Note: As I now use jms1's combined patch I no longer use this method, but it might be useful someday.

Summary

How to set up an SMTPAUTH submission daemon based on the firewall version of mini-qmail.

This procedure will result in a mini-qmail firewall based in­stal­la­tion (hearafter known as miniq) on the same server as a full qmail in­stal­la­tion (hearafter known as qmail). Messages submitted by au­then­ti­cat­ed users go straight to the qmail-queue program of the qmail.

As­sump­tions

• A fully functional qmail in­stal­la­tion already exists in /var/qmail.

• Ability to request and/or generate SSL cer­tifi­cates, and configure software (sslsvd) to use them.

• Basic knowledge of runit and log services.

• Working directory is ~/tmp.

Purpose

• I want anyone to be able to

  • connect to port 465 using ssh, and

  • submit an email message using SMTPAUTH, and

  • not be subject to any filtering/rbling I may do on port 25.

• But why (I imagine hearing) wouldn't you simply patch the qmail with the SMTPAUTH patch? Why set up a miniq?

  • I do not want users to be able to use SMTPAUTH on port 25.

  • I do not want any of the patches/utilities which I use on the qmail applied to users who use SMTPAUTH.

  • I do not want to deal with patch hell involved in SMTPAUTH + other patches when patching the qmail.

Procedure

• Get the qmail source and decompress/untar it into a new directory.

  $ cd tmp && wget http://www.qmail.org/netqmail-1.06.tar.gz
  $ tar xzf netqmail-1.06.tar.gz
  $ mv netqmail-1.06 miniqmail-1.06
  $ cd miniqmail-1.06
  

• Patch the qmail source using the SMTPAUTH patch from Dr. Erwin Hoffmann's SMTP Au­then­ti­ca­tion tutorial.

• Change the first line of conf-qmail from /var/qmail to /var/qmail-auth.

  $ make qmail-smtpd
  # mkdir -p /var/qmail-auth/bin /var/qmail-auth/control /var/qmail-auth/man/man8
  # cp qmail-smtpd /var/qmail-auth/bin
  # cp qmail-smtpd.8 /var/qmail-auth/man/man8
  # chown -R root:qmail /var/qmail-auth
  # cd /var/qmail-auth/bin
  # ln -sf /var/qmail/bin/qmail-queue qmail-queue
  # cd /var/qmail-auth/control
  # sh -c 'echo hostname > me'
  # touch rcpthosts
  

• An empty rcpthosts file will reject any email submitted unless the submitter has first au­then­ti­cat­ed.

• NOTE: Do not attempt to change the ownership/per­mis­sions of the qmail-queue link.

• Set up a service and a log service for qmail-smtpd-smtps (see script below). If you don't want to secure this, use tcpsvd instead of sslsvd and remove the necessary parameters.

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

  #!/bin/sh # qmail-smtpd-smtps/run MAXCONN=$(cat /var/qmail/control/concurrencyincoming) IP=[IP ADDRESS] PORT=465 exec 2>&1 exec chpst -m3000000 \ sslsvd \ -vvh \ -l local-host-name \ -U qmaild \ -Z ./cert.pem \ -c $MAXCONN \ -C '10:421 Per host concurrency limit reached\r\n' \ $IP $PORT \ /var/qmail-auth/bin/qmail-smtpd /usr/sbin/some-checkpassword-implementation true

SMTPAUTH submission daemon complete, although this in­stal­la­tion does not do StartTLS, just SSL.