H-Sphere Sysadmin Guide

Qmail Configuration
(version 2.4 and higher)
 

Related Docs:  

Introduction to H-Sphere Mail H-Sphere Mail Installation H-Sphere Mail To Do

Since version 2.4, H-Sphere offers enhanced Qmail SMTP server configuration. Most enhancements have been added to fight spam at the server level.

 Mail Flow Chart

Antivirus and Antispam Filters (SpamAssassin and ClamAV)

Starting with H-Sphere 2.4 Beta 7, the Qmail update incorporates SpamAssassin and ClamAV filters at the server level. It uses an improved qmail-queue patch concept, where the use of the QMAILQUEUE variable is replaced with checking recipient addresses against the clamavclients and spamdclients databases (see the drawing). H-Sphere users can add their mail addresses to the database to have them checked for spam and viruses. User-defined antispam preferences are stored in a MySQL database.

Mail is filtered by standalone clamd and spamd services. We had to get rid of the Qmail-Scanner perl wrapper, because it is rather heavy and unreliable for high load SMTP servers. Instead, we use clamdmail software, which is fast and adapted to working with clamd and/or spamd.

Updating Virus Patterns. Mail server cron has a script that updates virus patterns every day at 12AM. You can manually change the timing of the cron.

Enabling Antivirus and Antispam. ClamAV and Spamassasin have been added to H-Sphere as resources, and can be enabled and disabled from the control panel:

  1. Global Settings. In Info -> Global Resources, check Antispam and Antivirus and click Submit Query.
  2. Plans. In Info -> Plans select the plans where you would like to enable spam and virus protection. On the first page of the wizard, enable Antispam and Antivirus. Optionally, set prices for these resources on the subsequent steps.

Antivirus Configuration. To configure ClamAV at the server level, edit file /hsphere/local/config/mail/clamav/clamav.conf. The format and options of this file are fully described in the clamav.conf(5) manual. Remember - you must remove the "Example" directive. Be careful not to change the values of LocalSocket and TCPSocket.

Antispam Configuration. To configure SpamAssassin at the server level, edit file /hsphere/local/config/mail/spamassassin/local.cf as suggested in Spamassassin documentation. Note that external modules like bayes rules, razor2, dcc, and pyzor are not included, so please be careful not to enable related options.

User Settings. ClamAV and Spamassasin settings can be configured per maildomain and individual mailbox. Please see User Guide for details.

 

Integrated Antispam Addons

Besides SpamAssassin, H-Sphere 2.4 Qmail includes a series of third party and in-house antispam addons. This is the list for 2.4 Final:

In the upcoming versions, we are planning to add a series of other qmail patches.

 

Qmail Server Settings

Default Qmail server settings, including antispam options, can be configured in the admin control panel in the E.Manager/Mail Servers menu:

