Step by step guide to install Postfix
Ubuntu + Postfix + Courier IMAP + MySQL + Amavisd-new + SpamAssassin + ClamAV + SASL + TLS + SquirrelMail + Postgrey
Easy to follow howto on setting up a mail server with unlimited users and domains, with IMAP/Pop access, anti-spam, anti-virus, secure authentication, encrypted traffic, web mail interface and more.
Based on an Ubuntu distribution platform, but instructions are distro generic.
7th edition
Author Ivar Abrahamsen
License: Respect (CC by-sa)
Last Update: 2009-01-08
Contact / Discuss
Contents
Editions
List of different versions of this document.
Introduction
Brief description of this document.
Aim
Research
Donate
Software
Which software packages are we using and why.
Installation
How to install all packages and which ones.
Distrobution
Base Install
Repositories
Packages
Configuration
Post install, what to configure for each section, with full command examples.
Firewall (Shorewall)
MTA (Postfix)
Database (MySQL)
Pop/IMAP (Courier)
Content Checks (amivisd-new)
Anti-Spam(SpamAssassin)
Anti-Virus (ClamAV)
Policy Check (PostGrey)
Authentication (SASL)
Encryption (TLS)
Webmail (SquirrelMail)
Administration (phpMyAdmin)
Data
Creating the basic stub of data, and how to add your own.
Add users and domains
Common SQL
Test
Testing and troubleshooting each element.
Initialize
If receiving an already setup machine, a list of actions to do to initialize and configure it.
Extend
Post working system, detailed instructions on optional features to add.
Remote MX mail backup
Local file backup
Sender ID & SPF
Spam Reporting
White/Black lists
PGP & S/MIME
Relocation notice
Pop-before-SMTP
Auto Reply
Block Addresses
Throttle Output
Mail Lists
Admin software
Google Apps / GMail
Elastic Computing Cloud
Amazons' hosting service. Used as examples for this howto.
Impressions of EC2
Using EC2 with this howto
Amazon EC2 Images: AMIs
EC2 Links
Appendix
About author
Contact
Why
References
Software Links
Difference between Ubuntu versions
Download
Todo
Change Log
Return to top.
EditionsEdition State Started Updated Description
1st Released (outdated) 2004-01 2004-02 Based on Mandrake 9.1.
2nd Released (outdated) 2004-02 2004-07 Based on Mandrake 10.x, but valid for all distributions. Very thorough. Includes package description, where to get the sources and binaries, how to build them or which RPMs to use, includes many refrences, etc etc. Starts off with a basic working server, then advances, extends and tightens it in stages.
3rd Released (outdated) 2005-05 2005-11 Based on Ubuntu 5.04, Hoary Hedgehog. More concise simplified guide to get an advanced server working quickly. Now includes SASL & TLS integration.
4th Released (outdated) 2005-10 2005-12 Based on Breezy Badger, Ubuntu 5.10. Includes Postgrey
5th Released 2006-05 2006-11 Based on Dapper Drake, Ubuntu 6.06 LTS.
6th Scrapped 2006-11 2007-10 Will be based on Edgy Eft, Ubuntu 6.10. Or may wait for 7.04. May include Domain Key signing. May include my mail admin or my catchall aliases admin.
7th (this) Released 2008-04 2009-01 Updated, based on Ubuntu 8.04 Hardy Heron. Using Amazon EC2 as example.
Further details available in the change log and below in the introduction.
Return to top.
Introduction
Aim
This is a step by step howto guide to set up a mail server on a GNU / Linux system. It is easy to follow, but you end up with a powerfull secure mail server.
The server accepts unlimited domains and users, and all mail can be read via your favourite clients, or via web mail.
It is secure, traffic can encrypted and it will block virtually all spam and viruses.
Return to top.
Research
Dont take my word for it! Research others opinions and methods. Look at my references, look at Postfix.org's howtos, read the excellent books available (E.g. Kyle's or Hildebrandt's), search the web or read the proper documentation.
If you refer to this howto in your own document, or find useful links, then let me know.
Donate
If you found this howto very useful, spread the word and help others?
If this howto was exceptionally useful why not donate me some beer money?
Or buy a postfix book using my amazon affiliate links further down?
Or buy a t-shirt from my t-shirt shop?
Otherwise send me a Thank You note?
UK US EU
Return to top.
Software
What software packages have/will I use and why.
OS: Ubuntu Linux
www.ubuntu.com
Ah the age old distro argument... Thankfully this set up should work on most distros. I used to base this howto on Mandrake(now Mandriva), and I started this new edition on a Gentoo box. But I don't have the patience for Gentoo, nor the money to stay with Mandriva Power editions. Why Ubuntu? Its free, simple and slick. As Ubuntu is derived from debian the installations used here will be apt-get based. Please refer to my other editions for details on RPM or source based installations.
MTA: Postfix
www.postfix.org
Simple, free and slick. Yup I am a sucker for anything that works easily. Postfix is powerfull, well established, but not too bloated, and is security concious from the start.
Pop/IMAP: Courier IMAP
www.courier-mta.org/imap/
My first mail server installtion was with Courier. I have not found a reason to change this as again it is simple, and free.
Database: MySQL
www.mysql.com
Although I use Firebird for my application development, (or Hibernate/C-JDBC hybrids), MySQL is well supported for the sort of lookups required in a mail server.
Content Check: Amavisd-new
www.ijs.si/software/amavisd/
Easy plug in solution for spam, virus checking etc.
Anti-Spam: SpamAssassin
spamassassin.apache.org
Powerfull renowned spam fighting tool.
Anti-Virus: ClamAV
www.clamav.net
Free virus scanner that can be trusted and includes update daemon.
Authentication: Cyrus SASL
www.imc.org/ietf-sasl/
Secure and trusted crypthography technology for authentication of SMTP traffic.
PostGrey
isg.ee.ethz.ch/tools/postgrey/
Postgrey is an excellent little script to stop 99% of all spam. All it does is on first contact for specific from-to combinations, tells the sender server to try again in a little while, which most spammers cant afford to do. When proper servers try again after a few minutes it lets it through.
Encryption: TLS
www.ietf.org/html.charters/tls-charter.html
Secure and trusted crypthography technology for encryption of SMTP traffic. Not too be confused with client encryption technology like GnuPG and S/MIME. They are covered in the extend section. Formerly referenced as SSL.
WebMail: SquirrelMail
www.squirrelmail.org
Easy to set up php based web mail client.
Please see software links appendix for further information about these software packages. In that section there is more links to documentation or forums, and viable alternatives, downloadable packages, versions details etc.
Further software and tweaks are discussed in the extension section.
Also review other peoples opinion on these packages via my references.
Return to top.
Installation
Distrobution
Base Install
Repositories
Packages
Distribution
Please refer to previous edition for a discussion on distribution selection.
Base Install
With installing Ubuntu you have a choice of which base system to install. You may choose server or desktop image or very basic setups. I will assume a server install, but it should not differ.
Ps. I actually built this recent mail server using Amazon Elastic Computing Cloud (EC2). And thus I have created public images of my mail server that you can use. For more details see my EC2 section. If you have your own server, then it is not relevant.
Repositories
Please refer to previous edition for a details of repository configurations.
Packages
You need to install a whole bunch of packages. We will install them bit by bit. But first check your package sources are correctly pointing to main multiverse restricted universe repositories of your current Ubuntu version.
sudo vi /etc/apt/sources.list
Secondly update your current system:
sudo aptitude update
sudo aptitude upgrade
MySQL
First we'll install MySQL
sudo aptitude install mysql-client mysql-server
This will prompt you for a root password. Choose someting wise and remember it! For purpose of this tutorial I will set it to rootPASSWORD
Postfix
Then we'll install postfix
sudo aptitude install postfix postfix-mysql
This will prompt you to choose type of email server. Select internet site It will also suggest a server name. Correct this if needed.
SASL
aptitude install libsasl2-modules-sql libgsasl7 libauthen-sasl-cyrus-perl
Courier
aptitude install courier-base courier-authdaemon courier-authlib-mysql courier-imap courier-imap-ssl courier-ssl
will prompt you about webdirectories. You can say no to this. It will also warn you about the certificate location. Ignore it.
Amavis, SpamAssassin, ClamAV, postgrey
aptitude install amavisd-new
aptitude install spamassassin spamc
aptitude install clamav-base libclamav3 clamav-daemon clamav-freshclam
aptitude install postgrey
SquirrelMail
aptitude install squirrelmail squirrelmail-locales php-pear php5-cli
phpMyAdmin
aptitude install phpmyadmin
Accept apache2 as the web server.
ShoreWall
aptitude install shorewall shorewall-doc
Amazon provides a firewall/ access control for its servers, so not always needed then, but nice to have. And in all others situations; a must have.
Extras
I also install a few other packages that I personally prefer. But nothing todo with the mail server.
aptitude install vim mutt lynx
Package status
To find out which packages you may have installed, you can use for example:
sudo dpkg --list | grep postfix
or
sudo aptitude search postfix
EC2 Bundle
My AMI flurdy-amis/ubuntu-mail-server-clean is based on Eric Hammond's with the basic mail server packages installed.
Return to top.
Configuration
Firewall (Shorewall)
MTA (Postfix)
Database (MySQL)
Pop/IMAP (Courier)
Content Checks (amivisd-new)
Anti-Spam(SpamAssassin)
Anti-Virus (ClamAV)
Policy Check (PostGrey)
Authentication (SASL)
Encryption (TLS)
Webmail (SquirrelMail)
Administration (phpMyAdmin)
Simple mail server
Now lets configure a simple mail server using some of the packages installed.
Firewall
Shorewall
Not essential for an EC2 image. It is essential for a normal server.
Basically at first you want to only allow SSH. Then SMTP and IMAP from your IP only.
When you are confident that the mail server is secure, you can open SMTP to the world. If you prefer you can also open IMAP to the world, unless you have a very small client IP range.
Later you may open web access to the webmail and admin gui. This you may also restrict to specific IPs.
SSH only
By default Shorewall in Ubuntu has an empty set up. You can find the default values for Shorewall in /usr/share/doc/shorwall-common/default-config. And examples in
First configure which network adapters we are accessing the net.
cp /usr/share/doc/shorewall-common/default-config/interfaces /etc/shorewall/
vi /etc/shorewall/interfaces
net eth0 detect dhcp,tcpflags,logmartians,nosmurfs
Then we will configure network zones
cp /usr/share/doc/shorewall-common/default-config/zones /etc/shorewall/
vi /etc/shorewall/zones
Add the firewall if not there and the internet as a zone.
fw firewall
# loc ipv4
net ipv4
Then if needed to specify hosts you can do it in this file. E.g. If you wanto specify what is your home IP etc.
cp /usr/share/doc/shorewall-common/default-config/hosts /etc/shorewall/
vi /etc/shorewall/hosts
# loc eth0:192.168.0.0/24
Then set what is the default policy for firewall access.
cp /usr/share/doc/shorewall-common/default-config/policy /etc/shorewall/
vi /etc/shorewall/policy
$FW net ACCEPT
net $FW DROP info
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
For safety in case it goes down.
cp /usr/share/doc/shorewall-common/default-config/routestopped /etc/shorewall/
vi /etc/shorewall/routestopped
eth0 0.0.0.0 routeback
You may put in a netmask of your ip range if you are more concerned.
Now for the main firewall rules. You can find predetermined macro rules for Shorewall in /usr/share/shorewall.
cp /usr/share/doc/shorewall-common/default-config/rules /etc/shorewall/
vi /etc/shorewall/rules
SSH/ACCEPT net $FW
Open for business
Once your server is working come back to this step and open up SMTP and Web access to others.
vi /etc/shorewall/rules
Ping/ACCEPT net $FW
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT $FW net icmp
# mail lines
SMTP/ACCEPT net $FW
SMTPS/ACCEPT net $FW
Submission/ACCEPT net $FW
IMAP/ACCEPT net $FW
IMAPS/ACCEPT net $FW
#web
Web/ACCEPT net $FW
Firewall configuring is always risky business, as it is easy to lock yourself out. To test the setup syntax, run
shorewall check
Restart it with
/etc/init.d/shorewall restart
Then to switch it on during boot:
vi /etc/default/shorewall
startup=1
For more details on IP Tables and Shorewall, look up its website.
Return to top.
MTA
Postfix
You should put the name of your server in this file
vi /etc/mailname
Could be something like smtp.domain.name, where domain name obviously is replaced with your domain name.
Now will open the main postfix configuration file:
vi /etc/postfix/main.cf
Debian and Ubuntu already puts in some sensible default values in this file. You may need to comment some of them out if we put the same in as well.
First specify the name of your server.
# This is already done in /etc/mailname
#myhostname=/etc/mailname
Next is the origin which is the domain appended to email from this machine, this can be your full servername, or domain name.
# myorigin=/etc/mailname
myorigin=yourdomain.com
Then decide what the greeting text will be. Enough info so it is useful, but not divelge everything to potential hackers.
smtpd_banner = $myhostname ESMTP $mail_name
Next you need to decide whether to send all outgoing mail via another SMTP server, or send them yourself. I send via my ISP's server, so it has to worry about the queing etc. If you send it yourself then you are not reliant on 3rd party server. But you may risk more exposure and accidentally be blocked by spam blockers. And it is more work for your server. Also many servers block dynamic dns hosts, so you may find your server gets rejected. However choose whichever you are comfortable with.
# leave blank to do it yourself
relayhost =
# or put it an accessible smtp server
relayhost = smtp.yourisp.com
Next is network details. You will accept connection from anywhere, and you only trust this machine
inet_interfaces = all
mynetworks_style = host
Next you can masquerade some outgoing addresses. Say your machine's name is mail.domain.com. You may not want outgoing mail to come from username@mail.domain.com, as you'd prefer username@domain.com. You can also state which domain not to masquerade. E.g. if you use a dynamic dns service, then your server address will be a subdomain. You can also specify which users not to masquerade.
# masquerade_domains = sub.domain.com !sub.dyndomain.com
# masquerade_exceptions = root
As we will be using virtual domains, these need to be empty.
local_recipient_maps =
mydestination =
Then will set a few numbers.
# how long if undelivered before sending warning update to sender
delay_warning_time = 4h
# will it be a permanent error or temporary
unknown_local_recipient_reject_code = 450
# how long to keep message on queue before return as failed.
# some have 3 days, I have 16 days as I am backup server for some people
# whom go on holiday with their server switched off.
maximal_queue_lifetime = 7d
# max and min time in seconds between retries if connection failed
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
# how long to wait when servers connect before receiving rest of data
smtp_helo_timeout = 60s
# how many address can be used in one message.
# effective stopper to mass spammers, accidental copy in whole address list
# but may restrict intentional mail shots.
smtpd_recipient_limit = 16
# how many error before back off.
smtpd_soft_error_limit = 3
# how many max errors before blocking it.
smtpd_hard_error_limit = 12
Now we can specify some restrictions. Be carefull that each setting is on one line only.
# Requirements for the HELO statement
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname,
reject_invalid_hostname, permit
# Requirements for the sender details
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender,
reject_unknown_sender_domain, reject_unauth_pipelining, permit
# Requirements for the connecting server
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,
reject_rbl_client blackholes.easynet.nl,
reject_rbl_client dnsbl.njabl.org
# Requirement for the recipient address
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks,
reject_non_fqdn_recipient, reject_unknown_recipient_domain,
reject_unauth_destination, permit
smtpd_data_restrictions = reject_unauth_pipelining
Further restrictions:
# require proper helo at connections
smtpd_helo_required = yes
# waste spammers time before rejecting them
smtpd_delay_reject = yes
disable_vrfy_command = yes
Next we need to set some maps and lookups for the virtual domains.
