Secure Email system setup based on FreeBSD operating system

Source: Internet
Author: User
Tags: unpack, qmail

Qmail is the second most widely installed mail server software in the world, after Sendmail (the default on Linux/Unix). Qmail is simpler to configure than Sendmail and faster, so for this mail system I chose Qmail as the core of the mail server.

A mail server has three main functions: the mail transport agent (MTA), the mail delivery agent (MDA) and the mail user agent (MUA). The Qmail package implements these three basic functions. It implements only the basics, however, and lacks features that many mail servers need. Some of these are security and anti-spam features, such as SMTP authentication, APOP, relay control and restricting clients by IP address; others are extended functions such as webmail, virtual domains, database-backed user management, mailing lists and automatic forwarding.

Fortunately, Qmail is now popular and many free-software communities have grown up around it. These self-organized groups have developed patches and add-on packages that make up for Qmail's shortcomings. The main ones are:

ucspi-tcp-0.88 (the tcpserver service program, which provides the IP address restriction function)
checkpassword-0.81 (verifies the POP3 user name and password against /etc/passwd)
ezmlm-0.53 (support for the mailing list feature)
vpopmail-5.2.2 (important: provides support for virtual domains and database-backed users)
qmailadmin-0.35 (Web management tool for virtual domains)
autorespond-1.0.0 (auto-reply program, needed by ezmlm)
sqwebmail-1.2.0 (a CGI webmail system)
vqsignup-0.4 (provides Web-based user mailbox registration)
qmail-smtpd-auth-0.26 (provides SMTP authentication)
cmd5checkpw-0.22 (the CRAM-MD5 password checker used for SMTP authentication)

Because so much software is involved in the installation, you will feel lost if you cannot work out the role each program plays in the mail server. The architecture of the basic Qmail system and of the whole mail system is shown in Figure 1 and Figure 2:

Figure 1 Basic Function Structure of Qmail

Figure 2 Overall email server architecture
With these diagrams in mind, the software installation and debugging will feel much clearer.

You must have DNS support before installation. If your server's IP address is not resolved by DNS, you can run the named daemon as your own DNS server, assign yourself a domain name, and put your own IP address in /etc/resolv.conf. The name used here is mail.itp.swjtu.edu.cn.
First, install the basic Qmail system. The detailed steps are as follows (replace mail.itp.swjtu.edu.cn with the domain name of your own mail server):
Create the necessary users and groups (the shell /nonexistent means none of these accounts can log in):
# pw groupadd nofiles
# pw useradd alias -g nofiles -d /var/qmail/alias -s /nonexistent
# pw useradd qmaild -g nofiles -d /var/qmail -s /nonexistent
# pw useradd qmaill -g nofiles -d /var/qmail -s /nonexistent
# pw useradd qmailp -g nofiles -d /var/qmail -s /nonexistent
# pw groupadd qmail
# pw useradd qmailq -g qmail -d /var/qmail -s /nonexistent
# pw useradd qmailr -g qmail -d /var/qmail -s /nonexistent
# pw useradd qmails -g qmail -d /var/qmail -s /nonexistent

Create the installation directory and unpack the source package:
# mkdir /var/qmail // the default installation directory is /var/qmail
# tar zxvf qmail-1.03.tar.gz // unpack the source code
# cd qmail-1.03 // enter the source directory

Compile and install:
# make setup check // build, install and copy the files
# ./config-fast mail.itp.swjtu.edu.cn // write the domain name into the files under /var/qmail/control
# (cd ~alias; touch .qmail-postmaster .qmail-mailer-daemon .qmail-root) // create the three aliases Qmail requires
# chmod 644 ~alias/.qmail*

Copy the start-up script for the delivery side:
# cp /var/qmail/boot/home /var/qmail/rc // copy the home script to the default start-up location
# csh -cf '/var/qmail/rc &' // start the MDA section (qmail-start, which runs qmail-send and its helpers)

Because there are two popular mailbox formats, /home/$user/Mailbox and /home/$user/Maildir/, the delivery agent (MDA) must be told in /var/qmail/rc which one to deliver into. Mailbox stores all of $user's mail in a single file, while Maildir/ stores each message as a separate file in a directory, which is more efficient and less error-prone than the former, so we recommend the Maildir/ format. The rc file uses the Mailbox format by default, so open it, replace './Mailbox' with './Maildir/', save it, kill qmail-send and the other processes started by rc, and restart the MDA.
Start the SMTP module with inetd:
This is equivalent to running /var/qmail/bin/tcp-env /var/qmail/bin/qmail-smtpd
Edit /etc/inetd.conf, find the smtp line and remove the leading comment "#", then run
# killall -HUP inetd // restart the inetd service to bring SMTP up

By now you can connect to the SMTP service with a mail client such as Foxmail. At this point the whole server has no verification function at all: any user can connect, and mail to any address is relayed.
Because no tool for checking user names and passwords has been installed yet, if you only want to authenticate against FreeBSD's own user and password file (/etc/passwd), just install the checkpassword tool:
# tar zxvf checkpassword-0.81.tar.gz // unpack
# cd checkpassword-0.81
# make // compile the source code
# make setup check // install: copies checkpassword into /bin/

After the installation is complete, run the following command to test whether checkpassword works properly.
(Note: qmail-popup is invoked as "qmail-popup <server domain name> <subprogram>". Here the domain name is mail.itp.swjtu.edu.cn and the subprogram is the verification program checkpassword, followed by the program checkpassword should run once the password is accepted, here pwd.)
# /var/qmail/bin/qmail-popup mail.itp.swjtu.edu.cn /bin/checkpassword pwd
+OK <...@mail.itp.swjtu.edu.cn>
user zhp // enter the user name 'zhp'
+OK
pass friend // enter the password 'friend'
/usr/home/zhp // on success checkpassword runs pwd in the user's home directory, so the home directory of user zhp is printed
-ERR authorization failed // if authentication fails, this is displayed instead

If it works properly, add the POP3 service to /etc/inetd.conf. Append the following line (written as one line, with no line break in the middle) and restart the inetd service with "# killall -HUP inetd":
pop3 stream tcp nowait root /var/qmail/bin/qmail-popup qmail-popup mail.itp.swjtu.edu.cn /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir
(In FreeBSD's inetd.conf the argument field starts with argv[0], the program name, which is why qmail-popup appears twice; the last argument must be the mailbox directory name chosen in /var/qmail/rc.)
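The test session above shows only the outside of the hand-off between qmail-popup and its subprogram. The following added example (written for this page, not taken from the article or from any of the packages it installs) plays qmail-popup's role against a constructed Python stand-in for checkpassword, using the real checkpassword interface: the credentials travel as user NUL password NUL timestamp NUL on file descriptor 3, never on the command line or in the environment where other local users could read them with ps, and the checker answers only with its exit status (0 accepted, 1 rejected, 2 misuse). The user table and credentials are constructed; the same driver can be pointed at /bin/checkpassword or vchkpw.

```python
import os
import subprocess
import sys
import time

# Constructed stand-in for /bin/checkpassword (example code, not the real program).
# It speaks checkpassword's interface: read "user\0password\0timestamp\0" from
# file descriptor 3, check the pair, exit 0 if accepted, 1 if rejected, 2 on a
# malformed request. Like the real program it execs its arguments on success
# (qmail-popup passes qmail-pop3d there); the demo below passes none.
CHECKER_SRC = r'''
import os, sys
USERS = {b"zhp": b"friend"}            # constructed sample credential
data = b""
while True:
    chunk = os.read(3, 512)
    if not chunk:
        break
    data += chunk
    if len(data) > 512:                # checkpassword refuses oversized requests
        sys.exit(2)
parts = data.split(b"\0")
if len(parts) < 4:                     # user, password, timestamp, trailing empty
    sys.exit(2)
if USERS.get(parts[0]) != parts[1]:
    sys.exit(1)
if len(sys.argv) > 1:
    os.execvp(sys.argv[1], sys.argv[1:])
sys.exit(0)
'''


def run_checkpassword(user, password, checker_argv=None):
    """Play qmail-popup's part: hand the credentials to the checker on fd 3 and
    return its exit status. Defaults to the constructed checker above; pass
    ["/bin/checkpassword", "/bin/true"] (as root) to drive the real one."""
    if checker_argv is None:
        checker_argv = [sys.executable, "-c", CHECKER_SRC]
    payload = b"\0".join([user.encode(), password.encode(),
                          str(int(time.time())).encode(), b""])
    rfd, wfd = os.pipe()
    os.write(wfd, payload)             # a few dozen bytes, fits the pipe buffer
    os.close(wfd)                      # so the child sees EOF after the payload
    proc = subprocess.Popen(
        checker_argv,
        pass_fds=(rfd, 3),             # keep the pipe and fd 3 open across exec
        preexec_fn=lambda: os.dup2(rfd, 3),  # and make the pipe fd 3 in the child
    )
    os.close(rfd)
    return proc.wait()


def demo():
    """Three attempts against the constructed checker; returns their exit codes."""
    return {
        "good": run_checkpassword("zhp", "friend"),
        "bad_password": run_checkpassword("zhp", "guess"),
        "unknown_user": run_checkpassword("nobody", "friend"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the verdict is carried in the exit status and the credentials only ever pass over a private pipe, any checker that follows this contract (checkpassword, vchkpw, cmd5checkpw) can be swapped in behind qmail-popup without touching qmail itself.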

At this stage your server can already handle basic sending and receiving over SMTP and POP3. Test it with Foxmail; if everything goes well, continue.
The next step is to use the vpopmail package so that the server supports virtual domains. At this stage the mail server can only serve users who have FreeBSD accounts, and it supports only the single domain mail.itp.swjtu.edu.cn. Adding a system account for every new mail user not only wastes resources but also creates security risks. vpopmail provides the virtual-domain function and replaces /etc/passwd-based authentication with authentication against /home/vpopmail/domain/%domain%/passwd.cdb (vpopmail installs into /home/vpopmail by default; %domain% is the virtual domain you create). You can also choose to store user records in a database; below, the MySQL database is used as the example.

For simplicity, I assume here that the MySQL server is already installed and working properly. We only need to install and configure vpopmail.

Unpack the package, create the accounts it needs, then configure it for MySQL-based authentication, compile and install it:
# tar zxvf vpopmail-5.2.2.tar.gz
# cd vpopmail-5.2.2
# pw groupadd -g 89 vchkpw // create the group vchkpw
# adduser vpopmail // create the user vpopmail; adduser also creates the home directory /home/vpopmail, so pw useradd is not needed (give it uid 89 and group vchkpw, the ids used with tcpserver's -u/-g later)
# ./configure --enable-mysql=y --enable-roaming-users=y
// declare MySQL authentication and support for roaming users; configure checks that the vpopmail user exists, which is why the accounts are created first
# make // compile
# make install-strip // install into /home/vpopmail

Once vpopmail is installed, checkpassword naturally "retires". The module that replaces it in vpopmail is vchkpw. Edit /etc/inetd.conf again and change the pop3 line set above to the following (one line, no line break in the middle):
pop3 stream tcp nowait root /var/qmail/bin/qmail-popup qmail-popup mail.itp.swjtu.edu.cn /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir

Run killall -HUP inetd to restart inetd; authentication is now done against the MySQL database. Of course we have no domains or users yet, so it is too early to talk about authentication. Create a domain and a user with the following commands:
# cd /home/vpopmail/bin
# ./vadddomain mail.itp.swjtu.edu.cn 123456 // create the virtual domain (the second argument is the postmaster password); on the first run the vpopmail database is created in MySQL
# ./vadduser zhp@mail.itp.swjtu.edu.cn friend // create user zhp with password friend

(Note: when connecting to the database, vpopmail may wrongly look for /usr/local/mysql/tmp/mysql.sock as the channel to MySQL. If mysql.sock was actually installed at /tmp/mysql.sock, create a symbolic link with
# mkdir /usr/local/mysql/tmp
# ln -s /tmp/mysql.sock /usr/local/mysql/tmp/mysql.sock

The specific problem must be analysed case by case.)

Using vadddomain and vadduser to add users to the MySQL database instead of to /etc/passwd is actually quite sophisticated, but we cannot bother the administrator every time one user is added! To make registration easier, the vqsignup package provides Web-based registration. It of course requires a Web server, and the well-known Apache is the best choice.

If vpopmail and Apache are both installed in their default directories, /home/vpopmail and /usr/local/apache, installing this package is simple:
# tar zxvf vqsignup-0.5.tar.gz
# cd vqsignup-0.5
# make
# make install

If your Apache is installed elsewhere, such as /usr/local/www, find the Makefile and change cgibindir=/usr/local/apache/cgi-bin to cgibindir=/usr/local/www/cgi-bin.
You may need to change the permissions of the CGI so that the registration page works in the browser:
# cd /usr/local/apache/cgi-bin/vqsignup
# chown vpopmail vqsignup.cgi
# chgrp vchkpw vqsignup.cgi
# chmod ug+s vqsignup.cgi // set-uid/set-gid, so the CGI runs with vpopmail's rights and can call the vpopmail tools

To be frank, you still need to edit vqsignup.html and replace 'test.com' and the like; there are also some path problems the package has not handled well. I am not clear about this myself; anyone who knows a bit about Web pages should be able to deal with it easily, and the message files in the html folder can be simplified and made prettier. After installation, open
http://mail.itp.swjtu.edu.cn/vqsignup.html

Figure 3 vqsignup new user registration page
There is a problem with starting SMTP and POP3 from inetd: the visitor's IP address cannot be restricted, which is certainly an insecure factor. Therefore many mail servers use the tcpserver tool to protect themselves from malicious access. The installation process is:
# tar zxvf ucspi-tcp-0.88.tar.gz
# cd ucspi-tcp-0.88
# make // compile
# make setup check // the tcpserver executable is installed in /usr/local/bin

Now change how POP3 runs: first delete the pop3 line from /etc/inetd.conf or comment it out with '#', and run killall -HUP inetd to stop POP3. Then create the script /pop3.sh with the following line (one line, no line break in the middle):
/usr/local/bin/tcpserver -H -R 0 pop3 /var/qmail/bin/qmail-popup mail.itp.swjtu.edu.cn /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir &

You only need to understand the parameters (-H and -R skip the reverse DNS and ident lookups for each connection; 0 means listen on all local addresses). After saving the file, use chmod +x /pop3.sh to make it executable, then run sh /pop3.sh. POP3 now runs in the background.
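The -H and -R flags only affect lookups; what actually restricts clients is a rules file compiled with tcprules and passed to tcpserver with -x, as the SMTP script later in this article does with /etc/tcp.smtp.cdb. The following added example (written for this page, not part of ucspi-tcp or of the article) models how tcpserver matches a client address against such a file, so a rules file can be checked before it goes live. It covers the IP-based keys only (exact address, dotted prefixes, the empty default) and leaves out the host-name forms that need -h/-p; the three rules files and the client addresses are constructed.

```python
def parse_tcprules(text):
    """Parse the text form of a tcprules file: one rule per line,
    address:instruction[,NAME="value"...]; '#' lines and blanks are ignored."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, body = line.partition(":")
        instr, *settings = body.split(",")
        env = {}
        for setting in settings:
            name, _, value = setting.partition("=")
            env[name] = value.strip('"')   # tcprules writes values as "..."
        rules[addr] = (instr.strip(), env)
    return rules


def lookup(rules, ip):
    """Try the keys in the order tcpserver does for an IPv4 client: the exact
    address, then shorter and shorter prefixes ending in a dot, then ''."""
    octets = ip.split(".")
    keys = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in rules:
            return key, rules[key]
    return None, ("allow", {})         # tcpserver allows when nothing matches


def decision(rules, ip):
    """What a connection from ip gets: accepted or not, and whether the
    RELAYCLIENT variable (which makes qmail-smtpd relay for it) would be set."""
    key, (instr, env) = lookup(rules, ip)
    return {"matched": key,
            "accept": instr == "allow",
            "relay": instr == "allow" and "RELAYCLIENT" in env}


# Constructed rules files. The first is the classic mistake: RELAYCLIENT is set
# for every client, so qmail-smtpd relays anybody's mail (an open relay).
OPEN_RELAY = ':allow,RELAYCLIENT=""\n'

# Corrected: only the server itself relays unconditionally. Everyone else may
# connect, but gets RELAYCLIENT only after qmail-smtpd-auth accepts a login.
SMTP_RULES = '127.:allow,RELAYCLIENT=""\n:allow\n'

# For POP3: admit one (constructed, documentation-range) campus prefix and drop
# all other clients at connect time, before any password is even asked for.
POP3_RULES = '192.0.2.:allow\n:deny\n'


if __name__ == "__main__":
    for name, text in (("open relay", OPEN_RELAY), ("smtp", SMTP_RULES),
                       ("pop3", POP3_RULES)):
        rules = parse_tcprules(text)
        for ip in ("127.0.0.1", "192.0.2.44", "198.51.100.7"):
            print(name, ip, decision(rules, ip))
```

The real database is built from the text file with tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp; the same kind of file, compiled to a separate .cdb and passed with -x, can be added to /pop3.sh to limit who may even reach qmail-popup.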

That is a lot already, but SMTP still has no authentication, so our server can be used by anyone to relay their spam. Because Qmail itself provides no authentication, this can only be achieved with third-party patches; the best-known combination is qmail-smtpd-auth-0.26 with cmd5checkpw-0.22. The Qmail source code is needed for patching. Assuming qmail-1.03.tar.gz and qmail-smtpd-auth-0.31.tar.gz are in the same directory, enter that directory and do the following:
# tar zxvf qmail-1.03.tar.gz
# tar zxvf qmail-smtpd-auth-0.31.tar.gz
# cd qmail-smtpd-auth-0.31
# cp README.auth base64.c base64.h ../qmail-1.03
# patch -d ../qmail-1.03 < auth.patch
# (cd ../qmail-1.03 && make qmail-smtpd)
# cp ../qmail-1.03/qmail-smtpd /var/qmail/bin/qmail-smtpd-auth

The above compiles the patched qmail-smtpd executable separately and copies it to /var/qmail/bin under the name qmail-smtpd-auth, leaving the original qmail-smtpd untouched.
Next install cmd5checkpw-0.22:
# tar zxvf cmd5checkpw-0.22.tar.gz
# cd cmd5checkpw-0.22
# make
# mkdir /usr/man // this directory does not exist by default on FreeBSD, and make install expects it
# make install

Finally, write the SMTP start-up script (one line, no line break in the middle):
/usr/local/bin/tcpserver -H -R -l 0 -t 1 -v -p -x /etc/tcp.smtp.cdb -u 89 -g 89 0 smtp /var/qmail/bin/qmail-smtpd-auth mail.itp.swjtu.edu.cn /home/vpopmail/bin/vchkpw /bin/true 2>&1 &
Here -x /etc/tcp.smtp.cdb is the compiled tcprules file that decides who may connect and who may relay, -u 89 -g 89 run the service as the vpopmail user and vchkpw group, and the arguments after qmail-smtpd-auth are the host name (qmail-smtpd-auth-0.31 uses it in the authentication challenge), the password checker (vchkpw for the vpopmail users; cmd5checkpw can be used in its place) and the program to run after a successful check (/bin/true).

Make /smtp.sh an executable script just as you did for /pop3.sh. Before running it, comment out or delete the smtp line in /etc/inetd.conf and run killall -HUP inetd to close the SMTP service opened earlier. After sh /smtp.sh, your server has the SMTP authentication function.
Figure 4 shows how to set this up in Foxmail:
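As an added illustration of what qmail-smtpd-auth and cmd5checkpw do on the wire (example code written for this page, not taken from either package or from the article), the following Python simulates both ends of AUTH CRAM-MD5: the server issues a challenge built from its host name (the reason the host name is passed to qmail-smtpd-auth), the client answers with an HMAC-MD5 of that challenge keyed by the password, and the server recomputes the digest from the stored password and compares. A decode_plain helper shows, by contrast, that AUTH PLAIN puts the password itself on the wire. The user table, host name, pid and timestamp are constructed; the reply texts are representative SMTP replies, not the exact strings of the patch.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed user table standing in for what vchkpw or cmd5checkpw consult.
USERS = {"zhp": "friend"}


def cram_md5_challenge(hostname, pid=None, ts=None):
    """Server side: an RFC 2195 style challenge '<pid.timestamp@hostname>'. The
    host name is what the qmail-smtpd-auth command line supplies for this."""
    pid = os.getpid() if pid is None else pid
    ts = int(time.time()) if ts is None else ts
    return f"<{pid}.{ts}@{hostname}>".encode()


def cram_md5_response(username, password, challenge):
    """Client side: 'username hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def verify_cram_md5(response, challenge, lookup):
    """Server side, the job of cmd5checkpw: look up the stored password,
    recompute the digest and compare it in constant time."""
    try:
        username, digest = response.decode("ascii").split(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    stored = lookup(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def decode_plain(wire):
    """AUTH PLAIN sends base64('authzid\\0user\\0password'): anyone reading the
    TCP stream recovers the password, which CRAM-MD5 avoids."""
    parts = base64.b64decode(wire).split(b"\0")
    if len(parts) != 3:
        return None
    return parts[1].decode(), parts[2].decode()


def simulate_auth_cram_md5(hostname, username, password,
                           lookup=USERS.get, pid=4242, ts=1000000000):
    """Both halves of the exchange; returns (accepted, transcript lines)."""
    transcript = ["C: AUTH CRAM-MD5"]
    challenge = cram_md5_challenge(hostname, pid, ts)
    transcript.append("S: 334 " + base64.b64encode(challenge).decode())
    wire = base64.b64encode(cram_md5_response(username, password, challenge))
    transcript.append("C: " + wire.decode())
    accepted = verify_cram_md5(base64.b64decode(wire), challenge, lookup)
    transcript.append("S: 235 ok, go ahead" if accepted
                      else "S: 535 authentication failed")
    return accepted, transcript


if __name__ == "__main__":
    for pw in ("friend", "guess"):
        ok, lines = simulate_auth_cram_md5("mail.itp.swjtu.edu.cn", "zhp", pw)
        print("\n".join(lines), "\n-> accepted:", ok, "\n")
    print(decode_plain("AHpocABmcmllbmQ="))
```

Because the server must recompute the HMAC, CRAM-MD5 requires the cleartext password on the server side; cmd5checkpw keeps it in /etc/poppasswd, so that file must be readable only by the account the checker runs under.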

Figure 4 Authentication Settings in Foxmail
So far only Foxmail has been used to send and receive mail. There is also a good tool that provides a convenient webmail service: sqwebmail.
I did not use the original version of the software; I found a Chinese version. Installation process:
# tar xvfz sqwebmail-1.2.0.tar.gz
# cd sqwebmail-1.2.0
# ./configure --without-authpam --without-authuserdb --enable-webpass=no --without-authpwd --without-authshadow --with-mimetypes=/usr/local/apache/conf/mime.types
# make configure-check
# make // compile
# make check
# make install-strip
# make install-configure

If there were no problems, open a browser on the client and go to http://mail.itp.swjtu.edu.cn/cgi-bin/sqwebmail to see the following page:

Figure 5 sqwebmail logon page

Figure 6 interface of sqwebmail after login
Finally, to make the server load smtp.sh and pop3.sh automatically at start-up, copy them into the /usr/local/etc/rc.d/ directory and add the line that starts Qmail itself, csh -cf '/var/qmail/rc &', to smtp.sh or pop3.sh. Remember to make both files executable. Due to time pressure this write-up may have omissions, and there are still many parts of the installation process I do not understand; I hope to receive your advice.
