Wednesday, August 31, 2011

Install and Configure Mail Server on Linux System

Mail Transfer Agent
A Mail Transfer Agent (MTA) is the program which receives and sends out the email from your server, and is therefore the key part. The default MTA in Ubuntu is Postfix, but exim4 is also fully supported and in the main repository.
Postfix - this guide explains how to set up Postfix.

In order to install Postfix with SMTP-AUTH and TLS, first install the postfix package from the Main repository using your favorite package manager. For example:
sudo aptitude install postfix


Configuration
From a terminal prompt:
sudo dpkg-reconfigure postfix
Insert the following details when asked (replacing server1.example.com with your domain name if you have one):
General type of mail configuration: Internet Site
(The prompt answered with NONE does not appear in the current configuration dialog.)
System mail name: server1.example.com
Root and postmaster mail recipient: <admin_user_name>
Other destinations for mail: server1.example.com, example.com, localhost.example.com, localhost
Force synchronous updates on mail queue?: No
Local networks: 127.0.0.0/8
(The prompt answered with Yes does not appear in the current configuration dialog.)
Mailbox size limit (bytes): 0
Local address extension character: +
Internet protocols to use: all



To configure the mailbox format for Maildir:
sudo postconf -e 'home_mailbox = Maildir/'
You may need to issue this as well:
sudo postconf -e 'mailbox_command ='
Note: This will place new mail in /home/username/Maildir, so you will need to configure your Mail Delivery Agent to use the same path.

Configure Postfix to do SMTP AUTH using SASL (saslauthd):
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'
Next edit /etc/postfix/sasl/smtpd.conf and add the following lines:
pwcheck_method: saslauthd
mech_list: plain login
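The order of smtpd_recipient_restrictions is what keeps the server from being an open relay: Postfix walks the list left to right and stops at the first restriction that permits or rejects, so reject_unauth_destination must be reached before anything that would permit an arbitrary client. The following Python script is an added example and not part of this guide: it parses the value that `postconf smtpd_recipient_restrictions` prints (the sample strings are constructed, including a misconfigured one) and classifies it. The names relay_check, BOUNDED_PERMITS and the three verdicts are my own.

```python
"""Sanity-check a Postfix smtpd_recipient_restrictions value for open relay.
Added example, not from the guide: it inspects the text that
`postconf smtpd_recipient_restrictions` prints rather than calling postconf."""

# Constructed samples: the guide's own setting, two misconfigurations, and one
# that needs a human look.
GUIDE_SETTING = ("smtpd_recipient_restrictions = "
                 "permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination")
OPEN_RELAY_SETTING = "smtpd_recipient_restrictions = permit_mynetworks, permit"
MISSING_REJECT = "smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks"
NEEDS_REVIEW = ("smtpd_recipient_restrictions = permit_mynetworks, "
                "check_client_access hash:/etc/postfix/client_access, "
                "reject_unauth_destination")

# Permits that only apply to clients Postfix already trusts (authenticated,
# in $mynetworks, on its own interfaces) or only to local destinations.
BOUNDED_PERMITS = {"permit_sasl_authenticated", "permit_mynetworks",
                   "permit_auth_destination", "permit_inet_interfaces"}
RELAY_REJECTS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_restrictions(line):
    """Split 'smtpd_recipient_restrictions = a, b c' into ['a', 'b', 'c'].
    Postfix accepts commas and/or whitespace as separators."""
    _name, _sep, value = line.partition("=")
    return value.replace(",", " ").split()


def relay_check(restrictions):
    """Return (verdict, reason); verdict is 'safe', 'open-relay' or 'review'.

    Postfix evaluates the list in order and stops at the first restriction
    that permits or rejects, so an unconditional 'permit' reached before
    reject_unauth_destination relays for anyone.  check_* lookups and
    permits outside BOUNDED_PERMITS can permit too, depending on their
    tables, so they are flagged for manual review rather than judged here.
    """
    for index, item in enumerate(restrictions):
        name = item.lower()
        if ":" in name:
            continue  # lookup-table argument of the preceding check_* item
        if name in RELAY_REJECTS:
            return "safe", f"{item} at position {index} refuses relay for unauthenticated clients"
        if name == "permit":
            return "open-relay", "unconditional permit reached before reject_unauth_destination"
        if name.startswith("check_") or (name.startswith("permit") and name not in BOUNDED_PERMITS):
            return "review", f"{item} decides before reject_unauth_destination; verify what it can permit"
    return "open-relay", "reject_unauth_destination missing: mail for any destination is accepted"


if __name__ == "__main__":
    for sample in (GUIDE_SETTING, OPEN_RELAY_SETTING, MISSING_REJECT, NEEDS_REVIEW):
        print(relay_check(parse_restrictions(sample)))
```

Newer Postfix releases (2.10 and later) evaluate smtpd_relay_restrictions before this list and default it to a relay-safe value; on such a server the same check should be run over that parameter as well.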


Generate certificates to be used for TLS encryption and/or certificate authentication:
touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 # has prompts
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/


Configure Postfix to do TLS encryption for both incoming and outgoing mail: 
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'
sudo postconf -e 'myhostname = server1.example.com' # remember to change this to yours


Authentication
The next steps are to configure Postfix to use SASL for SMTP AUTH.
First you will need to install the libsasl2-2, sasl2-bin and libsasl2-modules packages from the Main repository (for example, sudo apt-get install libsasl2-2 sasl2-bin libsasl2-modules).

We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix, we have to change a couple of paths to live in that false root (i.e. /var/run/saslauthd becomes /var/spool/postfix/var/run/saslauthd).

Note: by changing the saslauthd path, other applications that use saslauthd may be affected.
First we edit /etc/default/saslauthd in order to activate saslauthd. Remove the # in front of START=yes, add the PWDIR, PARAMS, and PIDFILE lines and edit the OPTIONS line at the end:
# This needs to be uncommented before saslauthd will be run automatically
START=yes
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"


# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"
# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
#OPTIONS="-c"

# make sure you set OPTIONS here; otherwise the PARAMS line above is ignored and saslauthd will not work
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Note: If you prefer, you can use "shadow" instead of "pam". This will use MD5 hashed password transfer and is perfectly secure. The username and password used to authenticate are those of the system users on the server.
Next, we update the dpkg "state" of /var/spool/postfix/var/run/saslauthd. The saslauthd init script uses this setting to create the missing directory with the appropriate permissions and ownership:


sudo dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd

This may report an error along the lines of "--update given" and the /var/spool/postfix/var/run/saslauthd directory not existing. You can ignore this: the directory will be created when saslauthd is started next.
Finally, start saslauthd:
sudo /etc/init.d/saslauthd start


Testing
To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25 
After you have established the connection to your postfix mail server type
ehlo localhost 
If you see the lines 
250-STARTTLS
250-AUTH
among others, everything is working.
Type quit to return to the system's shell.
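To go beyond eyeballing the telnet output, the following Python script (an added example, not from the guide) parses an EHLO reply like the one shown and reports the two facts worth knowing: whether STARTTLS and AUTH are offered, and whether AUTH is already offered on the cleartext session, which is what smtpd_tls_auth_only = no permits and means a client may send PLAIN/LOGIN passwords unencrypted. audit_live() additionally runs the same check against a reachable server and confirms that reject_unauth_destination refuses an unauthenticated RCPT to a foreign domain. The sample reply, the hostname and the mechanism list are constructed; the function names are mine.

```python
"""Check what a Postfix server advertises on EHLO and whether it refuses to
relay for unauthenticated clients.  Added example; not from the guide."""
import smtplib
import ssl

# Constructed sample of an EHLO reply, modelled on the telnet session in the
# guide.  The hostname and the AUTH mechanisms are assumptions.
SAMPLE_EHLO_REPLY = """\
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME"""


def parse_ehlo(reply):
    """Map each advertised ESMTP keyword to its parameter list.

    Each line is '250-KEYWORD params...' (or '250 KEYWORD' on the last
    line); the first line only carries the server name and is skipped.
    """
    features = {}
    for line in reply.splitlines()[1:]:
        parts = line[4:].split()
        if parts:
            features[parts[0].upper()] = parts[1:]
    return features


def assess(features, after_starttls=False):
    """Evaluate the two things the guide's telnet test looks for.

    after_starttls says whether the features were read on a session that
    already negotiated TLS.  AUTH advertised on a cleartext session means
    a client may send PLAIN/LOGIN credentials unencrypted, which the
    guide's smtpd_tls_auth_only = no permits.
    """
    auth = features.get("AUTH")
    return {
        "starttls_offered": "STARTTLS" in features,
        "auth_offered": auth is not None,
        "auth_mechanisms": sorted(m.upper() for m in (auth or [])),
        "cleartext_auth_exposed": auth is not None and not after_starttls,
    }


def audit_live(host="localhost", port=25, probe_recipient="relay-probe@example.net"):
    """Run the checks against a reachable server (not executed by the test).

    1. EHLO in cleartext, then again after STARTTLS, assessing both.
    2. Without authenticating, address a recipient in a foreign domain:
       with reject_unauth_destination in place the RCPT must not return 250.
    """
    findings = {}
    with smtplib.SMTP(host, port, timeout=15) as conn:
        conn.ehlo("localhost")
        plain = {k.upper(): v.split() for k, v in conn.esmtp_features.items()}
        findings["cleartext"] = assess(plain, after_starttls=False)
        if conn.has_extn("starttls"):
            # The guide's certificate is self-signed, so verification is
            # disabled here; a production check should trust the CA instead.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn.starttls(context=ctx)
            conn.ehlo("localhost")
            tls = {k.upper(): v.split() for k, v in conn.esmtp_features.items()}
            findings["encrypted"] = assess(tls, after_starttls=True)
        mail_code, _ = conn.mail("postmaster@" + host)
        rcpt_code, rcpt_msg = conn.rcpt(probe_recipient)
        conn.rset()
        findings["relay_attempt"] = {
            "mail_from": mail_code,
            "rcpt_to": rcpt_code,
            "reply": rcpt_msg.decode("ascii", "replace"),
            # None when MAIL FROM itself failed, so no conclusion is drawn
            "relay_rejected": (rcpt_code != 250) if mail_code == 250 else None,
        }
    return findings


if __name__ == "__main__":
    import pprint
    pprint.pprint(audit_live())
```

Run it on the server itself against localhost:25, as the telnet test does; relay_rejected should come back True and, if you later set smtpd_tls_auth_only = yes, cleartext_auth_exposed in the "cleartext" findings should turn False.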


Dovecot
Dovecot is a Mail Delivery Agent, written with security primarily in mind. It supports the major mailbox formats: mbox or Maildir. It is a simple and easy to install MDA. This guide explains how to set it up as an IMAP or POP3 server.

Installation
sudo apt-get install dovecot-imapd dovecot-pop3d
Configuration
To configure Dovecot, you edit the file /etc/dovecot/dovecot.conf. There are a couple of choices to make: which protocols to serve (POP3 and/or IMAP, with or without SSL) and which mailbox format to use.

Once you have chosen, amend the following line in /etc/dovecot/dovecot.conf:
protocols = pop3 pop3s imap imaps

This enables those protocols when Dovecot is started. Note: you can enable all of the above protocols, or just one, or any combination of them. In addition, add the following line to the "protocol pop3" section of /etc/dovecot/dovecot.conf:
pop3_uidl_format = %08Xu%08Xv
To configure Dovecot for your mailbox format use (for maildir):
mail_location = maildir:~/Maildir
or, for mbox:
mail_location = mbox:~/mail:INBOX=/var/mail/%u

If you have trouble figuring out what you are using, it's most likely mbox. Maildir mails are almost always stored in ~/Maildir/ directory, which contains cur/, new/ and tmp/ subdirectories. In maildir each mail is stored in a separate file, while with the mbox format one file contains all mails in the mailbox. Files in /var/mail/ are nearly always mbox files, one for each user.
Maildir is better overall because it is more scalable and can't get corrupted so easily. So, if you have trouble figuring out what you should be using and have a choice, choose maildir.
Note: You will also need to configure your MTA to transfer the incoming mail to this type of mailbox. (If you installed Postfix with instructions from the previous wiki, then choose mbox.)


Setting up Maildir

Do these steps ONLY if you want Maildir. This setup will put the Maildir in each user's home directory.
If you are using Postfix as your MTA, then add the following line to your /etc/postfix/main.cf file:
home_mailbox = Maildir/
Edit /etc/dovecot/dovecot.conf: 
mail_location = maildir:/home/%u/Maildir
It's a good idea to pre-create the Maildir for future users: 
sudo maildirmake.dovecot /etc/skel/Maildir
sudo maildirmake.dovecot /etc/skel/Maildir/.Drafts
sudo maildirmake.dovecot /etc/skel/Maildir/.Sent
sudo maildirmake.dovecot /etc/skel/Maildir/.Trash
sudo maildirmake.dovecot /etc/skel/Maildir/.Templates

Then, for an existing user:
sudo cp -r /etc/skel/Maildir /home/myuser/
sudo chown -R myuser:usergroup /home/myuser/Maildir
sudo chmod -R 700 /home/myuser/Maildir
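Since the guide explains both how to tell the two formats apart and how to pre-create a Maildir skeleton, here is one added Python example (not part of the guide) that does both with the standard library's mailbox module: create_maildir builds the same cur/new/tmp tree and dot-folders as the maildirmake.dovecot calls above and applies mode 0700 as the chmod -R 700 does, and detect_mailbox_format applies the rule of thumb from the text. demo() exercises both on a temporary directory with a constructed mbox file; all three names are my own.

```python
"""Create the Maildir layout the guide builds with maildirmake.dovecot and
tell a Maildir from an mbox.  Added example; helper names are my own."""
import mailbox
import os
import stat
import tempfile

# The dot-folders the guide pre-creates under /etc/skel/Maildir.
DEFAULT_FOLDERS = ("Drafts", "Sent", "Trash", "Templates")


def create_maildir(path, folders=DEFAULT_FOLDERS):
    """Create path as a Maildir (cur/, new/, tmp/) plus its dot-folders.

    mailbox.Maildir(create=True) builds the same structure as
    maildirmake.dovecot; every directory is then forced to mode 0700, as the
    guide's chmod -R 700 does, so only the owner can read the mail.
    Returns the sorted list of directories created.
    """
    box = mailbox.Maildir(path, create=True)
    for name in folders:
        box.add_folder(name)      # creates path/.<name>/{cur,new,tmp}
    created = []
    for root, _dirs, _files in os.walk(path):
        os.chmod(root, 0o700)
        created.append(root)
    return sorted(created)


def detect_mailbox_format(path):
    """Apply the guide's rule of thumb: a directory holding cur/, new/ and
    tmp/ is a Maildir; a file (like /var/mail/<user>) whose content starts
    with a 'From ' separator line is an mbox."""
    if os.path.isdir(path):
        wanted = {"cur", "new", "tmp"}
        found = {d for d in wanted if os.path.isdir(os.path.join(path, d))}
        return "maildir" if found == wanted else "unknown"
    if os.path.isfile(path):
        with open(path, "rb") as fh:
            head = fh.read(5)
        # an empty spool file is a valid mbox for a user with no mail yet
        return "mbox" if head in (b"From ", b"") else "unknown"
    return "unknown"


def demo():
    """Build a throwaway Maildir and a constructed mbox in a temporary
    directory, classify both, and report what was created."""
    with tempfile.TemporaryDirectory() as tmp:
        maildir = os.path.join(tmp, "Maildir")
        created = create_maildir(maildir)
        spool = os.path.join(tmp, "myuser")       # stands in for /var/mail/myuser
        with open(spool, "wb") as fh:             # constructed sample mbox
            fh.write(b"From myuser@example.com Wed Aug 31 12:00:00 2011\n"
                     b"Subject: test\n\nHello\n")
        return {
            "created": [os.path.relpath(p, maildir) for p in created],
            "maildir_mode": stat.S_IMODE(os.stat(maildir).st_mode),
            "maildir_format": detect_mailbox_format(maildir),
            "mbox_format": detect_mailbox_format(spool),
            "missing_format": detect_mailbox_format(os.path.join(tmp, "none")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

To populate /etc/skel the way the guide does, call create_maildir("/etc/skel/Maildir") as root; for an existing user, copy the tree and chown it exactly as the commands above show, since the mode alone does not change ownership.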


Test
Start dovecot:
sudo /etc/init.d/dovecot start
To check that it is running, type the command
ps -A | grep dovecot
You should see the dovecot service running. If you have enabled imap, or pop3, you can also try to log in with the commands
telnet localhost pop3
or 
telnet localhost imap2
If you see something like the following, the installation has been successful.
$ telnet localhost pop3
Trying localhost...
Connected to localhost.
Escape character is '^]'.
+OK dovecot ready.
Or, for the SMTP server:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 host.example.com ESMTP Postfix
EHLO testdomain.com
250-host.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
MAIL FROM: <user@testdomain.com>
250 2.1.0 Ok
RCPT TO: <local-user@example.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Hello local-user
Hey local-user,
I just wanted to send some test mail to you :-)
.
250 2.0.0 Ok: queued as B95C8110064
QUIT


SSL
To configure Dovecot to use SSL, edit the file /etc/dovecot/dovecot.conf and amend the following lines (in some cases you may simply have to remove the # symbol from the beginning of the line):
ssl = yes
ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
The cert and key files are created automatically by Dovecot when you install it. (The keys mentioned above are actually the ones created by Postfix, but they are suitable for use by Dovecot as well.) Note that these certificates are not signed by a trusted CA and will give "bad signature" errors when connecting from a client. To avoid this, you can use commercial certificates or, even better, your own SSL certificates. Hopefully, a guide will appear soon on this wiki on how to do this. In the meantime, here are some good ones: this guide on the Linux howto database, and this guide on the Debian Administration website.

Accessing from Outside
In order to access your mail server from another computer, you'll have to configure your firewall or router to allow connections to the server on the necessary ports:
IMAP - 143
IMAPS - 993
POP3 - 110
POP3S - 995
You'll also need to uncomment the following line in /etc/dovecot/dovecot.conf:
listen = *
However, this method may cause conflicts with other servers already listening on those ports. The alternative (and probably more desirable) method is to enable the specific listening ports for the protocols you intend to use. For example, for IMAP/IMAPS and POP3/POP3S, add to the respective protocol imap and protocol pop3 sections:
protocol imap {
    listen = *:143
    ssl_listen = *:993
    ...
}
protocol pop3 {
    listen = *:110
    ssl_listen = *:995
    ...
}
Squirrelmail Configuration
Install Squirrelmail with:
sudo apt-get install squirrelmail

Squirrelmail has a very simple configuration menu. To run it, type:
sudo squirrelmail-configure
Apache Configuration
Squirrelmail comes with a sample apache configuration file in /etc/squirrelmail/apache.conf. You can copy this file to /etc/apache2/sites-available/squirrelmail with the command:
sudo cp /etc/squirrelmail/apache.conf /etc/apache2/sites-available/squirrelmail
then link it to the sites-enabled directory with the command:
sudo ln -s /etc/apache2/sites-available/squirrelmail /etc/apache2/sites-enabled/squirrelmail
Reload Apache Configuration:
sudo /etc/init.d/apache2 force-reload
If you ever wish to disable Squirrelmail, simply delete the link in the sites-enabled directory and reload Apache's configuration.

Roundcube 

You'll need Apache and MySQL installed. If Apache is not already installed, the following command will install it:
sudo aptitude install apache2
Run the following command to install Roundcube:
sudo aptitude install roundcube roundcube-mysql
Configure Roundcube:
sudo dpkg-reconfigure roundcube-core
Next create a symbolic link to Apache's document root, in this case /var/www:
sudo ln -s /usr/share/roundcube /var/www/roundcube
Restart Apache:
sudo service apache2 restart
Now browse to your machine at http://localhost/roundcube
