How to Mail Server
Postfix/Dovecot/SMTP auth with sasl/squirrelmail/clamav/spamassassin/amavis/dkim/Postfixadmin & virtual users using mysql
Prerequisites:
- CentOS 5.3
- Intermediate knowledge of Linux
- apache
- mysql
- saslauthd
- Centos/Base repository
Purpose:
I have created this how to produce all these integrated howtos from one place because I have to make hard struggle to find out all these things & off course to configure with integration. I have followed how to from different sites & this how to is also derived from those I have adjusted it according to my requirements you can also do it
Installing & configuring Postfix SMTP server with mysql support
The version of Postfix that comes with Red Hat Enterprise Linux 5 or CentOS 5 does not support MySQL lookups. You can build your own custom Postfix RPM or get a prebuilt RPM from the CentOS Plus repository. You can use the CentOS repository in RHEL since CentOS is binary compatible with RHEL. This article describes how to install Postfix with MySQL lookup table support from the CentOS Plus repository.
login to your server open terminal & type the following command
vi /etc/yum.repos.d/CentOS-Base.repo
edit the lines below
[updates]
exclude=postfix
[centosplus]
enabled=1
includepkgs=postfix
If you have already installed postfix first remove it
yum remove postfix
Now install the version of Postfix found in the CentOS Plus repository
yum install postfix
To verify MySQL support, type following command and check if mysql is found in the output
postconf -m
[root@cu config]# postconf -m
btree
cidr
environ
hash
ldap
mysql
nis
pcre
pgsql
proxy
regexp
static
unix
Switch to Postfix from Sendmail
By default, Sendmail is the active SMTP server. Here’s how to change it.
alternatives --config mta
now choose postfix by entering number
Configuring Postfix
vi /etc/postfix/main.cf
Find the following keys and change its values as follows
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
home_mailbox = Maildir/
Note:Make sure that all mail_spool_directory lines are commented out. Otherwise, it will override the setting in the home_mailbox line above.
Now restart postfix or start if it first time
service postfix restart
chkconfig postfix on
Checking Postfix/ SMTP
you can verify this by doing telnet on smtp port
hint:If you encounter any problems, check the log file at
/var/log/maillog
Dovecot POP3/IMAP Server Setup
First install dovecot
yum install dovecot
After that
vi /etc/dovecot.conf
Find the following keys and change its values as follows
protocols = pop3 pop3s imap imaps
mail_location = maildir:~/Maildir/
pop3_uidl_format = %08Xu%08Xv
imap_client_workarounds = delay-newmail outlook-idle netscape-eoh
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
Now start service
service dovecot start
chkconfig dovecot on
Checking Dovecot
you can verify this by doing telnet on pop/imap port
Hint:If you encounter any problems, check the log file at
Postfix SMTP Authentication and Dovecot SASL
First dovecot
Edit the file “/etc/dovecot.conf” and make sure your auth default section has the lines below
vi /etc/dovecot.conf
auth default {
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
mechanisms = plain login
}
Now Postfix/SMTP
mynetworks = 127.0.0.0/8
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes
Edit /etc/postfix/main.cf, find the keys below and change its values as follows or add it at the bottom of the file if the key (the word before the = sign) cannot be found
Hint:The first line says trust only localhost, meaning only localhost can send email outside the network (relay). The last line is there to support old clients like Microsoft Outlook Express 4.0 and Microsoft Exchange 5.0 just in case someone is still using it
Now restart postfix & dovecot
service postfix restart
service dovecot restart
now you can verify both services by telnet if you face any problem check above mentioned log file
Note: make sure that “saslauthd” is started
SquirrelMail Webmail Setup
yum install squirrelmail
you can now access it
http://servername/webmail
Configuring Squirrelmail
cd /usr/share/squirrelmail/config/
./conf.pl
2
1
Enter your domain name
abc.com
After entring dns name now press
3
smtp
After saving information quit from menue
This is the minimum configuration for squirrel webmail they are lot of other option like organization setting, logo change now it your to-do to explore this further
Note:Now at this point your minimum mail server is configured with system username & password u can logon by
