Configuring a mail server with Postfix-Procmail-Fetchmail-SpamAssassin-ClamAV-Courier IMAP

After struggling for days to get my mail server working as I wished I put this piece together both as an 'aide memoire' to myself, and the possible help of others.

This configuration is quite comprehensive. Many stages can be left out if you only require a simple mailserver setup.

Configuring a Postfix mail server.

Mail is received both directly via SMTP , and from ISPs mail servers using fetchmail.

On receipt mail is checked for Windows viruses using ClamAV, and then checked for Spam using Spamassassin and will be placed in a Qmail style Mail directory.

A Maildir (Qmail-style) mailbox uses one file for each mail message, which is moved between three different folders. By comparison a standard Unix mail file is one long file with new mails appended to the end. Maildirs are used in this application because the Courier-IMAP application requires them. In turn Courier-IMAP is used in preference to another IMAP/POP3 server because of its ability to disassociate mail boxes from system logins for greater security.

Clients will access their mail in two ways

Software Used

Make sure that the 'mailman' package is not installed. If when installing Mandriva you select the 'Mail' tick box during package selection, the installer will install mailman as well as Postfix. Mailman alters the config files of Postfix, and Postfix will not work so long as mailman is unconfigured. It is much easier to simply not install mailman.

Fetchmail Configuration

Mail comes from a variety of sources, some of which are ISPs that provide access via the POP3 protocol. Fetchmail is used to read mail from the ISP mailbox and pass it over to a local MTA (Mail Transfer Agent, Postfix) which in turn will pass it to a Mail Delivery Agent (Procmail) for final delivery.

Fetchmail may be used either in single user mode, or in system wide mode. In this case I am using fetchmail in system mode to collect mail for all users.

The fetchmail-daemon RPM allows fetchmail to be started as a system service which is configured by the file /etc/rc.d/init.d/fetchmail

This file will by default cause fetchmail to poll the ISPs POP3 servers every 180 seconds.

The configuration of fetchmail is controlled by the file /etc/fetchmailrc which is easily configured with an editor.

My /etc/fetchmailrc now looks like this :-


set postmaster derek
set bouncemail
set no spambounce
set properties
poll pop.ispsrus.com with proto POP3
	user 'username' there with password 'obscured' is 'derek' here options fetchall antispam 501
poll email.isp.net with proto POP3 interval 2
	user 'myuser' there with password 'obscured' is 'derek' here options fetchall antispam 501
poll pop.anisp.com with proto POP3 interval 10
	user 'anotheruser' there with password 'obscured' is 'rosie' here options fetchall antispam 501

Note: The 'antispam 501' option tells fetchmail that if Postfix refuses to accept the mail with an error 501, that it is OK to discard the mail as spam and not leave it on the POP3 server. I had to put this in because some Spam mails had illegal headers which Postfix refused to accept.
Note: The 'interval N' option tells fetchmail to only poll that server once every 'N' poll cycles. So for example N=2 will cause the server to be polled every 6 minutes.

By default fetchmail will pass each mail as it is received to port 25 on the local host, or if there is nothing listening on port 25, the mails will be passed to procmail. So there is no point testing fetchmail until Postfix is installed and listening on Port 25.

Postfix Configuration

Postfix is used as the mail server in preference to the most popular mail server on the internet, Sendmail, because of its much simpler configuration and its reputation for security. It is also the mail server of choice of MandrivaSoft, and I figured they probably know better than I do. There are many other mail server applications which could be used in place of Postfix, such as Qmail, Courier, and Exim.

Postfix may be configured either by editing text files, or by a Webmin module. If you have never used webmin, then simply install the webmin module, and in Mandriva ControlCentre>System>Services start the webmin service and then point your browser at

https://localhost:10000

Note: https NOT http

You will then be able to manage many applications including Postfix with a web based GUI. In this guide however I am going to describe configuring by editing the configuration files directly since you will get a much better understanding of what is going on.

Configuring /etc/postfix/main.cf

In this application very few parameters needed changing from the system defaults.

Here are my changes to the /etc/postfix/main.cf file


command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
myhostname = mail.mymailaddy.net
mydestination = $myhostname, localhost.$mydomain, $mydomain
mynetworks = 192.168.1.0/24, 127.0.0.0/8
home_mailbox = Maildir/
mail_spool_directory = /var/spool/mail
alias_maps = hash:/etc/postfix/aliases
mailbox_command = /usr/bin/procmail -Y -a $DOMAIN
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
manpage_directory = /usr/share/man
debug_peer_level = 1
debugger_command = PATH=/usr/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
delay_warning_time = 4
relayhost = smtp.myisp.com


The trailing '/' in the home_mailbox line is very important. It defines Qmail type Mailboxes instead of the default Unix type. This is important because I shall be using the courier-imap IMAP server which requires Qmail format.

I am on an ADSL service from my ISP which does not guarantee I will always have the same IP address. Normally I would not be able to run a mailserver on such a service because people sending me mails need to translate between a domain name and an IP address. I get around this problem by using a Dynamic DNS Service.

Dyndns.org provides a free DNS service. You can choose your own Fully Qualified Domain Name, and whenever anyone tries to send you a mail their mail server will be directed to your IP address. The Dynamic DNS service is informed any time your IP address changes by a little daemon called ddclient, available as an rpm package on any Mandriva contrib mirror. Ddclient runs as a service under Mandriva. Just edit the ddclient file in /etc to define your dyndns.org login and your hostname.

The relayhost line is needed because I am on a cable modem and when I send mails some recipients will perform a reverse DNS lookup to check if the IP address matches the hostname in the header. Since I use Dynamic DNS the reverse DNS will return my ISPs host name and my mails will be rejected. Forwarding mails via my ISPs SMTP server gets around this issue.

In order to have the mail for 'root' forwarded to a user, an entry is added to the /etc/postfix/aliases file. Be aware that Postfix will continuously put error messages in the log until a root alias has been defined.

#Person who should get root's mail
root:derek

As well as defining a root alias we shall also define two other aliases called 'ham' and 'spam'. Their use will become clear when we discuss Procmail and Spamassassin.

#Account to receive redirected spam and ham mails
spam: root
ham: root

Now create the aliases database by typing in a root terminal :-

newaliases
postfix reload

Virtual Addressing

In my application I am receiving emails for two different domains, my normal domain, and a domain I host for some friends. I therefore need to activate a virtual domain in Postfix. This is done by adding a line to /etc/postfix/main.cf

virtual_maps = hash:/etc/postfix/virtual

The file /etc/postfix/virtual is then edited to include the lines

friendsdomain.homeip.net	friendsdomain.homeip.net
postmaster@friendsdomain.homeip.net	postmaster
sue@friendsdomain.homeip.net	sue
grant@friendsdomain.homeip.net	grant

The lookup table must then be built by executing the command

postmap /etc/postfix/virtual

and then the virtual users must be created as users on the Linux system. Since these users do not require log on access to the Linux computer, they can be created without a /home directory

adduser -c Grant -M -p xxxxxx grant

Then restart Postfix and you should be able to receive mails addressed to the virtual domain.

Procmail Configuration

The mailbox_command parameter in the postfix configuration causes procmail to run as the final delivery agent, and to use ~/.procmailrc as its configuration file.

Procmail is organised as a sequence of 'recipes'. Each recipe starts with a test, followed by an action if the test is met.

In my example the first recipe tests the 'To: ' header of each mail. If the mail is 'To: spam@foobar' then this is a spam mail which had previously made it to my inbox, and which I had redirected in order that spamassassin could 'learn' its characteristics and become better at detecting spam.

The second recipe is similar, but this time it is non-spam mail which had been falsely recognised as spam. (Note : I have never actually had spamassassin falsely detect a non spam mail as spam) In both cases 'sa-learn' is invoked to train spamassassin.

Note : Training spamassassin with sa-learn will improve its effectiveness, but even without these recipes Spamassassin is very effective.

The third recipe calls trashscan which will run the mail through the ClamAV anti-virus engine. Infected mails will go into the 'virus' mail folder, and emails will be sent to alert the recipient, and the mail administrator.

Note : Virus protection is only required if your mail server is going to have clients using Windows. Effectively there are no Linux viruses so you will not need ClamAV if all your clients are Linux users.

The next recipes detect if the mail has come from a newsgroup to which I am subscribed, and will place the mail in a folder for that group.

The last recipe runs Spamassassin and depending on the result will put spam mails into a junkmail folder. Any mail which does not meet any of the procmail recipes will go into the default folder.


