EnPostfixAdminInst » History » Version 11

Amministratore Truelite, 02-10-2009 12:57

[[TracNav(EnTOC)]]


== A mail server with Postfixadmin, Postfix and Dovecot on Debian Lenny ==

This HOWTO explains the installation and configuration of a full featured mail server using Postfix as SMTP server, Dovecot as POP/IMAP server and Postfixadmin as management interface. As Postfixadmin needs a database to store account and domain information, we will use MySQL (PostgreSQL or SQLite can also be used). All the configurations were done on a Debian Lenny system.

=== Postfixadmin Installation ===

Postfixadmin is distributed as a Debian package directly by the maintainer, but since there is no repository we need to download just the {{{.deb}}} file from [http://sourceforge.net/project/showfiles.php?group_id=191583&package_id=225300 here]. Before installing it we need to install some dependencies (a web server and, because we want to use it on a standalone server, also a database server). We choose Apache as web server and MySQL as database server, so we need to install these packages and all the other Postfixadmin dependencies; this can be done the Debian way with the command:
{{{
aptitude install dbconfig-common wwwconfig-common  \
      libapache2-mod-php5 php5 php5-imap php5-mysql \
      mysql-client mysql-server postfix-mysql
}}}
We will also have to answer the ordinary setup questions asked by ''debconf''; we can just accept the default values, but we will have to choose a password for the MySQL {{{root}}} administrative account.

Before installing Postfixadmin from the {{{.deb}}} file we need to create a database and a database account that Postfixadmin will use for its data; we can do this with the following commands:
{{{
mysqladmin -u root -p create postfixadmin
mysql -u root -p
mysql> grant create, select, insert, update, delete, lock tables, index, alter, drop
             on postfixadmin.* to 'postfixadmin'@'localhost'
             identified by 'secretandcomplexpassword';
mysql> flush privileges;
mysql> \q
}}}
(they will ask for the {{{root}}} account password given in the previous step). After this we can install the {{{.deb}}} file with:
{{{
dpkg -i postfixadmin_*.deb
}}}

There are two possible choices for Postfixadmin: the 2.2 stable version and the new 2.3 release candidate; the latter supports more features and is almost production ready. If you use the 2.2 stable version you need to modify the following lines of the {{{/etc/postfixadmin/config.inc.php}}} file to set up access to the previously created database:
{{{
$CONF['configured'] = true;
...
$CONF['database_type'] = 'mysql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'secretandcomplexpassword';
$CONF['database_name'] = 'postfixadmin';
}}}

If instead you use the 2.3 development version, having {{{dbconfig-common}}} and {{{wwwconfig-common}}} installed, the previous database creation step is handled by the package itself and is no longer needed. The database access configuration inside {{{/etc/postfixadmin/config.inc.php}}} is also done automatically by ''debconf'', so all that is needed is to give ''debconf'' the password of the MySQL {{{root}}} user set at the beginning, and then answer the ''debconf'' questions about the password for the dedicated Postfixadmin database user.

After this we can proceed to populate the database; this is done by Postfixadmin itself by opening the following link in a browser (the same link can be used to upgrade the database when installing a new Postfixadmin version, or to reset the Postfixadmin superuser password):
{{{
http://MY.POSTFIXADMIN.SERVER.IP/postfixadmin/setup.php
}}}

Up to version 2.2 this PHP script should be run once and then removed after use. With version 2.3, when it is used for the first time it asks for a setup password and then prints a hashed value that must be put inside {{{/etc/postfixadmin/config.inc.php}}}; the browser shows the line that should replace this one:
{{{
$CONF['setup_password'] = 'changeme';
}}}

With this modification done we can re-execute the script by going back to {{{http://MY.POSTFIXADMIN.SERVER.IP/postfixadmin/setup.php}}}; this time we can use the setup password to create an administrative Postfixadmin account with full access to all management functions. Note that, like all Postfixadmin accounts, this one must also be given in the form of an email address (i.e. something like {{{admin@mydomain.it}}}).

To check that this initial setup has been completed successfully we can verify that everything is working by going to the {{{http://MY.POSTFIXADMIN.SERVER.IP/postfixadmin}}} address and logging in with the superuser account we just created. After this check we can proceed with some more specific configuration; the first is to put proper references to our main domain in the web interface, which can be done with the following commands:
{{{
cd /etc/postfixadmin/
mv config.inc.php config.inc.php.orig
sed -e 's/change-this-to-your.domain.tld/mydomain.it/g' config.inc.php.orig > config.inc.php
}}}
and to be sure we can check the file to see that all links to web pages are correct (they should always be something like {{{http://mydomain.it}}}).

An important step is to configure the mailbox pathname that will be used by both Postfix and Dovecot; we choose to map an email account like {{{username@mydomain.it}}} to a mailbox pathname like {{{mydomain.it/username}}}. To do this we have to put the following configuration values in the {{{/etc/postfixadmin/config.inc.php}}} file:
{{{
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
}}}

Then to enable quotas we also need to modify the following line:
{{{
$CONF['quota'] = 'YES';
}}}
and to enable {{{vacation}}} support we need to modify the following lines:
{{{
$CONF['vacation'] = 'YES';
$CONF['vacation_domain'] = 'autoreply.mydomain.it';
}}}
where {{{autoreply.mydomain.it}}} is the domain used by Postfix to manage {{{vacation}}} email (we'll look at this in the following).

Other configuration lines that can be modified are the following:
{{{
$CONF['default_language'] = 'it';
$CONF['min_password_length'] = 6;
$CONF['aliases'] = '50';
$CONF['mailboxes'] = '50';
$CONF['maxquota'] = '50';
}}}
respectively to set up the web interface language, a minimum length for account passwords, and the default limits on the number of aliases, mailboxes and quota megabytes. These last three are proposed by the management interface when creating a new domain (0 means no limit).

Postfixadmin version 2.3 has a new simplified management for having the same aliases on more than one domain; this feature needs more database queries and a modified Postfix configuration, so it is better to disable it; this can be done with the following line:
{{{
$CONF['alias_domain'] = 'NO';
}}}

To check if everything is working fine we can log in as administrator in the web interface to create a new domain and some user accounts. Then we can log out and check that those accounts are working by logging in again as those users.


=== Postfix configuration ===

Having user account and domain data managed by Postfixadmin, we need to configure Postfix virtual mailboxes according to the data stored in MySQL. The first step is to create a base directory in which to put all the virtual mailboxes; we will also need a system user that owns all the files. We can do this with the following commands:
{{{
mkdir /var/mail/vmail
useradd -d /var/mail/vmail vmail
chown vmail:vmail /var/mail/vmail/
chmod o-xr /var/mail/vmail/
}}}

Then we need to set up Postfix to use virtual mailboxes, getting the information about users, domains and pathnames from the database; this can be done by adding the following lines to {{{/etc/postfix/main.cf}}}:
{{{
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_base = /var/mail/vmail
virtual_minimum_uid = 106
virtual_transport = virtual
virtual_uid_maps = static:106
virtual_gid_maps = static:61
}}}
where 106 and 61 are the numeric uid and gid of the {{{vmail}}} user (these numbers can be different on each system, so you have to check them yourself with something like {{{getent passwd | grep vmail}}}).

After this we need to create all the {{{mysql_*}}} files that tell Postfix how to access the database to get the information it needs. The first file, {{{mysql_virtual_alias_maps.cf}}}, configures the access to alias definitions and should be something like:
{{{
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT goto FROM alias WHERE address='%s' AND active = 1
}}}
The second file, {{{mysql_virtual_domains_maps.cf}}}, configures the access to domain definitions, and should be something like:
{{{
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '0' and active = '1'
}}}
The third file, {{{mysql_virtual_mailbox_maps.cf}}}, configures the access to the mailbox pathname (relative to the base directory {{{/var/mail/vmail}}}), and should be something like:
{{{
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1
}}}
Since these files contain the database password they should not be world readable (for example {{{chmod 640}}} with group {{{postfix}}}); the {{{proxy:}}} prefix used in {{{main.cf}}} lets the unprivileged Postfix daemons query them through the {{{proxymap}}} service instead of opening the files themselves.

If we want to use Postfixadmin to manage a secondary mail server for some domains we also need to add to {{{/etc/postfix/main.cf}}} the following line:
{{{
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf
}}}
where {{{mysql_relay_domains_maps.cf}}} should be something like:
{{{
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '1' and active = '1'
}}}

To check if everything is working fine you can send an email to a user you previously created with Postfixadmin and check the {{{mail.log}}} file to see if it is accepted.
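As an added example (not part of the original HOWTO), the following Python script reproduces how Postfix combines the maps above to route one recipient: an in-memory SQLite database with constructed sample rows stands in for the Postfixadmin MySQL tables, the four SELECTs are the ones from the {{{mysql_*}}} files above with {{{'%s'}}} replaced by a placeholder, and the {{{TRANSPORT}}} dictionary mirrors the {{{/etc/postfix/transport}}} file of the vacation section below. The lookup order and the alias-loop bound are simplifications assumed here.

```python
import sqlite3

VMAIL_BASE = "/var/mail/vmail"   # virtual_mailbox_base in main.cf
# /etc/postfix/transport from the vacation section: domain -> transport
TRANSPORT = {"autoreply.mydomain.it": "vacation:"}

# The queries of the four mysql_*.cf files, with '%s' replaced by a placeholder.
Q_DOMAIN = "SELECT domain FROM domain WHERE domain=? and backupmx = '0' and active = '1'"
Q_RELAY = "SELECT domain FROM domain WHERE domain=? and backupmx = '1' and active = '1'"
Q_ALIAS = "SELECT goto FROM alias WHERE address=? AND active = 1"
Q_MAILBOX = "SELECT maildir FROM mailbox WHERE username=? AND active = 1"


def sample_db():
    """Constructed stand-in for the postfixadmin database (only the columns used)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE domain  (domain TEXT, backupmx INTEGER, active INTEGER);
        CREATE TABLE alias   (address TEXT, goto TEXT, active INTEGER);
        CREATE TABLE mailbox (username TEXT, maildir TEXT, active INTEGER);
        INSERT INTO domain VALUES ('mydomain.it', 0, 1),    -- our primary domain
                                  ('backup.example', 1, 1), -- we are backup MX
                                  ('old.example', 0, 0);    -- disabled domain
        INSERT INTO alias VALUES
            ('info@mydomain.it',  'alice@mydomain.it,bob@mydomain.it', 1),
            ('alice@mydomain.it', 'alice@mydomain.it', 1),
            ('bob@mydomain.it',   'bob@mydomain.it', 1),
            ('gone@mydomain.it',  'alice@mydomain.it', 0);  -- disabled alias
        INSERT INTO mailbox VALUES ('alice@mydomain.it', 'mydomain.it/alice/', 1),
                                   ('bob@mydomain.it',   'mydomain.it/bob/', 0);
    """)
    return db


def lookup_mailbox(db, address):
    """virtual_mailbox_maps: active mailbox -> absolute maildir path."""
    row = db.execute(Q_MAILBOX, (address,)).fetchone()
    if row is None:
        return [("reject", "unknown or inactive mailbox")]
    return [("virtual", f"{VMAIL_BASE}/{row[0]}")]


def resolve(db, address, depth=0):
    """Return the list of (transport, detail) deliveries for one recipient."""
    if depth > 5:  # assumed bound against alias loops (Postfix has its own limit)
        return [("reject", "alias loop")]
    domain = address.rsplit("@", 1)[-1]
    if domain in TRANSPORT:                              # transport_maps
        return [(TRANSPORT[domain], address)]
    if db.execute(Q_RELAY, (domain,)).fetchone():        # relay_domains (backup MX)
        return [("relay", domain)]
    if not db.execute(Q_DOMAIN, (domain,)).fetchone():   # virtual_mailbox_domains
        return [("reject", "not a virtual mailbox domain")]
    row = db.execute(Q_ALIAS, (address,)).fetchone()     # virtual_alias_maps
    if row is None:
        return lookup_mailbox(db, address)
    deliveries = []
    for target in (t.strip() for t in row[0].split(",")):
        if target == address:                            # self-alias: deliver locally
            deliveries += lookup_mailbox(db, address)
        else:                                            # alias pointing elsewhere
            deliveries += resolve(db, target, depth + 1)
    return deliveries
```

On the real server the same questions can be asked of the live maps with {{{postmap -q user@mydomain.it mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf}}} (and likewise for the alias and domain files), which is a quicker check than waiting for {{{mail.log}}}.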


=== Postfix/Postfixadmin vacation configuration ===

If we want to manage {{{vacation}}} through Postfixadmin we need some additional Postfix configuration. As a first step we need a system user dedicated to the automatic answer management, with the lowest possible privileges; we can create it with the following commands:
{{{
groupadd -g 65501 vacation
useradd -g 65501 -u 65501 -c Vacation -s /sbin/nologin -d /nonexistent vacation
}}}
then we need a directory for temporary files accessible only to this user; we can create it with the following commands:
{{{
mkdir /var/spool/vacation
chown -R vacation.vacation /var/spool/vacation
chmod o-xr /var/spool/vacation
}}}

The second step is to set up the vacation script: we need to put a copy (it is distributed with Postfixadmin) in the previous directory; this can be done with the following commands:
{{{
cd /usr/share/doc/postfixadmin/examples/VIRTUAL_VACATION/
zcat vacation.pl.gz > /var/spool/vacation/vacation.pl
chmod 700 /var/spool/vacation/vacation.pl
}}}
to have the script working correctly we also need some Perl modules; these can be installed with the command:
{{{
aptitude install libemail-valid-perl libmime-encwords-perl libmime-perl \
         libmail-sender-perl liblog-log4perl-perl
}}}
and at last we need to set up the script to access the database; this can be done by modifying the following lines at the beginning of it (note that we use the same values as in the Postfixadmin configuration):
{{{
our $db_type = 'mysql';
our $db_host = 'localhost';
our $db_username = 'postfixadmin';
our $db_password = 'secretandcomplexpassword';
our $db_name     = 'postfixadmin';

our $vacation_domain = 'autoreply.mydomain.it';
}}}

The last step is the Postfix configuration; we need to set up a new transport dedicated to {{{vacation}}}, so we add to {{{/etc/postfix/master.cf}}} the following lines:
{{{
vacation    unix  -       n       n       -       -       pipe
  flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}
}}}
then we need to use this transport for all mail directed to the dedicated {{{autoreply.mydomain.it}}} domain, so first we create the {{{/etc/postfix/transport}}} file with the following line:
{{{
autoreply.mydomain.it       vacation:
}}}
and then add to {{{/etc/postfix/main.cf}}} the following line:
{{{
transport_maps = hash:/etc/postfix/transport
}}}

This done, we can tell Postfix to use the new configuration with the following commands:
{{{
postmap /etc/postfix/transport
postfix reload
}}}


=== Dovecot configuration ===

To make emails available to the users we need a POP/IMAP server; we choose Dovecot, so we need to install it, which we do the Debian way with the following command:
{{{
aptitude install dovecot-imapd dovecot-pop3d
}}}
then we need to tell Dovecot where to find the emails and how to authenticate users.

The first step is to modify the default configuration to access the {{{/var/mail/vmail}}} directory as the user {{{vmail}}}, with mailboxes in the form {{{mydomain.it/username}}} (the {{{%d/%n}}} part of {{{mail_location}}}, domain followed by the local part); this can be done by putting the following lines in {{{/etc/dovecot/dovecot.conf}}}:
{{{
mail_location = maildir:/var/mail/vmail/%d/%n
mail_privileged_group = vmail
first_valid_uid = 106
}}}
where 106 is the {{{vmail}}} uid (as before, this could be different on different installations).

The second step is to enable user authentication against the MySQL data; this can be done by removing the default PAM configuration for the {{{userdb}}} and {{{passdb}}} directives in the {{{auth default}}} section of {{{/etc/dovecot/dovecot.conf}}} and putting instead something like the following:
{{{
  passdb sql {
    args = /etc/dovecot/dovecot-mysql.conf
  }
  userdb sql {
    args = /etc/dovecot/dovecot-mysql.conf
  }
}}}
then we need to create the file {{{/etc/dovecot/dovecot-mysql.conf}}} to tell Dovecot how to access the database; it should be something like:
{{{
driver = mysql
connect = host=localhost dbname=postfixadmin user=postfixadmin password=secretandcomplexpassword client_flags=0
default_pass_scheme = MD5
user_query = SELECT maildir, 106 AS uid, 61 AS gid FROM mailbox WHERE username = '%u'
password_query = SELECT password FROM mailbox WHERE username = '%u' AND active = '1'
}}}
where 106 and 61 are respectively the uid and gid of the user {{{vmail}}}. This file also contains the database password, so it should be readable only by root.

To check if everything is working fine you can connect to the server with an email client and look at the email you previously sent.

=== Authenticated SMTP ===

This is provided by telling Postfix to use Dovecot as authentication provider. The first step is to set up Dovecot to provide an authentication socket for Postfix; this can be done by adding the following lines to the {{{auth default}}} section of {{{/etc/dovecot/dovecot.conf}}}:
{{{
socket listen {
  client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
  }
}
}}}
after restarting Dovecot this creates the socket in the Postfix chroot as {{{private/auth}}}, and it should look like this:
{{{
# ls /var/spool/postfix/private/auth -l
srw-rw---- 1 postfix postfix 0 29 set 18:59 /var/spool/postfix/private/auth
}}}

The second step is to configure Postfix to use this socket; this is done by adding the following lines to {{{/etc/postfix/main.cf}}}:
{{{
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
}}}

The rest is just the ordinary Postfix configuration needed to accept SASL authenticated sessions, forcing them to use TLS for security, so you need to enable SASL authentication under TLS by adding the following lines to {{{/etc/postfix/main.cf}}}:
{{{
smtpd_sasl_auth_enable = yes
smtpd_sasl_application_name = smtpd
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
}}}
and force the use of TLS:
{{{
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
}}}
and then give relay permission to authenticated users by adding {{{permit_sasl_authenticated}}} to the {{{smtpd_recipient_restrictions}}} parameter (it must appear before {{{reject_unauth_destination}}}, otherwise authenticated clients are not allowed to relay), which should look like:
{{{
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_rbl_client zen.spamhaus.org,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unauth_destination
}}}

=== CLI script for mass account creation ===