  1. Select Mail Servers from the E.Manager menu:

  2. Click the Action icon in the Mail Server Settings section:

  3. Edit qmail settings following on-screen explanations and click Submit:

    • tcpsessioncount: the number of concurrent SMTP connections.
      Default: 40. After setting this parameter, Qmail restart is required.
    • concurrencyremote: the number of qmail-send processes of message delivery to remote addresses.
      Default: 100. Max: 500. If Max is exceeded, Max value is set.
    • concurrencylocal: the number of qmail-send processes for message delivery to local addresses.
      Default: 50. Max: 500. If Max is exceeded, Max value is set.
    • databytes: maximum size of a message.
      Default: 0 (unlimited).
    • queuelifetime: the message queue lifetime in seconds.
      Default: 604800 (1 week).
    • bouncefrom: the email user messages are bounced from.
      Default: MAILER-DAEMON;
    • maxrecepients: maximum number of recipients in the "TO:", "CC:", and "BCC" fields.
      Default: 0 (unlimited).
    • timeoutsmtpd: TCP connection timeout in seconds.
      Default: 1200.
    • newline: accept or reject mail from mail user agents (MUA) that send commands without CR (carriage return).
      Default: 0 (disabled);
    • stripsinglequotes: enable or disable stripping single quotes (referred to in the spamcontrol manual as the feature that may cause unpredictable results).
      Default: 0 (disabled);
    • lowercase: enable or disable conversion of mail address to lowercase; it may be useful in filtering patterns, for case-sensitive rules.
      Default: 0 (disabled).
    • badmailfrom: list of sender addresses whose emails will be rejected. A line in badmailfrom may be of the form @host, meaning every address at host.
      Default: the badmailfrom file is absent (all sender addresses are allowed);
    • badmailpatterns: the same as standard badmailfrom but with patterns. Example: 
                        *@earthlink.net
                  !fred@earthlink.net
                  [0-9][0-9][0-9][0-9][0-9]@[0-9][0-9][0-9].com
                  answerme@save*
                  *%*;
      Default: the badmailpatterns file is absent (all sender addresses are allowed);
    • badmailfrom-unknown: if the domain part of sender's address matches a host in this list, qmail checks if sender's IP has a PTR record. Example
      Default: the badmailfrom-unknown file is absent (reverse DNS check is disabled for all IPs);
    • badrcptto: list of recepient addresses for which all mail is blocked. A line in badrecipient may be of the form @host, meaning every address at the host.
      Default: the badrcptto file is absent (no recepient addresses are blocked);
    • badrcptpatterns: the same as badrcptto but with patterns. It allows qmail-smtpd to reject SPAM E-Mail including the signature 
                        *\[dd.dd.dd.dd\]*
      in the badrcptpatterns file, where dd.dd.dd is the IP address in brackets. Default: the badrcptpatterns file is absent (no recepient addresses are blocked);
    • blackholedsender: the same as badmailpatterns but quits the session immediately even if quitasap is disabled;
    • relayclients: list of IP addresses of clients allowed to relay mail through this host. Addresses in relayclients may be wildcarded: 
                        192.168.0.1:
                  192.168.1.:
      Default: the relayclients file is absent (all client IPs are allowed to relay mail via this host);
    • relaydomains: list of host and domain names allowed to relay mail through this host. This is an additional mail relay check by the domain name, in case if relay via the tcp.cdb static relay database is forbidden.
      Addresses in relaydomains may be wildcarded: 
                        heaven.af.mil:
                  .heaven.af.mil:
      Default: the relaydomains file is absent (all domains are allowed to relay mail);
    • relaymailfrom: list of senders ("Mail From:") allowed to relay independently even if open relay is closed. Entries in relaymailfrom can be E-Mail addresses, or just the domain (with the @ sign). Unlike relaydomains, native addresses should be entered. Examples: 
                        joeblow@domain1.com
                  @domain2.com
      Default: the relaymailfrom file is absent (no senders are allowed to relay independently).
      Important: For antispam security reasons, we strongly recommend not to add this parameter to SMTP configuration.
    • quitasap: enables (1) or disables (0) quitting SMTP session immediately if one of the above rules works.
      Default: 0 (no quitting);
    • tarpitcount: the number of recepients after which qmail switches on delay before sending the message to the next portion of recipients.
      Default: 0 (no tarpitting);
    • tarpitdelay: tarpitdelay is the time in seconds of delay to be introduced after each subsequent RCPT TO:.
      Default: 5.
    • ( in 2.4 beta 7) mfdnscheck: enables (1) or disables (0) DNS check of domain name in sender's address. If enabled, no local domain check is performed.
      Default: 0 (disabled);
    • nomfdnscheck: list of domain names that aren't checked for existence. The list has the same format as for relaymailfrom.
      Default: the nomfdnscheck file is absent (if mfdnscheck is enabled, all domains are checked for existence);
    • ( in 2.4 beta 7) userchk: enables (1) or disables (0) check that the vpopmail recipient is valid before accepting the message.
      Default: 0 (disabled);
    • smtpauth: enables SMTP AUTH extension.
      Default: 0 (AUTH LOGIN/PLAIN/CRAM-MD5 SMTP extension is disabled);
    • smdcheck: allows only local domains in the MAIL FROM address if mail is sent remotely.
      Default: 0 (any sender address is allowed);
    • authsender: demands that domain name in the user address during SMTP authentication should coincide with the domain name in the MAIL FROM address field.
      Default: 0 (any sender address is allowed);
    • popbeforesmtp: allows simultaneous POP-BEFORE-SMTP and SMTP AUTH authentication and uses the one that was established first.
      Default: 1 (POP-BEFORE-SMTP mode is on).
      Important: To allow POP-BEFORE-SMTP, set this parameter to 1.
    • rblhosts: RBL (Remote Black List) database hosts. Example: 
                        dnsbl.njabl.org
                  spamguard.leadmon.net
      Default: the rblhosts file is absent (RBL check is disabled: no external RBL databases is being checked).

Values can be of three types:

  • Text: can be either a line, like @12.34.56.78, or a list, for example a list of addresses in badmailfrom.
    badmailfrom is the file that containts a list of senders mail isn't accepted from.
  • Number, like 1000 in databytes.
    databytes is the file that contains the maximum allowed size of a message.
  • Boolean, like 0 or 1 in smtpauth.
    0 disables SMTP Auth, 1 enables it.
    Note: 0 is also set by default if the corresponding control file is absent.

Thus, for example, if you have to enable SMTP Auth, you create/modify the /var/qmail/control/smtpauth control file and put 1 in it. To disable SMTP Auth, put 0 in the control file or just delete the control file.

Also, text values may contain patterns: wildcard expressions to set the range of emails, domains and IPs for filtering rules.

Control characters in patterns:

  • Exclamation mark (!): allows you to INCLUDE particular clients/addresses by simply putting an exclamation mark (!) as first character in the line.
  • Asterisk (*): General pattern matching character; one or more preceding.
  • Question Mark (?): Match zero or one preceding.
  • Backslash (\): Literal expression of following character, eg. \[.
  • Match one from a set ([...]): i.e. [Ff][Aa][Kk][Ee] matches FAKE, fake, FaKe, FAKe etc.

As an example of patterns, see the canonical method filter for spam e-mail in README_SPAMCONTROL

 

Command Line Qmail Configuration

Qmail installation directory is usually /var/qmail/.

In H-Sphere before 2.4 patch 2, SMTPd configuration files are located in the /var/qmail/control directory. They are also called control files. Each SMTP parameter is configured in its own control file with the same name, for example, /var/qmail/control/smtpauth for smtpauth parameter.

In H-Sphere 2.4 patch 2, all controls were gathered and placed in one configuration file, /var/qmail/control/options.

To view SMTP server configuration, run the qmail-showctl utility, under root:

# /var/qmail/bin/qmail-showctl

You will get the list of SMTP parameters. Each line in the list has the following format:

smtp_parameter: [(Default.)] Value

Each stmp_parameter may be set in its own control file with the same name located in the /var/qmail/control directory.. The file contains the parameter's value. If the file is not found, the default value is taken and the default notification (Default.) shows up in the configuration list.

 

Related Docs:  

Introduction to H-Sphere Mail H-Sphere Mail Installation H-Sphere Mail To Do



© Copyright 1998-2004. Positive Software Corporation.
All rights reserved.