This an easy step by step guide for computer literates, but not quite gurus. Initial steps will be to get a server up, before (over) extending it. And then starting to tighten it down for security and convenience purposes.
You should follow each step, to get an understanding so that you could tweak it to your needs.
All software used are Open Source and free (as in beer). Most are GPLed.
Feel free to link to this from any related websites. Please reference back any work based on this Howto.
Written by Ivar Abrahamsen of electric ray. Initial draft of this Howto started on the 22nd Februay 2004. Last modification was on 17th January 2005. Ivar is norwegian software engineer based in England.
Comments to me are welcome. Including bug reports, spelling mistakes, tweaks, questions, job offers or just plain comments.
Here is brief rundown of the software packages I use in this set up. Links and discussion on alternative software can be found in Appendix A.
The OS this tutorial is run on is a Mandrake Linux distribution. This is my chosen distribution, however with minor tweaking the guide should be compatible with other distribution, I just dont have access to a system with them on.
This was originally written based upon Mandrake 9.1, then update for 9.2 and now is based Mandrake 10 Official.
Any further future releases should be compatible with this tutorial with a few tweaks.
Sendmail is the most famous MTA, email server, for *nix flavours. However it is a monster, which is where Postfix come in. It is designed as a capable but easier to use MTA.
A database is not essential for a mail server of this kind, but it does make it easier to maintaina and scale.
A stable Imap/Pop server that is often used with Postfix. Handles SSL as well and is easy to configure.
Also a well supported application that is easy to configure. PHP based and sits in your web directory.
If you need outsiders to send email via your server, you need to authenticate them some how. Pop-Before-SMTP is an easy way to do this, an requires no user configuration.
Amavisd-new a fork off Amavisd is an interface with several easy plug ins for content checking. Well supported, extensive configuration options.
A well know spam detector. Often achieves 99% detection. Uses several techiniques: Signatures, blacklists and now Bayesian filters.
A mature scanner with frequent signatures updates.
Thankfully Mandrake 10 comes with most of the packages as binary RPMs on the CDs. Some later ones you have to download tar files, but none require compiling.
Make sure you have the pre-requisites in Appendix C.
Fetch the source/binary of the S/W we are going to use. Mandrake comes with several of the S/W used as RPMs, the others must be fetched from the links in Appendix A.
I recommened always get the latest stable versions and keep yourselves up to date. However this tutorial may not be fully compatible with future versions, so maybe use the ones mentione here then upgrade after you got it working.
If your distribution , does not come with a pre built Postfix, or in the
case of Mandrake 9.x the prebuilt RPM does not include MySQL support,
then you need to uninstall, rebuild the RPM and reinstall the rebuilt RPM.
( Appendix A has a link to a Mandrake 9.1 Postfix
RPM with MySQL support. )
rpm --rebuild --with mysql postfix.xxxx.SRPM.
Initial steps is to get a server up and running. For that we will install only Postfix, MySQL and Courier. Ive included the database, but you can have an even more basic server without it. I have included it as my further steps depend on it.
Install the Postfix RPM with MySQL support. If you are using Mandrake 10, you need to Postfix RPM and the Postfix-MySQL RPM( and their dependancies). This will do a lot of the neccessary step for you. It should create the user and groups required. It will create the init script for you and create the folder /etc/postfix where all the configuration files will be kept.
Make sure the rpm has created the correct users and groups. Postfix use a postfix user and a postdrop group.
You need to create the folder where the mails will be spooled to. This in my setup is /var/mail/virtual. And an owner to own the emails and the directory. Create this directory and change owner to virtual:
adduser -M -u 5000 virtual mkdir /var/mail/virtual chown virtual /var/mail/virtual
You may need to edit the aliases file, and towards the bottom replace a user (yours>?) with the dummy one user , so that all email to root goes to you. This may already have been set for you so this step may not be neccessary. But do it anyway and then create a hash of it with this command:
postalias aliases
Create backup copies of the main.cf and master.cf, and keep doing so throughout this tutorial for safety sake.
Postfix have a great security feature of running everything in chroot. This restricts all files that anyone can access through it to within /etc/postfix only.
However this is restrictive when you need to access other parts, and we may need to initially disable this options. Remember this step: First change nothing, only view your master.cf and notice what state each section onder chroot column is set to. If virtual is set to y, change this to n.
If some stages dont work, it often is the chroot step that is restricting it. You may often finding yourself turning the whole chroot column to n to test if it is the problem, then setting them back to y, where applicable.
( It is important you change these back to y later, once you can test if they are the source of problems or not. Otherwise you wont be utilising the chroot jail facility of Postfix.)
Set up a clean and basic main.cf. Mdk 10, comes with a basic main.cf
that you can base your upon. These are example settings:
Review
queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/lib/postfix mail_owner = postfix unknown_local_recipient_reject_code = 450 alias_maps = hash:/etc/postfix/aliases mail_spool_directory = /var/spool/mail mailbox_command = /usr/bin/procmail -Y -a $DOMAIN debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5 delay_warning_time = 4 sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop manpage_directory = /usr/share/man sample_directory = /usr/share/doc/postfix-2.0.6/samples readme_directory = /usr/share/doc/postfix-2.0.6/README_FILES alias_database = hash:/etc/postfix/aliases smtpd_banner = $myhostname ESMTP $mail_name (Mandrake Linux) inet_interfaces = all smtpd_recipient_restrictions = reject_unauth_pipelining, \ reject_unknown_recipient_domain, permit_mynetworks, \ reject_unauth_destination smtpd_sender_restrictions = reject_non_fqdn_sender, \ reject_unknown_sender_domain
Next add you ISPs smtp server or whichever SMTP server you normally use for sending emails through. You can once you have firewalls, dns and all settings tested leave this as blank, so that your server acts as the relayhost on its own. You are then in more control of the queues, although I feel more secure relaying through my ISPs smtp server.
relayhost=smtp.yourisp.tld
Add the name of you server. Postfix is clever and may work it out anyway, but it is better to specify it. Postfix will workout domain name from it.
myhostname=server.domain.tld
Next we need to tell Postfix we wont be using local users, but instead a database based virtual users.
