http://qmail.kldp.net/wiki/wiki.php/qmail_antispam

머릿말 

100 % 스팸을 막을 수는 없지만 최소한 아침에 메일 정리하는 시간을 줄여보고자 이 글을 적는다.
100 % 막으려 하지 말라. 머리도 아프고 당신은 원하던 메일도 못받는 경우가 생길 수 있다.^^;
100 % 스팸을 막고 싶은가? 당장 메일 서버의 랜선을 뽑아라!! -.-;

목차

 

1 Anti spam 시스템 구축하기

1.1 머릿말

2 어디서 부터 막을 것인가?

2.1 메일 시스템에 접근하는 단계에서의 필터링

2.1.1 rblsmtpd 를 이용

2.1.2 tcp.smtp(cdb) 이용

2.1.3 시스템의 방화벽을 이용(리눅스의 경우에는 iptables)

2.1.4 qmail control파일 이용

2.2 qmail 의 Queue 에 저장되는 단계에서의 필터링

2.2.1 qmail-queue 단에서의 필터링(ex. qmail-queue-scanner,qfilter,etc)

2.2.2 qmail-smtpd 단에서의 필터링(ex. domainkey,spf,spamcontrol,etc)

2.3 MDA 단계(사용자의 메일박스에 메시지가 도달하기전)에서의 필터링

3 Spam filtering 도구 소개

3.1 메일 서버 접근 단계의 필터링 도구

3.1.1 rblsmtpd

3.1.2 spamdyke

3.2 qmail-smtpd or qmail-queue 단계에서의 필터링 도구

3.2.1 qmail-scanner

3.2.2 simscan

3.2.3 Qmail 패치를 통한 스팸 방지 기능 추가

3.3 MDA 단에서의 필터링

4 스팸 필터링의 새로운 패러다임

4.1 SPF (Sender Policy Framework)

4.1.1 qmail 에 spf 패치를 하여 필터링를 하는 방법

4.1.2 spamassassin 을 이용하여 필터링을 하는 방법.

4.2 DKIM(Domain keys identified mail)

5 맺으며

2.1 메일 시스템에 접근하는 단계에서의 필터링 

이 단계에서는 불 필요한 메일에 대한 처리 과정이 없이 smtp 서버에 접속을 막기 때문에 서버의 불필요한 자원의 낭비를 막아주는 효과가 있다.
TCP/IP 프로토콜 중에서 주로 IP 기반의 필터링을 하는 과정이다.

2.1.1 rblsmtpd 를 이용 

rblsmtpd 프로그램은 ucspi-tcp 패키지에 포함되어 있는 프로그램으로 rbldns서버에 쿼리를 던져서 그 결과에 따라 접속 허가를 해주는 프로그램이다.

rblsmtpd 설정 예(qmail-smtpd/run 파일의 내용이다.) 
주의.) 필자의 셋업을 그대로 복사해서 사용하지는 말라.테스트용 run파일이다.^^;
rblsmtpd가 들어가는 라인만 참조하자.

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
QMAILQUEUE="/var/qmail/bin/qmail-dk"
DKQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
DKSIGN="/etc/domainkeys/linuxstudy.pe.kr/mail"
export QMAILQUEUE DKQUEUE DKSIGN

rbldns="-r bl.spamcop.net -r rbl.linuxstudy.pe.kr"

exec /usr/local/bin/softlimit -m 100000000 \
/usr/local/bin/tcpserver -vRHl0 -x/etc/tcp.smtp.cdb \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /usr/local/bin/rblsmtpd -t 30 -b $rbldns \
/var/qmail/bin/qmail-smtpd mail.linuxstudy.pe.kr \
/bin/checkpassword /bin/true 2>&1

2.1.2 tcp.smtp(cdb) 이용 

qmail.kldp.net 에서 열심히 활동해주시고 계시는 ironiris 님이 업데이트 하셨던  스팸서버 발송지 주소리스트 를 참조해보자.
tcp.smtp 파일(파일을 변경하였다면 tcprules 명령으로 cdb 파일을 업데이트 하도록 한다.)

1.2.3.4(스팸발송지ip):deny
5.6.7.8(스팸발송지ip):deny
tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp

2.1.3 시스템의 방화벽을 이용(리눅스의 경우에는 iptables) 

Shell>iptables -A INPUT -p tcp -s 스팸아이피주소 -j DROP

2.1.4 qmail control파일 이용 

badmailfrom 이나 기타 스팸필터관련 패치 이후 환경 설정 파일을 이용하는 방법.(실제로는 qmail-smtpd 단에서 호출해서 사용하지만 일단 tcpserver 와 qmail-smtpd 중간의 과정이라 이곳에 기록한다.)

2.2.1 qmail-queue 단에서의 필터링(ex. qmail-queue-scanner,qfilter,etc) 

먼저 큐메일의 전체적인 구조를 살펴보도록 하자.
참고. 큐메일시스템 메시지 전달과정
외부에서 우리의 메일서버로 메시지가 전송되는 과정은 다음과 같다.

 tcpserver->qmail-smtpd->qmail-queue->qmail-send->qmail-lspawn->qmail-local->메일박스

큐메일 서버의 전달 과정을 보면 알겠지만 모든 메시지는 qmail-queue에 의해서 메시지가 처리된다.
물론 qmail-smtpd 소스를 고쳐서 qmail-queue 이전에 스팸 메일들을 처리할수도 있겠지만 이미 큐메일의 queue patch 도 있고 금방 적용하기 쉬운 편이라 필자는 개인적으로 queue 단에서 스팸처리를 하는것을 선호하는 편이다.

Queue patch를 적용한 이후에 원래 qmail-queue 대신에 다른 프로그램을 호출하여 스팸처리를 하는것이다.
queue_patch 이후에 메시지 전달 과정은 아래처럼 변경이 되는 것이다.

 tcpserver->qmail-smtpd->임의의 필터링 프로그램(or qmail-queue)->qmail-send->qmail-lspawn->qmail-local->메일박스

2.2.2 qmail-smtpd 단에서의 필터링(ex. domainkey,spf,spamcontrol,etc) 

변형된 qmail-smtpd 를 이용한 스팸메일 필터링

[root@db stone]# cat .qmail 
|/var/qmail/bin/qmail-quota
|/var/qmail/bin/preline /usr/bin/procmail -p -m /home/webmail/linuxstudy.pe.kr/stone/.procmailrc
[root@db stone]# 

[root@db tttt]# cat .procmailrc 
PATH=/bin:/usr/bin:/usr/local/bin
DEFAULT=/home/webmail/linuxstudy.pe.kr/tttt/Maildir/
MAILDIR=/home/webmail/linuxstudy.pe.kr/tttt/Maildir/
LOGFILE=/var/log/qmail/procmail
VERBOSE=no
SHELL=/bin/sh

:0 Efhw
*^(Subject|From|Cc):.*=\?EUC-KR\?(B|Q)\?
|formail -c | hcode -dk -m

:0 Efhw
*^(Subject|From|Cc):.*=\?ks_c_5601-1987\?(B|Q)\?
|formail -c | hcode -dk -m

3.1.1 rblsmtpd 

- 메일서버에 접속하는 클라이언트 아이피가 rbldns 서버에 등록되어 있는 IP 인지 여부를 판단하여 등록되어 있을 경우에는 rbldns서버에 기록되어진 반송 메시지와 함께 반송을 한다.

rblsmtpd에 대한 자세한 내용은 rblsmtpd한글 메뉴얼을 살펴보도록 하자.

rblsmtpd 를 설정했을때의 qmail-smtp로그 파일의 내용이다.(필자는 현재 spamcop.net 과 필자가 직접 구축한 rbldns 를 이용하고 있다. 

@4000000046c8b4dc2e44d74c rblsmtpd: 61.183.0.8 pid 1601: 553 Blocked - see http://www.spamcop.net/bl.shtml?61.183.0.8
@4000000046ca90a91a7ab984 rblsmtpd: 72.237.208.57 pid 23522: 553 Your IP is Blocked, see http://spamlist.linuxstudy.pe.kr/lookup?72.237.208.57

rblsmtp 설정하기
/var/qmail/bin/qmail-smtpd/run 파일에 아래와 같이 rbldns 서버의 주소를 추가해 준다.
-r 은 블럭리스트 -a white 리스트임.

안타깝게도 rbldns서버들이 예전에는 많았지만 많이 유료화 되었다.(우리나라에서는 kisa에서 무료로 rbldns서버를 운영하는것으로 알고 있다.)

exec /usr/bin/softlimit -m 66000000 \
/usr/bin/tcpserver -vRHl0 -x/etc/tcp.smtp.cdb \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /usr/bin/rblsmtpd \
-t 30 -b -a white.linuxstudy.pe.kr \
-r bl.spamcop.net \
-r rbl.linuxstudy.pe.kr \
/var/qmail/bin/qmail-smtpd linuxstudy.pe.kr  /bin/true 2>&1

Q) 반드시 다른 rbldns 서버를 사용해서 ip필터링을 해야 하나요??

A) 아니다. Local 베이스의 rbldns 서버를 구축할 수 있다.(참고. 이운억님께서 작성하신rbldns구축하기)

3.1.2 spamdyke 

- rblsmtp 처럼 tcpserver 와 qmail-smtp 사이에서 IP레벨의 다양한 필터 설정을 할 수 있는 통합(?)툴이다. 또한 패키지에 들어있는 몇몇 유틸리티들은 다양한 기능들을 제공해주고 있다.

- 먼저 소스를 spamdyke다운로드 한다.
- 받은 소스를 압축을 해제하고 소스디렉토리에서 make 명령을 실행하여 spamdyke 실행파일 생성
- 적당한 위치에 파일을 복사(/var/qmail/bin/spamdyke)
- qmail-smtpd/run 파일 수정

Shell>wget http://www.spamdyke.org/releases/spamdyke-2.6.3.tgz
Shell> tar xvfz spamdyke-2.6.3.tgz
Shell> cd spamdyke-2.6.3/spamdyke
Shell> make
Shell> cp spamdyke /var/qmail/bin/
Shell> vi /var/qmail/supervise/qmail-smtpd/run

예제)spamdyke 를 포한한 smtpd run파일 내용

exec /usr/bin/softlimit -m 66000000 \
/usr/bin/tcpserver -vRHl0 -x/etc/tcp.smtp.cdb \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp  \
/var/qmail/bin/spamdyke -a 30 /var/qmail/bin/qmail-smtpd linuxstudy.pe.kr  /bin/true 2>&1

위의 예제는 spamdyke 의 많은 옵션중에서 한번 접속당 recipients 수를 지정한 경우 입니다.
이외에도 아주 많은 옵션을 제공합니다만 일일히 설명드리기에는 너무 많네요. www.spamdyke.org에 가셔서 도움말 참고하시면 되실겁니다.

3.2 qmail-smtpd or qmail-queue 단계에서의 필터링 도구 

qmail 의 queue 단계에서의 필터링은 반드시 qmail의 queue 패치를 해주는게 좋다. 물론 queue 패치없이도 필터링이 불가능 한것은 아니다.
약간의 꼼수겠지만 qmail-queue 바이너리 파일의 이름을 변경하고 다른 프로그램으로 대체하는것이다.
먼저 netqmail-1.05를 사용중이라면 별도의 패치가 필요없을 것이다. 이미 queue 패치가 이루어진 버전이기 때문이다.
qmail-1.03 버전을 사용한다면 반드시 패치를 해주도록 하자.

Qmail-queue 단계에서의 필터링을 위한 기본 구성.

- 먼저 qmail-smtpd 에 QMAILQUEUE라는 환경변수를 통해서 기본 큐 프로그램인 qmail-queue 를 다른 프로그램으로 전환한다.

둘중에 편한 방법을 선택하도록 한다.

run 파일로 변경하는 방법.

QMAILQUEUE="qmail-queue 를 ��~@신�~U� 다른 ��~D��~\그�~^�(ex. /var/qmail/bin/qmail-scanner-queue)"
export QMAILQUEUE
exec /usr/bin/softlimit -m 66000000 \
/usr/bin/tcpserver -vRHl0 -x/etc/tcp.smtp.cdb \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /usr/bin/rblsmtpd -t 30 \
-b $rbl /var/qmail/bin/qmail-smtpd linuxstudy.pe.kr  /bin/true 2>&1

tcp.smtp파일을 변경하는 방법.

linuxstudy qmail # cat /etc/tcp.smtp
127.0.0.1:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
:allow,QMAILQUEUE="/var/qmail/bin/simscan" 
linuxstudy qmail # 
 

사용자 추가
Shell>groupadd qscand 
Shell>useradd -c "Qmail-Scanner Account" -g qscand  -s /bin/false qscand
qmail-scanner 설치를 위한 패키지들 설치(maildrop, 각종 Perl module)- qmail-scanner홈페이지를 참고할 것
Shell> ./configure --install yes

# 첨부 파일에 mp3가 첨부되어 있다면 필터링 하겠다는 룰이다. SIZE에 -1 되어 있다면 사이즈에 관계없이 필터링 하라는 룰이 된다.
.mp3 SIZE=-1 mp3 disallowed

# 첨부파일에 .doc 가 첨부되어 있고 사이즈가 0 인 경우에 필터링 하라는 룰이다.
.doc  SIZE=0   Zero-length corrupt viruses - ignore

# 첨부파일에 Happy99.exe 가 첨부되어 있고 첨부파일 사이즈가 10Kbyte 라면 필터링 하라는 룰이다.
Happy99.exe             SIZE=10000      Happy99 Trojan virus

# 메일헤더의 제목에 viagra 라는 문자열이 있을 경우에 필터링 하라는 룰이다.
.*viagra.*              Policy-Subject:       Spam Viagra

# 메일 헤더의 from  주소가 duma.gov.ru 가 포함된 경우에는 필터링 하라는 룰이다.
.*duma.gov.ru   Policy-MAILFROM:      Virus Dumaru

# 메일 보낸 주소가 127.0.0.5 일 경우에 필터링 하라는 룰이다.
127.0.0.5      Policy-REMOTEIPADDR:   Blocked IP from 127.0.0.5 blocked

# 스팸 메일 발송기 중에서 Bat이 들어가 있는 경우에 필터링 하라는 룰이다. 스팸 메일 발송기가 업그레이드가 늦다면 꽤 유용하게도 쓸수 있을듯 하다.
.*Bat.*            Policy-X-Mailer:             Spammailer sender

[root@db qmail]#adduser -c "simscan user" -s /dev/null simscan(simscan user ��~]성)
[root@db qmail]# wget  http://www.inter7.com/simscan/simscan-1.1.tar.gz
[root@db qmail]# tar xvfz simscan-1.1.tar.gz
[root@db qmail]# cd simscan-1.1
[root@db simscan-1.1]# ./configure && make && make install

--enable-user=유저명 
	simscan을 유저를 셋팅한다. 기본값으로 simscan
--enable-clamav=y|n
	clamav 를 이용한 스캐닝. 기본값으로 y 이다.
--enable-clamdscan=clamdscan의 PTAH
--enable-custom-smtp-reject=y|n
	바이러스 이름을 포함하여 리턴 메시지를 보내도록한다
	주의. 위의 옵션을 사용하기 위해서는 소스디렉토리/contrib/qmail-queue-custom-error.patch 의 패치를 Qmail에 해주어야 한다.
	      또한 나중에 설명되는 옵션중에 하나인 enable-dropmsg 의 값이 y이면 안된다.
--enable-per-domain=y|n
	많은 도메인에 대해서 메일서비스를 하고 있으며 각각에 대한 simscan 의 설정을 하고자 한다면 y를 택하도록 한다.
--enable-attach=y|n
	첨부파일에 대해서 체크를 할 것인지의 여부를 정한다. /var/qmail/control/ssattach 파일안에 필터링할 파일명이나 확장자를 넣어주면 된다.
--enable-spam=y|n
	스팸메일에 대한 필터링을 할 것인지에 대한 옵션이다. 스팸어세신에 의해서 status 가 YES인 메일에 대해서는 반송을 하게 될것이다.
--enable-spam-passthru=y|n
	스팸 어세신에서 붙은 status값을 무시하고 그냥 통과시키고자 할 경우에 사용한다. 이는 나중에 procmail 이나 maildrop으로
	스팸 편지함이나 별도의 디렉토리에 스팸 메일을 저장하고자 한다면 유용하게 사용될 수 있을 것이다.
--enable-spam-hits=점수
	기본값으로 10 이 셋팅되며 스팸 어세신에서 정한 값을 넣으면 될 것이다.
--enable-spamc=PTAH
	spamc 바이너리파일의 위치를 잡아준다. 자동으로 잡을것이다…^^
--enable-spamc-args
	spamc 에 필요한 옵션을 지정할 수 있다. 필자의 경우에 퍼포먼스를 위해 spamd 를 소켓을 사용하게 하였으며 소켓의 위치는 /tmp/spamd 였다.
	쌍따옴표로 지정한다는 점에 주의 하라

Ex) --enable-spamc-args=”-U /tmp/spamd” 
--enable-dropmsg=y|n (스팸 메일에 대한 메시지를 sender 에게 보내지 않겠다는 옵션이다.)
--enable-quarantinedir=디렉토리위치( 스팸,바이러스 메일을 따로 저장해둘 디렉토리를 지정한다)
--enable-received=y|n ( 메일헤더에 received를 추가할 것인지에 대한 옵션이다. 버전정보 및 처리시간이 기록되어진다.)

vi /var/qmail/supervise/qmail-smtpd/run
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
QMAILQUEUE="/var/qmail/bin/simscan"
export QMAILQUEUE
rbl="-r bl.spamcop.net -r rbl.linuxstudy.pe.kr"
exec /usr/local/bin/softlimit -m 100000000 \
/usr/local/bin/tcpserver -vRHl0 -x/etc/tcp.smtp.cdb \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /usr/local/bin/rblsmtpd -t 30 -b $rbl \
/var/qmail/bin/qmail-smtpd mail.linuxstudy.pe.kr \
/bin/checkpassword /bin/true 2>&1

vi  /etc/tcp.smtp
127.0.0.1:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/simscan"
:allow,QMAILQUEUE="/var/qmail/bin/simscan"

[user@mailserver user]$ cat /var/qmail/control/ssattach
    .jpg
    .mp3
    .scr
    .bat

 [user@mailserver user]$ cat /var/qmail/control/simcontrol
  postmaster@example.com:clam=yes,spam=no,attach=.txt:.com
  example.com:clam=no,spam=yes,attach=.mp3
  :clam=yes,spam=yes,trophie=yes,spam_hits=20.1

3.2.3 Qmail 패치를 통한 스팸 방지 기능 추가 

qmail 패치를 통한 스팸방지 기능의 추가는 거의 대부분 소스 패치를 통해서 이루어지고 있어서 상세한 과정은 생략하고 주로 패치들에 대한 소개로 진행할까 한다.
주로 qmail 의 control 파일이 추가 되거나 qmail-smtpd 에 환경변수가 추가되어 동작하는 경우가 많다.
자세한 내용은 아래 사이트를 참고하기 바랍니다.
http://qmail.psshee.com/top.html#spam

몇몇 쓸만한 패치들을 소개를 해본다.

• http://www.arda.homeunix.net/store/qmail/qregex-20060423.patch
  

이 패치는 Qmail에 패턴 매칭을 통해서 다양한 필터링을 제공한다.
/var/qmail/control 하위에 아래와 같은 control 파일들을 이용해서 접근을 막는다.
badhalo,badmailfrom,mailmailfromnorelay,badmailto,badmailtonorelay

• http://www.palomine.net/qmail/tarpit.html
  

이 패치는 RCPT TO 명령어에 대한 카운트를 제한을 하고 그 제한이 걸리면 일정 시간동안 delay를 줘서 한꺼번에 다량의 메일 전송하는것을 방지한다.
/var/qmail/control 하위에 tarpitdelay,tarpitcount 로 제어를 할 수 있게된다.

3.3 MDA 단에서의 필터링 

보통 메일 박스 이전에 .qmail 또는 .qmail-default를 이용해서 다른 프로그램을 호출하여 사용한다.
다른 방법으로는 qmail 의 run 파일을 이용해서도 가능하다.
먼저 간단한 .qmail 의 예제를 보도록 하자.
필자는 개인적으로 procmail 보다는 maildrop을 선호하는 편이다.

cat>.qmail
|spamc -U /tmp/spamd | maildrop .mailfilter

위의 내용은 메시지를 먼저 spamassassin 에 전달하여 메시지에 스팸 점수를 체크한 다음에 maildrop 으로 원하는 메일박스로 전달을 하는 형태이다.

cat> .mailfilter

DEFAULT=/home/webmail/linuxstudy.pe.kr/tttt/Maildir/
SPAMDIR=/home/webmail/linuxstudy.pe.kr/tttt/SPAMDIR/
if (/^X-Spam-Flag: *YES/)
{
to "$SPAMDIR"
}  

위는 maildrop 에서 호출하는 .mailfilter 의 내용이다. 메일 메시지에서 X-Spam-Flag 가 YES인 경우에는 스팸 디렉토리로 메일을 저장하라는 내용이다.
필자가 maildrop을 선호하는 이유는 아주 다양한 설정을 편하게 설정할수 있기 때문이다.
maildrop홈페이지에서 다양한 예제를 볼 수 있다. 참고하기 바란다.

4.1 SPF (Sender Policy Framework) 

SPF 는 DNS 기반의 스팸 필터링 기술이다. 메일 발송의 도메인에 대하여 실제로 정상적인 도메인에서 발송이 되었는지 query를 통해서 처리를 하는것이다.
즉 메일 발송지의 DNS 서버에 특정레코드(TXT)에 대한 쿼리를 해서 그 결과에 따라서 정상적인 메일인지 아닌지를 구분하는 것이다.
아래는 간단한 spf를 이용한 메일 필터링의 구조이다.

메일 송신->메일 수신->발송지(도메인,IP,e-mail address)에 대한 Query->Query 값 리턴받음->메일서버 정책에 따라 처리 

자세한 정보는 http://www.openspf.org/에서 확인해 보도록 하자.

