Monday, 6 August 2012

Post Installation Checklist of Qmail Server Part-1

1.     Check that all qmail services are running on the server and that their uptimes (the seconds counters) are the same.

[root@mail ~]# qmailctl stat
/service/qmail-send: up (pid 6480) 10591 seconds
/service/qmail-send/log: up (pid 6482) 10591 seconds
/service/qmail-smtpd: up (pid 6474) 10591 seconds
/service/qmail-smtpd/log: up (pid 6479) 10591 seconds
/service/qmail-pop3d: up (pid 6475) 10591 seconds
/service/qmail-pop3d/log: up (pid 6471) 10591 seconds
/service/qmail2-send: up (pid 6476) 10591 seconds
/service/qmail2-send/log: up (pid 6472) 10591 seconds
/service/qmail2-smtpd: up (pid 6466) 10591 seconds
/service/qmail2-smtpd/log: up (pid 6467) 10591 seconds

2.     DNS setup: email does not work without properly configured domain names, so configure the domain name(s) with proper MX records pointing to the new server before starting the email-server installation. This could be done just before the actual testing of the email server, but since it is critical, do it one step ahead.

3.     You need to create different scenarios for testing. The minimum set of test scenarios might look like this:

i) Test local to local: send an email to a local user using the same server. (From: localuser; To: localuser)
ii) Test remote to local: send an email to the newly created user from any outside server. (From: Gmail user; To: localuser)
iii) Test receiving emails: make sure you can receive both the email from test (i) and the one from test (ii).
iv) Test local to remote: send an email from the local server to a remote server and make sure it arrives there. (From: localuser; To: Gmail user)


4.     Check the logs: check the server logs during testing because they give a very good view of what is happening. For example, if a newly created user cannot log in, you will see "password incorrect" in the log, which tells you that an incorrect password is being typed, or "relay not allowed", which means your SMTP AUTH is not working or the client IP is not listed in the "tcp.smtp" file. The server log is the first place to look during the first test even if no obvious problems appear; we do not want to discover hidden silly problems after the system is put into production.

The main qmail log files:

/var/log/qmail/current
/var/log/qmail/smtpd/current
/var/log/qmail2/current
/var/log/qmail2/smtpd/current
/var/log/qmail/pop3d/current

5.     Check the ports:

Check which ports are open and listening on the mail server.

[root@mail ~]# nmap localhost

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2011-12-30 13:53 IST
Interesting ports on localhost (127.0.0.1):
(The 1647 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
199/tcp open  smux
443/tcp open  https
631/tcp open  ipp
825/tcp open  unknown
953/tcp open  rndc
993/tcp open  imaps
995/tcp open  pop3s

6.     Test Courier-authlib: first check that the created account is still there (without testing authentication):

[root@mail ~]# /home/vpopmail/bin/vuserinfo jitendrakumar@mydomain.in
name:   jitendrakumar
passwd: $1$6qh6nLgH$PjYHZzP/n/ofo9nyjNIQ2.
clear passwd: password
comment/gecos: Jitendra Kumar
uid:    1
gid:    0
flags:  0
gecos: Jitendra Kumar
limits: No user limits set.
dir:       /home/vpopmail/domains/mydomain.in/0/jitendrakumar
quota:     NOQUOTA
usage:     NOQUOTA
last auth: Tue Jan  3 13:39:51 2012
last auth ip: pop3

Now test the authentication process:

[root@mail ~]# /usr/local/src/courier-authlib-0.55/authtest jitendrakumar@mydomain.in
 Authentication succeeded.
 Authenticated: jitendrakumar@mydomain.in  (uid 507, gid 502)
 Home Directory: /home/vpopmail/domains/mydomain.in/0/jitendrakumar
           Maildir: (none)
           Quota: (none)
Encrypted Password: $1$6qh6nLgH$PjYHZzP/n/ofo9nyjNIQ2.
Cleartext Password: (none)
Options: disablewebmail=0,disablepop3=0,disableimap=0

This is the sign that authlib is working well.

7.     SMTP authentication: SMTP authentication lets us identify the sender of every email submitted through the server and helps stop anonymous email from getting through. It lets us control spam and viruses sent through our outgoing mail servers and protects the email service.

telnet 10.0.0.99 25
220 mail.mydomain.in ONLY SECURE MAIL ESMTP
EHLO TESTING
250-mail.mydomain.in ONLY SECURE MAIL
250-STARTTLS
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250-8BITMIME
250 SIZE 17000000

If you see the AUTH line, the server is advertising that capability. Next, try connecting and authenticating. First, generate the required Base64 string:

[root@mail ~]# perl -MMIME::Base64 -e 'print encode_base64("\000jitendrakumar\@mydomain.in\000AAA")'
AGppdGVuZHJha3VtYXJAY2RhY25vaWRhLmluAEFBQQ==

Next, connect and issue the AUTH command to log in:
telnet 10.0.0.99 25
220 mail.mydomain.in ONLY SECURE MAIL ESMTP
EHLO TESTING
250-mail.mydomain.in ONLY SECURE MAIL
250-STARTTLS
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250-8BITMIME
250 SIZE 17000000
AUTH PLAIN AGppdGVuZHJha3VtYXJAY2RhY25vaWRhLmluAEFBQQ==
235 ok, go ahead (#2.0.0)

If you see the 235 response, the login has succeeded.
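The perl one-liner and the EHLO reply above, covered by an added Python example that is not the post's own code: it builds and decodes the AUTH PLAIN token and parses the captured EHLO reply offline to confirm that AUTH and STARTTLS are both advertised. The EHLO text is copied from the page and the password "AAA" is the one encoded in the perl command; the token is Base64, not encryption, so AUTH PLAIN should only be sent after STARTTLS.

```python
"""Added example (not from the original post): offline helpers for the SMTP
AUTH check in step 7, using the EHLO reply captured on the page."""
import base64

# EHLO reply copied from the page, embedded so the check runs offline.
EHLO_REPLY = """250-mail.mydomain.in ONLY SECURE MAIL
250-STARTTLS
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250-8BITMIME
250 SIZE 17000000"""


def auth_plain_token(user, password, authzid=""):
    """RFC 4616 AUTH PLAIN initial response: base64(authzid NUL user NUL pass),
    the same bytes the perl one-liner produces. Base64 is encoding, not
    encryption, so the token should only be sent after STARTTLS."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token):
    """Reverse of auth_plain_token: shows the credentials are fully recoverable."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN token")
    return tuple(p.decode("utf-8") for p in parts)


def parse_ehlo(reply):
    """Map each EHLO keyword to its parameter list. The legacy 'AUTH=...' line
    (kept for old Outlook clients) is folded into the same 'AUTH' entry."""
    caps = {}
    lines = [l for l in reply.splitlines() if l.startswith(("250-", "250 "))]
    for line in lines[1:]:                       # lines[0] is the greeting
        keyword, *params = line[4:].replace("=", " ", 1).split()
        entry = caps.setdefault(keyword.upper(), [])
        for p in params:
            if p not in entry:
                entry.append(p)
    return caps


def auth_is_usable(caps):
    """Checklist rule: AUTH must be advertised and STARTTLS must be offered,
    so a client can encrypt the session before sending AUTH PLAIN/LOGIN."""
    return bool(caps.get("AUTH")) and "STARTTLS" in caps
```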


8.     chkuser testing: chkuser rejects a message if the sender domain in MAIL FROM has no valid MX record. This is a rare case, since spammers will try to use their own domain in the From field.

telnet 10.0.0.99 25
220 mail.mydomain.in ONLY SECURE MAIL ESMTP
mail from:jitendra@fake.com
511 sorry, can't find a valid MX for sender domain (#5.1.1 - chkuser)


9.     Password management: a password policy should be implemented in the qmail-admin package so that every user is forced to change their password to one of at least 8 characters including two special characters.

10.     Default user and domain quota: the default quota of every user in a domain is set with the following command (set the default user quota; '100M' = 100 MB). vmoddomlimits takes the domain as its last argument:

[root@mail ~]# /home/vpopmail/bin/vmoddomlimits -q 100M mydomain.in

The domain quota is set with the following command (set the domain disk quota; '100' = 100 MB):

[root@mail ~]# /home/vpopmail/bin/vmoddomlimits -Q 100 mydomain.in


11.     Open relay: relaying must be allowed only for localhost (and the server's own IP); all other IPs must be denied relaying.

[root@mail bin]# cat /etc/tcp1.smtp
127.:allow,RELAYCLIENT="",RBLSMTPD=""
10.0.0.99:allow,RELAYCLIENT="",RBLSMTPD=""
.:deny
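The relay rules above, evaluated the way tcpserver does, as an added Python example that is not the post's own code: it parses the file and reports which clients receive RELAYCLIENT. Note that tcprules' default rule has an empty address (a line starting with ':'); '.' is not an IPv4 prefix, so the '.:deny' line is never consulted and unmatched clients are accepted with no RELAYCLIENT, which is what inbound delivery from remote servers needs anyway. The client IPs in the checks are constructed, and host-name (=...) rules are ignored.

```python
"""Added example (not from the original post): evaluate a tcp.smtp rules file
the way tcpserver does: exact IP, then IP prefixes ending in '.' from longest
to shortest, then the default rule whose address is the empty string."""

# Constructed from the page's /etc/tcp1.smtp (RBLSMTPD spelled consistently).
TCP_SMTP = """127.:allow,RELAYCLIENT="",RBLSMTPD=""
10.0.0.99:allow,RELAYCLIENT="",RBLSMTPD=""
.:deny
"""

def parse_rules(text):
    """Map address -> (action, {ENV: value}); blank and '#' lines are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        action, *env_items = rest.split(",")
        env = {}
        for item in env_items:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[addr] = (action, env)
    return rules

def lookup(rules, ip):
    """Return the (action, env) rule tcpserver would apply to this IPv4 client,
    or None when nothing matches (tcpserver then accepts with no extra env)."""
    octets = ip.split(".")
    candidates = [ip]
    for n in range(len(octets) - 1, 0, -1):      # "10.0.0.", "10.0.", "10."
        candidates.append(".".join(octets[:n]) + ".")
    candidates.append("")                        # default rule, e.g. ":allow"
    for key in candidates:
        if key in rules:
            return rules[key]
    return None

def connection_allowed(rules, ip):
    """Only an explicitly matched deny rule drops the connection."""
    match = lookup(rules, ip)
    return match is None or match[0] != "deny"

def may_relay(rules, ip):
    """Relay is permitted only if the client is allowed and RELAYCLIENT is set."""
    match = lookup(rules, ip)
    return match is not None and match[0] == "allow" and "RELAYCLIENT" in match[1]
```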

12.     Test POP3: a POP3 connection can be tested as follows; the expected responses are shown.

telnet 10.0.0.99 110
+OK <19705.1325496378@mail.mydomain.in>
user jitendrakumar
+OK
pass password
+OK
quit
+OK

4 comments:

  1. Wow, Jitu Sir! Wonderful!!!!

  2. When are you going to tell us about Meghdoot????