# not sure of the difference of the next two
# but they are needed for local aliasing
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
# this specifies where the virtual mailbox folders will be located
virtual_mailbox_base = /var/spool/mail/virtual
# this is for the mailbox location for each user
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
# and their user id
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf
# and group id
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
# and this is for aliases
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
# and this is for domain lookups
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
# this is how to connect to the domains (all virtual, but the option is there)
# not used yet
# transport_maps = mysql:/etc/postfix/mysql_transport.cf
You need to set up an alias file. This is only used locally, and not by your own mail domains.
cp /etc/aliases /etc/postfix/aliases
# may want to view the file to check if ok.
# especially that the final alias, eg root goes
# to a real person
postalias /etc/postfix/aliases
Next you need to set up the folder where the virtual mail will be stored. This may have already been done by the apt-get. And also create the user whom will own the folders.
# to add if there is not a virtual user
mkdir /var/spool/mail/virtual
groupadd virtual -g 5000
useradd virtual -u 5000 -g 5000
chown -R virtual:virtual /var/spool/mail/virtual
If using Amazon EC2 you put these in /mnt?
Return to top.
Postfix's MySQL configuration
Next we need to set up the files to access the lookups via the database. We will only set up a few now, and the rest later when/if needed:
Edit(create) how to find the users mailbox location
vi /etc/postfix/mysql_mailbox.cf
user=mail
password=apassword
dbname=maildb
table=users
select_field=maildir
where_field=id
hosts=127.0.0.1
additional_conditions = and enabled = 1
Create how to find the user id (this step I will eventualy remove)
vi /etc/postfix/mysql_uid.cf
user=mail
password=apassword
dbname=maildb
table=users
select_field=uid
where_field=id
hosts=127.0.0.1
Create how to find the group id. (this step I will eventualy remove)
vi /etc/postfix/mysql_gid.cf
user=mail
password=apassword
dbname=maildb
table=users
select_field=gid
where_field=id
hosts=127.0.0.1
Create how to find the email alias:
vi /etc/postfix/mysql_alias.cf
user=mail
password=apassword
dbname=maildb
table=aliases
select_field=destination
where_field=mail
hosts=127.0.0.1
additional_conditions = and enabled = 1
Create how to find the domains:
vi /etc/postfix/mysql_domains.cf
user=mail
password=apassword
dbname=maildb
table=domains
select_field=domain
where_field=domain
hosts=127.0.0.1
additional_conditions = and enabled = 1
As you can see the 3 first are very similar, only the select_field changes. If you specify an ip in hosts, (as opposed to 'localhost') then it will communicate over tcp and not the mysql socket. (chroot restriction)
Return to top.
Database
MySQL
Now we will need to create the tables for thos lookups just specified. First you need to create a user to use in MySQL for mail only. Then you need to create the database, Take note of your chosen mail username and password. You will need the password you specified for root during MySQL package installation.
# If not already done...
mysqladmin -u root password new_password
# log in as root
mysql -u root -p
# then enter password for the root account when prompted
Enter password:
# then we create the mail database
create database maildb;
# then we create a new user: "mail"
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
ON maildb.* TO 'mail'@'localhost' IDENTIFIED by 'apassword';
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
ON maildb.* TO 'mail'@'%' IDENTIFIED by 'apassword';
exit;
Obviously replace apassword with your chosen password!
Then you will need to create these tables:
aliases
domains
users
We will create more later on for further extensions, but only these are relevant now.
Log in to mysql as the new mail user
mysql -u mail -p maildb
# enter the newly created password
Enter password:
Then run this commands to create the tables:
CREATE TABLE `aliases` (
`pkid` smallint(3) NOT NULL auto_increment,
`mail` varchar(120) NOT NULL default '',
`destination` varchar(120) NOT NULL default '',
`enabled` tinyint(1) NOT NULL default '1',
PRIMARY KEY (`pkid`),
UNIQUE KEY `mail` (`mail`)
) ;
CREATE TABLE `domains` (
`pkid` smallint(6) NOT NULL auto_increment,
`domain` varchar(120) NOT NULL default '',
`transport` varchar(120) NOT NULL default 'virtual:',
`enabled` tinyint(1) NOT NULL default '1',
PRIMARY KEY (`pkid`)
) ;
CREATE TABLE `users` (
`id` varchar(128) NOT NULL default '',
`name` varchar(128) NOT NULL default '',
`uid` smallint(5) unsigned NOT NULL default '5000',
`gid` smallint(5) unsigned NOT NULL default '5000',
`home` varchar(255) NOT NULL default '/var/spool/mail/virtual',
`maildir` varchar(255) NOT NULL default 'blah/',
`enabled` tinyint(3) unsigned NOT NULL default '1',
`change_password` tinyint(3) unsigned NOT NULL default '1',
`clear` varchar(128) NOT NULL default 'ChangeMe',
`crypt` varchar(128) NOT NULL default 'sdtrusfX0Jj66',
`quota` varchar(255) NOT NULL default '',
`procmailrc` varchar(128) NOT NULL default '',
`spamassassinrc` varchar(128) NOT NULL default '',
PRIMARY KEY (`id`),
UNIQUE KEY `id` (`id`)
) ;
The last few fields in the users table are not required, but useful if you extend later.
Next is to edit the MySQL's my.cnf file. In Ubuntu/debian this is created by default. In Mandrake I had to manually create a blank one in /etc. But we need to configure it, so:
vi /etc/mysql/my.cnf
In previous version you needed to comment out this line
#skip-networking
However in todays file the default is to bind the address to localhost, which is fine.
bind-address = 127.0.0.1
It is very useful at the start to log any SQL calls that makes it to MySQL. So enable this line:
log = /var/log/mysql/mysql.log
Then in a few weeks comment it out when everything is working, as it slows mysql down
Restart MySQL to make sure its picking up the new settings.
sudo /etc/init.d/mysql restart
Return to top.
Pop/IMAP
Courier IMAP
Please refer to previous edition for more explanations. But below is the details of what you need to change.
vi /etc/courier/authdaemonrc
Change to mysql mode.
authmodulelist="authmysql"
Enable logging.
DEBUG_LOGIN=2
vi /etc/courier/authmysqlrc
Changed user
MYSQL_USERNAME mail
Changed password
MYSQL_PASSWORD apassword
Changed database
MYSQL_DATABASE maildb
Changed users table
MYSQL_USER_TABLE users
Keep commented in crypt pw
MYSQL_CRYPT_PWFIELD crypt
Keep commented out clear pw
#MYSQL_CLEAR_PWFIELD clear
Added maildir
MYSQL_MAILDIR_FIELD concat(home,'/',maildir)
Added where clause
MYSQL_WHERE_CLAUSE enabled=1
vi /etc/courier/imapd
Leave unchanged.
Return to top.
You know have a basic mail server. You can use this, but Id recommend continuing. However this is a good point to test the set up so far and to insert some data in the db.
Ive created an EC2 bundle for this stage: flurdy-amis/ubuntu-mail-server-simple.
Return to top.
No, I will not fix your computer
Advanced mail server
Now lets extend this setup with more useful content checks , security and user interfaces.
Content Checks (Anti spam & anti virus)
Amavisd-new
Amavisd ties together all the different ways of checking email content for spam and viruses.
The defaults are pretty good and also the ubuntu documentation is pretty clear, and recommended.
Here is a tweaked version of it:
Initially we will not enable spam or virus detection! This is so we can get amavis set up to receive, check and pass on emails before we go on and over-complicate it.
All of amavis' configuration files are in /etc/amavisd. They are now spread across several files in conf.d. Debian and Ubuntu defaults are now very sensible and spread into seperate files.
cd /etc/amavis.d/conf.d
01-debian defaults are fine.
Have a look at
less 05-domain-id
but dont change anything in it.
Have a look at
less 05-node-id
but dont change anything in it.
Have a look at
less 15-av_scanners
but dont change anything in it.
Edit content check file
sudo vi 15-content_filter_mode
Comment out both virus and spam scans. (Default).
