Mini-qmail SMTPAUTH howto
Note: As I now use jms1's combined patch I no longer use this method, but it might be useful someday.
Summary
How to set up an SMTPAUTH submission daemon based on the firewall version of mini-qmail.
This procedure results in a mini-qmail firewall-based installation (hereafter miniq) on the same server as a full qmail installation (hereafter qmail). Messages submitted by authenticated users go straight to the qmail-queue program of the qmail.
Assumptions
- A fully functional qmail installation already exists in /var/qmail.
- Ability to request and/or generate SSL certificates, and configure software (sslsvd) to use them.
- Basic knowledge of runit and log services.
- Working directory is ~/tmp.
Purpose
- I want anyone to be able to
  - connect to port 465 using SSL, and
  - submit an email message using SMTPAUTH, and
  - not be subject to any filtering or RBL checks I may do on port 25.
- But why (I imagine hearing) wouldn't you simply patch the qmail with the SMTPAUTH patch? Why set up a miniq?
  - I do not want users to be able to use SMTPAUTH on port 25.
  - I do not want any of the patches/utilities which I use on the qmail applied to users who use SMTPAUTH.
  - I do not want to deal with the patch hell involved in SMTPAUTH + other patches when patching the qmail.
Procedure
- Get the qmail source and decompress/untar it into a new directory.

    $ cd tmp && wget http://www.qmail.org/netqmail-1.06.tar.gz
    $ tar xzf netqmail-1.06.tar.gz
    $ mv netqmail-1.06 miniqmail-1.06
    $ cd miniqmail-1.06

- Patch the qmail source using the SMTPAUTH patch from Dr. Erwin Hoffmann's SMTP Authentication tutorial.
- Change the first line of conf-qmail from /var/qmail to /var/qmail-auth, then build only qmail-smtpd and install it into the new tree. Commands prefixed with # run as root; "hostname" in the echo line is a placeholder for the name this daemon should announce in control/me.

    $ make qmail-smtpd
    # mkdir -p /var/qmail-auth/bin /var/qmail-auth/control /var/qmail-auth/man/man8
    # cp qmail-smtpd /var/qmail-auth/bin
    # cp qmail-smtpd.8 /var/qmail-auth/man/man8
    # chown -R root:qmail /var/qmail-auth
    # cd /var/qmail-auth/bin
    # ln -sf /var/qmail/bin/qmail-queue qmail-queue
    # cd /var/qmail-auth/control
    # sh -c 'echo hostname > me'
    # touch rcpthosts

- An empty rcpthosts file will reject any email submitted unless the submitter has first authenticated.
- NOTE: Do not attempt to change the ownership/permissions of the qmail-queue link.
- Set up a service and a log service for qmail-smtpd-smtps (see script below). If you don't want to secure this, use tcpsvd instead of sslsvd and remove the parameters that only sslsvd accepts.

    #!/bin/sh
    # qmail-smtpd-smtps/run
    # Reuse the qmail's incoming concurrency limit for the submission daemon.
    MAXCONN=$(cat /var/qmail/control/concurrencyincoming)
    IP=[IP ADDRESS]
    PORT=465
    exec 2>&1
    exec chpst -m3000000 \
      sslsvd \
        -vvh \
        -l local-host-name \
        -U qmaild \
        -Z ./cert.pem \
        -c $MAXCONN \
        -C '10:421 Per host concurrency limit reached\r\n' \
        $IP $PORT \
        /var/qmail-auth/bin/qmail-smtpd /usr/sbin/some-checkpassword-implementation true
The SMTPAUTH submission daemon is now complete, although this installation does not do STARTTLS, only SSL on port 465.