만약 우리의 메일 서버에서 외부로 메일을 발송을 한다면 그리고 메일을 수신하는 메일서버가 SPF 체크를 해서 필터링을 한다면 먼저 우리는 발송 서버에 대한 SPF 설정을 해줘야만
필터링을 무사히 통과할 수 있을 것이다.

spf설정은 네임서버에서 설정을 해주는 것으로 일단 아래의 예제를 보도록 하자

linuxstudy.pe.kr.  IN   TXT   "v=spf1 ip4:211.189.119.187 ip4:211.189.119.186 -all" 

위의 설정은 다음과 같은 의미를 가지고 있다.
메일을 보내는 서버의 도메인이 linuxstudy.pe.kr 이면 발송지 주소는 211.189.119.187,211.189.119.186 이며 이외의 ip에 대해서는 fail 결과를 리턴하라는 이야기이다.

Zone파일 설명

도메인 IN TXT "v=spf1 조건(a,mx,prt,ip4,ip6) 조건 외 정책(-all(fail),~all(softfail),+all(pass),?all(neutral))

몇 가지 Zone 파일의 예제를 보면서 이해를 해보도록 하자.( 조건외 정책은 최소한 -all 또는 ~all 정도 셋업해주는게 좋다.)

linuxstudy.pe.kr.               IN      A       211.189.119.186
                IN      MX 0    mail0.linuxstudy.pe.kr.
                IN      MX 1    mail1.linuxstudy.pe.kr.
                IN      MX 2    mail2.linuxstudy.pe.kr.

mail0            IN      A       211.189.119.187
mail1            IN      A       211.189.119.188
mail2            IN      A       211.189.119.189

# 메일을 보낸쪽 도메인이 linuxstudy.pe.kr 이고 ip address 가 211.189.119.187 이라면  pass 하고 그 나머지에 대해서는 fail 값을 리턴한다.
linuxstudy.pe.kr.  IN   TXT   "v=spf1 ip4:211.189.119.187-all" 

# 메일 수신서버에서 spf레코드에 대한 query 를 했을때 mx값에 설정되어 있는 Host의 IP(아래 예제를 보자면 211.189.119.187~189)에 대한 인증을 하고
# 그 이외의 ip에 대해서는 softfail 값을 리턴하라는 이야기다. 마지막이 -all 이라면 fail값을 리턴한다)
linuxstudy.pe.kr.  IN   TXT   "v=spf1 mx ~all"

# a레코드 값에 설정되어 있는 Host의 IP(즉 211.189.119.186) 일 경우에는 pass 값을 보내주고 그 이외의 값은 fail값을 리턴 하라는 이야기 이다.
linuxstudy.pe.kr.  IN   TXT   "v=spf1 a:linuxstudy.pe.kr -all"

쉽게 설명하자면 네임서버에 우리가 메일을 발송할때는 아래와 같은 서버(or IP)를 사용하니 혹시 우리 도메인을 사용하면서 다른 IP라면 그건 가짜 입니다 라는 정보를 다른 메일서버에 알려주는 형태이다.

지금까지는 메일을 송신했을때 spf 체크를 하는 메일서버에 메일이 잘 들어갈 수 있도록 하는 설정이었으며 
이제는 우리가 메일을 받을 경우에 spf 를 가지고 체크를 해서 필터링을 해보는 방법을 알아보도록 하자.

참고로 아래는 필자가 확인해 본 몇몇 포탈 사이트의 spf 설정 상황이다.

dig TXT 도메인
nownuri.net.            21476   IN      TXT     "v=spf1 ip4:203.238.128.90 ip4:203.238.128.56 ip4:203.238.128.57 ~all"
hanmail.net.            20568   IN      TXT     "v=spf1 ip4:211.43.197.0/24 ptr ~all"
naver.com.              600     IN      TXT     "v=spf1 ip4:220.95.234.208 ip4:61.74.70.0/23 ip4:222.122.16.0/24 ip4:220.73.156.0/24 ip4:211.218.150.0/24 ~all"
chol.com.               3600    IN      TXT     "v=spf1 ip4:203.252.1.0/24 ip4:203.252.3.0/24 ip4:164.124.191.0/24 ip4:210.120.128.23 ~all"
empas.com.              3600    IN      TXT     "v=spf1 ip4:61.97.66.0/24 ip4:61.97.67.0/24 ip4:61.97.70.0/24 ip4:61.97.72.0/24 ptr -all"

먼저 spf 레코드 체크를 위한 몇가지 방법을 알아보도록 하자.
편하게 할 수 있는 방법 몇가지를 소개해 본다.

4.1.1 qmail 에 spf 패치를 하여 필터링를 하는 방법 

http://www.saout.de/misc/spf/에서 qmail-spf 패치를 받아서 spf 패치 이후 Qmail을 재설치 한다.

tar xvfz qmail-1.03.tar.gz
cd qmail-1.03
patch -p1<qmail-spf-rc5.patch
make && make setup check

참고로 spf패치를 하게 되면 spfquery 라는 바이너리 파일이 생성이 되고 간단하게 테스트 spf 테스트를 해볼 수 있다.
기본 사용법: spfquery 메일쪽IP 메일도메인 메일주소

[root@db qmail-1.03_spf]# ./spfquery 211.189.119.186 linuxstudy.pe.kr root@linuxstudy.pe.kr
result=pass
Received-SPF: pass (localhost: SPF record at linuxstudy.pe.kr designates 211.189.119.186 as permitted sender)
[root@db qmail-1.03_spf]# 
필자는 네임서버에 spf설정을 해두었기 때문에 return 값이 pass 로 나온다.

[root@db qmail-1.03_spf]# ./spfquery 211.189.119.190 linuxstudy.pe.kr root@linuxstudy.pe.kr                 
result=fail: See http://spf.pobox.com/why.html?sender=root%40linuxstudy.pe.kr&ip=211.189.119.190&receiver=localhost
Received-SPF: fail (localhost: SPF record at linuxstudy.pe.kr does not designate 211.189.119.190 as permitted sender)
[root@db qmail-1.03_spf]# 
메일 보낸쪽 IP address를 약간 변조를 해서 query 를 날려보았다.
결과를 보면 알겠지만 fail 값이 리턴이 되었다. 왜냐면 필자의 네임서버에서는 186,187번 IP에 대해서만 spf 설정을 해두었기 때문이다.

위의 원리로 변조되어 들어오는 메일을 필터링 할수 있는 것이다.

이제 spf 패치가 된 qmail의 설정을 살펴보도록 하자.
다른 패치와 비슷하게 control 파일을 이용하도록 되어 있다.

cat>/var/qmail/control/spfbehavior<<EOF
3
EOF

값은 0~6까지 줄수 있으며 아래와 같은 레벨로 필터링을 할 수 있다.
0: spf 설정에 대한 쿼리를 하지 않으며 spf 결과에 대한 헤더를 생성하지 않는다. 
1: 단지 spf 쿼리에 대한 헤더만 생성하되 블럭은 하지 않는다.
2: spf쿼리에 문제가 있을경우 dns 에러와 함게 reject한다.
3: spf 쿼리 결과가 fail 일 경우에 deny한다.
4: spf 쿼리 결과가 softfail 일 경우에 deny한다.
5: spf 쿼리 결과가 neutral 일 경우에 deny한다.
6: spf 쿼리 결과가 pass가 아닐 경우에 deny한다.

나머지 몇개의 control파일이 더 있는데 생략한다.

4.1.2 spamassassin 을 이용하여 필터링을 하는 방법. 

spamassassin 을 이용하는 방법은 아주 쉽다.
spamassassin3.x 버전 부터는 기본적으로 spfquery 를 사용할 수 있도록 되어 있다.
spamassassin에서 spf를 이용하기 위해서는 spf perl 라이브러리가 필요하다.
http://www.openspf.org/Implementations 에서 Mail::SPF 모듈을 다운로드 하여 설치하도록 하자.
Mail::SPF 을 설치하기 위해서는 아래와 같은 다른 perl 모듈도 설치를 해줘야 한다.
Module-Build 0.2805
Test-More
Net-DNS-Resolver-Programmable 0.002.1
위의 모듈을 모두 설치한 다음에 Mail::SPF 모듈을 설치하면 된다.
설치하는 방법은 다소 내용이 길어질 수 있어서 생략하도록 하겠다.
Mail::SPF 모듈이 설치가 되었다면 spamassassin 설정 파일을 열어서 SPF 체크를 하도록 하면 된다.

vi /etc/mail/spamassassin/init.pre
loadplugin Mail::SpamAssassin::Plugin::SPF

아마 3.x 버전을 설치했다면 아마 기본적으로 설정이 되어 있을 것이다.
spamassassin은 실제 메일 메시지에 대한 reject를 하는 시스템은 아니고 score를 부여하는 역할만 하므로
만약 smtpd 단에서 필터링을 하기를 원한다면 위에서 말한 qmail에 패치를 하여 사용을 하는것이 좋을 것이다.

4.2 DKIM(Domain keys identified mail) 

Domain key 는 현재 대표적으로 Yahoo에서 사용하는 메일 인증 시스템으로 
기본 원리는 SPF처럼 네임서버에 등록된 정보를 확인하는 구조를 가지고 있다.
그러나 SPF가 IP기반의 인증을 하는 반면에 Domain key는 digital sign을 하는 형태라서 메일의 변조 여부까지 확인할 수 있다.

기본 구조는 다음과 같다

메일 발송서버->메일 수신 서버->메일헤더에 sign 되어진 값을가지고 다시 메일을 발송한 도메인 네임서버에 query->리턴된 public key를 이용하여 메일 메시지 검증

*private key 및 public key, signature 이해하기

Domain key가 어떻게 동작하는지 원리를 잠깐 살펴보도록 하자.

[root@db ~]# cat test.txt 
ajdfasdf
[root@db ~]# openssl dgst -sign /etc/domainkeys/linuxstudy.pe.kr/default -sha1<test.txt >sign.file
[root@db ~]# openssl dgst -verify /etc/domainkeys/linuxstudy.pe.kr/rsa.public -sha1 -signature sign.file <test.txt 
Verified OK

test.txt 파일을 약간 변경해서 검증할 때
[root@db ~]# openssl dgst -verify /etc/domainkeys/linuxstudy.pe.kr/rsa.public -sha1 -signature sign.file <test.txt 
Verification Failure

설명) 먼저 메일 발신 서버에서는 test.txt(메일메시지)에 private key를 이용해서 sign을 하고 메일 메시지에 sign.file을 더 덧붙여서 메일을 전송한다.
그리고 메일 수신서버에서는 메일 메시지에 첨부되어 있는 sign 과 네임 서버에 query를 하여 돌아온 public key 를 이용해서 그 메일의 변조 유무를 체크하는것이다.
만약 test.txt파일이 sign 되는 당시와 변경 사항이 있다면 검증 결과는 Failure 를 리턴한다.

• Qmail에 Domain key 패치하여 설치하기
  

티니님이 작성한 Domain key 설정법을 참고하기 바란다.

• SPF 와 Domain key 비교(어디까지나 필자의 생각다  )
  

	SPF	Domain key
인증방식	IP기반	RSA 이중키로부터 만들어진Digital Signature
구현방식	DNS에 등록된 IP와 실제 메일 발신 IP대조	발신자의 서명을 검사
장점	적용하기 편리함(네임서버에 등록만 해주면 됨	안전하고 신뢰성이 높음
단점	위/변조 가능성이 있다(IP spoofing)	적용하기가 좀 어려움

By stone92

http://wiki.clamav.net/bin/view/Main/ClamOverview

Overview

ClamAV is an anti-malware application that scans files for viruses, worms, spyware, and other forms of malware. Optimized for automated e-mail scanning on mail gateways, you can use ClamAV with SMTP, POP3, and IMAP mail servers. ClamAV also includes provisions for on-demand scans as well as test files for verifying the installation. Its major components include:
* libclamav
* clamd
* clamdscan
* clamscan
* freshclam
* sigtool
* clamav-milter
* clamuko
* clamconf

libclamav

Libclamav is the shared library for clamav and is the virus-scanning engine.

The library is thread-safe, and automatically recognizes and scans archives. Scanning is very fast. Libclamav can add virus protection to software other than ClamAV.

clamd

Clamd is a scalable, multi-threaded daemon.

Clamd uses sockets, streams, and file pointers so that it can be used thousands of times an hour and perform file and mail attachment scans as needed. Clamd uses the clamd.conf configuration file.

clamdscan

Clamdscan is a command line scanner that uses clamd.

When you need an on-demand scan and clamd is running, use clamdscan for the best performance. Clamdscan uses the running daemon and does not have to wait for ClamAV to start.

clamscan

Clamscan is the command line scanner that uses the ClamAV database.

Use clamscan to scan files on an infrequent basis or when when the clamd daemon is not running. Clamscan starts clam and the clam startup (loading database, etc.) slows overall detection time. For routine scans, use clamdscan.

freshclam

Freshclam is the ClamAV virus database-updating tool that runs either as a daemon or on the command line to update the ClamAV signature database.

Freshclam uses the freshclam.conf configuration file. It relies on an Internet connection to update the signature database, but runs in a variety of ways to compensate for intermittent connections. For installations with no connection, many distributions provide a clamav-data file and the package is not automatically updated, once installed.

sigtool

Sigtool is the ClamAV antivirus database manipulation tool.

It is for advanced users who intend to write their own signatures. Refer to the signatures portion of the documentation for more information about sigtool.

clamav-milter

Nigel Horne's clamav-milter is a very efficient email scanner.

It is a plugin for Sendmail and Postfix that enables those programs to scan email.

clamuko

Clamuko is a special thread in clamd that performs on-access scans on Linux and FreeBSD. Clamuko shares the virus database with the clamd daemon.

clamconf

Clamconf is a program that runs from a command line.

It displays information about your configuration. It is useful during ClamAV debugging. When you file a bug report, the ClamAV engineering team will often ask for clamconf output.

http://qmail.kldp.net/wiki/wiki.php/QmailControl%ED%8C%8C%EC%9D%BC%EC%84%A4%EB%AA%85

qmail은 하나의 전체 설정 파일을 사용하지 않고 /var/qmail/control/ 안에 다음과 같이 분리되고 각각의 기능을 하는 설정파일들을 사용합니다. 각 설정 파일들의 목적은 매우 뚜렷하고 이해와 수정이 용이합니다. 다음 콘트롤 파일들이 모두 존재하고 있어야 하는 것은 아니며, 필요에 따라 만들어 줍니다. -- 임은재 2004-04-15 21:25:37

• bounce : 어떤 이유로든 메일이 되돌려 질때 (from: 헤더가 있는 경우)
  
• double bounce : bounce 한 메일이 다시 되돌아 오는 경우
  
• me 는 FQDN으로 명기한 도메인 명이 적혀있는 me 라는 파일을 의미합니다.
  

http://domainkeys.sourceforge.net/
http://jeremy.kister.net/howto/dk.html
http://sourceforge.net/projects/domainkeys/

qmail-1.03 & Netqmail-1.06 / DomainKeys Integration Howto v20081001.02

  cd /usr/local/src/
  wget http://cr.yp.to/software/qmail-1.03.tar.gz
  wget http://superb-east.dl.sourceforge.net/sourceforge/domainkeys/libdomainkeys-0.68.tar.gz
  wget http://www.qmail.org/qmail-1.03-dk-0.54.patch
  wget http://jeremy.kister.net/code/qmail-dk-0.54-auth.patch # optional, for smtp-auth
  tar -zxvf libdomainkeys-0.68.tar.gz
  cd libdomainkeys-0.68
  make
  tar -zxvf /usr/local/src/qmail-1.03.tar.gz
  echo 'gcc -O2 -include /usr/include/errno.h' > qmail-1.03/conf-cc
  patch -d qmail-1.03/ < ../qmail-1.03-dk-0.54.patch
  patch -d qmail-1.03/ < ../qmail-dk-0.54-auth.patch   # optional, for smtp-auth
  cd qmail-1.03
  make qmail-dk
  cp qmail-dk /var/qmail/bin/
  cp qmail-dk.8 /var/qmail/man/man8/
  chown qmailq /var/qmail/bin/qmail-dk
  chmod 4711 /var/qmail/bin/qmail-dk

  mkdir -p /etc/domainkeys/example.com/
  cd /etc/domainkeys/example.com/
  /usr/local/ssl/bin/openssl genrsa -out rsa.private 768
  /usr/local/ssl/bin/openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
  mv rsa.private default
  chown -R qmailq /etc/domainkeys
  chmod 0600 default

  grep -v ^- rsa.public | perl -e 'while(<>){chop;$l.=$_;}print "k=rsa; t=y; p=$l;\n";'

For tinydns (djbdns):
'_domainkey.example.com.:k=rsa; t=y; o=-;
'default._domainkey.example.com.:DomainKey_from_step_5

or for BIND:
_domainkey.example.com. IN TXT "k=rsa; t=y; o=-;"
default._domainkey.example.com. IN TXT "DomainKey_from_step_5"

  qmailctl cdb

Portability Notes

tar -zxvf libdomainkeys-0.68.tar.gz
cd libdomainkeys-0.68
echo '-lresolv' > dns.lib
make

-- 

Jeremy Kister
http://jeremy.kister.net./
http://kister.net/cgi-bin/contact.pl?addr=info

http://cr.yp.to/rblsmtpd.html
http://cr.yp.to/software/rblsmtpd-0.70.tar.gz
http://cr.yp.to/ucspi-tcp/rblsmtpd.html
http://ladro.com/docs/dns/rblsmtpd.html

D. J. Bernstein 

rblsmtpd

The features of rblsmtpd have been incorporated into ucspi-tcp 0.86; there will be no more rblsmtpd releases.

What is it?

The rblsmtpd program

Interface

     rblsmtpd opts prog

Normally rblsmtpd runs prog. prog is expected to carry out an SMTP conversation to receive incoming mail messages.

However, rblsmtpd does not invoke prog if it is told to block mail from this client. Instead it carries out its own limited SMTP conversation, temporarily rejecting all attempts to send a message. Meanwhile it prints one line on descriptor 2 to log its activity.

rblsmtpd drops the limited SMTP conversation after 60 seconds, even if the client has not quit by then.

Options:

• -t n: Change the 60-second timeout to n seconds.

Blocked clients

If $RBLSMTPD is set and is empty, rblsmtpd does not block mail.

If $RBLSMTPD is not set, rblsmtpd looks up $TCPREMOTEIP in the RBL, and blocks mail if $TCPREMOTEIP is listed. tcpserver sets up $TCPREMOTEIP as the IP address of the remote host.

Options:

• -r base: Use base as an RBL source. An IP address a.b.c.d is listed by that source if d.c.b.a.base has a TXT record. rblsmtpd uses the contents of the TXT record as an error message for the client.
• -a base: Use base as an anti-RBL source. An IP address a.b.c.d is anti-listed by that source if d.c.b.a.base has an A record. In this case rblsmtpd does not block mail.

You may supply any number of -r and -a options. rblsmtpd tries each source in turn until it finds one that lists or anti-lists $TCPREMOTEIP.

If you do not supply any -r options, rblsmtpd tries an RBL source of rbl.maps.vix.com. This will be changed in subsequent versions.

RBL sources

I've heard about the following public RBL sources:

• dev.null.dk
• list.dsbl.org, using rbldns as of 2002-03
• multihop.dsbl.org, using rbldns as of 2002-03
• orbs.dorkslayers.com
• orbz.gst-group.co.uk
• relays.osirusoft.com
• unconfirmed.dsbl.org, using rbldns as of 2002-03
• dnsbl.sorbs.net
• cbl.abuseat.org

• blackholes.mail-abuse.org, demanding money for access as of 2001-07
• dialups.mail-abuse.org, demanding money for access as of 2001-07
• dul.maps.vix.com, renamed dialups.mail-abuse.org
• inputs.orbz.org, disabled as of 2002-03
• outputs.orbs.org, disabled in 2001-06
• outputs.orbz.org, disabled as of 2002-03
• rbl.maps.vix.com, renamed blackholes.mail-abuse.org
• relays.mail-abuse.org, TXT records eliminated in 2000-08, demanding money for access as of 2001-07
• relays.msci.memphis.edu, a copy of relays.mail-abuse.org with TXT records, disabled in 2001-01 because mail-abuse.org started demanding money
• rss.maps.vix.com, renamed relays.mail-abuse.org
• or.orbl.org, down as of 2001-10
• relays.ordb.org, no longer in operation
• bl.spamcop.net, fails to interoperate with deferred-delivery ISPs

Temporary errors

However, if $RBLSMTPD begins with a hyphen, rblsmtpd removes the hyphen and uses a 553 error code. This tells legitimate clients to bounce the message immediately.

There are several error-handling options for RBL lookups:

• -B: (Default.) Use a 451 error code for IP addresses listed in the RBL.
• -b: Use a 553 error code for IP addresses listed in the RBL.
• -C: (Default.) Handle RBL lookups in a ``fail-open'' mode. If an RBL lookup fails temporarily, assume that the address is not listed; if an anti-RBL lookup fails temporarily, assume that the address is anti-listed. Unfortunately, a knowledgeable attacker can force an RBL lookup or an anti-RBL lookup to fail temporarily, so that his mail is not blocked.
• -c: Handle RBL lookups in a ``fail-closed'' mode. If an RBL lookup fails temporarily, assume that the address is listed (but use a 451 error code even with -b). If an anti-RBL lookup fails temporarily, assume that the address is not anti-listed (but use a 451 error code even if a subsequent RBL lookup succeeds with -b). Unfortunately, this sometimes delays legitimate mail.

Acknowledgments

Thanks to Andrew Richards for his comments on this documentation.

http://cr.yp.to/cdb.html
http://cr.yp.to/cdb/install.html
http://cr.yp.to/cdb/cdb-0.75.tar.gz

cdb

The cdb format specification 
The cdb-reading library interface

What is it?

• Fast lookups: A successful lookup in a large database normally takes just two disk accesses. An unsuccessful lookup takes only one.
• Low overhead: A database uses 2048 bytes, plus 24 bytes per record, plus the space for keys and data.
• No random limits: cdb can handle any database up to 4 gigabytes. There are no other restrictions; records don't even have to fit into memory. Databases are stored in a machine-independent format.
• Fast atomic database replacement: cdbmake can rewrite an entire database two orders of magnitude faster than other hashing packages.
• Fast database dumps: cdbdump prints the contents of a database in cdbmake-compatible format.

