Qmail-tips

From Qmailwiki
(Difference between revisions)

Revision as of 21:43, 2 February 2005

Some good advice for new qmail users, contributed by qmail users.

  • Did you restart qmail? I find that to be a help for a lot of qmail problems. :-) John Mitchell
  • You should also check the permissions very carefully on all of the necessary directories and files. John Mitchell
  • You must also put the virtual domain into /var/qmail/control/rcpthosts or the mailer will bounce the message with a notice saying that the host wasn't in rcpthosts. John Mitchell
  • Of course, you must also be the MX for the virtual hosts. I had a problem in my setup that was driving me nuts until I realized that my DNS provider had missed an MX update request. John Mitchell
  • Check all lines in sendmail.cf beginning with M. Any that contain P=[IPC] or P=[TCP] should also have E=\r\n. Tim Goodwin
  • The right-hand-side of entries in /var/qmail/control/virtualdomains should begin with a username. If you don't use a username, the mail will be handled by ~alias. But if you forget, and create a user by that name, then the mail will suddenly be handled by the user, which is probably not what you intended to happen. Best to use, in this case, alias as the username and avoid trouble. Russ Nelson
  • Remember to add preline before procmail or other filters when moving .forward to .qmail. Ira Abramov
  • If you use qmail's preline utility (http://www.qmail.org/qmail-manual-html/man1/preline.html), remember that preline expects to pipe the entire mail message through the specified program. If the specified program closes standard input before preline has finished, preline will exit with a transient failure and you'll see the following error in your logs:

   deferral: preline:_fatal:_unable_to_copy_input:_broken_pipe/

You'll see this problem if you try to use the sendmail version of vacation. Use Peter's vacation program instead. [Peter Samuel]

  • Run qmail from an init.d script (http://www.qmail.org/init.d-script). Larry Doolittle

  • You can usually create /var/qmail/control/rcpthosts from

   sed 's/:.*//' <virtualdomains | cat - locals | sort >rcpthosts

Russ Nelson
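
As an added illustration (not from the wiki, nor Russ Nelson's or John Mitchell's code), here is that pipeline run against constructed sample control files in a temporary directory, followed by a check that lists every domain in locals or virtualdomains that is absent from the rcpthosts you already have, which is exactly the situation the "host wasn't in rcpthosts" bounce above comes from. The sample file contents, the scratch directory and the function names are assumptions; the only changes to the pipeline itself are that a user@domain:prepend entry is reduced to its domain and sort -u drops duplicates.

```shell
#!/bin/sh
# Added example, not from the wiki: build rcpthosts the way the tip does and
# audit an existing one. Sample control files are constructed in a temp dir,
# not read from /var/qmail/control.

# Create constructed sample control files and print the scratch directory.
make_sample_control() {
  d=$(mktemp -d)
  printf '%s\n' 'mail.example.test' 'localhost' >"$d/locals"
  # virtualdomains lines are domain:prepend or user@domain:prepend
  printf '%s\n' 'example.test:alias-example' \
                'shop.example.test:shop' \
                'postmaster@support.example.test:alias-support' >"$d/virtualdomains"
  # an rcpthosts that was never updated for the last two virtual domains
  printf '%s\n' 'example.test' 'localhost' 'mail.example.test' >"$d/rcpthosts"
  echo "$d"
}

# Same pipeline as the tip, written to rcpthosts.new so it can be compared
# with the live file first. Two small additions: "user@domain:prepend"
# entries are reduced to the domain, and sort -u drops duplicates.
build_rcpthosts() {
  sed -e 's/:.*//' -e 's/^.*@//' <"$1/virtualdomains" \
    | cat - "$1/locals" | sort -u >"$1/rcpthosts.new"
}

# Print each domain qmail should accept mail for that is missing from
# rcpthosts (mail for it would bounce with "not in rcpthosts").
# Returns 1 if anything is missing, 0 if rcpthosts is complete.
missing_rcpthosts() {
  build_rcpthosts "$1"
  sort -u "$1/rcpthosts" >"$1/rcpthosts.sorted"
  # comm -23 keeps lines present only in the first file
  missing=$(comm -23 "$1/rcpthosts.new" "$1/rcpthosts.sorted")
  if [ -n "$missing" ]; then
    printf '%s\n' "$missing"
    return 1
  fi
  return 0
}

dir=$(make_sample_control)
missing_rcpthosts "$dir" || echo "rcpthosts is incomplete: add the domains above"
```

Run against the sample files it reports shop.example.test and support.example.test; after copying rcpthosts.new over rcpthosts it reports nothing and exits 0, so it can sit in a cron job that runs after every virtualdomains edit.
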

  • Sometimes you need to use a database to forward mail. Create /var/qmail/alias/.qmail-default like this:

   |if T=`X`; then forward $T; else
      echo "Sorry, no mailbox here by that name (#5.1.1)";
      exit 100; fi

That all goes on one line. Fill in the X part with a program that looks up the user, and exits with zero and prints the destination address, or else exits nonzero if no match is found. By the way, the X program probably should ignore case. For NIS, you would replace the X in the above command with: ypmatch $LOCAL aliases. Russ Nelson

  • Similarly, you could also use a simple linear search text file named mapping containing lines in the form incoming:outgoing like this:

   |if MAP=`grep -i "$LOCAL:" mapping` && T=`echo $MAP |  awk -F: '{print $2}'` ;
      then forward $T;
      else echo "Sorry, no mailbox here by that name (#5.1.1)";
      exit 100; fi

Russ Nelson
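
As an added example (not from the wiki and not Russ Nelson's code), here is a lookup program that fits the X slot of the .qmail-default recipe above, backed by the same mapping file, together with the grep one-liner for comparison. Since forward is a qmail-local command that only exists inside a .qmail file, the functions print the destination and return the exit status a .qmail line would use. The mapping file contents, the temp file and the function names are assumptions. The contrast it shows: grep -i "$LOCAL:" matches anywhere in the line, so with both bob and Jbob in the file a lookup for bob returns two lines, and the unquoted echo $MAP then hands awk a single run-together line.

```shell
#!/bin/sh
# Added example, not from the wiki: a lookup program for the "X" slot in the
# .qmail-default recipe, backed by the linear-search "mapping" file.

# Build a constructed mapping file in a temp file and print its path.
make_sample_mapping() {
  f=$(mktemp)
  printf '%s\n' 'bob:bob@mail.example.test' \
                'Jbob:jeff@mail.example.test' \
                'sales:alice@example.test' >"$f"
  echo "$f"
}

# The one-liner from the tip, for comparison (same behaviour as on the page).
page_style_lookup() {
  MAP=$(grep -i "$1:" "$2") && echo $MAP | awk -F: '{print $2}'
}

# lookup_forward LOCAL MAPPING
# Prints the destination for LOCAL and exits 0, or prints nothing and exits 1.
#  - the whole first field must match, so LOCAL=bob cannot pick up "Jbob:";
#  - only the first match is used, so two hits never become one garbled address;
#  - LOCAL is compared as a literal string, not as a regex, so a recipient
#    part like "a.*b" cannot widen the search.
lookup_forward() {
  local_part=$1 mapping=$2
  awk -F: -v want="$local_part" '
    tolower($1) == tolower(want) { print $2; found = 1; exit }
    END { if (found) exit 0; exit 1 }
  ' "$mapping"
}

# qmail_default LOCAL MAPPING
# Mirrors the .qmail-default logic: 0 means "forward to the printed address",
# 100 is the permanent-failure code that makes qmail-local bounce the message.
qmail_default() {
  if T=$(lookup_forward "$1" "$2"); then
    echo "forward $T"    # in the real .qmail line this is: forward $T
    return 0
  else
    echo "Sorry, no mailbox here by that name (#5.1.1)"
    return 100
  fi
}
```

With the sample file, page_style_lookup bob prints "bob@mail.example.test Jbob" (the second entry bleeding into the first), while lookup_forward bob prints only bob@mail.example.test and lookup_forward JBOB still finds the Jbob entry case-insensitively.
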

  • Anything you print from a program run by a .qmail file ends up in the log file. Russ Nelson

  • You can do a reasonable imitation of sendmail delivery, including .forward and /var/spool/mail, with

#!/bin/sh
exec qmail-start '|dot-forward .forward
|preline -f /bin/mail -f "$SENDER" -d "$USER"' splogger qmail

depending on your system's binmail interface. Of course, I recommend throwing binmail away, but people who need to preserve /var/spool/mail should still be able to use qmail. Daniel J. Bernstein

  • If you want to have private .qmail files which only work on local mail (e.g. a fax gateway), you can put the following test at the beginning of it (all on one line):

| if [ -n "`sed -n -e '/invoked from network/p' -e 2q`" ]; then exit 100; else exit 0; fi

That is, peek at the headers, if the message came from the network, bounce it, otherwise forward it along. John R. Levine
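
As an added example, not part of the wiki page or John R. Levine's tip, here is that header peek as a function run against two constructed messages: one that qmail-smtpd received over the network (its first Received: line says "invoked from network") and one injected locally (qmail-inject writes "invoked by uid N"). The message texts, the temp directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki: the local-only header peek as a function,
# run against two constructed messages.

# Write two constructed messages into a temp dir and print the dir.
make_sample_messages() {
  d=$(mktemp -d)
  cat >"$d/network.msg" <<'EOF'
Received: (qmail 4242 invoked from network); 2 Feb 2005 21:43:00 -0000
Received: from unknown (HELO mx.example.test) (192.0.2.10)
  by mail.example.test with SMTP; 2 Feb 2005 21:43:00 -0000
From: someone@example.test
Subject: fax request

please fax this
EOF
  cat >"$d/local.msg" <<'EOF'
Received: (qmail 4243 invoked by uid 1001); 2 Feb 2005 21:44:00 -0000
From: vern@mail.example.test
Subject: fax request

please fax this
EOF
  echo "$d"
}

# from_network FILE: exit 0 when the message arrived over SMTP. This is the
# page's test; -e 2q stops after the second line, so only the Received:
# header this qmail added is consulted. A local sender who puts a fake
# "invoked from network" line at the top of their own message only gets
# that message bounced, so the check fails on the safe side.
from_network() {
  [ -n "$(sed -n -e '/invoked from network/p' -e 2q "$1")" ]
}

# local_only_gate FILE: the exit codes a .qmail line uses. 100 makes
# qmail-local bounce the message permanently, 0 lets delivery continue
# with the next line of the .qmail file.
local_only_gate() {
  if from_network "$1"; then return 100; else return 0; fi
}
```
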

  • Daniel J. Bernstein has three suggestions for allowing your users to relay when they're not at a known IP address (which is the FAQ 5.4 solution):
    • Use a secret IP address and port number, and you'll have much better security than user-chosen passwords.
    • Put a secret string into the HELO string sent by the client. This will be visible to the fixup script, so you can reject messages with bad passwords without changing qmail-smtpd---and it's still more widely supported than XTND XMIT.
    • Oh, you want real security? Check that all messages are PGP-signed by local users. I wouldn't be surprised if PGP plugins are available for more clients than XTND XMIT patches are.

  • Anand Buddhdev wrote turnmail (http://www.qmail.org/turnmail), modified by Russell Nelson for publication here, which wraps around qmail-pop3d and triggers a serialmail delivery to the connecting host whose user just authenticated themselves. Or, a Unix system can use fetchmail (http://www.tuxedo.org/~esr/fetchmail/index.html), getmail (http://www.qcc.ca/~charlesc/software/getmail-4/) or an NT system pullmail (http://www.swsoft.co.uk).

  • Dan Bernstein suggested that one might give ordinary users access to qmail-qread through ucspi. Steinar Haug implemented that suggestion thusly with a client that looks like this:

#!/bin/sh
exec /local/etc/tcpclient -RHl0 -- 127.0.0.1 20025 sh -c 'exec cat <&6'

and he starts the server like this:

tcpserver -u126 -g120 -R 127.0.0.1 20025 /var/qmail/bin/qmail-qread &

  • The default delivery instructions, which are invoked when a .qmail file is nonexistent or empty, are found in the first parameter of qmail-start. That's why the install instructions tell you to touch .qmail-root, .qmail-mailer-daemon and .qmail-postmaster.

  • Anand Buddhdev recommends pullmail (http://www.swsoft.co.uk/index.asp?page=freesoftware), which is a Windows NT program that pulls mail from a POP3 server, and stuffs it into NT's SMTP server.

  • Mark Delany modifies FAQ 2.3 so he can use the same .qmail file for multiple UUCP sites. Here is our .qmail-uucpfqdn-default file (all on one line):

|preline -df /usr/bin/uux - -r -gC -a"$SENDER" `echo $EXT | cut -f2 -d-`!rmail "(${EXT3}@$HOST)"

And here is a sample virtualdomains entry:

some.domain:uucpfqdn-uuhostname

  • Dan Bernstein noted that qmail will skip dns queries for incoming mail with tcpserver -Hl your.host.name; and you can skip them for outgoing mail with control/smtproutes.

  • Harald Hanche-Olsen has a solution to the problem of mail that has wrongly been queued for a remote host (because, say, you didn't have a host in your locals or virtualdomains):

echo tcn.net:[127.0.0.1] >> /var/qmail/control/smtproutes

Now send qmail-send an ALRM signal.

  • Hitesh Patel has a patch for UnixWare 2.1.x and 7.0.x (ftp://ftp.freebird.org/unixware/freebird/mailtools/qmail/qmail-UW.tar.Z), which is not currently supported by qmail.

By the way... the patch above opens up the option of sending mail to root. If you want this, then just copy the right files into your qmail source directory; if you don't, go into conf-unusual.h and comment out line 25 that says "#define ALLOW_ROOT_MAIL 1". Probably a good idea to comment it out. -russ

  • Daniel J. Bernstein suggests that if you have buggy clients that send bare LFs, and you want to treat their messages the same way sendmail does, you can simply run his fixcrio program instead of qmail-smtpd for your outgoing mail relay. fixcrio then takes qmail-smtpd as argument. fixcrio is part of the ucspi-tcp package.

  • Balazs Nagy likes to watch logs in a virtual terminal (/dev/tty8). He uses

... | tee >(accustamp | tailocal > /dev/tty8) | accustamp | cyclog

The extra accustamp seems to be needed to make it work with bash.

  • Frederik Vermeulen says: If you don't want a specific undeliverable mail to sit in the queue any longer, you can make it reach the queuelifetime by running touch -d '1 week ago' on its queue/info file. It will then be bounced after one more delivery attempt.

  • Russ Nelson has used qmail-local to deliver to a dynamic Mailbox or Maildir name. He does it like this:

|qmail-local "$USER" "$HOME" "$LOCAL" "" "nodeliver" "$HOST" "$SENDER" "/path/to/users/maildir/here/"

  • Harald Hanche-Olsen warns people to beware when patching Solaris machines, because at least one patch restores the /etc/rc?.d/[SK]??sendmail symlink. You might want to remove files matching that name in your startup scripts.

  • Vern Hart doesn't like a pile of .qmail files in his home directory. So he uses users/assign to put them into a subdirectory:

=vern:vern:2244:18:/home/vern:::
+vern-:vern:2244:18:/home/vern:s/::

This puts .qmail in his home directory but everything else is in .qmails/. This changes ~/.qmail-foo to ~/.qmails/foo and really cleans up his home.

  • Jim Simmons points out that you can stop linuxconf from creating a potential security hole by removing the /usr/sbin/sendmail line from /usr/lib/linuxconf/redhat/perm. If you don't do this, linuxconf will change /var/qmail/bin/sendmail to running suid.

  • Dag Wieers wants to see all messages that are delivered to his domain but were bounced because the user or alias does not exist. Since you cannot forward and pipe in the same dot-qmail he found the following solution to be his most simple option, .qmail-default:

|forward dag@mind.be &>/dev/null
|echo "Sorry, no mailbox here by that name. (#5.1.1)"; exit 100

This way someone can simply check those mails regularly and forward them to the right person manually (which sometimes saves time when people are waiting for feedback).

  • Peter van Dijk suggests that you have two services running smtpd, one using recordio and the other not. He says that it's a great diagnostic tool. Create /service/qmail-smtpd as you would normally. Create /service/qmail-smtpd-recordio as a copy with recordio inserted, and logging to a separate space (be sure to chmod this logdir tight because recordio records complete emails). Create /service/qmail-smtpd-recordio/down. The switchover is then simply:

# svc -u /service/qmail-smtpd-recordio ; svc -d /var/service/qmail-smtpd

and vice versa.

  • Han Boetes blocks sites with no reverse dns. He uses the following tcp.smtp file. The only thing I would do differently is to set RBLSMTPD instead of just denying the connection.

127.0.0.1:allow,RELAYCLIENT=""
172.16.11.:allow,RELAYCLIENT=""
=:allow
:deny

  • Adrian Knoth suggests that your Unix client machines can use stunnel's public key mechanism (http://mail.socha.net/story/2002/8/14/181252/427) to authenticate smtp.

  • Richard Lyons points out that multilog has filtering capabilities, see http://cr.yp.to/daemontools/multilog.html. If you leave recordio in place you can select what bits of the output to write. For example:

multilog t '-* * > *' '-* * < *' /var/log/qmail/smtpd \
          '-*' '+* * > 5*' /var/log/qmail/smtpd-err

will do the normal logging to /var/log/qmail/smtpd, and will record 5xx errors sent by your server to the client in /var/log/qmail/smtpd-err.

  • Qmail-popup redirects stderr to stdout, thus making it impossible to write a wrapper around qmail-pop3d which writes to the logfile by writing to stderr. Being a little cleverer with the shell, you can also redirect FD 7 onto stdout like this:

/var/qmail/bin/qmail-pop3d-wrapper.sh /var/qmail/bin/qmail-pop3d Maildir 2>&1 7>&1

Once you've done that, qmail-pop3d-wrapper.sh can log to FD 7, like this:

#!/bin/sh
# FD 7 was pointed at the log by the caller (the 7>&1 above); stderr is not usable for that.
echo "qmail-pop3d: user $USER logged in from $TCPREMOTEIP:$TCPREMOTEPORT" >&7
# hand off to qmail-pop3d with the arguments passed through unchanged
exec "$@"
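
As an added example (not from the wiki page), the FD 7 trick reproduced with a stand-in for qmail-pop3d so it runs anywhere: the wrapper is the one from the tip (with "$@" quoted and exec'd, and USER defaulted when unset), the fake server writes one line to stdout and one to stderr the way a daemon under qmail-popup does, and FD 7 is pointed at a file instead of the multilog pipe so the log can be read back. The temp directory, the fake-pop3d script, the sample address 192.0.2.10 and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki: FD 7 logging around a stand-in for qmail-pop3d.

# Write the wrapper and a stand-in server into a temp dir; print the dir.
make_fd7_demo() {
  d=$(mktemp -d)
  cat >"$d/qmail-pop3d-wrapper.sh" <<'EOF'
#!/bin/sh
# Log on FD 7; the caller decides where FD 7 goes (on the page: 7>&1 into the
# log pipe, here: into a file so it can be checked).
echo "qmail-pop3d: user ${USER:-?} logged in from $TCPREMOTEIP:$TCPREMOTEPORT" >&7
exec "$@"
EOF
  cat >"$d/fake-pop3d" <<'EOF'
#!/bin/sh
echo "+OK mailbox ready"           # what the POP3 client would see on stdout
echo "fake-pop3d: diagnostics" >&2 # stderr, merged into stdout by qmail-popup
EOF
  chmod +x "$d/qmail-pop3d-wrapper.sh" "$d/fake-pop3d"
  echo "$d"
}

# run_fd7_demo DIR: run the wrapper the way the tip does (2>&1), but with FD 7
# pointed at DIR/log instead of stdout. Client-side output lands in
# DIR/client.out. Prints the path of the log file.
run_fd7_demo() {
  USER=testuser TCPREMOTEIP=192.0.2.10 TCPREMOTEPORT=40000 \
    "$1/qmail-pop3d-wrapper.sh" "$1/fake-pop3d" Maildir \
    >"$1/client.out" 2>&1 7>"$1/log"
  echo "$1/log"
}

demo=$(make_fd7_demo)
cat "$(run_fd7_demo "$demo")"
```

The log file ends up holding only the wrapper's line, while both the server's greeting and its stderr chatter go to client.out, which is the separation the tip is after: nothing the wrapper logs ever reaches the POP3 client.
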
  • Alex Greg likes to see the output of svstat expressed in dhms instead of seconds (http://agreg.com/scripts/secs2dhms).

  • Erwin Hoffmann suggests a one-line fix to the errno compilation problem. It works for most DJB software:

sed -e 's/^extern int errno;/#include <errno.h>/' error.h > error.h.new && mv error.h.new error.h

(Redirecting sed's output straight back to error.h, as in cat error.h | sed ... > error.h, truncates the file before it is read and leaves an empty error.h, hence the temporary file.)