Note: As I now use jms1's combined patch I no longer use this method, but it might be useful someday.

Summary

How to set up an SMTPAUTH submission daemon based on the firewall version of mini-qmail.

This procedure will result in a mini-qmail firewall based installation (hearafter known as miniq) on the same server as a full qmail installation (hearafter known as qmail). Messages submitted by authenticated users go straight to the qmail-queue program of the qmail.

Assumptions

• A fully functional qmail installation already exists in /var/qmail.

• Ability to request and/or generate SSL certificates, and configure software (sslsvd) to use them.

• Basic knowledge of runit and log services.

• Working directory is ~/tmp.

Purpose

• I want anyone to be able to

  • connect to port 465 using ssh, and

  • submit an email message using SMTPAUTH, and

  • not be subject to any filtering/rbling I may do on port 25.

• But why (I imagine hearing) wouldn't you simply patch the qmail with the SMTPAUTH patch? Why set up a miniq?

  • I do not want users to be able to use SMTPAUTH on port 25.

  • I do not want any of the patches/utilities which I use on the qmail applied to users who use SMTPAUTH.

  • I do not want to deal with patch hell involved in SMTPAUTH + other patches when patching the qmail.

Procedure

• $ cd tmp && wget http://www.qmail.org/netqmail-1.06.tar.gz

• $ tar xzf netqmail-1.06.tar.gz

• $ mv netqmail-1.06 miniqmail-1.06

• $ cd miniqmail-1.06

• patch using

  • SMTPAUTH patch from Dr. Erwin Hoffmann's SMTP Authentication tutorial

• Change the first line of conf-qmail from /var/qmail to /var/qmail-auth.

• $ make qmail-smtpd

  • You can simply type make, but it takes longer.

• # mkdir -p /var/qmail-auth/bin /var/qmail-auth/control /var/qmail-auth/man/man8

• # cp qmail-smtpd /var/qmail-auth/bin

• # cp qmail-smtpd.8 /var/qmail-auth/man/man8

• # chown -R root:qmail /var/qmail-auth

• # cd /var/qmail-auth/bin

• # ln -sf /var/qmail/bin/qmail-queue qmail-queue

  • Do not attempt to change the ownership/permissions of this link.

• # cd /var/qmail-auth/control

• # sh -c 'echo hostname > me'

  • replace hostname with your host's name

• # touch rcpthosts

  • We want an empty rcpthosts file which will reject any email submitted unless the submitter has first authenticated.

• Set up service and log service for qmail-smtpd-smtps (see script below).

  • If you don't want to secure this, use tcpsvd instead of sslsvd and remove the necessary parameters.

#!/bin/sh
# qmail-smtpd-smtps/run
MAXCONN=$(cat /var/qmail/control/concurrencyincoming)
IP=[IP ADDRESS]
PORT=465

exec 2>&1
exec chpst -m3000000 \
    sslsvd \
        -vvh \
        -l local-host-name \
        -U qmaild \
        -Z ./cert.pem \
        -c $MAXCONN \
        -C '10:421 Per host concurrency limit reached\r\n' \
        $IP $PORT \
        /var/qmail-auth/bin/qmail-smtpd
            /usr/sbin/some-checkpassword-implementation true

• SMTPAUTH submission daemon complete.

  • Note: This installation does not do StartTLS, just SSL.