Qmail-tips

From Qmailwiki
Revision as of 21:30, 2 February 2005 by 68.78.194.78 (Talk)

Some good advice for new qmail users, contributed by qmail users.

  • Did you restart qmail? I find that to be a help for a lot of qmail problems. :-) John Mitchell
  • You should also check the permissions very carefully on all of the necessary directories and files. John Mitchell
  • You must also put the virtual domain into /var/qmail/control/rcpthosts or the mailer will bounce the message with a notice saying that the host wasn't in rcpthosts. John Mitchell
  • Of course, you must also be the MX for the virtual hosts. I had a problem in my setup that was driving me nuts until I realized that my DNS provider had missed an MX update request. John Mitchell
  • Check all lines in sendmail.cf beginning with M. Any that contain P=[IPC] or P=[TCP] should also have E=\r\n. Tim Goodwin

  • The right-hand-side of entries in /var/qmail/control/virtualdomains should begin with a username. If you don't use a username, the mail will be handled by ~alias. But if you forget, and create a user by that name, then the mail will suddenly be handled by the user, which is probably not what you intended to happen. Best to use, in this case, alias as the username and avoid trouble. Russ Nelson
  • Remember to add preline before procmail or other filters when moving .forward to .qmail. Ira Abramov
  • If you use qmail's preline utility, remember that preline expects to pipe the entire mail message through the specified program. If the specified program closes standard input before preline has finished, preline will exit with a transient failure and you'll see the following error in your logs:

    deferral: preline:_fatal:_unable_to_copy_input:_broken_pipe/

You'll see this problem if you try to use the sendmail version of vacation. Use Peter's vacation program instead. [Peter Samuel]


  • Run qmail from an init.d script. [Larry Doolittle]

  • You can usually create control/rcpthosts from

    sed 's/:.*//' <virtualdomains | cat - locals | sort >rcpthosts

[Russ Nelson]

  • Sometimes you need to use a database to forward mail. Create ~alias/.qmail-default like this:

   |if T=`X`; then forward $T; else
      echo "Sorry, no mailbox here by that name (#5.1.1)";
      exit 100; fi

That all goes on one line. Fill in the X part with a program that looks up the user, and either prints the destination address and exits with zero, or exits nonzero if no match is found. By the way, the X program probably should ignore case. For NIS, you would replace the X in the above command with: ypmatch $LOCAL aliases
[Russ Nelson]

  • Similarly, you could also use a simple linear search text file named mapping containing lines in the form incoming:outgoing like this:

   |if MAP=`grep -i "$LOCAL:" mapping` && T=`echo $MAP |  awk -F: '{print $2}'` ;
      then forward $T;
      else echo "Sorry, no mailbox here by that name (#5.1.1)";
      exit 100; fi



[Russ Nelson]
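
A stricter lookup for the mapping file above, as an added example that is not part of the original tip: $LOCAL is taken from the recipient address, so the sender chooses it, and grep treats it as an unanchored pattern; this version compares it as a literal, whole first field, ignoring case. The script name lookup-mapping, its path in the comment and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Usage from ~alias/.qmail-default, all on one line (script path is hypothetical):
#   |if T=`/usr/local/bin/lookup-mapping "$LOCAL" mapping`; then forward "$T";
#      else echo "Sorry, no mailbox here by that name (#5.1.1)"; exit 100; fi

# lookup_mapping LOCALPART MAPFILE
# Prints the outgoing address and returns 0 when exactly one line of MAPFILE has
# LOCALPART (compared case-insensitively) as its whole first field; returns
# nonzero otherwise.
lookup_mapping() {
    # Accept only a conservative set of characters; anything else is "no match".
    case $1 in
        ''|*[!A-Za-z0-9._+-]*) return 1 ;;
    esac
    # Pass the key through the environment so awk sees it as plain data, and
    # compare it with == (string equality), never as a regular expression.
    KEY=$1 awk -F: '
        BEGIN { key = tolower(ENVIRON["KEY"]) }
        tolower($1) == key && $2 != "" { dest = $2; n++ }
        END { if (n != 1) exit 1; print dest }
    ' "$2"
}

# Constructed sample data in the incoming:outgoing form described above.
sample_mapping() {
    printf '%s\n' \
        'bob:bob@example.org' \
        'jimbob:jim@example.net' \
        'Sales:team@example.com'
}

# When called as: lookup-mapping LOCALPART MAPFILE
if [ "$#" -eq 2 ]; then
    lookup_mapping "$1" "$2"
fi
```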

  • Anything you print from a program run by a .qmail file ends up in the log file. [Russ Nelson]

  • You can do a reasonable imitation of sendmail delivery, including .forward and /var/spool/mail, with

#!/bin/sh
exec qmail-start '|dot-forward .forward
|preline -f /bin/mail -f "$SENDER" -d "$USER"' splogger qmail

depending on your system's binmail interface. Of course, I recommend throwing binmail away, but people who need to preserve /var/spool/mail should still be able to use qmail.
[Daniel J. Bernstein]

  • If you want to have private .qmail files which only work on local mail (e.g. a fax gateway), you can put the following test at the beginning of it (all on one line):

| if [ -n "`sed -n -e '/invoked from network/p' -e 2q`" ]; then exit 100; else exit 0; fi

That is, peek at the headers: if the message came from the network, bounce it; otherwise forward it along.
[John R. Levine]

  • Daniel J. Bernstein has three suggestions for allowing your users to relay when they're not at a known IP address (which is the FAQ 5.4 solution):

    • Use a secret IP address and port number, and you'll have much better security than user-chosen passwords.

    • Put a secret string into the HELO string sent by the client. This will be visible to the fixup script, so you can reject messages with bad passwords without changing qmail-smtpd, and it's still more widely supported than XTND XMIT.

    • Oh, you want real security? Check that all messages are PGP-signed (http://www.pgp.com) by local users. I wouldn't be surprised if PGP plugins are available for more clients than XTND XMIT patches are.

  • Anand Buddhdev wrote turnmail, modified by Russell Nelson for publication here, which wraps around qmail-pop3d and triggers a serialmail delivery to the connecting host whose user just authenticated themselves. Or, a Unix system can use fetchmail (http://www.tuxedo.org/~esr/fetchmail/index.html) or getmail (http://www.qcc.ca/~charlesc/software/getmail-4/), or an NT system pullmail (http://www.swsoft.co.uk).

  • Dan Bernstein suggested that one might give ordinary users access to qmail-qread through ucspi. Steinar Haug implemented that suggestion thusly with a client that looks like this:

#!/bin/sh
exec /local/etc/tcpclient -RHl0 -- 127.0.0.1 20025 sh -c 'exec cat <&6'

and he starts the server like this:

tcpserver -u126 -g120 -R 127.0.0.1 20025 /var/qmail/bin/qmail-qread &

  • The default delivery instructions, which are invoked when a .qmail file is nonexistent or empty, are found in the first parameter of qmail-start. That's why the install instructions tell you to touch .qmail-root .qmail-mailer-daemon and .qmail-postmaster.

  • Anand Buddhdev recommends pullmail (http://www.swsoft.co.uk/index.asp?page=freesoftware), which is a Windows NT program that pulls mail from a POP3 server, and stuffs it into NT's SMTP server.

  • Mark Delany modifies FAQ 2.3 so he can use the same .qmail file for multiple UUCP sites. Here is our .qmail-uucpfqdn-default file (all on one line):

|preline -df /usr/bin/uux - -r -gC -a"$SENDER"
   `echo $EXT | cut -f2 -d-`!rmail "(${EXT3}@$HOST)"

And here is a sample virtualdomains entry:

some.domain:uucpfqdn-uuhostname

  • Dan Bernstein noted that qmail will skip DNS queries for incoming mail with tcpserver -Hl your.host.name; and you can skip them for outgoing mail with control/smtproutes.


  • Harald Hanche-Olsen has a solution to the problem of mail that has wrongly been queued for a remote host (because, say, you didn't have a host in your locals or virtualdomains):

echo tcn.net:[127.0.0.1] >> /var/qmail/control/smtproutes

Now send qmail-send an ALRM signal.

  • Hitesh Patel has a patch for UnixWare 2.1.x and 7.0.x (ftp://ftp.freebird.org/unixware/freebird/mailtools/qmail/qmail-UW.tar.Z), which is not currently supported by qmail.

By the way..... the patch above opens up the option of sending mail to root... if you want this then just copy the right files into your qmail source directory... if you don't go into conf-unusual.h and comment out line 25 that says "#define ALLOW_ROOT_MAIL 1". Probably a good idea to comment it out -russ .

  • Daniel J. Bernstein suggests that if you have buggy clients that send bare LFs, and you want to treat their messages the same way sendmail does, you can simply run his fixcrio program instead of qmail-smtpd for your outgoing mail relay. fixcrio then takes qmail-smtpd as argument. fixcrio is part of the ucspi-tcp package.

  • Balazs Nagy likes to watch logs in a virtual terminal (/dev/tty8). He uses

... | tee >(accustamp | tailocal > /dev/tty8) | accustamp | cyclog

The extra accustamp seems to be needed to make it work with bash.

  • Frederik Vermeulen says: If you don't want a specific undeliverable mail to sit in the queue any longer, you can make it reach the queuelifetime by running touch -d '1 week ago' on its queue/info file. It will then be bounced after one more delivery attempt.

  • Russ Nelson has used qmail-local to deliver to a dynamic Mailbox or Maildir name. He does it like this:

|qmail-local "$USER" "$HOME" "$LOCAL" "" "nodeliver" "$HOST" "$SENDER" "/path/to/users/maildir/here/"

  • Harald Hanche-Olsen warns people to beware when patching Solaris machines, because at least one patch restores the /etc/rc?.d/[SK]??sendmail symlink. You might want to remove files matching that name in your startup scripts.

  • Vern Hart doesn't like a pile of .qmail files in his home directory. So he uses users/assign to put them into a subdirectory:

=vern:vern:2244:18:/home/vern:::
+vern-:vern:2244:18:/home/vern:s/::

This puts .qmail in his home directory but everything else is in .qmails/. This changes ~/.qmail-foo to ~/.qmails/foo and really cleans up his home.

  • Jim Simmons points out that you can stop linuxconf from creating a potential security hole by removing the /usr/sbin/sendmail line from /usr/lib/linuxconf/redhat/perm. If you don't do this, linuxconf will change /var/qmail/bin/sendmail to run suid.

  • Dag Wieers wants to see all messages that are delivered to his domain but were bounced because the user or alias does not exist. Since you cannot forward and pipe in the same dot-qmail he found the following solution to be his most simple option, .qmail-default:

|forward dag@mind.be >/dev/null 2>&1
|echo "Sorry, no mailbox here by that name. (#5.1.1)"; exit 100

This way someone can simply check those mails regularly and forward them to the right person manually (which sometimes saves time when people are waiting for feedback)

  • Peter van Dijk suggests that you have two services running smtpd, one using recordio and the other not. He says that it's a great diagnostic tool. Create /service/qmail-smtpd as you would normally. Create /service/qmail-smtpd-recordio as a copy with recordio inserted, and logging to a separate space (be sure to chmod this logdir tight because recordio records complete emails). Create /service/qmail-smtpd-recordio/down. The switchover is then simply:

# svc -u /service/qmail-smtpd-recordio ; svc -d /service/qmail-smtpd

and vice versa.

  • Han Boetes blocks sites with no reverse DNS. He uses the following tcp.smtp file. The only thing I would do differently is to set RBLSMTPD instead of just denying the connection.

127.0.0.1:allow,RELAYCLIENT=""
172.16.11.:allow,RELAYCLIENT=""
=:allow
:deny

  • Adrian Knoth suggests that your Unix client machines can use stunnel's public key mechanism (http://mail.socha.net/story/2002/8/14/181252/427) to authenticate SMTP.

  • Richard Lyons points out that multilog has filtering capabilities, see http://cr.yp.to/daemontools/multilog.html. If you leave recordio in place you can select what bits of the output to write. For example:

multilog t '-* * > *' '-* * < *' /var/log/qmail/smtpd \
          '-*' '+* * > 5*' /var/log/qmail/smtpd-err

will do the normal logging to /var/log/qmail/smtpd, and will record 5xx errors sent by your server to the client in /var/log/qmail/smtpd-err.

  • Qmail-popup redirects stderr to stdout, thus making it impossible to write a wrapper around qmail-pop3d which writes to the logfile by writing to stderr. Being a little cleverer with the shell, you can also redirect FD 7 onto stdout like this:

/var/qmail/bin/qmail-pop3d-wrapper.sh /var/qmail/bin/qmail-pop3d Maildir 2>&1 7>&1


Once you've done that, qmail-pop3d-wrapper.sh can log to FD 7, like this:

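#!/bin/sh
# Log the login on FD 7, which the command line above redirects onto stdout.
echo "qmail-pop3d: user $USER logged in from $TCPREMOTEIP:$TCPREMOTEPORT" >&7
# Hand over to the real qmail-pop3d, keeping each argument intact.
exec "$@"

  • Alex Greg likes to see the output of svstat expressed in dhms instead of seconds (http://agreg.com/scripts/secs2dhms).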

  • Erwin Hoffmann suggests a one-line fix to the errno compilation problem. It works for most DJB software:

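# Write to a temporary file first; redirecting straight back into error.h can truncate it before it is read.
sed -e 's/^extern int errno;/#include <errno.h>/' error.h > error.h.new && mv error.h.new error.h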