
Helpful guide to setting up Linux Debian Postfix Courier SquirrelMail Mail Server

UPDATE: There is now a HowTo on setting up SpamAssassin to train across all the mailboxes on your server here.

UPDATE 2:  Do not sign up with RedwoodVirtual as a hosting company. Their customer service sucks. Read the post here.

Please see part one for my motivation behind setting up my own mail server.

I used the instructions below to guide me through the process of setting up a server at Redwood Virtual with the following components:
Linux Debian + Postfix + Courier Maildrop + Apache + SquirrelMail + Amavis + SpamAssassin

These instructions were provided for me by Kellan who collated them from many other contributors around the Web. Neither he nor I take credit (or responsibility) for these.

Please add to them or correct them by posting comments and I’ll try to do an update in the near future.

I tried to update these instructions as I went along – but had to do some troubleshooting afterwards that is not completely documented. So, feel free to post comments below as you learn more from this – or if you see stuff that’s wrong.

I am not a Linux geek…yet. I find it a testament to the progress of the open source community that I was still able to set up and manage my mail server so quickly. But also please forgive me if some of my comments are naïve or incorrect. They probably are.

We also referred a bit to Riseup’s Debian Grimoire – but more as reference. We used different steps with my set up.

I was able to move my mail hosting off of a Windows 2003 SmarterMail 2.0 platform and go entirely open source for less money, with nearly unlimited mail storage. I hope this helps others make similar moves toward better technology that provides more control over their email.

SETTING UP YOUR ACCOUNT

I bought a personal account at Redwood Virtual. It’s $10 per month or $100 annually. I had them install Debian Sarge (a.k.a. testing).

MAKE ALTERNATE USER ACCOUNT

When you receive your account information, log in as the root user with the password you chose.

On my Mac, I use:

> ssh -l root mydomain.org

Windows users might try downloading putty here.

Change your root password – don’t lose it:
> passwd

Then, create an alternate user account:

> adduser <username>

Check your free space:
> df -h

INSTALL SUDO TO OPERATE AS ADMINISTRATOR FROM OTHER ACCOUNT

Sudo is a program that lets alternate users operate as administrators. It needs to be installed to work properly.

Apt-get is a Debian command that installs packages of software. Debian is nice because it preconfigures these install routines to make the process simple.

> apt-get update

> apt-get install sudo

> cd /etc

Now, we need to add the new account to the list of administrators – or the sudoers file. Nano is the text editor that I used to do this.

> nano sudoers

Add your <username>  to the list of sudo users. Save it.

> logout

INSTALL SERVICES

Reconnect to your server using the alternate account:
> ssh -l username mydomain.org

Now we’re going to get a bunch of services that make up the mail services:

> sudo apt-get install postfix spamassassin amavisd-new clamav clamav-daemon libmailtools-perl fam

Note: I haven’t yet completed a working version of clamav, clamav-daemon. So, you may see some errors in the logs with this install script. I plan to come back to this soon.

In response to the questions during the install, I chose the following. In almost every case I selected the default options:

• Choose daemon since redwood virtual has a network connection
• Select the default URL
• Select yes to notify
• Select Internet Site when asked for configuration
• Select postmaster as the root account
• Select default mydomain.org
• Select defaults for mail routing etc...

Be sure to remember to add a user account for the postmaster later. I’ll come back to this shortly.

> sudo apt-get install courier-maildrop

Yes to using more disk space during install
No to web-based administration for courier

> sudo apt-get install courier-imap courier-imap-ssl

Yes to using more disk space during install

CONFIGURE THE HOME DIRECTORY

Go to your home directory:

> cd /home/<username>

Now we need to set up a special kind of mail directory. These are case sensitive below:
> sudo maildirmake Maildir

To make our sub folders run:
> sudo maildirmake -f Sent Maildir
> sudo maildirmake -f Drafts Maildir
> sudo maildirmake -f Templates Maildir
> sudo maildirmake -f Junkmail Maildir

Now we want to create a skeleton structure that will create an identical folder mapping for each new mail user:

> cd /etc/skel
> sudo maildirmake Maildir
> sudo maildirmake -f Sent Maildir
> sudo maildirmake -f Drafts Maildir
> sudo maildirmake -f Templates Maildir
> sudo maildirmake -f Junkmail Maildir

ADD THE POSTMASTER ACCOUNT AND OTHER USER MAILBOXES
> sudo adduser postmaster
> sudo adduser <username>

The system will use the skel directory structure to replicate the structure for each new user.

CONFIGURE POSTFIX AND MAIL DELIVERY

The files master.cf and main.cf are primary configuration files for PostFix. They are located in the /etc/postfix directory. Let’s configure them:

> cd /etc/postfix
> sudo nano main.cf

To have Postfix deliver to Maildir, add the following line to your main.cf:
home_mailbox = Maildir/

Change the mailbox_command to this one:
mailbox_command = /usr/bin/maildrop

Save the file.

To add logging for Maildrop, create the log file and add the directive in  /etc/courier/maildroprc

> cd /var/log
> sudo touch /var/log/maildrop
> sudo chmod 666 /var/log/maildrop

Edit the Maildroprc file:
> cd /etc/courier
> sudo nano maildroprc

Copy these contents into the file:

if ( $SIZE < 26144 )
{
    exception {
       xfilter "/usr/bin/spamassassin"
    }
}

if (/^X-Spam-Flag: *YES/)
{
    exception {
        to "$HOME/Maildir/.Junkmail/"
    }
}
else
{
    exception {
        to "$HOME/$DEFAULT"
    }
}
 
SEND A TEST EMAIL

> sudo sendmail

Note: I think my SMTP test format message may be slightly off here…

From: you@yourdomain.com
To: you@yahoo.com
Subject: This is a test
This is my message
.

Then you can go look at the log to see if it was sent:
> cd /var/log
> tail -f maildrop

You’ll also want to add Maildrop’s log file to logrotate. Create a new file in the /etc/logrotate.d directory called maildrop:

> cd /etc/logrotate.d
> sudo touch maildrop
> sudo nano maildrop

And add the following:

/var/log/maildrop {
weekly
missingok
}

CONFIGURE AMAVIS FOR SPAM AND VIRUS HANDLING

To run Amavis, you’ll have to set up your amavis.conf file. They suggest reading the Postfix install doc for Amavis, /usr/share/doc/amavisd-new/README.postfix.gz.

> sudo nano /etc/amavis/amavisd.conf

Locate and change the “$mydomain” section to your domain.

Locate and uncomment these lines to have Amavis work with Postfix:
$forward_method = 'smtp:127.0.0.1:10025'; # where to forward checked mail
$notify_method = $forward_method; # where to submit notifications

Locate and comment out this line: (It may already be commented out - leave it commented out)
#@bypass_spam_checks_acl

To have SpamAssassin add its header tags to mail, find the @local_domains_acl = lines and change them to the following (don’t forget the period in the parentheses!):

@local_domains_acl = qw(.);
$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 999; # triggers spam evasive actions

We don’t want to quarantine virus-infected email, and spam will be delivered to the user’s Junkmail folder, so locate and change the following:

$QUARANTINEDIR = undef;
$virus_quarantine_to = undef;
#$spam_quarantine_to = 'spam-quarantine';

Other related changes:
$remove_existing_spam_headers = 0;
$sa_local_tests_only = 0;
$SYSLOG_LEVEL = 'mail.info';
$log_level = 2;

Be sure to create the /var/log/amavis.log file and chown it to amavis:

> cd /var/log
> sudo touch amavis.log
> sudo chown amavis:amavis amavis.log

TEST AMAVIS

Start Amavis and check for typos. To see any error messages and debugging info, I suggest running Amavis interactively the first time and keeping it attached to the terminal by issuing the following commands:

> sudo su - amavis #(or whatever username you decided to use, e.g. amavis)
$ /usr/sbin/amavisd-new debug

From another window check that it is listening on a local SMTP port 10024 (default):

$ telnet 127.0.0.1 10024
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

220 [127.0.0.1] ESMTP amavisd-new service ready

Type quit

221 Bye
Connection closed by foreign host.

HOOK UP AMAVIS TO POSTFIX

> sudo nano /etc/postfix/master.cf

Now add the following to the end of your /etc/postfix/master.cf file (the -o lines must start with whitespace so that Postfix reads them as continuations of the service line):

smtp-amavis unix - - n - 2 smtp
        -o smtp_data_done_timeout=1200
        -o disable_dns_lookups=yes

127.0.0.1:10025 inet n - n - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000

Now, edit main.cf:
> sudo nano /etc/postfix/main.cf

Add this:

content_filter = smtp-amavis:[127.0.0.1]:10024

What all of this does is add an SMTP proxy. Mail comes into Postfix and is handed off to Amavis on port 10024. Amavis will then process the mail and hand it back to Postfix on port 10025.

Reload Postfix. At this point, you should have a working installation that filters mail for viruses and spam.

> sudo /etc/init.d/postfix start

Note: I am still having problems with ClamAV anti-virus with this configuration.

SET UP SMTP AUTHENTICATION

To enable users to relay messages through the server, they must authenticate with the server.

First we’ll have to install the Postfix ssl patch.
> sudo apt-get install postfix-tls

> cd /etc/postfix/sasl
> sudo touch smtpd.conf

Create the /etc/postfix/sasl/smtpd.conf file and enter the following:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Now install the sasl apps:
> sudo apt-get install libsasl2-modules
> sudo apt-get install sasl2-bin

To have the sasl authentication daemon listening where Postfix will be looking for it, we’ll need to edit the init script for saslauthd.

Open the /etc/init.d/saslauthd file in your favorite editor and enter the following line in the header (under PWDIR):

> cd /etc/init.d
> sudo nano saslauthd

Add under PWDIR:
PARAMS="-m /var/spool/postfix/var/run/saslauthd"

Now we’ll have to make the directory we just added in the previous step, chown it so Postfix can use it, and add the Postfix user to the sasl group.

> sudo mkdir /var/spool/postfix/var/
> sudo mkdir /var/spool/postfix/var/run/
> sudo mkdir /var/spool/postfix/var/run/saslauthd
> sudo chown -R root:sasl /var/spool/postfix/var/
> sudo adduser postfix sasl

To enable saslauthd to start, edit the /etc/default/saslauthd file:
> sudo nano /etc/default/saslauthd

Comment out this:
START=yes
MECHANISMS="pam"

Start saslauthd and check that it is running. Issue the following commands:
> cd /etc/init.d
> sudo ./saslauthd start

> ps waux | grep saslauthd

You should see:
root 6143 0.0 0.2 5916 1432 ? S 08:53 0:00 /usr/sbin/saslauthd -m /var/spool/postfix/var/run/saslauthd -a pam

To check that sasl is indeed working, use the testsaslauthd command with your username and password:
> sudo testsaslauthd -u username -p password -f /var/spool/postfix/var/run/saslauthd/mux

If everything is setup correctly, you should see:
0: OK "Success."

Edit main.cf more:
> cd /etc/postfix
> sudo nano main.cf

To have Postfix use sasl, you need to add this to your main.cf:
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

Restart Postfix:
> cd /etc/init.d
> sudo ./postfix stop
> sudo ./postfix start

SETTING UP YOUR TLS CERTIFICATES

New Certificate:

To build our certificates we will be using the script /usr/lib/ssl/misc/CA.pl. First we’ll need to create our certificate authority, or CA, so change to the /usr/lib/ssl/misc/ directory and issue the commands:

> cd /usr/lib/ssl/misc/
> sudo ./CA.pl -newca

You’ll be asked some questions about your organization. Be sure to answer the line “Common Name (eg, your name or your server's hostname):” with the FQDN of your mail server, i.e. mail.yourdomain.com.

Next we’ll create the server cert request that we’ll sign with our new CA. Issue the following command and answer the questions presented:

> sudo ./CA.pl -newreq-nodes

All that is left is to sign the server certificate request with our new CA with the following command (answer yes to both questions):
> sudo ./CA.pl -sign

Make a new directory called ssl in /etc/postfix to hold your new certificates, and copy your new certificates into it:

> sudo mkdir /etc/postfix/ssl
> cd /usr/lib/ssl/misc
> sudo cp newcert.pem /etc/postfix/ssl/
> sudo cp newreq.pem /etc/postfix/ssl/
> sudo cp demoCA/cacert.pem /etc/postfix/ssl/

Note: Make sure your certificate names match your domain exactly or you'll have problems turning on authentication.

UPDATED: The SSL certificate you see from within Thunderbird when checking email is the Courier certificate; the cert you see when sending email is the Postfix cert. So we were seeing a problem when checking email that the certificate was the auto-generated Courier cert that claimed to be for "localhost".

The way you update the courier cert is:

1. Edit /etc/courier/imapd.cnf: change the common name in that file to your FQDN (e.g. mail.yourdomain.org) and make any other changes you care to.

2. Run /usr/lib/courier/mkimapdcert (this might complain 'imapd.pem' already exists; rm /usr/lib/courier/imapd.pem).

3. cp /usr/lib/courier/imapd.pem to /etc/courier/imapd.pem

4. /etc/init.d/courier-imap-ssl restart

End of Update.

Now all that is left is to tell Postfix to use TLS. Add the following stanza to your /etc/postfix/main.cf file:

> sudo nano /etc/postfix/main.cf

smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/newreq.pem
smtpd_tls_cert_file = /etc/postfix/ssl/newcert.pem
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

And in your /etc/postfix/master.cf file, find and uncomment the following stanza:
> sudo nano /etc/postfix/master.cf

# only used by postfix-tls
tlsmgr fifo - - n 300 1 tlsmgr
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

Reload Postfix:

> cd /etc/init.d
> sudo ./postfix stop
> sudo ./postfix start

If you telnet to Postfix and issue the EHLO domain.tld command, you should now also see the “250-STARTTLS” line, meaning that Postfix is now taking requests via TLS.
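
The script below is an added example, not part of the original guide or of Postfix: a static audit of the main.cf settings from the SMTP authentication and TLS sections and of the Amavis re-injection listener added to master.cf earlier. The finding names and the sample files are constructed for illustration, and port 10025 is taken from this guide.

```shell
#!/bin/sh
# Added example: static audit of the Postfix settings this guide edits.
# Finding names (OPEN-RELAY, CLEARTEXT-AUTH, ...) are labels made up here.

# Print logical lines: skip comments and blank lines, join lines that start
# with whitespace onto the previous line (same rule in main.cf and master.cf).
join_logical() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { sub(/^[ \t]+/, ""); buf = buf " " $0; next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1"
}

# Print the value of parameter $2 in main.cf file $1 (last assignment wins).
main_param() {
    join_logical "$1" | awk -v key="$2" '
        { i = index($0, "="); if (i == 0) next
          name = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (name == key) found = val }
        END { print found }'
}

# Relay and authentication checks on main.cf.
audit_main() {
    rcpt=$(main_param "$1" smtpd_recipient_restrictions)
    case "$rcpt" in
        ""|*reject_unauth_destination*) ;;   # unset: the Postfix default applies
        *) echo "OPEN-RELAY: smtpd_recipient_restrictions lacks reject_unauth_destination" ;;
    esac
    if [ "$(main_param "$1" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(main_param "$1" smtpd_tls_auth_only)" != yes ]; then
        echo "CLEARTEXT-AUTH: SASL is offered without TLS (smtpd_tls_auth_only is not yes)"
    fi
    case "$(main_param "$1" smtpd_tls_loglevel)" in
        [3-9]*) echo "TLS-DEBUG-LOG: smtpd_tls_loglevel dumps TLS negotiation data" ;;
    esac
    return 0
}

# Checks on the smtpd listener that takes mail back from Amavis (master.cf).
audit_master() {
    join_logical "$1" | awk -v port="${2:-10025}" '
        $2 == "inet" && $8 == "smtpd" && ($1 == port || $1 ~ (":" port "$")) {
            seen = 1
            if ($1 !~ /^(127\.0\.0\.1|localhost|\[::1\]):/)
                print "REINJECT-EXPOSED: " $1 " is not bound to loopback"
            if ($0 !~ /-o content_filter=( |$)/)
                print "FILTER-LOOP: content_filter is not cleared on " $1
            if ($0 !~ /-o mynetworks=127\.0\.0\.0\/8( |$)/)
                print "REINJECT-TRUST: mynetworks is not 127.0.0.0/8 on " $1
        }
        END { if (!seen) print "NO-REINJECT: no smtpd listener on port " port }'
}

# Constructed sample files: excerpts in the guide's form plus one weak variant.
write_samples() {
    cat > "$1/main.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 3
EOF
    cat > "$1/master.cf" <<'EOF'
127.0.0.1:10025 inet n - n - - smtpd
        -o content_filter=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
EOF
    cat > "$1/master-weak.cf" <<'EOF'
10025 inet n - n - - smtpd
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_main "$tmp/main.cf"            # flags cleartext AUTH and the TLS log level
audit_master "$tmp/master.cf"        # prints nothing: listener is locked down
audit_master "$tmp/master-weak.cf"   # flags all three listener problems
rm -rf "$tmp"
```

To audit a real server, call audit_main and audit_master with /etc/postfix/main.cf and /etc/postfix/master.cf instead of the sample files.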

We primarily used RiseUp’s guide to install Apache:
http://deb.riseup.net/mail/buffy/mail-clients/apache/

I think we also just did the following to install squirrelmail. Squirrelmail was running in like 3 minutes. Pretty cool.

> apt-get install squirrelmail

That’s the main set of steps that we used. I had to do some troubleshooting especially with SpamAssassin. I will try to come back to that. If you have comments or suggested changes, please post them below.

The things on my to do list are:
- Finish the ClamAV installation
- Add support for hosting multiple domains

Here are my main.cf and master.cf files for reference:

/etc/postfix/main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = mydomain.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mydomain.org, mail.mydomain.org, localhost.org, , localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
home_mailbox = Maildir/
mailbox_command = /usr/bin/maildrop
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/newreq.pem
smtpd_tls_cert_file = /etc/postfix/ssl/newcert.pem
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

/etc/postfix/master.cf
#
# Postfix master process configuration file.  Each logical line
# describes how a Postfix daemon program should be run.
#
# A logical line starts with non-whitespace, non-comment text.
# Empty lines and whitespace-only lines are ignored, as are comment
# lines whose first non-whitespace character is a `#'. 
# A line that starts with whitespace continues a logical line.
#
# The fields that make up each line are described below. A "-" field
# value requests that a default value be used for that field.
#
# Service: any name that is valid for the specified transport type
# (the next field).  With INET transports, a service is specified as
# host:port.  The host part (and colon) may be omitted. Either host
# or port may be given in symbolic form or in numeric form. Examples
# for the SMTP server:  localhost:smtp receives mail via the loopback
# interface only; 10025 receives mail on port 10025.
#
# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
# sockets, "fifo" for named pipes.
#
# Private: whether or not access is restricted to the mail system.
# Default is private service.  Internet (inet) sockets can't be private.
#
# Unprivileged: whether the service runs with root privileges or as
# the owner of the Postfix system (the owner name is controlled by the
# mail_owner configuration variable in the main.cf file). Only the
# pipe, virtual and local delivery daemons require privileges.
#
# Chroot: whether or not the service runs chrooted to the mail queue
# directory (pathname is controlled by the queue_directory configuration
# variable in the main.cf file). Presently, all Postfix daemons can run
# chrooted, except for the pipe, virtual and local delivery daemons.
# The proxymap server can run chrooted, but doing so defeats most of
# the purpose of having that service in the first place.
# The files in the examples/chroot-setup subdirectory describe how
# to set up a Postfix chroot environment for your type of machine.
#
# Wakeup time: automatically wake up the named service after the
# specified number of seconds. A ? at the end of the wakeup time
# field requests that wake up events be sent only to services that
# are actually being used.  Specify 0 for no wakeup. Presently, only
# the pickup, queue manager and flush daemons need a wakeup timer.
#
# Max procs: the maximum number of processes that may execute this
# service simultaneously. Default is to use a globally configurable
# limit (the default_process_limit configuration parameter in main.cf).
# Specify 0 for no process count limit.
#
# Command + args: the command to be executed. The command name is
# relative to the Postfix program directory (pathname is controlled by
# the daemon_directory configuration variable). Adding one or more
# -v options turns on verbose logging for that service; adding a -D
# option enables symbolic debugging (see the debugger_command variable
# in the main.cf configuration file). See individual command man pages
# for specific command-line options, if any.
#
# General main.cf options can be overridden for specific services.
# To override one or more main.cf options, specify them as arguments
# below, preceding each option by "-o".  There must be no whitespace
# in the option itself (separate multiple values for an option by
# commas).
#
# In order to use the "uucp" message tranport below, set up entries
# in the transport table.
#
# In order to use the "cyrus" message transport below, configure it
# in main.cf as the mailbox_transport.
#
# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
#
# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n      -       -       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

# only used by postfix-tls
tlsmgr    fifo  -       -       n       300     1       tlsmgr
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
587       inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
smtp-amavis unix - - n - 2 smtp
        -o smtp_data_done_timeout=1200
        -o disable_dns_lookups=yes

127.0.0.1:10025 inet n - n - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000

UPDATE:

This article on Postfix shows how to use the same email name on multiple domains.

Comments

Newbie1

multiple domains! multiple domains! multiple domains!

Great article. And timely for me. I'm probably going to follow it to set up exactly the same thing. I'll run through it completely to see how it turns out.

One thing that as a newbie I'd like to have seen a few sentences on would have been the bind setup/entry on how the mail server is being resolved, especially if the web site and mail server are hosted on different ip addresses. And I'll be bookmarking the site so I can hopefully find a followup that deals with multiple mail domains or virtual domains. That would really be helpful.

Also, is the described setup not an open relay? That's another concern, as open relays are often exploited the same day the mail server goes live.
I didn't read the configuration files included in detail yet, so it may be covered in there already, but this would be a good idea to add in a followup, or amend this article with a sentence or two covering whether the setup is safe, ie: not an open relay.

Thanks for posting the article.

J

Nice work indeed. Don't forget to fix the typo "apt-get squirrelmail" to apt-get install.

Jeff

I believe this in the main.cf file restricts relaying...by requiring certificates for my domain for sending:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

reed


To send test mail from the command line, why not just use the "mail" command?
(instead of running sendmail manually).

$ mail you@elsewhere.com
Subject: testing

testing

.

reed

You should always test that your new mailserver doesn't relay spam. Becoming a spam relay is an excellent way to really piss off your hosting company!

A quick test is to telnet to port 25 on your server, and try to fool it:

HELO me.org
MAIL FROM:spammer@spam.spa
RCPT TO:victim@blah.bla

free xxx mortgage rates on your enlarged member!

.

Your mail server should reject it because it should only accept mail for itself, not other sites like "blah.bla"


Next, go to http://www.ordb.org, and select "test an open relay" from the left-hand menu. Enter in your site, and it will perform a variety of tests to see if your site is a spam relay. If it is, then it will be entered into their database, and you'll have to fix it and test again.

Finally, I recommend the DNS "blacklist" from http://www.spamcop.net. There are instructions on their site for configuring various mail servers. (Though you might not want to use a DNS blacklist if you think you might receive legitimate mail from a suspicious and potentially blacklisted domain, such as various consumer cable/dsl networks, and various networks in Asia, South America, etc.)

Phil

What did you do for DNS?

Piotr

Solution to your clamAV errors:

adduser clamav amavis

Also add: AllowSupplementaryGroups to file: /etc/clamav/clamav.conf.

Restart clamav-daemon

kellan

by default courier creates a self-signed cert on "localhost". thunderbird is happy to accept self-signed certs, but not ones for "localhost".

to re-create the imap cert edit: /etc/courier/imapd.cnf

and then run mkimapcert

bizkit

nice article!
thanks

tdot

Two VITAL things that totally screwed me over for hours, on Debian Sarge install of Postfix + SASL2 (saslauthd using PAM):

1. Add postfix to the mail and sasl groups:
usermod -G mail,sasl postfix
2. Don't put saslauthdb stuff where article suggests (ie. don't modify /etc/init.d/saslauthd); instead have a symlink from /var/spool/postfix/var/run/saslauthd --> /var/run/saslauthd . This fixes a number of problems like the init.d script not being able to shutdown saslauthd etc.

Don't forget that saslauthd is specifically ONLY capable of using PLAIN/LOGIN auth types, NOT CRAM-MD5 or DIGEST-MD5! I had to go back and change my Horde installation's auth type from DIGEST-MD5 to PLAIN.

Warange Rajesh

Hi,
I have a Debian 3.1(Sarge) + Postfix + Courier IMAP

Intend installing Squirrelmail.
After apt-get install squirrelmail, the directory gets created in /etc/squirrelmail and not in /var/www/.

I'm not understanding what to do next.

Plz help

gimili

I wanted to create maildirs for all existing users and the following script worked for me. It is not perfect but it worked for me. Perhaps someone has a better one. Also what is the best way to remove attachments with certain extensions like .exe from emails? Thanks!

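#!/bin/bash
# Create a Maildir with the standard folders for every existing user.
# Run as root; assumes each directory under /home is named after its owner.
DNAME="/home"
cd "$DNAME" || exit 1
for I in *
do
    # Skip entries that are not home directories of real accounts (e.g. lost+found)
    [ -d "$I" ] && id "$I" >/dev/null 2>&1 || continue
    cd "$DNAME/$I" || continue
    maildirmake Maildir
    maildirmake -f Sent Maildir
    maildirmake -f Drafts Maildir
    maildirmake -f Templates Maildir
    maildirmake -f Junkmail Maildir
    # Give the Maildir to its owner and keep other users out of the mail
    chown -R "$I" Maildir
    chmod -R go-rwx Maildir
done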
