Anda di halaman 1dari 34

Mail Server Installation and Configuration

by rey on May.27, 2009, under Linux Tutorial

links http://www.geroleo.com/?p=304

Introduction

With all of the tutorials posted here, this is one of the most complex setup that I want to share
with you. If you haven’t read my previous post regarding “DNS Installation and Configuration”
please have a look at it because mail required a valid MX record. I am not saying that, you need
to install your own name server. You can use name server somewhere but the most important
thing is that, there must be an MX record pointing to the IP address of your mail server.

My mail setup consists of the following software:

1. Postfix – The SMTP Server;


2. Cyrus SASL – SMTP Authentication;
3. pam_pgsql – Pluggable Authentication Module, sits in between Cyrus SASL &
PostgreSQL;
4. Spamassassin – Spam filter which is equipped with:
o DCC – Distributed Checksum Clearinghouses
o Pyzor
o Razor
5. ClamAV – Clam Antivirus;
6. ClamSMTP – An SMTP filter sits in between the SMTP Server and ClamAV;
7. Dovecot – POP3, POP3S, IMAP & IMAPS Server;
8. PostgreSQL – Domain and User database;
9. Squirrelmail – Webmail IMAP client;
10. And my very own cPanel web interface.

The mail server which I am going to build supports multiple domains. Each domain has their
own unique users which means that user@domain1 is totally different from user@domain2, they
have separate mailboxes.

Procedure

1. Database Installation & Configuration;

Install the postgresql database server


# yum -y install postgresql postgresql-server postgresql-
contrib
Enable postgresql to start at boot in runlevel 2,3,4 & 5
# chkconfig ––level 2345 postgresql on

Start the postgresql server now


# service postgresql start

Modify postgresql.conf
# vi /var/lib/pgsql/data/postgresql.conf

listen_addresses = ‘localhost’
port = 5432
datestyle = ’sql, mdy’

Modify pg_hba.conf
# vi /var/lib/pgsql/data/pg_hba.conf

local all all trust


host all all 127.0.0.1/32 trust
host all all ::1/128 trust

Disable selinux protection for postgresql otherwise it will


give us headache;
# setsebool -P postgresql_disable_trans=on

Restart the database server to activate the changes


# service postgresql restart

Create the database user “mail”


# createuser -U postgres mail
Create the database “mail”
# createdb -U postgres -E utf-8 mail

Download the database schema then load to the database


server
# wget -O – http://www.geroleo.com/wp-
content/uploads/2009/05/mail.sql | psql -U postgres -d mail
-f -

Create the admin user to be use for the cpanel web


interface. Please notice the password and changed it with
your own.
# psql -U postgres -d mail -c "INSERT INTO sysusers
(username,password,name) VALUES
('admin',crypt('Pass123',gen_salt('md5')),'System
Administrator')"

Allow access to user admin with read/write permission to


the module “access” in cpanel web interface.
# psql -U postgres -d mail -c "INSERT INTO access
(username,module,read,write,mode) VALUES
('admin','access','true','true','rw')"
2. Web server intallation and configuration and the cPanel web interface

Install the http server and other required softwares


# yum -y install httpd perl-DBI perl-DBD-Pg

Allow httpd to connect to the database server


# setsebool -P httpd_can_network_connect_db=on

Download and uncompress the cPanel


# wget -O – http://www.geroleo.com/wp-
content/uploads/2009/05/cpanel.tgz | tar -zxpf – -C /

Change some selinux attributes


# chcon -R -u system_u -t httpd_sys_content_t
/usr/local/cpanel/
# chcon -t httpd_unconfined_script_exec_t
/usr/local/cpanel/index.cgi
# chcon -R -t httpd_sys_script_exec_t /usr/local/cpanel/bin/

The http configuration file for my webmail and the cpanel


# vi /etc/httpd/conf/httpd.conf

# At line 972 I put this line


NameVirtualHost 192.168.56.2:80

# At line 211 I put this entry


Include vhost.d/*.conf

Create the virtual host directory


# mkdir /etc/httpd/vhost.d

Create my virtual host configuration


# vi /etc/httpd/vhost.d/geroleo.com.conf
Allow http,https,mail,postgres,pop3 & imap traffic, Other
ports entry are:
postgres:tcp,pop3:tcp,imap:tcp
# system-config-securitylevel-tui
Enable httpd to start at boot in runlevel 2,3,4 & 5
# chkconfig ––level 2345 httpd on

Start the httpd server


# service httpd start

3. cPanel is my custom web application to manage domain, users and mail aliases. You can
use this program at your own risk. I will not be liable if your server explodes due to the
use of this program. I want you to know that cPanel runs in suid mode as “root” which
means that even though httpd process is owned by user and group “apache” this program
has the access level as root which has access to everything in the server.

