SQUIRRELMAIL
www.squirrelmail.org
The text with yellow background is specific to using the MySQL backend. If you don't want to use the MySQL backend, just skip over these sections.
Download and unpack all the sources
cd /usr/local/src
wget http://twtelecom.dl.sourceforge.net/sourceforge/squirrelmail/squirrelmail-1.4.0.tar.gz
cd /usr/local/apache/htdocs
tar xzf /usr/local/src/squirrelmail-1.4.0.tar.gz
chown -R root.www squirrelmail-1.4.0
chmod -R 750 squirrelmail-1.4.0
ln -s squirrelmail-1.4.0 squirrelmail
Create the required directory structure
mkdir /var/squirrelmail
# create the data dir. This is where users' personal preferences are stored if not using MySQL backend
mkdir /var/squirrelmail/data
# create the attach dir. This is where temp files for emails in progress are stored
mkdir /var/squirrelmail/attach
cd squirrelmail
cp data/default_pref /var/squirrelmail/data
chown -R root.www /var/squirrelmail
chmod -R 0770 /var/squirrelmail/data
chmod -R 0730 /var/squirrelmail/attach
cp /usr/local/src/yourcompanylogo-100.gif /usr/local/apache/htdocs/images
Configure SquirrelMail
cd config
perl conf.pl
1. ORGANIZATION PREFERENCES
1. Organization name : YourCompany
2. Organization Logo : /images/yourcompanylogo-100.gif
3. Org. Logo Height/Width : 100/100
4. Organization title : YourCompany WebMail (v$version)
2. SERVER SETTINGS
1. Domain : yourdomain.com
Press A to update IMAP settings
4. IMAP Server : localhost
5. IMAP Port : 143
6. Authentication type : login
7. Secure IMAP (TLS) : false
8. Server software : courier
9. Delimiter : .
Press B to update SMTP settings
4. SMTP Server : localhost
5. SMTP Port : 25
6. POP before SMTP : false
7. SMTP Authentication : none
8. Secure SMTP (TLS) : false
3. FOLDER DEFAULTS
9. List Special Folders First : false
15. Default Unseen Type : 2
4. GENERAL OPTIONS
2. Data directory : /var/squirrelmail/data
3. Attachment directory : /var/squirrelmail/attach
6. Usernames in lower case : true
8. Hide squirrelmail attributions : true
12. Allow server-side sorting : true
6. ADDRESS BOOKS
2. Use Javascript Address Book Search : True
9. DATABASE
1. DSN for address book : mysql://squirreluser:squirrelpassword@localhost/squirrelmail
3. DSN for preferences : mysql://squirreluser:squirrelpassword@localhost/squirrelmail
D. SET PRE-DEFINED SETTINGS FOR SPECIFIC IMAP SERVERS
Choose Courier
Now Save and quit the config program
Create the necessary tables in MySQL :
cd /usr/local/mysql/bin
./mysql --password="mysql-root-pwd"
CREATE DATABASE squirrelmail;
GRANT select,insert,update,delete ON squirrelmail.*
TO squirreluser@localhost IDENTIFIED BY 'squirrelpassword';
USE squirrelmail;
CREATE TABLE address (
owner varchar(128) DEFAULT '' NOT NULL,
nickname varchar(16) DEFAULT '' NOT NULL,
firstname varchar(128) DEFAULT '' NOT NULL,
lastname varchar(128) DEFAULT '' NOT NULL,
email varchar(128) DEFAULT '' NOT NULL,
label varchar(255),
PRIMARY KEY (owner,nickname),
KEY firstname (firstname,lastname)
);
CREATE TABLE userprefs (
user varchar(128) DEFAULT '' NOT NULL,
prefkey varchar(64) DEFAULT '' NOT NULL,
prefval blob NOT NULL,
PRIMARY KEY (user,prefkey)
);
quit
You can define the default SquirrelMail settings that users will receive when they log in.
For MySQL backend
cd /usr/local/apache/htdocs/squirrelmail
# replace the default preferences definition in the db_prefs file
# with our own customised defaults.
# Open the file, scroll down and replace the existing "var $default"
# entry (on line 80) with our customised version shown below
vi functions/db_prefs.php
var $default = Array('chosen_theme' => '../themes/default_theme.php',
'show_html_default' => '1',
'language' => 'en_US',
'use_javascript_addr_book' => '1',
'left_size' => '140',
'left_refresh' => '3600',
'show_username' => '1',
'show_username_pos' => 'top',
'order1' => '1',
'order2' => '2',
'order3' => '3',
'order4' => '5',
'order5' => '4',
'order6' => '6');
Or, if you aren't running MySQL backend for SquirrelMail, you can adjust the default preferences like this :
vi /var/squirrelmail/data/default_pref :
show_html_default=1
language=en_US
use_javascript_addr_book=1
left_size=140
left_refresh=3600
show_username=1
show_username_pos=top
order1=1
order2=2
order3=3
order4=5
order5=4
order6=6
Setup periodic purging of the "attach" directory
When SquirrelMail users are composing a message that has attachment(s), the attachment is temporarily stored in the /var/squirrelmail/attach directory. When the user sends the message, the associated temp files will get deleted.
However sometimes the temp files do not get deleted (eg if the user closes their browser mid-compose?). Since the permissions on this directory are setup (as a security measure) to prevent the webserver from listing the files in this directory, there is no way for Apache/SquirrelMail to do a periodic scan/purge of old files.
So we are going to setup a daily crontab to clean up any attachments that get left hanging around
# delete any files that are more than 2 days old from the SquirrelMail attachment dir
0 0 * * * find /var/squirrelmail/attach -type f -atime +2 -exec /bin/rm -f {} \;
Install the quota_usage plugin so users can see their mailbox quota usage
cd /usr/local/src
wget http://www.squirrelmail.org/plugins/quota_usage-1.0.tar.gz
wget http://www.squirrelmail.org/plugins/compatibility-1.2.tar.gz
cd /usr/local/apache/htdocs/squirrelmail/plugins
tar xzf /usr/local/src/quota_usage-1.0.tar.gz
tar xzf /usr/local/src/compatibility-1.2.tar.gz
chown -R root.www quota_usage
chmod -R o-rx quota_usage
chown -R root.www compatibility
chmod -R o-rx compatibility
cd ../config
perl conf.pl
8. Plugins
choose quota_usage
choose compatibility
Optionally, Setup SSL mode at login time
cd /usr/local/src
wget http://www.squirrelmail.org/plugins/secure_login-1.0-1.2.8.tar.gz
cd /usr/local/apache/htdocs/squirrelmail/plugins
tar xzf /usr/local/src/secure_login-1.0-1.2.8.tar.gz
chown -R root.www secure_login
chmod -R o-rx secure_login
cd ../config
perl conf.pl
8. Plugins, and choose secure_login
Optionally, modify SquirrelMail so that it will log any failed login attempts to the syslog
modify squirrelmail/functions/imap_general.php
search for the line that has "Unknown user or password incorrect"
above this line add :
// log the username only: a failed attempt is often the real password with a typo
syslog(LOG_MAIL|LOG_NOTICE,"Squirrelmail login failed for Username : $username");
now failed SquirrelMail logins will be logged to /var/log/maillog :-)
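One way to put these log lines to use is a per-username summary of failed logins, so that repeated failures against one account stand out. This is an added example, not part of the original guide; the function names are hypothetical and the sample log lines (timestamp, host name and the "httpd" tag) are constructed.

```shell
#!/bin/sh
# Added example: summarise the "Squirrelmail login failed" lines that the
# syslog() call above writes to /var/log/maillog.

MARKER='Squirrelmail login failed for Username : '

# Constructed sample log; timestamp, host name and "httpd" tag are assumptions.
sample_maillog() {
    cat <<'EOF'
May  4 10:01:02 mail httpd: Squirrelmail login failed for Username : alice@yourdomain.com
May  4 10:01:09 mail httpd: Squirrelmail login failed for Username : alice@yourdomain.com
May  4 10:01:15 mail httpd: Squirrelmail login failed for Username : Alice@yourdomain.com
May  4 10:02:40 mail qmail: 1051956160.123456 new msg 48213
May  4 10:03:11 mail httpd: Squirrelmail login failed for Username : bob@yourdomain.com
May  4 10:05:00 mail httpd: Squirrelmail login failed for Username : carol@yourdomain.com, extra
EOF
}

# failed_login_counts FILE
# Prints "COUNT USERNAME" for every username seen, busiest first.
failed_login_counts() {
    awk -v marker="$MARKER" '
        {
            pos = index($0, marker)
            if (pos == 0) next                      # not a failed-login line
            user = substr($0, pos + length(marker))
            sub(/,.*$/, "", user)                   # drop any fields logged after the username
            gsub(/[^A-Za-z0-9@._+-]/, "?", user)    # neutralise spaces and control characters
            count[tolower(user)]++                  # this setup lower-cases usernames
        }
        END { for (u in count) print count[u], u }
    ' "$1" | sort -k1,1nr -k2,2
}

# users_over_threshold N FILE
# Prints the usernames that have at least N failed logins in FILE.
users_over_threshold() {
    failed_login_counts "$2" | awk -v min="$1" '$1 >= min { print $2 }'
}

# Stand-alone use: sh failed_logins.sh /var/log/maillog
if [ "$#" -ge 1 ]; then
    users_over_threshold 5 "$1"
fi
```
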
We also added some code to squirrelmail/src/login.php to add a notes page to the login screen. We inserted this chunk just before the line that says "do_hook('login_bottom');"
echo "<BR><CENTER>".
"<TABLE BORDER=1 WIDTH=75%><TR><TD ALIGN=CENTER><FONT FACE=Arial SIZE=2>".
"<P><B><FONT SIZE=3>IMPORTANT NOTES REGARDING THE WEBMAIL SYSTEM</FONT></B></P>".
"<P><B>AUTOMATIC MAIL DELETION</B></P>".
"<P>The mail server will automatically delete mail from the<BR> ".
"following folders after the specified number of days :<br>".
"Trash Folder - 7 days, Sent Folder - 30 days,<BR> All other folders 90 days.</P>".
"<P><B>POP3 MAIL CLIENTS</B></P>".
"<P>If you check your mail using a POP3 mail client (such as Outlook Express),<BR> ".
"it will download and delete the mail from your WebMail inbox.</P>".
"<P>If you want to be able to download the mail using POP3 and also<BR> ".
"leave it on the server so you can see it with WebMail, you will need<BR> ".
"to adjust the settings in your POP3 client to tell it not to delete<BR> ".
"mail after downloading.</P>".
"<P>For example, to configure this in Outlook Express you would go to<br> ".
"<i>Tools -> Accounts -> Mail -> Properties -> Advanced</i><BR> ".
"and then tick the box<BR><i>'Leave a copy of message on server'</i></P>".
"</FONT>".
"</TD></TR></TABLE></CENTER>";
Now, another cosmetic change... : modify the squirrelmail/src/login.php and change the wording of "Name:" to "Email address:".
Next, we set up a default document in the web server's root, to redirect our customers through to the SquirrelMail login page. That way when people want to access the WebMail tool they can point their browser to "http://webmail.yourdomain.com" and they will get automatically redirected through to the SquirrelMail directory.
vi /usr/local/apache/htdocs/index.html
<HTML>
<HEAD>
<TITLE>Redirect to WebMail login screen...</TITLE>
<META HTTP-EQUIV="refresh" CONTENT="1; url=http://webmail.yourdomain.com/squirrelmail/">
</HEAD>
<BODY>
Redirecting to the WebMail login screen...<br>
<a href="squirrelmail/">Click here if you are not automatically redirected</a>
</BODY>
</HTML>
SPAM AND VIRUS CHECKING
OK, now you have a working mail server.. You have loaded all your users and they are giving the new system a good workout. Everything is running nice and smoothly. You sit back and think "my job is done!"
Until... users start coming to you and saying... "Hey, this new mail server is really good... But how do I block out all these viruses and spam?"... Uh oh...!
Well, luckily the answer is relatively easy..... I would recommend you install SpamAssassin & Qmail-Scanner.
RAZOR V2
http://razor.sourceforge.net
If Razor is installed, SpamAssassin will automatically include it in the list of tests run. We found that Razor is quite accurate in identifying spam, and it only added a small amount of extra CPU load on the server, so it is definitely worth installing.
Compile and install :
# the sdk pack includes a bundle of perl modules required by the razor software
tar xzf razor-agents-sdk-2.03.tar.gz
cd razor-agents-sdk-2.03
perl Makefile.PL
make
make test
make install
cd ..
# now install the actual razor software
tar xzf razor-agents-2.22.tar.gz
cd razor-agents-2.22
perl Makefile.PL
make
make test
make install
cd ..
The razor programs will now be installed in /usr/bin. In particular, SpamAssassin makes use of the program called : "razor-check"
Last job is to create the Razor configuration files (they get put into /etc/razor/) by using this command :
razor-admin -d -create -home=/etc/razor
SPAMASSASSIN
http://www.spamassassin.org
Description :
SpamAssassin is a program that scans email messages using a set of rules, and then assigns a score. If the score is higher than your nominated limit, then the message will be tagged as spam.
Download and compile
tar xzf Mail-SpamAssassin-2.53.tar.gz
cd Mail-SpamAssassin-2.53
perl Makefile.PL
make
make install
"make install" installs the following files :
/usr/bin/spamassassin <- This is the standard SpamAssassin program
/usr/bin/spamc <- Daemonised SpamAssassin client
/usr/bin/spamd <- Daemonised SpamAssassin server
/usr/share/spamassassin/ <- The SpamAssassin logic/filter files live here
/etc/mail/spamassassin/local.cf <- sitewide configuration settings
Test to see if the installation was successful
spamassassin -t < sample-nonspam.txt
spamassassin -t < sample-spam.txt
To improve security, modify the configuration of the spamd daemon so it runs under its own uid
Create a spamd user for the spamd process to run as
groupadd spamd
useradd -g spamd spamd
Modify / create the spamd configuration file
vi /etc/sysconfig/spamd
# Hint : if you want to enable SpamAssassin debugging
# (the debug output goes to /var/log/maillog) then use :
# OPTIONS="-x -u spamd -d -D"
#
# Otherwise, for normal operation (debugging disabled) use :
OPTIONS="-x -u spamd -d"
Configure the spamd daemon so it is running all the time from bootup onwards
cp spamd/redhat-rc-script.sh /etc/rc.d/init.d/spamd
chmod 700 /etc/rc.d/init.d/spamd
chkconfig --add spamd
Then I like to use the ntsysv program to double-check that spamd is set to launch at boot time
Setup the SpamAssassin configuration
vi /etc/mail/spamassassin/local.cf
# Define the sensitivity level. Standard level is 5.
# After a fair bit of testing, we found that 10 was the best option.
# Anything lower produced too many false positives
required_hits 10
# Allow SpamAssassin to rewrite the subject line of any messages it classifies as spam
rewrite_subject 1
# This is the value that will be prepended to the subject line of messages classified as spam
subject_tag [SPAM]
# Put the spam report into the headers of the message, rather than in the body
report_header 1
# Use condensed wording for the spam report
use_terse_report 1
# As of SpamAssassin 2.50, if SPAM is detected, by default a new report
# email will be created and the spam message will be attached as a MIME part
# We don't like this behavior so we turn it off
report_safe 0
# Don't modify the content-type: mime header of suspect mail..
# Usually you would be running a virus checker from Qmail-Scanner which will block out
# any nasty attachments
defang_mime 0
# SpamAssassin by default will try to run the following spam-detection utilities
# for every mail message. (You can read about them at http://www.spamassassin.org/dist/INSTALL)
# We don't want to waste any CPU cycles trying to run utilities that we don't have installed,
# so disable these tests for the moment.
use_dcc 0
use_pyzor 0
use_razor1 0
# enable razor2 checking
use_razor2 1
# Enable SpamAssassin's RBL checking features :
# Although we have already done some RBL filtering earlier in qmail's rblsmtpd program,
# it is still recommended to turn on RBL checking in SpamAssassin, as it will run
# checks against a variety of different RBL sources, and the results will help
# tag spam more accurately
skip_rbl_checks 0
# If we haven't received a response from the RBL server in X seconds, then skip that test
rbl_timeout 3
# Examine the headers of the message for the last 3 mail servers that the message
# passed through. Run all of these IPs through the RBL checking systems
num_check_received 3
# Now we want to alter some of the default scores for RBL hits
#
# By default the bl.spamcop.net RBL score is 0 (disabled).
# We will override this and give any hits a score of 3
# Info about this RBL is available from http://spamcop.net/fom-serve/cache/290.html
score RCVD_IN_BL_SPAMCOP_NET 3
If you wish to view all the possible configuration options, use this command :
perldoc Mail::SpamAssassin::Conf
OK, the SpamAssassin software is now fully installed!
Any mail that SpamAssassin classifies as spam will have [SPAM] added to the subject line. You should now probably set up some docs for your users showing them how they can use message filtering rules in their email client. You can see our message filtering guides here
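To check a required_hits choice such as the 10 used above against real traffic, you can count how many already-scored messages would be tagged at other thresholds. This is an added example, not part of the original guide; it assumes the SpamAssassin 2.x X-Spam-Status layout ("hits=" and "required="), the function names are hypothetical, and the header lines are constructed.

```shell
#!/bin/sh
# Added example: what-if table for required_hits, built from the
# X-Spam-Status headers SpamAssassin adds to scanned mail.

# Constructed headers; the "hits=... required=..." layout is an assumption
# based on the SpamAssassin 2.x header format.
sample_spam_headers() {
    cat <<'EOF'
X-Spam-Status: No, hits=0.3 required=10.0 tests=none version=2.53
X-Spam-Status: No, hits=-1.2 required=10.0 tests=none version=2.53
X-Spam-Status: No, hits=5.6 required=10.0 tests=RCVD_IN_BL_SPAMCOP_NET version=2.53
X-Spam-Status: No, hits=7.2 required=10.0 tests=RCVD_IN_BL_SPAMCOP_NET version=2.53
X-Spam-Status: No, hits=9.9 required=10.0 tests=RCVD_IN_BL_SPAMCOP_NET version=2.53
X-Spam-Status: Yes, hits=10.0 required=10.0 tests=RCVD_IN_BL_SPAMCOP_NET version=2.53
X-Spam-Status: Yes, hits=14.8 required=10.0 tests=RCVD_IN_BL_SPAMCOP_NET version=2.53
EOF
}

# spam_scores FILE
# Prints one score per X-Spam-Status header found in FILE.
spam_scores() {
    awk '
        /^X-Spam-Status:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^hits=-?[0-9]+(\.[0-9]+)?$/)
                    print substr($i, 6)         # text after "hits="
        }
    ' "$1"
}

# tagged_at THRESHOLD FILE
# Prints how many messages score at or above THRESHOLD.
tagged_at() {
    spam_scores "$2" | awk -v t="$1" '$1 + 0 >= t + 0 { n++ } END { print n + 0 }'
}

# threshold_table FILE
# Prints "THRESHOLD TAGGED" for the default (5), a midpoint (7) and this guide's 10.
threshold_table() {
    for t in 5 7 10; do
        echo "$t $(tagged_at "$t" "$1")"
    done
}

# Stand-alone use: grep -h '^X-Spam-Status:' Maildir/cur/* > headers.txt
#                  sh threshold_table.sh headers.txt
if [ "$#" -ge 1 ]; then
    threshold_table "$1"
fi
```
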
QMAIL-SCANNER
http://Qmail-Scanner.sourceforge.net
Description :
Qmail-Scanner is an addon that enables a qmail server to scan messages for certain characteristics. It is typically used for its anti-virus protection functions, in which case it is used in conjunction with commercial (or open source) virus scanners. It is also capable of blocking email that contains specific strings in particular headers, or particular attachment filenames or types (e.g. *.VBS attachments).
Install the required supporting modules for Qmail-Scanner
TNEF unpacker
http://sourceforge.net/projects/tnef/
tar xzf tnef-1.2.0.tar.gz
cd tnef-1.2.0
./configure
make
make install
ReformatMIME (from the Maildrop package)
http://download.sourceforge.net/courier/
bunzip2 maildrop-1.5.2.tar.bz2
tar xf maildrop-1.5.2.tar
cd maildrop-1.5.2
./configure
make
make install-strip
make install-man
Install an antivirus product
We use Trend Micro InterScan VirusWall for Linux and we are happy with its performance and reliability
We tried "McAfee VirusScan Command Line Scanner for Linux" a while back but found it suffered from resource problems and often crashed while scanning mail
From what I have seen on the Qmail-Scanner mailing list, it appears the open source clam antivirus package is also pretty popular.
A full list of supported anti-virus packages is available on the Qmail-Scanner web site
Install the Qmail-Scanner script :
http://qmail-scanner.sourceforge.net
tar xzf Qmail-Scanner-1.16.tgz
cd Qmail-Scanner-1.16
# Here are the settings we used at our site for configuring Qmail-Scanner :
#
# configure Qmail-Scanner to work in the following manner :
# - notify a nominated admin each time a virus is detected
# (in this case it will be virusadmin@yourdomain.com)
# - use vscan (Trendmicro virusscan for Linux) for virus scanning
# - enable support for spamc/spamd in "verbose" mode.
# Qmailscanner can run spamd in "fast" mode or "verbose" mode.
# You can read more about this at the Qmail-Scanner FAQ page.
# I would recommend that you use verbose mode as this allows you to get access to
# the full reporting/tagging features that SpamAssassin can provide. It costs you
# a fraction more CPU power, but provides a much greater range of features.
#
./configure \
--admin virusadmin \
--domain yourdomain.com \
--scanners vscan,verbose_spamassassin \
--debug no \
--install
Modify your qmail configuration to send mail through Qmail-Scanner :
Modify your qmail-smtpd script so that it allocates sufficient resources to support Qmail-Scanner & SpamAssassin
vi /var/qmail/supervise/qmail-smtpd/run
Change the softlimit from 2000000 to something a fair bit larger. We use 10000000.
Next, you need to define what mail is to be sent through the Qmail-Scanner
At our site, we have configured our mail server to scan ALL messages it receives (ie inbound and outbound mail). We did this by setting up our /var/qmail/supervise/qmail-smtpd/run file like this :
#!/bin/sh
# when QMAILQUEUE is set, all mail will be sent to the nominated script
QMAILQUEUE="/var/qmail/bin/Qmail-Scanner-queue.pl"; export QMAILQUEUE
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
# softlimit needs to be set at 10000000 to allow virus scanner to run
exec /usr/local/bin/softlimit -m 10000000 \
/usr/local/bin/tcpserver -v -x /etc/tcp.smtp.cdb -c 30 -R \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
... and the rest of the file snipped ...
However, if you don't want to scan all mail, you can selectively nominate which IP ranges should or should not be checked by setting the QMAILQUEUE variable in your /etc/tcp.smtp file rather than inside the supervise/qmail-smtpd/run file. Refer to the Qmail-Scanner home page for setup examples.
QMAIL-SCANNER / SPAMASSASSIN NOTES :
How can I tell if SpamAssassin is working?
Each time SpamAssassin processes a message, it will log some information to /var/log/maillog (score, message size, time taken to process)
Not all mail gets passed through SpamAssassin
We have configured our supervise/qmail-smtpd/run script so that it runs Qmail-Scanner for every mail message. Thus all incoming and outgoing mail will get viruschecked. However this doesn't necessarily mean that every message passing through Qmail-Scanner will also get sent through SpamAssassin.
Qmail-Scanner has been coded so that messages are only passed on to SpamAssassin if the RELAYCLIENT variable in the tcp.smtp is not set. The idea behind this is to reduce load on the system by not scanning mail originated by your users.
It is possible to force SpamAssassin checking for local users if you choose by setting QS_SPAMASSASSIN="on" in your tcp.smtp file.
You can read more about this subject at the Qmail-Scanner FAQ page
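The RELAYCLIENT rule described above can be checked against your own tcp.smtp file to see which client ranges bypass SpamAssassin. This is an added example, not part of the original guide; it assumes QMAILQUEUE is set globally in the run script as shown earlier, the function names are hypothetical, and the rules and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example: report, per tcp.smtp rule, whether Qmail-Scanner would
# hand mail from that address range to SpamAssassin.

# Constructed rules in tcprules format: address:allow|deny,VAR="value",...
sample_tcp_smtp() {
    cat <<'EOF'
# constructed example rules
127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT="",QS_SPAMASSASSIN="on"
10.0.0.25:allow,RELAYCLIENT=""
203.0.113.:deny

:allow
EOF
}

# spam_scan_report FILE
# Prints "ADDRESS STATE" per rule, where STATE is one of:
#   scanned         RELAYCLIENT not set, SpamAssassin runs
#   scanned-forced  RELAYCLIENT set, but QS_SPAMASSASSIN="on" forces the check
#   skipped         RELAYCLIENT set (even to ""), SpamAssassin is bypassed
#   rejected        connection denied, nothing is scanned
spam_scan_report() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            colon = index($0, ":")
            if (colon == 0) next                # not a rule line
            addr = substr($0, 1, colon - 1)
            if (addr == "") addr = "(default)"  # the catch-all rule
            rest = substr($0, colon + 1)
            if (rest ~ /^deny/) { print addr, "rejected"; next }
            relay  = (rest ~ /(^|,)RELAYCLIENT=/)
            forced = (rest ~ /(^|,)QS_SPAMASSASSIN="on"/)
            if (!relay)      print addr, "scanned"
            else if (forced) print addr, "scanned-forced"
            else             print addr, "skipped"
        }
    ' "$1"
}

# unscanned_relays FILE
# Prints only the address ranges whose mail bypasses SpamAssassin.
unscanned_relays() {
    spam_scan_report "$1" | awk '$2 == "skipped" { print $1 }'
}

# Stand-alone use: sh spam_scan_report.sh /etc/tcp.smtp
if [ "$#" -ge 1 ]; then
    spam_scan_report "$1"
fi
```
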
Is it possible to configure per-user settings for SpamAssassin?
It depends on your configuration. We believe it will be possible to implement an interface so that vpopmail users can turn SpamAssassin checking on/off, and also set their own custom required_hits. We are hoping to store these settings as additional columns in the vpopmail MySQL database... Stay tuned and we will post more info as it comes to hand
TIPS :
* "ps axf" is your friend. Particularly useful for visualising how the supervise/qmail processes all fit together.
* "ps axfu" is good for double checking which accounts individual server processes are running under
To add a domain :
/home/vpopmail/bin/vadddomain yourdomain.com yourpassword
# this creates the domain and makes a mailbox postmaster@yourdomain.com
To add a mailbox:
/home/vpopmail/bin/vadduser someone@yourdomain.com apassword
To remove a mailbox
/home/vpopmail/bin/vdeluser someone@yourdomain.com
To remove a domain :
/home/vpopmail/bin/vdeldomain yourdomain.com
To change a user's password
/home/vpopmail/bin/vpasswd someone@yourdomain.com newpassword
To lookup info about a user
/home/vpopmail/bin/vuserinfo someone@yourdomain.com
This gives you info such as name, crypted password, cleartext password, dir, quota, usage%, last auth.
It has a number of flags to let you see the individual fields, or you can see them all if you don't use any flags.
It also creates the maildirsize file in the user's dir
www.squirrelmail.org
the text with yellow background is specific to using MySQL backend. if you don't want to use MySQL backend, then just skip over these sections....
Download and unpack all the sources
cd /usr/local/src
wget http://twtelecom.dl.sourceforge.net/sourceforge/squirrelmail/squirrelmail-1.4.0.tar.gz
cd /usr/local/apache/htdocs
tar xzf /usr/local/src/squirrelmail-1.4.0.tar.gz
chown -R root.www squirrelmail-1.4.0
chmod -R 750 squirrelmail-1.4.0
ln -s squirrelmail-1.4.0 squirrelmail
Create the required directory structure
mkdir /var/squirrelmail
# create the data dir. This is where users personal preferences are stored if not using MySQL backend
mkdir /var/squirrelmail/data
# create the attach dir. This is where temp files for emails in progress are store
mkdir /var/squirrelmail/attach
cd squirrelmail
cp data/default_pref /var/squirrelmail/data
chown -R root.www /var/squirrelmail
chmod -R 0770 /var/squirrelmail/data
chmod -R 0730 /var/squirrelmail/attach
cp /usr/local/src/yourcompanylogo-100.gif /usr/local/apache/htdocs/images
Configure SquirrelMail
cd config
perl conf.pl
1. ORGANIZATION PREFERENCES
1. Organization name : YourCompany
2. Organization Logo : /images/yourcompanylogo-100.gif
3. Org. Logo Height/Width : 100/100
4. Organization title : YourCompany WebMail (v$version)
2. SERVER SETTINGS
1. Domain : yourdomain.com
Press A to update IMAP settings
4. IMAP Server : localhost
5. IMAP Port : 143
6. Authentication type : login
7. Secure IMAP (TLS) : false
8. Server software : courier
9. Delimiter : .
Press B to update SMTP settings
4. SMTP Server : localhost
5. SMTP Port : 25
6. POP before SMTP : false
7. SMTP Authentication : none
8. Secure SMTP (TLS) : false
3. FOLDER DEFAULTS
9. List Special Folders First : false
15. Default Unseen Type : 2
4. GENERAL OPTIONS
2. Data directory : /var/squirrelmail/data
3. Attachment directory : /var/squirrelmail/attach
6. Usernames in lower case : true
8. Hide squirrelmail attributions : true
12. Allow server-side sorting : true
6. ADDRESS BOOKS
2. Use Javascript Address Book Search : True
9. DATABASE
1. DSN for address book : mysql://squirreluser:squirrelpassword@localhost/squirrelmail
3. DSN for preferences : mysql://squirreluser:squirrelpassword@localhost/squirrelmail
D. SET PRE-DEFINED SETTINGS FOR SPECIFIC IMAP SERVERS
Choose Courier
Now Save and quit the config program
Create the necessary tables in MySQL :
cd /usr/local/mysql/bin
./mysql --password="mysql-root-pwd"
CREATE DATABASE squirrelmail;
GRANT select,insert,update,delete ON squirrelmail.*
TO squirreluser@localhost IDENTIFIED BY 'squirrelpassword';
USE squirrelmail;
CREATE TABLE address (
owner varchar(128) DEFAULT '' NOT NULL,
nickname varchar(16) DEFAULT '' NOT NULL,
firstname varchar(128) DEFAULT '' NOT NULL,
lastname varchar(128) DEFAULT '' NOT NULL,
email varchar(128) DEFAULT '' NOT NULL,
label varchar(255),
PRIMARY KEY (owner,nickname),
KEY firstname (firstname,lastname)
);
CREATE TABLE userprefs (
user varchar(128) DEFAULT '' NOT NULL,
prefkey varchar(64) DEFAULT '' NOT NULL,
prefval blob DEFAULT '' NOT NULL,
PRIMARY KEY (user,prefkey)
);
quit
You can define what default SquirrelMail settings that users will receive when they log in.
For MySQL backend
cd /usr/local/apache/htdocs/squirrelmail
# replace the default preferences definition in the db_prefs file
# with our own customised defaults.
# Open the file, scroll down and replace the existing "var $default"
# entry (on line 80) with our customised version shown below
vi functions/db_prefs.php
var $default = Array('chosen_theme' => '../themes/default_theme.php',
'show_html_default' => '1',
'language' => 'en_US',
'use_javascript_addr_book' => '1',
'left_size' => '140',
'left_refresh' => '3600',
'show_username' => '1',
'show_username_pos' => 'top',
'order1' => '1',
'order2' => '2',
'order3' => '3',
'order4' => '5',
'order5' => '4',
'order6' => '6');
Or, if you aren't running MySQL backend for SquirrelMail, you can adjust the default preferences like this :
vi /var/squirrelmail/data/default_pref :
show_html_default=1
language=en_US
use_javascript_addr_book=1
left_size=140
left_refresh=3600
show_username=1
show_username_pos=top
order1=1
order2=2
order3=3
order4=5
order5=4
order6=6
Setup periodic purging of the "attach" directory
When SquirrelMail users are composing a message that has attachment(s), the attachment is temporarily stored in the /var/squirrelmail/attach directory. When the user sends the message, the associated temp files will get deleted.
However sometimes the temp files do not get deleted (eg if the user closes their browser mid-compose?). Since the permissions on this directory are setup (as a security measure) to prevent the webserver from listing the files in this directory, there is no way for Apache/SquirrelMail to do a periodic scan/purge of old files.
So we are going to setup a daily crontab to clean up any attachments that get left hanging around
# delete any files that are more than 2 days old from the SquirrelMail attachment dir
0 0 * * * find /var/squirrelmail/attach/* -atime +2 -exec /bin/rm {} \;
Install the quota_usage plugin so users can see their mailbox quota usage
cd /usr/local/src
wget http://www.squirrelmail.org/plugins/quota_usage-1.0.tar.gz
wget http://www.squirrelmail.org/plugins/compatibility-1.2.tar.gz
cd /usr/local/apache/htdocs/squirrelmail/plugins
tar xzf /usr/local/src/quota_usage-1.0.tar.gz
tar xzf /usr/local/src/compatibility-1.2.tar.gz
chown -R root.www quota_usage
chmod -R o-rx quota_usage
chown -R root.www compatibility
chmod -R o-rx compatibility
cd ../config
perl config.pl
8. Plugins
choose quota_usage
choose compatibility
Optionally, Setup SSL mode at login time
cd /usr/local/src
wget http://www.squirrelmail.org/plugins/secure_login-1.0-1.2.8.tar.gz
cd /usr/local/apache/htdocs/squirrelmail/plugins
tar xzf /usr/local/src/secure_login-1.0-1.2.8.tar.gz
chown -R root.www secure_login
chmod -R o-rx secure_login
cd ../config
perl config.pl
8. Plugins, and choose secure_login
Optionally, modify SquirrelMail so that it will any failed login attempts to the syslog
modify squirrelmail/functions/imap_general.php
search for the line that has "Unknown user or password incorrect"
above this line add :
syslog(LOG_MAIL|LOG_NOTICE,"Squirrelmail login failed for Username : $username, Password : $password");
now failed SquirrelMail logins will be logged to /var/log/maillog :-)
We also added some code to squirrelmail/src/login.php to add a notes page to the login screen. We inserted this chunk just before the line that says "do_hook('login_bottom');
echo "<BR><CENTER>".
"<TABLE BORDER=1 WIDTH=75%><TR><TD ALIGN=CENTER><FONT FACE=Arial SIZE=2>".
"<P><B><FONT SIZE=3>IMPORTANT NOTES REGARDING THE WEBMAIL SYSTEM</FONT></B></P>".
"<P><B>AUTOMATIC MAIL DELETION</B></P>".
"<P>The mail server will automatically delete mail from the<BR> ".
"following folders after the specified number of days :<br>".
"Trash Folder - 7 days, Sent Folder - 30 days,<BR> All other folders 90 days.</P>".
"<P><B>POP3 MAIL CLIENTS</B></P>".
"<P>If you check your mail using a POP3 mail client (such as Outlook Express),<BR> ".
"it will download and delete the mail from your WebMail inbox.</P>".
"<P>If you want to be able to download the mail using POP3 and also<BR> ".
"leave it on the server so you can see it with WebMail, you will need<BR> ".
"to adjust the settings in your POP3 client to tell it not to delete<BR> ".
"mail after downloading.</P>".
"<P>For example, to configure this in Outlook Express you would go to<br> ".
"<i>Tools -> Accounts -> Mail -> Properties -> Advanced</i><BR> ".
"and then tick the box<BR><i>'Leave a copy of message on server'</i><P>".
"</FONT>".
"</TD><TR></TABLE></CENTER>";
Now, another cosmetic change... : modify the squirrelmail/src/login.php and change the wording of "Name:" to "Email address:".
Next, we setup a default document in the web servers root, to redirect our customers through to the SquirrelMail login page. That way when people want to access the WebMail tool they can point their browser to "http://webmail.yourdomain.com" and they will get automatically redirected through to the SquirrelMail directory
vi /usr/local/apache/htdocs/index.html
<HTML>
<HEAD>
<TITLE>Redirect to WebMail login screen...</TITLE>
<META HTTP-EQUIV="refresh" CONTENT="1; url=http://webmail.yourdomain.com/squirrelmail/">
</HEAD>
<BODY>
Redirecting to the WebMail login screen...<br>
<a href=squirrelmail/>Click here if you are not automatically redirected</a>
</BODY>
</HTML>
SPAM AND VIRUS CHECKING
OK, now you have a working mail server.. You have loaded all your users and they are giving the new system a good workout. Everything is running nice and smoothly. You sit back and think "my job is done!"
Until... users starting coming to you and saying... "Hey, this new mail server is really good... But how do I block out all these viruses and spam?"... Uh oh...!
Well, luckily the answer is relatively easy..... I would recommend you install SpamAssassin & Qmail-Scanner.
RAZOR V2
http://razor.sourceforge.net
If Razor is installed, SpamAssassin will automatically include it in the list of tests run. We found that Razor is quite accurate in identifying spam, and it only added small amount of extra CPU load on the server, so it is definitely worth installing.
Compile and install :
# the sdk pack includes a bundle of perl modules required by the razor software
tar xzf razor-agents-sdk-2.03.tar.gz
cd razor-agents-sdk-2.03
perl Makefile.PL
make
make test
make install
cd ..
# now install the actual razor software
tar xzf razor-agents-2.22.tar.gz
cd razor-agents-2.22
perl Makefile.PL
make
make test
make install
cd ..
The razor programs will now be installed in /usr/bin. In particular, SpamAssassin makes use of the program called : "razor-check"
Last job is to create the Razor configuration files (they get put into /etc/razor/) by using this command :
razor-admin -d -create -home=/etc/razor
SPAMASSASSIN
http://www.spamassassin.org
Description :
Spamassassin is program that scans email messages using a set of rules, and then assigns a score. If the score is higher than your nominated limit, then the message will be tagged as spam.
Download and compile
tar xzf Mail-SpamAssassin-2.53.tar.gz
cd Mail-SpamAssassin-2.53
perl Makefile.PL
make
make install
"make install" puts the following files :
/usr/bin/spamassassin <- This is the standard SpamAssassin program
/usr/bin/spamc <- Daemonised Spamassassin client
/usr/bin/spamd <- Daemonised Spamassassin server
/usr/share/spamassassin/ <- The spamassasin logic/filter files live here
/etc/mail/spamassassin/local.cf <- sitewide configuration settings
Test to see if the installation was successful
spamassassin -t < sample-nonspam.txt
spamassassin -t < sample-spam.txt
To improve security, modify the configuration of the spamd daemon so it runs under its own uid
Create a spamd user for the spamd process to run as
groupadd spamd
useradd -g spamd spamd
Modify / create the spamd configuration file
vi /etc/sysconfig/spamd
# Hint : if you want to enable SpamAssassin debugging
# (the debug output goes to /var/log/maillog) then use :
# OPTIONS="-x -u spamd -d -D"
#
# Otherwise, for normal operation (debugging disabled) use :
OPTIONS="-x -u spamd -d"
Configure the spamd daemon so it is running all the time from bootup onwards
cp spamd/redhat-rc-script.sh /etc/rc.d/init.d/spamd
chmod 700 /etc/rc.d/init.d/spamd
chkconfig --add spamd
Then I like to use the ntsysv program to double-check that spamd is set to launch at boot time
Setup the SpamAssassin configuration
vi /etc/mail/spamassassin/local.cf
# Define the sensitivity level. Standard level is 5.
# After a fair bit of testing, we found that 10 was the best option.
# Anything lower produced too many false positives
required_hits 10
# Allow SpamAssassin to rewrite the subject line of any messages it classifies as spam
rewrite_subject 1
# This is the value that will be prepended to the subject line of messages classified as spam
subject_tag [SPAM]
# Put the spam report into the headers of the message, rather than in the body
report_header 1
# Use condensed wording for the spam report
use_terse_report 1
# As of SpamAssassin 2.50, if SPAM is detected, by default a new report
# email will be created and the spam message will be attached as a MIME part
# We don't like this behavior so we turn it off
report_safe 0
# Don't modify the content-type: mime header of suspect mail..
# Usually you would be running a virus checker from Qmail-Scanner which will block out
# any nasty attachments
defang_mime 0
# Spamassassin by default will try and run these following spam-detection utilities
# for every mail message. (You can read about them at http://www.spamassassin.org/dist/INSTALL)
# We don't want to waste any CPU cycles trying to run utilities that we don't have installed,
# so disable these tests for the moment .
use_dcc 0
use_pyzor 0
use_razor1 0
# enable razor2 checking
use_razor2 1
# Enable SpamAssassin's RBL checking features :
# Although we have already done some RBL filtering earlier in qmail's rblsmtpd program,
# it is still recommended to turn on RBL checking in SpamAssassin, as it will run
# checks against a variety of different RBL sources, and the results will help
# tag spam more accurately
skip_rbl_checks 0
# If we haven't received a response from the RBL server in X seconds, then skip that test
rbl_timeout 3
# Examine the headers of the message for the last 3 mail servers that the message
# passed through. Run all of these IPs through the RBL checking systems
num_check_received 3
# Now we want to alter some of the default scores for RBL hits
#
# By default the bl.spamcop.net RBL score is 0 (disabled).
# We will override this and give any hits a score of 3
# Info about this RBL is available from http://spamcop.net/fom-serve/cache/290.html
score RCVD_IN_BL_SPAMCOP_NET 3
If you wish to view all the possible configuration options, use this command :
perldoc Mail::SpamAssassin::Conf
OK, the SpamAssassin software is now fully installed!
Any mail that SpamAssassin classifies as spam will have [SPAM] added to the subject line. You should now probably set up some docs for your users showing them how they can use message filtering rules in their email client. You can see our message filtering guides here
QMAIL-SCANNER
http://Qmail-Scanner.sourceforge.net
Description :
Qmail-Scanner is an addon that enables a qmail server to scan messages for certain characteristics. It is typically used for its anti-virus protection functions, in which case it is used in conjunction with commercial (or open source) virus scanners. It is also capable of blocking email that contains specific strings in particular headers, or particular attachment filenames or types (e.g. *.VBS attachments).
Install the required supporting modules for Qmail-Scanner
TNEF unpacker
http://sourceforge.net/projects/tnef/
tar xzf tnef-1.2.0.tar.gz
cd tnef-1.2.0
./configure
make
make install
ReformatMIME (from the Maildrop package)
http://download.sourceforge.net/courier/
bunzip2 maildrop-1.5.2.tar.bz2
tar xf maildrop-1.5.2.tar
cd maildrop-1.5.2
./configure
make
make install-strip
make install-man
Install an antivirus product
We use Trend Micro InterScan VirusWall for Linux and we are happy with its performance and reliability
We tried "McAfee VirusScan Command Line Scanner for Linux" a while back but found it suffered from resource problems and often crashed while scanning mail
From what I have seen on the Qmail-Scanner mailing list, it appears the open source clam antivirus package is also pretty popular.
A full list of supported anti-virus packages is available on the Qmail-Scanner web site
Install the Qmail-Scanner script :
http://qmail-scanner.sourceforge.net
tar xzf Qmail-Scanner-1.16.tgz
cd Qmail-Scanner-1.16
# Here are the settings we used at our site for configuring Qmail-Scanner :
#
# configure Qmail-Scanner to work in the following manner :
# - notify a nominated admin each time a virus is detected
# (in this case it will be virusadmin@yourdomain.com)
# - use vscan (Trendmicro virusscan for Linux) for virus scanning
# - enable support for spamc/spamd in "verbose" mode.
# Qmailscanner can run spamd in "fast" mode or "verbose" mode.
# You can read more about this at the Qmail-Scanner FAQ page.
# I would recommend that you use verbose mode as this allows you to get access to
# the full reporting/tagging features that SpamAssassin can provide. It costs you
# a fraction more CPU power, but provides a much greater range of features.
#
./configure \
--admin virusadmin \
--domain yourdomain.com \
--scanners vscan,verbose_spamassassin \
--debug no \
--install
Modify your qmail configuration to send mail through Qmail-Scanner :
Modify your qmail-smtpd script so that it allocates sufficient resources to support Qmail-Scanner & SpamAssassin
vi /var/qmail/supervise/qmail-smtpd/run
Change the softlimit from 2000000 to something a fair bit larger. We use 10000000.
Next, you need to define what mail is to be sent through the Qmail-Scanner
At our site, we have configured our mail server to scan ALL messages it receives (ie inbound and outbound mail). We did this by setting up our /var/qmail/supervise/qmail-smtpd/run file like this :
#!/bin/sh
# when QMAILQUEUE is set, all mail will be sent to the nominated script
QMAILQUEUE="/var/qmail/bin/Qmail-Scanner-queue.pl"
export QMAILQUEUE
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
# softlimit needs to be set at 10000000 to allow virus scanner to run
exec /usr/local/bin/softlimit -m 10000000 \
/usr/local/bin/tcpserver -v -x /etc/tcp.smtp.cdb -c 30 -R \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
... and the rest of the file snipped ...
However, if you don't want to scan all mail, you can selectively nominate which IP ranges should or should not be checked by setting the QMAILQUEUE variable in your /etc/tcp.smtp file rather than inside the supervise/qmail-smtpd/run file. Refer to the Qmail-Scanner home page for setup examples.
QMAIL-SCANNER / SPAMASSASSIN NOTES :
How can I tell if SpamAssassin is working?
Each time SpamAssassin processes a message, it will log some information to /var/log/maillog (score, message size, time taken to process)
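An added example (not from the original guide) that summarises the spamd result lines in the mail log, including how many clean messages scored at or above the standard level of 5 but below the site's required_hits. It assumes the spamd 2.x syslog wording "clean message (score/limit) for user:uid in N seconds, N bytes." and "identified spam (...)"; the sample lines and function names are constructed.

```shell
#!/bin/sh
# Constructed sample of /var/log/maillog (assumed spamd 2.x line format).
sample_maillog() {
cat <<'EOF'
Mar 16 10:01:02 mail spamd[2211]: clean message (0.4/10.0) for spamd:502 in 0.9 seconds, 2310 bytes.
Mar 16 10:01:40 mail spamd[2214]: identified spam (17.3/10.0) for spamd:502 in 1.6 seconds, 5120 bytes.
Mar 16 10:02:05 mail other[2216]: unrelated constructed line
Mar 16 10:03:11 mail spamd[2219]: clean message (7.9/10.0) for spamd:502 in 1.1 seconds, 1840 bytes.
Mar 16 10:04:30 mail spamd[2223]: clean message (9.6/10.0) for spamd:502 in 1.2 seconds, 990 bytes.
EOF
}

# summarise_spamd: reads maillog lines on stdin and prints one summary line.
# std=5 is the standard required_hits level mentioned in local.cf above.
summarise_spamd() {
    awk -v std=5 '
    /spamd\[[0-9]+\]: (clean message|identified spam) \(/ {
        s = $0
        sub(/^.*\(/, "", s)          # keep the text after the "("
        split(s, p, "/")             # p[1] is the score
        score = p[1] + 0
        # the number in front of "seconds," is the scan time
        for (i = 2; i <= NF; i++) if ($i == "seconds,") secs += $(i - 1)
        total++
        if ($0 ~ /identified spam/) spam++
        else if (score >= std) near++   # clean here, tagged at the standard level
    }
    END {
        if (total == 0) { print "no spamd results found"; exit }
        printf "total=%d spam=%d clean=%d clean_at_or_over_%d=%d avg_secs=%.1f\n",
               total, spam, total - spam, std, near, secs / total
    }'
}

# On a live server: summarise_spamd < /var/log/maillog
sample_maillog | summarise_spamd
```

A "no spamd results found" line on a busy server means mail is not reaching spamd at all, which is worth checking against the RELAYCLIENT behaviour described in the next note.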
Not all mail gets passed through SpamAssassin
We have configured our supervise/qmail-smtpd/run script so that it runs Qmail-Scanner for every mail message. Thus all incoming and outgoing mail will get viruschecked. However this doesn't necessarily mean that every message passing through Qmail-Scanner will also get sent through SpamAssassin.
Qmail-Scanner has been coded so that messages are only passed on to SpamAssassin if the RELAYCLIENT variable in the tcp.smtp file is not set. The idea behind this is to reduce load on the system by not scanning mail originated by your users.
It is possible to force SpamAssassin checking for local users if you choose by setting QS_SPAMASSASSIN="on" in your tcp.smtp file
You can read more about this subject at the Qmail-Scanner FAQ page
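The RELAYCLIENT / QS_SPAMASSASSIN behaviour described above can be checked against a rules file to see which client ranges skip spam scanning. The script below is an added example, not part of Qmail-Scanner or the original guide; the function names and sample rules are constructed, and it assumes the usual tcprules layout (address:allow,VAR="value").

```shell
#!/bin/sh
# Constructed sample /etc/tcp.smtp rules (not from a real server).
sample_tcp_smtp() {
cat <<'EOF'
# local relay clients
127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT="",QS_SPAMASSASSIN="on"
10.0.0.5:deny
:allow
EOF
}

# audit_tcp_smtp: reads tcp.smtp rules on stdin, prints "<address> <verdict>".
#   RELAYCLIENT set       -> Qmail-Scanner skips SpamAssassin
#   QS_SPAMASSASSIN="on"  -> SpamAssassin is forced, even for relay clients
# Limitation: values that contain commas inside quotes are not handled.
audit_tcp_smtp() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        sep = index($0, ":")               # address ends at the first colon
        if (sep == 0) next
        addr = substr($0, 1, sep - 1)
        if (addr == "") addr = "(default)"
        n = split(substr($0, sep + 1), field, ",")
        action = field[1]; relay = 0; forced = 0
        for (i = 2; i <= n; i++) {
            if (field[i] ~ /^RELAYCLIENT=/) relay = 1
            if (field[i] ~ /^QS_SPAMASSASSIN="?on"?$/) forced = 1
        }
        if (action != "allow") verdict = "rejected"
        else if (forced)       verdict = "spam-scanned(forced)"
        else if (relay)        verdict = "spam-scan-SKIPPED"
        else                   verdict = "spam-scanned"
        print addr, verdict
    }'
}

# On a live server: audit_tcp_smtp < /etc/tcp.smtp
sample_tcp_smtp | audit_tcp_smtp
```

Virus scanning is unaffected by these verdicts, because QMAILQUEUE is set for every connection in the run script shown earlier.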
Is it possible to configure per-user settings for SpamAssassin?
It depends on your configuration. We believe it will be possible to implement an interface so that vpopmail users can turn SpamAssassin checking on/off, and also set their own custom required_hits. We are hoping to store these settings as additional columns in the vpopmail MySQL database... Stay tuned and we will post more info as it comes to hand
TIPS :
* "ps axf" is your friend. Particularly useful for visualising how the supervise/qmail processes all fit together.
* "ps axfu" is good for double checking which accounts the individual server processes are running under
To add a domain :
/home/vpopmail/bin/vadddomain yourdomain.com yourpassword
# this creates the domain and makes a mailbox postmaster@yourdomain.com
To add a mailbox:
/home/vpopmail/bin/vadduser someone@yourdomain.com apassword
To remove a mailbox
/home/vpopmail/bin/vdeluser someone@yourdomain.com
To remove a domain :
/home/vpopmail/bin/vdeldomain yourdomain.com
To change a user's password
/home/vpopmail/bin/vpasswd someone@yourdomain.com newpassword
To lookup info about a user
/home/vpopmail/bin/vuserinfo someone@yourdomain.com
This gives you info such as name, crypted password, cleartext password, dir, quota, usage%, last auth.
It has a number of flags to let you see the individual fields, or you can see them all if you don't use any flags.
It also creates the maildirsize file in the user's dir