schlitt.info - php, photography and private stuff

Moving

No, not myself, but my server. Until now I owned a 1und1 Root Server L, which I bought more than 2 years ago. Now that 1und1 offers a new generation of servers, I decided to switch to a 64-bit machine. My old server had a Celeron processor, 256 MB RAM and a 20 GB HD, which could not really handle my spam protection anymore. The new one is an Athlon 64 3000+ with 1 GB RAM and two 80 GB SATA discs, which I run as a software RAID.

While migrating all of my stuff (28 domains, which I host for myself and friends) to the new server, I decided to completely switch the platform I'm running. While I still claimed a few weeks ago that Debian is my favorite system for servers, I now have Gentoo running. I know, this is a system most people would never use for anything but desktops, but for one major reason it's better for me than Debian here: I'm more familiar with it! Although I used Debian constantly for more than 2 years on all of my machines, I got much too used to the Gentoo style of doing things in the past month and always tried stuff like "$ eix spamassassin" or "$ emerge -pv apache". Gentoo is simply cleaner and I have a much better overview of what my system has installed and what should be running.

When switching the system itself, I decided to go for other server software, too. While Postfix is a cool MTA, it's still hard to configure (naturally easier than Sendmail, but still hard) and it took me 2 weeks to figure out how stuff has to work. Since there is a very nice Gentoo howto for Qmail and it looked like Qmail is capable of everything I basically need for my personal playground, I went this way. Believe it or not, setting up my whole mail stuff (including virtual domains and accounts, spam and virus protection, mailing lists, ...) took me 2 man days. Qmail, qmail-scanner, vpopmail, ezmlm, qmailadmin and maildrop give you a fantastically clean interface to realize even complex architectures easily.

Besides my migration from Postfix to Qmail, I started (influenced by Kore) to use Lighttpd as my web server. Lighttpd is developed by Jan Kneschke and is a lightweight, easy to configure and secure web server. Most conveniently, it uses the FastCGI interface to talk to PHP, which is almost as fast as using Apache with mod_php, but gives you a great deal of flexibility. For instance, I run 2 versions of PHP (4.4 and 5.1) in parallel inside 1 server and can define on a per-host or per-filename basis which version to use.

The migration is now almost complete and I'm very satisfied with the results. So long, thanks Qmail and Lighttpd! See some more info on my setup in the extended body of this entry.

Howto Qmail and Lighttpd on Gentoo

First of all, the term "Howto" might be a bit misleading. I will refer to multiple howtos I used during setup here and will try to share a general overview on how I got my setup working. So this is not really a howto in itself, but a howto collection with some enhancements.

Qmail

The Qmail installation on Gentoo is quite easy, if you follow this great howto from the Gentoo website. The Gentoo-Wiki also provides information here.

After that, you should have Qmail up and running on your system, including Vpopmail, which removes the need to have a system user for each mailbox you create. Besides that, you might have Horde's IMP running, a very convenient web mail tool. For IMAP/POP access I use Courier-IMAP, as suggested in the howto, if you have already set up a web server.

When you migrate from another system, you may run into the pitfall of having to migrate from the Mbox format to Maildir. Mbox generally stores all mails of a mailbox in 1 single file, while Maildir uses a unique file for each message. The advantages of Maildir are obvious here: It's damn fast. Nevertheless, you have to convert your mailboxes. I used this tool and some bash magic to move my mailboxes. Although I had some worries about running a script on my whole mail archive (around 1 GB now), it worked perfectly fine.

For spam protection I use Spamassassin (is there really an alternative?) in combination with qmail-scanner. The latter script hooks into Qmail and replaces its usual queuing mechanism to allow filters to be attached. Beware: qmail-scanner does not really work with emerge. It tries to guess your system components (without listening to USE flags) and adds only the components that are available to itself. This means that you have to have Spamassassin up and running before installing qmail-scanner, and your Spamassassin must manipulate the headers of a spam mail, else qmail-scanner will not recognize it correctly! Additionally, you can install ClamAV before emerging qmail-scanner and the latter will automatically integrate both.

Before we finalize Qmail, let's set up Lighttpd.

Lighttpd

Basically you need to follow this howto from the Gentoo wiki. While this assumes that you emerge PHP, I still tend to compile it on my own. To get multiple versions of PHP running, I simply changed the Gentoo config file under /etc/lighttpd/mod_fastcgi.conf to not load PHP at all, but only the FastCGI module. Now I can define FastCGI configurations for every VHost I'm creating. This basically looks like this:

    $HTTP["host"] =~ "^schlitt\.info$" {
        # Per-VHost variables: site root and the PHP wrapper to launch
        var.localroot = "/home/dotxp/web/schlitt.info"
        var.fcgibin = "/usr/bin/suphp-5.1.sh"

        server.document-root = localroot + "/htdocs/"

        # One FastCGI pool per VHost, on its own socket
        fastcgi.server = ( ".php" => ((
            "socket" => localroot + "/tmp/php_fcgi.socket",
            "bin-path" => fcgibin,
            "min-procs" => 5,
            "max-procs" => 20,
            "bin-copy-environment" => ( "PATH", "SHELL", "USER" )
        )) )

        # Treat the other PHP extensions like .php
        fastcgi.map-extensions = (
            ".php3" => ".php",
            ".php4" => ".php",
            ".php5" => ".php",
        )

        server.errorlog = localroot + "/log/error.log"
        accesslog.filename = localroot + "/log/access.log"
    }

As you can see, you can define all necessary options per VHost. I have a VHost file for each of my running domains, which specifies which PHP version to use and so on. The suphp-5.1.sh simply changes to the user PHP should run as (basically my user) and runs PHP. This has the benefit that uploaded files are owned by the user who should own them, and therefore no hazards occur if you grant someone FTP/SCP access.

That's basically everything you need for your basic Lighttpd installation.

Qmail II

What was still missing for Qmail/Vpopmail is the very convenient user interface QmailAdmin. This is a CGI binary, which allows you to manage your complete virtual mail setup through the web. Since it runs as CGI, you have to activate this module in your Lighttpd (most howtos assume you have Apache). Then edit the mod_cgi.conf and assign qmailadmin to run on its own (without an interpreter):

    cgi.assign = (
        ".pl" => "/usr/bin/perl",
        ".cgi" => "/usr/bin/perl",
        "/qmailadmin" => ""
    )

Note: You need to run QmailAdmin with setuid, because it has to access the vpopmail scripts and its data stored on the HD and in MySQL. For more security, I recommend restricting access to this script by IP or adding additional authentication (e.g. basic auth).
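One way to apply the restriction recommended above in Lighttpd, as an added example that is not part of the original post; it layers both measures instead of choosing one. The URL path /cgi-bin/qmailadmin, the admin network 192.0.2.0/24 and the password file location are assumptions to adjust to your setup.

```lighttpd
# Added example, not from the original post. Assumed values: the URL path
# /cgi-bin/qmailadmin, the admin network 192.0.2.0/24 (documentation range)
# and the password file path.
#
# Needs mod_access and mod_auth in server.modules, listed ahead of mod_cgi.
# Recent lighttpd releases also need mod_authn_file for file-based backends.

$HTTP["url"] =~ "^/cgi-bin/qmailadmin" {
    # Layer 1: refuse every client outside the admin network.
    $HTTP["remoteip"] != "192.0.2.0/24" {
        url.access-deny = ( "" )
    }

    # Layer 2: require a valid login on top of the IP check.
    auth.backend = "htpasswd"
    auth.backend.htpasswd.userfile = "/etc/lighttpd/qmailadmin.htpasswd"
    auth.require = ( "/cgi-bin/qmailadmin" => (
        "method"  => "basic",
        "realm"   => "QmailAdmin",
        "require" => "valid-user"
    ) )
}
```

Basic auth sends the password with every request in base64 only, so serve this URL over TLS.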

If you installed Ezmlm before installing QmailAdmin, you also have support for managing mailing lists in it. QmailAdmin allows you to log in on a per-domain basis and allows the administrator of a domain to create and modify mailboxes, forwards, aliases, autoresponders and mailing lists.

Maildrop is the last component I needed for my setup. What Procmail is in the Sendmail world, Maildrop is in the Qmail world. At first glance both do the same: matching parts of a mail with regexes and delivering the mail according to defined rules. On a second look, Maildrop seems more powerful to me. At least it is more convenient to code your rules, since it has a kind of programming language to do so. E.g. I wrote a simple script which takes spam mails that have been detected by Spamassassin and checks whether the user the mail is delivered to already has a spam mailbox. If not, it creates one for him and subscribes him to the new mailbox:

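    import EXT
    import HOST
    import PWD

    # Ask vpopmail for the home directory of the recipient
    BASE = `/var/vpopmail/bin/vuserinfo -d $EXT@$HOST`
    DEFAULT = "$BASE/.maildir"
    SPAM = "$DEFAULT/.Spam/"

    # Include the user's own filter if there is one.
    # test prints nothing; its exit status lands in $RETURNCODE.
    FILTERTEST = `test -f "$BASE/.mailfilter"`
    if($RETURNCODE == 0)
    {
        include "$BASE/.mailfilter"
    }

    FOLDERTEST = `test -d "$SPAM"`
    if($RETURNCODE != 0)
    {
        # Creating maildir for spam
        DUMMY=`/var/qmail/bin/maildirmake "$SPAM"`
        # Subscribing to spam maildir
        DUMMY=`echo "INBOX.Spam" >> "$DEFAULT/courierimapsubscribed"`
    }

    # Deliver tagged mail to the spam folder, but only if the folder exists now
    FOLDERTEST = `test -d "$SPAM"`
    if(/^Subject:.*\[SPAM\].*/ && $RETURNCODE == 0)
    {
        to $SPAM
    }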

The script has to go into the global maildroprc (/etc) and Maildrop has to be activated in the user's .qmail file. That's all. :)