Review
local_recipient_maps = mydestination = virtual_mailbox_base = /var/mail/virtual virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf virtual_mailbox_domains = localhost.$mydomain $mydomain $myhostname
Next we need to create the files Postfix will use to query the MySQL database.
Create these three files in the postfix directory:
mysql_mailbox.cf
user=mail password=**** dbname=maildb table=users select_field=maildir where_field=id hosts=localhost
mysql_uid.cf
user=mail password=**** dbname=maildb table=users select_field=uid where_field=id hosts=localhost
mysql_gid.cf
user=mail password=**** dbname=maildb table=users select_field=gid where_field=id hosts=localhost
Obviusly, change the fields where applicable. If your mail database (dbname)/ MySQL username (user)/ MySQL password (password) or database server (hosts) is not correct change it it to your setup. However if you keep to my setup exactly only the password field needs adjusting.
MySQL is now a quite renowned database and was an easy choice.
( Firebird would have been the ideal
choice, but is not supported by any of the apps we will use for this mail
server. )
If it is not installed already, follow the instructions in Appendix: Pre-Requisites.
Create a mail user and set its password as well.
mysql -u root -p**** mysql GRANT ALL PRIVILEGES ON *.* TO 'mail'@'localhost' IDENTIFIED BY '****' WITH GRANT OPTION; GRANT ALL PRIVILEGES ON *.* TO 'mail'@'%' IDENTIFIED BY '****' WITH GRANT OPTION; quit; mysql -u mail -p****
If you mess up and lock yourselves out of MySQL, dont panic. There are several ways to recreate your users, look up in Google for ways to start MySQL without grant tables. Or if you dont have any data in other databases, reinstall it!
Create the mail database
create database maildb; use maildb;
Create the tables required for Postfix.
CREATE TABLE `users` ( `id` varchar(128) NOT NULL default '', `crypt` varchar(128) NOT NULL default 'sdtrusfX0Jj66', `name` varchar(128) NOT NULL default '', `uid` smallint(5) unsigned NOT NULL default '5000', `gid` smallint(5) unsigned NOT NULL default '5000', `home` varchar(255) NOT NULL default '/var/mail/virtual/', `maildir` varchar(255) NOT NULL default 'spam/', `quota` varchar(255) NOT NULL default '', `enabled` tinyint(3) unsigned NOT NULL default '1', `change_password` tinyint(3) unsigned NOT NULL default '1', `procmailrc` varchar(128) NOT NULL default '', `spamassassinrc` varchar(128) NOT NULL default '', PRIMARY KEY (`id`), UNIQUE KEY `id` (`id`) );
id is the email field, a complete address which is the ids people use. crypt is the password field, encrypted with Unix Crypt(), and not MySQL's version. Its default password is ChangeMe. Obviously change these later. home is the path to where the folders are kept, and maildir is the directory where this users mail are kept. Multiple rows with same maildir will share emails. If maildir ends on a /, then Postfix will use the maildir mail spooling option and not the mail file spooling. I think Courier require maildir format. Ignore the other fields for now.
Pop3 and IMAP server is of course required. Otherwise getting access to mail is tricker. Courier has support for MySQL authenticaton among others and are used in many Postfix+MySQL+Courier setups.
Again the require RPMs are available on Mandrake's CDs
rpm -i courier-imap-1.7.0-3mdk courier-imap-pop-1.7.0-3mdk \ courier-imap-mysql-1.7.0-3mdk courier-imap-utils-1.7.0-3mdk
Configuration files are in /etc/courier. Edit authdaemonrc and modify this line to:
authmodulelist="authmysql authpam"
Edit authmysqlrc:
MYSQL_SERVER localhost MYSQL_USERNAME mail MYSQL_PASSWORD **** MYSQL_PORT 0 MYSQL_DATABASE maildb MYSQL_USER_TABLE users MYSQL_CRYPT_PWFIELD crypt MYSQL_UID_FIELD uid MYSQL_GID_FIELD gid MYSQL_LOGIN_FIELD id MYSQL_HOME_FIELD home MYSQL_NAME_FIELD name MYSQL_MAILDIR_FIELD CONCAT(home,'/',maildir) MYSQL_WHERE_CLAUSE enabled=1
The last setting is optional, if you want to be able to disable accounts.
Edit imapd and set this to 2 then change to 0 later when working:
DEBUG_LOGIN=2
Then edit imapd again edit this line to YES
IMAPDSTART=YES
Depending on what you want running you can turn the others, pop3,
POP3DSTART=YES
imapd-ssl and/or pop3-ssl on as well:
If you plan to have many connections per client, ie. perhaps you want to login to 20 mailboxes at once,then you need to increase the connections limit in the different files. E.g in imapd
MAXPERIP=24
Not many systems are any good without any data in them. You need to comply to some RFC by adding abuse and postmaster as valid email addresses. Also a root user is a good idea. In MySQL insert these statements
INSERT INTO users (id,maildir) VALUES
('[email protected]','post/'),
('[email protected]','post/'),
('[email protected]','post/'),
('[email protected]','post/'),
('root@localhost','post/'),
('[email protected]','post/');
You need to insert the users you require on top of this. Naturally start with one and add more when working ok.
