Creating a Mail Server on Ubuntu 12.04

From Zam Wiki

Mail Server on Ubuntu 12.04 (Postfix, Courier, SSL/TLS, SpamAssassin, ClamAV, Amavis, Roundcube)

= Introduction =

* MySQL will be used to manage user accounts and e-mail forwarding.
* Roundcube is the webmail interface, similar to Squirrelmail.
 
  
 
= Install required packages from repo =
<syntaxhighlight lang=text>
apt-get update
apt-get install -y mysql-server postfix postfix-mysql libsasl2-modules libsasl2-modules-sql libgsasl7 libauthen-sasl-cyrus-perl sasl2-bin libpam-mysql clamav-base libclamav6 clamav-daemon clamav-freshclam amavisd-new spamassassin spamc courier-base courier-authdaemon courier-authlib-mysql courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl php-pear php-auth-sasl php-net-smtp php5-intl php5-mcrypt
</syntaxhighlight>

Then install the PEAR packages Roundcube needs:
<syntaxhighlight lang=text>
sudo pear install Mail_Mime
sudo pear install Mail_mimeDecode
sudo pear install channel://pear.php.net/Net_IDNA2-0.1.1
</syntaxhighlight>

During the installation of MySQL you will be prompted for the root user password.

First, we create the file main.cf (the packaged one is kept as main.cf.default):
<syntaxhighlight lang=text>
mv /etc/postfix/main.cf{,.default}
nano /etc/postfix/main.cf
</syntaxhighlight>

Copy/paste the following (change all instances of '''mail.yourdomain.com'''):
<syntaxhighlight lang=text>
myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
mailbox_size_limit = 0
virtual_mailbox_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
message_size_limit = 0

# SMTP Authentication (SASL)
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =

# Encrypted transfer (SSL/TLS)
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/private/mail.yourdomain.com.crt
smtpd_tls_key_file = /etc/ssl/private/mail.yourdomain.com.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Basic SPAM prevention
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

# Force incoming mail to go through Amavis
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

# Virtual user mappings
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_maps = mysql:/etc/postfix/maps/user.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = mysql:/etc/postfix/maps/alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/maps/domain.cf
</syntaxhighlight>

Three things are worth knowing about this configuration. Relaying is controlled only by '''reject_unauth_destination''' in smtpd_recipient_restrictions (the sender restrictions end in a bare '''permit''', so they reject nothing); never put an unconditional permit in front of it. The PLAIN and LOGIN mechanisms send the password in the clear, and nothing here forces TLS before AUTH is offered; add '''smtpd_tls_auth_only = yes''' if you want authentication only on encrypted sessions. Finally, '''message_size_limit = 0''' removes the size limit entirely, which is rarely what you want on a server reachable from the Internet.
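The settings that matter most in the file above are the restriction lists, mynetworks, SASL and TLS. The script below is an added example, not part of the original tutorial: it parses a main.cf in the format Postfix uses and flags the relay and authentication problems a reviewer looks for. Both configurations embedded in it are constructed: the first is this page's main.cf trimmed to the parameters the checks read, the second is a deliberately broken variant with an unconditional permit ahead of reject_unauth_destination. The finding codes are names chosen for this example, not Postfix terminology.

```python
"""Audit the relay and SMTP AUTH settings of a Postfix main.cf (added example)."""
import re

# Constructed sample: this page's main.cf, trimmed to the parameters the checks read.
PAGE_MAIN_CF = """\
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
message_size_limit = 0
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_use_tls = yes
smtpd_helo_required = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination
content_filter = amavis:[127.0.0.1]:10024
"""

# Constructed counter-example: an unconditional permit ahead of the relay guard,
# a mynetworks that trusts every IPv4 address, and no TLS at all.
OPEN_RELAY_MAIN_CF = """\
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""


def parse_main_cf(text):
    """Return {parameter: value}. As in postconf(5), a line that starts with
    whitespace continues the previous parameter; '#' lines are comments."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and key is not None:
            params[key] = (params[key] + " " + line.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            key = m.group(1)
            params[key] = m.group(2).strip()
    return params


def restriction_list(params, name):
    """Split a comma/whitespace separated restriction list into its tokens."""
    return [t for t in re.split(r"[\s,]+", params.get(name, "")) if t]


def audit_main_cf(text):
    """Return a sorted list of finding codes (names chosen for this example)."""
    p = parse_main_cf(text)
    findings = set()

    # Relaying: Postfix 2.9 (Ubuntu 12.04) has only smtpd_recipient_restrictions;
    # 2.10+ adds smtpd_relay_restrictions, which is evaluated first when present.
    chain = (restriction_list(p, "smtpd_relay_restrictions")
             or restriction_list(p, "smtpd_recipient_restrictions"))
    guards = {"reject_unauth_destination", "defer_unauth_destination"}
    guard_pos = next((i for i, t in enumerate(chain) if t in guards), None)
    if guard_pos is None:
        findings.add("no-unauth-destination-check")
    elif "permit" in chain[:guard_pos]:
        findings.add("open-relay-permit-before-guard")

    # permit_mynetworks is only as safe as mynetworks.
    nets = re.split(r"[\s,]+", p.get("mynetworks", ""))
    if any(n in ("0.0.0.0/0", "::/0") for n in nets):
        findings.add("mynetworks-trusts-everyone")

    # PLAIN/LOGIN carry the password in the clear unless TLS is required first.
    if p.get("smtpd_sasl_auth_enable", "no") == "yes":
        if p.get("smtpd_tls_auth_only", "no") != "yes":
            findings.add("plaintext-auth-allowed")
        if "noanonymous" not in p.get("smtpd_sasl_security_options", "noanonymous"):
            findings.add("anonymous-sasl-allowed")

    # Without STARTTLS no client can encrypt the session at all.
    if (p.get("smtpd_use_tls", "no") != "yes"
            and p.get("smtpd_tls_security_level", "none") == "none"):
        findings.add("no-starttls")

    # 0 removes the size limit; one client can then fill the queue file system.
    if p.get("message_size_limit", "10240000") == "0":
        findings.add("unlimited-message-size")

    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("page main.cf", PAGE_MAIN_CF), ("open relay", OPEN_RELAY_MAIN_CF)):
        print(f"{label}: {audit_main_cf(cfg)}")
```

Against the page's own main.cf the script reports only the two caveats discussed above (clear-text AUTH permitted, no size limit); against the broken variant it also reports the open relay and the wildcard mynetworks. To audit a live server, feed it the output of `postconf -n`, which prints the non-default settings in the same key = value form.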
 
 
 
  
 
Next, we edit master.cf:
<syntaxhighlight lang=text>
mv /etc/postfix/master.cf{,.default}
nano /etc/postfix/master.cf
</syntaxhighlight>

Copy/paste the following ('''no changes are required'''):
<syntaxhighlight lang=text>
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
submission inet n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
</syntaxhighlight>

Every '''-o''' line must be indented: master(5) treats a line that starts with whitespace as a continuation of the service above it, and an unindented '''-o''' would be parsed as a new, broken service entry. With this file, mail handed to Postfix locally through the sendmail command (the pickup service) skips Amavis; everything else leaves through the amavis transport on port 10024 and comes back on 127.0.0.1:10025, which accepts connections from localhost only and performs no further checks on them.
 
  
 
As all our mail users are going to be virtual (i.e. we are not going to create a system account for each user), we only need to create one mail directory and one user account.

<syntaxhighlight lang=text>
groupadd virtual -g 5000
useradd -r -g "virtual" -G "users" -c "Virtual User" -u 5000 virtual
mkdir /var/spool/mail/virtual
chown virtual:virtual /var/spool/mail/virtual
</syntaxhighlight>
 
 
 
  
 
Now we'll create the database which will store the mail user configuration and forwarding rules.
<syntaxhighlight lang=text>
mysql -u root -p
</syntaxhighlight>

Enter the password you created during the MySQL installation.
Copy/paste the following (change '''mailuserpassword''', '''yourdomain.com''', the placeholder address '''admin@yourdomain.com''' and '''adminpassword''' to your own values):
<syntaxhighlight lang=text>
CREATE DATABASE mail;
GRANT ALL ON mail.* TO mail@localhost IDENTIFIED BY 'mailuserpassword';
FLUSH PRIVILEGES;
USE mail;

CREATE TABLE IF NOT EXISTS `alias` (`source` VARCHAR(255) NOT NULL, `destination` VARCHAR(255) NOT NULL DEFAULT "", `enabled` TINYINT UNSIGNED NOT NULL DEFAULT 1, PRIMARY KEY (`source`)) ENGINE=MyISAM DEFAULT CHARSET=utf8;
CREATE TABLE IF NOT EXISTS `domain` (`domain` VARCHAR(255) NOT NULL DEFAULT "", `transport` VARCHAR(255) NOT NULL DEFAULT "virtual:", `enabled` TINYINT UNSIGNED NOT NULL DEFAULT 1, PRIMARY KEY (`domain`)) ENGINE=MyISAM DEFAULT CHARSET=utf8;
CREATE TABLE IF NOT EXISTS `user` (`email` VARCHAR(255) NOT NULL DEFAULT "", `password` VARCHAR(255) NOT NULL DEFAULT "", `name` VARCHAR(255) DEFAULT NULL, `quota` INT UNSIGNED DEFAULT NULL, `enabled` TINYINT UNSIGNED NOT NULL DEFAULT 1, PRIMARY KEY (`email`)) ENGINE=MyISAM DEFAULT CHARSET=utf8;

INSERT INTO `alias` (`source`, `destination`, `enabled`) VALUES ('@localhost', 'admin@yourdomain.com', 1);
INSERT INTO `alias` (`source`, `destination`, `enabled`) VALUES ('@localhost.localdomain', '@localhost', 1);
INSERT INTO `domain` (`domain`, `transport`, `enabled`) VALUES ('localhost', 'virtual:', 1);
INSERT INTO `domain` (`domain`, `transport`, `enabled`) VALUES ('localhost.localdomain', 'virtual:', 1);
INSERT INTO `domain` (`domain`, `transport`, `enabled`) VALUES ('yourdomain.com', 'virtual:', 1);
INSERT INTO `user` (`email`, `password`, `name`, `quota`, `enabled`) VALUES ('admin@yourdomain.com', ENCRYPT('adminpassword'), 'Administrator', NULL, 1);
</syntaxhighlight>

The '''password''' column holds a crypt(3) hash, which is what pam_mysql with '''crypt=1''' and Courier's '''MYSQL_CRYPT_PWFIELD''' (both configured below) compare against. Be aware that ENCRYPT() without a salt argument produces a traditional DES crypt hash, which keeps only the first eight characters of the password.
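A stronger drop-in for the DES hash that ENCRYPT() produces is a SHA-512 crypt hash ("$6$..."): glibc's crypt(3) understands it, so pam_mysql with crypt=1, saslauthd via PAM and Courier's MYSQL_CRYPT_PWFIELD all verify it without any change to the rest of this page. The following is an added example, not the tutorial's own code: a pure-Python implementation of SHA-512 crypt following Ulrich Drepper's SHA-crypt specification (written out rather than using Python's deprecated crypt module), plus helpers that create a hash for the user table and verify a login against it. The function names are mine; the "Hello world!" / "saltstring" pair is the specification's published test vector.

```python
"""SHA-512 crypt(3) hashes for the mail `user` table (added example, not the tutorial's code)."""
import hashlib
import hmac
import secrets

# crypt's base64 alphabet (not the RFC 4648 one).
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """Return "$6$[rounds=N$]salt$hash" per the SHA-crypt specification (salt <= 16 chars)."""
    pw = password.encode("utf-8")
    salt_b = salt.encode("utf-8")[:16]
    sha = hashlib.sha512

    # Digest B = H(pw + salt + pw).  Digest A starts from pw + salt, then gets B once
    # per 64-byte block of the password, B's first bytes for the remainder, and then
    # B for every set bit of len(pw) and pw itself for every clear bit.
    digest_b = sha(pw + salt_b + pw).digest()
    a = sha(pw + salt_b)
    a.update(digest_b * (len(pw) // 64) + digest_b[: len(pw) % 64])
    n = len(pw)
    while n:
        a.update(digest_b if n & 1 else pw)
        n >>= 1
    digest_a = a.digest()

    # P: H(pw repeated len(pw) times) stretched to len(pw) bytes.
    # S: H(salt repeated 16 + A[0] times) stretched to len(salt) bytes.
    dp = sha(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[: len(pw)]
    ds = sha(salt_b * (16 + digest_a[0])).digest()
    s = (ds * (len(salt_b) // 64 + 1))[: len(salt_b)]

    # Key stretching: each round hashes C and P in alternating order, adding S
    # unless the round number is a multiple of 3 and P unless a multiple of 7.
    c = digest_a
    for i in range(rounds):
        r = sha()
        r.update(p if i & 1 else c)
        if i % 3:
            r.update(s)
        if i % 7:
            r.update(p)
        r.update(c if i & 1 else p)
        c = r.digest()

    # crypt's base64: 21 byte triples taken in the order (0,21,42), (22,43,1),
    # (44,2,23), ... (each triple is the previous one rotated and incremented),
    # 4 output characters per triple, then byte 63 alone as 2 characters.
    out = []
    idx = (0, 21, 42)
    for _ in range(21):
        w = (c[idx[0]] << 16) | (c[idx[1]] << 8) | c[idx[2]]
        for _ in range(4):
            out.append(B64[w & 0x3F])
            w >>= 6
        idx = (idx[1] + 1, idx[2] + 1, idx[0] + 1)
    out.append(B64[c[63] & 0x3F])
    out.append(B64[(c[63] >> 6) & 0x3F])

    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return prefix + salt_b.decode("utf-8") + "$" + "".join(out)


def make_password_hash(password: str, rounds: int = 5000) -> str:
    """Hash with a fresh random 16-character salt; store the result in user.password."""
    salt = "".join(secrets.choice(B64) for _ in range(16))
    return sha512_crypt(password, salt, rounds)


def verify_password(password: str, stored: str) -> bool:
    """What pam_mysql crypt=1 and Courier do: recompute with the stored salt and
    rounds, then compare the hash part in constant time."""
    fields = stored.split("$")
    if len(fields) < 4 or fields[0] != "" or fields[1] != "6":
        return False
    fields = fields[2:]
    rounds = 5000
    if fields[0].startswith("rounds="):
        try:
            rounds = int(fields[0][len("rounds="):])
        except ValueError:
            return False
        fields = fields[1:]
    if len(fields) != 2:
        return False
    salt, expected = fields
    computed = sha512_crypt(password, salt, rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(computed, expected)


if __name__ == "__main__":
    h = make_password_hash("adminpassword")
    print(h, verify_password("adminpassword", h), verify_password("wrong", h))
```

Use the string make_password_hash() returns in place of ENCRYPT('adminpassword') in the INSERT above (through a parameterized query from whatever tool manages accounts); it is plain ASCII and fits the VARCHAR(255) column, and the whole password is significant rather than just its first eight characters.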
 
  
 
Now that the database is in place we can create the map files that tell Postfix how to query it.
<syntaxhighlight lang=text>
mkdir /etc/postfix/maps
nano /etc/postfix/maps/alias.cf
</syntaxhighlight>

Copy/paste the following (change '''mailuserpassword'''):
<syntaxhighlight lang=text>
user = mail
password = mailuserpassword
dbname = mail
table = alias
select_field = destination
where_field = source
hosts = 127.0.0.1
additional_conditions = and enabled = 1
</syntaxhighlight>

<syntaxhighlight lang=text>
nano /etc/postfix/maps/domain.cf
</syntaxhighlight>

Copy/paste the following (change '''mailuserpassword'''):
<syntaxhighlight lang=text>
user = mail
password = mailuserpassword
dbname = mail
table = domain
select_field = domain
where_field = domain
hosts = 127.0.0.1
additional_conditions = and enabled = 1
</syntaxhighlight>

Next we create user.cf:
<syntaxhighlight lang=text>
nano /etc/postfix/maps/user.cf
</syntaxhighlight>

Copy/paste the following (change '''mailuserpassword'''). The select_field turns '''user@domain''' into the path '''domain/user/''' under virtual_mailbox_base; the trailing slash is what makes the virtual delivery agent use Maildir format instead of a single mbox file:
<syntaxhighlight lang=text>
user = mail
password = mailuserpassword
dbname = mail
table = user
select_field = CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')
where_field = email
hosts = 127.0.0.1
additional_conditions = and enabled = 1
</syntaxhighlight>

Set restrictive permissions, as these files contain the MySQL mail user's password:
<syntaxhighlight lang=text>
chmod 700 /etc/postfix/maps/*
chown postfix:postfix /etc/postfix/maps/*
</syntaxhighlight>
 
 
 
  
 
== SASL ==

The final part of configuring Postfix is the authentication mechanism. SASL is an authentication layer that lets the server receive a user's credentials in a variety of formats. Ubuntu runs smtpd chrooted in /var/spool/postfix, so the saslauthd socket has to live inside that tree:

<syntaxhighlight lang=text>
mkdir -p /var/spool/postfix/var/run/saslauthd
mkdir /etc/postfix/sasl
adduser postfix sasl
nano /etc/postfix/sasl/smtpd.conf
</syntaxhighlight>

Copy/paste the following (change '''mailuserpassword'''):
<syntaxhighlight lang=text>
pwcheck_method: saslauthd
auxprop_plugin: sql
mech_list: plain login
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: mail
sql_passwd: mailuserpassword
sql_database: mail
sql_select: SELECT password FROM user WHERE email='%u@%r' AND enabled = 1
</syntaxhighlight>

With '''pwcheck_method: saslauthd''', the PLAIN and LOGIN logins are verified by saslauthd (and therefore by PAM, configured below). The sql_* auxprop settings are not consulted for those two mechanisms, and the shared-secret mechanisms that would use them cannot work with the crypt() hashes stored in the database anyway.

The file contains the database password, so restrict it; Postfix reads it during start-up before it drops privileges, so root-only access is fine:
<syntaxhighlight lang=text>
chmod 700 /etc/postfix/sasl/smtpd.conf
mv /etc/default/saslauthd{,.default}
nano /etc/default/saslauthd
</syntaxhighlight>

Copy/paste the following (no changes required):
<syntaxhighlight lang=text>
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-r -c -m /var/spool/postfix/var/run/saslauthd"
</syntaxhighlight>

'''-r''' passes the full '''user@domain''' login to PAM as the user name, which the lookup on the '''email''' column needs, and '''-m''' puts the socket inside the Postfix chroot. '''-c''' caches successful authentications, so a password change or a disabled account only takes effect for SMTP AUTH once the cached entry expires.

<syntaxhighlight lang=text>
nano /etc/pam.d/smtp
</syntaxhighlight>

Copy/paste the following (change all instances of '''mailuserpassword'''):
<syntaxhighlight lang=text>
auth    required  pam_mysql.so user=mail passwd=mailuserpassword host=127.0.0.1 db=mail table=user usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mail passwd=mailuserpassword host=127.0.0.1 db=mail table=user usercolumn=email passwdcolumn=password crypt=1
</syntaxhighlight>

'''crypt=1''' tells pam_mysql to compare with crypt(3), matching the ENCRYPT() hashes in the user table. This file also holds the database password, so restrict it as well:
<syntaxhighlight lang=text>
chmod 700 /etc/pam.d/smtp
</syntaxhighlight>

The whole chain (saslauthd, PAM, pam_mysql, database) can be exercised without a mail client using testsaslauthd, pointing it at the mux socket under the chroot with '''-f''' and giving the user and domain separately with '''-u''' and '''-r'''.
  
 
== Courier ==

I like to provide both IMAP and POP3 support, although personally I only use IMAP. In addition, we'll provide SSL support for securing authentication requests.

<syntaxhighlight lang=text>
mv /etc/courier/authdaemonrc{,.default}
nano /etc/courier/authdaemonrc
</syntaxhighlight>

Copy/paste the following (no changes required):
<syntaxhighlight lang=text>
authmodulelist="authmysql"
authmodulelistorig="authuserdb authpam authpgsql authldap authmysql authcustom authpipe"
daemons=5
authdaemonvar=/var/run/courier/authdaemon
DEBUG_LOGIN=0
DEFAULTOPTIONS=""
LOGGEROPTS=""
</syntaxhighlight>
 
  
 
<syntaxhighlight lang=text>
mv /etc/courier/authmysqlrc{,.default}
nano /etc/courier/authmysqlrc
</syntaxhighlight>

Copy/paste the following (change '''mailuserpassword'''). The home and maildir fields together give '''/var/spool/mail/virtual/domain/user/''', the same path Postfix delivers to through user.cf:
<syntaxhighlight lang=text>
MYSQL_SERVER localhost
MYSQL_USERNAME mail
MYSQL_PASSWORD mailuserpassword
MYSQL_PORT 0
MYSQL_DATABASE mail
MYSQL_USER_TABLE user
MYSQL_CRYPT_PWFIELD password
MYSQL_UID_FIELD 5000
MYSQL_GID_FIELD 5000
MYSQL_LOGIN_FIELD email
MYSQL_HOME_FIELD "/var/spool/mail/virtual"
MYSQL_MAILDIR_FIELD CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')
MYSQL_NAME_FIELD name
MYSQL_QUOTA_FIELD quota
</syntaxhighlight>
 
  
 
<syntaxhighlight lang=text>
mv /etc/courier/imapd{,.default}
nano /etc/courier/imapd
</syntaxhighlight>

Copy/paste the following (no changes required):
<syntaxhighlight lang=text>
ADDRESS=0
PORT=143
MAXDAEMONS=40
MAXPERIP=20
PIDFILE=/var/run/courier/imapd.pid
TCPDOPTS="-nodnslookup -noidentlookup"
LOGGEROPTS="-name=imapd"
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
IMAP_KEYWORDS=1
IMAP_ACL=1
IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
IMAP_PROXY=0
IMAP_PROXY_FOREIGN=0
IMAP_IDLE_TIMEOUT=60
IMAP_MAILBOX_SANITY_CHECK=1
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
IMAP_DISABLETHREADSORT=0
IMAP_CHECK_ALL_FOLDERS=0
IMAP_OBSOLETE_CLIENT=0
IMAP_UMASK=022
IMAP_ULIMITD=65536
IMAP_USELOCKS=1
IMAP_SHAREDINDEXFILE=/etc/courier/shared/index
IMAP_ENHANCEDIDLE=0
IMAP_TRASHFOLDERNAME=Trash
IMAP_EMPTYTRASH=Trash:7
IMAP_MOVE_EXPUNGE_TO_TRASH=0
SENDMAIL=/usr/sbin/sendmail
HEADERFROM=X-IMAP-Sender
IMAPDSTART=YES
MAILDIRPATH=Maildir
</syntaxhighlight>

AUTH=PLAIN is advertised only after STARTTLS (IMAP_CAPABILITY_TLS), and the CRAM mechanisms from the packaged default are left out because they need the plain-text password on the server side, which the crypt() hashes in the database cannot provide.
 
 
 
  
<syntaxhighlight lang=text>
mv /etc/courier/imapd-ssl{,.default}
nano /etc/courier/imapd-ssl
</syntaxhighlight>

Copy/paste the following (change '''mail.yourdomain.com'''):
<syntaxhighlight lang=text>
SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/var/run/courier/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_KX_LIST=ALL
TLS_COMPRESSION=ALL
TLS_CERTS=X509
TLS_CERTFILE=/etc/ssl/private/mail.yourdomain.com.pem
TLS_TRUSTCERTS=/etc/ssl/certs
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir
</syntaxhighlight>

Unlike Postfix, Courier expects '''TLS_CERTFILE''' to be a single PEM file containing the private key followed by the certificate (and any intermediate certificates), so build a .pem from the .key and .crt used above. '''IMAP_TLS_REQUIRED=0''' still accepts a clear-text LOGIN on port 143 even though AUTH=PLAIN is not advertised there; set it to 1 if clients must use STARTTLS or port 993 before logging in.
 
 
 
  
<syntaxhighlight lang=text>
+
mv /etc/courier/pop3d{,.default}
mv /etc/courier/pop3d{,.default}
+
nano /etc/courier/pop3d
nano /etc/courier/pop3d
 
</syntaxhighlight>
 
  
 
Copy/paste the following (no changes required):
 
Copy/paste the following (no changes required):
<syntaxhighlight lang=text>
+
PIDFILE=/var/run/courier/pop3d.pid
PIDFILE=/var/run/courier/pop3d.pid
+
MAXDAEMONS=40
MAXDAEMONS=40
+
MAXPERIP=4
MAXPERIP=4
+
POP3AUTH="LOGIN"
POP3AUTH="LOGIN"
+
POP3AUTH_ORIG="PLAIN LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256"
POP3AUTH_ORIG="PLAIN LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256"
+
POP3AUTH_TLS="LOGIN PLAIN"
POP3AUTH_TLS="LOGIN PLAIN"
+
POP3AUTH_TLS_ORIG="LOGIN PLAIN"
POP3AUTH_TLS_ORIG="LOGIN PLAIN"
+
POP3_PROXY=0
POP3_PROXY=0
+
PORT=110
PORT=110
+
ADDRESS=0
ADDRESS=0
+
TCPDOPTS="-nodnslookup -noidentlookup"
TCPDOPTS="-nodnslookup -noidentlookup"
+
LOGGEROPTS="-name=pop3d"
LOGGEROPTS="-name=pop3d"
+
POP3DSTART=YES
POP3DSTART=YES
+
MAILDIRPATH=Maildir
MAILDIRPATH=Maildir
 
</syntaxhighlight>
 
  
<syntaxhighlight lang=text>
mv /etc/courier/pop3d-ssl{,.default}
nano /etc/courier/pop3d-ssl
</syntaxhighlight>

Copy/paste the following (change '''mail.yourdomain.com'''):
<syntaxhighlight lang=text>
SSLPORT=995
SSLADDRESS=0
SSLPIDFILE=/var/run/courier/pop3d-ssl.pid
SSLLOGGEROPTS="-name=pop3d-ssl"
POP3DSSLSTART=YES
POP3_STARTTLS=YES
POP3_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_STARTTLS_PROTOCOL=TLS1
TLS_KX_LIST=ALL
TLS_COMPRESSION=ALL
TLS_CERTS=X509
TLS_CERTFILE=/etc/ssl/private/mail.yourdomain.com.pem
TLS_TRUSTCERTS=/etc/ssl/certs
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir
</syntaxhighlight>

== SSL ==
We need to create SSL certificates for Courier to use when authenticating using SSL/TLS. You can either purchase these (to prevent "invalid" certificate warnings) or generate a self-signed certificate which is just as secure, and free.

You will be prompted to input some information about the certificates you create. You can enter any information you want here except Common Name (CN), which must be your mailname (e.g. '''mail.yourdomain.com''').

Run the following (change '''mail.yourdomain.com'''):

1. Remove default certificates
<syntaxhighlight lang=text>
rm -f /etc/courier/imapd.cnf
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.cnf
rm -f /etc/courier/pop3d.pem
</syntaxhighlight>

2. Generate a new PEM certificate (valid for 10 years)
<syntaxhighlight lang=text>
openssl req -x509 -newkey rsa:1024 -keyout "/etc/ssl/private/mail.yourdomain.com.pem" -out "/etc/ssl/private/mail.yourdomain.com.pem" -nodes -days 3650
</syntaxhighlight>

3. Generate a new CRT certificate (valid for 10 years)
<syntaxhighlight lang=text>
openssl req -new -outform PEM -out "/etc/ssl/private/mail.yourdomain.com.crt" -newkey rsa:2048 -nodes -keyout "/etc/ssl/private/mail.yourdomain.com.key" -keyform PEM -days 3650 -x509
chmod 640 /etc/ssl/private/mail.yourdomain.com.*
chgrp ssl-cert /etc/ssl/private/mail.yourdomain.com.*
</syntaxhighlight>
  
 
== Amavis ==
Next we’ll configure Amavis, the software that ties together SpamAssassin and ClamAV with Postfix.

<syntaxhighlight lang=text>
adduser clamav amavis
cat /dev/null > /etc/amavis/conf.d/15-content-filter-mode
nano /etc/amavis/conf.d/15-content-filter-mode
</syntaxhighlight>

Copy/paste the following (no changes required):
<syntaxhighlight lang=text>
use strict;

$log_level = 1;
$sa_kill_level_deflt = 6.5;
$final_spam_destiny = D_DISCARD;
$pax = 'pax';

@bypass_virus_checks_maps = (\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
@local_domains_acl = qw(.);

1;
</syntaxhighlight>
 
 
 
  
<syntaxhighlight lang=text>
cat /dev/null > /etc/amavis/conf.d/50-user
nano /etc/amavis/conf.d/50-user
</syntaxhighlight>

Copy/paste the following (no changes required):
<syntaxhighlight lang=text>
use strict;

@local_domains_acl = qw(.);
$log_level = 1;
$syslog_priority = 'info';
$sa_kill_level_deflt = 6.5;
$final_spam_destiny = D_DISCARD;
$pax = 'pax';

1;
</syntaxhighlight>
 
  
<syntaxhighlight lang=text>
mv /etc/default/spamassassin{,.default}
nano /etc/default/spamassassin
</syntaxhighlight>

Copy/paste the following (no changes required):
<syntaxhighlight lang=text>
ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
CRON=0
</syntaxhighlight>

== ClamAV ==
ClamAV will scan e-mails for viruses before delivering them to your inbox.

Now, let's configure ClamAV:
<syntaxhighlight lang=text>
dpkg-reconfigure clamav-freshclam
</syntaxhighlight>

After that, it will show you a console with options. Select the settings accordingly:

[[File:Clamav 1.png]]

Now restart everything:
<syntaxhighlight lang=text>
sudo /etc/init.d/saslauthd restart
sudo /etc/init.d/postfix restart
sudo /etc/init.d/courier-authdaemon restart
sudo /etc/init.d/courier-imap restart
sudo /etc/init.d/courier-imap-ssl restart
sudo service amavis restart
</syntaxhighlight>

= Testing =
Postfix should now be running properly, accepting connections on port 25 (the SMTP port) and sending e-mail anywhere in the world.

So let's telnet to our server on port 25 and send a test e-mail:
<syntaxhighlight lang=text>
$ telnet mail.yourdomain.com 25
Trying mail.yourdomain.com...
Connected to mail.yourdomain.com.
Escape character is '^]'.
220 mail.yourdomain.com ESMTP Postfix
HELO localhost
250 mail.yourdomain.com
MAIL FROM: <[email protected]>
250 2.1.0 Ok
RCPT TO: <[email protected]>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Test email

Testmail to ensure Postfix is working.
.
250 2.0.0 Ok: queued as 6705C20E32
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
</syntaxhighlight>

This proves that our e-mail is working properly.

But in some cases you may encounter something like this when sending a test e-mail to another domain:
<syntaxhighlight lang=text>
$ telnet mail.yourdomain.com 25
Trying mail.yourdomain.com...
Connected to mail.yourdomain.com.
Escape character is '^]'.
220 mail.yourdomain.com ESMTP Postfix
HELO localhost
250 mail.yourdomain.com
MAIL FROM: <[email protected]>
250 2.1.0 Ok
RCPT TO: <[email protected]>
454 4.7.1 <[email protected]>: Relay access denied
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
</syntaxhighlight>

This may be caused by a misconfiguration during the setup, or your server may have port 25 blocked.

Do check your firewall and allow connections to and from port 25.

Errors will usually show up in:
<syntaxhighlight lang=text>
/var/log/mail.log
/var/log/mail.err
</syntaxhighlight>

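The `Relay access denied` reply in the second session is Postfix's `reject_unauth_destination` (from `smtpd_recipient_restrictions` in main.cf) refusing to relay for a client that is neither SASL-authenticated nor inside `mynetworks`, and a 4xx reply code marks a temporary condition worth checking in the log. The script below is an added example, not part of this wiki page: it triages constructed sample /var/log/mail.log lines, counting relay rejections and SASL authentication failures per client IP.

```python
"""Triage Postfix rejections and SASL failures in /var/log/mail.log.

Added example, not part of the original wiki text. It reads the syslog-style
lines Postfix writes on Ubuntu and summarises, per client IP, relay
rejections (reject_unauth_destination in main.cf) and SASL authentication
failures (smtpd_sasl_auth_enable). The sample lines below are constructed.
"""
import re
import sys
from collections import defaultdict

# NOQUEUE: reject: RCPT from <host>[<ip>]: <code> <enhanced> <<rcpt>>: <reason>; from=<..> to=<..> ...
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<enhanced>\d\.\d\.\d) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]+);"
)
# warning: <host>[<ip>]: SASL <mech> authentication failed: <detail>
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)

# Constructed sample log (addresses and IPs are documentation values).
SAMPLE_LOG = """\
Feb 16 22:10:01 mail postfix/smtpd[2201]: connect from unknown[203.0.113.5]
Feb 16 22:10:02 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 454 4.7.1 <bob@example.net>: Relay access denied; from=<alice@yourdomain.com> to=<bob@example.net> proto=SMTP helo=<localhost>
Feb 16 22:10:05 mail postfix/smtpd[2201]: disconnect from unknown[203.0.113.5]
Feb 16 22:11:40 mail postfix/smtpd[2210]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Feb 16 22:11:41 mail postfix/smtpd[2210]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Feb 16 22:11:42 mail postfix/smtpd[2210]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Feb 16 22:12:03 mail postfix/smtpd[2215]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <carol@example.org>: Relay access denied; from=<eve@example.org> to=<carol@example.org> proto=ESMTP helo=<example.org>
Feb 16 22:12:30 mail postfix/smtpd[2220]: 6705C20E32: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=admin@yourdomain.com
"""


def parse_line(line):
    """Return a dict describing a reject or SASL-failure event, else None."""
    m = REJECT_RE.search(line)
    if m:
        return {"kind": "reject", **m.groupdict()}
    m = SASL_RE.search(line)
    if m:
        return {"kind": "sasl_failed", **m.groupdict()}
    return None


def triage(lines):
    """Per-client-IP counters: relay rejections, 4xx (temporary) rejections
    and SASL failures. Connects, disconnects and accepted mail are ignored."""
    stats = defaultdict(lambda: {"relay_denied": 0, "tempfail": 0, "sasl_failed": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        entry = stats[ev["ip"]]
        if ev["kind"] == "reject":
            if ev["reason"] == "Relay access denied":
                entry["relay_denied"] += 1
            if ev["code"].startswith("4"):
                entry["tempfail"] += 1
        else:
            entry["sasl_failed"] += 1
    return dict(stats)


def suspicious_clients(stats, sasl_threshold=3):
    """IPs with repeated SASL failures: password guessing against the
    submission service rather than a single misconfigured client."""
    return sorted(ip for ip, s in stats.items() if s["sasl_failed"] >= sasl_threshold)


if __name__ == "__main__":
    # Usage: python triage_mail_log.py [/var/log/mail.log]
    lines = SAMPLE_LOG.splitlines()
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    result = triage(lines)
    for ip, counters in result.items():
        print(ip, counters)
    print("repeated SASL failures:", suspicious_clients(result))
```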
= Roundcube =
Download the Roundcube file from http://roundcube.net/download :
<syntaxhighlight lang=text>
cd /var/www
wget http://downloads.sourceforge.net/project/roundcubemail/roundcubemail/1.1.0/roundcubemail-1.1.0.tar.gz
tar xvfz roundcubemail-1.1.0.tar.gz
mv roundcubemail-1.1.0 mail
</syntaxhighlight>

It is recommended to make the document root and the Roundcube files in it writable by the web server daemon, which is running as user www-data and group www-data:
<syntaxhighlight lang=text>
chown -R www-data:www-data /var/www/mail
</syntaxhighlight>

If you haven't already created a MySQL database for Roundcube (including a MySQL Roundcube user), you can do that as follows:
<syntaxhighlight lang=text>
mysqladmin -u root -p create roundcube
mysql -u root -p
GRANT ALL PRIVILEGES ON roundcube.* TO 'roundcube_admin'@'localhost' IDENTIFIED BY 'roundcube_password';
GRANT ALL PRIVILEGES ON roundcube.* TO 'roundcube_admin'@'localhost.localdomain' IDENTIFIED BY 'roundcube_password';
FLUSH PRIVILEGES;
quit;
</syntaxhighlight>

Edit php.ini:
<syntaxhighlight lang=text>
sudo nano /etc/php5/apache2/php.ini
</syntaxhighlight>

Add this to the end of the file:
<syntaxhighlight lang=text>
extension=mcrypt.so
</syntaxhighlight>

Edit the timezone:
<syntaxhighlight lang=text>
date.timezone = "Asia/Kuala_Lumpur"
</syntaxhighlight>

Now we can launch the web-based Roundcube installer by going to http://yourdomain/mail/installer/

[[File:Roundcube 8.png]]

On the next page you will see two configuration files (main.inc.php and db.inc.php). Copy the contents and create both files in the config directory (/var/www/mail/config/ in this case):
<syntaxhighlight lang=text>
nano /var/www/mail/config/main.inc.php
nano /var/www/mail/config/db.inc.php
</syntaxhighlight>

[[File:Roundcube 9.png]]

[[File:Roundcube 12.png]]

After the installation has finished, you should delete the Roundcube installer directory:
<syntaxhighlight lang=text>
rm -rf /var/www/mail/installer/
</syntaxhighlight>

Now you can go to http://yourdomain.com/mail/ and use Roundcube to log into your email account.

Latest revision as of 23:02, 16 February 2015

Mail Server on Ubuntu 12.04 (Postfix, Courier, SSL/TLS, SpamAssassin, ClamAV, Amavis, Roundcube)

Introduction

Main components:

  • Postfix is the mail transfer agent (MTA) responsible for accepting new messages and storing them on your server as well as allowing authorised users to send e-mail.
  • Courier sits in front of Postfix and provides an IMAP and POP3 interface for clients to connect to.
  • SASL with SSL and TLS allows you to authenticate and communicate with the mail server securely.
  • SpamAssassin will analyse your e-mails as they arrive and will filter out what it thinks is spam.
  • ClamAV will scan e-mails for viruses before delivering them to your inbox.
  • Amavis ties SpamAssassin and ClamAV together, and is itself hooked into Postfix.
  • MySQL will be used to manage user accounts and e-mail forwarding.
  • Roundcube is a web mail interface, similar to SquirrelMail.

Install required packages from repo

 apt-get update
 apt-get install -y mysql-server postfix postfix-mysql libsasl2-modules libsasl2-modules-sql libgsasl7 libauthen-sasl-cyrus-perl sasl2-bin libpam-mysql clamav-base libclamav6 clamav-daemon clamav-freshclam amavisd-new spamassassin spamc courier-base courier-authdaemon courier-authlib-mysql courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl php-pear php-auth-sasl php-net-smtp php5-intl php5-mcrypt 
sudo pear install Mail_Mime
sudo pear install Mail_mimeDecode
sudo pear install channel://pear.php.net/Net_IDNA2-0.1.1

During the installation of MySQL you will be prompted for the root user password

File:Mail 1.png

Enter a secure password, and don’t forget it!

Similarly, during the installation of Courier you will be presented with the following configuration prompts

File:Mail 2.png

Choose No

File:Mail 3.png

Choose OK

File:Mail 4.png

Choose Internet Site

File:Mail 5.png

Enter your mail server name (e.g. replace mail.example.com with your own domain). Make sure you have this subdomain configured in your DNS records.

File:Mail 6.png

Choose OK

After everything has finished, we can proceed to configure our mail server.

Configuration

Postfix

First, we create file name main.cf

mv /etc/postfix/main.cf{,.default}
nano /etc/postfix/main.cf

Copy/paste the following (change all instances of mail.yourdomain.com):

myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
mailbox_size_limit = 0
virtual_mailbox_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
message_size_limit = 0

# SMTP Authentication (SASL)

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =

# Encrypted transfer (SSL/TLS)

smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/private/mail.yourdomain.com.crt
smtpd_tls_key_file = /etc/ssl/private/mail.yourdomain.com.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Basic SPAM prevention

smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

# Force incoming mail to go through Amavis

content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

# Virtual user mappings

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_maps = mysql:/etc/postfix/maps/user.cf
virtual_uid_maps = static:5000
virtual_gid_maps =  static:5000
virtual_alias_maps = mysql:/etc/postfix/maps/alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/maps/domain.cf

Next, we edit file master.cf

mv /etc/postfix/master.cf{,.default}
nano /etc/postfix/master.cf

Copy/paste the following (no changes are required):

#
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
submission inet n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
	-o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
amavis    unix -        -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

As all our mail users are going to be virtual (i.e. we’re not going to create physical user accounts for each user), we only need to create one mail directory and one user account.

groupadd virtual -g 5000
useradd -r -g "virtual" -G "users" -c "Virtual User" -u 5000 virtual
mkdir /var/spool/mail/virtual
chown virtual:virtual /var/spool/mail/virtual

Now we’ll create the database which will store the mail user configuration and forwarding rules. Enter the password you created during the MySQL installation. Copy/paste the following (change mailuserpassword, yourdomain.com and admin password to something more secure)

CREATE DATABASE mail;
GRANT ALL ON mail.* TO mail@localhost IDENTIFIED BY 'mailuserpassword';
FLUSH PRIVILEGES;
USE mail;

CREATE TABLE IF NOT EXISTS `alias` (`source` VARCHAR(255) NOT NULL, `destination` VARCHAR(255) NOT NULL DEFAULT "", `enabled` TINYINT UNSIGNED NOT NULL DEFAULT 1, PRIMARY KEY (`source`)) ENGINE=MyISAM DEFAULT CHARSET=utf8;
CREATE TABLE IF NOT EXISTS `domain` (`domain` VARCHAR(255) NOT NULL DEFAULT "", `transport` VARCHAR(255) NOT NULL DEFAULT "virtual:", `enabled` TINYINT UNSIGNED NOT NULL DEFAULT 1, PRIMARY KEY (`domain`)) ENGINE=MyISAM DEFAULT CHARSET=utf8;

CREATE TABLE IF NOT EXISTS `user` (`email` VARCHAR(255) NOT NULL DEFAULT "", `password` VARCHAR(255) NOT NULL DEFAULT "", `name` VARCHAR(255) DEFAULT NULL, `quota` INT UNSIGNED DEFAULT NULL, `enabled` TINYINT UNSIGNED NOT NULL DEFAULT 1, PRIMARY KEY (`email`)) ENGINE=MyISAM DEFAULT CHARSET=utf8;

INSERT INTO `alias` (`source`, `destination`, `enabled`) VALUES ('@localhost', '[email protected]', 1);
INSERT INTO `alias` (`source`, `destination`, `enabled`) VALUES ('@localhost.localdomain', '@localhost', 1);
INSERT INTO `domain` (`domain`, `transport`, `enabled`) VALUES ('localhost', 'virtual:', 1);
INSERT INTO `domain` (`domain`, `transport`, `enabled`) VALUES ('localhost.localdomain', 'virtual:', 1);
INSERT INTO `domain` (`domain`, `transport`, `enabled`) VALUES ('yourdomain.com', 'virtual:', 1);
INSERT INTO `user` (`email`, `password`, `name`, `quota`, `enabled`) VALUES ('[email protected]', ENCRYPT('adminpassword'), 'Administrator', NULL, 1);

Now that the database is in place we can create the map files to tell Postfix how to communicate with it.

mkdir /etc/postfix/maps
nano /etc/postfix/maps/alias.cf

Copy/paste the following (change mailuserpassword):

user=mail
password=mailuserpassword
dbname=mail
table=alias
select_field=destination
where_field=source
hosts=127.0.0.1
additional_conditions=and enabled = 1

Next, we create domain.cf

nano /etc/postfix/maps/domain.cf

Copy/paste the following (change mailuserpassword):

user = mail
password = mailuserpassword
dbname = mail
table = domain
select_field = domain
where_field = domain
hosts = 127.0.0.1
additional_conditions = and enabled = 1

We create file name user.cf

nano /etc/postfix/maps/user.cf

Copy/paste the following (change mailuserpassword):

user = mail
password = mailuserpassword
dbname = mail
table = user
select_field = CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')
where_field = email
hosts = 127.0.0.1
additional_conditions = and enabled = 1

Set restrictive read permissions as these files contain the MySQL mail user’s password.

chmod 700 /etc/postfix/maps/*
chown postfix:postfix /etc/postfix/maps/*
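Postfix turns each of the three map files above into one query, SELECT select_field FROM table WHERE where_field = 'key' additional_conditions. As an added example that is not part of this wiki page, the following Python script runs those exact queries against an in-memory SQLite copy of the mail database (MySQL's CONCAT and SUBSTRING_INDEX are registered as SQLite functions) to show how the two @catch-all alias rows chain, where user.cf places each Maildir, and how "and enabled = 1" hides a disabled account; the account addresses are constructed, since the page's are obfuscated.

```python
"""Work through the Postfix mysql: map lookups (alias.cf, domain.cf, user.cf)
against the schema on this page.

Added example, not part of the original wiki text. Postfix builds
    SELECT <select_field> FROM <table> WHERE <where_field> = '<key>' <additional_conditions>
from each map file; here the same query runs against an in-memory SQLite copy
of the `mail` database so the lookups can be checked offline. Rows follow the
page's INSERT statements, with constructed addresses plus one disabled account.
"""
import sqlite3

# Map files from /etc/postfix/maps/*.cf on this page (credentials and hosts
# omitted; they do not affect the query text).
ALIAS_CF = {"table": "alias", "select_field": "destination",
            "where_field": "source", "additional_conditions": "and enabled = 1"}
DOMAIN_CF = {"table": "domain", "select_field": "domain",
             "where_field": "domain", "additional_conditions": "and enabled = 1"}
USER_CF = {"table": "user",
           "select_field": "CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',"
                           "SUBSTRING_INDEX(email,'@',1),'/')",
           "where_field": "email", "additional_conditions": "and enabled = 1"}

SCHEMA_AND_ROWS = """
CREATE TABLE alias  (source TEXT PRIMARY KEY, destination TEXT NOT NULL DEFAULT '',
                     enabled INTEGER NOT NULL DEFAULT 1);
CREATE TABLE domain (domain TEXT PRIMARY KEY, transport TEXT NOT NULL DEFAULT 'virtual:',
                     enabled INTEGER NOT NULL DEFAULT 1);
CREATE TABLE user   (email TEXT PRIMARY KEY, password TEXT NOT NULL DEFAULT '',
                     name TEXT, quota INTEGER, enabled INTEGER NOT NULL DEFAULT 1);
-- constructed sample rows
INSERT INTO alias  VALUES ('@localhost', 'admin@yourdomain.com', 1);
INSERT INTO alias  VALUES ('@localhost.localdomain', '@localhost', 1);
INSERT INTO domain VALUES ('localhost', 'virtual:', 1);
INSERT INTO domain VALUES ('localhost.localdomain', 'virtual:', 1);
INSERT INTO domain VALUES ('yourdomain.com', 'virtual:', 1);
INSERT INTO user   VALUES ('admin@yourdomain.com', '<crypt hash>', 'Administrator', NULL, 1);
INSERT INTO user   VALUES ('old@yourdomain.com', '<crypt hash>', 'Former staff', NULL, 0);
"""


def substring_index(s, delim, count):
    """MySQL SUBSTRING_INDEX(): text before the count-th delimiter counted from
    the left (count > 0) or after it counted from the right (count < 0)."""
    parts = s.split(delim)
    return delim.join(parts[:count]) if count > 0 else delim.join(parts[count:])


def concat(*args):
    """MySQL CONCAT(): NULL if any argument is NULL."""
    return None if any(a is None for a in args) else "".join(str(a) for a in args)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("SUBSTRING_INDEX", 3, substring_index)
    conn.create_function("CONCAT", -1, concat)
    conn.executescript(SCHEMA_AND_ROWS)
    return conn


def lookup(conn, cf, key):
    """Run the query Postfix derives from a map file. Postfix escapes the key
    itself before interpolating it; a bound parameter does the same job here."""
    sql = ("SELECT {select_field} FROM {table} WHERE {where_field} = ? "
           "{additional_conditions}").format(**cf)
    return [row[0] for row in conn.execute(sql, (key,))]


def expand_virtual_alias(conn, address, limit=10):
    """Follow virtual_alias_maps the way Postfix does: try the full address,
    then the @domain catch-all; a catch-all whose result is another @domain
    keeps the local part. Postfix bounds this with virtual_alias_recursion_limit;
    `limit` plays that role here."""
    for _step in range(limit):
        local, _, domain = address.partition("@")
        hits = lookup(conn, ALIAS_CF, address) or lookup(conn, ALIAS_CF, "@" + domain)
        if not hits:
            return address
        dest = hits[0]
        address = local + dest if dest.startswith("@") else dest
    raise RuntimeError("alias expansion limit reached at %s" % address)


def maildir_for(conn, email):
    """virtual_mailbox_maps: Maildir path relative to virtual_mailbox_base, or
    None when the account is missing or disabled (additional_conditions)."""
    hits = lookup(conn, USER_CF, email)
    return hits[0] if hits else None


def is_virtual_domain(conn, domain):
    """virtual_mailbox_domains: does Postfix accept mail for this domain?"""
    return bool(lookup(conn, DOMAIN_CF, domain))


if __name__ == "__main__":
    db = make_db()
    print(expand_virtual_alias(db, "postmaster@localhost.localdomain"))  # admin@yourdomain.com
    print(maildir_for(db, "admin@yourdomain.com"))  # yourdomain.com/admin/
    print(maildir_for(db, "old@yourdomain.com"))    # None: enabled = 0
    print(is_virtual_domain(db, "example.net"))     # False
```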

SASL

The final part of configuring Postfix is to configure the authentication mechanism. SASL is an authentication layer that provides the ability to receive a user’s credentials in a variety of formats.

mkdir -p /var/spool/postfix/var/run/saslauthd
mkdir /etc/postfix/sasl
adduser postfix sasl
nano /etc/postfix/sasl/smtpd.conf

Copy/paste the following (change mailuserpassword):

pwcheck_method: saslauthd
auxprop_plugin: sql
mech_list: plain login
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: mail
sql_passwd: mailuserpassword
sql_database: mail
sql_select: SELECT password FROM user WHERE email='%u@%r' AND enabled = 1

Change file permission:

chmod -R 700 /etc/postfix/sasl/smtpd.conf
mv /etc/default/saslauthd{,.default}
nano /etc/default/saslauthd

Copy/paste the following (no changes required):

START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-r -c -m /var/spool/postfix/var/run/saslauthd"

nano /etc/pam.d/smtp

Copy/paste the following (change all instances of mailuserpassword):

auth    required   pam_mysql.so user=mail passwd=mailuserpassword host=127.0.0.1 db=mail table=user usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mail passwd=mailuserpassword host=127.0.0.1 db=mail table=user usercolumn=email passwdcolumn=password crypt=1

Change file permission:

chmod 700 /etc/pam.d/smtp

Courier

Now let’s configure Courier. I like to provide both IMAP and POP3 support, although personally I only use IMAP. In addition, we’ll provide SSL support for securing authentication requests.

mv /etc/courier/authdaemonrc{,.default}
nano /etc/courier/authdaemonrc

Copy/paste the following (no changes required):

authmodulelist="authmysql"
authmodulelistorig="authuserdb authpam authpgsql authldap authmysql authcustom authpipe"
daemons=5
authdaemonvar=/var/run/courier/authdaemon
DEBUG_LOGIN=0
DEFAULTOPTIONS=""
LOGGEROPTS=""

mv /etc/courier/authmysqlrc{,.default}
nano /etc/courier/authmysqlrc

Copy/paste the following (change mailuserpassword):

MYSQL_SERVER localhost
MYSQL_USERNAME mail
MYSQL_PASSWORD mailuserpassword
MYSQL_PORT 0
MYSQL_DATABASE mail
MYSQL_USER_TABLE user
MYSQL_CRYPT_PWFIELD password
MYSQL_UID_FIELD 5000
MYSQL_GID_FIELD 5000
MYSQL_LOGIN_FIELD email
MYSQL_HOME_FIELD "/var/spool/mail/virtual"
MYSQL_MAILDIR_FIELD CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')
MYSQL_NAME_FIELD name
MYSQL_QUOTA_FIELD quota

mv /etc/courier/imapd{,.default}
nano /etc/courier/imapd

Copy/paste the following (no changes required):

ADDRESS=0
PORT=143
MAXDAEMONS=40
MAXPERIP=20
PIDFILE=/var/run/courier/imapd.pid
TCPDOPTS="-nodnslookup -noidentlookup"
LOGGEROPTS="-name=imapd"
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
IMAP_KEYWORDS=1
IMAP_ACL=1
IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
IMAP_PROXY=0
IMAP_PROXY_FOREIGN=0
IMAP_IDLE_TIMEOUT=60
IMAP_MAILBOX_SANITY_CHECK=0
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
IMAP_DISABLETHREADSORT=0
IMAP_CHECK_ALL_FOLDERS=0
IMAP_OBSOLETE_CLIENT=0
IMAP_UMASK=022
IMAP_ULIMITD=65536
IMAP_USELOCKS=1
IMAP_SHAREDINDEXFILE=/etc/courier/shared/index
IMAP_ENHANCEDIDLE=0
IMAP_TRASHFOLDERNAME=Trash
IMAP_EMPTYTRASH=Trash:7
IMAP_MOVE_EXPUNGE_TO_TRASH=0
SENDMAIL=/usr/sbin/sendmail
HEADERFROM=X-IMAP-Sender
IMAPDSTART=YES
MAILDIRPATH=Maildir

mv /etc/courier/imapd-ssl{,.default}
nano /etc/courier/imapd-ssl

Copy/paste the following (change mail.yourdomain.com):

SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/var/run/courier/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_KX_LIST=ALL
TLS_COMPRESSION=ALL
TLS_CERTS=X509
TLS_CERTFILE=/etc/ssl/private/mail.yourdomain.com.pem
TLS_TRUSTCERTS=/etc/ssl/certs
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir

mv /etc/courier/pop3d{,.default}
nano /etc/courier/pop3d

Copy/paste the following (no changes required):

PIDFILE=/var/run/courier/pop3d.pid
MAXDAEMONS=40
MAXPERIP=4
POP3AUTH="LOGIN"
POP3AUTH_ORIG="PLAIN LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256"
POP3AUTH_TLS="LOGIN PLAIN"
POP3AUTH_TLS_ORIG="LOGIN PLAIN"
POP3_PROXY=0
PORT=110
ADDRESS=0
TCPDOPTS="-nodnslookup -noidentlookup"
LOGGEROPTS="-name=pop3d"
POP3DSTART=YES
MAILDIRPATH=Maildir

mv /etc/courier/pop3d-ssl{,.default}
nano /etc/courier/pop3d-ssl

Copy/paste the following (change mail.yourdomain.com):

SSLPORT=995
SSLADDRESS=0
SSLPIDFILE=/var/run/courier/pop3d-ssl.pid
SSLLOGGEROPTS="-name=pop3d-ssl"
POP3DSSLSTART=YES
POP3_STARTTLS=YES
POP3_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_STARTTLS_PROTOCOL=TLS1
TLS_KX_LIST=ALL
TLS_COMPRESSION=ALL
TLS_CERTS=X509
TLS_CERTFILE=/etc/ssl/private/mail.yourdomain.com.pem
TLS_TRUSTCERTS=/etc/ssl/certs
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir

= SSL =

Courier needs a certificate and private key for IMAPS/POP3S and for STARTTLS on the plain ports. You can buy one from a CA (clients will then validate it without warnings) or generate a self-signed certificate for free. A self-signed certificate gives the same encryption strength, but clients cannot check who they are talking to: they will show an "invalid certificate" warning, and a user who clicks through that warning would accept an attacker's certificate just as readily. If you self-sign, install the certificate on your clients so they trust it explicitly rather than training users to click through.

Note also that IMAP_TLS_REQUIRED=0 and POP3_TLS_REQUIRED=0 in the files above still allow plaintext password authentication on ports 143 and 110. Once the certificate is in place, set both to 1 so that a password is only accepted after STARTTLS (or on 993/995).

You will be prompted for information about the certificate. You can enter anything you want except the Common Name (CN), which must be the host name your clients connect to (e.g. mail.yourdomain.com).

Run the following (change mail.yourdomain.com):

1. Remove the default certificates

rm -f /etc/courier/imapd.cnf
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.cnf
rm -f /etc/courier/pop3d.pem

2. Generate a new PEM certificate (valid for 10 years). Courier's TLS_CERTFILE expects the key and the certificate in one file, so -keyout and -out name the same path; openssl writes the key first and appends the certificate to it:

openssl req -x509 -newkey rsa:2048 -keyout "/etc/ssl/private/mail.yourdomain.com.pem" -out "/etc/ssl/private/mail.yourdomain.com.pem" -nodes -days 3650

3. Generate a separate key and CRT certificate (valid for 10 years) and restrict access to the private keys:

openssl req -new -outform PEM -out "/etc/ssl/private/mail.yourdomain.com.crt" -newkey rsa:2048 -nodes -keyout "/etc/ssl/private/mail.yourdomain.com.key" -keyform PEM -days 3650 -x509
chmod 640 /etc/ssl/private/mail.yourdomain.com.*
chgrp ssl-cert /etc/ssl/private/mail.yourdomain.com.*

= Amavis =

Next we'll configure Amavis, the content filter that sits between Postfix and SpamAssassin/ClamAV. Two things to know about the settings below: $final_spam_destiny = D_DISCARD silently drops anything scoring at or above $sa_kill_level_deflt (6.5), with no bounce to the sender and no copy for the recipient, so false positives are lost for good; if you want them recoverable, quarantine instead ($QUARANTINEDIR and $spam_quarantine_to) or use D_PASS and rely on the spam tag. And Debian reads /etc/amavis/conf.d/ in lexical order, so where a value is repeated, the copy in 50-user is the one that takes effect.

adduser clamav amavis
cat /dev/null > /etc/amavis/conf.d/15-content-filter-mode
nano /etc/amavis/conf.d/15-content-filter-mode

Copy/paste the following (no changes required):

use strict;

$log_level = 1;
$sa_kill_level_deflt = 6.5;
$final_spam_destiny = D_DISCARD;
$pax = 'pax';

@bypass_virus_checks_maps = (\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
@local_domains_acl = qw(.);

1;

cat /dev/null > /etc/amavis/conf.d/50-user
nano /etc/amavis/conf.d/50-user

Copy/paste the following (no changes required):

use strict;

@local_domains_acl = qw(.);
$log_level = 1;
$syslog_priority = 'info';
$sa_kill_level_deflt = 6.5;
$final_spam_destiny = D_DISCARD;
$pax = 'pax';

1;

mv /etc/default/spamassassin{,.default}
nano /etc/default/spamassassin

Copy/paste the following (no changes required):

ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
CRON=0

= ClamAV =

ClamAV scans each message for malware before Amavis hands it back to Postfix for delivery.

Now let's configure freshclam, the signature updater:

dpkg-reconfigure clamav-freshclam

This walks you through a series of dialogs. Choose as follows:

File:Clamav 1.png

Choose OK

File:Clamav 2.png

Choose daemon

File:Clamav 3.png

Choose a mirror closest to you

File:Clamav 4.png

Enter your proxy, if required. Usually you will leave this blank

File:Clamav 5.png

By default, freshclam checks for new signatures every hour (24 checks a day). This tutorial brings that down to once a day. Be aware of the trade-off: fewer checks mean new signatures reach your server later, and on a server that receives a lot of mail the hourly default is the safer choice.

File:Clamav 6.png

Choose No

Now restart everything. The POP3 daemons, SpamAssassin and ClamAV were reconfigured above as well, so restart them too:

sudo /etc/init.d/saslauthd restart
sudo /etc/init.d/postfix restart
sudo /etc/init.d/courier-authdaemon restart
sudo /etc/init.d/courier-imap restart
sudo /etc/init.d/courier-imap-ssl restart
sudo /etc/init.d/courier-pop restart
sudo /etc/init.d/courier-pop-ssl restart
sudo service spamassassin restart
sudo service clamav-freshclam restart
sudo service clamav-daemon restart
sudo service amavis restart
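Once the daemons are up, prove that the chain actually works instead of trusting the configuration. The following is an added example and not part of the original tutorial: a Python 3 script that builds the two public test messages (GTUBE, which SpamAssassin scores at 1000 points, and the EICAR test file, which ClamAV detects as Eicar-Test-Signature), can submit them to Postfix on port 25, and parses the verdict lines amavisd-new writes to /var/log/mail.log. The log excerpt embedded in the script is constructed, and the host names and addresses are placeholders. With $final_spam_destiny = D_DISCARD from above and Debian's default $final_virus_destiny = D_DISCARD, both test messages should appear as Blocked SPAM and Blocked INFECTED with {DiscardedInbound}; a Passed CLEAN for the GTUBE message means SpamAssassin is not being consulted, and no amavis line at all means Postfix is not handing mail to the content_filter.

```python
"""Verify that Postfix really hands mail to Amavis and that SpamAssassin and
ClamAV act on it. Added example, not from the original tutorial: it builds the
two public test messages (GTUBE for SpamAssassin, EICAR for ClamAV), can submit
them to Postfix on port 25, and parses the verdict lines amavisd-new writes to
/var/log/mail.log. SAMPLE_LOG below is constructed for the offline self-test."""
import re
import sys
import smtplib
from email.message import EmailMessage

# Public test patterns, split so a file scanner does not flag this script itself.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*" + "GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_test_message(kind, sender, recipient):
    """Return an EmailMessage carrying the GTUBE (kind='spam') or EICAR (kind='virus') pattern."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    if kind == "spam":
        msg["Subject"] = "GTUBE spam filter test"
        # GTUBE scores 1000 points, far above $sa_kill_level_deflt = 6.5
        msg.set_content("Filter chain test.\n" + GTUBE + "\n")
    elif kind == "virus":
        msg["Subject"] = "EICAR antivirus test"
        msg.set_content("The attachment is the harmless EICAR test file.")
        msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                           subtype="octet-stream", filename="eicar.com")
    else:
        raise ValueError("kind must be 'spam' or 'virus'")
    return msg


def submit(msg, host="localhost", port=25):
    """Hand the message to Postfix; amavis sees it through content_filter."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.send_message(msg)


# One verdict line per message, e.g.
#   amavis[4242]: (04242-02) Blocked SPAM {DiscardedInbound}, [...] <from> -> <to>, ...
VERDICT_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>Passed|Blocked) (?P<class>[A-Z-]+)"
    r"(?: \((?P<detail>[^)]*)\))? \{(?P<destiny>[^}]*)\}.*?<(?P<from>[^>]*)> -> <(?P<to>[^>]*)>")


def parse_amavis_verdicts(lines):
    """Return one dict per amavis verdict line found among the mail.log lines."""
    return [m.groupdict() for m in map(VERDICT_RE.search, lines) if m]


def chain_is_working(verdicts):
    """True once a Blocked SPAM and a Blocked INFECTED verdict have both been logged."""
    seen = {(v["action"], v["class"]) for v in verdicts}
    return {("Blocked", "SPAM"), ("Blocked", "INFECTED")} <= seen


# Constructed mail.log excerpt in amavisd-new's format (not captured from a real host).
SAMPLE_LOG = """\
Oct 10 12:00:01 mail amavis[4242]: (04242-01) Passed CLEAN {RelayedInbound}, [192.0.2.10]:41000 [192.0.2.10] <alice@example.net> -> <bob@yourdomain.com>, Queue-ID: 6705C20E32, Message-ID: <1@example.net>, mail_id: aBcDeFgH, Hits: -0.1, size: 512, queued_as: 7716D20E33, 412 ms
Oct 10 12:00:02 mail amavis[4242]: (04242-02) Blocked SPAM {DiscardedInbound}, [192.0.2.10]:41001 [192.0.2.10] <alice@example.net> -> <bob@yourdomain.com>, Queue-ID: 8827E20E34, Message-ID: <2@example.net>, mail_id: iJkLmNoP, Hits: 1000.0, size: 640, 388 ms
Oct 10 12:00:03 mail amavis[4242]: (04242-03) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound}, [192.0.2.10]:41002 [192.0.2.10] <alice@example.net> -> <bob@yourdomain.com>, Queue-ID: 9938F20E35, Message-ID: <3@example.net>, mail_id: qRsTuVwX, Hits: -, size: 1024, 1543 ms
Oct 10 12:00:04 mail postfix/smtpd[4300]: disconnect from unknown[192.0.2.10]
"""

if __name__ == "__main__":
    # Usage: verify_chain.py send <from> <to>      (submit GTUBE and EICAR to localhost:25)
    #        verify_chain.py check /var/log/mail.log
    if len(sys.argv) == 4 and sys.argv[1] == "send":
        for kind in ("spam", "virus"):
            submit(build_test_message(kind, sys.argv[2], sys.argv[3]))
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        with open(sys.argv[2], errors="replace") as f:
            verdicts = parse_amavis_verdicts(f)
        for v in verdicts:
            print(v["action"], v["class"], v["detail"] or "", v["destiny"], v["from"], "->", v["to"])
        print("filter chain OK" if chain_is_working(verdicts) else "no SPAM/INFECTED block seen")
    else:
        verdicts = parse_amavis_verdicts(SAMPLE_LOG.splitlines())
        print("self-test:", "OK" if chain_is_working(verdicts) else "FAILED")
```

Run `verify_chain.py send probe@example.net user@yourdomain.com` on the server, wait a few seconds, then `verify_chain.py check /var/log/mail.log`. The recipient must be a mailbox this server hosts, otherwise you are testing relaying rather than filtering.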

= Testing =

Postfix should now be running: it accepts connections on port 25 (the SMTP port), takes mail for the domains it hosts from anywhere, and relays mail to other domains only for clients that have authenticated or that are listed in mynetworks.

Let's telnet to the server on port 25 and send a test message:

$ telnet mail.yourdomain.com 25

Trying mail.yourdomain.com...

Connected to mail.yourdomain.com.
Escape character is '^]'.
220 mail.yourdomain.com ESMTP Postfix
HELO localhost
250 mail.yourdomain.com
MAIL FROM: <[email protected]>
250 2.1.0 Ok
RCPT TO: <[email protected]>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Test email

Testmail to ensure Postfix is working.
.
250 2.0.0 Ok: queued as 6705C20E32
QUIT
221 2.0.0 Bye

Connection closed by foreign host.

The "250 2.0.0 Ok: queued as" reply shows that Postfix accepted the message and put it in its queue; /var/log/mail.log will show the delivery.

In some cases you will instead see the following when the test message is addressed to another domain:

$ telnet mail.yourdomain.com 25

Trying mail.yourdomain.com...

Connected to mail.yourdomain.com.
Escape character is '^]'.
220 mail.yourdomain.com ESMTP Postfix
HELO localhost
250 mail.yourdomain.com
MAIL FROM: <[email protected]>
250 2.1.0 Ok
RCPT TO: <[email protected]>
454 4.7.1 <[email protected]>: Relay access denied
QUIT
221 2.0.0 Bye

Connection closed by foreign host.

This is not a connectivity problem: the TCP connection succeeded and Postfix answered every command. "Relay access denied" means Postfix refused to forward mail for a client that is neither authenticated nor in mynetworks to a domain it does not host, and that is exactly the behaviour you want. A server that answered 250 here would be an open relay, would be abused for spam almost immediately and would end up on blocklists. To send to other domains, authenticate first (SASL over STARTTLS, normally on the submission port 587) or use a mail client configured with one of your accounts. If mail to your own domains is rejected the same way, check the domain settings in main.cf (mydestination or the virtual_mailbox_domains lookup). Only if telnet never gets the 220 banner at all should you look at the firewall on port 25.

Errors will usually show up in:

/var/log/mail.log
/var/log/mail.err
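To repeat the relay test without typing a telnet session by hand, here is an added example that is not part of the original page: a Python 3 probe that speaks just enough SMTP to reproduce the exchange above and decides mechanically from the RCPT TO reply whether the server would relay for a stranger. It uses EHLO instead of HELO so that the capability list is parsed as well, because AUTH offered before STARTTLS means a client could send its password in clear (Postfix hides it until STARTTLS when smtpd_tls_auth_only = yes). The two transcripts in the script are constructed from the sessions on this page; host names and addresses are placeholders.

```python
"""Probe a Postfix server for open relaying. Added example, not part of the
original tutorial. Reproduces the telnet session (greeting, EHLO, MAIL FROM,
RCPT TO to a foreign domain) and classifies the answer. The transcripts at the
bottom are constructed so the logic can be exercised offline."""
import socket
import sys


class SocketTransport:
    """Line-oriented SMTP transport over a real TCP connection."""
    def __init__(self, host, port=25, timeout=20):
        self.sock = socket.create_connection((host, port), timeout)
        self.reader = self.sock.makefile("rb")

    def sendline(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))

    def readline(self):
        return self.reader.readline().decode("ascii", "replace").rstrip("\r\n")

    def close(self):
        self.reader.close()
        self.sock.close()


class ScriptedTransport:
    """Replays canned server reply lines and records what the client sent."""
    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def sendline(self, line):
        self.sent.append(line)

    def readline(self):
        return self.replies.pop(0)

    def close(self):
        pass


def read_reply(transport):
    """Read one SMTP reply; '250-...' lines continue it, '250 ...' ends it (RFC 5321 4.2.1)."""
    texts = []
    while True:
        line = transport.readline()
        if len(line) < 3 or not line[:3].isdigit():
            raise ConnectionError("malformed or missing SMTP reply: %r" % line)
        texts.append(line[4:])
        if len(line) == 3 or line[3] != "-":
            return int(line[:3]), texts


def relay_probe(transport, ehlo="probe.example.net",
                sender="probe@example.net", rcpt="victim@example.org"):
    """Greeting, EHLO, MAIL FROM, RCPT TO to a domain this server does not host."""
    code, banner = read_reply(transport)
    if code != 220:
        raise RuntimeError("unexpected greeting: %d %s" % (code, banner[0]))
    result = {"banner": banner[0]}
    transport.sendline("EHLO " + ehlo)
    code, caps = read_reply(transport)
    result["capabilities"] = caps[1:]   # first line of the EHLO reply is the server name
    # AUTH on the plaintext connection: passwords could be sent before STARTTLS.
    result["auth_before_tls"] = any(c.upper().startswith("AUTH") for c in caps[1:])
    transport.sendline("MAIL FROM:<%s>" % sender)
    code, text = read_reply(transport)
    result["mail_from"] = (code, " ".join(text))
    if code < 400:
        transport.sendline("RCPT TO:<%s>" % rcpt)
        code, text = read_reply(transport)
        result["rcpt_to"] = (code, " ".join(text))
    transport.sendline("QUIT")
    read_reply(transport)
    transport.close()
    # A 2xx to RCPT TO for a foreign domain, from an unauthenticated client
    # outside mynetworks, means the server is an open relay.
    result["open_relay"] = 200 <= result.get("rcpt_to", (0, ""))[0] < 300
    return result


# Constructed transcripts: the 'Relay access denied' session from this page, and
# what an open relay that also offers AUTH in clear would answer instead.
DENIED_TRANSCRIPT = [
    "220 mail.yourdomain.com ESMTP Postfix",
    "250-mail.yourdomain.com", "250-STARTTLS", "250 8BITMIME",
    "250 2.1.0 Ok",
    "454 4.7.1 <victim@example.org>: Relay access denied",
    "221 2.0.0 Bye",
]
OPEN_RELAY_TRANSCRIPT = [
    "220 mail.yourdomain.com ESMTP Postfix",
    "250-mail.yourdomain.com", "250-AUTH PLAIN LOGIN", "250 8BITMIME",
    "250 2.1.0 Ok",
    "250 2.1.5 Ok",
    "221 2.0.0 Bye",
]

if __name__ == "__main__":
    # Usage: relay_probe.py mail.yourdomain.com [port]   (run from a host outside mynetworks)
    if len(sys.argv) >= 2:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        r = relay_probe(SocketTransport(sys.argv[1], port))
    else:
        r = relay_probe(ScriptedTransport(DENIED_TRANSCRIPT))
    print("RCPT TO reply:", r.get("rcpt_to"))
    print("OPEN RELAY" if r["open_relay"] else "relay denied (good)",
          "| AUTH before STARTTLS:", r["auth_before_tls"])
```

Run it from a machine that is not in mynetworks; from the server itself (or from your LAN, if that range is in mynetworks) the RCPT TO will be accepted legitimately and the result says nothing about outside clients. If it reports OPEN RELAY, fix main.cf before the server sees real traffic.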

= Roundcube =

Download Roundcube from http://roundcube.net/download (check the download against the checksum or signature published there) and unpack it into the web root, where it will be served as /mail:

cd /var/www
wget http://downloads.sourceforge.net/project/roundcubemail/roundcubemail/1.1.0/roundcubemail-1.1.0.tar.gz
tar xvfz roundcubemail-1.1.0.tar.gz
mv roundcubemail-1.1.0 mail

Roundcube only needs to write to its temp/ and logs/ directories. Give those two to the web server user (www-data) and leave the rest of the tree owned by root, so that a compromised PHP process cannot rewrite the application's own code:

chown -R root:root /var/www/mail
chown -R www-data:www-data /var/www/mail/temp /var/www/mail/logs

If you haven't already created a MySQL database for Roundcube (including a MySQL user for it), do that now. Replace roundcube_password with a strong password of your own; it will end up in the Roundcube configuration file:

mysqladmin -u root -p create roundcube
mysql -u root -p
GRANT ALL PRIVILEGES ON roundcube.* TO 'roundcube_admin'@'localhost' IDENTIFIED BY 'roundcube_password';
GRANT ALL PRIVILEGES ON roundcube.* TO 'roundcube_admin'@'localhost.localdomain' IDENTIFIED BY 'roundcube_password';
FLUSH PRIVILEGES;
quit;

Edit php.ini:

sudo nano /etc/php5/apache2/php.ini

Add this at the end of the file so that the mcrypt extension is loaded:

extension=mcrypt.so

Set the timezone (use your own):

date.timezone = "Asia/Kuala_Lumpur"

Now we can launch the web-based Roundcube installer by going to http://yourdomain/mail/installer/

File:Roundcube 1.png

Scroll down and click on START INSTALLATION

File:Roundcube 2.png

On the next page the installer checks if your environment fulfills all prerequisites.

File:Roundcube 3.png

If everything is OK, scroll down and click on NEXT

File:Roundcube 4.png

On the next page you configure Roundcube itself. Most defaults are fine. Scroll down to the Database setup section and fill in the details of the Roundcube MySQL database created above

File:Roundcube 5.png

Then go to the IMAP Settings section and fill in the details of your IMAP server. If it is located on the same server, fill in localhost in the default_host field. If you want to use IMAPS (port 993), prepend the hostname with ssl:// and change the default_port field to 993

File:Roundcube 6.png

Under SMTP Settings fill in your SMTP server (localhost if it's on the same host). If the SMTP server uses the same login details as your IMAP server, please check Use the current IMAP username and password for SMTP authentication

File:Roundcube 7.png

If all other settings are ok (as I mentioned before, the default settings in all other sections should be fine), click on the CREATE CONFIG button

File:Roundcube 8.png

On the next page you will see the generated configuration file. Roundcube 1.x uses a single config.inc.php (releases before 1.0 split it into main.inc.php and db.inc.php, which is what older versions of the installer show). Copy the contents and create the file in the config directory (/var/www/mail/config/ in this case):

nano /var/www/mail/config/config.inc.php

File:Roundcube 9.png

After you have created both files, click on CONTINUE

File:Roundcube 10.png

On the next page, click on the Initialize database button to make the installer create the Roundcube MySQL database

File:Roundcube 11.png

Finally (this is optional) you have the possibility to test your SMTP and IMAP login

File:Roundcube 12.png

After the installation has finished, delete the Roundcube installer directory. It is already inert unless $config['enable_installer'] is set to true, but removing it takes it out of reach entirely:

rm -rf /var/www/mail/installer/

Now you can go to http://yourdomain.com/mail/ and use Roundcube to log into your email account

File:Roundcube 13.png

This is how Roundcube looks

File:Roundcube 14.png
