How to set up a mail server

From Salix OS

This mail server guide shows how to set up a small mail server on Salix that can be used by a small group of users, e.g. a developer team or some friends. The software used in this guide consists of:

  • postfix (SMTP mail transfer agent): accepts mails from the outside world and sends mail to the outside
  • postgrey (Postfix greylisting policy server): a simple spam filter that greylists incoming mail.
  • dovecot (IMAP and POP3 server): delivers mail to e-mail clients
  • roundcube (webmail interface)

This guide is not aimed at large installations with many users, because it uses a real Linux account for every mail account. For systems with many users you may want to use virtual mail accounts. More information can be found here. Also note that Linux accounts have full system access via ssh unless you deny them login in sshd_config or give them a restricted login shell.

This guide shows how to use an encrypted TLS/SSL connection for all data that is sent over the internet.


Create TLS/SSL certificates

For encrypted communication a certificate is needed, so you have to create one. Detailed information about creating self-signed certificates can be found here. It should be enough to do the following:

cd /root
openssl req -new -x509 -days 365 -nodes -out "example.cert" -keyout "example.key"

For web services, the Common Name field usually must exactly match the hostname of the system the certificate will be used on; otherwise, clients will complain about a certificate/hostname mismatch. The -days argument specifies how long the certificate is valid.

Example:

Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Seattle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Salix OS
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:example.com
Email Address []:postmaster@example.com

As the .key file is private, change its permissions:

chmod 600 example.key

Postfix

Installation

Install postfix with the usual commands:

slapt-get -u
slapt-get -i postfix

Standard configuration

The official Postfix standard configuration documentation can be found here. As this is only a quick how-to there won't be much explanation of the single configuration parameters. Take a look at the official documentation if you want to know more.

Some notes before we begin:

  • The command postconf shows the currently used Postfix configuration settings
  • The command postfix reload reloads the configuration files, so you don't have to restart Postfix after changing settings
  • Postfix uses *.db databases for many config files (e.g. aliases or virtual). After editing these files you have to rebuild the databases with postmap /etc/postfix/$FILENAME
  • Many settings are already in the config file. Search for them!
  • You can run tail -f /var/log/maillog on a second terminal to see what happens.

The first thing to do is to tell Postfix where it can find its aliases file. The aliases file maps usernameX to usernameY, so that mail for usernameX will be delivered to usernameY. Open /etc/postfix/main.cf and set:

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

Furthermore you should set an alias for root in /etc/postfix/aliases, so that mail for root is delivered to a normal user instead of being read as root:

# Person who should get root's mail. Don't receive mail as root!
root:           usernameX

Run postmap /etc/postfix/aliases or newaliases after editing the files.

Now you have to set some hostname parameters. You probably just have a single vServer with a single domain name, so you could set things like this:

myhostname = example.com
mydomain = $myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks_style = host

I'd recommend using the maildir format for mailboxes. See here for information. With this setting the mailbox will be in the user's home directory in a subfolder "Maildir":

home_mailbox = Maildir/

NOTE: Don't forget the trailing /

TLS/SSL configuration

First copy the .cert and .key file to /etc/postfix/ssl/:

cp -a /root/example.cert /etc/postfix/ssl/postfix.cert
cp -a /root/example.key /etc/postfix/ssl/postfix.key

Then tell Postfix where it can find the certificates (in /etc/postfix/main.cf):

smtpd_tls_cert_file = /etc/postfix/ssl/postfix.cert
smtpd_tls_key_file = /etc/postfix/ssl/postfix.key

And enable TLS:

smtpd_tls_security_level = may

Dovecot

Installation

Install dovecot with the usual commands:

slapt-get -u
slapt-get -i dovecot

Standard configuration

Open /etc/dovecot/dovecot.conf and change some settings. As protocols you probably only want imap and imaps (encrypted):

protocols = imap imaps

Of course you have to tell Dovecot where it can find the users' mailboxes:

mail_location = maildir:~/Maildir

Salix/Slackware does not use PAM, so it's important to change the authentication mechanism from pam to shadow:

auth default {
  mechanisms = plain login
  passdb shadow {
  }
  userdb passwd {
  }
}

In this example two authentication mechanisms are enabled to support the majority of mail clients: plain and login. You can find more information about authentication mechanisms in this document.

TLS/SSL configuration

Copy the .cert and .key file to the subdirectories of /etc/dovecot/ssl/ (note the changed suffix .pem):

cp -a /root/example.cert /etc/dovecot/ssl/certs/dovecot.pem
cp -a /root/example.key /etc/dovecot/ssl/private/dovecot.pem

SASL authentication in the Postfix SMTP server

To connect to your Postfix SMTP server from other hosts (e.g. from your e-mail client at home) you have to configure SASL authentication. The official documentation about this topic can be found here. There are two SASL implementations that could be used:

  • Cyrus SASL
  • Dovecot SASL

Configuration

The Postfix package in the Salix repository is built with support for Dovecot SASL, and as we want to use Dovecot for IMAP anyway, we'll use this SASL method.

In /etc/postfix/main.cf you have to set:

smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes

You can use the same settings for TLS-encrypted SMTP sessions:

smtpd_sasl_tls_security_options = $smtpd_sasl_security_options

Now SASL logins are allowed, but what to do with them? You have to tell Postfix that SASL-authenticated users are allowed to send mail to any other domain. Do this by changing smtpd_recipient_restrictions from its default:

smtpd_recipient_restrictions = 
       permit_mynetworks
       reject_unauth_destination

to (note the added permit_sasl_authenticated, it has to be before the reject rule):

smtpd_recipient_restrictions = 
       permit_mynetworks
       permit_sasl_authenticated
       reject_unauth_destination

Please run postfix reload now.

As noted before, we are using Dovecot SASL, so Dovecot has to be configured for this and has to be running. Open /etc/dovecot/dovecot.conf and change the auth default section to:

auth default {
  mechanisms = plain login
  passdb shadow {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

Restart Dovecot with /etc/rc.d/rc.dovecot restart. To test your SASL login, go to the official documentation and search for telnet; it describes how to do it.

Restrict the use of wrong e-mail addresses

SMTP clients provide the sender address independently of the authentication. So user_1@example.com could log in with its own credentials but provide user_2@example.com as sender address. To restrict users to their own e-mail addresses you have to add:

smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders

Furthermore, smtpd_recipient_restrictions has to be adjusted. Add reject_sender_login_mismatch:

smtpd_recipient_restrictions = 
       permit_mynetworks
       reject_sender_login_mismatch
       permit_sasl_authenticated
       reject_unauth_destination

And of course you need a file /etc/postfix/controlled_envelope_senders with the following content:

# sender                owners (SASL login names)
john@example.com        john
mary@example.com        mary
support@example.com     john, mary

This way john can send with the addresses john@example.com and support@example.com, and mary can send with mary@example.com and support@example.com.

To get these changes applied you have to run postmap /etc/postfix/controlled_envelope_senders and postfix reload.
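The order of the restrictions in the two sections above matters (permit_sasl_authenticated must come before reject_unauth_destination, and reject_sender_login_mismatch before permit_sasl_authenticated). The following is an added example, not part of the Salix guide or of Postfix: a small offline model of how Postfix walks smtpd_recipient_restrictions, using a constructed main.cf excerpt and sender map. It assumes only the four restrictions used in this guide.

```python
# Added example (not from the Salix guide); assumption: only the four restrictions used here are modelled.
# Constructed main.cf excerpt and controlled_envelope_senders map, matching this guide.
MAIN_CF = """\
mydestination = example.com, localhost.example.com, localhost
smtpd_recipient_restrictions =
       permit_mynetworks
       reject_sender_login_mismatch
       permit_sasl_authenticated
       reject_unauth_destination
"""
SENDER_LOGIN_MAP = """\
john@example.com        john
mary@example.com        mary
support@example.com     john, mary
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; an indented line continues the previous value."""
    params, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace() and current is not None:
            params[current] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params

def parse_sender_login_map(text):
    """Map each sender address to the set of SASL logins that may use it."""
    owners = {}
    for line in filter(str.strip, text.splitlines()):
        sender, logins = line.split(None, 1)
        owners[sender.lower()] = {name.strip().lower() for name in logins.split(",")}
    return owners

def evaluate(params, owners, sender, recipient, login=None, from_mynetworks=False):
    """Walk the restrictions in order; the first permit/reject decides, as Postfix does."""
    local = {d.strip().lower() for d in params["mydestination"].split(",")}
    allowed = owners.get(sender.lower(), set())  # logins that own this sender address
    for rule in params["smtpd_recipient_restrictions"].split():
        if rule == "permit_mynetworks" and from_mynetworks:
            return "permit"
        if rule == "permit_sasl_authenticated" and login:
            return "permit"
        if rule == "reject_unauth_destination" and recipient.split("@")[-1].lower() not in local:
            return "reject"  # relaying to a foreign domain without being trusted
        if rule == "reject_sender_login_mismatch" and ((login and login.lower() not in allowed) or (not login and allowed)):
            return "reject"  # sender owned by someone else, or not owned by this login
    return "permit"  # Postfix permits when the list is exhausted
```

Swapping permit_sasl_authenticated in front of reject_sender_login_mismatch makes the model (like Postfix) accept a forged colleague address from any authenticated user.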

Enable submission

Submission is the name of a service on port 587. It is intended to split some functionality away from the standard SMTP port 25 and should help to avoid spam. Long story short: the submission port should be used to receive mail from the mail clients of authenticated users, while the SMTP port receives unauthenticated mail from other mail servers for delivery to local users. Some internet service providers have even started to block port 25 for home users to avoid spam. To enable the submission port in Postfix you have to edit the /etc/postfix/master.cf file. It is a good idea to require encryption with STARTTLS for users on the submission port. The beginning of the file should look like this:

smtp       inet n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt

After editing the file run postfix reload.

Roundcube

Roundcube setup is pretty simple, and the tarball includes a good README and INSTALL file. Prerequisites are a running web server that supports PHP (e.g. cherokee, apache, lighttpd) and a working MySQL server.

MySQL database setup

Setting up the mysql database can be done by creating an empty database, importing the table layout and granting the proper permissions to the roundcube user. Here is an example of that procedure:

# mysql -p
> CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'password';
> FLUSH PRIVILEGES;
> quit
# mysql roundcubemail -p < SQL/mysql.initial.sql

Note 1: 'password' is the master password for the roundcube user. It is strongly recommended you replace this with a more secure password. Please keep in mind: You need to specify this password later in 'config/db.inc.php'.

Note 2: For MySQL version 4.1 and up, it's recommended to create the database for RoundCube with utf-8 charset.

Installation

  1. Decompress the tarball and put the extracted folder somewhere inside your document root
  2. Make sure that the following directories (and the files within) are writable by the webserver
    • /temp
    • /logs
  3. Create a new database and a database user for RoundCube (see DATABASE SETUP)
  4. Point your browser to http://url-to-roundcube/installer/
  5. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
  6. After creating and testing the configuration, remove the installer directory
  7. Done!

Check interval

Every open Roundcube session checks for new mail at a given interval. As Roundcube is a PHP script, the IMAP connection only lasts for the time the script is running, so it has to log in to the IMAP server for every check (desktop IMAP clients only connect once and hold the connection). This results in a log entry for every login like this:

Mar 17 13:52:51 hostname dovecot: imap-login: Login: user=<username>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 17 13:52:51 hostname dovecot: IMAP(username): Disconnected: Logged out bytes=71/834

To reduce server load and log entries you can increase the check interval in main.inc.php. Search for the two values 'keep_alive' and 'min_keep_alive' and set both to 180 for a 180-second interval.
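To see whether the larger interval has taken effect, the imap-login lines in /var/log/maillog can be grouped per user and client address. This is an added example, not part of the Salix guide; it assumes the Dovecot 1.x log format shown above, and the log lines it contains are constructed.

```python
# Added example, not from the Salix guide: measure the time between consecutive
# Dovecot imap-login events per (user, client IP). Assumes the Dovecot 1.x log
# format shown in the guide; LOG below is constructed sample data.
import re
from collections import defaultdict
from datetime import datetime

LOG = """\
Mar 17 13:52:51 hostname dovecot: imap-login: Login: user=<john>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 17 13:52:51 hostname dovecot: IMAP(john): Disconnected: Logged out bytes=71/834
Mar 17 13:53:51 hostname dovecot: imap-login: Login: user=<john>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 17 13:54:51 hostname dovecot: imap-login: Login: user=<john>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 17 13:55:10 hostname dovecot: imap-login: Login: user=<mary>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
"""

LOGIN_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: Login: user=<([^>]+)>.*?rip=([\d.]+)")

def login_intervals(log, year=2000):
    """Return {(user, rip): [seconds between consecutive logins]} from imap-login lines."""
    last, gaps = {}, defaultdict(list)
    for line in log.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # logout and other lines carry no login event
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        key = (m.group(2), m.group(3))
        if key in last:
            gaps[key].append(int((ts - last[key]).total_seconds()))
        last[key] = ts
    return dict(gaps)

def webmail_polling_too_fast(log, min_interval=180):
    """Users whose localhost sessions (Roundcube on the same host) log in more often than min_interval."""
    return sorted(user for (user, rip), g in login_intervals(log).items()
                  if rip == "127.0.0.1" and min(g) < min_interval)
```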

Postgrey

Install postgrey with the usual commands:

slapt-get -u
slapt-get -i postgrey

There is nothing to configure in postgrey itself, but you have to add a rule to the Postfix configuration file main.cf. First take a look at /etc/rc.d/rc.postgrey. There you'll find the postgrey start command, beginning with

/usr/sbin/postgrey -d -i 10023 ...

In this example postgrey uses the port 10023. Now you have to add the following rule to the end of smtpd_recipient_restrictions:

smtpd_recipient_restrictions = 
       permit_mynetworks
       reject_sender_login_mismatch
       permit_sasl_authenticated
       reject_unauth_destination
       check_policy_service inet:127.0.0.1:10023

NOTE: Make sure to block the postgrey port from the outer world with your firewall!

Mail sorting/filtering with Sieve

Sieve is a programming language that can be used to create filters for e-mail; e.g. it is possible to automatically sort your mail from a "mailing list A" into a subfolder Mailing list/List A (read this for more information). Sieve has a nice advantage over methods like Procmail or Maildrop: with ManageSieve it is possible to set the filter rules from the mail client (e.g. KMail, Roundcube). There is no need for the users to edit files in their home directories. Dovecot provides a Sieve plugin (but not ManageSieve yet; it will come in version 2.0), so first install it:

slapt-get -u
slapt-get -i dovecot-sieve

To use the Sieve plugin you have to use Dovecot's deliver as LDA (local delivery agent, see this for more information) for Postfix. So first open /etc/dovecot/dovecot.conf and search for the LDA settings. Edit them like this:

protocol lda {
  postmaster_address = postmaster
  mail_plugins = sieve
  sendmail_path = /usr/sbin/sendmail
}

Restart your Dovecot server: /etc/rc.d/rc.dovecot restart

Then set Dovecot's deliver as your local delivery agent in Postfix's main.cf file:

mailbox_command = /usr/libexec/dovecot/deliver

Run the usual postfix reload after editing the file.

To test your setup you have to create a Sieve script in the home folder of your mail user: ~/.dovecot.sieve. Try a script that files all messages from one sender into a folder:

require "fileinto";
if address :is "From" "friend@myfriends.org" {
  fileinto "INBOX.My Friends";
  stop;
}

This should create a subfolder My Friends in your INBOX and store all mail from friend@myfriends.org there. Remember to update the IMAP folder tree in your mail client after receiving such a mail.

Testing

When everything is set up it is a good idea to do at least some security tests. Do an internet search for "open relay test". You'll find some websites that test whether your server is an open relay (and therefore a spammer's paradise).