The cPanel login screen;


Setting up the access permission;
See the POSTFIX sub-menu as it appears when you click it.
Once you create a domain, cPanel will add it to the
database in “domains” table and will create a folder in
/home.
And here is the User Manager. If you create user on the
selected domain, it will add directory in /home/$(domain)/$
(user) and will served as the user’s mailbox.
4. Dovecot Installation and Configuration;

Install dovecot package with yum


# yum -y install dovecot

Enable dovecot to start at boot in run level 2,3,4 & 5


# chkconfig ––level 2345 dovecot on

Modify /etc/dovecot.conf
# vi /etc/dovecot.conf

Create /etc/dovecot-sql.conf
# vi /etc/dovecot-sql.conf
Start the dovecot daemon
# service dovecot start

My next step is to test dovecot. My nose bleeds struggling


dovecot and selinux because selinux prohibits dovecot to
authenticate user and to access user’s mailbox as well.
After writing and installed tons of semodule and yet keep
on failing, I have no choice but to disable it:
# setsebool -P dovecot_disable_trans=on && service dovecot
restart

The final test for my dovecot. First is for POP3. Note if


telnet is not yet installed, use “yum -y install telnet”;
and then for IMAP.
5. Squirrelmail Installation and Configuration

You can download squirrelmail web client from http://www.squirrelmail.org/ but I have a
copy of squirrelmail which is built with MS Outlook skin and a password changer
designed to fit my PostgreSQL database. The following procedure is applicable if you use
the copy from here;

Download and extract the file;


# wget -O – http://www.geroleo.com/wp-
content/uploads/2009/05/squirrelmail.tgz | tar -zxf – -C /

Fix permissions;
# chown -R root:root /usr/local/squirrelmail/
# chown -R apache:apache /usr/local/squirrelmail/data
# chmod 0755 /usr/local/squirrelmail/data
# chcon -R -u system_u -t httpd_sys_content_t /usr/local/squirrelmail/

Modify the configuration file to fit my needs;


# vi /usr/local/squirrelmail/config/config.php
Install php and restart httpd
# yum -y install php php-pgsql php-pear php-pear-DB
# service httpd restart

Access the webmail now;

The login screen;

and the main screen.


6. We are almost 50% done. Next, we will install and configure ClamAV and ClamSMTP

The easiest way to install ClamAV is to install the


rpmforge repository;
# rpm -ivh
http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-
release-0.3.6-1.el5.rf.i386.rpm

Then install clamav packages using yum;


# yum ––enablerepo=\* -y install clamav clamd clamav-db
clamav-devel

Install the compiler and rpm builder;


# yum -y install rpm-build gcc make automake autoconf
Download ClamSMTP rpm source from
http://www.inet.lt/clamsmtp/. Please always get the latest
version;
# wget http://www.inet.lt/clamsmtp/clamsmtp-1.10-1.src.rpm

Build the source rpm;


# rpmbuild ––rebuild clamsmtp-1.10-1.src.rpm

After successful build, there should be written file


/usr/src/redhat/RPMS/i386/clamsmtp-1.10-1.i386.rpm, If so,
then install it;
# rpm -ivh /usr/src/redhat/RPMS/i386/clamsmtp-1.10-
1.i386.rpm

Configure clamd, normally the default configuration runs


perfectly. If you are curious, just take a look at that
file;
# vi /etc/clamd.conf

Configure clamsmtpd;
# vi /etc/clamsmtpd.conf

# This is my working configuration


OutAddress: 127.0.0.1:10026
Listen: 127.0.0.1:10025
ClamAddress: /var/run/clamav/clamd.sock
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav

Enable clamd & clamsmtpd at boot process;


# chkconfig ––level 2345 clamd on
# chkconfig ––level 2345 clamsmtpd on

I found no way to deal with selinux and clamav, the only


possible way is to disable protection for it;
# setsebool -P clamd_disable_trans=on
# setsebool -P clamscan_disable_trans=on
# setsebool -P freshclam_disable_trans=on

Start the service now


# service clamd start
# service clamsmtpd start

7. Postfix Installation;

Installing postfix is not just as simple as “yum -y install


postfix” because the default rpm build doesn’t compiled to
support pgsql though postfix does support it;

Here is the source RPM I’d been customized to support pgsql


otherwise, you have to download the source from the
distro’s repo and modify the spec file;
# wget http://www.geroleo.com/wp-
content/uploads/2009/05/postfix-2.3.3-3.src.rpm

Before the build, we need to install all the required


dependencies;
# yum -y install db4-devel pkgconfig zlib-devel openldap-
devel cyrus-sasl-devel pcre-devel openssl-devel postgresql-
devel

The actual build;


# rpmbuild ––rebuild postfix-2.3.3-3.src.rpm

Install postfix now;


# rpm -ivh /usr/src/redhat/RPMS/i386/postfix-2.3.3-
3.i386.rpm

Disable selinux protection for postfix;


# setsebool -P postfix_disable_trans=on

8. Download, compile and install pam_pgsql;

Install the required dependencies;


# yum -y install pam-devel libmhash-devel libmhash
postgresql-devel

Change directory /usr/src;


# cd /usr/src

Download and extract the source, please check the site and
take the latest as possible;
# wget -O –
http://puzzle.dl.sourceforge.net/sourceforge/pam-pgsql/pam-
pgsql-0.7.tar.gz | tar -zxf -

Change directory pam-pgsql-0.7


# cd pam-pgsql-0.7

Start to compile;
# ./configure
# make
Install now;
# make install

Configure pam_pgsql;
# vi /etc/pam_pgsql.conf

host = localhost
database = mail
user = mail
table = users
user_column = userid
pwd_column = password
expired_column = expired
newtok_column = newtok
debug = 0
pw_type = crypt

Configure /etc/pam.d/smtp, use tabs to align;


# vi /etc/pam.d/smtp

#%PAM-1.0
#auth include system-auth
#account include system-auth

auth required pam_pgsql.so


account required pam_pgsql.so

Configure /usr/lib/sasl2/smtpd.conf;
# vi /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: login plain

9. Install, configure and test Cyrus SASL;

Install cyrus sasl package and its dependencies;


# yum -y install cyrus-sasl cyrus-sasl-plain

Configure saslauthd start-up config;


# vi /etc/sysconfig/saslauthd

SOCKETDIR=/var/run/saslauthd
MECH=pam
FLAGS=-r
Disable selinux protection for saslauthd;
# setsebool -P saslauthd_disable_trans=on && service
saslauthd restart

Enbale saslauthd to start at boot in run level 2,3,4 &5;


# chkconfig ––level 2345 saslauthd on

Start saslauthd now;


# service saslauthd start

Test SASL;
# testsaslauthd -u test@geroleo.com -p 1234 -s smtp

10. Postfix Configuration, the heart of the system. Please read the documents located in
/usr/share/doc/postfix*/ to learn more about postfix and to know how it works.

# cd /etc/postfix

Create/modify postfix main configuration file


# vi main.cf

# Postfix General Config


transport_maps = pgsql:/etc/postfix/transport.cf
virtual_uid_maps = pgsql:/etc/postfix/uids.cf
virtual_gid_maps = pgsql:/etc/postfix/gids.cf
virtual_mailbox_base = /home
virtual_mailbox_maps = pgsql:/etc/postfix/mailboxes.cf
virtual_mailbox_domains =
pgsql:/etc/postfix/virtual_domains.cf
virtual_alias_maps =
pgsql:/etc/postfix/virtual_aliases.cf

# Don’t just invent this one, If you’re using an


unregistered domain/hostname,
# you can simple add it to /etc/hosts bound to the IP
address of your
# network interface card.
myhostname = mail.geroleo.com

myorigin = $myhostname
mynetworks = localhost.localdomain $myhostname
mydestination = localhost.localdomain $myhostname
mailbox_size_limit = 0
message_size_limit = 0
virtual_mailbox_limit = 0

#Cyrus SASL
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain
unknown_local_recipient_reject_code = 450

# SpamAssassin
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtpd_helo_required = yes

# ClamAV
content_filter = scan:[127.0.0.1]:10025
receive_override_options = no_address_mappings

# Others
header_checks = regexp:/etc/postfix/regexp_header

# Added by postfix
readme_directory = /usr/share/doc/postfix-
2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail
html_directory = no
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/share/man
daemon_directory = /usr/libexec/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
queue_directory = /var/spool/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 450

# vi transport.cf

user=mail
password=”
dbname=mail
table=transport
select_field=transport
where_field=domain
hosts=localhost

# vi uids.cf

user=mail
password=”
dbname=mail
table=users
select_field=uid
where_field=userid
hosts=localhost

# vi gids.cf

user=mail
password=”
dbname=mail
table=users
select_field=gid
where_field=userid
hosts=localhost

# vi mailboxes.cf

user=mail
password=”
dbname=mail
table=mailboxes
select_field=mailbox
where_field=userid
hosts=localhost

# vi virtual_domains.cf

user=mail
password=”
dbname=mail
table=domains
select_field=domain
where_field=domain
hosts=localhost

# vi virtual_aliases.cf

user=mail
password=”
dbname=mail
table=aliases
select_field=address
where_field=userid
hosts=localhost

As specified in main.cf “header_checks =


regexp:/etc/postfix/regexp_header” this file will decide to
those emails marked as Spam. For me, I have no time to
check those spam. My rule is to discard those emails
without informing the sender that his email was discarded.
# vi regexp_header

/^X-Spam-Flag: YES/ DISCARD

Modify the master.cf file


# vi master.cf

This is the beginning of the file. This tells postfix to


pass the email to the spamassassin content filter after
performing access check;
Then under the “spamassassin” service, we will do the
actual filtering by calling an external program
“/usr/local/bin/spamfilter.sh” passing all the required
parameters. Spamassassin job is to check and mark the email
either spam or not then send it back to postfix.

Postfix will then pass the email to the antivirus filter


service “scan” which is according to main.cf is on port
10025. Remember that, it is the ClamSMTP who is listening
on this port. ClamSMTP after receiving the email will
perform scan through the help of Clam Antivirus which is
listening on unix local socket
“/var/run/clamav/clamd.sock”. All infected emails will be
discarded immediately while clean emails will go out at
port 10026 which is again a postfix owned socket. The email
will then proceed to its final destination finally!.
Create /usr/local/bin/spamfilter.sh
# vi /usr/local/bin/spamfilter.sh

#!/bin/bash
spamassassin -e | /usr/sbin/sendmail.postfix -i “$@”
exit $?

# chmod 0755 /usr/local/bin/spamfilter.sh

Install spamassassin using yum because postfix will cry


without it and it is not neccessary to start the daemon. We
will call spamassassin directly, this is for fastest
process as possible;
# yum -y install spamassassin

Add user & group spamassassin with uid/gid 106, this is for
security reasons;
# groupadd -g 106 spamassassin
# useradd -g 106 -u 106 spamassassin

Afterwards, we will start now the postfix mail server;


# service postfix start
# chkconfig ––level 2345 postfix on
If everything is done accordingly, postfix should be up and
running now and we need to test it;

First, we will generate an encoded base 64 string to be use


for smtp authentication;
# perl -MMIME::Base64 -e 'print
encode_base64("test\@geroleo.com\000test\@geroleo.com\00012
34");'

The above command is in the form of


"username\000username\000password" (\000 is a null byte and
\@ is a escape sequence for perl because perl interprets @
as an array. The output for this command is:

dGVzdEBnZXJvbGVvLmNvbQB0ZXN0QGdlcm9sZW8uY29tADEyMzQ=

We can start the test now;


# telnet localhost 25
Checking the email in Squirrelmail, look at the mail
headers;
/etc/hosts – Plays an important part for your postfix mail
transport agent, it must be setup correctly. The above
main.cf configuration file will work with /etc/hosts setup
below:

# Do not remove the following line, or various programs


# that require network functionality will fail.
192.168.56.2 mail.geroleo.com mail
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

Postfix should now working with the default spamassassin


rules. Our final step is to configure spamassassin to make
it smarter.