INSERT INTO users (id,maildir) VALUES \
('[email protected]','yourname/');
Addresses such as info, support and sales are very common addresses and you may find them usefull, however they will also fill up with junk mail quite quickly.
The basic server is now configured. Remember to turn all debugging on. Start/Restart the servers:
/etc/init.d/mysql start /etc/init.d/courier-imap start /etc/init.d/postfix start
Send an email to one of the users configured. Watch the /var/log/syslog for any activity. Now set up an email client to read the email. Read Appendix E: for a some examples.
When you have the basic server up and running it is worth extending it into an advanced server. This adds a few usefull options, and makes maintaining it simpler as well.
In the basic setup, domains are hardcoded into main.cf. To be more flexible, you can use the database to supply the domains used.
Modify the virtual_mailbox_domains line:
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
Create a new file in postfix folder: mysql_domains.cf
user=mail password=**** dbname=maildb table=domains select_field=domain where_field=domain hosts=localhost
Create the table in MySQL:
CREATE TABLE domains ( pkid smallint(6) NOT NULL auto_increment, domain varchar(120) NOT NULL default '', transport varchar(120) NOT NULL default 'virtual:', PRIMARY KEY (pkid) );
Populate the table
insert into domains (domain) values
('localhost'),('localhost.localdomain'),
('server.domain.tld'),('domain.tld');
Now next time you want the mail server to receive mail from a domain, just insert it into this table. Apperently you need to have local: for at the real domain name of the server. However I can not verify this.
Instead of creating loads of records in the users table, you could implement Aliases. This means you can forward loads of accounts to one address. Handy if you have multiple of domains. It also makes it easier to manage the users table, and controlling who can access and who receives what.
Append this line to main.cf:
virtual_alias_maps =mysql:/etc/postfix/mysql_alias.cf
Create this file: mysql_alias.cf
user=mail password=**** dbname=maildb table=aliases select_field=destination where_field=mail hosts=localhost
Then import this into MySQL:
CREATE TABLE aliases ( pkid smallint(3) NOT NULL auto_increment, mail varchar(120) NOT NULL default '', destination varchar(120) NOT NULL default '', PRIMARY KEY (pkid), UNIQUE KEY mail (mail) );
Populate the table, remember you need to alias the aliased address to itself as well.
insert into aliases (mail,destination) values
('[email protected]','[email protected]'),
('[email protected]','[email protected]'),
('[email protected]','[email protected]');
If you add a @domain.tld as mail field, then all mails not matching others for that domain will go that destination. Handy sometimes, spamfest other times.
Another advantage of using the aliases option, is that you can then forward email outside your domains. E.g:
insert into aliases (mail,destination) values
('[email protected]','[email protected]');
This will now forward that email to that persons other address not hosted by you. Handy for friends who want an email address, but prefer to use other email servers.
Another feature to avoid email addresses like this: [email protected], you can masquerade it into: [email protected]. Append these lines to main.cf.
masquerade_domains = server.domain.tld !notlocalname.domain.tld masquerade_exceptions = root
Emails are today an important tool of communication. And loosing emails can be very annoying and with significant implications sometimes. So when your server goes down (which mine does every night!), you dont want to loose any emails. Luckily by default most email servers will keep trying to send to your server for ~ 5 days. But you can not be sure of this.
Postfix can work as a backup server. If the primary MX server is down, and this server is the secondary, Postfix will spool all emails for that domain. It will try at intervals if the primary is up again and if so forward the backed up emails to it. This gives you the confidence that fewer emails will be lost.
But the flipside is that you may want people to be notified if the urgent email they sent has been delayed? It is a choice you have to make.
To enable back up, of you own domain you dont do anything, however to enable backup on your server of other's domain emails append this to Postfix's main.cf
proxy_interfaces = 1.2.3.4 relay_domains = mysql:/etc/postfix/mysql_domains.cf \ mysql:/etc/postfix/mysql_backups.cf transport_maps = mysql:/etc/postfix/mysql_transport.cf maximal_queue_lifetime = 16 minimal_backoff_time = 1000 maximal_backoff_time = 54000
Replace the 1.2.3.4 with your external IP if behind a NAT. This can be tricky if your IP keep changing. See Appendix F for tips on how to automate this. The Queue Lifetime is how many days the server keeps the emails. Default is 5, however 16 should cover a holiday etc.
For your server to connect directly to the primary server when it comes online again, you need the transport field. It contains the SMTP server address, wrapped in :[], which indicate ignore its mx settings, just use it.
And replace smtpd_recipient_restrictions with this:
smtpd_recipient_restrictions = permit_mynetworks, \ reject_unauth_destination, check_relay_domains
This will generate some errors as check_relay_domains is being faded out, but I am not 100% reject_unauth_destination works the same when using back up relays.
