QMT-ISO Manual Guide
From Qmailtoaster
While QMT-ISO is a fully integrated, ready-to-use Qmailtoaster on CentOS, there are still some things you may or must change to suit your needs.
Installation
- Get the latest QMT-ISO iso file from the QMT-ISO website
- Burn it to CD using your favorite burner
- Put the CD in the server you want to install
- Boot the server from the CD
- Step-by-step installation screenshot is available on QMT-ISO Install Screenshots
Primary Configuration
All of these sections need to be reconfigured to suit your needs.
Change admin-toaster password
Change it so that others can't access your QMT-ISO control panel.
Go to http://your.ip.address.com/admin-toaster, log in with
username: admin password: toaster, and use the "Change Admin Password:" field.
Change mysql root password
Same as above, for security's sake.
The default password is v2gnu-qmailtoaster.
My suggestion is to change it, but it is up to you.
# mysqladmin -u root -p password NEWPASSWD
(enter v2gnu-qmailtoaster when asked for the old password)
Setup localhost name
QMT-ISO now contains an experimental script to change the hostname of the system (set-hostname). If you have an issue or feature request, please email Jake with the details so it can (hopefully) be included in the next release. Otherwise, use the instructions below.
If you have multiple QMT-ISO servers in your network (training labs),
you don't want all of them to have the same name, right?
Use your own machine name, not mailsvr.mycompany.com.
# vi /etc/sysconfig/network
change HOSTNAME=localhost.localdomain into HOSTNAME=mailsvr.mycompany.com
Reboot so the new hostname takes effect:
# init 6
Add DNS server
Add the DNS server you want to use:
# vi /etc/resolv.conf
nameserver dnssvr.myisp.com
If this QMT-ISO is used for lab or testing purposes, you can use its own IP as the nameserver
after you set up the DNS service on it. A simple setup for bringing up the DNS service is given below under Configure Bind.
Add /etc/hosts
Use your own IP address and machine name:
# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain
222.111.0.33 mailsvr mailsvr.mycompany.com
Setting ntpd service
You don't want your mail server's clock to drift, right?
# chkconfig ntpd on
# vi /etc/ntp.conf (add your ntp server)
# service ntpd start
Setting smartd
I don't know how to use and configure it,
but every time the machine boots up it displays an error, so I am disabling it.
If anyone knows how to configure smartd on QMT-ISO, please update this section.
# chkconfig smartd off
# service smartd stop
[update] edit /etc/smartd.conf like:
/dev/hda -H -m user@host
/dev/hdb -H -m user@host
/dev/sda -H -m user@host
and you will get mail if there are S.M.A.R.T. errors on your drive(s).
Setting iptables
Add your local network or additional ports used by other daemons.
QMT-ISO has a firewall included, located at /etc/rc.d/firewall.ruleset that is enabled during startup via the /etc/rc.d/rc.local file.
You can set up your firewall by running
http://www.qmailtoaster.com/centos/cnt40/firewall.sh (for CentOS 4)
or see my iptables rules below for reference; even so, the firewall settings of each machine may differ.
Note: this firewall setting is only for a Qmailtoaster machine that has a public IP directly, NOT one located in a DMZ or behind a NATed IP; if yours is, there are some iptables sections you need to add.
# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.2.11 on Sat Jun 23 17:57:05 2007
*filter
:INPUT ACCEPT [1:40]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1915:191237]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 10.10.64.0/255.255.255.0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 783 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2106:2706 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
# Completed on Sat Jun 23 17:57:05 2007
# service iptables restart
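As an added check that is not part of the original guide, the script below reads a ruleset in iptables-save format (a constructed copy of the INPUT rules above) and reports two things worth confirming before trusting a firewall: which ports the INPUT chain accepts, and which ACCEPT rules match on interface or source alone, with no protocol, port or connection-state test. On the ruleset above, "-A INPUT -i eth0 -j ACCEPT" is such a rule: iptables takes the first matching rule, so on a box whose public interface is eth0 every port is already admitted before the per-port rules and the final REJECT are reached. The sample rules and the exemption for lo are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an iptables-save ruleset (constructed copy of the
# INPUT rules from the guide above) for accepted ports and blanket accepts.
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 10.10.64.0/255.255.255.0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2106:2706 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-port-unreachable'

# accepted_ports RULESET
# Prints "proto/port" for every INPUT rule that accepts a destination port.
accepted_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-j ACCEPT/ && /--dport/ {
            proto = "?"; port = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print proto "/" port
        }'
}

# blanket_accepts RULESET
# Prints INPUT ACCEPT rules that carry no protocol, port or state match.
# Rules are evaluated in order and the first match wins, so such a rule
# admits every port on that interface or from that source, and the per-port
# rules after it are never consulted for those packets. Loopback is
# exempted because accepting everything on lo is expected.
blanket_accepts() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-j ACCEPT/ && !/-p / && !/--dport/ &&
        !/--state/ && !/-i lo / { print }'
}

echo "Ports accepted by INPUT:"
accepted_ports "$SAMPLE_RULES"
echo "Blanket accepts (every port admitted):"
blanket_accepts "$SAMPLE_RULES"
```

Run it against the live ruleset with: iptables-save | grep '^-A INPUT' and pass the result as the argument.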
Setting /etc/tcprules.d/tcp.smtp
Add your local network; in this example my local network is 10.0.0.0/8,
so I just copy the 127 line and change it into network 10.
# vi /etc/tcprules.d/tcp.smtp
10.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",NOP0FCHECK="1",RBLSMTPD=""
# service qmail cdb
The tcp environment variables may differ depending on what you need.
Disabling domainkeys
Disable DomainKeys on QMT-ISO ver 1.2.
Somehow in this version DomainKeys is still linked to qmail
and needs to be disabled; see
Disabling Domain Keys
Set up the files in /var/qmail/control
Details for these section can be found at Control Files by Name
These need to be changed because most of them have localhost as their value.
After change these values you might need to restart qmail
# service qmail restart
/var/qmail/control/rcpthosts
List of domains that QMT-ISO will accept and deliver mail for.
No need to edit it manually, because vqadmin adds the entries for you.
Detailed info: Rcpthosts
/var/qmail/control/me
Type in your hostname.
If you are still using localhost for your SMTP server, it might get caught by SORBS, as mine did.
# vi /var/qmail/control/me
mailsvr.mycompany.com
/var/qmail/control/smtpgreeting
Type in your hostname.
If you are still using localhost for your SMTP server, it might get caught by SORBS, as mine did.
# vi /var/qmail/control/smtpgreeting
mailsvr.mycompany.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
other control files
/var/qmail/control/defaultdomain /var/qmail/control/defaulthost /var/qmail/control/plusdomain
Edit them and replace the value with your domain.
/var/qmail/control/locals
add your hostname
/home/vpopmail/etc/defaultdomain
vpopmail's default domain.
Type in the domain name that will be the default for QMT-ISO.
If a domain name is listed here, no domain is needed for user authentication,
i.e. without /home/vpopmail/etc/defaultdomain users need to authenticate as
user@mycompany.com
but with /home/vpopmail/etc/defaultdomain users only need to authenticate as
user
# vi /home/vpopmail/etc/defaultdomain
mycompany.com
Adding a Domain
You can use vqadmin in the admin-toaster control panel to add a domain. But the preferred way is to use the command described here: Domains
Bulk add users
If you have a new domain, you will probably add your users one at a time. But if you have many users waiting to be added to your toaster (say, you are migrating from other servers), you can use the Bulk User Adding For Qmail Toaster script.
Optional Configuration
At this point your QMT-ISO should be sending and receiving email smoothly. Below are other, optional configuration changes that you may want to make to change how your QMT-ISO behaves and to fine-tune it.
Configure Bind
On QMT-ISO, Bind (the name server) is already installed and active, so if you only have one server for all purposes (DNS, web and mail), QMT-ISO suits you.
For a caching-only name server you do not need to configure anything; just make sure Bind is active and your /etc/resolv.conf points to it:
# chkconfig named on
# service named restart
# vi /etc/resolv.conf
nameserver 192.168.31.2
nameserver dnssvr.myISP.com
For an authoritative domain name server you might want to configure Bind as follows. The sample below can be used for a real domain or for lab usage.
First, make sure you have the latest versions of the Bind packages:
- bind-chroot
- bind-libs
- bind
- bind-utils
- caching-nameserver
If not, use yum to install or upgrade them:
# yum -y install bind-chroot bind-libs bind bind-utils caching-nameserver
-- or --
# yum -y upgrade bind-chroot bind-libs bind bind-utils caching-nameserver
Add your DNS server's IP address to /etc/resolv.conf, i.e.:
# vi /etc/resolv.conf
nameserver 192.168.31.2
Add your domain zone to /etc/named.conf. Change mycompany.com to your domain:
# vi /etc/named.conf
zone "mycompany.com" IN {
    type master;
    file "mycompany.com";
    // this line is optional, for DNS slave updating purposes
    // allow-update { none; };
};
Then create a new file /var/named/mycompany.com with these lines (note: please change the IP addresses to yours):
$TTL 86400
@       IN  SOA @ root (
                2007    ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
@       IN  NS    mail.mycompany.com.
@       IN  MX 5  mail.mycompany.com.
mail    IN  A     192.168.31.2
www     IN  A     192.168.31.3
; if the webserver is located on the same machine:
; www   IN  CNAME mail
; to access squirrelmail as a subdomain:
webmail IN  CNAME mail
Make sure Bind runs at startup, and start it now:
# chkconfig named on # service named restart
For email client configuration, you can use mail.mycompany.com as the POP3 and SMTP server.
For detailed info on Bind on CentOS 4 (at the time this manual was written, QMT-ISO was using CentOS 4.5), please read: http://www.centos.org/docs/4/html/rhel-rg-en-4/ch-bind.html
Configure Apache
QMT-ISO is perfect for SOHO, which only has 1 server for all services. If you create a www record on Bind (previous section) and want to deploy your Website on the same server, you can put your Website (HTML, PHP, other scripts) directly on /var/www/html.
Then you can access your Webmail via http://www.mycompany.com/webmail
But if you have another server functioning as web server, you might want to configure QMT-ISO to serve webmail as http://webmail.mycompany.com
In this case, you must create a webmail record in your domain zone on your DNS server (it may look like this; change 192.168.31.3 to the QMT-ISO IP address):
webmail IN A 192.168.31.3
Then on QMT-ISO box add below lines in /etc/httpd/conf/httpd.conf :
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin admin@mycompany.com
    DocumentRoot /usr/share/squirrelmail
    ServerName webmail.mycompany.com
    ErrorLog logs/webmail.mycompany.com-error_log
    CustomLog logs/webmail.mycompany.com-access_log common
    <Directory /usr/share/squirrelmail>
        Options None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
Save the file and reload Apache:
# service httpd reload
SquirrelMail
Modify SquirrelMail, the webmail, to suit your needs by adding plugins and changing the template. By default not many SquirrelMail plugins are available or activated.
To change SquirrelMail options, run /usr/share/squirrelmail/config/conf.pl
Press 1 (change your Squirrelmail display name and logo) - press R to return to Main menu
Press 5 (change default Squirrelmail color theme) - press R to return to Main menu
Press 6 (add a Global Address Book to your webmail, discussed in a later section) - press R to return to Main menu
Press 8 (Plugins): let's play with it.
You may want to activate these available plugins:
- quota_usage : display current quota information
- qmailadmin_login : change the user password directly in the vpopmail database
- calendar : display a calendar
- filters : so users can create their own filter rules
- notes : users can leave notes in their webmail
- unsafe_image_rules : prevent hotlinked images from being displayed
Just press the corresponding number on the left side to activate it - press R to return to Main menu
Other than the plugins above, more plugins are available on the SquirrelMail website, for instance:
- msg_flags : users can flag their messages
- todo : put a to-do list in webmail
- abook_import_export : users can import/export their address book into/from webmail
- vlogin : a must-install plugin for your QMT-ISO, so your users won't have to log in using the full email address (user1@mycompany.com) but can log in using only user1.
- spam_buttons : see the SpamAssassin section.
Read documentation along with the plugin to install and configure the plugins.
Press S to save it, or press Q to quit and discard (if you made a mistake).
Or, if you want your webmail to look like Outlook Web Access, you can download and install SquirrelOutlook.
Note: SquirrelMail is a web application written in PHP; bug fixes that close holes may be released at any time, so you should monitor the Qmailtoaster main site and/or devel site in case of any update.
At the time this manual was made, QMT-ISO 1.2 was still using SquirrelMail ver 1.4.9a, but ver 1.4.11 is available on the devel site.
Simple steps to upgrade Squirrelmail
# links http://devel.qmailtoaster.com/download/develop/squirrelmail-toaster-1.4.11-1.3.8.src.rpm
# rpmbuild --rebuild --with cnt40 squirrelmail-toaster-1.4.11-1.3.8.src.rpm
# rpm -Uvh /usr/src/redhat/RPMS/i386/squirrelmail-toaster-1.4.11-1.3.8.i386.rpm
Install Qmailtoaster-Plus
On QMT-ISO 1.2, if you didn't have an Internet connection at QMT-ISO installation time, you may not have QmailToaster-Plus (QTP) installed. With QTP installed, QMT administration becomes much easier.
Download the latest version of QTP here.
On your QMT box you can download QTP using links:
# links http://qtp.qmailtoaster.com/download/qtp/qmailtoaster-plus-current.noarch.rpm
For detailed info visit QmailToaster-Plus
Fighting SPAM
You can find more info about SpamAssassin on Qmailtoaster
Adding RBL Servers
The more Realtime Blackhole List (RBL) servers scan incoming SMTP connections to your mail server, the less spam you might get. But it also takes more time to check which IP is listed on which RBL server.
I use the RBL servers listed in qtp-set-rbls moderate. Here's how to activate it (I assume QTP is installed):
# qtp-set-rbls -moderate
If you don't have QTP, edit /var/qmail/control/blacklists:
# vi /var/qmail/control/blacklists
-r zen.spamhaus.org
-r bl.spamcop.net
-r list.dsbl.org
-r cbl.abuseat.org
# qmailctl restart
More info about RBLs
Configure Domain's SPF
You can add an SPF record for your domain, so other mail servers can recognize which emails were sent using your mail server. Visit the SPF page for detailed info about it.
For your information, some admins provide an SPF record for their domain with wrong syntax, or the DNS server that serves the SPF record is down, so your server may reject their emails.
What I do is change the value to 1:
# vi /var/qmail/control/spfbehavior
1
# qmailctl restart
Then add these SA rules, so that bad emails can still be penalized:
# vi /etc/mail/spamassassin/local.cf
# add score to softfail SPF
header spf_softfail Received-SPF =~ /\bsoftfail\b/
score spf_softfail 1.0
# add score to fail SPF
header spf_fail Received-SPF =~ /\bfail\b/
score spf_fail 2.0
# qmail-spam restart
Setup greylisting
Greylisting will likely be available in QMT ver 1.4 using Spamdyke, an antispam utility with many features beyond greylisting. Currently QMT-ISO is still using QMT ver 1.3, so I am not going to show how to install and configure Spamdyke.
But if you want to use greylisting for your current QMT 1.3, you can visit
Basic QmailToaster Greylisting
Thomas' ramblings This drops you on a link not found page. If you enter "greylisting" in the search box on the right you'll get the desired page.
or my greyd install note
Add greylisting to qmailtoaster
Setup SA learning account and script
For detail info look at Spamassassin#Bayesian_Statistical_Scoring
Setup SA URI Plugin
For detail info visit SURBL
Setup FuzzyOCR
FuzzyOCR is an excellent tool to fight image spam.
Manny has created a simple how-to for installing FuzzyOCR on QMailToaster. Visit Archive Message.
My FuzzyOCR install log on QMailToaster is available on my site.
But some say FuzzyOCR is CPU intensive and prefer to use SARE's ImageInfo.
Note: at the time this section was made, SA was version 3.2.x and FuzzyOCR 3.5.1, which are incompatible with each other until further notice.
PS: QMT-ISO 1.3.1 is using SA 3.1.x, so if you want to use FuzzyOCR make sure you don't upgrade it.
Add Pyzor check
For detail info visit Install Pyzor
Updates SA Rules
QmailToaster-Plus provides an easy way to configure your QMT to update the SA rules and additional rules from SAUpdates.OpenProtect.com, so to use the command below, make sure QmailToaster-Plus is installed (qmailtoaster-plus-0.2.12-1.3.15 is known to have qtp-sa-update).
# qtp-sa-updates
Adding a Spambox option
So messages tagged with ***SPAM*** will not be delivered to the INBOX folder but stay in the SPAM folder, where users can see them when using webmail (SquirrelMail). To enable it, you need to reinstall qmailadmin-toaster:
Adding SaneSecurity's ClamAV signature
SaneSecurity's ClamAV signatures are a great addition to QMT-ISO for blocking scam/spam emails.
You can download them using Bill Landry's download script (preferred, because it has additional signatures from SecurityInfo):
# wget http://www.sanesecurity.co.uk/clamav/unofficial-sigs.txt
# mv unofficial-sigs.txt ss-clamdsig.sh
# chmod +x ss-clamdsig.sh
# vi ss-clamdsig.sh
clam_sigs="/usr/share/clamav/"
#clamd_pid="/var/run/clamav/clamd.pid"
clamd_socket="/tmp/clamd.socket"
user_configuration_complete="yes"
# crontab -e
53 03 * * * /root/ss-clamdsig.sh &> /dev/null
Adding SARE's PDFInfo and ImageInfo plugin
Plugins are available from RulesEmporium to prevent PDF and image spam:
# cd /usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/Plugin/
# wget http://www.rulesemporium.com/plugins/ImageInfo.pm
# wget http://www.rulesemporium.com/plugins/PDFInfo.pm
# cd /etc/mail/spamassassin/
# wget http://www.rulesemporium.com/plugins/imageinfo.cf
# wget http://www.rulesemporium.com/plugins/pdfinfo.cf
# vi v310.pre
and insert (at the bottom):
loadplugin Mail::SpamAssassin::Plugin::ImageInfo
loadplugin Mail::SpamAssassin::Plugin::PDFInfo
# qmail-spam restart (utility from QTP)
Write your own SA rules
Why? Because everybody's spam is different. For me, software, contracts, shipping and stocks are not spam, but for you they might be. So write your own SA rules to suit your needs.
Try Googling "how to write SA rule" or visit this link:
A Guide to Writing your own Add-On Rules for SpamAssassin
Limiting type of files sent to your QMailToaster
By default only files with the extensions exe, pif and scr are blocked by your mail server, in /var/qmail/control/simcontrol:
:clam=yes,spam=yes,spam_hits=12,attach=.exe:.pif:.scr
But you can block additional file extensions to minimize spam or virus emails sent to you with attached files. Edit /var/qmail/control/simcontrol (the whole entry goes on one line):
:clam=yes,spam=yes,spam_hits=12,attach=.ade:.adp:.app:.asd:.asf:.asp:.asx:.avi:.bas:.bat:.bin:.chm:.cil:.cla:.class:.cmd:.com:.cpl:.crt:.csh:.css:.dll:.dot:.email:.eml:.exe:.fxp:.hlp:.hta:.htm:.html:.inf:.ins:.isp:.js:.jse:.ksh:.lnk:.mda:.mdb:.mde:.mdt:.mdw:.mdz:.mov:.mp3:.mpe:.mpeg:.mpg:.msc:.msi:.msp:.mst:.nws:.ocx:.ops:.pcd:.pif:.pl:.pm:.pot:.pps:.prf:.prg:.ps:.rar:.reg:.scf:.scr:.sct:.shb:.shm:.shs:.url:.vb:.vbe:.vbs:.vxd:.wav:.wmd:.wmf:.wms:.wmz:.wsc:.wsf:.wsh:.wsz:.xsl:.xlt:.xlw:
# service qmail cdb
For detail info visit Simscan
Email Server Test
To test your email server for HELO greeting, reverse DNS, DNSBL (RBL), SPF, DomainKeys, SpamAssassin content checks, BATV (Bounce Address Tag Validation), greylisting and URIBL,
you can send an email to: test [at] allaboutspam [dot] com. You will then get a bounce message with a URL in it; visit the URL to see the results.
For details, please visit AllAboutSpam
Setup Global Address Book
A Global Address Book for the accounts of your domain, available throughout webmail (SquirrelMail).
Please see my scripts on the Qmailtoaster Archive.
Note:
- Creation of the address book is not automatic, so you need to add the scripts to crontab
- These scripts only create an address book for the 1 domain specified in the configuration
- They create 1 file for the 1 domain specified, so if you use SquirrelMail for multiple domains, they won't suit you (a later revision may be available in the next version)
- Users can't update their own information in the Global Address Book
- Users who use an email client and want to access the Global Address Book can export the address book from SquirrelMail and import it into Outlook Express / MS Outlook (tested OK, no mapping changes needed)
Simple installation how-to:
# cd ~
# wget http://am3n.profusehost.net/files/sqweb_gabook.tar.gz
# tar xzvf sqweb_gabook.tar.gz
# cd scripts
# vi sqweb_gabook.sh (edit the variables there)
# vi sqweb_gabook.php (edit the variables there)
# crontab -e (weekly update; you can change it if you want a daily update)
0 12 * * 3 /root/scripts/sqweb_gabook.sh >/dev/null
Provide MailingList Archiving
If you want to set up a mailing list archiving system like Mail-Archive.com, you may want to install MHonArc and mharc. For simplicity I have created a script to install them, which can be run directly on a QMailToaster or QMT-ISO box.
Install how-to:
# wget http://am3n.profusehost.net/files/install-mailarchive.sh
# chmod +x install-mailarchive.sh
# vi install-mailarchive.sh
# ./install-mailarchive.sh
For more info about the script, visit my blog post about it and read the script description.
For customizing your mailing list archiving system, visit the MHonArc and mharc websites.
Other Options
Colorfull QMail Logging
Color makes it easier for our eyes to catch which lines come out when we monitor the QMT log files. It displays something like Multitail, but with more than 1 color.
Follow the steps at this link to enable it: Colorfull QMail Logging
Note: if you install the latest qtplus, you can run it by typing "cwatchall" from the console after installing it from qtp-menu.
Maintain Trash and Spam folder
This script will maintain users' Trash and Spam folders within the period you define (default 28 days), so no user will find his mailbox full because he forgot to empty his Trash and/or Spam folder.
Maintain Trash and Spam folder
Some said they also need to maintain users' Drafts and Sent folders, so I modified the script a little. You can copy the script and save it under a new file name in /etc/cron.daily; don't forget 'chmod +x'.
Maintain Drafts, Sent, Spam and Trash folder on mailserver (Qmailtoaster)
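An added example, not the script linked above, serving both the Trash/Spam and the Drafts/Sent variants: a portable shell function that deletes message files older than a given number of days from the named Maildir folders of every mailbox under the vpopmail domains tree, plus a constructed sandbox so it can be tried without touching a real server. The layout /home/vpopmail/domains/<domain>/<user>/Maildir/.<Folder>/{cur,new} and the 28-day default are assumptions taken from the description above.

```shell
#!/bin/sh
# Added example (not the guide's own script): prune old messages from the
# named Maildir folders of every mailbox under the vpopmail domains tree.
# Assumed layout: ROOT/<domain>/<user>/Maildir/.<Folder>/{cur,new}
VPOP_ROOT="${VPOP_ROOT:-/home/vpopmail/domains}"
KEEP_DAYS="${KEEP_DAYS:-28}"
FOLDERS="${FOLDERS:-Trash Spam}"   # add Drafts Sent to prune those as well

# prune_maildirs ROOT DAYS FOLDER...
# Deletes message files whose mtime is older than DAYS in the given folders
# of every mailbox below ROOT and prints how many files were removed.
# Only files in cur/ and new/ are touched; the folder directories and the
# IMAP index files next to them stay in place.
prune_maildirs() {
    root=$1; days=$2; shift 2
    count=0
    for folder in "$@"; do
        for sub in cur new; do
            for dir in "$root"/*/*/Maildir/."$folder"/"$sub"; do
                [ -d "$dir" ] || continue
                n=$(find "$dir" -type f -mtime +"$days" -print | grep -c .) || n=0
                find "$dir" -type f -mtime +"$days" -exec rm -f {} +
                count=$((count + n))
            done
        done
    done
    echo "$count"
}

# make_sandbox: constructed test tree with two mailboxes; each folder holds
# one stale message (mtime forced back to June 2007) and one fresh message.
make_sandbox() {
    sb=$(mktemp -d)
    for box in mycompany.com/user1 mycompany.com/user2; do
        for f in Trash Spam Sent; do
            mkdir -p "$sb/$box/Maildir/.$f/cur" "$sb/$box/Maildir/.$f/new"
            touch -t 200706231757 "$sb/$box/Maildir/.$f/cur/1182621425.old.mailsvr:2,S"
            touch "$sb/$box/Maildir/.$f/cur/1182621426.fresh.mailsvr:2,S"
        done
    done
    echo "$sb"
}

# Cron use (daily, as root): prune_maildirs "$VPOP_ROOT" "$KEEP_DAYS" $FOLDERS
# Dry run on the sandbox: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sb=$(make_sandbox)
    echo "removed $(prune_maildirs "$sb" 28 Trash Spam) stale files from $sb"
    rm -rf "$sb"
fi
```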
Backup QMail Log files
If you are out of the office for a week you can't monitor the qmail log files, and if some error happens and you need the log file to trace what happened, the log files may already have been replaced by the current ones. So what this qmail log backup script does is back up your qmail log files and keep them for the number of days you specify.
- Copy the script from here
- Paste it into the file backupqmaillog.sh
- chmod +x backupqmaillog.sh
- add it to crontab: 55 23 * * * /root/scripts/backupqmaillog.sh
Even so, you can still keep more of your qmail log by increasing the numbers in Logcount and Logsize.
Adding VI editor color-syntax highlighting
The VI editor included on QMT-ISO comes only from the vim-minimal package. I think this is to reduce the size of the ISO file. I often use VI to edit all the configuration files and scripts on the server, so I need VI with syntax color highlighting enabled. To enable it, just type:
# yum -y install vim-common vim-enhanced
Re-login and open your script using VI; it should be color-highlighted.
Providing WapMail
Yes, nowadays new handphones come with an email client (IMAP and POP3) plus a high-end web browser, so you don't need to provide WAP mail access. But if you are sure someone will use it, you can install the WAP mail client scripts I have put on Wapmail, or ask Google. Don't forget to read the documentation that comes with it on how to install and configure it.