![\"Postfix\"](\"http:\/\/tom.scholten.nu\/weblog\/wp-content\/uploads\/2007\/03\/postfix1.gif\" "\\"Postfix\\"")
<\/td>\n![\"OpenLDAP\"](\"http:\/\/tom.scholten.nu\/weblog\/wp-content\/uploads\/2007\/03\/ldap1.gif\" "\\"OpenLDAP\\"")
<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/p>\n
<\/p>\n
\n
This document tens to provide a description of how to set up a ‘full fledge’ mailserver using Postfix as it’s core. It will be extended using mailing list managers and webmail on the frontend side but will feature spam- and virus detection and avoidance software to handle the backend. There will also be a backend interface for mailhandling (web-based). All software used is available from the web and open source. The solution chosen will provide capabilities for multiple users and multiple domains, so you might use it for your small\/average ISP solutions. This document can be used as a HOWTO document on FreeBSD or likewise systems, but will also apply to generic Unices like Solaris or Linuces (e.g. RedHat\/Ubuntu\/Debian\/etc. There are other documents describing how to implement Postfix and LDAP, and this howto is based upon them, but is written as a ‘from-scratch’ to ‘fully-operational’ manual, as i found a great tutorial on Postfix-Mysql including a nice PHP admin frontend besides the great JAMM approach which has also a nice, but in java (server pages), admin tool. Plans for now are to deliver both a perl\/cgi interface AND a PHP interface to administrate you’re very own Postfix-LDAP mail system.<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
\n
This page describes how i installed and configured the solution on a FreeBSD 6.x system. There is no reason why this wouldn’t work on any other UN*X system, including all flavors of linux, *bsd, hpux, tru64, solaris or aix. Maybe on SCO but i don’t like either there OS nor their attitude. Ofcourse no responsibility or liability blah blah blah, to be continued<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
\n
Installed software (on FreeBSD)<\/h2>\n
Today, 05th of August 2007, I started updating this howto by building a complete new mailsystem. It should be fairly up to date and fully usable for you! Installing using the order provided might ensure you have all the packages required (due to their dependencies).<\/p>\n
- \n
- lang\/perl58 v5.8.8 (either as additional package during install or usinig ports)<\/li>\n
- mail\/p5-Mail-ClamAV and security\/p5-File-Scan-ClamAV<\/li>\n
- databases\/p5-DBD-mysql50<\/li>\n
- net\/openldap23-server v2.3.37 (check dependencies first, as v2.4 might become dependent instead of v2.3)<\/li>\n
- www\/apache22 v2.2.4_2 (WITH_LDAP_MODULES=yes)<\/li>\n
- mail\/postfix (using pcre, sasl, tls, mysql, openldap, vda and test) v2.54<\/li>\n
- lang\/php5 v5.2.3 and lang\/php5-extensions (at least enable openldap, mysql and imap)<\/li>\n
- databases\/mysql50-server v5.0.45<\/li>\n
- mail\/dovecot v1.0.2 (with LDAP and MYSQL enabled)<\/li>\n
- security\/clamav v0.91.1<\/li>\n
- mail\/mailscanner v4.61.7<\/li>\n
- net\/phpldapadmin<\/li>\n
- mail\/roundcube<\/li>\n
- Optionally you could install these packages:<\/em><\/li>\n
- procmail<\/li>\n
- phpldapadmin<\/li>\n
- phpmyadmin<\/li>\n<\/ul>\n
\nAssumptions<\/h2>\n
Assumptions made for this howto<\/p>\n
- \n
- The example domain name will be ‘example.org’<\/li>\n
- The virtual users (mail)directory store will live under \/usr\/virtual<\/li>\n
- The virtual user used is vmail (group vmail) uid\/gid are both 2001<\/li>\n
- The scanner runs as vscan\/vscan (2002\/2002)<\/li>\n<\/ul>\n
\nOpenLDAP configuration<\/h2>\n
First edit \/usr\/local\/etc\/openldap\/slapd.conf, the example below does NOT have a safe password (secret), which you should create using slappasswd from the commandline. It asks you to type you\u00e2\u20ac\u2122re password twice and then prints out the string to be used. You can use another (than SSHA, the default) algorythm, man slappasswd for more information!<\/p>\n
Also in the example below there are no acl\u00e2\u20ac\u2122s so anyone has access to you\u00e2\u20ac\u2122re information, consider RTFM on (Open)LDAP to secure you\u00e2\u20ac\u2122re LDAPtree some more.\/usr\/local\/etc\/openldap\/slapd.conf <\/em><\/p>\n
[code]<\/p>\n
#
\n# See slapd.conf(5) for details on configuration options.
