
Mail Server Setup for CentOS 5

Switch to Postfix from Sendmail

1. If you did not add postfix and system-switch-mail-gnome during the CentOS installation, add them now using the
Package Manager tool.

By default, Sendmail is the active SMTP server. Here's how to change it.

2. Click System, select Administration, and click Mail Transport Agent Switcher. This will launch the system-switch-mail
window.

3. In the system-switch-mail window, select Postfix and click Ok.

Configure Postfix

1. Click Applications, select System Tools then click File Browser. This will launch the File Browser window.

2. In the Location field, type in /etc/postfix and press Enter. If you don't see the Location field, click the notepad button to
toggle to text-based location bar.

3. Double click on the file main.cf to open it for editing. We need to make Postfix listen on the network interfaces,
accept mail addressed to our domain, and deliver into a Maildir, which is a safer mailbox format than the default mbox:
each message is its own file, published by an atomic rename, so no file locking is needed and a crash in the middle of a
delivery cannot corrupt other messages.

Find the following keys and change their values as follows

inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
home_mailbox = Maildir/

In main.cf, lines starting with # are comments. Save the file after completing your changes.

Note: Leave every mail_spool_directory line commented out. In Postfix, home_mailbox takes precedence over
mail_spool_directory for local delivery, but having both set makes it unclear where mail will land when one of them is
changed later.

4. Restart the postfix service (see How to Start and Stop Services in CentOS 5 below).
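As an added illustration (not part of the original guide, and not Postfix code), the shell functions below perform a
bare-bones Maildir delivery by hand, so you can see what home_mailbox = Maildir/ buys you: the message is written under
tmp/ and published into new/ with a single rename, which is atomic, so readers never see a partial file and no locks are
needed. The file-name scheme (epoch seconds, a random token, the PID and the host name) is this example's own
approximation of the name shown in the test output later on this page; only a Maildir path is assumed.

```sh
#!/bin/sh
# Added example (not from the tutorial): a minimal Maildir delivery in shell,
# showing why home_mailbox = Maildir/ is the safer choice. Each message is its
# own file, written under tmp/ and then renamed into new/. rename(2) is atomic
# within a filesystem, so a POP3/IMAP reader never sees a half-written message
# and no locking is needed; with mbox every delivery appends to one shared
# file and readers and writers must lock it. Nothing here talks to Postfix;
# the Maildir root is whatever path is passed in.

maildir_init() {
    # Create tmp/, new/ and cur/, owner-only, as Postfix's local(8) does.
    for sub in tmp new cur; do
        mkdir -p "$1/$sub" && chmod 700 "$1/$sub" || return 1
    done
}

maildir_unique_name() {
    # Unique part: epoch seconds, random token, PID, then the host name,
    # in the spirit of 1185669817.Vfd00I18012M795756.mail.acme.local.
    host=$(uname -n)
    rnd=$(od -An -N4 -tu4 /dev/urandom 2>/dev/null | tr -d ' ')
    [ -z "$rnd" ] && rnd=$$    # fallback if /dev/urandom is unavailable
    echo "$(date +%s).R$rnd.P$$.$host"
}

maildir_deliver() {
    # maildir_deliver ROOT: message on stdin; prints the delivered file's path.
    root=$1
    name=$(maildir_unique_name)
    tmp="$root/tmp/$name"
    # A name collision means another writer is active: refuse rather than clobber.
    [ -e "$tmp" ] && { echo "maildir_deliver: $tmp already exists" >&2; return 1; }
    cat > "$tmp" || return 1
    # Publish atomically. Readers only look in new/ and cur/, never in tmp/.
    mv "$tmp" "$root/new/$name" || return 1
    echo "$root/new/$name"
}

maildir_count_new() {
    # Unread messages are simply the files in new/.
    ls "$1/new" | wc -l | tr -d ' '
}
```

Run maildir_init on a scratch directory, pipe a message into maildir_deliver, and compare the result with what Postfix
writes into /home/johndoe/Maildir/new after the telnet test below: same layout, same one-file-per-message idea.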

Add or Remove User

In Linux, new user accounts automatically receive mail accounts. Here are the steps for adding a new user account in Red
Hat Enterprise Linux 5 and its derivative CentOS 5.

1. Click Applications then select System Settings and click Users and Groups. This will launch the User Manager window.

2. In the User Manager window, click Add User. This will show the Create New User window.

3. In the Create New User window, fill in the User Name, Full Name, Password and Confirm Password. Click Ok when
you're done.

4. That's it, you have just created a new user. To remove a user, select the user you want to remove and click Delete.

Test Postfix

1. Click Applications, select Accessories, and click Terminal. This will launch the Terminal window.

2. In the Terminal window, type in the highlighted commands below.

Sample Postfix session. Replace johndoe with any valid user account. The line containing only a dot after the message
body (test) is the SMTP end-of-data marker and must be typed in.

[zubzero@mail ~]# telnet localhost smtp


Trying 127.0.0.1.
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.acme.local ESMTP Postfix
ehlo host
250-mail.acme.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: johndoe
250 2.1.0 Ok
rcpt to: johndoe
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
test
.
250 2.0.0 Ok: queued as 9729067C17
quit
221 2.0.0 Bye
Connection closed by foreign host.
[zubzero@mail ~]#

To check that the mail was actually delivered:

[zubzero@mail ~]# cd /home/johndoe/Maildir/new


[zubzero@mail new]# ls
1185669817.Vfd00I18012M795756.mail.acme.local
[zubzero@mail new]# cat 1185669817.Vfd00I18012M795756.mail.acme.local

Don't worry, you don't have to type in the whole filename above. Just type in the first few characters, say 118, then
press Tab to activate automatic completion.

From zubzero@mail.dfnn.com Thu Feb 22 21:48:28 2007


Return-Path: <zubzero@mail.dfnn.com>
X-Original-To: zubzero
Delivered-To: zubzero@mail.dfnn.com
Received: from localhost.dfnn.com (localhost.dfnn.com [127.0.0.1])
by mail.dfnn.com (Postfix) with SMTP id 9729067C17
for <zubzero>; Thu, 22 Feb 2007 21:48:26 -0500 (EST)
Message-Id: <20070222134827.9729067C17@mail.dfnn.com>
Date: Thu, 22 Feb 2007 21:48:26 -0500 (EST)
From: zubzero@mail.dfnn.com
To: undisclosed-recipients:;

test

[zubzero@mail new]#

Note: If you encounter any problems, check the log file at /var/log/maillog.

Important: By default Postfix does not require authentication to send email. With inet_interfaces = all and the stock
smtpd_recipient_restrictions (permit_mynetworks, reject_unauth_destination), the only thing stopping a client from
relaying through your server to arbitrary destinations is membership in mynetworks, which by default covers every subnet
the machine is attached to. So any Tom, Dick and Harry with access to your network can use your SMTP server to send
spam. Add SMTP authentication (see Postfix With SMTP-AUTH And TLS Implementation below) or tighten mynetworks before
exposing the server.
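To make that warning checkable, here is an added example (not from the original guide) in shell that reads a main.cf and
reports the open-relay conditions: no reject_unauth_destination in smtpd_recipient_restrictions, permit_mynetworks with
mynetworks left at its subnet-wide default, and permit_sasl_authenticated without SASL actually enabled. The three sample
main.cf files it writes are constructed from settings that appear on this page; Postfix itself is not needed to run it.

```sh
#!/bin/sh
# Added example (not from the tutorial): audit a Postfix 2.x main.cf for the
# open-relay condition described above. Only the file is read; Postfix does
# not need to be installed. On Postfix 2.x, smtpd_recipient_restrictions is
# where relay control happens, which is what this checks.

cf_get() {
    # cf_get FILE KEY: print KEY's value as Postfix would read it. The last
    # assignment wins, comment lines are skipped, and lines that begin with
    # whitespace continue the previous value.
    awk -v key="$2" '
        /^[ \t]/ { if (want) { sub(/^[ \t]+/, ""); val = val " " $0 }; next }
        { want = 0 }
        /^#/ { next }
        $0 ~ ("^" key "[ \t]*=") { want = 1; val = $0; sub(/^[^=]*=[ \t]*/, "", val) }
        END { sub(/[ \t]+$/, "", val); print val }' "$1"
}

relay_audit() {
    # relay_audit FILE: print findings, return the number of findings.
    cf=$1; n=0
    ifaces=$(cf_get "$cf" inet_interfaces); [ -z "$ifaces" ] && ifaces=all
    restr=$(cf_get "$cf" smtpd_recipient_restrictions)
    # Built-in default when the parameter is absent from main.cf.
    [ -z "$restr" ] && restr="permit_mynetworks, reject_unauth_destination"
    case "$ifaces" in
        loopback-only|localhost|127.0.0.1)
            echo "ok: Postfix only listens on loopback"; return 0 ;;
    esac
    case "$restr" in
        *reject_unauth_destination*|*defer_unauth_destination*) ;;
        *) echo "OPEN RELAY: no reject_unauth_destination in smtpd_recipient_restrictions"
           n=$((n + 1)) ;;
    esac
    case "$restr" in *permit_mynetworks*)
        if [ -z "$(cf_get "$cf" mynetworks)" ]; then
            echo "warning: permit_mynetworks with mynetworks unset; Postfix 2.x then trusts every attached subnet"
            n=$((n + 1))
        fi ;;
    esac
    case "$restr" in *permit_sasl_authenticated*)
        if [ "$(cf_get "$cf" smtpd_sasl_auth_enable)" != yes ]; then
            echo "warning: permit_sasl_authenticated listed but smtpd_sasl_auth_enable is not yes"
            n=$((n + 1))
        fi ;;
    esac
    [ "$n" -eq 0 ] && echo "ok: relaying limited to mynetworks and authenticated users"
    return "$n"
}

write_sample_cf() {
    # write_sample_cf DIR: three constructed main.cf fragments for the audit.
    # tutorial.cf holds exactly the three settings from "Configure Postfix".
    cat > "$1/tutorial.cf" <<'EOF'
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
home_mailbox = Maildir/
EOF
    # sasl.cf holds the SMTP-AUTH section's settings, with a continued line.
    cat > "$1/sasl.cf" <<'EOF'
inet_interfaces = all
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
EOF
    # open.cf is a misconfiguration: every recipient is permitted.
    cat > "$1/open.cf" <<'EOF'
inet_interfaces = all
mynetworks = 127.0.0.0/8
# a rejection "fixed" by permitting everything
smtpd_recipient_restrictions = permit
EOF
}
```

Running relay_audit /etc/postfix/main.cf on the configuration built so far reports the mynetworks warning, which is
exactly the exposure described above; the SMTP-AUTH settings later on this page make it report clean.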

How to install and set up the Dovecot POP3 and IMAP server

Install Dovecot

1. If you did not add dovecot during the CentOS installation, you can add it now using Package Manager.

Configure Dovecot

1. Click Applications, select System Tools then click File Browser. This will launch the File Browser window.

2. In the Location field, type in /etc and press Enter. If you don't see the Location field, click the notepad button to
toggle to the text-based location bar.

3. Double click on the file dovecot.conf to open it for editing. We need to change a few key items.

Find the following keys and change their values as follows

protocols = pop3 pop3s imap imaps
mail_location = maildir:~/Maildir/
imap_client_workarounds = delay-newmail outlook-idle netscape-eoh
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh

Lines starting with # are comments. The last two lines enable workarounds for various client bugs. Save the file after
completing your changes.

Plain pop3 and imap carry the user's password in clear text across the network. Dovecot's default disable_plaintext_auth =
yes refuses such logins except over TLS or from the local host, which is why the telnet test below works; leave that
default alone and point clients at the pop3s and imaps ports, which need ssl_cert_file and ssl_key_file to point at a
certificate (a self-signed one is fine for testing).

4. Start the dovecot service.

Test Dovecot

1. Click Applications, select System Tools, and click Terminal. This will launch the Terminal window.

2. In the Terminal window, type in the highlighted commands below.

Sample Dovecot session. Replace ruel and password with a valid user name and its password.

[ruel@wmail ~]# telnet localhost pop3


+OK dovecot ready.
user ruel
+OK
pass password
+OK Logged in.
list
+OK 1 messages:
1 622
.
retr 1
+OK 622 octets
Return-Path: <zubzero@mail.dfnn.com>
X-Original-To: zubzero
Delivered-To: zubzero@mail.dfnn.com
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by mail.dfnn.com (Postfix) with SMTP id 9729067C17
for <zubzero>; Thu, 22 Feb 2007 09:06:37 -0500 (EST)
Message-Id: <20070222140640.9729067C17@mail.dfnn.com>
Date: Thu, 22 Feb 2007 09:06:37 -0500 (EST)
From: zubzero@mail.dfnn.com
To: undisclosed-recipients:;
X-IMAPbase: 1172153557 1
Status: O
X-UID: 1
Content-Length: 5
X-Keywords:

test
.
quit
+OK Logging out.
Connection closed by foreign host.
[ruel@wmail ~]#

Note: If you encounter any problems, check the log file at /var/log/maillog.

How to install and set up SquirrelMail WebMail

SquirrelMail is an open source standards-based webmail package written in PHP. When installed, SquirrelMail is ready out
of the box. All it needs is an installed web server like Apache, an SMTP server like Postfix, and an IMAP server like
Dovecot.

Starting the Web Server

1. If you did not add Web Server and squirrelmail during installation, you can add it now. Using the Package Manager tool,
add the Web Server package in the Servers category. Also add the optional package squirrelmail located in the Mail Server
package under the category Servers.

2. Start the httpd service.


How to Start and Stop Services in CentOS 5

Starting and stopping services is easy in CentOS 5. Both it and Red Hat Enterprise Linux 5 include the Service
Configuration tool, which simplifies service administration.

a. Click System, select Administration, select Server Settings and click Services. This will launch the Service Configuration
window.

b. In the Service Configuration window, check the service you wish to start on the next system startup, in this case the
service postfix. To start the service immediately, press Start.

Unchecked services will not be started on the next system startup. To immediately stop a service, select the service and
press Stop.

To restart a service, select the service and press Restart.

c. Press Save to save your changes.

Testing SquirrelMail
1. Click the globe icon at the top near the System menu to launch the Firefox web browser.

If an error occurs, you probably did not install the Graphical Internet package. You can add it now using the Package
Manager tool.

2. In the address box, type in http://localhost/webmail and press Enter. Type in a valid username and password and click
Login.

3. That's it, it's working.

Note that over plain http the login form sends the mail password in clear text; for anything but this local test, serve
SquirrelMail over https only (the firewall section below opens 443 for this reason).

If you encounter any problems, check the log files at /var/log/maillog and /var/log/httpd/error_log.

How to add a password change utility.

If you are using Linux system accounts as your mail accounts, you can install the change_passwd plugin to enable
SquirrelMail to provide a password change utility.

Install the SquirrelMail Change Password Plugin

1. Download the change_passwd and compatibility plugins.


http://www.linux-mail.info/files/change_passwd-4.0-1.2.8a.tar.gz
http://www.linux-mail.info/files/compatibility-1.3.tar.gz

2. Extract the downloaded files and put them into the /usr/share/squirrelmail/plugins directory.

3. From a Terminal window, type in /usr/share/squirrelmail/config/conf.pl and press Enter. This will launch the
SquirrelMail Configuration utility.

4. Type in 8 and press Enter to list the Plugins submenu.

5. Install the change_passwd plugin by typing in the number corresponding to it and press Enter. Do the same for the
compatibility plugin. When you are done, type in q and press Enter to quit then type in y and press Enter to save your
changes.

Test the SquirrelMail Change Password

1. Login to SquirrelMail and go to the Options page. You should see the new Change Password section.

2. Click the Change Password link to view the new Change Password page.

How to add Active Directory/LDAP into the SquirrelMail Addressbook

This guide will show you how to integrate Active Directory/LDAP into the SquirrelMail addressbook. In this page, you will
learn how to configure SquirrelMail to activate the Javascript addressbook and to include your Active Directory or LDAP
server into the addressbook lookup list.

SquirrelMail will be using the following attributes

* cn - Common Name
* mail - Email Address
Configure the SquirrelMail Addressbook

We will be using the Perl based SquirrelMail configuration utility to configure the addressbook.

1. Launch the Terminal application.

2. In the Terminal window, type in /usr/share/squirrelmail/config/conf.pl and press Enter. This will launch the SquirrelMail
Configuration utility.

If your Terminal window has a white background, make sure that the colors are off by looking for the command Turn color
on. If the command is Turn color off, type in C and press Enter to turn the colors off. This will ensure that you will be able
to read all of the text.

3. Type in 6 and press Enter to list the Address Books submenu.

4. Select the Javascript address book as the default by typing in 2 and press Enter then type in y and press Enter.

5. Add your Active Directory/LDAP server by typing in 1 and press Enter then type in + and press Enter. You will now be
asked a series of questions regarding your Active Directory/LDAP server configuration, see the sample session below.

First, we need to have the hostname or the IP address where


this LDAP server resides. Example: ldap.iwiphil.com.com
hostname: server

Next, we need the server root (base dn). For this, an empty
string is allowed.
Example: ou=member_directory,o=netcenter.com
base: dc=acme,dc=local

This is the TCP/IP port number for the LDAP server. Default
port is 389. This is optional. Press ENTER for default.
port:

This is the charset for the server. Default is utf-8. This


is also optional. Press ENTER for default.
charset:

This is the name for the server, used to tag the results of
the search. Default is "LDAP: hostname". Press ENTER for default
name:

You can specify the maximum number of rows in the search result.
Default is unlimited. Press ENTER for default.
maxrows:

If your LDAP server does not like anonymous logins, you can specify a bind DN.
Default is none, anonymous bind. Press ENTER for default.
binddn: cn=mailuser,dc=acme,dc=local

If you are connecting to an Active Directory server, binddn can also be in the form of acme\mailuser or
mailuser@acme.local

Now, please specify password for that DN.
bindpw: password

This password is written in clear text to SquirrelMail's config.php, so use a dedicated, read-only directory account for
it and keep the configuration file readable only by root and the web server user.

You can specify bind protocol version here.


Default protocol version depends on your php ldap settings.
Press ENTER for default.
protocol: 3

[ldap] command (?=help) > d

You should now be back at the Address Books sub menu, type in q and press Enter to quit and type in y and press Enter to
save your changes.

Test the SquirrelMail Addressbook

1. Login to SquirrelMail and compose a new mail.

2. Click the Addresses button (not the Addresses link). This will launch the SquirrelMail Addressbook window. Click the
List all button, you should now see your Active Directory/LDAP email addresses.

If you are querying a Windows 2003 Server and you are encountering an Operations error message, try enabling anonymous
LDAP operations on the Windows 2003 Active Directory as described below.

With a Windows 2003 Active Directory some query operations do not work. This is because certain queries perform
anonymous LDAP operations even if you have bound your connection. To fix this problem, you have to implement the change
specified in the Microsoft Knowledge Base at http://support.microsoft.com/kb/326690. The steps below describe one way to
implement this change using ADSI Edit, included in the Windows Server 2003 Support Tools.

The Windows Support Tools are not automatically installed when you install Windows Server 2003. To install the Windows
Support Tools on a computer that is running Windows Server 2003, run the Suptools.msi program that is in the Support\
Tools folder on the Windows Server 2003 CD.

1. Click Start then click Run and type in adsiedit.msc. This will launch the ADSI Edit application.

2. In the ADSI Edit window, navigate to Configuration, CN=Configuration, CN=Services, CN=Windows NT and right click
CN=Directory Service and click on Properties.

3. Find dsHeuristics and click on Edit.

4. Set the value of dsHeuristics to 0000002. If a value already exists, set its seventh character to 2 and leave the other
characters as they are.

Be aware that this is a forest-wide setting: it allows anonymous LDAP clients to perform operations beyond reading the
rootDSE, limited to whatever the ANONYMOUS LOGON principal has been granted read permission on. Review those permissions
before making the change rather than granting anonymous read access to the whole directory.

How to automatically update the user's personal information

Before using SquirrelMail, the user should first fill in at least the name and email address in the Personal Information
option. But we can eliminate this step by using the RetrieveUserData plugin to retrieve this information from a variety of
sources and automatically update this information.

Install the RetrieveUserData Plugin

1. Download the retrieveuserdata plugin.


http://www.linux-mail.info/files/retrieveuserdata.0.9-1.4.1.tar.gz

2. Extract the downloaded file and put it into the /usr/share/squirrelmail/plugins directory.

3. From a Terminal window, type in /usr/share/squirrelmail/config/conf.pl and press Enter. This will launch the
SquirrelMail Configuration utility.

If your Terminal window has a white background, make sure that the colors are off by looking for the command Turn color
on. If the command is Turn color off, type in C and press Enter to turn the colors off. This will ensure that you will be able
to read all of the text.

4. Type in 8 and press Enter to list the Plugins submenu.

5. Install the retrieveuserdata plugin by typing in the number corresponding to it and press Enter.

6. Return to the Main Menu by typing in 9 and press Enter. Go to the General Options by typing in 4 and press Enter. In the
General Options, type in 9 and press Enter to configure the editing of identity. This option will allow you to disable editing
of the name and email address since this will be automatically updated. Save your changes when you are done.

7. Login to SquirrelMail and go to the Options page and click Personal Information. The Full Name and E-mail Address
should have been automatically filled up.

By default, RetrieveUserData will retrieve the name and email address from the Linux system accounts, but you can
configure this by editing the file /usr/share/squirrelmail/plugins/retrieveuserdata/config.php. If you will be retrieving user
information from an Active Directory or LDAP server, it will be easier if you set up the LDAP addressbook first so that the
plugin can use the LDAP connection details there. Then all you have to do is comment out the line
$SQRUD_RETRIEVE_DATA_FROM = 'passwd.php'; and uncomment the line $SQRUD_RETRIEVE_DATA_FROM = 'ldap.php'; in
the configuration file.

How to configure the firewall

Red Hat Enterprise Linux 5 and its derivative CentOS 5 includes a graphical tool called Security Level Configuration for
configuring the firewall options. This guide describes how to use this tool to open up the ports necessary for providing an
email server.

1. Click System, select Administration and click Security Level and Firewall. This will launch the Security Level
Configuration window.

2. For a mail server with webmail, check Mail (SMTP), Secure WWW (HTTPS) and WWW (HTTP) in the Trusted services
list.

3. We also need to open the ports for the POP3 and IMAP services. In the Other ports field, add the port numbers below.

Service   Port
POP3      110:tcp
POP3S     995:tcp
IMAP      143:tcp
IMAPS     993:tcp

Only open 110 and 143 if you really have clients that cannot do TLS; the encrypted POP3S and IMAPS ports are enough for
current mail clients, and leaving the clear-text ports closed removes the easiest way to capture passwords on the wire.

Important: You can see more service and port numbers by typing in "/usr/bin/getent services" from the Terminal window.

How to add antivirus and antispam filtering

We will be using Clam AntiVirus for virus scanning, SpamAssassin for the spam tagging and MailScanner to integrate them
into Postfix.
To install MailScanner, we are going to download the latest source code from the MailScanner web site and build it. For this
to work, it needs the Development Tools package. If you did not include this during installation, you must add it now.

Add or Remove Applications in CentOS 5

Red Hat Enterprise Linux 5 and its derivative CentOS 5 includes an extensive list of applications that can be easily added or
removed. This guide will show you how to do it using the Package Manager tool.

1. Click Applications and click Add/Remove Software. This will launch the Package Manager window.

2. Select the Category of the package on the left column. On the right column, check the package you wish to install or
uncheck it to remove it.

3. Click Optional packages to check or uncheck the individual applications inside the package you wish to install or
remove respectively. Click Close when you're done.

You can also check or uncheck the individual applications by searching for it in the Search tab.

Or you can locate individual applications in a list by clicking the List tab.

4. Finally, click Apply. You will be asked to verify your changes. Just click Continue to proceed.

Getting MailScanner

1. Click the globe icon at the top near the System menu to launch the Firefox web browser.

If an error occurs, you probably did not install the Graphical Internet package. You can add it now using the Package
Manager tool.

2. In the address box, type in http://www.mailscanner.info/downloads.html and press Enter. Download the stable version for
RedHat, Fedora and Mandrake Linux.

Building and Installing MailScanner

1. The MailScanner source code should now be on your desktop. Right click the newly downloaded file and click Extract
Here.

2. After extracting, a MailScanner folder should be found on your Desktop. Double click the MailScanner folder to open it.

3. Next, double click the file install.sh. On the Run or Display window, select Run in Terminal. This will now build and
install MailScanner. This will take a while so just wait until the Terminal window disappears.

How to install Clam AntiVirus (ClamAV)

To install Clam AntiVirus (ClamAV), we are going to use the precompiled binaries from Dag Wieers RPM packages for
Red Hat, RHEL, CentOS and Fedora.

Adding RPMForge to Yum

1. Launch Firefox and go to http://dag.wieers.com/rpm/FAQ.php#B2. Click on the package appropriate for your version of
Red Hat Enterprise Linux or CentOS.

2. Choose Open with Software Installer (default) and click Ok.

3. The Installing packages window will appear. Click Apply to proceed.

4. Finally click Ok. You now have access to an extensive library of precompiled binaries.

Installing Clam AntiVirus

If you prefer not to use the GUI tool below, you can also install the Clam AntiVirus by typing in yum install clamd in a
Terminal window.

1. Click Applications then click Add/Remove Software. This will launch the Package Manager window.

2. Click the Search tab. Next type in clamd and click the Search button.

3. Select the latest version of clamd then click Apply. Next click on Continue until it proceeds with the installation.

4. After installation, click Ok. You now have successfully installed Clam Antivirus.

5. Run freshclam in a Terminal window to download the current virus signatures (a scanner with a stale database misses
most of what it exists to catch), then test ClamAV by typing in the command "clamscan".

MailScanner, ClamAV, SpamAssassin and Postfix Integration Guide

This page will guide you in configuring MailScanner, ClamAV and SpamAssassin to work in Postfix. Before proceeding,
please make sure that all of the above components are already installed.

Here are the installation guides for the above components.

* How to install Postfix SMTP Server


* How to install Clam Anti-virus (ClamAV)
* How to install MailScanner

SpamAssassin is included in Red Hat Enterprise Linux 5 and CentOS 5 and it's ready to go out of the box. Just add it
using the Package Manager tool if you haven't done so during installation.

Configuring MailScanner

1. Edit the file /etc/MailScanner/MailScanner.conf

Find the following keys and change the values as follows

%org-name% = your organization name


%org-long-name% = your full organization name
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
Virus Scanners = clamd
Clamd Socket = /tmp/clamd.socket
Use SpamAssassin = yes
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

Clamd Socket must match the LocalSocket setting in /etc/clamd.conf; if the clamd package uses a different path, change
one of them so that they agree, otherwise MailScanner cannot reach the scanner and will log errors in /var/log/maillog.

2. Click Applications and click File Browser to launch the File Browser window and go to the /var/spool/MailScanner
directory.

3. In the File Browser window, click File and click Create Folder. Name the new folder spamassassin.

4. Right click on the folder incoming and click Properties.

5. In the Properties window, click the Permissions tab. In the Permissions page, set the Owner as postfix, the Group as
postfix and the Owner Folder Access as Create and delete files. Set the rest of the Folder Access as None. Click Close when
you are done. Repeat this for the quarantine and spamassassin folders.

Integrating MailScanner into Postfix

1. Edit the file /etc/postfix/main.cf and remove the # in front of the line below

header_checks = regexp:/etc/postfix/header_checks

2. Edit the file /etc/postfix/header_checks and add the line below to the bottom of the file

/^Received:/ HOLD

Postfix adds a Received: header to every message it accepts, so this rule matches all mail and places it in the hold
queue until MailScanner has scanned it and moved it on to the incoming queue.

3. MailScanner should now be the one to start the Postfix service. Stop the Postfix service and start the MailScanner
service, in that order (see How to Start and Stop Services in CentOS 5 above). In the Service Configuration window, leave
postfix unchecked and MailScanner checked for the next system startup, so that MailScanner, not the postfix init script,
brings Postfix up at boot.

4. Test if Postfix is still working. See Test Postfix using Telnet.

Your mails are now checked for spam and viruses. Each mail you send or receive will now contain the lines below to
indicate that MailScanner is doing its job.

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

You can greatly reduce the volume of spam and viruses reaching your mail server if you are willing to trade something
for it. If you can accept that some mail is delayed, install Postgrey.

Postgrey is a simple and powerful anti-spam tool for Postfix. It works by using a technique called greylisting: the first
delivery attempt from a new combination of client network, sender and recipient is temporarily rejected, and is only
accepted when the client retries after a delay. Legitimate mail servers always retry; much spamware does not. Adding
greylisting to Postfix gives your mail server a simple and effective first line of defense against spam, at a cost of a
few minor delays for newly seen senders. To install Postgrey, we are going to use the precompiled binaries from Dag
Wieers' RPM packages for Red Hat, RHEL, CentOS and Fedora.

If you have not done so already, add the RPMForge repository as described under Adding RPMForge to Yum above.

Installing Postgrey Greylisting Policy Server

If you are using Red Hat Enterprise Linux 4 or CentOS 4, you have an older version of the Package Manager tool. Instead
of using the GUI tool below, you can use the command yum install postgrey in a Terminal window to install Postgrey.

1. Click Applications then click Add/Remove Software. This will launch the Package Manager window.

2. Click the Search tab. Next type in postgrey and click the Search button.

3. Select the latest version of postgrey then click Apply. Next click on Continue until it proceeds with the installation.

4. After installation, click Ok. You now have successfully installed Postgrey Postfix Greylisting Policy Server.

Configuring Postfix

1. Edit /etc/postfix/main.cf and add reject_unlisted_recipient and check_policy_service unix:postgrey/socket to the value of
smtpd_recipient_restrictions, after reject_unauth_destination.

check_policy_service unix:postgrey/socket performs the greylisting, while adding reject_unlisted_recipient before it lets
Postfix immediately reject unknown recipients instead of making clients go through the greylisting process before being
told that the recipient does not exist. Keeping both after reject_unauth_destination matters: a relay attempt for a domain
you are not responsible for should be rejected outright, not greylisted.

2. Start Postgrey and restart Postfix or MailScanner (if you have installed MailScanner). See How to Start and Stop
Services in CentOS 5 above.

3. Test Postfix. Do not use localhost to connect to Postfix: 127.0.0.0/8 is part of mynetworks, so permit_mynetworks
accepts the recipient before the policy check is reached and Postgrey is bypassed. Connect from another host instead.
After typing in the rcpt to command, it should reply with Recipient address rejected: Greylisted, and it should work if
you try again after at least five minutes (Postgrey's default delay is 300 seconds).

Configuring the Whitelist in Postgrey

The whitelist lets you exempt certain recipient addresses, or certain client IP addresses or hostnames, from greylisting.

1. To disable greylisting for certain email accounts, add their email addresses to the file
/etc/postfix/postgrey_whitelist_recipients.

2. To disable greylisting for certain IP addresses or hostnames, add the IP address, hostname or a regular expression to
match hostnames to the file /etc/postfix/postgrey_whitelist_clients.local. Hostnames are identified by a reverse DNS
lookup on the client's IP address, which Postfix only reports if the name also resolves back to that address; still, a
whitelist entry for a whole domain trusts that domain's DNS, so keep such entries to senders you know. For sample entries,
view the file /etc/postfix/postgrey_whitelist_clients.

How to integrate Active Directory/LDAP

Integrating Active Directory/LDAP into your mail server turns your Linux email server into a lean and mean Exchange-like
server: accounts and addresses are managed in the directory rather than in /etc/passwd.

This guide will show you how to integrate Active Directory/LDAP into Postfix and Dovecot. In this page, you will learn
how to enable Postfix to lookup email addresses in LDAP and how to enable Dovecot to authenticate to an LDAP server.

We will be using the following attributes

* samaccountname or uid - User Name for Active Directory or OpenLDAP respectively
* mail - Email Address. For Active Directory users, you need to fill in the E-mail field of the User.

Create the Virtual Mail User Account

Since the Active Directory/OpenLDAP user names are not part of the Linux system, we will have to create a user that will
be the owner for all the files belonging to the LDAP user names.

1. Create a new user; we will call it vmail. Change the Login Shell to /sbin/nologin, since this account should never be
used for logging in.

2. Take note of the User ID and Home Directory of vmail.

3. Click the Groups tab and note down the Group ID of vmail. We'll be needing all of them later.

Postfix Active Directory/LDAP Integration

1. Create the file /etc/postfix/ldap-users.cf containing the lines below

server_host = your ldap server


search_base = your search base
version = 3
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname
result_format = %s/Maildir/

Change samaccountname to uid if you will be connecting to an OpenLDAP server. If your server requires authentication,
add the lines below

bind = yes
bind_dn = cn=mailuser,dc=acme,dc=local
bind_pw = password

Replace the value of bind_dn and bind_pw with a valid user account and password respectively. If you will be connecting to
an Active Directory server, bind_dn can also be

bind_dn = acme\mailuser

or

bind_dn = mailuser@acme.local

Because bind_pw sits in the file in clear text, make the file owned by root with group postfix and mode 640: Postfix
reads it as the postfix user and nobody else needs to. Use a directory account that can only read, not write. Unless the
LDAP server is on the same host, also add start_tls = yes (supported by Postfix's LDAP tables since 2.2) so that the bind
password and the lookups do not cross the network unencrypted.

2. Test your postfix configuration file by typing in the command

postmap -q [email] ldap:/etc/postfix/ldap-users.cf

in a terminal window, replacing [email] with an address that exists in the directory. It should return the mailbox path
built from result_format, for example johndoe/Maildir/, relative to the virtual_mailbox_base set in the next step.

3. Edit the Postfix configuration file /etc/postfix/main.cf. Change the mydestination line to

mydestination = $myhostname, localhost

so that $mydomain is no longer a local domain: Postfix warns about a domain listed in both mydestination and
virtual_mailbox_domains and does not deliver it the way you intend. Then add the lines below

virtual_mailbox_domains = $mydomain
virtual_mailbox_base = /home/vmail/
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_uid_maps = static:501
virtual_gid_maps = static:501

virtual_mailbox_base, virtual_uid_maps and virtual_gid_maps should contain the home directory, user id and group id of
vmail respectively (501 is just the value on the example system; use the numbers you noted down earlier).

4. Restart the Postfix or MailScanner service if you have installed it.

5. You should now be able to send email to addresses found in your LDAP server.

Dovecot Active Directory/LDAP Integration

1. Create the file /etc/dovecot-ldap.conf containing the lines below

hosts = your ldap server


base = your search base
ldap_version = 3
auth_bind = yes

Depending on the LDAP server and the layout you are going to query, you have 3 ways to enable Dovecot to authenticate to
your LDAP server.

Option 1: Active Directory


Replace acme with your own domain name.

auth_bind_userdn = acme\%u

Option 2: Distinguished Name Template


Change the sample value to one that is appropriate for your layout.

auth_bind_userdn = uid=%u,ou=people,dc=acme,dc=local

Option 3: Search Filter


This should work with any layout but requires an additional search operation to find the correct distinguished name.
Change the sample value to one that is appropriate for your layout (for Active Directory, search on sAMAccountName rather
than uid). Because the search happens before the user's own bind, Dovecot needs a directory account to search with: set
dn and dnpass in /etc/dovecot-ldap.conf unless your server allows anonymous searches, and protect the file the same way
as the Postfix one. Add tls = yes to the same file when the server is on another host.

pass_filter = (&(objectclass=person)(uid=%u))

2. Edit the file /etc/dovecot.conf and change the value of the following keys below

passdb ldap {
args = /etc/dovecot-ldap.conf
}
userdb static {
args = uid=501 gid=501 home=/home/vmail/%u
}

uid, gid and home should contain the user id, group id and home directory respectively of the vmail user account.

3. Restart the dovecot service.

4. You should now be able to login using the user names found in your LDAP server.

How to use the Active Directory Distribution Group in Postfix.

Active Directory has a type of grouping called Distribution group used solely as an email distribution list. This page will
show you how to use the distribution group as a mailing list for Postfix. But first, you need to upgrade Postfix to version
2.4. You can download Postfix RPM Packages here.

http://postfix.wl0.org/en/available-packages/

We will be using the following attributes

* mail - Email Address


* member - Distinguished Name of the group members

How to setup

1. Create the file /etc/postfix/ldap-groups.cf containing the following lines below.

server_host = your domain controller


search_base = your search base
version = 3
query_filter = (&(objectclass=group)(mail=%s))
leaf_result_attribute = mail
special_result_attribute = member
bind = yes
bind_dn = user name
bind_pw = password

leaf_result_attribute only works with Postfix 2.4 or higher which is why we really need to upgrade to version 2.4.

2. Test your postfix configuration file by typing in the command

postmap -q [email] ldap:/etc/postfix/ldap-groups.cf

in a terminal window. It should return the email addresses of the members.

3. Edit the file /etc/postfix/main.cf. You have 2 ways to add the configuration file into Postfix depending on how you
integrated Active Directory. If you used the virtual user solution, add this line

virtual_alias_maps = ldap:/etc/postfix/ldap-groups.cf
But if you used Winbind and the Active Directory users are part of your system accounts, then use this line

alias_maps = ldap:/etc/postfix/ldap-groups.cf

4. Restart Postfix or MailScanner (depends if you installed MailScanner).

That's it. You should now be able to send email to your distribution group.
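The group expansion that steps 1 to 4 configure, modelled in Python as an added example (this is not Postfix's code): following ldap_table(5), the group is found by query_filter, each DN in special_result_attribute is fetched recursively, and leaf_result_attribute is returned only for entries that have no member values, so a group's own address is never returned. The directory, DNs and addresses are constructed; the visited set is a simplification of Postfix's recursion_limit, which bounds nesting depth instead.

```python
# Settings taken from /etc/postfix/ldap-groups.cf on this page.
QUERY_OBJECTCLASS = "group"   # query_filter = (&(objectclass=group)(mail=%s))
LEAF_ATTR = "mail"            # leaf_result_attribute = mail
SPECIAL_ATTR = "member"       # special_result_attribute = member

# Constructed stand-in for the domain controller: DN -> attribute values (assumed names).
DIRECTORY = {
    "cn=sales,ou=groups,dc=acme,dc=local": {
        "objectclass": ["group"], "mail": ["sales@acme.local"],
        "member": ["cn=alice,ou=users,dc=acme,dc=local", "cn=bob,ou=users,dc=acme,dc=local",
                   "cn=sales-emea,ou=groups,dc=acme,dc=local",   # nested group
                   "cn=gone,ou=users,dc=acme,dc=local"]},        # DN with no entry
    "cn=sales-emea,ou=groups,dc=acme,dc=local": {
        "objectclass": ["group"], "mail": ["sales-emea@acme.local"],
        "member": ["cn=carol,ou=users,dc=acme,dc=local",
                   "cn=sales,ou=groups,dc=acme,dc=local"]},      # nests back: a cycle
    "cn=alice,ou=users,dc=acme,dc=local": {"objectclass": ["user"], "mail": ["alice@acme.local"]},
    "cn=bob,ou=users,dc=acme,dc=local": {"objectclass": ["user"], "mail": ["bob@acme.local"]},
    "cn=carol,ou=users,dc=acme,dc=local": {"objectclass": ["user"], "mail": ["carol@acme.local"]},
}


def search_groups(address, directory):
    """The LDAP search with %s replaced by the address; mail and objectclass match case-insensitively."""
    wanted = address.lower()
    return [dn for dn, attrs in directory.items()
            if QUERY_OBJECTCLASS in [v.lower() for v in attrs.get("objectclass", [])]
            and wanted in [v.lower() for v in attrs.get(LEAF_ATTR, [])]]


def collect(dn, directory, seen, out):
    """Follow member DNs recursively; only leaf entries (no members) contribute their mail."""
    if dn in seen:                  # simplification of recursion_limit: stop on a cycle
        return
    seen.add(dn)
    attrs = directory.get(dn)
    if attrs is None:               # member DN without an entry contributes nothing
        return
    members = attrs.get(SPECIAL_ATTR, [])
    if members:
        for member_dn in members:
            collect(member_dn, directory, seen, out)
    else:
        out.extend(attrs.get(LEAF_ATTR, []))


def expand_group(address, directory=DIRECTORY):
    """What 'postmap -q address ldap:/etc/postfix/ldap-groups.cf' would print (model)."""
    out, seen = [], set()
    for group_dn in search_groups(address, directory):
        collect(group_dn, directory, seen, out)
    return sorted(set(out))
```

Looking up a user's own address returns nothing, because the query_filter only matches objectclass=group.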

Postfix With SMTP-AUTH And TLS Implementation

TLS is a protocol for establishing a secure connection between a client and
a server. It is capable of authenticating both the client and the server and
creating an encrypted connection between the two.

Installation:

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain

Next we configure SMTP-AUTH and TLS:

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks = 127.0.0.0/8'

We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN
logins. On 64-bit CentOS 5.1 you must edit the file
/usr/lib64/sasl2/smtpd.conf instead. It should look like this:

vi /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS:

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Then we set the hostname in our Postfix installation (make sure you replace
server1.example.com with your own hostname):

postconf -e 'myhostname = server1.example.com'

After these configuration steps you should now have a /etc/postfix/main.cf
that looks like this (I have removed all comments from it):

cat /etc/postfix/main.cf

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = server1.example.com

Now start Postfix, saslauthd, and Dovecot:

chkconfig --levels 235 saslauthd on
chkconfig --levels 235 dovecot on
/etc/init.d/saslauthd start
/etc/init.d/dovecot start

To see if SMTP-AUTH and TLS work properly, now run the following command:

telnet localhost smtp

After you have established the connection to your Postfix mail server, type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH PLAIN LOGIN

everything is fine.

[root@server1 ssl]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@server1 ssl]#

Type

quit

to return to the system's shell.
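A parser for the EHLO reply shown above, added here as an example (not part of the original guide), that reports whether STARTTLS and AUTH are advertised and, in particular, whether PLAIN or LOGIN is offered before the session is encrypted, which is what smtpd_tls_auth_only = no permits. The sample reply is constructed from the telnet session on this page.

```python
# Constructed sample: the EHLO reply lines from the telnet session on this page.
SAMPLE_EHLO = """250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply):
    """Return {EXTENSION: [params]} from a multi-line 250 reply (RFC 5321); the
    first line is the greeting, and the non-standard 'AUTH=' form (kept for old
    clients, see broken_sasl_auth_clients) is folded into AUTH."""
    exts = {}
    for line in reply.strip().splitlines()[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()               # drop '250-' or '250 '
        keyword, _, params = body.partition(" ")
        if keyword.startswith("AUTH="):       # '250-AUTH=PLAIN LOGIN'
            keyword, params = "AUTH", body[len("AUTH="):]
        exts.setdefault(keyword.upper(), params.split())
    return exts


def assess(reply):
    """What the server offers on the cleartext connection, before STARTTLS."""
    exts = parse_ehlo(reply)
    mechs = exts.get("AUTH", [])
    return {
        "starttls": "STARTTLS" in exts,
        "auth_mechs": mechs,
        # PLAIN/LOGIN advertised before TLS lets a client send the password in
        # the clear. smtpd_tls_auth_only = no (as set on this page) produces
        # this; 'yes' withholds AUTH until the session is encrypted.
        "plaintext_auth_before_tls": any(m in ("PLAIN", "LOGIN") for m in mechs),
    }
```

The same functions can be fed the reply captured from a live server with telnet or smtplib.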

How to add Active Directory/LDAP into the SquirrelMail Addressbook.

This guide will show you how to integrate Active Directory/LDAP into the SquirrelMail addressbook. In this page, you will
learn how to configure SquirrelMail to activate the Javascript addressbook and to include your Active Directory or LDAP
server into the addressbook lookup list.

SquirrelMail will be using the following attributes

* cn - Common Name
* mail - Email Address

Configure the SquirrelMail Addressbook

We will be using the Perl based SquirrelMail configuration utility to configure the addressbook.

1. Launch the Terminal application.

2. In the Terminal window, type in /usr/share/squirrelmail/config/conf.pl and press Enter. This will launch the SquirrelMail
Configuration utility.

If your Terminal window has a white background, make sure that the colors are off by looking for the command Turn color
on. If the command is Turn color off, type in C and press Enter to turn the colors off. This will ensure that you will be able
to read all of the text.

3. Type in 6 and press Enter to list the Address Books submenu.

4. Select the Javascript address book as the default by typing in 2 and press Enter then type in y and press Enter.

5. Add your Active Directory/LDAP server by typing in 1 and press Enter then type in + and press Enter. You will now be
asked a series of questions regarding your Active Directory/LDAP server configuration, see the sample session below.

First, we need to have the hostname or the IP address where
this LDAP server resides. Example: ldap.bigfoot.com
hostname: server

Next, we need the server root (base dn). For this, an empty
string is allowed.
Example: ou=member_directory,o=netcenter.com
base: dc=acme,dc=local

This is the TCP/IP port number for the LDAP server. Default
port is 389. This is optional. Press ENTER for default.
port:

This is the charset for the server. Default is utf-8. This
is also optional. Press ENTER for default.
charset:

This is the name for the server, used to tag the results of
the search. Default it 'LDAP: hostname'. Press ENTER for default
name:

You can specify the maximum number of rows in the search result.
Default is unlimited. Press ENTER for default.
maxrows:

If your LDAP server does not like anonymous logins, you can specify.
Default is none, anonymous bind. Press ENTER for default.
binddn: cn=mailuser,dc=acme,dc=local

If you are connecting to an Active Directory server, binddn can also be in the form of acme\mailuser or
mailuser@acme.local

Now, please specify password for that DN.
bindpw: password

You can specify bind protocol version here.
Default protocol version depends on your php ldap settings.
Press ENTER for default.
protocol: 3

[ldap] command (?=help) > d

You should now be back at the Address Books sub menu, type in q and press Enter to quit and type in y and press Enter to
save your changes.

Test the SquirrelMail Addressbook

1. Login to SquirrelMail and compose a new mail.

2. Click the Addresses button (not the Addresses link). This will launch the SquirrelMail Addressbook window. Click the
List all button, you should now see your Active Directory/LDAP email addresses.

Using Winbind to integrate Active Directory user accounts.

This page will show you how to join your Linux server into the Active Directory domain, how to integrate the Active
Directory user accounts into the Linux user accounts and how to authenticate users in Active Directory using Winbind, a
component of Samba.

Samba is installed by default when you select the Server installation type during the installation process. In case you need to
install or reinstall it, just add the Windows File Server package located in the Servers category using the Package Manager
tool.

Setup and Configure Winbind

1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.

2. Check the Enable Winbind Support and click Configure Winbind. This will launch the Winbind Settings window.

3. In the Winbind Settings window, set the Security Model to ads and fill in the Winbind Domain, Winbind ADS Realm and
Winbind Domain Controllers. See sample settings below.

Winbind Domain
acme
Winbind ADS Realm
acme.local
Domain Controllers
server1.acme.local,server2.acme.local

Important: To ensure the success of the Active Directory integration, make sure that you can ping the domain controllers
and that the difference between the domain controllers' clocks and the mail server's clock is not more than five minutes.

4. Click Join Winbind Domain. You will be asked to save your changes, click Save. In the Joining Winbind Domain
window, fill in the Domain Administrator and Password. Click Ok when you are done. Click Ok again to close the Winbind
Settings window.

5. Click the Authentication tab and check the Enable Winbind Support.

6. Click the Options tab and check the Local authorization is sufficient for local users. Click Ok when you are done.

7. Open the file /etc/samba/smb.conf for editing and change the key values below.

winbind use default domain = yes
winbind enum users = yes
obey pam restrictions = yes

8. Create the folder that will contain the home directory of the Active Directory users. From the terminal window, type in
the commands below.

mkdir /home/DOMAIN
chmod 777 /home/DOMAIN

Replace DOMAIN with your domain. Make sure to capitalize your domain like ACME in our example.

We changed the directory permission to 777, meaning anyone can read, write and execute, because the users' home directories
will be created later by Postfix or Dovecot when a mail is received or a user checks his email. The created home directory,
on the other hand, will have its permission set to read, write and execute by the owner only.

9. Edit the file /etc/pam.d/system-auth and add the line session required pam_mkhomedir.so skel=/etc/skel/ umask=0022.
This will automatically create the user's home directory whenever a PAM session is opened. Dovecot will be opening the
PAM session, thus automatically creating the user's home directory.

10. Restart the winbind service.

Test the Active Directory Integration

1. From a terminal window, type in wbinfo -u. You should see the Active Directory user accounts.

2. To try Active Directory authentication, type in wbinfo -a 'username'%'password'.

3. Finally, type in getent passwd. You should see the Linux system accounts along with the Active Directory user accounts.
