Linux Mail Server Setup and Howto Guide » Postfix

MailScanner, Postfix, ClamAV and SpamAssassin Setup Howto for Ubuntu 10.04

consultant — Sun, 18 Sep 2011 20:59:11 +0000

This page will guide you in configuring MailScanner, ClamAV and SpamAssassin to work in Postfix. Before proceeding, make sure Postfix is installed and working.

Configuring MailScanner

1. Install MailScanner using the command below.

sudo apt-get install mailscanner

2. Edit the file /etc/MailScanner/virus.scanners.conf and change the path of clamav to /usr.

3. Edit the file /etc/MailScanner/MailScanner.conf and update the lines below.

%org-name% = your organization name
%org-long-name% = your full organization name
%web-site% = your mail support website or company website
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Group = clamav
Incoming Work Permissions = 0640
MTA = postfix
Virus Scanners = clamd
Use SpamAssassin = yes
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

4. Edit the file /etc/default/mailScanner and update the line below

run_mailscanner=1

5. Edit the file /usr/sbin/mailscanner and add a -U parameter on the first line.

Integrating MailScanner into Postfix

1. Edit the file /etc/postfix/main.cf and add the line below

header_checks = regexp:/etc/postfix/header_checks

2. Create the file /etc/postfix/header_checks and add the line below

/^Received:/ HOLD

This will now place all incoming mail into the holding area until released by MailScanner.

3. Use the commands below to start MailScanner.

sudo service postfix restart
sudo service clamav-daemon start
sudo service mailscanner start

4. Test if Postfix is still working. See Test Postfix using Telnet.

If you encounter any problems, check the log file at /var/log/mail.log.

Congratulations

Congratulations, your mails are now checked for spam and viruses. Each mail you send or receive will now contain the lines below to indicate that MailScanner is doing its job.

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

The English language message templates used in MailScanner is stored in /etc/MailScanner/reports/en and can even be configured to add a disclaimer message to outgoing mails.

Postfix SMTP Server Setup Howto for Ubuntu 10.04

consultant — Sun, 11 Sep 2011 21:45:19 +0000

Installing and setting up Postfix SMTP Server in Ubuntu 10.04 is easy. Postfix by default uses the mbox mail format so we’ll just change it to maildir.

Configure Postfix

1. Edit the file /etc/postfix/main.cf using the command

sudo vi /etc/postfix/main.cf

and add the line below

home_mailbox = Maildir/

In main.cf, lines starting with # are comments. Save the file after completing your changes.

Make sure that the mail_spool_directory and mailbox_command lines are commented out. Otherwise, it will override the setting in the home_mailbox line.

If you are not familiar with vi, check out this quick vi tutorial.

2. Restart postfix using the command

sudo service postfix restart

Test Postfix

Here is a sample postfix session. Replace johndoe with any valid user account. The dot after the line test is a command that should be typed in.

If you need to add new user accounts, learn how to add or remove user accounts here.

johndoe@mail:~$ telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail ESMTP Postfix (Ubuntu)
ehlo localhost
250-mail
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:
250 2.1.0 Ok
rcpt to:
250 2.1.5 Ok
data
354 End data with .
test
.
250 2.0.0 Ok: queued as 9729067C17
quit
221 2.0.0 Bye
Connection closed by foreign host.
johndoe@mail:~$

To check if the mail indeed exists

johndoe@mail:~$ cd /home/johndoe/Maildir/new
johndoe@mail:~/Maildir/new$ ls
1185669817.Vfd00I18012M795756.mail
johndoe@mail:~/Maildir/new$ cat 1185669817.Vfd00I18012M795756.mail

Don’t worry, you don’t have to type in the whole filename above. Just type in the first few characters say 118 then press Tab to activate automatic completion.

From johndoe@mail.acme.local  Thu Feb 22 21:48:28 2007
Return-Path: 
X-Original-To: johndoe
Delivered-To: johndoe@mail.acme.local
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
        by mail.acme.local (Postfix) with SMTP id 9729067C17
        for ; Thu, 22 Feb 2007 21:48:26 -0500 (EST)
Message-Id: <20070222134827.9729067C17@mail.acme.local>
Date: Thu, 22 Feb 2007 21:48:26 -0500 (EST)
From: johndoe@mail.acme.local
To: undisclosed-recipients:;

test

johndoe@mail:~/Maildir/new$

If you encounter any problems, check the log file at /var/log/mail.log.

Postfix SMTP Authentication and Dovecot SASL for RHEL/CentOS 6

consultant — Sun, 31 Jul 2011 12:28:15 +0000

SMTP Authentication (SMTP Auth) provides an access control mechanism that can be used to allow legitimate users to relay mail while denying relay service to unauthorized users, such as spammers.

Configure Postfix and Dovecot

1. Edit the file /etc/dovecot/conf.d/10-master.conf and make sure your service auth section has the lines below.

service auth {	
  unix_listener /var/spool/postfix/private/auth {
	mode = 0666
	user = postfix
	group = postfix
  }	
}

2. Edit the file /etc/dovecot/conf.d/10-auth.conf and update the line below.

auth_mechanisms = plain login

3. Edit /etc/postfix/main.cf, find the keys below and change its values as follows or add it at the bottom of the file if the key (the word before the = sign) cannot be found.

mynetworks = 127.0.0.0/8
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =  permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_unauth_destination
broken_sasl_auth_clients = yes

The first line says trust only localhost, meaning only localhost can send email outside the network (relay). The last line is there to support old clients like Microsoft Outlook Express 4.0 and Microsoft Exchange 5.0 just in case someone is still using it.

Lines starting with # are comments. Save the file after completing your changes.

4. Configure SELinux using the commands below. Here’s the content of postfixdovecotsasl.te

wget linuxmail.info/files/rhel6/postfixdovecotsasl.te
checkmodule -M -m -o postfixdovecotsasl.mod postfixdovecotsasl.te
semodule_package -o postfixdovecotsasl.pp -m postfixdovecotsasl.mod
semodule -i postfixdovecotsasl.pp

5. Restart the Dovecot and Postfix service. But if you installed MailScanner, restart MailScanner instead of Postfix. Learn how to restart services here.

Test Postfix

In a Terminal window, type in the highlighted commands below.

Sample postfix session

[root@mail ~]# telnet mail smtp

Replace mail with the name of your server. We should not use localhost since localhost is a trusted client ip address. And make sure the domain name you specified does not resolve to 127.0.0.1 which is the IP address of localhost.

Trying 192.168.0.1...
Connected to mail.acme.local (192.168.0.1).
Escape character is '^]'.
220 mail.acme.local ESMTP Postfix
ehlo localhost
250-mail.acme.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Note the new 250-AUTH lines. See the old SMTP Telnet Test.

mail from:
250 2.1.0 Ok
rcpt to:
554 5.7.1 : Relay access denied

It works, now to check if we can send it after authenticating.

auth plain AGpvaG5kb2UAcGFzc3dvcmQ=
235 2.0.0 Authentication successful
rcpt to:
250 2.1.5 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]#

You can send to email addresses belonging to your domain without authentication. This is normal as it enables you to receive mail from the outside.

The gibberish text after AUTH PLAIN is the base64 encoded value of the user name johndoe and password password. You can generate your own base64 text using the form below.

If you encounter any problems, check the log file at /var/log/maillog.

«« Previous: How to Setup Dovecot

Next: How to Install SquirrelMail »»

Postfix SMTP Server Setup Howto for RHEL/CentOS 6

consultant — Thu, 21 Jul 2011 23:57:37 +0000

Installing and setting up Postfix SMTP Server in Red Hat Enterprise Linux 6 or CentOS 6 is easy. Postfix has secure default settings so we just need to open it up a bit.

Configure Postfix

1. Edit the file /etc/postfix/main.cf and update the lines below.

inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
home_mailbox = Maildir/

In main.cf, lines starting with # are comments. Save the file after completing your changes.

Make sure that all mail_spool_directory lines are commented out. Otherwise, it will override the setting in the home_mailbox line above.

2. Restart the postfix service. Learn how to restart services here.

Test Postfix

1. Click Applications, select System Tools, and click Terminal. This will launch the Terminal window.

2. In the Terminal window, type in the highlighted commands below.

Sample postfix session. Replace johndoe with any valid user account. The dot after the line test is a command that should be typed in.

If you need to add new user accounts, learn how to add or remove user accounts here.

[root@mail ~]# telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.acme.local ESMTP Postfix
ehlo localhost
250-mail.acme.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:
250 2.1.0 Ok
rcpt to:
250 2.1.5 Ok
data
354 End data with .
test
.
250 2.0.0 Ok: queued as 9729067C17
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]#

To check if the mail indeed exists

[root@mail ~]# cd /home/johndoe/Maildir/new
[root@mail new]# ls
1185669817.Vfd00I18012M795756.mail.acme.local
[root@mail new]# cat 1185669817.Vfd00I18012M795756.mail.acme.local

Don’t worry, you don’t have to type in the whole filename above. Just type in the first few characters say 118 then press Tab to activate automatic completion.

From johndoe@mail.acme.local  Thu Feb 22 21:48:28 2007
Return-Path: 
X-Original-To: johndoe
Delivered-To: johndoe@mail.acme.local
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
        by mail.acme.local (Postfix) with SMTP id 9729067C17
        for ; Thu, 22 Feb 2007 21:48:26 -0500 (EST)
Message-Id: <20070222134827.9729067C17@mail.acme.local>
Date: Thu, 22 Feb 2007 21:48:26 -0500 (EST)
From: johndoe@mail.acme.local
To: undisclosed-recipients:;

test

[root@mail mail]#

If you encounter any problems, check the log file at /var/log/maillog.

Review your Postfix aliases configuration file. There are some predefined email aliases that might conflict with your existing mail accounts like sales, marketing, info, etc.

«« Previous: How to Setup CentOS 6 Linux

Next: How to Setup Dovecot »»

Static DB Virtual Users in Postfix and Dovecot

consultant — Sat, 29 May 2010 05:44:44 +0000

This article describes how to use a text file or static db file as the source for user accounts in Postfix and Dovecot. This is suitable for very simple mail account requirements. For larger implementations, check out the MySQL virtual accounts or Active Directory/LDAP virtual accounts.

Create the Virtual Mail User Account

1. Create a new user, we will call it vmail. Change the Login Shell to /sbin/nologin, this user account should not be used for logging in. Learn how to use the User Manager application here.

2. Take note of the User ID and Home Directory of vmail.

3. Click the Groups tab and now note down the Group ID of vmail. We’ll be needing all of them later.

Configure Postfix for Virtual User Accounts

1. Edit the postfix configuration file /etc/postfix/main.cf and edit the line below

mydestination = $myhostname, localhost.$mydomain, localhost

and add the lines below

virtual_mailbox_domains = $mydomain
virtual_mailbox_base = /home/vmail/
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_uid_maps = static:501
virtual_gid_maps = static:501

virtual_mailbox_base, virtual_uid_maps and virtual_gid_maps should contain the home directory, user id and group id of vmail respectively.

2. Create the file /etc/postfix/vmailbox containing the mapping from an email address to a mailbox path relative to virtual_mailbox_base. See the example below.

johndoe@acme.local johndoe/Maildir/
janedoe@acme.local janedoe/Maildir/

3. Type in the command below to generate the static db that will be used for the lookup.

postmap /etc/postfix/vmailbox

4. Restart the Postfix or MailScanner service if you have installed MailScanner. Learn how to start and stop services here.

5. Try sending an email. See Test Postfix using Telnet. New mails should now be stored under the path specified in virtual_mailbox_base.

Configure Dovecot Virtual User Accounts

1. Edit the file /etc/dovecot.conf and change the value of the following keys below

passdb static {
  args = /etc/dovecot-passdb
}

userdb static {
  args = uid=501 gid=501 home=/home/vmail/%u
}

uid, gid and home should contain the user id, group id and home directory respectively of the vmail user account.

Make sure comment out all the other passdb and userdb sections to avoid any conflicts.

2. Create the file /etc/dovecot-passdb containing the password of a user name. See the example below.

johndoe:{PLAIN}secret
janedoe:{HMAC-MD5}dd59f669267e9bb13d42a1ba57c972c5b13a4b2ae457c9ada803dc7d8bae4ab

You can generate a hash password using the dovecotpw command.

3. Restart the dovecot service. Learn how to start and stop services here.

4. Test Dovecot using Telnet. You should be able to read the recently sent mail which was stored in a new location.

Postfix Restrict Senders or Recipients

consultant — Mon, 17 May 2010 12:52:16 +0000

This article describes how to configure Postfix to restrict mails from a sender, to a recipient, or both.

Restrict Sender

This section describes how to allow/reject a specific sender or a specific domain.

1. Edit the file /etc/postfix/main.cf and add the line below.

smtpd_sender_restrictions = 
  check_sender_access hash:/etc/postfix/sender_access

2. Create the file /etc/postfix/sender_access and review the example below.

janedoe@acme.local  REJECT
bugsbunny@acme.com  OK
acme.com            REJECT

3. Type in the command below in a terminal window to create a hash file.

postmap /etc/postfix/sender_access

4. Restart the Postfix or MailScanner service. Learn how to restart services.

Restrict Recipient

This section describes how to allow/reject a specific recipient or a specific domain.

1. Edit the file /etc/postfix/main.cf and add the line below.

smtpd_recipient_restrictions = 
  check_recipient_access hash:/etc/postfix/recipient_access,
  reject_unauth_destinations

2. Create the file /etc/postfix/recipient_access and review the example below.

janedoe@acme.local  REJECT
bugsbunny@acme.com  OK
acme.com            REJECT

3. Type in the command below in a terminal window to create a hash file.

postmap /etc/postfix/recipient_access

4. Restart the Postfix or MailScanner service. Learn how to restart services.

Restrict Sender and Recipient

This section describes how to restrict both the sender and recipient. Example usage of this is when you have a private domain which should not be allowed to send to the internet.

1. Edit the file /etc/postfix/main.cf and add the lines below.

smtpd_recipient_restrictions = 
  check_sender_access hash:/etc/postfix/sender_access,
  reject_unauth_destinations

smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, 
  reject

2. Create the file /etc/postfix/sender_access and review the example below.

acme.local  local_only

3. Create the file /etc/postfix/local_domains and review the example below.

acme.local  OK

4. Type in the command belows in a terminal window to create the hash files.

postmap /etc/postfix/sender_access
postmap /etc/postfix/local_domains

5. Restart the Postfix or MailScanner service. Learn how to restart services.

Add a Disclaimer to Outgoing Postfix Emails

consultant — Sun, 16 May 2010 10:55:14 +0000

This article describes how to use MailScanner to add a disclaimer message to outgoing mails in Postfix. Make sure MailScanner is integrated into Postfix and tested to be working.

1. Edit the file /etc/MailScanner/reports/en/inline.sig.txt and /etc/MailScanner/reports/en/inline.sig.html and replace it with your own message.

2. Edit the file /etc/MailScanner/MailScanner.conf and update the line below.

Sign Clean Messages = /etc/MailScanner/rules/signing.rules

3. Create the file /etc/MailScanner/rules/signing.rules and add the lines below.

From:      *@acme.local  yes
FromOrTo:  default       no

Replace acme.local with your own domain name.

4. Restart the MailScanner service. Learn how to restart services.

5. You should now see your disclaimer message on outbound emails.

Backup Postfix Mailbox

consultant — Sun, 09 May 2010 12:36:48 +0000

Backing up your mailboxes is a simple as copying your mailbox folder. This article describes how to backup and restore your Postfix mailboxes using the tar command.

To backup the mailbox, type the command below in a terminal window.

tar cvzf mailbox-`date +%F_%H%M`.tar.gz /home/vmail

Replace /home/vmail with the location of your own mailbox.

To restore the mailbox, type the command below in a terminal window.

tar xvzf mailbox.tar.gz -C /

Replace mailbox.tar.gz with the name of your backup file.

