Last update: Dec 21, 2008
Latest version: http://www.kernel-panic.it/openbsd/mail/

Table of Contents

1. Introduction
2. Preliminary installation steps
3. Postfix
   3.1 Configuration
   3.2 Enabling TLS
4. MySQL
   4.1 The socket dilemma
   4.2 Configuration
5. Courier-IMAP
   5.1 Installation and configuration
   5.2 Adding POP3 access
   5.3 SMTP authentication with SASL
   5.4 Managing disk space
6. Content filtering
   6.1 SpamAssassin
   6.2 ClamAV
   6.3 Amavisd-new
7. SquirrelMail
   7.1 Preliminary steps
   7.2 Installation and configuration
8. Appendix
   8.1 References
   8.2 Bibliography

OpenBSD as a mail server

1. Introduction

In a previous document, we built redundant firewalls using the CARP and PFSYNC protocols; these were the first building blocks of a hypothetical, OpenBSD-based, small private network that we are going to build step by step across several documents. Now that we have raised the "defensive walls" of our network, it's time to think about the services we want to provide.
Offering a reliable and secure email service is probably one of the top priorities of most system administrators; therefore, in the next chapters, we will build a full-featured mail server, based on open-source software and focusing on security. The following is the list of the pieces of software we will use:

OpenBSD: the "secure by default" operating system, with "only two remote holes in the default install, in more than 10 years!";
Postfix: an MTA "that started life as an alternative to the widely-used Sendmail program" and which "attempts to be fast, easy to administer, and secure";
MySQL: the "world's most popular open source database";
Courier-IMAP: a "fast, scalable, enterprise IMAP server" that supports MySQL and maildirs;
Cyrus SASL: the Cyrus implementation of the SASL protocol;
Amavisd-new: a "high-performance interface between mailer (MTA) and content checkers" (antivirus and antispam), written in Perl and optimized for Postfix;
SpamAssassin: a Perl-based "mail filter to identify Spam", using "a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases";
ClamAV: a fast and easy-to-use open-source virus scanner.

A good knowledge of OpenBSD is assumed, since we won't delve into system management topics such as base configuration or packages/ports installation.

2. Preliminary installation steps

Before delving into the installation and configuration of all the mail-handling software, we will take a brief look at the operating system that will host it. As usual, my choice goes to OpenBSD for its proven security, reliability and ease of use. Needless to say, all these features are essential for a system that will have to handle a large volume of email traffic while still making life hard for spammers and malicious users. We won't dwell upon the installation procedure here, which is documented in full detail on the OpenBSD web site.
Just a couple of notes:

- while partitioning the hard drive, bear in mind that we will configure Postfix to use virtual domains and, consequently, it will store all users' mail folders in a single directory (/var/vmail). Therefore, it is recommended to assign a (large) dedicated slice to this filesystem, in order to prevent mails from filling up any critical filesystem, should quotas fail. Furthermore, if you choose to install MySQL on the mail server itself, it is usually recommended to assign one of the first slices to /var/mysql, in order to allow for faster disk access by the database engine;
- the only file sets we will need to install are those marked as "required" in the documentation, i.e. bsd (the kernel), baseXX.tgz (the base system) and etcXX.tgz (the configuration files in /etc), plus compXX.tgz (the C compiler), where XX stands for the OpenBSD release number, since we will also have to install some ports not available as precompiled packages for licensing reasons.

Note: since leaving a compiler on a publicly accessible server is a definite security risk, it is recommended that you remove the compiler when the installation is over or that you compile on another machine.
After the first reboot, we can disable some default network services managed by inetd(8):

    $ grep -v ^# /etc/inetd.conf
    ident            stream  tcp     nowait  _identd /usr/libexec/identd     identd -el
    ident            stream  tcp6    nowait  _identd /usr/libexec/identd     identd -el
    127.0.0.1:comsat dgram   udp     wait    root    /usr/libexec/comsat     comsat
    [::1]:comsat     dgram   udp6    wait    root    /usr/libexec/comsat     comsat
    daytime          stream  tcp     nowait  root    internal
    daytime          stream  tcp6    nowait  root    internal
    time             stream  tcp     nowait  root    internal
    time             stream  tcp6    nowait  root    internal
    $

by commenting them out in /etc/inetd.conf and reloading inetd(8):

    # pkill -HUP inetd

Anyway, OpenBSD is considered secure also with those services turned on, and the mail server should be firewalled; nevertheless, I prefer staying on the safe side and disabling them all (including comsat(8), since we won't have any interactive user receiving mail on the system). To modify the server network configuration, please refer to the related chapter in the previous document about redundant firewalls or to the networking FAQ.
3. Postfix

Postfix is an MTA (Mail Transport Agent) developed by Wietse Venema "as an alternative to the widely-used Sendmail program". It "attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different". Postfix also comes with excellent documentation and a lot of howtos.

Our mail server requirements will be quite simple: it will be final destination solely for its canonical domains and it will only relay mail from systems on the internal network (though we will also consider relaying from untrusted networks by means of SMTP authentication). Canonical domains include the hostname (in our case, "mail.kernel-panic.it") and the IP address (172.16.240.150) of the machine that Postfix runs on, and the parent domain of the hostname ("kernel-panic.it").

Canonical domains are usually implemented with the Postfix local domain address class, which, unfortunately, has one major drawback for me: it requires each e-mail account to have a corresponding Unix account. On the contrary, I prefer:

1. keeping Unix and e-mail accounts apart, and
2. having all mailboxes well-ordered inside a single directory.

Therefore, we will use Postfix Virtual Domain Hosting, which is normally used for hosting multi-ple internet domains on the same server, but will also allow us to achieve our two goals.

3.1 Configuration

In this paragraph, we will configure Postfix to work standalone, with no back-end database. Then, in the next chapter, when everything is working fine, we will hook up Postfix to a MySQL database; this will allow us to centrally store configuration information that both Postfix and Courier-IMAP will need to access.
There are a few packages we need to install:

    mysql-client-x.x.x.tgz
    pcre-x.x.tgz
    postfix-x.x.x-mysql.tgz

Note: if you're planning to use SMTP authentication, you will need to compile Postfix from the ports, because there's no pre-compiled package available with both MySQL and SASL support:

    # cd /usr/ports/mail/postfix/snapshot
    # env FLAVOR="mysql sasl2" make install

The installation will create the /etc/postfix directory, containing all the configuration files. Postfix has several hundred configuration parameters that are controlled via the /etc/postfix/main.cf file, but don't worry: for the vast majority of these parameters, the default value is the best option (see postconf(5) for a detailed list of all the available configuration parameters, their description and their default value) and we will only have to override a very small subset of them:

/etc/postfix/main.cf

    # Directory containing all the post* commands
    command_directory = /usr/local/sbin
    # Directory containing all the Postfix daemon programs
    daemon_directory = /usr/local/libexec/postfix
    # Full pathnames of various Postfix commands
    sendmail_path = /usr/local/sbin/sendmail
    newaliases_path = /usr/local/sbin/newaliases
    mailq_path = /usr/local/sbin/mailq
    # Directories containing documentation
    html_directory = /usr/local/share/doc/postfix/html
    manpage_directory = /usr/local/man
    readme_directory = /usr/local/share/doc/postfix/readme
    # The owner of the Postfix queue and of most Postfix daemon processes
    mail_owner = _postfix
    # The group for mail submission and queue management commands
    setgid_group = _postdrop
    # The myhostname parameter specifies the internet hostname of this mail system. It
    # is used as default for many other configuration parameters (default = system's
    # FQDN)
    myhostname = mail.kernel-panic.it
    # The internet domain name of this mail system.
    # Used as default for many other
    # configuration parameters (default = $myhostname minus the first component)
    mydomain = kernel-panic.it
    # The domain name that locally-posted mail appears to come from, and that locally
    # posted mail is delivered to. As you can see, a parameter value may refer to other
    # parameters
    myorigin = $myhostname
    # Network interface addresses that this mail system receives mail on
    inet_interfaces = all
    # Network interface addresses that this mail system receives mail on by way of a
    # proxy or NAT unit
    proxy_interfaces = router.kernel-panic.it
    # List of domains that this machine considers itself the final destination for.
    # Virtual domains must not be specified here
    mydestination = $myhostname, localhost.$mydomain, localhost
    # List of "trusted" SMTP clients allowed to relay mail through Postfix.
    mynetworks = 127.0.0.0/8, 172.16.0.0/24, 172.16.240.0/24
    # What destination (sub)domains this system will relay mail to
    relay_domains = $mydestination
    # The default host to send mail to when no entry is matched in the optional
    # transport(5) table. Square brackets turn off MX lookups
    relayhost = [smtp.isp.com]
    # List of alias databases used by the local delivery agent
    alias_maps = hash:/etc/postfix/aliases
    # Alias database(s) built with "newaliases" or "sendmail -bi". This is a separate
    # configuration parameter, because alias_maps may specify tables that are not
    # necessarily all under control by Postfix
    alias_database = hash:/etc/postfix/aliases
    # SMTP greeting banner
    smtpd_banner = $myhostname ESMTP $mail_name
    # Postfix is final destination for the specified list of "virtual" domains
    virtual_mailbox_domains = kernel-panic.it
    # Virtual mailboxes base directory
    virtual_mailbox_base = /var/vmail
    # Optional lookup tables with all valid addresses in the domains that match
    # $virtual_mailbox_domains.
    virtual_mailbox_maps = hash:/etc/postfix/vmailbox
    # The minimum user ID value accepted by the virtual(8) delivery agent
    virtual_minimum_uid = 2000
    # User ID that the virtual(8) delivery agent uses while writing to the recipient's
    # mailbox
    virtual_uid_maps = static:2000
    # Group ID that the virtual(8) delivery agent uses while writing to the recipient's
    # mailbox
    virtual_gid_maps = static:2000
    # Optional lookup tables that alias specific mail addresses or domains to other
    # local or remote address
    virtual_alias_maps = hash:/etc/postfix/virtual

Let's take a closer look at some of the above configuration parameters. One of the goals we had was to avoid having a separate Unix account for each e-mail account. We have achieved this by configuring Postfix to write to the mailboxes using uid 2000 and gid 2000 (see the virtual_uid_maps and virtual_gid_maps parameters above). Now we only have to create a user with this pair of uid and gid:

    # useradd -d /var/vmail -g =uid -u 2000 -s /sbin/nologin \
        -c "Virtual Mailboxes Owner" -m vmail

Our second goal was having all mailboxes grouped together in a single directory; this is achieved by setting the value of the virtual_mailbox_base parameter to the path of that directory (in our configuration, /var/vmail). As a matter of fact, this parameter is a prefix that the virtual(8) agent prepends to all pathname results from virtual_mailbox_maps table lookups.

In our configuration, the virtual_mailbox_maps parameter refers to the /etc/postfix/vmailbox file, containing the list of all valid addresses in the virtual domains (virtual_mailbox_domains parameter) and the path to the corresponding mailboxes or maildirs (a mailbox is a single file containing all the emails; a maildir, instead, is a directory, with a defined structure, containing all the emails in separate files):

/etc/postfix/vmailbox

    info@kernel-panic.it           kernel-panic.it/info/
    d.mazzocchio@kernel-panic.it   kernel-panic.it/d.mazzocchio/
    [...]
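A small consistency check for a vmailbox table like the one above, added here as an example and not part of the original document: it parses the table, flags entries whose domain is not in virtual_mailbox_domains or whose path lacks the trailing slash (an mbox file, which Courier-IMAP cannot serve), and can optionally verify the owner and layout of maildirs that already exist under virtual_mailbox_base. The sample table, the domain set and the base path are constructed to mirror the configuration above; Python 3 is assumed.

```python
"""Check a Postfix virtual_mailbox_maps table in the /etc/postfix/vmailbox format.

Added example, not from the original document.  Settings mirror the main.cf
above; check_maildir_on_disk() is only meaningful on the mail server itself."""
import os

# Constructed sample table: same format as /etc/postfix/vmailbox.
SAMPLE_VMAILBOX = """\
# address                        path relative to virtual_mailbox_base
info@kernel-panic.it             kernel-panic.it/info/
d.mazzocchio@kernel-panic.it     kernel-panic.it/d.mazzocchio/
sales@kernel-panic.it            kernel-panic.it/sales
bob@example.org                  example.org/bob/
"""

VIRTUAL_MAILBOX_DOMAINS = {"kernel-panic.it"}   # virtual_mailbox_domains
VIRTUAL_MAILBOX_BASE = "/var/vmail"            # virtual_mailbox_base
VMAIL_UID = VMAIL_GID = 2000                    # virtual_uid_maps / virtual_gid_maps


def parse_vmailbox(text):
    """Yield (address, relative_path) pairs, skipping blank and '#' lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("malformed vmailbox line: %r" % raw)
        yield fields[0], fields[1]


def check_entry(address, rel_path, domains=VIRTUAL_MAILBOX_DOMAINS):
    """Return the list of problems with one table entry (empty list = OK)."""
    problems = []
    domain = address.rpartition("@")[2]
    if domain not in domains:
        problems.append("domain %r is not listed in virtual_mailbox_domains" % domain)
    if not rel_path.endswith("/"):
        # Without the slash virtual(8) delivers to an mbox file, which Courier-IMAP cannot serve.
        problems.append("no trailing slash: Postfix would deliver to an mbox file, not a maildir")
    if rel_path.startswith("/") or ".." in rel_path.split("/"):
        problems.append("path must stay below virtual_mailbox_base (no leading '/' or '..')")
    return problems


def check_maildir_on_disk(full_path, uid=VMAIL_UID, gid=VMAIL_GID):
    """If the maildir already exists, verify its owner and its cur/new/tmp layout."""
    if not os.path.isdir(full_path):
        return ["maildir does not exist yet (Postfix creates it on first delivery)"]
    problems = []
    st = os.stat(full_path)
    if (st.st_uid, st.st_gid) != (uid, gid):
        problems.append("owner is %d:%d, expected %d:%d" % (st.st_uid, st.st_gid, uid, gid))
    for sub in ("cur", "new", "tmp"):
        if not os.path.isdir(os.path.join(full_path, sub)):
            problems.append("missing maildir subdirectory %r" % sub)
    return problems


def audit(text, base=VIRTUAL_MAILBOX_BASE, domains=VIRTUAL_MAILBOX_DOMAINS,
          check_disk=False):
    """Return {address: [problems]} for every entry with at least one problem."""
    report = {}
    for address, rel_path in parse_vmailbox(text):
        problems = check_entry(address, rel_path, domains)
        if check_disk:
            problems += check_maildir_on_disk(os.path.join(base, rel_path))
        if problems:
            report[address] = problems
    return report


if __name__ == "__main__":
    for addr, probs in sorted(audit(SAMPLE_VMAILBOX).items()):
        print(addr)
        for p in probs:
            print("  - " + p)
```

Run it with check_disk=True on the server itself to also compare existing maildirs against the uid/gid that virtual(8) writes with.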
Please pay attention to the trailing slashes: they tell Postfix that the pathname refers to a maildir instead of a mailbox file, and maildirs are our only option, since Courier-IMAP doesn't support mailbox files.

The virtual_alias_maps parameter allows aliasing specific mail addresses or domains to other local or remote addresses. Its value is the pathname of a file (in our case /etc/postfix/virtual) containing the alias mappings:

/etc/postfix/virtual

    root@kernel-panic.it          root@localhost.kernel-panic.it
    postmaster@kernel-panic.it    postmaster@localhost.kernel-panic.it
    abuse@kernel-panic.it         postmaster@localhost.kernel-panic.it
    [...]

Finally, the /etc/postfix/aliases file contains the addresses to which Postfix will redirect mail for local recipients (see aliases(5)). Since many accounts point to root's email address, you should check root's email frequently or forward it all to another account. E.g.:

/etc/postfix/aliases

    root:           d.mazzocchio@kernel-panic.it
    MAILER-DAEMON:  postmaster
    postmaster:     root
    bin:            root
    [...]

Now we only have to rebuild the Postfix lookup tables:

    # /usr/local/sbin/postmap /etc/postfix/vmailbox
    # /usr/local/sbin/postmap /etc/postfix/virtual
    # /usr/local/sbin/newaliases

replace Sendmail:

    # /usr/local/sbin/postfix-enable
    old /etc/mailer.conf saved as /etc/mailer.conf.pre-postfix
    postfix /etc/mailer.conf enabled

    NOTE: do not forget to add sendmail_flags="-bd" to /etc/rc.conf.local to startup postfix correctly.
    NOTE: do not forget to add "-a /var/spool/postfix/dev/log" to syslogd_flags in /etc/rc.conf.local and restart syslogd.
    NOTE: do not forget to remove the "sendmail clientmqueue runner" from root's crontab.
    #

and follow the above advice, by commenting out the "sendmail clientmqueue runner" in root's crontab:

    # sendmail clientmqueue runner
    #*/30   *       *       *       *       /usr/sbin/sendmail -L sm-msp-queue -Ac -q

and adding a couple of variables to the /etc/rc.conf.local(8) file.
/etc/rc.conf.local

    # Specify a location where syslogd(8) should place an additional log socket
    # for Postfix
    syslogd_flags="-a /var/spool/postfix/dev/log"
    # Make Postfix start in background and process queued messages every 30 min
    sendmail_flags="-bd"

Now we can restart the processes (or simply reboot):

    # pkill -HUP syslogd
    # pkill sendmail
    # /usr/local/sbin/sendmail -bd

and test our hard work!

    # telnet mail.kernel-panic.it 25
    Trying 172.16.240.150...
    Connected to mail.kernel-panic.it.
    Escape character is '^]'.
    220 mail.kernel-panic.it ESMTP Postfix
    HELO somedomain.org
    250 mail.kernel-panic.it
    mail from: someone@somedomain.org
    250 Ok
    rcpt to: d.mazzocchio@kernel-panic.it
    250 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    From: someone@somedomain.org
    To: d.mazzocchio@kernel-panic.it
    Subject: Test mail

    It works!
    .
    250 Ok: queued as ...
    quit
    221 Bye
    Connection closed by foreign host.
    # tail /var/log/maillog
    Dec  1 15:26:35 mail postfix/smtpd[...]: connect from ws1.lan.kernel-panic.it[172.16.0.15]
    Dec  1 15:26:53 mail postfix/smtpd[...]: ...: client=ws1.lan.kernel-panic.it[172.16.0.15]
    Dec  1 15:27:02 mail postfix/cleanup[...]: ...: message-id=<...@mail.kernel-panic.it>
    Dec  1 15:27:02 mail postfix/qmgr[...]: ...: from=<someone@somedomain.org>, size=..., nrcpt=1 (queue active)
    Dec  1 15:27:02 mail postfix/virtual[...]: ...: to=<d.mazzocchio@kernel-panic.it>, relay=virtual, delay=15, delays=15/0.28/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
    Dec  1 15:27:02 mail postfix/qmgr[...]: ...: removed
    Dec  1 15:27:06 mail postfix/smtpd[...]: disconnect from ws1.lan.kernel-panic.it[172.16.0.15]
    # cat /var/vmail/kernel-panic.it/d.mazzocchio/new/...
    Return-Path: <someone@somedomain.org>
    X-Original-To: d.mazzocchio@kernel-panic.it
    Delivered-To: d.mazzocchio@kernel-panic.it
    Received: from somedomain.org (ws1.lan.kernel-panic.it [172.16.0.15])
            by mail.kernel-panic.it (Postfix) with SMTP id ...
            for <d.mazzocchio@kernel-panic.it>; Sat,  1 Dec 2007 15:26:47 +0100 (CET)
    From: someone@somedomain.org
    To: d.mazzocchio@kernel-panic.it
    Subject: Test mail
    Message-Id: <...@mail.kernel-panic.it>
    Date: Sat,  1 Dec 2007 15:26:47 +0100 (CET)

    It works!
    #

3.2 Enabling TLS

Enabling TLS support in Postfix allows you to encrypt SMTP sessions and SASL authentication exchanges and to optionally authenticate remote SMTP clients and/or servers. However, keep in mind that, by enabling TLS support, you also turn on thousands and thousands of lines of OpenSSL library code. Assuming that OpenSSL is written as carefully as Wietse's own code, every 1000 lines introduce one additional bug into Postfix [TLS]. Therefore, if you think you don't need these features, feel free to skip directly to the next chapter.

TLS relies on public key certificates for authentication and therefore requires that you first set up a basic Public Key Infrastructure (PKI) for managing digital certificates. As a preliminary step, we will create the directories where certificates will be stored:

    # install -m 700 -d /etc/postfix/ssl/private

The first step in setting up the PKI is the creation of the root CA certificate (/etc/ssl/ca.crt) and private key (/etc/ssl/private/ca.key) using openssl(1):

    # openssl req -days 3650 -nodes -new -x509 -keyout /etc/ssl/private/ca.key \
        -out /etc/ssl/ca.crt
    [ ... ]
    Country Name (2 letter code) []:IT
    State or Province Name (full name) []:Italy
    Locality Name (eg. city) []:Milan
    Organization Name (eg. company) []:Kernel Panic Inc.
    Organizational Unit Name (eg. section) []:Postfix CA
    Common Name (eg. fully qualified host name) []:ca.lan.kernel-panic.it
    Email Address []:<enter>
    #

The next step is the creation of the private key (/etc/postfix/ssl/private/server.key) and Certificate Signing Request (/etc/postfix/ssl/private/server.csr) for the mail server:

    # openssl req -days 3650 -nodes -new -keyout /etc/postfix/ssl/private/server.key \
        -out /etc/postfix/ssl/private/server.csr
    [ ... ]
    Country Name (2 letter code) []:IT
    State or Province Name (full name) []:Italy
    Locality Name (eg. city) []:Milan
    Organization Name (eg. company) []:Kernel Panic Inc.
    Organizational Unit Name (eg. section) []:Postfix Server
    Common Name (eg. fully qualified host name) []:mail.kernel-panic.it
    Email Address []:<enter>

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:<enter>
    An optional company name []:<enter>
    #

Finally, the CA will generate the signed certificate out of the certificate request:

    # openssl x509 -req -days 3650 -in /etc/postfix/ssl/private/server.csr \
        -out /etc/postfix/ssl/server.crt -CA /etc/ssl/ca.crt \
        -CAkey /etc/ssl/private/ca.key -CAcreateserial
    Signature ok
    subject=/C=IT/ST=Italy/L=Milan/O=Kernel Panic Inc./OU=Postfix Server/CN=mail.kernel-panic.it
    Getting CA Private Key
    #

If you want the mail server to authenticate SMTP clients, you can generate any number of client certificates by repeating the last two steps.

To actually turn on TLS support in Postfix, we need to add a few parameters to the /etc/postfix/main.cf configuration file:

/etc/postfix/main.cf

    # Enable (optional) TLS encryption
    smtpd_tls_security_level = may
    # Enable logging of TLS handshake and certificate information
    smtpd_tls_loglevel = 1
    # TLS certificates
    smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
    smtpd_tls_key_file = /etc/postfix/ssl/private/server.key
    smtpd_tls_CAfile = /etc/ssl/ca.crt
    # External entropy source for the pseudo random number generator pool.
    # Specify /dev/arandom when /dev/urandom gives timeout errors.
    tls_random_source = dev:/dev/urandom

and uncomment the smtps service in /etc/postfix/master.cf(5):

/etc/postfix/master.cf

    smtps     inet  n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING

Finally, we can reload the Postfix configuration to apply the changes made:

    # postfix reload
    postfix/postfix-script: refreshing the Postfix mail system

4. MySQL

If Postfix is working fine, we can proceed to the next step and install MySQL. MySQL is "the world's most popular open source database", combining performance, reliability and ease of use. It will ensure faster data access times and allow us to centralize configuration information that both Postfix and Courier-IMAP will need to access.

There are a few packages we need to install:

    p5-Net-Daemon-x.xx.tgz
    p5-PlRPC-x.xxxx.tgz
    p5-DBI-x.xx.tgz
    p5-DBD-mysql-x.xxxx.tgz
    mysql-server-x.x.xx.tgz

After the installation, you will find various sample configuration files in the /usr/local/share/mysql directory; choose the most suitable to your needs and copy it to /etc/my.cnf. E.g.:

    # cp /usr/local/share/mysql/my-small.cnf /etc/my.cnf

4.1 The socket dilemma

Choosing a good location for the MySQL socket file is sometimes hard because of chrooted processes, which need to access it from inside their "reduced" filesystem.
But Postfix goes even further: of its many processes, most are chrooted to the /var/spool/postfix directory, but a few are not! As a consequence, by default, part of the Postfix processes will look for the socket file in the /var/run/mysql/ directory, while the others will look for it in the /var/spool/postfix/var/run/mysql/ directory! Anyway, there are many possible workarounds:

1. if the database runs on a remote server, there is no need to bother with the socket file! We will later see how to configure Postfix and Courier-IMAP for connecting to a remote database;
2. if you want to preserve the defaults as much as possible, you can create a link to the socket inside the chroot before the database startup:

       # mkdir -p /var/spool/postfix/var/run/mysql/
       # ln -f /var/run/mysql/mysql.sock /var/spool/postfix/var/run/mysql/mysql.sock

   Remember to add the above commands to the /etc/rc.local(8) script to automatically create the link at boot time;
3. you can place the socket inside the Postfix chroot (by setting the value of the socket variable in the [mysqld] section of /etc/my.cnf to the path of the socket, e.g. /var/spool/postfix/mysql/mysql.sock), and give Postfix the possibility to choose between two distinct paths: /var/spool/postfix/mysql/mysql.sock, for non-chrooted processes, and /mysql/mysql.sock, for chrooted processes;
4. finally, you can forget about socket files and connect through the loopback network interface.

Mmmh... what to choose? After a moment's thought, I chose the latter solution, which is probably the simplest. Therefore, I left "skip-networking" commented out in /etc/my.cnf and added the following line to the [mysqld] section:

/etc/my.cnf

    bind-address = 127.0.0.1

thus preventing MySQL from listening on the external network interfaces.
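The socket dilemma above, as an added example that is not part of the original document: a Python 3 script that reads the chroot column of master.cf and resolves each candidate "hosts" value of mysql_table(5) to the path a chrooted or non-chrooted Postfix process would actually open. The master.cf excerpt and the set of existing socket files are constructed; a bare address or inet: entry is treated as reachable since no socket file is involved, and the pre-3.0 Postfix default of chroot=y for a "-" column is assumed.

```python
"""Which MySQL socket path does each Postfix process actually open?

Added example, not from the original document.  It resolves mysql_table(5)
'hosts' entries for chrooted and non-chrooted Postfix processes; the master.cf
excerpt and the existing socket paths below are constructed."""
import posixpath

POSTFIX_CHROOT = "/var/spool/postfix"

# Constructed master.cf excerpt (columns: service type private unpriv chroot
# wakeup maxproc command).  '-' in the chroot column selects the default,
# which was 'y' in Postfix releases before 3.0 (the era of this document).
MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
cleanup   unix  n       -       -       -       0       cleanup
trivial-rewrite unix -  -       -       -       -       trivial-rewrite
virtual   unix  -       n       n       -       -       virtual
local     unix  -       n       n       -       -       local
"""


def parse_master_cf(text, chroot_default="y"):
    """Return {service: chrooted?} from master.cf lines (continuation lines ignored)."""
    services = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or raw[:1].isspace():
            continue
        fields = line.split()
        if len(fields) < 8:
            raise ValueError("malformed master.cf line: %r" % raw)
        flag = chroot_default if fields[4] == "-" else fields[4]
        services[fields[0]] = (flag == "y")
    return services


def effective_socket_path(hosts_entry, chrooted, chroot=POSTFIX_CHROOT):
    """Path a process really opens for one hosts entry; None for TCP entries."""
    if not hosts_entry.startswith("unix:"):
        return None                       # 127.0.0.1 or inet:host:port: no socket file
    path = hosts_entry[len("unix:"):]
    if chrooted:
        # Inside the jail '/' is the chroot directory, so the path is re-rooted.
        return posixpath.normpath(chroot + "/" + path.lstrip("/"))
    return path


def reachable(hosts, services, existing_sockets, chroot=POSTFIX_CHROOT):
    """{service: True/False}: can the process reach MySQL with this hosts setting?"""
    result = {}
    for name, chrooted in services.items():
        ok = False
        for entry in hosts.split():
            path = effective_socket_path(entry, chrooted, chroot)
            if path is None or path in existing_sockets:
                ok = True
        result[name] = ok
    return result


# The alternatives discussed above; the socket locations are constructed.
SOLUTIONS = {
    "default socket path":         ("unix:/var/run/mysql/mysql.sock",
                                    {"/var/run/mysql/mysql.sock"}),
    "2: link inside the chroot":   ("unix:/var/run/mysql/mysql.sock",
                                    {"/var/run/mysql/mysql.sock",
                                     "/var/spool/postfix/var/run/mysql/mysql.sock"}),
    "3: socket inside the chroot": ("unix:/mysql/mysql.sock unix:/var/spool/postfix/mysql/mysql.sock",
                                    {"/var/spool/postfix/mysql/mysql.sock"}),
    "4: loopback interface":       ("127.0.0.1", set()),
}


def compare_solutions(master_cf=MASTER_CF, solutions=SOLUTIONS):
    """{solution: sorted list of services that could NOT reach the database}."""
    services = parse_master_cf(master_cf)
    return {label: sorted(s for s, ok in reachable(hosts, services, socks).items() if not ok)
            for label, (hosts, socks) in solutions.items()}


if __name__ == "__main__":
    for label, broken in compare_solutions().items():
        status = "all processes OK" if not broken else "unreachable from: " + ", ".join(broken)
        print("%-28s %s" % (label, status))
```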
4.2 Configuration

First and foremost, we need to install the default databases and change the password of the MySQL root user (don't take my passwords as an example!):

    # /usr/local/bin/mysql_install_db
    [ ... ]
    # mysqld_safe &
    [ ... ]
    # /usr/local/bin/mysql_secure_installation
    [ ... ]
    Enter current password for root (enter for none): <Enter>
    OK, successfully used password, moving on...
    [ ... ]
    Set root password? [Y/n] Y
    New password: root
    Re-enter new password: root
    Password updated successfully!
    [ ... ]
    Remove anonymous users? [Y/n] Y
     ... Success!
    [ ... ]
    Disallow root login remotely? [Y/n] Y
     ... Success!
    [ ... ]
    Remove test database and access to it? [Y/n] Y
     - Dropping test database...
     ... Success!
     - Removing privileges on test database...
     ... Success!
    [ ... ]
    Reload privilege tables now? [Y/n] Y
     ... Success!
    [ ... ]
    #

and configure the system to start MySQL on boot:

/etc/rc.local

    if [ -x /usr/local/bin/mysqld_safe ]; then
        echo -n ' MySQL'
        /usr/local/bin/mysqld_safe >/dev/null 2>&1 &
    fi

Next, we will hook Postfix up to the database. In particular, we will modify the value of a few parameters in the /etc/postfix/main.cf file:

/etc/postfix/main.cf

    virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains.cf
    virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailboxes.cf
    virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf

We will see in a moment the contents of those files; but first, we are going to create the database. Tables don't need to have any particular structure, since we will tell Postfix which queries to use to extract the data. Therefore, this will actually be just one among the many possible implementations: feel free to modify it according to your taste and needs.
Note: Postfix obtains the full pathname of the maildirs by joining the values of the virtual_mailbox_base and virtual_mailbox_maps parameters, while Courier-IMAP obtains it by joining the values of the MYSQL_HOME_FIELD and MYSQL_MAILDIR_FIELD parameters. As a consequence, we will create two separate fields in the users table (home and maildir) and make those variables point to them in order for Postfix and Courier-IMAP to get along.

    # mysql -u root -p
    password: root
    mysql> CREATE DATABASE mail;
    Query OK, 1 row affected (0.01 sec)
    mysql> use mail
    Database changed
    mysql> CREATE TABLE domains (
        ->   id INT NOT NULL PRIMARY KEY AUTO_INCREMENT,
        ->   domain VARCHAR(255) NOT NULL UNIQUE);
    Query OK, 0 rows affected (0.02 sec)
    mysql> CREATE TABLE users (
        ->   id INT NOT NULL PRIMARY KEY AUTO_INCREMENT,
        ->   login VARCHAR(255) NOT NULL UNIQUE,
        ->   name VARCHAR(255) NOT NULL,
        ->   password CHAR(13) NOT NULL,
        ->   uid SMALLINT NOT NULL DEFAULT 2000,
        ->   gid SMALLINT NOT NULL DEFAULT 2000,
        ->   home VARCHAR(255) NOT NULL DEFAULT '/var/vmail',
        ->   maildir VARCHAR(255) NOT NULL,
        ->   quota VARCHAR(10) NOT NULL DEFAULT '10000000S');
    Query OK, 0 rows affected (0.01 sec)
    mysql> CREATE TABLE alias_maps (
        ->   id INT NOT NULL PRIMARY KEY AUTO_INCREMENT,
        ->   account VARCHAR(255) NOT NULL UNIQUE,
        ->   alias VARCHAR(255) NOT NULL);
    Query OK, 0 rows affected (0.00 sec)
    mysql> GRANT SELECT ON mail.* to 'vmail'@'localhost' IDENTIFIED BY 'vmail';
    Query OK, 0 rows affected (0.01 sec)
    mysql> INSERT INTO domains (domain) VALUES ('kernel-panic.it');
    Query OK, 1 row affected (0.01 sec)
    mysql> INSERT INTO users (login, name, password, maildir)
        ->   VALUES ('d.mazzocchio@kernel-panic.it', 'Daniele Mazzocchio',
        ->   ENCRYPT('danix'), 'kernel-panic.it/d.mazzocchio/');
    Query OK, 1 row affected (0.01 sec)
    mysql> INSERT INTO alias_maps (account, alias)
        ->   VALUES ('postmaster@kernel-panic.it',
        ->   'postmaster@localhost.kernel-panic.it');
    Query OK, 1 row affected (0.00 sec)
    mysql> INSERT INTO alias_maps (account, alias)
        ->   VALUES ('root@kernel-panic.it', 'root@localhost.kernel-panic.it');
    Query OK, 1 row affected (0.00 sec)

Now let's take a brief look at the new Postfix configuration files, which contain the MySQL connection settings and the lookup queries.

/etc/postfix/mysql_virtual_domains.cf

    user = vmail
    password = vmail
    # Solution 1:
    # hosts = db_server_name
    # Solution 2: skip this parameter
    # Solution 3 (this file is required only by chrooted processes):
    # hosts = unix:/mysql/mysql.sock
    # Solution 4:
    hosts = 127.0.0.1
    dbname = mail
    query = SELECT domain FROM domains WHERE domain='%s'

/etc/postfix/mysql_virtual_alias_maps.cf

    user = vmail
    password = vmail
    # Solution 1:
    # hosts = db_server_name
    # Solution 2: skip this parameter
    # Solution 3 (this file is required only by chrooted processes):
    # hosts = unix:/mysql/mysql.sock
    # Solution 4:
    hosts = 127.0.0.1
    dbname = mail
    query = SELECT alias FROM alias_maps WHERE account='%s'

/etc/postfix/mysql_virtual_mailboxes.cf

    user = vmail
    password = vmail
    # Solution 1:
    # hosts = db_server_name
    # Solution 2: skip this parameter
    # Solution 3 (this file is required by both chrooted and non-chrooted processes):
    # hosts = unix:/mysql/mysql.sock unix:/var/spool/postfix/mysql/mysql.sock
    # Solution 4:
    hosts = 127.0.0.1
    dbname = mail
    query = SELECT maildir FROM users WHERE login='%s'

That's all: now we can reload the Postfix configuration:

    # postfix reload
    postfix/postfix-script: refreshing the Postfix mail system

and test our work; everything should run exactly as before!

5. Courier-IMAP

Now that our server can send and receive email, it may be useful to let users read it! For this purpose, we're going to install Courier-IMAP, "a fast, scalable, enterprise IMAP server that uses Maildirs".
This is the same IMAP server that's included in the Courier mail server, but configured as a standalone IMAP server that can be used with other mail servers, such as Postfix.

5.1 Installation and configuration

The following is the list of the required packages:

    gdbm-x.x.x.tgz
    libltdl-x.x.x.tgz
    tcl-x.x.x.tgz
    expect-x.x.xx-no_tk.tgz
    courier-authlib-x.x.tgz
    courier-imap-x.x.x.tgz
    courier-authlib-mysql-x.x.x.tgz

Once you have added all the packages, you will find a fresh new /etc/courier/ directory containing Courier-IMAP's configuration files. Let's take a brief look at each of them.

The /etc/courier/authdaemonrc configuration file sets several operational parameters for the authdaemond process (the resident authentication daemon); fortunately, we only need to edit the authmodulelist parameter, which specifies the list of the available authentication modules; set it to authmysql to allow for MySQL-based authentication:

/etc/courier/authdaemonrc

    [...]
    authmodulelist="authmysql"
    [...]

The /etc/courier/authmysqlrc configuration file contains the authmysql database connection parameters; below is a sample configuration file:

/etc/courier/authmysqlrc

    MYSQL_SERVER            127.0.0.1
    MYSQL_USERNAME          vmail
    MYSQL_PASSWORD          vmail
    # If you connect through the socket:
    #MYSQL_SOCKET           /path/to/mysql.sock
    #MYSQL_PORT             0
    MYSQL_PORT              3306
    MYSQL_OPT               0
    MYSQL_DATABASE          mail
    MYSQL_USER_TABLE        users
    MYSQL_CRYPT_PWFIELD     password
    MYSQL_DEFAULT_DOMAIN    kernel-panic.it
    MYSQL_UID_FIELD         uid
    MYSQL_GID_FIELD         gid
    MYSQL_LOGIN_FIELD       login
    MYSQL_HOME_FIELD        home
    MYSQL_NAME_FIELD        name
    MYSQL_MAILDIR_FIELD     maildir
    MYSQL_QUOTA_FIELD       quota
    # MYSQL_WHERE_CLAUSE    field=value AND field=value...

The next step is creating the SSL certificate for the IMAPS protocol. To make your life easier, Courier-IMAP comes with a script, mkimapdcert(8), which will create the certificate after reading all the necessary information from the /etc/courier/imapd.cnf configuration file.
Therefore, you should first customize the latter file (in particular, pay close attention to the common name (CN) parameter, which must match the name of the server the users will connect to) and then run mkimapdcert(8):

    # /usr/local/sbin/mkimapdcert
    [ ... ]

Now we only have to start the daemons:

    # mkdir -p /var/run/courier{,-auth}/
    # /usr/local/sbin/authdaemond start
    # /usr/local/libexec/imapd.rc start
    # /usr/local/libexec/imapd-ssl.rc start

configure the system to start Courier-IMAP on boot:

/etc/rc.local:
    echo -n " Courier-IMAP"
    /bin/mkdir -p /var/run/courier{,-auth}/
    [ -x /usr/local/sbin/authdaemond ] && /usr/local/sbin/authdaemond start
    [ -x /usr/local/libexec/imapd.rc ] && /usr/local/libexec/imapd.rc start
    [ -x /usr/local/libexec/imapd-ssl.rc ] && /usr/local/libexec/imapd-ssl.rc start

...and test our hard work! I suggest using a simple Python script, just to give our weary fingers a break:

imap_test.py:
    #!/usr/bin/env python
    import imaplib

    # Constants
    IMAP_SRV = 'mail.kernel-panic.it'
    USER = 'd.mazzocchio@kernel-panic.it'
    PASSWD = 'danix'

    # Connect to server (plain IMAP on port 143; imaplib.IMAP4_SSL would test IMAPS)
    imap_srv = imaplib.IMAP4(IMAP_SRV)
    imap_srv.login(USER, PASSWD)

    # Select the INBOX folder
    imap_srv.select()

    # Retrieve message list
    msg_nums = imap_srv.search(None, "ALL")[1]

    # Print all messages
    for num in msg_nums[0].split():
        msg = imap_srv.fetch(num, "(RFC822)")[1]
        print("Message %s\n%s\n" % (num, msg[0][1]))

    # Disconnect from server
    imap_srv.close()
    imap_srv.logout()

5.2 Adding POP3 access

It is usually desirable that email users be offered the choice between IMAP and POP3 remote access; after all, POP3 users tend to use less disk space, bandwidth and resources on the server. Adding POP3 support to our mail server is fairly simple; first, we need to add the appropriate package:

    courier-pop3-x.x.x.tgz

Then, we have to run mkpop3dcert(8) to generate the SSL certificate for POP3
over SSL (similarly to mkimapdcert(8), SSL parameters are read from a configuration file, /etc/courier/pop3d.cnf) and start the daemons:

    # /usr/local/sbin/mkpop3dcert
    [ ... ]
    # /usr/local/libexec/pop3d.rc start
    # /usr/local/libexec/pop3d-ssl.rc start

Add the following lines to /etc/rc.local(8) to start the POP3 server on boot:

/etc/rc.local:
    [ -x /usr/local/libexec/pop3d.rc ] && /usr/local/libexec/pop3d.rc start
    [ -x /usr/local/libexec/pop3d-ssl.rc ] && /usr/local/libexec/pop3d-ssl.rc start

Finally, we can perform a quick test to make sure everything works as expected:

    $ telnet mail.kernel-panic.it 110
    Trying 172.16.240.150...
    Connected to mail.kernel-panic.it.
    Escape character is '^]'.
    +OK Hello there.
    user d.mazzocchio@kernel-panic.it
    +OK Password required.
    pass danix
    +OK logged in.
    list
    1 2531
    [ ... ]
    quit
    +OK Bye-bye.
    Connection closed by foreign host.
    $

5.3 SMTP authentication with SASL

When configuring Postfix, we have restricted mail relay to a limited number of trusted networks, i.e. the internal corporate LANs. Sometimes, however, such a relay policy may not fit your organization's requirements: a typical example is the need to let mobile users (such as sales people) send messages from anywhere over the Internet. In these cases, the best solution to allow relay from legitimate users (while still blocking UCE software) is certainly using SMTP authentication, by means of the SASL protocol (defined in [RFC4954]). However, there are some downsides to enabling SASL authentication: it will force us to unchroot the smtpd(8) process and, since the Cyrus SASL library is a lot of code, Postfix will become as secure as other mail systems that use the Cyrus SASL library (see [SASL]). So, if you don't need this feature, feel free to skip to the next paragraph.
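Before touching the configuration, it is worth seeing exactly what the AUTH PLAIN exchange tested at the end of this section puts on the wire. The Python script below is an added example, not part of the original document: it builds the same base64 string the page later produces with a Perl one-liner, and shows that the string decodes back to the username and password with no key at all. That is the reason PLAIN and LOGIN should only be offered on a session already protected by the TLS support enabled earlier (Postfix's smtpd_tls_auth_only parameter enforces this). The sample credentials are the ones used in the page's own test.

```python
import base64

# Constructed sample credentials; they are the ones the page's own test uses.
SAMPLE_USER = "d.mazzocchio@kernel-panic.it"
SAMPLE_PASS = "danix"


def encode_plain(authcid, passwd, authzid=""):
    """Build the SASL PLAIN initial response as defined in RFC 4616:
    base64( authzid NUL authcid NUL passwd ).
    The page's perl one-liner leaves authzid empty, so the raw string
    starts with a null byte, exactly as the text describes."""
    for field in (authzid, authcid, passwd):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    raw = "\0".join((authzid, authcid, passwd)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(b64):
    """Reverse of encode_plain(): returns (authzid, authcid, passwd).
    No key or secret is involved, which is why the mechanism must only
    be offered on a TLS-protected session."""
    raw = base64.b64decode(b64, validate=True)
    fields = raw.split(b"\0")
    if len(fields) != 3:
        raise ValueError("a PLAIN response carries exactly two NUL separators")
    return tuple(f.decode("utf-8") for f in fields)


def auth_plain_line(authcid, passwd):
    """The client command line as typed in the page's telnet session."""
    return "AUTH PLAIN " + encode_plain(authcid, passwd)


if __name__ == "__main__":
    line = auth_plain_line(SAMPLE_USER, SAMPLE_PASS)
    print(line)
    # The third word of the line decodes straight back to the credentials.
    print(decode_plain(line.split(" ", 2)[2]))
```

The encoder refuses fields containing NUL because the null byte is the field separator; an authzid is accepted as an optional first field, which the page's example leaves empty.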
To enable SASL authentication in Postfix, we just have to add a few parameters in the /etc/postfix/main.cf configuration file:

/etc/postfix/main.cf:
    # Enable SASL authentication in the Postfix SMTP server
    smtpd_sasl_auth_enable = yes
    # Only accept mail from trusted networks, authenticated clients or mail with
    # a "RCPT TO" address that Postfix is forwarder or final destination for
    smtpd_recipient_restrictions = permit_mynetworks
                                   permit_sasl_authenticated
                                   reject_unauth_destination
    # Enable inter-operability with old SMTP clients
    broken_sasl_auth_clients = yes
    # Name of the Postfix SMTP server's local SASL authentication realm
    smtpd_sasl_local_domain = $mydomain

SASL configuration parameters must be contained in a file named smtpd.conf, located in /usr/local/lib/sasl2. The SASL library will rely on Courier's authdaemond process as the authentication backend (the MySQL backend only supports passwords stored in clear-text):

/usr/local/lib/sasl2/smtpd.conf:
    pwcheck_method: authdaemond
    authdaemond_path: /var/run/courier-auth/socket
    mech_list: PLAIN LOGIN

Next, we need to edit the /etc/postfix/master.cf(5) file to make smtpd(8) run unchrooted (just put a "n" in the process's chroot field):

/etc/postfix/master.cf:
    smtp      inet  n       -       n       -       -       smtpd
    [ ... ]

and reload Postfix configuration.

    # postfix reload
    postfix/postfix-script: refreshing the Postfix mail system

Finally, we can perform a simple test to make sure everything works as expected. Authentication information is sent as the base64-encoding of the string "\0username\0password", where "\0" is a null byte.

    $ perl -MMIME::Base64 \
        -e 'print encode_base64("\0d.mazzocchio\@kernel-panic.it\0danix");'
    AGQubWF6em9jY2hpb0BrZXJuZWwtcGFuaWMuaXQAZGFuaXg=
    $ telnet mail.kernel-panic.it 25
    Trying 172.16.240.150...
    Connected to mail.kernel-panic.it.
    Escape character is '^]'.
    220 mail.kernel-panic.it ESMTP Postfix
    EHLO somedomain.org
    250-mail.kernel-panic.it
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    AUTH PLAIN AGQubWF6em9jY2hpb0BrZXJuZWwtcGFuaWMuaXQAZGFuaXg=
    235 2.0.0 Authentication successful
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
    $

5.4 Managing disk space

Quotas allow you to specify the maximum size of maildirs, in order to prevent the /var/vmail filesystem from filling up. The best option would certainly be to use the operating system's built-in quota support, but we can't, because we have a single user writing to all the maildirs. Therefore, we must rely on the mail software to get quota support on maildirs. Courier-IMAP comes with built-in quota support, but this solves only one half of the problem: in fact, also Postfix must be able to reject mail sent to over-quota users. To achieve this, we will rely on the deliverquota(8) utility, which delivers mail taking into account any software-imposed quota on maildirs. The first step is assigning a quota to each maildir with maildirmake(1). E.g.:

    # /usr/local/bin/maildirmake -q 10000000S \
        /var/vmail/kernel-panic.it/d.mazzocchio

The above command installs an (approximately) 10MB quota on the /var/vmail/kernel-panic.it/d.mazzocchio maildir. Next, we need to define, in /etc/postfix/master.cf(5), a special Postfix daemon for delivery through deliverquota(8):

/etc/postfix/master.cf:
    [ ... ]
    qdeliver  unix  -       n       n       -       -       pipe
      user=vmail argv=/usr/local/bin/deliverquota -w 90 /var/vmail/${domain}/${user}

and tell Postfix to use this daemon for final delivery to virtual domains, by setting the value of the virtual_transport parameter in /etc/postfix/main.cf:

/etc/postfix/main.cf:
    virtual_transport = qdeliver

deliverquota(8) will place a warning message into the maildir if, after the message is successfully delivered, the maildir is at least 90 percent full (-w 90).
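To see what deliverquota(8) and Courier-IMAP actually account against, here is an added example (not from the original document or from Courier) that parses a Courier maildirsize file, the file that maildirmake -q creates inside the maildir. Its first line holds the quota definition (for instance 10000000S, optionally followed by a message-count limit such as ,1000C) and every later line records the size and message-count delta of one delivery or deletion. The sample content is constructed; the 90 percent warning threshold mirrors the -w 90 option used above, and the function names are this example's own.

```python
import re

# Constructed maildirsize content: the quota line written by "maildirmake -q 10000000S",
# then one "size count" line per delivery; a deletion is recorded with negative values.
SAMPLE_MAILDIRSIZE = """10000000S
2531 1
9100000 3
-2531 -1
"""

QUOTA_RE = re.compile(r"^(\d+)([SC])$")


def parse_quota(spec):
    """Parse a Courier quota definition such as '10000000S' or '10000000S,1000C'
    into {'S': max_bytes, 'C': max_messages}; an absent limit is None."""
    limits = {"S": None, "C": None}
    for item in spec.split(","):
        m = QUOTA_RE.match(item.strip())
        if not m:
            raise ValueError("bad quota item: %r" % item)
        limits[m.group(2)] = int(m.group(1))
    return limits


def maildir_usage(text):
    """Return (limits, used_bytes, used_count) from the contents of a maildirsize file.
    Usage is the running sum of the delta lines, which is how Courier computes it."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty maildirsize file")
    limits = parse_quota(lines[0])
    used_bytes = used_count = 0
    for line in lines[1:]:
        size, count = line.split()
        used_bytes += int(size)
        used_count += int(count)
    return limits, used_bytes, used_count


def quota_status(text, warn_percent=90):
    """Classify a maildir the way deliverquota's options are described on the page:
    'over' if a limit is exceeded, 'warn' if the size limit is at least warn_percent
    full (deliverquota -w 90), otherwise 'ok'. Returns (status, percent_of_size_limit)."""
    limits, used_bytes, used_count = maildir_usage(text)
    pct = None
    if limits["S"]:
        pct = 100.0 * used_bytes / limits["S"]
        if used_bytes > limits["S"]:
            return "over", pct
    if limits["C"] and used_count > limits["C"]:
        return "over", pct
    if pct is not None and pct >= warn_percent:
        return "warn", pct
    return "ok", pct


if __name__ == "__main__":
    status, pct = quota_status(SAMPLE_MAILDIRSIZE)
    print("maildir is %s (%.1f%% of size quota)" % (status, pct))
```

Courier rebuilds maildirsize from a directory scan when the file grows too large or gets stale, so a one-off check like this is only as accurate as the file itself; it is still a quick way to confirm that the quota the page installs is the one deliverquota will enforce.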
The body of the warning message is copied verbatim from the /etc/courier/quotawarnmsg file.

6. Content filtering

Now we have a fully-functional mail server, able to send and receive email and providing remote access to users' mailboxes. However, if we don't want our server to become an immune carrier of computer viruses or to be drowned under a sea of spam, we need to install all the necessary content-filtering tools. Though Postfix natively supports multiple content inspection mechanisms, the documentation itself "encourages the use of external filters and standard protocols because this allows you to choose the best MTA and the best content inspection software for your purpose". Therefore, we will rely on third-party software for content filtering; in particular, we will use SpamAssassin to filter spam, ClamAV to check emails for viruses and Amavisd-new to coordinate it all. Below is the outline of the whole architecture:
6.1 SpamAssassin

SpamAssassin is a "mature, widely-deployed open source project that serves as a mail filter to identify Spam. SpamAssassin uses a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases". There are quite a few packages we need to install:

    p5-Compress-Raw-Zlib-x.x.tgz
    p5-IO-Compress-Base-x.x.tgz
    p5-IO-Compress-Zlib-x.x.tgz
    p5-Compress-Zlib-x.x.tgz
    p5-IO-Zlib-x.x.tgz
    p5-IO-String-x.x.tgz
    p5-Algorithm-Diff-x.x.tgz
    p5-Text-Diff-x.x.tgz
    p5-Archive-Tar-x.x.tgz
    re2c-x.x.x.tgz
    p5-Net-CIDR-Lite-x.x.tgz
    p5-Net-IP-x.x.tgz
    p5-Digest-SHA1-x.x.tgz
    p5-Digest-HMAC-x.x.tgz
    p5-Net-DNS-x.x.tgz
    p5-Sys-Hostname-Long-x.x.tgz
    p5-URI-x.x.tgz
    p5-Mail-SPF-Query-x.x.tgz
    p5-Socket6-x.x.tgz
    p5-IO-INET6-x.x.tgz
    bzip2-x.x.x.tgz
    libiconv-x.x.x.tgz
    gettext-x.x.x.tgz
    libidn-x.x.x.tgz
    curl-x.x.x.tgz
    gnupg-x.x.x.tgz
    p5-Net-SSLeay-x.x.tgz
    p5-IO-Socket-SSL-x.x.tgz
    p5-HTML-Tagset-x.x.tgz
    p5-HTML-Parser-x.x.tgz
    p5-Crypt-SSLeay-x.x.tgz
    libghttp-x.x.x.tgz
    p5-HTTP-GHTTP-x.x.tgz
    p5-libwww-x.x.tgz
    p5-Mail-SpamAssassin-x.x.x.tgz

After the packages installation, you will find the main SpamAssassin configuration file (local.cf) in the fresh new /etc/mail/spamassassin directory. The configuration phase can be very complex and goes beyond the scope of this document; anyway, you can find all the details in the man page (Mail::SpamAssassin::Conf). Like Postfix, SpamAssassin has a lot of configuration parameters, although, in most cases, default values can be preserved and only a few parameters need to be overridden:

/etc/mail/spamassassin/local.cf:
    rewrite_header Subject ***** SPAM *****
    report_safe 1
    lock_method flock
    required_score 8.0

6.2 ClamAV

ClamAV is an "open source (GPL) anti-virus toolkit for UNIX"; the main purpose of this software is the integration with mail servers (i.e. attachment scanning).
All the antivirus tasks are handled by three processes:

- freshclam, which automatically updates the virus definitions, by connecting to one of the ClamAV mirrors; its configuration file is /etc/freshclam.conf;
- clamd, a flexible and scalable multi-threaded antivirus daemon; its configuration file is /etc/clamd.conf;
- clamscan, a command line antivirus scanner.

The required packages are:

    arc-x.xx.tgz
    lha-x.xx.xxxxxx.tgz
    unzip-x.x.tgz
    zoo-x.x.x.tgz
    gmp-x.x.x.tgz
    unarj-x.x (from the ports)
    unrar-x.x (from the ports)
    clamav-x.x.tgz

The freshclam.conf configuration file requires only a few parameters:

/etc/freshclam.conf:
    DatabaseDirectory /var/db/clamav
    DatabaseOwner _clamav
    DNSDatabaseInfo current.cvd.clamav.net
    DatabaseMirror db.it.clamav.net
    DatabaseMirror database.clamav.net
    MaxAttempts 3
    Checks 24

Now we can update the virus definition database by running the freshclam command. Please make sure you have installed the latest release of ClamAV, or you'll get warning messages about reduced functionality, like the following:

    # freshclam
    ClamAV update process started at Tue Dec 18 00:35:25 2007
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.90.3 Recommended version: 0.92
    DON'T PANIC! Read http://www.clamav.net/support/faq
    Downloading main.cvd [100%]
    main.cvd updated (version: 45, sigs: [...], f-level: 21, builder: sven)
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Current functionality level = [...], recommended = 21
    DON'T PANIC! Read http://www.clamav.net/support/faq
    Downloading daily.cvd [100%]
    daily.cvd updated (version: [...], sigs: [...], f-level: 21, builder: sven)
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Current functionality level = [...], recommended = 21
    DON'T PANIC! Read http://www.clamav.net/support/faq
    Database updated ([...] signatures) from db.it.clamav.net (IP: [...])
    #

The reduced "functionality level" means that you may not be able to use all the available virus signatures and, consequently, fail to detect the latest viruses. To automatically update the database, we simply have to schedule freshclam in crontab every hour (preferably not on the hour, just to avoid traffic peaks):

    1 * * * * /usr/local/bin/freshclam >/dev/null 2>&1

Also the /etc/clamd.conf configuration file needs editing only very few parameters:

/etc/clamd.conf:
    DatabaseDirectory /var/db/clamav
    LocalSocket /var/clamav/clamd.sock
    User _clamav
    [...]

Now we can run clamd:

    # touch /var/log/clamd.log
    # chown _clamav /var/log/clamd.log
    # clamd
    Running as user _clamav (UID 539, GID 539)

and add the following lines to /etc/rc.local(8) to start it on system boot:

/etc/rc.local:
    if [ -x /usr/local/sbin/clamd ]; then
        echo -n " clamd"
        [ -S /var/clamav/clamd.sock ] && rm -f /var/clamav/clamd.sock
        /usr/local/sbin/clamd >/dev/null 2>&1
    fi

6.3 Amavisd-new

Amavisd-new is a high-performance interface between mailer (MTA) and content checkers. We will configure it to bind to port 10024 on the loopback interface, where Postfix will forward all incoming e-mails. If the e-mail successfully passes all the checks, it will be forwarded back to Postfix, listening on localhost port 10025; otherwise, mails may be deleted or quarantined and the administrator and recipients may be notified.
The following is the list of the required packages:

    cabextract-x.x.tgz
    freeze-x.x (from the ports)
    p5-Convert-BinHex-x.x.tgz
    p5-IO-stringy-x.x.tgz
    p5-Mail-Tools-x.x.tgz
    p5-Time-TimeDate-x.x.tgz
    p5-MIME-tools-x.x.tgz
    p5-Convert-TNEF-x.x.tgz
    p5-Convert-UUlib-x.x.tgz
    rpm2cpio-x.x.tgz
    p5-Net-Server-x.x.tgz
    p5-Unix-Syslog-x.x.tgz
    amavisd-new-x.x.x.tgz

The installation procedure creates a new user and group called _vscan; however, the easiest way to get Amavisd-new to cooperate with ClamAV is to run them both under the same user (_clamav). The configuration file is /etc/amavisd.conf, which is actually a perl script (so pay attention to the semicolons at the end of the lines!); below are the options you will most likely want to tweak:

/etc/amavisd.conf:
    # COMMONLY ADJUSTED SETTINGS:
    $max_servers = 2;
    $daemon_user  = '_clamav';      # Run under the same user as ClamAV
    $daemon_group = '_clamav';      # Run under the same group as ClamAV
    $mydomain = 'kernel-panic.it';
    $MYHOME = '/var/amavisd';
    $TEMPBASE = "$MYHOME/tmp";      # working directory, needs to be created manually
    $ENV{TMPDIR} = $TEMPBASE;
    $QUARANTINEDIR = '/var/clamav/quarantine';
    [...]
    # Leave only ClamAV uncommented
    @av_scanners = (
      ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", '/var/clamav/clamd.sock'],
        qr/\bOK$/, qr/\bFOUND$/,
        qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
    );
    [...]
    # Leave only ClamAV uncommented
    @av_scanners_backup = (
      ['ClamAV-clamscan', 'clamscan',
        "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1],
        qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
    );
    1;

After manually creating Amavisd-new's working directory (/var/amavisd/tmp), we can start the daemon in debug mode (i.e. in foreground), just to check any errors:

    # mkdir /var/amavisd/tmp
    # chown -R _clamav:_clamav /var/amavisd/
    # /usr/local/sbin/amavisd debug
    Dec 18 22:07:11 mail.kernel-panic.it /usr/local/sbin/amavisd[24429]: starting. /usr/local/sbin/amavisd at mail.kernel-panic.it amavisd-new-2.3.2 (20050629),
Unicode aware
    Dec 18 22:07:11 mail.kernel-panic.it /usr/local/sbin/amavisd[24429]: user=, EUID: 0 (0); group=, EGID: 0 31 20 5 4 3 2 0 (0 31 20 5 4 3 2 0)
    Dec 18 22:07:11 mail.kernel-panic.it /usr/local/sbin/amavisd[24429]: Perl version 5.008008
    [...]

Now we can configure the system to start Amavisd-new on boot:

/etc/rc.local:
    if [ -x /usr/local/sbin/amavisd ]; then
        echo -n " amavisd"
        /usr/local/sbin/amavisd >/dev/null 2>&1
    fi

The last step is to update Postfix configuration to enable interfacing between Postfix and Amavisd-new. To achieve this, we have to add a couple of services to the /etc/postfix/master.cf(5) configuration file: one to forward all incoming emails to Amavisd-new, and the other to get emails back again:

/etc/postfix/master.cf:
    smtp-amavis unix -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20
    127.0.0.1:10025 inet n   -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Finally, we need to tell Postfix to start forwarding all the emails it receives to amavisd-new for content inspection and reload the configuration.

    # postconf -e 'content_filter=smtp-amavis:[127.0.0.1]:10024'
    # postfix reload
    postfix/postfix-script: refreshing the Postfix mail system
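The @av_scanners entry in amavisd.conf above works by sending clamd a CONTSCAN command over the Unix socket set as LocalSocket in clamd.conf and interpreting each reply line with three regular expressions. The Python code below is an added example, not part of the original document, of amavisd-new or of ClamAV: it applies exactly those three patterns to constructed reply lines (including the "Infected Archive" case the third pattern deliberately excludes, and an ERROR line that matches neither) and includes a small client that speaks the same command to the socket path used above. The socket path, the sample lines and all function names are this example's own assumptions; the client is not exercised offline.

```python
import re
import socket

# The same three patterns amavisd.conf uses to interpret clamd's replies.
OK_RE = re.compile(r"\bOK$")
FOUND_RE = re.compile(r"\bFOUND$")
NAME_RE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$")

# Constructed reply lines in clamd's "path: verdict" format.
SAMPLE_REPLIES = [
    "/var/amavisd/tmp/amavis-1/parts/p001: OK",
    "/var/amavisd/tmp/amavis-1/parts/p002: Eicar-Test-Signature FOUND",
    "/var/amavisd/tmp/amavis-1/parts/p003.zip: Infected Archive FOUND",
    "/var/amavisd/tmp/amavis-1/parts/p004: Can't open file or directory ERROR",
]


def parse_reply(line):
    """Classify one clamd reply line the way amavisd's regexes do.
    Returns ('clean', None), ('infected', name_or_None) or ('error', line).
    For an 'Infected Archive' verdict FOUND_RE still matches, but NAME_RE
    refuses to capture that text as a virus name, so the name comes back None."""
    line = line.rstrip("\n")
    if OK_RE.search(line):
        return "clean", None
    if FOUND_RE.search(line):
        m = NAME_RE.match(line)
        return "infected", (m.group(1) if m else None)
    return "error", line


def scan_verdict(lines):
    """Summarise a CONTSCAN transcript: (list of detected names, list of error lines).
    A scanner error must be reported, not silently treated as 'clean'."""
    names, errors = [], []
    for line in lines:
        status, detail = parse_reply(line)
        if status == "infected":
            names.append(detail)
        elif status == "error":
            errors.append(detail)
    return names, errors


def contscan(path, sock_path="/var/clamav/clamd.sock"):
    """Ask a running clamd (assumed to listen on the LocalSocket from clamd.conf)
    to scan a directory tree, and return its reply lines. Needs a live clamd."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(("CONTSCAN %s\n" % path).encode())
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode(errors="replace").splitlines()


if __name__ == "__main__":
    print(scan_verdict(SAMPLE_REPLIES))
```

Two things this makes visible that the configuration alone does not: a FOUND line whose name part reads "Infected Archive" counts as infected but carries no signature name, and any line matching neither OK nor FOUND (a permission problem on the part, for instance) is an error, which is why amavisd falls back to @av_scanners_backup rather than passing the message.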
7. SquirrelMail

In addition to IMAP and POP3, most end-users will be glad to have also web-based access to their mailbox. Therefore, we will install SquirrelMail, a "standards-based webmail package written in PHP", with built-in support for the IMAP and SMTP protocols. It is written for maximum compatibility across browsers and has very few requirements; SquirrelMail is very easy to install and configure and provides a lot of plugins to allow administrators to deeply customize its look and feel. Please note that the webmail software doesn't have to necessarily reside on the mail host: indeed, if you have a dedicated web server available, that's certainly the best place to install it.

7.1 Preliminary steps

The required packages are:

    libxml-x.x.x.tgz
    php5-core-x.x.x.tgz
    php5-mbstring-x.x.x.tgz

If PHP wasn't already installed on your system, don't forget to enable it, as well as the mbstring module:

    # ln -s /var/www/conf/modules.sample/php5.conf /var/www/conf/modules
    # ln -fs /var/www/conf/php5.sample/mbstring.ini /var/www/conf/php5/mbstring.ini

You also have to uncomment the following line in the Apache configuration file, /var/www/conf/httpd.conf:

/var/www/conf/httpd.conf:
    AddType application/x-httpd-php .php

and restart Apache:

    # apachectl restart
    /usr/sbin/apachectl restart: httpd restarted

7.2 Installation and configuration

Now we can download SquirrelMail, extract it inside Apache's chroot and give the newly-created directory a nicer name:

    # tar -zxvf squirrelmail-x.x.x.tar.gz -C /var/www/htdocs
    # mv /var/www/htdocs/squirrelmail-x.x.x /var/www/htdocs/webmail

Next, we need to create three directories: the data directory (/var/www/squirrelmail/data), which will contain user preferences and will have to belong to Apache's www user; the attachment directory (/var/www/squirrelmail/attachments), where email attachments will be uploaded and which will have to be readable only by the root user, but writable by the www user too; the temporary directory where session data
will be stored (/var/www/tmp), which must be accessible only to the www user.

    # mkdir -p /var/www/squirrelmail/data
    # mkdir /var/www/squirrelmail/attachments
    # mkdir /var/www/tmp
    # chown www:www /var/www/squirrelmail/data
    # chgrp www /var/www/squirrelmail/attachments
    # chmod 730 /var/www/squirrelmail/attachments
    # chown www:www /var/www/tmp
    # chmod 700 /var/www/tmp

Further configuration can be easily managed through a menu driven Perl script, /var/www/htdocs/webmail/config/conf.pl. Some of the parameters you will certainly have to customize are:

- Organization Preferences -> Organization Name: the organization name, which will appear here and there in the web pages.
- Server Settings -> Domain: the domain name.
- General Options -> Data Directory: the pathname to the directory in which user preferences will be stored (in our case /squirrelmail/data/).
- General Options -> Attachment Directory: the pathname to the directory in which attachments will be temporarily stored (in our case /squirrelmail/attachments/).
- Set pre-defined settings for specific IMAP servers -> courier: enable the predefined settings optimized for Courier-IMAP.

8. Appendix

Special thanks to Tomaž for his detailed notes on configuring TLS in Postfix.
8.1 References

- Redundant firewalls with OpenBSD, CARP and pfsync
- OpenBSD, a FREE, multi-platform 4.4BSD-based UNIX-like operating system
- Postfix, an Open source email server for Unix
- [TLS] - Postfix TLS Support
- MySQL, the world's most popular open source database
- Courier-IMAP, a fast, scalable, enterprise IMAP server that uses Maildirs
- Cyrus SASL, the Cyrus SASL API implementation
- Amavisd-new, a high-performance interface between mailer (MTA) and content checkers: virus scanners and/or SpamAssassin
- SpamAssassin, a mail filter to identify spam using a wide range of heuristic tests on mail headers and body text
- ClamAV, an open source (GPL) anti-virus toolkit for Unix
- Postfix Virtual Domain Hosting Howto
- [RFC4954] - RFC 4954, SMTP Service Extension for Authentication
- [SASL] - Postfix SASL Howto

8.2 Bibliography

- OpenBSD Documentation and Frequently Asked Questions
- Postfix Configuration - UCE Controls
- Postfix Basic Configuration
- Postfix MySQL Howto
- Postfix Virtual Domain Hosting Howto
- Mail::SpamAssassin::Conf
- How to use amavisd-new with Postfix
- Clam AntiVirus 0.92 User Manual
- Fairly-Secure Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC