Mail Server Installation and Configuration

by rey on May.27, 2009, under Linux Tutorial links

Introduction With all of the tutorials posted here, this is one of the most complex setup that I want to share with you. If you haven’t read my previous post regarding “DNS Installation and Configuration” please have a look at it because mail required a valid MX record. I am not saying that, you need to install your own name server. You can use name server somewhere but the most important thing is that, there must be an MX record pointing to the IP address of your mail server. My mail setup consists of the following software: 1. Postfix – The SMTP Server; 2. Cyrus SASL – SMTP Authentication; 3. pam_pgsql – Pluggable Authentication Module, sits in between Cyrus SASL & PostgreSQL; 4. Spamassassin – Spam filter which is equipped with: o DCC – Distributed Checksum Clearinghouses o Pyzor o Razor 5. ClamAV – Clam Antivirus; 6. ClamSMTP – An SMTP filter sits in between the SMTP Server and ClamAV; 7. Dovecot – POP3, POP3S, IMAP & IMAPS Server; 8. PostgreSQL – Domain and User database; 9. Squirrelmail – Webmail IMAP client; 10. And my very own cPanel web interface. The mail server which I am going to build supports multiple domains. Each domain has their own unique users which means that user@domain1 is totally different from user@domain2, they have separate mailboxes. Procedure
1. Database Installation & Configuration;

Install the postgresql database server # yum -y install postgresql postgresql-server postgresqlcontrib

Enable postgresql to start at boot in runlevel 2,3,4 & 5 # chkconfig ––level 2345 postgresql on Start the postgresql server now # service postgresql start Modify postgresql.conf # vi /var/lib/pgsql/data/postgresql.conf listen_addresses = ‘localhost’ port = 5432 datestyle = ’sql, mdy’ Modify pg_hba.conf # vi /var/lib/pgsql/data/pg_hba.conf local all all trust host all all trust host all all ::1/128 trust Disable selinux protection for postgresql otherwise it will give us headache; # setsebool -P postgresql_disable_trans=on Restart the database server to activate the changes # service postgresql restart Create the database user “mail” # createuser -U postgres mail

Create the database “mail” # createdb -U postgres -E utf-8 mail Download the database schema then load to the database server # wget -O – | psql -U postgres -d mail -f Create the admin user to be use for the cpanel web interface. Please notice the password and changed it with your own. # psql -U postgres -d mail -c "INSERT INTO sysusers (username,password,name) VALUES ('admin',crypt('Pass123',gen_salt('md5')),'System Administrator')" Allow access to user admin with read/write permission to the module “access” in cpanel web interface. # psql -U postgres -d mail -c "INSERT INTO access (username,module,read,write,mode) VALUES ('admin','access','true','true','rw')"

conf # At line 972 I put this line NameVirtualHost 192.d/geroleo.d/*.conf Create the virtual host directory # mkdir /etc/httpd/vhost.d Create my virtual host configuration # vi /etc/httpd/ | tar -zxpf – -C / Change some selinux attributes # chcon -R -u system_u -t httpd_sys_content_t /usr/local/cpanel/ # chcon -t httpd_unconfined_script_exec_t /usr/local/cpanel/index.56.geroleo.cgi # chcon -R -t httpd_sys_script_exec_t /usr/local/cpanel/bin/ The http configuration file for my webmail and the cpanel # vi /etc/httpd/conf/httpd.2. Web server intallation and configuration and the cPanel web interface Install the http server and other required softwares # yum -y install httpd perl-DBI perl-DBD-Pg Allow httpd to connect to the database server # setsebool -P httpd_can_network_connect_db=on Download and uncompress the cPanel # wget -O – http://www.conf .2:80 # At line 211 I put this entry Include

pop3 & imap traffic.imap:tcp # system-config-securitylevel-tui .postgres. Other ports entry are: postgres:tcp.pop3:tcp.https.Allow http.mail.

I will not be liable if your server explodes due to the use of this program.3. . You can use this program at your own risk. The cPanel login screen. I want you to know that cPanel runs in suid mode as “root” which means that even though httpd process is owned by user and group “apache” this program has the access level as root which has access to everything in the server. cPanel is my custom web application to manage domain. users and mail aliases.4 & 5 # chkconfig ––level 2345 httpd on Start the httpd server # service httpd start 3.Enable httpd to start at boot in runlevel 2.

.Setting up the access permission.


cPanel will add it to the database in “domains” table and will create a folder in /home. Once you create a domain. .See the POSTFIX sub-menu as it appears when you click it.


it will add directory in /home/$(domain)/$ (user) and will served as the user’s mailbox. .And here is the User Manager. If you create user on the selected domain.


Dovecot Installation and Configuration.conf # vi /etc/dovecot-sql.conf Create /etc/dovecot-sql.4.conf # vi /etc/dovecot.4 & 5 # chkconfig ––level 2345 dovecot on Modify /etc/dovecot.conf . Install dovecot package with yum # yum -y install dovecot Enable dovecot to start at boot in run level 2.3.

Note if telnet is not yet installed. First is for POP3. After writing and installed tons of semodule and yet keep on failing. My nose bleeds struggling dovecot and selinux because selinux prohibits dovecot to authenticate user and to access user’s mailbox as well. use “yum -y install telnet”. I have no choice but to disable it: # setsebool -P dovecot_disable_trans=on && service dovecot restart The final test for my dovecot.Start the dovecot daemon # service dovecot start My next step is to test dovecot. .

and then for IMAP. .

5. Squirrelmail Installation and Configuration You can download squirrelmail web client from . Download and extract the file.squirrelmail.geroleo. The following procedure is applicable if you use the copy from here.tgz | tar -zxf – -C / Fix but I have a copy of squirrelmail which is built with MS Outlook skin and a password changer designed to fit my PostgreSQL database. # chown -R root:root /usr/local/squirrelmail/ # chown -R apache:apache /usr/local/squirrelmail/data # chmod 0755 /usr/local/squirrelmail/data # chcon -R -u system_u -t httpd_sys_content_t /usr/local/squirrelmail/ Modify the configuration file to fit my needs. # vi /usr/local/squirrelmail/config/config. # wget -O – http://www.

Install php and restart httpd # yum -y install php php-pgsql php-pear php-pear-DB # service httpd restart Access the webmail now. The login screen. and the main screen. .

# yum -y install rpm-build gcc make automake autoconf .6. # rpm -ivh http://apt.3.6-1.i386. # yum ––enablerepo=\* -y install clamav clamd clamav-db clamav-devel Install the compiler and rpm builder. we will install and configure ClamAV and ClamSMTP The easiest way to install ClamAV is to install the rpmforge repository. We are almost 50% done.sw.rpm Then install clamav packages using yum.el5. there should be written file /usr/src/redhat/RPMS/i386/clamsmtp-1.10-1. If so. Please always get the latest version. then install it. # chkconfig ––level 2345 clamd on # chkconfig ––level 2345 clamsmtpd on I found no way to deal with selinux and clamav.0.rpm Build the source rpm.conf Configure clamsmtpd.1:10026 Listen: 127.inet.10-1.0.1:10025 ClamAddress: /var/run/clamav/clamd. # vi /etc/clamd.conf # This is my working configuration OutAddress: 127. If you are curious. Installing postfix is not just as simple as “yum -y install . Postfix Installation. # rpm -ivh /usr/src/redhat/RPMS/i386/clamsmtp-1. # rpmbuild ––rebuild clamsmtp-1. the only possible way is to disable protection for just take a look at that file.src.101.rpm.rpm Configure clamd.i386. # vi /etc/clamsmtpd. # setsebool -P clamd_disable_trans=on # setsebool -P clamscan_disable_trans=on # setsebool -P freshclam_disable_trans=on Start the service now # service clamd start # service clamsmtpd start 7.rpm After successful build. # wget http://www.inet.sock Header: X-Virus-Scanned: ClamAV using ClamSMTP Action: drop User: clamav Enable clamd & clamsmtpd at boot process. normally the default configuration runs perfectly.Download ClamSMTP rpm source from http://www.src.

