A mail server with Postfixadmin, Postfix and Dovecot on Debian Lenny ¶
This HOWTO will explain the installation and configuration of a full featured mail server using Postfix as SMTP server, Dovecot as POP/IMAP server and Postfixadmin as management interface. As Postfixadmin need a database to maintain account and domain informations we will use MySQL (but also PostgresSQL or SQLite can be used). All the configurations were done on a Debian Lenny system.
Postfixadmin Installation ¶
Postfixadmin is distributed as Debian package directly by the maintainer, but we need to download just the .deb file from here because there is no repository. Before installing it we will need to install some dependencies (a web server, and because we want to use it on a standalone server, also a database server). We choose to use Apache as web server and MySQL as database server, so we will need to install these packages and all the other Postfixadmin dependencies; this can be done the Debian way with the command:
aptitude install dbconfig-common wwwconfig-common \
libapache2-mod-php5 php5 php5-imap php5-mysql \
mysql-client mysql-server postfix-mysql
we will also have to answer to the ordinary setup questions made by debconf; we can just accept the default values, but we will have to choose a password for the MySQL root administrative account.
Before installing the Postfixadmin from the .deb file we will need to create a database and a database account that will be used by Postfixadmin for its data; we can do this with the following commands:
mysqladmin -u root -p create postfixadmin
mysql -u root -p
mysql> grant create, select, insert, update, delete, lock, index, alter, drop
on postfixadmin.* to 'postfixadmin'@'localhost'
identified by 'secretandcomplexpassword';
mysql> flush privileges;
mysql> \q
(they will ask for the root account password that was given in the previous step). After this we can install the .deb file with:
dpkg -i postfixadmin_*.deb
There are two possible choices for Postfixadmin: the 2.2 stable version and the new 2.3 release candidate; this last one supports more features and is almost production ready. If you use the 2.2 stable version you will need to modify the following lines of the /etc/postfixadmin/config.inc.php file to setup the access to the previously created database:
$CONF['configured'] = true;
...
$CONF['database_type'] = 'mysql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'secretandcomplexpassword';
$CONF['database_name'] = 'postfixadmin';
If instead you use the 2.3 development version, having dbconfig-common and wwwconfig-common installed, the previous step of the database creation is managed by the package itself and it is no more needed. Also the database access configuration inside /etc/postfixadmin/config.inc.php is automatically done by debconf, so all is needed is to give to debconf the password of the MySQL root user that you setup at the beginning, and then answer to the debconf questions about the password used for the Postfixadmin dedicated database user.
After this we can proceed to populate the database, this will be done by Postfixadmin itself using the following link in a browser (we can use the same link for database upgrade when installing a new Postfixadmin version, or to reset the Postfixadmin superuser password):
http://MY.POSTFIXADMIN.SERVER.IP/postfixadmin/setup.php
Up to 2.2 version this PHP script should be run once, and then removed after its use. With the 2.3 version when it is used for the first time it would ask for a setup password, and then print an hashed value that must be put inside /etc/postfixadmin/config.inc.php; the browser will show the line that should replace this one:
$CONF['setup_password'] = 'changeme';
With this modification done we can re-execute the script going back to http://MY.POSTFIXADMIN.SERVER.IP/postfixadmin/setup.php; this time can use the setup password to create an administrative Postfixadmin account having full access to all management functions. It should be noted that like all Postfixadmin accounts also this one should be given in the form of an email address (i.e. something like admin@mydomain.it).
To check that this initial setup has been completed successfully we can see if everything is working fine going to the http://MY.POSTFIXADMIN.SERVER.IP/postfixadmin address and logging in using the superuser account we just created. After this check we can proceed doing some more specific configuration; the first one is to put proper references to our main domain in the web interface; this can be done with the following commands:
cd /etc/postfixadmin/
mv config.inc.php config.inc.php.orig
sed -e 's/change-this-to-your.domain.tld/mydomain.it/g' config.inc.php.orig > config.inc.php
and to be sure we can check the file to see if all link to web pages are correct (they will be always something like http://mydomain.it).
An important step is to configure the mailbox pathname that will be used by both Postfix and Dovecot, we choose to map an email account like username@mydomain.it) to a mailbox pathname like mydomain.it/username, to do this we have to put the following configuration values in the /etc/postfixadmin/config.inc.php file:
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
Then to enable quotas we will need to modify also the following line:
$CONF['quota'] = 'YES';
and to enable the vacation support we will need to modify the following lines:
$CONF['vacation'] = 'YES';
$CONF['vacation_domain'] = 'autoreply.mydomain.it'
where autoreplay.mydomain.it is the domain used by Postfix to manage vacation email (we'll look at this in the following).