Information for distributors

Packages that need to read cdb files should incorporate the necessary portions of the cdb library rather than relying on an external cdb library.

Related packages

M. J. Pomraning's python-cdb is a Python interface to cdb.

Kazuteru Okahashi's ruby-cdb is a Ruby interface to cdb.

Michael Alyn Miller's sg-cdb is a Java library to read cdb files.

Taj Khattra's luacdb is a Lua interface to cdb.

Felix von Leitner's rdbm combines cdb with a separate journal of database updates.

David Wilson's python-pure-cdb is a Python reimplementation of cdb.

cdb is used in my djbdns, fastforward, mess822, qmail, and ucspi-tcp packages.

How to install cdb

System requirements

Installation

Unpack the cdb package:

     gunzip cdb-0.75.tar
     tar -xf cdb-0.75.tar
     cd cdb-0.75

Compile the cdb programs:

     make

As root, install the cdb programs under /usr/local:

     make setup check

Automatic tests

     make rts
     ./rts > rts.out
     cmp rts.out rts.exp

Beware that, starting with version 0.75, rts takes some time to run: e.g., 155 seconds on a Pentium II-350. (It writes three 4GB databases to /dev/null.)

Manual tests

     ./cdbmake-sv test.cdb test.tmp < /etc/services

     ./cdbtest < test.cdb

Try retrieving particular records from the database:

     ./cdbget smtp/tcp < test.cdb && echo ''
     ./cdbget @25/tcp < test.cdb && echo ''

     ./cdbstats < test.cdb

To report success:

     ( echo 'First M. Last'; cat `cat SYSDEPS` ) \
     | mail djb-sysdeps@cr.yp.to 

Replace First M. Last with your name.

http://www.inter7.com/vpopmail/
http://sourceforge.net/project/showfiles.php?group_id=85937
http://www.inter7.com/vpopmail/install.txt
http://www.inter7.com/vpopmail/doc/index.html

For more information see the README files
 README	     
 README.mysql   
 README.quotas    
 README.ldap  
 README.sybase
 README.oracle  
 README.vqmaillocal

For information on upgrading please see the UPGRADE files
UPGRADE  
UPGRADE.tren


Note: If you are using any of the BSD distro's you should probably use gmake
      and not make.

VPopMail 5.0 Upgrade Instructions are in the UPGRADE File
Hints on converting an old system to a new vpopmail system
are also in the UPGRADE file

1. check for diskspace
	# df
	  or
	# df -k 

	Determine which disk partition you want to place the pop email.

2. add groups and users and home directory
	# groupadd -g 89 vchkpw
	# useradd -g vchkpw -u 89 vpopmail

We recommend you use the user and group id's of 89. The FreeBSD folks
have reserved 89 for the group and 89 for the user for vpopmail. 
if you want to place the vpopmail home dir in a different disk partition
than the default home dir location try:

	# useradd -g vchkpw -u 89 -d /path/to/where/you/want vpopmail
		

	RedHat and other linux systems place useradd and groupadd in
	the /usr/sbin directory.

NOTE: the home directory of vpopmail must exist before you contiue with
the installation.

3.  FAST default install
    $ su
    # ./configure
    # make
    # make install-strip 

If you are making vpopmail for roaming users to be able to relay
through your smtp server after the authenticate with pop do: 

    $ su
    # ./configure --enable-roaming-users=y
    # make
    # make install-strip

NOTE: To get a complete list of configure options type: ./configure --help

MySQL NOTE: if you are using --enable-mysql=y make sure you are running
the lasted stable version (Currently 3.23 as of March 5th 2001). Older
versions of mysql, such as 3.22 do not support the "unique index (domain)"
syntax when creating the dir_control table. 

3.a configure option recommendations for New Sites

If you are installing a brand new email server please make
use of the new vpopmail-5.0 features. We recommend adding
the following options to your ./configure line:

--enable-clear-passwd=y ( store a clear text copy of users password )

This option helps sysadmins and help desk people. They find it
helpful to be able to see the pasword the user should be using.

--enable-valias=y (Turn on vpopmail alias processing)

This is mainly for the mysql module. It allows aliases/forwards to
be stored in the mysql database. It also turns on the valias
command line program to maintain alias/forwards

--enable-mysql-replication=y ( requires advanced sys admin skills )

If you have a running mysql replicated site, multiple machines with
a central update mysql server and a farm of machines running read-only
mysql servers, THEN, you can make use of this feature. It allows
vpopmail to do read-only queries to a local mysql server, and send
all update transactions (add user, change password, delete domain)
to a central mysql database. A must use for clustered sites 
vpopmail to lo

4. Check your ~vpopmail/etc/tcp.smtp file 

    This file should list all the static IP's of your machines
    you want to allow to relay out to the internet.
	
    For example: If you have a whole C class named 10.1.1.X
    either edit /etc/tcp.smtp file, or use the following to appened:

	# echo "10.1.1.:allow,RELAYCLIENT=\"\"" >> ~vpopmail/etc/tcp.smtp

	you can add other ip's later, when ever you want.


5. Setup crontab for --enable-roaming-users=y (default is disabled)
	Add a line to roots crontab
	$ su
	# crontab -e

	add a line like the following:

    	40 * * * * /home-dir-of-vpopmail/bin/clearopensmtp 2>&1 > /dev/null

	replace "home-dir-of-vpopmail" with the home directory of vpopmail user. 
	To find the home dir of vpopmail:
		grep vpopmail /etc/passwd
        pick out the entry for the home dir

vpopmail:x:502:502::/home/vpopmail:/bin/bash
                    ^^^^^^^^^^^^^^

Done!

You can go on to add a virtual domain and users if you wish

6. Add a virtual domain

	For this example, we will add a domain "test.com"

	# cd /home-dir-of-vpopmail/bin

	# ./vadddomain test.com
		or
	# ./vadddomain test.com password-for-postmaster

	vadddomain will modify the following qmail files 
		(default locations used)
	/var/qmail/control/locals
	/var/qmail/control/rcpthosts
	/var/qmail/control/morercpthosts (if rcpthosts > than 50 lines)
	/var/qmail/control/virtualdomains
	/var/qmail/users/assign
	/var/qmail/users/cdb

	It will also create a domains directory 
		~vpopmail/domains/test.com
		~vpopmail/domains/test.com/postmaster/Maildir ...
		~vpopmail/domains/test.com/vpasswd
		~vpopmail/domains/test.com/vpasswd.cdb

	If you do not specify a password on the command line, it
	will prompt for a password for the postmaster.

	Then it will send a kill -HUP signal to qmail-send telling it
	to re-read the control files.

	Note: setting up DNS MX records for the virtual domain is not
	covered in this INSTALL file.

7. Add a new pop user.

	You can install qmailadmin and administer your new pop mail
	system via a web interface. Or you can use the command line
	interface.

	# cd /home-dir-of-vpopmail/bin
	# ./vadduser newuser@test.com
		or
	# ./vadduser newuser@test.com <password-for-newuser>

	In the case where the domain is specified (user@domain.com), 
	the user is added to the ~vpopmail/domains/domain.com directory.
	If you don't enter a password on the command line, it will
	prompt for a password.

8. Delete a pop user

	# cd /home-dir-of-vpopmail/bin
	# ./vdeluser newuser@test.com (for the test.com virtualdomain example)

9. Delete a virtual domain

	# cd /home-dir-of-vpopmail/bin
	# ./vdeldomain test.com

10. Changing a pop users password (new in 3.4.3)
	# cd /home-dir-of-vpopmail/bin
	# ./vpasswd user@domain.com
			or
	# ./vpasswd user@domain.com <password-for-user@domain.com>

11. Information details hiding 
	Alot of the underlying qmail details are not covered in this
	file. This is on purpose. If you want to find out the internal
	workings of vchkpw and qmail look into /var/qmail/control files
	and /var/qmail/users/assign file. 

12. How to use vchkpw with qmail-pop3d server

	Here is a sample startup line for qmail-pop3d and vchkpw

	env - PATH="/var/qmail/bin:/usr/local/bin" \
	tcpserver -H -R 0 pop-3 \
	/var/qmail/bin/qmail-popup your.domain.com \
	/home-dir-of-vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir &

	If you want to authenticate against /etc/passwd do not use the -u -g
	options, since it would need to run as root.
 
	Notice where the vchkpw program goes. 
	Some sites use pop3 instead of pop-3. /etc/services has the
        master list. grep pop /etc/services to find out.

	If you want to use inetd style startup use this:
		pop3 stream tcp nowait root \
  		/var/qmail/bin/qmail-popup \
  		qmail-popup mail.stilen.com \
  		/home/vpopmail/bin/vchkpw \
  		/var/qmail/bin/qmail-pop3d \
  		Maildir

	If you want to use xinetd style use this:
service pop3
{
    disable              = no
    socket_type       = stream
    protocol             = tcp
    wait                   = no
    user                  = root
    server                = /var/qmail/bin/qmail-popup
    server_args        = foo.bar.com /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir
    log_type             = FILE /var/log/xinetd.log
    log_on_success  = HOST
    log_on_failure      = HOST RECORD
}

13. For sites using the mysql module and --enable-roaming-users=y it
    is highly suggested to use Matt Simersons tcpserver-mysql patch.
    This removes the need for vpopmail to compile a tcp.smtp.cdb file
    for each pop authentication. Instead, tcpserver looks directly
    into the vpopmail mysql table of IP's.

14. Good luck

Please report any bugs to kbo@inter7.com.

Also visit http://www.inter7.com/vchkpw/ home page and join the
mailing list vchkpw@inter7.com by sending an email 
to vchkpw-subscribe@inter7.com

About

vpopmail is a set of API that manages virtual user accounts on a qmail system, and handles delivery for these virtual users. The command-line utilities, and Qmailadmin all use the vpopmail API, provided by the vpopmail library to manage the system.

Please note that this document does not yet cover the 5.5 branch of vpopmail.

Features

Roaming Users

Roaming users provides a non-SMTP_AUTH authentication system for allowing users with dynamic IPs to send mail through the server without allowing relay from non-authenticated users. After a user has authenticated via POP3, IMAP, etc, their IP is set allowed to relay for the next three hours. This provides them plenty of time to read and respond to all their email. Successive authentications during this time extend the time limit.

SMTP authentication is preferred over roaming users.

Where do I get vpopmail?

vpopmail is available for download at sourceforge http://sourceforge.net/projects/vpopmail/. vpopmail is also available at our website http://www.inter7.com/.