# #@bypass_virus_checks_maps = (
# \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
# @bypass_spam_checks_maps = (
# \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
Have a look at
less 20-debian_defaults
but dont change anything in it.
25-amavis_helpers defaults are fine.
30-template-localization defaults are fine.
Edit user file
sudo vi 50-user
In the middle insert:
@local_domains_acl = qw(.);
$log_level = 2;
$syslog_priority = 'debug';
$sa_kill_level_deflt = 8.0; # triggers spam evasive actions
$final_spam_destiny = D_PASS;
# $final_spam_destiny = D_PASS;
We have not setup amavis to scan and pass along incomming email. Next we will setup postfix to talk to amavis.
vi /etc/postfix/master.cf
Append these lines to the end of the file (make sure they are not already present). (Note the -o lines have spaces in front of them.
amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
Also add the following two lines immediately below the "pickup" transport service:
-o content_filter=
-o receive_override_options=no_header_body_checks
and then added to main.cf
sudo vi /etc/postfix/main.cf
content_filter = amavis:[127.0.0.1]:10024
Enable scanning by ClamAV of amavis' temporary files.
sudo adduser clamav amavis
This should be it to get amavis working. If emails are picked up by amavis and passed back to postfix then it looks okay. Next is to uncomment the anti virus and anti spam lines in
sudo vi 15-content_filter_mode
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
But do that after the next section (SpamAssassin).
When things are working we will turn down logging level, and start bouncing/discarding spam.
sudo vi /etc/amavis/conf.d/50-user
@local_domains_acl = qw(.);
$log_level = 1;
$syslog_priority = 'info';
$sa_kill_level_deflt = 8.0; # triggers spam evasive actions
#$final_spam_destiny = D_PASS;
$final_spam_destiny = D_DISCARD;
Return to top.
Anti-Spam
SpamAssassin
The default config of spam assassin is okay. You could refer to previous edition for more configuration options.
You do need to tell SpamAssassin to start smapd on boot.
vi /etc/default/spamassassin
ENABLED=1
One configuration option you could tweak is to enable Bayes and auto learning.
vi /etc/spamassassin/local.rf
I read your email
Return to top.
Anti Virus
ClamAV
ClamAV does not need setting up. Configuration files are in /etc/clamav, but they are automatically generated, so do not edit.
By default freshclam, the daemon that updates the virus definition database, is run 24 times a day. That seems a little excessive, so I tend to set that to once a day.
sudo dpkg-reconfigure clamav-freshclam
If needed, this will redefine the configuration with a lot of questions. Not needed unless you need to configure.
sudo dpkg-reconfigure clamav-base
Return to top.
Postgrey
The default config of postgrey is okay. However you need to tell Postfix to use it.
sudo vi /etc/postfix/main.cf
And then edit the recipient restrictions:
s mtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:60000, permit
You can tweak whitelisting in /etc/postgrey. You can tweak postgrey configuration by tweaking /etc/default/postgrey. E.g. delay, auto whitelisting, or reject message.
Return to top.
You know have an advanced mail server. You can use this, but Id recommend continuing. However this is a good point to test the set up so far and to insert some data in the db.
Ive created an EC2 bundle for this stage: flurdy-amis/ubuntu-mail-server-spam.
Return to top.
Secure mail server
Stopping hackers, phishers, spammers, your boss and your neighbour from accessing your server or the traffic in between is important, and easily done.
Authentication
Normal email traffic between clients and servers are in open plain text. That includes passwords and content of emails.
SASL
Please refer to previous edition for more detail.
SASL secures the actual authentication (login), by encoding the passwords so that it can be easily intercepted. The rest of the emails are however in clear plain text.
This is a section I will revisit for the next edition!
Encryption
TLS
Encrypting the traffic stops anyone else listening in on your email communications. And is very recommended. There are different types of communication to encrypt: The data traffic between your email applications and the server when you read emails or when you send emails, and communication between other email servers and your server.
For the encryption of reading emails, it is Courier you need to configure. For sending, and beetwen server encryption it is Postfix.
TLS in Postfix
To encrypt you need certificates. Ubuntu creates some for you for which you can use while setting up the server. However before you go live, it is recommended to create your own with your proper domain name etc. Please refer to previous edition for more detail.
vi /etc/postfix/main.cf
There are already some TLS settings in the default debian/ubuntu version of this file. I moved these to the end, for clarity, but that is up to you.
# TLS parameters
#smtp_use_tls = no
smtp_tls_security_level = may
#smtpd_use_tls=yes
smtpd_tls_security_level = may
#smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Next we have a look at the master.cf file.
vi /etc/postfix/master.cf
By default only the normal smtp service is enabled, which is fine. But I prefer to enable submission (port 587), so that clients can use it, and I can restrict them to TLS only. Also enabled smtps service (port 465), for some compatebility with some older clients (outlook express etc).
submission inet n - n - - smtpd
-o smtpd_sasl_auth_enable=yes
# if you do not want to restrict it encryption only, comment out next line
-o smtpd_tls_auth_only=yes
# -o smtpd_tls_security_level=encrypt
# -o header_checks=
# -o body_checks=
-o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination, reject
-o smtpd_sasl_security_options=noanonymous,noplaintext
-o smtpd_sasl_tls_security_options=noanonymous
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sasl_security_options=noanonymous,noplaintext
-o smtpd_sasl_tls_security_options=noanonymous
# -o milter_macro_daemon_name=ORIGINATING
TLS in Courier
Again Ubuntu has created a certificate for you, but if you want to create your own, especially for a properly named server, then do this.
cd /etc/courier
openssl req -x509 -newkey rsa:1024 -keyout imapd.pem \
-out imapd.pem -nodes -days 999
For more details review last edition.
Then you need to edit
vi /etc/courier/imapd-ssl
By default Ubuntu already points to you certificate
TLS_CERTFILE=/etc/courier/imapd.pem
Modify this if needed.
Also you if want to restrict IMAP users to SSL/TLS only toggle this setting to 1.
IMAP_TLS_REQUIRED=1
For maximum compatability it is not wise to restrict to TLS only for the traffic between servers. As this means not all valid emails sent by others can reach your server. However enabling them the option to encrypt is a good idea.
Be aware that the emails are not encrypted on your machine, nor on the server. For this type of client encryption, please refer to previous edition for more on GnuPG.
In some situations SASL and TLS do not play well together. Those situations are in combinations of storing encrypted passwords, using MD5 authentication over encrypted traffic. I recommend, insisting on TLS traffic with your authenticating clients, which then negates the need for SASL.
You know have an advanced secure mail server. Now is another good point to test the set up so far and to insert some data in the db.
Ive created an EC2 bundle for this stage: flurdy-amis/ubuntu-mail-server-secure.
Return to top.
Webmail
Using among others the https://help.ubuntu.com/community/Squirrelmail as an updated reference.
Enable web access
You may need to enable web access in the firewall. Check the firewall configuration if this neccessary.
You need to copy a SquirrelMail configuration to apache.
sudo cp /etc/squirrelmail/apache.conf /etc/apache2/sites-available/squirrelmail
And enable with this:
sudo ln -s /etc/apache2/sites-available/squirrelmail /etc/apache2/sites-enabled/500-squirrelmail
Or as Florent recommends, use:
sudo a2ensite squirrelmail
You may accept the default apache configuration where squirrelmail is folder in all sites. But I prefer virtual hosting. But you dont need to do these next steps.
sudo vi /etc/apache2/sites-available/squirrelmail
Comment out the alias.
# alias /squirrelmail /usr/share/squirrelmail
Uncomment the virtual settings., and insert your servers name.
# users will prefer a simple URL like http://webmail.example.com
DocumentRoot /usr/share/squirrelmail
ServerName webmail.example.com
If you have apache SSL enabled in apache, then you can also uncomment the mod_rewrite section for further security.
