Now that you've downloaded all the needed packages, we can start
the install. At this point you should have a qmailrocks source directory
located at /downloads/qmailrocks. If you don't, go back to step 1. This
step involves the setup of the very heart of your new qmail server. In
this step, we'll install qmail itself, ucspi-tcp and daemontools. These
3 packages are the core of the qmail server and will be the foundation
on which we build everything else. So don't screw it up!
RH 9/RHEL/Fedora/Slackware users:
If you're doing this installation on Redhat 9, RHEL, Fedora or
Slackware, be prepared to install a bunch of patches for almost
everything. Redhat 9 uses a different compiler than previous versions
and without the patches, you'll have a headache for days. This is a
known issue, fortunately. It's documented on Life With Qmail and Matt
Wierdl has kindly put together a site containing most of the needed
patches. More on that later on in the installation. You will note that
during the install there will be areas marked with
"RH 9/RHEL/Fedora/Slackware users". These areas are meant to be used by,
obviously, people installing Qmail on Redhat 9. If you are such a
person, when you see those additional notes, simply add whatever the
notes instruct you to do directly into the sequence of the
installation. For example, if you were to see:
Step A
RH 9/RHEL/Fedora/Slackware users:
Step A-1
- you will need to do the following here:
/some/additional/function/to/run
Step B
A Redhat 7.x user would simply do Step A and then Step B. A Redhat 9
user would do Step A, Step A-1 and then Step B.
To start things off, I've created a handy little shell script that
takes care of the first portion of getting qmail, ucspi-tcp and
daemontools installed. Simply run this script from the command prompt of
your Solaris box and you should be golden. The script will tell you
what it's doing along the way.
/downloads/qmailrocks/scripts/install/qmr_install_linux-s1.script
If all goes well, you should have all the needed users and groups
created as well as all the needed directories, permissions and
ownership settings needed for the installation of qmail, ucspi-tcp and
daemontools.
Before we start to compile and install qmail, ucspi-tcp and
daemontools, we're going to apply a group of patches to qmail. These
patches will build all sorts of cool functionality directly into qmail
before we install it. In total, we're going to add around 15 patches,
but fortunately John Simpson has combined all but one of these patches
into one giant patch file. But it gets even easier because I've thrown
together a shell script that applies ALL the patches in one quick step.
I'm making this so easy for you it's almost sickening. :)
Here's the basic gist of these patches: All critical patches included
in this bundle will be automatically integrated in your qmail server's
functioning. However, there are a few non-critical patches that have to
be configured in order to work. These non-critical patches are included
merely to give you a few extra little goodies that you can play with on
your own time. Some of these "extra little goodies" are new to me too,
so as I learn more about them I will certainly go into more detail.
So that you're not completely ignorant as to what these patches are
going to be doing to your qmail server, here's a quick list of what
patches are included. I have color coded these patches so that you will
know which ones are critical and which ones are not.
red patch = critical patch, as far as the QMR install is concerned, that is automatically integrated into your qmail server and requires no additional work on your part.
blue patch = a non-critical patch that merely adds some cool functionality. Blue asterisk patches also will be automatically integrated and require no additional work.
green patch = a non-critical patch that merely adds some cool functionality, but which needs to be configured in order to be active.
maxrcpt patch - Allows the sysadmin to set limits on a message's number of recipients. The default for this patch is set to 100.
mfcheck patch - causes qmail-smtpd to reject messages where the domain portion of the envelope sender is not a valid domain.
quota patch - Turns "over quota" errors into HARD errors, not soft. A wake up call for those 2 or 3 jackasses on your server who never check their mail.
date-localtime patch - causes qmail to use the local timezone in any headers it generates.
qmailqueue - the classic patch that allows qmail-smtpd to call other programs to process messages. Through qmailqueue, we will later tie in Clam Antivirus and Spamassassin. However, many other programs can also be tied in if you so desire.
jms1-antispam patch - An anti-spam patch created by John Simpson, which works within qmail-scanner to trick spam servers into believing a spam message is delivered, when in fact it isn't. This is inactive by default, but you can play around with this if you want.
errno.patch - patches error.h to work correctly with libc-2.3, which is used by RedHat 9 and a few other Linux distributions.
smtp-auth patch - good old smtp authentication.
STARTTLS/AUTH patch - patch from qmail.org, modified by John Simpson to not advertise AUTH unless the command line elements are there, AND adding a check to not advertise or support AUTH unless the connection is secure.
forcetls patch - a patch created by Ryan Schlesinger to compensate for mail clients that do not support TLS. Using this patch, your qmail server will always accept an smtp connection encrypted with TLS. However, if any of your users have a mail client that does NOT support TLS, they will still be able to connect with just a plain AUTH connection. This is the default setting that this patch installs with. However, if you're a security nazi, this patch allows you to set your server so it will REQUIRE a TLS smtp connection no matter what. This patch simply gives you some flexibility with your TLS enabled qmail server.
The SPF patch - adds SPF checking to qmail-smtpd. SPF is a system where the owners of domain names can "publish" the list of IP addresses from which their users send mail. If another mail server sees an incoming message claiming to be "From" that domain, but not coming from an IP on their SPF list, that server can reliably reject the message as spam. More info can be found here.
qmail-0.0.0.0 patch - fixes a difference between how Linux interprets the IP address "0.0.0.0" and how the *BSD systems handle it. According to RFC 1122, the IP address 0.0.0.0 should always be treated as an address for "this host, this network". Part of qmail's loop-detection logic is determining whether or not a given IP address "is" the current machine. This patch "teaches" qmail that 0.0.0.0 is always the local machine.
qmail_local patch - fixes a possible bug in qmail-local having to do with how the first line of a .qmail file is interpreted, when it starts with whitespace.
sendmail-flagf patch - fixes how the "-f" option to /var/qmail/bin/sendmail is handled, so that it more closely matches how the original "sendmail" program's "-f" option worked.
bind-interface patch - a patch that lets you control the "source IP" from which outgoing connections appear from a machine with multiple IP addresses. This page on qmail.org describes the patch more clearly, as well as the format of the /var/qmail/control/bindroutes file which it uses.
8k-buffer-patch - increases the size of the memory buffer that qmail uses when querying the system for a list of all local IP addresses.
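The SPF decision described in the patch list above, as an added example (not code from the SPF patch or from qmailrocks). It is narrowed to ip4 mechanisms and the closing "all" term, and the record and addresses are constructed sample data:

```shell
#!/bin/sh
# Added example: SPF evaluation reduced to ip4 mechanisms and the "all" term.
# Other mechanisms (a, mx, include, ...) need DNS and are skipped here.

# Convert dotted-quad IPv4 address $1 to an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed if address $1 lies inside $2 (a.b.c.d or a.b.c.d/prefix-length).
in_cidr() {
    net=${2%/*} len=32
    case $2 in */*) len=${2#*/} ;; esac
    [ "$len" -ge 0 ] && [ "$len" -le 32 ] || return 1
    drop=$(( 32 - len ))
    [ $(( $(ip_to_int "$1") >> drop )) -eq $(( $(ip_to_int "$net") >> drop )) ]
}

# Print the SPF result for connecting IP $1 against TXT record $2.
spf_eval() {
    ip=$1
    set -f; set -- $2; set +f      # split the record into terms, no globbing
    [ "$1" = "v=spf1" ] || { echo none; return; }
    shift
    for term in "$@"; do
        case $term in
            ip4:*|+ip4:*) in_cidr "$ip" "${term#*ip4:}" && { echo pass; return; } ;;
            -ip4:*)       in_cidr "$ip" "${term#-ip4:}" && { echo fail; return; } ;;
            all|+all)     echo pass; return ;;
            -all)         echo fail; return ;;
            "~all")       echo softfail; return ;;
            "?all")       echo neutral; return ;;
        esac
    done
    echo neutral                   # nothing matched: RFC 7208 default result
}

# Constructed record and addresses (RFC 5737 documentation ranges).
RECORD="v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"
for sender in 192.0.2.55 198.51.100.7 203.0.113.9; do
    echo "$sender -> $(spf_eval "$sender" "$RECORD")"
done
```

A "fail" result is the case where the receiving server can reject the message; "softfail" and "neutral" leave the decision to local policy.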
Ok, so enough talk. Let's apply these mega-patches and get this
patching business out of the way...
/downloads/qmailrocks/scripts/util/qmail_big_patches.script
Now we build Qmail...
cd /usr/src/qmail/qmail-1.03
make man && make setup check
./config-fast your_fqdn_hostname (ex: ./config-fast mail.mydomain.com)
OK, qmail itself is now built and installed. Now let's generate a
secure certificate that will be used to encrypt your server's TLS
encrypted SMTP sessions...
make cert
When you run the above command you will be asked a series of questions
regarding the generation of your certificate. They are non-technical
questions...such as your location, business name, organization name,
common name and so forth. If you've ever generated an SSL cert before,
this should be familiar stuff to you. If you haven't, simply follow the
directions. It's easy. If you have trouble following the directions,
you might as well give up now because you're a RETARD. Since the cert
you are generating is already NOT from a trusted authority such as
Verisign or Thawte, the information you provide here is not really THAT
important, so don't sweat it.
Here's a sample of my cert configs. Don't be an idiot. Substitute
in your own information.
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Georgia
Locality Name (eg, city) [Newbury]:Atlanta
Organization Name (eg, company) [My Company Ltd]:qmailrocks.org
Organizational Unit Name (eg, section) []:mail
Common Name (eg, your name or your server's hostname) []:mail.qmailrocks.org
Email Address []:postmaster@thisdomain.org
If the cert is successfully generated it will be automatically
installed at /var/qmail/control/servercert.pem, along with a symlink to
that cert at /var/qmail/control/clientcert.pem.
Now we set the right ownership for the newly created cert...
chown -R vpopmail:qmail /var/qmail/control/clientcert.pem /var/qmail/control/servercert.pem
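A check you can run after the chown, as an added example that is not one of the qmailrocks scripts. It assumes servercert.pem holds both the certificate and its private key, so it must not be readable by other local accounts; the function names and the QMAIL_CONTROL variable are made up for this example:

```shell
#!/bin/sh
# Added example: audit the TLS files "make cert" leaves in qmail's control dir.
# Assumption: servercert.pem holds the certificate and its private key together.

# check_cert_file FILE [OWNER:GROUP] -> 0 if FILE is a safe-looking key+cert PEM
check_cert_file() {
    f=$1 want=$2
    [ -f "$f" ] || { echo "FAIL $f: not a regular file"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "FAIL $f: no certificate block"; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" ||
        { echo "FAIL $f: no private key block"; return 1; }
    # Columns 8-10 of the ls mode string are the bits granted to "other".
    other=$(ls -ldL "$f" | cut -c8-10)
    [ "$other" = "---" ] ||
        { echo "FAIL $f: key readable beyond owner/group ($other)"; return 1; }
    if [ -n "$want" ]; then
        have=$(ls -ldL "$f" | awk '{print $3 ":" $4}')
        [ "$have" = "$want" ] ||
            { echo "FAIL $f: owner $have, expected $want"; return 1; }
    fi
    echo "OK   $f"
}

# check_client_link DIR -> 0 if clientcert.pem is a symlink to servercert.pem
check_client_link() {
    link=$1/clientcert.pem
    [ -L "$link" ] || { echo "FAIL $link: not a symlink"; return 1; }
    # Compare inode numbers after following the link.
    a=$(ls -diL "$link" | awk '{print $1}')
    b=$(ls -diL "$1/servercert.pem" | awk '{print $1}')
    [ -n "$a" ] && [ "$a" = "$b" ] ||
        { echo "FAIL $link: does not resolve to servercert.pem"; return 1; }
    echo "OK   $link"
}

# Run against the live install only when it exists (override with QMAIL_CONTROL).
dir=${QMAIL_CONTROL:-/var/qmail/control}
if [ -d "$dir" ]; then
    check_cert_file "$dir/servercert.pem" vpopmail:qmail
    check_client_link "$dir"
fi
```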
Now we build ucspi-tcp...
cd /usr/src/qmail/ucspi-tcp-0.88/
RH 9/RHEL/Fedora/Slackware users:
You will need to patch ucspi-tcp with an additional errno patch:
patch < /downloads/qmailrocks/patches/ucspi-tcp-0.88.errno.patch
make && make setup check
If you don't get any errors, that's it for ucspi-tcp!
Now we build the daemontools....
cd /package/admin/daemontools-0.76
RH 9/RHEL/Fedora/Slackware users:
You will need to patch daemontools with an additional errno patch:
cd /package/admin/daemontools-0.76/src
patch < /downloads/qmailrocks/patches/daemontools-0.76.errno.patch
cd /package/admin/daemontools-0.76
package/install
If no errors are reported, you've successfully compiled the daemontools
package!
All done for now...
If you take a look at the running processes on your server at this
point, you should see the daemon "svscanboot" running. You can usually
do this with a "ps aux" command. Here's a screenshot of it. If you see
"svscanboot" running, you're in good shape.
OK, Qmail is almost totally installed but we're going to pause right
here and install a bunch of handy tools and features that will make
Qmail pretty and fun! After that, we'll make some final changes to
Qmail and then crank it up!