but prior to this start apache
service httpd start
chkconfig httpd on
How to Install Postfix Admin
Install the Postfix Admin requirements using the command below
yum install php-mysql php-imap
Download the latest stable version of Postfix Admin in .tar.gz format here. Assuming you got the file postfixadmin-2.2.1.1.tar.gz, type in the commands below to extract and to put it into its proper directory
tar -xvzf postfixadmin-2.2.1.1.tar.gz
mv postfixadmin-2.2.1.1 /usr/share/postfixadmin
Create the Postfix Admin MySQL database using the commands below. The default root password of MySQL is a blank password
Start mysql service if it is not strated
service mysqld strat
chkconfig mysql on
mysql -u root -p -e "CREATE DATABASE postfix;"
mysql -u root -p -e "CREATE USER postfix IDENTIFIED BY 'password';"
mysql -u root -p -e "GRANT ALL PRIVILEGES ON postfix.* TO postfix;"
Edit the file /usr/share/postfixadmin/config.inc.php and update the following lines below
$CONF['configured'] = true;
$CONF['postfix_admin_url'] = '/postfixadmin';
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = 'your_password';
$CONF['database_name'] = 'postfix';
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['encrypt'] = 'cleartext';
Configuring the Postfix Admin Web Application
Create the file /etc/httpd/conf.d/postfixadmin.conf containing the line below
vi /etc/httpd/conf.d/postfixadmin.conf
Alias /postfixadmin /usr/share/postfixadmin
Restart httpd
service httpd restart
Go to the Postfix Admin setup page a
http://servername/postfixadmin/setup.php
Ccreate a new admin user. The admin user name should be a valid email address. Delete setup.php when you are done
Go to the Postfix Admin login page at http://servername/postfixadmin/ and login using your newly created admin account
Note: You must create mysql root passowrd
Postfix/dovecot virtual users using mysql
Now we configure Postfix and Dovecot to handle multiple domains stored in MySQL. Postfix Admin is used to manage the domains, mailboxes and aliases in MySQL.
creating the Virtual Mail User Account
useradd vmail
passwd vmail
vi /etc/passwd
just change after the home directory path
vmail:x:501:501::/home/vmail:/bin/nologin
Create the file “/etc/postfix/mysql-domains.cf”
vi /etc/postfix/mysql-domains.cf
Add following lines
host = localhost
user = postfix
password = your_password
dbname = postfix
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
Save&exit
Create the file “/etc/postfix/mysql-users.cf “
vi /etc/postfix/mysql-users.cf
Add following lines
host = localhost
user = postfix
password = your_password
dbname = postfix
table = mailbox
select_field = maildir
where_field = username
result_format = %sMaildir/
Save&exit
Create the file “/etc/postfix/mysql-aliases.cf”
vi /etc/postfix/mysql-aliases.cf
Add following lines
host = localhost
user = postfix
password = your_password
dbname = postfix
table = alias
select_field = goto
where_field = address
Edit the postfix configuration file
vi /etc/postfix/main.cf
mydestination = $myhostname, localhost.$mydomain, localhost
and add the lines below
virtual_mailbox_domains = mysql:/etc/postfix/mysql-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-users.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-aliases.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:501
virtual_gid_maps = static:501
Note:virtual_mailbox_base, virtual_uid_maps and virtual_gid_maps should contain the home directory, user id and group id of vmail respectively
Note:Make sure $mydomain in mydestination has been removed, otherwise the lookup will not work and you will get a “User unknown in local recipient table” error in some cases myhost to.
Configuring Dovecot
Create the file “/etc/dovecot-mysql.conf”
vi /etc/dovecot-mysql.conf
driver = mysql
connect = host=localhost dbname=postfix user=postfix password=password
default_pass_scheme = PLAIN
password_query = SELECT password FROM mailbox WHERE username = '%u'
svae&exit
Edit the file “/etc/dovecot.conf”
vi /etc/dovecot.conf
passdb sql {
args = /etc/dovecot-mysql.conf
}
userdb static {
args = uid=501 gid=501 home=/home/vmail/%d/%n
}
Note:uid, gid and home should contain the user id, group id and home directory respectively of the vmail user account.
Note:If you encounter any problems, check the log file at /var/log/maillog
Install the SquirrelMail Change Password Plugin
cd /usr/share/squirrelmail/plugins
Connect to your SquirrelMail server and note down its version.
Download the Change Passwd and Compatibility plugins
tar xvfz compatibility-2.0.14-1.0.tar.gz
tar xvfz change_sqlpass-3.3-1.2.tar.gz
Extract the downloaded files and put them into the /usr/share/squirrelmail/plugins directory.
If your version of SquirrelMail is not 1.4.13 and higher or 1.5.1 and higher, you need to patch your SquirrelMail source
cd compatibility/
Compatibility patch by typing in the command below
patch -p0 <>
cd ..
cd change_sqlpass
cp config.php.sample config.php
vi vi config.php
Note:Change the following required parameters your parameters may differ but if you have follow this howto from top to till this setting will work, you only have to give postfix database password
$csp_dsn = 'mysql://postfix:your_password@localhost/postfix';
$lookup_password_query = 'SELECT count(*) FROM mailbox WHERE username = "%1" AND password = "%5"';
$password_update_queries = array(
'UPDATE mailbox SET password = "%5" WHERE username = "%1"',
$force_change_password_check_query = '';
$password_encryption = 'NONE';
$csp_salt_query = '';
save&exit
They are other options you can also play it
Note:if you are experiencing blank screen problem after logging in squirellmail the mostlikly your data base setting is not correct & mak double check on config .php in changpass module directory
/usr/share/squirrelmail/config/conf.pl
you'll see the following menu. Navigate through it as indicated:
SquirrelMail Configuration Read config.php(1.4.0)
---------------------------------------------------------
MainMenu--
1.Organization Preferences
2.Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day(MOTD)
8. Plugins
9. Database
10. Languages
Command >> ← 8
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
Installed Plugins
1. delete_move_next
2. squirrelspell
3. newmail
4. filters
Available Plugins:
5. translate
6. compatibility
7. administrator
8. bug_report
9. abook_take
10. listcommands
11. message_details
12. fortune
13. mail_fetch
14. calendar
15. spamcop
16. change_sqlpass
17. sent_subfolders
18. info
R Return to Main Menu
C Turn color on
S Save data
Q Quit
Command >>
6
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
Installed Plugins
1. delete_move_next
2. squirrelspell
3. newmail
4. filters
5. compatibility
Available Plugins:
6. translate
7. administrator
8. bug_report
9. abook_take
10. listcommands
11. message_details
12. fortune
13. mail_fetch
14. calendar
15. spamcop
16. change_sqlpass
17. sent_subfolders
18. info
R Return to Main Menu
C Turn color on
S Save data
Q Quit
Command >>
16
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
Installed Plugins
1. delete_move_next
2. squirrelspell
3. newmail
4. filters
5. compatibility
6. change_sqlpass
Available Plugins:
7. translate
8. administrator
9. bug_report
10. abook_take
11. listcommands
12. message_details
13. fortune
14. mail_fetch
15. calendar
16. spamcop
17. sent_subfolders
18. info
R Return to Main Menu
C Turn color on
S Save data
Q Quit
Command >>
s
Command >>
q
clamav/spamassassin/amavis
Adding DAG repo
To install amavis and clamav, we need to add dag repositories since the packages mentioned are not available on the centos base repositories.To do this, we have to create a file named “/etc/yum.repos.d/dag.repo “
vi /etc/yum.repos.d/dag.repo
Add the following lines
[dag]
name=Dag-RHEL-Yum
baseurl=http://dag.linux.iastate.edu/dag/redhat/el$releasever/en/$basearch/dag
http://www.mirrorservice.org/sites/apt.sw.be/redhat/el$releasever/en/$basearch/dag
http://mirrors.ircam.fr/pub/dag/redhat/el$releasever/en/$basearch/dag
http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
enabled=1
gpgcheck=1
save & exit
After doing that, we need to import dag rpm-gpg-key with the command below:
rpm --import http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
if you are unable to imort just wget these keys & import localy
Now we are ready to install, do it as root with the command below.
yum install amavisd-new clamav clamd
yum install perl-Archive-Tar.noarch
touch /var/log/amavis.log && chown amavis.amavis /var/log/amavis.log
Edit/etc/amavis.conf, then set the $domain and $hostname to our own value and then uncomment the following:
vi /etc/amavis.conf
$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
$notify_method = $forward_method; # where to submit notifications
Disable virus quarantines: change the value of $QUARANTINEDIR the line:
$QUARANTINEDIR = undef;
If we dont want our system to notify those senders that we did not accept their email attachment or we found out that their email has virus, uncomment the ff: below.
# $final_virus_destiny = D_DISCARD;
# $final_banned_destiny = D_BOUNCE;
# $final_spam_destiny = D_BOUNCE;
# $final_bad_header_destiny = D_PASS;
Next, find and uncomment the Clam AV section. Comment out all virus scanners you are not using:
### http://www.clamav.net/
['Clam Antivirus-clamd',
\&ask_daemon, ["CONTSCAN { }\n", "/var/run/clamav/clamd.ctl"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
Make sure amavis is not currently running, do the command:
/etc/init.d/amavis stop
then do the command
amavis debug
( if you found error, then troubleshoot)
Start amavis now:
/etc/init.d/amavis start
chkconfig amavis on
Try to
telnet 127.0.0.1 10024
You should get the response below showing that amavis has been running.
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
Now we have to configure Postfix to pipe incoming email through amavisd-new:
postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
postconf -e 'receive_override_options = no_address_mappings
Next, configure Postfix to use Amavisd-new, which will now function as an SMTP proxy server. Add this to the end of /etc/postfix/master.cf:
vi /etc/postfix/master.cf
amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_bind_address=127.0.0.1
Then add this line to /etc/postfix/main.cf:
content_filter = smtp-amavis:[127.0.0.1]:10024
Then restart postfix by the command below:
/etc/init.d/postfix restart
Now open /etc/clamav.conf and /etc/amavisd.conf, and make sure that amavisd.conf references the LocalSocket file:
vi /etc/clamav/clamav.conf
LocalSocket /var/run/clamav/clamd.ctl
Save&exit
vi /etc/amavis/amavisd.conf
### http://www.clamav.net/
['Clam Antivirus-clamd',
\&ask_daemon, ["CONTSCAN { }\n", "/var/run/clamav/clamd.ctl"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
Note:It might happen that /var/run/clamav/clamd.ctl does not exist and when you will try to start clamd, it won't start since it did'nt find that file or does not have the right to create or use the file so we can do the command:
touch /var/run/clamav/clamd.ctl
and then
chown amavis.amavis /var/run/clamav/clamd.ctl
Now we need to change some lines on clamd.conf and freshclam.conf..see below:
vi /etc/clamd.conf
User amavis #orig user is clamav
Also change some default settings below
# Path to a local socket file the daemon will listen on.
# Default: disabled
LocalSocket /var/run/clamav/clamd.sock
#note, the default is that LocaSocket was commented so have to uncomment it
#Below, the default is that TCPSocket has no comment so you have to comment it
#because if you forget to comment that line, when you restart Clamav, the error would be
#Starting Clam AntiVirus Daemon: ERROR: You can select one mode only (local/TCP).
# TCP port address.
# Default: disabled
#TCPSocket 3310
vi /etc/freshclam
DatabaseOwner amavis #orig is clamav
Now try to chown some clamav folder to amavis.amavis
LogFile /var/log/clamav/clamav.log
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/clamav/
Finally, hunt down any files belonging to Clam AV in /etc/logrotate.d/.
For example:
/etc/logrotate.d/clamav
/etc/logrotate.d/freshclam
The filenames may vary. Inside each file, find this line:
Change it to:
create 640 clamav amavis
Save the changes and reload clamav and that's it! You can now check the maillog of by the command:
tail -f /var/log/maillog
You can also try to check if CLAMV anti-virus really functioning. Try to create a file in you name test.com ( do this inside your linux box ) paste the line of characters below without the quotes.
"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* "
This is the eicar anti-virus test file. Email this file as attachement to the user on that box or from that box to outside and you will see messages something like below, saying that it did detected this file as a sort of infected file.
log file below:
Feb 20 10:24:22 pacland amavis[3786]: (03786-06) Blocked INFECTED
(Eicar-Test-Signature), <> -> , Message-ID:
<20060220022421.ga25880@test.net>, mail_id: qvSy9GYSCarX,
Hits: -, 614 ms
Feb 20 10:24:22 pacland postfix/smtp[25890]: C564C4A665:
to=, relay=127.0.0.1[127.0.0.1], delay=1,
status=sent (250 2.7.1 Ok, discarded, id=03786-06 - VIRUS: Eicar-Test-Signature)
If you find this in your log files, it means that the installation has been functioning well basically.
Installing and configuring spamassassin
On Centos, "yum install spamassassin or check if might be already installed. After the installation,
rpm -q spamassassin
if not
yum intsall spamassassin
Edit “/etc/amavis.conf”
vi /etc/amavis.conf
Uncomment and set
$final_spam_destiny = D_PASS; # (defaults to D_REJECT)
D_PASS allow the message to be delivered to the recipient and let the recipient decide what to do.
D_DISCARD will drop the message at smtp level, avoiding extra usage of bandwidth. Set the following:
$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = -999; # triggers spam evasive actions
# string to prepend to Subject header field when message exceeds tag2 level
$sa_spam_subject_tag = '***SPAM*** ';
Then chown the spamassassin folders and files, as root, do the command.
chown -R amavis:amavis /usr/share/spamassassin
Now, to test your system if it really filters spam, at least basically, try to email a certain account on the host that has been installed with spamassassin with a message that contains "penis enlargement, viagra" and I'm sure it will be block as spam.
Then restart amavis-new
/etc/init.d/amavisd restart
Check this out -/spamassassin autoconfigurator/-
Installing & configuring DKIM
Installation
Install the rpm, ignore dependencies as csh is a dependency but it does not affect dkim-milter; it's only required for some sample scripts that are shipped with the rpm.
rpm -Uvh http://www.c-corp.net/linux/centos/5/general/RPMS/i386/dkim-milter-2.2.1-1.i386.rpm --nodeps
mkdir /etc/dkim-milter
chown dkim-milt.dkim-milt /etc/dkim-milter
chmod 700 /etc/dkim-milter
chgrp postfix /var/run/dkim-milter
chmod 770 /var/run/dkim-milter
Generate The Keys
Download this script that you can use to easily generate the keys for signing the mail:
./dkim-genkey.sh -d
Replace
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDvwn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+zJVW+CKpUcI8BJD03iW2l1CwIDAQAB"
; ----- DKIM default for topdog-software.com
Default.private contains your private key. Move this file into /etc/dkim-milter and rename it
mv default.private /etc/dkim-milter/
Edit the file /etc/sysconfig/dkim-milter and set the variables:
USER="dkim-milt"
PORT=local:/var/run/dkim-milter/dkim.sock
SIGNING_DOMAIN="
SELECTOR_NAME="default"
KEYFILE="/etc/dkim-milter/${SIGNING_DOMAIN}_${SELECTOR_NAME}.key.pem"
SIGNER=yes
VERIFIER=yes
CANON=simple
SIGALG=rsa-sha1
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"
Init Script Fix
Install my modified init script as the one that is supplied with the rpm has a bug.
wget http://www.topdog-software.com/files/dkim-milter -O /etc/init.d/dkim-milter
chkconfig --level 345 dkim-milter on
service dkim-milter start
chkconfig dkim-milter on
Configure Postfix
Add this to the postfix configuration file /etc/postfix/main.cf:
smtpd_milters = unix:/var/run/dkim-milter/dkim.sock
non_smtpd_milters = unix:/var/run/dkim-milter/dkim.sock
Append to the existing milters if you have other milters already configured.
Start dkim-milter and restart Postfix:
service dkim-milter start
service postfix restart
Note: now check mail it is working or not in case of problem check /var/log/maillog.
Possible Error
if your postfix fail to start due to error “/var/run/dkim-milter/dkim.sock” not found then
vi /etc/sysconfig/dkim-milter
uncomment the following lines
PORT="inet:10035@localhost"
Testing
Send a message to autorespond+dkim@dk.elandsys.com; the system will return a response to let you know if DKIM is working.
References
http://aioshin.blogspot.com/2006/02/quick-how-to-on-installing-amavis.html
http://www.topdog.za.net/howtos