\n# This file should NOT be world readable.
\n#<\/p>\npidfile \/var\/run\/openldap\/slapd.pid
\nargsfile \/var\/run\/openldap\/slapd.args<\/p>\n# Load dynamic backend modules:
\nmodulepath \/usr\/local\/libexec\/openldap\/
\nmoduleload back_bdb<\/p>\n# Sample security restrictions
\n# Require integrity protection (prevent hijacking)
\n# Require 112-bit (3DES or better) encryption for updates
\n# Require 63-bit encryption for simple bind
\n# security ssf=1 update_ssf=112 simple_bind=64<\/p>\n# Sample access control policy:
\n# Root DSE: allow anyone to read it
\n# Subschema (sub)entry DSE: allow anyone to read it
\n# Other DSEs:
\n# Allow self write access
\n# Allow authenticated users read access
\n# Allow anonymous users to authenticate
\n# Directives needed to implement policy:
\n# access to dn.base=”” by * read
\n# access to dn.base=”cn=Subschema” by * read
\n# access to *
\n# by self write
\n# by users read
\n# by anonymous auth
\n#
\n# if no access controls are present, the default policy
\n# allows anyone and everyone to read anything but restricts
\n# updates to rootdn. (e.g., “access to * by * read”)
\n#
\n# rootdn can always read and write EVERYTHING!<\/p>\n#######################################################################
\n# BDB database definitions
\n#######################################################################<\/p>\n# OpenLDAP configuration for example.org<\/p>\n
# Core schema’s delivered with OpenLDAP
\ninclude \/usr\/local\/etc\/openldap\/schema\/core.schema
\ninclude \/usr\/local\/etc\/openldap\/schema\/cosine.schema
\ninclude \/usr\/local\/etc\/openldap\/schema\/inetorgperson.schema
\ninclude \/usr\/local\/etc\/openldap\/schema\/nis.schema<\/p>\n# Mailserver schema used with postfix
\ninclude \/usr\/local\/etc\/openldap\/schema\/mailserver.schema<\/p>\n#<\/p>\n
# ldbm database definitions
\n#<\/p>\ndatabase bdb
\nsuffix “dc=example,dc=org”<\/p>\nrootdn “cn=Manager,dc=example,dc=org”
\nrootpw secret<\/p>\npidfile \/var\/run\/openldap\/slapd.pid<\/p>\n
# The database directory MUST exist prior to running slapd AND
\n# should only be accessable by the slapd\/tools. Mode 700 recommended.
\ndirectory \/var\/db\/openldap-data<\/p>\n# Indices to maintain
\nindex objectClass pres,eq
\nindex mail,cn eq,sub<\/p>\n# logging
\nloglevel 256<\/p>\naccess to attrs=userPassword
\nby self write
\nby anonymous auth
\nby peername.ip=127.0.0.1 read
\nby dn=”cn=dovecot,dc=example,dc=org” read
\nby * none<\/p>\naccess to *
\nby dn=”cn=postfix,dc=example,dc=org” read
\nby dn=”cn=courier,dc=example,dc=org” read
\nby peername.ip=127.0.0.1 read
\nby * read<\/p>\n[\/code]<\/p>\n
\nOpenLDAP scheme for mailserver<\/h2>\n
Next, create the LDAPscheme to be used for our mailserver in \/usr\/local\/etc\/openldap\/schemaDownload mailserver.schema<\/a><\/p>\n
\nReady, Aim, OpenLDAP<\/h2>\n
Now start up you\u00e2\u20ac\u2122re OpenLDAP server either by hand or set slapd_enable=\u00e2\u20ac\u009dYES\u00e2\u20ac\u009d in \/etc\/rc.conf and use \/usr\/local\/etc\/rc.d\/slapd start and verify that slapd is running.If it\u00e2\u20ac\u2122s running were ready to fill \u00e2\u20ac\u00a6<\/p>\n
\nInitial LDIF<\/h2>\n
OpenLDAP tree layout and initial ldif. You can load this to your serverusing<\/p>\n
[code] cat \/home\/user\/ldap\/initial.ldif | ldapadd -x -D “cn=Manager,dc=example,dc=org” -W<\/p>\n
[\/code]<\/p>\n
[code]<\/p>\n
# example
\ndn: dc=example, dc=org
\nobjectClass: top
\nobjectClass: organization
\nobjectClass: dcObject
\no: example
\ndc: example<\/p>\n# MAnager
\ndn: cn=Manager,dc=example,dc=org
\nobjectClass: top
\nobjectClass: organizationalRole
\ncn: Manager<\/p>\n# mail, example
\ndn: dc=mail, dc=example, dc=org
\nobjectClass: top
\nobjectClass: organizationalunit
\nobjectClass: dcObject
\nou: mail
\ndc: mail<\/p>\ndn: cn=postfix,dc=example,dc=org
\nobjectClass: top
\nobjectClass: simpleSecurityObject
\nobjectClass: organizationalRole
\nuserPassword:: secret
\ncn: postfix<\/p>\ndn: cn=dovecot,dc=example,dc=org
\nobjectClass: top
\nobjectClass: simpleSecurityObject
\nobjectClass: organizationalRole
\nuserPassword:: secret
\ncn: dovecot<\/p>\n# example.org, mail, example
\ndn: dc=example.org, dc=mail, dc=example,dc=org
\naccountActive: TRUE
\neditPostmasters: TRUE
\neditAccounts: TRUE
\nobjectClass: top
\nobjectClass: mailDomain
\ndc: example.org
\ndelete: FALSE
\nlastChange: 111
\npostfixTransport: virtual:<\/p>\n# somenudomain.nu, mail, example
\ndn: dc=somenudomain.nu, dc=mail, dc=example,dc=org
\naccountActive: TRUE
\neditPostmasters: TRUE
\neditAccounts: TRUE
\nobjectClass: top
\nobjectClass: mailDomain<\/p>\ndc: somenudomain.nu
\ndelete: FALSE
\nlastChange: 111
\npostfixTransport: virtual:<\/p>\n# someoldaccount.demon.org, mail, example
\ndn: dc=someoldaccount.demon.org, dc=mail, dc=example,dc=org
\naccountActive: TRUE
\neditPostmasters: TRUE
\neditAccounts: TRUE
\nobjectClass: top
\nobjectClass: mailDomain
\ndc: someoldaccount.demon.org
\ndelete: FALSE
\nlastChange: 111
\npostfixTransport: virtual:<\/p>\n# domain3.org, mail, example
\ndn: dc=domain3.org, dc=mail, dc=example,dc=org
\naccountActive: TRUE
\neditPostmasters: TRUE
\neditAccounts: TRUE
\nobjectClass: top
\nobjectClass: mailDomain
\ndc: domain3.org
\ndelete: FALSE
\nlastChange: 111
\npostfixTransport: virtual:<\/p>\n[\/code]<\/p>\n
Apache webserver<\/h2>\n
Add the following lines to your\/usr\/local\/etc\/apache22\/httpd.conf and make sure \u00e2\u20ac\u02dcDirectoryIndex\u00e2\u20ac\u2122 also contains index.php[code]AddType application\/x-httpd-php .phpAddType application\/x-httpd-php-source .phps[\/code]<\/p>\n
\nphpLdapAdmin<\/h2>\n
Since not all people are keen on adding\/removing\/changing users by hand using scripts there is also \u00e2\u20ac\u02dcphpldapadmin\u00e2\u20ac\u2122 in the portstree that makes things a little easier, after installing the port (assuming apache+php are up and running!!!) add the following lines to a secure (https) instance of your webserver \/usr\/local\/etc\/apache22\/extra\/httpd-ssl.conf<\/p>\n
[code]<\/p>\n
Alias \/phpldapadmin “\/usr\/local\/www\/phpldapadmin\/”<\/p>\n
AllowOverride AuthConfig<\/p>\n
Allow from all<\/p>\n
[\/code]<\/p>\n
And put a .htaccess file in \/usr\/local\/www\/phpldapadmin containing<\/p>\n
[code]<\/p>\n
AuthUserFile \/usr\/local\/etc\/apache22\/htpasswd.admin<\/p>\n
AuthName “\/admin auth”<\/p>\n
AuthType Basicrequire valid-user[\/code]<\/p>\n
Next create the htpasswd file using \u00e2\u20ac\u0153htpasswd -cm \/usr\/local\/etc\/apache22\/htpasswd.admin {username}\u00e2\u20ac\u009d and any further users leaving the -c out.Next edit the \/usr\/local\/www\/phpldapadmin\/config\/config.php and change\/add the following lines<\/p>\n
[code]$ldapservers->SetValue($i,’server’,’host’,’127.0.0.1′);<\/p>\n
$ldapservers->SetValue($i,’server’,’port’,’389′);<\/p>\n
$ldapservers->SetValue($i,’server’,’auth_type’,’config’);<\/p>\n
$ldapservers->SetValue($i,’login’,’dn’,’cn=Manager,dc=example,dc=org’);<\/p>\n
$ldapservers->SetValue($i,’login’,’pass’,’secret’);<\/p>\n
$ldapservers->SetValue($i,’server’,’tls’,false);[\/code]<\/p>\n
Restart your webserver and test if everything works The reason i use plain htpasswd authentication instead of ldap authentication (that is possible by using the example .htaccess below) is that any FU in your ldap would knock yourself out of it.Example .htaccess using ldap authentication<\/p>\n
[code]AuthName “\/auth required”<\/p>\n
AuthType BasicAuthLDAPURL ldap:\/\/localhost\/dc=employees,dc=example,dc=org?name??<\/p>\n
require valid-user[\/code]<\/p>\n
\nClamAV, virusscanner<\/h2>\n
You might want to run it by enabling clamav_clamd_enable and clamav_freshclam_enable in \/etc\/rc.conf<\/p>\n
\nDOVECOT imap server<\/h2>\n
Copy \/usr\/local\/etc\/dovecot-example to dovecot.conf and adjust the
\nfollowing lines<\/p>\n[code]
\nprotocols = imaps pop3s
\ndisable_plaintext_auth = no
\nsyslog_facility = mail
\nssl_disable = no
\nssl_cert_file = \/etc\/ssl\/certs\/mailserver.pem
\nssl_key_file = \/etc\/ssl\/certs\/mailserver.pem
\nlogin_user = dovecot
\nmail_location = maildir:\/usr\/virtual\/%d\/%n\/Maildir
\nfirst_valid_uid = 500
\nlast_valid_uid = 0
\nlast_valid_gid = 0
\nvalid_chroot_dirs = \/usr\/virtual
\npassdb ldap {
\nargs = \/usr\/local\/etc\/dovecot-ldap.conf
\n}
\nuserdb ldap {
\nargs = \/usr\/local\/etc\/dovecot-ldap.conf
\n} [\/code]
\nCopy \/usr\/local\/etc\/dovecot-ldap-example.conf to dovecot-ldap.conf and
\nadjust the following lines<\/p>\n[code]
\nhosts = localhost
\ndn=”cn=dovecot,dc=example,dc=org”
\ndnpass=”secret”
\ntls = no
\nauth_bind = no
\nldap_version = 3
\nbase = dc=mail,dc=example,dc=org
\nuser_filter =
\n(&(objectClass=MailAccount)(accountActive=TRUE)(delete=FALSE))
\nuser_attrs = mail,homeDirectory,,,,
\npass_attrs = mail=user,userPassword=password
\npass_attrs = mail,userPassword
\npass_filter = (&(objectClass=MailAccount)(mail=%u))
\ndefault_pass_scheme = CRYPT
\nuser_global_uid = 5000
\nuser_global_gid = 5000[\/code]<\/p>\nNext start dovecot using \/usr\/local\/etc\/rc.d\/dovecot start<\/p>\n
\nRoundCube Webmail<\/h2>\n
Make sure mysql is started (\/usr\/local\/etc\/rc.d\/mysql_server start) next issue<\/p>\n
mysql -uroot -p (depending on if you already secured your database)<\/p>\n
[code]> create database roundcube;<\/p>\n
> grant all on roundcube.* to roundcube@localhost identified by \u00e2\u20ac\u2122secret\u00e2\u20ac\u2122;<\/p>\n
[\/code]<\/p>\n
Issue cat \/usr\/ports\/mail\/roundcube\/work\/roundcube*\/SQL\/mysql5.initial.sql | mysql -u roundcube -psecret roundcube and add the following lines to your \/usr\/local\/etc\/apache22\/extra\/httpd-ssl.conf<\/p>\n
[code]Alias \/webmail \/usr\/local\/www\/roundcube><\/p>\n
<Directory \u00e2\u20ac\u0153\/usr\/local\/www\/roundcube\u00e2\u20ac\u009d><\/p>\n
Allow from all<\/p>\n
<\/Directory> [\/code]<\/p>\n
\nOpenLDAP scripts<\/h2>\n
Using the script provide below we can add users, according to the domain setup shown below using the following commands example\u00c2\u00b7 .\/ldapadduser.pl vivian example.org \u00e2\u20ac\u0153Secret123? mailbox | ldapadd -x -D \u00e2\u20ac\u02dccn=Manager,dc=example,dc=org\u00e2\u20ac\u2122 -w secret\u00c2\u00b7 .\/ldapadduser.pl alexander example.org \u00e2\u20ac\u0153Dog=Cr@zy\u00e2\u20ac\u009d mailbox | ldapadd -x -D \u00e2\u20ac\u02dccn=Manager,dc=example,dc=org\u00e2\u20ac\u2122 -w secret\u00c2\u00b7 .\/ldapadduser.pl roland_dg example.org \u00e2\u20ac\u0153a1zihw\u00e2\u20ac\u009d mailbox | ldapadd -x -D \u00e2\u20ac\u02dccn=Manager,dc=example,dc=org\u00e2\u20ac\u2122 -w secret\u00c2\u00b7 .\/ldapadduser.pl postmaster example.org alexander@example.org,vivian@example.org alias | ldapadd -x -D \u00e2\u20ac\u02dccn=Manager,dc=example,dc=org\u00e2\u20ac\u2122 -w secret\u00c2\u00b7 .\/ldapadduser.pl webmaster example.org john@webbuilders.com alias | ldapadd -x -D \u00e2\u20ac\u02dccn=Manager,dc=example,dc=org\u00e2\u20ac\u2122 -w secret\u00c2\u00b7 .\/ldapadduser.pl \u00e2\u20ac\u0153*\u00e2\u20ac\u009d example.org vivian@example.org alias | ldapadd -x -D \u00e2\u20ac\u02dccn=Manager,dc=example,dc=org\u00e2\u20ac\u2122 -w secretsomenudomain.nu\u00c2\u00b7 .\/ldapadduser.pl ian somenudomain.nu \u00e2\u20ac\u0153vivian\u00e2\u20ac\u009d mailbox | ldapadd -x -D \u00e2\u20ac\u02dccn=Manager,dc=example,dc=org\u00e2\u20ac\u2122 -w secret\u00c2\u00b7 .\/ldapadduser.pl postmaster somenudomain.nu alexander@example.org alias | ldapadd -x -D \u00e2\u20ac\u02dccn=Manager,dc=example,dc=org\u00e2\u20ac\u2122 -w secret\u00c2\u00b7 .\/ldapadduser.pl webmaster somenudomain.nu \u00e2\u20ac\u0153w3bs1t3? mailbox | ldapadd -x -D \u00e2\u20ac\u02dccn=Manager,dc=example,dc=org\u00e2\u20ac\u2122 -w secretsomeoldaccount.demon.org\u00c2\u00b7 .\/ldapadduser.pl \u00e2\u20ac\u0153*\u00e2\u20ac\u009d someoldaccount.demon.org @somenudomain.nu alias | ldapadd -x -D \u00e2\u20ac\u02dccn=Manager,dc=example,dc=org\u00e2\u20ac\u2122 -w secretdomain3.org\u00c2\u00b7 .\/ldapadduser.pl postmaster domain3.org alexander@example.org alias | ldapadd -x -D \u00e2\u20ac\u02dccn=Manager,dc=example,dc=org\u00e2\u20ac\u2122 -w secret\u00c2\u00b7 .\/ldapadduser.pl webmaster domain3.org alexander@example.org alias | ldapadd -x -D \u00e2\u20ac\u02dccn=Manager,dc=example,dc=org\u00e2\u20ac\u2122 -w secret<\/del>And so, we should have created a tree looking like this, with vivian@example.org receiving all \u00e2\u20ac\u02dcnon-existing-mailbox\u00e2\u20ac\u2122 mail from example.org and all mail from \u00e2\u20ac\u2122someoldaccount.demon.org\u00e2\u20ac\u2122 delivered to somenudomain.nu (so you can email ian@someoldaccount.demon.org and still reach ian, whom (ofcourse) should have procmail or so set up to warn people about his changed domain name, but that\u00e2\u20ac\u2122s outside the scope of this document). Also mind that postmaster@example.org is delivered to BOTH alexander AND vivian. The add-script just makes to \u00e2\u20ac\u02dcmaildrop\u00e2\u20ac\u2122s in the LDAP tree!<\/p>\n
\nMailScanner<\/h2>\n
First of all, copy all .sample files to their respective realnames (and make changes if you like) in \/usr\/local\/etc\/MailScanner and subdirectories. Do the same for \/usr\/local\/share\/MailScanner\/reports\/en\/ (or other languages). To enable \u00e2\u20ac\u02dcautofinding\u00e2\u20ac\u2122 clamav, also issue acp \/usr\/local\/libexec\/MailScanner\/clamav-wrapper.sample \/usr\/local\/libexec\/MailScanner\/clamav-wrapper<\/p>\n
I recommend using clamavmodule however, this will save you overhead and time of seperate clamav processes on your precious system!<\/p>\n
Adjust \/usr\/local\/etc\/MailScanner\/MailScanner.conf with at least the following lines.<\/p>\n
[code]<\/p>\n
%org-name% = YourOrg
\n%org-long-name% = Your Full Organisation Name
\n%web-site% = www.example.org
\nRun As User = postfix
\nRun As Group = postfix
\nIncoming Queue Dir = \/var\/spool\/postfix\/hold
\nOutgoing Queue Dir = \/var\/spool\/postfix\/incoming
\nMTA = postfix
\nQuarantine User = postfix
\nQuarantine Group = www
\nDeliver Disinfected Files = yes
\nQuarantine Whole Message = yes
\nInformation Header Value = See you’re providers webpage or
\nwww.mailscanner.info for more information
\nNotify Senders = no
\nRequired SpamAssassin Score = 3
\nHigh SpamAssassin Score = 5
\nDepending on your choice you might change :
\n#High Scoring Spam Actions = deliver header “X-Spam-Status: Yes”
\nHigh Scoring Spam Actions = store<\/p>\nMonitors for ClamAV Updates = \/var\/db\/clamav\/*.inc\/* \/var\/db\/clamav\/*.cvd<\/p>\n
[\/code]<\/p>\n
\nMailWatch (MailScanner front-end)<\/h2>\n
Download the package from http:\/\/mailwatch.sf.net<\/a> and untar in \/tmp and change to the directory.<\/p>\n
[code]$ mysql -uroot -p < create.sql[\/code]<\/p>\n
[code]$ mysql -uroot -p [\/code]<\/p>\n
[mysql]mysql> GRANT ALL ON mailscanner.* TO mailwatch@localhost IDENTIFIED BY ‘secret’;<\/p>\n
mysql> GRANT FILE ON *.* TO mailwatch@localhost IDENTIFIED BY ‘secret’;<\/p>\n
mysql> FLUSH PRIVILEGES;<\/p>\n
mysql > use mailscanner;<\/p>\n
mysql > INSERT INTO users (username, password, fullname, type) VALUES (‘<username’>,md5(‘<password>’),'<name>’,’A’);[\/mysql]<\/p>\n
Edit the MailWatch.pm file and change the database configuration<\/p>\n
[code]my($db_user) = ‘mailwatch’;<\/p>\n
my($db_pass) = ‘secret’;[\/code]<\/p>\n
Next copy this file to the MailScanner directories : cp MailWatch.pm \/usr\/local\/lib\/MailScanner\/MailScanner\/CustomFunctions\/Move the mailscanner directory to your webroot and “chown www:www” it (i.e. \/usr\/local\/www\/mailscanner) and add the following lines to your apache configuration<\/p>\n
[code]Alias \/mailscanner \/usr\/local\/www\/mailscanner<\/p>\n
Directory \u00e2\u20ac\u0153\/usr\/local\/www\/mailscanner\u00e2\u20ac\u009d<\/p>\n
Allow from all<\/p>\n
\/Directory<[\/code]<\/p>\n
Next restart your mailscanner (\/usr\/local\/etc\/rc.d\/mailscanner restart) and watch the \/var\/log\/maillog closely. If no obvious errors or warnings occur try to send yourself an email. If it all works (email received) just go ahead and browse to MailWatch to see some stats!<\/p>\n
\nConfigure postfix<\/h2>\n
Changes to postfix\u00e2\u20ac\u2122 main.cf, also change other settings to customize you\u00e2\u20ac\u2122re requirements. Setting \u00e2\u20ac\u2122soft_bounce=yes\u00e2\u20ac\u2122 for testing purposes while starting out using you\u00e2\u20ac\u2122re new mailserver would be a wise decision!We also need to change some things regarding to sending Postfix\u00e2\u20ac\u2122 incoming mail through MailScanner first in main.cf
\n[code]<\/p>\nhash_queue_depth = 1
\nhash_queue_names = incoming,hold,deferred,defer
\ninet_protocols = all
\nheader_checks = regexp:\/usr\/local\/etc\/postfix\/header_checks
\nAnd add the following line to \/usr\/local\/etc\/postfix\/header_checks
\n\/^Received:\/ HOLD
\nFurther, change your main.cf to contain the following ldap-related stuff.