Reload apache to activate changes. First test if ok.
sudo apache2ctl -t
Then reload it.
sudo /etc/init.d/apache2 reload
You can now go toyourdomain.com/squirrelmail/ or mail.yourdomain.com if you chose virtual host. This should show a squirrel mail page. Log in wont work yet though.
Start configuring squirrel mail.
sudo squirrelmail-configure
Initially change nothing. You can customize more afterwards. You can browse, and exit sub menues by typing R.
Type 2 to edit server settings. Type A to edit IMAP settings.
Type 8 to edit server software. Enter courier.
courier
Now they say using TLS over localhost is a waste of time. But I do anyway. Type 7 to edit secure IMAP. Type
Y
to enable it.
Type 5 to edit IMAP port. Enter
993
Type S to save your changes. Hit Enter.
Type Q to exit.
You can now go to yourdomain.com/squirrelmail/ or mail.yourdomain.com if you chose virtual host. This should show a squirrel mail page. Log in will now work. (Except you may not have defined users, check data section. And they may not have received an email which also means you can not view any IMAP info.)
Please refer to previous edition for more detail. E.g. creating address books and user preferences.
Return to top.
Administration
Enable web access
You may need to enable web access in the firewall. Check the firewall configuration if this neccessary.
You need to copy a phpMyAdmin configuration to apache.
sudo cp /etc/phpmyadmin/apache.conf /etc/apache2/sites-available/phpmyadmin
And enable with this:
sudo ln -s /etc/apache2/sites-available/phpmyadmin /etc/apache2/sites-enabled/400-phpmyadmin
Or as Florent recommends, use:
sudo a2ensite phpmyadmin
You may choose to restrict phpMyAdmin to a spefic virtual host. If so you need to, edit
sudo vi /etc/apache2/sites-available/phpmyadmin
and comment out the alias. And insert the alias into a virtual host configuration. For this example we are not.
Reload apache to activate changes. First test if ok.
sudo apache2ctl -t
Then reload it.
sudo /etc/init.d/apache2 reload
You can now go to http://yourdomain.com/phpmyadmin/, and login with the mail user. You can use it as it is, but I recommend securing it a bit more.
One simple way is adding apache's .htaccess login requirement.
Further restrictions can be restricting to a specific virtual host. Or renaming the folder. Purely ubfuscating, but simple.
Or using the example in the webmail section, and adding SSL requirement to the connection. Or disabel mysql root's access via phpMyAdmin.
Please refer to previous edition for example on htaccess, and mysql user restriction.
You know have a finished mail server. This is as far as the main guide goes. Hope it was clear enough to follow.
Now it is time to insert data, and to test how it works.
Feel free to extend it with my suggestions further down.
Ive created an EC2 bundle for this stage: flurdy-amis/ubuntu-mail-server-webmail.
Return to top.
Data
Add users and domains
Common SQL
Add users and domains
So we got a fully set up mail server... Well no, there is no users, domains, no nothing!
Okay, first you need add some default data, some which are required, some which make sense.
Then we'll add your own users and domains.
First the required domains for local mail
# Use phpMyAdmin or command line mysql
INSERT INTO domains (domain) VALUES
('localhost'),
('localhost.localdomain');
Then some default aliases. Some people say these are not needed, but I'd include them.
INSERT INTO aliases (mail,destination) VALUES
('postmaster@localhost','root@localhost'),
('sysadmin@localhost','root@localhost'),
('webmaster@localhost','root@localhost'),
('abuse@localhost','root@localhost'),
('root@localhost','root@localhost'),
('@localhost','root@localhost'),
('@localhost.localdomain','@localhost');
Then a root user.
INSERT INTO users (id,name,maildir,crypt) VALUES
('root@localhost','root','root/', encrypt('apassword') );
Now lets add some proper data.
Say you want this machine to handle data for the fictional domains of "blobber.org", "whopper.nu" and "lala.com".
Then say this machine's name is "mail.blobber.org".
You also have two users called "Xandros" and "Vivita".
You want all mail for whooper to go to xandros.
There is also a "Karl" user, but he does want all mail forwarded to an external account.
INSERT INTO domains (domain) VALUES
('blobber.org'),
('whopper.nu'),
('lala.com');
INSERT INTO aliases (mail,destination) VALUES
('xandros@blobber.org','xandros@blobber.org'),
('vivita@blobber.org','vivita@blobber.org'),
('karl@blobber.org','karl.vovianda@gmail.com'),
('@whopper.nu','xandros@blobber.org'),
('@lala.com','@blobber.org'),
('postmaster@whopper.nu','postmaster@localhost'),
('abuse@whopper.nu','abuse@localhost'),
('postmaster@blobber.org','postmaster@localhost'),
('abuse@blobber.org','abuse@localhost');
INSERT INTO users (id,name,maildir,clear) VALUES
('xandros@blobber.org','xandros','xandros/', encrypt('apassword') ),
('vivita@blobber.org','vivita','vivita/', encrypt('anotherpassword') );
So what does each of these lines do? Well the domains are pretty straight forward.
The users are as well, it requires four fields. ID is the email address of the user, and also its username when loggin in, described later on. NAME is optional description of the user. MAILDIR is the name of the folder inside /var/spool/mail/virtual. It must end in a /, otherwise it wont be used as a unix maildir format. CRYPT is the encrypted text password to use.
The alises are the interesting part. Lets start from a top down view. Say an email arrives addressed to "john@whopper.nu". Postfix looks up aliases and searches for a row where the mail field matches "john@whopper.nu". None does so it next searches for "@whopper.nu", which is the way to specify catch all others for that domain. It finds one row and its destination is "xandros@blobber.org". It then searches for "xandros@blobber.org" and finds one, which destination is the same as the mail, therefor it is the final destination. It then tries to deliver this mail. The look up says blobber.org is a local mail so it looks up users for a matching id and delivers it to its maildir.
Lets try "julian.whippit@lala.com". First lookup does not find this user, but the next finds the catchall "@lala.com". But its destination is another catchall, "@blobber.org". This means Postfix will look for "julian.whippit@blobber.org". This address is not found either, nor is a catchall for blobber.org. Therefor this address is not valid and the message will be bounced.
Any mail arriving for "karl@blobber.org" or "karl@lala.com", gets forward to an external address of "karl.vovianda@gmail.com". So forwarding is simple. I tend to use a subdomain for all my friends addresses as easily I forget what their real addresses are, and I use different email clients all the time.
I also added the required aliases of postmaster and abuse to blobber.org and whopper.nu. The catchall for lala.com means they are not required for that domain. You can add them though if you do not want xandros to get the admin emails. Another useful alias to add is root, as often you get admin mail from e.g cron jobs within those domains etc. Other often used aliases are info, sysadmin, support, sales, webmaster, mail, contact and all. But they are also honeypots for spam, so just include the ones you think you will need.
So to add a new domain to the system, You do this:
INSERT INTO domains (domain) VALUES ('domain.tld');
INSERT INTO aliases (mail,destination) VALUES
('@domain.tld','email@address'),
('postmaster@domain.tld','email@address'),
('abuse@domain.tld','email@address');
And to add a new user to the system, do this:
INSERT INTO users (id,name,maildir,clear) VALUES
('email@address','short description','foldername/',encrypt('password'));
INSERT INTO aliases (mail,destination) VALUES
('email@address','email@address');
Return to top.
Common SQL
A selection of useful sql statements, if you are not using an admin/manager program to maintain your email domains and users.
Find domains without a catchall
#Remember some might be disabled
SELECT dom.domain
FROM domains dom
LEFT JOIN aliases al
ON CONCAT( '@', dom.domain ) = al.mail
WHERE al.mail is null
OR al.enabled = 0
ORDER BY dom.domain ASC
Find aliases for an invalid domain
SELECT al.*
FROM aliases al
LEFT JOIN domains dom
ON dom.domain = SUBSTRING(al.mail,LOCATE('@',al.mail)+1)
WHERE dom.domain is null
OR dom.enabled = 0
ORDER BY al.mail ASC
Find all non local destination aliases
SELECT al.*
FROM aliases al
LEFT JOIN domains dom
ON dom.domain = SUBSTRING(al.destination,LOCATE('@',al.destination)+1)
WHERE dom.domain is null
ORDER BY al.enabled, al.destination ASC, al.mail ASC
Find all aliases for a certain domain
SELECT al.*
FROM aliases al
WHERE SUBSTRING(al.mail,LOCATE('@',al.mail)+1) = 'domain.tld'
ORDER BY al.enabled, al.mail ASC
Find all aliases for a certain domains, checking if enabled for both domain and alias
select *
from domains d
join aliases a
on a.mail like concat( '%','@',d.domain)
and a.enabled = 1
where d.enabled = 1
and d.domain like '%foobar%'
order by d.domain,a.mail
Return to top.
Test
Please refer to previous edition for how to test your setup. That edition have an extensive testing section.
Return to top.
Intialize
Brief hints if you receive a ready setup machine (or EC2 AMI), and what then to check and to customize it to your setup.
Stop services
Restrict firewall
Change passwords
Check configurations
Set machine name
Certificates
Start and test services
Insert data
Reload postfix
Open firewall
Test
Stop services
First stop services so they wont accidentally do something.
sudo /etc/init.d/postfix stop
sudo /etc/init.d/courier-imap-ssl stop
sudo /etc/init.d/courier-imap stop
sudo /etc/init.d/courier-authdaemon stop
sudo /etc/init.d/mysql stop
sudo /etc/init.d/amavisd stop
sudo /etc/init.d/spamassassin stop
sudo /etc/init.d/clamav stop
Restrict firewall
Check what the firewall rules are.
vi /etc/shorewall/rules
Refer to the . Restrict to just SSH access for now.
Change passwords
Next the passwords needs to be changed. For both the system and mysql.
System passwords
Check which users are defined on the system.
cat /etc/passwd
Apart from all the system ones, there should probably be none (if EC2 AMI) or just your user if it is a standard Ubuntu install. If there are some users, you need to change their passwords.
SSH Access
Next we check whom got SSH access. If there was any users defined, check their home folders for ssh keys.
cat /home/username/.ssh/auth*
Remove any you do not expect to be there. Next check if and which specific users has been defined for SSH access in
vi /etc/ssh/sshd
Usually this is fine.
MySQL passwords
First you need to change the root mysql user. If none has been set do this
mysqladmin -u root password new_password
Otherwise do this and you will be prompted for the old password
mysqladmin -u root password new_password -p
Then the default mail user as well. If you know the old password
mysqladmin -u mail password new_password -p
Otherwise log into mysql as root:
mysql -u root -p
Enter new root password specified above, then:
update mysql.user set password=password('apassword') where user='mail';
flush privileges;
You may need to revisit the top of MySQL section to re-grant the mail use rights on the database.
If you do not know the old root password, you have to restart mysql without grant rights. Google it... :)
Update postfix mysql configuration files with the new password.
sudo vi /etc/postfix/mysql*
password=apassword
Update courier's authmysql file with the new password as well.
sudo vi /etc/courier/authmysqlrc
MYSQL_PASSWORD apassword
Check configurations
You should scan the postfix, courier, etc. configurations to check if they match what you expect.
Set machine name
Now you need to define your machine name, e.g. something like smtp.yourdomain.com. You need to define it in
sudo vi /etc/mailname
And then your domain name in
sudo vi /etc/postfix/main.cf
under the mydomain setting
myorigin=yourdomain.com
It could also be smart to check what the unix hostname is specified as
hostname
This can be reset by
sudo hostname smtp.yourdomain.com.
All though this does not have to be the same as your postfix mail server name. You may want to speficiy some hosts in hosts file as well,
sudo vi /etc/hosts
127.0.0.1 localhost.localdomain localhost
127.0.0.1 smtp.yourdomain.com smtp
Certificates
You could go along with the generated certificates (if they are there, default for Ubuntu). Or if you could create new ones with the correct machine name in them. Especially if this a mail server used by many, and authenticiy is important. Follow the TLS certificate instructions for Postfix and Courier.
Start and test services.
Next you need to start your mail services and test them.
sudo /etc/init.d/mysql start
sudo /etc/init.d/spamassassin start
sudo /etc/init.d/clamav start
sudo /etc/init.d/amavisd start
sudo /etc/init.d/postfix start
sudo /etc/init.d/courier-imap-ssl start
sudo /etc/init.d/courier-imap start
sudo /etc/init.d/courier-authdaemon start
So test tjenestene via testing section.
Insert data
Insert your mail domains, aliases and users using the data section.
Some times there are test data already in the database. Remove them. E.g.;
mysql -u mail -papassword maildb
delete from domains where domain = 'bar.com';
delete from aliases where mail = 'foo@bar.com';
Open firewall
Then open up the firewall, follow the world access bit in the firewall configuration. Voila. Up and running. Well we hope.
Return to top.
Extend
Please refer to previous edition for how and why you can extend this mail server.
By now you should have a fully working system. No point extending and complicating it untill then. What next? There are many ways to extend the server, to create your own powerfull customized version.
Remote MX mail backup
Local file backup
Sender ID & SPF
Spam reporting
White/Black lists
PGP & S/MIME
Relocation notice
Pop-before-SMTP
Admnin Software
Auto Reply
Block Addresses
Throttle Output
Mail Lists
Sugesstions?
Some of these sections can be brief as they are not core to this howto.
Remote MX mail backup
With MX backup loosing emails are unlikely.
Normally if someone sends an email destined for you, their server will try and connect to your server. If it can't reach your server for whatever reason ( it is down, dns issues, there is network problems, or just too busy ), the other server will back off and try again in a bit. How many and for how long it will try again is determined by the sending server. Some of them are not very patience, and it will report undelivered after only a few attempts. So you would have lost that email.
If you had specified a backup MX, this email may not have been lost. Upon first failure to connect to your server, the sender would see if there is any alternative server to send to. So it connects to your backup mx server. This server spools and queues your message and will try at intervals to send the message to you. It too will though eventually give up.
What is the difference? Simple, you (or whoever controls the backup mx ) is in control how long and often to try connecting to your machine. So if you have a reasonable values and your server is not down for weeks, no mail is lost.
How to implement it? First edit the DNS records again, and add a backup mx with a higher value.
# your server details
domain.tld IN MX 10 your.mailserver.name.tld
# new backup server
domain.tld IN MX 20 your.backupserver.name.tld
Now presuming the other backup mx is a postfix server identical to this, or you are backuing up someone else's server; Go into mysql and create this tables:
CREATE TABLE `backups` (
`pkid` smallint(6) NOT NULL auto_increment,
`domain` varchar(128) NOT NULL default '',
`transport` varchar(128) NOT NULL default ':[]',
`enabled` smallint(6) NOT NULL default '1',
PRIMARY KEY (`pkid`),
UNIQUE KEY `domain` (`domain`)
);
Then still on the backup server, edit main.cf and add these:
relay_domains = mysql:/etc/postfix/mysql_backups.cf
transport_maps = mysql:/etc/postfix/mysql_transport.cf
You may choose to have this as the last line in the file, as you may use small cron jobs to modify this ip address, if you don't have a permanent static address. It should contain your IP addres, hence if you do not have a very static IP address, that you need to automatic editing if the postfix file.
proxy_interfaces = 1.2.3.4
If someone comes with a better way, then let me know.
Next create this file /etc/postfix/mysql_backups.cf
user=mail
password=apassword
dbname=maildb
table=backups
select_field=domain
where_field=domain
hosts=127.0.0.1
additional_conditions = and enabled = 1
Next create this file /etc/postfix/mysql_transport.cf
user=mail
password=apassword
dbname=maildb
table=backups
select_field=transport
where_field=domain
hosts=127.0.0.1
additional_conditions = and enabled = 1
You noticed I added a transport lookup. This is a field in both the domain and the backup tables. In domains it is used to determine how to deliver the email, ie either virtual (correct) or local (not used in this howto). When backing up servers, your also need to specify in the transport field how to connect to the correct servers.
