Hi,
This is my first “howto”, so if anything is wrong, please correct me.
As many of you know, I’ve been after a greylisting solution for qmail for a long time now because we have it running on Windows servers and it runs really fine and keeps spammers back.
The problem with qmail is that greylisting (at least the current installs I had found) didn’t support “smtp auth”, so sending emails had to be done on port 587 (alternate port) and on a production server with more than 1000 email accounts we couldn’t get everyone to change their email client configurations, so I kept on looking.
Yesterday I found this install:
http://mij.oltrelinux.com/net/greylite/
and gave it a try on one of our boxes with hardly any traffic. It worked so well that I installed it on our other boxes!
As the instructions aren’t very clear (at least for me, the first 150 times I read them :)), I’ll post step by step how I did it, and if the guys at Interworx give it a try and like it, it could be implemented in the next version as an option.
Here we go:
We have CentOS 5.1 machines, so your mileage might vary.
One of the first prerequisites is to have sqlite3 installed (greylite keeps its state in an SQLite database), so I built it from source:
cd ~
wget http://sqlite.org/sqlite-3.5.4.tar.gz
tar xvzf sqlite-3.5.4.tar.gz
cd sqlite-3.5.4
./configure
make
sudo make install
After that I started actually installing greylite:
wget http://mij.oltrelinux.com/net/greylite/releases/greylite-2.3.tar.bz2
tar xjvf greylite-2.3.tar.bz2
cd greylite-2.3
make all install
That got me the binaries installed and now all I had to do was to configure it:
mkdir -p /var/db/greylite
sqlite3 -init greydb.sql /var/db/greylite/greylite.db
CTRL+D
(greydb.sql ships in the greylite-2.3 directory you are still in; after loading the schema sqlite3 leaves you at its prompt, and CTRL+D exits it.)
The problem I encountered later on was that if left like this, the database would be “read-only” and greylisting wouldn’t work, so I had to change the permissions on the folder and greylite.db file.
cd /var/db/
chmod 777 greylite
cd greylite
chmod 777 greylite.db
I did try setting the permissions to a lower level, but then greylisting wouldn’t work and it said “cannot write to database. Set as readonly”. If anyone can give me the correct permissions, I would be very grateful.
Now to actually get greylisting in the smtp process:
nano /service/smtp/run
My file looked like this:
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
BLACKLIST=`cat /var/qmail/control/blacklists`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
RBLSMTPD="/usr/bin/rblsmtpd"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
# tcpserver drops to the vpopmail uid/gid before running the SMTP chain
exec /usr/bin/softlimit -m 512000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    $RBLSMTPD $BLACKLIST $SMTPD $VCHKPW /bin/true 2>&1
and it ended up looking like this:
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
BLACKLIST=`cat /var/qmail/control/blacklists`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
RBLSMTPD="/usr/bin/rblsmtpd"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
# greylite goes first in the chain so it sees the session before rblsmtpd and qmail-smtpd
GREY="/usr/local/bin/greylite"
exec /usr/bin/softlimit -m 512000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    $GREY $RBLSMTPD $BLACKLIST $SMTPD $VCHKPW /bin/true 2>&1
Now to get the variables in the tcp.smtp file:
nano /etc/tcprules.d/tcp.smtp
The original file was:
127.:allow,RELAYCLIENT=""
:allow,LANG="en_US",QMAILQUEUE="/var/qmail/bin/simscan"
and after editing it, it was:
127.:allow,RELAYCLIENT=""
:allow,LANG="en_US",QMAILQUEUE="/var/qmail/bin/simscan",GREYLIST="5",DBFILE="/var/db/greylite/greylite.db",GREETDELAY=""
Now to include it in the tcp.smtp.cdb file:
tcprules tcp.smtp.cdb footmpcdbfile < tcp.smtp
(run this inside /etc/tcprules.d; the second argument is only a temporary file name that tcprules writes to and then renames over tcp.smtp.cdb.)
After that we want to check that the variables end up in the right rule. tcprulescheck takes the client address from the TCPREMOTEIP environment variable; with it unset it reports the default rule, which is the one external senders hit:
tcprulescheck tcp.smtp.cdb
and the result should be something like this:
rule :
set environment variable LANG=en_US
set environment variable QMAILQUEUE=/var/qmail/bin/simscan
set environment variable GREYLIST=5
set environment variable DBFILE=/var/db/greylite/greylite.db
set environment variable GREETDELAY=
allow connection
And finally you have to restart the service:
service smtp restart
You can now test the system by telnetting to port 25 (you type the HELO, MAIL FROM and RCPT TO lines; everything else is the server's reply):
# telnet my.server.com 25
Trying 1.2.3.4...
Connected to my.server.com.
Escape character is '^]'.
220 my.server.com ESMTP
HELO asd
250 my.server.com
MAIL FROM:<youruser@yourhost.com>
250 ok
RCPT TO:<youruser@yourhost.com>
451 qqt failure (#4.3.0)
You may get this instead:
452 insufficient system storage
Either way the connection is then closed. Wait 30 seconds and repeat the same commands; this time the message should be accepted.
P.S.: ALWAYS test from an external address, i.e. one that hits the default rule in tcp.smtp and therefore gets the GREYLIST environment variable. Connections from 127. match the first line, which sets RELAYCLIENT and no GREYLIST, so they are never greylisted.
Hopefully this works for someone and comes back to leave some feedback!
From here my thanks to Mij (mij@bitchx.it) for this great patch.
Now for my personal comments:
- I’ve tried sending emails with authentication and it seems to work.
- I’d like to be able to create a whitelist or similar, but the only option is to add “allowed IP addresses” in the tcp.smtp file. I’m not very happy with that.
Apart from that, it seems to be working really great for us…
Regards,
Daniel
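On the open question of database permissions: the post's own run script has tcpserver switch to the vpopmail uid/gid before starting the chain, so greylite writes the database as that user, and SQLite also creates a journal file next to the database while writing, which is why the directory has to be writable too. Giving the directory and file to that user (group-writable, nothing for "other") avoids the world-writable 777 workaround. The script below is an added example, not code from the original post or from greylite; the user name, directory and mode values are assumptions taken from the run script and tcp.smtp shown above.

```shell
#!/bin/sh
# Added example (not from the original post or from greylite itself).
# Assumption: greylite runs inside tcpserver as the uid/gid the run script
# computes with `id -u vpopmail` / `id -g vpopmail`, so that user is the only
# one that needs write access. SQLite writes a greylite.db-journal file next to
# the database, so the directory itself must be writable by that user as well;
# a writable .db in a read-only directory still fails with "cannot write to
# database".

GREYLITE_DIR="${GREYLITE_DIR:-/var/db/greylite}"   # path used in the post
SMTP_USER="${SMTP_USER:-vpopmail}"                 # user from the run script

# Hand the directory and database to the SMTP user: 0770 on the directory,
# 0660 on the file, no access for "other". Non-zero if the user or paths
# do not exist.
lock_down_greylite_db() {
    dir=$1
    user=$2
    uid=$(id -u "$user") || return 1
    gid=$(id -g "$user") || return 1
    [ -d "$dir" ] || return 1
    [ -f "$dir/greylite.db" ] || return 1
    chown "$uid:$gid" "$dir" "$dir/greylite.db" || return 1
    chmod 0770 "$dir" || return 1
    chmod 0660 "$dir/greylite.db" || return 1
}

# True when the path still carries the "other write" bit, which is exactly
# what chmod 777 leaves behind. -prune keeps find from descending.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# Only change anything when invoked as: sh greylite-perms.sh apply
if [ "${1:-}" = "apply" ]; then
    if lock_down_greylite_db "$GREYLITE_DIR" "$SMTP_USER"; then
        echo "$GREYLITE_DIR and greylite.db now owned by $SMTP_USER, mode 0770/0660"
    else
        echo "failed: check that $SMTP_USER exists and $GREYLITE_DIR/greylite.db was created" >&2
        exit 1
    fi
fi
```

Run it as root after the sqlite3 -init step and before restarting the smtp service. If greylite still reports the database as read-only afterwards, the process is not running as the user you expect: compare the -u/-g arguments in /service/smtp/run with the owner you set.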