Installing vpopmail

Getting started

This documentation assumes qmail is already installed. If you know what you're doing, you can install vpopmail before qmail, which can be useful when patching qmail with patches that require vpopmail. Run these commands only if you do not have qmail installed:

 mkdir /var/qmail/
 mkdir /var/qmail/bin
 touch /var/qmail/bin/qmail-inject
 touch /var/qmail/bin/qmail-newu
 touch /var/qmail/bin/qmail-newmrh

Before you can configure and install vpopmail, you must create a vpopmail user, and a vpopmail group. An old practice, that most people still follow today, is to name the group vchkpw, and the user vpopmail. The vpopmail tarball will recognize any group name, however, the username must bevpopmail unless you specify an alternative username while configuring.

 groupadd vchkpw
 useradd -g vchkpw vpopmail

If you plan to use roaming users (POP-before-SMTP), you will need to create a tcpserver rules file that vpopmail can update.

 mkdir -p /home/vpopmail/etc
 echo '127.0.0.1:allow,RELAYCLIENT=""' > /home/vpopmail/etc/tcp.smtp
 tcprules /home/vpopmail/etc/tcp.smtp.cdb /home/vpopmail/etc/tcp.smtp.tmp < /home/vpopmail/etc/tcp.smtp

Configuring vpopmail

vpopmail comes packaged with a configure script which will enable the package with the features you want, and disable the ones you don't. To configure vpopmail, while in the vpopmail source directory, run the following command:

./configure <options>

Configure options

 --enable-qmaildir=DIR      Directory where qmail control and user directories are installed /var/qmail.
 --enable-qmail-newu=PATH   Full path to qmail-newu program.
 --enable-qmail-inject=PATH Full path to qmail-inject program.
 --enable-qmail-newmrh=PATH Full path to qmail-newmrh program.
 --enable-vpopuser=USER     User name allocated to vpopmail vpopmail.
 --enable-vpopgroup=GROUP   Group name allocated to vpopmail vchkpw.
 --enable-roaming-users     Enable POP-before-SMTP functionality.
 --enable-tcprules-prog=PATH    Full path to tcprules program /usr/{local/}bin/tcprules.
 --enable-tcpserver-file=PATH   File where tcpserver -x relay information is stored /home/vpopmail/etc/tcp.smtp.
 --disable-rebuild-tcpserver-file  Disable rebuilding of tcpserver relay control file.
 --enable-relay-clear-minutes=#    Expire time for roaming users after pop authentication [180].
 --enable-learn-passwords   If no password is stored for a user, learn it the first time they authenticate.
 --disable-md5-passwords    Use DES crypt() instead of MD5 encryption for passwords.
 --disable-file-locking     Don't use file locking.
 --enable-file-sync         Enable file sync after each message is delivered.
 --disable-make-seekable    Don't try to make input to vdelivermail seekable.
 --disable-clear-passwd     Don't store a cleartext version of the password in addition to the encrypted version.
 --disable-users-big-dir    Disable hashing of user directories.
 --enable-sqwebmail-pass    Store a copy of the user's password in the the user's maildir for use by pre-v3 sqwebmail.
 --enable-qmail-ext         Enable qmail email address extension support.
 --enable-ip-alias-domains  Enable mapping of default domain via reverse ip lookup table.
 --enable-spamassassin      Enable spamassassin. See  README.spamassassin for more info.
 --enable-spamc-prog=PATH   Full path to spamc program /usr/{local/}bin/tcprules.
 --enable-domains-dir=TEXT  Set domains directory name for ~vpopmail/domains/user/.
 --enable-incdir=DIR        Your MySQL/Oracle 'include' directory.
 --enable-libdir=DIR        Your MySQL/Oracle 'lib' directory.
 --enable-auth-module=MOD   Nominate how to store the vpopmail account information (cdb (default), mysql, pgsql, 
                            ldap, oracle, sybase, or activedir).
 --enable-passwd            Enable /etc/passwd (or shadow) accounts in addition to virtual domains.
 --enable-logging=OPT       Log to syslog: n=nothing, e=errors only (default), y=all attempts, 
                            p=errors with passwords, v=verbose (all attempts, withpasswords).
 --enable-log-name=TEXT     Set syslog name vpopmail.
 --disable-auth-logging     Don't record time and ip of last auth attempt. 
                            Valid only for CDB, MySQL, PGSQL, LDAP, ActiveDir.
 --enable-sql-logging       Enable authentication logging to MySQL/Postgres.
 --enable-mysql-limits      Use MySQL to store limits instead of .qmailadmin-limits files.
 --enable-mysql-replication Enable support for replicated MySQL auth servers.
 --enable-valias            Store email aliases in MySQL.
 --disable-many-domains     Creates a table for each virtual domain instead of storing all users in a single table.
                            Only valid for MySQL and PostgreSQL

qmail extensions

This configuration allows users to receive mail to addresses in the format username-anything@example.com qmail extensions is enabled by adding --enable-qmail-ext to the configure line. Don't let the name fool you, this feature is maintained by vpopmail, and not qmail. Once this feature is enabled, it automatically works globally for all domains. If you want this feature to be enabled on a per-user, or per-domain basis, you will need to create dotqmail files under the domain directory to support this.

Compiling

Once the configure process has been completed, and there are no errors, you will see a table displaying enabled and disabled features. From here, compile:

make

If all goes well, and no errors occur:

make install-strip

vpopmail is now installed.

Command-line utilities

All binaries for user management are, by default, under /home/vpopmail/bin. Almost all the binaries in this directory can be executed, without arguments, to display a usage.

vadddomain

Adds a new domain to the mailserver

vadddomain: usage: vadddomain [options] virtual_domain [postmaster password]
options: -v prints the version
         -q quota_in_bytes (sets the quota for postmaster account)
         -b (bounces all mail that doesn't match a user, default)
         -e email_address (forwards all non matching user to this address [*])
         -u user (sets the uid/gid based on a user in /etc/passwd)
         -d dir (sets the dir to use for this domain)
         -i uid (sets the uid to use for this domain)
         -g gid (sets the gid to use for this domain)
         -O optimize adding, for bulk adds set this for all
            except the last one
         -r[len] (generate a len (default 8) char random postmaster password)

 [*] omit @-sign to deliver directly into user's Maildir: '-e postmaster'

vaddaliasdomain

Aliases one domain to another. All users, forwards, autoresponders, etc are the same across the real domain, and the aliased domain.

vaddaliasdomain: usage: [options] real_domain alias_domain
options: -v (print version number)
note: for backward compatability, you can swap real_domain and alias_domain.

Notes

This command creates an entry in the qmail/users/assign file directing all transactions for the new, alias domain name, to the current, real domain. This eliminates needing symlinks, and other harddrive intensive operations.

vdeldomain

Deletes a domain from the mailserver, all users, and all mail under this domain

vdeldomain: usage: [options] domain_name
options: -v (print version number)
         -f (force delete of virtual domains)

vadduser

Adds a mailbox to a domain

vadduser: usage: [options] email_address [passwd]
options: -v (print the version)
         -q quota_in_bytes (sets the users quota, use NOQUOTA for unlimited)
         -c comment (sets the gecos comment field)
         -e standard_encrypted_password
         -n no_password
         -r[len] (generate a len (default 8) char random password)

vdeluser

Deletes a mailbox from a domain, including all mail for that user

vdeluser: usage: [options] email_address
options: -v (print version number)

vdominfo

Return basic information about one or all domains hosted on the server

vdominfo: usage: [options] [domain]
options: -v (print version number)
         -a (display all fields, this is the default)
         -n (display domain name)
         -u (display uid field)
         -g (display gid field)
         -d (display domain directory)
         -t (display total users)

Note that to return the usage with vdominfo, you must type

vdominfo -h

vuserinfo

Return information about user accounts

vuserinfo: usage: [options] email_address
options: -v (print version number)
         -a (display all fields, this is the default)
         -n (display name field)
         -p (display crypted password)
         -u (display uid field)
         -g (display gid field)
         -c (display comment field)
         -d (display directory)
         -q (display quota field)
         -Q (display quota usage)
         -C (display clear text password)
         -l (display last authentication time)
         -D domainname (show all users on this domain)

vmoduser

Modify user settings and flags

vmoduser: usage: [options] email_addr or domain (for each user in domain)
options: -v ( display the vpopmail version number )
         -n ( don't rebuild the vpasswd.cdb file )
         -q quota ( set quota )
         -c comment (set the comment/gecos field )
         -e encrypted_passwd (set the password field )
         -C clear_text_passwd (set the password field )
the following options are bit flags in the gid int field
         -x ( clear all flags )
         -d ( don't allow user to change password )
         -p ( disable POP access )
         -s ( disable SMTP AUTH access )
         -w ( disable webmail [IMAP from localhost*] access )
            ( * full list of webmail server IPs in vchkpw.c )
         -i ( disable non-webmail IMAP access )
         -b ( bounce all mail )
         -o ( user is not subject to domain limits )
         -r ( disable roaming user/pop-before-smtp )
         -a ( grant qmailadmin administrator privileges )
         -S ( grant system administrator privileges - access all domains )
         -E ( grant expert privileges - edit .qmail files )
         -f ( disable spamassassin)
         -F ( delete spam)
  [The following flags aren't used directly by vpopmail but are]
  [included for other programs that share the user database.]
         -u ( set no dialup flag )
         -0 ( set V_USER0 flag )
         -1 ( set V_USER1 flag )
         -2 ( set V_USER2 flag )
         -3 ( set V_USER3 flag )

Notes

The vmoduser command is very useful for more advanced user options. Each user has a set of flags that can be set on them. For instance, 'No webmail' will disallow them to use a webmail interface, and 'No POP3' will not allow them to download mail via POP. Generally people use these flags to nudge customers who haven't paid, or to provide specific services to users who are paying for specific services (ie: webmail or pop3, etc). You can also set a flag which disallows them to send mail. Other than user flags, one can also set quotas with this command.

• -s ( no smtp access ) if you have qmail-smtpd patched to support smtp authentication using the vchkpw program, then this option will cause the smtp connection to be dropped. Which in effect makes it impossible for the user to send email.

• -r ( no external relay flag ) With this option turned on, the user will be able to only send email to local accounts. They will not be able to send email out to the internet. For example: A company can create internal email only accounts.

vpopbull

Short for vpopmail bulletin, vpopbull mass-mails local users an email.

usage: vpopbull [options] -f [email_file] [virtual_domain] [...]
       -v (print version number)
       -V (verbose)
       -f email_file (file with message contents)
       -e exclude_email_addr_file (list of addresses to exclude)
       -n (don't mail. Use with -V to list accounts)
       -c (default, copy file)
       -h (use hard links)
       -s (use symbolic links)

Notes

The vpopbull command solves a number of problems with trying to mail all your users. Firstly, you dont need to maintain a list of all your user accounts to email to. Secondly, emailing users through the actual qmail server would be inefficient. vpopbull drops messages directly into their Maildir directories where they can be picked up by POP3, webmail, etc, making the operation a simple copy operation instead of an actual mailing operation.

The email sent must be a fully valid email message, including From, and Subject headers, followed by a blank line, followed by the message. The one exception is that a To header should not be included.

From: <example@example.com>
Subject: Server maintenance

Dear example.com users,

   We will be performing maintenance on the mail server tomorrow morning.
The maintence window will be between 3am and 5am, and the server will be
down turning this time.

Thank you for your patience,
The example.com Staff

More complicated messages, including ones with attachments, etc, can also be made, however the specifics of generating a multipart message is out of the scope of this document.

vpasswd

vpasswd is used to change passwords for users on the system.

vpasswd: usage: [options] email_address [password]
options: -v (print version number)
         -r generate a random password

vchangepw

vchangepw allows changing of passwords for email addresses hosted on the system. This differs from vpasswd in that it requires you to know the current password for the email address. Note that there is no usage for this binary.