src.rpm Before the build. # rpm -ivh /usr/src/redhat/RPMS/i386/postfix-2. Download.33. Install the required dependencies. # wget -O – http://puzzle. you have to download the source from the distro’s repo and modify the spec file. please check the site and take the latest as possible. # .src.postfix” because the default rpm build doesn’t compiled to support pgsql though postfix does support # cd /usr/src Download and extract the source.7 # cd pam-pgsql-0. # yum -y install db4-devel pkgconfig zlib-devel openldapdevel cyrus-sasl-devel pcre-devel openssl-devel postgresqldevel The actual build.gz | tar -zxf Change directory pam-pgsql-0.7. compile and install # setsebool -P postfix_disable_trans=on 8.3. we need to install all the required dependencies.dl. # yum -y install pam-devel libmhash-devel libmhash postgresql-devel Change directory /usr/src. # rpmbuild ––rebuild postfix-2.tar.3-3.3.geroleo.7 Start to compile. Here is the source RPM I’d been customized to support pgsql otherwise.sourceforge./configure # make .rpm Install postfix now.rpm Disable selinux protection for postfix. # wget http://www.i386.

so Configure /usr/lib/sasl2/smtpd.conf host = localhost database = mail user = mail table = users user_column = userid pwd_column = password expired_column = expired newtok_column = newtok debug = 0 pw_type = crypt Configure /etc/pam. # vi /etc/pam.Install now.conf pwcheck_method: saslauthd mech_list: login plain 9. # vi /usr/lib/sasl2/smtpd. # yum -y install cyrus-sasl cyrus-sasl-plain Configure saslauthd start-up account required pam_pgsql.d/smtp.conf.d/smtp #%PAM-1. configure and test Cyrus SASL. Install.0 #auth include system-auth #account include system-auth auth required pam_pgsql. # make install Configure pam_pgsql. # vi /etc/pam_pgsql. # vi /etc/sysconfig/saslauthd SOCKETDIR=/var/run/saslauthd MECH=pam FLAGS=-r . use tabs to align. Install cyrus sasl package and its dependencies.

Disable selinux protection for saslauthd. # cd /etc/postfix Create/modify postfix main configuration file # vi main. # testsaslauthd -u test@geroleo. # setsebool -P saslauthd_disable_trans=on && service saslauthd restart Enbale saslauthd to start at boot in run level 2. # chkconfig ––level 2345 saslauthd on Start saslauthd now. the heart of the -p 1234 -s smtp 10. Postfix .4 & # Postfix General Config transport_maps = pgsql:/etc/postfix/transport. # service saslauthd start Test SASL. Please read the documents located in /usr/share/doc/postfix*/ to learn more about postfix and to know how it works.3.

cf virtual_mailbox_domains = pgsql:/etc/postfix/ virtual_mailbox_base = /home virtual_mailbox_maps = pgsql:/etc/postfix/ virtual_gid_maps = pgsql:/etc/postfix/gids.0. If you’re using an unregistered domain/ virtual_alias_maps = pgsql:/etc/postfix/virtual_aliases.1]:10025 receive_override_options = no_address_mappings # Others header_checks = regexp:/etc/postfix/regexp_header # Added by postfix readme_directory = /usr/share/doc/ # Don’t just invent this myorigin = $myhostname mynetworks = localhost.geroleo.localdomain $myhostname mailbox_size_limit = 0 message_size_limit = 0 virtual_mailbox_limit = 0 #Cyrus SASL smtp_sasl_auth_enable = no smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes broken_sasl_auth_clients = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $mydomain unknown_local_recipient_reject_code = 450 # SpamAssassin strict_rfc821_envelopes = yes disable_vrfy_command = yes smtpd_helo_required = yes # ClamAV content_filter = scan:[127.localdomain $myhostname mydestination = localhost.3/README_FILES . myhostname = mail. # you can simple add it to /etc/hosts bound to the IP address of your # network interface card.virtual_uid_maps = pgsql:/etc/postfix/uids.

