Full Version: Installing A Postfix Mail Server
hughesjr
This is going to be a Postfix mail server install on WhiteBox Enterprise Linux (or another RHEL clone like TaoLinux or CentOS). There are several items in that install that could be removed if absolutely necessary ... however, I will only remove sendmail, because I am going to install PostFix as the MTA.

This install is as lean as possible, and does not contain a GUI. You will need to know how to use an editor in console mode. There are several, I use vi ... nano is also in this install. Either can be used ... please become familiar with a console editor before attempting this install. You will see steps that say edit file /xxx/xxxx ... you should use your preferred editor to do these steps.

All commands are done at the command prompt as root.

Here is the procedure.

1. Perform at least a minimum WBEL (or CentOS, or TaoLinux) install per this Guide.

Steps 2 - 4 are deleted ... they are now included in the above guide.

5. Now we need to install, or verify as installed, all the packages that we need for setting up Postfix with SASL, SMTP AUTH, IMAP and POP3. This will install all the required packages:

yum install postfix imap imap-devel cyrus-sasl cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain cyrus-sasl-devel

{the above is all one line with a space between each name (if it wraps)}

6. Now we need to remove sendmail, since postfix is the new MTA.

yum remove sendmail

7. Now is a good time to discuss what needs to be set up for naming. There are specific naming requirements for an e-mail server. The first is the name of the server itself. In WBEL, there are 2 places the server name needs to be ... and it needs to be the same in each place. The places are:

a. The file /etc/sysconfig/network ... mine says this:
NETWORKING=yes
HOSTNAME=mail.home.local


(mail is the computer name .... home.local is the domain name.)

b. The file /etc/hosts needs the same entry ... here is my /etc/hosts:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.168.0.29 mail.home.local


8. Another requirement for a mail server is to have a DNS MX record for the domain (in my case home.local) that points to the e-mail server (in my case mail.home.local). This domain is not real outside my test network, but it does work inside my network (on a 192.168.0.0 network) because I have a DNS server for testing. You would need to add (or have your service provider add) an MX record for your domain. Here is what a dig lookup looks like for my MX record on home.local.
dig -t mx home.local

; <<>> DiG 9.2.2 <<>> -t mx home.local
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16265
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;home.local.                    IN      MX

;; ANSWER SECTION:
home.local.            3600    IN      MX      10 mail.home.local.

;; ADDITIONAL SECTION:
mail.home.local.        3600    IN      A      192.168.0.29

;; Query time: 2 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Mon May 17 21:12:39 2004
;; MSG SIZE  rcvd: 65


The question in the question section is home.local's MX record ... the answer section says home.local's email server is mail.home.local ... and the additional section says mail.home.local is 192.168.0.29. I have a separate A record for 192.168.0.29 tied to the name mail.home.local in the DNS server.

In order for your e-mail server to really work (to receive mail from the internet), you need a real domain name that you own, an IP address, and a valid DNS MX record and A record pointing to your mail server. You can use services like zoneedit.com and dyndns.org (or others) to apply a domain name to a dynamic IP address (like a cable or DSL account) ... then set up A and MX records there.

9. Once you have your MX and A DNS records set, you are ready to configure your Postfix ... first we will edit the file /etc/postfix/main.cf and setup the important parameters. I am only going to list the parameters to get one fully functional domain working ... where there is no relaying except for users who have logged on. I will only discuss the parameters that need changing from the default:

myhostname = mail.home.local

mydomain = home.local

myorigin = $mydomain

inet_interfaces = $myhostname

mydestination = $myhostname, $mydomain, localhost

local_recipient_maps = unix:passwd.byname $alias_maps

unknown_local_recipient_reject_code = 550

mynetworks_style = subnet

(this will allow me to relay mail on my 192.168.0.0/255.255.255.0 subnet ... if you only own 1 IP ... you will leave this remarked out and use mynetworks_style = host instead.)

relay_domains = $mydestination

mail_spool_directory = /var/spool/mail


That is all the original stuff that needed changing .... here are the items added for SASL / SMTP AUTH (added to the bottom of the /etc/postfix/main.cf file):

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains


Also in the bottom of the /etc/postfix/main.cf file, you can add a setting for max mail box size and max attachment size ... I will assume 20mb max attachment and 100mb max mailbox size ... here is what to add for that:

message_size_limit = 20971520
mailbox_size_limit = 104857600


Here is my current /etc/postfix/main.cf file for this install ...
http://www.hughesjr.com/wbel/postfix/main.cf.txt

10. Now we need to turn on IMAP, POP3, IMAPs, POP3s. All these are optional. You want to edit the following files in the directory /etc/xinetd.d:

ipop3
pop3s
imap
imaps


For the services you want to turn on, change the line:

disable = yes

to

disable = no

I turned on imap, imaps, pop3s ... but not ipop3.

To restart xinetd, issue the command:

/etc/init.d/xinetd restart

11. Next we want to get saslauthd working. We need to edit the file /etc/sysconfig/saslauthd and make sure it says this:

MECH=pam

Next we need to edit the file /usr/lib/sasl2/smtpd.conf and make sure it says:

pwcheck_method: saslauthd

Now we need to set postfix as the MTA ... do this:

alternatives --config mta

... select postfix (on my setup the number 1)

Now we need to start the saslauthd service with this command:

/etc/init.d/saslauthd restart
(if it wasn't previously running, the first shutdown may fail ... but the start should say [OK].)

restart postfix with the command:

/etc/init.d/postfix restart

12. Next we need to make sure postfix and saslauthd will start on reboot in at least modes 3,4,5 ... to do this issue the following command:

chkconfig --list | grep postfix

The output should be similar to this:
postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Then do:
chkconfig --list | grep saslauthd

It should also look like this:
saslauthd 0:off 1:off 2:off 3:on 4:on 5:on 6:off

If it is off all across the board, issue this command:

chkconfig saslauthd on

Then redo the chkconfig --list | grep saslauthd command ... it should now be good.

Now we should check pop and imap services with the command:

chkconfig --list | grep pop

and

chkconfig --list | grep imap

The pop3 and imap services you want to start should say on, the ones you don't want should say off.

13. If you have iptables on, you can adjust the open ports with the command:

redhat-config-securitylevel-tui

Select enable and then Customize ...

You will need to open imap:tcp imaps:tcp pop3:tcp pop3s:tcp https:tcp in the bottom, as well as checking ssh and www at the top (that includes the later squirrelmail addon as well) and it allows you to ssh into the box ... or you can use the below file in /etc/sysconfig/iptables:

http://www.hughesjr.com/wbel/postfix/iptables.txt

This is a very basic iptables that is fairly secure for the e-mail server as a standalone machine inside your network ... security of your server is your call, not mine, this is just a suggested iptables that should allow you to have an e-mail server that works and is fairly secure.

14. In order to use PAM (ie, normal linux users with passwd / shadow usernames and passwords) as your SMTP authentication method, you MUST allow (and use) PLAIN text or Login as your Mail Client authentication method.

There is an indicated security problem with some older software concerning the permissions of the /var/spool/mail directory ... the error in /var/log/maillog is:

Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

According to the RedHat mailing list, this is not really a problem ... although the fetchmail and ipop3d software included with RHEL and the clones think it is. You can ignore the error ... or ... you can use the command:

chmod 1777 /var/spool/mail

Either solution is acceptable.

15. In this setup, all users who have accounts on this server with a password can send and receive e-mail.

16. I am going to close this topic for posting ... if you have questions about this guide or your implementation of it, please post a topic in the Technical support forum.

I will next add httpd (apache), php and squirrelmail to this server in another post, so your users can also have webmail.
hughesjr
Next comes adding squirrelmail to the server. This will require, at a minimum, squirrelmail, php, httpd and curl to be installed.

1. The first part is installing the new packages. The command to do that is:

yum install squirrelmail php httpd curl

2. The /etc/php.ini file needs to be edited and have the value register_globals set to on. Find register_globals = Off and change it to:

register_globals = On

Also in /etc/php.ini is the variable upload_max_filesize ... it is normally set to 2M (that is 2 mb) ... set this to the max size for your attachments ... I'll assume 20M

upload_max_filesize = 20M
post_max_size = 20M
memory_limit = 20M

(you may need to adjust the post_max_size and memory_limit to be higher than 20M ... maybe as high as 40M to get 20M attachments.)

3. You need to configure squirrelmail by doing the following:

cd /usr/share/squirrelmail/config
perl ./conf.pl


select the options that you want in each area. This will make changes in the file /etc/squirrelmail/config.php.

The type of imap server is uw.

4. You must start the httpd server to run squirrel mail ... to make it start at every bootup, issue the command:

chkconfig httpd on

to start it now without rebooting, issue this command:

/etc/init.d/httpd start

5. You can download plugins (I downloaded and installed the change_passwd plugin and the Compatibility plugin so users can change their password) from SquirrelMail.org.

6. To login to the squirrelmail, use http://servername/webmail/

7. The home directory of your webserver is still default at this point, you can add items to /var/www/html to get rid of the default page ... or change the /etc/httpd/conf/httpd.conf file to point directly to /usr/share/squirrelmail as its root directory.

8. Just for info, this server is now only up to 578Mb of used hard drive space. (540Mb when starting with the Minimal install).

Next will be adding MailScanner with Spamassassin to filter incoming SPAM and Clam AntiVirus for scanning all incoming mail for viruses.
hughesjr
Here comes the last part of the PostFix E-mail server install.

That is to install Mailscanner utilizing Spamassassin and ClamAV.

There are going to be 3 ways to do this install ... one way is to add Dag Wieers' RHEL 3 yum repository to your /etc/yum.conf file. If you do this, it can upgrade several of your files to newer versions that Dag has compiled to work with RHEL 3. Most, if not all, of these programs work perfectly ... however, they are NOT standard RHEL (and therefore WBEL) programs. If you use this method, you get a newer version of Spam Assassin than that included with WBEL (2.63 instead of 2.55 at the time of this guide), and you won't have to build the ClamAV files. I will not use this method though, because I want the server to be as close to WBEL as possible.

Step 1 (Option 1)
If you want to use Dag's yum repository, add this to the bottom of your /etc/yum.conf file :

[extras]
name=Dag-RHEL-Yum
baseurl=http://apt.sw.be/redhat/el3/en/i386/dag/



Now install spamassassin and clamav like this (this also includes other packages that will be required later for other parts of this install):

yum install spamassassin clamav clamav-devel sendmail-devel bzip2-devel gmp-devel zlib-devel autoconf automake rpm-build rpm-devel gcc perl-CPAN
(this is all one line)

It will take several minutes for all the new headers to download. If you want to upgrade all your packages to the latest ones that Dag has, when this completes, issue the command:

yum upgrade

I have never had a problem with any files in Dag's repository, but if you want to maintain your Enterprise distro as close to RHEL as possible, then skip the above steps and use Step 1 (option 2) below.
-------------------------------------------------
Step 1 (Option 2)
If you choose this method, don't add the info for Dag's yum repository above to your /etc/yum.conf file. We will first install the spamassassin that comes with WBEL like this:

yum install spamassassin

Next we will download the latest source RPM for ClamAV and build the RPM files we need for install. You can get the latest RedHat SRPM from HERE. At the time of this guide, you can issue the command:

wget http://crash.fce.vutbr.cz/crash-hat/2/clamav/clamav-0.74-1.src.rpm


In order to build the ClamAV rpms, we need to install several rpms ... use this command:

yum install sendmail-devel bzip2-devel gmp-devel zlib-devel autoconf automake rpm-build rpm-devel gcc perl-CPAN

Now go to the directory where you downloaded the ClamAV source file to and issue the command:

rpmbuild --rebuild clamav-0.74-1.src.rpm

This should complete with a + exit 0 ... if it does, issue this command to install ClamAV:

cd /usr/src/redhat/RPMS/i386
rm *debug*
rpm -Uvh clamav-0.74-1.i386.rpm clamav-devel-0.74-1.i386.rpm

-------------------------------------------------
Step 1 (Option 3)
There is now a third option. First we will install all the required packages except ClamAV:

yum install spamassassin sendmail-devel bzip2-devel gmp-devel zlib-devel autoconf automake rpm-build rpm-devel gcc perl-CPAN

Then you can download the 2 required ClamAV files, already built for WBEL/CentOS/TaoLinux from HughesJR.com HERE. You want the files clamav-0.74-1.EL.i386.rpm and clamav-devel-0.74-1.EL.i386.rpm. You would install them with the command:

rpm -Uvh clamav-0.74-1.EL.i386.rpm clamav-devel-0.74-1.EL.i386.rpm

OK ... regardless of the install method you chose for getting ClamAV and Spamassassin installed ... Option 1, Option 2, or Option 3 ... the rest of this should be followed to get MailScanner working with those 2 programs.....
---------------------------
2. Install the ClamAV Perl module via these instructions. I was able to accept all the defaults in the install all the way down to picking the closest CPAN servers (for step 1). I chose a couple from the first USA page. I did not upgrade CPAN ... I just installed the module via Steps 1, 2 and 3. SKIP steps 4 and 5 until we install MailScanner below....you are finished with this page and should now have the ClamAV perl module installed.

3. Download the latest MailScanner from here:

http://www.sng.ecs.soton.ac.uk/mailscanner...er/files/4/rpm/

Currently, MailScanner-4.32.2-1.rpm.tar.gz ... you can download this version with:
wget http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.32.2-1.rpm.tar.gz

4. Now we will unpack it with the command:

tar -xvzf MailScanner-4.32.2-1.rpm.tar.gz

5. Now we will install MailScanner by going into the extracted directory and issuing these commands:

cd MailScanner-4.32.2-1
export LANG=C; ./install.sh


6. After this completes, you need to turn off the startup of postfix and make MailScanner start on bootup like this:

/etc/init.d/postfix stop
chkconfig postfix off
chkconfig --level 2345 MailScanner on


7. Now we will configure MailScanner to run with postfix. We will have 2 instances of postfix running ... one that receives the mail and delivers it to the scan directories, the other that delivers scanned mail to the users.

8. Copy the /etc/postfix directory to /etc/postfix.in with the following command:

cp -rp /etc/postfix /etc/postfix.in

9. Tell the incoming Postfix not to deliver mail: Edit /etc/postfix.in/main.cf and add a line at the top that says this:
defer_transports = smtp local virtual relay

10. In the same file, look for the definition
queue_directory = /var/spool/postfix
and change it to
queue_directory = /var/spool/postfix.in

11. Copy the current postfix spool area to the new incoming setup area using a command:

cp -rp /var/spool/postfix /var/spool/postfix.in

12. Tell the outgoing Postfix not to provide an SMTP service: Edit /etc/postfix/master.cf and comment out the following line by inserting a # at the start of the line:

smtp   inet    n       -       n       -       -       smtpd

so it looks like this:

#smtp   inet    n       -       n       -       -       smtpd


13. Now we are ready to set up the file /etc/MailScanner/MailScanner.conf, which is the configuration file for MailScanner. Edit it to show the following values:

%org-name% = yoursite
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix.in/deferred
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
File Timeout = 120
Maximum Archive Depth = 20
Virus Scanners = clamavmodule
Monitors for ClamAV Updates = /var/lib/clamav/*.cvd
Use SpamAssassin = yes
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin


The MailScanner file is very well documented, and here is a guide to help you configure other parts of this file so you can get the most out of your Spamassassin and have more control over how mail is delivered to your users.

Here are a couple of other optional settings in MailScanner.conf:

Spam List = ORDB-RBL SBL+XBL SORBS-DNSBL CBL RSL DSBL spamcop
Allow IFrame Tags = yes
Log IFrame Tags = yes
Allow Script Tags = yes
Allow Object Codebase Tags = yes
Convert Dangerous HTML To Text = yes
Minimum Stars If On Spam List = 3
Spam Lists To Reach High Score = 3




14. Edit /etc/sysconfig/MailScanner and set
MTA=postfix

(on versions of MailScanner > 4.32, there is code to read the info directly from /etc/MailScanner/MailScanner.conf ... so you don't have to change that, as long as MTA=postfix is set correctly in /etc/MailScanner/MailScanner.conf)

15. You will need to ensure that the user "postfix" can write to /var/spool/MailScanner/incoming and /var/spool/MailScanner/quarantine with the commands:

chown postfix.postfix /var/spool/MailScanner/incoming
chown postfix.postfix /var/spool/MailScanner/quarantine
mkdir /var/spool/MailScanner/spamassassin
chown postfix.postfix /var/spool/MailScanner/spamassassin


If you upgrade your copy of MailScanner, these directories may be changed back to being owned by root, so you may have to do the chown commands again.

16. Now you can start MailScanner by issuing the command:

/etc/init.d/MailScanner start

If you get an error concerning Zip.pm when starting MailScanner, go to the place you unzipped the MailScanner into and ran ./install from (this is outlined in step 5. above) ... and rebuild the perl-Archive-Zip-1.09-3.src.rpm package with this command (if you didn't have any errors loading MailScanner, don't do this section, but skip to Step 17):

export LANG=C; rpmbuild --rebuild perl-Archive-Zip-1.09-3.src.rpm
(see entry #22 in this bug from redhat)

Then install the package perl-Archive-Zip-1.09-3.noarch.rpm using this command:

cd /usr/src/redhat/RPMS/noarch
rpm -Uvh perl-Archive-Zip-1.09-3.noarch.rpm


Now restart MailScanner with the following command:

/etc/init.d/MailScanner restart


You should now have a fully working email server that is POSTFIX + SASL + IMAP/POP3 + SMTP AUTH + SQUIRRELMAIL + MAILSCANNER + SPAMASSASSIN + CLAMAV

17. You can now remove all the rpms from the directories under /usr/src/redhat, and you can delete all the files you downloaded and the MailScanner-4.32.2-1 directory that was created when you extracted the MailScanner file.

18. ClamAV should try to update hourly, controlled by MailScanner (via the cron job /etc/cron.hourly/update_virus_scanners).

To setup ClamAV for auto updates, edit the file /etc/MailScanner/virus.scanners.conf. Find the line:

clamav          /usr/lib/MailScanner/clamav-wrapper     /usr/local


Change it to

clamav          /usr/lib/MailScanner/clamav-wrapper     /usr


This will allow clamav to get hourly updates via /etc/cron.hourly/update_virus_scanners.

19. After this install is completely finished, my server has 668Mb used space ... not too bad for a fully functional mail server.

20. Here are the final config files for my test server:

PostFix
/etc/postfix/main.cf
/etc/postfix/master.cf
/etc/postfix.in/main.cf
/etc/postfix.in/master.cf

MailScanner
/etc/MailScanner/MailScanner.conf

SquirrelMail
/etc/squirrelmail/config.php
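As an added example covering step 9 of the first post (SMTP AUTH and relaying) and steps 9 to 12 of the MailScanner post (the two Postfix instances), here is a small Python audit that is not the guide author's code; the main.cf and master.cf texts it checks are constructed from the values shown above, and the function names are my own.

```python
# Added example (not the guide author's code): offline audit of the Postfix settings the guide sets.
import re

def parse_main_cf(text):
    """Parse 'name = value' lines; '#' comments skipped; indented lines continue a value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()  # a later definition overrides an earlier one
    return params

def expand(params, value, depth=0):
    """Expand $name and ${name} references recursively, as Postfix does."""
    if depth > 16:
        raise ValueError("parameter reference loop")
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(params, params.get(m.group(1), ""), depth + 1), value)

def value_list(params, name):
    """Expanded items of a comma/whitespace separated parameter (empty if unset)."""
    return [t for t in re.split(r"[,\s]+", expand(params, params.get(name, ""))) if t]

def audit_smtp_auth(params):
    """Step 9 of the first post: SASL on, anonymous mechanisms off, relaying guarded."""
    findings = []
    if params.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes")
    if "noanonymous" not in params.get("smtpd_sasl_security_options", ""):
        findings.append("smtpd_sasl_security_options lacks noanonymous")
    rules = value_list(params, "smtpd_recipient_restrictions")
    if not {"check_relay_domains", "reject_unauth_destination"} & set(rules):
        findings.append("no relay restriction in smtpd_recipient_restrictions")
    if "permit_sasl_authenticated" not in rules:
        findings.append("authenticated users are not permitted to relay")
    return findings

def audit_mailscanner_split(incoming, outgoing, outgoing_master):
    """Steps 9-12 of the MailScanner post: incoming defers into its own queue, outgoing has no smtpd."""
    findings = []
    deferred = set(value_list(incoming, "defer_transports"))
    missing = [t for t in ("smtp", "local", "virtual", "relay") if t not in deferred]
    if missing:
        findings.append("incoming instance does not defer: " + ", ".join(missing))
    queues = {expand(p, p.get("queue_directory", "")) for p in (incoming, outgoing)}
    if len(queues) < 2:
        findings.append("both instances use the same queue_directory")
    for line in outgoing_master.splitlines():  # a commented-out line never splits to 'smtp' first
        f = line.split()
        if len(f) >= 8 and f[:2] == ["smtp", "inet"] and f[7] == "smtpd":
            findings.append("outgoing master.cf still listens for SMTP")
    return findings

# Constructed sample files built from the values shown in the guide.
MAIN_CF = """
myhostname = mail.home.local
mydomain = home.local
mydestination = $myhostname, $mydomain, localhost
queue_directory = /var/spool/postfix
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, check_relay_domains
"""
MAIN_CF_IN = (MAIN_CF.replace("/var/spool/postfix", "/var/spool/postfix.in")
              + "defer_transports = smtp local virtual relay\n")
MASTER_CF = ("#smtp   inet    n       -       n       -       -       smtpd\n"
             "pickup    fifo  n       -       n       60      1       pickup\n")
```

Run the two audit functions against the parsed outgoing and incoming files; an empty list means the settings match what the guide describes, and each string in a non-empty list names the setting that differs.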
hughesjr
The next installment is the addition of a mysql database to store the address books and the preferences in for SquirrelMail. You can see the full directions in the file /usr/share/doc/squirrelmail-x.x.x/db-backend.txt.

1. First we need to install the package php-devel to install the PEAR classes. Use the command:

yum install php-devel

2. Now we need to add the path to the PEAR classes in our PHP include path ... edit the file /etc/php.ini and find the line:

;include_path = ".:/php/includes"

and change it to:

include_path = ".:/php/includes:/usr/share/pear"

3. Now we need to install the MySQL database and the required support packages for MySQL.

yum install php-mysql mysql mod_auth_mysql mysql-server

After install, we need to make MySQL start at boot time ... and turn it on now with these commands:

chkconfig mysqld on
/etc/init.d/mysqld start


4. Now we need to create a database in MySQL (named squirrelmail) with this command:

mysqladmin create squirrelmail

Then we will create a user that will write the information into the database. First enter mysql with this command:

mysql

You should now be at the mysql> prompt...issue this command:

GRANT select,insert,update,delete ON squirrelmail.* TO squirreluser@localhost IDENTIFIED BY 'sqpassword';
(you can substitute a different user for squirreluser and another password for sqpassword)

Next we will create the table where we will store the data. First, we want to select the database we will use to create our table in like this:

use squirrelmail

then paste this into the MySQL prompt (and press enter):

CREATE TABLE address (
    owner varchar(128) DEFAULT '' NOT NULL,
    nickname varchar(16) DEFAULT '' NOT NULL,
    firstname varchar(128) DEFAULT '' NOT NULL,
    lastname varchar(128) DEFAULT '' NOT NULL,
    email varchar(128) DEFAULT '' NOT NULL,
    label varchar(255),
    PRIMARY KEY (owner,nickname),
    KEY firstname (firstname,lastname)
  );


While we are logged in as root, let's do the preferences table as well, paste this into the prompt:

CREATE TABLE userprefs (
   user varchar(128) DEFAULT '' NOT NULL,
   prefkey varchar(64) DEFAULT '' NOT NULL,
   prefval BLOB NOT NULL,
   PRIMARY KEY (user,prefkey)
 );


Now exit mysql with the command quit.

5. Now we will configure squirrelmail to point to the databases like this:

cd /usr/share/squirrelmail/config
./conf.pl


In the menu, select Database, then select DSN for Address Book. Enter your string, mine is this:

mysql://squirreluser:sqpassword@localhost/squirrelmail

Now pick DSN for Preferences and enter the same thing again. (Remember, the format is mysql://user:password@host/database)

Restart the webserver with the command:

/etc/init.d/httpd restart

and see if it works by logging into your http://server/webmail.