Installing qmail with vpopmail, qmail-scanner, ClamAV and SpamAssassin (VII)
We finish this series on qmail with antispam/antivirus filtering by installing the SMTP and POP3 daemons with SSL.
First of all we need OpenSSL. It can be built from source or installed from a system package; here we use the package:
yum install openssl-devel -y
Next we patch UCSPI so that it supports SSL:
cd /usr/local/src
wget http://www.superscript.com/ucspi-ssl/ucspi-ssl-0.70.tar.gz
tar xzf ucspi-ssl-0.70.tar.gz
cd host/superscript.com/net/ucspi-ssl-0.70/
wget http://www.suspectclass.com/~sgifford/ucspi-tls/files/ucspi-ssl-0.70-ucspitls-0.1.patch
patch -p1 <ucspi-ssl-0.70-ucspitls-0.1.patch
wget --no-check-certificate http://tips.at.gg3.net/files/2008/07/ucspi-ssl-070-fixsegfault.patch
patch -p1 <ucspi-ssl-070-fixsegfault.patch
package/compile base
package/install base
groupadd ssl
useradd -g ssl -d /var/qmail ssl
Then the certificates:
mkdir /var/qmail/ssl
chown root /var/qmail/ssl
chmod 700 /var/qmail/ssl
cd /var/qmail/ssl
openssl dhparam -out dhparam 1024
Next we can generate the certificates with easy-rsa or directly with OpenSSL, or buy them from a CA, and copy them into /var/qmail/ssl, named after the host's FQDN (<fqdn>.crt and <fqdn>.key), which is what the env file below expects.
Next we create the file /var/qmail/ssl/env:
cat >/var/qmail/ssl/env <<EOF
# Set these three
SSL_USER=ssl
SSL_GROUP=ssl
SSL_DIR=/var/qmail/ssl
# Enable UCSPI-TLS
UCSPITLS=1
# The rest are set based on the above three
SSL_CHROOT="\$SSL_DIR"
CERTFILE="\$SSL_DIR/$(hostname --long).crt"
KEYFILE="\$SSL_DIR/$(hostname --long).key"
DHFILE="\$SSL_DIR/dhparam"
SSL_UID=\$(id -u "\$SSL_USER")
if [ \$? -ne 0 ]; then echo "No such user '\$SSL_USER'" >&2; exit; fi
SSL_GID=\$(id -g "\$SSL_GROUP")
if [ \$? -ne 0 ]; then echo "No such group '\$SSL_GROUP'" >&2; exit; fi
# Export the variables used by other scripts
export SSL_CHROOT SSL_UID SSL_GID UCSPITLS CERTFILE KEYFILE DHFILE
EOF
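sslserver only reports the paths it was given (see the log excerpt further down), so a key that does not belong to the certificate, an expired certificate, or a world-readable key is only noticed when the first client fails the handshake. The following pre-flight check is an added example, not part of the original post: the function name and argument layout are this example's own, and it uses only the standard openssl subcommands x509 and pkey.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check of the
# certificate and key that /var/qmail/ssl/env hands to sslserver.
#
# ssl_preflight CERTFILE KEYFILE
#   returns 0 when both files are readable, the private key is readable only
#   by its owner, the certificate has not expired, and the certificate's
#   public key is the one derived from the private key. Every failing check
#   is reported on stderr, so a single run shows all problems at once.
ssl_preflight() {
  cert="$1"
  key="$2"
  rc=0

  for f in "$cert" "$key"; do
    if [ ! -r "$f" ]; then
      echo "ssl_preflight: cannot read $f" >&2
      return 1
    fi
  done

  # Columns 5-10 of "ls -l" are the group and other permission bits;
  # a key with mode 0600 shows "------" there.
  if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
    echo "ssl_preflight: $key is readable by group or others" >&2
    rc=1
  fi

  # -checkend 0 succeeds only if the certificate is still valid right now.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "ssl_preflight: $cert is expired (or not a certificate)" >&2
    rc=1
  fi

  # Both commands print the public key as PEM (SubjectPublicKeyInfo);
  # cert and key belong together exactly when the two texts are identical.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "ssl_preflight: public key in $cert does not match $key" >&2
    rc=1
  fi

  return $rc
}
```

Typical use on the mail host is to source the env file and check the paths it exports before restarting the listeners: `. /var/qmail/ssl/env && ssl_preflight "$CERTFILE" "$KEYFILE"`. Comparing the PEM text of the two public keys rather than hashing them avoids the trap where an unreadable or malformed input produces an empty output on both sides and the hashes "match".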
Next we modify the daemons' startup scripts:
cat >/var/qmail/supervise/qmail-smtpd/run <<EOF
#!/bin/sh
. /var/qmail/ssl/env
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE
MAXSMTPD=\$(cat /var/qmail/control/concurrencyincoming)
LOCAL=\$(head -1 /var/qmail/control/me)
QMAILDUID=\$(id -u qmaild)
NOFILESGID=\$(id -g qmaild)
if [ -z "\$QMAILDUID" -o -z "\$NOFILESGID" -o -z "\$MAXSMTPD" -o -z "\$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi
exec /usr/local/bin/softlimit -m 100000000 \\
/usr/local/bin/sslserver -e -n -v -R -l "\$LOCAL" -x /etc/tcp.smtp.cdb -c "\$MAXSMTPD" \\
-u 89 -g 89 0 smtp /usr/local/bin/rblsmtpd -b -rsbl.spamhaus.org \\
/var/qmail/bin/qmail-smtpd \$(hostname --long) /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-smtp-auth-wrapper.sh 2>&1 7>&1
EOF
qmailctl restart
If we now look at the log file (/var/log/qmail/smtpd/current) we see the following:
# tail -n7 /var/log/qmail/smtpd/current
@4000000049b8cee622ec3944 sslserver: cafile 8221
@4000000049b8cee622ec4114 sslserver: ccafile 8221
@4000000049b8cee622ec73dc sslserver: cadir 8221 /usr/local/ssl/certs
@4000000049b8cee622ec73dc sslserver: cert 8221 /var/qmail/ssl/stargate.systemadmin.es.crt
@4000000049b8cee622ec77c4 sslserver: key 8221 /var/qmail/ssl/stargate.systemadmin.es.key
@4000000049b8cee622ec77c4 sslserver: param 8221 /var/qmail/ssl/dhparam 1024
@4000000049b8cee622ec7bac sslserver: status: 0/20
Next we continue with the SSL version of the SMTPD daemon:
mkdir -p /var/qmail/supervise/qmail-smtpd-ssl/log
mkdir /var/log/qmail/smtpd-ssl
chown qmaill /var/log/qmail/smtpd-ssl
cat >/var/qmail/supervise/qmail-smtpd-ssl/run <<EOF
#!/bin/sh
. /var/qmail/ssl/env
unset UCSPITLS
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE
MAXSMTPD=\$(cat /var/qmail/control/concurrencyincoming)
LOCAL=\$(head -1 /var/qmail/control/me)
QMAILDUID=\$(id -u qmaild)
NOFILESGID=\$(id -g qmaild)
if [ -z "\$QMAILDUID" -o -z "\$NOFILESGID" -o -z "\$MAXSMTPD" -o -z "\$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpd-ssl/run
exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi
exec /usr/local/bin/softlimit -m 75000000 \\
/usr/local/bin/sslserver -e -v -R -l "\$LOCAL" -x /etc/tcp.smtp.cdb -c "\$MAXSMTPD" \\
-u 89 -g 89 0 smtps /usr/local/bin/rblsmtpd -b -rsbl.spamhaus.org \\
/var/qmail/bin/qmail-smtpd \$(hostname --long) /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-smtp-auth-wrapper.sh 2>&1 7>&1
EOF
cat >/var/qmail/supervise/qmail-smtpd-ssl/log/run <<EOF
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t \\
/var/log/qmail/smtpd-ssl
EOF
chmod +x /var/qmail/supervise/qmail-smtpd-ssl/log/run /var/qmail/supervise/qmail-smtpd-ssl/run
ln -s /var/qmail/supervise/qmail-smtpd-ssl/ /service/
Next we modify the dovecot configuration to add IMAPS and POP3S (the existing ssl lines are blanked out and the new settings appended):
sed "s@\(ssl.*\)@@g" -i /usr/local/etc/dovecot/dovecot.conf
cat <<EOF >> /usr/local/etc/dovecot/dovecot.conf
ssl = yes
ssl_cert = <$(ls /var/qmail/ssl/*crt)
ssl_key = <$(ls /var/qmail/ssl/*key)
service imap-login {
  inet_listener imaps {
    address = *
    port = 993
  }
}
service pop3-login {
  inet_listener pop3s {
    address = *
    port = 995
  }
}
EOF
svc -t /service/dovecot
Finally we modify the qmail control script (qmailctl) to include all these services (the heredoc delimiter is quoted so that $1, $0 and the backticks reach the file unexpanded):
cat >/var/qmail/bin/qmailctl <<'EOF'
#!/bin/sh
# description: the qmail MTA
PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
case "$1" in
start)
echo "Starting qmail"
if svok /service/qmail-send ; then
svc -u /service/qmail-send /service/qmail-send/log
else
echo "qmail-send supervise not running"
fi
if svok /service/qmail-smtpd ; then
svc -u /service/qmail-smtpd /service/qmail-smtpd/log
else
echo "qmail-smtpd supervise not running"
fi
if [ -d /var/lock/subsys ]; then
touch /var/lock/subsys/qmail
fi
if svok /service/qmail-smtpd-ssl ; then
svc -u /service/qmail-smtpd-ssl /service/qmail-smtpd-ssl/log
else
echo qmail-smtpd-ssl supervise not running
fi
if svok /service/dovecot ; then
svc -u /service/dovecot
else
echo dovecot supervise not running
fi
;;
stop)
echo "Stopping qmail..."
echo " qmail-smtpd"
svc -d /service/qmail-smtpd /service/qmail-smtpd/log
echo " qmail-send"
svc -d /service/qmail-send /service/qmail-send/log
if [ -f /var/lock/subsys/qmail ]; then
rm /var/lock/subsys/qmail
fi
echo " qmail-smtpd-ssl"
svc -d /service/qmail-smtpd-ssl /service/qmail-smtpd-ssl/log
echo " dovecot"
svc -d /service/dovecot
;;
stat)
svstat /service/qmail-send
svstat /service/qmail-send/log
svstat /service/qmail-smtpd
svstat /service/qmail-smtpd/log
svstat /service/qmail-smtpd-ssl
svstat /service/qmail-smtpd-ssl/log
svstat /service/dovecot
qmail-qstat
;;
doqueue|alrm|flush)
echo "Flushing timeout table and sending ALRM signal to qmail-send."
/var/qmail/bin/qmail-tcpok
svc -a /service/qmail-send
;;
queue)
qmail-qstat
qmail-qread
;;
reload|hup)
echo "Sending HUP signal to qmail-send."
svc -h /service/qmail-send
;;
pause)
echo "Pausing qmail-send"
svc -p /service/qmail-send
echo "Pausing qmail-smtpd"
svc -p /service/qmail-smtpd
echo "Pausing qmail-smtpd-ssl"
svc -p /service/qmail-smtpd-ssl
echo "Pausing dovecot"
svc -p /service/dovecot
;;
cont)
echo "Continuing qmail-send"
svc -c /service/qmail-send
echo "Continuing qmail-smtpd"
svc -c /service/qmail-smtpd
echo "Continuing qmail-smtpd-ssl"
svc -c /service/qmail-smtpd-ssl
echo "Continuing dovecot"
svc -c /service/dovecot
;;
restart)
echo "Restarting qmail:"
echo "* Stopping qmail-smtpd."
svc -d /service/qmail-smtpd /service/qmail-smtpd/log
echo "* Sending qmail-send SIGTERM and restarting."
svc -t /service/qmail-send /service/qmail-send/log
echo "* Restarting qmail-smtpd."
svc -u /service/qmail-smtpd /service/qmail-smtpd/log
echo "* Restarting qmail-smtpd-ssl."
svc -t /service/qmail-smtpd-ssl /service/qmail-smtpd-ssl/log
echo "* Restarting dovecot."
svc -t /service/dovecot
;;
cdb)
tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
chmod 644 /etc/tcp.smtp.cdb
echo "Reloaded /etc/tcp.smtp."
;;
help)
cat <<HELP
stop -- stops mail service (smtp connections refused, nothing goes out)
start -- starts mail service (smtp connection accepted, mail can go out)
pause -- temporarily stops mail service (connections accepted, nothing leaves)
cont -- continues paused mail service
stat -- displays status of mail service
cdb -- rebuild the tcpserver cdb file for smtp
restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
doqueue -- schedules queued messages for immediate delivery
reload -- sends qmail-send HUP, rereading locals and virtualdomains
queue -- shows status of queue
alrm -- same as doqueue
flush -- same as doqueue
hup -- same as reload
HELP
;;
*)
echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|help}"
exit 1
;;
esac
exit 0
EOF
With this we now have SMTP, SMTP-TLS, SMTP-SSL, POP3, POP3S, IMAP and IMAPS:
# netstat -tpa | grep LIST
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 577/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 577/dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 577/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 577/dovecot
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 15664/spamd child
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 25787/sslserver
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 25636/sslserver
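The listing above is the state we want: the six mail ports on all interfaces and spamd only on 127.0.0.1. The following script is an added example, not part of the original post, that turns that expectation into a repeatable check: it parses netstat -tpa style output, reports expected ports with no listener, and flags anything bound to all interfaces that is not on the allow list (for instance spamd if it ever lost its loopback binding). The port list and the sample input are this example's own assumptions, modelled on the output above.

```shell
#!/bin/sh
# Added example, not from the original post: audit the listening sockets of
# the finished mail stack against what it is supposed to expose.

# Ports that must be reachable from outside: SMTP, SMTPS, POP3, POP3S, IMAP, IMAPS.
# (Assumption of this example; adjust to the services actually offered.)
EXPECTED_PUBLIC="25 465 110 995 143 993"

# Sample input constructed for this example, modelled on "netstat -tpa | grep LIST".
SAMPLE='tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 577/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 577/dovecot
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 577/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 577/dovecot
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 15664/spamd child
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 25787/sslserver
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 25636/sslserver'

# listening_ports: read netstat lines on stdin, print "address port" for each
# LISTEN socket. The port is the digits after the last colon, the address is
# everything before it, so "0.0.0.0:25", ":::25" and "::1:783" all parse.
listening_ports() {
  awk '$6 == "LISTEN" {
    addr = $4; port = $4
    sub(/:[0-9]+$/, "", addr)
    sub(/^.*:/, "", port)
    print addr, port
  }'
}

# missing_ports LISTING: print "missing: N" for every expected port that has no
# listener in LISTING; return 1 if at least one is missing, 0 otherwise.
missing_ports() {
  rc=0
  for p in $EXPECTED_PUBLIC; do
    if ! printf '%s\n' "$1" | listening_ports |
         awk -v p="$p" '$2 == p { f = 1 } END { exit !f }'; then
      echo "missing: $p"
      rc=1
    fi
  done
  return $rc
}

# exposed_unexpected LISTING: print ports bound to all interfaces (0.0.0.0 or ::)
# that are not in EXPECTED_PUBLIC, one per line. Loopback-only sockets such as
# spamd on 127.0.0.1 are fine and are not reported.
exposed_unexpected() {
  printf '%s\n' "$1" | listening_ports | awk -v allow="$EXPECTED_PUBLIC" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    ($1 == "0.0.0.0" || $1 == "::") && !($2 in ok) { print $2 }'
}

# Stand-alone run against the sample listing.
missing_ports "$SAMPLE" && echo "all expected ports are listening"
bad=$(exposed_unexpected "$SAMPLE")
if [ -z "$bad" ]; then
  echo "no unexpected listeners on all interfaces"
else
  echo "unexpected listeners on all interfaces: $bad"
fi
```

On a live host replace the sample with the real output, e.g. `missing_ports "$(netstat -tpa | grep LIST)"`, and run it after `qmailctl restart`; the check stays silent when the stack is healthy and names the port otherwise, which is what you want from something run by cron.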
The full list of the series, Installing a mail server with qmail/vpopmail/qmail-scanner/ClamAV/SpamAssassin, is:
- Starting the qmail installation with daemontools and MySQL for vpopmail
- Installing vpopmail and SpamAssassin
- Installing ClamAV as the antivirus engine and qmail-scan-queue to scan messages with ClamAV and SpamAssassin
- Starting qmail and its init scripts
- Installing the IMAP and POP3 server with dovecot
- Installing patches for qmail: SMTP-AUTH, CHKUSER and UCSPI-TLS
- Supervise scripts for the SMTP and POP3 daemons with SSL