Mail Server Installation and Configuration

by rey on May.27, 2009, under Linux Tutorial

links http://www.geroleo.com/?p=304

Introduction

With all of the tutorials posted here, this is one of the most complex setup that I want to share with you. If you haven’t read my previous post regarding “DNS Installation and Configuration” please have a look at it because mail required a valid MX record. I am not saying that, you need to install your own name server. You can use name server somewhere but the most important thing is that, there must be an MX record pointing to the IP address of your mail server.

My mail setup consists of the following software:

1. Postfix – The SMTP Server;2. Cyrus SASL – SMTP Authentication;

3. pam_pgsql – Pluggable Authentication Module, sits in between Cyrus SASL & PostgreSQL;

4. Spamassassin – Spam filter which is equipped with:

o DCC – Distributed Checksum Clearinghouses

o Pyzor

o Razor

5. ClamAV – Clam Antivirus;

6. ClamSMTP – An SMTP filter sits in between the SMTP Server and ClamAV;

7. Dovecot – POP3, POP3S, IMAP & IMAPS Server;

8. PostgreSQL – Domain and User database;

9. Squirrelmail – Webmail IMAP client;

10. And my very own cPanel web interface.

The mail server which I am going to build supports multiple domains. Each domain has their own unique users which means that user@domain1 is totally different from user@domain2, they have separate mailboxes.

Procedure

1. Database Installation & Configuration;

Install the postgresql database server# yum -y install postgresql postgresql-server postgresql-contrib

Enable postgresql to start at boot in runlevel 2,3,4 & 5# chkconfig ––level 2345 postgresql on

Start the postgresql server now# service postgresql start

Modify postgresql.conf# vi /var/lib/pgsql/data/postgresql.conf

listen_addresses = ‘localhost’port = 5432datestyle = ’sql, mdy’

Modify pg_hba.conf# vi /var/lib/pgsql/data/pg_hba.conf

local all all trusthost all all 127.0.0.1/32 trusthost all all ::1/128 trust

Disable selinux protection for postgresql otherwise it will give us headache;# setsebool -P postgresql_disable_trans=on

Restart the database server to activate the changes# service postgresql restart

Create the database user “mail”# createuser -U postgres mail

Create the database “mail”# createdb -U postgres -E utf-8 mail

Download the database schema then load to the database server# wget -O – http://www.geroleo.com/wp-content/uploads/2009/05/mail.sql | psql -U postgres -d mail -f -

Create the admin user to be use for the cpanel web interface. Please notice the password and changed it with your own.# psql -U postgres -d mail -c "INSERT INTO sysusers (username,password,name) VALUES ('admin',crypt('Pass123',gen_salt('md5')),'System Administrator')"

Allow access to user admin with read/write permission to the module “access” in cpanel web interface.# psql -U postgres -d mail -c "INSERT INTO access (username,module,read,write,mode) VALUES ('admin','access','true','true','rw')"

2. Web server intallation and configuration and the cPanel web interface

Install the http server and other required softwares# yum -y install httpd perl-DBI perl-DBD-Pg

Allow httpd to connect to the database server# setsebool -P httpd_can_network_connect_db=on

Download and uncompress the cPanel# wget -O – http://www.geroleo.com/wp-content/uploads/2009/05/cpanel.tgz | tar -zxpf – -C /

Change some selinux attributes# chcon -R -u system_u -t httpd_sys_content_t /usr/local/cpanel/# chcon -t httpd_unconfined_script_exec_t /usr/local/cpanel/index.cgi# chcon -R -t httpd_sys_script_exec_t /usr/local/cpanel/bin/

The http configuration file for my webmail and the cpanel# vi /etc/httpd/conf/httpd.conf

# At line 972 I put this lineNameVirtualHost 192.168.56.2:80

# At line 211 I put this entryInclude vhost.d/*.conf

Create the virtual host directory# mkdir /etc/httpd/vhost.d

Create my virtual host configuration# vi /etc/httpd/vhost.d/geroleo.com.conf

Allow http,https,mail,postgres,pop3 & imap traffic, Other ports entry are:postgres:tcp,pop3:tcp,imap:tcp# system-config-securitylevel-tui

Enable httpd to start at boot in runlevel 2,3,4 & 5# chkconfig ––level 2345 httpd on

Start the httpd server# service httpd start

3. cPanel is my custom web application to manage domain, users and mail aliases. You can use this program at your own risk. I will not be liable if your server explodes due to the use of this program. I want you to know that cPanel runs in suid mode as “root” which means that even though httpd process is owned by user and group “apache” this program has the access level as root which has access to everything in the server.

The cPanel login screen;

Setting up the access permission;

See the POSTFIX sub-menu as it appears when you click it. Once you create a domain, cPanel will add it to the database in “domains” table and will create a folder in /home.

And here is the User Manager. If you create user on the selected domain, it will add directory in /home/$(domain)/$(user) and will served as the user’s mailbox.

4. Dovecot Installation and Configuration;

Install dovecot package with yum# yum -y install dovecot

Enable dovecot to start at boot in run level 2,3,4 & 5# chkconfig ––level 2345 dovecot on

Modify /etc/dovecot.conf# vi /etc/dovecot.conf

Create /etc/dovecot-sql.conf# vi /etc/dovecot-sql.conf

Start the dovecot daemon# service dovecot start

My next step is to test dovecot. My nose bleeds struggling dovecot and selinux because selinux prohibits dovecot to authenticate user and to access user’s mailbox as well. After writing and installed tons of semodule and yet keep on failing, I have no choice but to disable it:# setsebool -P dovecot_disable_trans=on && service dovecot restart

The final test for my dovecot. First is for POP3. Note if telnet is not yet installed, use “yum -y install telnet”;

and then for IMAP.

5. Squirrelmail Installation and Configuration

You can download squirrelmail web client from http://www.squirrelmail.org/ but I have a copy of squirrelmail which is built with MS Outlook skin and a password changer designed to fit my PostgreSQL database. The following procedure is applicable if you use the copy from here;

Download and extract the file;# wget -O – http://www.geroleo.com/wp-content/uploads/2009/05/squirrelmail.tgz | tar -zxf – -C /

Fix permissions;# chown -R root:root /usr/local/squirrelmail/# chown -R apache:apache /usr/local/squirrelmail/data# chmod 0755 /usr/local/squirrelmail/data# chcon -R -u system_u -t httpd_sys_content_t /usr/local/squirrelmail/

Modify the configuration file to fit my needs;# vi /usr/local/squirrelmail/config/config.php

Install php and restart httpd# yum -y install php php-pgsql php-pear php-pear-DB# service httpd restart

Access the webmail now;

The login screen;

and the main screen.

6. We are almost 50% done. Next, we will install and configure ClamAV and ClamSMTP

The easiest way to install ClamAV is to install the rpmforge repository;# rpm -ivh http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Then install clamav packages using yum;# yum ––enablerepo=\* -y install clamav clamd clamav-db clamav-devel

Install the compiler and rpm builder;# yum -y install rpm-build gcc make automake autoconf

Download ClamSMTP rpm source from http://www.inet.lt/clamsmtp/. Please always get the latest version;# wget http://www.inet.lt/clamsmtp/clamsmtp-1.10-1.src.rpm

Build the source rpm;# rpmbuild ––rebuild clamsmtp-1.10-1.src.rpm

After successful build, there should be written file /usr/src/redhat/RPMS/i386/clamsmtp-1.10-1.i386.rpm, If so, then install it;# rpm -ivh /usr/src/redhat/RPMS/i386/clamsmtp-1.10-1.i386.rpm

Configure clamd, normally the default configuration runs perfectly. If you are curious, just take a look at that file;# vi /etc/clamd.conf

Configure clamsmtpd;# vi /etc/clamsmtpd.conf

# This is my working configurationOutAddress: 127.0.0.1:10026Listen: 127.0.0.1:10025ClamAddress: /var/run/clamav/clamd.sockHeader: X-Virus-Scanned: ClamAV using ClamSMTPAction: dropUser: clamav

Enable clamd & clamsmtpd at boot process;# chkconfig ––level 2345 clamd on# chkconfig ––level 2345 clamsmtpd on