Say you are backiup for a friends server, mail.friend.com, for the domains of friend1.com and friend2.com. So you should insert this into your backup table.
INSERT INTO backups (domain,transport)
VALUES ('friend1.com' , ':[mail.friend.com]' ),
('friend2.com' , ':[mail.friend.com]' );
The :[] tells to connect directly to this server, not doing any more look ups for valid MX servers.
This shouls now work fine. Further tweaking of the queue values, review these and modify as appropiate. Shorter warning times are good for the sender, so that they realise the email has not arrived yet, but may also be annoying. Tradeoffs.. Look in the first main.cf configurations for ways to do so.
Return to top.
Local file backup
Here is rough backup script to backup your configurations and mail folders. You may want to backup the folders seperatly as they can quickly grow to GBs. Adding this to a cronjob automates this process. Be aware that you should stop postfix and courier while backing up the mail folders. And that if they have grown large, that this may take some time.
tar czf mail-config.xxxxx.tgz /etc/postfic /etc/courier /etc/spamassassin /etc/clamav /etc/amavis /etc/mysql/my.cnf
tar czf mail-fold.xxxx.tgz /var/spool/mail/virtual
mysqldump -u mail -papassword -t maildb > data.sql
mysqldump -u mail -papassword -d maildb > schema.sql
tar czf mail-data.xxx.tgz schema.sql data.sql
tar cf mail.xxxxx.tar mail-*.xxxxx.tgz
You may combine a full backup with a intermediate update of what has changed recently only.
tar --newer-mtime "2005-01-01"
Return to top.
Sender ID & SPF
todo
Further security features is using Microsoft's Sender ID or Pobox's SPF. I'd use SPF as there is much argument over Sender ID.
spf.pobox.com/
www.microsoft.com/mscorp/safety/technologies/senderid/
While SPF should limit who can send mail on behalf of your domains, ( so basically less spoofed spam addresses ), I do have some technical issues with SPF as the design of it is a bit iffy. That is because of the limitation of DNS and that it has to fit inside the limited TEXT part. No nice XML config file....
While Microsoft is not always entirely evil, as sometimes they do nice things and make some useful software, I would prefer not to be locked into their Sender ID technology.
Return to top.
Spam reporting
todo
Reporting spam to Pyzor, Razor and SpamCop, for collaboration in spam fighting.
More detail on SpamCop is here.
http://pyzor.sourceforge.net/
http://razor.sourceforge.net/
Return to top.
White/Black Lists
todo
You can implement white and black lists to explicitly allow or block domains and users.
You have already visited the option of a blackhole list of known open relays in the postfix configuration.
You can implement further lists inside Postfix or SpamAssassin. Amavisd-new already has a few well known white/black listed items in its config files. SpamAssissin also as a feture to automaticly learn white lists.
Return to top.
PGP & S/MIME
Adding support for GnuPG and S/MIME increases indiviual security.
This is not implemented on the postfix server side, as this totally a client side option.
However SquirrelMail has a GnuPG option. It is a plugin that can be downloaded from their website. Which can then be enabled via SquirrelMail's config script.
Here is how to create a GnuPG key pair.
# check you have not already got a key
gpg --list-keys
# then create one
gpg --gen-key
To import GnuPG into Evolution; in your settings/preferences edit your account settings and add you private key under the security tab. The private key is found via listing the GnuPG keys as above, then it is the 8 characters after the "sub 1024g/" bit of you key.
To use GnuPG with Thunderbird you need to install EnigMail.
S/MIME is another way to encrypt and/or sign messages. You can create you own certificate or use known organizations like Thawte. (Thawte was originally set up by the Ubuntu founder)
Return to top.
Relocation notice
If people change addresses, a bounced message stating so if people send email to the old address is quite useful. To implement this in postfix, frst create a lookup table in the database.
CREATE TABLE `relocated` (
`pkid` smallint(6) NOT NULL auto_increment,
`oldadr` varchar(128) NOT NULL default '',
`newadr` varchar(128) NOT NULL default '',
`enabled` tinyint(1) NOT NULL default '1',
PRIMARY KEY (`pkid`),
UNIQUE KEY `oldadr` (`oldadr`)
) ;
Then add this to /etc/postfix/main.cf
relocated_maps = mysql:/etc/postfix/mysql_relocated.cf
The create this file /etc/postfix/mysql_relocated.cf
user=mail
password=apassword
dbname=maildb
table=relocated
select_field=newadr
where_field=oldadr
hosts=127.0.0.1
Then if pete@domain1.com has changed address to pete.jones@another.org:
INSERT INTO relocated (oldadr,newadr)VALUES
('pete@domain1.com','pete.jones@another.org');
If anyone sends an email to pete@domain.com, they will get a message back stating he has changed address to pete.jones@another.org.
Return to top.
Pop-before-SMTP
If SASL didn't work, or you are using clients which dont support it, the Pop-Before-SMTP is an easy way around that issue, so that people externally can still securly send mail via your server.
Refer to my 2nd edition on Pop-before-SMTP setup.
Return to top.
Admin software
todo
Trying out a few admin software might make you life easier, if phpMyAdmin gets to crude. Quick search
More to come later.
Return to top.
Auto Reply
todo
Postfix have now features to auto reply to an email, while still delivering it to its alias.
Return to top.
Block Addresses
If you use catch alls, which are useful for some domains, then eventually some addresses will be target for spam. You can then either stop the catch all, or stop indivdual addresses.
By implementing a lookup and adding this restriction to smtpd_recipient_restrictions accomplises this.
check_recipient_access mysql:/etc/postfix/mysql_block_recip.cf,
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, \
check_recipient_access mysql:/etc/postfix/mysql_block_recip.cf, \
reject_non_fqdn_recipient, reject_unauth_destination, \
check_relay_domains
Beware of the order is important here, if any options says ok before check_recipient_access it will ignore it.
Next create mysql_block_recip.cf to lookup addresses. Either create a another table, or add a blocked field to aliases table.
Return to top.
Throttle Output
todo
For some users with restrictions on bandwidth, you may wish to control how much mail is sendt out. Postfix has long refused to implement these features, out of ideolocial beliefs that mail servers should not be restricted. However there are some ways around this. More to come later.
Return to top.
Mail Lists
Rich Brown has written a howto on adding Mailman, a mail list program, to my howto. Click here to read it.
Do note it is not part of my howto, so do not contact me regarding it. And although I think it is fine, I can't guarantee it will work.
If you do need assistance or need to talk about it, contact Rich via his howto or use the forums for this howto.
If you want a simple mailling list, it can be implemented by simply seperating aliases in the destination field in the aliases table with a comma.
INSERT INTO aliases (mail,destination) VALUES
( 'listof@domain.com' , 'john@ppp.com,vic@domain.com,jj@somewhere.tld' );
Return to top.
Google Apps / GMail
Currently writting this one...
I have for various reasons integrated some Google Apps hosted domains into my mail server. And you can still have good control over the addresses by using your server with Google Apps.
More information on Google Apps.
Why
Some already have their domain's email hosted with Google.
Some people prefer Google's web based interface.
Temporary Migrations.
Include Google's security features on top of yours.
How
Options
The easiest and simples solution is not to have a domain MXed to your server, and simply alias email to those domains. eg All email to joeblogs.co.uk hosted on your server are forwarded to joeblogs.com hosted with google.
You may set up your own server to simple be a mail server backup (mx) for a domain hosted with google. If you are the first priority in the MX details of the DNS, you still have some control, but not all will obey the priority listing. E.g. spammers, but some valid senders as well.
However the one I use and the option where you are most in control is to keep you server as the only MX server in the DNS. And only forward certain aliases onto Google after all your servers checks. Other aliases and user can just use your mail server if you prefer. I will explain how to do this in the next steps.
DNS
You only put your mail server as the mx for the domain in question. Google will complain about this, as it will not be able to verify that email is setup correctly. Ignore this as it will still accept emails.
