Turnkey mail server HOWTO

= Background =

Contact
Iain Brown, [mailto:iain@iain.com iain@iain.com]. Please see Intended Audience before contacting me.

Motivation
There are several excellent HOWTOs covering various aspects of setting up a mail server. So far, though, I haven't found one that completely covers all phases, and extending each to cover the whole requirement set introduces incompatible requirements (permissions, user names, Unix socket vs. TCP socket etc.). I want a simple set of instructions to link together all parts of a mail server: MTA, IMAP / POP3 server, administration, spam detection, etc.

A turnkey system built from these instructions should be suitable for a home or small business, or for a host serving multiple domains at low volume. It isn't intended for use at a large-scale ISP or large corporation.

Intended Audience
Me. Basically, just me. However, since I'd figure that I'm not the only one needing an integrated turnkey mail system, anyone who stumbles across this page is welcome to use it. Just beware that I haven't figured out everything in here, I've merely made the server work for my requirements. I may have made mistakes, and I haven't even looked at well over half of the configuration options over most products.

So, even though following this HOWTO should produce a working system, if you're not willing or able to chase down bugs afterwards, you probably should find yourself a Microsoft Exchange seminar or guru.

If you want to contact me with suggestions for improvements, or point out places where I've missed the boat, drop me email at [mailto:iain@iain.com iain@iain.com]. But if you're looking for technical help, I doubt I know enough to justify the fee I'd need to charge.

Requirements
"Turnkey" mail system including Including all configuration instructions.
 * Postfix
 * Cyrus-imapd
 * Postgrey
 * Web-cyradmin
 * spam / virus checking
 * multiple virtual domains

Debian
Minor rant and rationale

Limitations
User names can not include a period, as that is the heirarchy separator. I don't recall why it needed to be, but that's how I made everything work.

If you need Fred.Smith@domain.com, you can always make the username Fred_Smith and add an alias.

To Do

 * 1) Document setting up web-cyradm on SSL connection only.
 * 2) Add Squirrel Mail webmail.
 * 3) Attempt to move back to original web-cyradm codebase now that I understand settings a little better. I still need to change the odd way it creates a user map using aliases, but if I can go back to / as a heirarchy separator I can allow Firstname.Lastname@domain.
 * 4) Replace web-cyradm, but keep MySQL database structure intact.

Current HOWTOs
Postfix-Cyrus-Web-cyradm-HOWTO is great, but doesn't cover everything I need, is somewhat dated, and filling in the gaps meant learning more than I'd wanted to know about configuring each of these packages. So this guide is loosely based on the HOWTO, but includes sample configurations without explanation for all packages, including those in that document.

Hacks
I had a heck of a time making Web-cyradm work with Postfix virtual domains, even though it's supposed to. I don't recall the exact problems now, but it was easier for me to solve by hacking Web-cyradm than by configuration. (One problem may have been handling addresses like joe.blow@domain.com, but I really don't recall.) What I finally came up with works well enough that I'm not going to try to understand it further.

Update: I'm still making tweaks to Web-cyradm. It isn't maintained, and as far as I can see the alias scheme is broken. I have commented it out where I encounter new problems, but I just discovered another which killed my ability to change passwords. I seriously need to rewrite it to match this scheme, but it isn't going to happen any time soon.

If you don't need multiple domains, you don't need the hacks. This document is for multiple domains, but I'll try to edit in the changes for a single domain Real Soon Now. Update: I've added the single domain changes, but they work with my hacked Web-cyradm. I still have trouble with the original.

For multiple virtual domains: Note that usernames using this scheme are of the form name@domain.com instead of just name. E.g. if you're configuring Thunderbird for email address name@domain.com, it will suggest 'name' as a username. You must add @domain.com back to the username.

= References =

Postfix-Cyrus-Web-cyradm-HOWTO

= Passwords =

For the purposes of this document, I generated random passwords:

MySQL root: trade!spy!dded mail: shaky+robot:plumy admin: fleas!alibi:glut cyrus: bruin:booze.arid

= Installation =

Install Debian Etch

 * This HOWTO assumes that all package options (base, server, desktop etc.) are unchecked.
 * Install from Debian Net 4.0 CD
 * Add screen and ssh
 * apt-get install screen sshd
 * From now on, always screen sessions for recovery
 * From Linux shell prompt, screen to start the session
 * From Linux shell prompt, screen -r to resume the session
 * Edit /etc/apt/sources.list and comment out the cdrom line, so that you don't keep getting prompted to insert the CD.

SSH notes
All of this HOWTO assumes that you are logged in as root. If you are installing / configuring through ssh (recommended if you're not at the console) you need to be sure that ssh is secure.


 * Be sure that you disable password authentication. Only use DSA/RSA authentication. I've been hacked by a worm that found a weak password. Even not running as root, an intruder can do plenty of damage.
 * Run ssh on a non-standard port to minimize the chance of being discovered by a worm.
 * Get all of this in place so that you can ssh in as root before you continue installing.