11. Spamassassin Configuration/Add-ons Installation and Configuration;

We need 2 terminals to accomplish this task. On first


terminal, we must switch to user “spamassassin” to be use
for testing. On the other terminal, we must stay as root to
do the compilation;

Download, compile and install DCC. Do it on the second


terminal with root user logged in;
# cd /usr/src
# wget -O – http://www.dcc-servers.net/dcc/source/dcc.tar.Z
| tar -zxf -
# cd dcc-1.3.105
# ./configure
# make
# make install
# chown -R spamassassin:spamassassin /var/dcc
# vi /etc/mail/spamassassin/v310.pre

Remove the comment “#”;


loadplugin Mail::SpamAssassin::Plugin::DCC

Switch on first terminal with “spamassassin” user;


# su – spamassassin
$ cdcc “delete 127.0.0.1″
$ crontab -e

0 5 * * * /var/dcc/libexec/cron-dccd

Download, compile & install Pyzor (on terminal 2);


# cd /usr/src
# wget -O –
http://softlayer.dl.sourceforge.net/sourceforge/pyzor/pyzor
-0.5.0.tar.bz2 | tar -jxf -
# cd pyzor-0.5.0
# python setup.py build
# python setup.py install

Switch to terminal 1;
$ pyzor discover

Download, compile & install Razor (on terminal 2);


# cd /usr/src/
# wget -O –
http://puzzle.dl.sourceforge.net/sourceforge/razor/razor-
agents-2.84.tar.bz2 | tar -jxf -
# cd razor-agents-2.84
# perl Makefile.PL
# make
# make install
# cd ../
# wget -O –
http://puzzle.dl.sourceforge.net/sourceforge/razor/razor-
agents-sdk-2.07.tar.bz2 | tar -jxf -
# cd razor-agents-sdk-2.07
# perl Makefile.PL
# make
# make install
Switch to terminal 1;
$ razor-admin -d -create
$ ls -la

This directories should be present;


.pyzor
.razor

Switch to terminal 2;
# vi /etc/mail/spamassassin/local.cf

# This is my required hits, change it according to


your requirements
required_hits 3.5

use_bayes 1
bayes_auto_learn 1
bayes_auto_learn 1
bayes_path /var/lib/spamassassin/bayes/bayes
bayes_file_mode 0666

use_razor2 1
use_pyzor 1

use_dcc 1
dcc_path /usr/local/bin/dccproc
dcc_body_max 999999
dcc_timeout 10
dcc_fuz1_max 999999
dcc_fuz2_max 999999
dcc_home /var/dcc

# mkdir /var/lib/spamassassin/bayes/
# touch /var/lib/spamassassin/bayes/bayes
# chown -R spamassassin:spamassassin
/var/lib/spamassassin/bayes/

Test spamassassin on terminal 1;


$ spamassassin < /usr/share/doc/spamassassin-3.2.5/sample-
spam.txt
NOTE: Don’t forget to consult your log files if something
goes wrong or in any way your mail server is keep on
failing. It is a good practice to watch the logs while you
are configuring your system. In my case, I opened 2 ssh
sessions with PuTTY just for the log. On first session, I
execute the command:
# tail -f /var/log/messages

and on the other window:

# tail -f /var/log/maillog

I am so lazy to type those commands and I frequently use


them so, I added those commands in my .bashrc file.
# vi ~/.bashrc

# User specific aliases and functions


alias rm=’rm -i’
alias cp=’cp -i’
alias mv=’mv -i’
alias ls=’ls -Fa –color=always’
alias log=’tail -n 23 -f /var/log/messages’
alias maillog=’tail -n 23 -f /var/log/maillog’
Now, I can easily type “log” or “maillog” whenever I need
them.

CONGRATULATIONS!!! You have now a complete and secured mail server.