Conservative qmail with SSL/TLS

Before you implement this strategy, please familiarize yourself with how qmail works. This is just so you feel more comfortable messing with qmail. Here are a few links:

About the qmail programs and process

###################################
http://www.nrg4u.com/
http://cr.yp.to/qmail/pictures.html
http://www.thedjbway.org/qmail/qmailflow.html

General qmail information

#########################
http://cr.yp.to/qmail.html
http://www.qmailrocks.org/
http://www.lifewithqmail.org/

Also, please be aware of your mail server’s configuration and the DNS records on your system. This may not be something you are able to implement with your current configuration and DNS setup. It requires a single mail server bound to one IP address on one ethernet interface, preferably a dedicated IP address separate from any websites. All mail.domain.com A or CNAME records should point to that one IP address, and your DNS template should be set up the same way for future domain name additions. It will also run a new tcpserver for SMTP connections from localhost, which you may or may not need for your mail server.

SSL/TLS setup

#################

I’m not going to go into detail here about setting up a hostname SSL certificate for POP3/IMAP/SMTP. There are other threads in this forum that explain it really well and that helped me. You can do your own search or you can try these:

http://www.interworx.com/forums/showthread.php?t=1803
http://www.interworx.com/forums/showthread.php?t=2121
http://www.interworx.com/forums/showthread.php?t=316

I have one thing to add to this. That is to disable SSLv2, an older and insecure protocol version. To do this, edit the files /etc/courier/pop3d-ssl.dist and /etc/courier/imapd-ssl.dist on the line:

# TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"

Remove the leading # and replace +SSLv2 with !SSLv2, like so:

TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:!SSLv2:@STRENGTH"

After you have that set up, it is your choice whether or not you want to disable the non-SSL POP3 and IMAP services and run those services only over the SSL ports.

POP3 and POP3-SSL on a single ethernet IP address

############################################

For good practice and consistency’s sake, edit the following files first:

/etc/courier/pop3d.dist
/etc/courier/pop3d-ssl.dist

There are 2 lines in these files to change:

In pop3d.dist

ADDRESS=0

In pop3d-ssl.dist

SSLADDRESS=0

Change the address from 0 to the IP address that your mail server’s hostname resolves to. This step does not actually close the listeners on the other IP addresses; it is just for consistency.

Next, edit the following file:

/service/pop3/run

Edit the line that looks like:

/usr/bin/tcpserver -v -R -c 200 0 110 \

and change the lone 0 between 200 and 110 to your mail server’s IP address. Save and exit.

Next, edit the following file:

/service/pop3-ssl/run

Edit the line that looks like:

/usr/bin/tcpserver -c 200 -v -R -H -l $HOSTNAME 0 995 \

and change the lone 0 between $HOSTNAME and 995 to your mail server’s IP address. Save and exit.

Restart the POP3 services:

/etc/init.d/pop3 restart
/etc/init.d/pop3-ssl restart

You should be able to run:

ps faux | grep pop3

and see the services running on the single IP address. You can also check this with:

netstat -punta

Also, if you’re running LSM, you’ll soon receive an email from it about the change in listening sockets.

Please post any questions or concerns.

IMAP and IMAP-SSL on a single ethernet IP address

############################################

I’ve actually decided not to implement this on my server. However, if you’ve followed the rest of the tutorials in this post, then it shouldn’t be too difficult to hack IMAP to your liking. All I’m doing on my server is running IMAP-SSL on the localhost for my webmail client. If anybody needs any further assistance with this section I’ll be happy to help. :slight_smile:

SMTP on a single ethernet IP address

#################################

Edit the following file:

/service/smtp/run

Edit the line that looks like:

-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \

and change the lone 0 before smtp to your mail server’s IP address. Save and exit.

** All outgoing mail being processed through qmail-remote is sent through the first IP address on the interface. If you have made your SMTP IP address different from the first IP address on your network interface, you will need to adjust this in /etc/sysconfig/network-scripts/. Make sure your SMTP IP address is ifcfg-eth0:0 or ifcfg-venet0:0, however your interface is configured. Please address any questions about this in the thread. **

You can stop here, restart SMTP, and be on your way. If you want SMTP to listen for connections from localhost, for certain mailing list software, webmail, or anything else that connects to SMTP on the localhost, follow along below.

New SMTP service for localhost connections

######################################

We’re going to create a new service. Create it in a temporary directory outside the /service directory until it is set up. If you create it directly in the /service directory, the svscan and supervise processes will pick it up within about 5 seconds and add it to the process tree; you’ll receive some errors and would have to reboot your server after sorting out the configuration to refresh supervise’s knowledge of the service:

mkdir /test

Change to the /service directory and copy the smtp directory to this new test directory:

cd /service
cp -Rp smtp /test/smtp-local

The -R is for recursion; the -p preserves ownership, permissions and timestamps.

We’re going to leave that directory alone for now, and create the log directory:

cd /var/log
mkdir smtp-local
chown qmaill:qmail smtp-local
chmod 750 smtp-local
ls -al

Now we’re going to edit the smtp-local service:

cd /test/smtp-local

Edit the run file using your editor and change the following line to read:

-u "$QMAILDUID" -g "$NOFILESGID" 127.0.0.1 smtp \

Note that we have changed the IP address from our mail server’s IP to the localhost.

Next, we need to edit the run file in the new service’s log directory:

cd /test/smtp-local/log

Edit the run file using your editor and change the following line to read:

exec /usr/bin/setuidgid qmaill /usr/bin/multilog t /var/log/smtp-local 2>&1

Note that we have changed the log path from /var/log/smtp to /var/log/smtp-local.

Next, we need to edit the /etc/init.d/smtp file. Find the line that looks like:

progdirs="/service/smtp /service/send"

and add our new service to it. The line should now read:

progdirs="/service/smtp /service/send /service/smtp-local"

Now we can change back to our /test directory and move the new service into its proper place. From within the /test directory, execute the following command:

mv smtp-local /service

and then restart the SMTP service:

/etc/init.d/smtp restart

Testing and Awareness

#######################

You can test that this is working by a variety of methods. First, let’s check the status of the SMTP service:

/etc/init.d/smtp status

That should give you something similar to:

/service/smtp: up (pid 8985) 9079 seconds
/service/send: up (pid 8988) 9079 seconds
/service/smtp-local: up (pid 8991) 9079 seconds

Another check we can run is:

ps aux | grep readproctitle

to check for any service errors. You should see only a run of dots (…) here, which means no errors have been logged.

We should also see our new smtp-local service listed in the process tree:

ps faux

Run a:

netstat -punta

to check the sockets are correct.
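As an added example (not part of the original post), here is a small shell audit of that netstat listing: it flags any mail port still bound to an address other than the mail server’s IP, allowing 127.0.0.1 only for port 25 (the smtp-local service). MAIL_IP and the sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: audit `netstat -punta` output and
# report any mail-service listener bound somewhere other than the mail IP
# (127.0.0.1 is also allowed for port 25, for the smtp-local service).
# MAIL_IP and the sample listing below are constructed placeholders.

MAIL_IP="${MAIL_IP:-203.0.113.10}"

# Constructed sample of `netstat -punta` output; the fourth column is Local Address.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 203.0.113.10:110        0.0.0.0:*               LISTEN      8990/tcpserver
tcp        0      0 203.0.113.10:995        0.0.0.0:*               LISTEN      8992/tcpserver
tcp        0      0 203.0.113.10:25         0.0.0.0:*               LISTEN      8985/tcpserver
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      8991/tcpserver
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      9011/couriertcpd
tcp        0      0 203.0.113.10:80         0.0.0.0:*               LISTEN      1201/httpd'

# check_listeners EXPECTED_IP: reads netstat output on stdin, prints one line per
# mail port (25/110/143/993/995) bound to an unexpected address, returns 1 if any.
check_listeners() {
    expected="$1"
    bad=0
    while read -r proto recvq sendq laddr foreign state rest; do
        [ "$state" = "LISTEN" ] || continue
        addr="${laddr%:*}"       # strip ":port"; "0.0.0.0" or "::" means every address
        port="${laddr##*:}"
        case "$port" in
            25|110|143|993|995) ;;
            *) continue ;;       # not a mail port (e.g. httpd on 80)
        esac
        [ "$addr" = "$expected" ] && continue
        [ "$port" = "25" ] && [ "$addr" = "127.0.0.1" ] && continue
        echo "UNEXPECTED: $proto port $port bound to $addr ($rest)"
        bad=1
    done
    return $bad
}

# Against the sample, the IMAP listener on 0.0.0.0:143 is reported.
# On a real host run: netstat -punta | check_listeners "$MAIL_IP"
printf '%s\n' "$SAMPLE_NETSTAT" | check_listeners "$MAIL_IP" \
    || echo "Mail ports are bound on unexpected addresses; recheck the run files."
```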

You can test your mail server on incoming and outgoing deliveries (local to local, local to remote, and remote to local) in various ways and watch how it reacts in the log files. The quickest way is probably through your email client, using off-server email addresses as well. If you have a way to trigger root’s mail to be sent to your off-server email, such as SSH login notifications, that helps in testing too.

Try to telnet to the other existing IP addresses on the server, which should no longer have the mail server ports open: 25, 110, 143, 993, 995. The server should refuse the connections. In the example below, 12.34.56.78 stands for an IP address you are not running the mail server on and 25 for the SMTP port. Substitute 110, 143, 993 and 995 to check the POP3 and IMAP services, and repeat for every one of your server’s IP addresses. Only the address you specified in the run files should accept connections, plus localhost for SMTP.

[root@hostname]# telnet 12.34.56.78 25
Trying 12.34.56.78...
telnet: connect to address 12.34.56.78: Connection refused
telnet: Unable to connect to remote host: Connection refused

[root@hostname]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 hostname.domain.com ESMTP

That’s it! Hope this helps. Please post any questions, concerns or comments.

:slight_smile: