History / Status

  • DONE - spam/virus filtering removed. I now do this with a dedicated server.

Introduction

First things first. If you are a novice at Linux I don't think you should be trying to set this up. This is an advanced email server configuration. It will allow you to serve multiple domains on one server. You will get the following features:

  • postfix: the workhorse behind the mail delivery
  • smtp authentication
  • cyrus imap: imap and pop3 mailbox service
  • mysql: handle all the virtual domains and users
  • mail quotas
  • squirrelmail: web mail access

Let's get started

First - Building the Post Office

Installing the easy stuff

  1. Let's start with the Cyrus related stuff.
    > yum install cyrus-imapd cyrus-imapd-utils perl-Cyrus
  2. Let's install a mysql module for pam.
    > yum install pam_mysql
  3. Install pam-devel.
    > yum install pam-devel
  4. Now for the web interface for cyrus imap. Download web-cyradm from http://www.web-cyradm.org
    > wget http://www.web-cyradm.org/web-cyradm-0.5.4-1.tar.gz
    > tar -xzvf web-cyradm-0.5.4-1.tar.gz
    > mv web-cyradm-0.5.4-1 /usr/share/

Installing postfix

Wouldn't you know it: the postfix RPM from Fedora Core does not include mysql support. So let's install the correct version.
> yum remove postfix
> rpm -ivh http://www.campworld.net/downloads/postfix-2.2.8-1.2.i386.rpm
> yum install fetchmail mdadm

Configure web-cyradm

  • We need to create the initial log file.
    > touch /var/log/web-cyradm.log
    > chown apache /var/log/web-cyradm.log
  • We need php5 to play nicely with web-cyradm. Add the following to /etc/php.ini, just below the [PHP] line at the top.

; added for web-cyradm
allow_call_time_pass_reference = On

  • Copy the default config file so we can customize it.
    > cd /usr/share/web-cyradm-0.5.4-1/config
    > cp conf.php.dist conf.php
    > nano -w conf.php
  • First configure web-cyradm to access cyrus imap. Look for the following section in the file and enter the appropriate information.
 
# The Cyrus login stuff
$CYRUS = array(
        'HOST'  => 'localhost',
        'PORT'  => 143,
        'ADMIN' => 'cyrus',
        'PASS'  => 'secret'
);

  • We need to set the config file to connect to our database. So find the following in the file and edit it.
 
$DB = array(
        'TYPE'  => 'mysql',
        'USER'  => 'mail',
        'PASS'  => 'secret',
        'PROTO' => 'unix',      // set to "tcp" for TCP/IP
        'HOST'  => 'localhost',
        'NAME'  => 'mail'
);

  • find: $DOMAIN_AS_PREFIX = 0;
    change the 0 to a 1
  • We need a config file for apache
    > nano -w /etc/httpd/conf.d/webcyradm.conf
    Paste the following, then save and exit.

Alias /webcyradm /usr/share/web-cyradm-0.5.4-1
<Directory /usr/share/web-cyradm-0.5.4-1>
        php_flag allow_call_time_pass_reference on
</Directory>

Create database and tables

  1. switch to the scripts dir
    > cd /usr/share/web-cyradm-0.5.4-1/scripts/
  2. edit the insertuser_mysql.sql and change the password
    > nano -w insertuser_mysql.sql
  3. edit create_mysql.sql and change the passwords at the bottom
  4. Let's create the db and tables
    > mysql -u root -p < /usr/share/web-cyradm-0.5.4-1/scripts/insertuser_mysql.sql
    > mysql mail -u root -p < /usr/share/web-cyradm-0.5.4-1/scripts/create_mysql.sql

Configure PAM - Authentication that binds us all

NOTE: Each pam file you create should contain only 2 lines, one beginning with 'auth' and the other with 'account'. Enter each as a single line even where it appears wrapped on this page.

  • edit /etc/pam.d/imap and replace the Fedora defaults with the following
  
auth       sufficient   pam_mysql.so user=mail passwd=secret host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time
account    required     pam_mysql.so user=mail passwd=secret host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time
  • Now let's fix up the other pam files (run these from within /etc/pam.d)
    > mv smtp.postfix smtp.postfix.old
    > rm smtp
    > cp imap smtp
    > cp imap smtp.postfix
    > cp imap pop
    > cp imap sieve
    > cat smtp.postfix.old >> smtp.postfix
    > rm smtp.postfix.old

Configure saslauthd

Fedora doesn't start saslauthd with the right flags. Replace the contents of /etc/sysconfig/saslauthd with the following.

 
# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled to use.
MECH=pam

# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS=-r

Configure Cyrus IMAP

First we need to set the password for the cyrus user.
> passwd cyrus

Below you will see the config files you need to create. Be sure to change things such as the server name.

/etc/imapd.conf

 
postmaster: postmaster
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sieve_maxscriptsize: 320
sieve_maxscripts: 5
unixhierarchysep: yes
altnamespace: yes
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
allowanonymouslogin: no
allowplaintext: yes
allowplainwithouttls: yes
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
servername: host.example.com

/etc/imapd-local.conf

 
postmaster: postmaster
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sieve_maxscriptsize: 32
sieve_maxscripts: 5
unixhierarchysep: yes
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
allowanonymouslogin: no
allowplaintext: yes
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
servername: host.example.com
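
An added example, not code from the page or from Cyrus: both imapd.conf variants above combine sasl_mech_list: PLAIN with allowplaintext: yes, and the first also sets allowplainwithouttls: yes, so a client may send its password unencrypted before STARTTLS. The following POSIX shell script reads an imapd.conf and reports which case applies. It assumes awk is available, that Cyrus treats allowplaintext: no as "PLAIN/LOGIN only inside a TLS session" and allowplainwithouttls as the older name of the same switch, and the sample files written by demo() are constructed here.

```shell
#!/bin/sh
# Added example, not part of the original page: inspect a Cyrus imapd.conf
# and report whether clients may authenticate with a cleartext password over
# an unencrypted connection.
# Assumptions: POSIX sh with awk; "option: value" syntax as in the files
# above; Cyrus semantics where allowplaintext: no still accepts PLAIN/LOGIN
# once STARTTLS is active, and allowplainwithouttls is the older spelling of
# that switch. The files written by demo() are constructed samples.

# Print the value of OPTION from FILE ("" if absent); comment lines are
# skipped. Usage: imapd_value FILE OPTION
imapd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, key ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }
    ' "$1"
}

# Normalise the boolean spellings Cyrus accepts (yes/no, on/off, true/false,
# 1/0) to "yes" or "no". Usage: cyrus_bool VALUE
cyrus_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|on|true|1) echo yes ;;
        *) echo no ;;
    esac
}

# Return 0 when cleartext logins are confined to TLS sessions, 1 when a
# password could cross the wire unencrypted. Usage: cleartext_login_check FILE
cleartext_login_check() {
    mechs=$(imapd_value "$1" sasl_mech_list | tr 'a-z' 'A-Z')
    # An empty list means every installed mechanism, PLAIN included.
    if [ -n "$mechs" ]; then
        case " $mechs " in
            *" PLAIN "*|*" LOGIN "*) ;;
            *) return 0 ;;            # only non-cleartext mechanisms offered
        esac
    fi
    [ "$(cyrus_bool "$(imapd_value "$1" allowplaintext)")" = yes ] && return 1
    [ "$(cyrus_bool "$(imapd_value "$1" allowplainwithouttls)")" = yes ] && return 1
    return 0
}

# Constructed demonstration: the settings from the page next to a variant
# that keeps PLAIN but only inside TLS.
demo() {
    dir=$(mktemp -d)
    printf 'sasl_mech_list: PLAIN\nallowplaintext: yes\nallowplainwithouttls: yes\n' > "$dir/as-on-page.conf"
    printf 'sasl_mech_list: PLAIN\nallowplaintext: no\ntls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem\n' > "$dir/tls-only.conf"
    for f in "$dir"/*.conf; do
        if cleartext_login_check "$f"; then
            echo "$f: cleartext passwords only inside TLS"
        else
            echo "$f: cleartext passwords accepted without TLS"
        fi
    done
    rm -rf "$dir"
}

demo
```

Changing allowplaintext to no (and dropping allowplainwithouttls) keeps PLAIN working for clients that negotiate STARTTLS against the tls_cert_file already configured above, and the script then reports the file as clean.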

/etc/cyrus.conf

 
# standard standalone server implementation

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
  idled         cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=5
  imaps         cmd="imapd -s" listen="imaps" prefork=1
  pop3          cmd="pop3d" listen="pop3" prefork=3
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=1
  sieve         cmd="timsieved" listen="sieve" prefork=1

  # these are only necessary if receiving/exporting usenet via NNTP
#  nntp         cmd="nntpd" listen="nntp" prefork=3
#  nntps                cmd="nntpd -s" listen="nntps" prefork=1

  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1

  # this is only necessary if using notifications
#  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression,
  # Sieve or NNTP
  delprune      cmd="cyr_expire -E 3" at=0400

  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" at=0400
}

Configure Postfix

Here we go with more config files. You'll have to be sure to change some settings to match your host. The config files will have sections commented out. Don't worry about it; these sections are for spam/virus/sympa configuration. Just copy and paste to create the config files. Whatever you see here replaces what already exists.

/etc/postfix/main.cf

 
# postfix user/group
#soft_bounce=yes
mail_owner = postfix
setgid_group = postdrop
delay_warning_time = 4

# postfix paths
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
queue_directory = /var/spool/postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.2/samples
readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES

# network settings
inet_interfaces = all
mydomain = yourdomain.com
myhostname = host.yourdomain.com
mynetworks = 192.168.0.0/16,
        127.0.0.0/24,
        69.239.170.72/29
mydestination = $myhostname, 
        localhost.$mydomain, 
        localhost, 
        mysql:/etc/postfix/mysql-mydestination.cf
relay_domains = $mydestination

# mail delivery
local_transport = cyrus
mailbox_transport = cyrus
recipient_delimiter = + 

# mappings
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf,
                regexp:/etc/postfix/virtual_regexp
transport_maps = mysql:/etc/postfix/mysql-transport.cf,
                regexp:/etc/postfix/transport_regexp
#local_recipient_maps = 

# sympa parameters
# sympa_destination_recipient_limit = 1
# sympabounce_destination_recipient_limit = 1

# debugging
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

# authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = 
broken_sasl_auth_clients = yes

# rules restrictions 
# smtpd_client_restrictions = reject_rbl_client sb1.spamhaus.org
smtpd_helo_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender, 
        reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_sasl_authenticated, 
        permit_mynetworks, 
        reject_unauth_destination,
        reject_non_fqdn_recipient, 
        reject_unknown_recipient_domain
smtpd_helo_required = yes
unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
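
An added check, not part of the original page or of Postfix itself: the smtpd_recipient_restrictions list above only stops third-party relaying because reject_unauth_destination appears before any unconditional permit, and every range in mynetworks may relay without authenticating. This POSIX shell script reads a main.cf, joins continuation lines the way Postfix does, and fails when either safeguard is missing. It assumes awk and mktemp are present and the parameter = value syntax shown above; the sample files written by demo() are constructed here, not taken from a real server.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a Postfix main.cf for
# the two settings that decide whether the server is an open relay.
# Assumptions: POSIX sh with awk and mktemp; main.cf syntax as above, where a
# line beginning with whitespace continues the previous parameter. The files
# written by demo() are constructed samples.

# Print the value of one main.cf parameter with continuation lines joined,
# commas replaced by spaces and whitespace collapsed ("" if the parameter is
# absent). Usage: postconf_value FILE PARAMETER
postconf_value() {
    awk -v key="$2" '
        /^[ \t]/ { if (found) val = val " " $0; next }   # continuation line
        { if (found) exit }                              # value has ended
        $0 ~ "^" key "[ \t]*=" { found = 1; sub("^" key "[ \t]*=", ""); val = $0 }
        END {
            gsub(/,/, " ", val); gsub(/[ \t]+/, " ", val)
            sub(/^ /, "", val); sub(/ $/, "", val); print val
        }' "$1"
}

# Return 0 when smtpd_recipient_restrictions contains reject_unauth_destination
# (or the newer defer_unauth_destination) and no unconditional "permit"
# precedes it; return 1 otherwise. Usage: relay_check FILE
relay_check() {
    seen=0
    for item in $(postconf_value "$1" smtpd_recipient_restrictions); do
        case "$item" in
            reject_unauth_destination|defer_unauth_destination) seen=1 ;;
            permit) [ "$seen" -eq 1 ] || return 1 ;;   # reached first: everyone may relay
        esac
    done
    [ "$seen" -eq 1 ]
}

# Return 0 unless mynetworks (whose members relay without authenticating)
# contains a /0 prefix covering the whole Internet. Usage: mynetworks_check FILE
mynetworks_check() {
    for net in $(postconf_value "$1" mynetworks); do
        case "$net" in */0) return 1 ;; esac
    done
    return 0
}

# Constructed demonstration: the restrictions from the page next to a
# misconfigured variant.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/main.cf" <<'EOF'
mynetworks = 192.168.0.0/16,
        127.0.0.0/24
smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_non_fqdn_recipient
EOF
    cat > "$dir/open.cf" <<'EOF'
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit
EOF
    for f in "$dir/main.cf" "$dir/open.cf"; do
        if relay_check "$f" && mynetworks_check "$f"; then
            echo "$f: relay restrictions OK"
        else
            echo "$f: OPEN RELAY RISK"
        fi
    done
    rm -rf "$dir"
}

demo
```

Run it against /etc/postfix/main.cf before exposing port 25; the output of postconf -n uses the same parameter = value form and can be checked the same way.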

/etc/postfix/master.cf

 
#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#  -o content_filter=smtp-amavis:127.0.0.1:10024
#  -o receive_override_options=no_address_mappings
#submission inet n      -       n       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter= 
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
# spam/virus section
#
#smtp-amavis  unix  -    -       y       -       2       smtp
#  -o smtp_data_done_timeout=1200
#  -o disable_dns_lookups=yes
#  -o smtp_send_xforward_command=yes
#127.0.0.1:10025 inet n  -       y       -       -       smtpd
#  -o content_filter=
#  -o smtpd_helo_restrictions=
#  -o smtpd_sender_restrictions=
#  -o smtpd_recipient_restrictions=permit_mynetworks,reject
#  -o mynetworks=127.0.0.0/8
#  -o smtpd_error_sleep_time=0
#  -o smtpd_soft_error_limit=1001
#  -o smtpd_hard_error_limit=1000
#  -o receive_override_options=no_header_body_checks
#  -o smtpd_bind_address=127.0.0.1
#  -o smtpd_helo_required=no
#  -o smtpd_client_restrictions=
#  -o smtpd_restriction_classes=
#  -o disable_vrfy_command=no
#  -o strict_rfc821_envelopes=yes
#
# transport entry for the mailing lists
#
#sympa        unix  -       n       n       -       -       pipe
#  flags=R user=sympa argv=/home/sympa/bin/queue ${recipient}
#sympabounce  unix  -       n       n       -       -       pipe
#  flags=R user=sympa argv=/home/sympa/bin/bouncequeue ${user}

/usr/lib/sasl2/smtpd.conf

 
pwcheck_method: saslauthd
mech_list: plain login

/etc/postfix/mysql-canonical.cf

 
# mysql config file for canonical lookups on postfix
# comments are ok.
#

# the user name and password to log into the mysql server
hosts = 127.0.0.1
user = mail
password = secret

# the database name on the servers
dbname = mail

# the table name
table = virtual
#
select_field = alias
where_field = username
# Return the first match only
additional_conditions = and status = '1' limit 1

/etc/postfix/mysql-mydestination.cf

 
# mysql config file for local domain (like sendmail's sendmail.cw) lookups on postfix
# comments are ok.
#

# the user name and password to log into the mysql server
hosts = 127.0.0.1
user = mail
password = secret

# the database name on the servers
dbname = mail

# the table name
table = domain
#
select_field = domain_name
where_field = domain_name

/etc/postfix/mysql-relay.cf

 
#
# mysql config file for transport lookups on postfix
# comments are ok.
#

# the user name and password to log into the mysql server
hosts = 127.0.0.1
user = mail
password = secret

# the database name on the servers
dbname = mail

# the table name
table = domain

#
select_field = transport
where_field = domain_name

/etc/postfix/mysql-transport.cf

 
#
# mysql config file for transport lookups on postfix
# comments are ok.
#

# the user name and password to log into the mysql server
hosts = 127.0.0.1
user = mail
password = secret

# the database name on the servers
dbname = mail

# the table name
table = domain

#
select_field = transport
where_field = domain_name

/etc/postfix/mysql-virtual.cf

 
#
# mysql config file for alias lookups on postfix
# comments are ok.
#

# the user name and password to log into the mysql server
hosts = 127.0.0.1
user = mail
password = secret

# the database name on the servers
dbname = mail

# the table name
table = virtual

#
select_field = dest
where_field = alias
additional_conditions = and status = '1'
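
An added check, not from the page or from Postfix: each of the mysql-*.cf files above carries the database password in clear text, and Postfix opens them as the unprivileged postfix user, so they cannot be root-only but should not be world-readable either (640 root:postfix is the usual setting). This script flags any password-bearing map that other users can read. It assumes POSIX sh with grep and a stat that accepts -c (as on Fedora), and the mysql-*.cf naming from this page; the files written by demo() are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: verify that the Postfix
# lookup-table files above, which carry "password = secret" in plain text,
# are not readable by every local user. Postfix reads them as the postfix
# user, so 640 root:postfix is the usual target; this script checks the
# "other" bits only, which works on any directory and needs no root.
# Assumptions: POSIX sh with grep and GNU/BusyBox stat -c (as on Fedora);
# the mysql-*.cf naming from this page; sample files are constructed.

# Return 0 when FILE holds a password line and "other" has no read bit,
# 1 when the password is world-readable, 2 when there is no password line.
# Usage: map_secret_check FILE
map_secret_check() {
    grep -q '^[[:space:]]*password[[:space:]]*=' "$1" || return 2
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *[4-7]) return 1 ;;   # last octal digit is "other"; 4-7 include read
        *) return 0 ;;
    esac
}

# Audit every mysql-*.cf in DIR, printing one line per file; return 1 if any
# password-bearing file is world-readable. Usage: audit_map_dir DIR
audit_map_dir() {
    rc=0
    for f in "$1"/mysql-*.cf; do
        [ -e "$f" ] || continue      # unmatched glob
        map_secret_check "$f" && status=0 || status=$?
        case "$status" in
            0) echo "ok        $(stat -c '%a %U:%G' "$f") $f" ;;
            1) echo "EXPOSED   $(stat -c '%a %U:%G' "$f") $f"; rc=1 ;;
            2) echo "no secret $(stat -c '%a %U:%G' "$f") $f" ;;
        esac
    done
    return "$rc"
}

# Constructed demonstration: one file as a default umask leaves it (644) and
# one already tightened to 640.
demo() {
    dir=$(mktemp -d)
    printf 'hosts = 127.0.0.1\nuser = mail\npassword = secret\ndbname = mail\n' > "$dir/mysql-virtual.cf"
    chmod 644 "$dir/mysql-virtual.cf"
    cp "$dir/mysql-virtual.cf" "$dir/mysql-canonical.cf"
    chmod 640 "$dir/mysql-canonical.cf"
    if audit_map_dir "$dir"; then
        echo "all map files with credentials are protected"
    else
        echo "fix with: chmod 640 /etc/postfix/mysql-*.cf && chgrp postfix /etc/postfix/mysql-*.cf"
    fi
    rm -rf "$dir"
}

demo
```

The same check applies to /etc/pam.d/imap and its copies above, which embed the identical passwd=secret, except that those must stay readable by the cyrus user that imapd runs as.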

/etc/postfix/transport_regexp

 
# /^.*+owner\@lists\..*$/ sympabounce:
# /^.*\@lists\..*$/       sympa:

/etc/postfix/virtual_regexp

 
# This will be used to deal with the mailing lists
#/^(.*)-owner\@lists\.(.*)$/    $1+owner@lists.$2

Configuring the Little Things That Drive You MAD

Be sure your /etc/hosts looks similar to the following.

 
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost
192.168.11.21   host.domain.com

Preparing and Testing the Postoffice

First things first. Reboot the system. If everything went well we all should be at the same point. We need to start some services that are not started yet.

> /etc/init.d/cyrus-imap start
> /etc/init.d/saslauthd start

No errors? Let's keep going. Log into webmin or use ntsysv and set saslauthd and cyrus-imap to start on boot.

Set up a test domain and account. Set up your favorite mail client and send some test emails.

Webmail Client

We should next give our users a web interface to their mail. This is an optional install. The program we're going to install is SquirrelMail. So just type:
> yum install squirrelmail

The easy part is over. Now we need to do some configuration. Luckily squirrelmail has a configuration utility. So type:
> /usr/share/squirrelmail/config/conf.pl

Here's the settings to be changed

  • Under server settings change sendmail to SMTP
  • Under update IMAP settings change the software to cyrus and the delimiter to '.'.
  • Other config changes are optional.

You should now be able to log in to your mail server. The URL would be 'host.domain.com/webmail'. Remember your username is in the format: user.domain.com

Conclusion

With a bit of work you come out with a robust server.

Theme by Richard Camp
(C) Copyright 1996-2007 by Richard Camp All rights reserved