You need to create this file mysql_backups.cf:
user=mail password=**** dbname=maildb table=backups select_field=domain where_field=domain hosts=localhost
and this file as well mysql_transport.cf:
user=mail password=**** dbname=maildb table=backups select_field=transport where_field=domain hosts=localhost
And then create this table in the database:
CREATE TABLE backups ( pkid smallint(6) NOT NULL auto_increment, domain varchar(128) NOT NULL default '', transport varchar(128) NOT NULL default ':[]', PRIMARY KEY (pkid), UNIQUE KEY domain (domain) )
Then you would insert records like this:
insert into backups (domain,transport) values
('matesdomain.tld',':[server.matesdomain.tld]');
The next step is restricing who can use your server, to protect it and stop crackers and spammers abusing it. The basic server does restrict where mails can go and where they can send them from. But not much protection beyond that. This step is important, and should be followed.
Error limits stops spammers trying millions of email addresses on your server before it gets fobed off. E.g. [email protected],[email protected]. Recipient Limit will stop spammers CCing 100s of people if they get to your server.
smtpd_soft_error_limit = 3 smtpd_hard_error_limit = 12 smtpd_recipient_limit = 16
To protect yourselves againts spammers or bad clients. And make sure that the headers it will need has not been corrupted.
smtpd_helo_required = yes
And replace smtpd_recipient_restrictions with this:
smtpd_recipient_restrictions = permit_mynetworks, \ reject_unknown_recipient_domain, reject_non_fqdn_recipient, \ reject_unauth_destination, check_relay_domains
A number of sites keep a list of know open relay server, which are easily abused by spammers. By blocking these you keep a lot of spam out, and also help in convincing people to not have open relays.
smtpd_client_restrictions = \ reject_rbl_client bl.spamcop.net, \ reject_rbl_client sbl.spamhaus.org, \ reject_rbl_client relays.ordb.org, \ reject_rbl_client blackholes.easynet.nl, \ reject_rbl_client dnsbl.njabl.org, \ reject_rbl_client cbl.abuseat.org
I initially included reject_rbl_client dnsbl.sorbs.net as well. However it blocks my ISPs SMTP server (NTL), which must have been an open relay at some point, but blocking it would be problematic for me!
In Postfix's master.cf we disabled the chroot jail when setting up this server. For security sake it is a good idea to reenable this. However it will be some trial and error to get this working. One issue is that the MySQL socket is outside this jail. This can be overcome with using TCP/IP traffic by setting in your mysql .cf files
host=server.domain.tldwhere server.domain.tld is your server name.
A webmail is an easy front end to test and to use for all. It does not replace your normal email client usage, but it enables quick access from other locations. It also enables less computer liturate to use email as well.
I have chosen SquirrelMail as my webmail package. It is not the prettiest, but it is easy to manage and setup. It is well supported and used, and has many usefull plugins.
Make sure you have the correct Pre Requisites installed. If you get a DB.php error, then you have not installed Berkeley DB support that comes with PHP-Pear.
See Appendix A on how to get it, and extract it to your web directory. It is all PHP and does not need compiling. Follow the INSTALL direction in its folder, and then run ./config/conf.pl from the folder. Change your settings as required. Dont enable any plug ins at this stage.
In the database section change 1 . DSN for Address Book to
mysql://mail:****@localhost/maildb
Then change 3 . DSN for Preferences to
mysql://mail:****@localhost/maildb
Then create these tables in MySQL
CREATE TABLE address ( owner varchar(128) NOT NULL default '', nickname varchar(16) NOT NULL default '', firstname varchar(128) NOT NULL default '', lastname varchar(128) NOT NULL default '', email varchar(128) NOT NULL default '', label varchar(255) default NULL, PRIMARY KEY (owner,nickname), KEY firstname (firstname,lastname) ) ; CREATE TABLE userprefs ( user varchar(128) NOT NULL default '', prefkey varchar(50) NOT NULL default '', prefval varchar(255) default NULL, modified timestamp(14) NOT NULL, PRIMARY KEY (user,prefkey) );
There will be no need for data in these tables. You need to configure your web server to point to SquirrelMail. Either you have addedd SM as folder inside an existing site, or you will be using it as a virtual host, so change webserver's conf ig files if needed. That should be it. Try it. Login name is the id in the users table. A user need to have a mail for the maildirectories to be created before log in so send the user an email first.
Further extensions via plugins are discussed in Further Extensions.
If you have followed my basic-advanced-tighter server setup, your server now is now fairly well configured. However only your local network, or perhaps just the mail server can send emails out via your server. Anyone else whom tries will get a polite fob off message.
That is okay if everyone can use their local ISP as mail relay. But not everyone can or want to, and what happens when you are traveling, and not got access to your normal ISP. So you need to allow people the ability to send email via SMTP from anywhere.
But simply allowing access to outside world is dangerous, and quite likely will be abused. So we need some way of authenticate the users.
SASL, a way of securely authenticate users, is an option many uses, but I dont. The only reason is that I couldnt get it to work. I may add it to the extensions section later.
Pop-Before-SMTP is my chosen option, and does not actually involve any specific authentication. As the name indicates the server records the IP numbers of people who authenticated okay for Pop or with IMAP. It stores their IP for a brief moment, and if traffic from that address request SMTP shortly afterwards, they will be accepted.
Pop-before-SMTP is available as an RPM in Mdk 9.x. However it did not seem to install the config file, so I retrieved the latest tar file instead.
Untar it and test its dependencies with this command:
./pop-before-smtp --config=./pop-before-smtp-conf.pl \ --debug --nowrite --reprocess
If okay: copy the binary file to /usr/sbin, copy the init file /etc/rc.d/init.d copy the pl file to /etc
cp pop-before-smtp /usr/sbin/ cp pop-before-smtp.init /etc/rc.d/init.d/pop-before-smtp cp pop-before-smtp-conf.pl /etc
Modify /etc/pop-before-smtp-conf.pl, file_tail should be like this:
$file_tail{'name'} = '/var/log/mail/info';
Also incomment the courier lines.
