EnPostfixAdminInst » History » Version 21

Amministratore Truelite, 10-12-2010 13:07

h2. A mail server with Postfixadmin, Postfix and Dovecot on Debian Lenny

This HOWTO explains the installation and configuration of a full featured mail server using Postfix as SMTP server, Dovecot as POP/IMAP server and Postfixadmin as management interface. As Postfixadmin needs a database to keep account and domain information we will use [[MySQL]] (but [[PostgresSQL|PostgreSQL]] or SQLite can be used as well). All the configuration was done on a Debian Lenny system.


h3. Postfixadmin Installation

First install the packages Postfixadmin depends on (Apache with PHP and its IMAP and MySQL extensions), together with the MySQL server and the Postfix MySQL map support:
<pre>
aptitude install dbconfig-common wwwconfig-common  \
      libapache2-mod-php5 php5 php5-imap php5-mysql \
      mysql-client mysql-server postfix-mysql
</pre>

Then create the database and a dedicated MySQL user for Postfixadmin, granting it only what it needs on that database (choose a real password: the same credentials will be reused by Postfix, Dovecot and the vacation script below):
<pre>
mysqladmin -u root -p create postfixadmin
mysql -u root -p
mysql> grant create, select, insert, update, delete, lock tables, index, alter, drop
             on postfixadmin.* to 'postfixadmin'@'localhost'
             identified by 'secretandcomplexpassword';
mysql> flush privileges;
mysql> \q
</pre>

Then install the Postfixadmin Debian package (downloaded separately, as it is not in the Lenny archive):
<pre>
dpkg -i postfixadmin_*.deb
</pre>

Edit /etc/postfixadmin/config.inc.php and set the database parameters to the values used above:
<pre>
$CONF['configured'] = true;
...
$CONF['database_type'] = 'mysql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'secretandcomplexpassword';
$CONF['database_name'] = 'postfixadmin';
</pre>

After this we can proceed to populate the database; Postfixadmin does this itself when the following URL is opened in a browser (the same URL is used to upgrade the database schema after installing a new Postfixadmin version, or to reset the Postfixadmin superadmin password):
<pre>
http://MY.POSTFIXADMIN.SERVER.IP/postfixadmin/setup.php
</pre>

setup.php first asks for a setup password and prints the corresponding hash, which must be pasted into config.inc.php in place of the default value of this line:
<pre>
$CONF['setup_password'] = 'changeme';
</pre>
Anyone knowing the setup password can create new superadmin accounts through setup.php, so use a strong one and, once the installation is finished, remove setup.php or deny access to it in the web server configuration.

Then replace the placeholder domain, which appears in several settings of the configuration file (administrator address, default aliases, footer), with your own:
<pre>
cd /etc/postfixadmin/
mv config.inc.php config.inc.php.orig
sed -e 's/change-this-to-your.domain.tld/mydomain.it/g' config.inc.php.orig > config.inc.php
</pre>

Mailboxes will be stored in one directory per domain and named after the user only (domain/user); this layout must match the Dovecot mail_location configured later:
<pre>
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
</pre>

Then to enable quotas we also need to modify the following line (Postfixadmin only stores the quota; enforcing it requires the Dovecot quota plugin, which is not covered here):
<pre>
$CONF['quota'] = 'YES';
</pre>

To enable the vacation (auto-reply) feature, set also:
<pre>
$CONF['vacation'] = 'YES';
$CONF['vacation_domain'] = 'autoreply.mydomain.it';
</pre>

Other configuration lines that can be modified are the following:
<pre>
$CONF['default_language'] = 'it';
$CONF['min_password_length'] = 6;
$CONF['aliases'] = '50';
$CONF['mailboxes'] = '50';
$CONF['maxquota'] = '50';
</pre>
respectively the web interface language, the minimum length of account passwords, and the default limits on the number of aliases, the number of mailboxes and the quota in megabytes. The last three are proposed by the management interface when creating a new domain (0 means no limit). Since these passwords can be guessed over POP, IMAP and SMTP AUTH, a minimum length higher than 6 is advisable.

Postfixadmin 2.3 has a new, simplified way of having the same aliases on more than one domain (alias domains); this feature needs more database queries and a modified Postfix configuration, so it is better to disable it:
<pre>
$CONF['alias_domain'] = 'NO';
</pre>

To check if everything is working fine we can log in as administrator in the web interface, create a new domain and some user accounts, then log out and verify that the accounts work by logging in again as those users.


h3. Postfix configuration

Having user account and domain data managed by Postfixadmin, we need to configure Postfix virtual mailboxes according to the data stored in [[MySQL]]. The first step is to create a base directory for all the virtual mailboxes and a system user that will own all the files:
<pre>
mkdir /var/mail/vmail
useradd -d /var/mail/vmail vmail
chown vmail:vmail /var/mail/vmail/
chmod o-xr /var/mail/vmail/
</pre>
Postfix and Dovecot will refer to this user only by numeric uid and gid (106 and 61 in the rest of this HOWTO): check the values actually assigned on your system with @id vmail@ and use them wherever those numbers appear below.

We also need to avoid the use of procmail as local delivery agent, so the following standard line of the Debian Postfix configuration (/etc/postfix/main.cf) must be commented out:
<pre>
#mailbox_command = procmail -a "$EXTENSION"
</pre>

Then add the virtual mailbox settings to /etc/postfix/main.cf, using the MySQL maps defined below (the proxy: prefix routes the lookups through the proxymap daemon, so the chrooted SMTP server needs no direct database access and the connections are shared):
<pre>
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_base = /var/mail/vmail
virtual_minimum_uid = 106
virtual_transport = virtual
virtual_uid_maps = static:106
virtual_gid_maps = static:61
</pre>

Each map file contains the database credentials and the query Postfix runs for the lookup (%s is the address or domain being looked up). /etc/postfix/mysql_virtual_alias_maps.cf:
<pre>
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT goto FROM alias WHERE address='%s' AND active = 1
</pre>

/etc/postfix/mysql_virtual_domains_maps.cf:
<pre>
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '0' and active = '1'
</pre>

/etc/postfix/mysql_virtual_mailbox_maps.cf:
<pre>
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1
</pre>

To act as backup MX for the domains marked as such in Postfixadmin, add to main.cf:
<pre>
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf
</pre>

with /etc/postfix/mysql_relay_domains_maps.cf selecting only the backup MX domains:
<pre>
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '1' and active = '1'
</pre>

Because these files contain a cleartext password they must not be readable by anyone else; the proxymap daemon runs as the postfix user, so the files should be owned by root with group postfix and readable only by the group. At least verify that they have the right permissions, or otherwise set them with:
<pre>
chgrp postfix /etc/postfix/mysql_*
chmod 640 /etc/postfix/mysql_*
</pre>
Each map can be tested from the command line: for example, running postmap -q user@mydomain.it mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf should print the maildir of an existing account.


h3. Postfix/Postfixadmin vacation configuration

The vacation script runs as a dedicated unprivileged user, so the first step is to create it together with its group:
<pre>
groupadd -g 65501 vacation
useradd -g 65501 -u 65501 -c Vacation -s /usr/sbin/nologin -d /nonexistent vacation
</pre>
Then we need a directory for temporary files accessible only to this user, which we create with the following commands:
<pre>
mkdir /var/spool/vacation
chown -R vacation:vacation /var/spool/vacation
chmod o-xr /var/spool/vacation
</pre>

The second step is to set up the vacation script: we need to put a copy of it (it is distributed with Postfixadmin) in the previous directory, which can be done with the following commands:
<pre>
cd /usr/share/doc/postfixadmin/examples/VIRTUAL_VACATION/
zcat vacation.pl.gz > /var/spool/vacation/vacation.pl
chmod 700 /var/spool/vacation/vacation.pl
chown vacation:vacation /var/spool/vacation/vacation.pl
</pre>
To have the script working correctly we also need some Perl modules, including the DBI driver it uses to query the database; they can be installed with:
<pre>
aptitude install libemail-valid-perl libmime-encwords-perl libmime-perl \
         libmail-sender-perl liblog-log4perl-perl libdbd-mysql-perl
</pre>
At last we need to set up the database access of the script, modifying the following lines at the beginning of it (note that we are using the same values used in the Postfixadmin configuration, and that the script must stay readable only by the vacation user, as set above, since it contains the password):
<pre>
our $db_type = 'mysql';
our $db_host = 'localhost';
our $db_username = 'postfixadmin';
our $db_password = 'secretandcomplexpassword';
our $db_name     = 'postfixadmin';

our $vacation_domain = 'autoreply.mydomain.it';
</pre>

Then define the vacation transport in /etc/postfix/master.cf (flags=Rq adds a Return-Path header and quotes special characters in the addresses passed on the command line; the command runs as the unprivileged vacation user):
<pre>
vacation    unix  -       n       n       -       -       pipe
  flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}
</pre>

Map the vacation domain to this transport in /etc/postfix/transport:
<pre>
autoreply.mydomain.it       vacation:
</pre>

and enable the transport table in main.cf:
<pre>
transport_maps = hash:/etc/postfix/transport
</pre>

Once this is done we can tell Postfix to use the new configuration with the following commands:
<pre>
postmap /etc/postfix/transport
postfix reload
</pre>


h3. Dovecot configuration

Install the Dovecot IMAP and POP3 servers, plus ntp (Dovecot shuts itself down if the system clock moves backwards, so a synchronised clock matters):
<pre>
aptitude install dovecot-imapd dovecot-pop3d ntp
</pre>
then we need to tell Dovecot where to find the emails and how to authenticate users.