Ideally, the Postfix and Dovecot configurations should be documented, or better yet, maintained using a change configuration process. But you can also use the procedure above to backup the /etc directory although it is not recommended since you may restore your configuration on an updated OS.

Postfix SMTP Gateway

consultant — Sun, 02 May 2010 23:12:21 +0000

To improve security or offload services like virus and spam checking, you may want to implement an SMTP gateway. This article describes how to configure Postfix as an SMTP gateway.

DMZ Mail Server

The DMZ mail server forwards the inbound mail to the internal mail server and delivers the outbound mail.

1. Edit /etc/postfix/main.cf and update the lines below.

mydestination = 
local_recipient_maps = 
local_transport = error:local mail delivery is disabled

mynetworks = 127.0.0.0/8 192.168.1.3
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_restrictions = permit_mynetworks
    reject_unauth_destination

The first three lines above disables local delivery. Replace 192.168.1.3 with the IP address of your internal mail server.

2. Edit the file /etc/postfix/transport and add the line below.

example.com :[192.168.1.3]

Replace 192.168.1.3 with the hostname or IP address of your internal mail server.

3. Type the line command below to create a transport database file.

postmap /etc/postfix/transport

4. Restart the Postfix or MailScanner service if you have installed it. Learn how to start and stop services here.

5. You should now be able to send mails to your DMZ mail server and those mails will be automatically relayed to your internal mail server. See Test Postfix using Telnet.

Internal Mail Server

The internal mail server holds the mailbox and forward all outbound mail to the DMZ mail server for delivery. Make sure you have working Postfix mail server.

1. Edit /etc/postfix/main.cf and update the lines below.

transport_maps = hash:/etc/postfix/transport

2. Edit the file /etc/postfix/transport and add the lines below.

example.com    :
.example.com   :
*              smtp:[192.168.3.2]

Replace 192.168.3.2 with the hostname or IP address of your DMZ mail server.

3. Type the line command below to create a transport database file.

postmap /etc/postfix/transport

4. Restart the Postfix or MailScanner service if you have installed it. Learn how to start and stop services here.

5. Your outbound mail should now be sent the DMZ mail server. See Test Postfix using Telnet.

SMTP Gateway Notes

It is easy to setup an SMTP gateway mail server but you also need to consider the items below.

Add Antivirus and Antispam Filtering. Since the DMZ mail server is exposed on the internet, make sure it has anti-virus and anti-spam filtering.
Verify Recipient. If possible, you also need to apply the same recipient verification method you used in your internal mail server. This will allow your DMZ mail server to reject all invalid recipient address instead of having the internal mail server bounce the relayed emails with invalid recipients. Use the relay_recipient_maps setting in /etc/postfix/main.cf to specify the valid recipients.
Use IP Address. By specifying the hostname or IP address in the transport file, the DNS MX lookup can be eliminated. Specifying the IP address will be even better since this will eliminate the need for any DNS lookup.
Flush Mail Queue. You can force Postfix to immediately send all the mail in its queue by typing in the command below.
```
postfix flush
```

Prevent Sender From Spoofing Email Address

consultant — Fri, 30 Apr 2010 15:22:59 +0000

Postfix can be configured to prevent email senders from using an email address that does not belong to them. This article describes how to configure the sender restriction in Postfix to prevent senders from spoofing email addresses.

1. Make sure SMTP authentication in Postfix is working.

2. Create a Postfix map file which returns a user name given an email address. The line below is a regular expression that returns the user part from an email address. Example, bugsbunny@acme.local returns bugsbunny as the user name. If this works for you, then save it into the file /etc/postfix/sender_login.pcre

/(.*)@.*/ $1

3. Edit the file /etc/postfix/main.cf and add the lines below.

smtpd_sender_login_maps = pcre:/etc/postfix/sender_login.pcre
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch

If you have a different map file, specify it in the smtpd_sender_login_maps line.

4. Restart the Postfix or MailScanner service if you have installed it. Learn how to start and stop services here.

5. Try sending an email using an address that does not belong to you, Postfix should reject your attempt.