
REPOST: Postfix, SASL, Cyrus IMAP, MySQL, Amavis, Postgrey, SpamAssassin, ClamAV, Squirrelmail, Mailman, Mailgraph and Openmailadmin

 

This looked important, and the original site was dead, here's where it came from:

http://openmailadmin.ossdl.de/wiki/howto/Postfix-SASL-Cyrus-MySQL-Amavis-Postgrey-SpamAssassin-ClamAV-Squirrelmail-Mailman-Mailgraph-OMA

and here it is: (NOTE: I DIDN'T WRITE THIS AND HAVEN'T FOLLOWED IT)

= Postfix, SASL, Cyrus IMAP, MySQL, Amavis, Postgrey, SpamAssassin, ClamAV, Squirrelmail, Mailman, Mailgraph and Openmailadmin =

 

== Introduction ==

 

My name is [http://www.linuxsilo.net/ Jaume Sabater] and I work as a System Administrator. I've been using [http://www.postfix.org/ Postfix] and [http://cyrusimap.web.cmu.edu/ Cyrus] for three years so far. Previously I used [http://www.qmail.org/ Qmail] and [http://www.courier-mta.org/imap/ Courier]. I only work with [http://www.debian.org/ Debian], so don't waste your time asking about Red Hat, Suse or any other. [http://people.debian.org/~srivasta/talks/why_debian/talk.html Why Debian?]

 

I've recently set up a new email server and here are the results of my work, in case they are of any help to you. I would also like to thank Mark-W Kubacki, the author of [http://www.openmailadmin.org/ OpenMailAdmin], for his excellent tool. I will be working on improving it in several aspects to adapt it to the needs of my company.

 

== Purpose of the document and disclaimer ==

 

The objective of this tutorial is to set up a mail server with local mailboxes, virtual domains and aliases. This is useful if you own a lot of domains and receive mail for all of them but only send mail from one of them. This tutorial won't lead you to an ISP-like setup (with virtual mailboxes).

 

It's based on Debian Sid as of July of 2006. When Debian Etch becomes the new Debian Stable I will update it to the final versions of the needed packages and will tweak the configuration as required. Of course, any sort of suggestion, improvement and correction is most welcome. Contact me at [mailto:jsabater@linuxsilo.net jsabater at linuxsilo dot net].

 

This tutorial is not idiot-proof, so don't blame me later if you just followed the steps without knowing what you were doing and it led to data loss or whatever. Read the software documentation, the forums, the mailing list archives and the tutorials, and test it on a development server before putting it into production.

 

 

== Installation of packages ==

 

As root:

{{{

apt-get install postfix postfix-doc postfix-mysql postfix-pcre openssl ca-certificates

apt-get install libsasl2 libsasl2-modules sasl2-bin

apt-get install cyrus-admin-2.2 cyrus-clients-2.2 cyrus-common-2.2 cyrus-doc-2.2 cyrus-imapd-2.2 libcyrus-imap-perl22

apt-get install mysql-server-5.0 mysql-client-5.0 libpam-mysql

apt-get install apache2-mpm-prefork libapache2-mod-php5 php5 php5-cli php5-mysql libphp-adodb

apt-get install apache2-utils nmap ntpdate ccze less wget bzip2

}}}

 

== PAM configuration ==

 

Edit /etc/pam.d/imap:

{{{

auth sufficient pam_mysql.so user=postfix passwd=<my_passwd> host=localhost db=postfix table=user usercolumn=mbox passwdcolumn=pass_md5 crypt=3

account required pam_mysql.so user=postfix passwd=<my_passwd> host=localhost db=postfix table=user usercolumn=mbox passwdcolumn=pass_md5 crypt=3

}}}

Optionally, add "verbose=1" at the end of those two lines to get more information in the log files while debugging the configuration. "crypt=3" tells pam_mysql that the password column holds the hexadecimal MD5 of the password (what PHP's md5() produces), which is what the 'pass_md5' column is expected to contain. Keep in mind that this is an unsalted hash, so a dump of the 'user' table is cheap to crack offline; that, plus the fact that the file carries the database password in clear text, is why its permissions must be tightened. Set the right permissions and links in /etc/pam.d:

{{{

chmod 600 /etc/pam.d/imap

rm --force /etc/pam.d/sieve /etc/pam.d/lmtp

ln --symbolic /etc/pam.d/imap /etc/pam.d/sieve

ln --symbolic /etc/pam.d/imap /etc/pam.d/lmtp

ln --symbolic /etc/pam.d/imap /etc/pam.d/smtp

}}}

The version of libpam-mysql in Debian at the time of writing, 0.6.2-1, does not support MD5 (crypt=3), so we'll have to rebuild the package with OpenSSL support:

{{{

mkdir /usr/src/libpam-mysql

cd /usr/src/libpam-mysql

apt-get source pam-mysql

apt-get build-dep pam-mysql

cd pam-mysql-0.6.2

}}}

Modify line 51 of the debian/rules file so that it looks like this one:

{{{

./configure --prefix=/usr --with-openssl

}}}

Modify line 109 of the Makefile.in file so that it looks like this one:

{{{

DEFS = @DEFS@ -I. -I$(srcdir) -I. -DHAVE_OPENSSL

}}}

Modify line 6 of the debian/control file so that it looks like this one:

{{{

Build-Depends: libpam0g-dev, libmysqlclient15-dev, libssl-dev, debhelper (>= 4.0.0)

}}}

 

Install some dependencies and build the package:

{{{

apt-get install libssl-dev

dpkg-buildpackage

cd ..

dpkg --install libpam-mysql_0.6.2-1_i386.deb

}}}

So that APT does not overwrite our brand new self-compiled package when upgrading the system, we should put it on hold. From time to time, visit the [http://packages.debian.org/unstable/admin/libpam-mysql web page of the package] and check the changelog until the bug is closed; at that point we can remove the hold.

 

To put the package on hold:

{{{

echo libpam-mysql hold | dpkg --set-selections

}}}

To remove the hold:

{{{

echo libpam-mysql install | dpkg --set-selections

}}}

For more information about this bug, visit the [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=373834 Debian bugtracking system]

 

If the package build ends in an error, these commands will still give us a library that supports MD5:

{{{

mv /lib/security/pam_mysql.so /lib/security/pam_mysql.so.bak

cp /usr/src/libpam-mysql/pam-mysql-0.6.2/debian/libpam-mysql/usr/lib/security/pam_mysql.so /lib/security/

chmod 644 /lib/security/pam_mysql.so

chown root:root /lib/security/pam_mysql.so

}}}

 

== MySQL configuration ==

 

Set password for root:

{{{

mysqladmin -u root password <my_root_passwd>

}}}

Create the database "postfix" and a user that owns it. The WITH GRANT OPTION below grants more than Postfix or OpenMailAdmin ever need; it can be left out without consequence:

{{{

mysql --user=root --password mysql

Enter password:

mysql> CREATE DATABASE `postfix` ;

mysql> GRANT USAGE ON *.* TO 'postfix'@'localhost' IDENTIFIED BY 'my_passwd' ;

mysql> GRANT ALL PRIVILEGES ON `postfix`.* TO 'postfix'@'localhost' WITH GRANT OPTION ;

mysql> FLUSH PRIVILEGES ;

mysql> quit

}}}

 

== Apache and Openmailadmin config ==

{{{

mkdir --mode=755 /var/www

cd /var/www

wget http://static.ossdl.de/openmailadmin/downloads/openmailadmin-0.9.3.tbz2

tar -xjf openmailadmin-0.9.3.tbz2

mv openmailadmin-0.9.3 openmailadmin

chown --recursive root:www-data /var/www/openmailadmin

chmod 2770 /var/www/openmailadmin

cd openmailadmin

find /var/www/openmailadmin -type d -exec chmod 2770 '{}' ';'

find /var/www/openmailadmin -type f -exec chmod 660 '{}' ';'

}}}

Add "NameVirtualHost *:443" to /etc/apache2/sites-available/default

Add "Listen 443" to /etc/apache2/ports.conf

 

Edit /etc/apache2/sites-available/mail.domain.com

{{{

<VirtualHost *:443>

        ServerAdmin webmaster@domain.com

        ServerName mail.domain.com

        SSLEngine on

        SSLCertificateFile "/etc/ssl/local/mail.domain.com_newcert.pem"

        SSLCertificateKeyFile "/etc/ssl/private/mail.domain.com_newkey.pem"

        ErrorLog /var/log/apache2/error_mail.domain.com.log

        CustomLog /var/log/apache2/access_mail.domain.com.log combined

 

        Alias /openmailadmin /var/www/openmailadmin

        <Directory /var/www/openmailadmin/>

                AllowOverride All

                Order Deny,Allow

                Deny From All

                Allow From 127.0.0.1

                Allow From x.y.z.t

                <IfModule mod_php5.c>

                        php_flag file_uploads 0

                        php_flag ignore_repeated_errors 1

                        php_flag ignore_repeated_source 1

                        php_flag display_errors 0

                        php_flag log_errors 1

                </IfModule>

        </Directory>

</VirtualHost>

}}}

Where x.y.z.t is the IP address from which you want to access OpenMailAdmin. Of course this can be customized to your needs (for instance, letting it be accessed from anywhere), but an administration interface that manages every mailbox and alias on the server deserves to stay behind an address restriction.

 

Create the private key and the certificate request. Without "-newkey", openssl takes the default key size from openssl.cnf, which on the OpenSSL 0.9.8 builds of that era was 1024 bits; add "-newkey rsa:2048" (or larger) to the command to obtain a key that is still acceptable today:

{{{

/usr/bin/openssl req -new -nodes -out /etc/ssl/certs/mail.domain.com_newreq.pem -keyout /etc/ssl/private/mail.domain.com_newkey.pem

 

Country Name (2 letter code) [AU]:

State or Province Name (full name) [Some-State]:

Locality Name (eg, city) []:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, YOUR name) []:mail.domain.com

Email Address []:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

}}}

This will generate two files:

 

a) A certificate request, that a certificate authority (CA) will have to sign, at /etc/ssl/certs/mail.domain.com_newreq.pem.

b) The private key of the certificate at /etc/ssl/private/mail.domain.com_newkey.pem.

 

Use cacert.org or any other CA (including your own one) to sign the certificate request. The resulting certificate will have to be put in the file /etc/ssl/certs/mail.domain.com_newcert.pem with 644 permissions for the user and group 'root' and the private key at /etc/ssl/private/mail.domain.com_newkey.pem with 640 permissions for the user root and the group ssl-cert.

 

Enable the module SSL and the site:

{{{

a2enmod ssl

a2ensite mail.domain.com

/etc/init.d/apache2 force-reload

}}}

Load the OpenMailAdmin setup at https://mail.domain.com/openmailadmin/setup.php, check that the system configuration is the appropriate one and, if so, skip to the next step, where we'll have to fill in this information:

{{{

db connection settings

----------------------

DSN: mysql://postfix:<my_passwd>@127.0.0.1/postfix

tablenames' prefix:

 

IMAP connection settings

------------------------

type: Cyrus IMAPd

host: localhost

port: 143

imap admin: cyrus

... password: <my_passwd>

 

first superuser

---------------

mailbox of superuser: postmaster

... password: <my_passwd>

}}}

The installation process will create the file /var/www/openmailadmin/inc/config.local.inc.php with the configuration to access the database and the following 5 tables in the 'postfix' database:

 

* domains

* imap_demo

* user

* virtual

* virtual_regexp

 

From now onwards we can access the system with the 'postmaster' account, using the password '<my_passwd>'. Once the installation is finished, remove setup.php or deny access to it in Apache; an installer left reachable on an administration interface is an easy target even behind the IP restrictions above. We'll access the interface at the URL:

 

https://mail.domain.com/openmailadmin/

 

 

== Configuration of saslauthd ==

 

Edit /etc/default/saslauthd:

{{{

START=yes

MECHANISMS="pam"

}}}

Edit /etc/init.d/saslauthd (if your /etc/default/saslauthd already provides a PARAMS or OPTIONS variable, put the extra flags there instead: edits to the init script are lost when the package is upgraded):

{{{

PARAMS="${PARAMS} -a ${MECHANISMS} -r"

}}}

You can add the "-V" parameter after the "-r" one to the "PARAMS" variable to make saslauthd be more verbose in the logs.

 

Move saslauthd's socket directory into the Postfix chroot so that the chrooted smtpd can reach it, and leave a symbolic link in its old place so that saslauthd won't complain:

{{{

mkdir --parents --mode=755 /var/spool/postfix/var/run

mv /var/run/saslauthd /var/spool/postfix/var/run/saslauthd

ln --symbolic /var/spool/postfix/var/run/saslauthd /var/run/saslauthd

chown root:sasl /var/run/saslauthd

}}}

 

== Postfix configuration ==

{{{

echo "mail.domain.com" > /etc/mailname

echo "mail.domain.com" > /etc/hostname

}}}

and modify /etc/resolv.conf and /etc/hosts accordingly.

Create /etc/postfix/canonical.mysql:

{{{

hosts = 127.0.0.1

user = postfix

password = <my_passwd>

dbname = postfix

table = user

select_field = canonical

where_field = mbox

additional_conditions = and active = '1' limit 1

}}}

Create /etc/postfix/mydestination.mysql:

{{{

hosts = 127.0.0.1

user = postfix

password = <my_passwd>

dbname = postfix

table = domains

select_field = domain

where_field = domain

}}}

Create /etc/postfix/virtual.mysql:

{{{

hosts = 127.0.0.1

user = postfix

password = <my_passwd>

dbname = postfix

table = virtual

select_field = dest

where_field = address

additional_conditions = and active = '1'

}}}

 

Set the right permissions:

 

{{{

chown root:postfix /etc/postfix/canonical.mysql /etc/postfix/mydestination.mysql /etc/postfix/virtual.mysql

chmod 640 /etc/postfix/canonical.mysql /etc/postfix/mydestination.mysql /etc/postfix/virtual.mysql

}}}

Edit /etc/postfix/main.cf:

{{{

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

biff = no

append_dot_mydomain = no

delay_warning_time = 4h

 

myhostname = mail.domain.com

mydomain = $myhostname

myorigin = $mydomain

mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost

mynetworks = 127.0.0.0/8, my.public.ip.address

 

alias_maps = hash:/etc/aliases

alias_database = hash:/etc/aliases

mailbox_size_limit = 0

recipient_delimiter = +

unknown_local_recipient_reject_code = 550

 

mailbox_transport = cyrus

virtual_alias_domains = mysql:/etc/postfix/mydestination.mysql

virtual_alias_maps = mysql:/etc/postfix/virtual.mysql

sender_canonical_maps = mysql:/etc/postfix/canonical.mysql

 

smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

smtpd_sasl_security_options = noanonymous

smtpd_sasl_local_domain =

broken_sasl_auth_clients = yes

}}}

Edit /etc/postfix/master.cf and add the following line:

{{{

cyrus     unix  -       n       n       -       -       pipe

  flags= user=cyrus argv=/usr/sbin/cyrdeliver -r ${sender} -m ${extension} ${user}

}}}

You can add the "-v" option at the end of the smtp daemon line to increase verbosity:

{{{

smtp      inet  n       -       -       -       -       smtpd -v

}}}

Create /etc/postfix/sasl/smtpd.conf with 644 permissions (root:postfix) and the following content:

{{{

pwcheck_method: saslauthd

mech_list: PLAIN LOGIN

log_level: 0

}}}

You can set the 'log_level' parameter with a value of 7 to increase verbosity and help debugging.

 

Add the user "postfix" to the group "sasl" so that it can read the socket of saslauthd:

{{{

adduser postfix sasl

}}}

Optional: add "etc/postfix/sasl/smtpd.conf" to the "FILES" variable of the script /etc/init.d/postfix so that it copies the file into the chroot every time Postfix is restarted (it seems not to be necessary on Debian, but I haven't tested this deeply enough to state it with certainty).

 

 

=== Add support for regular expressions ===

 

Edit /var/www/openmailadmin/samples/oma_mail.daimon.php:

 

Change the first line so that it points at the right location of "env":

{{{

#!/usr/bin/env php

}}}

Modify the following variables so that they look like this:

{{{

$MTA['virtual'] = '/etc/postfix/virtual';

$MTA['regexp']  = '/etc/postfix/virtual.regex';

$MTA['domains'] = '/etc/postfix/domains';

$PASSWD_CACHE   = NULL;

 

$DB     = array('TYPE'  => 'mysql',

                'HOST'  => 'localhost',

                'USER'  => 'postfix',

                'PASS'  => '<my_passwd>',

                'DB'    => 'postfix',

                'PREFIX'=> '',

                );

}}}

 

Set the appropriate permissions. Be aware that cron will run this script as root and that, after the chown and chmod done in the Apache section, it is owned by root:www-data and group-writable: anyone who can write files as the web server user (a bug in any PHP application on this host would do) can then edit a script that root executes on every run. It is safer to keep a copy outside the web root, owned by root and writable only by root (mode 700), and point the cron entry at that copy. If you keep it where it is:

 

{{{

chmod 770 /var/www/openmailadmin/samples/oma_mail.daimon.php

}}}

Edit the crontab by using the command 'crontab -e' and add the following line:

{{{

0 */2 * * * /var/www/openmailadmin/samples/oma_mail.daimon.php

}}}

Alternatively, create /etc/cron.d/oma_mail.daimon with the following content:

{{{

0 */2 * * * root /var/www/openmailadmin/samples/oma_mail.daimon.php

}}}

and restart cron (/etc/init.d/cron restart). Either way the script runs every two hours (that is what "0 */2 * * *" means), so a new regular expression added to an account can take up to two hours to become active; shorten the schedule if you need it faster, or run the script as root from the console to apply the change immediately.

 

This script creates the file /etc/postfix/virtual.regex (the path set in $MTA['regexp'] above) with a dump of the table 'virtual_regexp'. We'll tell Postfix to read and process that file so that we get support for regular expressions in OpenMailAdmin (very useful when we have a lot of virtual domains). Edit /etc/postfix/main.cf:

{{{

virtual_alias_maps = mysql:/etc/postfix/virtual.mysql, regexp:/etc/postfix/virtual.regex

}}}

 

And reload Postfix:

{{{

/etc/init.d/postfix reload

}}}

 

== Cyrus IMAP configuration ==

 

 

=== In /etc/cyrus.conf ===

 

Comment out the lines of the POP3 and NNTP services if you don't plan to use them (I don't).

 

 

=== Edit /etc/imapd.conf and modify or add the following lines ===

{{{

admins: cyrus

sasl_pwcheck_method: saslauthd

allowusermoves: yes

sasl_mech_list: PLAIN LOGIN

sasl_minimum_layer: 0

umask: 027

}}}

If you plan to allow the users to use dots in the name, as in foo.bar@domain.com, then you will have to add the following directive (I would):

{{{

unixhierarchysep: yes

}}}

You can uncomment the following line in /etc/default/cyrus2.2 to increase the verbosity of Cyrus IMAP:

{{{

CYRUS_VERBOSE=1

}}}

 

== (Re)start services ==

{{{

/etc/init.d/saslauthd restart

/etc/init.d/cyrus2.2 restart

/etc/init.d/postfix restart

}}}

 

== Test ==

 

You should be able to log in via "cyradm" and type some commands:

{{{

/usr/bin/cyradm --user cyrus --server localhost --auth login

}}}

Monitor the logs for information:

{{{

/usr/bin/tail -f /var/log/mail.log | /usr/bin/ccze

/usr/bin/tail -f /var/log/auth.log | /usr/bin/ccze

}}}

 

== Securing the channel (TLS/SSL) ==

 

At this point we can send via SMTP on port 25 and read mail via IMAP on port 143, enough to test that the installation works so far. Note that with the current settings (PLAIN and LOGIN mechanisms, sasl_minimum_layer 0) passwords travel in clear text, so test from localhost or with a throwaway password. Let's now secure the channel with TLS/SSL to protect both the passwords and the contents of the messages.

 

 

=== Cyrus ===

 

Edit /etc/cyrus.conf and make sure these two lines exist (add or modify as needed):

{{{

imap            cmd="imapd -U 30" listen="localhost:imap" prefork=0 maxchild=100

imaps           cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100

}}}

Add the user 'cyrus' to the group 'ssl-cert' so that it can access the private key of the certificate:

{{{

adduser cyrus ssl-cert

}}}

Edit /etc/imapd.conf:

{{{

sasl_minimum_layer: 128

tls_cert_file: /etc/ssl/certs/mail.domain.com_newcert.pem

tls_key_file: /etc/ssl/private/mail.domain.com_newkey.pem

tls_ca_file: /etc/ssl/certs/cacert.org.pem

}}}

Restart the server:

{{{

/etc/init.d/cyrus2.2 restart

}}}

With these changes we now have IMAP over SSL on port 993 and plain IMAP on port 143 reachable from localhost only (for the webmail). You can test this with 'imtest':

{{{

imtest -a <username> -w <passwd> -m login -s localhost

}}}

 

=== Postfix ===

 

Add these to /etc/postfix/main.cf:

{{{

smtpd_use_tls = yes

smtpd_tls_auth_only = yes

smtpd_tls_key_file = /etc/ssl/private/mail.domain.com_newkey.pem

smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.com_newcert.pem

smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem

smtpd_tls_loglevel = 3

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

}}}

"smtpd_tls_auth_only = yes" is the setting you want in production: PLAIN and LOGIN send the password in clear text, so they must only be offered over an encrypted channel. If you need to debug with a plain telnet session, set it to "no" temporarily and do not forget to switch it back. Likewise, "smtpd_tls_loglevel = 3" dumps the whole TLS negotiation into the logs; once things work, lower it to 1.
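As an added example (not part of the original tutorial), the following Python script automates the checks one wants after the Test section and this TLS step: that EHLO does not advertise AUTH before STARTTLS, that PLAIN/LOGIN appear and a login succeeds once TLS is up, and that IMAPS on port 993 accepts the same credentials. HOST, USER, PASSWORD and CA_FILE are assumptions taken from the names used in this tutorial, and the EHLO replies used to exercise the parser are constructed. The auth_plain_token() helper also gives you the base64 string to paste after "AUTH PLAIN" when testing by hand inside "openssl s_client -starttls smtp -connect mail.domain.com:25".

```python
"""Added example, not part of the original tutorial: check that the
Postfix/Cyrus front end only takes plaintext logins inside TLS."""
import base64
import imaplib
import smtplib
import ssl

HOST = "mail.domain.com"                   # assumption: the host name used throughout
USER = "postmaster"                        # assumption: a mailbox that exists
PASSWORD = "<my_passwd>"                   # assumption
CA_FILE = "/etc/ssl/certs/cacert.org.pem"  # the CA bundle named in imapd.conf and main.cf


def parse_ehlo(reply: bytes) -> dict:
    """Map the EHLO reply body smtplib returns (greeting line, then one
    keyword per line) to {KEYWORD: [params]}.  The legacy 'AUTH=PLAIN LOGIN'
    line added by broken_sasl_auth_clients = yes is folded into AUTH."""
    caps = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        parts = line.split()
        if not parts:
            continue
        keyword, params = parts[0].upper(), parts[1:]
        if keyword.startswith("AUTH="):
            keyword, params = "AUTH", [keyword[5:]] + params
        caps.setdefault(keyword, []).extend(params)
    return caps


def auth_offered(caps: dict) -> set:
    """SASL mechanisms advertised in a parsed EHLO reply."""
    return {m.upper() for m in caps.get("AUTH", [])}


def auth_plain_token(user: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: base64(authzid NUL authcid NUL password)."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def check_smtp(host: str = HOST, port: int = 25) -> list:
    """Return findings; an empty list means the SMTP side behaves as intended."""
    findings = []
    ctx = ssl.create_default_context(cafile=CA_FILE)
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        _, reply = smtp.ehlo()
        caps = parse_ehlo(reply)
        if auth_offered(caps):
            findings.append("AUTH offered before STARTTLS; set smtpd_tls_auth_only = yes")
        if "STARTTLS" not in caps:
            findings.append("STARTTLS not offered; check smtpd_use_tls and the key/cert paths")
            return findings
        smtp.starttls(context=ctx)
        _, reply = smtp.ehlo()               # capabilities must be re-read after TLS
        mechs = auth_offered(parse_ehlo(reply))
        if not mechs & {"PLAIN", "LOGIN"}:
            findings.append("no PLAIN/LOGIN after STARTTLS; check saslauthd's socket, "
                            "postfix's membership of the sasl group and smtpd.conf")
            return findings
        code, resp = smtp.docmd("AUTH PLAIN", auth_plain_token(USER, PASSWORD))
        if code != 235:
            findings.append(f"AUTH PLAIN rejected: {code} {resp.decode('ascii', 'replace')}")
    return findings


def check_imap(host: str = HOST, port: int = 993) -> list:
    """IMAPS must accept the same credentials (plain 143 is localhost-only)."""
    findings = []
    ctx = ssl.create_default_context(cafile=CA_FILE)
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as imap:
        try:
            imap.login(USER, PASSWORD)
        except imaplib.IMAP4.error as exc:
            findings.append(f"IMAPS login failed: {exc}")
    return findings


if __name__ == "__main__":
    problems = check_smtp() + check_imap()
    for problem in problems:
        print("PROBLEM:", problem)
    print("all checks passed" if not problems else f"{len(problems)} problem(s)")
```

Run it from a machine outside mynetworks, otherwise permit_mynetworks hides authentication problems. Because the context is built from the CA file that signed the server certificate, a failed handshake here also tells you that clients verifying the certificate chain will fail.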

 

 

== Spamassassin ==

{{{

apt-get install spamassassin spamc

}}}

No further tuning needed. Did I say I love Debian? ;-)

 

 

== ClamAV ==

{{{

apt-get install rar unrar lha arj unzoo zip unzip bzip2 gzip cpio file lzop nomarch

apt-get install clamav clamav-base clamav-daemon clamav-freshclam libclamav1 clamav-docs

}}}

Make sure the directive 'AllowSupplementaryGroups' is present and set to true in /etc/clamav/clamd.conf; otherwise clamd ignores the group membership added next and cannot read the files Amavis unpacks.

Add the user 'clamav' to the group 'amavis':

{{{

adduser clamav amavis

}}}

Restart the daemons:

{{{

/etc/init.d/clamav-daemon restart

/etc/init.d/clamav-freshclam restart

}}}

 

== Amavis ==

{{{

apt-get install amavisd-new

}}}

If our hostname in /etc/hostname is not a FQDN (Fully Qualified Domain Name), that is to say it's a name of the type "server" instead of a name of the type "mail.domain.com", we will have to modify the file /etc/amavis/conf.d/50-user, adding:

{{{

$myhostname = "mail.domain.com";

}}}

so that Amavis has the right value of the variable $myhostname.

 

Activate the virus (ClamAV) and spam (SpamAssassin) checks in Amavis by editing /etc/amavis/conf.d/15-content_filter_mode and uncommenting the following lines (Debian ships them commented out, which means both checks are disabled):

{{{

@bypass_virus_checks_maps = (

   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

 

@bypass_spam_checks_maps = (

   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

}}}

Edit /etc/amavis/conf.d/20-debian_defaults:

{{{

$final_spam_destiny       = D_PASS;

}}}

This way we let emails marked as spam pass and rely on the user using SIEVE filters (or the filters provided by his or her email client) to filter the spam by looking at the headers. Viruses are discarded.

 

Here is my recommended configuration for allowed and banned attachments. Evaluate the needs of your company and fine-tune it as needed. In /etc/amavis/conf.d/20-debian_defaults, uncomment these lines (Debian ships them commented out) so that the listed types are banned:

{{{

qr'^application/x-msmetafile$'i,

qr'^\.wmf$',

qr'^message/partial$'i, qr'^message/external-body$'i,

[ qr'^\.(Z|gz|bz2)$'           => 0 ],

[ qr'^\.(rpm|cpio|tar)$'       => 0 ],

[ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],

qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|

inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|

ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|

wmf|wsc|wsf|wsh)$'ix,

qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,

qr'^\.(exe|lha|tnef|cab|dll)$',

}}}

Comment the following line if you don't want Amavis to modify the subject of the emails marked as spam:

{{{

# $sa_spam_subject_tag = '***SPAM*** ';

}}}

 

=== Modify the configuration of Postfix ===

 

Add these to /etc/postfix/master.cf:

{{{

smtp-amavis unix -      -       y     -       2  smtp

    -o smtp_data_done_timeout=1200

    -o smtp_send_xforward_command=yes

    -o disable_dns_lookups=yes

    -o max_use=20

 

127.0.0.1:10025 inet n  -       y     -       -  smtpd

    -o content_filter=

    -o local_recipient_maps=

    -o relay_recipient_maps=

    -o smtpd_restriction_classes=

    -o smtpd_delay_reject=no

    -o smtpd_client_restrictions=permit_mynetworks,reject

    -o smtpd_helo_restrictions=

    -o smtpd_sender_restrictions=

    -o smtpd_recipient_restrictions=permit_mynetworks,reject

    -o smtpd_data_restrictions=reject_unauth_pipelining

    -o smtpd_end_of_data_restrictions=

    -o mynetworks=127.0.0.0/8

    -o smtpd_error_sleep_time=0

    -o smtpd_soft_error_limit=1001

    -o smtpd_hard_error_limit=1000

    -o smtpd_client_connection_count_limit=0

    -o smtpd_client_connection_rate_limit=0

    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

}}}

And add this to /etc/postfix/main.cf:

{{{

content_filter=smtp-amavis:[127.0.0.1]:10024

}}}

Restart Postfix:

{{{

/etc/init.d/postfix restart

}}}

 

== Anti-UCE measures in Postfix ==

 

Edit /etc/postfix/main.cf. Two caveats about the list below. First, the HELO and sender/recipient syntax checks sit before permit_mynetworks and permit_sasl_authenticated, so a roaming user whose mail client announces itself with a bare machine name ("EHLO LAPTOP") is rejected by reject_non_fqdn_hostname even after authenticating; if that bites, move the two permit_* entries up, keeping reject_unauth_destination ahead of anything that can permit so that the server never becomes an open relay. Second, relays.ordb.org was shut down at the end of 2006 and from March 2008 answered every query as "listed", so any server still consulting it rejected all incoming mail; drop that line and use a live list such as zen.spamhaus.org instead.

{{{

smtpd_helo_required = yes

disable_vrfy_command = yes

strict_rfc821_envelopes = yes

 

smtpd_recipient_restrictions =

reject_invalid_hostname,

reject_non_fqdn_hostname,

reject_non_fqdn_sender,

reject_non_fqdn_recipient,

reject_unknown_sender_domain,

reject_unknown_recipient_domain,

permit_mynetworks,

permit_sasl_authenticated,

reject_unauth_destination,

check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,

check_helo_access hash:/etc/postfix/helo_checks,

check_helo_access pcre:/etc/postfix/helo_checks.pcre,

reject_rbl_client relays.ordb.org,

reject_rbl_client sbl.spamhaus.org,

# check_policy_service inet:127.0.0.1:60000,

permit

 

smtpd_data_restrictions =

reject_unauth_pipelining,

permit

}}}

Restart Postfix:

{{{

/etc/init.d/postfix restart

}}}
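The following Python model, added here and not part of the tutorial, walks a restriction list the way smtpd does (the first PERMIT or REJECT wins, DUNNO falls through, and an exhausted list permits) over a few constructed sessions, to make the ordering caveat concrete: with the list exactly as above, an authenticated roaming user whose client says "EHLO LAPTOP" is rejected, whereas moving the two permit_* entries up lets that user through without opening a relay, because reject_unauth_destination still precedes the final permit. The DNS-based checks and the access maps are left out, the RBL lookup is stubbed as a flag on the session, and MYNETWORKS and MY_DOMAINS are assumptions.

```python
"""Added example, not part of the tutorial: a model of how smtpd walks
smtpd_recipient_restrictions, run over constructed sessions."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

MYNETWORKS = {"127.0.0.1", "198.51.100.25"}     # assumption: loopback + this server's address
MY_DOMAINS = {"domain.com", "mail.domain.com"}  # assumption: mydestination + virtual alias domains


@dataclass
class Session:
    """What smtpd knows about a client at RCPT TO time."""
    client_ip: str
    helo: str
    sender: str
    recipient: str
    sasl_user: Optional[str] = None   # set once AUTH succeeded
    rbl_listed: bool = False          # stands in for the DNSBL lookup result


HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def is_fqdn(name: str) -> bool:
    """Simplified: at least two labels (Postfix also accepts address literals)."""
    return "." in name.strip(".")


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


# Restrictions named as in main.cf; each answers PERMIT, REJECT or DUNNO.
def reject_invalid_hostname(s): return REJECT if not HOSTNAME_RE.match(s.helo) else DUNNO
def reject_non_fqdn_hostname(s): return REJECT if not is_fqdn(s.helo) else DUNNO
def reject_non_fqdn_sender(s): return REJECT if s.sender and not is_fqdn(domain_of(s.sender)) else DUNNO
def reject_non_fqdn_recipient(s): return REJECT if not is_fqdn(domain_of(s.recipient)) else DUNNO
def permit_mynetworks(s): return PERMIT if s.client_ip in MYNETWORKS else DUNNO
def permit_sasl_authenticated(s): return PERMIT if s.sasl_user else DUNNO
def reject_unauth_destination(s): return DUNNO if domain_of(s.recipient) in MY_DOMAINS else REJECT
def reject_rbl_client(s): return REJECT if s.rbl_listed else DUNNO
def permit(s): return PERMIT


def evaluate(restrictions: List[Callable], session: Session) -> Tuple[str, str]:
    """First non-DUNNO answer decides; falling off the end permits."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != DUNNO:
            return verdict, restriction.__name__
    return PERMIT, "end of list"


# The order written in main.cf above (DNS checks and access maps omitted).
TUTORIAL_ORDER = [reject_invalid_hostname, reject_non_fqdn_hostname,
                  reject_non_fqdn_sender, reject_non_fqdn_recipient,
                  permit_mynetworks, permit_sasl_authenticated,
                  reject_unauth_destination, reject_rbl_client, permit]

# Own clients first; reject_unauth_destination still guards against relaying.
REORDERED = [permit_mynetworks, permit_sasl_authenticated,
             reject_non_fqdn_recipient, reject_unauth_destination,
             reject_invalid_hostname, reject_non_fqdn_hostname,
             reject_non_fqdn_sender, reject_rbl_client, permit]

# Constructed sessions (documentation addresses, not real hosts).
ROAMING_USER = Session("203.0.113.7", "LAPTOP", "bob@domain.com",
                       "friend@example.org", sasl_user="bob")
RELAY_ATTEMPT = Session("203.0.113.9", "mx.example.net", "spam@example.net",
                        "victim@example.org")
INBOUND_OK = Session("192.0.2.33", "mx.example.net", "alice@example.net",
                     "postmaster@domain.com")
INBOUND_RBL = Session("192.0.2.44", "mx.example.net", "alice@example.net",
                      "postmaster@domain.com", rbl_listed=True)

if __name__ == "__main__":
    for label, s in [("roaming user", ROAMING_USER), ("relay attempt", RELAY_ATTEMPT),
                     ("inbound ok", INBOUND_OK), ("inbound rbl", INBOUND_RBL)]:
        print(f"{label:14} tutorial={evaluate(TUTORIAL_ORDER, s)}  reordered={evaluate(REORDERED, s)}")
```

The relay attempt is rejected by reject_unauth_destination under both orders; that entry, not the RBL or HELO checks, is what keeps the server from relaying, so whatever reordering you do, it must stay ahead of the trailing permit.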

 

== Postgrey ==

{{{

apt-get install postgrey

}}}

Edit /etc/postfix/main.cf:

 

Add 'check_policy_service inet:127.0.0.1:60000' to the 'smtpd_recipient_restrictions' directive (that is, uncomment the line already present in the list from the Anti-UCE section above). Check the port against POSTGREY_OPTS in /etc/default/postgrey first: 60000 was the Debian default at the time of writing, newer packages listen on 10023.

 

Restart Postfix:

{{{

/etc/init.d/postfix restart

}}}

More info about Postgrey at [http://isg.ee.ethz.ch/tools/postgrey/]

 

 

== Mailman ==

{{{

apt-get install mailman

}}}

Edit /etc/apache2/sites-available/mail.domain.com:

{{{

ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/

Alias /pipermail/ /var/lib/mailman/archives/public/

Alias /images/mailman/ /usr/share/images/mailman/

}}}

Reload Apache:

{{{

/etc/init.d/apache2 reload

}}}

Edit /etc/mailman/mm_cfg.py. The URL pattern has to match the ScriptAlias added above (/mailman/); otherwise the links Mailman generates point at /cgi-bin/mailman/, which this virtual host does not serve:

{{{

DEFAULT_URL_PATTERN = 'https://%s/mailman/'

MTA='Postfix'

}}}

Generate the aliases:

{{{

cd /var/lib/mailman

bin/genaliases

}}}

Edit /etc/postfix/main.cf:

{{{

alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases

alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases

mailman_destination_recipient_limit = 1

unknown_local_recipient_reject_code = 550

owner_request_special = no

recipient_delimiter = +

}}}

{{{

/etc/init.d/postfix reload

/usr/bin/newaliases

}}}

Create the site list:

{{{

newlist mailman

}}}

Use a temporary password, since it is sent in clear text via email; change it afterwards and leave the option "Send monthly reminders" deactivated. Then start Mailman:

{{{

/etc/init.d/mailman start

}}}

https://mail.domain.com/mailman/admin/mailman/

 

Lists are created under the local domain "mail.domain.com": if you create the list "marketing", people will have to post to "marketing@mail.domain.com". You can use OpenMailAdmin (the "Addresses" tab of the "postmaster" account) to add an alias so that everything sent to "marketing@domain.com" is redirected to "marketing@mail.domain.com", giving users a shorter address to post to.

 

 

== Squirrelmail ==

 

{{{

apt-get install squirrelmail squirrelmail-decode squirrelmail-locales php5-recode

}}}

 

Run /usr/sbin/squirrelmail-configure and change:

 

- Set pre-defined settings for specific IMAP servers = cyrus

 

If, and only if, you set the directive "unixhierarchysep" to "yes" in /etc/imapd.conf, then you will have to do these changes:

 

* Server Settings: Update IMAP Settings: Delimiter = /

* Folder Defaults: Trash Folder = INBOX/Trash

* Folder Defaults: Sent Folder = INBOX/Sent

* Folder Defaults: Drafts Folder = INBOX/Drafts

 

Optionally, you can customize these as well:

 

* Organization Preferences: Organization Name

* Organization Preferences: Organization Logo

* Organization Preferences: Organization Title

* Message of the Day (MOTD): Edit the MOTD

 

Edit /etc/apache2/sites-available/mail.domain.com:

{{{

Alias /squirrelmail /usr/share/squirrelmail

<Directory /usr/share/squirrelmail>

php_flag register_globals off

Options Indexes FollowSymLinks

<IfModule mod_dir.c>

DirectoryIndex index.php

</IfModule>

# access to configtest is limited by default to prevent information leak

<Files configtest.php>

Order Deny,Allow

Deny From All

Allow From 127.0.0.1

</Files>

</Directory>

}}}

"Options Indexes" above enables directory listings under /squirrelmail; it comes from Debian's shipped snippet but nothing needs it, so drop "Indexes" from that line. Then reload Apache 2:

{{{

/etc/init.d/apache2 reload

}}}

See Squirrelmail working:

 

https://mail.domain.com/squirrelmail/

 

Usually, users will prefer a URL like http://webmail.domain.com/. For this purpose you will have to configure an entry in the DNS zone and another virtual host in Apache that redirects the traffic (mod_rewrite must be enabled: a2enmod rewrite):

{{{

<VirtualHost *>

        ServerName webmail.domain.com

        RewriteEngine on

        RewriteCond %{HTTP_HOST} ^webmail\.domain\.com$ [NC]

        RewriteRule ^(.*)$ https://mail.domain.com/squirrelmail/$1 [R=301,L]

</VirtualHost>

}}}

This way we let the users have a short and never changing URL and we make sure webmail is always accessed via a secure channel, while we benefit from the certificate we already created for the domain "mail.domain.com".

 

To manage the SIEVE scripts we can use the Squirrelmail's plugin 'Avelsieve - SIEVE Mail Filters'. Download it from the web:

 

http://email.uoa.gr/projects/squirrelmail/avelsieve_download.php

 

These commands should do the work:

{{{

cd /usr/share/squirrelmail/plugins/

wget http://email.uoa.gr/download/squirrelmail/avelsieve/avelsieve-1.9.6.tar.gz

tar -xzf avelsieve-1.9.6.tar.gz

rm --force avelsieve-1.9.6.tar.gz

chown --recursive root:root avelsieve

cp --archive /usr/share/squirrelmail/plugins/avelsieve/config/config_sample.php /usr/share/squirrelmail/plugins/avelsieve/config/config.php

}}}

Activate the plug-in by using the configuration script of Squirrelmail /etc/squirrelmail/conf.pl (Plugins: avelsieve). Edit /usr/share/squirrelmail/plugins/avelsieve/config/config.php and change the desired options.

 

 

== Mailgraph ==

{{{

apt-get install mailgraph

}}}

Edit /etc/apache2/sites-available/mail.domain.com. Note that this maps the whole /usr/lib/cgi-bin directory (which also holds the Mailman CGIs) under /mailgraph/, and that mailgraph's statistics pages have no authentication of their own; consider aliasing only mailgraph.cgi and putting the location behind the same address restrictions used for OpenMailAdmin.

{{{

ScriptAlias /mailgraph/ /usr/lib/cgi-bin/

}}}

Reload Apache 2:

{{{

/etc/init.d/apache2 reload

}}}

See it working at https://mail.domain.com/mailgraph/mailgraph.cgi

 

 

== Final note ==

 

Enjoy it! And remember that closed source leads to the dark side of the force!

Comments:

jager: pam-mysql 0.7~RC1 purports to fix the MD5 bug so that recompilation of pam-mysql is no longer necessary.

Benjamin H. Graham - bman: I like tacos and if you have them, send moar.