\nqueue_directory = \/var\/spool\/postfix
\ncommand_directory = \/usr\/local\/sbin
\ndaemon_directory = \/usr\/local\/libexec\/postfix
\nmail_owner = postfix
\nmyhostname = mail.example.org
\nmydomain = example.org
\nmyorigin = $mydomain
\nlocal_recipient_maps =
\nunknown_local_recipient_reject_code = 550<\/p>\ndebug_peer_level = 2
\ndebugger_command =
\nPATH=\/bin:\/usr\/bin:\/usr\/local\/bin:\/usr\/X11R6\/bin
\nxxgdb $daemon_directory\/$process_name $process_id & sleep 5
\nsendmail_path = \/usr\/local\/sbin\/sendmail
\nnewaliases_path = \/usr\/local\/bin\/newaliases
\nmailq_path = \/usr\/local\/bin\/mailq
\nsetgid_group = maildrop
\nhtml_directory = no
\nmanpage_directory = \/usr\/local\/man
\nsample_directory = \/usr\/local\/etc\/postfix
\nreadme_directory = no
\ndomains_server_host = 127.0.0.1
\ndomains_search_base = dc=mail,dc=example,dc=org
\ndomains_query_filter =
\n(&(dc=%s)(objectClass=mailDomain)(accountActive=TRUE)(delete=FALSE))
\ndomains_result_attribute = postfixTransport
\ndomains_bind = no
\ndomains_scope = one
\naliases_server_host = 127.0.0.1
\naliases_search_base = dc=mail,dc=example,dc=org
\naliases_query_filter =
\n(&(objectClass=mailAlias)(mail=%s)(accountActive=TRUE))
\naliases_result_attribute = maildrop
\naliases_bind = no
\naliasalternates_server_host = 127.0.0.1
\naliasalternates_search_base = dc=mail,dc=example,dc=org
\naliasalternates_query_filter =
\n(&(objectClass=mailAlias)(mailalternateaddress=%s)(accountActive=TRUE))
\naliasalternates_result_attribute = maildrop
\naliasalternates_bind = no
\naccounts_server_host = 127.0.0.1
\naccounts_search_base = dc=mail,dc=example,dc=org
\naccounts_query_filter =
\n(&(objectClass=mailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
\naccounts_result_attribute = mailbox
\naccounts_bind = no<\/p>\naccountsmap_server_host = 127.0.0.1
\naccountsmap_search_base = dc=mail,dc=example,dc=org
\naccountsmap_query_filter =
\n(&(objectClass=mailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
\naccountsmap_result_attribute = mail
\naccountsmap_bind = no
\naccountalternates_server_host = 127.0.0.1
\naccountalternates_search_base = dc=mail,dc=example,dc=org
\naccountalternates_query_filter =
\n(&(objectClass=mailAccount)(mailalternateaddress=%s)(accountActive=TRUE)(del
\nete=FALSE))
\naccountalternates_result_attribute = mail
\naccountalternates_bind = no
\ntransport_maps = ldap:domains
\nmasquerade_domains = ldap:domains
\nvirtual_maps = ldap:accountsmap, ldap:aliases, ldap:accountalternates,
\nldap:aliasalternates
\nvirtual_transport = local
\nvirtual_mailbox_base = \/usr\/virtual
\nvirtual_mailbox_maps = ldap:accounts
\nvirtual_mailbox_domains = ldap:domains
\nvirtual_minimum_uid = 5000
\nvirtual_uid_maps = static:5000
\nvirtual_gid_maps = static:5000
\nlocal_alias_maps = hash:\/etc\/mail\/aliases
\nlocal_transport = local
\nmailbox_command = \/usr\/local\/bin\/procmail
\nmydestination = localhost.example.org, localhost
\nrelay_domains = localhost
\nmynetworks = localhost, mail.example.org<\/p>\nowner_request_special = no
\nrecipient_delimiter = +
\nunknown_local_recipient_reject_code = 550
\nsmtpd_client_restrictions = check_client_access
\nhash:\/usr\/local\/etc\/postfix\/access, permit
\nsmtpd_sender_restrictions = hash:\/usr\/local\/etc\/postfix\/access
\nheader_checks = regexp:\/usr\/local\/etc\/postfix\/header_checks<\/p>\nhash_queue_depth = 1
\nhash_queue_names = incoming,hold,deferred,defer<\/p>\ninet_protocols = all
\ndebug_peer_level = 9<\/p>\n[\/code]<\/p>\n
And finally some code to protect your drive from flooding<\/p>\n
[code] # A maximum limit of a mailbox
\nvirtual_mailbox_limit = 1000000<\/p>\n# Limits only INBOX part (usefull when
\n# using when you have IMAP users)
\nvirtual_mailbox_limit_inbox = yes [\/code]<\/p>\nYou may want to add a few dnsbl statements to limit the amount of unwanted
\nmail in your main.cf using<\/p>\n[code]smtpd_recipient_restrictions =
\npermit_mynetworks,
\nreject_unauth_destination,
\nreject_unknown_recipient_domain,
\nreject_invalid_hostname,
\nreject_non_fqdn_hostname,
\nreject_non_fqdn_sender,
