- Author : 김혁중 (Tini) [sky #at# tini4u.net]
- Date written : 2010-10-06
- Site : http://linux.tini4u.net/
- Original title : Building a qmail server - ucspi-tcp, daemontools, knetqmail-1.06, vpopmail
- Environment : CentOS 5.x, CentOS 6.x
- Keywords : ucspi-tcp, daemontools, knetqmail, qmail, vpopmail, libdomainkeys
- Updated : 2012-01-10
--------------------------------------------------------------------------------------
This document is based on knetqmail-1.06 (qmail.kldp.net).
knetqmail is the netqmail 1.06 source with the toaster patch and a number of additional patches
applied by 임은재, who runs qmail.kldp.net.
The earlier document was based on qmail 1.03 + cocktail 14 patch, but over time
the various patches changed in many ways, and some of them became outdated.
This additional document therefore covers knetqmail, which incorporates spf, domainkeys, mail submission and more.
That is not to say there is anything wrong with the cocktail patch. It is still running well on a great many servers.
I state this clearly so that readers of this document do not misunderstand.
01. ucspi-tcp 0.88 [latest version: http://cr.yp.to/ucspi-tcp/install.html]
ucspi-tcp provides tcpserver and tcpclient, command-line tools that make it
easier to build TCP client-server applications.
For more information about the program, see http://cr.yp.to/ucspi-tcp.html.
[root@localhost]# cd /var/tmp
[root@localhost]# wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
[root@localhost]# wget http://djbware.csi.hu/patches/ucspi-tcp-0.88.errno.patch
[root@localhost]# tar xfz ucspi-tcp-0.88.tar.gz
[root@localhost]# cd ucspi-tcp-0.88
[root@localhost]# patch -p1 < ../ucspi-tcp-0.88.errno.patch
[root@localhost]# echo "/usr/local" > conf-home
[root@localhost]# make
[root@localhost]# make setup check
02-1. Installing daemontools
[root@localhost]# cd /var/tmp
[root@localhost]# wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
[root@localhost]# wget http://djbware.csi.hu/patches/daemontools-0.76.errno.patch
[root@localhost]# tar xfz daemontools-0.76.tar.gz
[root@localhost]# cd admin/daemontools-0.76
[root@localhost]# patch -p1 < ../../daemontools-0.76.errno.patch
[root@localhost]# echo "/usr/local" > src/home
[root@localhost]# make -C src
[root@localhost]# mkdir /service /command
[root@localhost]# for i in `cat package/commands`; do cp -a src/$i /usr/local/bin/$i; done
[root@localhost]# for i in `cat package/commands`; do ln -sfv /usr/local/bin/$i /command/$i; done
Please do not go to the trouble of writing a script just because for loops appear in the middle of the installation.
02-2. Starting daemontools
※ CentOS 5.x and earlier
[root@localhost]# echo "SV:345:respawn:/command/svscanboot" >> /etc/inittab
[root@localhost]# pkill -1 init
[root@localhost]# vi /etc/init/svscan.conf
start on runlevel [2345]
stop on runlevel [S016]
respawn
exec /command/svscanboot
[root@localhost]# initctl start svscan
※ The -r option means the account is created as a system account (uid below 500).
[root@localhost]# groupadd -r nofiles
[root@localhost]# groupadd -r qmail
[root@localhost]# groupadd -r vchkpw
[root@localhost]# useradd -r -M -d /var/qmail/alias -s /sbin/nologin -c "qmail alias" -g qmail alias
[root@localhost]# useradd -r -M -d /var/qmail -s /sbin/nologin -c "qmail daemon" -g qmail qmaild
[root@localhost]# useradd -r -M -d /var/qmail -s /sbin/nologin -c "qmail logger" -g qmail qmaill
[root@localhost]# useradd -r -M -d /var/qmail -s /sbin/nologin -c "qmail passwd" -g qmail qmailp
[root@localhost]# useradd -r -M -d /var/qmail -s /sbin/nologin -c "qmail queue" -g qmail qmailq
[root@localhost]# useradd -r -M -d /var/qmail -s /sbin/nologin -c "qmail remote" -g qmail qmailr
[root@localhost]# useradd -r -M -d /var/qmail -s /sbin/nologin -c "qmail send" -g qmail qmails
[root@localhost]# useradd -r -M -d /home/vpopmail -s /sbin/nologin -c "Vpopmail User" -g vchkpw vpopmail
※ Because of qmail's chkuser patch, the vpopmail library is now required at compile time.
Install vpopmail before qmail for that reason.
※ vpopmail's configure step needs the location of the qmail directory and of a few binaries.
So create fake files to make it look as if qmail were already installed.
(configure only records where qmail is located, so using fake files causes no problems at all.)
[root@localhost]# mkdir -p /var/qmail/bin
[root@localhost]# touch /var/qmail/bin/qmail-newu
[root@localhost]# touch /var/qmail/bin/qmail-inject
[root@localhost]# touch /var/qmail/bin/qmail-newmrh
Therefore, if you want to manage accounts through mysql as the author does, mysql must already be installed before you install vpopmail.
(If you want to use cdb instead, remove --enable-auth-module=mysql and every option below it from the configure options.)
※ If configure fails with mysql-related errors, change the incdir and libdir paths to match your mysql installation.
[root@localhost]# cd /var/tmp
[root@localhost]# wget http://cdnetworks-kr-2.dl.sourceforge.net/project/vpopmail/vpopmail-stable/5.4.30/vpopmail-5.4.30.tar.gz
[root@localhost]# tar xfz vpopmail-5.4.30.tar.gz
[root@localhost]# cd vpopmail-5.4.30
[root@localhost]# ./configure \
--prefix=/home/vpopmail \
--enable-vpopuser=vpopmail \
--enable-vpopgroup=vchkpw \
--enable-tcprules-prog=/usr/local/bin/tcprules \
--enable-tcpserver-file=/etc/tcprules.d/tcp.smtp \
--disable-users-big-dir \
--enable-qmail-ext \
--enable-domainquotas \
--enable-logging=v \
--enable-log-name=vpopmail \
--enable-valias \
--disable-many-domains \
--enable-auth-module=mysql \
--enable-incdir=/usr/include/mysql \
--enable-libdir=/usr/lib/mysql
[root@localhost]# make
[root@localhost]# make install-strip
[root@localhost]# vi /home/vpopmail/etc/vpopmail.mysql
localhost|0|DB_USER|PASSWORD|DB_NAME
[root@localhost]# rm -rf /var/qmail
[root@localhost]# cd /var/tmp
[root@localhost]# wget http://cdnetworks-kr-2.dl.sourceforge.net/project/domainkeys/libdomainkeys/0.69/libdomainkeys-0.69.tar.gz
[root@localhost]# tar xfz libdomainkeys-0.69.tar.gz
[root@localhost]# mv libdomainkeys-0.69 libdomainkeys
[root@localhost]# cd libdomainkeys
[root@localhost]# echo "-lresolv" > dns.lib
[root@localhost]# make
06-1. Installing knetqmail 1.06
[root@localhost]# cd /var/tmp
[root@localhost]# wget http://.../knetqmail-1.06-20110908.tar.gz
[root@localhost]# wget http://jeremy.kister.net/code/qmail-dk-0.54-auth.patch
[root@localhost]# tar xfz knetqmail-1.06-20110908.tar.gz
[root@localhost]# cd knetqmail-1.06-20110908
[root@localhost]# patch -p0 < ../qmail-dk-0.54-auth.patch
[root@localhost]# echo "gcc -O2 -g -DTLS=20070408 -I/usr/include/openssl -I/home/vpopmail/include" > conf-cc
[root@localhost]# echo "gcc -s -O2 -g" > conf-ld
[root@localhost]# make
[root@localhost]# make setup check
[root@localhost]# cp -a spfquery /var/qmail/bin
[root@localhost]# cp -a /var/tmp/libdomainkeys/dknewkey /var/qmail/bin
[root@localhost]# chown root:qmail /var/qmail/bin/spfquery /var/qmail/bin/dknewkey
[root@localhost]# chmod 755 /var/qmail/bin/spfquery /var/qmail/bin/dknewkey
06-2. Creating the configuration files
※ Now create the configuration files needed to run qmail.
The qmail source does provide a config script, but it only creates the most basic files,
so here the required files are created by hand.
[root@localhost]# cd /var/qmail/control
[root@localhost]# touch rcpthosts smtproutes
[root@localhost]# echo "localhost" > locals
[root@localhost]# echo "your-domain.com" > me
[root@localhost]# echo "your-domain.com" > defaultdomain
[root@localhost]# echo "your-domain.com" > defaulthost
[root@localhost]# echo "your-domain.com" > plusdomain
[root@localhost]# echo "60" > concurrencyremote
[root@localhost]# echo "100" > concurrencyincoming
[root@localhost]# echo "86400" > queuelifetime
[root@localhost]# echo "1" > spfbehavior
[root@localhost]# echo "Welcome to Qmail SMTP Server" > smtpgreeting
[root@localhost]# echo "./Maildir/" > defaultdelivery
[root@localhost]# chmod 644 *
[root@localhost]# cd /var/qmail/users
[root@localhost]# touch cdb
[root@localhost]# echo "." > assign
[root@localhost]# chmod 644 *
[root@localhost]# mkdir -p /var/qmail/supervise
[root@localhost]# for i in send smtp pop3 submission; do mkdir -p /var/qmail/supervise/$i/log; done
[root@localhost]# vi /var/qmail/rc
#!/bin/sh
exec env - PATH="/var/qmail/bin:$PATH" \
qmail-start "`cat /var/qmail/control/defaultdelivery`"
[root@localhost]# vi /var/qmail/supervise/send/run
#!/bin/sh
exec /var/qmail/rc
[root@localhost]# vi /var/qmail/supervise/send/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill \
/usr/local/bin/multilog t /var/log/qmail/send 2>&1
[root@localhost]# vi /var/qmail/supervise/smtp/run
#!/bin/sh
VPOP_UID=`id -u vpopmail`
VPOP_GID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 64000000 \
/usr/local/bin/tcpserver -vRHl0 \
-x /etc/tcprules.d/tcp.smtp.cdb \
-c ${MAXSMTPD} \
-u ${VPOP_UID} -g ${VPOP_GID} 0 25 \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /bin/true 2>&1
[root@localhost]# vi /var/qmail/supervise/smtp/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill \
/usr/local/bin/multilog t /var/log/qmail/smtp 2>&1
[root@localhost]# vi /var/qmail/supervise/pop3/run
#!/bin/sh
VPOP_UID=`id -u vpopmail`
VPOP_GID=`id -g vpopmail`
HOSTNAME=`hostname -f`
exec /usr/local/bin/softlimit -m 48000000 \
/usr/local/bin/tcpserver -vRHl0 \
-u ${VPOP_UID} -g ${VPOP_GID} 0 110 \
/var/qmail/bin/qmail-popup ${HOSTNAME} \
/home/vpopmail/bin/vchkpw \
/var/qmail/bin/qmail-pop3d Maildir 2>&1
[root@localhost]# vi /var/qmail/supervise/pop3/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill \
/usr/local/bin/multilog t /var/log/qmail/pop3 2>&1
[root@localhost]# vi /var/qmail/supervise/submission/run
#!/bin/sh
VPOP_UID=`id -u vpopmail`
VPOP_GID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 48000000 \
/usr/local/bin/tcpserver -vRHl0 \
-x /etc/tcprules.d/tcp.smtp.cdb \
-c ${MAXSMTPD} \
-u ${VPOP_UID} -g ${VPOP_GID} 0 587 \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /bin/true 2>&1
[root@localhost]# vi /var/qmail/supervise/submission/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill \
/usr/local/bin/multilog t /var/log/qmail/submission 2>&1
[root@localhost]# chmod 755 /var/qmail/rc
[root@localhost]# chown root:qmail /var/qmail/rc
[root@localhost]# chmod 700 /var/qmail/supervise
[root@localhost]# chown -R qmaill:qmail /var/qmail/supervise
[root@localhost]# for i in send smtp pop3 submission; do chmod 1700 /var/qmail/supervise/$i; done
[root@localhost]# for i in send smtp pop3 submission; do chmod 700 /var/qmail/supervise/$i/log; done
[root@localhost]# for i in send smtp pop3 submission; do chmod 751 /var/qmail/supervise/$i/run; done
[root@localhost]# for i in send smtp pop3 submission; do chmod 751 /var/qmail/supervise/$i/log/run; done
[root@localhost]# mkdir -p /etc/tcprules.d
[root@localhost]# vi /etc/tcprules.d/tcp.smtp
127.0.0.1:allow,RELAYCLIENT="",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10"
:allow,CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10"
[root@localhost]# tcprules /etc/tcprules.d/tcp.smtp.cdb /etc/tcprules.d/tcp.smtp.tmp < /etc/tcprules.d/tcp.smtp
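A check for the rules file above, as an added example that is not part of the original document: relay_rules lists every allow rule that sets RELAYCLIENT for a non-loopback address, and cdb_stale reports a tcp.smtp.cdb that was not rebuilt after tcp.smtp was edited. The function names and the 192.168.10. rule in the sample are constructed for illustration.

```sh
#!/bin/sh
# relay_rules FILE
# Print the address of every "allow" rule in a tcprules source file that sets
# RELAYCLIENT for something other than loopback. The catch-all rule (empty
# address) is printed as "<default>": a hit there means an open relay.
relay_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;           # blank line or comment
        esac
        addr=${line%%:*}                   # text before the first colon
        rest=${line#*:}                    # instruction and variables
        case $rest in
            allow*) ;;
            *) continue ;;                 # deny rules cannot relay
        esac
        case ",$rest" in
            *,RELAYCLIENT=*) ;;
            *) continue ;;
        esac
        case $addr in
            127.*) ;;                      # loopback relay is expected
            '')    echo '<default>' ;;
            *)     echo "$addr" ;;
        esac
    done < "$1"
}

# cdb_stale SOURCE CDB
# True when the compiled file is missing or older than its source, i.e. the
# rules were edited but tcprules was not run again, so tcpserver -x still
# enforces the old rules.
cdb_stale() {
    [ ! -e "$2" ] || [ "$1" -nt "$2" ]
}

# Constructed sample: the page's two rules plus one extra relay rule.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1:allow,RELAYCLIENT="",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10"
192.168.10.:allow,RELAYCLIENT=""
:allow,CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10"
EOF
relay_rules "$sample"
rm -f "$sample"
```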
[root@localhost]# for i in send smtp pop3 submission; do mkdir -p /var/log/qmail/$i; done
[root@localhost]# chmod -R 750 /var/log/qmail
[root@localhost]# chown -R qmaill:qmail /var/log/qmail
[root@localhost]# vi /etc/init.d/qmaild
#!/bin/sh
#
# qmaild This shell script takes care of starting and stopping
# the qmail system.
#
# chkconfig: - 30 80
# description: qmail is a small, fast, secure replacement for the sendmail package, which is
# the program that actually receives, routes, and delivers electronic mail.
export PATH="$PATH:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/var/qmail/bin"
svclist="send smtp pop3 submission"
case "$1" in
  start)
    echo "Starting qmail"
    for svc in $svclist; do
      if [ -e /service/${svc} ]; then
        if svok /service/${svc}; then
          svc -u /service/${svc}
        else
          echo "${svc} supervise not running"
        fi
      else
        ln -s /var/qmail/supervise/${svc} /service/
      fi
    done
    if [ -d /var/lock/subsys ]; then
      touch /var/lock/subsys/qmail
    fi
    ;;
  stop)
    echo "Stopping qmail..."
    for svc in $svclist; do
      if [ -e /service/${svc} ]; then
        echo " ${svc}"
        svc -dx /service/${svc} /service/${svc}/log
        rm -f /service/${svc}
      fi
    done
    if [ -f /var/lock/subsys/qmail ]; then
      rm -f /var/lock/subsys/qmail
    fi
    ;;
  stat)
    for svc in $svclist; do
      if [ -e /service/${svc} ]; then
        svstat /service/${svc}
        svstat /service/${svc}/log
      fi
    done
    qmail-qstat
    ;;
  doqueue|alrm|flush)
    if [ -e /service/send ]; then
      echo "Flushing timeout table and sending ALRM signal to send."
      /var/qmail/bin/qmail-tcpok
      svc -a /service/send
    fi
    ;;
  queue)
    qmail-qstat
    qmail-qread
    ;;
  reload|hup)
    if [ -e /service/send ]; then
      echo "Sending HUP signal to send."
      svc -h /service/send
    fi
    ;;
  pause)
    for svc in $svclist; do
      if [ -e /service/${svc} ]; then
        echo "Pausing ${svc}"
        svc -p /service/${svc}
      fi
    done
    ;;
  cont)
    for svc in $svclist; do
      if [ -e /service/${svc} ]; then
        echo "Continuing ${svc}"
        svc -c /service/${svc}
      fi
    done
    ;;
  restart)
    echo "Restarting qmail:"
    for svc in $svclist; do
      if [ -e /service/${svc} ]; then
        if [ "${svc}" != "send" ]; then
          echo "* Stopping ${svc}."
          svc -d /service/${svc}
        fi
      fi
    done
    if [ -e /service/send ]; then
      echo "* Sending send SIGTERM and restarting."
      svc -t /service/send
    fi
    for svc in $svclist; do
      if [ -e /service/${svc} ]; then
        if [ "${svc}" != "send" ]; then
          echo "* Restarting ${svc}."
          svc -u /service/${svc}
        fi
      fi
    done
    ;;
  cdb)
    if [ -z "`grep '\#define POP_AUTH_OPEN_RELAY 1' /home/vpopmail/include/config.h 2>/dev/null`" ]; then
      tcprules /etc/tcprules.d/tcp.smtp.cdb /etc/tcprules.d/tcp.smtp.tmp < /etc/tcprules.d/tcp.smtp
    else
      /home/vpopmail/bin/clearopensmtp
    fi
    echo "Reloaded /etc/tcprules.d/tcp.smtp."
    ;;
  help)
    cat <<HELP
stop -- stops mail service (smtp connections refused, nothing goes out)
start -- starts mail service (smtp connection accepted, mail can go out)
pause -- temporarily stops mail service (connections accepted, nothing leaves)
cont -- continues paused mail service
stat -- displays status of mail service
cdb -- rebuild the tcpserver cdb file for smtp
restart -- stops and restarts smtp, sends send a TERM & restarts it
doqueue -- schedules queued messages for immediate delivery
reload -- sends send HUP, rereading locals and virtualdomains
queue -- shows status of queue
alrm -- same as doqueue
flush -- same as doqueue
hup -- same as reload
HELP
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|help}"
    exit 1
    ;;
esac
exit 0
[root@localhost]# chmod 755 /etc/init.d/qmaild
[root@localhost]# chkconfig --add qmaild
[root@localhost]# chkconfig --level 345 qmaild on
[root@localhost]# /etc/init.d/qmaild start
What follows is an extra section(?). In other words, configure it only if you want to use it.
-------------------------------------------------------------------------------------------
07. Creating the SMTP SSL certificate
※ Using SMTP over SSL requires an SSL certificate.
An SSL certificate normally has to be purchased from a RootCA, but for testing we will generate a private (self-signed) certificate.
[root@localhost]# cd /var/qmail/control
[root@localhost]# openssl req -newkey rsa:1024 -x509 -days 365 -nodes -out servercert.pem -keyout servercert.pem
Generating a 1024 bit RSA private key
..........++++++
.......................................................++++++
writing new private key to 'servercert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:KR
State or Province Name (full name) [Berkshire]:Seoul
Locality Name (eg, city) [Newbury]:Seoul
Organization Name (eg, company) [My Company Ltd]:Qmail SMTP Server
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@localhost]# ln -sfv servercert.pem clientcert.pem
[root@localhost]# openssl ciphers > tlsserverciphers
[root@localhost]# ln -sfv tlsserverciphers tlsclientciphers
[root@localhost]# echo "01 01 * * * root /var/qmail/bin/update_tmprsadh >/dev/null 2>&1" >> /etc/crontab
※ DomainKeys is a mail authentication method that uses SSL keys, developed under Yahoo's lead.
For details, see http://antispam.yahoo.com/domainkeys.
08-1. Generating the SSL key
※ It is best to generate a separate SSL key for each domain.
The example sets things up for the domain example.com.
[root@localhost]# mkdir -p /var/qmail/control/domainkeys
[root@localhost]# cd /var/qmail/control/domainkeys
[root@localhost]# mkdir example.com
[root@localhost]# cd example.com
[root@localhost]# /var/qmail/bin/dknewkey private > public.txt
[root@localhost]# chmod 440 private
[root@localhost]# cd ..
[root@localhost]# chown -R root:vchkpw example.com
※ So that the qmail server can sign mail headers with the private key and handle verify queries correctly,
replace the binary so that mail passes through qmail-dk.
[root@localhost]# cd /var/qmail/bin
[root@localhost]# mv qmail-queue qmail-queue.orig
[root@localhost]# ln -sv qmail-dk qmail-queue
[root@localhost]# chmod 4711 qmail-queue.orig
※ The DomainKeys patch applied to knetqmail looks for the SSL certificate in /etc/domainkeys/your-domain.com/default by default.
So set an environment variable so that qmail can find the SSL certificate.
(Note that the certificate file name can be changed freely. However, it must be the same as the HostName configured in DNS.)
[root@localhost]# vi /etc/tcprules.d/tcp.smtp
127.0.0.1:allow,RELAYCLIENT="",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"
:allow,CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKSIGN="/var/qmail/control/domainkeys/%/private"
[root@localhost]# tcprules /etc/tcprules.d/tcp.smtp.cdb /etc/tcprules.d/tcp.smtp.tmp < /etc/tcprules.d/tcp.smtp
※ Add the TXT record that the DomainKeys authentication system will use.
For the value of the TXT record, use the contents of the public.txt file produced in the SSL key generation step.
[root@localhost]# cat /var/qmail/control/domainkeys/example.com/public.txt
private._domainkey IN TXT "k=rsa; p=MEwwDQYJKoZ..... SSL Key End"
[root@localhost]# vi /var/named/data/example.com.zone
_domainkey IN TXT "o=-"
private._domainkey IN TXT "k=rsa; p=MEwwDQYJKoZ..... SSL Key End"
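An added example (not from the original document) that checks the constraints this section relies on: the key file that the DKSIGN value resolves to exists and is not open to other users, and the label in public.txt equals the key file's name followed by ._domainkey. The function names and the temporary demo tree are assumptions, and the key material in the demo is a constructed placeholder.

```sh
#!/bin/sh
# dk_key_path DKSIGN_VALUE DOMAIN
# Expand the "%" placeholder of a DKSIGN value with the signing domain.
dk_key_path() {
    case $1 in
        *%*) pre=${1%%\%*}; post=${1#*\%}
             printf '%s%s%s\n' "$pre" "$2" "$post" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# dk_check DKSIGN_VALUE DOMAIN PUBLIC_TXT
# Prints one line per problem; returns 0 only when nothing was found.
dk_check() {
    key=$(dk_key_path "$1" "$2")
    selector=${key##*/}            # the selector is the key file's basename
    rc=0; label=''
    if [ ! -f "$key" ]; then
        echo "missing key: $key"; return 1
    fi
    perms=$(ls -ld -- "$key"); perms=${perms%% *}   # e.g. -r--r-----
    case $perms in
        ?????w*) echo "group-writable key: $key"; rc=1 ;;
    esac
    case $perms in
        ???????---*) ;;            # no access for "other", as with chmod 440
        *) echo "key accessible to other users: $key"; rc=1 ;;
    esac
    read -r label _ < "$3" || true # first field of the record in public.txt
    if [ "$label" != "$selector._domainkey" ]; then
        echo "DNS label '$label' does not match selector '$selector'"; rc=1
    fi
    grep -q 'k=rsa; *p=' "$3" || { echo "no k=rsa public key in $3"; rc=1; }
    return $rc
}

# Constructed demo that mirrors the page's layout under a temporary directory.
demo=$(mktemp -d)
mkdir -p "$demo/example.com"
echo 'constructed placeholder, not a real key' > "$demo/example.com/private"
chmod 440 "$demo/example.com/private"
echo 'private._domainkey IN TXT "k=rsa; p=PLACEHOLDER"' > "$demo/example.com/public.txt"
dk_check "$demo/%/private" example.com "$demo/example.com/public.txt" \
    && echo "example.com: ok"
rm -rf "$demo"
```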