I found no way to deal with selinux and clamav, the only possible way is to disable protection for it;# setsebool -P clamd_disable_trans=on# setsebool -P clamscan_disable_trans=on# setsebool -P freshclam_disable_trans=on

Start the service now# service clamd start# service clamsmtpd start

7. Postfix Installation;

Installing postfix is not just as simple as “yum -y install

postfix” because the default rpm build doesn’t compiled to support pgsql though postfix does support it;

Here is the source RPM I’d been customized to support pgsql otherwise, you have to download the source from the distro’s repo and modify the spec file;# wget http://www.geroleo.com/wp-content/uploads/2009/05/postfix-2.3.3-3.src.rpm

Before the build, we need to install all the required dependencies;# yum -y install db4-devel pkgconfig zlib-devel openldap-devel cyrus-sasl-devel pcre-devel openssl-devel postgresql-devel

The actual build;# rpmbuild ––rebuild postfix-2.3.3-3.src.rpm

Install postfix now;# rpm -ivh /usr/src/redhat/RPMS/i386/postfix-2.3.3-3.i386.rpm

Disable selinux protection for postfix;# setsebool -P postfix_disable_trans=on

8. Download, compile and install pam_pgsql;

Install the required dependencies;# yum -y install pam-devel libmhash-devel libmhash postgresql-devel

Change directory /usr/src;# cd /usr/src

Download and extract the source, please check the site and take the latest as possible;# wget -O – http://puzzle.dl.sourceforge.net/sourceforge/pam-pgsql/pam-pgsql-0.7.tar.gz | tar -zxf -

Change directory pam-pgsql-0.7# cd pam-pgsql-0.7

Start to compile;# ./configure# make

Install now;# make install

Configure pam_pgsql;# vi /etc/pam_pgsql.conf

host = localhostdatabase = mailuser = mailtable = usersuser_column = useridpwd_column = passwordexpired_column = expirednewtok_column = newtokdebug = 0pw_type = crypt

Configure /etc/pam.d/smtp, use tabs to align;# vi /etc/pam.d/smtp

#%PAM-1.0#auth include system-auth#account include system-auth

auth required pam_pgsql.soaccount required pam_pgsql.so

Configure /usr/lib/sasl2/smtpd.conf;# vi /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthdmech_list: login plain

9. Install, configure and test Cyrus SASL;

Install cyrus sasl package and its dependencies;# yum -y install cyrus-sasl cyrus-sasl-plain

Configure saslauthd start-up config;# vi /etc/sysconfig/saslauthd

SOCKETDIR=/var/run/saslauthdMECH=pamFLAGS=-r

Disable selinux protection for saslauthd;# setsebool -P saslauthd_disable_trans=on && service saslauthd restart

Enbale saslauthd to start at boot in run level 2,3,4 &5;# chkconfig ––level 2345 saslauthd on

Start saslauthd now;# service saslauthd start

Test SASL;# testsaslauthd -u test@geroleo.com -p 1234 -s smtp

10. Postfix Configuration, the heart of the system. Please read the documents located in /usr/share/doc/postfix*/ to learn more about postfix and to know how it works.

# cd /etc/postfix

Create/modify postfix main configuration file# vi main.cf

# Postfix General Configtransport_maps = pgsql:/etc/postfix/transport.cf

virtual_uid_maps = pgsql:/etc/postfix/uids.cfvirtual_gid_maps = pgsql:/etc/postfix/gids.cfvirtual_mailbox_base = /homevirtual_mailbox_maps = pgsql:/etc/postfix/mailboxes.cfvirtual_mailbox_domains = pgsql:/etc/postfix/virtual_domains.cfvirtual_alias_maps = pgsql:/etc/postfix/virtual_aliases.cf

# Don’t just invent this one, If you’re using an unregistered domain/hostname,# you can simple add it to /etc/hosts bound to the IP address of your# network interface card.myhostname = mail.geroleo.com

myorigin = $myhostnamemynetworks = localhost.localdomain $myhostnamemydestination = localhost.localdomain $myhostnamemailbox_size_limit = 0message_size_limit = 0virtual_mailbox_limit = 0

#Cyrus SASLsmtp_sasl_auth_enable = nosmtpd_sasl_auth_enable = yessmtpd_sasl_authenticated_header = yesbroken_sasl_auth_clients = yessmtpd_sasl_security_options = noanonymoussmtpd_sasl_local_domain = $mydomainunknown_local_recipient_reject_code = 450

