netqmail-1.06 - basic setup

September 10, 2024 by Roberto Puzzanghera 34 comments

Changelog

  • Sep 10, 2024: the original netqmail sources are now compatible with latest gcc compilers.


Remove all existing MTA's like sendmail:

rm /usr/sbin/sendmail

For Slackware users:

removepkg /var/log/packages/sendmail*

Create users and groups:

groupadd nofiles
useradd -g nofiles -d /var/qmail/alias alias
useradd -g nofiles -d /var/qmail qmaild
useradd -g nofiles -d /var/qmail qmaill
useradd -g nofiles -d /var/qmail qmailp
groupadd qmail
useradd -g qmail -d /var/qmail qmailq
useradd -g qmail -d /var/qmail qmailr
useradd -g qmail -d /var/qmail qmails

The original netqmail-1.06 sources won't compile with latest gcc versions. I solved all the compilation breaks/warnings up to gcc-14.2 and loaded the final result to my github space. Let's download netqmail-1.06 from there and compile:

cd /usr/local/src
git clone -b netqmail-1.06 https://github.com/sagredo-dev/qmail.git
cd qmail
make setup check

qmail will be patched, recompiled and configured once vpopmail has been installed.

Create a symbolic link of the sendmail program

ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail

In his book The qmail Handbook, Dave Sill explains why we need to create a symbolic link for sendmail:

Because Sendmail was the de facto Unix MTA for years, many scripts and utilities run it directly to send mail messages. For this reason, qmail and other Unix MTAs provide a sendmail replacement that emulates Sendmail’s behavior for injecting message. Qmail’s sendmail resides in /var/qmail/bin/sendmail, so we’ll symbolically link it to the traditional location of Sendmail’s sendmail:

Add bin dir to your PATH and man dir to MANPATH

PATH=$PATH:/var/qmail/bin
export PATH
MANPATH=$MANPATH:/var/qmail/man
export MANPATH

Remember to save the new PATH and MANPATH in your profile (usually /etc/profile) also.

Comments

Suggestion

In your github readme file under the getting started section you really ought to link to the information on this page.  It would save a ton of frustration.

Reply |

Suggestion

Thanks for the hint, even though it's quite obvious that the patch page is not a standalone page and that it is part of a complete guide

Reply |

git clone qmail

no need of autorisation - just:

git clone -b netqmail-1.06 https://github.com/sagredo-dev/qmail.git

Reply |

Qmail + HAproxy

Hi Roberto,

Firstly, I'd like to express my gratitude for the invaluable tutorials you've been providing. I've been an ardent follower for years and have found your content indispensable.

Recently, I've embarked on a project where I've positioned three qmail-submission servers (587) behind an HAPROXY. Although Haproxy integrates seamlessly with Dovecot and qmail-submission, I've run into a bit of a snag. With qmail, I'm facing challenges capturing the proxy protocol header. Consequently, all connections on port 587 appear to originate from the Haproxy's IP address. This has been a persistent issue over the past few months, and my efforts to find an SMTP level balancing solution for qmail haven't borne fruit.

I was wondering if you might have come across any resources or solutions pertaining to the use of qmail with Haproxy? Furthermore, based on your expertise, do you have any suggestions or recommendations tailored for my specific scenario?

Your insights would be invaluable, and I truly appreciate your time and assistance.

Reply |

Qmail + HAproxy

Hi Favio,

thanks for your appreciation. Unfortunately I'm afraid I can't be of any help as I don't use Haproxy. However, it's not very clear to me what happening whan you say that you're facing challenges capturing the proxy protocol header...

Reply |

Qmail + HAproxy

Roberto,
Thanks for answering me.

When using a proxy with haproxy, the IP we have for the qmail connection is the proxy's IP and I then need to capture the real IP of the request to change the information for log, but this information is sent by haproxy in the header. I understand that qmail does not have an option to handle this in which I can inform that SMTP is receiving connections from a proxy, as is done in dovecot and postfix.

So I was wondering if you have any patch suggestions or other scalable options for qmail-smtp?

Reply |

Qmail + HAproxy

Have you considered to use the dovecot submission service in front of qmail SMTP? I'm wondering if qmail will see the client IP when dovecot is behind your proxy and qmail-smtpd

Reply |

qmail-smtpd and OAUTH

Hi Roberto, would you know if it is possible to use qmail-smtpd with OAUTH authentication?

Reply |

qmail-smtpd and OAUTH

I'm not aware of any patch to do oauth authentication

Reply |

read failed error

Dear Roberto,

Happy New Year to you in advanced.

I have a user who is using IP 14.100.x.x sending email via my server with an internet IP of 10.10.12.10. I do not have any idea what is this IP 10.236.225.108

@400000005684afa602fb6f74 tcpserver: pid 12093 from 14.100.x.x
@400000005684afa602fdc51c tcpserver: ok 12093 0:::ffff:10.10.12.10:587 :14.100.x.x::13162
@400000005684afab1905bd24 qmail-smtpd: read failed: (null) from 14.100.x.x to (null) helo [10.236.225.108]
@400000005684afab19137cac tcpserver: end 12093 status 256
@400000005684afab19138864 tcpserver: status: 0/20

Do you have a clue what is going on? How can i allow this email to go through?

Thanks

nic

Reply |

Happy new year, Nic

Happy new year, Nic

I think 10.236.225.108 should be the helo of the client. I don't know why it is using such an ip. You can get the same log testing from command line..

Reply |

SSL3 error

Hi Roberto,

I am begining to see bounces like this.

TLS connect failed: error:14082174:SSL

routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small; connected to 202.79.217.55.

I'm not going to try again; this message has been in the queue too long.

May i know what is wrong? What should i do?

Many thanks

nic

Reply |

Fix TLS_connect_failed:_error:14082174:SSL_routines:SSL3_CHECK

Hi,

A few days ago I notice a user of the same problem as you relate, indeed it seems that the problem is due to the version of openssl on the remote server (currently have the latest version of openssl).

Downgrading openssl, it does not seem the most appropriate, since in particular the openssl is quite important.

To resolve the issue I made an exception ssl check for these remote hots.

I leave the steps in case help someone:

mkdir /var/qmail/control/notlshosts
touch /var/qmail/control/notlshosts/domain.com

(If you do not know the mx record of the domain you can use: "dig mx domain.com")

touch /var/qmail/control/notlshosts/mail.domain.com

qmailctl restart

Done! --> @4000000055943b8f3a664b64 delivery 1: success: IP_accepted_message./Remote_host_said:_250_2.0.0_t61JC5iW004986_Message_accepted_for_delivery/

Reply |

I will update this thread,

I will update this thread, sorry if it is the wrong place. I'm still going on with my hardening steps on my qmail server.

I'm trying to fix this output from a penetration testing scan:

- Deprecated SSLv2 and SSLv3 Protocol Detection

- Check for SSL Weak Ciphers

These two issues refer to my qmail ssl submit service running on port 465 (submission service on 587 is already ok, thanks to this line in the /var/qmail/ssl/env/tls.env file:

CIPHERS="TLSv1+HIGH:!SSLv3:!SSLv2:!MD5"

Dovecot is alreay fine with this:

10-ssl.conf:ssl_protocols = !SSLv2 !SSLv3

I tried to put this content  in the /var/qmail/control/tlsserverciphers:

ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM

but this breaks all the submission services (I get an "unknown error" both on 465 and 587 ports).

Question is, how can I disable SSLv2/SSLv3 and all the weak cyphers for 465 qmail service ?

Thank you !

Reply |

I gueess it's an openssl

I guess it's an openssl related error, but I've never seen it...

Reply |

Dear Roberto,I realised it

Dear Roberto,

I realised it is the openssl package 1.0.1e-30.el6.9 is causing this. I had downgraded to 1.0.1e-30.el6.8.x86_64 and it is working fine.

Many thanks

nic

Reply |

qmail-smtpd: read failed:

Hi, I am getting alot of in my /var/log/qmail/smtpd/current qmail-smtpd: read failed: & qmail-smtpd read failed (null) And i realized alot of legit emails are rejected by these. Any idea what does this means and how to solve this issue? Many thanks again nic

Reply |

qmail-smtpd: read failed:

Hi Roberto,

I see the exact same behavior here. About 5,000 transactions listed as "read failed" in our qmail-smtpd log per day, all from legit transactional emails coming from our webserver (i.e., relay). Following the logs, I can see a corresponding entry at the qmail-send log, at about the same time, saying the email was delivered succesfully. So we can assume the emails are being delivered correctly. Why this error is being logged is something we need to investigate further, looking at the source code to understand why it is being shown. We didn't have these error messages with our previous qmail installation, following a different (outdated) guide.

Cheers!

Reply |

qmail-smtpd: read failed:

webserver? did you mean messages coming from your mail server?

Reply |

Hi Nic,they are rejections

Hi Nic,

they are rejections due to bad smtp syntax by the client, definitely a spam or a bot bad connection attempt. Me too have tons of such lines in the log and never had a complaint for an unreceived msg :)

These days I'm looking for an additional patch just to improve the verbosity of smtpd, which would help to show more details of such rejections...

