Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Follow me on Twitter
Last edited 05/23/2011
This tutorial is Copyright (c) 2011 by Falko Timme. It is derived from a tutorial from Christoph Haas which you can find at http://workaround.org. You are free to use this tutorial under the Creative Commons license 2.5 or any later version.
This document describes how to install a Postfix mail server that is based on virtual users and domains, i.e. users and domains that are in a MySQL database. I’ll also demonstrate the installation and configuration of Courier (Courier-POP3, Courier-IMAP), so that Courier can authenticate against the same MySQL database Postfix uses.
The resulting Postfix server is capable of SMTP-AUTH and TLS and quota (quota is not built into Postfix by default, I’ll show how to patch your Postfix appropriately). Passwords are stored in encrypted form in the database (most documents I found were dealing with plain text passwords which is a security risk). In addition to that, this tutorial covers the installation of Amavisd, SpamAssassin and ClamAV so that emails will be scanned for spam and viruses. I will also show how to install SquirrelMail as a webmail interface so that users can read and send emails and change their passwords.
The advantage of such a “virtual” setup (virtual users and domains in a MySQL database) is that it is far more performant than a setup that is based on “real” system users. With this virtual setup your mail server can handle thousands of domains and users. Besides, it is easier to administrate because you only have to deal with the MySQL database when you add new users/domains or edit existing ones. No more postmap commands to create db files, no more reloading of Postfix, etc. For the administration of the MySQL database you can use web based tools like phpMyAdmin which will also be installed in this howto. The third advantage is that users have an email address as user name (instead of a user name + an email address) which is easier to understand and keep in mind.
This howto is meant as a practical guide; it does not cover the theoretical backgrounds. They are treated in a lot of other documents in the web.
This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!
1 Preliminary Note
This tutorial is based on Ubuntu 11.04 Server (Natty Narwhal), so you should set up a basic Ubuntu 11.04 server installation before you continue with this tutorial (e.g. as shown on the pages 1 – 3 in this tutorial: The Perfect Server – Ubuntu Natty Narwhal (Ubuntu 11.04) [ISPConfig 2]). The system should have a static IP address. I use 192.168.0.100 as my IP address in this tutorial and server1.example.com as the hostname.
Make sure that you are logged in as root (type in
sudo su
to become root), because we must run all the steps from this tutorial as root user.
It is very important that you make /bin/sh a symlink to /bin/bash…
dpkg-reconfigure dash
Use dash as the default system shell (/bin/sh)? <– No
… and that you disable AppArmor:
/etc/init.d/apparmor stop update-rc.d -f apparmor remove apt-get remove apparmor apparmor-utils
2 Install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin
To install Postfix, Courier, Saslauthd, MySQL, and phpMyAdmin, we simply run
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl phpmyadmin apache2 libapache2-mod-php5 php5 php5-mysql libpam-smbpass
You will be asked a few questions:
New password for the MySQL "root" user: <-- yourrootsqlpassword Repeat password for the MySQL "root" user: <-- yourrootsqlpassword Create directories for web-based administration? <-- No General type of mail configuration: <-- Internet Site System mail name: <-- server1.example.com SSL certificate required <-- Ok Web server to reconfigure automatically: <-- apache2 Configure database for phpmyadmin with dbconfig-common? <-- No
3 Apply The Quota Patch To Postfix
We have to get the Postfix sources, patch it with the quota patch, build new Postfix .deb packages and install those .deb packages:
apt-get build-dep postfix cd /usr/src apt-get source postfix
(Make sure you use the correct Postfix version in the following commands. I have Postfix 2.8.2 installed. You can find out your Postfix version by running
postconf -d | grep mail_version
The output should look like this:
root@server1:/usr/src# postconf -d | grep mail_version mail_version = 2.8.2 milter_macro_v = $mail_name $mail_version root@server1:/usr/src#
)
At the time of this writing there was no quota patch for Postfix 2.8.2, therefore I use the one for 2.8.1 (postfix-vda-v10-2.8.1.patch) – it works for Postfix 2.8.2 as well:
wget http://vda.sourceforge.net/VDA/postfix-vda-v10-2.8.1.patch cd postfix-2.8.2 patch -p1 < ../postfix-vda-v10-2.8.1.patch dpkg-buildpackage
Now we go one directory up, that’s where the new .deb packages have been created:
cd ..
The command
ls -l
shows you the available packages:
root@server1:/usr/src# ls -l total 6764 drwxr-xr-x 24 root root 4096 2011-04-29 13:53 linux-headers-2.6.38-8 drwxr-xr-x 7 root root 4096 2011-04-29 13:53 linux-headers-2.6.38-8-server drwxr-xr-x 19 root root 4096 2011-05-23 14:23 postfix-2.8.2 -rw-r--r-- 1 root src 3939 2011-05-23 14:24 postfix_2.8.2-1ubuntu1_amd64.changes -rw-r--r-- 1 root src 1505940 2011-05-23 14:24 postfix_2.8.2-1ubuntu1_amd64.deb -rw-r--r-- 1 root src 236146 2011-05-23 14:21 postfix_2.8.2-1ubuntu1.diff.gz -rw-r--r-- 1 root src 1338 2011-05-23 14:21 postfix_2.8.2-1ubuntu1.dsc -rw-r--r-- 1 root src 3644570 2011-04-05 08:06 postfix_2.8.2.orig.tar.gz -rw-r--r-- 1 root src 43636 2011-05-23 14:24 postfix-cdb_2.8.2-1ubuntu1_amd64.deb -rw-r--r-- 1 root src 151012 2011-05-23 14:24 postfix-dev_2.8.2-1ubuntu1_all.deb -rw-r--r-- 1 root src 1059534 2011-05-23 14:24 postfix-doc_2.8.2-1ubuntu1_all.deb -rw-r--r-- 1 root src 52252 2011-05-23 14:24 postfix-ldap_2.8.2-1ubuntu1_amd64.deb -rw-r--r-- 1 root src 45446 2011-05-23 14:24 postfix-mysql_2.8.2-1ubuntu1_amd64.deb -rw-r--r-- 1 root src 45394 2011-05-23 14:24 postfix-pcre_2.8.2-1ubuntu1_amd64.deb -rw-r--r-- 1 root src 45496 2011-05-23 14:24 postfix-pgsql_2.8.2-1ubuntu1_amd64.deb -rw-r--r-- 1 root src 56777 2011-03-03 09:30 postfix-vda-v10-2.8.1.patch root@server1:/usr/src#
Pick the postfix and postfix-mysql packages and install them like this:
dpkg -i postfix_2.8.2-1ubuntu1_amd64.deb postfix-mysql_2.8.2-1ubuntu1_amd64.deb
4 Create The MySQL Database For Postfix/Courier
Now we create a database called mail:
mysqladmin -u root -p create mail
Next, we go to the MySQL shell:
mysql -u root -p
On the MySQL shell, we create the user mail_admin with the passwort mail_admin_password (replace it with your own password) who has SELECT,INSERT,UPDATE,DELETE privileges on the mail database. This user will be used by Postfix and Courier to connect to the mail database:
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost' IDENTIFIED BY 'mail_admin_password'; GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost.localdomain' IDENTIFIED BY 'mail_admin_password'; FLUSH PRIVILEGES;
Still on the MySQL shell, we create the tables needed by Postfix and Courier:
USE mail;
CREATE TABLE domains ( domain varchar(50) NOT NULL, PRIMARY KEY (domain) ) TYPE=MyISAM;
CREATE TABLE forwardings ( source varchar(80) NOT NULL, destination TEXT NOT NULL, PRIMARY KEY (source) ) TYPE=MyISAM; CREATE TABLE users ( email varchar(80) NOT NULL, password varchar(20) NOT NULL, quota INT(10) DEFAULT '10485760', PRIMARY KEY (email) ) TYPE=MyISAM; CREATE TABLE transport ( domain varchar(128) NOT NULL default '', transport varchar(128) NOT NULL default '', UNIQUE KEY domain (domain) ) TYPE=MyISAM; quit;
As you may have noticed, with the quit; command we have left the MySQL shell and are back on the Linux shell.
The domains table will store each virtual domain that Postfix should receive emails for (e.g. example.com).
| domain |
| example.com |
The forwardings table is for aliasing one email address to another, e.g. forward emails for info@example.com to sales@example.com.
| source | destination |
| info@example.com | sales@example.com |
The users table stores all virtual users (i.e. email addresses, because the email address and user name is the same) and passwords (in encrypted form!) and a quota value for each mail box (in this example the default value is 10485760 bytes which means 10MB).
| password | quota | |
| sales@example.com | No9.E4skNvGa. (“secret” in encrypted form) | 10485760 |
The transport table is optional, it is for advanced users. It allows to forward mails for single users, whole domains or all mails to another server. For example,
| domain | transport |
| example.com | smtp:[1.2.3.4] |
would forward all emails for example.com via the smtp protocol to the server with the IP address 1.2.3.4 (the square brackets [] mean “do not make a lookup of the MX DNS record” (which makes sense for IP addresses…). If you use a fully qualified domain name (FQDN) instead you would not use the square brackets.).
BTW, (I’m assuming that the IP address of your mail server system is 192.168.0.100) you can access phpMyAdmin over http://192.168.0.100/phpmyadmin/ in a browser and log in as mail_admin. Then you can have a look at the database. Later on you can use phpMyAdmin to administrate your mail server.
5 Configure Postfix
Now we have to tell Postfix where it can find all the information in the database. Therefore we have to create six text files. You will notice that I tell Postfix to connect to MySQL on the IP address 127.0.0.1 instead of localhost. This is because Postfix is running in a chroot jail and does not have access to the MySQL socket which it would try to connect if I told Postfix to use localhost. If I use 127.0.0.1 Postfix uses TCP networking to connect to MySQL which is no problem even in a chroot jail (the alternative would be to move the MySQL socket into the chroot jail which causes some other problems).
Please make sure that /etc/mysql/my.cnf contains the following line:
vi /etc/mysql/my.cnf
[...] # Instead of skip-networking the default is now to listen only on # localhost which is more compatible and is not less secure. bind-address = 127.0.0.1 [...] |
If you had to modify /etc/mysql/my.cnf, please restart MySQL now:
/etc/init.d/mysql restart
Run
netstat -tap | grep mysql
to make sure that MySQL is listening on 127.0.0.1 (localhost.localdomain):
root@server1:/usr/src# netstat -tap | grep mysql tcp 0 0 localhost.localdo:mysql *:* LISTEN 19109/mysqld root@server1:/usr/src#
Now let’s create our six text files.
vi /etc/postfix/mysql-virtual_domains.cf
user = mail_admin password = mail_admin_password dbname = mail query = SELECT domain AS virtual FROM domains WHERE domain='%s' hosts = 127.0.0.1 |
vi /etc/postfix/mysql-virtual_forwardings.cf
user = mail_admin password = mail_admin_password dbname = mail query = SELECT destination FROM forwardings WHERE source='%s' hosts = 127.0.0.1 |
vi /etc/postfix/mysql-virtual_mailboxes.cf
user = mail_admin password = mail_admin_password dbname = mail query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s' hosts = 127.0.0.1 |
vi /etc/postfix/mysql-virtual_email2email.cf
user = mail_admin password = mail_admin_password dbname = mail query = SELECT email FROM users WHERE email='%s' hosts = 127.0.0.1 |
vi /etc/postfix/mysql-virtual_transports.cf
user = mail_admin password = mail_admin_password dbname = mail query = SELECT transport FROM transport WHERE domain='%s' hosts = 127.0.0.1 |
vi /etc/postfix/mysql-virtual_mailbox_limit_maps.cf
user = mail_admin password = mail_admin_password dbname = mail query = SELECT quota FROM users WHERE email='%s' hosts = 127.0.0.1 |
Then change the permissions and the group of these files:
chmod o= /etc/postfix/mysql-virtual_*.cf chgrp postfix /etc/postfix/mysql-virtual_*.cf
Now we create a user and group called vmail with the home directory /home/vmail. This is where all mail boxes will be stored.