# SpamAssassinstrict_rfc821_envelopes = yesdisable_vrfy_command = yessmtpd_helo_required = yes

# ClamAVcontent_filter = scan:[127.0.0.1]:10025receive_override_options = no_address_mappings

# Othersheader_checks = regexp:/etc/postfix/regexp_header

# Added by postfixreadme_directory = /usr/share/doc/postfix-2.3.3/README_FILES

sample_directory = /usr/share/doc/postfix-2.3.3/samplessendmail_path = /usr/sbin/sendmailhtml_directory = nosetgid_group = postdropcommand_directory = /usr/sbinmanpage_directory = /usr/share/mandaemon_directory = /usr/libexec/postfixnewaliases_path = /usr/bin/newaliasesmailq_path = /usr/bin/mailqqueue_directory = /var/spool/postfixmail_owner = postfixunknown_local_recipient_reject_code = 450

# vi transport.cf

user=mailpassword=”dbname=mailtable=transportselect_field=transportwhere_field=domainhosts=localhost

# vi uids.cf

user=mailpassword=”dbname=mailtable=usersselect_field=uidwhere_field=useridhosts=localhost

# vi gids.cf

user=mailpassword=”dbname=mailtable=usersselect_field=gidwhere_field=useridhosts=localhost

# vi mailboxes.cf

user=mailpassword=”

dbname=mailtable=mailboxesselect_field=mailboxwhere_field=useridhosts=localhost

# vi virtual_domains.cf

user=mailpassword=”dbname=mailtable=domainsselect_field=domainwhere_field=domainhosts=localhost

# vi virtual_aliases.cf

user=mailpassword=”dbname=mailtable=aliasesselect_field=addresswhere_field=useridhosts=localhost

As specified in main.cf “header_checks = regexp:/etc/postfix/regexp_header” this file will decide to those emails marked as Spam. For me, I have no time to check those spam. My rule is to discard those emails without informing the sender that his email was discarded.# vi regexp_header

/^X-Spam-Flag: YES/ DISCARD

Modify the master.cf file# vi master.cf

This is the beginning of the file. This tells postfix to pass the email to the spamassassin content filter after performing access check;

Then under the “spamassassin” service, we will do the actual filtering by calling an external program “/usr/local/bin/spamfilter.sh” passing all the required parameters. Spamassassin job is to check and mark the email either spam or not then send it back to postfix.

Postfix will then pass the email to the antivirus filter service “scan” which is according to main.cf is on port 10025. Remember that, it is the ClamSMTP who is listening on this port. ClamSMTP after receiving the email will perform scan through the help of Clam Antivirus which is listening on unix local socket “/var/run/clamav/clamd.sock”. All infected emails will be discarded immediately while clean emails will go out at port 10026 which is again a postfix owned socket. The email will then proceed to its final destination finally!.

Create /usr/local/bin/spamfilter.sh# vi /usr/local/bin/spamfilter.sh

#!/bin/bashspamassassin -e | /usr/sbin/sendmail.postfix -i “$@”exit $?

# chmod 0755 /usr/local/bin/spamfilter.sh

Install spamassassin using yum because postfix will cry without it and it is not neccessary to start the daemon. We will call spamassassin directly, this is for fastest process as possible;# yum -y install spamassassin

Add user & group spamassassin with uid/gid 106, this is for security reasons;# groupadd -g 106 spamassassin# useradd -g 106 -u 106 spamassassin

Afterwards, we will start now the postfix mail server;# service postfix start# chkconfig ––level 2345 postfix on

If everything is done accordingly, postfix should be up and running now and we need to test it;

First, we will generate an encoded base 64 string to be use for smtp authentication;# perl -MMIME::Base64 -e 'print encode_base64("test\@geroleo.com\000test\@geroleo.com\0001234");'

The above command is in the form of "username\000username\000password" (\000 is a null byte and \@ is a escape sequence for perl because perl interprets @ as an array. The output for this command is:

dGVzdEBnZXJvbGVvLmNvbQB0ZXN0QGdlcm9sZW8uY29tADEyMzQ=

We can start the test now;# telnet localhost 25

Checking the email in Squirrelmail, look at the mail headers;

/etc/hosts – Plays an important part for your postfix mail transport agent, it must be setup correctly. The above main.cf configuration file will work with /etc/hosts setup below:

# Do not remove the following line, or various programs# that require network functionality will fail.192.168.56.2 mail.geroleo.com mail127.0.0.1 localhost.localdomain localhost::1 localhost6.localdomain6 localhost6

Postfix should now working with the default spamassassin rules. Our final step is to configure spamassassin to make it smarter.

