- More info on Life with qmail
- README.vdelivermail
Changelog
- Sep 14, 2023
  - simsizelimit control file defined
- Jun 18, 2023
  - defined the variable QMAILDIR in all run scripts in order to manage installations of qmail in directories different from default /var/qmail
  - /home/vpopmail is now ~vpopmail in order to manage installations of vpopmail in directories different from default /home/vpopmail
  - defined the variable TCPRULES_DIR on top of all run scripts
- Mar 2, 2023
  - vusaged moved to daemontools
Defining alias and control files
QMAILDIR=/var/qmail
echo 3 > $QMAILDIR/control/spfbehavior
echo "| ~vpopmail/bin/vdelivermail '' delete" > $QMAILDIR/control/defaultdelivery
echo 200 > $QMAILDIR/control/concurrencyincoming
echo postmaster > $QMAILDIR/control/bouncefrom
echo 20000000 > $QMAILDIR/control/databytes
echo mydomain.tld > $QMAILDIR/control/doublebouncehost
echo postmaster > $QMAILDIR/control/doublebounceto
echo 272800 > $QMAILDIR/control/queuelifetime
echo 30000000 > $QMAILDIR/control/softlimit
echo 100 > $QMAILDIR/control/maxrcpt
echo 2 > $QMAILDIR/control/brtlimit
echo 10000000 > /var/qmail/control/simsizelimit
cd /usr/local/src/netqmail-1.06
./config-fast smtp.mydomain.tld
When you run ./config-fast it will automatically populate these files: defaultdomain, locals, me, plusdomain, rcpthosts. smtp.yourdomain.tld will be the name of your MTA and it must have a valid MX record.
- defaultdomain: when you have many domains on the same server (defined later in the virtualhost file) this is the default domain.
- locals: domains that we deliver locally (qmail-send via the qmail-lspawn program). Other domains are spawned by qmail-rspawn and delivered to other MTAs. The domains listed in locals should not be confused with virtualdomains; in fact, qmail-send doesn't even read virtualdomains if the recipient domain is already listed in locals, and in that case you'll get a "no mailbox" error message. This is the reason why it's not a good idea to use a virtualdomain as the name of the MTA.
- me: the name of the server. This is the domain name that appears in the from field when you receive system messages, for instance. It's also the domain used in the HELO (i.e. the greeting at the very beginning of the SMTP conversation). It must have a valid MX record in our DNS, and also an SPF record as we'll see later.
- plusdomain: domain substituted for trailing "+".
- rcpthosts: domains that we accept mail for. Later you will see how chkuser rejects incoming emails for non-existent recipients.
- spfbehavior: concerns the SPF configuration.
- softlimit: sets soft resource limits for qmail-smtpd.
- databytes: the max number of bytes in a message (0 = no limit).
- doublebounceto: the account which will receive double-bounce messages. If you’re using my combined patch, you can erase the first line of /var/qmail/control/doublebounceto to delete these unwanted messages before they’re injected into the local queue.
- brtlimit: the maximum allowed number of not found recipients. The connection with the remote host will be closed if this number is exceeded (brtlimit patch).
- defaultdelivery: the default .qmail file. It tells qmail how to deliver the email. In case you haven't yet understood how the delivery is done, please read at this point the relaying chapter of Life with qmail and especially the README.vdelivermail that comes with vpopmail, which explains how the .qmail files are used.
- simsizelimit: we define in advance a variable for simscan, which we'll install later. It defines the maximum size in bytes of the messages that simscan will pass to spamassassin.
You can find an exhaustive presentation of all control configuration files in the Life with qmail book: http://www.lifewithqmail.org/lwq.html#configuration
Set up the primary administrator's email address. This address will receive mail for root, postmaster, and mailer-daemon. Replace postmaster@yourdomain.tld with the administrator email address (postmaster):
cd $QMAILDIR/alias
echo "postmaster@mydomain.tld" > .qmail-postmaster
ln -s .qmail-postmaster .qmail-mailer-daemon
ln -s .qmail-postmaster .qmail-root
chmod 644 .qmail*
Setup the log dirs
The log dirs belong to the qmaill.nofiles user and should not be accessible by other users:
mkdir -p /var/log/qmail
chown -R qmaill.nofiles /var/log/qmail
chgrp root /var/log/qmail
chmod -R og-wrx /var/log/qmail
chmod g+rx /var/log/qmail
Defining the supervise scripts
- References: tcpserver page
Download the startup scripts from here and untar:
cd $QMAILDIR
wget https://notes.sagredo.eu/files/qmail/supervise.tar.gz
tar xzf supervise.tar.gz
chown -R root:root rc supervise
rm supervise.tar.gz
You can see the rc executable, which is the qmail-start script, and the supervise folder:
rc
supervise/
|
|----qmail-smtpd/
|      |
|      |-----run
|      |-----log/
|             |
|             |---run
|
|----qmail-smtpsd/
|      |
|      |-----run
|      |-----log/
|             |
|             |---run
|
|----qmail-submission/
|      |
|      |-----run
|      |-----log/
|             |
|             |---run
|
|----qmail-send/
|      |
|      |-----run
|      |-----log/
|             |
|             |---run
|
|----vpopmaild/
|      |
|      |-----run
|      |-----log/
|             |
|             |---run
|
|----vusaged/
       |-----run
       |-----log/
              |
              |---run
When you create symbolic links to a supervise directory in the /service dir, the run command will be executed when /command/svscanboot is launched, i.e. at boot time.
QMAILDIR=/var/qmail
ln -s $QMAILDIR/supervise/qmail-smtpd /service
ln -s $QMAILDIR/supervise/qmail-smtpsd /service
ln -s $QMAILDIR/supervise/qmail-submission /service
ln -s $QMAILDIR/supervise/qmail-send /service
ln -s $QMAILDIR/supervise/vpopmaild /service
ln -s $QMAILDIR/supervise/vusaged /service
ln -s $QMAILDIR/admin/clear /service
Let's look in more detail at the supervise scripts that we have downloaded. Many lines are still commented out because they concern features that will be activated later. For the moment only the basic functionalities remain active.
File qmail/rc
#!/bin/sh

QMAILDIR=/var/qmail

# Comment out to disable dkim sign at qmail-remote level
DKIMSIGN=1

# $DKIMSIGN is quoted: with an unset variable, an unquoted [ -n ] is always true
if [ -n "$DKIMSIGN" ]; then
    # Sign with 2048 bit RSA. Comment out DKIMSIGNOPTIONS to sign with 1024 bit
    DKIMSIGNOPTIONS="-z 2"
    DKIMDOMAIN=`cat $QMAILDIR/control/dkimdomain`
    # DKIM sign at qmail-remote level
    exec env - PATH="$QMAILDIR/bin:$PATH" \
        QMAILREMOTE=$QMAILDIR/bin/spawn-filter \
        DKIMSIGNOPTIONS="$DKIMSIGNOPTIONS" \
        DKIMDOMAIN="$DKIMDOMAIN" \
        FILTERARGS=$QMAILDIR/bin/dk-filter \
        qmail-start "`cat $QMAILDIR/control/defaultdelivery`"
else
    # Use this if you are signing at qmail-smtpd level or you don't want to sign at all
    exec env - PATH="$QMAILDIR/bin:$PATH" \
        qmail-start "`cat $QMAILDIR/control/defaultdelivery`"
fi
Don't worry about the lines concerning the DKIM settings. The server can work with those lines active. We will cover that topic later in this guide.
File qmail/supervise/qmail-smtpd/run
#!/bin/sh

QMAILDIR=/var/qmail
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat $QMAILDIR/control/concurrencyincoming`
SOFTLIMIT=`cat $QMAILDIR/control/softlimit`
LOCAL=`head -1 $QMAILDIR/control/me`
TCPRULES_DIR=~vpopmail/etc

#export REJECTNULLSENDERS=1
#export SMTPAUTH="!cram"

# qmail-spp plugins
#export ENABLE_SPP=1
#export HELO_DNS_CHECK=PLRIV

# enable greetdelay for qmail-smtpd
export SMTPD_GREETDELAY=20
export DROP_PRE_GREET=1

# greylisting
#export JGREYLIST_DIR="$QMAILDIR/jgreylist"
#export JGREYLIST_LOG_SMTP=1

# enable chkuser
export CHKUSER_START=ALWAYS

# DKIM - SURBL configuration
# DKIMQUEUE and SURBLQUEUE are front-ends of qmail-queue
export SURBL=1 # Comment out to enable SURBL filtering
#export QMAILQUEUE=$QMAILDIR/bin/simscan # do not execute SURBL nor DKIM filtering
export QMAILQUEUE=$QMAILDIR/bin/surblqueue # executes surblfilter
export SURBLQUEUE=$QMAILDIR/bin/simscan # executes simscan after SURBL
#### qmail-dkim disabled => no dkim verification
#### to have verification active export SURBLQUEUE=$QMAILDIR/bin/qmail-dkim
#export SURBLQUEUE=$QMAILDIR/bin/qmail-dkim # executes qmail-dkim after surblfilter
export DKIMQUEUE=$QMAILDIR/bin/simscan # simscan is executed after qmail-dkim
export DKIMKEY=/usr/local/etc/domainkeys/%/default
# DKIM verification. Use carefully
export DKIMVERIFY="FGHKLMNOQRTVWp"
# allow msg without "subject" in the h= list
export UNSIGNED_SUBJECT=1
# avoid verification of outgoing messages
export RELAYCLIENT_NODKIMVERIFY=1

# turn off TLS on port 25
#export DISABLETLS="1"

# require that authenticated user and 'mail from' are identical
export FORCEAUTHMAILFROM="1"

# rcptcheck-overlimit. Limits the number of emails sent by relayclients
if [ -x $QMAILDIR/bin/rcptcheck-overlimit.sh ]; then
    export RCPTCHECK=$QMAILDIR/bin/rcptcheck-overlimit.sh
    export RCPTCHECKRELAYCLIENT="1"
fi

# enable simscan debug
#export SIMSCAN_DEBUG=4
#export SIMSCAN_DEBUG_FILES=2

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" \
    -x $TCPRULES_DIR/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 25 \
    $QMAILDIR/bin/qmail-smtpd /bin/true 2>&1
Note that the standard SMTP service (port 25) does not allow authentication.
You have to adjust the resource limit (softlimit, in bytes). Each system is different, and has different requirements. Life with qmail suggests just 2MB. You have to find the correct value by experiment, increasing it in steps of 1MB, especially once you have loaded spamassassin, clamAV and simscan (the mail scanner).
We'll cover GREETDELAY and DKIM later.
File qmail/supervise/qmail-smtpd/log/run
#!/bin/sh

LOGUSER="qmaill"
LOGDIR="/var/log/qmail/smtpd"
LOGDIRQLOG="/var/log/qmail/smtpd/qlog"

if [ -x /usr/local/bin/archive_qmail_qlog ]; then
    exec /usr/local/bin/setuidgid $LOGUSER /usr/local/bin/multilog t n5 s16777215 $LOGDIR \
        n5 s16777215 '-*' '+*qlog*' !/usr/local/bin/archive_qmail_qlog $LOGDIRQLOG
else
    exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s16777215 $LOGDIR
fi
If you want to have a dir (/var/log/qmail/smtpd/qlog) which saves separately just the "qlogenvelope" lines as follows:
@400000005855db3028811e24 qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp= pid=11928
@400000005855db322a892324 qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts= size=2689 authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp=11934 pid=11928
then create the archive_qmail_qlog script:
cat > /usr/local/bin/archive_qmail_qlog << __EOF__
#!/bin/sh
tai64nlocal >> /var/log/qmail/smtpd/qlog/qmail-smtpd.log
# let's prepare the same for qmail-smtpsd
tai64nlocal >> /var/log/qmail/smtpsd/qlog/qmail-smtpsd.log
__EOF__
chmod +x /usr/local/bin/archive_qmail_qlog
In this way we have the /var/log/qmail/smtpd/qmail-smtpd.log file with just the qlog lines in human-readable time format:
2016-01-29 13:15:17.677946500 qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp= pid=11928
2016-01-29 13:15:17.677946500 qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts= size=2689 authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp=11934 pid=11928
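As an added example (not part of the original guide or its scripts), this awk filter reads the qlog format shown above and counts, per remoteip, the qlogenvelope lines whose result is not "accepted". Only the field layout comes from the page: the function names are hypothetical, and the rejected sample lines, their addresses and the value result=rejected are constructed for illustration.

```shell
#!/bin/sh
# qlog_offenders THRESHOLD < logfile
# Prints "remoteip count" for every client that has at least THRESHOLD
# qlogenvelope lines with a result other than "accepted".
qlog_offenders() {
    awk -v min="$1" '
        / qlogenvelope: / {
            result = ""; ip = ""
            # fields are space-separated key=value pairs; values may be empty
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (!eq) continue
                k = substr($i, 1, eq - 1)
                v = substr($i, eq + 1)
                if (k == "result") result = v
                else if (k == "remoteip") ip = v
            }
            if (ip != "" && result != "" && result != "accepted") bad[ip]++
        }
        END { for (ip in bad) if (bad[ip] >= min) print ip, bad[ip] }
    ' | sort
}

# sample_qlog: the first line is the accepted entry shown on this page,
# the others are constructed samples (result=rejected is an assumed value).
sample_qlog() {
    cat <<'EOF'
2016-01-29 13:15:17.677946500 qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=smtp.senderdomain.com mailfrom=sender@senderdomain.com rcptto=user@rcptdomain.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=83.103.72.231 remoteport=43618 remotehost= qp= pid=11928
EOF
    for n in 1 2 3; do
        printf '2016-01-29 13:16:0%s.000000000 qlogenvelope: result=rejected code=550 reason= detail= helo=h.example mailfrom=a@example.org rcptto=nobody%s@rcptdomain.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=203.0.113.9 remoteport=4000%s remotehost= qp= pid=1200%s\n' "$n" "$n" "$n" "$n"
    done
    printf '2016-01-29 13:17:00.000000000 qlogenvelope: result=rejected code=550 reason= detail= helo=x.example mailfrom=b@example.org rcptto=nobody@rcptdomain.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=198.51.100.7 remoteport=40100 remotehost= qp= pid=12100\n'
}

# Clients with three or more non-accepted envelopes in the sample
sample_qlog | qlog_offenders 3
```

On a real server the input would be the qmail-smtpd.log file produced by archive_qmail_qlog instead of sample_qlog.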
You may want to rotate this log file by saving a "qlog" file like this in your logrotate configuration (/etc/logrotate.d/qlog in my Slackware):
cat > /etc/logrotate.d/qlog << __EOF__
/var/log/qmail/smtpd/qlog/qmail-smtpd.log /var/log/qmail/smtpsd/qlog/qmail-smtpsd.log {
    missingok
    notifempty
    delaycompress
    rotate 50
    daily
    minsize 2M
    create 0644 qmaill root
}
__EOF__
File /var/qmail/supervise/qmail-smtpsd/run
#!/bin/sh

QMAILDIR=/var/qmail
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat $QMAILDIR/control/concurrencyincoming`
SOFTLIMIT=`cat $QMAILDIR/control/softlimit`
LOCAL=`head -1 $QMAILDIR/control/me`
TCPRULES_DIR=~vpopmail/etc

SSL_DIR="$QMAILDIR/control"
SSL_CHROOT="$SSL_DIR"
SSL_UID=$QMAILDUID
SSL_GID=$NOFILESGID
CERTFILE="$SSL_DIR/servercert.pem"
KEYFILE="$SSL_DIR/servercert.pem"
DHFILE="$SSL_DIR/dh4096.pem"
export SSL_UID SSL_GID SSL_CHROOT
export CERTFILE KEYFILE DHFILE

#export REJECTNULLSENDERS=1
#export SMTPAUTH="!cram"

# qmail-spp plugins
#export ENABLE_SPP=1
#export HELO_DNS_CHECK=PLRIV

# This enables greetdelay for qmail-smtpd
export SMTPD_GREETDELAY=20
export DROP_PRE_GREET=1

# greylisting
#export JGREYLIST_DIR="$QMAILDIR/jgreylist"
#export JGREYLIST_LOG_SMTP=1

# enable chkuser
export CHKUSER_START=ALWAYS

# DKIM - SURBL configuration
# DKIMQUEUE and SURBLQUEUE are front-ends of qmail-queue
export SURBL=1 # Comment out to enable SURBL filtering
#export QMAILQUEUE=$QMAILDIR/bin/simscan # do not execute SURBL nor DKIM filtering
export QMAILQUEUE=$QMAILDIR/bin/surblqueue # executes surblfilter
export SURBLQUEUE=$QMAILDIR/bin/simscan # executes simscan after SURBL
#### qmail-dkim disabled => no dkim verification
#### to have verification active export SURBLQUEUE=$QMAILDIR/bin/qmail-dkim
#export SURBLQUEUE=$QMAILDIR/bin/qmail-dkim # executes qmail-dkim after surblfilter
export DKIMQUEUE=$QMAILDIR/bin/simscan # simscan is executed after qmail-dkim
export DKIMKEY=/usr/local/etc/domainkeys/%/default
# DKIM verification. Use carefully
export DKIMVERIFY="FGHKLMNOQRTVWp"
# allow msg without "subject" in the h= list
export UNSIGNED_SUBJECT=1
# avoid verification of outgoing messages
export RELAYCLIENT_NODKIMVERIFY=1

# turn off TLS on port 25
#export DISABLETLS="1"

# require that authenticated user and 'mail from' are identical
export FORCEAUTHMAILFROM="1"

# rcptcheck-overlimit. Limits the number of emails sent by relayclients
if [ -x $QMAILDIR/bin/rcptcheck-overlimit.sh ]; then
    export RCPTCHECK=$QMAILDIR/bin/rcptcheck-overlimit.sh
    export RCPTCHECKRELAYCLIENT="1"
fi

# enable simscan debug
#export SIMSCAN_DEBUG=4
#export SIMSCAN_DEBUG_FILES=2

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/sslserver -seV -Rp -l "$LOCAL" \
    -Xx $TCPRULES_DIR/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtps \
    $QMAILDIR/bin/qmail-smtpd /bin/true 2>&1
File qmail/supervise/qmail-smtpsd/log/run
#!/bin/sh

LOGUSER="qmaill"
LOGDIR="/var/log/qmail/smtpsd"
LOGDIRQLOG="/var/log/qmail/smtpsd/qlog"

if [ -x /usr/local/bin/archive_qmail_qlog ]; then
    exec /usr/local/bin/setuidgid $LOGUSER /usr/local/bin/multilog t n5 s16777215 $LOGDIR \
        n5 s16777215 '-*' '+*qlog*' !/usr/local/bin/archive_qmail_qlog $LOGDIRQLOG
else
    exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s16777215 $LOGDIR
fi
File qmail/supervise/qmail-send/run
#!/bin/sh
exec /var/qmail/rc
File qmail/supervise/qmail-send/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s16000000 n200 /var/log/qmail/send
File qmail/supervise/qmail-submission/run
This service makes the MTA also act as an outgoing relay, but the user must authenticate (with TLS encryption).
#!/bin/sh

QMAILDIR=/var/qmail
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat $QMAILDIR/control/concurrencyincoming`
SOFTLIMIT=`cat $QMAILDIR/control/softlimit`
LOCAL=`head -1 $QMAILDIR/control/me`
TCPRULES_DIR=~vpopmail/etc

# You MUST export this, otherwise you'd get a 30 sec timeout
# "!" if you want the submission feature (auth required)
export SMTPAUTH="!"

# This enables greetdelay for qmail-smtpd.
export SMTPD_GREETDELAY=3
export DROP_PRE_GREET=1

# This enables chkuser
export CHKUSER_START=ALWAYS

# This makes qmail to allow connections without TLS (default 1)
#export FORCETLS=0

# This turns off TLS on port 587 (default 0)
#export DISABLETLS=1

# Requires that authenticated user and 'mail from' are identical (default 0)
export FORCEAUTHMAILFROM=1

# rcptcheck-overlimit. Limits the number of emails sent by relayclients
#export RCPTCHECK=$QMAILDIR/bin/rcptcheck-overlimit.sh
#export RCPTCHECKRELAYCLIENT=1

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" \
    -x $TCPRULES_DIR/tcp.submission.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    $QMAILDIR/bin/qmail-smtpd \
    ~vpopmail/bin/vchkpw /bin/true 2>&1
Note the use of vchkpw in conjunction with qmail-smtpd to ensure authentication. The connection requires TLS to be enabled. This is the reason why we opened a separate secure connection on port 587 to allow remote clients to use our MTA as a relay.
The SMTPAUTH variable is related to the authentication patch. Take a look at the README.auth file for further details.
File qmail/supervise/qmail-submission/log/run
#!/bin/sh

LOGUSER="qmaill"
LOGDIR="/var/log/qmail/submission"

exec /usr/local/bin/setuidgid $LOGUSER /usr/local/bin/multilog t s16000000 n200 $LOGDIR
File qmail/supervise/vpopmaild/run
#!/bin/sh

QMAILDUID=`id -u root`
NOFILESGID=`id -g root`
VPOPMAILID=`id -g vpopmail`

exec /usr/local/bin/softlimit -m 30000000 \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -u $QMAILDUID -g $NOFILESGID 0 $VPOPMAILID \
    ~vpopmail/bin/vpopmaild 2>&1
vpopmaild is important when connecting to vpopmail via webmail to change the password, for instance.
File qmail/supervise/vpopmaild/log/run
#!/bin/sh

LOGUSER="qmaill"
LOGDIR="/var/log/qmail/vpopmail"

exec /usr/local/bin/setuidgid $LOGUSER /usr/local/bin/multilog t $LOGDIR
File qmail/supervise/vusaged/run
#!/bin/sh
exec ~vpopmail/bin/vusaged 2>&1
File qmail/supervise/vusaged/log/run
#!/bin/sh
exec setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/vusaged
cronjobs
To back up the log files of the qmail services we'll use the convert-multilog script from John Simpson (thanks to the author and to Marc for the suggestion), who describes the script as follows:
convert-multilog is a script which searches "/service/*/log/main" for any "@4*" files (the automatic cut-off files generated by multilog), converts their timestamps from tai64n to human-readable format, and writes them to /var/log/{service}.{date}. Once the lines from a given "@4*" file have been converted, the file is deleted.
The log files are saved separated by date, for example:
-rw-r--r-- 1 root root 259558 Aug 24 12:21 qmail-smtpd.2014-08-20
-rw-r--r-- 1 root root 806917 Aug 24 12:21 qmail-smtpd.2014-08-21
-rw-r--r-- 1 root root 1523116 Aug 24 12:21 qmail-smtpd.2014-08-22
-rw-r--r-- 1 root root 364022 Aug 24 12:21 qmail-smtpd.2014-08-23
Inside each file the date is now human-readable:
2014-08-23 00:31:49.503947500 tcpserver: status: 1/20
This is very useful when you have to do quick searches.
Install like this:
mkdir -p /var/log/qmail/backup
wget -O /usr/local/bin/convert-multilog https://notes.sagredo.eu/files/qmail/convert-multilog
chmod +x /usr/local/bin/convert-multilog
ln -s /var/log/qmail/send /service/qmail-send/log/main
ln -s /var/log/qmail/smtpd /service/qmail-smtpd/log/main
ln -s /var/log/qmail/smtpsd /service/qmail-smtpsd/log/main
ln -s /var/log/qmail/submission /service/qmail-submission/log/main
NB: the script that you have downloaded is my patched version, which gains compatibility with the readable time format (daemontools' multilog_readable-datetime patch). If you decided not to install that patch, then download the original convert-multilog program.
Now set up a cronjob once a day (crontab -e):
59 2 * * * /usr/local/bin/convert-multilog 1> /dev/null
Since we want to convert each log file every day, we have to rotate them on a daily basis. So we'll add something like this to our crontab:
0 0 * * * /usr/local/bin/svc -a /service/qmail-submission/log
0 0 * * * /usr/local/bin/svc -a /service/qmail-smtpd/log
0 0 * * * /usr/local/bin/svc -a /service/qmail-smtpsd/log
0 0 * * * /usr/local/bin/svc -a /service/qmail-send/log
0 0 * * * /usr/local/bin/svc -a /service/vpopmaild/log
0 0 * * * /usr/local/bin/svc -a /service/vusaged/log
qmailctl script
- Reference: Life with qmail
- Download qmailctl (thanks to Sam Tang)
As usual we will put the script in /usr/local/bin and give it the +x flag.
wget -O /usr/local/bin/qmailctl https://notes.sagredo.eu/files/qmail/qmailctl
chmod +x /usr/local/bin/qmailctl
The startup script below does the following:
- Starts/stops the services
- Calls tcprules to reload tcp.smtp.cdb and tcp.submission.cdb
- Shows the status of the services and the queue
- Shows the up/down status of some other related daemons
- Shows the date of the clamav database
Note that it starts and stops vpopmaild also, and starts both normal SMTP on port 25, and the submission service on port 587, where SMTP authentication is required to perform outgoing relay for remote users. In any event, be sure to review the service list to make sure it reflects the services you want to provide.
#!/bin/bash
#
# tx Sam Tang
#
# May 25, 2022
# a few modifications by Roberto Puzzanghera to avoid error strings in the service uptime when service is stopped
#
# Aug 07, 2022
# now the script exits if services are not started with svscanboot or the supervise script is missing
#

# Put here the services you want to manage
svclist="qmail-smtpd qmail-smtpsd qmail-submission qmail-send vpopmaild vusaged"
# Put here the services you want to monitor
servicelist="dovecot clamd freshclam spamd solr httpd mariadb fail2ban"

QMAILDIR=/var/qmail
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
TCPRULES_DIR=~vpopmail/etc

PATH=$QMAILDIR/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH

function show_uptime() {
  re='^[0-9]+$'
  org="$(svstat /service/$1 | awk '{print $2,$3,$4;}' | sed 's/up/[ up ]/g' | sed 's/down/[ down ]/g' | sed ''/up/s//`printf "\033[1\;32mup\033[0m"`/'' | sed ''/down/s//`printf "\033[1\;31mdown\033[0m"`/'')"
  sec="$(svstat /service/$1 | awk '{print $5;}')"
  if ! [[ $sec =~ $re ]]; then
    sec="$(svstat /service/$1 | awk '{print $3;}')"
  fi
  d=$(( $sec / 86400))
  h=$(( $(($sec - $d * 86400)) / 3600 ))
  m=$(( $(($sec -d * 86400 - $h * 3600)) / 60 ))
  s=$(($sec -d * 86400 - $h * 3600 - $m * 60))
  if [ $sec -le 60 ]; then
    if [[ "$(svstat /service/qmail-smtpd | awk '{print $2}')" = 'down' ]]; then
      printf "%-22s %s %s %s %s %s\n" "$1:" $org
    else
      printf "%-22s %s %s %s %s %s %s seconds\n" "$1:" $org $s
    fi
  else
    printf "%-22s %s %s %s %s %s %3s day(s), %02d:%02d:%02d\n" "$1:" $org $d $h $m $s
  fi
}

# check if qmail has been started at boot time
function svscan_check() {
  if ! pgrep -x "svscanboot" > /dev/null; then
    echo "/command/svscanboot not running. Please start qmail by running:"
    echo "qmailctl boot"
    echo "or"
    echo "/command/svscanboot"
    exit 1
  fi
}

case "$1" in
  start)
    svscan_check
    echo "Starting qmail"
    for svc in $svclist ; do
      if [ ! -x /service/$svc ]; then
        echo $svc service script not found
      elif svok /service/$svc ; then
        svc -u /service/$svc
      else
        echo $svc service not running
      fi
    done
    if [ -d /var/lock/subsys ]; then
      touch /var/lock/subsys/qmail
    fi
    ;;
  stop)
    svscan_check
    echo "Stopping qmail..."
    for svc in $svclist ; do
      if [ ! -x /service/$svc ]; then
        echo $svc service script not found
      else
        echo " $svc"
        svc -d /service/$svc
      fi
    done
    if [ -f /var/lock/subsys/qmail ]; then
      rm /var/lock/subsys/qmail
    fi
    ;;
  stat)
    svscan_check
    for svc in $svclist ; do
      if [ ! -x /service/$svc ]; then
        echo $svc service script not found
      else
        show_uptime $svc
        show_uptime "$svc/log"
      fi
    done
    echo ""
    for service in $servicelist ; do
      printf "%-22s " "$service status:"
      if (( $(ps -ef | grep -v grep | grep $service | wc -l) > 0 ))
      then
        echo -e "[ \033[1;32mup\033[m ]"
      else
        echo -e "[ \033[1;31mdown\033[m ]"
      fi
    done
    if [ -f $QMAILDIR/control/simversions.cdb ]; then
      printf "\nClamAV database updated at: "
      stat --printf=%y $QMAILDIR/control/simversions.cdb | cut -d. -f1
    fi
    if [ -f $QMAILDIR/users/assign ]; then
      printf "Total Domains: "
      wc -l < $QMAILDIR/users/assign
    fi
    echo ""
    qmail-qstat
    ;;
  doqueue|alrm|flush)
    svscan_check
    echo "Sending ALRM signal to qmail-send."
    svc -a /service/qmail-send
    ;;
  queue)
    svscan_check
    qmail-qstat
    qmail-qread
    ;;
  reload|hup)
    svscan_check
    echo "Sending HUP signal to qmail-send."
    svc -h /service/qmail-send
    ;;
  pause)
    svscan_check
    for svc in $svclist ; do
      echo "Pausing $svc"
      svc -p /service/$svc
    done
    ;;
  cont)
    svscan_check
    for svc in $svclist ; do
      echo "Continuing $svc"
      svc -c /service/$svc
    done
    ;;
  restart)
    svscan_check
    echo "Restarting qmail:"
    for svc in $svclist ; do
      if [ "$svc" != "qmail-send" ] ; then
        echo "* Stopping $svc."
        svc -d /service/$svc
      fi
    done
    echo "* Sending qmail-send SIGTERM and restarting."
    svc -t /service/qmail-send
    for svc in $svclist ; do
      if [ "$svc" != "qmail-send" ] ; then
        echo "* Restarting $svc."
        svc -u /service/$svc
      fi
    done
    ;;
  cdb)
    if ! grep '\#define POP_AUTH_OPEN_RELAY 1' ~vpopmail/include/config.h >/dev/null; then
      (cd $TCPRULES_DIR ; cat tcp.smtp | tcprules tcp.smtp.cdb tcp.smtp.tmp)
      echo "Updated tcp.smtp.cdb."
      (cd $TCPRULES_DIR ; cat tcp.submission | tcprules tcp.submission.cdb tcp.submission.tmp)
      echo "Updated tcp.submission.cdb."
    else
      ~vpopmail/bin/clearopensmtp
      echo "Ran clearopensmtp."
    fi
    ;;
  clear)
    svscan_check
    echo "Clearing readproctitle service errors with ................."
    svc -o /service/clear
    ;;
  kill)
    svscan_check
    echo "First stopping services ... "
    for svc in $svclist ; do
      if svok /service/$svc ; then
        svc -d /service/$svc
        svc -d /service/$svc/log
      fi
    done
    echo "Now sending processes the kill signal ... "
    killall -g svscanboot
    echo "done"
    ;;
  boot)
    echo "Starting qmail"
    /command/svscanboot &
    ;;
  reboot)
    $0 kill
    sleep 5
    $0 boot
    ;;
  help)
    cat <<HELP
stop -- stops mail service (smtp connections refused, nothing goes out)
start -- starts mail service (smtp connection accepted, mail can go out)
pause -- temporarily stops mail service (connections accepted, nothing leaves)
cont -- continues paused mail service
stat -- displays status of mail service
cdb -- rebuild the tcpserver cdb file for smtp
restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
doqueue -- sends qmail-send ALRM, scheduling queued messages for delivery
reload -- sends qmail-send HUP, rereading locals and virtualdomains
queue -- shows status of queue
alrm -- same as doqueue
flush -- same as doqueue
hup -- same as reload
clear -- clears the readproctitle service errors with .....................
kill -- svc -d processes in svclist, then do 'killall -g svscanboot'
boot -- Boots qmail and all services in /service running /command/svscanboot
reboot -- kill & boot commands in sequence
HELP
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|clear|kill|boot|reboot|help}"
    exit 1
    ;;
esac

exit 0
Usage
# qmailctl help
stop -- stops mail service (smtp connections refused, nothing goes out)
start -- starts mail service (smtp connection accepted, mail can go out)
pause -- temporarily stops mail service (connections accepted, nothing leaves)
cont -- continues paused mail service
stat -- displays status of mail service
cdb -- rebuild the tcpserver cdb file for smtp
restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
doqueue -- sends qmail-send ALRM, scheduling queued messages for delivery
reload -- sends qmail-send HUP, rereading locals and virtualdomains
queue -- shows status of queue
alrm -- same as doqueue
flush -- same as doqueue
hup -- same as reload
clear -- clears the readproctitle service errors with .....................
kill -- svc -d processes in svclist, then do 'killall -g svscanboot'
boot -- Boots qmail and all services in /service running /command/svscanboot
reboot -- kill & boot commands in sequence
qmailctl can be used to kill all qmail processes and to reboot the server. I use this option inside the rc.6 of my Slackware virtual server to avoid error messages when stopping or rebooting the guest. You can easily call the clear service as well.
svtools
- More info: https://github.com/kayahr/svtools
- Author: Klaus Reimer
This is a nice collection of tools to manage daemontools' services that you may want to consider. mlcat is one of those; it can cat a service's log with human-readable dates with a short command like:
mlcat qmail-smtpd
I slightly modified that script here, just to use it without the need of the "qmail-" prefix:
mlcat smtpd
Installing
cd /usr/local/src
wget https://github.com/kayahr/svtools/archive/master.zip
unzip master.zip
cd svtools-master
make
make install
mkdir /etc/sv /var/log/sv
chown root.root /etc/sv /var/log/sv
cd /usr/local/bin
rm mlcat
wget https://notes.sagredo.eu/files/qmail/mlcat
chmod +x mlcat
Allowing selected clients to send outgoing messages
Create ~vpopmail/etc/tcp.smtp and ~vpopmail/etc/tcp.submission (the latter one in case you want to enable the submission service).
Enable outgoing relay in this way:
10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
1.2.3.4:deny
:allow
Localhost and 10.0.0.0 subnet can use our MTA as an outgoing relay, 1.2.3.4 is denied, the other IPs can only send messages to the domains listed inside /var/qmail/control/rcpthosts.
tcp.smtp
0.0.0.0:allow,RELAYCLIENT=""
10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
:allow,CHKUSER_WRONGRCPTLIMIT="3"
chkuser will ban clients' IP after 3 consecutive failures.
tcp.submission
:allow,CHKUSER_WRONGRCPTLIMIT="3"
Updating cdb files
qmailctl can invoke tcprules to create the cdb file in this way:
# qmailctl cdb
Updated tcp.smtp.cdb.
Updated tcp.submission.cdb.
You must run this command every time you modify tcp.smtp or tcp.submission.
Configuring the standard SMTP service on port 25 in tcp.smtp ensures that only localhost and authorized IPs can use the SMTP service as an outgoing relay. We will accept inbound messages from outside as long as the recipient domain is included in the file /var/qmail/control/rcpthosts. When someone sends a message to a domain name not listed in rcpthosts, qmail will respond with “Sorry, that domain isn’t in my list of allowed rcpthosts (#5.7.1)”.
When you enable SMTP authentication on port 587, remote users who successfully authenticate will be allowed to send messages using our MTA.
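To check a rules file before rebuilding the cdb, the following added example (not part of the guide's scripts; the function names are hypothetical) resolves a client IP against tcp.smtp-style rules in the order tcpserver looks them up: the full address, then shorter prefixes ending in a dot, then the empty catch-all. It assumes IPv4 address rules only, as used on this page, and its sample file is constructed from the two listings above. It also shows that 0.0.0.0 matches only that literal address and flags a catch-all rule that would hand RELAYCLIENT to everyone.

```shell
#!/bin/sh
# lookup_rule FILE IP: print the instructions of the most specific rule.
# Tried in order: "a.b.c.d", "a.b.c.", "a.b.", "a.", then "" (the ":..." line).
lookup_rule() {
    lr_file=$1
    lr_key=$2
    while :; do
        lr_hit=$(awk -v k="$lr_key" '
            /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
            {
                i = index($0, ":")
                # compare as strings; the address is the text before the first ":"
                if (i && substr($0, 1, i - 1) == (k "")) {
                    print substr($0, i + 1)
                    exit
                }
            }' "$lr_file")
        if [ -n "$lr_hit" ]; then
            printf '%s\n' "$lr_hit"
            return 0
        fi
        [ -z "$lr_key" ] && return 1
        lr_key=${lr_key%.}                     # drop a trailing dot, if any
        lr_key=${lr_key%"${lr_key##*.}"}       # drop the last octet, keep the dot
    done
}

# relay_decision FILE IP: print "deny", "relay" (RELAYCLIENT is set, so the
# rcpthosts check is skipped) or "allow" (rcpthosts still enforced).
# Assumption: when no rule matches, the connection is allowed unchanged.
relay_decision() {
    rd_instr=$(lookup_rule "$1" "$2") || { echo allow; return 0; }
    case $rd_instr in
        deny*)          echo deny ;;
        *RELAYCLIENT=*) echo relay ;;
        *)              echo allow ;;
    esac
}

# catch_all_relays FILE: succeed if the catch-all rule sets RELAYCLIENT,
# i.e. every client not matched by a more specific rule could relay.
catch_all_relays() {
    ca_instr=$(lookup_rule "$1" "") || return 1
    case $ca_instr in
        deny*)          return 1 ;;
        *RELAYCLIENT=*) return 0 ;;
        *)              return 1 ;;
    esac
}

# write_sample_rules FILE: constructed sample combining the page's listings
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample rules
0.0.0.0:allow,RELAYCLIENT=""
10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
1.2.3.4:deny
:allow,CHKUSER_WRONGRCPTLIMIT="3"
EOF
}

rules=$(mktemp) || exit 1
write_sample_rules "$rules"
for ip in 127.0.0.1 10.0.0.7 1.2.3.4 0.0.0.0 0.0.0.1 203.0.113.9; do
    printf '%-12s %s\n' "$ip" "$(relay_decision "$rules" "$ip")"
done
if catch_all_relays "$rules"; then
    echo "WARNING: catch-all rule sets RELAYCLIENT (open relay)"
fi
rm -f "$rules"
```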
Running qmail at boot time
The command /command/svscanboot has been inserted in your /etc/inittab at the time you installed daemontools, or you have installed a daemontools systemd service, as already explained here.
Comments
authentication issues on port 587
jeff maina June 23, 2023 10:30
Hi Roberto, thank you so much for this guide.
I've followed the guide step by step, and I keep on getting the error "421 unable to read controls (#4.3.0)" when testing port 587 authentication
I've tried researching the issue, and I can't seem to fix the issue.
Where might I be going wrong?
authentication issues on port 587
Roberto Puzzanghera jeff maina June 23, 2023 14:33
Hi jeff, perhaps you enabled SPP and forgot to create the smtpplugins control file?
question regarding SRS
Herbert June 19, 2023 13:36
Maybe dumb question but I haven't found an answer till now:
If I have a server with multiple virtual EMail-Domains - do I need SRS configuration for only the main domain or every virtual domain?
And if yes - how is the syntax for /var/qmail/control/srs_domain?
Every domain in a new line?
Thanks in advance!
Regards,
Herbert
question regarding SRS
Roberto Puzzanghera Herbert June 19, 2023 18:38
it's not a dumb question at all :)
I have just "srs.sagredo.eu" in my srs_domain control file
libsrs2 site says https://www.libsrs2.org/docs/mta-users.html
srs_domain (string)
A domain to use in rewritten addresses. This must point only to machines which know the encoding secret used by this system since any bounces will go to the MX for this domain. This is primarily of use when a system forwards mail for multiple virtual domains, or multiple mail servers forward mail for a single domain using different secrets. It may default to something sensible on some MTAs where appropriate information is available to the SRS subsystem.
Reply | Permalink
question regarding SRS
Herbert Roberto Puzzanghera June 21, 2023 07:57
Hi Roberto,
my question was because of a problem I have with a mailserver.
Google is imho one of the most restrictive EMailproviders and with Google mailservers SRS works like a charm in my "Multidomainenvironment" with one SRS Domain for all EMaildomains I have.
But when I last checked the maillogs a mailserver complained about "forged EMail".
So I can treat this as an error from the other EMailserver not "understanding" SRS rewrites?
And besides that I recognized that spf.pobox.com is not working anymore?
Could you or anyone check if this is true and if yes maybe you could change the error message for SPF error response in the sourcecode?
Thanks in advance for your help!
Herbert
Reply | Permalink
question regarding SRS
Roberto Puzzanghera Herbert June 21, 2023 10:13
Be aware that you can always overwrite the default SPF explanation by means of the /var/qmail/control/spfexp file. BTW I'll change it with a generic explanation in the next patch release
Reply | Permalink
question regarding SRS
Herbert Roberto Puzzanghera June 21, 2023 10:28
ah - ok - didn't know this...maybe this solves some problems - I'm curious :-)
Regards,
Herbert
Reply | Permalink
question regarding SRS
Roberto Puzzanghera Herbert June 21, 2023 08:19
Hi Herbert,
> Google is imho one of the most restrictive EMailproviders and with Google mailservers SRS works like a charm in my "Multidomainenvironment" with one SRS Domain for all EMaildomains I have.
I can confirm that
> But when I last checked the maillogs a mailserver complained about "forged EMail".
> So I can treat this as an error from the other EMailserver not "understanding" SRS rewrites?
I presume that this is the answer. I haven't done tests with providers without srs.
Did you set the SPF record for your srsdomain? When I do tests with google I pass the SPF, but the DKIM sign fails, as the message is signed by the remote receiver. So it's possible that it is classified as "forged" when both SPF and DKIM fail and DMARC with them
> And besides that I recognized that spf.pobox.com is not working anymore?
> Could you or anyone check if this is true and if yes maybe you could change the error message for SPF error response in the sourcecode?
I know... anyone can suggest a free spf checker?
Reply | Permalink
smtps port 465 or submission port 587 support multiple domains ssl cert
Keng Heng. Chan April 10, 2023 07:27
Hi,
Would like to know whether the smtps port 465 or submission port 587 supports multiple domains ssl cert?
Besides using letsencrypt to create the multiple ssl cert in a single file.
Reply | Permalink
smtps port 465 or submission port 587 support multiple domains ssl cert
Roberto Puzzanghera Keng Heng. Chan April 10, 2023 07:43
Yes. There's no need for a specific support for multiple domains cert. It will accept the connection if the cert is valid
Reply | Permalink
typo in smtpsd log script
Goofy March 4, 2023 11:41
hi, I think there's a minor typo in the smtpsd log part: (I noticed it when running qmailctl stat -> log of smtpd was always 1 or 0. But the actual typo seems to be in smtpsd
Reply | Permalink
typo in smtpsd log script
Roberto Puzzanghera Goofy March 4, 2023 12:02
Yes you are right. Corrected. I'll correct the tar file as well later
Reply | Permalink
Typo?
Herbert February 24, 2023 12:46
Hi Roberto,
I think you have a typo in your manual:
Imho the last line should look like this:
and shouldn't be the "clear-service" also under /service?
Regards,
Herbert
Reply | Permalink
Typo?
Roberto Puzzanghera Herbert February 24, 2023 13:48
Yes, absolutely. Thank you, corrected
Reply | Permalink
qmailctl stat erro
Kelvin August 2, 2022 20:01
when running qmailctl stat we get the following error
Reply | Permalink
qmailctl stat erro
Roberto Puzzanghera Kelvin August 3, 2022 16:17
Look at this modified version https://notes.sagredo.eu/files/qmail/qmailctl which will output a more intelligible error message
Reply | Permalink
qmailctl stat erro
Kelvin Roberto Puzzanghera August 3, 2022 16:30
Thank you Roberto Puzzanghera
Really with this qmailctl the errors are more intelligible
follow now
But services exist in /service/
Reply | Permalink
qmailctl stat erro
Roberto Puzzanghera Kelvin August 3, 2022 20:34
Can you check that those listed symbolic links point to existing files and that those scripts are executables?
Reply | Permalink
qmailctl stat erro
Kelvin Roberto Puzzanghera August 4, 2022 01:39
Symbolic links are present in /service/
Reply | Permalink
qmailctl stat erro
Roberto Puzzanghera Kelvin August 4, 2022 07:33
Weird... Qmailctl is not finding the executables...
Let's see if the services start/stop
Reply | Permalink
qmailctl stat erro
Kelvin Roberto Puzzanghera August 4, 2022 15:37
The commands svc -u /service/qmail-smtpd and svc -d /service/qmail-smtpd are executed but return nothing, neither executed successfully nor executed with failure
Reply | Permalink
qmailctl stat erro
Roberto Puzzanghera Kelvin August 4, 2022 17:39
Let's see if they are running.
Start the server
Check if it is up
or even
Reply | Permalink
qmailctl stat erro
Anonymous Roberto Puzzanghera August 5, 2022 16:40
netstat does not return anything
Reply | Permalink
qmailctl stat erro
Roberto Puzzanghera Anonymous August 5, 2022 16:49
It appears that the smtpd run file is missing. I suggest to double check the supervise installation
Reply | Permalink
qmailctl stat erro
Kelvin Roberto Puzzanghera August 5, 2022 17:01
the run file exists follows the ls -la of all folders in the /var/qmail/supervise directory with their respective run files
Reply | Permalink
qmailctl stat erro
Roberto Puzzanghera Kelvin August 7, 2022 21:26
I modified again the qmailctl script. Now it checks that svscanboot is already running. I also added a note at the bottom of the "Configuring" page to advise systemd users to run /command/svscanboot at boot
Reply | Permalink
qmailctl stat erro
Roberto Puzzanghera Kelvin August 5, 2022 18:39
Weird.. your tests are contradictory...
Did you install the rc file in /var/qmail? If yes try to start qmail manually
Reply | Permalink
qmailctl stat erro
Roberto Puzzanghera Kelvin August 2, 2022 20:37
this is because the supervise scripts are missing...
Reply | Permalink
Received "delivery 303: failure: User_over_quota._(#5.1.1)" if MAILDIR used in .qmail-
idollar February 8, 2022 10:12
Hello,
I have performed my installation following your guide. MANY THANKS !!!!!
I would like to use direct Maildirs in the .qmail- files. In this way, I can redirect email easily to my sub-maildirs and use the ifspamh tool.
I have set the following files:
# cat .qmail-default
| /home/vpopmail/bin/ifspamh isspamuser@mydomain.org
| /home/vpopmail/bin/vdelivermail '' /home/vpopmail/domains/mydomain.org/myuser
# cat .qmail-isspamuser
/home/vpopmail/domains/mydomain.org/myuser/Maildir/.Spam/
My problem is that any email to "isspamuser@mydomain.org" is rejected with the following error:
delivery 278: failure: User_over_quota._(#5.1.1)/
I came to the conclusion that qmail-local rejects the delivery because I am not using vdelivermail in the .qmail-isspamuser file. Instead I use the regular Maildir.
My alternative is to use vdeliver but it understands the path as a "user path" and adds Maildir at the end:
# cat .qmail-isspamuser
| /home/vpopmail/bin/vdelivermail '' /home/vpopmail/domains/mydomain.org/myuser/Maildir/.Spam/
delivery 298: deferral: user_does_not_exist,_but_will_deliver_to_/home/vpopmail/domains/mydomain.org/myuser/Maildir/.Spam//can_not_open_new_email_file_errno=2_file=/home/vpopmail/domains/mydomain.org/myuser/Maildir/.Spam/Maildir/tmp/1644311037.167234.host,S=16793/system_error/
Has anyone had a similar issue ?
Any idea on how to get this done ?
Thanks in advance
Reply | Permalink
Qmailctl Script Error
Shailendra Shukla November 21, 2020 12:35
Hi Roberto ,
I followed your installation and got stuck at the qmailctl script. It gives the following error
Can you please help me on that. I have downloaded the script as per your guide. Tried by copy and pasting the script but same error message.
Regards
Shail
Reply | Permalink
Qmailctl Script Error
Shailendra Shukla Shailendra Shukla November 21, 2020 12:54
Sorry the correct error message is
Regards
Shail
Reply | Permalink
Qmailctl Script Error
Roberto Puzzanghera Shailendra Shukla November 21, 2020 13:00
it seems like the $sec variable is empty. Can you check
Reply | Permalink
Qmailctl Script Error
Shailendra Shukla Roberto Puzzanghera November 21, 2020 13:27
Reply | Permalink
Qmailctl Script Error
Roberto Puzzanghera Shailendra Shukla November 21, 2020 13:33
can you copy&paste the content of your qmailctl, please?
Reply | Permalink
Qmailctl Script Error
Anonymous Roberto Puzzanghera November 21, 2020 13:40
I downloaded the script from and I am running Centos6.10
Reply | Permalink
Qmailctl Script Error
Roberto Puzzanghera Anonymous November 21, 2020 13:47
I've no idea, but I know that $sec is empty. I would try to replace $sec with ${sec}
Reply | Permalink
Qmailctl Script Error
Shailendra Shukla Roberto Puzzanghera November 21, 2020 13:50
got it working seems like svscanboot was not working
started the same with csh -cf '/command/svscanboot &'
and then tried the script started working have added the above command to rc.local . Thanks a lot for your help.
Reply | Permalink
Qmailctl Script Error
Newb Shailendra Shukla July 27, 2021 14:00
I have the same problem with svscanboot.
Can u tell me where exactly did you copy command:
csh -cf '/command/svscanboot &'
in file rc.local?
I tried adding it above/below "exit" and svscan still doesn't work after reboot :(
Reply | Permalink
Qmailctl Script Error
Roberto Puzzanghera Newb July 27, 2021 14:08
Is your rc.local working for all the other programs that you start at boot time?
Reply | Permalink
Qmailctl Script Error
Newb Roberto Puzzanghera July 27, 2021 14:12
i got there only vpopmail there but it isn't working too after boot
Reply | Permalink
Qmailctl Script Error
Roberto Puzzanghera Newb July 27, 2021 14:16
Are you sure that your systemd is set to run your rc.local? I'm not expert of systemd because slackware doesn't use it, but I guess that there could be other ways to run a script at boot..
Reply | Permalink
Qmailctl Script Error
Newb Roberto Puzzanghera July 27, 2021 14:23
Fixed it.
It seems it is not possible to enable rc.local at startup using SystemD on Ubuntu 20.04 and u have to do it another way
Reply | Permalink
Qmailctl Script Error
Roberto Puzzanghera Newb July 27, 2021 14:25
I managed to do it in a debian 10 with systemd.
Anyhow, please, can you write a note on how you solved?
Reply | Permalink
Qmailctl Script Error
Newb Roberto Puzzanghera July 27, 2021 14:54
Of course :)
To enable rc-local service you have to:
1) Manually create a systemd service
Now enter the following text, save and close the file.
2) Enable the service on boot (enable rc.local with systemd on Ubuntu 20.04)
Next you reboot and check status:
it should be active
Reply | Permalink
Small error in guide
Gabriel Torres July 16, 2019 12:59
Hi Roberto,
I found a small mistake in the configuration published above. In this line:
The 'n' and 's' parameters are too low, and the log files are deleted too soon. To maintain coherency with the rest of the configuration, n should be 200 and s should be 16000000 in both occurrences, like this:
Please update the guide! :)
Cheers.
Reply | Permalink
Small error in guide
Roberto Puzzanghera Gabriel Torres July 16, 2019 13:37
Thanks for the hint.
s16000000 (or even s16777215 which is the maximum size allowed) is better. Instead I'm going to put n5 everywhere, in fact I'm explaining below how to backup the logs every night...
Reply | Permalink
Small error in guide
Gabriel Torres Roberto Puzzanghera July 16, 2019 16:43
Hi Roberto,
Yes, I use the backup option you published, and they are stored at /var/log/qmail/backup
The problem is that -n5 and -s10000000 is not sufficient for us, as we send out newsletters to over 400,000 subscribers. With that, the backup that is generated contains only the log entries starting at around 23h00min, i.e. the older entries are discarded automatically as they are not available at /var/log/qmail/smtpd anymore. Hence the need to increase those numbers... ;)
Cheers.
Reply | Permalink
qmail-remote not working at its full capacity
Gabriel Torres June 27, 2019 01:33
Hi Roberto,
I have a problem here that maybe you or other readers of this guide might have a better understanding about what is going on.
I have concurrencyremote configured with 120. However, qmail-send only sends, at best, 20 emails concurrently. I used to have qmail patched and installed according to a different guide, and decided to redo everything from scratch using your patch/guide to see if the problem would be solved.
While your guide solved a lot of other problems we used to have (e.g., our previous installation would accept any email and then perform any check, and now with chkuser our server only accepts "good" emails and rejects all sorts of junk, making the server to run faster and with lower loads). But it didn't solve this particular issue.
If you see, I send our newsletter this morning, and it is still sending it out. You can see we have almost 100,000 emails in queue:
But qmail-send is only sending less than 10 in parallel:
If we run qmHandle -a, qmail-send starts sending up to 120 emails in parallel, but soon after an initial burst of emails, it goes back to sending up to 20 emails concurrently at best.
I really don't know what is going on and how to diagnose this. It may be a hardware-related issue (e.g. server in need of more RAM), but I don't want to risk getting a new, more expensive server, or even adding more RAM and the problem ending up being something else.
Our server config is a dedicated quad-core Xeon X3210 with 8 GiB of RAM.
If you have any idea or heard of this issue before, please let me know.
Cheers!
Reply | Permalink
qmailctl with Debian
Gabriel Torres June 19, 2019 05:27
Hi,
This new qmailctl script is awesome, as it also shows the status of whatever additional programs/services we want.
However, in order to make it compatible with Debian, two small adjustments are required.
Cheers
Reply | Permalink
Modified of qmailctl
Sam Tang April 4, 2018 01:17
Hi Roberto, thanks for your great qmail setup guide, your website saving lots of my time.
I would like to share my qmailctl script here, this is what I had updated:
- by default when run "qmailctl stat", it will show all qmail's service uptime by seconds, I made it more readable, now will display something like "0 days, 00 hours 16 mins"
- can assign another service which related qmail for monitoring, like dovecot, clamd, freshclam...
- change "up" and "down" to green and red color.
Download: https://www.phpini.com/qmailctl
once again, thank you for your great work.
Reply | Permalink
Modified of qmailctl
Roberto Puzzanghera Sam Tang April 4, 2018 10:43
Thank you, this is very nice. I'm going to update my script and link this new one in this guide
Reply | Permalink
Modified of qmailctl
Kevin Salt Roberto Puzzanghera August 1, 2018 15:08
It would seem there is a syntax error in the script ...
I tried copy/paste of the text version above, and downloading the versions from this site and the original. All have the same error
Reply | Permalink
Modified of qmailctl
Roberto Puzzanghera Kevin Salt August 2, 2018 07:41
did you cut&paste or download the file? The second is more secure...
Reply | Permalink
Modified of qmailctl
Kevin Salt Roberto Puzzanghera August 2, 2018 07:49
As my comment says, i tried all the sources. Copy/pasted the text, and downloaded from both source location. I've also found lots of issues with warnings and some errors when coming with gcc 4.8 (especially simscan).
In the end i just have to and referred to my old installation with upgraded spamassassin and clamav.
Reply | Permalink
Modified qmailctl
zinkro Kevin Salt November 26, 2018 17:05
hi,
for sh 4.4 just simply delete 'function' from line 16, is not necessary declare functions with this.
Reply | Permalink
Modified qmailctl
GoofY zinkro April 10, 2019 08:21
THNX a lot, fixed it in my case! (Debian 9.8).
Reply | Permalink
SRS
Kenneth Dalbjerg September 19, 2017 21:05
Hi
I have a little problem with the SRS.
I have configured it, and it is also working just fine; the address gets rewritten and so on.
But if we get a bounce back, the mail will not be delivered to the right sender address; it will try to deliver it to the SRS rewritten address.
Does anyone know what I am missing?
Reply | Permalink
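The bounce path raised in the SRS comments above, as an added example that is not part of any comment or of the qmail patch: a simplified SRS0 rewrite and its reversal, showing why a bounce addressed to the rewritten sender can only be mapped back by a host that holds the secret and answers for srs_domain. The domain, secret and 21-day limit are constructed values, and the hash encoding follows the general SRS0 layout without claiming byte compatibility with libsrs2.

```python
import base64
import hashlib
import hmac

# All values below are constructed for illustration.
SRS_DOMAIN = "srs.example.net"       # what control/srs_domain would hold
SECRET = b"constructed-srs-secret"   # the forwarder's private SRS secret
MAX_AGE_DAYS = 21                    # assumed validity window for bounces
HASH_LEN = 4                         # characters of the HMAC kept in the address
SLOTS = 1024                         # timestamp = day number modulo 1024
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def stamp(day):
    """Encode a day number as the two base32 characters used in SRS0."""
    slot = day % SLOTS
    return B32[slot >> 5] + B32[slot & 31]


def unstamp(text):
    """Decode a two-character timestamp back to its slot (0..1023)."""
    text = text.upper()
    if len(text) != 2 or any(c not in B32 for c in text):
        raise ValueError("malformed SRS timestamp")
    return (B32.index(text[0]) << 5) | B32.index(text[1])


def tag(secret, ts, host, user):
    """Truncated HMAC-SHA1 binding timestamp, original host and user."""
    msg = (ts + host + user).lower().encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:HASH_LEN]


def srs_forward(sender, day, secret=SECRET):
    """Rewrite the envelope sender of a forwarded message (SRS0 case only)."""
    user, _, host = sender.rpartition("@")
    if not user or not host:
        raise ValueError("not a full address: %r" % sender)
    ts = stamp(day)
    return "SRS0=%s=%s=%s=%s@%s" % (
        tag(secret, ts, host, user), ts, host, user, SRS_DOMAIN)


def srs_reverse(rcpt, today, secret=SECRET):
    """Map a bounce recipient back to the original sender, or refuse."""
    local, _, domain = rcpt.rpartition("@")
    if domain.lower() != SRS_DOMAIN or not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address for this forwarder")
    parts = local[5:].split("=", 3)
    if len(parts) != 4:
        raise ValueError("malformed SRS0 local part")
    seen, ts, host, user = parts
    # Without the secret the hash cannot be recomputed, so a forged or
    # altered address is rejected here instead of being relayed.
    expected = tag(secret, ts, host, user)
    if not hmac.compare_digest(seen.encode(), expected.encode()):
        raise ValueError("hash mismatch")
    # Modular subtraction handles the wrap from slot 1023 to slot 0.
    if (today - unstamp(ts)) % SLOTS > MAX_AGE_DAYS:
        raise ValueError("expired")
    return "%s@%s" % (user, host)


if __name__ == "__main__":
    day = 19620  # constructed day number (days since the epoch)
    rewritten = srs_forward("alice@sender.example", day)
    print(rewritten)
    print(srs_reverse(rewritten, day + 3))
```

If the reversal step never runs for mail arriving at the SRS domain, the bounce stays addressed to the rewritten SRS0 recipient, which matches the symptom described in the comment above.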
pop3 port
Steve Conrad April 27, 2017 02:49
One minor typo I noticed was that your supervise script has the pop server running on port 89 (the vpopmail uid) rather than the usual port 110. Probably this wasn't what you had in mind. Thanks for the great guide.
Reply | Permalink
I'm referring to qmail
Steve Conrad Steve Conrad April 29, 2017 21:31
I'm referring to qmail/supervise/vpopmaild/run from your tarball and listed just up the page a bit from here. That last 89 should probably be a 110 instead. Looks like the vpopmail UID got typoed in place of the intended port number.
Not so sure about running vpopmaild as root either. I think you want to be doing that as vpopmail so as to access the maildirs it owns.
#!/bin/sh
QMAILDUID=`id -u root` # wouldn't this be better off as "-u vpopmail"
NOFILESGID=`id -g root` # and "-g vchkpw"?
Reply | Permalink
No it is not the pop3 service
roberto puzzanghera Steve Conrad May 1, 2017 20:29
No it is not the pop3 service (pop3 is served by dovecot in my configuration). vpopmaild is a daemon that you can use to connect and talk with vpopmail. Dovecot and roundcube can use it to change the passwords, for instance
Reply | Permalink
uh.. I don't remember to have
roberto puzzanghera Steve Conrad April 27, 2017 08:20
uh.. I don't remember to have published any note about qmail-pop3d... can you provide a link to the page please?
Reply | Permalink
Hello,
Al March 21, 2017 16:09
Hello,
I set everything like you wrote in this tutorial and everything works well, but I have a problem with receiving error message from postmaster when I send email to unknown user.
Instead from postmaster@example.com I get error message from "postmaster@mail.example.com"@mail.example.com
Do you know how can I fix that to get message from postfix@domain.net instead of postmaster@fqdn_hostname?
Thank you,
Al
Reply | Permalink
on qmail the hostname of the
roberto puzzanghera Al March 21, 2017 16:50
on qmail the bounce sender is from the control/bouncefrom file, which is postmaster in my configuration. postmaster is defined by the alias .qmail-postmaster as explained above
Reply | Permalink
Hi Roberto,
Al roberto puzzanghera March 22, 2017 09:10
Hi Roberto,
I now realized that I should get system messages from postmaster@FQDN instead of postmaster@HOSTNAME (e.g. postmaster@mail.example.com instead of postmaster@example.com) just like you wrote in this tutorial.
Also, I changed /control/bouncefrom file and put only "postmaster" instead of "postmaster@example.com", so now I receive mails from postmaster@mail.example.com instead of "postmaster@mail.example.com"@mail.example.com just like I wanted
Thank you for your support
Reply | Permalink
qmail generating log@myserver.net emails which bounce?
George Cooke October 1, 2015 20:56
Hi Roberto once again thanks for this guide, it's the best Linux guide i've ever seen, so perfect and thorough!
But I have a problem, when I send mail from gmail to a valid vpopmail user at my qmail server, the mail is delivered fine, but the external sender additionally gets a postmaster bounce email from my qmail server about a log@[myserver.net] delivery failure, saying that user doesn't exist like this:
Also, my logs don't seem to have the extra timestamps and message-ID's that yours do, so obviously it's something wrong with logging but I can't figure out what/where the problem is!
+I am also using the netqmail-1.06-exttodo-channels patch: (info, patch file) - I had to patch the failing hunks myself, but it seems to work, hope that's not causing the logging problem; in the log below that's what the suppl[N] queues are for.
You can see what it's doing in the qmail-send log below, it seems to be generating a log@ email for every send, hence the double bounce at the end.
In the below log:
- myserver.net is my qmail server I am setting up (the one I followed your guide on):
- user@gmail.com is the user who sent the mail to my vpopmail user, and who receives the postmaster bounce email above (about log@myserver.net failing).
- test@myserver.net is the valid vpopmail user who receives the mail from the gmail user ok.
Thanks!
Reply | Permalink
Hi George, I can't guarantee
roberto puzzanghera George Cooke October 1, 2015 20:58
Hi George, I can't guarantee that the patch you applied on top of my package will not interfere in some way..
Anyway, as mentioned above in the "Improved qmail-send log" paragraph, you have an email to log@yourdomain just to record the Message-ID in the qmail-send log. You may want to revert that qmail-queue-extra patch or double check your configuration, in particular the content of the file .qmail-log
Reply | Permalink
Thanks for getting back to me
George Cooke roberto puzzanghera October 1, 2015 21:00
Thanks for getting back to me Roberto it's really appreciated!
I did realise it was something to do with the logging, but now I realise how it actually works, it's smart, you send an internal email to the log@ which is the command to log! So I can tell now, something is thinking log@ doesn't exist and therefore:
1. It's sending a bounce
2. The enhanced logging is not working.
So I just have to figure out why it's deciding log@ doesn't exist when actually it does according to qmail alias config.
Thanks a million, your work has really helped us!
Reply | Permalink
log alias applies to local domain
Norbert George Cooke October 14, 2015 15:08
Reply | Permalink
Alternative way for rotating log files of qmail services
Marc August 23, 2014 13:54
Hello,
as an alternative for rotating the log files from the qmail services i use the convert-multilog script from John Simpson, who describes the script function as follows:
To make the script work with this tutorial, you have to create the following links:
Then you have to create a cronjob:
I like this one because i have the log files inside my /var/log/ dir and the logfiles have normal timestamps.
Cheers
Reply | Permalink
I modified this page with
roberto puzzanghera Marc August 25, 2014 20:43
I modified this page with your suggestion :)
Reply | Permalink
This is very interesting
roberto puzzanghera Marc August 24, 2014 11:16
This is very interesting. I think I'll use it as soon as possible. Thank you
Reply | Permalink
tcpserver binding on ipv4 & ipv6 machine
Marc August 17, 2014 08:18
I have ipv4 & ipv6 enabled on a Debian wheezy 64 machine and tcpserver binds the services only to ipv6 ports. I have to use the option -4 in the run files to use it with ipv4. But then ipv6 is not possible anymore. In your standard run files the Option 0 is used which should bind tcpserver to any available IP address on any interface according to the tcpserver doc. Do you have a clue why tcpserver binds the service ports only to ipv6?
Reply | Permalink
ucspi-tcp6
roberto puzzanghera Marc August 17, 2014 09:19
Are you using the new e.h.'s tcpserver program http://www.fehcom.de/ipnet/ucspi-tcp6/tcpserver.html? In that case I would try to test the -6 option.
Reply | Permalink
hi roberto, thanks for
Marc roberto puzzanghera August 17, 2014 10:41
hi roberto, thanks for answering so fast. i'm using the package ucspi-tcp6-1.00. I have tried the -6 option and the result is the same as without the option (binding only to ipv6). For now i will use the -4 option so that i can use the installation with ip4. When i have more time i will take a closer look. Thank you for this tutorial. It has helped me much.
Reply | Permalink
Why GREETDELAY in qmail-submission/run?
Otto Dandenell August 14, 2014 11:47
Hi,
First off, thanks for your excellent notes / tutorial. I am building a new server 10 years after the last time I did it. It's so wonderful to have these step-by-step instructions, and all the patches consolidated.
I am curious about the 5 second greet delay in the submission service. Even that low number causes IT stress when I test the outgoing mail using Thunderbird.
Since the submission service requires STARTTLS and authentication, spammers are stopped anyway, aren't they?
Regards
/ Otto Dandenell, Sweden
Reply | Permalink
Hi Otto, thanks for your
roberto puzzanghera Otto Dandenell August 14, 2014 18:35
Hi Otto, thanks for your comment.
From time to time I get heavy attacks on port 587 due to spammers who try to guess users' passwords. Last time it was 2 days with 1 attempt every few seconds. I see them in /var/log/maillog
I think that 5 seconds is a little stress for users, but a verrrry big loss of cpu time for spammers, if you multiply 5s times the number of attempts spanned in a couple of days :-)
anyway it's much better to have a firewall filter like fail2ban and avoid to use that GREETDELAY (https://notes.sagredo.eu/en/qmail-notes-185/setting-up-your-firewall-with-fail2ban-170.html). Maybe it's better to comment out that line on the run script and advise to use it just in case fail2ban is not active.
And time ago I read that a lot of spammers drop the connection if a GREETDELAY of just a couple of seconds is set, but comments are welcome on the purpose
best regards
Roberto
Reply | Permalink
Roberto,Thanks for clearing
Otto Dandenell roberto puzzanghera August 15, 2014 08:55
Roberto,
Thanks for clearing that up. I'll have a look at fail2ban.
Regards
/ Otto
Reply | Permalink
Minor tweak for your supervise/vpopmaild/run script
Aaron November 27, 2012 21:03
I appreciate that you are keeping your documentation referencing /var/qmail for the most part. The supervise/vpopmaild/run script has a reference to "/usr/local/qmail/..." instead of "/var/qmail/.." while the rest of your scripts reference "/var/qmail". Up to you if you want to fix it, of course. I caught it because I don't use /usr/local/qmail and it was causing an error in readproctitle.
Thanks for the great work!
Reply | Permalink
Thanks
roberto puzzanghera Aaron November 27, 2012 21:24
Thanks, Aaron. Actually the variable MAXSMTPD was not used by tcprules and I have corrected the vpopmaild/run script
Reply | Permalink
Forcetls error....
Anonymous September 15, 2011 20:10
Hi, I have a problem with Gmail & roberto-netqmail-1.06.patch-2011.07.27. The problem concerns the Forcetls patch. The history of the disease:
tcprules:
Qmail run script (Submission):
The server is working properly:
Result (swaks):
If I disable FORCETLS (export FORCETLS="1"), login works fine. My OS: Gentoo Hardened with grsec / Pax
Fortunately, for the moment I test the server in his home, but soon I'm going to run it on a server at work (~ 300 users)
Can I count on any suggestions to solve the problem?
Cheers ;)
Reply | Permalink
RE: force-tls
roberto puzzanghera Anonymous September 17, 2011 11:14
I haven't tested my patch in conjunction with spamdyke. I would try to do a test disabling it.
Reply | Permalink
Thanks
Jacekalex roberto puzzanghera September 17, 2011 16:46
Indeed, Spamdyke was guilty.
When Spamdyke was compiled with the flag -tls, the problem disappeared.
Thank You
Cheers
:)
Reply | Permalink
It doesn't put the mail in vpopmail
Remo Jacekalex February 18, 2013 17:45
Hi Roberto, thanks for the info you posted, but it doesn't put the mail in new under vpopmail. The logs show that it arrives but it can't be seen; also it doesn't let me connect on 587 or 25 to send mail. Suggestions?
Thanks
Reply | Permalink
SMTPAUTH
roberto puzzanghera Remo February 18, 2013 20:57
regarding the problem of sending remotely, the qmail-auth patch requires the SMTPAUTH variable to be exported in the run file. If it is left empty it is possible to authenticate with LOGIN or PLAIN
Reply | Permalink
Hi Remo, are you following my
roberto puzzanghera Remo February 18, 2013 19:47
Hi Remo,
are you following my guide step by step? Which LDA are you using?
as for sending remotely, as you surely know it is necessary to couple qmail-smtpd with vchkpw in your run file; see, if you like, the examples on the configuration page, but they are very standard run files, as you can see. Are you using my patch, with E. Hoffmann's qmail-auth?
If you like, post the logs; if you prefer, send them to me privately (contact button at the top)
Roberto
Reply | Permalink