yurtesen
Guest
NOTICE: Use this information at your own risk!
Hello,
One of my friends thought DrWeb was very expensive; he was using Plesk and wanted to change to ClamAV. But we thought qmail-scanner is clumsy, so we decided to have an innovative solution. I just thought this information could be helpful to all of you who use Plesk, so here it is...
The information applies to FreeBSD; however, with little change anybody can use it on Linux as well.
Also, you must use your imagination a little bit; I didn't have time to write all the details.
How it works:
Exim receives the mail. Exim checks that the domain exists and that the user exists before accepting the e-mail. Then, after doing fancy mail scanning etc., it forwards to Plesk's qmail. It seems like the operation is done twice, but qmail uses almost no resources in any case, so...
Also, SMTP AUTH etc. works fine with this configuration.
Now, once Exim is in place, you can do all kinds of fancy stuff like rate limiting etc., and use RBLs from there if you want.
I also figured out that qmail wasn't checking whether the user existed before accepting mail. With my Exim configuration, Exim doesn't accept mail for users who don't exist, saving bandwidth and queue space.
Thanks,
Evren
First go to /usr/ports/security/clamav and install it.
Then go to /usr/ports/mail/exim.
Use make install with the following options (unless you need something more):
make install WITH_MYSQL=yes WITH_MYSQL_VER=41 WITHOUT_OLD_DEMIME=yes WITHOUT_IPV6=yes WITHOUT_PAM=yes WITHOUT_AUTH_CRAM_MD5=yes WITHOUT_AUTH_SPA=yes WITHOUT_MAILDIR=yes WITHOUT_MAILSTORE=yes WITHOUT_MBX=yes WITHOUT_CDB=yes WITHOUT_DNSDB=yes WITHOUT_DSEARCH=yes WITHOUT_LSEARCH=yes WITHOUT_NIS=yes WITHOUT_PASSWD=yes WITHOUT_LMTP=yes WITH_CONTENT_SCAN=yes
Unfortunately we need the MySQL client library from ports, since for some weird reason I couldn't compile it with the includes in the psa/mysql directory... Just let it install it; it won't harm a thing.
Copy this to /usr/local/etc/exim and make the necessary settings if you want TLS:
/usr/local/psa/qmail/control/servercert.pem
Some configuration directives you might find very useful. You have to figure out yourself where to put these, though; I didn't want to put my whole conf file here since it has millions of other unrelated things too...
# MySQL connection parameters: host/database/user/password
# (the password must match the one given to the exim user in the GRANT statements below)
hide mysql_servers = 127.0.0.1/psa/exim/mypassword
# clamd via its Unix socket
av_scanner = clamd:/var/run/clamav/clamd
# Domains hosted by Plesk that are active and have an active mail service.
# $domain comes straight from the SMTP client; Exim does not quote values it
# inserts into lookup queries, so it is escaped with ${quote_mysql:...}.
domainlist relay_to_domains = ${lookup mysql{SELECT A.name FROM `domains` A, `DomainServices` B \
    WHERE B.dom_id = A.id AND A.status = 0 AND B.type = 'mail' AND \
    B.status = 0 AND A.name = '${quote_mysql:$domain}'}}
# Accept if the address is in a domain for which we are an incoming relay,
# but again, only if the recipient can be verified (a mailbox row exists in Plesk).
# 550 is the standard "mailbox unavailable" reply; 511 is not a defined SMTP code.
# $local_part and $domain are untrusted input and are escaped with ${quote_mysql:...}.
accept domains = +relay_to_domains
       endpass
       message = 550 sorry, no mailbox here by that name (#5.1.1)
       condition = ${if =={1}{${lookup mysql{SELECT count(A.id) FROM `accounts` A, mail B, domains C \
           WHERE B.account_id = A.id AND B.dom_id = C.id AND CONCAT(B.mail_name, '@', C.name) \
           = '${quote_mysql:$local_part}@${quote_mysql:$domain}'}}}}
# Router: hand everything for our domains to Plesk's qmail on this host.
# self = send is needed because 127.0.0.1 is the local host itself.
qmail_manual_route:
  driver = manualroute
  domains = +relay_to_domains
  transport = qmail_smtp
  route_data = 127.0.0.1
  self = send
# This transport delivers mail to qmail running on port 24
# (restricted to localhost via inetd/hosts.allow below)
qmail_smtp:
  driver = smtp
  port = 24
# ESMTP AUTH (PLAIN and LOGIN) checked against the Plesk mailbox tables.
# The stored password is compared directly, which only works while Plesk keeps
# mailbox passwords in plain text. The client-supplied user name is inserted
# into the query, so it is escaped with ${quote_mysql:...}.
# To offer these mechanisms only after STARTTLS, add to each authenticator:
#   server_advertise_condition = ${if def:tls_cipher}
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = "${if and { \
      {!eq{$2}{}} \
      {!eq{$3}{}} \
      {eq{$3}{${lookup mysql{SELECT A.password FROM `accounts` A, mail B, domains C \
          WHERE B.account_id = A.id AND B.mail_name = '${quote_mysql:${local_part:$2}}' \
          AND B.dom_id = C.id AND C.name = '${quote_mysql:${domain:$2}}'}{$value}fail}}} \
      } {yes}{no}}"
  server_set_id = $2
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = "${if and { \
      {!eq{$1}{}} \
      {!eq{$2}{}} \
      {eq{$2}{${lookup mysql{SELECT A.password FROM `accounts` A, mail B, domains C \
          WHERE B.account_id = A.id AND B.mail_name = '${quote_mysql:${local_part:$1}}' \
          AND B.dom_id = C.id AND C.name = '${quote_mysql:${domain:$1}}'}{$value}fail}}} \
      } {yes}{no}}"
  server_set_id = $1
Put the above stuff in the Exim configuration file where needed.
Go to /etc/inetd.conf and disable smtp and smtps;
change smtp to qmail (for example).
Go to /etc/services, find 24/tcp and change # to qmail (must be the same as in inetd.conf).
Go to /etc/hosts.allow and insert these before allowing all:
# qmail (port 24, started through tcp-env) may only be reached from localhost
tcp-env : localhost 127.0.0.1 : allow
tcp-env : ALL : deny
SQL statements needed to create the exim client user:
-- the password must match the one in mysql_servers in the Exim configuration
GRANT USAGE ON *.* TO 'exim'@'localhost' IDENTIFIED BY 'exim001' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0;
GRANT SELECT (`id`, `password`) ON `psa`.`accounts` TO 'exim'@'localhost';
GRANT SELECT (`mail_name`, `account_id`, `dom_id`) ON `psa`.`mail` TO 'exim'@'localhost';
GRANT SELECT (`id`, `name`, `status`) ON `psa`.`domains` TO 'exim'@'localhost';
-- the relay_to_domains lookup also reads DomainServices, so that table needs a grant too
GRANT SELECT (`dom_id`, `type`, `status`) ON `psa`.`DomainServices` TO 'exim'@'localhost';
If I am not forgetting anything, you should be ready to go.
Be careful if the lines are wrapped or something... it might not be a nice surprise. You can test Exim locally without even running it before enabling it. Check the Exim documents for how to do this.
Any comments are welcome.
Evren
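Added example (not part of the post above, and not Plesk or Exim code): the three decisions the posted Exim configuration delegates to MySQL, modelled in Python against an in-memory SQLite copy of the four psa tables the post's queries read, with constructed rows. It shows the relay_to_domains check, the RCPT-time mailbox check and the AUTH password comparison, plus the failure mode of splicing $local_part, $domain or the AUTH user name into the SQL text unquoted: an RFC-valid address with an apostrophe breaks the statement (in Exim the lookup expansion fails and the RCPT cannot get a proper verdict), and any sender can alter the query the same way. The bound-parameter versions correspond to wrapping those variables in Exim's ${quote_mysql:...} operator. Table and column names are taken from the post's queries; the rows, the function names, and SQLite's `||` standing in for MySQL CONCAT are assumptions of this example.

```python
import hmac
import sqlite3

# Constructed miniature of the Plesk "psa" tables used by the post's queries.
# Column names follow the queries in the post; the rows are made up.
SCHEMA = """
CREATE TABLE domains        (id INTEGER PRIMARY KEY, name TEXT, status INTEGER);
CREATE TABLE DomainServices (dom_id INTEGER, type TEXT, status INTEGER);
CREATE TABLE accounts       (id INTEGER PRIMARY KEY, password TEXT);
CREATE TABLE mail           (account_id INTEGER, dom_id INTEGER, mail_name TEXT);
INSERT INTO domains        VALUES (1, 'example.com', 0);
INSERT INTO domains        VALUES (2, 'suspended.example', 1);  -- status != 0: disabled
INSERT INTO DomainServices VALUES (1, 'mail', 0);
INSERT INTO DomainServices VALUES (2, 'mail', 0);
INSERT INTO accounts       VALUES (10, 'alice-pw');
INSERT INTO accounts       VALUES (11, 'obrien-pw');
INSERT INTO mail           VALUES (10, 1, 'alice');
INSERT INTO mail           VALUES (11, 1, 'o''brien');           -- valid local part with a quote
"""


def open_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def domain_accepted(conn, domain):
    """relay_to_domains: the domain exists, is active and has an active mail service."""
    row = conn.execute(
        "SELECT A.name FROM domains A, DomainServices B "
        "WHERE B.dom_id = A.id AND A.status = 0 AND B.type = 'mail' "
        "AND B.status = 0 AND A.name = ?", (domain,)).fetchone()
    return row is not None


def recipient_exists_unsafe(conn, local_part, domain):
    """The post's RCPT check with the address spliced into the SQL text,
    which is what an Exim lookup does when $local_part/$domain are unquoted."""
    sql = ("SELECT count(A.id) FROM accounts A, mail B, domains C "
           "WHERE B.account_id = A.id AND B.dom_id = C.id "
           f"AND (B.mail_name || '@' || C.name) = '{local_part}@{domain}'")
    return conn.execute(sql).fetchone()[0] == 1


def recipient_exists(conn, local_part, domain):
    """Same check with the address passed as a bound parameter; the Exim
    equivalent is ${quote_mysql:$local_part} and ${quote_mysql:$domain}."""
    row = conn.execute(
        "SELECT count(A.id) FROM accounts A, mail B, domains C "
        "WHERE B.account_id = A.id AND B.dom_id = C.id "
        "AND (B.mail_name || '@' || C.name) = ?",
        (f"{local_part}@{domain}",)).fetchone()
    return row[0] == 1


def rcpt_decision_unsafe(conn, local_part, domain):
    """Verdict the unquoted variant produces. A quote in the local part breaks
    the statement: the lookup errors out instead of answering accept/reject."""
    try:
        return "accept" if recipient_exists_unsafe(conn, local_part, domain) else "reject"
    except sqlite3.OperationalError:
        return "lookup-error"


def auth_ok(conn, username, password):
    """PLAIN/LOGIN server_condition: split user@domain (like Exim's local_part:
    and domain: operators), fetch the stored password and compare it. The
    comparison is direct because Plesk of that era stored mailbox passwords
    in clear text; compare_digest avoids a timing side channel."""
    local_part, _, domain = username.rpartition("@")
    row = conn.execute(
        "SELECT A.password FROM accounts A, mail B, domains C "
        "WHERE B.account_id = A.id AND B.mail_name = ? "
        "AND B.dom_id = C.id AND C.name = ?", (local_part, domain)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode(), password.encode())


if __name__ == "__main__":
    conn = open_db()
    for dom in ("example.com", "suspended.example", "nowhere.example"):
        print(f"relay_to_domains {dom}: {domain_accepted(conn, dom)}")
    print("unquoted o'brien@example.com:", rcpt_decision_unsafe(conn, "o'brien", "example.com"))
    print("quoted   o'brien@example.com:", recipient_exists(conn, "o'brien", "example.com"))
    print("AUTH alice:", auth_ok(conn, "alice@example.com", "alice-pw"))
```

Run it with python3. The unquoted variant returns "lookup-error" for o'brien@example.com while the bound-parameter version returns True; alice@example.com authenticates only with the stored password, and a user name without an @ never matches.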