Tom Collins submitted a patch to the vpopmail tree including this binary

vsetuserquota

vsetuserquota is used to modify quotas for a single user, or on all users on a domain. See Vpopmail#Quotas for details on quotas.

vsetuserquota: [options] email_address|domain_name quota
options:
-v (print version number)

If you specify a domain name rather than an email address,
the quota will be applied to all users in that domain

Other binaries

You will probably notice that there are binaries in the bin directory that aren't listed above. These binaries are either used by vpopmail to handle delivery or other aspects of the mail system management, or they are used by more advanced users or users who are migrating data between databases.

clearopensmtp

When vpopmail has been compiled with the --enable-roaming-users=y flag enabled, this binary is run out of the crontab every 5 minutes to update the list of IPs that are no longer allowed to send mail. This is a binary used by the Roaming Users feature of vpopmail.

dotqmail2valias

When vpopmail has been compiled with the --enable-valias=y flag, this binary will find all dotqmail files under vpopmail and convert them to valias entries in the database.

valias

When configured with --enable-valias=y, the valias command can be used to add, edit, and delete valiases from the database.

vchkpw

vchkpw is the authentication mechanism used by qmail to check passwords required for downloading mail, and in the case of SMTP_AUTH, sending mail.

vconvert

vconvert is used during conversions and migrations between different database methods. Specifically, vconvert can convert to and from several databases, all information about the users on a vpopmail system.

vconvert: usage
 The first option sets which format to convert FROM,
 the second option sets which format to convert TO.
 -e = etc format
 -c = cdb format
 -m = sql format
 -S = set sqwebmail passwords
 -v = version
 -d = debug info

vdelivermail

vdelivermail is vpopmail's delivery agent. It handles delivery of messages, bouncing, catch-alls, etc. You will find calls to vdelivermail in the .qmail-default file under each domain.

As this is a binary internal to vpopmail's operation, there is no usage provided by the binary. vdelivermail can be called with the following syntax:

 vdelivermail  <default action>

The 'default action' may be one of the following:

   bounce-no-mailbox
 
   All mail to non-existing recipients on this domain will be bounced.  Additionally,
   if the chkuser patch is installed, the recipient will be rejected during the SMTP
   session as a failed RCPT TO response message.

   delete
 
   All mail to non-existing recipients will be accepted and silently dropped for this
   domain

   /path/to/Maildir/
 
   All mail to non-existing recipients will be accepted and delivered into the Maildir

It should be noted that in the current climate of mail abuse via spammers and viruses, that all settings other than bounce-no-mailbox with the chkuser patch installed, are considered a potential problem. Dictionary attacks can take a server to its knees.

vdeloldusers

vdeloldusers compares the last authentication time for all users against an age in days provided on the command-line, and removes all users which match.

vdeloldusers: usage: [options]
options: -a age_in_days (will delete accounts older than this date)
                        (default is 6 months or 180 days)
         -v (print version number and exit)
         -d [domain] (process only [domain])
         -e (process every domain)
         -D (actually delete users. no users are deleted without this option)
         -V (verbose -- print old users that will be deleted)

vipmap

vipmap stands for Vpopmail IP Map. It maps connections on specific IPs, to a particular domain, enabling users to provide just their username for authentication as opposed to the standard user@domain syntax, providing they have connected to a mapped IP.

vipmap: usage: [options] ip domain
options: -d delete mapping
         -a add mapping
         -p print mapping
         -v show version

vkill

vkill is used internally by vpopmail to kill its own processes.

vmkpasswd

vmkpasswd generates the vpasswd.cdb files seen under each of your domain directories. The CDB format allows for faster lookups of information by providing a disk-based hashtable database.

This could be handful for people who are copying one domain to another server. Here is a list of things you have to finish to make it all work again:
- Find directory of domain with vuserinfo on server A
- Add this domain to server B, with the same password as it was on server A
- Find out where the domain is located at server B and change to this directory
- Use rsync to download the entire directory from server A like this, make sure you are in the example.com at server B:
rsync -avz serverA:/dirofvpopmail/domains/example.com/ .
- Make also sure that all the files have vpopmail as its user and vchkpw as its group
- Now check vpasswd in the domain directory. It could have happened that your domain directory has been changed, if so, edit the directory value and run vmkpasswd example.com.

vmoddomlimits

vmoddomlimits provides a command-line interface for modifying the .qmailadmin-limits files that may appear under your domains' directories. This file specifies how many users, forwards, mailing lists, etc that a user with the postmaster password may create with Qmailadmin.

vmoddomlimits: usage: [options] domain
options: -v ( display the vpopmail version number )
         -d ( use the vlimits.default file, instead of domain )
         -S ( show current settings )
         -D ( delete limits for this domain, i.e. switch to default limits)
         -Q quota-in-megabytes ( set domain disk quota, '100' = 100 MB )
         -q quota-in-bytes ( set default user quota, '10M' = 10 MB )
         -M count ( set domain max msg count )
         -m count ( set default user max msg count )
         -P count ( set max amount of pop accounts )
         -A count ( set max amount of aliases )
         -F count ( set max amount of forwards )
         -R count ( set max amount of autoresponders )
         -L count ( set max amount of mailing lists )
the following options are bit flags in the gid int field
          -g "flags"  (set flags, see below)
          gid flags:
            u ( set no dialup flag )
            d ( set no password changing flag )
            p ( set no pop access flag )
            s ( set no smtp access flag )
            w ( set no web mail access flag )
            i ( set no imap access flag )
            r ( set no external relay flag )
            c ( set no spamassasssin flag )
           x ( set delete spam flag )
the following options are bit flags for non postmaster admins
         -p "flags"  (set pop account flags)
         -a "flags"  (set alias flags)
         -f "flags"  (set forward flags)
         -r "flags"  (set autoresponder flags)
         -l "flags"  (set mailinglist flags)
         -u "flags"  (set mailinglist users flags)
         -o "flags"  (set mailinglist moderators flags)
         -x "flags"  (set quota flags)
         -z "flags"  (set default quota flags)
         perm flags:
            a ( set deny all flag )
            c ( set deny create flag )
            m ( set deny modify flag )
            d ( set deny delete flag )

vpopmaild

vpopmaild is a daemon, still under development, which provides a network-based interface to the vpopmail API. There is no further support yet available for this part of vpopmail.

For more information see vpopmaild

vqmaillocal

vqmaillocal is a development testing program, and has no impact on a vpopmail system.

Other Features

Here is a list of features that are not so commonly used, but definately have their place.

valias

valias provides use of special delivery instructions normally found in dotqmail, from a database. Depending upon systems, this may or may not increase efficiency. Careful thought as to system size, and scalability must be taken into account when enabling and using this feature.

API

The vpopmail API gives developers access to vpopmail functions such as adding domains, adding users, and updating user passwords. vpopmail, in general, does not make any of its API private, but this document will cover high-level functions; the functions command-line utilities call. vpopmail has a set of standard error codes that all functions can return. To properly utilize vpopmail's API, return code checking should be done after all calls. High-level function calls, as they are refered to as in this document, are prefixed with a v. Care, and a good understanding of vpopmail's API should be used when calling other functions.

This documentation is current as of vpopmail version 5.4.15

Return codes

vpopmail's return codes are for the most part self-explanitory. Further documentation is not really needed. This list is taken from vpopmail.h. All high-level vpopmail API functions return VA_SUCCESS on successful calls, and one of the below error codes on failure.

#define VA_SUCCES                         0
#define VA_ILLEGAL_USERNAME              -1
#define VA_USERNAME_EXISTS               -2
#define VA_BAD_DIR                       -3
#define VA_BAD_U_DIR                     -4
#define VA_BAD_D_DIR                     -5
#define VA_BAD_V_DIR                     -6
#define VA_EXIST_U_DIR                   -7
#define VA_BAD_U_DIR2                    -8
#define VA_SUBDIR_CREATION               -9
#define VA_USER_DOES_NOT_EXIST          -10
#define VA_DOMAIN_DOES_NOT_EXIST        -11
#define VA_INVALID_DOMAIN_NAME          -12
#define VA_DOMAIN_ALREADY_EXISTS        -13
#define VA_COULD_NOT_MAKE_DOMAIN_DIR    -14
#define VA_COULD_NOT_OPEN_QMAIL_DEFAULT -15
#define VA_CAN_NOT_MAKE_DOMAINS_DIR     -16
#define VA_COULD_NOT_UPDATE_FILE        -17
#define VA_CRYPT_FAILED                 -18
#define VA_COULD_NOT_OPEN_DOT_QMAIL     -19
#define VA_BAD_CHAR                     -20
#define VA_SQWEBMAIL_PASS_FAIL          -21
#define VA_BAD_UID                      -22
#define VA_NO_AUTH_CONNECTION           -23
#define VA_MEMORY_ALLOC_ERR             -24
#define VA_USER_NAME_TOO_LONG           -25
#define VA_DOMAIN_NAME_TOO_LONG         -26
#define VA_PASSWD_TOO_LONG              -27
#define VA_GECOS_TOO_LONG               -28
#define VA_QUOTA_TOO_LONG               -29
#define VA_DIR_TOO_LONG                 -30
#define VA_CLEAR_PASSWD_TOO_LONG        -31
#define VA_ALIAS_LINE_TOO_LONG          -32
#define VA_NULL_POINTER                 -33
#define VA_INVALID_EMAIL_CHAR           -34
#define VA_PARSE_ERROR                  -35
#define VA_CANNOT_READ_LIMITS           -36
#define VA_CANNOT_READ_ASSIGN           -37
#define VA_CANNOT_OPEN_DATABASE         -38
#define VA_INVALID_IP_ADDRESS           -39
#define VA_QUERY_FAILED                 -40
#define VA_STORE_RESULT_FAILED          -41
#define VA_INVALID_OPEN_MODE            -42
#define VA_CANNOT_CREATE_DATABASE       -43
#define VA_CANNOT_CREATE_TABLE          -44

Functions

Add domain - vadddomain()

Add support for a domain to the vpopmail+qmail system.

Declaration

int vadddomain( char *domain, char *dir, uid_t uid, gid_t gid )

Usage

The domain argument is the domain to be added to the system. Your qmail control/rcpthosts, control/virtualdomains, and users/assign will be updated, and the vpopmail authentication module will be updated with the proper details. The dir parameter sets the directory where the domain will be added under. In most cases, this will be the vpopmail/domains directory.

Notes

This API function does not add a postmaster account.

Delete domain - vdeldomain()

Remove a domain from the vpopmail+qmail system.

Declaration

int vdeldomain( char *domain )

Usage

Passing the domain option will update the qmail control/rcpthosts, control/virtualdomains, users/assign, as well as updating the authentication module.

Notes

All mail storage, and user authentication information will be removed for this domain. When in doubt, make backups.

Add user - vadduser()

Add a user to a domain on a vpopmail system.

Declaration

int vadduser( char *username, char *domain, char *password, char *gecos, int apop )

Usage

The username will be added under domain with a password of password, and a GECOS of gecos via the authentication module. Any directory hashing will be handled by vpopmail internally. If apop is set to 1, the apop secrets file will be updated.

