How to Setup a Home Made eMail Server
using Postfix, Dovecot, SASL and Squirrel (and a Google account)
A message transfer agent or mail transfer agent (MTA) or mail relay is software that transfers electronic mail messages from one computer to another using a client-server application architecture. An MTA implements both the client (sending) and server (receiving) portions of the Simple Mail Transfer Protocol (SMTP). Postfix is a free and open-source mail transfer agent (MTA). Postfix routes and delivers electronic mail.
A mail delivery agent (MDA) is a computer software component that is responsible for the delivery of e-mail messages to a local recipient's mailbox. Also called an LDA, or local delivery agent. Within the Internet mail architecture, local message delivery is achieved through a process of handling messages from the MTA, and storing mail into the recipient's environment (typically a mailbox). Dovecot is a mail server suite that includes a mail delivery agent. Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with security in mind. Dovecot primarily aims to be a lightweight, fast and easy to set up open source mailserver.
An email client, email reader, or more formally mail user agent (MUA), is a computer program used to access and manage a user's email. The term can refer to any system capable of accessing the user's email mailbox. SquirrelMail is an Open Source project that provides a web-based email application written in the PHP scripting language. It can be installed on almost all web servers as long as PHP is present. SquirrelMail webmail outputs valid HTML 4.0 for its presentation, making it compatible with a majority of current web browsers. SquirrelMail webmail uses a plugin architecture to accommodate additional features around the core application, and over 200 plugins are available on the SquirrelMail website.
The three elements cited above are the basic elements for a complete web e-mail server. However, we have to care also about security. Authentication mechanism is a client/server protocol. It's about how the client and server talk to each others in order to perform the authentication. Most people use only PLAIN authentication, which basically means that the user and password are sent without any kind of encryption to server. SSL/TLS can then be used to provide the encryption to make PLAIN authentication secure. The Simple Authentication and Security Layer (SASL) is a framework for providing authentication and data security services in many connection-oriented protocols. Our implementation of SASL will use the Transport Layer Security (TLS) to encrypt the segments of network connections.
To install and configure all this software in Debian Squeeze 6.0.x is a bit long but pretty straightforward. Problems may come (at least in my case) from the fact that I am running my server on an ip address provided by the ISP and I do not have a proper reversed dns. In simple words, imagine you have a dyndns service working, and today your IP is 80.59.67.40 and your DNS is www.myhomeserver.net. If you try to obtain your IP from your DNS there is no trouble , but if you try to otain your DNS from your IP... things fail!!! So people from Google, for instance, will not accept messages from your server. To check if you have this problem, open a terminal and execute:
sudo host www.myhomeserver.net
andsudo host 80.59.67.40
In the second case, you may get something horrible, like 80.pool59-67-40.dynamic.companyname.com. If you have this problem, you will need to have a Google's e-mail account, so we may use a SMPT relay service, that takes care of the problem. Gmail will rewrite the From field with whatever the default account's email address is. Changing the default to our e-mail address everything will be fine. So bear with us until the end!!!!We imagine from now on that the name of the server is cosmolinux.no-ip.org and the e-mail address will be something like [email protected]. In such case the hostname of our computer should be cosmolinux. Then edit the file /etc/hostname
sudo gedit /etc/hostname
and change the hostname. We have to edit also the file /etc/hosts. Change the file so we have something like this:
127.0.0.1 localhost
127.0.1.1 cosmolinux.no-ip.org cosmolinux
192.168.1.10 cosmolinux.no-ip.org
where 192.168.1.10 should be the internal IP of your server. To make all this changes to take full effect, the easiest thing to do is to restart the computer. After restarting, open a terminal and type
sudo hostname --fqd
and you should get cosmolinux.no-ip.org. Now we are ready to start the real party. Open a terminal and type:
aptitude install postfix postfix-tls libsasl2-2 sasl2-bin libsasl2-modules nmap popa3d
During installation, postfix will ask a few questions that you have to answer:
Simply accept the defaults for any other questions. Let us edit now the configuration file:
sudo gedit /etc/postfix/main.cf
Add the following:
# Add the following 4 lines to enable authentication of our users
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = cosmolinux.no-ip.org
smtpd_sasl_security_options = noanonymous
# Add the following 10 lines ONLY IF YOU NEED GOOGLE'S SMTP RELAY
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Secure channel TLS with exact nexthop name match.
smtp_tls_security_level = secure
smtp_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop
smtp_tls_CAfile = /usr/share/ncat/ca-bundle.crt
relayhost = smtp.gmail.com:587
#Add the following Security Restrictions
# HELO restrictions:
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
permit
# Sender restrictions:
smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unauth_pipelining,
permit
# Recipient restrictions:
smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
check_sender_access
hash:/etc/postfix/sender_access,
permit
smtpd_data_restrictions = reject_unauth_pipelining
Please check the location of the file ca-bundle.crt (Notice the sentence starting by smtp_tls_CAfile) in your system with the command: sudo find / -name 'ca-bundle.crt'. Check if it it is the same as the one in the configuration file. If your file is in a different folder you have to change the sentence.
Add the following two lines:
smtpd_sasl_type = dovecot
The full configuration file follows. Please check everything:
----------------------------------------------
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = cosmolinux.no-ip.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = cosmolinux.no-ip.org, cosmolinux.home, localhost.home, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# Add this to enable authentication of our users using SASL-TLS
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = cosmolinux.no-ip.org
smtpd_sasl_security_options = noanonymous
# Add this if you need Google's SMTP relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Secure channel TLS with exact nexthop name match.
smtp_tls_security_level = secure
smtp_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop
smtp_tls_CAfile = /usr/share/ncat/ca-bundle.crt
relayhost = smtp.gmail.com:587
#Add the following Security Restrictions if you want a secure mail server
# HELO restrictions:
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
permit
# Sender restrictions:
smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_unauth_pipelining,
permit
# Recipient restrictions:
smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_sender_access
hash:/etc/postfix/sender_access,
permit
smtpd_data_restrictions = reject_unauth_pipelining
We need to create the file /etc/postfix/sender_access where we whitelist or blacklist clients with the following content:
-----------------------------------------------------When you are finished, then execute:
postmap /etc/postfix/sender_access
You should do that every time you change the list.
Postfix does a chroot so it can't communicate with saslauthd. Then do the following:
rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
By default Postfix will use mbox for the mailbox format. This means that the mail will go to the file /var/mail/username. This file is called INBOX in IMAP world. We shall take this into account in the configuration of dovecot.
To use Google's SMTP relay it is also necessary to create a password file so that Postfix can authenticate to Gmail's servers. You do this by creating a file named sasl_passwd in /etc/postfix. Replace smtp_user and smtp_passwd with their respective values (your username and password of your gmail account) in the following command:
echo "smtp.gmail.com smtp_user:smtp_passwd" > /etc/postfix/sasl_passwd
You then hash that file so that the password is not stored in clear text. This command will create a file named sasl_passwd.db in the /etc/postfix/ directory:
postmap hash:/etc/postfix/sasl_passwd
And that's all for Postfix for now... Oh no! wait, it is a good idea to limit the maximum size that e-mails may have. Default is about 10MB. If you want to change this, and have a maximum size of 30MB, you add the following to the configuration file /etc/postfix/main.cf
message_size_limit = 30000000
Last step for postfix is to create an SSL certificate. To create a certificate to be used by Postfix use:
sudo openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/postfix.pem -keyout /etc/ssl/private/postfix.pem
What you enter in the fields is entirely your choice. The only notable exception is the "Common Name" which has to be exactly the name of your server in the way that users will access it. So if you tell your users to access your mail server at "cosmolinux.no-ip.org" then this has to be entered here. This certificate will be valid for 10 years (10 times 365 days).
You will have to tell Postfix where to find your certificate and private key because by default it will look for a dummy certificate file called "ssl-cert-snakeoil":
sudo postconf -e smtpd_tls_cert_file=/etc/ssl/certs/postfix.pem sudo postconf -e smtpd_tls_key_file=/etc/ssl/private/postfix.pem
So much for postfix.
First we download and install the following:
sudo aptitude install dovecot-imapd dovecot-pop3d dovecot-common
Dovecot configuration file is located at: /etc/dovecot/dovecot.conf. We edit this file
sudo gedit /etc/dovecot/dovecot.conf
Double check the following entries in the file if the values are entered properly.
# specify protocols = imap imaps pop3 pop3s
protocols = pop3 imap
# uncomment this and change to no.
disable_plaintext_auth = no
pop3_uidl_format = %08Xu%08Xv
#In the section Mailbox locations and namespaces use the following
mail_location = mbox:~/mail:INBOX=/var/mail/%u
We need to specify the dovecot authentication daemon socket. Look for the line that starts with auth default, before that insert the lines below.
auth default {Now, rename previous auth default to auth default2.
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
Last step is to create an SSL certificate for Dovecot. Here comes the command to create a Dovecot certificate:
sudo openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/dovecot.pem -keyout /etc/ssl/private/dovecot.pem
What you enter in the fields is again entirely your choice. And again the "Common Name" has to be exactly the name of your server in the way that users will access it. So if you tell your users to access your mail server at "cosmolinux.no-ip.org" then this has to be entered here. This certificate will also be valid for 10 years (10 times 365 days).
So much for Dovecot.
Together with SquirrelMail, we need to install apache2 with php support (since we will access SquirrelMail through Apache web server)
sudo aptitude install apache2 libapache2-mod-php5 php5-cli php5-common php5-cgi squirrelmail squirrelmail-decode squirrelmail-compatibility squirrelmail-spam-buttons
Squirrelmail configuration file is located in: /etc/squirrelmail/ folder. By default all settings are preloaded. Run squirrelmail configuration utility:sudo /usr/sbin/squirrelmail-configure
We have to tell Squirrel we are using dovecot and the domain name of our mail server. Go to "2. Server Settings": and take care of the following:
Then go to "A. update IMAP Settings" and enter the following:
Go to "B. SMTP settings" and check the following:
Later on you can check other options like plugins. Basic configuration is over.
Now we have to tell Apache webserver about some configuration of SquirrelMail. Edit apache configuration file /etc/apache2/apache2.conf and insert the following lines at the end of the file
# Squirrel configuration
Include /etc/squirrelmail/apache.conf
Restart everything....
sudo /etc/init.d/apache2 restart
sudo /etc/init.d/saslauthd restart
sudo /etc/init.d/postfix restart
sudo /etc/init.d/dovecot restart
Now you can access your webmail using the following link
http://yourdomain_or_server_ip/squirrelmail
You may login with your system username and password. If you have problems with your reverse DNS (remember what we said in the introduction) you still need to do make a last step before being able to send e-mail to a gmail client from your server.
Now you have squirrelmail in bare bones. You can install so many optional plugins to take care of better aesthetics and functionality. Some few examples:
You need to enter you user account in gmail. Then go to Settings --> Accounts. In the section "Add another e-mail address, enter the e-mail address in your server. Then, after it is accepted, make it the default e-mail address. And that's all. Now everything should work and you should be able to both send and receive e-mails.
You may be interested in forwarding all the mail that you get in your Gmail account, including spam. Among other reasons, it can be a good way to test your setup. To forward spam e-mail, you have to followa curious procedure. You have to define a filter. In the field "Has the words" you enter is:spam. Then you click on the link below all the fields "Create filter with this search". You have to activate the option "Never send it to spam" and then "Create filter". And you are done.
It is interesting to check the logs even if you have no trouble and check what is being written in the logs when you get or send messages. You will have the logs in the folder /var/log and the files mail.log, mail.warn, mail.info. Main information for troubleshooting will be contained in the mail.log file. I hope all this works in your computer!!!!
If things do not work properly, first thing to do is to recheck the configuration files.
After having played with our new toy, we need now to protect it farther from unwanted e-mails. To do that we install SpamAssassin. SpamAssassin works together with postfix to mark possible unwanted e-mail. SpamAssassin may for instance add to the subject of an e-mail the mark *****SPAM*****. This will allows us to setup a filter in SquirrelMail, in order to send such an e-mail to a spam folder. SpamAssassin uses a wide variety of local and network tests to identify spam signatures. This makes it harder for spammers to identify one aspect which they can craft their messages to work around.
To install SpamAssassin we do the following:
sudo apt-get install spamassassin spamc
By default Spamassassin will run as root when you install from debian repository and is not started to avoid that. Now we are going to create a specific user and group for spamassassin.
groupadd -g 5001 spamd
useradd -u 5001 -g spamd -s /sbin/nologin -d /var/lib/spamassassin spamd
mkdir /var/lib/spamassassin
chown spamd:spamd /var/lib/spamassassin
Let us configure now SpamAssassin. We need to change some settings in the file /etc/default/spamassassin in order to get the following values
ENABLED=1
SAHOME="/var/lib/spamassassin/"
OPTIONS="--create-prefs --max-children 5 --username spamd --helper-home-dir ${SAHOME} -s ${SAHOME}spamd.log"
PIDFILE="${SAHOME}spamd.pid"
This way we run spamd daemon as user spamd, and make it use its own home dir (/var/lib/spamassassin/) and is going to output its logs in /var/lib/spamassassin/spamd.log
Now we need to give spamassassin some rules. So let's edit /etc/spamassassin/local.cf:
sudo gedit /etc/spamassassin/local.cf
We modify this file, so it looks like below:
rewrite_header Subject [*****SPAM*****]
required_score 2.0
#If this option is set to 0, incoming spam is only modified by adding some "X-Spam-" headers and no changes will be made to the body.
report_safe 0
# Enable the Bayes system
use_bayes 1
use_bayes_rules 1
# Enable Bayes auto-learning
bayes_auto_learn 1
# Enable or disable network checks
skip_rbl_checks 0
use_razor2 0
use_dcc 0
use_pyzor 0
We set spamassassin' spamd default settings to rewrite email subject to [*****SPAM*****]. To every mail spamassassin assigns a score after running different tests. Email with a score lower than 2 won't be modified. We also tell spamassassin to use bayes classifier and to improve itself by auto-learning from the messages it will analyse. Finally, we disable collaborative network such as pyzor, razor2 and dcc. Those collaborative network keep an up-to-date catalogue of know mail checksum to be recognized as spam. Those might be interresting to use, but we shall not use at the momemnt for the sake of speed. After all this process we restart spamassassin using the following command:
sudo /etc/init.d/spamassassin start
Now we need Postfix to call Spamassassin. Spamassassin will be invoked only once postfix has finished with the email. To tell postfix to use spamassassin, we are going to edit /etc/postfix/master.cf:
sudo gedit /etc/postfix/master.cf
Change the following line
smtp inet n - - - - smtpd
to
smtp inet n - - - - smtpd -o content_filter=spamassassin
And then, at the end of master.cf file add the following lines:
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
Save and exit the file. That's it our spam filter is setted up, we need to reload postfix settings and everything should be ready:
sudo /etc/init.d/postfix reload
Read the log files and make sure everything is fine so far.
We now configure a filter in SquirrelMail. This filter will send spam mail to a spam folder. First of all we use the configuration script to activate a filter plugin:
sudo /usr/sbin/squirrelmail-configure
Go to "8. Plugins" and select filters. Save changes and quit. Then log-in to SquirrelMail and follow the following steps:
SquirrelMail also has an anti-spam service. Prior to enable this service in the future, you need to make a change in the following file:
sudo gedit /usr/share/squirrelmail/plugins/filters/setup.php
Go the section "SpamFilters YourHop Setting" and change$SpamFilters_YourHop = ' ';
for this
$SpamFilters_YourHop = 'yourdomain';
where yourdomain is whaever you have after the @ in your e-mail address.
After this is changed, if you are interested in further spam protection, go to options, spam filters, and select whatever you need.
Spamassassin is a wonderful tool. It really works!. But... it is am memory hungry application. If you have limited resources of RAM memory it will be good to limit the maximum number of "child processes" running at the same time. To control that, edit the configuration file:
sudo gedit /etc/default/spamassassin
And change the number of children (default is 5... I set to 1 because I am using this in a system with only 128Mb and I get few mails at the same time):
OPTIONS="--create-prefs --max-children 1 --username spamd --helper-home-dir ${SAHOME} -s ${SAHOME}spamd.log"
This choice saved the life of my e-mail server.
After reading about mbox and Maildir, I decided to use Maildir. Maildir has some advantages over mbox format. It keeps emails in separate files, allows for multiple applications to read mail, etc.
To use maildir format in your mailbox which creates separate files for each email you can use the following commands:
postconf -e "home_mailbox = Maildir/" postconf -e "mailbox_command ="
Then edit the configuration file of dovecot
sudo gedit /etc/dovecot/dovecot.conf
and change frommail_location = mbox:~/mail:INBOX=/var/mail/%u
tomail_location = maildir:~/Maildir
and restart both postfix and dovecot
sudo /etc/init.d/postfix
sudo /etc/init.d/dovecot
This tutorial is based on all the following web pages and some trouble shooting:
http://www.debianadmin.com/debian-mail-server-setup-with-postfix-dovecot-sasl-squirrel-mail.htmlAnd this is the end of this tutorial.