Install MySQL

 * apt-get install mysql-server-5.0 mysql-client-5.0

Install PHP

 * apt-get install php5 php-db php5-mysql

Install Postfix, Postgrey, Amavisd, Spamassassin, ClamAV

 * apt-get install postfix-mysql postfix postfix-doc postgrey amavisd-new spamassassin spamc clamav clamav-docs clamav-daemon

Configuration: General Type: Internet Site Mail name: machine.domain.com

Install Cyrus

 * apt-get install cyrus-admin-2.2 cyrus-clients-2.2 cyrus-common-2.2 cyrus-dev-2.2 cyrus-doc-2.2 cyrus-imapd-2.2 cyrus-murder-2.2 cyrus-pop3d-2.2 sasl2-bin cyrus-sasl2-doc

Edit /etc/default/saslauthd Change START=no to START=yes For multiple virtual domains only: Change OPTIONS="-c" to OPTIONS="-c -r" #FIXME: -c -r -m /var/spool/postfix/var/run/saslauthd

This enables saslauthd and allows cyrus-imapd to pass the realm as part of the authentication string.

The sasl default authentication mechanism is PAM, which is correct, so there is no need to change this.

Install apache

 * apt-get install apache2 libapache2-mod-php5

Install web-cyradm
Download from http://www.web-cyradm.org/.

I keep 0.5.4.1 here, and my hacks here. The hacks are only needed for multiple virtual domains.

Install iptables

 * apt-get install iptables

Install misc stuff

 * apt-get install libpam-mysql mailx arj nomarch bzip2 lzop zoo binutils less telnet

= Setup =

User / Group changes
Note: the group numbers are probably different from those here.

Edit /etc/group

Add postfix to the sasl group, e.g. sasl:x:45:cyrus,postfix

Add clamav to the amavis group, e.g. amavis:x:109:clamav (Note: this one may be unneeded. Check later. It needs to be amavis added to the clamav group, so that amavis can write to the clamd daemon.)

Add amavis to the clamav group, e.g. clamav:x:110:amavis

Create Certificates
See Creating Certificates.

MySQL
Set root password

http://dev.mysql.com/doc/refman/5.0/en/default-privileges.html

mysql -u root mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('trade!spy!dded'); mysql> SET PASSWORD FOR 'root'@'machine' = PASSWORD('trade!spy!dded'); mysql> quit where machine is the hostname of the mail server.

Test the password with mysql -u root -p and use the password trade!spy!dded

Web-Cyradmin
See Configuring Web-Cyradmin.

PAM
Create /etc/pam.d/imap: auth sufficient pam_mysql.so user=mail passwd=shaky+robot:plumy \ host=localhost db=mail table=accountuser usercolumn=username \ passwdcolumn=password crypt=1 verbose=0 account required pam_mysql.so user=mail passwd=shaky+robot:plumy \ host=localhost db=mail table=accountuser usercolumn=username \ passwdcolumn=password crypt=1 verbose=0

Copy this file to other PAM services cp /etc/pam.d/imap /etc/pam.d/pop cp /etc/pam.d/imap /etc/pam.d/sieve cp /etc/pam.d/imap /etc/pam.d/smtp

Set permissions: chmod 600 /etc/pam.d/imap /etc/pam.d/pop /etc/pam.d/sieve /etc/pam.d/smtp

These files all include the mail user's database access password, so need to be protected.

Postfix
See Configuring Postfix

Cyrus-IMAP
See Configuring Cyrus-IMAP

Amavisd and SpamAssassin
See Configuring Amavisd and SpamAssassin

Configuring iptables
See Configuring iptables

= Final Tweaks =

Likely I should have set the machine name here as domain.com, not machine.domain.com. I may check that on my next installation to see if it has any adverse effects. In lieu of testing a new procedure, though:

Before starting services, edit /etc/mailname and change machine.domain.com to domain.com.

This is used by amavisd to determine the local domain, and if it includes the hostname, the domain will not match when tagging messages with spam headers.

For multiple domains, this is not sufficient. See Updating Amavisd configuration for multiple domains.

= Starting Services =

Check log files /var/log/mail.err /var/log/mail.info /var/log/mail.warn /var/log/mail.log

while running.

Start Postfix (it's probably already running): /etc/init.d/postfix restart

= Administering =

Without Virtual Domains
Web-cyradm is at http://machine.domain.com/web-cyradm/

Log in as admin, password fleas!alibi:glut

When creating a domain, use something mnemonic as the prefix (e.g. example if the domain is example.com).

Check "allow free names", or user names will be prefix + number.

= Managing trash =

(From https://support.mayfirst.org/wiki/configure_new_server)

As root, edit /etc/crontab.

Add the following lines:

2 4 * * *      amavis  find /var/lib/amavis/virusmails -mtime +14  -exec rm '{}' \;
 * 1) Find and delete all emails older than 14 days