2218859 How to Set Up a Mail Server on a GNU Linux System


  • 8/6/2019 2218859 How to Set Up a Mail Server on a GNU Linux System

    1/47

    How to set up a mail server in Ubuntu 2008

    Flurdy. (2008, 03 05). How to set up a mail server on a GNU / Linux system.

    Retrieved 03 05, 2008, from Flurdy: http://flurdy.com/docs/postfix/

    How to set up a mail server on a GNU /

    Linux system

    Step by step guide to install Postfix

    Ubuntu + Postfix + Courier IMAP + MySQL + Amavisd-new + SpamAssassin +

    ClamAV + SASL + TLS + Squirrel Mail + Postgrey

    Easy to follow how to on setting up a mail server with unlimited users and domains, with

    IMAP/Pop access, anti-spam, anti-virus, secure authentication, encrypted traffic, web mail

    interface and more.

    Based on an Ubuntu distribution platform, but instructions are distro generic.

    postfix

    5th edition

    Author Ivar Abrahamsen

    License: Respect (CC by-sa)

    Last Update: 2006-11-27

    Contact / Discuss

    Contents

    Editions

    List of different versions of this document.

    Introduction

    Brief description of this document.

    o Aim

    o Requirements

    o Research

    o Author

    Software


    By CyBerNe7 * Visit WwW.cyberfun.ro * thank you *


    Which software is used for the different elements and why.

    Install

    How to install the required software.

    o Distro

    o Base

    o Repositories

    o Packages

    o Procedure

    Configure

    Post install, what to configure for each section, with full command examples.

    o OS (Ubuntu)

    o MTA (Postfix)

    o Database (MySQL)

    o IMAP (Courier)

    o Content Checks (amavisd-new)

    Anti Virus (ClamAV)

    Anti Spam (SpamAssassin)

    o Policy (Postgrey)

    o Authentication (SASL)

    o Encryption (TLS)

    o Webmail (SquirrelMail)

    o Admin (phpMyAdmin)

    o DNS

    Data

    Creating the basic stub of data, and how to add your own.

    o Add users and domains

    o Common SQL

    Test

    Testing and troubleshooting each element.

    Extend

    Post working system, detailed instructions on optional features to add.

    o Remote MX mail backup

    o Local file backup

    o Sender ID & SPF

    o Spam Reporting

    o White/Black lists

    o PGP & S/MIME

    o Relocation notice

    o Pop-before-SMTP


    o Auto Reply

    o Block Addresses

    o Throttle Output

    o Mail Lists

    o Admin software

    Appendix

    o References

    o Software Links

    o Difference between Ubuntu versions

    o Downloads

    o Contact

    o Todo

    o Change Log


    Editions

    Edition     State                Started  Updated  Description

    1st         Released (outdated)  2004-01  2004-02  Based on Mandrake 9.1.

    2nd         Released (outdated)  2004-02  2004-07  Based on Mandrake 10.x, but valid for all distributions. Very thorough. Includes package description, where to get the sources and binaries, how to build them or which RPMs to use, includes many references, etc etc. Starts off with a basic working server, then advances, extends and tightens it in stages.

    3rd         Released             2005-05  2005-11  Based on Ubuntu 5.04, Hoary Hedgehog. More concise simplified guide to get an advanced server working quickly. Now includes SASL & TLS integration.

    4th         Released             2005-10  2005-12  Based on Breezy Badger, Ubuntu 5.10. Includes Postgrey.

    5th (this)  Released             2006-05  2006-11  Based on Dapper Drake, Ubuntu 6.06 LTS.

    6th         In development       2006-11  2006-11  Will be based on Edgy Eft, Ubuntu 6.10. Or may wait for 7.04. May include Domain Key signing. May include my mail admin or my catchall aliases admin.

    Further details available in the change log and below in the introduction.


    Notice

    This document evolves with every Ubuntu release. It may have some old incorrect references. If you encounter any, please let me know.

    Introduction

    Aim

    Requirements

    Research

    Author

    Aim

    This is a step by step howto guide to set up a mail server on a GNU / Linux system. It is easy to follow, but you end up with a powerful, secure mail server.

    The server accepts unlimited domains and users, and all mail can be read via your favourite clients, or via web mail.

    It is secure, traffic can be encrypted and it will block virtually all spam and viruses.


    Requirements

    Hardware: A computer to be the server. Processor and memory requirements are low. Disk

    space is relevant to what mail you expect to keep, Range between


    Author

    I am Ivar Abrahamsen, a 29 year old software engineer from Norway, but based in Manchester. I use Linux a lot, though I am not a guru. My general interests are sports, technology and my better half.

    Why have I written this how to? I set up my mail server in 2003, and then did the same for a few friends and colleagues. Soon I was getting more requests, and being a lazy programmer, I thought.. "Why don't I write a howto and let them do it themselves..." Soon it was listed on postfix.org and I was getting thousands of hits and lots of emails. (blessing in disguise)

    See the contact section for how to discuss this howto and how to contact me. Send me a note if you found this useful. If you use this for commercial purposes, then why not donate a few quid? (Remember to respect the licenses involved)


    Software

    Ubuntu, postfix, Courier IMAP, MySQL, amavisd-new, ClamAV, SpamAssassin, SquirrelMail, admin, SPF, GnuPG, SASL

    What software packages have/will I use and why.

    OS: Ubuntu Linux

    www.ubuntu.com

    Ah the age old distro argument... Thankfully this set up should work on most distros. I used to base this howto on Mandrake (now Mandriva), and I started this new edition on a Gentoo box. But I don't have the patience for Gentoo, nor the money to stay with Mandriva Power editions. Why Ubuntu? It's free, simple and slick. As Ubuntu is derived from Debian the installations used here will be apt-get based. Please refer to my other editions for details on RPM or source based installations.

    MTA: Postfix

    www.postfix.org


    Simple, free and slick. Yup I am a sucker for anything that works easily. Postfix is powerful, well established, but not too bloated, and is security conscious from the start.

    Pop/IMAP: Courier IMAP

    www.courier-mta.org/imap/

    My first mail server installation was with Courier. I have not found a reason to change this as again it is simple, and free.

    Database: MySQL

    www.mysql.com

    Although I use Firebird for my application development, (or Hibernate/C-JDBC

    hybrids), MySQL is well supported for the sort of lookups required in a mail server.

    Content Check: Amavisd-new

    www.ijs.si/software/amavisd/

    Easy plug in solution for spam, virus checking etc.

    Anti-Spam: SpamAssassin

    spamassassin.apache.org

    Powerful, renowned spam fighting tool.

    Anti-Virus: ClamAV

    www.clamav.net

    Free virus scanner that can be trusted and includes update daemon.

    Authentication: Cyrus SASL

    www.imc.org/ietf-sasl/

    Secure and trusted cryptography technology for authentication of SMTP traffic.

    PostGrey

    isg.ee.ethz.ch/tools/postgrey/

    Postgrey is an excellent little script to stop 99% of all spam. All it does is on first

    contact for specific from-to combinations, tells the sender server to try again in a


    little while, which most spammers can't afford to do. When proper servers try again after a few minutes it lets it through.

    Encryption: TLS

    www.ietf.org/html.charters/tls-charter.html

    Secure and trusted cryptography technology for encryption of SMTP traffic. Not to be confused with client encryption technology like GnuPG and S/MIME. They are covered in the extend section. Formerly referenced as SSL.

    WebMail: SquirrelMail

    www.squirrelmail.org

    Easy to set up php based web mail client.

    Please see the software links appendix for further information about these software packages. In that section there are more links to documentation or forums, and viable alternatives, downloadable packages, version details etc.

    Further software and tweaks are discussed in the extension section.

    Also review other people's opinions on these packages via my references.
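
    The greylisting behaviour described for Postgrey above, sketched as an added example; it is not part of the original howto and is not Postgrey's own code. The timing constants, the /24 client keying (which goes beyond the "from-to combinations" in the text), the in-memory store and all function names are assumptions of this sketch; the request and reply layout follows Postfix's policy delegation protocol.

```python
from dataclasses import dataclass

# Assumed policy values for this sketch (not taken from the page or from Postgrey).
MIN_DELAY = 300                 # seconds a new triplet must wait before a retry passes
RETRY_WINDOW = 2 * 24 * 3600    # unanswered first attempts are forgotten after this
PASS_LIFETIME = 35 * 24 * 3600  # passed triplets expire if unused for this long


@dataclass
class Entry:
    first_seen: int
    last_seen: int
    passed: bool = False


class Greylist:
    """Tracks (client network, sender, recipient) triplets in memory."""

    def __init__(self):
        self.entries = {}

    @staticmethod
    def triplet(client_address, sender, recipient):
        # Keying on the client's /24 lets a retry from a sibling outbound
        # host of the same provider match the first attempt (IPv4 only here).
        network = ".".join(client_address.split(".")[:3])
        return (network, sender.lower(), recipient.lower())

    def check(self, client_address, sender, recipient, now):
        """Return "DEFER" (temporary reject) or "PASS" for one RCPT TO."""
        key = self.triplet(client_address, sender, recipient)
        entry = self.entries.get(key)
        if entry is not None:
            if entry.passed:
                expired = now - entry.last_seen > PASS_LIFETIME
            else:
                expired = now - entry.first_seen > RETRY_WINDOW
            if expired:
                entry = None
        if entry is None:
            # First contact: remember it and ask the sending server to retry.
            self.entries[key] = Entry(first_seen=now, last_seen=now)
            return "DEFER"
        entry.last_seen = now
        if entry.passed or now - entry.first_seen >= MIN_DELAY:
            entry.passed = True
            return "PASS"
        return "DEFER"  # retried too quickly; the original timestamp is kept


def parse_policy_request(text):
    """Parse one Postfix policy-delegation request (name=value lines)."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break  # an empty line ends the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def handle_request(greylist, text, now):
    """Turn a policy request into the action reply sent back to Postfix."""
    attrs = parse_policy_request(text)
    verdict = greylist.check(attrs.get("client_address", ""),
                             attrs.get("sender", ""),
                             attrs.get("recipient", ""), now)
    if verdict == "DEFER":
        return "action=DEFER_IF_PERMIT Greylisted, please try again later\n\n"
    return "action=DUNNO\n\n"  # no opinion: later restrictions still apply


def request(client, sender, recipient):
    # Constructed sample request; addresses use documentation ranges and domains.
    return ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
            f"client_address={client}\nsender={sender}\n"
            f"recipient={recipient}\n\n")


def demo():
    """Replay a constructed timeline: (seconds, client, action) per attempt."""
    gl = Greylist()
    legit = ("192.0.2.10", "alice@example.org", "bob@example.com")
    bulk = ("198.51.100.7", "promo@example.net", "bob@example.com")
    # The bulk sender fires once and never retries; the real MTA retries.
    timeline = [(0, legit), (5, bulk), (60, legit), (400, legit), (4000, legit)]
    return [(t, who[0], handle_request(gl, request(*who), t).split()[0])
            for t, who in timeline]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

    The one-shot sender is only ever deferred, while the retrying server is accepted once its first attempt is at least MIN_DELAY old and passes immediately afterwards.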


    Install

    Distro

    Base

    Repositories

    Packages

    Procedure

    Distro

    This section is different for every distribution and for every version.

    This howto is based on Ubuntu and its base of Debian, which uses apt-get. Therefore this section uses apt packages to the fullest.

    For other installation methods please refer to the software and the software links sections and your own distribution's documentation for other ways of installing. My 2nd edition (outdated) has instructions for Mandriva, general RPM and tarball compiling.


    To follow the rest of this howto, you need to ensure all your packages have been installed with the same modules, e.g. MySQL lookup on postfix and sasl, php in apache etc.

    I have set up mail servers using the 32bit and 64bit x86 platforms, however if all the packages are available then other platforms, e.g. Mac, should work too.


    Base

    Upon installing Ubuntu you have a choice of which base system to install.

    The default, i.e. the one chosen when you just hit enter when prompted right at the start, is the basic desktop flavour.

    Another useful one is the server base. It only includes the absolute minimum of packages, so is quite useful if you are only to use it remotely. Since Breezy it is also available as a smaller iso download, or by using the normal cd by hitting F1 instead of enter and writing server on the prompt.

    This howto has been used with both bases; the server base will need some more dependency packages, that's all.


    Repositories

    When the base system is up and running you need to check your package repositories, i.e. where the system retrieves new software.

    The install procedure usually leaves you with a /etc/apt/sources.list that includes the cd and the main, restricted and updates repositories.

    That is fine for the absolute core packages involved in this mail server, however a full install requires universe, and you might as well also include multiverse and backports.

    I also tend to disable the cd option, but that is up to you.

    You will have to find a repository mirror close to your location from the archives; replace mine, gb.archive.ubuntu.com, with your choice.

        #deb cdrom:[Ubuntu 6.06 _Dapper Drake_ - Release i386 (20060601)]/ dapper main restricted
        deb http://gb.archive.ubuntu.com/ubuntu dapper main restricted multiverse universe
        deb-src http://gb.archive.ubuntu.com/ubuntu dapper main restricted multiverse universe
        deb http://gb.archive.ubuntu.com/ubuntu dapper-updates main restricted multiverse universe
        deb-src http://gb.archive.ubuntu.com/ubuntu dapper-updates main restricted multiverse universe
        deb http://gb.archive.ubuntu.com/ubuntu dapper-security main restricted multiverse universe
        deb-src http://gb.archive.ubuntu.com/ubuntu dapper-security main restricted multiverse universe
        deb http://gb.archive.ubuntu.com/ubuntu dapper-backports main restricted multiverse universe
        deb-src http://gb.archive.ubuntu.com/ubuntu dapper-backports main restricted multiverse universe
        ## EXTRAS
        #deb http://ubuntu-backports.mirrormax.net/ dapper-extras main universe multiverse restricted contrib
        ## MARILLAT
        #deb ftp://ftp.nerim.net/debian-marillat unstable main


    Packages

    Here is a list of packages needed, and what they provide. Some are required by several of the software packages, some might not be needed if you are not fully following this howto. Please note the extended section requires further packages.

    OS

    shorewall

    openssh-client

    openssh-server

    I've included the Shorewall firewall. A firewall is not required, but recommended. Obviously you can use another firewall, but I'll assume you have chosen Shorewall. An SSH server is not required either, but essential if you need to administer or test the server remotely.

    MySQL

    mysql-common

    mysql-client

    mysql-server

    libmysqlclient12

    MySQL 4 is required by many of the packages, so install it first.

    TLS

    openssl

    SASL

    libsasl2

    libsasl2-modules

    libsasl2-modules-sql

    libauthen-sasl-cyrus-perl

    libauthen-sasl-perl

    libgsasl7


    The SASL packages have changed for Breezy. I'm investigating the differences. The * packages I have from Hoary repositories.

    Postfix

    postfix

    postfix-tls

    postfix-mysql

    postfix-tls is as of Breezy part of the postfix package, however if you are not using Breezy then you must install postfix with included TLS features.

    Courier-IMAP

    courier-base

    courier-authdaemon

    courier-authmysql

    courier-imap

    courier-imap-ssl

    courier-ssl

    If you require pop access then you'd want to install the pop packages as well.

    amavis-new

    amavisd-new

    Spam Assassin

    spamassassin

    spamc

    ClamAV

    clamav-base

    libclamav1

    clamav-daemon

    clamav-freshclam

    Postgrey

    postgrey

    There is also a postfix-gld, however I am using the postgrey one until I have fully tested the other.

    SquirrelMail


    squirrelmail

    squirrelmail-locales

    apache2

    libapache2-mod-php4

    php4-mysql

    php4-pear

    php4-cli

    SquirrelMail webmail requires a working Apache web server, with PHP with MySQL support. Note these web packages use PHP4.

    phpMyAdmin

    phpmyadmin

    Like SquirrelMail, phpMyAdmin requires a working Apache server.


    Procedure

    Now you might not want to install all the packages in one go, perhaps better to group them by each software or a few together.

    Please note you should run most of these commands via sudo. I just haven't prepended all the commands with it.

    If you want to find additional packages, you can do a quick command line search for packages, by using this command:

        apt-cache search postfix

    To find out what you might already have installed:

        dpkg --list | grep postfix

    Then when you have the package list do this to install:

        # add -s to do a test run
        # or -d if you just want to download the packages and do the install later
        # (package names are separated by spaces)
        apt-get install package-name another-package-name

    Some of the package installations will prompt you for input.

    Postfix will ask you what type of server to create. I just say "Internet Site" as we will be

    changing most configs anyway. It will also ask for the fully qualified name of your server.

    The clamav installation may ask whether to create directories etc. Courier will ask to


    install web admin, which I don't need, and that it will install TLS encryption which is good.

    Many of the packages also require further dependent packages. So the final package list is quite large.


    Configure

    Now everything is installed it is time to configure each of the core applications used.

    OS (Ubuntu)

    MTA (Postfix)

    Database (MySQL)

    IMAP (Courier)

    Content Checks (amavisd-new)

    o Anti Virus (ClamAV)

    o Anti Spam (SpamAssassin)

    Policy (Postgrey)

    Authentication (SASL)

    Encryption (TLS)

    Webmail (SquirrelMail)

    Admin (phpMyAdmin)

    DNS

    OS: Ubuntu

    The most important setting, security wise, is to configure the firewall. This of course varies between firewalls and with your usage. The main Shorewall config files in /etc/shorewall that we are concerned with are interfaces, hosts, zones, policy and rules.

    Here is a typical basic zones file

        #zone   display   comment
        loc     Local     Local network
        net     Net       Tinternet

    Here is a typical interfaces file

    net eth0 detect

    Here is a typical hosts file

    loc eth0:192.168.0.0/24

    Here is a typical policy file

        fw      loc     ACCEPT
        fw      net     ACCEPT
        loc     all     DROP      info
        net     all     DROP      info
        all     all     REJECT    info


    Here is a typical rules file for a mail server

        AllowPing   loc  fw
        AllowSSH    loc  fw
        #AllowSMTP  loc  fw
        #ACCEPT     loc  fw  tcp  465,587  -
        #AllowIMAP  loc  fw
        #AllowPing  net  fw
        #AllowSSH   loc  fw
        #AllowSMTP  net  fw
        #ACCEPT     net  fw  tcp  465,587  -
        #AllowIMAP  net  fw

    SMTP access from everywhere is commented out, until we are confident everything is working and secure. Also commented out for now is IMAP and TLS SMTP traffic until we need it. You might enable SSH from the tinternet if you want.

    Then edit /etc/default/shorewall and turn it on.

        startup=1
        # restart shorewall with: /etc/init.d/shorewall restart

    For more details on IP Tables and Shorewall, look up its website.


    MTA: Postfix

    Postfix resides in /etc/postfix. Postfix is by default set up in a chroot jail. This is a security procedure and is a very good feature.

    However when setting up the server the chroot may be a problem, so keep it in mind if something doesn't work. In master.cf there is a column which decides which modules are run within the jail restrictions. Hopefully you don't have to change these settings.

    In main.cf you define how Postfix shall operate. Each distribution has different defaults for these settings, however most are similar, so you should not need to worry, but be aware of it. These defaults are defined in the postfix installation folder, which probably is somewhere in /usr. Most distributions also set up some suggested defaults in the main.cf. Edit this file, note the suggestions and then comment them out.

    First set your server name; this must match what you put in your domain's DNS MX records.

        myhostname = server.yourdomain.com

    Then decide what the greeting text will be. Enough info so it is useful, but not so much that it divulges everything to potential hackers.

        smtpd_banner = $myhostname ESMTP $mail_name

    Next you need to decide whether to send all outgoing mail via another SMTP server, or send them yourself. I send via my ISP's server, so it has to worry about the queuing etc. If you send it yourself then you are not reliant on a 3rd party server. But you may risk more


    exposure and accidentally be blocked by spam blockers. And it is more work for your server. Also many servers block dynamic dns hosts, so you may find your server gets rejected. However choose whichever you are comfortable with.

        # leave blank to do it yourself
        relayhost =
        # or put in an accessible smtp server
        relayhost = smtp.yourisp.com

    Next is network details. You will accept connections from anywhere, and you only trust this machine.

        inet_interfaces = all
        mynetworks_style = host

    Next you can masquerade some outgoing addresses. Say your machine's name is
    "mail.domain.com". You may not want outgoing mail to come from an address at
    mail.domain.com, as you'd prefer one at domain.com. You can also state
    which domains not to masquerade. E.g. if you use a dynamic DNS service, then your server
    address will be a subdomain. You can also specify which users not to masquerade.

    masquerade_domains = sub.domain.com !sub.dyndomain.com
    masquerade_exceptions = root

    As we will be using virtual domains, these need to be empty.

    local_recipient_maps =
    mydestination =

    Then we will set a few numbers.

    # how long if undelivered before sending warning update to sender
    delay_warning_time = 4h
    # will it be a permanent error or temporary
    unknown_local_recipient_reject_code = 450
    # how long to keep message on queue before return as failed.
    # some have 3 days, I have 16 days as I am backup server for some people
    # who go on holiday with their server switched off.
    maximal_queue_lifetime = 7d
    # max and min time in seconds between retries if connection failed
    minimal_backoff_time = 1000s
    maximal_backoff_time = 8000s
    # how long to wait when servers connect before receiving rest of data
    smtp_helo_timeout = 60s
    # how many addresses can be used in one message.
    # effective stopper to mass spammers, accidental copy in whole address list
    # but may restrict intentional mail shots.
    smtpd_recipient_limit = 16
    # how many errors before back off.
    smtpd_soft_error_limit = 3
    # how many max errors before blocking it.
    smtpd_hard_error_limit = 12

    Now we can specify some restrictions. Be careful that each setting is on one line only.

    # Requirements for the HELO statement
    smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
    # Requirements for the sender details
    smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
    # Requirements for the connecting server
    smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client relays.ordb.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
    # Requirement for the recipient address
    smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit

    In my client restrictions I specify some spam detection servers. These are called RBLs:
    Real-time Blackhole Lists. They check if the connecting server is a known open relay used by
    spammers. Some argue these should not be used in the Postfix configuration, as there are
    some false positives. SpamAssassin also uses RBL checking, but as part of its scoring system,
    so it is not all black and white. I added some warn_if_reject parameters. They basically don't
    reject the email but warn if they would normally have, which makes it a nice way to test
    features.

    Further restrictions:

    # require proper helo at connections
    smtpd_helo_required = yes
    # waste spammers time before rejecting them
    smtpd_delay_reject = yes
    disable_vrfy_command = yes
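
    How the restriction lists above are evaluated, as an added example that is not part of the original guide: a simplified Python model of first-match evaluation and warn_if_reject, run over the guide's sender and recipient lists. The client addresses, the hosted domain and the 127.0.0.0/8 network are constructed assumptions, and checks that need DNS, pipelining state or a policy daemon are treated as "no decision".

```python
import ipaddress
import re

# Restriction lists copied from the main.cf settings in this guide.
SENDER_RESTRICTIONS = (
    "permit_mynetworks, warn_if_reject reject_non_fqdn_sender, "
    "reject_unknown_sender_domain, reject_unauth_pipelining, permit"
)
RECIPIENT_RESTRICTIONS = (
    "reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, "
    "reject_unknown_recipient_domain, reject_unauth_destination, permit"
)

# Constructed environment (assumptions for the example, not from the guide).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]  # roughly mynetworks_style = host
HOSTED_DOMAINS = {"yourdomain.com"}                  # rows of the domains table


def domain_of(address):
    return address.rpartition("@")[2].lower()


def is_fqdn(address):
    local, at, domain = address.rpartition("@")
    return bool(local and at) and "." in domain


def in_mynetworks(session):
    ip = ipaddress.ip_address(session["client"])
    return any(ip in net for net in MYNETWORKS)


# Each check returns PERMIT, REJECT or DUNNO (no decision, try the next one).
CHECKS = {
    "permit": lambda s: "PERMIT",
    "reject": lambda s: "REJECT",
    "permit_mynetworks": lambda s: "PERMIT" if in_mynetworks(s) else "DUNNO",
    "permit_sasl_authenticated":
        lambda s: "PERMIT" if s.get("authenticated") else "DUNNO",
    "reject_non_fqdn_sender":
        lambda s: "DUNNO" if is_fqdn(s["sender"]) else "REJECT",
    "reject_non_fqdn_recipient":
        lambda s: "DUNNO" if is_fqdn(s["recipient"]) else "REJECT",
    "reject_unauth_destination":
        lambda s: "DUNNO" if domain_of(s["recipient"]) in HOSTED_DOMAINS else "REJECT",
}


def evaluate(restrictions, session):
    """Walk one restriction list left to right; the first PERMIT or REJECT wins.

    Returns (decision, deciding_restriction, warnings).
    """
    warnings = []
    warn_next = False
    for name in filter(None, re.split(r"[,\s]+", restrictions)):
        if name == "warn_if_reject":
            warn_next = True  # applies to the next restriction only
            continue
        check = CHECKS.get(name)
        # Unmodelled checks (DNS lookups, pipelining, policy daemons) give DUNNO.
        result = check(session) if check else "DUNNO"
        if result == "REJECT" and warn_next:
            warnings.append(f"warn_if_reject: {name} would have rejected")
            result = "DUNNO"
        warn_next = False
        if result != "DUNNO":
            return result, name, warnings
    return "DUNNO", None, warnings


if __name__ == "__main__":
    # Constructed session: an outside client relaying to a domain we do not host.
    outside = {"client": "203.0.113.7", "sender": "bob@localhost",
               "recipient": "someone@elsewhere.example"}
    print(evaluate(SENDER_RESTRICTIONS, outside))
    print(evaluate(RECIPIENT_RESTRICTIONS, outside))
    print(evaluate(RECIPIENT_RESTRICTIONS, dict(outside, client="127.0.0.1")))
```

    The recipient list is what keeps the server from being an open relay: an outside client only reaches the final permit if reject_unauth_destination has let the recipient domain through.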

    Next we need to set some maps and lookups for the virtual domains.

    # not sure of the difference of the next two
    # but they are needed for local aliasing
    alias_maps = hash:/etc/postfix/aliases
    alias_database = hash:/etc/postfix/aliases
    # this specifies where the virtual mailbox folders will be located
    virtual_mailbox_base = /var/spool/mail/virtual
    # this is for the mailbox location for each user
    virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
    # and their user id
    virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf
    # and group id
    virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
    # and this is for aliases
    virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
    # and this is for domain lookups
    virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
    # this is how to connect to the domains (all virtual, but the option is there)
    # not used yet
    # transport_maps = mysql:/etc/postfix/mysql_transport.cf

    You need to set up an alias file. This is only used locally, and not by your own mail domains.

    cp /etc/aliases /etc/postfix/aliases
    # may want to view the file to check if ok.
    # especially that the final alias, eg root goes
    # to a real person
    postalias /etc/postfix/aliases

    Next you need to set up the folder where the virtual mail will be stored. This may have
    already been done by apt-get. Also create the user who will own the folders.

    # to add if there is not a virtual user
    mkdir /var/spool/mail/virtual
    groupadd virtual -g 5000
    useradd virtual -u 5000 -g 5000
    chown -R virtual:virtual /var/spool/mail/virtual
    # to modify if a virtual user is already set
    groupmod -g 5000 virtual
    usermod -g virtual -u 5000 virtual
    chown -R virtual:virtual /var/spool/mail/virtual

    Next we need to set up the files to access the lookups via the database. We will only set up a

    few now, and the rest later when/if needed:

    Edit (create) /etc/postfix/mysql_mailbox.cf


    user=mail
    password=apassword
    dbname=maildb
    table=users
    select_field=maildir
    where_field=id
    hosts=127.0.0.1
    additional_conditions = and enabled = 1

    Edit /etc/postfix/mysql_uid.cf

    user=mail
    password=apassword
    dbname=maildb
    table=users
    select_field=uid
    where_field=id
    hosts=127.0.0.1

    Edit /etc/postfix/mysql_gid.cf

    user=mail
    password=apassword
    dbname=maildb
    table=users
    select_field=gid
    where_field=id
    hosts=127.0.0.1

    Edit /etc/postfix/mysql_alias.cf

    user=mail
    password=apassword
    dbname=maildb
    table=aliases
    select_field=destination
    where_field=mail
    hosts=127.0.0.1
    additional_conditions = and enabled = 1

    Edit /etc/postfix/mysql_domains.cf

    user=mail
    password=apassword
    dbname=maildb
    table=domains
    select_field=domain
    where_field=domain
    hosts=127.0.0.1
    additional_conditions = and enabled = 1

    As you can see the first 3 are very similar; only the select_field changes. If you specify an IP
    in hosts (as opposed to 'localhost'), then it will communicate over TCP and not the MySQL
    socket (chroot restriction).


    Database: MySQL

    Next we need to set up all those lookups specified before.

    First you need to create a user to use in MySQL. Then you need to create the database. And
    unless you have already done this, make sure you have set a password for the root user!

    # If not already done...
    mysqladmin -u root password new_password
    # log in as root
    mysql -u root -p
    # then enter password for the root account when prompted
    Enter password:
    # then we create the mail database
    create database maildb;
    # then we create a new user: "mail"
    GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON maildb.* TO 'mail'@'localhost' IDENTIFIED by 'apassword';
    GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON maildb.* TO 'mail'@'%' IDENTIFIED by 'apassword';
    exit;

    You need to create these tables:

    aliases


    domains

    users

    We will create more later on for further extensions, but only these are relevant now.

    # log in to mysql as the new mail user
    mysql -u mail -p maildb
    # enter the newly created password
    Enter password:
    # then run these commands to create the tables
    CREATE TABLE `aliases` (
      `pkid` smallint(3) NOT NULL auto_increment,
      `mail` varchar(120) NOT NULL default '',
      `destination` varchar(120) NOT NULL default '',
      `enabled` tinyint(1) NOT NULL default '1',
      PRIMARY KEY (`pkid`),
      UNIQUE KEY `mail` (`mail`)
    ) ;
    CREATE TABLE `domains` (
      `pkid` smallint(6) NOT NULL auto_increment,
      `domain` varchar(120) NOT NULL default '',
      `transport` varchar(120) NOT NULL default 'virtual:',
      `enabled` tinyint(1) NOT NULL default '1',
      PRIMARY KEY (`pkid`)
    ) ;
    CREATE TABLE `users` (
      `id` varchar(128) NOT NULL default '',
      `name` varchar(128) NOT NULL default '',
      `uid` smallint(5) unsigned NOT NULL default '5000',
      `gid` smallint(5) unsigned NOT NULL default '5000',
      `home` varchar(255) NOT NULL default '/var/spool/mail/virtual',
      `maildir` varchar(255) NOT NULL default 'blah/',
      `enabled` tinyint(3) unsigned NOT NULL default '1',
      `change_password` tinyint(3) unsigned NOT NULL default '1',
      `clear` varchar(128) NOT NULL default 'ChangeMe',
      `crypt` varchar(128) NOT NULL default 'sdtrusfX0Jj66',
      `quota` varchar(255) NOT NULL default '',
      `procmailrc` varchar(128) NOT NULL default '',
      `spamassassinrc` varchar(128) NOT NULL default '',
      PRIMARY KEY (`id`),
      UNIQUE KEY `id` (`id`)
    ) ;

    The last few fields are not required, but useful if you extend later.
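
    What Postfix asks the database for each map, as an added example (not code from the guide or from Postfix): it parses two of the map files above, builds the SELECT implied by table, select_field, where_field and additional_conditions, and runs it against an in-memory SQLite copy of the users table. The two user rows and the use of SQLite in place of MySQL are constructed for illustration.

```python
import sqlite3

# Map files as given in this guide (connection settings are parsed but unused here).
MAILBOX_CF = """
user=mail
password=apassword
dbname=maildb
table=users
select_field=maildir
where_field=id
hosts=127.0.0.1
additional_conditions = and enabled = 1
"""
UID_CF = """
user=mail
password=apassword
dbname=maildb
table=users
select_field=uid
where_field=id
hosts=127.0.0.1
"""


def parse_map_cf(text):
    """Parse 'name = value' lines; blank lines and # comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first '=' only: additional_conditions contains more of them.
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def build_query(params):
    """SELECT select_field FROM table WHERE where_field = <key> [additional_conditions].

    The lookup key is passed as a bound parameter here instead of being
    substituted into the string.
    """
    sql = "SELECT {select_field} FROM {table} WHERE {where_field} = ?".format(**params)
    extra = params.get("additional_conditions")
    return f"{sql} {extra}" if extra else sql


def make_sample_db():
    """In-memory stand-in for maildb.users with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT PRIMARY KEY, uid INTEGER, gid INTEGER,"
               " maildir TEXT, enabled INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        ("alice@yourdomain.com", 5000, 5000, "alice/", 1),
        ("bob@yourdomain.com", 5000, 5000, "bob/", 0),  # disabled account
    ])
    return db


def lookup(db, cf_text, key):
    """Return the map result for key, or None when the map has no entry."""
    row = db.execute(build_query(parse_map_cf(cf_text)), (key,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_sample_db()
    print(build_query(parse_map_cf(MAILBOX_CF)))
    for address in ("alice@yourdomain.com", "bob@yourdomain.com",
                    "nobody@yourdomain.com"):
        print(address, lookup(db, MAILBOX_CF, address), lookup(db, UID_CF, address))
```

    A disabled row still resolves in the uid map, which carries no additional_conditions; it is the empty result from the mailbox map that makes the address unknown.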

    Next is to edit the my.cnf file. In Ubuntu/Debian this is created by default. In Mandrake I
    had to manually create a blank one in /etc. In Ubuntu edit /etc/mysql/my.cnf

    ## In Hoary you needed to comment out this line
    #skip-networking
    ## however in breezy this has changed to
    bind-address = 127.0.0.1
    ## which is fine
    ## Make sure this is set
    log = /var/log/mysql/mysql.log
    ## Then in a few weeks comment it out
    ## when everything is working, as it slows mysql down

    By this you have enabled network access to MySQL, but you still control who connects to it with
    your firewall and user settings in MySQL. You may be able to just connect straight to the
    socket, which is more secure.

    # restart MySQL to make sure
    # it's picking up the new settings.
    sudo /etc/init.d/mysql restart


    Pop/IMAP: Courier IMAP

    Edit /etc/courier/authdaemonrc, and change the module line to this:

    authmodulelist="authmysql"


    Edit authmysqlrc and make sure these settings are set correctly. Empty spaces at the
    end of lines are a common mistake.

    MYSQL_SERVER localhost
    MYSQL_USERNAME mail
    MYSQL_PASSWORD apassword
    MYSQL_PORT 0
    MYSQL_OPT 0
    MYSQL_DATABASE maildb
    MYSQL_USER_TABLE users
    # comment out this field,
    # as I no longer use the encrypted pw options
    #MYSQL_CRYPT_PWFIELD crypt
    MYSQL_CLEAR_PWFIELD clear
    MYSQL_UID_FIELD uid
    MYSQL_GID_FIELD gid
    MYSQL_LOGIN_FIELD id
    MYSQL_HOME_FIELD home
    MYSQL_NAME_FIELD name
    MYSQL_MAILDIR_FIELD concat(home,'/',maildir)
    MYSQL_WHERE_CLAUSE enabled=1

    Edit imapd

    # set how many connections to use per person. Easy to underestimate if you have 6 mailboxes set up.
    MAXPERIP=20
    # high debug to start with
    DEBUG_LOGIN=2
    IMAPDSTART=YES

    Then edit the same in the pop and ssl options, if you are going to use them.

    If you have followed these steps properly, you should now have a working mail server. You
    can skip down to the data and then test stage to see if your server works as intended. It is
    not secure and is susceptible to spam, so do follow the other steps soon, but it is nice to find
    out that it works!


    Content Checks: Amavisd-new

    As of the Dapper release this is now separated across several config files in /etc/amavis/conf.d. If
    you have an old setup, rename /etc/amavis/amavis.conf to e.g. amavis.conf.disabled. A quick edit
    is to add your changes to a 50-user file within /etc/amavis/conf.d. Thanks to Donald
    Goodman for the 50-user tip. More information in the wiki.

    The important configurations are:

    $mydomain = 'yourdomain.com';
    $daemon_user = 'virtual';
    $daemon_group = 'virtual';
    @local_domains_acl = qw(.);
    $inet_socket_port = 10024;
    $forward_method = 'smtp:127.0.0.1:10025';
    # @bypass_virus_checks_acl = qw( . );
    # @bypass_spam_checks_acl = qw( . );
    # I also change these
    $TEMPBASE = "$MYHOME/tmp";
    # Whilst debugging
    $log_level = 2;
    $warnbannedrecip = 1;
    $warn_offsite = 1;
    $warnvirusrecip = 1;
    $spam_quarantine_to = "spam-quarantine\@$mydomain";
    $virus_quarantine_to = "virus-quarantine\@$mydomain";
    $sa_local_tests_only = 0;

    Then in the av_scanners section you enable/disable the virus scanners you are going to use. We
    will be using ClamAV, so comment out all lines between @av_scanners( and its closing
    bracket. Do the same for @av_scanners_backup. Then in @av_scanners uncomment the Clam
    lines (maybe lines 1232 to 1235).


    Then you need to check that the $TEMPBASE folder exists and is owned by the
    $daemon_user. The same goes for the virus folder.

    # You may have to do this
    cd /var/lib/amavis
    mkdir tmp
    chown virtual:virtual tmp
    chown virtual:virtual virusmails
    # and maybe this
    chown -R virtual:virtual /var/run/amavis

    The init script for amavis insists on the ownership of these being the "proper" amavis user
    and group. As we need it to be the virtual pair, we need to edit the /etc/init.d/amavis script.
    (Unless someone has a sweeter, more correct way.)

    # edit about line 31
    #chown -c -h "$1:$2" "$4"
    chown -c -h "virtual:virtual" "$4"

    Next thing is to specify how to connect to the content check plugin.

    Edit master.cf in /etc/postfix. The changes I have made from the default master.cf are
    modifying two lines, then adding three more services. (Please note lines starting with -o
    need to be either tabbed or double spaced as they belong to the line above them.)

    #smtp inet n - n - - smtpd
    smtp inet n - - - - smtpd
      -o cleanup_service_name=pre-cleanup
    #cleanup unix n - - - 0 cleanup
    cleanup unix n - - - 0 cleanup
      -o mime_header_checks=
      -o nested_header_checks=
      -o body_checks=
      -o header_checks=
    amavis unix - - - - 2 smtp
      -o smtp_data_done_timeout=1200
      -o smtp_send_xforward_command=yes
    127.0.0.1:10025 inet n - - - - smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o smtpd_restriction_classes=
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o strict_rfc821_envelopes=yes
      -o mynetworks=127.0.0.0/8
      -o smtpd_error_sleep_time=0
      -o smtpd_soft_error_limit=1001
      -o smtpd_hard_error_limit=1001
    pre-cleanup unix n - - - 0 cleanup
      -o virtual_alias_maps=
      -o canonical_maps=
      -o sender_canonical_maps=
      -o recipient_canonical_maps=
      -o masquerade_domains=

    Then edit main.cf in /etc/postfix and add these lines.

    content_filter = amavis:[127.0.0.1]:10024
    #receive_override_options = no_address_mappings


    Anti-Virus: ClamAV

    ClamAV does not need a lot of setting up. You need to make sure it is run by the same user as
    amavisd-new. Then you may configure the freshclam option, which makes sure you
    have the latest virus definitions.

    Edit /etc/clamav/clamd.conf and change the user to the amavisd-new user, or the other way
    round.

    # User clamav
    User virtual


    Then change ownership of its runtime folder

    chown virtual:virtual /var/run/clamav

    Edit freshclam.conf

    # how frequent per day. default is once an hour which is a bit excessive.
    # once per day should do.
    Checks 1


    Anti-Spam: Spamassassin

    SpamAssassin's default settings were fine, but you can tweak them at
    /etc/spamassassin/local.cf and review the defaults at /usr/share/spamassassin/. E.g. you can
    in/decrease the levels needed before emails are marked as spam and before rejections.

    Here is an example of my local.cf.

    skip_rbl_checks 0
    use_razor2 0
    use_dcc 0
    use_pyzor 0
    use_bayes 1
    bayes_path /etc/spamassassin/bayes
    bayes_file_mode 0770

    Once you have a collection of spam and non-spam (200+ of each), you can train the Bayes
    filter in SpamAssassin with these emails. Review this on the SpamAssassin web site.

    # E.g. like this
    sa-learn --showdots -C /etc/spamassassin --spam /var/spool/mail/virtual/quarantine/.spam/*
    sa-learn --showdots -C /etc/spamassassin --ham /var/spool/mail/virtual/mine/cur/*

    If you notice too much spam is being let through, then do more tweaking. If you get too
    many false positives, i.e. real emails marked as spam, loosen the setup slightly. A properly
    configured SpamAssassin should catch 97% of all spam, with probably 1 in 1000 false
    positives.

    The SpamAssassin site has a lot of information on setting it up. It is worth a good read
    through. Some useful tips are automatic learning, cronjobs to learn user marked spam and
    ham, etc.


    PostGrey

    Adding Postgrey to this mail setup is a breeze. Thanks for the emails I got on Postgrey's
    benefits and integration.


    Ubuntu's extended repositories have a postgrey module, which installs the scripts and sets
    up a /etc/postgrey whitelist configuration. You can edit these files, but I don't bother. You
    may want to add any backup MX server you use, if you do.

    You do however need to edit main.cf to add recipient restrictions:

    # adding the postgrey policy:
    smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:60000, permit

    You can modify the default time before a server can try again. The default is 300 seconds, i.e.
    5 minutes. I have mine set to 1 minute. Edit /etc/default/postgrey

    POSTGREY_OPTS="--inet=127.0.0.1:60000 --delay=60"
    #POSTGREY_TEXT="Your customized rejection message here"


    If the postgrey method becomes very popular, perhaps spammers will start to comply with
    it. However it will be years until they do, if ever.

    Meanwhile enjoy a spamless existence.


    Authentication

    Cyrus SASL provides a secure method of authenticating users. This type of authentication is
    required by two methods: one is by Postfix when sending email and the other is by Courier
    when reading emails.

    First we will deal with Postfix. Add these lines to main.cf

    # modify the existing smtpd_recipient_restrictions
    smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_policy_service inet:127.0.0.1:60000, permit
    # modify the existing smtpd_sender_restrictions
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
    # then add these
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain =

    Then we need to create the sasl configuration

    # May already exist
    mkdir /etc/postfix/sasl
    # Then create the conf file.
    vi /etc/postfix/sasl/smtpd.conf

    pwcheck_method: auxprop
    auxprop_plugin: sql
    mech_list: plain login cram-md5 digest-md5
    sql_engine: mysql
    sql_hostnames: 127.0.0.1
    sql_user: mail
    sql_passwd: apasswd
    sql_database: maildb
    sql_select: select clear from users where id='%u@%r' and enabled = 1

    That is all that should be required for sending email.

    Next is to configure Courier to authenticate via SASL as well.

    In Ubuntu all this was preset so the only line I needed to modify / confirm in

    /etc/courier/imapd is:

    IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE"

    If you need Pop, modify the pop file as well.
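
    Why this setup reads the password from the clear column, as an added example that is not from the original guide: a CRAM-MD5 exchange in Python, where the server has to recompute an HMAC keyed with the user's actual password, so a one-way hash in the database is of no use to it. The user, password and challenge are constructed, and PBKDF2 is only a stand-in for any one-way scheme such as the crypt column.

```python
import base64
import hashlib
import hmac

# Constructed account: what the `clear` column would hold for this user.
CLEAR_COLUMN = {"alice@yourdomain.com": "ChangeMe-alice"}
# The same account if only a one-way hash were stored (stand-in for `crypt`).
HASH_COLUMN = {
    user: hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 10000).hex()
    for user, pw in CLEAR_COLUMN.items()
}


def make_challenge(nonce, host):
    """Server side: the base64 challenge sent after AUTH CRAM-MD5."""
    return base64.b64encode(f"<{nonce}@{host}>".encode()).decode()


def client_response(user, password, challenge_b64):
    """Client side: base64 of 'user hex(HMAC-MD5(key=password, msg=challenge))'."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(secret_store, challenge_b64, response_b64):
    """Server side: recompute the HMAC from whatever the database returned."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    secret = secret_store.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def run_exchange(secret_store, password):
    """One full login attempt for the constructed user against a given store."""
    challenge = make_challenge("1896.697170952", "server.yourdomain.com")
    response = client_response("alice@yourdomain.com", password, challenge)
    return server_verify(secret_store, challenge, response)


if __name__ == "__main__":
    print("clear column, right password:", run_exchange(CLEAR_COLUMN, "ChangeMe-alice"))
    print("clear column, wrong password:", run_exchange(CLEAR_COLUMN, "guess"))
    print("hash column,  right password:", run_exchange(HASH_COLUMN, "ChangeMe-alice"))
```

    The consequence is that anyone who can read the users table, including the mail MySQL account used in these config files, reads every password. Mechanisms that send the password itself (plain, login), protected by TLS, are the ones that allow hashed storage.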


    Encryption

    SASL is secure authentication, but all the traffic is still in plain text. Enter encryption and

    TLS. TLS, an evolution of SSL, encrypts the traffic between the server and your email

    client for sending via postfix and reading via courier.

    TLS is not client encryption, i.e. encrypting the content all the way between sender and
    recipient. For this type look up GnuPG and S/MIME in extensions.

    First you need to create a certificate for Postfix and one for Courier. In Postfix you need to
    do this for a 3 year certificate:

    cd /etc/postfix
    openssl req -new -outform PEM \
      -out postfix.cert -newkey rsa:2048 -nodes -keyout postfix.key -keyform PEM -days 999 -x509

    Then you need to add these to /etc/postfix/main.cf

    smtpd_use_tls = yes
    smtpd_tls_cert_file = /etc/postfix/postfix.cert
    smtpd_tls_key_file = /etc/postfix/postfix.key
    smtpd_data_restrictions = reject_unauth_pipelining

    Followed by adding or making sure these are in master.cf:

    # these may already be present in your file,
    # however I usually have to add them
    # also, this specific line used to use fifo, it now needs to use unix type
    tlsmgr unix - - n 300 1 tlsmgr
    smtps inet n - n - - smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
    587 inet n - n - - smtpd
      -o smtpd_enforce_tls=yes
      -o smtpd_sasl_auth_enable=yes


    These ports are required for clients not able to use the STARTTLS option on plain port 25.
    Port 465 (the smtps line) is an unofficial workaround, so clients, e.g. Novell Evolution, use
    it until they fix their software to work with STARTTLS.

    The Debian packages in Ubuntu create a certificate for Courier for you. Otherwise do this (in
    case server name is not same as machine name):

    openssl req -x509 -newkey rsa:1024 -keyout imapd.pem \
      -out imapd.pem -nodes -days 999

    Then edit /etc/courier/imapd-ssl and make sure this is the path to the certificate.

    TLS_CERTFILE=/etc/courier/imapd.pem

    This will enable secure traffic of emails between your clients and the server. As these are not
    signed certificates, some users may be prompted to accept the certificate. You could get people to import
    your certificates, if only a few are accessing your imap/smtp server, or purchase a signed one
    if you have a large number of users, especially if corporate. Outlook is known to be stubborn about
    accepting the certificates.

    There are some issues with using SASL and TLS at the same time. Since all the traffic is
    encrypted with TLS, the need for SASL is less when enforcing TLS.


    Webmail: SquirrelMail

    The squirrel is a PHP module from SourceForge. Once installed in a web root somewhere, go to
    its parent folder, e.g. /var/www/. In Ubuntu it is installed in /usr/share, so do this first.

    ln -s /usr/share/squirrelmail /var/www/squirrelmail

    Next thing is to set up a URL to access SquirrelMail. You can either have it as a subfolder in
    an existing web site, or as I prefer, as a virtual host for itself. Edit wherever you specify
    virtual hosts on your system (e.g. /etc/httpd/conf/vhosts/). In Ubuntu edit this file:

    /etc/apache2/sites-available/webmail

    <VirtualHost *>
      ServerAdmin [email protected]
      ServerName webmail.yourdomain.com
      DocumentRoot /var/www/squirrelmail
      <Directory /var/www/squirrelmail>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride AuthConfig
        Order allow,deny
        allow from all
      </Directory>
      ErrorLog /var/log/apache2/error-webmail.log
      LogLevel warn
      CustomLog /var/log/apache2/access-webmail.log combined
      ServerSignature On
    </VirtualHost>

    Then we will enable and activate it.

    ln -s /etc/apache2/sites-available/webmail /etc/apache2/sites-enabled/810-webmail
    # or as Florent recommends, use:
    a2ensite webmail
    # then activate the changes
    /etc/init.d/apache2 reload


    The config folder is actually symlinked to /etc/squirrelmail, so if you run several instances
    of SquirrelMail you might want to create copies of it.

    SquirrelMail is configured with 3 config files. config_default.php is well commented and
    sets up the default values. Do not edit it.

    config.php overrides the defaults. Do not edit this one either as it is created by the conf.pl
    perl script.

    Finally config_local.php can be edited and it overrides the others.

    To configure SquirrelMail, run the perl script.

    /var/www/squirrelmail/config/conf.pl

    It is menu driven, and powerful, so be careful. Also make sure there are no extra spaces
    before or after any settings. Choose option 9 from the menu, the database option. Then 1 to
    edit the DSN for the address book.

    # Enter this
    mysql://username:password@localhost/database

    Then choose 3 for the preferences and enter the same.

    mysql://username:password@localhost/database

    There is also a global address option if you choose to use it. Press s to save the settings, and
    r to return to main menu. Press q to exit.

    Here is a copy of my config_local.php. Read the default file for explanations.

    $org_name = "flurdy webmail";
    $org_logo = 'http://flurdy.com/images/flurdy.gif';
    $org_logo_width = '212';
    $org_logo_height = '108';
    $org_title = "webmail by flurdy";
    $provider_name = 'flurdy';
    $provider_uri = 'http://www.flurdy.com/';
    $smtp_auth_mech = 'none';
    $default_use_javascript_addr_book = true;
    $hide_sm_attributions = true;
    $edit_identity = false;
    $edit_name = true;
    $imap_server_type = 'courier';
    $default_folder_prefix = 'INBOX.';
    $trash_folder = 'Trash';
    $sent_folder = 'Sent';
    $draft_folder = 'Drafts';
    $show_prefix_option = false;
    $default_sub_of_inbox = false;
    $show_contain_subfolders_option = false;
    $delete_folder = true;
    $optional_delimiter = '.';
    $force_username_lowercase = true;
    $allow_thread_sort = true;
    $allow_server_sort = true;
    $addrbook_dsn = 'mysql://username:password@localhost/database';
    $prefs_dsn = 'mysql://username:password@localhost/database';
    $addrbook_global_dsn = 'mysql://username:password@localhost/database';
    $addrbook_global_writeable = false;
    $addrbook_global_listing = false;
    $theme_default = 18;
    $theme_css = '/themes/css/verdana-10.css';


    Then you need to create these database tables. My previous editions included the
    SquirrelMail specific tables in the main mail database. However I believe a cleaner setup is
    to have a separate squirrel user and database for its settings.

    First create a new squirrel database user, or reuse the mail user. See the MySQL section for
    user creation details.

    Then create a squirrel database or reuse the mail database. Make sure the user created
    above has usage access to this database. Again refer to the MySQL section.

    Modify the config.php files to reflect this.

    Then log into mysql to start creating these tables.

    mysql -u username -p database
    # Then enter the password
    CREATE TABLE `address` (
      `owner` varchar(128) NOT NULL default '',
      `nickname` varchar(16) NOT NULL default '',
      `firstname` varchar(128) NOT NULL default '',
      `lastname` varchar(128) NOT NULL default '',
      `email` varchar(128) NOT NULL default '',
      `label` varchar(255) default NULL,
      PRIMARY KEY (`owner`,`nickname`),
      KEY `firstname` (`firstname`,`lastname`)
    ) ;
    CREATE TABLE `userprefs` (
      `user` varchar(128) NOT NULL default '',
      `prefkey` varchar(50) NOT NULL default '',
      `prefval` varchar(255) default NULL,
      `modified` timestamp(14) NOT NULL,
      PRIMARY KEY (`user`,`prefkey`)
    ) ;
    CREATE TABLE `global_abook` (
      `owner` varchar(128) NOT NULL default '',
      `nickname` varchar(16) NOT NULL default '',
      `firstname` varchar(128) NOT NULL default '',
      `lastname` varchar(128) NOT NULL default '',
      `email` varchar(128) NOT NULL default '',
      `label` varchar(255) default NULL,
      PRIMARY KEY (`owner`,`nickname`),
      KEY `firstname` (`firstname`,`lastname`)
    );

    Right then, as SquirrelMail suggests, you can test if this works later on by going to
    http://your-squirrelmail-location/src/configtest.php (Please note you may not have any
    data or mail to test it with yet, so perhaps wait until the test section.)


    phpMyAdmin

    PhpMyAdmin is an excellent MySQL administration GUI. I use it to manage my mail
    settings, and it can be used when setting up the MySQL database as well.

    # cd into web root where phpMyAdmin is installed, e.g. /var/www
    # Again in Ubuntu a soft link is needed to /usr/share
    # this time however the apt-get has done it for you. (check though)
    # If the folder contains the version in its name.
    # do this for ease of access and if later upgrading
    ln -s phpMyAdmin1.6.2 phpMyAdmin

    First of all, once you have installed phpMyAdmin, create a .htaccess file in its folder.
    Otherwise every Tom, Dick and Harry can mess your system up.


    # either reuse an old .htpasswd file
    # or as below, create one when you add the first user
    htpasswd2 -c /path/to/htpasswd/file/outside/www/.htpasswd ausername
    # then enter desired passwd

    Next you need to either create a .htaccess file or modify one, as Ubuntu comes with one included. I add these settings to my apache virtual host config file, but that is not necessary. Make sure the apache config for this host has AllowOverride All in its settings.

    Add these to /path/to/phpmyadmin/.htaccess. You may need to comment out some existing settings as well, but see which cause errors.

    AuthType Basic
    AuthName "A Bit Hush and all that"
    AuthUserFile "/path/to/htpasswd/file/outside/www/.htpasswd"
    require valid-user

    Next is to edit /path/to/phpmyadmin/config.inc.php. Set the $cfg['PmaAbsoluteUri'] to whatever address and path your phpMyAdmin is at. Then set up what servers to connect to. You can add the root user for easy admin of the whole system, but that is a bit insecure. Adding a different user with full access is a better solution, if you require full admin through the GUI. However for the mail admin, neither is required; all you need to add is the mail user.

    $cfg['Servers'][$i]['host'] = 'localhost';
    $cfg['Servers'][$i]['user'] = 'mail';
    $cfg['Servers'][$i]['password'] = 'apassword';
    $cfg['Servers'][$i]['only_db'] = 'maildb';

    DNS

    For a mail server to be used, people/machines will have to know how and where to connect to deliver mail for your domains.

    You need to edit the MX records of your domain's DNS. Whether you run your own DNS server or use a free DNS service, they mostly act the same, even though some have been fluffed up with a nice GUI.

    domain.tld IN MX 10 your.mailserver.name.tld


    Data

    Add users and domains

    Common SQL

    Add users and domains

    So we got a fully set up mail server... Well no, there is no users, domains, no nothing!


    Okay, first you need to add some default data, some of which is required, some of which makes sense.

    Then we'll add your own users and domains.

    First the required domains for local mail

    # Use phpMyAdmin or command line mysql
    INSERT INTO domains (domain) VALUES
      ('localhost'),
      ('localhost.localdomain');

    Then some default aliases. Some people say these are not needed, but I'd include them.

    INSERT INTO aliases (mail,destination) VALUES
      ('postmaster@localhost','root@localhost'),
      ('sysadmin@localhost','root@localhost'),
      ('webmaster@localhost','root@localhost'),
      ('abuse@localhost','root@localhost'),
      ('root@localhost','root@localhost'),
      ('@localhost','root@localhost'),
      ('@localhost.localdomain','@localhost');

    Then a root user.

    INSERT INTO users (id,name,maildir,clear) VALUES
      ('root@localhost','root','root/','apassword');

    Now let's add some proper data. Say you want this machine to handle data for the fictional domains of "blobber.org", "whopper.nu" and "lala.com". Then say this machine's name is "mail.blobber.org". You also have two users called "Xandros" and "Vivita". You want all mail for whopper to go to xandros. There is also a "Karl" user, but he wants all mail forwarded to an external account.

    INSERT INTO domains (domain) VALUES
      ('blobber.org'),
      ('whopper.nu'),
      ('lala.com');
    INSERT INTO aliases (mail,destination) VALUES
      ('[email protected]','[email protected]'),
      ('[email protected]','[email protected]'),
      ('[email protected]','[email protected]'),
      ('@whopper.nu','[email protected]'),
      ('@lala.com','@blobber.org'),
      ('[email protected]','postmaster@localhost'),
      ('[email protected]','abuse@localhost'),
      ('[email protected]','postmaster@localhost'),
      ('[email protected]','abuse@localhost');
    INSERT INTO users (id,name,maildir,clear) VALUES
      ('[email protected]','xandros','xandros/','apassword'),
      ('[email protected]','vivita','vivita/','anotherpassword');

    So what does each of these lines do? Well the domains are pretty straightforward. The users are as well; each requires four fields. ID is the email address of the user, and also its username when logging in, described later on. NAME is an optional description of the user. MAILDIR is the name of the folder inside /var/spool/mail/virtual. It must end in a /, otherwise it won't be used as a unix maildir format. CLEAR is the clear text password to use.


    The aliases are the interesting part. Let's start from a top down view. Say an email arrives addressed to "[email protected]". Postfix looks up aliases and searches for a row where the mail field matches "[email protected]". None does, so it next searches for "@whopper.nu", which is the way to specify a catch-all for that domain. It finds one row and its destination is "[email protected]". It then searches for "[email protected]" and finds one, whose destination is the same as the mail, therefore it is the final destination. It then tries to deliver this mail. The lookup says blobber.org is local mail, so it looks up users for a matching id and delivers it to its maildir.

    Let's try "[email protected]". The first lookup does not find this user, but the next finds the catchall "@lala.com". But its destination is another catchall, "@blobber.org". This means Postfix will look for "[email protected]". This address is not found either, nor is a catchall for blobber.org. Therefore this address is not valid and the message will be bounced.

    Any mail arriving for "[email protected]" or "[email protected]" gets forwarded to an external address of "[email protected]". So forwarding is simple. I tend to use a subdomain for all my friends' addresses, as I easily forget what their real addresses are, and I use different email clients all the time.

    I also added the required aliases of postmaster and abuse to blobber.org and whopper.nu. The catchall for lala.com means they are not required for that domain. You can add them though if you do not want xandros to get the admin emails. Another useful alias to add is root, as often you get admin mail from e.g. cron jobs within those domains etc. Other often used aliases are info, sysadmin, support, sales, webmaster, mail, contact and all. But they are also honeypots for spam, so just include the ones you think you will need.
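    The lookup order walked through above (exact row, then catch-all, repeat until the destination equals the mail) can be replayed offline to see where every alias ends up before real mail does. This is an added example, not part of the original guide: it is a simplified model of the described behaviour rather than Postfix code, it uses an in-memory SQLite stand-in for maildb, and the sample addresses, the audit() helper and the outcome names are constructed for illustration.

```python
import sqlite3

# Constructed rows modelled on the guide's fictional domains (addresses invented here).
DOMAINS = ["blobber.org", "whopper.nu", "lala.com"]
ALIASES = [
    ("xandros@blobber.org", "xandros@blobber.org"),
    ("vivita@blobber.org", "vivita@blobber.org"),
    ("karl@blobber.org", "karl@example.net"),      # external forward
    ("@whopper.nu", "xandros@blobber.org"),        # catch-all to one mailbox
    ("@lala.com", "@blobber.org"),                 # catch-all to catch-all
]
USERS = [("xandros@blobber.org", "xandros/"), ("vivita@blobber.org", "vivita/")]


def build_db():
    """In-memory stand-in for maildb, reduced to the columns used below."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE domains (domain TEXT PRIMARY KEY);"
        "CREATE TABLE aliases (mail TEXT PRIMARY KEY, destination TEXT);"
        "CREATE TABLE users (id TEXT PRIMARY KEY, maildir TEXT);"
    )
    db.executemany("INSERT INTO domains VALUES (?)", [(d,) for d in DOMAINS])
    db.executemany("INSERT INTO aliases VALUES (?, ?)", ALIASES)
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db


def exists(db, sql, value):
    return db.execute(sql, (value,)).fetchone() is not None


def lookup(db, address):
    """Exact alias row first, then the '@domain' catch-all row."""
    local, _, domain = address.partition("@")
    for key in (address, "@" + domain):
        row = db.execute(
            "SELECT destination FROM aliases WHERE mail = ?", (key,)
        ).fetchone()
        if row:
            dest = row[0]
            # A catch-all destination keeps the original local part.
            return local + dest if dest.startswith("@") else dest
    return None


def resolve(db, address):
    """Follow the alias chain; return (outcome, final_address)."""
    current, seen = address.lower(), set()
    while current not in seen:
        seen.add(current)
        domain = current.partition("@")[2]
        if not exists(db, "SELECT 1 FROM domains WHERE domain = ?", domain):
            return ("forwarded", current)      # leaves this server
        nxt = lookup(db, current)
        if nxt is None:
            return ("bounced", current)        # no row and no catch-all
        if nxt == current:                     # destination equals mail: final
            ok = exists(db, "SELECT 1 FROM users WHERE id = ?", current)
            return ("delivered" if ok else "no-mailbox", current)
        current = nxt
    return ("loop", current)


def audit(db):
    """Every explicit alias that does not end in a local mailbox."""
    rows = db.execute(
        "SELECT mail FROM aliases WHERE mail NOT LIKE '@%' ORDER BY mail"
    ).fetchall()
    findings = {}
    for (mail,) in rows:
        outcome, final = resolve(db, mail)
        if outcome != "delivered":
            findings[mail] = (outcome, final)
    return findings
```

    Running audit() after each change to the aliases table lists the rows that forward mail off the server, dead-end without a mailbox, or loop.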

    So to add a new domain to the system, you do this:

    INSERT INTO domains (domain) VALUES ('domain.tld');
    INSERT INTO aliases (mail,destination) VALUES
      ('@domain.tld','email@address'),
      ('[email protected]','email@address'),
      ('[email protected]','email@address');

    And to add a new user to the system, do this:

    INSERT INTO users (id,name,maildir,clear) VALUES
      ('email@address','short description','foldername/','password');
    INSERT INTO aliases (mail,destination) VALUES
      ('email@address','email@address');


    Common SQL

    A selection of useful sql statements, if you are not using an admin/manager program to

    maintain your email domains and users.

    Find domains without a catchall


    # Remember some might be disabled
    SELECT dom.domain
    FROM domains dom
    LEFT JOIN aliases al ON CONCAT( '@', dom.domain ) = al.mail
    WHERE al.mail is null OR al.enabled = 0
    ORDER BY dom.domain ASC

    Find aliases for an invalid domain

    SELECT al.*
    FROM aliases al
    LEFT JOIN domains dom ON dom.domain = SUBSTRING(al.mail,LOCATE('@',al.mail)+1)
    WHERE dom.domain is null OR dom.enabled = 0
    ORDER BY al.mail ASC

    Find all non local destination aliases

    SELECT al.*
    FROM aliases al
    LEFT JOIN domains dom ON dom.domain = SUBSTRING(al.destination,LOCATE('@',al.destination)+1)
    WHERE dom.domain is null
    ORDER BY al.enabled, al.destination ASC, al.mail ASC

    Find all aliases for a certain domain

    SELECT al.*
    FROM aliases al
    WHERE SUBSTRING(al.mail,LOCATE('@',al.mail)+1) = 'domain.tld'
    ORDER BY al.enabled, al.mail ASC


    Test

    This is a small and simple section, but this will be the one you spend the longest on!

    There will be spelling errors (by you and me), differences in setups, external factors etc., so this server is guaranteed not to work first time. Great eh?

    But don't worry, we can quickly track down which section is at fault, and solve the issues

    one by one.

    I hope you blocked external access to your SMTP port (25) in your firewall settings. Otherwise you might have become an open relay for spammers. (Okay, unlikely unless you have been running exposed for a few weeks.) You will have to unblock it soon, but not yet. Let's first be 100% sure the system works, so only local access to SMTP should be allowed for now.

    We will test each section bit by bit to black box certify each bit. First test that postfix delivery works (by excluding content checks and ignoring courier). We will check if it can connect to MySQL for its lookups, if maildirs are created and if it can send messages. Then we'll re-enable content checks to see if they work. Then we start testing courier, to see if it can access MySQL and if it shows the right mailboxes.


    The easiest way to do the testing is with telnet. Turn on full debugging, tail a few logs and let's get started.

    # Making sure nothing is running
    /etc/init.d/courier stop
    /etc/init.d/postfix stop
    /etc/init.d/amavisd stop
    /etc/init.d/spamassassin stop
    /etc/init.d/clamav stop
    /etc/init.d/mysqld stop
    # Then to check if they really stopped
    ps aux
    netstat -tnp

    Then we'll disable content checks. In /etc/postfix/master.cf uncomment/comment these lines like this:

    smtp inet n - n - - smtpd
    #smtp inet n - - - - smtpd
    #    -o cleanup_service_name=pre-cleanup
    cleanup unix n - - - 0 cleanup
    #cleanup unix n - - - 0 cleanup
    #    -o mime_header_checks=
    #    -o nested_header_checks=
    #    -o body_checks=
    #    -o header_checks=

    Then in main.cf comment out this line:

    #content_filter = amavis:[127.0.0.1]:10024

    Then we'll tail the mysql and postfix logs. (Paths might differ.) It helps being in X windows, or ssh in from another machine if there is no X server. Or just use different sessions (ctrl+alt+f1-6), as we will be tailing and editing in many sessions at once.

    # In one window do this
    tail -f /var/log/mysql/mysql.log
    # then in another
    tail -f /var/log/maillog.info
    /etc/init.d/mysqld start
    # then
    /etc/init.d/postfix start
    # then check if postfix is listening on 25 and mysql on 3306
    # (-l is needed to show listening sockets)
    netstat -tlnp

    Okay up and running (hopefully).

    First we will telnet in and try and send a message to a local user.

    Then we will try and send to an external user via postfix.

    # Lets try and send a message to [email protected]
    # (replace with your own user in this setup, or use postmaster@localhost)
    telnet localhost 25
    # response back:
    > > >
    # then open the handshake with ehlo and the server name you are connecting from...
    EHLO mail.domain.tld
    > > >
    # then say who is the sender of this email
    MAIL FROM:
    > 250 Ok
    # then say who the mail is for
    RCPT TO:
    > 250 Ok
    data
    > 354 End data with.
    # enter message body and end with a line with only a full stop.
    blah blah blah
    more blah
    .
    > 250 Ok; queued as QWKJDKASAS
    # end the connection with
    quit
    > 221 BYE

    The postfix log should then start showing what is happening. If something happens in the mysql log, it means that connection is working.

    Possible problems and solutions can be:


    Nothing happens when trying to connect via telnet.
    Ports are not listening.
    o Check with "netstat -ptln" if postfix is listening.
    o Firewall blocks all smtp traffic.
    o You are testing from a different machine which can't reach the server.

    Sender domain not accepted.
    You must use a valid domain name and address when connecting via telnet.
    o Change the EHLO and MAIL FROM details when telnetting.
    o DNS resolution might not work from the server. Check if it can ping google.com etc.

    Postfix queue says it has received the message. But nothing happens in the MySQL log.
    MySQL connection is not working.
    o Check file permissions in the postfix folder.
    o Chroot problem, set all services in master.cf to n in the chroot column.
    o Check if the mysql socket exists.
    o Try changing host in the postfix mysql files between localhost, 127.0.0.1 and real ip. This will result in it trying socket and tcp alternatively.
    o Spelling mistake in postfix mysql files. (Extra spaces?)

    When all these tests are working fine, re-enable the content checks and try all the tests again. This time you might have to tail the syslog as well. Possible problems can be:

    User access problem.
    Make sure it's the same user which runs amavisd-new and ClamAV.

    Can connect via postfix to amavisd-new.
    o Check port settings in the amavisd-new file and master.cf

    Not sure if SpamAssassin is working
    o Try the test specified here: http://wiki.apache.org/spamassassin/TestingInstallation

    Then the next step is to test Courier-IMAP.

    Again tail the maillog, syslog and mysql log. Turn on DEBULEVEL in /etc/courier/imap to

    2.

    telnet localhost 143
    > > >
    telnet 127.0.0.1 10024
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    220 [127.0.0.1] ESMTP amavisd-new service ready

    If a response then all is well. Otherwise check ownership of /var/run/amavisd. Perhaps

    change /etc/init.d/amavisd to make sure it chown to virtual:virtual


    debug_peer_list = 127.0.0.1

    Now if all is okay internally, then you need to edit the firewall rules and re-enable smtp access from the net. Test from an external server if you have ssh access. Proper telnet testing will let you know quickly if something is wrong. When that process works okay, it is time to test with proper emails. Either use an external webmail service, e.g. gmail, or forward via external mail forwarding services.

    Doing a full reboot to test if everything comes up as desired is probably a good idea as well.

    Congratulations, you have a working mail server! Now send me a note to let me know

    about it.


    Test

    New test section in development, please use other.

    Start

    Firewall (Shorewall)

    Database (MySQL)

    Plain MTA (Postfix)

    IMAP (Courier)

    Policy (Postgrey)

    Content Checks (Amavisd-new)

    Authentication (SASL)

    Encryption (TLS)

    WebMail (SquirrelMail)

    Common Problems

    Start

    Testing eh, it is virtually guaranteed no project works on the first go. But we need to box it

    off and find out if each section works one by one.

    So first we stop everything, to then bring it up one by one as each test passes.

    In theory nothing should be running, but some of the install packages might be started

    automatically.

    /etc/init.d/apache2 stop
    /etc/init.d/courier-imap-ssl stop
    /etc/init.d/courier-imap stop
    /etc/init.d/courier-authdaemon stop
    /etc/init.d/courier stop
    /etc/init.d/postfix stop


    /etc/init.d/postgrey stop
    /etc/init.d/amavisd stop
    /etc/init.d/spamassassin stop
    /etc/init.d/clamav-daemon stop
    /etc/init.d/clamav-freshclam stop
    /etc/init.d/mysql stop

    Check if any process above is still lingering and kill it.

    ps aux | more


    Firewall (Shorewall)

    If you set up the firewall as I advised in the configure chapter, then your box is pretty blocked off from the outside. If not then you might have been an open relay for spammers, but hopefully not.

    Now we need to open up access to the local network so you can test locally and remotely. However it is not ready for net access yet.

    # uncomment these lines
    AllowPing loc fw
    AllowSMTP loc fw
    ACCEPT loc fw tcp 465,587 -
    AllowIMAP loc fw
    AllowWeb loc fw

    Then restart shorewall

    shorewall restart


    Database (MySQL)

    MySQL should work fine after installation and configuration.

    However as we go through the other sections, it is very useful to tail the mysql query log file throughout all the tests. This is an easy way to see if each application has its database settings configured correctly.

    /etc/init.d/mysql start
    tail -f /var/log/mysql/mysql.log


    Plain MTA (Postfix)

    The fully configured Postfix is overstuffed with features. We need to disable all this to test the basics.

    You should already be tailing the mysql log in one window, but now we need to tail the mail log file as well.


    tail -f /var/log/mail.log

    Basically we are reverting to the postfix config from the config section before we added the content checks, encryption etc.

    I am not modifying /etc/postfix/master.cf, however you can comment out the lines we added in there as well.

    However in main.cf:

    ## comment out this line
    # content_filter = amavis:[127.0.0.1]:10024

    ## then replace these lines
    #smtpd_helo_restrictions = permit_mynetworks,
    #    warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
    #smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
    #    reject_non_fqdn_sender, reject_unknown_sender_domain,
    #    reject_unauth_pipelining, permit
    #smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,
    #    reject_rbl_client relays.ordb.org, reject_rbl_client blackholes.easynet.nl,
    #    reject_rbl_client dnsbl.njabl.org
    #smtpd_recipient_restrictions = reject_unauth_pipelining,
    #    permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient,
    #    reject_unknown_recipient_domain, reject_unauth_destination,
    #    check_policy_service inet:127.0.0.1:60000, permit

    ## with these
    smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname,
        reject_invalid_hostname, permit
    smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender,
        reject_unknown_sender_domain, reject_unauth_pipelining, permit
    smtpd_client_restrictions =
    smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks,
        reject_non_fqdn_recipient, reject_unknown_recipient_domain,
        reject_unauth_destination, permit

    ## comment out these lines
    #broken_sasl_auth_clients = yes
    #smtpd_sasl_auth_enable = yes
    #smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
    #smtpd_sasl_security_options = noanonymous
    #smtpd_sasl_local_domain =
    #smtp_use_tls = yes
    #smtp_tls_cert_file = /etc/postfix/postfix.cert
    #smtp_tls_key_file = /etc/postfix/postfix.key
    #smtpd_use_tls = yes
    #smtpd_tls_cert_file = /etc/postfix/postfix.cert
    #smtpd_tls_key_file = /etc/postfix/postfix.key
    #smtpd_data_restrictions = reject_unauth_pipelining
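    Because this step strips main.cf down by hand, it is worth confirming that reject_unauth_destination still comes before the final permit, since a slip here is what turns the box into the open relay the guide warns about. The check below is an added example, not part of the original guide: it assumes a setup like this one where smtpd_recipient_restrictions alone carries relay control (Postfix 2.10 and later also have smtpd_relay_restrictions), it does not model access tables or mynetworks, and the two "bad" variants and the verdict names are constructed for illustration.

```python
# Restrictions that refuse mail for destinations this server does not handle.
RELAY_GUARDS = {"reject_unauth_destination", "reject", "defer"}

# The recipient restrictions from the stripped-down test configuration above.
TEST_MAIN_CF = """\
# content_filter = amavis:[127.0.0.1]:10024
smtpd_client_restrictions =
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    reject_unauth_destination, permit
"""

# Constructed variant: a bare permit placed before the relay guard.
PERMIT_FIRST = """\
smtpd_recipient_restrictions = permit_mynetworks, permit,
    reject_unauth_destination
"""

# Constructed variant: the guard only logs because of warn_if_reject.
WARN_ONLY = """\
smtpd_recipient_restrictions = permit_mynetworks,
    warn_if_reject reject_unauth_destination, permit
"""


def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous one."""
    params, name = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank and comment lines are ignored
        if raw[0].isspace():
            if name is not None:
                params[name] += " " + stripped
            continue
        name, _, value = raw.partition("=")
        name = name.strip()
        params[name] = value.strip()      # a later setting overrides an earlier one
    return params


def relay_verdict(params):
    """'guarded', 'open-relay' or 'unguarded' for an untrusted client."""
    value = params.get("smtpd_recipient_restrictions", "")
    warn_only = False
    for token in value.replace(",", " ").split():
        if token == "warn_if_reject":
            warn_only = True              # the next restriction only logs
            continue
        if token in RELAY_GUARDS and not warn_only:
            return "guarded"
        if token == "permit":
            return "open-relay"           # strangers accepted before any guard
        warn_only = False
    return "unguarded"                    # list ended without guard or permit


def check(text):
    return relay_verdict(parse_main_cf(text))
```

    Feeding it the real file is a matter of check(open("/etc/postfix/main.cf").read()); anything other than "guarded" should be fixed before SMTP is reopened to the net.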

    IMAP (Courier)

    Policy (PostGrey)

    Content Check (amavisd-new)

    Authentication (SASL)

    Encryption (TLS)

    Webmail (SquirrelMail)

    Common Problems

    Extend

    By now you should have a fully working system. No point extending and complicating it until then. What next? There are many ways to extend the server, to create your own powerful customized version.

    Remote MX mail backup

    Local file backup

    Sender ID & SPF

    Spam reporting

    White/Black lists

    PGP & S/MIME

    Relocation notice

    Pop-before-SMTP

    Admin Software

    Auto Reply

    Block Addresses

    Throttle Output

    Mail Lists

    Suggestions?

    Some of these sections can be brief as they are not core to this howto.

    Remote MX mail backup

    With MX backup, losing emails is unlikely.

    Normally if someone sends an email destined for you, their server will try and connect to your server. If it can't reach your server for whatever reason (it is down, DNS issues, there are network problems, or it is just too busy), the other server will back off and try again in a bit.
