From The Network People, Inc. - Wiki
Jump to navigation Jump to search
Mail Toaster 6
Start Installation
FreeBSD Upgrade
DNS Upgrade
MySQL Upgrade
ClamAV Upgrade
AVG Upgrade
SpamAssassin Upgrade
Rspamd Upgrade
dspam Upgrade
Vpopmail Upgrade
Haraka Upgrade
Haproxy Upgrade
webmail Upgrade
Monitor Upgrade

Install Haraka

jailmanage haraka
pkg install -y gmake iconv node npm redis swaks git rsync
npm install -g Haraka ws express

If npm refuses to install, it's because a bug in node.js isn't resolved yet. The workaround is to provide the jail with an IP that's not on the loopback interface. One such method is to set 'ip4.addr = lo0|, em0|N.N.N.N' for the Haraka jail in /etc/jail.conf and restart the haraka jail.

update with Mail Toaster options

cd /usr/local
git clone
mv Haraka haraka.msimerson
cd haraka.msimerson
git checkout toaster
rsync -acOv --exclude .git ./ /usr/local/lib/node_modules/Haraka/
cd /usr/local/lib/node_modules/Haraka && npm install

Configure Haraka

All of Haraka's configuration files live in the config directory within Haraka's install directory. In these instructions, we are using /usr/local/haraka.

haraka -i /usr/local/haraka
cd /usr/local/haraka
sed -i .bak -e 's/^listen=\[.*$/listen=,,' config/smtp.ini
sed -i .bak -e 's/^daemon_log_file=.*/daemon_log_file=\/dev\/null/' config/smtp.ini
sed -i .bak -e 's/^host=localhost/host=' config/smtp_forward.ini
sed -i .bak -e 's/^port=2555/port=25/' config/smtp_forward.ini
echo 'reject=0' > config/dnsbl.ini
echo 'periodic_checks=30' >> config/dnsbl.ini
sed -i .bak -e 's/always_ok=false/always_ok=true/' config/log.syslog.ini

enable Watch

sed -i .bak -e 's/; listen=\[::\]:80/listen=' config/http.ini

enable TLS

cd /usr/local/haraka
ln /etc/ssl/certs/server.crt config/tls_cert.pem
ln /etc/ssl/private/server.key config/tls_key.pem

enable p0f

p0f is a utility that provides OS detection based on the TCP/IP fingerprint of the remote computer

pkg install -y p0f
fetch -o /usr/local/etc/rc.d/p0f
chmod 555 /usr/local/etc/rc.d/p0f
echo 'p0f_enable="YES"' >> /etc/rc.conf

Now edit /usr/local/etc/rc.d/p0f and look for the line that reads:

: ${p0f_args="-i em0 -d -s /tmp/.p0f_socket 'dst port 25 or dst port 587 or dst port 465'"}

Change em0 to the interface name of your external[?] NIC.

Continue with starting the service:

service p0f start
perl -pi -e 's/^dnsbl$/dnsbl\nconnect.p0f/' config/plugins

configure qmail-deliverable

sed -i .bak -e 's/^host=' config/rcpt_to.qmail_deliverable.ini

configure auth_vpopmaild

echo 'host=' > config/auth_vpopmaild.ini

Note: to enable CRAM-MD5 support for SMTP AUTH, see the auth_vpopmaild docs

configure spamassassin

sed -i .bak -e 's/^spamd_socket=' config/spamassassin.ini
sed -i .bak -e 's/^;spamd_user=$/spamd_user=first-recipient/' config/spamassassin.ini

configure clamav

echo 'clamd_socket=' >> config/clamd.ini

configure AVG

sed -i .bak -e 's/;host.*/host =' config/avg.ini
sed -i .bak -e 's/;tmpdir.*/tmpdir=\/var\/tmp\/avg/' config/avg.ini

configure rspamd

sed -i .bak -e 's/;host.*/host =' config/rspamd.ini

enable Redis

echo 'redis_enable="YES"' >> /etc/rc.conf
service redis start

fetch GeoIP databases regularly

mkdir -p /usr/local/share/GeoIP
npm install -g maxmind-geolite-mirror
ln -s /usr/local/bin/maxmind-geolite-mirror /usr/local/etc/periodic/weekly/999.maxmind-geolite-mirror

Start Haraka

fetch -o /usr/local/etc/rc.d/haraka
chmod 555 /usr/local/etc/rc.d/haraka
echo 'haraka_enable="YES"' >> /etc/rc.conf
echo 'haraka_flags="-c /usr/local/haraka"' >> /etc/rc.conf
mkdir -p /usr/local/haraka/queue
service haraka start

Send a test message.

swaks -server localhost -to postmaster@[CHANGE.THIS] -from []

More Information

Mail Toaster SMTPd History

Versions of Mail::Toaster prior to 6 included a heavily patched qmail-smtpd. The patch added quite a few "must have" SMTP features to netqmail, including SMTP AUTH, STARTTLS, SPF, chkuser, and more. The patch was very difficult to maintain, and thus wasn't maintained well.


Haraka provides a basic SMTP daemon with a plugin architecture. Need encryption? Enable the tls plugin. The SPF plugin is there, just enable it. The chkuser functionality of the patched qmail is handled via Qmail::Deliverable and its daemon. A Haraka plugin calls the qmail-deliverabled daemon to assure we accept mail for the recipient. There's a plugin for nearly every popular email technology.