Adminbuntu

Everything for the Ubuntu Server Administrator

Copyright 2013 Applied Conscious Technologies, LLC

Postfix

IMPORTANT: This information is out of date. Adapt and use this as a start on your email server configuration.

1. Change Hostname

From: http://articles.slicehost.com/2008/9/2/mail-server-slice-setup

sudo vi /etc/hostname

(Changed “Slice1” to “sitenamehere.com”)

sudo vi /etc/hosts

(Changed “Slice1” to “sitenamehere.com”)

2. Change Reverse DNS Record for the Slice

I changed the reverse DNS record for Slice1 to sitenamehere.com. (Waiting for it to propagate.)

This is changed via https://manage.slicehost.com/rdns_records.

3. Add vmail group and user

From: http://articles.slicehost.com/2008/9/2/mail-server-vmail-user-and-mailboxes

sudo groupadd -g 5000 vmail
sudo useradd -s /usr/sbin/nologin -g vmail -u 5000 vmail -d /home/vmail -m

4. Mail server - Postfix and MySQL installation

From: http://articles.slicehost.com/2008/9/2/mail-server-postfix-and-mysql-installation

sudo aptitude install postfix postfix-mysql mysql-server postfix-tls libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl telnet mailx

The above will ensure that all the components needed are installed. As we have already installed MySQL, it will be skipped. A configuration utility for Postfix will run. Select “Internet Site” on the first screen and enter the domain name (i.e. “sitenamehere.com”) on the second. Accept the defaults for the rest.

To re-run the configuration utility, if needed:

sudo dpkg-reconfigure postfix

5. Setup MySQL

mysqladmin -u root -p create mail
mysql -u root -p

This will open a MySQL session. Enter the following (replace the_password_here with the random crap password you generated and saved in KeePassX):

CREATE USER 'mailadmin'@'localhost' IDENTIFIED BY 'the_password_here';
FLUSH PRIVILEGES;
GRANT SELECT, INSERT, UPDATE, DELETE ON `mail`.* TO 'mailadmin'@'localhost';
FLUSH PRIVILEGES;
USE mail;

-- domains table: one row per domain the server accepts mail for
CREATE TABLE domains (
  domain varchar(50) NOT NULL,
  PRIMARY KEY (domain)
) ENGINE=MyISAM;   -- 'TYPE=MyISAM' was removed in MySQL 5.5; ENGINE= is the current syntax

-- users table: one row per mailbox; password holds the ENCRYPT()ed value (see step 17)
CREATE TABLE users (
  email varchar(80) NOT NULL,
  password varchar(20) NOT NULL,
  PRIMARY KEY (email)
) ENGINE=MyISAM;

-- forwards table: maps a source address to its destination address(es)
CREATE TABLE forwards (
  source varchar(80) NOT NULL,
  destination TEXT NOT NULL,
  PRIMARY KEY (source)
) ENGINE=MyISAM;

quit;

6. Mail server - Configuring Postfix to use MySQL

From http://articles.slicehost.com/2008/9/2/mail-server-configuring-postfix-to-use-mysql-part-1

To enable Postfix to use the MySQL database we need to create some text files.

Postfix will use the data contained in these files to connect to MySQL and submit a query such as selecting a domain to use when sending mail.

Take each file one at a time and you will see they are very simple in design - they contain the database name, the database user name (in this case 'mailadmin'), the database user password and then an SQL query that Postfix will execute to get the relevant details.

The following four files will enable Postfix to access the data in the 'mail' database and assign the correct details to any mail.

Domains

Start by creating the file used to find the domain details:

sudo nano /etc/postfix/mysql-domains.cf

Enter the following into this text file:

user = mailadmin
password = the_password_here
dbname = mail
query = SELECT domain AS virtual FROM domains WHERE domain='%s'
hosts = 127.0.0.1

Forwards

Create the forwards details:

sudo vi /etc/postfix/mysql-forwards.cf

Enter the following into this text file:

user = mailadmin
password = the_password_here
dbname = mail
query = SELECT destination FROM forwards WHERE source='%s'
hosts = 127.0.0.1

Mailboxes

Create the mailboxes details:

sudo vi /etc/postfix/mysql-mailboxes.cf

Enter the following into this text file:

user = mailadmin
password = the_password_here
dbname = mail
query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'
hosts = 127.0.0.1

Email

Create the file for the email addresses:

sudo vi /etc/postfix/mysql-email.cf

Enter the following into this text file:

user = mailadmin
password = the_password_here
dbname = mail
query = SELECT email FROM users WHERE email='%s'
hosts = 127.0.0.1

7. Permissions

Set the permissions on the files so that nobody else can peek at our database name and password.

We do that by removing all permissions for 'other'. In other words, only the file's owner and those in its group (which we set to 'postfix' below) can read the file contents. The easy way to do this is simply to turn the permissions for 'other' off:

sudo chmod o= /etc/postfix/mysql-*

Change the group ownership of the files to 'postfix' - at the moment they are owned by root. We want Postfix (and, later on, Courier) to access them:

sudo chgrp postfix /etc/postfix/mysql-*
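After the chmod and chgrp above it is worth confirming the result, because a single world-readable map file exposes the mailadmin password to every local account. The following is an added example written for this page (it is not from the Adminbuntu article or from Postfix); it walks the mysql-*.cf files in a directory and reports any file that still has permission bits for 'other' or that is not in the expected group. The directory and group are parameters (defaulting to /etc/postfix and postfix) so it can also be run against a test copy of the files.

```shell
#!/bin/sh
# Added example (not from the Adminbuntu page or Postfix): audit the
# /etc/postfix/mysql-*.cf map files. Each file must have no permission bits
# for 'other' and must belong to the group Postfix runs as.
#
# Usage: check_map_perms [/etc/postfix] [postfix]
# Prints one line per problem; returns 1 if anything fails, 0 otherwise.
check_map_perms() {
    dir=${1:-/etc/postfix}
    want_group=${2:-postfix}
    status=0
    for f in "$dir"/mysql-*.cf; do
        if [ ! -e "$f" ]; then
            echo "no mysql-*.cf files found in $dir"
            return 1
        fi
        # 'ls -ld' prints e.g. "-rw-r----- 1 root postfix 120 May 31 21:20 ...":
        # field 1 is the mode string (characters 8-10 are the 'other' bits),
        # field 4 is the group name.
        set -- $(ls -ld "$f")
        mode=$1
        group=$4
        other=$(printf '%s\n' "$mode" | cut -c8-10)
        if [ "$other" != "---" ]; then
            echo "WORLD-ACCESSIBLE: $f ($mode)"
            status=1
        fi
        if [ "$group" != "$want_group" ]; then
            echo "WRONG GROUP: $f is group '$group', expected '$want_group'"
            status=1
        fi
    done
    return "$status"
}

# When saved as check_map_perms.sh (a name assumed here) and run directly,
# audit the live Postfix directory; when sourced, only define the function.
case ${0##*/} in
    check_map_perms.sh) check_map_perms "$@" ;;
esac
```

Run it after step 7 and again after any package upgrade or restore from backup, both of which can silently reset ownership on files under /etc/postfix.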

8. main.cf

The main Postfix configuration file is known as 'main.cf'. Edit it:

sudo vi /etc/postfix/main.cf

Remove any entries from the mydestination field, leaving the file looking like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = Slice1
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = 
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

Virtual Files

Now we need to add the details of the four files we created in step 6 so Postfix knows to refer to them when handling mail.

At the bottom of the main.cf file add these lines:

virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-forwards.cf, mysql:/etc/postfix/mysql-email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps

You can see the references to the files we created and also the references to the 'vmail' user we created (where the mail is physically located).

The last line (proxy_read_maps) lists the lookup tables that the Postfix proxymap service is allowed to open on behalf of other Postfix processes; it is what makes the 'proxy:mysql:' references above work.
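Before restarting Postfix it helps to read the settings back the way Postfix will and to confirm that every map file named in the virtual_* lines actually exists, since a typo in a path only shows up as a delivery failure later. The following is an added example for this page (not from the Adminbuntu article or from the Postfix project): a small shell reader for main.cf that honours two Postfix rules, namely that a line beginning with whitespace continues the previous parameter and that the last occurrence of a parameter wins, plus a checker that resolves each mysql: map referenced by virtual_alias_maps, virtual_mailbox_domains and virtual_mailbox_maps. On a real server postconf does the reading for you; the point here is to make the rules visible.

```shell
#!/bin/sh
# Added example (not from the Adminbuntu page or Postfix): read parameters
# from a Postfix main.cf and confirm the mysql: map files it references exist.

# main_cf_get PARAMETER FILE -> prints the parameter's value (empty if unset).
main_cf_get() {
    awk -v key="$1" '
        /^#/            { next }                                  # comment line
        /^[ \t]*$/      { next }                                  # blank line
        /^[ \t]/        { if (found) val = val " " $0; next }     # continuation line
        {
            found = 0
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            # last occurrence of a parameter wins, as in Postfix
            if (name == key) { found = 1; val = substr($0, eq + 1) }
        }
        END {
            gsub(/^[ \t]+|[ \t]+$/, "", val)                      # trim
            gsub(/[ \t]+/, " ", val)                              # collapse whitespace
            print val
        }
    ' "$2"
}

# check_virtual_maps FILE -> lists each mysql map referenced by the virtual_*
# parameters and reports the ones that do not exist; returns 1 if any are missing.
check_virtual_maps() {
    cf=$1
    status=0
    dest=$(main_cf_get mydestination "$cf")
    [ -z "$dest" ] || echo "note: mydestination is not empty ($dest); step 8 clears it"
    for param in virtual_alias_maps virtual_mailbox_domains virtual_mailbox_maps; do
        for map in $(main_cf_get "$param" "$cf" | tr ',' ' '); do
            case $map in
                *mysql:*) path=${map##*mysql:} ;;   # strip 'proxy:' and 'mysql:'
                *)        continue ;;
            esac
            if [ -r "$path" ]; then
                echo "ok      $param -> $path"
            else
                echo "MISSING $param -> $path"
                status=1
            fi
        done
    done
    return "$status"
}

# When saved as check_virtual_maps.sh (a name assumed here) and run directly,
# check the live main.cf; when sourced, only define the functions.
case ${0##*/} in
    check_virtual_maps.sh) check_virtual_maps "${1:-/etc/postfix/main.cf}" ;;
esac
```

Note that the "last occurrence wins" rule is why appending the virtual_* lines at the bottom of main.cf works, and also why a stray duplicate such as a second myhostname further down the file quietly overrides the one you edited.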

9. saslauthd

“a daemon process that handles plaintext authentication requests on behalf of the SASL library.”

Edit the main saslauthd file:

sudo vi /etc/default/saslauthd

The first line to edit is the first you come across; it makes saslauthd start automatically at boot (the default is no):

# Should saslauthd run automatically on startup? (default: no)
START=yes

The second thing we need to change is the options defined at the bottom of the file.

The default looks like this:

#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
OPTIONS="-c -m /var/run/saslauthd"

Well, we are running Postfix so let's follow their advice and change the options to read:

#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Note that we added the '-r' option because users log in with their whole address (user@example.com) and not just 'user'; -r makes saslauthd combine the realm with the login name.

Add a Directory

sudo mkdir -p /var/spool/postfix/var/run/saslauthd

10. MySQL

Remember that we are using MySQL to hold the information on our domains, emails and users, etc.

As such, the authorization process for each user needs to know where to get the information from (i.e. the user and password).

As such, we need to create two simple files to allow the authorization process access to the db holding the relevant data:

sudo vi /etc/pam.d/smtp

We need to enter the relevant details for the db. Enter the following, with the mailadmin password in place of the_password_here:

auth    required   pam_mysql.so user=mailadmin passwd=the_password_here host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mailadmin passwd=the_password_here host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1

This allows the auth process to access the db to check the email and password (note that crypt=1 tells pam_mysql the password column is encrypted with crypt(3); when we add users, we will ensure the password is entered into the table in that format).

And finally, we need to create a second file:

sudo vi /etc/postfix/sasl/smtpd.conf

Enter the following, with the password you created earlier:

pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: mailadmin
sql_passwd: the_password_here
sql_database: mail
sql_select: select password from users where email = '%u'

Again, fairly self explanatory, but the contents simply define how to login and check the details (saslauthd) and how to access the database containing the user details.

11. Users

As with all things Linux, permissions to execute certain actions and to read certain files are all based around users and groups.

As such, we need to add postfix to the sasl group so it can access the saslauthd process we just setup.

sudo adduser postfix sasl

12. Restart Daemons

So far we have added and edited (and had a good time with) the configuration files. We need to restart the processes to ensure the changes are picked up and acted on:

sudo /etc/init.d/postfix restart
sudo /etc/init.d/saslauthd restart

13. Creating a self-signed SSL Certificate

From: http://articles.slicehost.com/2008/9/2/mail-server-secure-connection-creating-the-ssl-cert

Note that we will be creating a self-signed certificate, which will produce a warning in your mail client (Mail, Thunderbird, Outlook, etc.).

However, it will be fine if you are the only user of the mail server. You will need to purchase a valid certificate if other people or clients are using the mail server.

We're going to place the certificate in the default certificate folder in Ubuntu Hardy: /etc/ssl/certs. You can place it in the postfix folder if you prefer.

sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/certs/mailcert.pem

You will be asked for the hostname. Enter the hostname, e.g. sitenamehere.com

14. Configuring Postfix for a Secure Connection

Edit main.cf

From: http://articles.slicehost.com/2008/9/2/mail-server-secure-connection-configuring-postfix

sudo vi /etc/postfix/main.cf

Add the following lines:

# When we get a real SSL certificate, replace the following 2 lines:
smtpd_tls_cert_file = /etc/ssl/certs/mailcert.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
# ...with:
#smtpd_tls_cert_file = /etc/ssl/cert/mailcert.cert
#smtpd_tls_key_file = /etc/ssl/private/mailcert.key

Note that we've stubbed in the changes for the real SSL certificate files when we get them. We've temporarily used the self-signed certificate we created.

15. Courier installation

From: http://articles.slicehost.com/2008/9/2/mail-server-courier-installation

Note: If POP ends up not working, read the comment in the above link.

Package Installation

Installation of the various packages is very simple using the aptitude package manager. Remember we already have many packages installed when we looked at Postfix, MySQL and Saslauthd.

sudo aptitude install courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl

During the installation you will be asked if you wish to create directories for web based administration:

Select 'No' as the answer (no is the default anyway, so you should just need to press Enter/Return).

The next page requires a simple press of the Enter/Return key. We will configure Courier to use our self-signed certificate.

Configuration

Now we need to configure Courier to access the MySQL 'mail' database for authorisation.

Edit:

sudo vi /etc/courier/authdaemonrc

Find the following option:

authmodulelist="authpam"

Change it to:

authmodulelist="authmysql"

MySQL Configuration

The next courier file contains the details of the MySQL database:

Make a copy of the original in case we need to refer to it in the future:

sudo cp /etc/courier/authmysqlrc /etc/courier/authmysqlrc.original

Edit the file:

sudo vi /etc/courier/authmysqlrc

Remove all lines in the file (vi command :1,$d ) and replace with:

MYSQL_SERVER localhost
MYSQL_USERNAME mailadmin
MYSQL_PASSWORD the_password_here
MYSQL_PORT 0
MYSQL_DATABASE mail
MYSQL_USER_TABLE users
MYSQL_CRYPT_PWFIELD password
MYSQL_UID_FIELD 5000
MYSQL_GID_FIELD 5000
MYSQL_LOGIN_FIELD email
MYSQL_HOME_FIELD "/home/vmail"
MYSQL_MAILDIR_FIELD CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')

Replace the_password_here with the mailadmin password.
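The MYSQL_MAILDIR_FIELD expression above is the same one used in mysql-mailboxes.cf in step 6: CONCAT(SUBSTRING_INDEX(email,'@',-1), '/', SUBSTRING_INDEX(email,'@',1), '/') turns support@sitenamehere.com into sitenamehere.com/support/ under /home/vmail, and Postfix and Courier must agree on it or mail is delivered to one directory and read from another. The following is an added example for this page (not from the Adminbuntu article, Postfix or Courier) that reproduces that mapping in the shell so you can predict a mailbox path before inserting the users row. It also rejects input the SQL expression would happily accept: an address without '@' makes SUBSTRING_INDEX return the whole string twice (giving bob/bob/), and a local part containing '/' or '..' would become part of the filesystem path, which is a reason to validate addresses before they go into the table.

```shell
#!/bin/sh
# Added example (not from the Adminbuntu page, Postfix or Courier): derive
# the maildir path for a virtual user the way the MySQL expression does.
#
# vmail_maildir ADDRESS [BASE] -> prints BASE/domain/user/
# BASE defaults to /home/vmail, the virtual_mailbox_base used on this page.
vmail_maildir() {
    email=$1
    base=${2:-/home/vmail}
    case $email in
        ""|@*|*@|*@*@*)
            echo "vmail_maildir: malformed address '$email'" >&2; return 1 ;;
        */*|*..*)
            echo "vmail_maildir: path characters in '$email'" >&2; return 1 ;;
        *@*) ;;
        *)
            echo "vmail_maildir: no '@' in '$email'" >&2; return 1 ;;
    esac
    user=${email%%@*}      # SUBSTRING_INDEX(email,'@',1)
    domain=${email##*@}    # SUBSTRING_INDEX(email,'@',-1)
    printf '%s/%s/%s/\n' "$base" "$domain" "$user"
}

# When saved as vmail_maildir.sh (a name assumed here) and run directly,
# print the path for the address given on the command line.
case ${0##*/} in
    vmail_maildir.sh) vmail_maildir "$@" ;;
esac
```

Because the directory is created on first delivery (by Postfix's virtual agent, as the vmail uid and gid 5000), checking the expected path with this function and then looking for it after sending a test message is a quick way to confirm the Postfix and Courier halves of the setup line up.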

Restart Daemons

We have made some significant changes to the Courier setup so we need to restart Courier.

Note that there are 5 different daemons running: one main authorization daemon and 4 others relating to pop, pops, imap and imaps:

sudo /etc/init.d/courier-authdaemon restart
sudo /etc/init.d/courier-imap restart
sudo /etc/init.d/courier-imap-ssl restart
sudo /etc/init.d/courier-pop restart
sudo /etc/init.d/courier-pop-ssl restart

16. Opening ports in the firewall

Edit the file:

sudo vi /etc/iptables.test.rules

Just before the HTTP and HTTPS entries add the following details:

# Allows SMTP access
-A INPUT -p tcp --dport 25 -j ACCEPT

# Allows pop and pops connections
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# Allows imap and imaps connections 
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

Apply the new rules:

sudo iptables-restore < /etc/iptables.test.rules

Check out the changes, as applied:

sudo iptables -L

Become root:

sudo -i

Save the rules.

iptables-save > /etc/iptables.up.rules

And exit root:

exit

17. Adding domains and users to MySQL

If you are using a GUI to add the details, make sure that when you add a user's password, you enter it using the MySQL 'ENCRYPT' function.

Log into MySQL:

mysql -u root -p

…you will be prompted for the MySQL root password.

Switch to the mail database:

USE mail;

Add a Domain

INSERT INTO `domains` (`domain`) VALUES ('sitenamehere.com');

Note the use of backticks (`) around the table and column names and the use of single quotes (') around the actual value.

Add Users

INSERT INTO `users` (`email`, `password`) VALUES ('support@sitenamehere.com', ENCRYPT('passwordhere'));

Reload Postfix

sudo postfix reload

postfix.txt · Last modified: 2015/05/31 21:20 (external edit)