Delete user - vdeluser()

Remove a user from the vpopmail system.

Declaration

int vdeluser( char *user, char *domain )

Usage

Removes an entry from the authentication module's database, and removes all user data.

Notes

All user authentication information, and mailstore data associated with this user will be deleted. Make backups where appropriate.

Change user password - vpasswd()

Update a user's password.

Declaration

int vpasswd( char *username, char *domain, char *password, int apop )

Usage

vpasswd updates a user authentication entry in the authentication module's database where username is the user portion of the email address, domain is the domain portion of the email address, and password is a clear-text version of the user's password. The apop flag is not used.

Set user quota - vsetuserquota()

Declare a user's mailstore quota.

Declaration

int vsetuserquota( char *username, char *domain, char *quota )

Usage

Updates the authentication module's database with a Maildir-quota-style quota as defined by quota for username@domain. The user's mailstore usage is also re-calculated.

Troubleshooting

How to troubleshoot vpopmail

vpopmail is relatively easy to troubleshoot, given a little background knowledge on how it processes authentication information, and message delivery information. Before you head down below for specific information about a problem you might be having, get aquainted with how vpopmail handles your day-to-day mail activities.

Authentication

In order to authenticate users, there's a series of steps that is taken. We will be examining vchkpw, the standard binary used for authentication with POP3.

• Firstly, vchkpw expects a valid username.

Because vpopmail is a virtual domain package, it also needs to know what domain they're on. Depending upon the system configuration, the username will sometimes be simply 'username', with a domain mapped either to an IP, or as a default domain, but generally the username will be 'user@domain'. Does the username contain entirely valid characters? Does the domain contain valid characters?

• Next vpopmail opens the qmail/users/cdb

file to determine if the domain is valid. Here is where permissions errors come in. Can the process trying to authenticate access the cdb file? Does the cdb file exist? Is it updated with the latest information from the qmail/users/assign file? Is there an issue with the contents of the assign file causing the cdb file not to be updated? As you can see, each step can have a number of actual causes, but generally they all cause a similar symptom, which can make determining the actual cause a little difficult.

• The next step is to determine if the username provided exists on that domain.

Depending upon the authentication storage scheme, yet more issues can arise here. For the sake of this document, we will assume CDB, however, those of you using MySQL, or another network-based DB may wish to make sure your authentication information is correct. Can the process wishing to authenticate access the vpasswd.cdb file? All processes accessing authentication information for vpopmail must be at least SUID/SGID vpopmail. Note that files under the vpopmail directory should NEVER have their permissions changed to be read by users other than the vpopmail user. Does the vpasswd.cdb file exist? Has it been updated with the latest information from the vpasswd file? Does the vpasswd file contain entirely valid syntax?

• Next it compares their password.

Obviously the question here is, do they have the correct password?

• Now user flags are checked.

Are they allowed to access the POP server? At this point, other flags are checked for other services as well. SMTP, IMAP, etc.

• Now we set up the environment to deal with their mailbox files.

Are the permissions on the user's home directory and Maildir correct?

• The next, and final step is to execute the POP handler.

If this part fails, make sure your POP binary is there, and that it can be executed by the process.

Specific Issues

One of my users can't authenticate via POP3

• Is the user using the correct login name?

Sometimes users are simply using the wrong login name. Try verifying their login information yourself before going any further.

• Is the user using the correct login syntax?

Depending upon the configuration of the system, one may need to log in with different username formats. user@domain is the most common. Be sure your users know that this is the correct format for authenticating for mail.

• Is the user using the correct password?

Systems with clear-text passwords enabled can allow administrators and technical staff to quickly diagnose this issue.

• Is the POP3 server running as root?

The POP3 server must run as root so that it may change the proper UID/GID after it determines what that UID/GID is.

• Does the qmail/users/assign file contain the domain?
• Does the qmail/users/assign file contain proper syntax?
• Is the qmail/users/cdb file up to date?
• Are permissions correct on the vpopmail home directory and sub-directories?

When using MySQL for authentication, I get the error vmysql: sql error[3] MySQL server has gone away

This is almost always caused by permissions, or authentication problems. First, using the information from ~vpopmail/etc/vpopmail.mysql, try to access the MySQL database via the mysql client as the vpopmail system user. (Depending upon your system, you may need to use sudo)

# su vpopmail
$ mysql -u vpopmail -p vpopmail
Enter password:

At this point, you may have received any number of errors. If you get to a MySQL prompt, try the following:

mysql> show tables;

Pick a table. vpopmail is a good one to use

mysql> select count(*) from vpopmail;

The most common problem here is that vpopmail cant access the MySQL socket. Check the location where your MySQL server is creating the socket file, and be sure the vpopmail user can read and write to it.

This problem can also be caused, under certian circumstances on FreeBSD 4.x and 5.x systems when MySQL is compiled with the following options:

WITH_LINUXTHREADS=YES

This is the default compile for many FreeBSD ports distrobutions as it solves several 'spin-locking' and other performance and latency issues. However when a system is under high load it may cause a problem with vpopmail showing the "vmysql: sql error[3] MySQL server has gone away" or no error at all. re-compiling MySQL WITH_LINUXTHREADS=NO will solve this problem.

I've lost all my qmail control files

This can occur because of disk corruption, or administrative mistakes. Either way this is actually solved rather easily. This will recover your domain hosting information, but not any of your other control files.

To use this script, copy the below contents to ~vpopmail/domains/gen-hashed.sh It *must* be called gen-hashed.sh, and it must reside in ~vpopmail/domains. Then just run it. There is no output except three files are created, controls.rcpthosts, controls.virtualdomains, users.assign. These three files should be copied or moved into their respective locations inside the qmail directory.

#!/bin/sh
#
# Generate control files from hashed
# vpopmail domain tree.  Should be run
# from ~vpopmail/domains directory,
# and script should be named gen-hashed.sh
#
# <matt@inter7.com>
#
 
SUB=""
  
rm -f users.assign control.rcpthosts control.virtualdomains

if [ $# -eq 1 ]; then
        CPWD=$PWD
        SUB=$1/
        cd $1
fi
 
for i in *; do
        if [ ! -d $i ]; then
                continue
        fi

        if [ ${#i} -eq 1 ]; then
                /home/vpopmail/domains/gen-hashed.sh $i
                continue
        fi


        if [ "$CPWD" != "" ]; then
                CPWD="${CPWD}/"
        fi

        echo "+$i-:$i:89:89:$PWD/$i:-::" >> ${CPWD}users.assign
        echo "$i:$i" >> ${CPWD}control.virtualdomains
        echo "$i" >> ${CPWD}control.rcpthosts
done

if [ "$SUB" != "" ]; then
        cd $CPWD
fi

if [ $# -eq 0 ]; then
        echo "." >> ${CPWD}users.assign
fi

Qmail Conflicts

If the program qmail-pw2u is run, it will delete the existing contents of /var/qmail/users/assign. If this happens, run the gen-hashed.sh script in the previous section. The qmail RPM by Bruce Guenter includes a cron job that runs qmail-pw2u hourly, you need to disable the cron job.

Nguyen dinh thien viettelidc.com.vn

welcome here

http://www.qmail.org/
http://qmail.yongbok.net/top.html
http://www.qmail.org/netqmail/
http://www.qmail.org/netqmail-1.06.tar.gz
http://www.lifewithqmail.org/
http://cr.yp.to/qmail.html
http://www.qmail.org/man/misc/INSTALL.txt

SAVE COPIES OF YOUR OUTGOING MAIL! Like any other piece of software (and
information generally), the qmail system comes with NO WARRANTY. It's
much more secure and reliable than sendmail, but that's not saying much.


Things you have to decide before starting:

* The qmail home directory, normally /var/qmail. To change this
directory, edit conf-qmail now.

* The names of the qmail users and the qmail groups. To change these
names, edit conf-users and conf-groups now.


To create /var/qmail and configure qmail (won't interfere with sendmail):

 1. Create the qmail home directory:
       # mkdir /var/qmail

 2. Read INSTALL.ids. You must set up the qmail group and the qmail
    users before compiling the programs.

 3. Compile the programs and create the qmail directory tree:
       # make setup check

 4. Read INSTALL.ctl and FAQ. Minimal survival command:
       # ./config

 5. Read INSTALL.alias. Minimal survival command:
       # (cd ~alias; touch .qmail-postmaster .qmail-mailer-daemon .qmail-root)
       # chmod 644 ~alias/.qmail*

 6. Read INSTALL.mbox and INSTALL.vsm.

 7. Read INSTALL.maildir.

 8. Copy /var/qmail/boot/home (or proc) to /var/qmail/rc.


To test qmail deliveries (won't interfere with sendmail):

 9. Enable deliveries of messages injected into qmail:
       # csh -cf '/var/qmail/rc &'

10. Read TEST.deliver.


To upgrade from sendmail to qmail:

11. Read SENDMAIL. This is what your users will want to know about the
    switch from sendmail to qmail.

12. Read REMOVE.sendmail. You must remove sendmail before installing
    qmail.

13. Read REMOVE.binmail.

14. Add
            csh -cf '/var/qmail/rc &'
    to your boot scripts, so that the qmail daemons are restarted
    whenever your system reboots. Make sure you include the &.

15. Make qmail's ``sendmail'' wrapper available to MUAs:
       # ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
       # ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail
    /usr/sbin might not exist on your system.

16. Set up qmail-smtpd in /etc/inetd.conf (all on one line):
            smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env
            tcp-env /var/qmail/bin/qmail-smtpd

17. Reboot. (Or kill -HUP your inetd and make sure the qmail daemons
    are running.)

18. Read TEST.receive.



That's it! To report success:
       % ( echo 'First M. Last'; cat `cat SYSDEPS` ) | mail djb-qst@cr.yp.to
Replace First M. Last with your name.

If you have questions about qmail, join the qmail mailing list; see 

http://pobox.com/~djb/qmail.html.

http://cr.yp.to/daemontools.html
http://cr.yp.to/daemontools/install.html
http://cr.yp.to/daemontools/daemontools-0.76.tar.gz

D. J. Bernstein 

daemontools

How to start daemontools 
The svscanboot program 
The svscan program 
The supervise program 
The svc program 
The svok program 
The svstat program 
The fghack program 
The pgrphack program

The readproctitle program 
The multilog program 
The tai64n program 
The tai64nlocal program

The setuidgid program 
The envuidgid program 
The envdir program 
The softlimit program 
The setlock program

What is it?

supervise monitors a service. It starts the service and restarts the service if it dies. Setting up a new service is easy: all supervise needs is a directory with a run script that runs the service.

multilog saves error messages to one or more logs. It optionally timestamps each line and, for each log, includes or excludes lines matching specified patterns. It automatically rotates logs to limit the amount of disk space used. If the disk fills up, it pauses and tries again, without losing any data.

How to install daemontools

System requirements

Installation

     mkdir -p /package
     chmod 1755 /package
     cd /package

     gunzip daemontools-0.76.tar
     tar -xpf daemontools-0.76.tar
     rm -f daemontools-0.76.tar
     cd admin/daemontools-0.76

     package/install

To report success:

     mail djb-sysdeps@cr.yp.to < /package/admin/daemontools/compile/sysdeps