
OpenBSD as a Mail Server

Author: Daniele Mazzocchio


Last update: Dec 21, 2008
Latest version: http://www.kernel-panic.it/openbsd/mail/
Table of Contents
1. Introduction
2. Preliminary installation steps
3. Postfix
3.1 Configuration
3.2 Enabling TLS
4. MySQL
4.1 The socket dilemma
4.2 Configuration
5. Courier-IMAP
5.1 Installation and configuration
5.2 Adding POP3 access
5.3 SMTP authentication with SASL
5.4 Managing disk space
6. Content filtering
6.1 SpamAssassin
6.2 ClamAV
6.3 Amavisd-new
7. SquirrelMail
7.1 Preliminary steps
7.2 Installation and configuration
8. Appendix
8.1 References
8.2 Bibliography
1. Introduction
In a previous document, we built redundant firewalls using the CARP and PFSYNC protocols; these were the first building blocks of a hypothetical, OpenBSD-based, small private network that we are going to build step by step across several documents.
Now that we have raised the "defensive walls" of our network, it's time to think about the services we want to provide. Offering a reliable and secure email service is probably one of the top priorities of most system administrators; therefore, in the next chapters, we will build a full-featured mail server, based on open-source software and focusing on security. The following is the list of the pieces of software we will use:
OpenBSD
    the "secure by default" operating system, with "only two remote holes in the default install, in more than 10 years!";
Postfix
    an MTA "that started life as an alternative to the widely-used Sendmail program" and which "attempts to be fast, easy to administer, and secure";
MySQL
    the "world's most popular open source database";
Courier-IMAP
    a "fast, scalable, enterprise IMAP server" that supports MySQL and maildirs;
Cyrus SASL
    the Cyrus implementation of the SASL protocol;
Amavisd-new
    a "high-performance interface between mailer (MTA) and content checkers" (antivirus and antispam), written in Perl and optimized for Postfix;
SpamAssassin
    a Perl-based "mail filter to identify Spam", using "a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases";
ClamAV
    a fast and easy-to-use open-source virus scanner.
A good knowledge of OpenBSD is assumed, since we won't delve into system management topics such as base configuration or packages/ports installation.
2. Preliminary installation steps
Before delving into the installation and configuration of all the mail-handling software, we will take a brief look at the operating system that will host it.
As usual, my choice goes to OpenBSD for its proven security, reliability and ease of use. Needless to say, all these features are essential for a system that will have to handle a large volume of email traffic while still making life hard for spammers and malicious users.
We won't dwell upon the installation procedure here, which is documented in full detail on the OpenBSD web site. Just a couple of notes:
- while partitioning the hard drive, bear in mind that we will configure Postfix to use virtual domains and, consequently, it will store all users' mail folders in a single directory (/var/vmail). Therefore, it is recommended to assign a (large) dedicated slice to this filesystem, in order to prevent mails from filling up any critical filesystem, should quotas fail. Furthermore, if you choose to install MySQL on the mail server itself, it is usually recommended to assign one of the first slices to /var/mysql, in order to allow for faster disk access by the database engine;
- the only file sets we will need to install are those marked as "required" in the documentation, i.e. bsd (the kernel), base44.tgz (the base system), and etc44.tgz (the configuration files in /etc) plus comp44.tgz (the C compiler), since we will also have to install some ports not available as precompiled packages for licensing reasons. Note: since leaving a compiler on a publicly accessible server is a definite security risk, it is recommended that you remove the compiler when the installation is over or that you compile on another machine.
After the first reboot, we can disable some default network services managed by inetd(8):
$ grep -v ^# /etc/inetd.conf
ident           stream  tcp     nowait  _identd /usr/libexec/identd     identd -el
ident           stream  tcp6    nowait  _identd /usr/libexec/identd     identd -el
127.0.0.1:comsat dgram  udp     wait    root    /usr/libexec/comsat     comsat
[::1]:comsat    dgram   udp6    wait    root    /usr/libexec/comsat     comsat
daytime         stream  tcp     nowait  root    internal
daytime         stream  tcp6    nowait  root    internal
time            stream  tcp     nowait  root    internal
time            stream  tcp6    nowait  root    internal
$
by commenting them out in /etc/inetd.conf and reloading inetd(8):
# pkill -HUP inetd
Anyway, OpenBSD is considered secure also with those services turned on, and the mail server should be firewalled; nevertheless, I prefer staying on the safe side and disable them all (including comsat(8), since we won't have any interactive user receiving mail on the system).
To modify the server network configuration, please refer to the related chapter in the previous document about redundant firewalls or to the networking FAQ.



3. Postfix
Postfix is an MTA (Mail Transport Agent) developed by Wietse Venema "as an alternative to the widely-used Sendmail program". It "attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different". Postfix also comes with excellent documentation and a lot of howtos.
Our mail server requirements will be quite simple: it will be final destination solely for its canonical domains and it will only relay mail from systems on the internal network (though we will also consider relaying from untrusted networks by means of SMTP authentication). Canonical domains include the hostname (in our case, "mail.kernel-panic.it") and the IP address (172.16.240.150) of the machine that Postfix runs on, and the parent domain of the hostname ("kernel-panic.it").
Canonical domains are usually implemented with the Postfix local domain address class, which, unfortunately, has one major drawback for me: it requires each e-mail account to have a corresponding Unix account. On the contrary, I prefer:
1. keeping Unix and e-mail accounts apart and
2. having all mailboxes well-ordered inside a single directory.
Therefore, we will use Postfix Virtual Domain Hosting, which is normally used for hosting multiple internet domains on the same server, but will also allow us to achieve our two goals.
3.1 Configuration
In this paragraph, we will configure Postfix to work standalone, with no back-end database. Then, in the next chapter, when everything is working fine, we will hook up Postfix to a MySQL database; this will allow us to centrally store configuration information that both Postfix and Courier-IMAP will need to access.
There are a few packages we need to install:
mysql-client-x.x.x.tgz
pcre-x.x.tgz
postfix-x.x.x-mysql.tgz
Note: if you're planning to use SMTP authentication, you will need to compile Postfix from the ports, because there's no pre-compiled package available with both MySQL and SASL support:
# cd /usr/ports/mail/postfix/snapshot
# env FLAVOR="mysql sasl2" make install
The installation will create the /etc/postfix directory, containing all the configuration files. Postfix has several hundred configuration parameters that are controlled via the /etc/postfix/main.cf file, but don't worry: for the vast majority of these parameters, the default value is the best option (see postconf(5) for a detailed list of all the available configuration parameters, their description and their default value) and we will only have to override a very small subset of them:
/etc/postfix/main.cf
# Directory containing all the post* commands
command_directory = /usr/local/sbin
# Directory containing all the Postfix daemon programs
daemon_directory = /usr/local/libexec/postfix
# Full pathnames of various Postfix commands
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/sbin/newaliases
mailq_path = /usr/local/sbin/mailq
# Directories containing documentation
html_directory = /usr/local/share/doc/postfix/html
manpage_directory = /usr/local/man
readme_directory = /usr/local/share/doc/postfix/readme
# The owner of the Postfix queue and of most Postfix daemon processes
mail_owner = _postfix
# The group for mail submission and queue management commands
setgid_group = _postdrop
# The myhostname parameter specifies the internet hostname of this mail system. It
# is used as default for many other configuration parameters (default = system's
# FQDN)
myhostname = mail.kernel-panic.it
# The internet domain name of this mail system. Used as default for many other
# configuration parameters (default = $myhostname minus the first component)
mydomain = kernel-panic.it
# The domain name that locally-posted mail appears to come from, and that locally
# posted mail is delivered to. As you can see, a parameter value may refer to other
# parameters
myorigin = $myhostname
# Network interface addresses that this mail system receives mail on
inet_interfaces = all
# Network interface addresses that this mail system receives mail on by way of a
# proxy or NAT unit
proxy_interfaces = router.kernel-panic.it
# List of domains that this machine considers itself the final destination for.
# Virtual domains must not be specified here
mydestination = $myhostname, localhost.$mydomain, localhost
# List of "trusted" SMTP clients allowed to relay mail through Postfix.
mynetworks = 127.0.0.0/8, 172.16.0.0/24, 172.16.240.0/24
# What destination (sub)domains this system will relay mail to
relay_domains = $mydestination
# The default host to send mail to when no entry is matched in the optional
# transport(5) table. Square brackets turn off MX lookups
relayhost = [smtp.isp.com]
# List of alias databases used by the local delivery agent
alias_maps = hash:/etc/postfix/aliases
# Alias database(s) built with "newaliases" or "sendmail -bi". This is a separate
# configuration parameter, because alias_maps may specify tables that are not
# necessarily all under control by Postfix
alias_database = hash:/etc/postfix/aliases
# SMTP greeting banner
smtpd_banner = $myhostname ESMTP $mail_name
# Postfix is final destination for the specified list of "virtual" domains
virtual_mailbox_domains = kernel-panic.it
# Virtual mailboxes base directory
virtual_mailbox_base = /var/vmail
# Optional lookup tables with all valid addresses in the domains that match
# $virtual_mailbox_domains.
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
# The minimum user ID value accepted by the virtual(8) delivery agent
virtual_minimum_uid = 2000
# User ID that the virtual(8) delivery agent uses while writing to the recipient's
# mailbox
virtual_uid_maps = static:2000
# Group ID that the virtual(8) delivery agent uses while writing to the recipient's
# mailbox
virtual_gid_maps = static:2000
# Optional lookup tables that alias specific mail addresses or domains to other
# local or remote addresses
virtual_alias_maps = hash:/etc/postfix/virtual
Let's take a closer look at some of the above configuration parameters.
One of the goals we had was to avoid having a separate Unix account for each e-mail account. We have achieved this by configuring Postfix to write to the mailboxes using uid 2000 and gid 2000 (see the virtual_uid_maps and virtual_gid_maps parameters above). Now we only have to create a user with this pair of uid and gid:
# useradd -d /var/vmail -g =uid -u 2000 -s /sbin/nologin \
> -c "Virtual Mailboxes Owner" -m vmail
Our second goal was having all mailboxes grouped together in a single directory; this is achieved by setting the value of the virtual_mailbox_base parameter to the path of that directory (in our configuration, /var/vmail). As a matter of fact, this parameter is a prefix that the virtual(8) agent prepends to all pathname results from virtual_mailbox_maps table lookups.
In our configuration, the virtual_mailbox_maps parameter refers to the /etc/postfix/vmailbox file, containing the list of all valid addresses in the virtual domains (virtual_mailbox_domains parameter) and the path to the corresponding mailboxes or maildirs (a mailbox is a single file containing all the emails; a maildir, instead, is a directory, with a defined structure, containing all the emails in separate files):
/etc/postfix/vmailbox
info@kernel-panic.it            kernel-panic.it/info/
d.mazzocchio@kernel-panic.it    kernel-panic.it/d.mazzocchio/
[...]
Please pay attention to the trailing slashes: they tell Postfix that the pathname refers to a maildir instead of a mailbox file, and maildirs are our only option, since Courier-IMAP doesn't support mailbox files.
The virtual_alias_maps parameter allows you to alias specific mail addresses or domains to other local or remote addresses. Its value is the pathname of a file (in our case /etc/postfix/virtual) containing the alias mappings:
/etc/postfix/virtual
root@kernel-panic.it            root@localhost.kernel-panic.it
postmaster@kernel-panic.it      postmaster@localhost.kernel-panic.it
abuse@kernel-panic.it           postmaster@localhost.kernel-panic.it
[...]
Finally, the /etc/postfix/aliases file contains the addresses to which Postfix will redirect mail for local recipients (see aliases(5)). Since many accounts point to root's email address, you should check root's email frequently or forward it all to another account. E.g.:
/etc/postfix/aliases
root:           d.mazzocchio@kernel-panic.it
MAILER-DAEMON:  postmaster
postmaster:     root
bin:            root
[...]
Now we only have to reload Postfix lookup tables:
# /usr/local/sbin/postmap /etc/postfix/vmailbox
# /usr/local/sbin/postmap /etc/postfix/virtual
# /usr/local/sbin/newaliases
replace Sendmail:
# /usr/local/sbin/postfix-enable
old /etc/mailer.conf saved as /etc/mailer.conf.pre-postfix
postfix /etc/mailer.conf enabled
NOTE: do not forget to add sendmail_flags="-bd" to
/etc/rc.conf.local to startup postfix correctly.
NOTE: do not forget to add "-a /var/spool/postfix/dev/log" to
syslogd_flags in /etc/rc.conf.local and restart syslogd.
NOTE: do not forget to remove the "sendmail clientmqueue runner"
from root's crontab.
#
and follow the above advice, by commenting out the "sendmail clientmqueue runner" in root's crontab:
# sendmail clientmqueue runner
#*/30 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q
and adding a couple of variables in the /etc/rc.conf.local(8) file.
/etc/rc.conf.local
# Specify a location where syslogd(8) should place an additional log socket
# for Postfix
syslogd_flags="-a /var/spool/postfix/dev/log"
# Make Postfix start in background and process queued messages every 30 min
sendmail_flags="-bd"
Now we can restart the processes (or simply reboot):
# pkill -HUP syslogd
# pkill sendmail
# /usr/local/sbin/sendmail -bd
and test our hard work!
# telnet mail.kernel-panic.it 25
Trying 172.16.240.150...
Connected to mail.kernel-panic.it.
Escape character is '^]'.
220 mail.kernel-panic.it ESMTP Postfix
HELO somedomain.org
250 mail.kernel-panic.it
mail from: someone@somedomain.org
250 Ok
rcpt to: d.mazzocchio@kernel-panic.it
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
From: someone@somedomain.org
To: d.mazzocchio@kernel-panic.it
Subject: Test mail
It works!
.
250 Ok: queued as 5707222
quit
221 Bye
Connection closed by foreign host.
# tail /var/log/maillog
Dec  1 15:26:35 mail postfix/smtpd[29212]: connect from ws1.lan.kernel-panic.it[172.16.0.15]
Dec  1 15:26:53 mail postfix/smtpd[29212]: 5707222: client=ws1.lan.kernel-panic.it[172.16.0.15]
Dec  1 15:27:02 mail postfix/cleanup[13428]: 5707222: message-id=<20071201142653.5707222@mail.kernel-panic.it>
Dec  1 15:27:02 mail postfix/qmgr[277]: 5707222: from=<someone@somedomain.org>, size=392, nrcpt=1 (queue active)
Dec  1 15:27:02 mail postfix/virtual[14381]: 5707222: to=<d.mazzocchio@kernel-panic.it>, relay=virtual, delay=15, delays=15/0.28/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
Dec  1 15:27:02 mail postfix/qmgr[277]: 5707222: removed
Dec  1 15:27:06 mail postfix/smtpd[29212]: disconnect from ws1.lan.kernel-panic.it[172.16.0.15]
# cat /var/vmail/kernel-panic.it/d.mazzocchio/new/<timestamp>.<unique-id>.mail.kernel-panic.it
Return-Path: <someone@somedomain.org>
X-Original-To: d.mazzocchio@kernel-panic.it
Delivered-To: d.mazzocchio@kernel-panic.it
Received: from somedomain.org (ws1.lan.kernel-panic.it [172.16.0.15])
        by mail.kernel-panic.it (Postfix) with SMTP id 5707222
        for <d.mazzocchio@kernel-panic.it>; Sat,  1 Dec 2007 15:26:47 +0100 (CET)
From: someone@somedomain.org
To: d.mazzocchio@kernel-panic.it
Subject: Test mail
Message-Id: <20071201142653.5707222@mail.kernel-panic.it>
Date: Sat,  1 Dec 2007 15:26:47 +0100 (CET)
It works!
#
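The maillog excerpt above is what a successful delivery looks like. The following script is an added example (not part of the original document): it parses lines in that format into per-queue-ID delivery records and keeps smtpd rejections apart, so a test delivery can be verified mechanically rather than by eye. The sample lines are constructed for the example; the last one uses the form in which smtpd logs a recipient that is absent from virtual_mailbox_maps (the client address is from the documentation range).

```python
import re

# Constructed sample lines modelled on the /var/log/maillog excerpt above; the
# final line is a rejection by smtpd for a recipient that is not in
# virtual_mailbox_maps (constructed, with a documentation-range client IP).
SAMPLE_MAILLOG = """\
Dec  1 15:26:35 mail postfix/smtpd[29212]: connect from ws1.lan.kernel-panic.it[172.16.0.15]
Dec  1 15:26:53 mail postfix/smtpd[29212]: 5707222: client=ws1.lan.kernel-panic.it[172.16.0.15]
Dec  1 15:27:02 mail postfix/cleanup[13428]: 5707222: message-id=<20071201142653.5707222@mail.kernel-panic.it>
Dec  1 15:27:02 mail postfix/qmgr[277]: 5707222: from=<someone@somedomain.org>, size=392, nrcpt=1 (queue active)
Dec  1 15:27:02 mail postfix/virtual[14381]: 5707222: to=<d.mazzocchio@kernel-panic.it>, relay=virtual, delay=15, delays=15/0.28/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
Dec  1 15:27:02 mail postfix/qmgr[277]: 5707222: removed
Dec  1 15:27:06 mail postfix/smtpd[29212]: disconnect from ws1.lan.kernel-panic.it[172.16.0.15]
Dec  1 15:31:40 mail postfix/smtpd[29215]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <nobody@kernel-panic.it>: Recipient address rejected: User unknown in virtual mailbox table; from=<x@example.net> to=<nobody@kernel-panic.it> proto=ESMTP helo=<example.net>
"""

# One syslog line: timestamp, host, "postfix/<program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Messages about a queued mail start with its queue ID (uppercase hex)
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
# key=value pairs; values in angle brackets may contain commas
KV_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")
DETAIL_RE = re.compile(r"status=\S+ \((?P<detail>.*)\)$")
REJECT_RE = re.compile(
    r"^NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) \S+ "
    r"<(?P<rcpt>[^>]*)>: (?P<reason>[^;]*);")


def parse_maillog(text):
    """Return ({queue_id: record}, [rejects]) for Postfix maillog lines."""
    records, rejects = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        r = REJECT_RE.match(msg)
        if r:
            rejects.append({"client": r["client"], "code": r["code"],
                            "recipient": r["rcpt"], "reason": r["reason"]})
            continue
        q = QID_RE.match(msg)
        if not q:
            continue  # connect/disconnect lines carry no queue ID
        rec = records.setdefault(q["qid"], {"recipients": [], "removed": False})
        rest = q["rest"]
        if rest == "removed":
            rec["removed"] = True  # qmgr is done with the queue file
            continue
        kv = dict(KV_RE.findall(rest))
        if "client" in kv:
            rec["client"] = kv["client"]
        if "from" in kv:
            rec["sender"] = kv["from"].strip("<>")
            rec["size"] = int(kv["size"])
        if "message-id" in kv:
            rec["message_id"] = kv["message-id"].strip("<>")
        if "to" in kv:
            d = DETAIL_RE.search(rest)
            rec["recipients"].append({
                "to": kv["to"].strip("<>"), "relay": kv.get("relay"),
                "status": kv.get("status"), "dsn": kv.get("dsn"),
                "detail": d["detail"] if d else ""})
    return records, rejects


def delivered_to_maildir(record):
    """True when every recipient went through virtual(8) into a maildir."""
    return bool(record["recipients"]) and record["removed"] and all(
        r["relay"] == "virtual" and r["status"] == "sent"
        and r["detail"] == "delivered to maildir" for r in record["recipients"])


if __name__ == "__main__":
    recs, rej = parse_maillog(SAMPLE_MAILLOG)
    for qid, rec in recs.items():
        print(qid, rec.get("sender"), "-> maildir:", delivered_to_maildir(rec))
    for r in rej:
        print("rejected", r["recipient"], "from", r["client"], "-", r["reason"])
```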
3.2 Enabling TLS
Enabling TLS support in Postfix allows you to encrypt SMTP sessions and SASL authentication exchanges and to optionally authenticate remote SMTP clients and/or servers. However, keep in mind that, by enabling TLS support, you also turn on thousands and thousands of lines of OpenSSL library code. Assuming that OpenSSL is written as carefully as Wietse's own code, every 1000 lines introduce one additional bug into Postfix [TLS]. Therefore, if you think you don't need these features, feel free to skip directly to the next chapter.
TLS relies on public key certificates for authentication and therefore requires that you first set up a basic Public Key Infrastructure (PKI) for managing digital certificates. As a preliminary step, we will create the directories where certificates will be stored:
# install -m 700 -d /etc/postfix/ssl/private
The first step in setting up the PKI is the creation of the root CA certificate (/etc/ssl/ca.crt) and private key (/etc/ssl/private/ca.key) using openssl(1):
# openssl req -days 3650 -nodes -new -x509 -keyout /etc/ssl/private/ca.key \
> -out /etc/ssl/ca.crt
[ ... ]
Country Name (2 letter code) []: IT
State or Province Name (full name) []: Italy
Locality Name (eg, city) []: Milan
Organization Name (eg, company) []: Kernel Panic Inc.
Organizational Unit Name (eg, section) []: Postfix CA
Common Name (eg, fully qualified host name) []: ca.lan.kernel-panic.it
Email Address []: <enter>
#
The next step is the creation of the private key (/etc/postfix/ssl/private/server.key) and Certificate Signing Request (/etc/postfix/ssl/private/server.csr) for the mail server:
# openssl req -days 3650 -nodes -new -keyout /etc/postfix/ssl/private/server.key \
> -out /etc/postfix/ssl/private/server.csr
[ ... ]
Country Name (2 letter code) []: IT
State or Province Name (full name) []: Italy
Locality Name (eg, city) []: Milan
Organization Name (eg, company) []: Kernel Panic Inc.
Organizational Unit Name (eg, section) []: Postfix Server
Common Name (eg, fully qualified host name) []: mail.kernel-panic.it
Email Address []: <enter>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <enter>
An optional company name []: <enter>
#
Finally, the CA will generate the signed certificate out of the certificate request:
# openssl x509 -req -days 3650 -in /etc/postfix/ssl/private/server.csr \
> -out /etc/postfix/ssl/server.crt -CA /etc/ssl/ca.crt \
> -CAkey /etc/ssl/private/ca.key -CAcreateserial
Signature ok
subject=/C=IT/ST=Italy/L=Milan/O=Kernel Panic Inc./OU=Postfix Server/CN=mail.kernel-panic.it
Getting CA Private Key
#
If you want the mail server to authenticate SMTP clients, you can generate any number of client certificates by repeating the last two steps.
To actually turn on TLS support in Postfix, we need to add a few parameters to the /etc/postfix/main.cf configuration file:
/etc/postfix/main.cf
# Enable (optional) TLS encryption
smtpd_tls_security_level = may
# Enable logging of TLS handshake and certificate information
smtpd_tls_loglevel = 1
# TLS certificates
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/private/server.key
smtpd_tls_CAfile = /etc/ssl/ca.crt
# External entropy source for the pseudo random number generator pool.
# Specify /dev/arandom when /dev/urandom gives timeout errors.
tls_random_source = dev:/dev/urandom
and uncomment the smtps service in /etc/postfix/master.cf(5):
/etc/postfix/master.cf
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
Finally, we can reload the Postfix configuration to apply the changes made:
# postfix reload
postfix/postfix-script: refreshing the Postfix mail system
4. MySQL
If Postfix is working fine, we can proceed to the next step and install MySQL. MySQL is "the world's most popular open source database", combining performance, reliability and ease of use. It will ensure faster data access times and allow us to centralize configuration information that both Postfix and Courier-IMAP will need to access.
There are a few packages we need to install:
p5-Net-Daemon-x.xx.tgz
p5-PlRPC-x.xxxx.tgz
p5-DBI-x.xx.tgz
p5-DBD-mysql-x.xxxx.tgz
mysql-server-x.x.xx.tgz
After the installation, you will find various sample configuration files in the /usr/local/share/mysql directory; choose the most suitable to your needs and copy it to /etc/my.cnf. E.g.:
# cp /usr/local/share/mysql/my-small.cnf /etc/my.cnf
4.1 The socket dilemma
Choosing a good location for the MySQL socket file is sometimes hard because of chrooted processes, which need to access it from inside their "reduced" filesystem. But Postfix goes even further: of its many processes, most are chrooted to the /var/spool/postfix directory, but a few are not! As a consequence, by default, part of the Postfix processes will look for the socket file in the /var/run/mysql/ directory, while the others will look for it in the /var/spool/postfix/var/run/mysql/ directory!
Anyway, there are many possible workarounds:
1. if the database runs on a remote server, there is no need to bother with the socket file! We will later see how to configure Postfix and Courier-IMAP for connecting to a remote database;
2. if you want to preserve the defaults as much as possible, you can create a link to the socket inside the chroot before the database startup:
# mkdir -p /var/spool/postfix/var/run/mysql/
# ln -f /var/run/mysql/mysql.sock /var/spool/postfix/var/run/mysql/mysql.sock
Remember to add the above commands to the /etc/rc.local(8) script to automatically create the link at boot time;
3. you can place the socket inside the Postfix chroot (by setting the value of the socket variable in the [mysqld] section of /etc/my.cnf to the path of the socket, e.g. /var/spool/postfix/mysql/mysql.sock), and give Postfix the possibility to choose between two distinct paths: /var/spool/postfix/mysql/mysql.sock, for non-chrooted processes, and /mysql/mysql.sock, for chrooted processes;
4. finally, you can forget about socket files and connect through the loopback network interface.
Mmmh... what to choose? After a moment's thought, I chose the latter solution, which is probably the simplest. Therefore, I left "skip-networking" commented out in /etc/my.cnf and added the following line in the [mysqld] section:
/etc/my.cnf
bind-address = 127.0.0.1
thus preventing MySQL from listening on the external network interfaces.
4.2 Configuration
First and foremost, we need to install the default databases and change the password of the MySQL root user (don't take my passwords as an example!):
# /usr/local/bin/mysql_install_db
[ ... ]
# mysqld_safe &
[ ... ]
# /usr/local/bin/mysql_secure_installation
[ ... ]
Enter current password for root (enter for none): <Enter>
OK, successfully used password, moving on...
[ ... ]
Set root password? [Y/n] Y
New password: root
Re-enter new password: root
Password updated successfully!
[ ... ]
Remove anonymous users? [Y/n] Y
 ... Success!
[ ... ]
Disallow root login remotely? [Y/n] Y
 ... Success!
[ ... ]
Remove test database and access to it? [Y/n] Y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!
[ ... ]
Reload privilege tables now? [Y/n] Y
 ... Success!
[ ... ]
#
and configure the system to start MySQL on boot:
/etc/rc.local
if [ -x /usr/local/bin/mysqld_safe ]; then
    echo -n ' MySQL'
    /usr/local/bin/mysqld_safe >/dev/null 2>&1 &
fi
Next, we will hook Postfix up to the database. In particular, we will modify the value of a few parameters in the /etc/postfix/main.cf file:
/etc/postfix/main.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailboxes.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
We will see in a moment the contents of those files; but first, we are going to create the database. Tables don't need to have any particular structure, since we will tell Postfix which queries to use to extract the data. Therefore, this will actually be just one among the many possible implementations: feel free to modify it according to your taste and needs.
Note: Postfix obtains the full pathname of the maildirs by joining the values of the virtual_mailbox_base and virtual_mailbox_maps parameters, while Courier-IMAP obtains it by joining the values of the MYSQL_HOME_FIELD and MYSQL_MAILDIR_FIELD parameters. As a consequence, we will create two separate fields in the users table (home and maildir) and make those variables point to them in order for Postfix and Courier-IMAP to get along.
# mysql -u root -p
password: root
mysql> CREATE DATABASE mail;
Query OK, 1 row affected (0.01 sec)
mysql> use mail
Database changed
mysql> CREATE TABLE domains (
    -> id INT NOT NULL PRIMARY KEY AUTO_INCREMENT,
    -> domain VARCHAR(255) NOT NULL UNIQUE);
Query OK, 0 rows affected (0.02 sec)
mysql> CREATE TABLE users (
    -> id INT NOT NULL PRIMARY KEY AUTO_INCREMENT,
    -> login VARCHAR(255) NOT NULL UNIQUE,
    -> name VARCHAR(255) NOT NULL,
    -> password CHAR(34) NOT NULL,
    -> uid SMALLINT NOT NULL DEFAULT 2000,
    -> gid SMALLINT NOT NULL DEFAULT 2000,
    -> home VARCHAR(255) NOT NULL DEFAULT '/var/vmail',
    -> maildir VARCHAR(255) NOT NULL,
    -> quota VARCHAR(30) NOT NULL DEFAULT '30000000S');
Query OK, 0 rows affected (0.01 sec)
mysql> CREATE TABLE alias_maps (
    -> id INT NOT NULL PRIMARY KEY AUTO_INCREMENT,
    -> account VARCHAR(255) NOT NULL UNIQUE,
    -> alias VARCHAR(255) NOT NULL);
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT SELECT ON mail.* to 'vmail'@'localhost' IDENTIFIED BY 'vmail';
Query OK, 0 rows affected (0.01 sec)
mysql> INSERT INTO domains (domain) VALUES ('kernel-panic.it');
Query OK, 1 row affected (0.01 sec)
mysql> INSERT INTO users (login, name, password, maildir)
    -> VALUES ('d.mazzocchio@kernel-panic.it', 'Daniele Mazzocchio',
    -> ENCRYPT('danix'), 'kernel-panic.it/d.mazzocchio/');
Query OK, 1 row affected (0.01 sec)
mysql> INSERT INTO alias_maps (account, alias)
    -> VALUES ('postmaster@kernel-panic.it',
    -> 'postmaster@localhost.kernel-panic.it');
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO alias_maps (account, alias)
    -> VALUES ('root@kernel-panic.it', 'root@localhost.kernel-panic.it');
Query OK, 1 row affected (0.00 sec)
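The Note above (Postfix joins virtual_mailbox_base with the virtual_mailbox_maps result, Courier-IMAP joins MYSQL_HOME_FIELD with MYSQL_MAILDIR_FIELD) is easy to get wrong when the home column drifts. The following script is an added example, not part of the original document: it rebuilds the schema just created in an in-memory SQLite database (standing in for MySQL, since SQLite ships with Python), runs the three lookup queries from the mysql_*.cf files the way Postfix consults them, and checks that both programs arrive at the same maildir path. The rows, the second user and the password hash are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the 'mail' database created above: same table and
# column names, SQLite types. The second user has a deliberately wrong home
# column to show how the Postfix and Courier-IMAP paths can disagree.
SCHEMA = """
CREATE TABLE domains (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    domain TEXT NOT NULL UNIQUE);
CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    login TEXT NOT NULL UNIQUE,
    name TEXT NOT NULL,
    password TEXT NOT NULL,
    uid INTEGER NOT NULL DEFAULT 2000,
    gid INTEGER NOT NULL DEFAULT 2000,
    home TEXT NOT NULL DEFAULT '/var/vmail',
    maildir TEXT NOT NULL,
    quota TEXT NOT NULL DEFAULT '30000000S');
CREATE TABLE alias_maps (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    account TEXT NOT NULL UNIQUE,
    alias TEXT NOT NULL);
INSERT INTO domains (domain) VALUES ('kernel-panic.it');
INSERT INTO users (login, name, password, maildir) VALUES
    ('d.mazzocchio@kernel-panic.it', 'Daniele Mazzocchio',
     '$1$constructed$placeholder-hash', 'kernel-panic.it/d.mazzocchio/');
INSERT INTO users (login, name, password, home, maildir) VALUES
    ('info@kernel-panic.it', 'Info', '$1$constructed$placeholder-hash',
     '/var/mail', 'kernel-panic.it/info/');
INSERT INTO alias_maps (account, alias) VALUES
    ('root@kernel-panic.it', 'root@localhost.kernel-panic.it');
"""

# The queries exactly as written in the three mysql_*.cf files; Postfix puts
# the looked-up key in place of %s.
QUERIES = {
    "virtual_mailbox_domains": "SELECT domain FROM domains WHERE domain='%s'",
    "virtual_alias_maps": "SELECT alias FROM alias_maps WHERE account='%s'",
    "virtual_mailbox_maps": "SELECT maildir FROM users WHERE login='%s'",
}


def open_mail_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_lookup(conn, table, key):
    """Run one Postfix mysql: table query; None means 'key not found'."""
    # Bind the key as a parameter instead of pasting it into the SQL text.
    sql = QUERIES[table].replace("'%s'", "?")
    row = conn.execute(sql, (key,)).fetchone()
    return row[0] if row else None


def postfix_resolve(conn, address, virtual_mailbox_base="/var/vmail"):
    """Consult the tables in the order Postfix does for a recipient address."""
    alias = table_lookup(conn, "virtual_alias_maps", address)
    if alias is not None:
        return ("alias", alias)  # rewritten, then resolved again by Postfix
    domain = address.rpartition("@")[2]
    if table_lookup(conn, "virtual_mailbox_domains", domain) is None:
        return ("not-a-virtual-domain", None)
    maildir = table_lookup(conn, "virtual_mailbox_maps", address)
    if maildir is None:
        return ("unknown-user", None)
    # A trailing slash means maildir; otherwise virtual(8) would write an mbox
    kind = "maildir" if maildir.endswith("/") else "mailbox-file"
    return (kind, virtual_mailbox_base + "/" + maildir)


def courier_resolve(conn, login):
    """Courier-IMAP joins MYSQL_HOME_FIELD and MYSQL_MAILDIR_FIELD."""
    row = conn.execute("SELECT home, maildir FROM users WHERE login=?",
                       (login,)).fetchone()
    return None if row is None else row[0].rstrip("/") + "/" + row[1]


def paths_agree(conn, login, virtual_mailbox_base="/var/vmail"):
    """True when Postfix would deliver where Courier-IMAP will look."""
    return postfix_resolve(conn, login, virtual_mailbox_base)[1] == \
        courier_resolve(conn, login)


if __name__ == "__main__":
    db = open_mail_db()
    for user in ("d.mazzocchio@kernel-panic.it", "info@kernel-panic.it"):
        print(user, postfix_resolve(db, user), courier_resolve(db, user),
              "agree" if paths_agree(db, user) else "MISMATCH")
```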
Now let's take a brief look at the new Postfix configuration files, which include configuration settings for MySQL.
/etc/postfix/mysql_virtual_domains.cf
user = vmail
password = vmail
# Solution 1:
# hosts = db_server_name
# Solution 2: skip this parameter
# Solution 3 (this file is required only by chrooted processes):
# hosts = unix:/mysql/mysql.sock
# Solution 4:
hosts = 127.0.0.1
dbname = mail
query = SELECT domain FROM domains WHERE domain='%s'
/etc/postfix/mysql_virtual_alias_maps.cf
user = vmail
password = vmail
# Solution 1:
# hosts = db_server_name
# Solution 2: skip this parameter
# Solution 3 (this file is required only by chrooted processes):
# hosts = unix:/mysql/mysql.sock
# Solution 4:
hosts = 127.0.0.1
dbname = mail
query = SELECT alias FROM alias_maps WHERE account='%s'
/etc/postfix/mysql_virtual_mailboxes.cf
user = vmail
password = vmail
# Solution 1:
# hosts = db_server_name
# Solution 2: skip this parameter
# Solution 3 (this file is required by both chrooted and non-chrooted processes):
# hosts = unix:/mysql/mysql.sock unix:/var/spool/postfix/mysql/mysql.sock
# Solution 4:
hosts = 127.0.0.1
dbname = mail
query = SELECT maildir FROM users WHERE login='%s'
That's all: now we can reload the Postfix configuration:
# postfix reload
postfix/postfix-script: refreshing the Postfix mail system
and test our work; everything should run exactly as before!
5. Courier-IMAP
Now that our server can send and receive email, it may be useful to let users read it! For this purpose, we're going to install Courier-IMAP, "a fast, scalable, enterprise IMAP server that uses Maildirs". This is the same IMAP server that's included in the Courier mail server, but configured as a standalone IMAP server that can be used with other mail servers, such as Postfix.
5.1 Installation and configuration
The following is the list of the required packages:
gdbm-x.x.x.tgz
libltdl-x.x.x.tgz
tcl-x.x.x.tgz
expect-x.x.x-no_tk.tgz
courier-authlib-x.x.tgz
courier-imap-x.x.x.tgz
courier-authlib-mysql-x.x.x.tgz
Once you have added all the packages, you will find a fresh new /etc/courier/ directory containing Courier-IMAP's configuration files. Let's take a brief look at each of them.
The /etc/courier/authdaemonrc configuration file sets several operational parameters for the authdaemond process (the resident authentication daemon); fortunately, we only need to edit the authmodulelist parameter, which specifies the list of the available authentication modules; set it to authmysql to allow for MySQL-based authentication:
/etc/courier/authdaemonrc
[ ... ]
authmodulelist="authmysql"
[ ... ]
The /etc/courier/authmysqlrc configuration file contains the authmysql database connection parameters; below is a sample configuration file:
/etc/courier/authmysqlrc
MYSQL_SERVER 127.0.0.1
MYSQL_USERNAME vmail
MYSQL_PASSWORD vmail
# If you connect through the socket:
#MYSQL_SOCKET /path/to/mysql.sock
#MYSQL_PORT 0
MYSQL_PORT 3306
MYSQL_OPT 0
MYSQL_DATABASE mail
MYSQL_USER_TABLE users
MYSQL_CRYPT_PWFIELD password
MYSQL_DEFAULT_DOMAIN kernel-panic.it
MYSQL_UID_FIELD uid
MYSQL_GID_FIELD gid
MYSQL_LOGIN_FIELD login
MYSQL_HOME_FIELD home
MYSQL_NAME_FIELD name
MYSQL_MAILDIR_FIELD maildir
MYSQL_QUOTA_FIELD quota
# MYSQL_WHERE_CLAUSE field=value AND field=value...
The next step is creating the SSL certificate for the IMAPS protocol. To make your life easier, Courier-IMAP comes with a script, mkimapdcert(8), which will create the certificate after reading all the necessary information from the /etc/courier/imapd.cnf configuration file. Therefore, you should first customize the latter file (in particular, pay close attention to the common name (CN) parameter, which must match the name of the server the users will connect to) and then run mkimapdcert(8):
# /usr/local/sbin/mkimapdcert
[ ... ]
Now we only have to start the daemons:
# mkdir -p /var/run/courier{,-auth}/
# /usr/local/sbin/authdaemond start
# /usr/local/libexec/imapd.rc start
# /usr/local/libexec/imapd-ssl.rc start
configure the system to start Courier-IMAP on boot:
/etc/rc.local
echo -n ' Courier-IMAP'
/bin/mkdir -p /var/run/courier{,-auth}/
[ -x /usr/local/sbin/authdaemond ] && /usr/local/sbin/authdaemond start
[ -x /usr/local/libexec/imapd.rc ] && /usr/local/libexec/imapd.rc start
[ -x /usr/local/libexec/imapd-ssl.rc ] && /usr/local/libexec/imapd-ssl.rc start
...and test our hard work! I suggest using a simple Python script, just to give our weary fingers a break:
imap_test.py
#!/usr/bin/env python
import imaplib

# Constants
IMAP_SRV = 'mail.kernel-panic.it'
USER = 'd.mazzocchio@kernel-panic.it'
PASSWD = 'danix'

# Connect to the server (plain IMAP on port 143; use imaplib.IMAP4_SSL
# to test the imapd-ssl daemon on port 993 instead)
imap_srv = imaplib.IMAP4(IMAP_SRV)
imap_srv.login(USER, PASSWD)
# Select the INBOX folder (the default mailbox)
imap_srv.select()
# Retrieve the list of message numbers
msg_nums = imap_srv.search(None, "ALL")[1]
# Print all messages
for num in msg_nums[0].split():
    msg = imap_srv.fetch(num, "(RFC822)")[1]
    print("Message %s\n%s\n" % (num, msg[0][1]))
# Disconnect from the server
imap_srv.close()
imap_srv.logout()
5.2 Adding POP3 access
It is usually desirable that email users be offered the choice between IMAP and POP3 remote access; after all, POP3 users tend to use less disk space, bandwidth and resources on the server.
Adding POP3 support to our mail server is fairly simple; first, we need to add the appropriate package:
courier-pop3-x.x.x.tgz
Then, we have to run mkpop3dcert(8) to generate the SSL certificate for POP3 over SSL (similarly to mkimapdcert(8), SSL parameters are read from a configuration file, /etc/courier/pop3d.cnf) and start the daemons:
# /usr/local/sbin/mkpop3dcert
[ ... ]
# /usr/local/libexec/pop3d.rc start
# /usr/local/libexec/pop3d-ssl.rc start
Add the following lines to /etc/rc.local(8) to start the POP3 server on boot:
/etc/rc.local
[ -x /usr/local/libexec/pop3d.rc ] && /usr/local/libexec/pop3d.rc start
[ -x /usr/local/libexec/pop3d-ssl.rc ] && /usr/local/libexec/pop3d-ssl.rc start
Finally, we can perform a quick test to make sure everything works as expected:
# telnet mail.kernel-panic.it 110
Trying 172.16.240.150...
Connected to mail.kernel-panic.it.
Escape character is '^]'.
+OK Hello there.
user d.mazzocchio@kernel-panic.it
+OK Password required.
pass danix
+OK logged in.
list
1 2531
[ ... ]
quit
+OK Bye-bye.
Connection closed by foreign host.
#
5.3 SMTP authentication with SASL
When configuring Postfix, we have restricted mail relay to a limited number of trusted networks, i.e. the internal corporate LANs. Sometimes, however, such a relay policy may not fit your organization's requirements: a typical example is the need to let mobile users (such as sales people) send messages from anywhere over the Internet.
In these cases, the best solution to allow relay from legitimate users (while still blocking UCE software) is certainly using SMTP authentication, by means of the SASL protocol (defined in [RFC2554]).
However, there are some downsides to enabling SASL authentication: it will force us to unchroot the smtpd(8) process and, since the Cyrus SASL library is a lot of code, Postfix will become as secure as other mail systems that use the Cyrus SASL library (see [SASL]). So, if you don't need this feature, feel free to skip to the next paragraph.
To enable SASL authentication in Postfix, we just have to add a few parameters in the /etc/postfix/main.cf configuration file:
/etc/postfix/main.cf
# Enable SASL authentication in the Postfix SMTP server
smtpd_sasl_auth_enable = yes
# Only accept mail from trusted networks, authenticated clients or mail with
# a RCPT TO address that Postfix is forwarder or final destination for
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination
# Enable inter-operability with old SMTP clients
broken_sasl_auth_clients = yes
# Name of the Postfix SMTP server's local SASL authentication realm
smtpd_sasl_local_domain = $mydomain
SASL configuration parameters must be contained in a file named smtpd.conf, located in /usr/local/lib/sasl2. The SASL library will rely on Courier's authdaemond process as the authentication backend (the MySQL backend only supports passwords stored in clear-text):
/usr/local/lib/sasl2/smtpd.conf
pwcheck_method: authdaemond
authdaemond_path: /var/run/courier-auth/socket
mech_list: PLAIN LOGIN
Next, we need to edit the /etc/postfix/master.cf(5) file to make smtpd(8) run unchrooted (just put an "n" in the process's chroot field):
/etc/postfix/master.cf
smtp inet n - n - - smtpd
[ ... ]
and reload Postfix configuration.
# postfix reload
postfix/postfix-script: refreshing the Postfix mail system
Finally, we can perform a simple test to make sure everything works as expected. Authentication information is sent as the base64 encoding of the string "\0username\0password", where "\0" is a null byte.
$ perl -MMIME::Base64 \
> -e 'print encode_base64("\0d.mazzocchio\@kernel-panic.it\0danix");'
AGQubWF6em9jY2hpb0BrZXJuZWwtcGFuaWMuaXQAZGFuaXg=
$ telnet mail.kernel-panic.it 25
Trying 172.16.240.150...
Connected to mail.kernel-panic.it.
Escape character is '^]'.
220 mail.kernel-panic.it ESMTP Postfix
EHLO somedomain.org
250-mail.kernel-panic.it
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AGQubWF6em9jY2hpb0BrZXJuZWwtcGFuaWMuaXQAZGFuaXg=
235 2.0.0 Authentication successful
quit
221 2.0.0 Bye
Connection closed by foreign host.
$
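The SASL PLAIN token format used in the session above, as an added example (not code from the original article): it builds the token the way the perl one-liner does, splits one back into its three fields, and reads the mechanisms advertised in an EHLO reply. The EHLO lines are a constructed copy of the ones shown above.

```python
#!/usr/bin/env python3
"""SASL PLAIN token handling for the SMTP AUTH test above.
Added example, not code from the original article."""
import base64
import binascii


def sasl_plain_encode(authcid, passwd, authzid=""):
    """Build the AUTH PLAIN initial response: base64(authzid NUL authcid NUL passwd).
    The article leaves the authorization identity empty, so the string starts
    with a NUL byte, exactly like the perl one-liner above."""
    for field in (authzid, authcid, passwd):
        if "\0" in field:
            raise ValueError("NUL byte not allowed inside a SASL PLAIN field")
    raw = "\0".join((authzid, authcid, passwd)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def sasl_plain_decode(token):
    """Split a base64 AUTH PLAIN token back into (authzid, authcid, passwd),
    e.g. to check what a test client actually sent. Raises ValueError on
    malformed input instead of guessing."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid base64: %s" % exc)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("expected two NUL separators, got %d" % (len(parts) - 1))
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authentication identity and password must be non-empty")
    return authzid, authcid, passwd


def auth_mechanisms(ehlo_lines):
    """Return the mechanisms listed on the '250-AUTH ...' line of an EHLO reply,
    so a script can confirm that smtpd_sasl_auth_enable took effect."""
    for line in ehlo_lines:
        code, sep, text = line[:3], line[3:4], line[4:]
        if code == "250" and sep in ("-", " ") and text.upper().startswith("AUTH "):
            return text.split()[1:]
    return []


# Constructed EHLO reply, transcribed from the telnet session above
EHLO_REPLY = [
    "250-mail.kernel-panic.it", "250-PIPELINING", "250-SIZE 10240000",
    "250-VRFY", "250-ETRN", "250-AUTH PLAIN LOGIN", "250-AUTH=PLAIN LOGIN",
    "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250 DSN",
]

if __name__ == "__main__":
    token = sasl_plain_encode("d.mazzocchio@kernel-panic.it", "danix")
    print("AUTH PLAIN", token)          # same token as in the session above
    print(sasl_plain_decode(token))
    print("advertised:", auth_mechanisms(EHLO_REPLY))
```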
5.4 Managing disk space
Quotas allow you to specify the maximum size of maildirs, in order to prevent the /var/vmail filesystem from filling up. The best option would certainly be to use the operating system's built-in quota support, but we can't, because we have a single user writing to all the maildirs. Therefore, we must rely on the mail software to get quota support on maildirs.
Courier-IMAP comes with built-in quota support, but this solves only one half of the problem: in fact, Postfix must also be able to reject mail sent to over-quota users. To achieve this, we will rely on the deliverquota(8) utility, which delivers mail taking into account any software-imposed quota on maildirs.
The first step is assigning a quota to each maildir with maildirmake(1). E.g.:
# /usr/local/bin/maildirmake -q 10000000S \
> /var/vmail/kernel-panic.it/d.mazzocchio
The above command installs an (approximately) 10MB quota on the /var/vmail/kernel-panic.it/d.mazzocchio maildir.
Next, we need to define, in /etc/postfix/master.cf(5), a special Postfix daemon for delivery through deliverquota(8):
/etc/postfix/master.cf
[ ... ]
qdeliver unix - n n - - pipe
    user=vmail argv=/usr/local/bin/deliverquota -w 90
    /var/vmail/${domain}/${user}
and tell Postfix to use this daemon for final delivery to virtual domains, by setting the value of the virtual_transport parameter in /etc/postfix/main.cf:
/etc/postfix/main.cf
virtual_transport = qdeliver
deliverquota(8) will place a warning message into the maildir if, after the message is successfully delivered, the maildir is at least 90 percent full (-w 90). The body of the warning message is copied verbatim from the /etc/courier/quotawarnmsg file.
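How the quota set with maildirmake -q and enforced by deliverquota -w 90 is accounted for, as an added example (not Courier's own code): it reads the maildirsize file that Courier keeps inside a quota-enabled maildir and decides whether a message of a given size would be delivered, delivered with a warning, or rejected. The maildirsize content is a constructed sample.

```python
#!/usr/bin/env python3
"""Courier maildir quota accounting for the maildirs created with
maildirmake -q above. Added example, not Courier's own code; it follows the
maildirsize file format Courier keeps in each quota-enabled maildir."""


def parse_quota_spec(spec):
    """Parse the first maildirsize line, e.g. '10000000S' or '10000000S,1000C':
    S is the byte limit, C the message-count limit."""
    limits = {"S": None, "C": None}
    for item in spec.strip().split(","):
        if not item:
            continue
        kind, digits = item[-1].upper(), item[:-1]
        if kind not in limits or not digits.isdigit():
            raise ValueError("bad quota item %r" % item)
        limits[kind] = int(digits)
    return limits


def parse_maildirsize(text):
    """Return (limits, used_bytes, used_count). Every line after the first is a
    '<bytes> <count>' delta appended on delivery (positive) or expunge
    (negative), so current usage is the running sum."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty maildirsize file")
    limits = parse_quota_spec(lines[0])
    size = count = 0
    for line in lines[1:]:
        if line.strip():
            delta_size, delta_count = line.split()
            size += int(delta_size)
            count += int(delta_count)
    return limits, size, count


def delivery_decision(text, msg_bytes, warn_percent=90):
    """What deliverquota does with a message of msg_bytes: 'reject' when it
    would push the maildir over quota, 'warn' when delivery leaves it at least
    warn_percent full (the -w 90 option above), otherwise 'deliver'."""
    limits, size, count = parse_maildirsize(text)
    new_size, new_count = size + msg_bytes, count + 1
    if limits["S"] is not None and new_size > limits["S"]:
        return "reject"
    if limits["C"] is not None and new_count > limits["C"]:
        return "reject"
    if limits["S"] is not None and new_size * 100 >= limits["S"] * warn_percent:
        return "warn"
    return "deliver"


# Constructed maildirsize for the 10MB quota above: two deliveries, one expunge
SAMPLE_MAILDIRSIZE = """10000000S
     4500000        1
     4200000        1
    -1000000       -1
"""

if __name__ == "__main__":
    print(parse_maildirsize(SAMPLE_MAILDIRSIZE))      # usage: 7700000 bytes, 1 message
    for size in (100000, 1500000, 2500000):
        print(size, delivery_decision(SAMPLE_MAILDIRSIZE, size))
```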
6. Content filtering
Now we have a fully-functional mail server, able to send and receive email and providing remote access to users' mailboxes. However, if we don't want our server to become an immune carrier of computer viruses or to be drowned under a sea of spam, we need to install all the necessary content-filtering tools.
Though Postfix natively supports multiple content inspection mechanisms, the documentation itself "encourages the use of external filters and standard protocols because this allows you to choose the best MTA and the best content inspection software for your purpose". Therefore, we will rely on third-party software for content filtering; in particular, we will use SpamAssassin to filter spam, ClamAV to check emails for viruses and Amavisd-new to coordinate it all. Below is the outline of the whole architecture:
[Figure: outline of the whole content-filtering architecture]
6.1 SpamAssassin
SpamAssassin is a "mature, widely-deployed open source project that serves as a mail filter to identify Spam. SpamAssassin uses a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases".
There are quite a few packages we need to install:
p5-Compress-Raw-Zlib-x.x.tgz
p5-IO-Compress-Base-x.x.tgz
p5-IO-Compress-Zlib-x.x.tgz
p5-Compress-Zlib-x.x.tgz
p5-IO-Zlib-x.x.tgz
p5-IO-String-x.x.tgz
p5-Algorithm-Diff-x.x.tgz
p5-Text-Diff-x.x.tgz
p5-Archive-Tar-x.x.tgz
re2c-x.x.x.tgz
p5-Net-CIDR-Lite-x.x.tgz
p5-Net-IP-x.x.tgz
p5-Digest-SHA1-x.x.tgz
p5-Digest-HMAC-x.x.tgz
p5-Net-DNS-x.x.tgz
p5-Sys-Hostname-Long-x.x.tgz
p5-URI-x.x.tgz
p5-Mail-SPF-Query-x.x.tgz
p5-Socket6-x.x.tgz
p5-IO-INET6-x.x.tgz
bzip2-x.x.x.tgz
libiconv-x.x.x.tgz
gettext-x.x.x.tgz
libidn-x.x.x.tgz
curl-x.x.x.tgz
gnupg-x.x.x.tgz
p5-Net-SSLeay-x.x.tgz
p5-IO-Socket-SSL-x.x.tgz
p5-HTML-Tagset-x.x.tgz
p5-HTML-Parser-x.x.tgz
p5-Crypt-SSLeay-x.x.tgz
libghttp-x.x.x.tgz
p5-HTTP-GHTTP-x.x.tgz
p5-libwww-x.x.tgz
p5-Mail-SpamAssassin-x.x.x.tgz
After the packages installation, you will find the main SpamAssassin configuration file (local.cf) in the fresh new /etc/mail/spamassassin directory. The configuration phase can be very complex and goes beyond the scope of this document; anyway, you can find all the details in the man page (Mail::SpamAssassin::Conf).
Like Postfix, SpamAssassin has a lot of configuration parameters, although, in most cases, default values can be preserved and only a few parameters need to be overridden:
/etc/mail/spamassassin/local.cf
rewrite_header Subject ***** SPAM *****
report_safe 1
lock_method flock
required_score 8.0
6.2 ClamAV
ClamAV is an "open source (GPL) anti-virus toolkit for UNIX"; the main purpose of this software is the integration with mail servers (i.e. attachment scanning). All the antivirus tasks are handled by three processes:
freshclam
    which automatically updates the virus definitions, by connecting to one of the ClamAV mirrors; its configuration file is /etc/freshclam.conf;
clamd
    a flexible and scalable multi-threaded antivirus daemon; its configuration file is /etc/clamd.conf;
clamscan
    a command line antivirus scanner.
The required packages are:
arc-x.x.tgz
lha-x.xx.xxxxxx.tgz
unzip-x.x.tgz
zoo-x.x.x.tgz
gmp-x.x.x.tgz
unarj-x.x (from the ports)
unrar-x.x (from the ports)
clamav-x.x.tgz
The freshclam.conf configuration file requires only a few parameters:
/etc/freshclam.conf
DatabaseDirectory /var/db/clamav
DatabaseOwner _clamav
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.it.clamav.net
DatabaseMirror database.clamav.net
MaxAttempts 3
Checks 24
Now we can update the virus definition database by running the freshclam command. Please make sure you have installed the latest release of ClamAV, or you'll get warning messages about reduced functionality, like the following:
# freshclam
ClamAV update process started at Tue Dec 18 00:35:25 2007
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.90.3 Recommended version: 0.92
DON'T PANIC! Read http://www.clamav.net/support/faq
Downloading main.cvd [100%]
main.cvd updated (version: 45, sigs: 169676, f-level: 21, builder: sven)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 16, recommended = 21
DON'T PANIC! Read http://www.clamav.net/support/faq
Downloading daily.cvd [100%]
daily.cvd updated (version: 5160, sigs: 8698, f-level: 21, builder: sven)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 16, recommended = 21
DON'T PANIC! Read http://www.clamav.net/support/faq
Database updated (178374 signatures) from db.it.clamav.net (IP: 193.206.139.37)
#
The reduced "functionality level" means that you may not be able to use all the available virus signatures and, consequently, fail to detect the latest viruses. To automatically update the database, we simply have to schedule freshclam in crontab every hour (preferably not on the hour, just to avoid traffic peaks):
1 * * * * /usr/local/bin/freshclam >/dev/null 2>&1
The /etc/clamd.conf configuration file also needs only a very few parameters edited:
/etc/clamd.conf
DatabaseDirectory /var/db/clamav
LocalSocket /var/clamav/clamd.sock
User _clamav
[...]
Now we can run clamd:
# touch /var/log/clamd.log
# chown _clamav /var/log/clamd.log
# clamd
Running as user _clamav (UID 539, GID 539)
and add the following lines to /etc/rc.local(8) to start it on system boot:
/etc/rc.local
if [ -x /usr/local/sbin/clamd ]; then
    echo -n ' clamd'
    [ -S /var/clamav/clamd.sock ] && rm -f /var/clamav/clamd.sock
    /usr/local/sbin/clamd >/dev/null 2>&1
fi
6.3 Amavisd-new
Amavisd-new is a high-performance interface between mailer (MTA) and content checkers. We will configure it to bind to port 10024 on the loopback interface, where Postfix will forward all incoming e-mails. If the e-mail successfully passes all the checks, it will be forwarded back to Postfix, listening on localhost port 10025; otherwise, mails may be deleted or quarantined and the administrator and recipients may be notified.
The following is the list of the required packages:
cabextract-x.x.tgz
freeze-x.x (from the ports)
p5-Convert-BinHex-x.x.tgz
p5-IO-stringy-x.x.tgz
p5-Mail-Tools-x.x.tgz
p5-Time-TimeDate-x.x.tgz
p5-MIME-tools-x.x.tgz
p5-Convert-TNEF-x.x.tgz
p5-Convert-UUlib-x.x.tgz
rpm2cpio-x.x.tgz
p5-Net-Server-x.x.tgz
p5-Unix-Syslog-x.x.tgz
amavisd-new-x.x.x.tgz
The installation procedure creates a new user and group called _vscan; however, the easiest way to get Amavisd-new to cooperate with ClamAV is to run them both under the same user (_clamav). The configuration file is /etc/amavisd.conf, which is actually a Perl script (so pay attention to the semicolons at the end of the lines!); below are the options you will most likely want to tweak:
/etc/amavisd.conf
# COMMONLY ADJUSTED SETTINGS:
$max_servers = 2;
$daemon_user = '_clamav';    # Run under the same user as ClamAV
$daemon_group = '_clamav';   # Run under the same group as ClamAV
$mydomain = 'kernel-panic.it';
$MYHOME = '/var/amavisd';
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to be created manually
$ENV{TMPDIR} = $TEMPBASE;
$QUARANTINEDIR = '/var/clamav/quarantine';
[...]
# Leave only ClamAV uncommented
@av_scanners = (
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/clamav/clamd.sock"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
[...]
# Leave only ClamAV uncommented
@av_scanners_backup = (
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
1;
After manually creating Amavisd-new's working directory (/var/amavisd/tmp), we can start the daemon in debug mode (i.e. in the foreground), just to check for any errors:
# mkdir /var/amavisd/tmp
# chown -R _clamav:_clamav /var/amavisd/
# /usr/local/sbin/amavisd debug
Dec 18 22:07:11 mail.kernel-panic.it /usr/local/sbin/amavisd[24429]: starting. /usr/local/sbin/amavisd at mail.kernel-panic.it amavisd-new-2.3.2 (20050629), Unicode aware
Dec 18 22:07:11 mail.kernel-panic.it /usr/local/sbin/amavisd[24429]: user=, EUID: 0 (0); group=, EGID: 0 31 20 5 4 3 2 0 (0 31 20 5 4 3 2 0)
Dec 18 22:07:11 mail.kernel-panic.it /usr/local/sbin/amavisd[24429]: Perl version 5.008008
[...]
Now we can configure the system to start Amavisd-new on boot:
/etc/rc.local
if [ -x /usr/local/sbin/amavisd ]; then
    echo -n ' amavisd'
    /usr/local/sbin/amavisd >/dev/null 2>&1
fi
The last step is to update Postfix configuration to enable interfacing between Postfix and Amavisd-new. To achieve this, we have to add a couple of services to the /etc/postfix/master.cf(5) configuration file: one to forward all incoming emails to Amavisd-new, and the other to get emails back again:
/etc/postfix/master.cf
smtp-amavis unix - - - - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n - - - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
Finally, we need to tell Postfix to start forwarding all the emails it receives to amavisd-new for content inspection, and reload the configuration:
# postconf -e 'content_filter=smtp-amavis:[127.0.0.1]:10024'
# postfix reload
postfix/postfix-script: refreshing the Postfix mail system
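A check of the two master.cf services above, as an added example (a small purpose-built parser, not Postfix's own code): it parses the service entries with their -o overrides and verifies that the port amavisd-new hands mail back to has an empty content_filter (otherwise every message would be sent to amavisd-new again) and only accepts mail from the loopback network. The master.cf text is a constructed copy of the fragment above.

```python
"""Sanity checks for the amavisd-new services in master.cf above.
Added example (a small purpose-built parser), not Postfix's own code."""

# Constructed copy of the two services added above
MASTER_CF = """\
smtp-amavis unix - - - - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n - - - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
"""

FIELDS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc", "command")


def parse_master_cf(text):
    """Parse master.cf into {name: {fields..., "options": {...}}}. Indented
    '-o name=value' lines belong to the preceding service entry."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            parts = raw.split()
            if current is None or parts[0] != "-o" or len(parts) < 2 or "=" not in parts[1]:
                raise ValueError("bad continuation line: %r" % raw)
            name, value = parts[1].split("=", 1)
            current["options"][name] = value
            continue
        cols = raw.split(None, 7)
        if len(cols) < 8:
            raise ValueError("short service line: %r" % raw)
        current = dict(zip(FIELDS, cols), options={})
        services[current["service"]] = current
    return services


def check_reinjection_service(services, name="127.0.0.1:10025"):
    """List problems with the listener amavisd hands mail back to. Without the
    empty content_filter override the message would be sent to amavisd again
    (a mail loop); without the loopback-only network settings the unfiltered
    port would accept mail from other hosts."""
    svc = services.get(name)
    if svc is None:
        return ["service %s not defined" % name]
    opts, problems = svc["options"], []
    if svc["type"] != "inet" or svc["command"] != "smtpd" or not name.startswith("127.0.0.1:"):
        problems.append("%s must be an smtpd inet service bound to the loopback address" % name)
    if opts.get("content_filter") != "":
        problems.append("content_filter must be overridden to empty (mail loop otherwise)")
    if opts.get("mynetworks") != "127.0.0.0/8" or opts.get("mynetworks_style") != "host":
        problems.append("mynetworks must be restricted to the loopback network")
    for key in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        if opts.get(key) != "permit_mynetworks,reject":
            problems.append("%s must be permit_mynetworks,reject" % key)
    return problems


if __name__ == "__main__":
    print(check_reinjection_service(parse_master_cf(MASTER_CF)) or "reinjection service OK")
```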
7. SquirrelMail
In addition to IMAP and POP3, most end-users will be glad to also have web-based access to their mailbox. Therefore, we will install SquirrelMail, a "standards-based webmail package written in PHP", with built-in support for the IMAP and SMTP protocols. It is written for maximum compatibility across browsers and has very few requirements; SquirrelMail is very easy to install and configure and provides a lot of plugins to allow administrators to deeply customize its look and feel.
Please note that the webmail software doesn't necessarily have to reside on the mail host: indeed, if you have a dedicated web server available, that's certainly the best place to install it.
7.1 Preliminary steps
The required packages are:
libxml-x.x.x.tgz
php5-core-x.x.x.tgz
php5-mbstring-x.x.x.tgz
If PHP wasn't already installed on your system, don't forget to enable it, as well as the mbstring module:
# ln -s /var/www/conf/modules.sample/php5.conf /var/www/conf/modules
# ln -fs /var/www/conf/php5.sample/mbstring.ini /var/www/conf/php5/mbstring.ini
You also have to uncomment the following line in the Apache configuration file, /var/www/conf/httpd.conf:
/var/www/conf/httpd.conf
AddType application/x-httpd-php .php
and restart Apache:
# apachectl restart
/usr/sbin/apachectl restart: httpd restarted
7.2 Installation and configuration
Now we can download SquirrelMail, extract it inside Apache's chroot and give the newly-created directory a nicer name:
# tar -zxvf squirrelmail-x.x.x.tar.gz -C /var/www/htdocs
# mv /var/www/htdocs/squirrelmail-x.x.x /var/www/htdocs/webmail
Next, we need to create three directories:
- the data directory (/var/www/squirrelmail/data), which will contain user preferences and will have to belong to Apache's www user;
- the attachment directory (/var/www/squirrelmail/attachments), where email attachments will be uploaded and which will have to be readable only by the root user, but writable by the www user too;
- the temporary directory where session data will be stored (/var/www/tmp), which must be accessible only to the www user.
# mkdir -p /var/www/squirrelmail/data
# mkdir /var/www/squirrelmail/attachments
# mkdir /var/www/tmp
# chown www:www /var/www/squirrelmail/data
# chgrp www /var/www/squirrelmail/attachments
# chmod 730 /var/www/squirrelmail/attachments
# chown www:www /var/www/tmp
# chmod 700 /var/www/tmp
Further configuration can be easily managed through a menu-driven Perl script, /var/www/htdocs/webmail/config/conf.pl. Some of the parameters you will certainly have to customize are:
Organization Preferences -> Organization Name
    The organization name, which will appear here and there in the web pages.
Server Settings -> Domain
    The domain name.
General Options -> Data Directory
    The pathname of the directory in which user preferences will be stored (in our case /squirrelmail/data/).
General Options -> Attachment Directory
    The pathname of the directory in which attachments will be temporarily stored (in our case /squirrelmail/attachments/).
Set pre-defined settings for specific IMAP servers -> courier
    Enable the predefined settings optimized for Courier-IMAP.
8. Appendix
Special thanks to Tomaž for his detailed notes on configuring TLS in Postfix.
8.1 References
Redundant firewalls with OpenBSD, CARP and pfsync
OpenBSD, a FREE, multi-platform 4.4BSD-based UNIX-like operating system
Postfix, an Open source email server for Unix
[TLS] - Postfix TLS Support
MySQL, the world's most popular open source database
Courier-IMAP, a fast, scalable, enterprise IMAP server that uses Maildirs
Cyrus SASL, the Cyrus SASL API implementation
Amavisd-new, a high-performance interface between mailer (MTA) and content checkers: virus scanners and/or SpamAssassin
SpamAssassin, a mail filter to identify spam using a wide range of heuristic tests on mail headers and body text
ClamAV, an open source (GPL) anti-virus toolkit for Unix
Postfix Virtual Domain Hosting Howto
[RFC2554] - RFC 2554, SMTP Service Extension for Authentication
[SASL] - Postfix SASL Howto
8.2 Bibliography
OpenBSD Documentation and Frequently Asked Questions
Postfix Configuration - UCE Controls
Postfix Basic Configuration
Postfix MySQL Howto
Postfix Virtual Domain Hosting Howto
Mail::SpamAssassin::Conf
How to use amavisd-new with Postfix
Clam AntiVirus 0.92 User Manual
Fairly-Secure Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC