Andries filmer

Feel free with Open Source Software

Andries Filmer - Internet professional since 1996.
I am a strong supporter of Free and Open Source Software (FOSS), and let this site convince you why that is a good thing.

Mailserver - Postfix Dovecot

Index
  1. Postfix
  2. Dovecot
  3. Certificates
  4. Spamassassin
    1. Train the Spamassassin filter
  5. Clamav
  6. Sender Policy Framework (SPF)
  7. DomainKeys Identified Mail (DKIM)
  8. DNS Whitelist
  9. Autoreply and Spambox
  10. Crontab
  11. Maintenance
  12. Comments

There are many howtos for a Postfix and Dovecot mail server. This howto describes Postfix, Dovecot, ClamAV (antivirus), SpamAssassin (antispam), Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and DNS white- and blocklisting. It does not use a MySQL database or Postfix Admin for credential storage.

You can use the submission port (587) instead of the SMTP port (25) to send mail, because many ISPs block port 25. This way you can use the SMTP server from anywhere on this planet with an internet connection. You can also use a secure connection (TLS or SSL) to fetch your mail via IMAP or POP3. There is a Dutch article on how to use this mail server from clients.

Below is the mail server configuration on Ubuntu Server 9.10.

Postfix

Install Postfix

 apt-get install postfix 

My /etc/postfix/main.cf file

 smtpd_banner = $myhostname ESMTP
 biff = no
 append_dot_mydomain = no
 readme_directory = no
 
 # TLS parameters
 smtpd_tls_cert_file=/etc/ssl/certs/mail.filmer.nl.crt
 smtpd_tls_key_file=/etc/ssl/private/server-nopass.key
 smtp_tls_CAfile = /etc/ssl/certs/server-bundle.crt
 smtpd_tls_security_level = may
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 # information on enabling SSL in the smtp client.
 
 myhostname = mail.filmer.nl
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 mydestination = localhost
 relayhost =
 mynetworks = 127.0.0.0/8 194.242.19.102
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
 
 ######## NON DEFAULT ###############
 
 home_mailbox= Maildir/
 
 # For ClamAV
 content_filter = clamav:127.0.0.1:10025
 receive_override_options = no_address_mappings
 
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 smtpd_sasl_auth_enable = yes
 # The DNSWL whitelist (check_client_access) is evaluated before the RBL lookups;
 # placed after them it would never be reached for a client that is on a blocklist.
 smtpd_recipient_restrictions = reject_unauth_pipelining,
                                permit_mynetworks,
                                reject_unknown_sender_domain,
                                permit_sasl_authenticated,
                                reject_unknown_recipient_domain,
                                reject_unlisted_recipient,
                                reject_unauth_destination,
                                check_client_access cidr:/etc/postfix/postfix-dnswl-permit,
                                reject_rbl_client zen.spamhaus.org,
                                reject_rbl_client bl.spamcop.net,
                                reject_rbl_client virbl.dnsbl.bit.nl,
                                reject_unverified_recipient
 # For DKIM
 milter_default_action = accept
 milter_protocol = 2
 smtpd_milters = inet:localhost:8891
 non_smtpd_milters = inet:localhost:8891
 
 virtual_transport = dovecot
 dovecot_destination_recipient_limit = 1
 virtual_mailbox_base = /home/vmail/
 virtual_mailbox_domains = hash:/etc/postfix/vdomains
 virtual_mailbox_maps = hash:/etc/postfix/vmailboxes
 virtual_alias_maps = hash:/etc/postfix/valiases

My /etc/postfix/master.cf

 # ==========================================================================
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
 smtp      inet  n       -       -       -       -       smtpd
   -o content_filter=spamassassin
 submission inet n       -       -       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING
 pickup    fifo  n       -       -       60      1       pickup
 cleanup   unix  n       -       -       -       0       cleanup
 qmgr      fifo  n       -       n       300     1       qmgr
 #qmgr     fifo  n       -       -       300     1       oqmgr
 tlsmgr    unix  -       -       -       1000?   1       tlsmgr
 rewrite   unix  -       -       -       -       -       trivial-rewrite
 bounce    unix  -       -       -       -       0       bounce
 defer     unix  -       -       -       -       0       bounce
 trace     unix  -       -       -       -       0       bounce
 verify    unix  -       -       -       -       1       verify
 flush     unix  n       -       -       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
 smtp      unix  -       -       -       -       -       smtp
 # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
 relay     unix  -       -       -       -       -       smtp
    -o smtp_fallback_relay=
    -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 showq     unix  n       -       -       -       -       showq
 error     unix  -       -       -       -       -       error
 retry     unix  -       -       -       -       -       error
 discard   unix  -       -       -       -       -       discard
 local     unix  -       n       n       -       -       local
 virtual   unix  -       n       n       -       -       virtual
 lmtp      unix  -       -       -       -       -       lmtp
 anvil     unix  -       -       -       -       1       anvil
 scache    unix  -       -       -       -       1       scache
 #
 # ====================================================================
 # NON default
 # ====================================================================
 #
 spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e  
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
 
 clamav   unix  -    -       n       -       16      smtp
   -o smtp_send_xforward_command=yes
 
 # For injecting mail back into postfix from the filter
 127.0.0.1:10026 inet  n -       n       -       16      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
 
 dovecot   unix  -       n       n       -       -       pipe
   flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

Dovecot

Install Dovecot

 apt-get install dovecot dovecot-pop3d

Create vmail user and vmail group. This is the user/group that's used to access the mails.

 groupadd vmail
 useradd -g vmail -s /bin/false -d /home/vmail vmail

Create /home/vmail directory owned by vmail:vmail. The mails for all users are stored under this directory.

 mkdir /home/vmail

Create /var/log/dovecot.log and /var/log/dovecot-info.log files owned by vmail:vmail, so that deliver can write to them.

 touch /var/log/dovecot.log
 touch /var/log/dovecot-info.log 
 chown vmail:vmail /var/log/dovecot.log
 chown vmail:vmail /var/log/dovecot-info.log 

Create the password file /etc/dovecot/passwd. If you want to store passwords encrypted

 # This is an unencrypted example file
 test:{PLAIN}pass
 bill:{PLAIN}secret
 timo@example.com:{PLAIN}hello123
 dave@example.com:{PLAIN}world234
 joe@elsewhere.org:{PLAIN}whee
 jane@elsewhere.org:{PLAIN}mypass
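
As an added example (not part of the original page), here is a small Python helper that writes and checks hashed entries for this passwd-file instead of {PLAIN} ones. It assumes Dovecot's SSHA256 scheme, stored as base64(SHA256(password + salt) + salt) behind a {SSHA256} prefix, and the user:{SCHEME}value line format shown above; the sample entries are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed Dovecot passwd-file format: one "user:{SCHEME}value" per line.
# Assumed SSHA256 layout: base64( SHA256(password + salt) + salt ), salt appended.
SCHEME = "{SSHA256}"
DIGEST_LEN = 32  # SHA-256 output size in bytes


def ssha256_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA256} value for the password; a random salt is drawn unless given."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha256_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA256} value, comparing in constant time."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def passwd_file_entry(user: str, password: str) -> str:
    """Build one hashed passwd-file line for the given user."""
    return f"{user}:{ssha256_hash(password)}"


def parse_passwd_file(text: str) -> Dict[str, str]:
    """Map user -> stored password value, skipping blank and comment lines."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, value = line.partition(":")
        entries[user] = value
    return entries


def check_login(passwd_text: str, user: str, password: str) -> bool:
    """Verify a login against the file; understands {PLAIN} (as on this page) and {SSHA256}."""
    stored = parse_passwd_file(passwd_text).get(user)
    if stored is None:
        return False
    if stored.startswith("{PLAIN}"):
        return hmac.compare_digest(stored[len("{PLAIN}"):].encode("utf-8"), password.encode("utf-8"))
    return ssha256_verify(password, stored)


if __name__ == "__main__":
    # Constructed sample file: one plaintext entry from the page, one hashed entry.
    sample = "test:{PLAIN}pass\n" + passwd_file_entry("timo@example.com", "hello123") + "\n"
    print(sample, end="")
    print(check_login(sample, "timo@example.com", "hello123"))  # True
```

Generate a line with passwd_file_entry() and paste it into /etc/dovecot/passwd; Dovecot picks the scheme from the {...} prefix per entry, so plain and hashed lines can coexist while you migrate.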

My /etc/dovecot/dovecot.conf

 protocols = imap imaps pop3 pop3s managesieve
 # "no" allows PLAIN logins over unencrypted IMAP/POP3 connections; set to yes to require SSL/TLS first
 disable_plaintext_auth = no
 mail_debug=no
 log_path = /var/log/dovecot.log
 info_log_path = /var/log/dovecot-info.log
 log_timestamp = "%Y-%m-%d %H:%M:%S "
 
 ssl_disable = no
 ssl_cert_file = /etc/ssl/certs/mail.filmer.nl.crt
 ssl_key_file = /etc/ssl/private/server-nopass.key
 ssl_ca_file = /etc/ssl/certs/server-bundle.crt
 
 mail_location = maildir:/home/vmail/%d/%n/Maildir
 mail_privileged_group = mail
 
 namespace private {
    separator = .
    prefix = INBOX.
    inbox = yes
 }
 
 protocol imap {
   mail_plugins = fts fts_squat
 }
 
 auth default {
   mechanisms = plain
   passdb passwd-file {
     # File contains a list of usernames, one per line
     args = /etc/dovecot/passwd
   }
   userdb static {
     args = uid=vmail gid=vmail home=/home/vmail/%d/%n
   }
   socket listen {
     master {
       path = /var/run/dovecot/auth-master
       mode = 0600
       user = vmail
       group = vmail
     }
     client {
       # Typical use is to export it to your SMTP server so it can
       # do SMTP AUTH lookups using it.
       # The path must match smtpd_sasl_path = private/auth in main.cf
       # (relative to the Postfix queue directory /var/spool/postfix).
       path = /var/spool/postfix/private/auth
       mode = 0660
       # Assuming the default Postfix user and group
       user = postfix
       group = postfix
     }
   }
 }
 
 protocol lda {
   postmaster_address = andries@filmer.nl
   mail_plugins = cmusieve
   rejection_reason = Uw bericht aan <%t> werd geweigerd:%nYour message to <%t> was rejected:%n%n%r
 }
 
 plugin {
   fts = squat
   fts_squat = partial=4 full=10
   sieve=/home/vmail/%d/%n/.dovecot.sieve
   sieve_global_path=/etc/dovecot/default.sieve
 }

Certificates

We have to create an RSA private key and a CSR (certificate signing request).

 cd /etc/ssl
 openssl req -new -nodes -keyout private/server.key -out server.csr -outform PEM

To create a self-signed certificate, run the following command at a terminal prompt:

 openssl x509 -req -days 365 -in server.csr -signkey private/server.key -out certs/server.crt

Real-life GoDaddy request example (only € 11,- per year for a single domain -> mail.filmer.nl):

 openssl genrsa -des3 -out private/server.key 2048
 openssl req -new -key private/server.key -out server.csr

Remove a passphrase from a private key

 openssl rsa -in private/server.key -out private/server-nopass.key

Spamassassin

 apt-get install spamassassin

Configure Spamassassin user and group

We want it to run as non-root, so add a spamd user and group:

 groupadd spamd
 useradd -g spamd -s /bin/false -d /var/log/spamassassin spamd
 mkdir /var/log/spamassassin
 chown spamd:spamd /var/log/spamassassin

Edit /etc/default/spamassassin so these options are set:

 ENABLED=1
 OPTIONS="-x --virtual-config-dir=/home/vmail/%d/%l/.spamassassin --create-prefs --max-children 5 \
  --helper-home-dir --username spamd -H /var/log/spamassassin/ -s /var/log/spamassassin/spamd.log" 
 NICE="--nicelevel 15"

Train the Spamassassin filter

One option is to train the filter on a Junk folder. I used sa-learn like this (you need to be root, which is why the sudo is there):

 sudo sa-learn --spam -u spamd --dir /home/vmail/user/Maildir/.Junk/* -D

You can also train it on what the good stuff looks like, e.g. run it over a clean inbox (no spam):

 sudo sa-learn --ham -u spamd --dir /home/vmail/user/Maildir/.INBOX/* -D

In /etc/mail/spamassassin/v312.pre, uncomment this line if you want to use DKIM:

 loadplugin Mail::SpamAssassin::Plugin::DKIM

Resource: http://townx.org/blog/elliot/simple_spamassassin_setup_with_postfix_and_dovecot_on_ubuntu_breezy

Clamav

Update April 2010. Because ClamAV is outdated on Ubuntu Intrepid (LTS), we need to install and use software from a Personal Package Archive; you first need to tell Ubuntu where to find the PPA. Read more: Packages in PPA for ClamAV Update Team

 apt-get install clamsmtp clamav-freshclam

Edit the /etc/clamsmtpd.conf file and change OutAddress and Listen to the values below (they are the other way round by default). This is needed to use SpamAssassin and ClamAV together.

 OutAddress: 10026 
 Listen: 127.0.0.1:10025

Sender Policy Framework (SPF)

We want to enable SPF, so we create a TXT DNS record with the mail server's IP addresses.

 @         TXT           "v=spf1 ip4:82.201.119.0/24 -all"
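
To see what a receiving server does with this record, here is an added Python example (not part of the original page) that parses an SPF TXT record and evaluates it for a connecting IP address. It covers the ip4, ip6 and all mechanisms with their qualifiers, which is all this page's record uses; mechanisms that need DNS lookups (a, mx, include, exists, ptr) and the redirect= modifier are reported as unsupported rather than guessed. The test IP addresses are constructed.

```python
import ipaddress
from typing import List, Tuple

# Qualifier prefix -> SPF result (RFC 7208 section 4.6.2); "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            # Modifiers: redirect= needs a DNS lookup, exp= and unknown ones are ignored here
            if term.lower().startswith("redirect="):
                raise NotImplementedError("redirect= requires DNS")
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        parsed.append((qualifier, name.lower(), argument))
    return parsed


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate the record for a connecting IP; the first matching mechanism decides."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, argument in parse_spf(record):
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)  # bare address -> /32 or /128
            matched = ip.version == network.version and ip in network
        else:
            # a, mx, include, exists, ptr need DNS lookups, which this offline example leaves out
            raise NotImplementedError(f"mechanism '{name}' requires DNS")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no redirect= (RFC 7208 section 4.7)


if __name__ == "__main__":
    record = "v=spf1 ip4:82.201.119.0/24 -all"  # the record from this page
    for ip in ("82.201.119.10", "203.0.113.5"):  # constructed sender addresses
        print(ip, check_spf(record, ip))
```

With "-all" any host outside 82.201.119.0/24 gets a hard fail, so every machine that sends mail for the domain (including the one listed in mynetworks) must be covered by the record or its mail will be rejected by SPF-checking receivers.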

DomainKeys Identified Mail (DKIM)

We want to use DKIM, so we need to install dkim-filter and create keys.

 apt-get install dkim-filter libmail-dkim-perl
 mkdir /etc/ssl/dkim-filter
 cd /etc/ssl/dkim-filter
 openssl genrsa -out private.key 1024
 openssl rsa -in private.key -out public.key -pubout -outform PEM

Edit the dkim-filter configuration file; almost everything is commented out by default. Uncomment and change the following lines in /etc/dkim-filter.conf:

 Domain       filmer.net
 KeyFile      /etc/ssl/dkim-filter/private.key
 Selector     mail

At this point you should be able to successfully start the service and check for any errors in the syslog.

 /etc/init.d/dkim-filter start

Configure the public key in DNS:

 mail._domainkey	TXT	"k=rsa; t=y;p=MIGfMA....the-long-public-key........AQAB"
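
Turning public.key into that TXT record by hand is error-prone, so here is an added Python example (not from the page) that strips the PEM armour from the public key, builds the selector._domainkey record, splits it into 255-character strings for the zone file (needed once you move to a 2048-bit key, whose p= value is longer than one TXT string allows) and parses the record back for checking. The PEM below is a constructed placeholder with DER-looking bytes, not a real key; the v=DKIM1 tag is added because it is the standard version tag, though the page's record omits it.

```python
import base64
import textwrap
from typing import Dict, List, Tuple


def pem_to_dkim_p(pem_text: str) -> str:
    """Strip the PEM armour from public.key and join the base64 body into the p= value."""
    lines = [line.strip() for line in pem_text.splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    # A SubjectPublicKeyInfo is a DER SEQUENCE, which always starts with tag 0x30
    if not der or der[0] != 0x30:
        raise ValueError("not a DER-encoded public key")
    return body


def build_dkim_record(pem_text: str, selector: str = "mail", testing: bool = True) -> Tuple[str, str]:
    """Return (owner name, TXT value); t=y marks the domain as testing, as on this page."""
    tags = ["v=DKIM1", "k=rsa"]
    if testing:
        tags.append("t=y")
    tags.append("p=" + pem_to_dkim_p(pem_text))
    return f"{selector}._domainkey", "; ".join(tags)


def split_txt(value: str, limit: int = 255) -> List[str]:
    """One TXT character-string holds at most 255 bytes; longer values are split into several."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_line(name: str, value: str) -> str:
    """Zone-file line with the value as one or more quoted strings (verifiers concatenate them)."""
    return f"{name}\tTXT\t" + " ".join(f'"{chunk}"' for chunk in split_txt(value))


def parse_dkim_record(value: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' DKIM record back into a dict."""
    tags: Dict[str, str] = {}
    for item in value.split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition("=")
            tags[key.strip()] = val.strip()
    return tags


# Constructed placeholder: DER-looking bytes (SEQUENCE tag first), NOT a real key.
_FAKE_DER = b"\x30\x82\x01\x22" + bytes(range(60))
CONSTRUCTED_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(_FAKE_DER).decode("ascii"), 64))
    + "\n-----END PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    name, value = build_dkim_record(CONSTRUCTED_PEM)
    print(zone_line(name, value))
```

Feed it the real /etc/ssl/dkim-filter/public.key, drop t=y once signing is verified to work, and compare parse_dkim_record() of what your resolver returns against the p= you published.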

DNS Whitelist

DNSWL.org provides a whitelist of known legitimate email servers to reduce the chance of false positives while spam filtering. The entry check_client_access cidr:/etc/postfix/postfix-dnswl-permit in /etc/postfix/main.cf does the job.

 rsync --times rsync1.dnswl.org::dnswl/postfix-dnswl-permit /etc/postfix/
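
Why the position of this check in smtpd_recipient_restrictions matters, as an added Python illustration that is not part of the page: Postfix walks a restriction list in order and stops at the first restriction that answers PERMIT or REJECT (DUNNO moves on to the next one; reaching the end means permit). The DNSBL answers and the cidr: table below are constructed stand-ins, and the dnswl file is assumed to use the "network permit" cidr: table format.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed stand-ins; not real DNSBL listings and not the real dnswl file.
SAMPLE_RBL = {"zen.spamhaus.org": {"203.0.113.5", "198.51.100.7"}}
SAMPLE_DNSWL_CIDR = """
# constructed excerpt in cidr: table format: network  action
198.51.100.0/24 permit
"""


def load_cidr_table(text: str) -> list:
    """Parse 'network action' lines of a Postfix cidr: table, ignoring comments."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            network, action = line.split(None, 1)
            table.append((ipaddress.ip_network(network, strict=False), action.strip().lower()))
    return table


def check_client_access(client_ip: str, table: list) -> str:
    """The first matching network decides; no match is DUNNO, as in Postfix."""
    ip = ipaddress.ip_address(client_ip)
    for network, action in table:
        if ip in network:
            return "PERMIT" if action in ("permit", "ok") else "REJECT"
    return "DUNNO"


def reject_rbl_client(client_ip: str, zone: str) -> str:
    """REJECT when the client is listed in the (simulated) DNSBL zone, else DUNNO."""
    return "REJECT" if client_ip in SAMPLE_RBL.get(zone, set()) else "DUNNO"


def evaluate(restrictions: List[str], client_ip: str, table: list) -> Tuple[str, Optional[str]]:
    """Return (decision, restriction that decided it) using Postfix first-match semantics."""
    for restriction in restrictions:
        name, _, argument = restriction.partition(" ")
        if name == "check_client_access":
            result = check_client_access(client_ip, table)
        elif name == "reject_rbl_client":
            result = reject_rbl_client(client_ip, argument)
        elif name in ("permit", "reject"):
            result = name.upper()
        else:
            result = "DUNNO"  # restrictions not modelled here fall through
        if result != "DUNNO":
            return result, restriction
    return "PERMIT", None  # end of list: Postfix permits


WHITELIST_FIRST = [
    "check_client_access cidr:/etc/postfix/postfix-dnswl-permit",
    "reject_rbl_client zen.spamhaus.org",
]
RBL_FIRST = list(reversed(WHITELIST_FIRST))

if __name__ == "__main__":
    table = load_cidr_table(SAMPLE_DNSWL_CIDR)
    # 198.51.100.7 is both whitelisted and blocklisted in the constructed data
    print(evaluate(WHITELIST_FIRST, "198.51.100.7", table))  # ('PERMIT', 'check_client_access ...')
    print(evaluate(RBL_FIRST, "198.51.100.7", table))        # ('REJECT', 'reject_rbl_client ...')
```

The same first-match rule is why permit_mynetworks and permit_sasl_authenticated must stay after reject_unauth_pipelining but before the reject_rbl_client entries, and why reject_unauth_destination has to come before any permit that an outside client can trigger.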

Autoreply and Spambox

We need the Sieve plugin for the autoreply (vacation) message, and we want to move spam to the spambox. We have configured /etc/dovecot/dovecot.conf to use managesieve.

Create a /home/vmail/domain/mailbox/.dovecot.sieve file:

 require ["fileinto", "vacation", "copy"];
 # Move spam to spambox
 if header :contains "X-Spam-Flag" "YES" {
   fileinto "INBOX.Spam";
   stop;
 }
 #end spam
 #forward
 
 #end forward
 #autoreply
 vacation
 :days 1
 "I'm out of office, please contact Anja Filmer instead.
 Best regards
 Andries Filmer";
 #end autoreply

Create the compiled .dovecot.sievec file with sievec:

 /usr/lib/dovecot/sievec .dovecot.sieve .dovecot.sievec

Crontab

We want to refresh the ClamAV database and set the correct time daily, and refresh the DNSWL list monthly.

 0 1 * * * /usr/bin/freshclam
 0 6 * * * /usr/sbin/ntpdate -s nl.pool.ntp.org
 0 7 1 * * /usr/bin/rsync --times rsync1.dnswl.org::dnswl/postfix-dnswl-permit /etc/postfix/

Maintenance

View the Postfix queue

 postqueue -p

Retry sending all messages in the queue

 postqueue -f

Empty the Postfix queue

 postsuper -d ALL

This page is created on 2010-02-24 and updated on 2010-04-19

My curriculum vitae | The content on this website is licensed under Creative Commons 3.0 | © 2011
Andries Filmer | http://andries.filmer.nl | andries@filmer.nl
This website is built with Free and Open Source Software.