ISP-Style Mail-Server

This document describes how to install a Postfix mail server that works with virtual users and domains, i.e. users and domains stored in a MySQL database. I'll also demonstrate the installation and configuration of Courier (Courier-POP3, Courier-IMAP), so that Courier can authenticate against the same MySQL database Postfix uses.

The resulting Postfix server supports SMTP-AUTH, TLS and quotas. Passwords are stored in encrypted form in the database (most documents I found deal with plain text passwords, which is a security risk). In addition, this tutorial covers the installation of Amavisd, SpamAssassin and ClamAV so that emails are scanned for spam and viruses.

The advantage of such a “virtual” setup (virtual users and domains in a MySQL database) is that it is far more performant than a setup based on “real” system users. With this virtual setup your mail server can handle thousands of domains and users. Besides, it is easier to administer because you only have to deal with the Web-GUI: no more postmap commands to create db files, no more reloading of Postfix, etc.

PoCoMy is a database-backed tool for controlling and configuring a mail system consisting of the components Postfix, Courier and MySQL.

Features:

  • multi-language (currently: translations for German and English)
  • multi-user with an administrative rights system (a kind of AAA)
  • database backend (currently supported: MySQL)
  • simple operation and configuration through a web browser
  • consisting of two modules: an admin and a user module

This HowTo is meant as a practical guide; it does not cover the theoretical background, which is treated in many other documents on the web.

This tutorial is based on Debian Etch, so you should set up a basic Debian Etch installation before you continue with this tutorial.

Installation of PoCoMy

apt-get install postfix-mysql postfix-pcre postfix-cdb postfix sasl2-bin libsasl2-modules libsasl2-modules-sql courier-authlib-mysql courier-pop-ssl courier-pop courier-imap courier-imap-ssl libapache2-mod-php5 php5-mysql apache2

The current version of PoCoMy may be found here:

Download the current version of PoCoMy and extract the archive into a directory accessible through your web server, e.g. /var/www/:

tar xzf PoCoMy-0.9.tgz -C /var/www/

To simplify the URL for accessing the web application you may rename (or symlink) the PoCoMy-0.9 directory; the example below renames it:

mv /var/www/PoCoMy-0.9/ /var/www/pocomy

Change into the PoCoMy-directory; all examples in this HowTo assume that your working directory is the newly created PoCoMy-directory.

cd /var/www/pocomy

Create the database: Use the command listed below to create the database and the database-user:

mysql -u root -p < sql/pocomy.sql

Configuring PoCoMy

Edit the file config/config.php and adjust the following settings:

POCOMY__SITENAME
    Descriptive name of your mail system.
POCOMY__ENABLE_USERINTERFACE
    false - no; true - yes. If set to true, the PoCoMy User-Module is activated and users gain some control over their own account (see “The PoCoMy User-Module”; NOTE: the user interface is not extensively tested!).
POCOMY__USERINTERFACE_URL
    URL pointing to the User-Module (if left unconfigured, the URL will be guessed).
POCOMY__ENABLE_NEWUSEREMAIL
    false - no; true - yes. Controls whether an email is sent to a newly created user.
POCOMY__POSTMASTERMAIL
    Email address of the postmaster for the system; if left unconfigured, the email address of the admin will be used.
POCOMY__SERVERNAME_SMTP, POCOMY__SERVERNAME_POP3, POCOMY__SERVERNAME_IMAP
    Server names for the SMTP, POP3 and IMAP servers; if left unconfigured, the server name of the web server running PoCoMy will be used.

Configuring Postfix

The directory etc/postfix contains an example configuration for Postfix. Copy the files to /etc/postfix (back up the original files first):

cp -r etc/postfix/* /etc/postfix

On some systems you must create a symbolic link for SASL:

ln -sv /etc/postfix/sasl/smtpd.conf /usr/lib/sasl2/smtpd.conf

NOTE: the provided file main.cf is only an example configuration. Use at your own risk! You must edit at least the variable myhostname!

Please edit the file with care!

Configuring Courier

The directory etc/courier contains an example configuration for Courier. Copy the files to /etc/courier (back up the original files first):

cp -r etc/courier/* /etc/courier

NOTE: The provided files contain only a sample working configuration. Use at your own risk and edit the files with care!

Use the following commands to create and configure the mailstore:

mkdir /srv/mail
chown postfix:mail /srv/mail
chmod 770 /srv/mail

Files containing sensitive information should be protected by assigning restrictive permissions:

chown root:postfix /etc/postfix/mysql-*
chmod 640 /etc/postfix/mysql-*
chown root:postfix /etc/postfix/sasl/smtpd.conf
chmod 640 /etc/postfix/sasl/smtpd.conf
chown daemon:daemon /etc/courier/*
chmod 640 /etc/courier/*
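As an added check (not part of PoCoMy or of this HowTo), the following POSIX shell script verifies after the fact that each of the files above has the expected owner:group and grants nothing to “other”; it assumes GNU stat as shipped with Debian.

```shell
#!/bin/sh
# check_secret_file FILE OWNER GROUP
# Returns 0 when FILE exists, has the expected owner:group and grants no
# permission bits to "other" (last octal digit 0); otherwise prints why and
# returns 1. Assumes GNU stat (coreutils) as shipped with Debian.
check_secret_file() {
    file=$1; want_owner=$2; want_group=$3
    if [ ! -e "$file" ]; then
        echo "MISSING  $file"
        return 1
    fi
    owner=$(stat -c %U "$file"); group=$(stat -c %G "$file"); mode=$(stat -c %a "$file")
    status=0
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "OWNER    $file is $owner:$group, expected $want_owner:$want_group"
        status=1
    fi
    case "$mode" in
        *0) ;;   # no read/write/execute for "other": good
        *)  echo "EXPOSED  $file has mode $mode (accessible to other users)"
            status=1 ;;
    esac
    return $status
}

# audit_mail_secrets: run the check over the files this HowTo locks down.
# Prints only problems; returns 1 if any file fails.
audit_mail_secrets() {
    bad=0
    for f in /etc/postfix/mysql-*; do
        check_secret_file "$f" root postfix || bad=1
    done
    check_secret_file /etc/postfix/sasl/smtpd.conf root postfix || bad=1
    for f in /etc/courier/*; do
        check_secret_file "$f" daemon daemon || bad=1
    done
    return $bad
}

# Run the audit only when called as "sh audit-secrets.sh audit", so the
# functions can also be sourced from another script.
if [ "${1:-}" = audit ]; then
    audit_mail_secrets
fi
```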


Install amavisd-new, SpamAssassin, And ClamAV

To install amavisd-new, spamassassin and clamav, run the following command:

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 unzoo libnet-ph-perl libnet-snpp-perl libnet-telnet-perl nomarch lzop pax

Afterwards we must configure amavisd-new. The configuration is split into several files in the /etc/amavis/conf.d directory. Take a look at each of them to become familiar with the configuration. Most settings are fine, however we must modify three files:

First we must enable ClamAV and SpamAssassin in /etc/amavis/conf.d/15-content_filter_mode by uncommenting the @bypass_virus_checks_maps and @bypass_spam_checks_maps lines:

vim /etc/amavis/conf.d/15-content_filter_mode

The file should look like this:

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it back
#

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);


#
# Default SPAM checking mode
# Uncomment the two lines below to enable it back
#

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # insure a defined return

Finally, edit /etc/amavis/conf.d/50-user and add the line $pax='pax'; in the middle:

vim /etc/amavis/conf.d/50-user
use strict;

#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#

$pax='pax';

#------------ Do not modify anything below this line -------------
1;  # insure a defined return

Afterwards, run these commands to add the clamav user to the amavis group and to restart amavisd-new and ClamAV:

adduser clamav amavis
/etc/init.d/amavis restart
/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart

Now we have to configure Postfix to pipe incoming email through amavisd-new:

postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
postconf -e 'receive_override_options = no_address_mappings'

Afterwards append the following lines to /etc/postfix/master.cf:

vim /etc/postfix/master.cf
[...]
amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_bind_address=127.0.0.1

Then restart Postfix:

/etc/init.d/postfix restart

Install Razor, Pyzor And DCC And Configure SpamAssassin

Razor, Pyzor and DCC are spam filters that use a collaborative filtering network. To install them, run:

apt-get install razor pyzor dcc-client

Now we have to tell SpamAssassin to use these three programs. Edit /etc/spamassassin/local.cf and add the following lines to it:

vim /etc/spamassassin/local.cf
[...]

# dcc
use_dcc 1
dcc_path /usr/bin/dccproc
dcc_add_header 1
dcc_dccifd_path /usr/sbin/dccifd

#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_add_header 1

#razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

Then restart amavisd-new so that the new SpamAssassin settings take effect:

/etc/init.d/amavis restart

Test Postfix

To see if Postfix is ready for SMTP-AUTH and TLS, run

nc localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH LOGIN PLAIN

everything is fine:

server1:/usr/local/sbin# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (Debian/GNU)
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
server1:/usr/local/sbin#

Type

quit

to return to the system shell.
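As an added check (not part of this HowTo or of PoCoMy), the following POSIX shell function reads an EHLO response captured with nc or telnet and reports whether STARTTLS and AUTH are advertised; the live probe at the end assumes an nc that accepts -w for a timeout.

```shell
#!/bin/sh
# check_ehlo_caps: read a captured ESMTP EHLO response on stdin and report the
# security-relevant capabilities. Returns 0 when STARTTLS and AUTH are both
# advertised (the "everything is fine" condition above), 1 otherwise.
check_ehlo_caps() {
    reply=$(tr -d '\r')                # strip the CR of the CRLF line endings
    tls=no; auth=no
    # Capability lines look like "250-STARTTLS"; the last one uses "250 DSN".
    if printf '%s\n' "$reply" | grep -q '^250[ -]STARTTLS'; then tls=yes; fi
    # Mechanism list from the "250-AUTH LOGIN PLAIN" line (ignores the legacy AUTH= form)
    mechs=$(printf '%s\n' "$reply" | sed -n 's/^250[ -]AUTH \(.*\)$/\1/p')
    if [ -n "$mechs" ]; then auth=yes; fi
    echo "STARTTLS advertised: $tls"
    echo "AUTH advertised:     $auth${mechs:+ ($mechs)}"
    if [ "$auth" = yes ]; then
        # We have not issued STARTTLS, so AUTH is being offered on the cleartext session.
        echo "NOTE: AUTH is offered on the unencrypted session; a client may send the password in the clear"
    fi
    [ "$tls" = yes ] && [ "$auth" = yes ]
}

# Live probe, run only when a host is given: sh ehlo-check.sh localhost [25]
if [ $# -ge 1 ]; then
    printf 'EHLO localhost\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}" | check_ehlo_caps
fi
```

Because the transcript above shows AUTH being advertised before STARTTLS, a client that skips STARTTLS can send the password in the clear; Postfix can be told to advertise AUTH only inside a TLS session with smtpd_tls_auth_only = yes in main.cf.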

Using the PoCoMy Admin-Module

First Login

The URL pointing to the Admin-Module is http://SERVERNAME/pocomy/admin.html For the first time you login into the PoCoMy Admin-Module please use the following account data:

username: 	pocomy
password: 	admin

Change the username and / or password for the admin ASAP!!!

Mail-System

Using the menu link “new domain” you can create a new domain for the system. (For this you need the authorization level SUPERADMIN or DOMAINADMIN).

Domain-List

Using the menu link “domain-list” you may view a list of all configured domains according to your authorization.

Create and Configure Mailaccounts

Using the action link “create new mail-account” (available in the domain list and the domain view) you can create a new mail account.

A short explanation of the most important fields:

  • email: Email address without the domain part
  • language: select one of the available languages.
  • name: Name of the account owner
  • firstname: firstname of the account owner (optional)
  • quota: Quota in MB
  • forward: List of forwarding (email addresses) (see details below)
  • keep a local copy if forward: yes / no
  • allow web-administration: allow this user to use the User-Module?
  • allow POP3: permit POP3 access
  • allow IMAP: permit IMAP access
  • maximum number of aliases: maximum number of aliases the user may configure (Administrators may exceed this number)
  • allow configuration of aliases: yes / no
  • maximum number of sender-aliases: see “maximum number of aliases”
  • allow configuration of sender-aliases: yes / no
  • password: password (requirements: at least 5 characters, containing at least one letter and one digit!)
  • repeat password: confirm password

Create and Configure Forwarding, Aliases and Senderaliases

Here is a short explanation of the configuration options for forwardings, aliases and sender aliases.

Forwardings

You may configure PoCoMy / Postfix to forward incoming emails for an account to one or more other email addresses. To do this, enter the list of all addresses to forward to into the corresponding field (use ; as separator for multiple addresses). The addresses may be external. Example:

user1@domain1.de; user2@domain1.de; userx@domainx.de

With the setting “keep a local copy if forward” you control whether a copy of the message is also delivered to the original recipient.

Aliases

You can regard aliases as “nicknames” for an email address; therefore only local domains are permitted for aliases. All emails addressed to a configured alias are delivered to the corresponding user.

Senderaliases

Users are allowed to send mail only after they have authenticated with their email address as username and their password, AND only if the sender address of the email equals the user's email address or is a valid alias for the user. Sender aliases allow a user to use special sender addresses for their emails. Enter the full email address into the senderalias form input.

Search for Email

With the help of this menu link you can search for email and alias owners. Enter the email or alias name without the domain part into the form.

Useradministration

For most user administration tasks you need the authorization level SUPERADMIN. Administrators without this authorization level can only change their own password.