Mail: qmail, courier-imap, eventually sqwebmail

Qmail

I use qmail patched with qmail-smtpd-viruscan-1.3.patch and qmail-smtpd-viruscan-logging.patch. Rather than using DJB's startup described in the INSTALL file or the one described in LifeWithQmail, I run it from from /var/service like is setup by for DJBDNS . There's a slick tool to create these startup dirs, qmail-conf , but you can do it yourself pretty easily. Once I created one dir, I used tar to bundle it up and re-install it for another service, changing the "run" file and env/* environment variables.

The "svscan" daemon runs at system startup by /usr/local/etc/rc.d/0svscan.sh, basically "svscan /var/service". (DJB uses "/service" but the FreeBSD hierarchy strongly suggests "/var/servie"). Each entry in that directory is a symlink to a directory for each service. Svscan spawns a "supervise" process to run each of the services, and if the service dir has a "log" subdir, it pipes its output to a process for logging.

Each service directory has a "run" script, a subdir "env" which contains environment variable files, a subdir "log" with its own "run", "env", etc.

Courier-IMAP

Courier-IMAP is one of a small number of IMAP servers that can read qmail's Maildir format (others include Binc IMAP, Dovecot.)

Courier-IMAP is part of the larger Courier-MTA suite, which I don't use. It has a sophisticated startup mechanism which is overkill for what I'm doing. I've gutted it and start it just like my qmail and DJBDNS services, from /var/service.

I configured it --without-authdaemon, and without about every other auth mechanism, then used "make". I then manually installed the binaries imapd, imaplogin, authlib/authpam and tcpd/couriertls into /usr/local/sbin. Next, I show my IMAP startup, which is similar to the qmail services.

/var/service

drwxr-xr-x  2 root  wheel 512 Nov 30 17:48 .
drwxr-xr-x 28 root  wheel 512 Nov 30 17:12 ..
lrwxr-xr-x  1 root  wheel  19 Aug  9 15:11 axfrdns -> /var/djbdns/axfrdns
lrwxr-xr-x  1 root  wheel  20 Aug  9 15:16 dnscache -> /var/djbdns/dnscache
lrwxr-xr-x  1 root  wheel  23 Nov 30 17:41 imapd -> /var/courier-imap/imapd
lrwxr-xr-x  1 root  wheel  24 Nov 30 17:48 imapsd -> /var/courier-imap/imapsd
lrwxr-xr-x  1 root  wheel  24 Aug  9 14:02 qmail -> /var/qmail/service/qmail
lrwxr-xr-x  1 root  wheel  24 Aug  9 14:02 qmqpd -> /var/qmail/service/qmqpd
lrwxr-xr-x  1 root  wheel  24 Aug  9 14:02 smtpd -> /var/qmail/service/smtpd
lrwxr-xr-x  1 root  wheel  25 Aug 11 21:17 smtpsd -> /var/qmail/service/smtpsd
lrwxr-xr-x  1 root  wheel  19 Aug  9 15:14 tinydns -> /var/djbdns/tinydns

/var/service/imapd

drwxr-sr-t  5 root  qmail   512 Nov 30 18:40 .
drwxr-xr-x  4 root  wheel   512 Nov 30 17:35 ..
-rw-r--r--  1 root  qmail    87 Nov 11 11:00 Makefile
-rwxr-xr-x  1 root  qmail   149 Jul 18 14:36 add-client
drwxr-sr-x  2 root  qmail  1024 Nov 30 18:56 env
drwxr-sr-x  5 root  qmail   512 Nov 21 17:19 log
-rwxr-xr-x  1 root  qmail   981 Nov 30 17:45 run
drwx--S---  2 root  qmail   512 Nov 30 18:49 supervise
-rw-r--r--  1 root  qmail   207 Nov 26 15:33 tcp
-rw-r--r--  1 root  qmail  2129 Nov 26 15:34 tcp.cdb

/var/service/imapd/run

#!/bin/sh
# Use env/* to turn on courier-imap STARTTLS features.
# imaplogin, auth_imap, imapd MUST be full paths, else imaplogin suicides.

COURIERBIN=/usr/local/sbin
export COURIERBIN

PATH=/bin:/usr/local/bin:${COURIERBIN}
export PATH

exec 2>&1 \
envdir ./env \
sh -c '
    case "$REMOTENAME" in h) H=;; p) H=p;; *) H=H;; esac
    case "$REMOTEINFO" in r) R=;; [0-9]*) R="t$REMOTEINFO";; *) R=R;; esac
    exec \
    softlimit ${DATALIMIT+"-d$DATALIMIT"} \
    tcpserver \
	-vD"$H$R" \
	${LOCALNAME+"-l$LOCALNAME"} \
	${BACKLOG+"-b$BACKLOG"} \
	${CONCURRENCY+"-c$CONCURRENCY"} \
	-xtcp.cdb \
	-- "${IP-0}" "${PORT-143}" \
    ${COURIERBIN}/imaplogin \
    ${COURIERBIN}/authpam \
    ${COURIERBIN}/imapd \
    "${MAILDIRNAME-Maildir}"
'

/var/service/imapd/env

This directory is populated with files named for the (uppercase) environment variables. The "envdir" command above reads just the first line of each file and sets the corresponding variable. In the examples below, even if the variables are wrapped, they must be entirely on the first line of the file. These are all owned by root:qmail. The values are described in courier-imap's "imapd.dist" file. I'm configuring it to require STARTTLS before authentication.

BACKLOG: [empty]
CONCURRENCY: 30
COURIERTLS: /usr/local/sbin/couriertls
DATALIMIT: 2000000
DEBUG_LOGIN: 1
IMAPDSTARTTLS: YES
IMAP_CAPABILITY: IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE
IMAP_CAPABILITY_TLS: IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN
IMAP_CHECK_ALL_FOLDERS: 1
IMAP_DISABLETHREADSORT: 0
IMAP_EMPTYTRASH: Trash:7
IMAP_ENHANCEDIDLE: 1
IMAP_IDLE_TIMEOUT: 60
IMAP_KEYWORDS: 1
IMAP_MOVE_EXPUNGE_TO_TRASH: 0
IMAP_OBSOLETE_CLIENT: 0
IMAP_STARTTLS: Y
IMAP_TLS: 1
IMAP_TLS_REQUIRED: 1
IMAP_TRASHFOLDERNAME: Trash
IMAP_ULIMITD: 65536
IMAP_USELOCKS: 1
IP: 0
LOCALNAME: 0
LOGLEVEL: 3
MAILDIRNAME: [empty]
POPUPHOST: [empty]
PORT: 143
REMOTEINFO: [empty]
REMOTENAME: [empty]
TLS_CERTFILE: /var/courier-imap/imapd.pem
TLS_PROTOCOL: SSL3
TLS_STARTTLS_PROTOCOL: TLS1
TLS_VERIFYPEER: NONE

imapsd

The imapsd startup is almost identical. The "run" file invokes a patched version of "tcpserver" which directly supports SSL like:

    tcpserver \
	-s -n /var/courier-imap/imapd.pem \

That certificate file should not be readable by world but must be readable by the user running the tcpserver process, or any other process which accesses the cert. In other situations I've made it owned by qmail rather than root.

The differences in the env/* dir are:

IMAPDSTARTTLS: NO
IMAP_STARTTLS: NO
IMAP_TLS: 0
IMAP_TLS_REQUIRED: 0
PORT: 993