groupadd -g 5000 vmail useradd -g vmail -u 5000 vmail -d /home/vmail -m
Next we do some Postfix configuration. Go sure that you replace server1.example.com with a valid FQDN, otherwise your Postfix might not work properly!
postconf -e 'myhostname = server1.example.com' postconf -e 'mydestination = server1.example.com, localhost, localhost.localdomain' postconf -e 'mynetworks = 127.0.0.0/8' postconf -e 'virtual_alias_domains =' postconf -e 'virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf' postconf -e 'virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf' postconf -e 'virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf' postconf -e 'virtual_mailbox_base = /home/vmail' postconf -e 'virtual_uid_maps = static:5000' postconf -e 'virtual_gid_maps = static:5000' postconf -e 'smtpd_sasl_auth_enable = yes' postconf -e 'broken_sasl_auth_clients = yes' postconf -e 'smtpd_sasl_authenticated_header = yes' postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination' postconf -e 'smtpd_use_tls = yes' postconf -e 'smtpd_tls_cert_file = /etc/postfix/smtpd.cert' postconf -e 'smtpd_tls_key_file = /etc/postfix/smtpd.key' postconf -e 'transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf' postconf -e 'virtual_create_maildirsize = yes' postconf -e 'virtual_maildir_extended = yes' postconf -e 'virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf' postconf -e 'virtual_mailbox_limit_override = yes' postconf -e 'virtual_maildir_limit_message = "The user you are trying to reach is over quota."' postconf -e 'virtual_overquota_bounce = yes' postconf -e 'proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps'
Afterwards we create the SSL certificate that is needed for TLS:
cd /etc/postfix openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509 Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE"). State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name. Locality Name (eg, city) []: <-- Enter your City. Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company). Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department"). Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com"). Email Address []: <-- Enter your Email Address.
Then change the permissions of the smtpd.key:
chmod o= /etc/postfix/smtpd.key
6 Configure Saslauthd
First run
mkdir -p /var/spool/postfix/var/run/saslauthd
Then edit /etc/default/saslauthd. Set START to yes and change the line OPTIONS=”-c -m /var/run/saslauthd” to OPTIONS=”-c -m /var/spool/postfix/var/run/saslauthd -r”:
vi /etc/default/saslauthd
# # Settings for saslauthd daemon # Please read /usr/share/doc/sasl2-bin/README.Debian for details. # # Should saslauthd run automatically on startup? (default: no) START=yes # Description of this saslauthd instance. Recommended. # (suggestion: SASL Authentication Daemon) DESC="SASL Authentication Daemon" # Short name of this saslauthd instance. Strongly recommended. # (suggestion: saslauthd) NAME="saslauthd" # Which authentication mechanisms should saslauthd use? (default: pam) # # Available options in this Debian package: # getpwent -- use the getpwent() library function # kerberos5 -- use Kerberos 5 # pam -- use PAM # rimap -- use a remote IMAP server # shadow -- use the local shadow password file # sasldb -- use the local sasldb database file # ldap -- use LDAP (configuration is in /etc/saslauthd.conf) # # Only one option may be used at a time. See the saslauthd man page # for more information. # # Example: MECHANISMS="pam" MECHANISMS="pam" # Additional options for this mechanism. (default: none) # See the saslauthd man page for information about mech-specific options. MECH_OPTIONS="" # How many saslauthd processes should we run? (default: 5) # A value of 0 will fork a new process for each connection. THREADS=5 # Other options (default: -c -m /var/run/saslauthd) # Note: You MUST specify the -m option or saslauthd won't run! # # WARNING: DO NOT SPECIFY THE -d OPTION. # The -d option will cause saslauthd to run in the foreground instead of as # a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish # to run saslauthd in debug mode, please run it by hand to be safe. # # See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information. # See the saslauthd man page and the output of 'saslauthd -h' for general # information about these options. # # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd" #OPTIONS="-c -m /var/run/saslauthd" OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r" |
Then create the file /etc/pam.d/smtp. It should contain only the following two lines (go sure to fill in your correct database details):
vi /etc/pam.d/smtp
auth required pam_mysql.so user=mail_admin passwd=mail_admin_password host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1 account sufficient pam_mysql.so user=mail_admin passwd=mail_admin_password host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1 |
Next create the file /etc/postfix/sasl/smtpd.conf. It should look like this:
vi /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd mech_list: plain login allow_plaintext: true auxprop_plugin: mysql sql_hostnames: 127.0.0.1 sql_user: mail_admin sql_passwd: mail_admin_password sql_database: mail sql_select: select password from users where email = '%u' |
Next add the postfix user to the sasl group (this makes sure that Postfix has the permission to access saslauthd):
adduser postfix sasl
Then restart Postfix and Saslauthd:
/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
7 Configure Courier
Now we have to tell Courier that it should authenticate against our MySQL database. First, edit /etc/courier/authdaemonrc and change the value of authmodulelist so that it reads:
vi /etc/courier/authdaemonrc
[...] authmodulelist="authmysql" [...] |
Then make a backup of /etc/courier/authmysqlrc and empty the old file:
cp /etc/courier/authmysqlrc /etc/courier/authmysqlrc_orig
cat /dev/null > /etc/courier/authmysqlrc
Then open /etc/courier/authmysqlrc and put the following lines into it:
vi /etc/courier/authmysqlrc
MYSQL_SERVER localhost MYSQL_USERNAME mail_admin MYSQL_PASSWORD mail_admin_password MYSQL_PORT 0 MYSQL_DATABASE mail MYSQL_USER_TABLE users MYSQL_CRYPT_PWFIELD password #MYSQL_CLEAR_PWFIELD password MYSQL_UID_FIELD 5000 MYSQL_GID_FIELD 5000 MYSQL_LOGIN_FIELD email MYSQL_HOME_FIELD "/home/vmail" MYSQL_MAILDIR_FIELD CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') #MYSQL_NAME_FIELD MYSQL_QUOTA_FIELD quota |
During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname (server1.example.com in this tutorial), delete the certificates…
cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem
… and modify the following two files; replace CN=localhost with CN=server1.example.com (you can also modify the other values, if necessary):
vi /etc/courier/imapd.cnf
[...] CN=server1.example.com [...] |
vi /etc/courier/pop3d.cnf
[...] CN=server1.example.com [...] |
Then recreate the certificates…
mkimapdcert
mkpop3dcert
… and restart Courier:
/etc/init.d/courier-authdaemon restart
/etc/init.d/courier-imap restart
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop restart
/etc/init.d/courier-pop-ssl restart
By running
telnet localhost pop3
you can see if your POP3 server is working correctly. It should give back +OK Hello there. (Type quit to get back to the Linux shell.)
root@server1:/etc/courier# telnet localhost pop3
Trying 127.0.0.1…
Connected to localhost.localdomain.
Escape character is ‘^]’.
+OK Hello there.
quit
+OK Better luck next time.
Connection closed by foreign host.
root@server1:/etc/courier#
8 Modify /etc/aliases
Now we should open /etc/aliases. Make sure that postmaster points to root and root to your own username or your email address, e.g. like this:
vi /etc/aliases
[...] postmaster: root root: postmaster@yourdomain.tld [...] |
or like this (if administrator is your own username):
[...] postmaster: root root: administrator [...] |
Whenever you modify /etc/aliases, you must run
newaliases
afterwards and restart Postfix:
/etc/init.d/postfix restart
发表回复