Modif y this line again in Postfix's main.cf:
smtpd_recipient_restrictions = permit_mynetworks, \ reject_non_fqdn_recipient, \ check_client_access hash:/etc/postfix/pop-before-smtp, \ reject_unauth_destination, check_relay_domains
The limitation of Pop-Before-SMTP is that people have to check mail before sending. Some clients send before read. So some users need to send/receive twice.
When you start receiving emails you will notice how much of it is junk. And if you run M$ Windows especially you are vulnarable to computer viruses. Postfix can be adjusted to check the contents of emails whether they are valid and what to do about it.
For this you need a content check interface and that is what amavisd-new is. It is itself built upon amavisd but is now much more mature and feature rich than the original.
If you are installing this from Mandrake 10.0, be ware MDK ship with amavisd and amavisd-new, but only amavisd is listed as recommended rpm. As I prefer amavisd-new, you will have to search for amavisd.
The RPM would do all the automatic steps here, but check that they are all done.If you are able to, install from RPM (MDK 10.0) or if you desire obtain the tar.gz file from the site in Appendix: Software and extract it. Amavisd-new is Perl based, and dont need compiling, but do need other modules. If you install from RPMs using e.g. RPMDrake the dependencies will be automatically installed. Otherwise There should be INSTALL file to read in the folder. It will contain a list of modules that you need. They all come with the Mdk CDs so just check if they exist. They will all be named perl-xxxxxx as they are all Perl modules. You may do an install like this.
rpm -i perl-Archive-Tar-x.xx \ perl-Archive-Zip-x.xx perl-Compress-Zlib-x.xx \ perl-Convert-TNEF-x.xx perl-Convert-UUlib-x.xxx \ perl-IO-stringy-x.xxx perl-MailTools-x.xx \ perl-MIME-Tools-x.xxxx perl-Net-Server-x.xx \ perl-Unix-Syslog-x.xxx
Where as usual you replace the xs with version availble. perl-MIME-Base64, perl-libnet, perl-Time-Hires and perl-Digest-MD5 are not RPMs with Mandrake, as they comes with the standard Perl install, so it is not required to install seperatly.
Create an user and group to run the daemon. This will be used for antispan & virus as well, so make it a good un. Then create a folder for amavisd-new to use, and the make it owned by the user created.
adduser amavis mkdir /var/local/amavis chown amavis:amavis /var/local/amavis chmod 750 /var/local/amavis
Copy the amavisd from the source to /use/local/sbin, the conf file to /etc/amavis and the init file to /etc/rc.d/init.d.
cp amavisd /usr/local/sbin chown root /usr/local/sbin/amavisd chmod 755 /usr/local/sbin/amavisd mkdir /etc/amavis cp amavisd.conf /etc/amavis chown root /etc/amavis/amavisd.conf chmod 644 /etc/amavis/amavisd.conf cp amavisd_init.sh /etc/rc.d/init.d/amavisd
Create a folder to store the quarantined emails
mkdir /var/local/quarantine chown amavis:amavis /var/local/quarantine chmd 750 /var/local/quarantine
Edit /etc/amavis/amavisd.conf. There are so many settings in there, so it is wise to:
$MYHOME = '/var/local/amavis'; $mydomain = 'yourdomain.tld'; $daemon_user = 'amavis'; $daemon_group = 'amavis'; $TEMPBASE = "$MYHOME/tmp"; $DO_SYSLOG = 1; $LOGFILE = "$MYHOME/amavis.log"; $log_level = 2; $QUARANTINEDIR = '/var/local/quarantine'; $forward_method = 'smtp:127.0.0.1:10025'; $notify_method = $forward_method; $inet_socket_port = 10024;
Edit /etc/postfix/main.cf and add/modify this line:
content_filter = smtp-amavis:[127.0.0.1]:10024
In /etc/postfix/master.cf, make sure this line is there at the top:
smtp inet n - n - - smtpd
Then add these line further down:
smtp-amavis unix - - n - 2 smtp
-o smtp_data_done_timeout=1200
-o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o strict_rfc821_envelopes=yes
When everything is working you can set these settings in /etc/amavis/amavisd.conf back to:
$DO_SYSLOG = 0; $log_level = 0;
That is the base install of the interface. Next you need to install the anti-spam & anti-virus.
SpamAssassin is possibly the most well known spamdetector available. It can be run as a server or client. The version I use is easy to install, as it is Perl based. To install it, run rpmdrake and pick it or do this:
rpm -i perl-Mail-SpamAssassin-x.xx-xmdk
There are furher tools and plugins to choose if you like as well. It creates a file /etc/mail/spamassassin/local.cf which can be tweaked when using it on its own.
To edit the options used with Amavisd-new, open the amavisd.conf file again. There is a number of settings to tweak, but the defaults are fine. Amavisd-new recognises SpamAssassin by default.
Amavisd-new has preconfigured options for a range of scanners, and particular this option that you should choose the one(s) you want. ClamAV, a free open source virus scanner, was my chosen product. It has an auto update option, large userbase, and since it is easy to setup, I am sold. If you prefer others, free or commercial then choose the one you trust. McAfee and Norten's command line scanners work fine with Amavisd-new.