In /etc/dovecot/dovecot.conf set the mail location, which must match the domain/user layout chosen in Postfixadmin ($CONF['domain_path'] = 'YES', $CONF['domain_in_mailbox'] = 'NO'), and the uid used by Postfix for the virtual mailboxes:
<pre>
mail_location = maildir:/var/mail/vmail/%d/%n
mail_privileged_group = vmail
first_valid_uid = 106
</pre>

Then, in the auth section of dovecot.conf, use SQL for both the password and the user database:
<pre>
  passdb sql {
    args = /etc/dovecot/dovecot-mysql.conf
  }
  userdb sql {
    args = /etc/dovecot/dovecot-mysql.conf
  }
</pre>

The file /etc/dovecot/dovecot-mysql.conf holds the connection parameters and the queries. The MD5 password scheme is Dovecot's name for the salted MD5-crypt hashes ($1$...) that Postfixadmin stores with its default $CONF['encrypt'] = 'md5crypt'; the uid and gid must again be those of the vmail user:
<pre>
driver = mysql
connect = host=localhost dbname=postfixadmin user=postfixadmin password=secretandcomplexpassword client_flags=0
default_pass_scheme = MD5
user_query = SELECT maildir, 106 AS uid, 61 AS gid FROM mailbox WHERE username = '%u'
password_query = SELECT password FROM mailbox WHERE username = '%u' AND active = '1'
</pre>
This file too contains the database password, so it must be readable by root only (mode 600).

To check if everything is working fine, connect to the server with an email client and look at the emails previously sent to the test accounts.


h3. Authenticated SMTP

To let Postfix authenticate SMTP clients against the same accounts, Dovecot must export its authentication socket inside the Postfix chroot; add to the auth section of dovecot.conf:
<pre>
socket listen {
        client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = postfix
        group = postfix
        }
}
</pre>

After restarting Dovecot the socket must exist with exactly these owner and permissions:
<pre>
# ls /var/spool/postfix/private/auth -l
srw-rw---- 1 postfix postfix 0 29 set 18:59 /var/spool/postfix/private/auth
</pre>

Then tell Postfix to use Dovecot SASL through that socket (the path is relative to the Postfix queue directory), in /etc/postfix/main.cf:
<pre>
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
</pre>

enable SMTP authentication (smtpd_sasl_application_name is only used by the Cyrus SASL backend and is harmless here):
<pre>
smtpd_sasl_auth_enable = yes
smtpd_sasl_application_name = smtpd
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
</pre>

and force the use of TLS, so that credentials never travel in the clear (a server certificate and key must be configured with smtpd_tls_cert_file and smtpd_tls_key_file; Debian's default main.cf already points them at the snakeoil certificate, which should be replaced with a real one):
<pre>
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
</pre>
smtpd_tls_auth_only makes Postfix announce AUTH only after STARTTLS has been negotiated.

Finally set the recipient restrictions so that local networks and authenticated clients may relay while everybody else can only deliver to the domains we host. The order matters: the permit rules come first and reject_unauth_destination must always be present, otherwise the server becomes an open relay:
<pre>
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_rbl_client zen.spamhaus.org,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unauth_destination
</pre>

h3. CLI script for massive account creation

Postfixadmin is a very nice web interface to manage email accounts and domains, but like all GUI or web based interfaces it is not so practical when you have to create hundreds of accounts in a single shot. For this reason we developed a simple Python script that does mass account creation. You can find it in the attachment.

The script reads a text file with one account per line and the following fields:

| user     | user part of the email (like user in user@domain.com) |
| password | cleartext password |
| domain   | domain name (like 'domain.com') |
| name     | full user name ('Name Surname') |

The script does not validate its input, so it is published without any warranty (under the GPL licence); making a database backup before using it is strongly suggested. It prints an error for accounts or domains already present in the database and skips them (i.e. it never overwrites them), while creating all the other accounts and domains; duplicated accounts in the input file are skipped as well. The input file contains cleartext passwords, so keep it out of reach of other users and delete it once the accounts have been created.