This looked important, and the original site was dead, here's where it came from:
and here it is: (NOTE: I DIDN'T WRITE THIS AND HAVEN'T FOLLOWED IT)
= Postfix, SASL, Cyrus IMAP, MySQL, Amavis, Postgrey, !SpamAssassin, ClamAV, Squirrelmail, Mailman, Mailgraph and Openmailadmin =
== Introduction ==
My name is [http://www.linuxsilo.net/ Jaume Sabater] and I work as a System Administrator. I've been using [http://www.postfix.org/ Postfix] and [http://cyrusimap.web.cmu.edu/ Cyrus] for three years so far. Previously I used [http://www.qmail.org/ Qmail] and [http://www.courier-mta.org/imap/ Courier]. I only work with [http://www.debian.org/ Debian], so don't waste your time asking about Red Hat, Suse or any other. [http://people.debian.org/~srivasta/talks/why_debian/talk.html Why Debian?]
I've recently set up a new email server and here are the results of my work, in case they are of any help to you. I would like to thank Mark-W Kubacki, the author of [http://www.openmailadmin.org/ OpenMailAdmin], for his excellent tool. I will be working on improving it in several aspects to adapt it to the needs of my company.
== Purpose of the document and disclaimer ==
The objective of this tutorial is to set up a mail server with local mailboxes and virtual domains and aliases. This is useful if you have a lot of domains of your own and you receive mail from all of them but only send mail from one of them. This tutorial won't lead you to an ISP-like setup (with virtual mailboxes).
It's based on Debian Sid as of July of 2006. When Debian Etch becomes the new Debian Stable I will update it to the final versions of the needed packages and will tweak the configuration as required. Of course, any sort of suggestion, improvement and correction is most welcome. Contact me at [mailto:jsabater@linuxsilo.net jsabater at linuxsilo dot net].
This tutorial is not idiot-proof, so don't blame me later if you just followed the steps without knowing what you are doing and it led you to data loss or whatever. Read the software documentation, read the forums, read the mailing list archives, read the tutorials, etc. and test it on a development server before putting it into production.
== Installation of packages ==
As root:
{{{
apt-get install postfix postfix-doc postfix-mysql postfix-pcre openssl ca-certificates
apt-get install libsasl2 libsasl2-modules sasl2-bin
apt-get install cyrus-admin-2.2 cyrus-clients-2.2 cyrus-common-2.2 cyrus-doc-2.2 cyrus-imapd-2.2 libcyrus-imap-perl22
apt-get install mysql-server-5.0 mysql-client-5.0 libpam-mysql
apt-get install apache2-mpm-prefork libapache2-mod-php5 php5 php5-cli php5-mysql libphp-adodb
apt-get install apache2-utils nmap ntpdate ccze less wget bzip2
}}}
== PAM configuration ==
Edit /etc/pam.d/imap:
{{{
auth sufficient pam_mysql.so user=postfix passwd=<my_passwd> host=localhost db=postfix table=user usercolumn=mbox passwdcolumn=pass_md5 crypt=3
account required pam_mysql.so user=postfix passwd=<my_passwd> host=localhost db=postfix table=user usercolumn=mbox passwdcolumn=pass_md5 crypt=3
}}}
Optionally, you can add "verbose=1" at the end of those two lines to throw more information into the log files and help you debug the config. Set up the right permissions and links in /etc/pam.d:
{{{
chmod 600 /etc/pam.d/imap
rm --force /etc/pam.d/sieve /etc/pam.d/lmtp
ln --symbolic /etc/pam.d/imap /etc/pam.d/sieve
ln --symbolic /etc/pam.d/imap /etc/pam.d/lmtp
ln --symbolic /etc/pam.d/imap /etc/pam.d/smtp
}}}
The current version of libpam-mysql in Debian, 0.6.2-1, does not support MD5, so we'll have to recompile the package with SSL support:
{{{
mkdir /usr/src/libpam-mysql
cd /usr/src/libpam-mysql
apt-get source pam-mysql
apt-get build-dep pam-mysql
cd pam-mysql-0.6.2
}}}
Modify line 51 of the debian/rules file so that it looks like this one:
{{{
./configure --prefix=/usr --with-openssl
}}}
Modify line 109 of the Makefile.in file so that it looks like this one:
{{{
DEFS = @DEFS@ -I. -I$(srcdir) -I. -DHAVE_OPENSSL
}}}
Modify line 6 of the debian/control file so that it looks like this one:
{{{
Build-Depends: libpam0g-dev, libmysqlclient15-dev, libssl-dev, debhelper (>= 4.0.0)
}}}
Install some dependencies and build the package:
{{{
apt-get install libssl-dev
dpkg-buildpackage
cd ..
dpkg --install libpam-mysql_0.6.2-1_i386.deb
}}}
So that APT does not overwrite our brand new self-compiled package when upgrading the system, we should set it on hold. From time to time, visit the [http://packages.debian.org/unstable/admin/libpam-mysql web page of the package] and check the changelog until we find the bug is closed. At that point we should unset the hold state of the package.
To put the package on hold:
{{{
echo libpam-mysql hold | dpkg --set-selections
}}}
To remove the hold:
{{{
echo libpam-mysql install | dpkg --set-selections
}}}
For more information about this bug, visit the [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=373834 Debian bugtracking system]
In case the package build process ends in an error, these commands will provide us with a library that supports MD5:
{{{
mv /lib/security/pam_mysql.so /lib/security/pam_mysql.so.bak
cp /usr/src/libpam-mysql/pam-mysql-0.6.2/debian/libpam-mysql/usr/lib/security/pam_mysql.so /lib/security/
chmod 644 /lib/security/pam_mysql.so
chown root:root /lib/security/pam_mysql.so
}}}
== MySQL configuration ==
Set password for root:
{{{
mysqladmin -u root password <my_root_passwd>
}}}
Create database "postfix":
{{{
mysql --user=root --password mysql
Enter password:
mysql> CREATE DATABASE `postfix` ;
mysql> GRANT USAGE ON *.* TO 'postfix'@'localhost' IDENTIFIED BY 'my_passwd' ;
mysql> GRANT ALL PRIVILEGES ON `postfix`.* TO 'postfix'@'localhost' WITH GRANT OPTION ;
mysql> FLUSH PRIVILEGES ;
mysql> quit
}}}
== Apache and Openmailadmin config ==
{{{
mkdir --mode=755 /var/www
cd /var/www
wget http://static.ossdl.de/openmailadmin/downloads/openmailadmin-0.9.3.tbz2
tar -xjf openmailadmin-0.9.3.tbz2
mv openmailadmin-0.9.3 openmailadmin
chown --recursive root:www-data /var/www/openmailadmin
chmod 2770 /var/www/openmailadmin
cd openmailadmin
find /var/www/openmailadmin -type d -exec chmod 2770 '{}' ';'
find /var/www/openmailadmin -type f -exec chmod 660 '{}' ';'
}}}
Add {{{NameVirtualHost *:443}}} to /etc/apache2/sites-available/default.
Add {{{Listen 443}}} to /etc/apache2/ports.conf.
Edit /etc/apache2/sites-available/mail.domain.com:
{{{
<VirtualHost *:443>
    ServerAdmin webmaster@domain.com
    ServerName mail.domain.com
    SSLEngine on
    # Certificate and key paths match the files created in the certificate step below
    SSLCertificateFile "/etc/ssl/certs/mail.domain.com_newcert.pem"
    SSLCertificateKeyFile "/etc/ssl/private/mail.domain.com_newkey.pem"
    ErrorLog /var/log/apache2/error_mail.domain.com.log
    CustomLog /var/log/apache2/access_mail.domain.com.log combined
    Alias /openmailadmin /var/www/openmailadmin
    <Directory /var/www/openmailadmin/>
        AllowOverride All
        Order Deny,Allow
        Deny From All
        Allow From 127.0.0.1
        Allow From x.y.z.t
        <IfModule mod_php5.c>
            php_flag file_uploads 0
            php_flag ignore_repeated_errors 1
            php_flag ignore_repeated_source 1
            php_flag display_errors 0
            php_flag log_errors 1
        </IfModule>
    </Directory>
</VirtualHost>
}}}
Where x.y.z.t is the IP address where you want to access !OpenMailAdmin from. Of course this can be customized to your needs (for instance, let it be accessed from anywhere).
Create the certificates:
{{{
/usr/bin/openssl req -new -nodes -out /etc/ssl/certs/mail.domain.com_newreq.pem -keyout /etc/ssl/private/mail.domain.com_newkey.pem
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:mail.domain.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
}}}
This will generate two files:
a) A certificate request, that a certificate authority (CA) will have to sign, at /etc/ssl/certs/mail.domain.com_newreq.pem.
b) The private key of the certificate at /etc/ssl/private/mail.domain.com_newkey.pem.
Use cacert.org or any other CA (including your own one) to sign the certificate request. The resulting certificate will have to be put in the file /etc/ssl/certs/mail.domain.com_newcert.pem with 644 permissions for the user and group 'root' and the private key at /etc/ssl/private/mail.domain.com_newkey.pem with 640 permissions for the user root and the group ssl-cert.
Enable the module SSL and the site:
{{{
a2enmod ssl
a2ensite mail.domain.com
/etc/init.d/apache2 force-reload
}}}
Load the !OpenMailAdmin setup at https://mail.domain.com/openmailadmin/setup.php, check that the system configuration is the appropriate one and, if so, skip to the next step, where we'll have to fill this information in:
{{{
db connection settings
----------------------
DSN: mysql://postfix:<my_passwd>@127.0.0.1/postfix
tablenames' prefix:
IMAP connection settings
------------------------
type: Cyrus IMAPd
host: localhost
port: 143
imap admin: cyrus
... password: <my_passwd>
first superuser
---------------
mailbox of superuser: postmaster
... password: <my_passwd>
}}}
The installation process will create the file /var/www/openmailadmin/inc/config.local.inc.php with the configuration to access the database and the following 5 tables in the 'postfix' database:
* domains
* imap_demo
* user
* virtual
* virtual_regexp
From now onwards we can access the system with the 'postmaster' account, using the password '<my_passwd>'. We'll access this interface from the URL:
https://mail.domain.com/openmailadmin/
== Configuration of saslauthd ==
Edit /etc/default/saslauthd:
{{{
START=yes
MECHANISMS="pam"
}}}
Edit /etc/init.d/saslauthd:
{{{
PARAMS="${PARAMS} -a ${MECHANISMS} -r"
}}}
You can add the "-V" parameter after the "-r" one to the "PARAMS" variable to make saslauthd be more verbose in the logs.
Move saslauthd's socket inside the Postfix jail so that Postfix can access it, and create a symbolic link in its place so that saslauthd won't complain:
{{{
mkdir --parents --mode=755 /var/spool/postfix/var/run
mv /var/run/saslauthd /var/spool/postfix/var/run/saslauthd
ln --symbolic /var/spool/postfix/var/run/saslauthd /var/run/saslauthd
chown root:sasl /var/run/saslauthd
}}}
== Postfix configuration ==
{{{
echo "mail.domain.com" > /etc/mailname
echo "mail.domain.com" > /etc/hostname
# also modify /etc/resolv.conf and /etc/hosts accordingly
}}}
Create /etc/postfix/canonical.mysql:
{{{
hosts = 127.0.0.1
user = postfix
password = <my_passwd>
dbname = postfix
table = user
select_field = canonical
where_field = mbox
additional_conditions = and active = '1' limit 1
}}}
Create /etc/postfix/mydestination.mysql:
{{{
hosts = 127.0.0.1
user = postfix
password = <my_passwd>
dbname = postfix
table = domains
select_field = domain
where_field = domain
}}}
Create /etc/postfix/virtual.mysql:
{{{
hosts = 127.0.0.1
user = postfix
password = <my_passwd>
dbname = postfix
table = virtual
select_field = dest
where_field = address
additional_conditions = and active = '1'
}}}
Set the right permissions:
{{{
chown root:postfix /etc/postfix/canonical.mysql /etc/postfix/mydestination.mysql /etc/postfix/virtual.mysql
chmod 640 /etc/postfix/canonical.mysql /etc/postfix/mydestination.mysql /etc/postfix/virtual.mysql
}}}
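What these legacy-style map files make Postfix send to MySQL, as an added example that is not part of the original tutorial: per mysql_table(5), the four legacy parameters are assembled into one SELECT, and the script prints the equivalent `query =` line. The function names and the sample file (a copy of canonical.mysql with a dummy password) are constructed for this example.

```shell
#!/bin/sh
# Added example: show the SQL that a legacy-style Postfix MySQL map file produces.
# Per mysql_table(5) the legacy parameters are assembled as
#   SELECT select_field FROM table WHERE where_field = '%s' additional_conditions
# where %s is the lookup key, SQL-quoted by Postfix before the query is sent.

# get_param FILE NAME: print the value of the last "NAME = value" line in FILE.
get_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# legacy_to_query FILE: print the equivalent "query = ..." line, or fail when a
# mandatory legacy parameter is missing.
legacy_to_query() {
    select_field=$(get_param "$1" select_field)
    table=$(get_param "$1" table)
    where_field=$(get_param "$1" where_field)
    extra=$(get_param "$1" additional_conditions)
    if [ -z "$select_field" ] || [ -z "$table" ] || [ -z "$where_field" ]; then
        echo "$1: select_field, table and where_field are all required" >&2
        return 1
    fi
    q="SELECT $select_field FROM $table WHERE $where_field = '%s'"
    if [ -n "$extra" ]; then
        q="$q $extra"
    fi
    printf 'query = %s\n' "$q"
}

# Constructed sample: canonical.mysql from above, with a dummy password.
sample=$(mktemp)
cat > "$sample" <<'EOF'
hosts = 127.0.0.1
user = postfix
password = dummy
dbname = postfix
table = user
select_field = canonical
where_field = mbox
additional_conditions = and active = '1' limit 1
EOF
legacy_to_query "$sample"
rm -f "$sample"
```

On the server itself, `postmap -q <address> mysql:/etc/postfix/virtual.mysql` runs the real lookup against the database.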
Edit /etc/postfix/main.cf:
{{{
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
delay_warning_time = 4h
myhostname = mail.domain.com
mydomain = $myhostname
myorigin = $mydomain
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8, my.public.ip.address
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0
recipient_delimiter = +
unknown_local_recipient_reject_code = 550
mailbox_transport = cyrus
virtual_alias_domains = mysql:/etc/postfix/mydestination.mysql
virtual_alias_maps = mysql:/etc/postfix/virtual.mysql
sender_canonical_maps = mysql:/etc/postfix/canonical.mysql
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
}}}
Edit /etc/postfix/master.cf and add the following line:
{{{
cyrus unix - n n - - pipe
  flags= user=cyrus argv=/usr/sbin/cyrdeliver -r ${sender} -m ${extension} ${user}
}}}
You can add the "-v" option at the end of the smtp daemon line to increase verbosity:
{{{
smtp inet n - - - - smtpd -v
}}}
Create /etc/postfix/sasl/smtpd.conf with 644 permissions (root:postfix) and the following content:
{{{
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
log_level: 0
}}}
You can set the 'log_level' parameter with a value of 7 to increase verbosity and help debugging.
Add the user "postfix" to the group "sasl" so that it can read the socket of saslauthd:
{{{
adduser postfix sasl
}}}
Optional: add "etc/postfix/sasl/smtpd.conf" to the "FILES" variable of the script /etc/init.d/postfix so that it copies the file into the chroot every time it's restarted (it seems that it's not necessary on Debian but I haven't really tested this deeply enough to state it and be sure I'm not mistaken).
=== Add support for regular expressions ===
Edit /var/www/openmailadmin/samples/oma_mail.daimon.php:
Change the first line so that it points at the right location of "env":
{{{
#!/usr/bin/env php
}}}
Modify the following variables so that they look like this:
{{{
$MTA['virtual'] = '/etc/postfix/virtual';
$MTA['regexp'] = '/etc/postfix/virtual.regex';
$MTA['domains'] = '/etc/postfix/domains';
$PASSWD_CACHE = NULL;
$DB = array('TYPE' => 'mysql',
'HOST' => 'localhost',
'USER' => 'postfix',
'PASS' => '<my_passwd>',
'DB' => 'postfix',
'PREFIX'=> '',
);
}}}
Set the appropriate permissions:
{{{
chmod 770 /var/www/openmailadmin/samples/oma_mail.daimon.php
}}}
Edit the crontab by using the command 'crontab -e' and add the following line:
{{{
*/30 * * * * /var/www/openmailadmin/samples/oma_mail.daimon.php
}}}
Alternatively, create /etc/cron.d/oma_mail.daimon with the following content:
{{{
*/30 * * * * root /var/www/openmailadmin/samples/oma_mail.daimon.php
}}}
and restart cron with /etc/init.d/cron restart. Either of these will make the script run every half an hour. Keep in mind that, when adding a new regular expression to some account, it will take up to 30 minutes to become active (of course we can speed this up by executing the script as root from the console).
This script will create a file named 'virtual.regex' inside /etc/postfix that will have a dump of the table 'virtual_regexp'. We'll tell Postfix to read and process the file so that we get support for regular expressions in !OpenMailAdmin (very useful when we have a lot of virtual domains). Edit /etc/postfix/main.cf:
{{{
virtual_alias_maps = mysql:/etc/postfix/virtual.mysql, regexp:/etc/postfix/virtual.regex
}}}
And reload Postfix:
{{{
/etc/init.d/postfix reload
}}}
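A permissions check for this setup, as an added example that is not part of the original tutorial: the cron job above can run oma_mail.daimon.php as root, yet the earlier steps left that file and its directory group-writable by www-data, so the web server account can change what root executes. The 755 ceiling for those two paths is this example's assumption; the other modes are the ones the tutorial sets, and the function names are constructed.

```shell
#!/bin/sh
# Added example: flag files from this setup whose mode is looser than intended.
# Uses GNU stat (coreutils), as shipped with Debian.

# excess_bits PATH MAXMODE: print, in octal, the permission bits PATH has
# beyond MAXMODE ("0" when the file is within bounds).
excess_bits() {
    actual=$(stat -c '%a' "$1") || return 2
    printf '%o\n' $(( 0$actual & ~0$2 & 0777 ))
}

# audit: read "MAXMODE PATH" lines on stdin, report loose entries,
# return 1 if any were found.
audit() {
    rc=0
    while read -r max path; do
        case $max in ''|'#'*) continue ;; esac
        if [ ! -e "$path" ]; then
            echo "SKIP  $path (not present)"
            continue
        fi
        extra=$(excess_bits "$path" "$max") || { rc=1; continue; }
        if [ "$extra" != 0 ]; then
            echo "LOOSE $path has extra bits $extra beyond $max"
            rc=1
        fi
    done
    return $rc
}

# Files that hold the database password or the TLS key, with the modes the
# tutorial assigns, followed by the root-run cron script and its directory
# (755 ceiling is an assumption of this example: no group or other write).
page_policy() {
    cat <<'EOF'
600 /etc/pam.d/imap
640 /etc/postfix/canonical.mysql
640 /etc/postfix/mydestination.mysql
640 /etc/postfix/virtual.mysql
640 /etc/ssl/private/mail.domain.com_newkey.pem
644 /etc/postfix/sasl/smtpd.conf
755 /var/www/openmailadmin/samples
755 /var/www/openmailadmin/samples/oma_mail.daimon.php
EOF
}

page_policy | audit || echo "Tighten the LOOSE entries above."
```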
== Cyrus IMAP configuration ==
=== In /etc/cyrus.conf ===
Comment out the lines of the POP3 and NNTP services if you don't plan to use them (I don't).
=== Edit /etc/imapd.conf and modify or add the following lines ===
{{{
admins: cyrus
sasl_pwcheck_method: saslauthd
allowusermoves: yes
sasl_mech_list: PLAIN LOGIN
sasl_minimum_layer: 0
umask: 027
}}}
If you plan to allow the users to use dots in the name, as in foo.bar@domain.com, then you will have to add the following directive (I would):
{{{
unixhierarchysep: yes
}}}
You can uncomment the following line in /etc/default/cyrus2.2 to increase the verbosity level of Cyrus IMAP:
{{{
CYRUS_VERBOSE=1
}}}
== (Re)start services ==
{{{
/etc/init.d/saslauthd restart
/etc/init.d/cyrus2.2 restart
/etc/init.d/postfix restart
}}}
== Test ==
You should be able to log in via "cyradm" and type some commands:
{{{
/usr/bin/cyradm --user cyrus --server localhost --auth login
}}}
Monitor the logs for information:
{{{
/usr/bin/tail -f /var/log/mail.log | /usr/bin/ccze
/usr/bin/tail -f /var/log/auth.log | /usr/bin/ccze
}}}
== Securing the channel (TLS/SSL) ==
At present we can send via SMTP on port 25 and receive via IMAP on port 143, enough to test that the installation works fine so far. Let's add security to the channel using TLS and SSL to protect both the passwords and the content of the messages.
=== Cyrus ===
Edit /etc/cyrus.conf and make sure these two lines exist (add or modify as needed):
{{{
imap cmd="imapd -U 30" listen="localhost:imap" prefork=0 maxchild=100
imaps cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
}}}
Add the user 'cyrus' to the group 'ssl-cert' so that it can access the private key of the certificate:
{{{
adduser cyrus ssl-cert
}}}
Edit /etc/imapd.conf:
{{{
sasl_minimum_layer: 128
tls_cert_file: /etc/ssl/certs/mail.domain.com_newcert.pem
tls_key_file: /etc/ssl/private/mail.domain.com_newkey.pem
tls_ca_file: /etc/ssl/certs/cacert.org.pem
}}}
Restart the server:
{{{
/etc/init.d/cyrus2.2 restart
}}}
With these changes we now have support for IMAP over SSL on port 993 and access to IMAP on port 143 from the localhost only (for the webmail). You can test this with 'imtest':
{{{
imtest -a <username> -w <passwd> -m login -s localhost
}}}
=== Postfix ===
Add these to /etc/postfix/main.cf:
{{{
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/private/mail.domain.com_newkey.pem
smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.com_newcert.pem
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
}}}
smtpd_tls_auth_only should be yes once you are sure the setup is working fine, as plain-text login should only be allowed over encrypted channels. Setting it to no temporarily makes debugging easier.
== Spamassassin ==
{{{
apt-get install spamassassin spamc
}}}
No further tuning needed. Did I say I love Debian? ;-)
== ClamAV ==
{{{
apt-get install rar unrar lha arj unzoo zip unzip bzip2 gzip cpio file lzop nomarch
apt-get install clamav clamav-base clamav-daemon clamav-freshclam libclamav1 clamav-docs
}}}
Make sure the directive 'AllowSupplementaryGroups' exists in the file /etc/clamav/clamd.conf.
Add the user 'clamav' to the group 'amavis':
{{{
adduser clamav amavis
}}}
Restart the daemons:
{{{
/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart
}}}
== Amavis ==
{{{
apt-get install amavisd-new
}}}
If our hostname in /etc/hostname is not a FQDN (Fully Qualified Domain Name), that is to say it's a name of the type "server" instead of a name of the type "mail.domain.com", we will have to modify the file /etc/amavis/conf.d/50-user, adding:
{{{
$myhostname = "mail.domain.com";
}}}
so that Amavis has the right value of the variable $myhostname.
Activate the use of ClamAV and the SpamAssassin spam filter in the Amavis config by editing the file /etc/amavis/conf.d/15-content_filter_mode and uncommenting the following lines:
{{{
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
}}}
Edit /etc/amavis/conf.d/20-debian_defaults:
{{{
$final_spam_destiny = D_PASS;
}}}
This way we let emails marked as spam pass and rely on the user using SIEVE filters (or the filters provided by his or her email client) to filter the spam by looking at the headers. Viruses are discarded.
Here is my recommended configuration for allowed and banned attachments. You may want to evaluate the needs of your company and fine-tune it as needed. Uncomment these lines:
{{{
qr'^application/x-msmetafile$'i,
qr'^\.wmf$',
qr'^message/partial$'i, qr'^message/external-body$'i,
[ qr'^\.(Z|gz|bz2)$' => 0 ],
[ qr'^\.(rpm|cpio|tar)$' => 0 ],
[ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],
qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
wmf|wsc|wsf|wsh)$'ix,
qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,
qr'^\.(exe|lha|tnef|cab|dll)$',
}}}
Comment the following line if you don't want Amavis to modify the subject of the emails marked as spam:
{{{
# $sa_spam_subject_tag = '***SPAM*** ';
}}}
=== Modify the configuration of Postfix ===
Add these to /etc/postfix/master.cf:
{{{
smtp-amavis unix - - y - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n - y - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
}}}
And add this to /etc/postfix/main.cf:
{{{
content_filter=smtp-amavis:[127.0.0.1]:10024
}}}
Restart Postfix:
{{{
/etc/init.d/postfix restart
}}}
== Anti-UCE measure in Postfix ==
Edit /etc/postfix/main.cf:
{{{
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    check_helo_access hash:/etc/postfix/helo_checks,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    # relays.ordb.org ceased operation in December 2006; drop this entry on current systems
    reject_rbl_client relays.ordb.org,
    reject_rbl_client sbl.spamhaus.org,
    # check_policy_service inet:127.0.0.1:60000,
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit
}}}
Restart Postfix:
{{{
/etc/init.d/postfix restart
}}}
== Postgrey ==
{{{
apt-get install postgrey
}}}
Edit /etc/postfix/main.cf:
Add 'check_policy_service inet:127.0.0.1:60000' to the directive 'smtpd_recipient_restrictions' (uncomment the line you added in point 14).
Restart Postfix:
{{{
/etc/init.d/postfix restart
}}}
More info about Postgrey at [http://isg.ee.ethz.ch/tools/postgrey/]
== Mailman ==
{{{
apt-get install mailman
}}}
Edit /etc/apache2/sites-available/mail.domain.com:
{{{
ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /images/mailman/ /usr/share/images/mailman/
}}}
Reload Apache:
{{{
/etc/init.d/apache2 reload
}}}
Edit /etc/mailman/mm_cfg.py:
{{{
# Path must match the "ScriptAlias /mailman/" set in the Apache site above
DEFAULT_URL_PATTERN = 'https://%s/mailman/'
MTA='Postfix'
}}}
Generate the aliases:
{{{
cd /var/lib/mailman
bin/genaliases
}}}
Edit /etc/postfix/main.cf:
{{{
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
mailman_destination_recipient_limit = 1
unknown_local_recipient_reject_code = 550
owner_request_special = no
recipient_delimiter = +
}}}
{{{
/etc/init.d/postfix reload
/usr/bin/newaliases
}}}
Run {{{newlist mailman}}} (use a temporary password since it's sent in clear text via email; then change it and leave the option "Send monthly reminders" deactivated) and start Mailman:
{{{
/etc/init.d/mailman start
}}}
https://mail.domain.com/mailman/admin/mailman/
The lists you create will be created using the local domain "mail.domain.com". If you create the list "marketing", you'll have to post to "marketing@mail.domain.com". But you can use !OpenMailAdmin to set an alias in the "postmaster" account by using the "Addresses" tab, so that all email sent to "marketing@domain.com" will be redirected to "marketing@mail.domain.com". This way users will be able to post to a shorter address.
== Squirrelmail ==
{{{
apt-get install squirrelmail squirrelmail-decode squirrelmail-locales php5-recode
}}}
Run /usr/sbin/squirrelmail-configure and change:
* Set pre-defined settings for specific IMAP servers = cyrus
If, and only if, you set the directive "unixhierarchysep" to "yes" in /etc/imapd.conf, then you will have to do these changes:
* Server Settings: Update IMAP Settings: Delimiter = /
* Folder Defaults: Trash Folder = INBOX/Trash
* Folder Defaults: Sent Folder = INBOX/Sent
* Folder Defaults: Drafts Folder = INBOX/Drafts
Optionally, you can customize these as well:
* Organization Preferences: Organization Name
* Organization Preferences: Organization Logo
* Organization Preferences: Organization Title
* Message of the Day (MOTD): Edit the MOTD
Edit /etc/apache2/sites-available/mail.domain.com:
{{{
Alias /squirrelmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
php_flag register_globals off
Options Indexes FollowSymLinks
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>
# access to configtest is limited by default to prevent information leak
<Files configtest.php>
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
</Files>
</Directory>
}}}
Reload Apache 2:
{{{
/etc/init.d/apache2 reload
}}}
See Squirrelmail working:
https://mail.domain.com/squirrelmail/
Usually, users will prefer a URL like http://webmail.domain.com/. For this purpose you will have to configure an entry in the DNS zone and another virtual domain in Apache that redirects the traffic:
{{{
<VirtualHost *>
    ServerName webmail.domain.com
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^webmail\.domain\.com$ [NC]
    # Strip the leading slash so the redirect target has no double slash
    RewriteRule ^/?(.*)$ https://mail.domain.com/squirrelmail/$1 [R=301,L]
</VirtualHost>
}}}
This way we let the users have a short and never changing URL and we make sure webmail is always accessed via a secure channel, while we benefit from the certificate we already created for the domain "mail.domain.com".
To manage the SIEVE scripts we can use the Squirrelmail plugin 'Avelsieve - SIEVE Mail Filters'. Download it from the web:
http://email.uoa.gr/projects/squirrelmail/avelsieve_download.php
These commands should do the work:
{{{
cd /usr/share/squirrelmail/plugins/
wget http://email.uoa.gr/download/squirrelmail/avelsieve/avelsieve-1.9.6.tar.gz
tar -xzf avelsieve-1.9.6.tar.gz
rm --force avelsieve-1.9.6.tar.gz
chown --recursive root:root avelsieve
cp --archive /usr/share/squirrelmail/plugins/avelsieve/config/config_sample.php /usr/share/squirrelmail/plugins/avelsieve/config/config.php
}}}
Activate the plug-in by using the configuration script of Squirrelmail /etc/squirrelmail/conf.pl (Plugins: avelsieve). Edit /usr/share/squirrelmail/plugins/avelsieve/config/config.php and change the desired options.
== Mailgraph ==
{{{
apt-get install mailgraph
}}}
Edit /etc/apache2/sites-available/mail.domain.com:
{{{
ScriptAlias /mailgraph/ /usr/lib/cgi-bin/
}}}
Reload Apache 2:
{{{
/etc/init.d/apache2 reload
}}}
See it working at https://mail.domain.com/mailgraph/mailgraph.cgi
== Final note ==
Enjoy it! And remember that closed source leads to the dark side of the force!
pam-mysql 0.7~RC1 purports to fix the MD5 bug so that recompilation of pam-mysql is no longer necessary.