cf user=mail password=” dbname=mail table=users select_field=gid where_field=userid hosts=localhost # vi user=mail password=” .3/samples sendmail_path = /usr/sbin/sendmail html_directory = no setgid_group = postdrop command_directory = /usr/sbin manpage_directory = /usr/share/man daemon_directory = /usr/libexec/postfix newaliases_path = /usr/bin/newaliases mailq_path = /usr/bin/mailq queue_directory = /var/spool/postfix mail_owner = postfix unknown_local_recipient_reject_code = 450 # vi user=mail password=” dbname=mail table=users select_field=uid where_field=userid hosts=localhost # vi gids.sample_directory = /usr/share/doc/ user=mail password=” dbname=mail table=transport select_field=transport where_field=domain hosts=localhost # vi uids.3.

# vi regexp_header /^X-Spam-Flag: YES/ DISCARD Modify the file # vi master.dbname=mail table=mailboxes select_field=mailbox where_field=userid hosts=localhost # vi virtual_domains. .cf user=mail password=” dbname=mail table=domains select_field=domain where_field=domain hosts=localhost # vi virtual_aliases. My rule is to discard those emails without informing the sender that his email was discarded. For me. This tells postfix to pass the email to the spamassassin content filter after performing access check. I have no time to check those “header_checks = regexp:/etc/postfix/regexp_header” this file will decide to those emails marked as user=mail password=” dbname=mail table=aliases select_field=address where_field=userid hosts=localhost As specified in This is the beginning of the file.

sock”. Remember that. Postfix will then pass the email to the antivirus filter service “scan” which is according to” passing all the required parameters. it is the ClamSMTP who is listening on this port. ClamSMTP after receiving the email will perform scan through the help of Clam Antivirus which is listening on unix local socket “/var/run/clamav/clamd. All infected emails will be discarded immediately while clean emails will go out at port 10026 which is again a postfix owned is on port 10025. . we will do the actual filtering by calling an external program “/usr/local/bin/spamfilter.Then under the “spamassassin” service. Spamassassin job is to check and mark the email either spam or not then send it back to postfix. The email will then proceed to its final destination finally!.

this is for fastest process as possible.Create /usr/local/bin/spamfilter. We will call spamassassin directly. this is for security reasons. we will start now the postfix mail # vi /usr/local/bin/spamfilter. # groupadd -g 106 spamassassin # useradd -g 106 -u 106 spamassassin #!/bin/bash spamassassin -e | /usr/sbin/sendmail. # yum -y install spamassassin Add user & group spamassassin with uid/gid 106. # service postfix start # chkconfig ––level 2345 postfix on .postfix -i “$@” exit $? # chmod 0755 /usr/local/bin/ Install spamassassin using yum because postfix will cry without it and it is not neccessary to start the daemon.

# perl -MMIME::Base64 -e 'print encode_base64("test\@geroleo.' The above command is in the form of "username\000username\000password" (\000 is a null byte and \@ is a escape sequence for perl because perl interprets @ as an array. postfix should be up and running now and we need to test it.\000test\@geroleo. we will generate an encoded base 64 string to be use for smtp authentication.If everything is done accordingly. The output for this command is: dGVzdEBnZXJvbGVvLmNvbQB0ZXN0QGdlcm9sZW8uY29tADEyMzQ= We can start the test now. # telnet localhost 25 .com\00012 34").

look at the mail headers. .Checking the email in Squirrelmail.

Our final step is to configure spamassassin to make it smarter. we must switch to user “spamassassin” to be use for testing. Do it on the second terminal with root user logged in.localdomain localhost ::1 localhost6.localdomain6 localhost6 Postfix should now working with the default spamassassin rules.0.tar. 11. The above main.168. it must be setup correctly.2 mail. Download. 192./etc/hosts – Plays an important part for your postfix mail transport agent. Spamassassin Configuration/Add-ons Installation and Configuration.56. On first terminal.dcc-servers. we must stay as root to do the compilation. On the other terminal. compile and install DCC.Z .com mail 127.0.geroleo.1 configuration file will work with /etc/hosts setup below: # Do not remove the following line. or various programs # that require network functionality will fail. # cd /usr/src # wget -O – We need 2 terminals to accomplish this task.

3.07 # perl″ $ crontab -e 0 5 * * * /var/dcc/libexec/cron-dccd Download.bz2 | tar -jxf # cd pyzor-0.dl.105 . # cd /usr/src/ # wget -O – http://puzzle.0.pre Remove the comment “#” build # python setup.PL # make # make install . loadplugin Mail::SpamAssassin::Plugin::DCC Switch on first terminal with “spamassassin” user. # su – spamassassin $ cdcc “delete 127.5.| # # # # # # tar -zxf cd dcc-1./ # wget -O – http://puzzle./configure make make install chown -R spamassassin:spamassassin /var/dcc vi /etc/mail/spamassassin/ -0.0.0 # python setup.84. $ pyzor discover Download. # cd /usr/src # wget -O – http://softlayer.84 # perl Makefile.tar.tar.PL # make # make install # cd .sourceforge. compile & install Pyzor (on terminal 2).07.sourceforge.tar.bz2 | tar -jxf # cd install Switch to terminal 1.bz2 | tar -jxf # cd razor-agents-sdk-2.0.5.dl. compile & install Razor (on terminal 2).

pyzor . $ spamassassin < /usr/share/doc/spamassassin-3. . $ razor-admin -d -create $ ls -la This directories should be # This is my required hits.5 use_bayes 1 bayes_auto_learn 1 bayes_auto_learn 1 bayes_path /var/lib/spamassassin/bayes/bayes bayes_file_mode 0666 use_razor2 1 use_pyzor 1 use_dcc 1 dcc_path /usr/local/bin/dccproc dcc_body_max 999999 dcc_timeout 10 dcc_fuz1_max 999999 dcc_fuz2_max 999999 dcc_home /var/dcc # mkdir /var/lib/spamassassin/bayes/ # touch /var/lib/spamassassin/bayes/bayes # chown -R spamassassin:spamassassin /var/lib/spamassassin/bayes/ Test spamassassin on terminal 1.Switch to terminal 1.txt .razor Switch to terminal 2. change it according to your requirements required_hits 3. # vi /etc/mail/spamassassin/local.5/samplespam.

I execute the command: # tail -f /var/log/messages and on the other window: # tail -f /var/log/maillog I am so lazy to type those commands and I frequently use them so. On first session. I opened 2 ssh sessions with PuTTY just for the log. It is a good practice to watch the logs while you are configuring your system. I added those commands in my .bashrc # User specific aliases and functions alias rm=’rm -i’ alias cp=’cp -i’ alias mv=’mv -i’ alias ls=’ls -Fa –color=always’ alias log=’tail -n 23 -f /var/log/messages’ alias maillog=’tail -n 23 -f /var/log/maillog’ .bashrc file. # vi ~/.NOTE: Don’t forget to consult your log files if something goes wrong or in any way your mail server is keep on failing. In my case.

.Now. I can easily type “log” or “maillog” whenever I need them. CONGRATULATIONS!!! You have now a complete and secured mail server.

Sign up to vote on this title
UsefulNot useful