Once again an RPM for ClamAV is available by Mandrake 9.1, however was failry outdated, as Anti-Virus software moves quicly on. So I prefered to get the latest MDK RPM of Rpmfind.net. Install the main, the lib and the latest virus database.
Review
rpm -i clamav-x.xx-xmdk \ libclamav1-x.x-xmdk clamav-db-x.xx-xmdk
The conf file /etc/clamav.conf, should be okay, but change it neccessary. Amavisd has support for it to call the daemon and the command line version of clamd. I could not get the daemon to work, but the command line was fine. Edit amavisd's conf file again and comment out all other virus scanners at the av_scanner,/i> section, and then only leave i>ClamAV in the @av_scanners_backup section.
@av_scanners = ();
@av_scanners_backup = (
['Clam Antivirus - clamscan', 'clamscan',
'--stdout --disable-summary -r {}', [0], [1],
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
That should be it for content checking. As there as so many options in the amavisd conf file, you should go through it more throughly.
To further ensure virus safety, using several virus scanners could be a good idea. Amavisd-new certainly supports this and all you need is to install the scanner, then uncomment the relevant scanner section in the amavisd.conf file.
To enable better spam detection, you should train Spam Assassin. It has a bayessian filter which needs data seeds to improve detection. Also SA supports using black and white list for know spam.
Enabling auto update daemon, protects you against the latest viruses. Recommended unless you are confident you will manually do it once a week. Append this to the root crontab.
0 */8 * * * /usr/bin/freshclam --quiet
Daemon that listens of virus scan requests.
On access client scanning.
Secure authentication for sending emails via SMTP. Trickier to implement and link to MySQL passwords. But more complete secure smtp solution than pop-before-smtp.
If a user no longer uses the email address, postfix can send email back that goes to that sender with a note that addres no longer is in use and what the new address is. Handy if people changes it often.
Append to Postfix's main.cf
relocated_maps = mysql:/etc/postfix/mysql_relocated.cf
Create this MySQL file
user=mail password=**** dbname=maildb table=relocated select_field=newadr where_field=oldadr hosts=localhost
And create this table
CREATE TABLE `relocated` ( `pkid` smallint(6) NOT NULL auto_increment, `oldadr` varchar(128) NOT NULL default '', `newadr` varchar(128) NOT NULL default '', PRIMARY KEY (`pkid`), UNIQUE KEY `oldadr` (`oldadr`) )
I have attempted to import the lists of DNBLs into a MySQL table. However I was not confident it would work. Here is the mods I did to main.cf
smtpd_client_restrictions = reject_rbl_client \ mysql:/etc/postfix/mysql_blacklist.cf
Here is the relevant file: /etc/postfix/mysq_blacklist.cf
user=mail password=**** dbname=maildb table=blacklist select_field=server hosts=localhost
Here is the SQL:
CREATE TABLE `blacklist` (
`pkid` smallint(6) NOT NULL auto_increment,
server varchar(128) NOT NULL default '',
PRIMARY KEY (`pkid`),
UNIQUE KEY `domain` (`domain`)
)
INSERT INTO `blacklist` ( server ) VALUES \
(bl.spamcop.net'), ( 'sbl.spamhaus.org'), \
( 'relays.ordb.org'), ( 'blackholes.easynet.nl'), \
('dnsbl.njabl.org'), ( 'dnsbl.sorbs.net'), \
( 'cbl.abuseat.org');
A web based front end to administer the email server. This simplifies viewing and modifying the email settings. While this mostly targets the email addresses, domain names etc, and not actual Postfix settings, some can be extended to enabled those to also be administered online.
A number of projects already exist which can be used. A quick search of Source Forge reveales several such projects. E.g. CourierAdmin, MyPFXAdmin, myWebHosting etc. ( All phpMyAdmin inspired names...).
But as I am stuborn, I've decided to write my own. It is not ready for public release yet though, as it has few features, needs more debugging and definetly needs someone to do some fluffing over it.
Click here to Download PostfixAdmin. It is simple Java Web Application that I wrote to administer my postfix box. It is not a WAR file, as you need to tweak the WEB-INF/apes.xml and the context if needed.
Files modified in Basic Server setup.
Dont finish with this, it is too unsafe.
Install Postfix, Courier-IMAP, MySQL.
File List:
/etc/postfix/main.cf etc/postfix/master.cf etc/postfix/mysql_uid.cf etc/postfix/mysql_gid.cf etc/postfix/mysql_mailbox.cf etc/courier/imapd etc/courier/pop3d etc/courier/authdaemonrc etc/courier/authmysqlrc home/backup/sql/schema.maildb.basic.sql home/backup/sql/data.maildb.basic.sql usr/local/bin/postfix_basic_setup.sh
Download(Not Available)
Read the shell script postfix_basic_setup.sh, verify I am not corrupting your server, tweak anything non standard, and then execute it.
Files modified in Advanced Server setup.
A powerfull server, but not recommended due to security issues.
File List in addition of Basic:
etc/postfix/main.cf etc/postfix/mysql_domains.cf etc/postfix/mysql_aliases.cf etc/postfix/mysql_backups.cf etc/postfix/mysql_transport.cf home/backup/sql/schema.maildb.advanced.sql home/backup/sql/data.maildb.advanced.sql usr/local/bin/postfix_adv_setup.sh
Download(Not Available)
Read the shell script postfix_adv_setup.sh, verify I am not corrupting your server, tweak anything non standard, and then execute it.
Files modified in Tighter Server setup.
A reliable solution.