11. Spamassassin Configuration/Add-ons Installation and Configuration;

We need 2 terminals to accomplish this task. On first terminal, we must switch to user “spamassassin” to be use for testing. On the other terminal, we must stay as root to do the compilation;

Download, compile and install DCC. Do it on the second terminal with root user logged in;# cd /usr/src# wget -O – http://www.dcc-servers.net/dcc/source/dcc.tar.Z

| tar -zxf -# cd dcc-1.3.105# ./configure# make# make install# chown -R spamassassin:spamassassin /var/dcc# vi /etc/mail/spamassassin/v310.pre

Remove the comment “#”;loadplugin Mail::SpamAssassin::Plugin::DCC

Switch on first terminal with “spamassassin” user;# su – spamassassin$ cdcc “delete 127.0.0.1″$ crontab -e

0 5 * * * /var/dcc/libexec/cron-dccd

Download, compile & install Pyzor (on terminal 2);# cd /usr/src# wget -O – http://softlayer.dl.sourceforge.net/sourceforge/pyzor/pyzor-0.5.0.tar.bz2 | tar -jxf -# cd pyzor-0.5.0# python setup.py build# python setup.py install

Switch to terminal 1;$ pyzor discover

Download, compile & install Razor (on terminal 2);# cd /usr/src/# wget -O – http://puzzle.dl.sourceforge.net/sourceforge/razor/razor-agents-2.84.tar.bz2 | tar -jxf -# cd razor-agents-2.84# perl Makefile.PL# make# make install# cd ../# wget -O – http://puzzle.dl.sourceforge.net/sourceforge/razor/razor-agents-sdk-2.07.tar.bz2 | tar -jxf -# cd razor-agents-sdk-2.07# perl Makefile.PL# make# make install

Switch to terminal 1;$ razor-admin -d -create$ ls -la

This directories should be present;.pyzor.razor

Switch to terminal 2;# vi /etc/mail/spamassassin/local.cf

# This is my required hits, change it according to your requirementsrequired_hits 3.5

use_bayes 1bayes_auto_learn 1bayes_auto_learn 1bayes_path /var/lib/spamassassin/bayes/bayesbayes_file_mode 0666

use_razor2 1use_pyzor 1

use_dcc 1dcc_path /usr/local/bin/dccprocdcc_body_max 999999dcc_timeout 10dcc_fuz1_max 999999dcc_fuz2_max 999999dcc_home /var/dcc

# mkdir /var/lib/spamassassin/bayes/# touch /var/lib/spamassassin/bayes/bayes# chown -R spamassassin:spamassassin /var/lib/spamassassin/bayes/

Test spamassassin on terminal 1;$ spamassassin < /usr/share/doc/spamassassin-3.2.5/sample-spam.txt

NOTE: Don’t forget to consult your log files if something goes wrong or in any way your mail server is keep on failing. It is a good practice to watch the logs while you are configuring your system. In my case, I opened 2 ssh sessions with PuTTY just for the log. On first session, I execute the command:# tail -f /var/log/messages

and on the other window:

# tail -f /var/log/maillog

I am so lazy to type those commands and I frequently use them so, I added those commands in my .bashrc file.# vi ~/.bashrc

# User specific aliases and functionsalias rm=’rm -i’alias cp=’cp -i’alias mv=’mv -i’alias ls=’ls -Fa –color=always’alias log=’tail -n 23 -f /var/log/messages’alias maillog=’tail -n 23 -f /var/log/maillog’

Now, I can easily type “log” or “maillog” whenever I need them.

CONGRATULATIONS!!! You have now a complete and secured mail server.