
3 posts in 'Linux/qmail'

  1. 2012.09.06 CentOS 6.x recommended settings and installing nginx, php, mysql
  2. 2012.08.29 Installing vpopmail and knetqmail
  3. 2012.08.29 Installing libdomainkeys

CentOS 6.x recommended settings and installing nginx, php, mysql   Linux/qmail   2012.09.06

I had been running the existing webmail with the cocktail patch, but because of TLS errors and problems with the domainkey and spf patches, I ended up installing knetqmail, which is based on vpopmail. It is hard to reuse the mysql tables of the existing webmail as they are, but I chose to use them with minimal modification.

Installed CentOS 6.3 64-bit on a 4 TB disk.

Initial settings

Since this is not a minimal install, remove the unnecessary daemons and programs.

Also turn off SELinux (the file is /etc/sysconfig/selinux, a symlink to /etc/selinux/config):

# vi /etc/sysconfig/selinux
SELINUX=disabled

Start the time-synchronization daemon. Time matters on a mail server, so enable ntpd in ntsysv as well:

# yum install ntp
# service ntpd start
# ntpq -p

Disable IPv6:

# echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf

Install denyhosts, and add the IPs that must always be allowed to connect to hosts.allow before starting it:

# yum install denyhosts
# echo "sshd: ALWAYS_ALLOWED_IP, SECOND_IP" >> /etc/hosts.allow
# service denyhosts start
# cd /var/lib/denyhosts
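Two checks worth running after the steps above, as an added example that is not part of the original post: confirm that ntpd has actually selected a peer (ntpq -p marks the peer the clock is synchronized to with a leading `*`; `+` candidates or unreached peers are not enough for a mail server), and validate the hosts.allow whitelist line before it is appended, so that a leftover placeholder or a typo does not end up locking the admin out once denyhosts starts. The ntpq output and the whitelist lines are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): post-setup sanity checks for the
# ntp and denyhosts steps. Sample inputs are constructed so the script runs offline.

# ntp_synced: read `ntpq -p` output on stdin; return 0 only when some peer is
# marked '*' (the system peer ntpd is actually synchronized to).
ntp_synced() {
    grep -q '^\*'
}

# Constructed `ntpq -p` output with one synchronized (*) peer.
SAMPLE_NTPQ_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.example.net 10.0.0.1         2 u   34   64  377    1.234   -0.123   0.045
+time2.example.net 10.0.0.2        2 u   10   64  377    2.345    0.456   0.067'

# Constructed output right after start: peer not reached yet, nothing selected.
SAMPLE_NTPQ_UNSYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 time.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# hosts_allow_line_ok LINE: validate an "sshd: IP, IP" entry before writing it
# to /etc/hosts.allow. The line must start with "sshd:" and every entry must be
# a dotted-quad IPv4 address, optionally with a /prefix length.
hosts_allow_line_ok() {
    line=$1
    case $line in
        sshd:*) ;;
        *) return 1 ;;
    esac
    addrs=$(printf '%s' "$line" | sed 's/^sshd://; s/,/ /g')
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        printf '%s' "$a" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    done
    return 0
}

# Demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_NTPQ_SYNCED" | ntp_synced; then
    echo "ntp: synchronized peer found"
fi
if hosts_allow_line_ok "sshd: 10.0.0.5, 192.168.1.0/24"; then
    echo "hosts.allow: whitelist line is well-formed"
fi
if ! hosts_allow_line_ok "sshd: ALWAYS_ALLOWED_IP, SECOND_IP"; then
    echo "hosts.allow: placeholder still present, do not append it"
fi
```

Run it as-is to see the demonstration, or pipe a live `ntpq -p` into `ntp_synced` on the server itself.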







Posted by basecode

Installing vpopmail and knetqmail   Linux/qmail   2012. 8. 29. 08:29

I had been running the existing webmail with the cocktail patch, but because of TLS errors and problems with the domainkey and spf patches, I ended up installing knetqmail, which is based on vpopmail. It is hard to reuse the mysql tables of the existing webmail as they are, but I chose to use them with minimal modification.

To handle spam, the headache of running a mail server, the install uses knetqmail 1.06 with the spf and domainkeys patches applied.

To keep the installation simple, I checked whether rpm packages exist for each component and used them wherever possible.


1. Install ucspi-tcp

ucspi-tcp provides tcpserver and tcpclient, the TCP client-server tools.

1) Add the atomic yum repository

[root@localhost]# cd /tmp

[root@localhost]# wget -q -O - http://www.atomicorp.com/installers/atomic | sh

2) Install

[root@localhost]# yum install ucspi-tcp


3) Install the ssl/pid-patched version of ucspi-tcp (install either this or the yum version, not both)

The rpm version above does not seem to have these patches applied, so to get the ssl and pid patches, download the patched version from inter7.com and build it.

[root@localhost]# wget http://www.inter7.com/devel/ucspi-tcp-ssl-pid-0.88.tar.gz
[root@localhost]# tar -xvzf ucspi-tcp-ssl-pid-0.88.tar.gz
[root@localhost]# cd ucspi-tcp-ssl-pid-0.88
[root@localhost]# make
[root@localhost]# make setup check

2. Install daemontools

[root@localhost]# yum install daemontools

3. Create the qmail and vpopmail users and groups

vchkpw shares the gid of the qmail group and vpopmail shares the uid of qmailq, so read those numbers from the accounts created just before instead of typing them in.

[root@localhost]# groupadd -r nofiles
[root@localhost]# groupadd -r qmail
[root@localhost]# groupadd -r -o -g "$(getent group qmail | cut -d: -f3)" vchkpw

[root@localhost]# useradd -r -M -d /var/qmail/alias -s /sbin/nologin -c "qmail alias" -g qmail alias
[root@localhost]# useradd -r -M -d /var/qmail -s /sbin/nologin -c "qmail daemon" -g qmail qmaild
[root@localhost]# useradd -r -M -d /var/qmail -s /sbin/nologin -c "qmail logger" -g qmail qmaill
[root@localhost]# useradd -r -M -d /var/qmail -s /sbin/nologin -c "qmail passwd" -g qmail qmailp
[root@localhost]# useradd -r -M -d /var/qmail -s /sbin/nologin -c "qmail queue" -g qmail qmailq
[root@localhost]# useradd -r -M -d /var/qmail -s /sbin/nologin -c "qmail remote" -g qmail qmailr
[root@localhost]# useradd -r -M -d /var/qmail -s /sbin/nologin -c "qmail send" -g qmail qmails
[root@localhost]# useradd -r -M -d /home/vpopmail -s /sbin/nologin -c "Vpopmail User" -o -u "$(id -u qmailq)" -g vchkpw vpopmail


4. Install vpopmail

Source download: http://sourceforge.net/projects/vpopmail/

The build only succeeds if these paths exist, so just create the following directory and empty files.

[root@localhost]# mkdir -p /var/qmail/bin
[root@localhost]# touch /var/qmail/bin/qmail-newu
[root@localhost]# touch /var/qmail/bin/qmail-inject
[root@localhost]# touch /var/qmail/bin/qmail-newmrh

[root@localhost]# tar xfz vpopmail-5.4.33.tar.gz
[root@localhost]# cd vpopmail-5.4.33
[root@localhost]# ./configure \
--prefix=/home/vpopmail \
--disable-roaming-users \
--disable-users-big-dir \
--disable-file-locking \
--disable-spamassassin \
--disable-domainquotas \
--disable-passwd \
--enable-valias \
--enable-qmail-ext \
--enable-auth-logging \
--enable-vpopuser=vpopmail \
--enable-vpopgroup=vchkpw \
--enable-tcprules-prog=/usr/bin/tcprules \
--enable-tcpserver-file=/etc/tcprules.d/tcp.smtp \
--enable-logging=y \
--enable-sql-logging \
--enable-log-name=vpopmail \
--enable-many-domains \
--enable-auth-module=mysql \
--enable-incdir=/usr/include/mysql \
--enable-libdir=/usr/lib64/mysql

[root@localhost]# make
[root@localhost]# make install-strip

Delete the temporary files

[root@localhost]# rm -rf /var/qmail

Edit the mysql connection settings (host|port|user|password|database)

[root@localhost]# vi /home/vpopmail/etc/vpopmail.mysql
localhost|0|DB_USER|PASSWORD|DB_NAME

5. Install libdomainkeys

[root@localhost]# rpm -Uvh http://dl.atrpms.net/el5-x86_64/atrpms/stable/atrpms-repo-5-5.el5.x86_64.rpm
[root@localhost]# yum install libdomainkeys

6. Install knetqmail

[root@localhost]# cd /var/tmp
[root@localhost]# wget http://jeremy.kister.net/code/qmail-dk-0.54-auth.patch
[root@localhost]# tar xfz knetqmail-1.06-20110908.tar.gz
[root@localhost]# cd knetqmail-1.06-20110908
[root@localhost]# patch -p0 < ../qmail-dk-0.54-auth.patch
[root@localhost]# patch -p0 < ../fix-complie.patch


[root@localhost]# make
[root@localhost]# make setup check

[root@localhost]# cp -a spfquery /var/qmail/bin
[root@localhost]# cp -a /usr/bin/dknewkey /var/qmail/bin
[root@localhost]# chown root:qmail /var/qmail/bin/spfquery /var/qmail/bin/dknewkey
[root@localhost]# chmod 755 /var/qmail/bin/spfquery /var/qmail/bin/dknewkey


7. qmail configuration

Note: unlike other versions of the patch, the locals file does not work unless it contains localhost.

[root@localhost]# cd /var/qmail/control
[root@localhost]# touch rcpthosts smtproutes
[root@localhost]# echo "localhost"       > locals
[root@localhost]# echo "your-domain.com" > me
[root@localhost]# echo "your-domain.com" > defaultdomain
[root@localhost]# echo "your-domain.com" > defaulthost
[root@localhost]# echo "your-domain.com" > plusdomain
[root@localhost]# echo "60"              > concurrencyremote
[root@localhost]# echo "100"             > concurrencyincoming
[root@localhost]# echo "86400"           > queuelifetime
[root@localhost]# echo "4"               > spfbehavior
[root@localhost]# echo "Welcome to Qmail SMTP Server" > smtpgreeting
[root@localhost]# echo "./Maildir/"      > defaultdelivery
[root@localhost]# chmod 644 *

[root@localhost]# cd /var/qmail/users
[root@localhost]# touch cdb
[root@localhost]# echo "." > assign
[root@localhost]# chmod 644 *
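A preflight check for the control files written in this section, as an added example that is not part of the original post. It mirrors the guard the smtp run script below applies (refuse to start without rcpthosts, because qmail-smtpd without rcpthosts accepts mail for any domain and becomes an open relay) and adds the post's own caveat that locals must contain localhost, plus checks that the values the run scripts read with `head -1` are usable. The function takes the control directory as an argument, so it can be tried on the constructed scratch directories built by `make_sample_control` (both helper names are mine).

```shell
#!/bin/sh
# Added example (not from the original post): preflight check for /var/qmail/control.
# Run against a scratch copy or against the live directory: qmail_control_preflight DIR

# qmail_control_preflight DIR: print every problem found; return 1 if any.
qmail_control_preflight() {
    dir=$1
    rc=0
    # Without rcpthosts qmail-smtpd accepts mail for every domain: open relay.
    if [ ! -f "$dir/rcpthosts" ]; then
        echo "missing rcpthosts (qmail-smtpd would become an open relay)"
        rc=1
    fi
    # me names this host; the smtp/submission run scripts refuse to start if empty.
    if [ ! -s "$dir/me" ]; then
        echo "me is empty; the smtp and submission run scripts will exit"
        rc=1
    fi
    # With this knetqmail patch set, locals must contain localhost.
    if ! grep -qx 'localhost' "$dir/locals" 2>/dev/null; then
        echo "locals does not contain localhost"
        rc=1
    fi
    # concurrencyincoming becomes tcpserver -c; it must be a positive integer.
    n=$(head -1 "$dir/concurrencyincoming" 2>/dev/null || true)
    case $n in
        ''|*[!0-9]*|0) echo "concurrencyincoming is not a positive integer: '$n'"; rc=1 ;;
    esac
    # defaultdelivery is handed to qmail-start; Maildir delivery needs a trailing slash.
    d=$(head -1 "$dir/defaultdelivery" 2>/dev/null || true)
    case $d in
        */) ;;
        *) echo "defaultdelivery '$d' is not a Maildir path (must end with /)"; rc=1 ;;
    esac
    return $rc
}

# make_sample_control DIR GOOD: build a constructed control directory. With
# GOOD=no it reproduces the usual mistakes: no rcpthosts, locals set to the
# hostname instead of localhost, empty me, garbage concurrency, mbox delivery.
make_sample_control() {
    mkdir -p "$1"
    if [ "$2" = yes ]; then
        : > "$1/rcpthosts"
        echo localhost       > "$1/locals"
        echo your-domain.com > "$1/me"
        echo 100             > "$1/concurrencyincoming"
        echo ./Maildir/      > "$1/defaultdelivery"
    else
        echo your-domain.com > "$1/locals"
        : > "$1/me"
        echo abc             > "$1/concurrencyincoming"
        echo ./Mailbox       > "$1/defaultdelivery"
    fi
}

# Demonstration on the constructed directories.
SAMPLE_GOOD=$(mktemp -d)/control
SAMPLE_BAD=$(mktemp -d)/control
make_sample_control "$SAMPLE_GOOD" yes
make_sample_control "$SAMPLE_BAD" no
qmail_control_preflight "$SAMPLE_GOOD" && echo "sample good: ok"
qmail_control_preflight "$SAMPLE_BAD" || echo "sample bad: problems found"
```

On the real server, `qmail_control_preflight /var/qmail/control` before `service qmaild start` catches the same things the run scripts would otherwise only report in the supervise log.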


8. Create the startup and log directories and scripts

[root@localhost]# mkdir -p /var/qmail/supervise


[root@localhost]# for i in send smtp pop3 submission; do mkdir -p /var/qmail/supervise/$i/log; mkdir -p /var/log/qmail/$i; done

[root@localhost]# chmod -R 750 /var/log/qmail
[root@localhost]# chown -R qmaill:qmail /var/log/qmail


[root@localhost]# vi /var/qmail/rc
#!/bin/sh

exec env - PATH="/var/qmail/bin:$PATH" \
        qmail-start "`cat /var/qmail/control/defaultdelivery`" /usr/bin/multilog t /var/log/qmail/full qmaill


[root@localhost]# vi /var/qmail/supervise/send/run

#!/bin/sh
exec /var/qmail/rc


[root@localhost]# vi /var/qmail/supervise/send/log/run

#!/bin/sh

exec /usr/bin/setuidgid qmaill /usr/bin/multilog t /var/log/qmail/send 2>&1


[root@localhost]# vi /var/qmail/supervise/smtp/run

#!/bin/sh

QMAILD_UID=`id -u qmaild`
QMAILD_GID=`id -g qmaild`

MAXSMTPD=`head -1 /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`

if [ -z "$QMAILD_UID" -o -z "$QMAILD_GID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo  QMAILD_UID, QMAILD_GID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/smtp/run

    exit 1
fi


if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"

    exit 1
fi

#        /usr/bin/rblsmtpd -b -r spamlist.or.kr \
# /home/vpopmail/bin/vchkpw /bin/true 2>&1
#exec /usr/bin/softlimit -m 64000000 \

exec /usr/bin/softlimit -m 1000000000 \
        /usr/bin/tcpserver -v -R -H -l "$LOCAL" \
        -x /etc/tcprules.d/tcp.smtp.cdb \
        -c ${MAXSMTPD} \
        -u ${QMAILD_UID} -g ${QMAILD_GID} 0 25 \
        /var/qmail/bin/qmail-smtpd "$LOCAL" \
        /bin/checkpassword /bin/true 2>&1


[root@localhost]# vi /var/qmail/supervise/smtp/log/run

#!/bin/sh

exec /usr/bin/setuidgid qmaill \
        /usr/bin/multilog t /var/log/qmail/smtp 2>&1


[root@localhost]# vi /var/qmail/supervise/pop3/run

#!/bin/sh

QMAILD_UID=`id -u qmailq`
QMAILD_GID=`id -g qmailq`
HOSTNAME=`head -1 /var/qmail/control/me`

if [ -z "$QMAILD_UID" -o -z "$QMAILD_GID" -o -z "$HOSTNAME" ]; then
    echo QMAILD_UID, QMAILD_GID, or HOSTNAME is unset in
    echo /var/qmail/supervise/pop3/run

    exit 1
fi

#exec /usr/bin/softlimit -m 48000000 \
#        -u ${QMAILD_UID} -g ${QMAILD_GID} 0 110 \
#        /home/vpopmail/bin/vchkpw \

exec /usr/bin/softlimit -m 8589934592 \
        /usr/bin/tcpserver -vRH -u ${QMAILD_UID} -g ${QMAILD_GID} 0 110 \
        /var/qmail/bin/qmail-popup ${HOSTNAME} \
        /bin/checkpassword \
        /var/qmail/bin/qmail-pop3d Maildir 2>&1


[root@localhost]# vi /var/qmail/supervise/pop3/log/run

#!/bin/sh

exec /usr/bin/setuidgid qmaill \
        /usr/bin/multilog t s2500000 /var/log/qmail/pop3 2>&1


[root@localhost]# vi /var/qmail/supervise/submission/run

#!/bin/sh

QMAILD_UID=`id -u qmaild`
QMAILD_GID=`id -g qmaild`

MAXSMTPD=`head -1 /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`

if [ -z "$QMAILD_UID" -o -z "$QMAILD_GID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo  QMAILD_UID, QMAILD_GID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/submission/run

    exit 1
fi


if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"

    exit 1
fi

#        /usr/bin/rblsmtpd -b -r spamlist.or.kr \
# /home/vpopmail/bin/vchkpw /bin/true 2>&1
#exec /usr/bin/softlimit -m 64000000 \

# Submission listens on 587; port 25 is already bound by the smtp service above.
exec /usr/bin/softlimit -m 1000000000 \
        /usr/bin/tcpserver -v -R -H -l "$LOCAL" \
        -x /etc/tcprules.d/tcp.smtp.cdb \
        -c ${MAXSMTPD} \
        -u ${QMAILD_UID} -g ${QMAILD_GID} 0 587 \
        /var/qmail/bin/qmail-smtpd "$LOCAL" \
        /bin/checkpassword /bin/true 2>&1


[root@localhost]# vi /var/qmail/supervise/submission/log/run

#!/bin/sh

exec /usr/bin/setuidgid qmaill \
        /usr/bin/multilog t /var/log/qmail/submission 2>&1



[root@localhost]# chmod 755 /var/qmail/rc
[root@localhost]# chown root:qmail /var/qmail/rc

[root@localhost]# chmod 700 /var/qmail/supervise
[root@localhost]# chown -R qmaill:qmail /var/qmail/supervise
[root@localhost]# for i in send smtp pop3 submission; do chmod 1700 /var/qmail/supervise/$i; done
[root@localhost]# for i in send smtp pop3 submission; do chmod 700 /var/qmail/supervise/$i/log; done
[root@localhost]# for i in send smtp pop3 submission; do chmod 751 /var/qmail/supervise/$i/run; done
[root@localhost]# for i in send smtp pop3 submission; do chmod 751 /var/qmail/supervise/$i/log/run; done


[root@localhost]# mkdir -p /etc/tcprules.d
[root@localhost]# vi /etc/tcprules.d/tcp.smtp
127.0.0.1:allow,RELAYCLIENT="",CHKUSER_RCPTLIMIT="15",CHKUSER_WRONGRCPTLIMIT="3"
:allow,CHKUSER_RCPTLIMIT="15",CHKUSER_WRONGRCPTLIMIT="3"
[root@localhost]# tcprules /etc/tcprules.d/tcp.smtp.cdb /etc/tcprules.d/tcp.smtp.tmp < /etc/tcprules.d/tcp.smtp

[root@localhost]# vi /etc/init.d/qmaild

#!/bin/sh
#
# qmaild       This shell script takes care of starting and stopping
#              the qmail system.
#
# chkconfig: - 30 80
# description: qmail is a small, fast, secure replacement for the sendmail package, which is
#              the program that actually receives, routes, and delivers electronic mail.

export PATH="$PATH:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/var/qmail/bin"
svclist="send smtp pop3 submission"

case "$1" in
    start)
        echo "Starting qmail"

        for svc in $svclist; do
            if [ -e /service/${svc} ]; then
                if svok /service/${svc}; then
                    svc -u /service/${svc}
                else
                    echo "${svc} supervise not running"
                fi
            else
                ln -s /var/qmail/supervise/${svc} /service/
            fi
        done

        if [ -d /var/lock/subsys ]; then
            touch /var/lock/subsys/qmail
        fi
        ;;
    stop)
        echo "Stopping qmail..."

        for svc in $svclist; do
            if [ -e /service/${svc} ]; then
                echo "  ${svc}"
                svc -dx /service/${svc} /service/${svc}/log
                rm -f /service/${svc}
            fi
        done

        if [ -f /var/lock/subsys/qmail ]; then
            rm -f /var/lock/subsys/qmail
        fi
        ;;
    stat)
        for svc in $svclist; do
            if [ -e /service/${svc} ]; then
                svstat /service/${svc}
                svstat /service/${svc}/log
            fi
        done
        qmail-qstat
        ;;
    doqueue|alrm|flush)
        if [ -e /service/send ]; then
            echo "Flushing timeout table and sending ALRM signal to send."
            /var/qmail/bin/qmail-tcpok
            svc -a /service/send
        fi
        ;;
    queue)
        qmail-qstat
        qmail-qread
        ;;
    reload|hup)
        if [ -e /service/send ]; then
            echo "Sending HUP signal to send."
            svc -h /service/send
        fi
        ;;
    pause)
        for svc in $svclist; do
            if [ -e /service/${svc} ]; then
                echo "Pausing ${svc}"
                svc -p /service/${svc}
            fi
        done
        ;;
    cont)
        for svc in $svclist; do
            if [ -e /service/${svc} ]; then
                echo "Continuing ${svc}"
                svc -c /service/${svc}
            fi
        done
        ;;
    restart)
        echo "Restarting qmail:"
        for svc in $svclist; do
            if [ -e /service/${svc} ]; then
                if [ "${svc}" != "send" ]; then
                    echo "* Stopping ${svc}."
                    svc -d /service/${svc}
                fi
            fi
        done

        if [ -e /service/send ]; then
            echo "* Sending send SIGTERM and restarting."
            svc -t /service/send
        fi

        for svc in $svclist; do
            if [ -e /service/${svc} ]; then
                if [ "${svc}" != "send" ]; then
                    echo "* Restarting ${svc}."
                    svc -u /service/${svc}
                fi
            fi
        done
        ;;
    cdb)
        if [ -z "`grep '\#define POP_AUTH_OPEN_RELAY 1' /home/vpopmail/include/config.h 2>/dev/null`" ]; then
            tcprules /etc/tcprules.d/tcp.smtp.cdb /etc/tcprules.d/tcp.smtp.tmp < /etc/tcprules.d/tcp.smtp
        else
            /home/vpopmail/bin/clearopensmtp
        fi

        echo "Reloaded /etc/tcprules.d/tcp.smtp."
        ;;
    help)
cat <<HELP
       stop -- stops mail service (smtp connections refused, nothing goes out)
      start -- starts mail service (smtp connection accepted, mail can go out)
      pause -- temporarily stops mail service (connections accepted, nothing leaves)
       cont -- continues paused mail service
       stat -- displays status of mail service
        cdb -- rebuild the tcpserver cdb file for smtp
    restart -- stops and restarts smtp, sends send a TERM & restarts it
    doqueue -- schedules queued messages for immediate delivery
     reload -- sends send HUP, rereading locals and virtualdomains
      queue -- shows status of queue
       alrm -- same as doqueue
      flush -- same as doqueue
        hup -- same as reload
HELP
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|help}"
        exit 1
        ;;
esac

exit 0

[root@localhost]# chmod 755 /etc/init.d/qmaild
[root@localhost]# chkconfig --add qmaild
[root@localhost]# chkconfig --level 3 qmaild on
[root@localhost]# service qmaild start


9. Generate the SMTP SSL certificate

[root@localhost]# cd /var/qmail/control
[root@localhost]# openssl req -newkey rsa:1024 -x509 -days 365 -nodes -out servercert.pem -keyout servercert.pem

Generating a 1024 bit RSA private key
............++++++
..++++++
writing new private key to 'servercert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:KR
State or Province Name (full name) []:Seoul
Locality Name (eg, city) [Default City]:Seoul
Organization Name (eg, company) [Default Company Ltd]:SMTP Server
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:xxxxx
Email Address []:yourid@xxx.xx
[root@localhost]# ln -sfv servercert.pem clientcert.pem

[root@localhost]# openssl ciphers > tlsserverciphers
[root@localhost]# ln -sfv tlsserverciphers tlsclientciphers

[root@localhost]# echo "01 01 * * * root /var/qmail/bin/update_tmprsadh >/dev/null 2>&1" >> /etc/crontab


10. DomainKeys setup

[root@localhost]# mkdir -p /var/qmail/control/domainkeys
[root@localhost]# cd /var/qmail/control/domainkeys
[root@localhost]# mkdir example.com
[root@localhost]# cd example.com
[root@localhost]# /var/qmail/bin/dknewkey private > public.txt
[root@localhost]# chmod 440 private
[root@localhost]# cd ..
[root@localhost]# chown -R root:vchkpw example.com

[root@localhost]# cd /var/qmail/bin
[root@localhost]# mv qmail-queue qmail-queue.orig
[root@localhost]# ln -sv qmail-dk qmail-queue
[root@localhost]# chmod 4711 qmail-queue.orig


[root@localhost]# vi /etc/tcprules.d/tcp.smtp
127.0.0.1:allow,RELAYCLIENT="",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"
:allow,CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"
[root@localhost]# tcprules /etc/tcprules.d/tcp.smtp.cdb /etc/tcprules.d/tcp.smtp.tmp < /etc/tcprules.d/tcp.smtp
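Before compiling either version of /etc/tcprules.d/tcp.smtp (the one in section 8 or the DKSIGN one just above) with tcprules, it is worth auditing the rules for the one mistake that turns the host into an open relay. This is an added example, not code from the original post, and the rule it enforces is mine: a line whose address part is empty (`:allow,...`) matches every client, so it must never carry `RELAYCLIENT`, because `RELAYCLIENT` makes qmail-smtpd accept mail for any recipient. Prefix rules such as `10.:allow,...` are only reported as notes. The two rule files written by `write_sample` (a name I chose) are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a tcprules source file for
# a catch-all rule that grants RELAYCLIENT. Usage: tcp_smtp_relay_audit FILE

# tcp_smtp_relay_audit FILE: print each offending rule; return 1 if any found.
tcp_smtp_relay_audit() {
    file=$1
    bad=0
    while IFS= read -r rule || [ -n "$rule" ]; do
        case $rule in ''|'#'*) continue ;; esac   # blank lines and comments
        addr=${rule%%:*}                           # address pattern, may be empty
        action=${rule#*:}                          # allow/deny plus environment settings
        case $action in
            allow,RELAYCLIENT=*|allow,*,RELAYCLIENT=*)
                case $addr in
                    '') echo "open relay: '$rule' grants RELAYCLIENT to every client"; bad=1 ;;
                    *.) echo "note: '$rule' relays for a whole network prefix" ;;
                esac
                ;;
        esac
    done < "$file"
    return $bad
}

# write_sample FILE GOOD: constructed tcp.smtp contents. GOOD=no reproduces a
# typical mistake: the catch-all rule was given RELAYCLIENT as well.
write_sample() {
    if [ "$2" = yes ]; then
        cat > "$1" <<'EOF'
127.0.0.1:allow,RELAYCLIENT="",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"
:allow,CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"
EOF
    else
        cat > "$1" <<'EOF'
# "fixed" relaying for the office by relaying for everyone
127.0.0.1:allow,RELAYCLIENT=""
10.:allow,RELAYCLIENT=""
:allow,RELAYCLIENT="",CHKUSER_RCPTLIMIT="50"
EOF
    fi
}

# Demonstration on the constructed files.
SAMPLE_GOOD=$(mktemp); write_sample "$SAMPLE_GOOD" yes
SAMPLE_BAD=$(mktemp);  write_sample "$SAMPLE_BAD" no
tcp_smtp_relay_audit "$SAMPLE_GOOD" && echo "tcp.smtp: ok, safe to run tcprules"
tcp_smtp_relay_audit "$SAMPLE_BAD"  || echo "tcp.smtp: do not compile this file"
```

On the server, `tcp_smtp_relay_audit /etc/tcprules.d/tcp.smtp && tcprules /etc/tcprules.d/tcp.smtp.cdb /etc/tcprules.d/tcp.smtp.tmp < /etc/tcprules.d/tcp.smtp` only rebuilds the cdb when the audit passes.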


[root@localhost]# cat /var/qmail/control/domainkeys/example.com/public.txt
private._domainkey  IN    TXT   "k=rsa; p=MEwwDQYJKoZ..... SSL Key End"


[root@localhost]# vi /var/named/data/example.com.zone
_domainkey      IN    TXT   "o=-"
private._domainkey  IN    TXT   "k=rsa; p=MEwwDQYJKoZ..... SSL Key End"



11. Miscellaneous

[root@localhost]# yum install qmhandle
[root@localhost]# ln -s /usr/bin/qmhandle.pl qmhandle

Posted by basecode

Installing libdomainkeys   Linux/qmail   2012. 8. 29. 05:52

How to install, with yum, the domainkey support used when sending and receiving mail.

Installed for qmail on CentOS 5.8 or later.


First add the repository.

32-bit

# rpm -Uvh http://dl.atrpms.net/el5-i386/atrpms/stable/atrpms-repo-5-5.el5.i386.rpm

64-bit

# rpm -Uvh http://dl.atrpms.net/el5-x86_64/atrpms/stable/atrpms-repo-5-5.el5.x86_64.rpm


Install

# yum install libdomainkeys



Posted by basecode