Other configuration lines that can be modified are the following:
$CONF['default_language'] = 'it';
$CONF['min_password_length'] = 6;
$CONF['aliases'] = '50';
$CONF['mailboxes'] = '50';
$CONF['maxquota'] = '50';
respectively to setup the web interface language, a minimum length for the accounts password, and the default values for limit on number of alias, mailbox and megabytes for the quota. These last three will be proposed by the management interface when creating a new domain (a 0 means no limit).
The Postfixadmin 2.3 version has a new simplified management for having the same aliases on more than on domain; this new feature need more database queries and a modified Postfix configuration, so is better to disable it; this can be done with the following line:
$CONF['alias_domain'] = 'NO';
To check if everything is working fine we can login as administrator in the web interfaces to create a new domain and some user accounts. Then we can logout and check if that those account are working by re-logging as that users.
Postfix configuration ¶
Having user account and domain data managed by Postfixadmin, we need to configure Postfix virtual mailbox according to the data stored in MySQL. The first step is to create a base directory where to put all the virtual mailboxes; we will also need a system user that will own all the files. We can do this with the following commands:
mkdir /var/mail/vmail
useradd -d /var/mail/vmail vmail
chown vmail:vmail /var/mail/vmail/
chmod o-xr /var/mail/vmail/
Then we need to setup Postfix to use virtual mailboxes getting the informations about users, domain and pathnames from the database; this can be done adding the following lines to /etc/postfix/main.cf:
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_base = /var/mail/vmail
virtual_minimum_uid = 106
virtual_transport = virtual
virtual_uid_maps = static:106
virtual_gid_maps = static:61
where 106 e 61 are the numeric uid and gid for the vmail user (these number can be different in each system so you have to check them yourself with something like getent passwd|grep vmail).
After this we need to create all the mysql_* files to tell Postfix how to access to the database to get the information it needs. The first file, mysql_virtual_alias_maps.cf, configure the access to aliases definitions and it should be something like:
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT goto FROM alias WHERE address='%s' AND active = 1
the second file, mysql_virtual_domains_maps.cf, configure the access to domain definitions, and it should be something like:
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '0' and active = '1'
the third file, mysql_virtual_mailbox_maps.cf, configure the access to mailbox pathname (relative to the base directory /var/mail/vmail), and it should be something like:
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1
If we want to use Postfixadmin to manage secondary mail server for some domains we will need to add to /etc/postfix/main.cf also the following line:
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf
where mysql_relay_domains_maps.cf should be something like:
user = postfixadmin
password = secretandcomplexpassword
hosts = localhost
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '1' and active = '1'
To check if everything is working fine you can send an email to an user you previously created with Postfixadmin and check the mail.log file to see if it is accepted.
Postfix/Postfixadmin vacation configuration ¶
If we want to manage vacation trough Postfixadmin we need some additional Postfix configurations. As first step we need a system user dedicated to the automatic answer management, with the lowest possible privileges; we can create it with the following commands:
groupadd -g 65501 vacation
useradd -g 65501 -u 65501 -c Vacation -s /sbin/nologin -d /nonexistent vacation
then we will need a directory for temporary files accessible only for this user, we can create it with the following commands:
mkdir /var/spool/vacation
chown -R vacation.vacation /var/spool/vacation
chmod o-xr /var/spool/vacation
The second step is to setup the vacation script, we need to put a copy (it's distributed with Postfixadmin) in the previous directory; this can be done with the following commands:
cd /usr/share/doc/postfixadmin/examples/VIRTUAL_VACATION/
zcat vacation.pl.gz > /var/spool/vacation/vacation.pl
chmod 700 /var/spool/vacation/vacation.pl
to have the script working correctly we will also need some perl modules; these can be installed with the command:
aptitude install libemail-valid-perl libmime-encwords-perl libmime-perl \
libmail-sender-perl liblog-log4perl-perl
and at last we will need to setup the script to access to the database, this can be done modifying the following lines at the beginning of it (note that we are using the same values used in the Postfixadmin configuration):
our $db_type = 'mysql';
our $db_host = 'localhost';
our $db_username = 'postfixadmin';
our $db_password = 'secretandcomplexpassword';
our $db_name = 'postfixadmin';
our $vacation_domain = 'autoreply.mydomain.it';
The last step is the Postfix configuration; we will need to setup a new transport dedicates to vacation, so we need to add to /etc/postfix/master.cf the following lines:
vacation unix - n n - - pipe
flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}
then we will need to use this transport for all mail directed to the dedicated autoreply.mydomain.it domain, so first we need to create the /etc/postfix/transport file with the following line:
autoreply.mydomain.it vacation:
and then add to /etc/postfix/main.cf the following line:
transport_maps = hash:/etc/postfix/transport
This done we can tell Postfix to use the new configuration with the following commands:
postmap /etc/postfix/transport
postfix reload
Dovecot configuration ¶
To make emails available to the users we well need a POP/IMAP server, we choose to use Dovecot, so we will need to install it, we will do the Debian way with the following command (we will install ntp also, that is needed because Dovecot could have problem if time is moving backwards); :
aptitude install dovecot-imapd dovecot-pop3d ntp
then we will need to tell Dovecot where to find the emails and how to authenticate users.