File List in addition of Advanced:
etc/postfix/main.cf etc/postfix/master.cf usr/local/bin/postfix_tight_setup.sh
Download (Not Available)
Read the shell script postfix_tight_setup.sh, verify I am not corrupting your server, tweak anything non standard, and then execute it.
Files modified in Webmail, Send mail and Content Checks setup.
Advanced Tight Server with webmail, send support and content check.
Install Amavisd-new, SpamAssassin, ClamAV.
File List in addition of Tighter:
etc/postfix/main.cf var/www/html/squirrelmail/config/config.php home/backup/sql/schema.maildb.advanced.sql etc/pop-before-smtp-conf.pl etc/amavis/amavisd.conf etc/amavis/amavisd.conf etc/clamav.conf usr/local/bin/postfix_comp_setup.sh
Download (Not Available)
Read the shell script postfix_comp_setup.sh, verify I am not corrupting your server, tweak anything non standard, and then execute it.
|
My own initial server was based on a set of tutorials by John Lock on the TechRepublic web site. It was then extended with a mixture of HowTos from the Postfix website. Among some read were: Postfix.org has now updated their documentation. So refer to it for commands and set up issues as well. (RTFM).Other Guides:
Buy it here from Amazon UK if you are in their catchment area.Go to top. |
Firstly install the OS. Mandrake is easy to install to what ever you require for it to do.
Enable SMTP, POP3, IMAP, POP3S, IMAPS on your firewall. If you use the MDK's supplied Shorewall simple add this line to /etc/shorewall/rules and restart Shorewall:
ACCEPT net fw tcp 25,80,143,443,993,995 -
You may however restrict this to only local net while testing:
ACCEPT net:192.168.0.0/24 fw tcp 25,80,143,443,993,995 -
Aquire all the souce files needed. See Appendix: Sources, download the ones not on your distribution CD (or URPMI). Then install MySQL and PHP as they are not described anywhere else.
Install MySQL with the RPMs that mandrake supplies. Use these commands, or use rpmdrake and search for mysql.
rpm -i MySQL-x.x.xxx-x.xmdk MySQL-common-x.x.xxx-x.xmdk \ libmysql12-x.x.xxx-x.xmdk libmysql12-devel-x.x.xxx-x.xmdk \ MySQL-client-x.x.xxx-x.xmdk
Start the server and test it
/etc/init.d/mysql start
Debug logging of mysql command is possible by creating /etc/my.cnf:
[mysqld] log=/var/log/mysql/mysql.log
Make sure root has a password. Default is not!
mysqladmin -u root password ****
PHP is require for webmail and myPHPAdmin
rpm -i apache2-mod_php-x.x.xx_x.x.x-xmdk \ libphp_commonxxx-xxx-xx.xmdk php-mysql-x.x.x-xmdk \ php-pear-x.x.x-xmdk
You need to a client to create and manipulate the database. The default command line client is fine.
rpm -i MySQL-client-x.x.xxx-x.xmdk
However a better interface is desirable. phpMyAdmin is a web interface that has become a standard for MySQL administration. Fetch the php tar file from phpmyadmin.sf.net and install into a web folder. Then read INSTALL file.
Send comments to me.
Name: James
Date: 2004-05-17
Subject: Postfix Howto
First I would like to say "Thank You!" for the guide you put
up at http://home.eray.biz/sites/postfix/. I have not gotten any of it
work quite yet but am trouble shooting as I go. I did notice a couple
of small things so far, that I wanted to point out: First: In the mysql_gid.cf
file you have select_field=uid and I believe it should read select_field=gid
Second: unless I missed it, we never create the DB for the users table. This is not a big deal to do however, since your how-to is very step by step, it may be confusing to some. Honestly I have not moved past the basic setup yet.
I am having some permission problems (although Fetchmail grabs the mail alright, the system is unable to create the /var/mail/virtual/foo/bar/ dir.) I am sure that this is a small issue perhaps with the way the APT packages are set up for Debian vs the RPM's you used in Mandrake. Anyway, although I have used postfix quite a bit in the past, this is the first time I have used it with MySQL and Courier. The setup you end up with is pretty much exactly what I want to eventually have so it will be worth a bit of troubleshooting.
Thanks again; James
Review
Name: Bob
Date: 2004-06-03
Subject: Email Server Setup
I followed the techrepublic article on email server setup for postfix,
courier-imap and squirrelmail and your article appears to be very similar.
I ran into an issue with squirrelmail preferences not working that I
finally traced to the mysql userprefs table having user set to only 20
characters, while one of my email addresses was slightly longer. This
seems like something that would affect quite a few people. I'd suggest
changing
CREATE TABLE userprefs (
user varchar(20) NOT NULL default '',
to
CREATE TABLE userprefs (
user varchar(128) NOT NULL default '',
to match the id length given in the users table.
The big problem that I have is that I would like to do filtering on the
email as it comes in, but procmail is only used for local users and not
virtual users as we have set up. I see that the users table has
procmailrc as one of the fields, but I don't know how I would use it.
Everything that I find on the internet seems to say that procmail can
not
be used with virtual users. Do you know of a way? Squirrelmail has a
nice plugin called serversidefilters that I would like to use to configure
the user procmailrc, I just haven't figured out how or if it can be done
with virtual users.
Thanks,
Bob
Review
Name: Bob
Date: 2004-06-08
Subject: Email Server Setup
I installed maildrop and it works great with virtual users as well as
with
the serversidefilter plugin in Squirrelmail. Now each user can create
filter rules easily from within Squirrelmail using a simple interface.
I
would strongly suggest going with maildrop when using virtual users over
using procmail if you should ever need per user filtering.
Thanks for the reply and providing a great install document.
Bob
Review
Name: Antti
Date: 2004-06-07
Subject: Postfix
Hi,
Thank's for your great post system install manual!
I have one problem: I cannot login my account. Crypt is problematic.
How it works?
When I try to login, I get error that password is wrong.
Can you help me, please?
(sorry my poor english)
- Antti
Review
Name: Antti
Date: 2004-06-12
Subject: Postfix
Hi,
Thank's for help... but I have other problem now.
When I send email to my address, email come back and log say:
postfix/smtpd[17664]: NOQUEUE: reject: RCPT from
xxxx.xxxx.fi[###.###.###.###]: 554 <[email protected]>: Relay access
denied; from=<[email protected]> to=<[email protected]>
proto=ESMTP helo=<xxxx.xxxx.fi>
Maybe I have to use mynetworks variable in main.cf ?
- Antti
Review
Name: Ken
Date: 2004-06-08
Subject: Question on your Postfix Tutorial
Hi Ivar:
I hope this email finds you doing well.
I've been following your tutorial on Postfix + Mysql
at http://home.eray.biz/sites/postfix/.
Thank you for taking the time to outline all of these
steps, without your tutorial, I'd be completely lost!
I've got postfix working using the basic
configuration, where is will accept mail to people
listed in the users table in the MySQL database.
However, the creation of mail in the virtual directory
is failing with a permission denied error.
I did a ps, and see that "virtual" is running as the
user "postfix" but the /var/mail/virtual directory is
owned by virtual, as you instructed. I'm wondering
where the virtual account is used, I don't see it in
any of your sample config files.
Please advise. Thanks again for your tutorial and help!
Kindly,
Ken
Here are some setup tips to read/send email via some familiar email clients.
Adding New Account.
Click File/New/Account. Select Email Account and click Next, Enter you name and email address and click Next, Select IMAP(Recommended) or Pop and enter your servername as server and click Next, Enter as username the full email address you insert into the database, into both fields and click Next, Enter an Account name and click Next then Finish.
Review
#!/bin/bash
touch history.ip
dig yourserver.domain.tld | grep ^yourserver.domain.tld \
| awk '{print $5}' > current.ip
if cmp current.ip history.ip >/dev/null
then
# they are the same
stuff='a'
else
cp current.ip history.ip -f
date >> current.ip
tr '\n' '\t' < current.ip > temp
echo >> temp
cat temp >> iphistory.txt
stuff=`cat history.ip`
stuff="proxy_interfaces=$stuff"
sed -e "s/^proxy_interfaces=.*$/${stuff}/g" < /etc/postfix/main.cf > temp
mv temp /etc/postfix/main.cf -f
postfix reload
fi
To wrap things up, you need to set the servers up to start automatically. Make sure that in /etc/rc.d/init.d there are: a postfix, courier-imap, spamassassin, amavisd, pop-before-smtp and maybe a clamd. then check that they are linked from rc3, 5 and 6. If not do something like this.
cd /etc/rc.d/rc3.d ln -s ../init.d/amavisd S79amavisd ln -s ../init.d/clamd S77clamd ln -s ../init.d/courier-imap S81courier-imap ln -s ../init.d/pop-before-smtp S82pop-before-smtp ln -s ../init.d/spamassassin S78spamassassin ln -s ../init.dpostfix S80postfix cd /etc/rc.d/rc5.d ln -s ../init.d/amavisd S79amavisd ln -s ../init.d/clamd S77clamd ln -s ../init.d/courier-imap S81courier-imap ln -s ../init.d/pop-before-smtp S82pop-before-smtp ln -s ../init.d/spamassassin S78spamassassin ln -s ../init.dpostfix S80postfix cd /etc/rc.d/rc6.d ln -s ../init.d/amavisd K31amavisd ln -s ../init.d/clamd K33clamd ln -s ../init.d/courier-imap K29courier-imap ln -s ../init.d/pop-before-smtp K28pop-before-smtp ln -s ../init.d/spamassassin K32spamassassin ln -s ../init.dpostfix K30postfix cd /etc/rc.d/rc0.d ln -s ../init.d/amavisd K31amavisd ln -s ../init.d/clamd K33clamd ln -s ../init.d/courier-imap K29courier-imap ln -s ../init.d/pop-before-smtp K28pop-before-smtp ln -s ../init.d/spamassassin K32spamassassin ln -s ../init.dpostfix K30postfix
This should start the server up every time. Or use chkconfig to set up the links for you.
Postfix's Maildir type email can be backed up. Limitation are than only delivered mail can be easily backed up. The spool files of queued mails are more tricky. Set up a cronjob to include something like this:
tar -czf mail.tgz /var/spool/mail
I would advice a backup plan for the mysql database as well. Utilise the mysqldump program and backup your mail database.
mysqladmin -d -B maildb -u mail -p**** > maildb_schema.sql mysqladmin -n -t -B maildb -u mail -p**** > maildb.data.sql
These were the source packages used.
Review
Use the ones supplied with your distrubution, if not then download these RPMs and Tar files:
Date: 2004-03-06
Subject: Etiquette
I will post comments made by people here. Bux fixes, better tweaks, and helpfull messages etc. Comments like "You use package A, but package B is way better, as that is what I use." wont be posted as it is not relevant. Some of the comments will be parafrased and edited. If you do not want comments here, then place state so.