Reply |

Hi Roberto,Seem like these

Hi Roberto,

Seem like these emails are from a copier. The user is trying to scan some documents from the copier to an email address on the server.
The email address used to send from the copier is not authenticated. It is the ISP's email address which do not need to be verifed.
Thus the emails were rejected by spamdyke. I had then added the email into whitelist_senders but still got rejected by spamdyke.

Guess i will have to check with the spamdyke mailing list

Thanks
nic

Reply |

qmail-smtpd: read failed

Hi Roberto!

First, sorry my bad english...

I was looking for the same error, qmail-smtpd: read failed.
In may case, i see many real messages refused from server at logs, but the message is received in user account.

I think the sending server received errors and try to send again.

I received report from user when he received same message many times... and, i search logs and look this...

From he user, sender is real person using Gmail...

Looking qmail-smtp logs, i see other cases, many messages sent by Bots or spammers and others reals..

In case of spam, i see at Spam Folder at RoundCube, many copies of same message, again, i think this because sending server received errors and try to send again.

You have any idea ?

I'm look for timeout from qmail, but the default values is big at time:

timeoutconnect: (Default.) SMTP client connection timeout is 60 seconds.
timeoutremote: (Default.) SMTP client data timeout is 1200 seconds.
timeoutsmtpd: (Default.) SMTP server data timeout is 1200 seconds.

[] s

Tiago

Reply |

Hi Tiago, can you show the

Hi Tiago, can you show the logs of those failures?

Reply |

qmail-smtpd: read failed - LOGS

Yes, see two cases bellow:

First:

2014-11-04 09:46:20.006514500 tcpserver: pid 21642 from 209.85.217.179
2014-11-04 09:46:20.008674500 rblsmtpd: ::ffff:209.85.217.179 pid 21642: greetdelay: 30
2014-11-04 09:46:53.645219500 CHKUSER accepted sender: from <xxxxxxx@gmail.com::> remote  rcpt <> : sender accepted
2014-11-04 09:46:54.054991500 CHKUSER accepted rcpt: from <xxxxxxx@gmail.com::> remote  rcpt <my_client@domain.com.br> : found existing recipient
2014-11-04 09:55:19.411489500 simscan:[21642]:CLEAN (-0.10/9.50):505.0341s:=?UTF-8?B?XXXXXXXXXX=?=:::ffff:209.85.217.179:xxxxxxx@gmail.com:my_client@domain.com.br
2014-11-04 09:55:19.947539500 qmail-smtpd: message accepted: xxxxxxx@gmail.com from ::ffff:209.85.217.179 to my_client@domain.com.br helo mail-lb0-f179.google.com
2014-11-04 09:55:19.947546500 qmail-smtpd: read failed: xxxxxxx@gmail.com from ::ffff:209.85.217.179 to my_client@domain.com.br helo mail-lb0-f179.google.com
2014-11-04 09:55:19.948518500 tcpserver: end 21642 status 256

Second:

2014-11-04 11:04:58.791132500 tcpserver: pid 3848 from 200.169.101.24
2014-11-04 11:04:58.791297500 tcpserver: ok 3848 0:::ffff:192.168.0.141:25 :200.169.101.24::53778
2014-11-04 11:04:58.792396500 rblsmtpd: ::ffff:200.169.101.24 pid 3848: greetdelay: 30
2014-11-04 11:05:30.449029500 CHKUSER accepted sender: from <FROM@trucofXX.com.br::> remote  rcpt <> : sender accepted
2014-11-04 11:05:30.735536500 CHKUSER accepted rcpt: from <FROM@trucofXX.com.br::> remote  rcpt <my_other_client@other_domain.com.br> : found existing recipient
2014-11-04 11:06:38.809496500 simscan:[2112]:CLEAN (1.60/9.50):160.2689s:=?iso-8859-1?Q?RES__XXXXXXXXXXXXXXXXx?=:::ffff:200.169.101.24:FROM@trucofXX.com.br:my_other_client@other_domain.com.br
2014-11-04 11:06:38.961131500 qmail-smtpd: message accepted: FROM@trucofXX.com.br from ::ffff:200.169.101.24 to my_other_client@other_domain.com.br helo nomer-spool-2a.nomer.com.br
2014-11-04 11:06:38.961179500 qmail-smtpd: read failed: FROM@trucofXX.com.br from ::ffff:200.169.101.24 to my_other_client@other_domain.com.br helo nomer-spool-2a.nomer.com.br
2014-11-04 11:06:38.962129500 tcpserver: end 2112 status 256

I'm borred mails and subjects, minus @gmail.com at first

I noticed that the scan time of spamd is high at many cases... but not all

[] s

Reply |

you have to investigate about

you have to investigate about that read-failure... have you performed all suggested tests to your mail server? If yes, send me in private a telnet session on port 25 recorded when receiving a message from the outnet. Or you can enable recordio as explained here towards the bottom of the page http://notes.sagredo.eu/node/22

Reply |

554 Error

Hi,

I had installed a toaster base on your tutorial. Everything is running good. But my setup will not be able to accept mails from Yahoo. I had tested almost all the free mail available and found out that Yahoo is the only 1 with issue.

It just bounced with the error below

Sorry, we were unable to deliver your message to the following address.

<nicholas@domain.com>:
Remote host said: 554 mail server permanently rejected message (#5.3.0) [BODY]

I had check my log, and i am very sure the server received it well.

/var/qmail/smtpd/current

@4000000050852ba3254e2db4 CHKUSER accepted sender: from <username@yahoo.com::> remote <nm26-vm0.bullet.mail.ne1.yahoo.com:unknown:98.138.91.68> rcpt <> : sender accepted
@4000000050852ba338cf348c CHKUSER accepted rcpt: from <username@yahoo.com::> remote <nm26-vm0.bullet.mail.ne1.yahoo.com:unknown:98.138.91.68> rcpt <nicholas@domain.com> : found existing recipient
@4000000050852ba5330c811c simscan:[10602]:CLEAN (1.70/5.00):1.6457s:TEST:98.138.91.68:username@yahoo.com:nicholas@domain.com
@4000000050852ba616a1e06c tcpserver: end 10602 status 0
@4000000050852ba616a1ec24 tcpserver: status: 0/20

/var/log/maillog
Oct 22 19:18:50 fantastic spamd[6695]: spamd: processing message <1350904775.35199.YahooMailNeo@web122103.mail.ne1.yahoo.com> for simscan:91
Oct 22 19:18:51 fantastic spamd[6695]: spamd: clean message (1.7/5.0) for simscan:91 in 1.1 seconds, 2769 bytes.
Oct 22 19:18:51 fantastic spamd[6695]: spamd: result: . 1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,RDNS_NONE,REPTO_QUOTE_YAHOO,TVD_SPACE_RATIO scantime=1.1,size=2769,user=simscan,uid=91,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=57546,mid=<1350904775.35199.YahooMailNeo@web122103.mail.ne1.yahoo.com>,autolearn=disabled
Oct 22 19:18:53 fantastic spamd[25033]: prefork: child states: II

Any idea what is going on?

Many thanks
Nic

Reply |

Hi Nic

Hi Nic,

supposing that your LDA is working fine, did you test just a particular yahoo's address or you get a bounce each time you receive a message from yahoo?

If the first option is true, does the sender address contain any strange character such as + - (minus) etc.?

What LDA are you using? dovecot-lda? vpopmail delivery?

What does qmail-send say?

Reply |

Hi Roberto,Thanks for your

Hi Roberto,

Thanks for your reply.

It happens to all incoming yahoo addresses and i am very sure there isnt any strange character in any of these addresses.

I am using vpopmail delivery.

/var/log/qmail/current does not contain any log from yahoo email. Where can i see the log for qmail-send ?

 

Many thanks

Nic

Reply |

Hi Nic,Assuming that those

Hi Nic,

Assuming that those messages are not considered spam, that you are not using an rbl list and that the messages are accepted by your qmail-smtpd as shown by the logs above, the qmail-send log is /var/log/qmail/send/current (if you are following my tutorial). You should see the reason why the message is not  stored and the bounce message must be shown also by qmail-smtpd log

Reply |

Hi,/var/log/qmail/send/curren

Hi,

/var/log/qmail/send/current does not log the bounced from Yahoo mails. But it is loging other domains.

What other aspect should i look into?

 

Thanks

nic

Reply |

..in addition, if the message

..in addition, if the message passed qmail-smtpd stage as shown by your log the problem should be the delivery, and this should be shown by qmail-send log as well.

Reply |

Many thanks Roberto.I got it

Many thanks Roberto.

I got it to work by recompiling simscan. Now i got into another situation.

I had setup Send Vacation Auto-Response on my email account. The auto-response works great. But when 2 accounts have turn on Auto-Response and send mail to each other, both account will be disabled due to overquota.These 2 accounts do not have mail quota set.

What should i do to fix this or stop the looping.

 

Thanks

nic

Reply |

If I have understand well

If I have understand well, all messages from yahoo are bounced from you mail server. In that case you should see a sent message looking into qmail-send log.

Reply |

Hi,I understand you well. But

Hi,

I understand you well. But /var/log/qmail/send/current is not logging anything for Yahoo mails. I thought it is not working. But i try sending out mails and i can see those entries.

 

regards

nic

Reply |

Recent comments
Recent posts

RSS feeds