The first step is to modify the default configuration to access to the /var/mail/vmail directory as the user vmail, having mailbox in the form username/mydomain.it; this can be done putting the following lines in /etc/dovecot/dovecot.conf:
mail_location = maildir:/var/mail/vmail/%d/%n
mail_privileged_group = vmail
first_valid_uid = 106
where 106 is the vmail uid (as before this could be different on different installations).
The second step is to enable the user authentication over the MySQL data, this can be done removing the default PAM configuration for the userdb and passdb directives, putting instead something like the following in /etc/dovecot/dovecot.conf:
passdb sql {
args = /etc/dovecot/dovecot-mysql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-mysql.conf
}
then we will need to create the file /etc/dovecot/dovecot-mysql.conf to tell Dovecot how to access to the database; it should be something like:
driver = mysql
connect = host=localhost dbname=postfixadmin user=postfixadmin password=secretandcomplexpassword client_flags=0
default_pass_scheme = MD5
user_query = SELECT maildir, 106 AS uid, 61 AS gid FROM mailbox WHERE username = '%u'
password_query = SELECT password FROM mailbox WHERE username = '%u' AND active = '1'
where 106 and 61 are respectively the uid and gid of the user vmail.
To check if everything is working fine you can connect to the server with an email client and look at the email you previously sent.
Authenticated SMTP ¶
This will be provided by telling Postfix to use Dovecot as authentication provider. The first step is to setup Dovecot to provide an authentication socket for Postfix; this can be done by adding the following lines to /etc/dovecot/dovecot.conf:
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
after restarting Dovecot this will create the socket in the Postfix chroot as private/auth, and it should look like this:
# ls /var/spool/postfix/private/auth -l
srw-rw---- 1 postfix postfix 0 29 set 18:59 /var/spool/postfix/private/auth
The second step is to configure Postfix to use this socket, this will be done adding the following lines to /etc/postfix/main.cf:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
The rest is just the ordinary Postfix configuration needed to accept SASL authenticated sessions, forcing them to be done using TLS for security, so you will need to enable SASL authentication under TLS adding the following lines to /etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes
smtp_sasl_application_name = smtpd
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
and force use of TLS:
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
and then give relay permission to authenticated users adding the line permit_sasl_authenticated to the smtpd_recipient_restrictions parameter, that should look like:
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_rbl_client zen.spamhaus.org,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unauth_destination
Postfixadmin is a very nice web interface to manage email accounts and domain, but like all GUI or web based interfaces using it is not so practical when you have to create hundreds of accounts in a single shot. For this reason we developed a simple Python script that will do mass account creation. You can find it in the attachment.
The script is quite easy to use, it just need a CSV file with the account list; it should work with any kind of CSV file, but it was tested just with the default output of OpenOffice?.org Calc. The first line of the file should contains the column names, the script will look only to columns named user, domain, password and name (case sensitive!); they will have the meaning explained in the following table:
user | user part of the email (like user in user@…) |
password | cleartext password |
domain | domain name (like 'domain.com') |
name | full user name ('Name Surname') |
It's only needed to provide at least the user, domain and password columns, and the script will fill the database tables creating accounts and domains. The email accounts will be in the form user@domain, with password password for each line present in the CSV file. It will also create all domains present in the file and, if the -A option is given, also the default accounts (abuse, hostmaster, postmaster, webmaster) for each domain.
The script requires a single argument, the name of the CSV file, and the -p option followed by the database access password (i.e., following the previous instructions, "secretandcomplexpassword"). There are some more option to set database name, database user name, database host, etc. but the default values should be good because they are the same used by the default installation of Postfixadmin. The whole list of options can be printed executing the script without arguments or with the -h option.
The script doesn't do data validation, so it is published without any warranty (under the GPL licence). This means that making a database backup before using it is strongly suggested. It will print errors if some accounts or domains are already present in the database, skipping creation (i.e. it will not overwrite them), but it will create all other accounts and domains not already present. It will also skip the creation of a duplicated account.
Attachments
REFERENCEhttp://labs.truelite.it/truedoc/wiki/EnPostfixAdminInst