MySQL tables
You setup you aliases as normal. However you domain table needs tweaking. This is because otherwise your server will just forward the email to itself. You can actually specify aliases in the domain table.
Example: Your domain is bloggs.com. Joe wants to use gmail. Mary does not.
to be done
to be done
Issues
There are some items you should consider when integrating Google Apps.
Privacy
First there is the privacy issue. This is the same as if you were using Google Apps only or GMail. Google can and will read your email. However probably not a person, but they will use it for commercial reasons, E.g. showing relevant ads. Some people really hate this part and refuse to use Google's mail products. However I trust them a little bit, and do use it.
Spam
If you forward spam, then consider your own servers reputation. Should be okay though.
SPF
If you use SPF for your domain, consider that both your server and google will receive and send mail on behalf of that domin.
Google internally
Be aware Google think they host you domain. So if others inside google, or using google hosted apps or GMail, if they email you, the email may not go via your email server, but directly to the Google Apps for your domain. That could be an issue if not all aliases you have use Google Apps. This needs to be tested more though. Especially as it may only be an issue if Google's servers are part of you domains MXs.
Return to top.
Suggestions?
If you have any suggestions to other ways of extending a postfix server, then fire off a mail to me via the contact form further down.
Return to top.
Elastic Computing Cloud
Impressions
Using EC2 with this howto
Amazon EC2 Images: AMIs
EC2 Links
Impressions
Before
Looked very neat, Seemd applicable for big company/universities only. And conveluted interface.
After
Easy to use. Anyone can use, not just big companies. Very useful. Tools are command line but simple. Firefox extensions work well. Recommended.
How I plan to use it with my mail servers
Different images to launch for different needs. Good way to scale backup MXs if needed. Can script backup to S3 of mail dirs etc.
Using EC2 with this howto
If you plan to use EC2 to follow this howto, then familiarise yourself with EC2 first. Check the links further down.
Once competent enough on EC2, launch Eric Hammond's base 32bit Ubuntu 8.04 Hardy Heron AMI image. You can cheat by using my other images, but you should really know how the whole server was built by starting from the bottom.
When using EC2 images, be aware of security groups as they restricts access to your server on top of the firewall. Initially you will need SSH (22) access, quite soon you will need SMTP and IMAP ports opened, 25,143,465,587 and 993, and eventually webserver ports of 80 and 443. Read here for tips on securing AMIs.
Also do not terminate your instances without backing up your machine. This you can do by either create your own image. Or backup certain data if you got an image to instantiate from. Back up to S3 or your local machine. Create images only now and then. Backup configurations, database, maildirs more regularily.
Note: You probably want to remove my ssh key from root's authorized_keys2 file.
2nd Note: Spamhaus.org lists amazons ec2 ip ranges as dynamic, thus many mail servers will reject emails from it. (Including other people using this howto.) But Spamhaus has a simple web page to remove ips, which they link to in rejection messages. Simple look in your logs, click on the link on follow the instrucions: basically fill in your ip, email and state its for a mail server. Then Spamhaus will remove your IP from their database.
3rd Note: This fix needs to applied to the instances.
Amazon EC2 Images: AMIs
Public AMIs to use as base: AMI Description S3 Name Extended from
ami-ce44a1a7
Eric Hammond's base Ubuntu 8.04 Hardy Heron
ami-0f41a466
Clean with packages but no configuration
flurdy-amis/ubuntu-mail-server-clean-080502-1
ami-ce44a1a7 (Eric Hammond's base)
ami-8541a4ec
Just mysql, postfix and courier configured
flurdy-amis/ubuntu-mail-server-simple-080504-1
ami-0f41a466 (Clean)
ami-9941a4f0
Including anti spam and anit virus
flurdy-amis/ubuntu-mail-server-spam-080504-1
ami-8541a4ec (Simple)
ami-395fba50
Including TLS and SASL encryption and authentication
flurdy-amis/ubuntu-mail-server-secure-080527-2
ami-9941a4f0 (Spam)
ami-275fba4e
With webmail and admin enabled
flurdy-amis/ubuntu-mail-server-webmail-080527-1
ami-395fba50 (Secure)
ami-xxx
With back up mx
flurdy-amis/ubuntu-mail-server-backup-xxx
ami-275fba4e (Webmail)
ami-xxx
With back up mx only
flurdy-amis/ubuntu-mail-server-backup-only-xxx
ami-395fba50 (Secure)
EC2 Links
Amazon web services (AWS)
Elastic Computing Cloud (EC2)
Simple Storage Service (S3)
AWS Cost Calculator
EC2 Resource Centre
EC2 Starter Guide
EC2 Firefox extension: Elasticfox
Elasticfox for Firefox 3
S3 Firefox extension: S3Fox
EC2 to S3 Admin Scripts
Return to top.
Appendix
About author
Contact
Why
References
Software Links
Difference between Ubuntu versions
Download
Todo
Change Log
About author
Ivar Abrahamsen, an IT Consultant from Norway. Specialising in developing and integrating middleware application systems. Recently moved back to Norway after 15 years in Manchester.
Return to top.
Contact
Any problems with using this guide, have any question, or any issues with this guide, please use the forum.
Any technical difference of opinion, please use the forum.
Any clear technical mistakes by me in this guide, then let me know.
If you find any spelling mistakes or broken links, please let me know.
Thank you messages are very appreciated however.
Forums
Use the forums! :)
Here is a thread on this specific mail server howto.
I am rubbish in replying to emails, and the forums are read by people whom know a lot more about Postfix than me.
I do appreciate Thank you messages however, so you can contact me. However questions may not be answered for a while or at all.
Return to top.
Why
Why your own mail server
Main reason: Because you can.
Other good reasons: Basically it leaves you in complete control, to expand, customize and tweak your mail server to your needs. You are not dependant on 3rd party providers, limited by their technology contraints or your budgets. With your own mail server you can add as many aliases, users and domain as you'd like, be as restrictive or open about security, virus, spam, file sizes etc as you prefer. And is it is well known, frequently updated, open source application stack, you can also trust the software you use.
Why I wrote this howto
When I set up my first email server I used a mix of other howtos on the net. And they were so helpfull that I though I would contribute back with my experience. And it has been useful as a recipe script for myself every time I need to install/update a server.
A less angelic reason is that back in 2003 I was setting up mail server for a few friends and collegues. Soon I was getting more request, and being a lazy programmer, I thought.. "Why don't I write a howto and let them do it themselves..." Soon it was listed on postfix.org and I was getting thousends of hits and lots of emails. (blessing in disguise)
Why I wrote this edition
Or rather why no new edition or updates for two years? Well basically no time or need to do so, so basically lazyness...
My last edition was written two years ago, and was pretty complete and thorough so my inclination to write a new one has been low, especially as my own mail server had not changed since then either.
But then my server started crashing so I upgraded it to Ubuntu 8.04 which went pretty smooth, but with a few tweaks. So time for another edition.
This time I expanded reliability to include the possibility of running backup mx servers using Amazon's Elastic Computing Cloud. Note, however this is an optional extra at the end.
Return to top.
References
Postfix howtos
Kyle's book
John Locke on TechRepublic
Hildebrandt's book
Hildebrandt's website
List-Petersen
Genco Yilmaz
Christop Haas
Nenzel & Peet
Peters
Matthews
Stepanov
Andy "Besy"
Meta Consultancy
New references
Postfix TLS
Postfix main.cf doc
saslauthd
Bypassing amavisd
Ubuntu Help: Squirrelmail
Todo
Populate some of the: Refer to previous edition...
Spell check!
Pad with better text. Copy some across from last edition.
Check bookmark links
remove uid and guid
Create backup mx AMI
Please refer to the previous edition for some old todos....
Software Links
Please refer to the previous edition.
Difference between Ubuntu versions
Please refer to the previous edition.
Download
Please refer to the previous edition.
Change log
Please refer to the previous edition.
Return to top.
This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 License.
EmoticonEmoticon