Truedoc

TracNav(EnTOC)

A mail server with Postfixadmin, Postfix and Dovecot on Debian Lenny¶

This HOWTO will explain the installation and configuration of a full featured mail server using Postfix as SMTP server, Dovecot as POP/IMAP server and Postfixadmin as management interface. As Postfixadmin need a database to maintain account and domain informations we will use MySQL (but also PostgresSQL or SQLite can be used). All the configurations were done on a Debian Lenny system.

Postfixadmin Installation¶

<pre>
aptitude install dbconfig-common wwwconfig-common  \
      libapache2-mod-php5 php5 php5-imap php5-mysql \
      mysql-client mysql-server postfix-mysql
</pre>
<pre>

<pre>
<pre>
mysqladmin -u root -p create postfixadmin
mysql -u root -p
mysql> grant create, select, insert, update, delete, lock, index, alter, drop 
             on postfixadmin.* to 'postfixadmin'@'localhost' 
             identified by 'secretandcomplexpassword';
mysql> flush privileges;
mysql> \q
</pre>
<pre>
<pre>
dpkg -i postfixadmin_*.deb 
</pre>

<pre>
<pre>
$CONF['configured'] = true;
...
$CONF['database_type'] = 'mysql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'secretandcomplexpassword';
$CONF['database_name'] = 'postfixadmin';
</pre>

<pre>

After this we can proceed to populate the database, this will be done by Postfixadmin itself using the following link in a browser (we can use the same link for database upgrade when installing a new Postfixadmin version, or to reset the Postfixadmin superuser password):
<pre>
http://MY.POSTFIXADMIN.SERVER.IP/postfixadmin/setup.php
</pre>

<pre>
<pre>
$CONF['setup_password'] = 'changeme';
</pre>

<pre>

<pre>
<pre>
cd /etc/postfixadmin/
mv config.inc.php config.inc.php.orig
sed -e 's/change-this-to-your.domain.tld/mydomain.it/g' config.inc.php.orig > config.inc.php
</pre>
<pre>

<pre>
<pre>
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
</pre>

Then to enable quotas we will need to modify also the following line:
<pre>
$CONF['quota'] = 'YES';
</pre>
<pre>
<pre>
$CONF['vacation'] = 'YES';
$CONF['vacation_domain'] = 'autoreply.mydomain.it'
</pre>
<pre>

Other configuration lines that can be modified are the following:
<pre>
$CONF['default_language'] = 'it';
$CONF['min_password_length'] = 6;
$CONF['aliases'] = '50';
$CONF['mailboxes'] = '50';
$CONF['maxquota'] = '50';
</pre>
respectively to setup the web interface language, a minimum length for the accounts password, and the default values for limit on number of alias, mailbox and megabytes for the quota. These last three will be proposed by the management interface when creating a new domain (a 0 means no limit).

The Postfixadmin 2.3 version has a new simplified management for having the same aliases on more than on domain; this new feature need more database queries and a modified Postfix configuration, so is better to disable it; this can be done with the following line:
<pre>
$CONF['alias_domain'] = 'NO';
</pre>

To check if everything is working fine we can login as administrator in the web interfaces to create a new domain and some user accounts. Then we can logout and check if that those account are working by re-logging as that users. 

h3. Postfix configuration

Having user account and domain data managed by Postfixadmin, we need to configure Postfix virtual mailbox according to the data stored in [[MySQL]]. The first step is to create a base directory where to put all the virtual mailboxes; we will also need a system user that will own all the files. We can do this with the following commands:
<pre>
mkdir /var/mail/vmail
useradd -d /var/mail/vmail vmail
chown vmail:vmail /var/mail/vmail/
chmod o-xr /var/mail/vmail/
</pre>

We also need to avoid the use of procmail as LDA so we will need to comment the following standard line in ad Debian installed Postfix configuration:
<pre>
#mailbox_command = procmail -a "$EXTENSION" 
</pre>

<pre>
<pre>
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_base = /var/mail/vmail
virtual_minimum_uid = 106
virtual_transport = virtual
virtual_uid_maps = static:106
virtual_gid_maps = static:61
</pre>
<pre>

<pre>
<pre>
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT goto FROM alias WHERE address='%s' AND active = 1
</pre>
<pre>
<pre>
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '0' and active = '1'
</pre>
<pre>
<pre>
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1
</pre>

<pre>
<pre>
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf
</pre>
<pre>
<pre>
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '1' and active = '1'
</pre>

Because these files contains a clean text password they must be unreadable by anyone, so at least verify that they have right permissions or otherwise set them with:
<pre>
chgrp postfix /etc/postfix/mysql_*
chmod 640 /etc/postfix/mysql_*
</pre>

<pre>

h3. Postfix/Postfixadmin vacation configuration

<pre>
<pre>
groupadd -g 65501 vacation
useradd -g 65501 -u 65501 -c Vacation -s /sbin/nologin -d /nonexistent vacation
</pre>
then we will need a directory for temporary files accessible only for this user, we can create it with the following commands:
<pre>
mkdir /var/spool/vacation
chown -R vacation.vacation /var/spool/vacation
chmod o-xr /var/spool/vacation 
</pre>

The second step is to setup the vacation script, we need to put a copy (it's distributed with Postfixadmin) in the previous directory; this can be done with the following commands:
<pre>
cd /usr/share/doc/postfixadmin/examples/VIRTUAL_VACATION/
zcat vacation.pl.gz > /var/spool/vacation/vacation.pl
chmod 700 /var/spool/vacation/vacation.pl
chown vacation.vacation /var/spool/vacation/vacation.pl
</pre>
to have the script working correctly we will also need some perl modules; these can be installed with the command:
<pre>
aptitude install libemail-valid-perl libmime-encwords-perl libmime-perl \
         libmail-sender-perl liblog-log4perl-perl
</pre>
and at last we will need to setup the script to access to the database, this can be done modifying the following lines at the beginning of it (note that we are using the same values used in the Postfixadmin configuration):
<pre>
our $db_type = 'mysql';
our $db_host = 'localhost';
our $db_username = 'postfixadmin';
our $db_password = 'secretandcomplexpassword';
our $db_name     = 'postfixadmin';

our $vacation_domain = 'autoreply.mydomain.it';
</pre>

<pre>
<pre>
vacation    unix  -       n       n       -       -       pipe
  flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}
</pre>
<pre>
<pre>
autoreply.mydomain.it       vacation:
</pre>
<pre>
<pre>
transport_maps = hash:/etc/postfix/transport
</pre>

This done we can tell Postfix to use the new configuration with the following commands:
<pre>
postmap /etc/postfix/transport
postfix reload
</pre>

h3. Dovecot configuration

<pre>
:
<pre>
aptitude install dovecot-imapd dovecot-pop3d ntp
</pre>
then we will need to tell Dovecot where to find the emails and how to authenticate users. 

<pre>
<pre>
mail_location = maildir:/var/mail/vmail/%d/%n
mail_privileged_group = vmail
first_valid_uid = 106
</pre>
<pre>

<pre>
<pre>
  passdb sql {
    args = /etc/dovecot/dovecot-mysql.conf
  }
  userdb sql {
    args = /etc/dovecot/dovecot-mysql.conf
  }
</pre>
<pre>
<pre>
driver = mysql
connect = host=localhost dbname=postfixadmin user=postfixadmin password=secretandcomplexpassword client_flags=0
default_pass_scheme = MD5
user_query = SELECT maildir, 106 AS uid, 61 AS gid FROM mailbox WHERE username = '%u'
password_query = SELECT password FROM mailbox WHERE username = '%u' AND active = '1' 
</pre>
<pre>

To check if everything is working fine you can connect to the server with an email client and look at the email you previously sent. 

h3. Authenticated SMTP

<pre>
<pre>
socket listen {
        client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = postfix
        group = postfix
        }
}
</pre>
<pre>
<pre>
# ls /var/spool/postfix/private/auth -l
srw-rw---- 1 postfix postfix 0 29 set 18:59 /var/spool/postfix/private/auth
</pre>

<pre>
<pre>
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
</pre>

<pre>
<pre>
smtpd_sasl_auth_enable = yes
smtp_sasl_application_name = smtpd
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
</pre>
and force use of TLS:
<pre>
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
</pre>
<pre>
<pre>
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_rbl_client zen.spamhaus.org,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unauth_destination
</pre>

h3. CLI script for massive account creation

Postfixadmin is a very nice web interface to manage email accounts and domain, but like all GUI or web based interfaces using it is not so practical when you have to create hundreds of accounts in a single shot. For this reason we developed a simple Python script that will do mass account creation. You can find it in the attachment. 

<pre>

|| user     || user part of the email (like user in user@domain.com)
|| password || cleartext password
|| domain   || domain name (like 'domain.com')
|| name     || full user name ('Name Surname')

<pre>

<pre>

The script doesn't do data validation, so it is published without any warranty (under the GPL licence). This means that making a database backup before using it is strongly suggested. It will print errors if some accounts or domains are already present in the database, skipping creation (i.e. it will not overwrite them), but it will create all other accounts and domains not already present. It will also skip the creation of a duplicated account.