HOWTO QmailRocksOnGentoo

From the Gentoo Linux Wiki

This article is part of the HOWTO series.

Introduction

This How-To is complete. Only a few small things remain to be added.
--s0undt3ch 01:05, 10 September 2005 (GMT)
--Vguardiola 23:10, 30 May 2006 (GMT)

This started when I needed to install Qmail on Gentoo, based on QmailRocks but using Gentoo's ebuilds. After trying without success, I found someone who had managed it, but using MySQL. I did not want to use MySQL, so I started this How-To. You are free to add your experiences with this How-To.

This how-to is based on other how-tos and a few resources from the net:

Ebuilds used

These are the ebuilds used in this How-To.
P.S.: I have not included all the dependencies, sorry.
Can someone do a clean install and add the ones that are missing?

  • QMail
sys-apps/ucspi-tcp-0.88-r14
net-mail/dot-forward-0.71-r2
sys-process/daemontools-0.76-r5
net-mail/queue-fix-1.4-r2
virtual/qmail-1.03
net-mail/cmd5checkpw-0.30
net-mail/checkpassword-0.90-r2
mail-mta/qmail-1.03-r16
  • RELAY-CTRL
net-mail/relay-ctrl-3.1.1-r2
  • VPOPMAIL
net-mail/vpopmail-5.4.6-r1
  • COURIER-IMAP
net-libs/courier-authlib-0.58
net-mail/courier-imap-4.0.1
  • COURIERPASSD
net-mail/courierpassd-1.1.0 [provided new ebuild]
  • Ezmlm-idx
net-mail/ezmlm-idx-0.40-r2
  • Autorespond
net-mail/autorespond-2.0.4
  • QmailAdmin
net-mail/qmailadmin-1.2.3 [provided new ebuild]
  • vQadmin
net-mail/vqadmin-2.3.6
  • Razor
perl-core/Time-HiRes-1.82
virtual/perl-Time-HiRes-1.82
virtual/perl-net-ping-2.31
dev-perl/Digest-Nilsimsa-0.06-r1
mail-filter/razor-2.81
  • Spamassassin SPF support
dev-perl/Sys-Hostname-Long-1.2
dev-perl/Net-CIDR-Lite-0.18
dev-perl/Mail-SPF-Query-1.998
  • Spamassassin
dev-perl/Compress-Zlib-1.41
dev-perl/IO-Zlib-1.04
virtual/perl-PodParser-1.30
dev-perl/Net-IP-1.24
dev-perl/Socket6-0.17
dev-perl/IO-Socket-INET6-2.51
virtual/perl-MIME-Base64-3.05
virtual/perl-Digest-MD5-2.33
perl-core/digest-base-1.13
dev-perl/Digest-SHA1-2.11
virtual/perl-digest-base-1.13
dev-perl/Digest-HMAC-1.01-r1
dev-perl/Net-DNS-0.53-r1
virtual/perl-Test-Harness-2.4
dev-perl/IO-String-1.08
dev-perl/Archive-Tar-1.28
perl-core/Storable-2.15
virtual/perl-Storable-2.15
virtual/perl-libnet-1.19
dev-perl/Crypt-SSLeay-0.51
dev-perl/HTML-Tagset-3.10
dev-perl/HTML-Parser-3.48
dev-perl/URI-1.35
dev-perl/HTML-Tree-3.19.01
dev-perl/libwww-perl-5.803-r1
dev-perl/Net-SSLeay-1.25
dev-perl/IO-Socket-SSL-0.97
perl-core/DB_File-1.814
virtual/perl-DB_File-1.814
mail-filter/spamassassin-3.1.0
  • Pyzor
dev-python/pyzor-0.4.0-r2
  • DCC
mail-filter/dcc-1.3.24
  • RulesDuJour
mail-client/mailx-support-20030215
net-libs/liblockfile-1.06
mail-client/mailx-8.1.2.20040524-r1
mail-filter/spamassassin-ruledujour-20051123
  • Clam Anti-Virus
dev-libs/gmp-4.1.4-r3
net-misc/curl-7.15.1-r1
app-antivirus/clamav-0.88.2
  • Qmail-Scanner
app-arch/zip [optional]
app-arch/zoo [optional]
app-arch/lha [optional]
app-arch/rar [optional]
app-arch/unrar [optional]
app-antivirus/bitdefender-console [optional]
app-antivirus/f-prot [optional]
net-mail/qlogtools-3.1 [if using a custom ebuild]
net-mail/qmailanalog-0.70-r1 [if using a custom ebuild]
net-mail/qms-analog-0.4.4-r1 [if using a custom ebuild]
net-mail/ripmime-1.4.0.6
app-arch/unzip-5.52
net-mail/tnef-1.3.4
mail-filter/qmail-scanner-1.25-r3 [if using a custom ebuild]
  • QMS-Analog
mail-filter/qms-analog-0.4.4-r1 [if using a custom ebuild]
  • SquirrelMail
mail-client/squirrelmail-1.4.5
  • Gentoolkit-Dev
app-portage/gentoolkit-dev-0.2.5

Here we go.

Make sure the USE flags are correct

There are two ways to do this: one is to edit /etc/make.conf and set the flags globally, and the other is to set them per package. The second can keep the wrong flags from being applied to packages, for example when updating world.

  • Way ONE
vi /etc/make.conf
USE="apache2 maildir valias vhosts ssl imap authdaemond -selinux"
  • Way TWO

This is the way we follow in this how-to. All the steps are described, along with the commands to type into your shell, such as:

echo PackageCategory/PackageName The Use Flags >> /etc/portage/package.use

The selinux package keeps vpopmail and vqadmin from working correctly, so add -selinux to your make.conf. And if you do not include -selinux as in the second way, do it in your make.conf.

  • Perl

If you have any problem with qmail-scanner and its communication with clamav, try re-emerging perl with suid support.

echo "dev-lang/perl perlsuid" >> /etc/portage/package.use
emerge perl -va

Install Qmail

First of all, make sure you have removed any other mail handler such as ssmtp, sendmail, or postfix:

emerge -C ssmtp sendmail postfix

Note:

Currently, sys-apps/ucspi-tcp-0.88-r14 does not support SSL with IPv6 enabled, so you have to make a choice:

echo sys-apps/ucspi-tcp -ipv6 >> /etc/portage/package.use

Or:

echo sys-apps/ucspi-tcp -ssl >> /etc/portage/package.use

I use the first one, disabling IPv6 support.

echo  mail-mta/qmail ssl >> /etc/portage/package.use
emerge mail-mta/qmail -va

We will customize the Qmail certificate (with our own information). Change the [req_dn] section.

vi /var/qmail/control/servercert.cnf
ebuild /var/db/pkg/mail-mta/qmail-1.03-r16/qmail-1.03-r16.ebuild config
mkdir /service
ln -s /var/qmail/supervise/qmail-send /service/qmail-send
ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd

Now it is time to create the aliases for the common system accounts. These tell Qmail what to do with mail generated on the server: things such as bouncebacks, the output of the daily cron jobs and of other system processes. It is a good idea to redirect these aliases to an account that you check regularly. You do not want system mail piling up ignored in a corner of your server and, little by little, eating your disk space.

echo some_address > /var/qmail/alias/.qmail-root
echo some_address > /var/qmail/alias/.qmail-postmaster
echo some_address > /var/qmail/alias/.qmail-mailer-daemon
ln -s /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-anonymous
chmod 644 /var/qmail/alias/.qmail*

Add the following to /var/qmail/control/locals (some may already be there):

<TheMachine'sHostName>
localhost
domain.com
<TheMachine'sHostName>.domain.com
localhost.domain.com

Of course, don't forget to replace <TheMachine'sHostName> with the hostname of YOUR server ;)

Now we make Qmail load at boot and start it:

source /etc/profile
rc-update add svscan default
/etc/init.d/svscan start

That's all! You now have a mail system that handles the mail for your server and that the system's daemons and users can use.

Installing RELAY-CTRL

Using relay-ctrl is a simple and secure way to allow sending email with any client and from anywhere.

emerge relay-ctrl -va

Now edit the /etc/tcprules.d/tcp.qmail-* files; all the information in them will be your IPs. You must make your own :allow line like this one:

:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"

This will only be used for Qmail-Scanner, but for now it won't bother us either.

Then run

tcprules /etc/tcprules.d/tcp.qmail-smtp.cdb /etc/tcprules.d/tcp.qmail-smtp.tmp \
< /etc/tcprules.d/tcp.qmail-smtp
tcprules /etc/tcprules.d/tcp.qmail-pop3.cdb /etc/tcprules.d/tcp.qmail-pop3.cdb.tmp \
< /etc/tcprules.d/tcp.qmail-pop3

Or even better:

cd /etc/tcprules.d
make *

If you have set a very restrictive file mask (umask), such as 077, you will need to fix the permissions of /etc/tcprules.d/*.cdb with

chmod 644 /etc/tcprules.d/*.cdb

And now all that's left is to restart qmail.

/etc/init.d/svscan restart


IMPORTANT! If you receive mail in your account BUT cannot send, and the reason returned by the server is something like: "sorry, that domain isn't in my list of allowed rcpthosts", then try adding these lines to the file:

localhost:allow,RELAYCLIENT="",RBLSMTPD=""
domain.com:allow,RELAYCLIENT="",RBLSMTPD=""
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""

NOTE: The easiest way to forbid outgoing email from your SMTP, that is, to keep it from being a public SMTP, and only allow "localroute" (sending mail only from/to your domains, which are listed/added from vQadmin):

:allow,RBLSMTPD="-Reason_here"

Right after this, if you try to send a mail to another recipient you will receive a message like this: "sorry, that domain isn't in my list of allowed rcpthosts". A very logical system.
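
An added example, not part of the original how-to: a small audit of a tcprules source file that lists every allow rule setting RELAYCLIENT for something other than loopback, since those rules decide who may relay through the server. It relies on tcprules' documented lookup order, where a host name only matches when written with a leading = (a bare name such as localhost is compared against the client IP and never matches); the function names, the class labels and the sample rules are constructed for illustration, and IPv4-only rules are assumed.

```sh
#!/bin/sh
# Added example, not from the original how-to. Function names and the sample
# rules are constructed for illustration. Assumes IPv4-only tcprules files.

# write_sample_rules: print a constructed tcp.qmail-smtp source that combines
# the rule lines shown in this section with one address-prefix rule.
write_sample_rules() {
    cat <<'EOF'
# constructed sample for the audit below
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
localhost:allow,RELAYCLIENT="",RBLSMTPD=""
domain.com:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.1.:allow,RELAYCLIENT=""
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
EOF
}

# audit_relay_rules FILE
# Prints "<line> <class> <address>" for every allow rule that sets RELAYCLIENT
# for something other than loopback. Classes:
#   OPEN     default rule (empty address) or "=": relay for everyone
#   RDNS     "=name": relay decided by the reverse DNS name of the client
#   NOMATCH  bare name without "=": compared against the client IP, never hits
#   RANGE    IP prefix ("1.2.3.") or range ("1.2.3.4-9")
#   HOST     single IP address
# Exit status is 1 when an OPEN rule exists, 0 otherwise.
audit_relay_rules() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/      { next }   # comments and blank lines
    !/:allow/ || !/RELAYCLIENT=/  { next }   # only rules that grant relay
    {
        addr = $0
        sub(/:allow.*$/, "", addr)           # keep the address part
        sub(/^[^@]*@/, "", addr)             # drop an optional "user@" prefix
        if (addr == "" || addr == "=")       cls = "OPEN"
        else if (addr ~ /^=/)                cls = "RDNS"
        else if (addr ~ /[A-Za-z]/)          cls = "NOMATCH"
        else if (addr ~ /^127\./)            cls = "LOOPBACK"
        else if (addr ~ /\.$/ || addr ~ /-/) cls = "RANGE"
        else                                 cls = "HOST"
        if (cls == "LOOPBACK") next
        if (cls == "OPEN") found_open = 1
        printf "%d %s %s\n", NR, cls, (addr == "" ? "(default)" : addr)
    }
    END { exit found_open ? 1 : 0 }
    ' "$1"
}

# Stand-alone use: sh audit.sh /etc/tcprules.d/tcp.qmail-smtp
if [ "$#" -gt 0 ]; then
    audit_relay_rules "$1"
fi
```

With tcpserver -H, as set in conf-common later on this page, no reverse lookup is done, so RDNS rules never match either.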

Install VpopMail

echo  net-mail/vpopmail -mysql >> /etc/portage/package.use
emerge vpopmail -va

Now create a domain:

vadddomain blah.com

If this tells you that the command was not found, run:

env-update && source /etc/profile

Add a user:

vadduser user@blah.com

Delete a user:

vdeluser user@blah.com

You can also wait until you have vQadmin installed to do these operations.
That's all, Vpopmail is now configured.

IMPORTANT: Don't forget to add the new domain to /var/qmail/control/rcpthosts.

Install Courier-IMAP

Now it is time to install Courier-IMAP as the IMAP and POP3 server.

echo net-libs/courier-authlib -mysql >> /etc/portage/package.use
emerge courier-imap -va

First we will configure courier-authlib.

vi /etc/courier/authlib/authdaemonrc

Make sure the top of the authdaemonrc file is exactly like this:

authmodulelist="authvchkpw"
authmodulelistorig="authvchkpw"

You cannot put, leave, or have anything extra in it. Now it is time to configure courier-imap.

vi /etc/courier-imap/imapd

Make sure the following lines are set as shown here. They may not follow one another or be in the same order, but check that they are there and that they match.

IMAPDSTART=YES
MAXPERIP=20
MAILDIR=.maildir
MAILDIRPATH=.maildir
PRERUN="envdir /etc/relay-ctrl relay-ctrl-chdir"
LOGINRUN="relay-ctrl-allow"

Repeat the process for the imapd-ssl, pop3d and pop3d-ssl files as well, except that instead of IMAPDSTART you'll want to look for POP3DSTART or whatever's appropriate depending on the file. Let's configure...

Now let's add courier to our bootup scripts so it launches when we fire up Gentoo.

rc-update add courier-authlib default
rc-update add courier-imapd default
rc-update add courier-pop3d default

If you want to use SSL and TLS, you'll need to make SSL certs for them. Fill out State, City, Organization name etc etc etc. For the Common Name (CN) of your server make sure it's mail.yourservername.com.

vi /etc/courier-imap/imapd.cnf
vi /etc/courier-imap/pop3d.cnf

Now let's create the certificates:

mkimapdcert
mkpop3dcert

Let's add these services to boot time

rc-update add courier-imapd-ssl default
rc-update add courier-pop3d-ssl default

Last thing: once started, you can totally stop and start the whole courier suite by recycling courier-authlib. Like this:

/etc/init.d/courier-authlib restart

Now let's install a useful tool, Courierpassd. It will allow a user to change its password from within SquirrelMail. Since there's no ebuild for it, I've made a custom one, and to have it we need a small package, app-portage/gentoolkit-dev:

emerge gentoolkit-dev -va

Why are we using this? Because I've set up a support site for my ebuilds (all bugs/new features should go there because these ebuilds aren't supported by Gentoo), and also an rsync server for you to sync from in order to have my ebuilds.
First of all, after emerging app-portage/gentoolkit-dev of course, you'll need a .syncsource so gensync can know where to sync from:

cd /etc/gensync/
wget "http://dev.ufsoft.org/qmr-portage/attachment/wiki/WikiStart/qmr-portage.syncsource?format=raw" -O qmr-portage.syncsource

The defaults are good, but you can check /etc/gensync/gensync.conf and /etc/gensync/qmr-portage.syncsource.
Now, if you kept the default settings on the above files, you'll need to add my overlay to your /etc/make.conf. It should look like:

PORTDIR_OVERLAY="/usr/local/overlays/qmr-portage"

If you have an overlay already, separate both by a blank space:

PORTDIR_OVERLAY="/your/old/overlay /usr/local/overlays/qmr-portage"

Now it's as simple as:

gensync qmr-portage

And you have all my ebuilds. Let's start installing them:

emerge courierpassd -va

Make sure you take a look at the only_from on /etc/xinetd.d/courierpassd to see if you want to add more.


Note: You may want to add additional IPs to the only_from setting above, depending on your needs, especially the local IP of the mail server machine. Separate IPs with blank spaces.

Append the following line to the /etc/services file:

courierpassd 106/tcp #for /etc/xinetd.d/courierpassd

Let's make xinetd start at boot time:

rc-update add xinetd default
/etc/init.d/xinetd start

Update the SMTPD Config

Let's update the SMTPD Config to Allow SMTP-AUTH Using VPOPMAIL.

vi /var/qmail/control/conf-smtpd

I've tried a lot of iterations on this, but the easiest and most straightforward way is to completely delete or (better) comment out the contents of your /var/qmail/control/conf-smtpd file and just insert this.

################## START OF /var/qmail/control/conf-smtpd #######################
#
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"
QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl relay-ctrl-chdir"
QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} relay-ctrl-check"
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
#
################## END OF /var/qmail/control/conf-smtpd #######################

Important for qmail-1.03-r16 (and later?): If you're using qmail-1.03-r16 you have to change the last line above to QMAIL_SMTP_POST="${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}" for your server to accept SMTP connections.

Final touches to bring this together...

svc -t /var/qmail/supervise/qmail-smtpd
chmod u+s /var/vpopmail/bin/vchkpw

I've not done it, but it was in the last howto and it's said that "The following step makes sending mail a lot faster under some circumstances, and I highly recommend that you do the following if you notice delays of 30 to 45 seconds sending mail..." I've never seen any harm in it so it stays.

vi /var/qmail/control/conf-common
TCPSERVER_OPTS="-H -R -l 0" (that's lower-case L followed by zero)

(question?? should we be removing the TCPSERVER_OPTS "-R" option from conf-smtp file? If not, wouldn't it be setting that flag twice?)

Install Ezmlm-idx

EZmlm is a nice mailing list add-on to Qmail. I've used it several times myself and it's actually one of the better mailing list programs out there. When we install Qmailadmin later on, you'll see that EZmlm integrates seamlessly into Qmailadmin to provide a very user friendly mailing list management interface. As an added bonus, Vpopmail will let you control what users can and cannot use mailing lists, and you can even use vQadmin's web interface to do it! Can't beat that!

emerge ezmlm-idx -va

Install Qmailadmin

Qmailadmin is going to provide us with a nice web based interface for administering mail accounts once they are set up through Vpopmail (or Vqadmin). From Qmailadmin we can create mailboxes, aliases, forwards, mail robots, mailing lists. You'll also find a few other handy functions as well. Qmailadmin is sort of the icing on the Qmail cake.
The Qmailadmin package will also emerge net-mail/autorespond, which does exactly what you think it does. It allows us to set up autoresponders for mailboxes and so forth.

If you haven't already, sync to my rsync server:

gensync qmr-portage

Qmailadmin doesn't support the vhost USE flag and will be installed to /var/www/localhost. If you want it elsewhere:

cp -r /usr/local/overlays/qmr-portage/net-mail/qmailadmin/ /usr/local/overlays/mine/net-mail/

Around line 47 change dir_vhost to where you want it to be and make sure those dirs exist.
If you changed dir_vhost do:

ebuild /usr/local/overlays/mine/net-mail/qmailadmin/qmailadmin-1.2.3.ebuild digest

Make sure your mine overlay comes before qmr-portage in /etc/make.conf, so that qmailadmin comes from your overlay (where you changed the ebuild) and not from qmr-portage. Of course you can name your overlay whatever you want.

emerge qmailadmin -va

To access Qmailadmin go to:

http://www.domain.com/cgi-bin/qmailadmin

Install vQadmin

Now, let's emerge all the packages we need to manage our domains from a web browser. Vqadmin is simply a nice web based interface that will let us manage Vpopmail. Through the interface we can create new domains, new users, net quotas, enable services and much more. Autoresponder does exactly what you think it does. It allows us to set up autoresponders for mailboxes and so forth.

Enough talking, but since vQadmin is masked we need some other steps... Let's set the keyword to "unmask" it and install.

echo net-mail/vqadmin ~x86 >> /etc/portage/package.keywords
emerge vqadmin -va

vQadmin also doesn't support the vhost USE flag and will be installed to /var/www/localhost. If you want it elsewhere:

cp -r /usr/portage/net-mail/vqadmin/ /usr/local/overlays/mine/net-mail/
vi /usr/local/overlays/mine/net-mail/vqadmin/vqadmin-2.3.6.ebuild

Around line 27 change dir_vhost to where you want it to be and make sure those dirs exist.

ebuild /usr/local/overlays/mine/net-mail/vqadmin/vqadmin-2.3.6.ebuild digest
emerge vqadmin -va

Now let's configure Apache for the default ebuild:

vi /etc/apache2/vhosts.d/00_default_vhost.conf

Put this inside it:

<Directory "/var/www/localhost/cgi-bin/vqadmin">
deny from all
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow
</Directory>

Now we generate a pass for our admin user:

htpasswd2 -c /etc/apache2/vqadmin.passwd admin
chmod 644 /etc/apache2/vqadmin.passwd
vi /var/www/localhost/cgi-bin/vqadmin/.htaccess

Make sure it looks like this:

AuthType Basic
AuthUserFile /etc/apache2/vqadmin.passwd
AuthName vQadmin
require valid-user
satisfy any

chown apache /var/www/localhost/cgi-bin/vqadmin/.htaccess
chmod 644 /var/www/localhost/cgi-bin/vqadmin/.htaccess
/etc/init.d/apache2 restart

To access vQadmin:

http://www.domain.com/cgi-bin/vqadmin/vqadmin.cgi

Or you can configure Apache for our custom ebuild:

vi /etc/apache2/vhosts.d/your_vhost_file_here.conf

Put this inside it:

ScriptAlias /cgi-bin/ /var/www/your_vhost_dir/cgi-bin/
<Directory "/var/www/your_vhost_dir/cgi-bin/vqadmin">
deny from all
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow
</Directory>

Now we generate a pass for our admin user:

htpasswd2 -c /etc/apache2/vqadmin.passwd admin
chmod 644 /etc/apache2/vqadmin.passwd
vi /var/www/your_vhost_dir/cgi-bin/vqadmin/.htaccess

Make sure it looks like this:

AuthType Basic
AuthUserFile /etc/apache2/vqadmin.passwd
AuthName vQadmin
require valid-user
satisfy any

chown apache /var/www/your_vhost_dir/cgi-bin/vqadmin/.htaccess
chmod 644 /var/www/your_vhost_dir/cgi-bin/vqadmin/.htaccess
/etc/init.d/apache2 restart

To access vQadmin:

http://your.vhost.domain.com/cgi-bin/vqadmin/vqadmin.cgi

SpamAssassin

Razor

Razor should be emerged before SpamAssassin, so:

emerge razor -va

And as root do:

razor-admin --home=/etc/mail/spamassassin/.razor -create
razor-admin --home=/etc/mail/spamassassin/.razor -discover
razor-admin --home=/etc/mail/spamassassin/.razor --user=postmaster@domain.com -pass=ThePassword -register

It should then say "Register successful...". (Note that you may need to enter the last command a couple times to reach the registration server; if it says "Error 202", try "razor-admin -register" step again.)

SPF Support

SpamAssassin 3.0 supports SPF to detect and penalize header forgery. So let's emerge it (it also needs to be emerged before SpamAssassin):

emerge Mail-SPF-Query -va

Install SpamAssassin

Now we install SpamAssassin:

echo mail-filter/spamassassin qmail ssl >> /etc/portage/package.use
emerge spamassassin -va

Now let's configure it.

vi /etc/mail/spamassassin/local.cf

At least put this inside, check documentation for some other tweaks...

required_score 6
skip_rbl_checks 1
rewrite_header Subject *****SPAM*****
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 1
bayes_auto_learn_threshold_spam 14.00

These settings manipulate the bayes learning feature of SpamAssassin. I would recommend setting the threshold to 'learn' high, as otherwise you will get a lot of false positives. A spam score of 14 seems to do a good job for me. Lower & you will see things like many aol.com emails getting marked with a high Bayes score. Also have a look at the files inside /usr/share/spamassassin/ and make any changes you want in /etc/mail/spamassassin/local.cf.

Add it to boot time.

rc-update add spamd default
/etc/init.d/spamd start

Enable SPF Support

Add to /etc/mail/spamassassin/local.cf

loadplugin     Mail::SpamAssassin::Plugin::SPF

For more info check the SpamAssassin docs or in this particular case here.

Enable Razor Support

Add to /etc/mail/spamassassin/local.cf:

loadplugin     Mail::SpamAssassin::Plugin::Razor2
use_razor2 1

For more info check the SpamAssassin docs or in this particular case here. Some of the usual steps/options are described below.

Now we might need to tell SpamAssassin where to look for razor's config. Newest ebuilds put the directory in the right place. We can check this by doing:

ls -ail /etc/mail/spamassassin/.razor

If we found nothing there then we need to copy it (assuming previous location):

cp /etc/razor/razor-agent.conf /etc/mail/spamassassin/.razor

Now let's add it to /etc/mail/spamassassin/local.cf, in my case:

razor_config /etc/mail/spamassassin/.razor/razor-agent.conf

Tell razor where it lives, add to /etc/mail/spamassassin/.razor/razor-agent.conf:

razorhome = /etc/mail/spamassassin/.razor/

Here's how mine looks:

#
# Razor2 config file
#
# Autogenerated by Razor-Agents v2.75
# Sun Jul 24 19:43:42 2005
# Non-default values taken from /etc/razor/razor-agent.conf
#
# see razor-agent.conf(5) man page
#
razorhome = /etc/mail/spamassassin/.razor/
debuglevel             = 3
identity               = identity
ignorelist             = 0
listfile_catalogue     = servers.catalogue.lst
listfile_discovery     = servers.discovery.lst
listfile_nomination    = servers.nomination.lst
logfile                = razor-agent.log
logic_method           = 4
min_cf                 = ac
razordiscovery         = discovery.spamnet.com
razorzone              = razor2.cloudmark.com
rediscovery_wait       = 172800
report_headers         = 1
sort_by_distance       = 0
turn_off_discovery     = 0
use_engines            = 4,8
whitelist              = razor-whitelist

Attention: Razor needs TCP port 2703 open.

Pyzor Support

emerge pyzor -va

And as root do:

pyzor --homedir /etc/mail/spamassassin/.pyzor discover

Make sure you add to /etc/mail/spamassassin/local.cf:

loadplugin     Mail::SpamAssassin::Plugin::Pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_add_header 1 # optional
pyzor_timeout 15 # optional, default 10 seconds

For more info check the SpamAssassin docs or in this particular case here.

Note: Newest ebuilds put pyzor in /usr/sbin/. You may want to check where it is on your system and change pyzor_path accordingly.

DCC Support

emerge dcc -va

Don't forget to open port 6277 UDP on your firewall, because DCC uses UDP packets when replying, which are blocked by most firewalls by default.

Make sure you add to /etc/mail/spamassassin/local.cf:

loadplugin     Mail::SpamAssassin::Plugin::DCC
use_dcc 1
dcc_home /var/dcc
dcc_path /usr/bin/dccproc
dcc_dccifd_path /usr/sbin/dccifd
dcc_add_header 1 # optional
dcc_timeout 15 # optional, default 10 seconds

For more info check the SpamAssassin docs or in this particular case here.
DCC also provides some CGIs for some stuff that even I am gathering info about. So, if you know what they're for (I know, I can read the docs), provide some info here.

Those CGIs are installed by default in /var/www/localhost; if you want them on a VHost:

cp -R /usr/portage/mail-filter/dcc/ /usr/local/portage/mail-filter/
vi /usr/local/portage/mail-filter/dcc/dcc-1.3.16.ebuild

Change on line 26 dcc_cgibin to whatever VHost you'd like it to be.

ebuild /usr/local/portage/mail-filter/dcc/dcc-1.3.16.ebuild digest
emerge dcc -va

My SpamAssassin local.cf

# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################

# Sensitive data, such as database connection info, should
# be stored in /etc/mail/spamassassin/secrets.cf with
# appropriate permissions
###########################################################################
loadplugin     Mail::SpamAssassin::Plugin::DCC
loadplugin     Mail::SpamAssassin::Plugin::Pyzor
loadplugin     Mail::SpamAssassin::Plugin::Razor2
loadplugin     Mail::SpamAssassin::Plugin::SPF
###########################################################################
required_score 10 #6
skip_rbl_checks 0
rbl_timeout 5 # default 15 secs
rewrite_header subject *****SPAM*****

score PYZOR_CHECK 1
score RCVD_IN_BL_SPAMCOP_NET 2.0

######################
report_safe 1
######################
use_bayes 1
bayes_path /etc/mail/spamassassin/bayes
bayes_file_mode 0770
bayes_auto_learn 1
bayes_min_ham_num 400
bayes_min_spam_num 400
bayes_learn_during_report 1
bayes_use_hapaxes 1
bayes_auto_learn_threshold_nonspam 1
bayes_auto_learn_threshold_spam 14.00
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status

# Razor
use_razor2 1
razor_config /etc/mail/spamassassin/.razor/razor-agent.conf
# DCC
use_dcc 1
dcc_home /var/dcc
dcc_path /usr/bin/dccproc
dcc_dccifd_path /usr/sbin/dccifd
#dcc_add_header 1 # optional
dcc_timeout 15 # optional, default 10 seconds
# Pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
#pyzor_add_header 1 # optional
pyzor_timeout 15 # optional, default 10 seconds
##########################################################

# My Modified Headers
clear_headers
add_header all Level _STARS(*)_
add_header all Score _HITS_
add_header all Flag _YESNO_
remove_header all Report

#add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES_ dcc=_DCCR_ pyzor=_PYZOR_ rbl=_RBL_ autolearn=_AUTOLEARN_ version=_VERSION_"
#add_header all Spammy "_SPAMMYTOKENS(2,short)_"
#add_header all Hammy "_HAMMYTOKENS(2,short)_"
trusted_networks 10.1.0
internal_networks 10.1.0

Test SpamAssassin Installation

First create your Bayes database:

sa-learn --sync

You should now have all the packages you need installed. First get the samples provided by Spamassassin.

cd /root
wget http://ufsoft.org/ebuilds/qmailrocks/sample-nonspam.txt

You can test this by entering:

spamassassin -D < /root/sample-nonspam.txt

Look for:

debug: bayes: found bayes db version 3
debug: is DNS available? 1
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8cb56b8)
debug: Razor2 is available
debug: Pyzor is available: /usr/bin/pyzor
debug: DCC is available: /usr/bin/dccproc

I could only see the above if I do:

spamassassin -r -D < /root/sample-nonspam.txt

If you have the debug: is DNS available? 1, then add to your local.cf:

dns_available yes

Pyzor and DCC will not show if you use the example local.cf. To get the debug to show them comment out the PYZOR_CHECK and DCC_CHECK lines.

If you want to, you can also test with a spam email found here:

Some things to consider

The -r option in SpamAssassin tells it to submit the signatures of the messages to the online Razor, Pyzor, and DCC databases if we have those configured, and update both the local AWL and Bayesian databases. However, when a user submits ham, I personally don't want any chance that the body of that message will leave my network. For that reason, I suggest using sa-learn --local, which will only update local databases.

Spamassassin Optional Steps

You can make Spamassassin learn a bit from others' experience.

mkdir /root/spam
cd /root/spam
wget ftp://spamarchive.org/pub/archives/submit/*
gunzip *
screen -AmS learning
sa-learn --spam -C /etc/mail/spamassassin --showdots --debug-level --dir /root/spam/

If you get "out of memory" errors try this instead.

for i in /root/spam/* ; do sa-learn --spam -C /etc/mail/spamassassin --showdots --debug-level "$i" ; done

This will only process one file at a time and be less intense on memory.

You can now hit CTRL+a d to detach screen session and go to sleep or whatever(to get back to the screen session, with the same user do screen -dr), it WILL take some while. For someone with a P4 3000 MHz something around 12 hours .... May be less, but it took pretty long :-)

Well, I have news on this subject: on my P3 450 MHz with 512 RAM, it broke my spamassassin bayes db with 660.r2 to 669.r2 (had to re-emerge spamassassin), and with all the others it hung my computer in the middle of the night, so I guess my Bayes only learned from a few (do note that I had aMule running also ;) ). I'll leave this step to your consideration; besides, from what I've read around, if these spam messages are mostly old, you can lead bayes to think old messages are spam.

It seems that this step also eats up memory like I've never seen before. On a server with 768Mb of RAM and 512 of swap, sa-learn crashed with an Out of Memory message before finishing the first lot of spam...

Install Rules Du Jour

RulesDuJour is a bash script intended to automatically download new versions of SpamAssassin rulesets as the authors release new versions.

emerge mail-filter/spamassassin-ruledujour -va

If you want it to update every day:

chmod +x /etc/cron.daily/rulesdujour

Now let's update our rules:

/var/lib/spamassassin/rules_du_jour

As stated in the ebuild's output, it is also recommended that you clean out your rulesets in /etc/mail/spamassassin occasionally, to ensure that old rules are not being used. You can also edit /etc/rulesdujour/config to check the configuration, but the defaults should be OK. For more information check the Rules Du Jour website.

Install Clam Antivirus

emerge clamav -va

Let's Configure it.

vi /etc/conf.d/clamd

Set START_CLAMD=yes.
Setup stuff the way you want it on clamd.conf. Don't forget to check if the line that says Example is commented out.

vi /etc/clamd.conf

As a quick out-of-the-box configuration, make sure you have this (it's on multiple lines that might not follow one another, so look through the entire document):

#Example
LogFile /var/log/clamav/clamd.log
LogTime
LogSyslog
ScanMail
User qscand

vi /etc/freshclam.conf

As a quick out-of-the-box configuration, make sure you have this (it's on multiple lines that might not follow one another, so look through the entire document):

#Example
UpdateLogFile /var/log/clamav/freshclam.log
LogSyslog
DatabaseMirror db.XX.clamav.net
DatabaseMirror database.clamav.net
DatabaseOwner qscand

Change XX with your country, see Iana.org CCLD Whois for the full list.


Note: Clamav permissions issues

Clamd and Freshclam need to be run by the user/group qscand:qscand, which does not exist on the system yet. We could, of course, create the user and group qscand, but the mail-filter/qmail-scanner ebuild does this for us, yet it's not the time to do a full emerge of it. So my suggestion is: emerge mail-filter/qmail-scanner and cancel the emerge after the user IDs are all created; only then can you proceed with the steps below.

echo mail-filter/qmail-scanner spamassassin >> /etc/portage/package.use
emerge mail-filter/qmail-scanner -va

Don't forget to cancel right after the user IDs are created.

Now we'll need to fix some permissions for clamd to be able to run as qscand and for qmail-scanner not to complain about it:

chown -R qscand:qscand /var/lib/clamav
chown -R qscand:qscand /var/run/clamav
chown -R qscand:qscand /var/log/clamav

Let's update the virus database, run:

/usr/bin/freshclam -l /var/log/clamav/clam-update.log

An explanation of why we do the above is here.

Let's add it to boot time.

rc-update add clamd default
/etc/init.d/clamd start
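
The ClamAV steps above can be verified in one pass before qmail-scanner is installed. The script below is an added example, not part of the original how-to or of ClamAV; the function names are made up here, and it assumes the paths and the qscand account used on this page.

```shell
#!/bin/sh
# Added example: verify the ClamAV settings and ownership set up above.
# check_clamav_setup and directive_value are names made up for this example.

# directive_value FILE NAME: print the value of the first active NAME directive.
# Commented-out lines (#User ...) are ignored because their first field differs.
directive_value() {
    awk -v name="$2" '$1 == name { print $2; exit }' "$1" 2>/dev/null
}

# check_clamav_setup [ROOT] [OWNER]
# ROOT is prepended to every path (empty for the live system); OWNER defaults
# to qscand. Prints one line per problem and returns the number of problems.
check_clamav_setup() {
    _root=${1:-}; _owner=${2:-qscand}; _problems=0

    for _conf in "$_root/etc/clamd.conf" "$_root/etc/freshclam.conf"; do
        if [ ! -r "$_conf" ]; then
            echo "$_conf: not readable"
            _problems=$((_problems + 1))
        elif grep -q '^[[:space:]]*Example' "$_conf"; then
            # clamd and freshclam refuse to start while this line is active
            echo "$_conf: Example line is not commented out"
            _problems=$((_problems + 1))
        fi
    done

    _user=$(directive_value "$_root/etc/clamd.conf" User) || _user=
    if [ "$_user" != "$_owner" ]; then
        echo "clamd.conf: User is '${_user:-unset}', expected $_owner"
        _problems=$((_problems + 1))
    fi

    _dbowner=$(directive_value "$_root/etc/freshclam.conf" DatabaseOwner) || _dbowner=
    if [ "$_dbowner" != "$_owner" ]; then
        echo "freshclam.conf: DatabaseOwner is '${_dbowner:-unset}', expected $_owner"
        _problems=$((_problems + 1))
    fi

    for _dir in var/lib/clamav var/run/clamav var/log/clamav; do
        # the third field of "ls -ld" is the owning user
        _actual=$(ls -ld "$_root/$_dir" 2>/dev/null | awk '{ print $3 }')
        if [ "$_actual" != "$_owner" ]; then
            echo "$_root/$_dir: owner is '${_actual:-missing}', expected $_owner"
            _problems=$((_problems + 1))
        fi
    done

    return "$_problems"
}

# Check the live system, or the tree given as the first argument.
check_clamav_setup "$@" || echo "$? problem(s) found"
```

No output means both files and all three directories match; each printed line names the file or directory to fix.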

Install Qmail-Scanner

Important: The build process of qmail-scanner is quite ugly. In order to support packages, they must already be on your system. This means you will have to emerge SpamAssassin and/or Clam AntiVirus before you emerge qmail-scanner.

In order to provide some stats we have to use two custom ebuilds, one for QMS-Analog and another for Qmail-Scanner to include the qms-analog's patch to use qmailstats which provides us with some nice statistics.

I'm even making the process uglier, from ferringb's point of view on the #gentoo-portage IRC channel ;)
I'll add a variable to /etc/make.conf, MAIL_VHOSTS, which will set up qmail-scanner-queue.pl correctly for qmailstats reports.

If you haven't synced to my rsync server yet:

gensync qmr-portage

Now the ugly part, add to /etc/make.conf:

MAIL_VHOSTS="host1,host2,host3"

You could also emerge app-arch/zip, app-arch/zoo, app-arch/lha, app-arch/rar, app-arch/unrar, app-antivirus/bitdefender-console and app-antivirus/f-prot, among others; if you do, qmail-scanner will use them. Note that most of these antivirus packages are only needed if you also serve W*ndows machines.

Let's install it.

echo mail-filter/qmail-scanner spamassassin qmailstats >> /etc/portage/package.use
echo "=net-mail/qlogtools-3.1 ~x86" >> /etc/portage/package.keywords
emerge qmail-scanner -va

First of all, let's make sure spamd has no permission problems reading SpamAssassin's settings:

chown -R qscand:qscand /etc/mail/spamassassin/

Change the Queuer

vi /var/qmail/control/conf-common

At least have this in it:

export QMAILQUEUE=/var/qmail/bin/qmail-scanner-queue

Also check /etc/tcprules.d/tcp.qmail-smtp and configure it to your needs.

Here's how mine looks:

File: /etc/tcprules.d/tcp.qmail-smtp
# to update the database after changing this file, run:
# tcprules /etc/tcprules.d/tcp.qmail-smtp.cdb /etc/tcprules.d/.tcp.qmail-smtp.tmp < /etc/tcprules.d/tcp.qmail-smtp
#------------------------------------------------------
# DESCRIPTION OF THE RULES TO REMIND ME OF HOW THIS FILE WORKS
#
# If you set 'allow', this means that our mail server will allow
# the specified IP range to make a TCP connection to our server
#
# If you set 'deny', this means that our mail server will not allow
# the specified IP range to make a TCP connection to our server
#
# If you set RELAYCLIENT="", this means that the listed IP range is
# allowed to relay mail through our server
#
# If you dont set RELAYCLIENT="", this means that the listed IP range
# will not be able to relay mail through our server
#
# If you set RBLSMTPD="", this means that the listed IP ranges will
# not be checked against any of the RBL databases
#
# If you set RBLSMTPD="some text here", this means that an RBL lookup
# wont be performed, but the mail will be rejected with the specified
# text as a 4xx temp error message
#
# If you set RBLSMTPD="-some text here", this means that an RBL lookup
# wont be performed, but the mail will be rejected with the specified
# text as a 5xx perm error message
#
# If you do not set RBLSMTPD="" or ="some text", then an RBL lookup
# will be performed. If the lookup is successful, then RBLSMTPD will
# return your custom error message (as specified in the -r parameter
# in smtpd supervise script)
#
#-----------------------------------------------------
# HERE ARE THE RULES! :
#-----------------------------------------------------
# BYPASS OPEN RELAY CHECKING FOR THESE IPS :
#
# These IPs are ones that we have setup so that they arent RBL checked.
# We have done this because these particular servers are RBL listed,
# and for whatever reason they can't/won't fix their open relay problem,
# and we still want to be able to receive mail from them..
#
# reminder text goes here for this entry so we know the story...
#111.111.111.111:allow,RBLSMTPD=""
# reminder text goes here for this entry so we know the story...
#222.222.222.222:allow,RBLSMTPD=""
#
#-----------------------------------------------------------------
# DONT ALLOW THESE IPS TO SEND MAIL TO US :
#
# mailXX.offermail.net connecting regularly and sending invalid
# format messages causing exit with status 256 (bare linefeed normally)
# entry added 15/12/2001
# after looking at the mail coming from these servers it was found to be spam
216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
#
# heaps of spam from replyto of *@freeamateurhotties.com dec2001
64.228.127.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
154.20.94.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
209.151.132.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
216.18.85.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#
#-----------------------------------------------------------------
# ALLOW THESE IPS TO RELAY MAIL THROUGH OUR SERVER
#
# Local class-c's from our LAN are allowed to relay,
# and we wont bother doing any RBL checking.
#123.123.123.:allow,RELAYCLIENT="",RBLSMTPD=""
#123.111.111.:allow,RELAYCLIENT="",RBLSMTPD=""
#
# Connections from localhost are allowed to relay
# (because the WebMail server runs on localhost),
# and obviously there is no point trying to perform an RBL check.
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue",QS_SPAMASSASSIN="on"
#127.:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
#
#-----------------------------------------------------------------
# ALLOW EVERYONE ELSE TO SEND US MAIL
#
# Everyone else can make connections to our server,
# but not allowed to relay
# RBL lookups are performed
#:allow

# If you are using qmail-scanner, this line here is the correct one to use
# instead (comment out the above ':allow' line FIRST) and applies that script
# to any mail coming in that is not from a host allowed to relay. You can
# change the value of the variable to any other value you desire to use custom
# scripts for example.
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
#192.168.1.2:allow,RELAYCLIENT="",RBLSMTPD=""
#10.1.0.1:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue",QS_SPAMASSASSIN="on"
10.1.0.:allow,RELAYCLIENT=""
#10.:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
#81.193.177.141:allow,RELAYCLIENT="",RBLSMTPD=""

After editing do:

cd /etc/tcprules.d/
make tcp.qmail-smtp

You can also rebuild all by doing:

cd /etc/tcprules.d/
make *
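
After editing the rules, it is worth listing which of them actually hand out relay permission. The function below is an added example, not part of the original how-to or of ucspi-tcp: it reads a rules file in the format shown above and reports every allow rule that sets RELAYCLIENT. The function names, the three-octet threshold for BROAD and the sample rules are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list the rules in a tcprules source file that grant relaying.
# audit_relay_rules and sample_rules are names made up for this example.

# audit_relay_rules [FILE]   (reads standard input when FILE is omitted)
# Prints "<verdict> <address> QMAILQUEUE=<set|unset>" for every allow rule that
# sets RELAYCLIENT. Verdicts:
#   OK     IPv4 address, range or prefix of at least three octets
#   BROAD  catch-all rule, or a prefix shorter than three octets
#   NAME   rule keyed on the client's DNS name (=host)
# QMAILQUEUE=unset means the rule relies on the QMAILQUEUE exported in
# /var/qmail/control/conf-common. Returns 1 if any BROAD rule was found.
audit_relay_rules() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
    {
        colon = index($0, ":")                   # address ends at the first colon
        if (colon == 0) next
        addr = substr($0, 1, colon - 1)
        rest = substr($0, colon + 1)
        if (rest !~ /^allow/) next               # deny rules cannot relay
        if (rest !~ /,RELAYCLIENT=/) next        # no relay permission granted
        sub(/^.*@/, "", addr)                    # drop a TCPREMOTEINFO@ prefix
        queue = (rest ~ /,QMAILQUEUE=/) ? "set" : "unset"
        if (addr == "") {
            verdict = "BROAD"; addr = "ANY"
        } else if (addr ~ /^=/) {
            verdict = "NAME"
        } else {
            n = split(addr, part, "."); octets = 0
            for (i = 1; i <= n; i++) if (part[i] != "") octets++
            verdict = (octets < 3) ? "BROAD" : "OK"
        }
        if (verdict == "BROAD") broad++
        print verdict, addr, "QMAILQUEUE=" queue
    }
    END { exit (broad > 0) }' "$@"
}

# Constructed rules in the format of /etc/tcprules.d/tcp.qmail-smtp.
sample_rules() {
    cat <<'EOF'
# constructed sample, not a recommended policy
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
10.1.0.:allow,RELAYCLIENT=""
10.:allow,RELAYCLIENT="",RBLSMTPD=""
192.0.2.:allow,RBLSMTPD="-Connections from this IP have been banned."
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
EOF
}

# Run on the constructed sample when executed directly.
sample_rules | audit_relay_rules || echo "at least one BROAD relay rule"
```

Run it against the real file with `audit_relay_rules /etc/tcprules.d/tcp.qmail-smtp`; a BROAD line for ANY means the catch-all rule itself sets RELAYCLIENT.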

Now let's check some stuff:

vi /var/qmail/bin/qmail-scanner-queue.pl

Make sure the $spamc_binary variable is set to '/usr/bin/spamc' and the $clamscan_binary variable is set to '/usr/bin/clamscan'. You can also think about changing $V_FROM to 'postmaster@domain.com' or whatever you want, around line 103, and $QUARANTINE_CC, around line 107.

If ClamAV reports memory problems, try raising the softlimit in /var/qmail/control/conf-common.

Test it

To test it, qmail-scanner comes with a handy script:

gunzip /usr/share/doc/qmail-scanner-1.25-r2/contrib/test_installation.sh.gz
chmod 755 /usr/share/doc/qmail-scanner-1.25-r2/contrib/test_installation.sh
/usr/share/doc/qmail-scanner-1.25-r2/contrib/test_installation.sh -doit

NOTE: If this fails with the error "clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status", check your clamd privileges OR set the clamd user in /etc/clamd.conf:

User root

Log in to your root user's mail account; if you set the alias as I did (shown above in the qmail installation), it should be postmaster@domain.com. If you now have 2 messages inside, you're good to go. Optionally, you can also check /var/spool/qmailscan/quarantine/new/:

ls /var/spool/qmailscan/quarantine/new/

There should be 2 messages inside, the ones that got caught. ;)

You could also try http://www.webmail.us/testvirus to have some harmless viruses sent to you...

Setup Qmailstats

As of net-mail/qms-analog-0.4.4-r1, there's no need to edit /var/qmail/bin/qmailstats to change the To and From email addresses; you only need to edit it if you want a value other than the default, which is postmaster@localhost.

This is a solid script that emails the server administrator both the qmailanalog output and qms-analog's readout of qmail-scanner's activities. It runs every night; check /etc/cron.daily/qmailstats. Pretty sweet, huh?

Even though you don't need to change the addresses on /var/qmail/bin/qmailstats, you might want to take a look at it, and change whatever you might find necessary:

vi /var/qmail/bin/qmailstats

VERY IMPORTANT:
Previously, in order for the /var/qmail/bin/qmailstats script to give you the statistics correctly, you had to change /var/qmail/bin/qmail-scanner-queue.pl, around line 126:

my $local_domains_string="'localhost'";

To all the domains you host, for example:

my $local_domains_string="'localhost','domain.com','virtual.domain.com','domain1','virtual.domain1.com'";

Man, I was after this solution for such a long time!

You also needed to change lines 115 and 119, the my $V_FROM and my $QUARANTINE_CC, to, for example, postmaster@domain.com.

You needed to make these changes EVERY time you emerged qmail-scanner.

Now, with my MAIL_VHOSTS variable, it's done automatically at every new emerge. Of course, every time you add a new domain, you need to add it to MAIL_VHOSTS in /etc/make.conf and re-emerge qmail-scanner. Or you can edit /var/qmail/bin/qmail-scanner-queue.pl and make the changes described above, but still add the domain to /etc/make.conf for the next time you emerge world.

Install SquirrelMail

Let's install a webmail client to make mail accessible via a web browser. My choice for this was Squirrelmail. Squirrelmail is both easy to install and it has lots of nice plugins to broaden its abilities. With it a lot of packages will also be installed and we'll need to set some flags for those.

echo media-gfx/xloadimage jpeg >> /etc/portage/package.use
echo app-crypt/gnupg -X bzip2 >> /etc/portage/package.use
echo mail-client/squirrelmail virus-scan spell ssl vhosts -mysql >> /etc/portage/package.use

As you might have noticed, webapp-config was installed. That's a handy tool for installing web applications, so let's install SquirrelMail to http://mail.domain.com.

webapp-config -I -h mail.domain.com -d / squirrelmail 1.4.4

You'll notice an output listing several files that need to be edited. Let's start:

cd /var/www/mail.domain.com/htdocs

Configure Plugins

Config Retrieve User Data

vi plugins/retrieveuserdata/config.php

Comment out $SQRUD_RETRIEVE_DATA_FROM = "ldap.php";, around line 32, like this:

//$SQRUD_RETRIEVE_DATA_FROM = "ldap.php";

And uncomment some lines down:

$SQRUD_RETRIEVE_DATA_FROM = "vpopmail.php";

Around line 150, uncomment $SQRUD_VPOP_VUSERINFO = "/mail/bin/vuserinfo"; and make it look like:

$SQRUD_VPOP_VUSERINFO = "/var/vpopmail/bin/vuserinfo";

vi plugins/retrieveuserdata/vpopmail.php

Around line 36, set it to an absolute path:

require_once("/var/www/mail.domain.com/htdocs/plugins/retrieveuserdata/config.php");

Config Virus Scan

vi plugins/virus_scan/config.php

Tweak it to your needs.

Config GnuPG

vi plugins/gpg/gpg_local_prefs.txt

Tweak it to your needs.

If this one fails to work, make sure you have the following in your Apache SSL mail vhost config:

SSLEngine on
SSLOptions	+StdEnvVars

For the gpg plugin to work correctly when retrieving keys from a keyserver, allow_url_fopen has to be on. It's off in /etc/apache2/php.ini for security reasons, so we keep it off there and only allow it on that SSL vhost.

So, add to your vhost config:

php_admin_flag allow_url_fopen on

Config Show SSL Link

vi plugins/show_ssl_link/config.php

Tweak it to your needs.

Config Secure Login

vi plugins/secure_login/config.php

Tweak it to your needs.

Config SquirrelSpell

If squirrelmail emerges aspell, you need to change plugins/squirrelspell/sqspell_config.php; if you had ispell installed previously, there is no need to do anything.

Wherever you find ispell inside, change it to aspell.

vi plugins/squirrelspell/sqspell_config.php

Here's how mine looks, the relevant parts:

$SQSPELL_APP = array('English' => 'aspell -a',
                        'Spanish' => 'aspell -d spanish -a');
$SQSPELL_APP_DEFAULT = 'English';
$SQSPELL_WORDS_FILE =
   getHashedFile($username, $data_dir, "$username.words");
$SQSPELL_EREG = 'ereg';


Note: If you don't want aspell at all, emerge ispell before squirrelmail.

Install Change Pass

This one will allow users to change their own password.

cd /var/www/mail.domain.com/htdocs/plugins
wget -O change_pass-2.7-1.4.x.tar.gz 'http://squirrelmail.org/countdl.php?fileurl=http://www.squirrelmail.org/plugins/change_pass-2.7-1.4.x.tar.gz'
tar zxvf change_pass-2.7-1.4.x.tar.gz
rm change_pass-2.7-1.4.x.tar.gz

Configure SquirrelMail

cd /var/www/mail.domain.com/htdocs/config
./conf.pl

Let's configure the main options. Do feel free to look at the other options and tweak them to your needs.

  • Press 2 and Return to set the server options;
  • Press 1 and Return and set it to your domain;
  • Press A and Return then press 4 and Return and set it to your local ip address;
  • Press 5 and Return and set it to 993, the secure IMAP server port;
  • Press 7 and Return and press y and Return to enable TLS, you won't be able to login without it.
  • Press B and Return then press 4 and Return and set it to your local ip address;
  • Press R and Return then press 8 and Return and enable gpg, retrieveuserdata, virus_scan, show_ssl_link, change_pass and compatibility. Again, feel free to add or remove the plugins you want. secure_login will force users to use https.

You might also want to set the admins of squirrelmail, to be able to use the administration plugin. Those emails entered on /var/www/mail.domain.com/htdocs/config/admins, will have access to the administration plugin when they log into squirrelmail.

Want to speed up SquirrelMail when sending messages??? ;)
Set SquirrelMail to use sendmail instead of SMTP, set the path to sendmail to /bin/true, and add the following to the Courier imapd or imapd-ssl config in /etc/courier-imap:

##NAME: OUTBOX:0
#
# The next set of options deal with the "Outbox" enhancement.
# Uncomment the following setting to create a special folder, named
# INBOX.Outbox
#
#OUTBOX=.Outbox
OUTBOX=.Sent
##NAME: SENDMAIL:0
#
# If OUTBOX is defined, mail can be sent via the IMAP connection by copying
# a message to the INBOX.Outbox folder.  For all practical matters,
# INBOX.Outbox looks and behaves just like any other IMAP folder.  If this
# folder doesn't exist it must be created by the IMAP mail client, just
# like any other IMAP folder.  The kicker: any message copied or moved to
# this folder is will be E-mailed by the Courier-IMAP server, by running
# the SENDMAIL program.  Therefore, messages copied or moved to this
# folder must be well-formed RFC-2822 messages, with the recipient list
# specified in the To:, Cc:, and Bcc: headers.  Courier-IMAP relies on
# SENDMAIL to read the recipient list from these headers (and delete the Bcc:
# header) by running the command "$SENDMAIL -oi -t -f $SENDER", with the
# message piped on standard input.  $SENDER will be the return address
# of the message, which is set by the authentication module.
#
# DO NOT MODIFY SENDMAIL, below, unless you know what you're doing.
#
SENDMAIL=/usr/sbin/sendmail
##NAME: HEADERFROM:0
#
# For administrative and oversight purposes, the return address, $SENDER
# will also be saved in the X-IMAP-Sender mail header.  This header gets
# added to the sent E-mail (but it doesn't get saved in the copy of the
# message that's saved in the folder)
#
# WARNING - By enabling OUTBOX above, *every* IMAP mail client will receive
# the magic OUTBOX treatment.  Therefore advance LARTing is in order for
# _all_ of your lusers, until every one of them is aware of this.  Otherwise if
# OUTBOX is left at its default setting - a folder name that might be used
# accidentally - some people may be in for a rude surprise.  You can redefine
# the name of the magic folder by changing OUTBOX, above.  You should do that
# and pick a less-obvious name.  Perhaps brand it with your organizational
# name ( OUTBOX=.WidgetsAndSonsOutbox )
HEADERFROM=X-IMAP-Sender

This will make all messages moved to the Sent magic folder be emailed through the existing IMAP connection, a lot faster!!!!!!
More info on this subject can be found here

Optional

QTrap

A useful ingredient in this installation is going to be a domain level word filter, which the QmailRocks.org Postmaster named "Qtrap". This script is applied on a per domain basis and serves as a "bad word" scanner to catch any spam that Spamassassin may have missed. This filter serves as the last defense against SPAM before it arrives in your inbox. I like this filter because it helps to get rid of any SPAM that happens to make it by Spamassassin. Without any protection at all, my mailbox gets a shit ton of SPAM every day. Within the first 3 months I enacted the Qtrap filter, Qtrap logged over 9,000 deleted SPAM messages, none of which were legitimate e-mails. My keyboard's delete key very much appreciated the extra rest.

P.S.: All the "I"s are from the QmailRocks.org Postmaster; this text was extracted from his how-to's for other *nixes.

Any emails that are scanned and contain a banned word will be automatically deleted and logged by the qtrap script. A whitelist feature now exists so that individual addresses or domains can be exempt from the qtrap scan.

So let's install it...

cd /var/vpopmail
mkdir -p qtrap/logs
cd qtrap
vi qtrap.sh

Put this inside:

#!/bin/sh
#################################
#        _                      #
#       | |                     #
#   __ _| |_ _ __ __ _ _ __     #
#  / _` | __| '__/ _` | '_ \    #
# | (_| | |_| | | (_| | |_) |   #
#  \__, |\__|_|  \__,_| .__/    #
#     | |             | |       #
#     |_|             |_| v2.0.0#
#################################
#Release 2.0.0 - June 24th, 2004
#Hacked by Eric Siegel

# Qmailrocks.org presents qtrap v2.0.0. A simple, yet effective domain level e-mail content filter.
# This script, as is is now, is a hacked up rendition of a subject scanning script I found on the web.
# However, instead of only scanning the subject of the email, this script scans the whole damn thing.
# Additionally, I added some extra logging features to the script.

# --- How Qtrap works ---
# Incoming mail to a qtrap enabled domain is scanned upon arrival. If the sender's address
# is found in the qtrap whitelist, the message is allowed to pass unhindered and the action is logged.
# If the sender is not in the whitelist, the message is then scanned against an array of "banned" words
# that is set by the system administrator. If the message does not contain a banned word, it is
# allowed to go on its way. If it contains a banned word, the message is deleted and the action
# is logged in the Qtrap log.
# -----------------------

# --- How qtrap logs ---
# There are 2 logging features here:

# 1. Log entry to the qmail-send log
# This script, when it deletes a message, will insert an entry into the qmail-send log
# The format of the entry is:  "MESSAGE DROPPED from someone@somewhere.com because of some_bad_word"
# This feature comes in handy when analyzing your qmail logs. Duh.

# 2. Log entry to independent qtrap log file
# This script, when it deletes a message, will insert an entry into the designated qtrap log.
# The format of the entry is: "MESSAGE DROPPED from someone@somewhere.com because of
# some_bad_word on some_date & time"
# The log is also written to when an email is allowed to pass due to its presence in the whitelist.
# ------------------------

# --- Future plans for qtrap ---
# This script will eventually be converted to Perl
# at which time I will probably add MySQL functionality,
# thus allowing for web based, on the fly, content filter
# management.
# ------------------------------

# --- qtrap filter rules ---
# 1. The filter is case sensitive. So "Porn" is different from "porn".
#
# 2. Wildcards are possible. For example: porn* would block the word "porn" but would also
# block the word "pornography".
#
# 3. Banned words and whitelist addresses must be separated by a |. NEVER end the array with a |.
#---------------------------



#The whitelist configuration block

whitelist_check () {
 case $WHITELIST in
 address@somewhere.com|address@somewhereelse.com)
 # $SENDER comes from the remote side: quote it so the shell does not split or expand it
 echo "$SENDER found in whitelist on $(date '+%D %H:%M:%S')" >> \
 /var/vpopmail/qtrap/logs/qtrap.log
 exit 0;;
  *)
   ;;
  esac
}

# The banned word list configuration block

checkall () {
 case $BANNED_WORDS in
 porn|PORN|Sex|SEX)
   # quote the untrusted sender and the matched word before logging them
   echo "MESSAGE DROPPED from $SENDER because of $BANNED_WORDS on $(date '+%D %H:%M:%S')" >> \
 /var/vpopmail/qtrap/logs/qtrap.log
   exit 99;;
  *)
   ;;
  esac
}

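#Do not edit below here

# Disable pathname expansion: $SENDER and the message body are untrusted,
# and the unquoted expansions below would otherwise turn a word such as *
# into the file names of the current directory.
set -f

WHITECHECK=$SENDER
for WHITELIST in $WHITECHECK
do
 whitelist_check $WHITELIST
done

# Read the whole message from standard input and test it word by word
CONTENT=`(cat)`
for BANNED_WORDS in $CONTENT
do
 checkall $BANNED_WORDS
done
exit 0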

Defining your whitelist: In qtrap.sh you will see a block of code for the whitelist that looks like this:

whitelist_check () {
case $WHITELIST in
address@somewhere.com|address@somewhereelse.com|*entiredomain.com)
echo "$SENDER found in whitelist on $(date '+%D %H:%M:%S')" >> \
/var/vpopmail/qtrap/logs/qtrap.log
exit 0;;
*)
;;
esac
}

The email addresses in the bold text above should be substituted with any email addresses that you wish to whitelist against the qtrap filter process. Whitelisted addresses will be allowed to send you mail that contains "banned" words. Un-whitelisted addresses will be scanned and their message deleted if it contains a banned word. As you can see above, you can specify an individual address (address@somewhere.com) or you can simply whitelist an entire domain (*entiredomain.com).

Defining your "banned word" list:

Within the qtrap.sh script you should see another section, below the whitelist section of code, that looks like this:

checkall () {
case $BANNED_WORDS in
porn|PORN|Sex|SEX)
echo "MESSAGE DROPPED from $SENDER because of $BANNED_WORDS on $(date '+%D %H:%M:%S')" >> \
/var/vpopmail/qtrap/logs/qtrap.log
exit 99;;
*)
;;
esac
}

The portion of the above section that I've highlighted in BOLD is the array of "banned" words. Edit this array to your satisfaction. Make sure that each word is separated by a pipe "|" and keep in mind that the array is case sensitive. So the words "SEX" and "Sex" are 2 different words. Also, exercise caution here. You don't want to ban words that are used in everyday e-mails. For example, you wouldn't want to ban the word "hello" or something like that. You should only ban words that you are 100% sure you would never see in a legitimate e-mail.

Now let's set up the logging directory...

chmod +x /var/vpopmail/qtrap/qtrap.sh
touch /var/vpopmail/qtrap/logs/qtrap.log
chown -R vpopmail:mail /var/vpopmail/qtrap
chmod -R 755 /var/vpopmail/qtrap

Now we will add this script into the mail path for a domain on our server.

cd /var/vpopmail/domains/yourdomain.com
vi .qmail-default

Add the following line above the line that is already there:

| /var/vpopmail/qtrap/qtrap.sh

Here's an example:

.qmail-default before:

| /var/vpopmail/bin/vdelivermail '' delete

.qmail-default after:

| /var/vpopmail/qtrap/qtrap.sh
| /var/vpopmail/bin/vdelivermail '' delete

Save these changes and that should be it. You don't have to restart anything. To test this last rule, try sending an e-mail to your mailbox and make sure that the test e-mail contains one of the words that you entered into the "bad word" list in the Qtrap script. If the filter is working right, the message should NOT arrive in your inbox. You should then be able to view the log file at /var/vpopmail/qtrap/logs/qtrap.log and see a log of the dropped message corresponding to the time at which you sent the test message. The drop log should look something like this:

MESSAGE DROPPED from someone@somewhere.com because of some_banned_word on 06/13/03 02:37:51

If the test worked, then that's all!
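
The whitelist and banned-word patterns can be tried out before the script goes into the mail path. The following is an added example, not part of qtrap or of the original how-to: it models qtrap.sh's two case tests as functions (matches_any and qtrap_verdict are names made up here) and runs them on constructed senders and message text. It shows that *entiredomain.com also matches a sender at a different domain that merely ends in the same string, while *@entiredomain.com does not, and that a banned word only matches a whole whitespace-separated token unless it carries a wildcard.

```shell
#!/bin/sh
# Added example: a dry-run model of the two case tests in qtrap.sh.
# matches_any and qtrap_verdict are names made up for this example.

# matches_any WORD 'pat1|pat2|...'
# True if WORD matches one alternative under shell pattern rules, exactly as
# the "case ... in pat1|pat2)" lines in qtrap.sh would decide.
matches_any() (
    set -f                      # never expand a pattern against file names
    IFS='|'
    for pat in $2; do
        case $1 in
            $pat) exit 0 ;;
        esac
    done
    exit 1
)

# qtrap_verdict SENDER WHITELIST BANNED   (message on standard input)
# Prints the decision and returns the exit code qtrap.sh would give qmail-local:
# 0 = go on to the next .qmail line (delivery), 99 = stop here (message dropped).
qtrap_verdict() (
    set -f
    if matches_any "$1" "$2"; then
        echo "whitelisted"
        exit 0
    fi
    for word in $(cat); do      # one whitespace-separated token at a time
        if matches_any "$word" "$3"; then
            echo "dropped: $word"
            exit 99
        fi
    done
    echo "delivered"
    exit 0
)

# Constructed senders and message text, for illustration only.
demo() {
    body='Subject: offer

Cheap porn, today only'
    for wl in '*entiredomain.com' '*@entiredomain.com'; do
        for sender in 'bob@entiredomain.com' 'bob@not-entiredomain.com'; do
            verdict=$(printf '%s\n' "$body" | qtrap_verdict "$sender" "$wl" 'porn|PORN') || :
            printf '%-20s %-26s %s\n' "$wl" "$sender" "$verdict"
        done
    done
    for banned in 'porn|PORN' 'porn*|PORN*'; do
        verdict=$(printf '%s\n' "$body" |
            qtrap_verdict 'x@elsewhere.example' 'nobody@nowhere.example' "$banned") || :
        printf '%-20s %s\n' "$banned" "$verdict"
    done
}
demo
```

qmail-local sets SENDER to the envelope sender address, which the sending side chooses, so anchor domain patterns at the @ and keep the whitelist short.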
