__EOF__

10-mail.conf

We have to tell Dovecot where the mailboxes are located. It will look for the Maildir in the home directory (%h):

mail_location = maildir:%h/Maildir
namespace inbox {
  inbox = yes
}

Set mail_uid and mail_gid to 89 (the vpopmail uid/gid). Do the same for the first/last valid uid and gid, since you want to manage only vpopmail users:

mail_uid = 89
mail_gid = 89

mail_privileged_group = 89
mail_access_groups = 89

first_valid_uid = 89
last_valid_uid = 89

first_valid_gid = 89
last_valid_gid = 89

Adjust the socket and the plugin folder:

auth_socket_path = /usr/local/dovecot/var/run/dovecot/auth-userdb
mail_plugin_dir = /usr/local/dovecot/lib/dovecot
mail_plugins = $mail_plugins quota

10-master.conf

Read this carefully before continuing.

#default_process_limit = 100
#default_client_limit = 1000

# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
default_login_user = vpopmail

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port = 
  #}
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    mode = 0600
    user = vpopmail
    group = vchkpw
  }

  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}

  # Auth process is run as this user.
  user = $default_internal_user
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  user = $default_internal_user
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user = 
    #group = 
  }
}

10-ssl.conf

Of course we want SSL support. First of all let's create a self-signed SSL certificate. Dovecot includes a script to build self-signed SSL certificates using OpenSSL; you can find it in doc/mkcert.sh:

cd /usr/local/src/dovecot-2.2.14/doc

mkcert.sh will create the SSL certificate. Before running mkcert.sh you have to customize the certificate by editing dovecot-openssl.cnf (in the same folder):

> nano dovecot-openssl.cnf

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=IT

# State or Province Name (full name)
ST=Italy

# Locality Name (eg. city)
L=MyLocality

# Organization (eg. company)
O=My Organization Name

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=mymailserver.net

# E-mail contact
emailAddress=postmaster@mymailserver.net

[ cert_type ]
nsCertType = server

Now we are ready to create the SSL certificate:

> sh mkcert.sh

and the files /etc/ssl/private/dovecot.pem and /etc/ssl/certs/dovecot.pem have been created. Remember their locations because you have to insert them in 10-ssl.conf:

ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem

Remember also to switch off SSLv3 for security reasons:

ssl_protocols = !SSLv2 !SSLv3

and adjust the ssl_dh_parameters_length parameter to meet latest security recommendations (thanks to Bob Greco):

ssl_dh_parameters_length = 2048

15-lda.conf

As I already said, dovecot will also act as an LDA, because we want to manage sieve rules and filter our incoming emails.

postmaster_address = postmaster@yourdomain.net
hostname = mail.yourdomain.net

sendmail_path = /var/qmail/bin/sendmail
# the next two to auto create folders
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes

protocol lda {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins quota # if you want to use sieve put sieve here
}

15-mailboxes.conf

##
## Mailbox definitions
##

# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
namespace inbox {

  #mailbox name {
    # auto=create will automatically create this mailbox.
    # auto=subscribe will both create and subscribe to the mailbox.
    #auto = no

    # Space separated list of IMAP SPECIAL-USE attributes as specified by
    # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
    #special_use =
  #}

  # These mailboxes are widely used and could perhaps be created automatically:
  mailbox Drafts {
    special_use = \Drafts
    auto = subscribe
  }
  mailbox Junk {
    special_use = \Junk
    auto = subscribe
  }
  mailbox Trash {
    special_use = \Trash
    auto = subscribe
  }

  # For \Sent mailboxes there are two widely used names. We'll mark both of
  # them as \Sent. User typically deletes one of them if duplicates are created.
  mailbox Sent {
    special_use = \Sent
    auto = subscribe
  }
#  mailbox "Sent Messages" {
#    special_use = \Sent
#  }

  # If you have a virtual "All messages" mailbox:
  #mailbox virtual/All {
  #  special_use = \All
  #}

  # If you have a virtual "Flagged" mailbox:
  #mailbox virtual/Flagged {
  #  special_use = \Flagged
  #}
}

20-imap.conf

protocol imap {
  mail_plugins = $mail_plugins imap_quota
}

20-lmtp.conf

I don't want the support for proxying to other LMTP/SMTP servers, so I disable lmtp:

mv 20-lmtp.conf 20-lmtp.conf.disabled

20-pop3.conf

protocol pop3 {
  mail_plugins = $mail_plugins quota
}

90-acl.conf

If no acl is needed you can disable it:

mv 90-acl.conf 90-acl.conf.disabled

90-plugin.conf

plugin {
  # autocreate plugin
  # This plugin allows the administrator to specify mailboxes that must always
  # exist for all users. They can optionally also be subscribed. The
  # mailboxes are always created and subscribed after the user logs in.
  # Namespaces are fully supported, so namespace prefixes need to be used
  # where necessary.
  autocreate = Sent
  autocreate2 = Drafts
  autocreate3 = Junk
  autocreate4 = Trash
  #autocreate5 = ..etc..
  autosubscribe = Sent
  autosubscribe2 = Drafts
  autosubscribe3 = Junk
  autosubscribe4 = Trash
  #autosubscribe5 = ..etc
}

90-quota.conf

To enable maildir++ quota, uncomment this line (thanks to Nicolas for the hint!):

quota = maildir:User quota

Adjusting PATH and MANPATH

You may want to modify your environment variables as follows inside your /etc/profile:

export PATH=$PATH:/usr/local/dovecot/bin
export MANPATH=$MANPATH:/usr/local/dovecot/share/man

ucspi-tcp6


ucspi-tcp6 is a fork of Bernstein's ucspi-tcp 0.88 program, which adds, among other things, IPv6 capabilities to the original ucspi-tcp. tcpserver and tcpclient are easy-to-use command-line tools for building TCP client-server applications.

Install ucspi-tcp6

cd /usr/local/src
wget http://www.fehcom.de/ipnet/ucspi-tcp6/ucspi-tcp6-1.04.tgz
cd /var/qmail/
tar xzf /usr/local/src/ucspi-tcp6-1.04.tgz
chown -R root.root host/
cd host/ucspi-tcp6-1.04/
package/install

NB: remove -m64 from conf-ld if compiling on 32-bit platforms.

The new ucspi-tcp6 is patched for rblsmtpd and greetdelay, but we will not make use of them, because more suitable patches do the same thing, as explained later.

The tcpserver usage, as far as IPv4 is concerned, is similar to the original Bernstein's program.

Edit: the current version includes a hack by Manvendra Bhangui from indimail.org which makes tcpserver and qmail's spfcheck compliant with IPv4-mapped IPv6 addresses, provided that you use his fix to the qmail-spf patch (my combined patch already has this adjustment to spf).

Setting up rblsmtpd


NB: you can skip this page if you decided to use qmail-dnsbl instead


A Realtime Blackhole List (RBL) is a list of addresses that an RBL list supplier believes are a source of Spam.
rblsmtpd blocks mail from RBL-listed sites. It works with any SMTP server that can run under tcpserver.

qmail-smtpd's run script is already set to run rblsmtpd before qmail-smtpd. The following lines are related to rblsmtpd (others are omitted):

# This enables greetdelay anti-spam functionality on rblsmtpd
export GREETDELAY=15

# This disables rblsmtpd reject
#export RBLSMTPD=""

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 25 \
    /usr/local/bin/rblsmtpd -W \
        -b -r zen.spamhaus.org \
        -b -r bl.spamcop.net \
    /var/qmail/bin/qmail-smtpd 2>&1

Since rblsmtpd is the first program that talks with the sender, you may want to enable GREETDELAY here and not inside qmail-smtpd. GREETDELAY=15 sets a delay of 15 seconds. In this example two different RBL sources will be queried. If their response is ok, the qmail-smtpd program will be run.

To disable rblsmtpd you have to delete the following lines from the code above:

/usr/local/bin/rblsmtpd -W \
        -b -r zen.spamhaus.org \
        -b -r bl.spamcop.net \

NB: If you decide to use zen.spamhaus.org as suggested here, check the free use terms and be aware that exceeding these terms causes your server to be cut off. I think that one of my servers has been banned, since I can't resolve zen.spamhaus.org.

Testing spamhaus.org

Connect to Russel Nelson's http://www.crynwr.com/spam/ site and follow the instructions. In short, you have to telnet to ns1.crynwr.com from your mail server and check whether spamhaus.org is working fine as a filter.

How to avoid being "cut off" by spamhaus.org

At this point you may want to take a look at Costel Balta's idea, which aims to reduce the number of queries to the RBL lists and so avoid being banned.


Configuring DKIM for qmail


This note concerns the DKIM patch embedded in my combined patch (more info here). This topic is advanced and you can skip it at the beginning.

DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. The validation technique is based on public-key cryptography: Responsibility is claimed by the signer by adding a domain name to the message and then also affixing a digital signature of it and the message. The value is placed in the DKIM-Signature: header field. The verifier recovers the signer's public key using the DNS, and then verifies the signature.

You are invited to take a look at the man pages, starting from dkim(8) and spawn-filter(8).

Changelog

  • 2017-05-14
    DKIM patch updated to v. 1.20. It now manages long TXT records, avoiding the rejection of some hotmail.com messages.
  • 2016-03-09
    Upgraded to v. 1.19: verification will not fail when a DKIM signature does not include the Subject, provided that the UNSIGNED_SUBJECT environment variable is declared. More info here.

Acknowledgments

I would like to address a special thanks to Manvendra Bhangui, the author of the DKIM patch, for kindly assisting me during all the configuration.


I will show how to configure qmail-remote to sign your outgoing messages and qmail-smtpd to verify your incoming messages. Eventually, as an alternative, you can decide to set qmail-smtpd to do both things; this configuration is presented towards the bottom of this page.

In any case you have to create the domainkey signature.

Creating the domainkey signature for your outgoing emails

Signatures are created using a private key on your system, and verified by a public key stored in the DNS for the email domain.

Before you can sign an email, you must create at least one public/private key pair. You may want to create key pairs for every domain you wish to sign, or use one single signature for all your hosted domains.

First of all download the script (thanks to Joerg Backschues) which we'll use to create the keys and print the DNS record.

cd /usr/local/bin
wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/domainkey
chmod +x domainkey

Now create the folder which will store all the domainkeys.

mkdir /usr/local/etc/domainkeys

Usage

Usage: /usr/local/bin/domainkey [-p] domain [selector]
       Create domainkey
       Print domainkey with -p

The script can create the key or print the existing key if used with the -p option.

When you create a key for domain.net it will be stored in the /usr/local/etc/domainkeys/domain.net folder. The folder must be owned by qmailr (the user running qmail-remote) if you sign at qmail-remote level, or by vpopmail, the user who runs qmail-smtpd, if you decide to sign at qmail-smtpd level. My script changes the owner to qmailr by default.

> domainkey domain.net

Generating RSA private key, 1024 bit long modulus
......................++++++
........++++++
e is 65537 (0x10001)
writing RSA key

TXT record for BIND:
default._domainkey.domain.net. IN TXT "v=DKIM1\; k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyzJujXz9EiMat2eDzzLjWuSJ6g4i20FXGluNOmruuCFnVJP1OxurKdt57JZm+6QP2h9IOP0owBMmecXI9qx3CkFrlGSMbJsOEGqXwiTSSttgGmSTPZeNAureyo79spwPc44Ol2ZK2U9gBoDpSQEQdLdtXUreRvs/HyTkzalue2wIDAQAB"

You have to create a TXT record like that in your DNS server. If your name server is not BIND, Google is your friend.

Configuring qmail-remote for signing and qmail-smtpd for verification

rc script

Here is how to modify your /var/qmail/rc script so that qmail-remote will sign your outgoing messages:

#!/bin/sh

# Using stdout for logging
# Using control/defaultdelivery from qmail-local to deliver messages by default

exec env - PATH="/var/qmail/bin:$PATH" \
QMAILREMOTE=/var/qmail/bin/spawn-filter  \
FILTERARGS=/var/qmail/bin/dk-filter \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

The variable QMAILREMOTE makes qmail call spawn-filter before the message gets queued, which in turn executes a filter of your choice, declared by FILTERARGS. For individual domain-level control it is best to use the control file filterargs (man spawn-filter). You can use QMAILLOCAL to sign local deliveries as well.

dk-filter uses /var/qmail/control/domainkeys/%/default as the location of the key. The '%' symbol is automatically replaced with the sender's domain. Of course you can decide to sign all your domains with one single signature located in /var/qmail/control/domainkeys/default.

If you need to store your domainkey elsewhere, define DKIMSIGN as follows (before the last qmail-start command):

DKIMSIGN=/usr/local/etc/domainkeys/example.net/your_keyname

qmail-smtpd/run script

Insert the following environment variables in your /var/qmail/supervise/qmail-smtpd/run script:

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMVERIFY="FGHKLMNOQRTVWjpu"
# This is to avoid verification of outgoing messages
export RELAYCLIENT_NODKIMVERIFY=1

Declaring RELAYCLIENT_NODKIMVERIFY prevents qmail-dkim from verifying outgoing messages.

You are invited to read the qmail-dkim man page in order to choose the best configuration for you.

Testing

Create a test message to be used in the tests below (it's important to exit with ctrl+d and that the first line is not empty):

# cat > /tmp/testmail.txt
To: someone@somewhere.xy
From: postmaster@yourdomain.xy
Subject: DKIM Test Message

Test message FOLLOWING A BLANK LINE

Ctrl-D

Signing test

We'll do the test as qmailr, the user who runs qmail-remote and which owns the domainkey.

# su qmailr
# declare -x QMAILREMOTE=/var/qmail/bin/spawn-filter
# declare -x _SENDER=postmaster@yourdomain.xy
# /var/qmail/bin/dk-filter < /tmp/testmail.txt
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=yourdomain.xy;
        s=default; h=To:From:Subject; bh=lrIChgTwMnmPKfGEgElIyJgL9jk=;
        b=LQPayl6VbbITdGjVC6vx2+bYF27jAjAkR6qm967GMd1L+0hb7szwP9cDfvy738
        Y05llEnOqMrc1QbGGE9uLxqGQrkOAPhl0q+Hxt8yQz1B4BsVk8vED812K/178pIe
        f+4oGrnodNCCJwg97TLXJmVdecGbrmOVPiBfm51kl4nSI=
To: someone@somewhere.xy
From: postmaster@yourdomain.xy
Subject: DKIM Test Message

Test message FOLLOWING A BLANK LINE

Send to yourself a message and look for the DKIM signature in the header:

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
    d=domain.net; s=private; x=1298156019; h=to:from:subject;
    bh=tVrwKZaEzYO4qmI9mPfR04ZvZik=; b=r2VH/6rQdY6xcPjyg55ULnf7U+DEs
    +apecicwvygIZVvQwxU4NqiqAQGTF3Qkft2eBDu42TBzX4nV7FTs8wzn40iGkfhB
    mMZhQdcyOseg7DyOFKUK5D8Ji3ueF/xgYFUnffrxPdZUMpGN9+dA9fY0wkonp5ML
    dDSaNje9mmd34I=
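Added example (not from the page or the DKIM patch): parsing the folded DKIM-Signature header shown above and the BIND TXT record printed by the domainkey script earlier on this page, then deriving the DNS name a verifier queries and checking the two against each other before any RSA work is done. Both inputs are copied from this page; the tag-list rules follow RFC 6376.

```python
"""Added example: tag-list parsing for a DKIM-Signature header and a DKIM TXT
record, as a verifier does before fetching and checking the public key."""
import base64
import re

# Header as printed on this page (folded over several lines).
SIGNATURE_HEADER = """DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
    d=domain.net; s=private; x=1298156019; h=to:from:subject;
    bh=tVrwKZaEzYO4qmI9mPfR04ZvZik=; b=r2VH/6rQdY6xcPjyg55ULnf7U+DEs
    +apecicwvygIZVvQwxU4NqiqAQGTF3Qkft2eBDu42TBzX4nV7FTs8wzn40iGkfhB
    mMZhQdcyOseg7DyOFKUK5D8Ji3ueF/xgYFUnffrxPdZUMpGN9+dA9fY0wkonp5ML
    dDSaNje9mmd34I="""

# BIND zone line as printed by the domainkey script earlier on this page
# (the ';' separators are escaped as '\;' for BIND).
BIND_TXT_LINE = (
    r'default._domainkey.domain.net. IN TXT "v=DKIM1\; k=rsa\; t=y\; '
    r'p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyzJujXz9EiMat2eDzzLjWuSJ6g4i20FXGluNOmruuCFnVJP1Oxur'
    r'Kdt57JZm+6QP2h9IOP0owBMmecXI9qx3CkFrlGSMbJsOEGqXwiTSSttgGmSTPZeNAureyo79spwPc44Ol2ZK2U9gBoDpSQEQdL'
    r'dtXUreRvs/HyTkzalue2wIDAQAB"'
)


def parse_tag_list(text):
    """RFC 6376 tag-list: 'tag=value' pairs separated by ';'; folding whitespace
    inside a value (as in the wrapped b= above) is ignored."""
    tags = {}
    for item in text.split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def parse_dkim_signature(header):
    """Unfold the header, drop the field name and parse its tag list."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    _, _, body = unfolded.partition(":")
    tags = parse_tag_list(body)
    tags["_dns_name"] = f"{tags['s']}._domainkey.{tags['d']}"   # where the verifier looks for p=
    tags["_h"] = tags["h"].lower().split(":")                  # header fields covered by b=
    tags["_bh_len"] = len(base64.b64decode(tags["bh"]))        # 20 bytes for sha1, 32 for sha256
    return tags


def parse_bind_txt(line):
    """Pull the quoted rdata out of a BIND TXT line, unescape '\;' and parse it."""
    owner = line.split()[0].rstrip(".")
    rdata = re.search(r'"(.*)"', line).group(1).replace(r"\;", ";")
    tags = parse_tag_list(rdata)
    tags["_owner"] = owner
    return tags


def check_against_record(sig, rec):
    """Consistency checks a verifier applies to the pair before any RSA work."""
    findings = []
    if sig["_dns_name"] != rec["_owner"]:
        findings.append(f"selector mismatch: signature needs {sig['_dns_name']}, record is {rec['_owner']}")
    if rec.get("v", "DKIM1") != "DKIM1":
        findings.append("record version is not DKIM1")
    if not sig["a"].startswith(rec.get("k", "rsa") + "-"):
        findings.append(f"key type {rec.get('k')} does not match algorithm {sig['a']}")
    if "y" in rec.get("t", "").split(":"):
        findings.append("t=y: domain is in testing mode, a failed verification is treated as unsigned")
    if "from" not in sig["_h"]:
        findings.append("From header is not signed")
    return findings


if __name__ == "__main__":
    sig = parse_dkim_signature(SIGNATURE_HEADER)
    rec = parse_bind_txt(BIND_TXT_LINE)
    print("lookup name:", sig["_dns_name"], "| signed headers:", sig["_h"], "| bh bytes:", sig["_bh_len"])
    for finding in check_against_record(sig, rec):
        print("-", finding)
```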

Verification test

I assume that vpopmail is the user who runs qmail-smtpd.

# su vpopmail
# declare -x DKIMQUEUE=/bin/cat
# unset RELAYCLIENT
# /var/qmail/bin/qmail-dkim < /tmp/testmail.txt
DKIM-Status: no signatures
To: someone@somewhere.xy
From: postmaster@yourdomain.xy
Subject: DKIM Test Message

Test message FOLLOWING A BLANK LINE

Send a message to yourself from a gmail.com account (which is DKIM signed) and check the header. The message has been verified if you get a header like this:

DKIM-Status: good

Testing the DNS record

Finally, send an email to check-auth@verifier.port25.com with "test" as subject. They will send you back a reply with the test results, and you will know if your DNS configuration is ok.

Making qmail-dkim and simscan live together in peace

[If you didn't install simscan yet skip this and come here later. qmail won't work with this directive without simscan installed.]

As you probably know, simscan also needs to call qmail-queue and must be set in the QMAILQUEUE environment variable, just like qmail-dkim. The same applies to other qmail scanners.

The workaround is to assign qmail-dkim to QMAILQUEUE and assign simscan to the DKIMQUEUE variable. In this case qmail-dkim will call simscan when it has finished its work.

You have to modify your /var/qmail/supervise/qmail-smtpd/run script (and /var/qmail/supervise/qmail-submission/run as well) like this:

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMQUEUE=/var/qmail/bin/simscan

Configuring qmail-smtpd for signing outgoing messages

You can skip this paragraph if you have already decided to sign at qmail-remote level.

qmail-smtpd run script

Insert the two following environment variables in your /var/qmail/supervise/qmail-smtpd/run script:

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMKEY=/usr/local/etc/domainkeys/%/default

qmail-dkim will sign your messages if the variable RELAYCLIENT is set (take a look at your tcp.smtp) and will verify all messages from IPs where RELAYCLIENT is not set.

DKIMKEY is the location of the key. The '%' symbol is automatically replaced with the sender's domain. Of course you can decide to sign all your domains with one single signature located in /usr/local/etc/domainkeys/default.

Testing

# cat > /tmp/testmail.txt
To: someone@somewhere.xyz
From: postmaster@yourdomain.xyz
Subject: Test Message

Test message FOLLOWING A BLANK LINE THAT YOU DON'T HAVE TO FORGET

Ctrl-D

In this test qmail-dkim assumes that the domainkey is stored in the /var/qmail/control/domainkeys folder, so if your domainkeys are stored elsewhere create a symbolic link.

# su vpopmail
# declare -x DKIMQUEUE=/bin/cat
# declare -x DKIMKEY=/usr/local/etc/domainkeys/%/default
# declare -x RELAYCLIENT=""
# /var/qmail/bin/qmail-dkim < /tmp/testmail.txt
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
        d=yourdomain.xyz; s=default; x=1298483339; h=To:From:Subject;
        bh=6rJdFs2WVS8T72i61KhaAvC6O6s=; b=ffnXBB98Gg6iZFEIL6alk8c5davso
        ozyrunXM3C8qaejIrJOwYhnlWQwSdrV599WErmJcDYyMjFjVgLzRQ9OTeYHjEnHT
        X/aiIkvjcxRuOaTK7PcwrcJGdtF0c6LWoK9RgiPctCw7DMcHGmUcSyXWc6ayzHgX
        A7nopQYuHzTuIU=
To: someone@somewhere.xyz
From: postmaster@yourdomain.xyz
Subject: Test Message

Test message FOLLOWING A BLANK LINE THAT YOU DON'T HAVE TO FORGET

Choosing between DKIMSIGN and DKIMKEY

Here is the logic behind it, as explained to me by the author of the patch himself (see man qmail-dkim(8) for more info):

  1. If RELAYCLIENT is defined and both DKIMSIGN and DKIMVERIFY are not defined, then qmail-dkim looks for DKIMKEY for the private key to sign. If DKIMKEY is not defined, then control/domainkeys/%/default is used.
  2. If RELAYCLIENT is not defined, then qmail-dkim uses DKIMSIGN for the key.
  3. If RELAYCLIENT is not defined and both DKIMSIGN and DKIMVERIFY are defined, then qmail-dkim ignores DKIMVERIFY.
  4. If the key has % in the filename, then it is replaced with the domain name from the From/Sender header. After substituting %, if the private key is not found, then qmail-dkim removes the % and again checks for the key. E.g. strace shows this:

    access("control/domainkeys/mydomain.org/default", F_OK) = -1 ENOENT (No such file or directory)
    open("control/domainkeys/default", O_RDONLY|O_NONBLOCK) = 5

  5. If the key has % in the filename and the private key does not exist, then qmail-dkim exits without signing and without any failure. Hence messages will pass through. The reason for this behaviour is that I have many clients who run multiple domains on a server and they need DKIM only for a few domains.
  6. If the key does not have the % sign and the private key does not exist, then qmail-dkim exits with 32, resulting in a permanent failure:

    "Private key file does not exist (#5.3.5)"

  7. If none of the variables RELAYCLIENT, DKIMSIGN, DKIMVERIFY are defined, qmail-dkim does verification.
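Rules 1 to 7 above, expressed as a small decision function (an added example, not qmail-dkim's own code). Key files are represented by a constructed set of paths instead of the real filesystem, and the combination of RELAYCLIENT set together with DKIMSIGN or DKIMVERIFY, which the list does not cover, is reported as unspecified rather than guessed.

```python
"""Added example: the qmail-dkim mode and key selection described in rules 1-7,
modelled as a pure function so each rule can be checked in isolation."""

DEFAULT_KEY = "control/domainkeys/%/default"               # rule 1 default when DKIMKEY is unset
NO_KEY_MSG = "Private key file does not exist (#5.3.5)"    # rule 6 error text


def resolve_key(template, domain, exists):
    """Rule 4: '%' is replaced by the sender domain; if that file is missing, the
    '%/' component is dropped and the lookup is retried (control/domainkeys/default).
    Returns ("key", path), ("pass", None) for rule 5 or ("fail", None) for rule 6."""
    if "%" not in template:
        return ("key", template) if exists(template) else ("fail", None)
    per_domain = template.replace("%", domain)
    if exists(per_domain):
        return ("key", per_domain)
    shared = template.replace("%/", "")
    if exists(shared):
        return ("key", shared)
    return ("pass", None)          # rule 5: per-domain key absent, message passes unsigned


def qmail_dkim_decision(env, from_domain, key_files):
    """env: the environment seen by qmail-dkim (for RELAYCLIENT only presence matters);
    from_domain: domain taken from the From/Sender header;
    key_files: set of existing private-key paths (constructed stand-in for the disk)."""
    relay = "RELAYCLIENT" in env
    sign_var = "DKIMSIGN" in env
    verify_var = "DKIMVERIFY" in env
    exists = key_files.__contains__

    if not relay and not sign_var:
        # rule 7 (and the plain DKIMVERIFY setting used in the qmail-smtpd/run above)
        return {"action": "verify"}
    if not relay and sign_var:
        # rules 2 and 3: DKIMSIGN wins, DKIMVERIFY is ignored even when set
        template = env["DKIMSIGN"]
    elif relay and not sign_var and not verify_var:
        # rule 1: DKIMKEY, or the compiled-in default
        template = env.get("DKIMKEY", DEFAULT_KEY)
    else:
        # RELAYCLIENT together with DKIMSIGN/DKIMVERIFY is not covered by the list
        return {"action": "unspecified"}

    status, path = resolve_key(template, from_domain, exists)
    if status == "key":
        return {"action": "sign", "key": path}
    if status == "pass":
        return {"action": "pass"}
    return {"action": "fail", "exit": 32, "message": NO_KEY_MSG}


if __name__ == "__main__":
    # The strace case from rule 4: no per-domain key, shared key present.
    print(qmail_dkim_decision({"RELAYCLIENT": ""}, "mydomain.org", {"control/domainkeys/default"}))
    # Rule 6: an explicit DKIMSIGN path that does not exist.
    print(qmail_dkim_decision({"DKIMSIGN": "/usr/local/etc/domainkeys/example.net/your_keyname"},
                              "example.net", set()))
```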


Installing and configuring vpopmail


Vpopmail provides an easy way to manage virtual email domains and non /etc/passwd email accounts on your mail servers.

The purpose of this note is to show how to use MySQL as the authentication system. Having a users database also offers the advantage of communicating with the database via PHP, and creating web-based user interfaces to manage accounts.

Setup

Create vpopmail user and group:

groupadd -g 89 vchkpw
useradd -g vchkpw -u 89 -d /home/vpopmail vpopmail

Download the source from here: http://sourceforge.net/projects/vpopmail/files/ and configure. I tested the following with vpopmail 5.4.30, 5.4.32 and 5.4.33.

cd /usr/local/src
tar xzf vpopmail-5.4.33.tar.gz
cd vpopmail-5.4.33
chown -R root.root .
./configure \
        --enable-qmaildir=/var/qmail/ \
        --enable-qmail-newu=/var/qmail/bin/qmail-newu \
        --enable-qmail-inject=/var/qmail/bin/qmail-inject \
        --enable-qmail-newmrh=/var/qmail/bin/qmail-newmrh \
        --disable-roaming-users \
        --enable-auth-module=mysql \
        --enable-incdir=/usr/include/mysql \
        --enable-libdir=/usr/lib64 \
        --enable-logging=p \
        --disable-clear-passwd \
        --enable-auth-logging \
        --enable-sql-logging \
        --disable-valias \
        --disable-mysql-limits \
        --disable-passwd \
        --enable-qmail-ext \
        --enable-learn-passwords

--disable-roaming-users Roaming users (POP-before-SMTP relay authorization) are disabled, since we don't want to use that mechanism. We will patch qmail with smtp-auth instead.

--enable-auth-module=mysql builds mysql support and stores virtual user accounts in a mysql database.

--enable-incdir=/usr/include/mysql Your MySQL include dir (needed only if you installed mysql from binaries or source in a non-standard location; mount the mysql dir somewhere if it is installed on a different machine).

--enable-libdir=/usr/lib64 Your MySQL lib dir. Obviously it might be /usr/lib on 32-bit systems.

--disable-valias Do not store aliases in MySQL, but as dot-qmail files.
Note: it appears that dovecot-lda continues to look for .qmail-alias files even when you enable this, so this option is useless if you deliver via dovecot-lda.

--disable-passwd Don't include /etc/passwd support. I don't want to manage real users, this is just a web server.

--disable-clear-passwd The clear-text password will not be saved in the DB. If you don't want to have problems when users forget their passwords and you want to recover them quickly, switch this to --enable-clear-passwd. I also noticed that with the --disable-clear-passwd flag the change password mechanism is broken, at least on version 5.4.33 (comments are welcome).

--enable-sql-logging Maintain the vlog table in MySQL (shows failed authentication requests).

--enable-auth-logging Maintain a lastauth table in MySQL (shows when / how a user last accessed their email)

--disable-mysql-limits Limits are not stored in MySQL but in .qmailadmin-limits files.

--enable-qmail-ext Enable qmail email address extension support (emails containing dots).

Compile and install:

make install-strip

vusaged

vusaged looks up every vpopmail user and tracks how much storage space they’re using. It requires libev.

Installing libev

cd /usr/local/src
wget http://dist.schmorp.de/libev/libev-4.22.tar.gz
tar xzvf libev-4.22.tar.gz
cd libev-4.22
chown -R root.root .
./configure
make
make install
ldconfig

Installing and configuring vusaged

cd /usr/local/src/vpopmail-5.4.33/vusaged
./configure
make
cp -f vusaged /home/vpopmail/bin
cp -f etc/vusaged.conf /home/vpopmail/etc

Now copy the startup script to /etc/rc.d (Slackware) or init.d and run it. This is a Slackware example:

cp contrib/rc.vusaged /etc/rc.d/
/etc/rc.d/rc.vusaged start

Configuring

Check your ~vpopmail/etc/tcp.smtp file. This file should list all the static IPs of your machines that you want to allow to relay out to the internet. For example, to allow relaying for localhost and the local network 10.0.0.x, edit your ~vpopmail/etc/tcp.smtp as follows:

10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""

Add any other IP later, whenever you want. To give a client relay access, add an entry to ~vpopmail/etc/tcp.smtp like:

IP address of client:allow,RELAYCLIENT=""

Now build the tcp.smtp.cdb. This command must be run every time you modify tcp.smtp:

cd ~vpopmail/etc
tcprules tcp.smtp.cdb tcp.smtp.tmp < tcp.smtp
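Because tcpserver picks the most specific matching rule (the exact address first, then ever shorter dotted prefixes, then the empty default rule), a single over-broad RELAYCLIENT entry quietly turns the box into an open relay. The following Python script is an added example, not code from this article or from vpopmail/ucspi-tcp: it parses a constructed tcp.smtp, reproduces only the IP-based part of tcpserver's lookup order (TCPREMOTEINFO and TCPREMOTEHOST rules are left out), answers "can this client relay without authenticating?" and flags rules that hand RELAYCLIENT to the default rule or to a whole first-octet prefix.

```python
"""Audit a ucspi-tcp tcp.smtp rules file for relay exposure.

Added example, not code from the article or from vpopmail/ucspi-tcp.
Only the IP-based part of tcpserver's lookup order is modelled: exact
address, then shorter dotted prefixes, then the empty default rule.
TCPREMOTEINFO/TCPREMOTEHOST based rules are out of scope.
"""
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, Dict[str, str]]  # (allow|deny, environment variables)

# Constructed sample; the two RELAYCLIENT rules mirror the article's example.
SAMPLE_TCP_SMTP = """\
# relay for the office network and for the box itself
10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
# a host we never want to talk to
192.168.1.7:deny
# everybody else may connect but has to authenticate (no RELAYCLIENT)
:allow
"""

ENV_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


def parse_tcp_rules(text: str) -> Dict[str, Rule]:
    """Parse tcprules input lines of the form address:instruction[,VAR="value"...]."""
    rules: Dict[str, Rule] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        instruction, _, env_part = rest.partition(",")
        env = {name: value for name, value in ENV_RE.findall(env_part)}
        rules[addr.strip()] = (instruction.strip(), env)
    return rules


def candidate_keys(ip: str) -> List[str]:
    """Keys tcpserver tries for an IPv4 address, most specific first."""
    octets = ip.split(".")
    keys = [ip]
    for n in range(len(octets) - 1, 0, -1):
        keys.append(".".join(octets[:n]) + ".")
    keys.append("")  # the default rule
    return keys


def lookup(rules: Dict[str, Rule], ip: str) -> Rule:
    """Return the rule tcpserver would apply to a connection from ip."""
    for key in candidate_keys(ip):
        if key in rules:
            return rules[key]
    return ("allow", {})  # no matching rule: tcpserver accepts with no extra env


def can_relay(rules: Dict[str, Rule], ip: str) -> bool:
    """True if an unauthenticated client at ip gets RELAYCLIENT set."""
    instruction, env = lookup(rules, ip)
    return instruction == "allow" and "RELAYCLIENT" in env


def audit_open_relay(rules: Dict[str, Rule]) -> List[str]:
    """Flag rules that grant RELAYCLIENT far too broadly (simple heuristic)."""
    findings = []
    for addr, (instruction, env) in rules.items():
        if instruction != "allow" or "RELAYCLIENT" not in env:
            continue
        if addr == "":
            findings.append("default rule grants RELAYCLIENT: this is an open relay")
        elif addr.count(".") == 1 and addr != "127.":
            findings.append(f"rule {addr!r} grants RELAYCLIENT to a whole /8")
    return findings


if __name__ == "__main__":
    rules = parse_tcp_rules(SAMPLE_TCP_SMTP)
    for ip in ("10.0.0.25", "10.0.1.25", "127.0.0.1", "192.168.1.7"):
        print(f"{ip:15} -> {lookup(rules, ip)[0]:5} relay={can_relay(rules, ip)}")
    for finding in audit_open_relay(rules) or ["no broad RELAYCLIENT rule found"]:
        print(finding)
```

Run it against your real file with `parse_tcp_rules(open('/home/vpopmail/etc/tcp.smtp').read())`; remember that the check reads the text file, so it tells you nothing about a stale tcp.smtp.cdb that was never rebuilt with tcprules.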

Now set up a quota warning that will be delivered to users when they reach 90% of their quota:

# nano ~vpopmail/domains/quotawarn.msg

From: SomeCompany Postmaster <postmaster@yourdomain.com>
Reply-To: postmaster@yourdomain.com
To: SomeCompany User:;
Subject: Mail quota warning
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Your mailbox on the server is now more than 90% full.

So that you can continue to receive mail,
you need to remove some messages from your mailbox.

If you require assistance with this,
please contact our support department :

  email : support@yourdomain.com
  Tel   : xx xxxx xx

chmod 600 ~vpopmail/domains/quotawarn.msg
chown vpopmail.vchkpw ~vpopmail/domains/quotawarn.msg

Now adjust ~vpopmail/etc/vlimits.default. I usually limit the default user quota to 100MB (in bytes):

default_quota           104857600

Fixing vusaged bug (only vpopmail 5.4.30)

This bug appears to have been fixed in version 5.4.32. So skip this section if you’re installing 5.4.32.

Setting the default quota seems to cause this error when creating new domains:

client_connect: warning: config_begin failed
Segmentation fault

I saw the same error when creating new users via qmailadmin. This appears to be a bug in the 5.4.30 version: http://www.mail-archive.com/vchkpw@inter7.com/msg27383.html So, even if you're not using vusaged, it'll be necessary to configure vusagec.conf as Matt Brookings suggests, in order to avoid this bug:

cat > ~vpopmail/etc/vusagec.conf << __EOF__
Server:
  Disable = True;
__EOF__

If you’re interested in reading more about this, see http://comments.gmane.org/gmane.mail.qmail.admin/4761, where Matt says that vusaged isn’t needed (for quotas to work) in vpopmail version 5.4.30.

Configuring mysql back end

Create the vpopmail user and database. Grant all privileges to the vpopmail user. Then quit out of MySQL and save the authentication information for the vpopmail account into the vpopmail.mysql config file:

> /usr/local/mysql/bin/mysql [-h mysql-IP] -u root -p 

CREATE USER 'vpopmail'@'mailserver-IP' IDENTIFIED BY 'vpopmailpwd'; 

GRANT USAGE ON * . * TO 'vpopmail'@'mailserver-IP' IDENTIFIED BY 'vpopmailpwd' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE DATABASE IF NOT EXISTS `vpopmail` ;
GRANT ALL PRIVILEGES ON `vpopmail` . * TO 'vpopmail'@'mailserver-IP';

> echo "mysql-IP|0|vpopmail|vpopmailpwd|vpopmail" > ~vpopmail/etc/vpopmail.mysql

where mysql-IP is the IP of the server which runs mysqld, and mailserver-IP is the IP address where qmail is running. Usually you can specify ‘localhost’ or 0.0.0.0 for both.

Creating virtual domains and virtual users

cd ~vpopmail/bin/

To add/delete a virtual domain

./vadddomain yourdomain.net [./vdeldomain yourdomain.net]

To add/delete a virtual user

./vadduser user@yourdomain.net [./vdeluser user@yourdomain.net]

To view information about user email accounts:

./vuserinfo user@yourdomain.net

name:   user
passwd: xxxxxxxxxxxx
clear passwd: xxxxxxxxx
comment/gecos: Name Surname
uid:    0
gid:    0
flags:  0
gecos: Name Surname
limits: No user limits set.
dir:       /home/vpopmail/domains/yourdomain.net/user
quota:     104857600S

These commands can be useful, but it will be much easier to manage domains and accounts when we install the vqadmin and qmailadmin web interfaces later.

You may be interested in taking a look at this page concerning vpopmail testing.

Roundcube webmail


Roundcube is a full featured webmail with a nice interface.

RoundCube 0.8 showing its new skin

Upgrading to the 1.3.0 version

Read the release note at https://github.com/roundcube/roundcubemail/wiki/Changelog#RELEASE1.3.0 for more info.

NB: you have to enable PDO support for MySQL by compiling your php with --with-pdo-mysql

The upgrade process is quite straightforward; you simply have to untar the package in a temporary directory, move the old folder to be upgraded and run the upgrade shell script. I assume that roundcube is installed in the /usr/local/www/htdocs folder.

cd /usr/local/www/htdocs
tar xzf roundcubemail-1.3.0-complete.tar.gz
# move new version folder to a temporary folder. We'll run the update from there
mv roundcubemail-1.3.0 rc-temp
# remove the symbolic link. We'll restore it later
rm roundcube
# copy the old version's folder under the new version's name. It will be overwritten in place during the upgrade process..
cp -rp roundcubemail-1.2.5 roundcubemail-1.3.0
# restore the symbolic link
ln -s roundcubemail-1.3.0 roundcube
# Ready to start the upgrade..
./rc-temp/bin/installto.sh /usr/local/www/htdocs/roundcube/

Follow the instructions. Be aware that this process requires that the php and rsync commands are in your PATH.

At the end you can erase the temporary folder and also the old installation folder:

rm -r rc-temp roundcubemail-1.2.5

Requirements

The basic requirements are:

* .htaccess support allowing overrides for DirectoryIndex
* PHP Version 5.4 or greater including:
   - PCRE, DOM, JSON, Session, Sockets, OpenSSL, Mbstring (required)
   - PHP PDO with driver for either MySQL, PostgreSQL, SQL Server, Oracle or SQLite (required)
   - Iconv, Zip, Fileinfo, Intl, Exif (recommended)
   - LDAP for LDAP addressbook support (optional)
* PEAR and PEAR packages distributed with Roundcube or external:
   - Mail_Mime 1.10.0 or newer
   - Net_SMTP 1.7.1 or newer
   - Net_Socket 1.0.12 or newer
   - Net_IDNA2 0.1.1 or newer
   - Auth_SASL 1.0.6 or newer
   - Net_Sieve 1.3.2 or newer (for managesieve plugin)
   - Crypt_GPG 1.6.0 or newer (for enigma plugin)
   - Endroid/QrCode 1.6.0 or newer (https://github.com/endroid/QrCode)
* php.ini options (see .htaccess file):
   - error_reporting E_ALL & ~E_NOTICE & ~E_STRICT
   - memory_limit > 16MB (increase as suitable to support large attachments)
   - file_uploads enabled (for attachment upload features)
   - session.auto_start disabled
   - suhosin.session.encrypt disabled
   - mbstring.func_overload disabled
* A MySQL, PostgreSQL, MS SQL Server (2005 or newer), Oracle database
  or SQLite support in PHP - with permission to create tables
* Composer installed either locally or globally (https://getcomposer.org)

I will show how install it in a Linux/Apache/MySQL/PHP + qmail environment.

php configuration

Here is a minimal php configuration which matches all the Roundcube requirements above in my Slackware environment:

./configure \
        --with-mysql=/usr/local/mysql \
        --with-mysqli=/usr/local/mysql/bin/mysql_config \
        --with-pdo-mysql=/usr/local/mysql \
        --with-mcrypt \
        --enable-mbstring \
        --with-zlib \
        --with-bz2 \
        --enable-sockets \
        --with-openssl \
        --enable-intl \
        --prefix=/usr/local/php \
        --with-apxs2=/usr/local/apache/bin/apxs

Optional extensions

An additional recommended extension is now intl, which is bundled with PHP 5.3 and on my Slackware requires the ICU headers and libraries. In fact, during the configuration you can get this error:

checking for icu-config... no
checking for location of ICU headers and libraries... not found
configure: error: Unable to detect ICU prefix or no failed. Please verify ICU install prefix and make sure icu-config works.

Installing ICU

ICU should be available as a packet in your Linux distribution. Slackware 14.2 now includes it.

If not, configure, compile and install as usual:

cd /usr/local/src
wget http://download.icu-project.org/files/icu4c/4.8.1/icu4c-4_8_1-src.tgz
tar xzvf icu4c-4_8_1-src.tgz
cd icu
chown -R root.root .
cd source
./configure
make
make install

Enabling intl with php>=5.3

First of all install ICU, then configure php with --enable-intl

Installing Roundcube

Download the tarball from http://roundcube.net/download to your htdocs folder, untar it and set the folders' privileges:

cd /usr/local/www/htdocs
tar xzf roundcubemail-x.x.x.tar.gz
ln -s roundcubemail-x.x.x roundcube
cd roundcube
chown -R root.apache .
chmod -R o-rx .
chmod g+w logs temp

Create the mysql user and database; grant that user limited privileges. If MySQL and Apache live on the same host, use localhost as [apache-IP] in the following example:

> /usr/local/mysql/bin/mysql -u root -p

CREATE USER 'roundcube'@'[apache-IP]' IDENTIFIED BY '***';
GRANT USAGE ON * . * TO 'roundcube'@'[apache-IP]' IDENTIFIED BY '***' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;

CREATE DATABASE IF NOT EXISTS `roundcube` /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
GRANT ALL PRIVILEGES ON `roundcube` . * TO 'roundcube'@'[apache-IP]';

Now point your browser to http://url-to-roundcube/installer/ and follow the instructions. I leave the setup options at their defaults, except for the mysql interface (select mysqli if available in your http server). Don't forget to copy the database parameters and set the IMAP server IP address. Set username_domain to your default_domain and it will be sufficient to log in by typing just the username.

Copy the file defaults.inc.php to config.inc.php inside the config folder. Now set the file privileges:

cd config
chown root.apache *
chmod o-r *

If all the tests are ok remove the installer folder as recommended and disable the installer:

$config['enable_installer'] = false;

I suggest enabling these options; of course you have to adjust them to your local configuration, especially the paths to programs and files:

// Log successful/failed logins to <log_dir>/userlogins or to syslog (important to activate fail2ban later)
$config['log_logins'] = true;
// Automatically add this domain to user names for login
$config['username_domain'] = 'yourdomain.net';
// default setting if preview pane is enabled
$config['preview_pane'] = true;
// declaring the auth type speeds up the imap connection with 0.5 version!!
$config['imap_auth_type'] = NULL;
// enforce connections over https
// with this option enabled, all non-secure connections will be redirected.
// set the port for the ssl connection as value of this option if it differs from the default 443
$config['force_https'] = true;
// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is enabled).
// please provide a string of exactly 24 chars.
$config['des_key'] = '123456789123456789123456';
// Absolute path to a local mime.types mapping table file.
// This is used to derive mime-types from the filename extension or vice versa.
// Such a file is usually part of the apache webserver. If you don't find a file named mime.types on your system,
// download it from http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types
$config['mime_types'] = '/absolute/path/to/apache/conf/mime.types';
// path to imagemagick identify binary
$config['im_identify_path'] = '/usr/local/bin/identify';
// path to imagemagick convert binary
$config['im_convert_path'] = '/usr/local/bin/convert';
// use this format for date display (date or strftime format)
$config['date_format'] = 'd-m-Y';
// automatically create the above listed default folders on first login
$config['create_default_folders'] = true;
// If true all folders will be checked for recent messages
$config['check_all_folders'] = true;
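Two of the settings above carry most of the security weight: the installer must really be off and des_key must be 24 random characters rather than the placeholder shown. The script below is an added example, not code from this article or from the Roundcube project; it parses the flat `$config['key'] = value;` lines of a constructed config.inc.php, reports the settings a defender would check (installer disabled, force_https and log_logins on, des_key of the right length and not a known placeholder) and generates a fresh key. The second placeholder value is what I recall defaults.inc.php shipping with; treat it as an assumption and compare with your own copy.

```python
"""Sanity-check security-relevant settings in a Roundcube config.inc.php.

Added example; not code from the article or from the Roundcube project.
It understands only flat $config['key'] = value; lines (booleans, NULL,
integers and single/double quoted strings); arrays are kept as source text.
"""
import re
import secrets
from typing import Any, Dict, List

ASSIGN_RE = re.compile(r"^\s*\$config\['([^']+)'\]\s*=\s*(.*?)\s*;\s*(?://.*)?$")

# Values that must never stay in production: the article's sample key and,
# as an assumption from memory, the value shipped in defaults.inc.php.
PLACEHOLDER_KEYS = {"123456789123456789123456", "rcmail-!24ByteDESkey*Str"}


def _php_value(raw: str) -> Any:
    """Convert the scalar PHP literals used in config.inc.php to Python."""
    low = raw.lower()
    if low == "true":
        return True
    if low == "false":
        return False
    if low == "null":
        return None
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw  # arrays, constants, expressions: kept as source text


def parse_config(text: str) -> Dict[str, Any]:
    cfg: Dict[str, Any] = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            cfg[m.group(1)] = _php_value(m.group(2))
    return cfg


def audit_roundcube_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means the checks all passed."""
    cfg = parse_config(text)
    findings: List[str] = []
    if cfg.get("enable_installer", False) is not False:
        findings.append("enable_installer: must be false once setup is complete")
    if cfg.get("force_https") is not True:
        findings.append("force_https: not enabled, logins may travel in clear text")
    if cfg.get("log_logins") is not True:
        findings.append("log_logins: disabled, fail2ban will have nothing to act on")
    key = cfg.get("des_key")
    if not isinstance(key, str) or len(key) != 24:
        findings.append("des_key: must be a string of exactly 24 characters")
    elif key in PLACEHOLDER_KEYS or len(set(key)) < 8:
        findings.append("des_key: placeholder or low-variety value, generate a random one")
    return findings


def generate_des_key() -> str:
    """24 URL-safe characters: 18 random bytes encode to exactly 24 base64 chars."""
    return secrets.token_urlsafe(18)


# Constructed sample: the article's values, with the installer still enabled.
WEAK_CONFIG = """\
<?php
$config['enable_installer'] = true;
$config['log_logins'] = true;
$config['force_https'] = true;
$config['imap_auth_type'] = NULL;
// please provide a string of exactly 24 chars.
$config['des_key'] = '123456789123456789123456';
$config['date_format'] = 'd-m-Y';
"""

# Same file with the installer switched off and a constructed 24-char key.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "$config['enable_installer'] = true;", "$config['enable_installer'] = false;"
).replace("'123456789123456789123456'", "'Q7m!pZ2xL9vB4nK0sR8tW3yE'")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_roundcube_config(text) or ["no findings"])
    print("fresh des_key:", generate_des_key())
```

Point it at your live file with `audit_roundcube_config(open('config/config.inc.php').read())`; changing des_key invalidates the IMAP passwords cached in existing sessions and remember-me cookies, so users simply have to log in again.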