Note: As I now use jms1's combined patch I no longer use this method, but it might be useful someday.

Summary

How to set up an SMTPAUTH submission daemon based on the firewall version of mini-qmail.

This procedure will result in a mini-qmail firewall based installation (hereafter known as miniq) on the same server as a full qmail installation (hereafter known as qmail). Messages submitted by authenticated users go straight to the qmail-queue program of the qmail.

Assumptions

  • A fully functional qmail installation already exists in /var/qmail.

  • Ability to request and/or generate SSL certificates, and configure software (sslsvd) to use them.

  • Basic knowledge of runit and log services.

  • Working directory is ~/tmp.

Purpose

  • I want anyone to be able to

    • connect to port 465 using SSL, and

    • submit an email message using SMTPAUTH, and

    • not be subject to any filtering/RBL checking I may do on port 25.

  • But why (I imagine hearing) wouldn't you simply patch the qmail with the SMTPAUTH patch? Why set up a miniq?

    • I do not want users to be able to use SMTPAUTH on port 25.

    • I do not want any of the patches/utilities which I use on the qmail applied to users who use SMTPAUTH.

    • I do not want to deal with patch hell involved in SMTPAUTH + other patches when patching the qmail.

Procedure

  • $ cd tmp && wget http://www.qmail.org/netqmail-1.06.tar.gz

  • $ tar xzf netqmail-1.06.tar.gz

  • $ mv netqmail-1.06 miniqmail-1.06

  • $ cd miniqmail-1.06

  • patch using

  • Change the first line of conf-qmail from /var/qmail to /var/qmail-auth.

  • $ make qmail-smtpd

    • You can simply type make, but it takes longer.
  • # mkdir -p /var/qmail-auth/bin /var/qmail-auth/control /var/qmail-auth/man/man8

  • # cp qmail-smtpd /var/qmail-auth/bin

  • # cp qmail-smtpd.8 /var/qmail-auth/man/man8

  • # chown -R root:qmail /var/qmail-auth

  • # cd /var/qmail-auth/bin

  • # ln -sf /var/qmail/bin/qmail-queue qmail-queue

    • Do not attempt to change the ownership/permissions of this link.
  • # cd /var/qmail-auth/control

  • # sh -c 'echo hostname > me'

    • replace hostname with your host's name
  • # touch rcpthosts

    • We want an empty rcpthosts file which will reject any email submitted unless the submitter has first authenticated.
  • Set up service and log service for qmail-smtpd-smtps (see script below).

    • If you don't want to secure this, use tcpsvd instead of sslsvd and remove the SSL-specific parameters (the certificate option).
#!/bin/sh
# qmail-smtpd-smtps/run
# runit service script for the miniq SMTPAUTH submission daemon (SMTP over SSL on port 465).
# Replace [IP ADDRESS], local-host-name and the checkpassword path before use.
MAXCONN=$(cat /var/qmail/control/concurrencyincoming)   # reuse the qmail's incoming concurrency limit
IP='[IP ADDRESS]'                                         # address to listen on
PORT=465

exec 2>&1
# -U qmaild      : run qmail-smtpd as the qmaild user
# -Z ./cert.pem  : SSL certificate kept in the service directory
# -c / -C        : per-service connection limit and the message sent when it is hit
exec chpst -m3000000 \
    sslsvd \
        -vvh \
        -l local-host-name \
        -U qmaild \
        -Z ./cert.pem \
        -c "$MAXCONN" \
        -C '10:421 Per host concurrency limit reached\r\n' \
        "$IP" "$PORT" \
        /var/qmail-auth/bin/qmail-smtpd \
            /usr/sbin/some-checkpassword-implementation true
  • SMTPAUTH submission daemon complete.

    • Note: This installation does not do STARTTLS, just SMTP over SSL (SMTPS) on port 465.
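A sanity check for the tree the procedure above builds, added here as an example and not part of the original page. It verifies the points the steps depend on: qmail-smtpd is present and executable, bin/qmail-queue is a symlink into the full qmail installation rather than a copy, control/me is set, and control/rcpthosts exists but is empty (a missing rcpthosts makes qmail-smtpd accept any recipient, a non-empty one accepts unauthenticated mail for the listed domains). The two roots default to /var/qmail-auth and /var/qmail but are parameters so the function can be pointed at a test tree.

```shell
#!/bin/sh
# Check a miniq (mini-qmail firewall) tree laid out as in the procedure.
# Added example; assumes the layout the procedure creates under $miniq
# and a full qmail installation under $qmail.

check_miniq() {
    miniq=${1:-/var/qmail-auth}
    qmail=${2:-/var/qmail}
    rc=0

    # qmail-smtpd built from the patched tree must be present and executable
    if [ ! -x "$miniq/bin/qmail-smtpd" ]; then
        echo "FAIL: $miniq/bin/qmail-smtpd missing or not executable"; rc=1
    fi

    # qmail-queue must be a symlink into the full qmail installation, not a copy
    if [ ! -L "$miniq/bin/qmail-queue" ]; then
        echo "FAIL: $miniq/bin/qmail-queue is not a symlink"; rc=1
    elif [ "$(readlink "$miniq/bin/qmail-queue")" != "$qmail/bin/qmail-queue" ]; then
        echo "FAIL: $miniq/bin/qmail-queue does not point at $qmail/bin/qmail-queue"; rc=1
    fi

    # control/me must name the host
    if [ ! -s "$miniq/control/me" ]; then
        echo "FAIL: $miniq/control/me is missing or empty"; rc=1
    fi

    # rcpthosts must exist and be empty: that is what rejects unauthenticated RCPT TO
    if [ ! -f "$miniq/control/rcpthosts" ]; then
        echo "FAIL: $miniq/control/rcpthosts missing (qmail-smtpd would accept any recipient)"; rc=1
    elif [ -s "$miniq/control/rcpthosts" ]; then
        echo "FAIL: $miniq/control/rcpthosts is not empty (listed domains accept unauthenticated mail)"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $miniq looks like a valid miniq tree"
    return "$rc"
}
```

Run it as root after the `touch rcpthosts` step (`check_miniq` with no arguments uses the paths from the procedure); a non-zero exit means one of the listed conditions failed and the reason was printed.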