\nreject_non_fqdn_recipient,
\nreject_unknown_sender_domain,
\nreject_rbl_client list.dsbl.org,
\nreject_rbl_client sbl.spamhaus.org,
\nreject_rbl_client cbl.abuseat.org,
\nreject_rbl_client dul.dnsbl.sorbs.net,
\npermit<\/p>\n[\/code]<\/p>\n
Starting you\u00e2\u20ac\u2122re mailserver<\/h2>\n
Next again edit \/etc\/rc.conf to disable sendmail and enable postfix Insert<\/p>\n
- \n
- sendmail_enable=\u00e2\u20ac\u009dNONE\u00e2\u20ac\u009d<\/li>\n<\/ul>\n
Comment out\/remove<\/p>\n
- \n
- sendmail_enable=\u00e2\u20ac\u009dYES\u00e2\u20ac\u009d<\/li>\n
- sendmail_flags=\u00e2\u20ac\u009d-bd\u00e2\u20ac\u009d<\/li>\n
- sendmail_pidfile=\u00e2\u20ac\u009d\/var\/spool\/postfix\/pid\/master.pid\u00e2\u20ac\u009d<\/li>\n
- sendmail_outbound_enable=\u00e2\u20ac\u009dNO\u00e2\u20ac\u009d<\/li>\n
- sendmail_submit_enable=\u00e2\u20ac\u009dNO\u00e2\u20ac\u009d<\/li>\n
- sendmail_msp_queue_enable=\u00e2\u20ac\u009dNO\u00e2\u20ac\u009dNow would be a great time to start postfix, but before you do touch \/var\/log\/maillog and open a second terminal, screen or whatever and do a tail -f \/var\/log\/maillog there (as well as maybe a tail on \/var\/log\/messages) to see what\u00e2\u20ac\u2122s going on.First start mailscanner (\/usr\/local\/etc\/rc.d\/mailscanner start) but remember to add mailscanner_enable=\u00e2\u20ac\u009dYES\u00e2\u20ac\u009d to your \/etc\/rc.conf watch your logging for a while before proceeding with the next step.Now you\u00e2\u20ac\u2122re ready to start postfix simply by typing postfix start
\n
\nVerify mail sending and receiving<\/h2>\n
Verify that you can send mail by sending yourself mail. If using an address@example.org which is an alias (pointing outside one of the domains for wich your new postfix server receives mail) please check you\u00e2\u20ac\u2122re headers and confirm their ok. If receiving on a mailbox address (at your new postfix server), look in \/usr\/virtual and confirm you have a new directory named example.org (depending on the recipient). Below that directory your mailbox name (as a directory) should emerge, containing various maildir files. Besides checking that your mail was received also check the headers!Note that users of a mailbox should have received at least one email to have their directory (and maildir files) in place When you create a new mailbox (not alias), you should send the new user a \u00e2\u20ac\u02dcwelcome\u00e2\u20ac\u2122 mail of some kind to let postfix create their \u00e2\u20ac\u02dchomedirectory\u00e2\u20ac\u2122 in \/usr\/virtual. When omitted the user will receive an error when checking mail (either via imap\/pop or when using webmail)<\/p>\n
\nDocuments and resources used<\/h2>\n
Besides RTFM on various packages used to install a number of special resources will be named below the packages linklist; (in no particular order)<\/li>\n
- Postfix, MTA used<\/li>\n
- Spam tagging software<\/li>\n
- LDAP software<\/li>\n
- Webmail software<\/li>\n
- Mailinglist software (when done, you could add mailinglists, not captured in this document)<\/li>\n
- ClamAV Antivirus software<\/li>\n
- Short for [A] [MA]il [VI]rus [S]canner<\/li>\n
- Apache webserver for webmail and admin (php) interface<\/li>\n
- The admin interface was build using phpMost usefull to produce this document was :http:\/\/janus.errornet.de\/ with his pdf and schema ((mirrored here) pdf and schema)
\n
\nOthers resources used<\/h2>\n
- \n
- http:\/\/jamm.sourceforge.net everything else seems to be based upon this<\/li>\n
- http:\/\/www.vriesman.tk detailed enough for me<\/li>\n<\/ul>\n
\nTom Scholten<\/a> is consultant with Snow B.V.<\/a>, a Dutch Technical Consultancy Company supplying specialists in the fields of Storage, Networking and Unix<\/p>\n
- sendmail_enable=\u00e2\u20ac\u009dNONE\u00e2\u20ac\u009d<\/li>\n<\/ul>\n
![\"Snow](\"http:\/\/tom.scholten.nu\/weblog\/wp-content\/uploads\/2007\/03\/snow-logo1.jpg\" "\\"Snow"){kind=logo}
<\/a><\/td>\n![\"FreeBSD\"](\"http:\/\/tom.scholten.nu\/weblog\/wp-content\/uploads\/2007\/03\/fbsd-full1.png\" "\\"FreeBSD\\"")
<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"