History / Status

  • COMPLETE

Introduction

First things first: if you are a novice at Linux, I don't think you should be trying to set this up. This is an advanced email server configuration that lets you serve multiple domains on one server. You get the following features:

  • Postfix: the workhorse behind mail delivery
  • SMTP authentication
  • secure SMTP using TLS
  • Dovecot: IMAP and POP3 mailbox service
  • secure IMAP and POP3
  • MySQL: handles all the virtual domains and users
  • PostfixAdmin: GUI for domain administration
  • SquirrelMail: web mail access

Let's get started.

Installing The Software

We'll start with the yum installs.
> yum install dovecot dovecot-mysql squirrelmail cyrus-sasl-devel cyrus-sasl-sql subversion

If you followed my other base server howto then postfix may not be up to date. We need MySQL support, so my repo contains the needed version.
> yum update postfix

Postfix Admin doesn't have an rpm, so we need to download it and put it where we want it. Wouldn't you know it, the 2.1.0 release has problems with MySQL 5, so we need to download the version from svn.
> svn co https://postfixadmin.svn.sourceforge.net/svnroot/postfixadmin/trunk postfixadmin
> mv postfixadmin /usr/share/

Configuring The Server

Configuring Postfix Admin

Create the apache config file for postfixadmin and restart apache.
/etc/httpd/conf.d/postfixadmin.conf

Alias /mailadmin /usr/share/postfixadmin
<Directory "/usr/share/postfixadmin">
  AllowOverride AuthConfig
</Directory>

> service httpd restart

Now we need to set up the MySQL database for postfixadmin. An SQL file is provided in the postfixadmin directory. You'll need to edit the file and set the desired passwords for the database users postfix and postfixadmin. Be sure to uncomment the 'INSERT' lines between the 'CREATE' line and the 'FLUSH PRIVILEGES' line. Here are the commands.
> cd /usr/share/postfixadmin
> nano -w DATABASE_MYSQL.TXT
> mysql -u root -p < DATABASE_MYSQL.TXT

Now it's time to set up the config file. Don't forget to set your password. Find the following items and change them.
> nano -w config.inc.php

// Postfix Admin Path
// Set the location to your Postfix Admin installation here.
$CONF['postfix_admin_url'] = '/mailadmin/';

// Database Config
// mysql = MySQL 3.23 and 4.0
// mysqli = MySQL 4.1
// pgsql = PostgreSQL
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'postfixadmin';
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = '';

$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['encrypt'] = 'cleartext';

Note that $CONF['encrypt'] = 'cleartext' stores mailbox passwords unhashed in the database; the SASL and Dovecot queries later in this howto depend on that, since they read the password column as-is and compare it as PLAIN.

Log into the web interface and follow the directions.
http://yourdomain.tld/mailadmin/

NOTE: Don't forget to remove /usr/share/postfixadmin/setup.php once you are done. PostfixAdmin will complain until you do.

Configuring Postfix

Here we go with more config files. Be sure to change some settings to match your host. The config files have sections commented out; don't worry about them, they are for spam/virus/sympa configuration. Just copy and paste to create the config files. Whatever you see here replaces what already exists.

The main postfix config files.
/etc/postfix/main.cf

# postfix config file

# uncomment for debugging if needed
#soft_bounce=yes

# postfix main
mail_owner = postfix
setgid_group = postdrop
delay_warning_time = 4

# postfix paths
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
queue_directory = /var/spool/postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.2/samples
readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES

# network settings
inet_interfaces = all
mydomain = yourdomain.com
myhostname = host.yourdomain.com
mynetworks = 192.168.0.0/16,
        127.0.0.0/24,
        69.239.170.72/29
mydestination = $myhostname, 
        localhost.$mydomain, 
        localhost 
relay_domains = $mydestination

# mail delivery
recipient_delimiter = + 

# mappings
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#local_recipient_maps = 

# virtual setup
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf,
                regexp:/etc/postfix/virtual_regexp
virtual_gid_maps = static:89
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_minimum_uid = 89
virtual_transport = virtual
virtual_uid_maps = static:89

# debugging
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

# authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

# tls config
smtp_use_tls = yes
smtpd_use_tls = yes 
smtp_tls_note_starttls_offer = yes 
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# rules restrictions 
# smtpd_client_restrictions = reject_rbl_client sb1.spamhaus.org
smtpd_helo_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender, 
        reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_sasl_authenticated, 
        permit_mynetworks, 
        reject_unauth_destination,
        reject_non_fqdn_recipient, 
        reject_unknown_recipient_domain
smtpd_helo_required = yes
unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
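To see what the restriction lists above actually decide, here is an added example (not from the original page) that walks smtpd_recipient_restrictions in the order given, using the mynetworks and mydestination values from this main.cf. The virtual domain set and the set of domains that resolve in DNS are constructed stand-ins for the MySQL and DNS lookups Postfix would really perform.

```python
import ipaddress

# Values taken from the main.cf above. The virtual domain set and the set of
# domains that resolve in DNS are constructed stand-ins for the MySQL and DNS
# lookups Postfix performs.
MYNETWORKS = [ipaddress.ip_network(n) for n in
              ("192.168.0.0/16", "127.0.0.0/24", "69.239.170.72/29")]
MYDESTINATION = {"host.yourdomain.com", "localhost.yourdomain.com", "localhost"}
VIRTUAL_MAILBOX_DOMAINS = {"yourdomain.com"}            # constructed sample
DNS_KNOWN = {"yourdomain.com", "example.org"}            # constructed sample

SMTPD_RECIPIENT_RESTRICTIONS = (
    "permit_sasl_authenticated",
    "permit_mynetworks",
    "reject_unauth_destination",
    "reject_non_fqdn_recipient",
    "reject_unknown_recipient_domain",
)

def in_mynetworks(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in MYNETWORKS)

def check_recipient(client_ip, sasl_authenticated, recipient):
    """Walk the list the way smtpd(8) does: the first rule that answers PERMIT
    or REJECT decides, rules that do not apply fall through, and reaching the
    end of the list accepts the recipient."""
    domain = recipient.rpartition("@")[2].lower()
    hosted = MYDESTINATION | VIRTUAL_MAILBOX_DOMAINS   # relay_domains = $mydestination
    for rule in SMTPD_RECIPIENT_RESTRICTIONS:
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return "PERMIT"
        if rule == "permit_mynetworks" and in_mynetworks(client_ip):
            return "PERMIT"
        if rule == "reject_unauth_destination" and domain not in hosted:
            return "REJECT 554 Relay access denied"
        if rule == "reject_non_fqdn_recipient" and "." not in domain:
            return "REJECT 504 Recipient address must be fully qualified"
        if rule == "reject_unknown_recipient_domain" and domain not in DNS_KNOWN:
            return "REJECT 450 Recipient domain not found"
    return "PERMIT"

if __name__ == "__main__":
    # An Internet host trying to relay through us is refused; the same host
    # sending to a hosted domain and a LAN client relaying outbound are not.
    print(check_recipient("203.0.113.9", False, "someone@example.org"))
    print(check_recipient("203.0.113.9", False, "alice@yourdomain.com"))
    print(check_recipient("192.168.11.50", False, "someone@example.org"))
```

The important property is that reject_unauth_destination sits after the two permit rules, so only authenticated users and mynetworks clients can relay to outside domains, while anyone can still deliver to the domains this server hosts.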

/etc/postfix/master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#  -o content_filter=smtp-amavis:127.0.0.1:10024
#  -o receive_override_options=no_address_mappings
#submission inet n      -       n       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter= 
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
# spam/virus section
#
#smtp-amavis  unix  -    -       y       -       2       smtp
#  -o smtp_data_done_timeout=1200
#  -o disable_dns_lookups=yes
#  -o smtp_send_xforward_command=yes
#127.0.0.1:10025 inet n  -       y       -       -       smtpd
#  -o content_filter=
#  -o smtpd_helo_restrictions=
#  -o smtpd_sender_restrictions=
#  -o smtpd_recipient_restrictions=permit_mynetworks,reject
#  -o mynetworks=127.0.0.0/8
#  -o smtpd_error_sleep_time=0
#  -o smtpd_soft_error_limit=1001
#  -o smtpd_hard_error_limit=1000
#  -o receive_override_options=no_header_body_checks
#  -o smtpd_bind_address=127.0.0.1
#  -o smtpd_helo_required=no
#  -o smtpd_client_restrictions=
#  -o smtpd_restriction_classes=
#  -o disable_vrfy_command=no
#  -o strict_rfc821_envelopes=yes
#

The postfix / mysql config files.
/etc/postfix/mysql-virtual_alias_maps.cf

hosts = localhost
user = postfix
password = postfix
dbname = postfix
table = alias
select_field = goto
where_field = address

/etc/postfix/mysql-virtual_domains_maps.cf

hosts = localhost
user = postfix
password = postfix
dbname = postfix
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'

/etc/postfix/mysql-virtual_mailbox_maps.cf

hosts = localhost
user = postfix
password = postfix
dbname = postfix
table = mailbox
select_field = maildir
where_field = username

Now for the sasl auth configuration.
/usr/lib/sasl2/smtpd.conf

pwcheck_method: auxprop
mech_list: PLAIN LOGIN
auxprop_plugin: sql
sql_verbose: yes
sql_engine: mysql
sql_hostnames: localhost
sql_user: postfix
sql_passwd: postfix
sql_database: postfix
sql_select: select password from mailbox where username = '%u@%r'

Now generate a self-signed SSL certificate so postfix can offer TLS. Since -nodes leaves the private key unencrypted and it lands in the same file as the certificate, make sure smtpd.pem is readable by root only.
> mkdir /etc/postfix/ssl
> cd /etc/postfix/ssl
> openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650

We need to touch a file, so type the following.
> touch /etc/postfix/virtual_regexp

Finally we'll configure the mail store directory. We put it in /home to make backups and other items easy. Type the following.
> mkdir /home/vmail
> chmod 770 /home/vmail
> chown postfix:postfix /home/vmail

Configuring Dovecot

Let's start off with the main config file. Just replace the default one with what's below.
/etc/dovecot.conf

# Dovecot config file
auth default {
  userdb sql {
    args = /etc/dovecot-mysql.conf
  }
  passdb sql {
    args = /etc/dovecot-mysql.conf
  }
}
first_valid_uid = 89
default_mail_env = maildir:/home/vmail/%d/%n
protocols =  imaps imap pop3s pop3
ssl_cert_file = /etc/postfix/ssl/smtpd.pem
ssl_key_file = /etc/postfix/ssl/smtpd.pem

Next we configure Dovecot to access MySQL. Create the following file.
/etc/dovecot-mysql.conf

driver = mysql
connect = host=localhost dbname=postfix user=postfix password=yourpassword
default_pass_scheme = PLAIN
password_query = SELECT password FROM mailbox WHERE username = '%u'
user_query = SELECT maildir, 89 AS uid, 89 AS gid FROM mailbox WHERE username = '%u'
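The three mysql-virtual_*.cf files in the Postfix section and the Dovecot password_query/user_query above all run against the same PostfixAdmin tables. The following added example (not part of the original page) rebuilds those queries over a constructed in-memory SQLite copy of the domain, alias and mailbox tables, so you can see why an inactive or backupmx domain is refused, how an alias resolves to a maildir under /home/vmail, and what Dovecot's PLAIN scheme compares against; the route() ordering is a simplified model of Postfix's lookups, not Postfix code.

```python
import sqlite3

# Constructed in-memory stand-in for the PostfixAdmin 'postfix' database so the
# example runs offline; column names match the map files and Dovecot queries.
SCHEMA = """
CREATE TABLE domain  (domain TEXT PRIMARY KEY, backupmx TEXT, active TEXT);
CREATE TABLE alias   (address TEXT PRIMARY KEY, goto TEXT, active TEXT);
CREATE TABLE mailbox (username TEXT PRIMARY KEY, password TEXT, maildir TEXT, active TEXT);
INSERT INTO domain  VALUES ('example.com','0','1'), ('old.example.net','0','0'), ('mx2.example.org','1','1');
INSERT INTO alias   VALUES ('postmaster@example.com','alice@example.com','1'), ('alice@example.com','alice@example.com','1');
INSERT INTO mailbox VALUES ('alice@example.com', 's3cret', 'example.com/alice/', '1');
"""
# One entry per mysql-virtual_*.cf file: (table, select_field, where_field, additional_conditions)
MAPS = {
    "virtual_mailbox_domains": ("domain", "domain", "domain", " and backupmx = '0' and active = '1'"),
    "virtual_alias_maps": ("alias", "goto", "address", ""),
    "virtual_mailbox_maps": ("mailbox", "maildir", "username", ""),
}

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def lookup(db, map_name, key):
    """The query the Postfix mysql client builds from one map file."""
    table, select_field, where_field, extra = MAPS[map_name]
    row = db.execute(f"SELECT {select_field} FROM {table} WHERE {where_field} = ?{extra}", (key,)).fetchone()
    return row[0] if row else None

def route(db, recipient):
    """Simplified order of the lookups an inbound recipient goes through."""
    domain = recipient.rpartition("@")[2]
    if lookup(db, "virtual_mailbox_domains", domain) is None:
        return ("reject", "not a hosted domain")   # inactive and backupmx rows drop out here
    target = lookup(db, "virtual_alias_maps", recipient) or recipient   # alias expansion
    maildir = lookup(db, "virtual_mailbox_maps", target)
    if maildir is None:
        return ("bounce", "User unknown in virtual mailbox table")
    return ("deliver", "/home/vmail/" + maildir)   # virtual_mailbox_base + maildir

def dovecot_login(db, username, password):
    """passdb/userdb queries from dovecot-mysql.conf; PLAIN scheme means the stored value is the cleartext password."""
    row = db.execute("SELECT password FROM mailbox WHERE username = ?", (username,)).fetchone()
    if row is None or row[0] != password:
        return None
    maildir, uid, gid = db.execute("SELECT maildir, 89 AS uid, 89 AS gid FROM mailbox WHERE username = ?",
                                   (username,)).fetchone()
    return {"maildir": maildir, "uid": uid, "gid": gid}
```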

Finally, set Dovecot to start at boot.

Configuring SquirrelMail

We should next give our users a web interface to their mail. This is an optional install.

Let's start configuring SquirrelMail. Luckily, SquirrelMail has a configuration utility. So type:
> /usr/share/squirrelmail/config/conf.pl

Here are the settings to be changed:

  • Under server settings change sendmail to SMTP
  • Under update IMAP settings change the software to dovecot.
  • Other config changes are optional.

Now go to your browser and test SquirrelMail. The URL is http://yourdomain.com/webmail/src/configtest.php

You should now be able to log in to your mail server. The URL would be 'host.domain.com/webmail'. Remember your username is in the format: user@domain.com

Configuring the Little Things That Drive You MAD

Be sure your /etc/hosts looks similar to the following.

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost
192.168.11.21   host.domain.com

Preparing and Testing the Postoffice

First things first: reboot the system. If everything went well we should all be at the same point.

No errors? Let's keep going.

Set up a test domain and account. Set up your favorite mail client and send some test emails.

Conclusion

With a bit of work you end up with a robust server.

Comments


Gordon, 09 October 2008, 08:56

Hi, thanks for this howto! But after I installed and tried in postfixadmin to check the mail, I get the following error: 'ssl,extra_options,mda,date,returned_text FROM fetchmail order by id desc' at line 1

rcamp, 29 September 2008, 07:55

Here's the update for postfixadmin

Now we need to set up the MySQL database for mysqladmin. We only need to create the database and user. The setup file will create the rest.

> mysql -u root -p -e "CREATE DATABASE postfix;"

> mysql -u root -p -e "CREATE USER postfix@localhost IDENTIFIED BY 'choose_a_password';"

> mysql -u root -p -e "GRANT ALL PRIVILEGES ON postfix . * TO postfix@localhost;"

Wes Thompson, 29 September 2008, 01:50

>where is DATABASE_MYSQL.TXT ?

The file is no longer in the repository, read INSTALL.TXT and copy the details of the file from there.

rcamp, 18 August 2008, 07:05

The file is located in the following directory: /usr/share/postfixadmin

If it's not there then download postfix admin again.

taner gunal, 18 August 2008, 05:29

where is DATABASE_MYSQL.TXT ?

(C) Copyright 1996-2007 by Richard Camp All rights reserved