[root@jennings root]# more /home/derek/.procmailrc

SHELL=/bin/sh
PATH="$HOME/bin:/usr/bin:/usr/local/bin:/usr/include:/usr/local/sbin:/bin:/sbin:/usr/sbin"
LOCKFILE=$HOME/lockfile.lock
ASSASSINLOCK=$HOME/assassin.lock
DEFAULT=$HOME/Maildir/
JUNKMAIL=$HOME/Maildir/.junkmail/
TRASH=$HOME/Maildir/.Trash
NEWBIE=$HOME/Maildir/.LinuxNewbie/
EXPERT=$HOME/Maildir/.LinuxExpert/
VIRUS=$HOME/Maildir/.virus/
BITBUCKET=/dev/null
LOCKTIMEOUT=10
#LOGFILE=/tmp/procmail_log
#LOGABSTRACT=no
#VERBOSE=no


# Feed redirected spam to sa-learn
# If a spam does make it past spamassassin I redirect it to spam@mymailaddy
#It will then be added to the spam database

:0
* ^To:.*spam@foobar
* < 256000
{
:0c: spamassassin.spamlock
| sa-learn --spam

:0
$JUNKMAIL
}

# Feed redirected ham to sa-learn
#If spamassassin falsely declares a non spam mail as spam
#I can forward it to ham@mymailaddy
#so it can be removed from the spam database.
#NOTE: THIS HAS NEVER HAPPENED YET!!

:0
* ^To:.*ham@foobar
* < 256000
{
:0c: spamassassin.hamlock
| sa-learn --ham

:0
$TRASH
}

#Run TrashScan
:0
* multipart
* !^X-Virus-Scan:
| /usr/local/bin/trashscan

#Filter tagged virus mails
:0
* ^X-Virus-Scan: Suspicious
$VIRUS



#Filter out Mails from Newgroups
#There is no need to test these for spam

:0 :
* ^Sender: newbie-owner
$NEWBIE

:0 :
* ^Sender: expert-owner
$EXPERT


#Junk mail from unwanted sources
:0
* ^From: Sms Message
$BITBUCKET


#Run SpamAssassin daemon mode
#spamc is the daemon for spamassassin
#spam mails will come back marked with a spam header
:0 fw : $ASSASSINLOCK
| spamc


:0
* ^X-Spam-Flag: YES
$JUNKMAIL


# Catches everything else.
#Anything left over goes into the DEFAULT folder



SpamAssassin Configuration

SpamAssassin needs little setup other than to install the RPM, and then start the spamd service in Mandriva Control Centre>System>Services.

Spamassassin runs many tests on each mail. Some of them are textual (looking for spammish words like viagra), others test the mail headers (checking for header spoofing), while others look for other spammer behaviour (such as BIG FONTS).

One of the most effective tests is Bayesian analysis.

Bayesian analysis works by comparing the words in a mail with words that appear in known spam and known non-spam, then calculating the probability of the mail being spam. In order for Bayesian analysis to work it must have a database of known spam and non-spam (ham) to work on. Spamassassin will not use Bayes until it has a database of 200 spam mails and 200 non-spam mails. Each time a mail has a score above 12 points, Spamassassin will add it to its spam database, and it will add a mail to its ham database if the score is below 0.1 points (I set this to 1.0 in my network).

If you have folders of spam or ham mails you can use them to initialise the Bayes database using the utility 'sa-learn'. See 'man sa-learn' for details.

Whenever a spam mail gets past spamassassin and makes it through to my inbox, I redirect it back to my mailserver addressed to spam@foobar where it goes back to my procmail recipes where it is recognised, and the mail is passed through sa-learn to improve spamassassin. (Replace foobar with the address of your mail server)

When spamassassin is first run it will create a file ~/.spamassassin/user_prefs which may be modified to suit your taste.

By default spamassassin misses out some tests which are free for personal use, but require a subscription from third parties for commercial use. Since those tests are very useful it is worth adding them.

You can also change the score threshold for detecting spam, and add addresses to the whitelist if they keep getting detected as false positives.

There is also a global configuration file at /etc/mail/spamassassin/local.cf which will set the defaults for all users.
Here is mine :-


# This is the right place to customize your installation of SpamAssassin.
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###########################################################################
#
#rewrite_subject 0
#report_safe 1
auto_whitelist_path        /var/spool/spamassassin/auto-whitelist
auto_whitelist_file_mode   0666
use_bayes 1
bayes_auto_learn 1
use_razor2 1

# How many hits before a mail is considered spam.
required_hits		6

# score SYMBOLIC_TEST_NAME n.nn
score RCVD_IN_BL_SPAMCOP_NET    4


The autowhitelist is a feature that will recognise if people have sent you spam or non-spam (ham) mails in the past and weight their scores accordingly. So it is unlikely spamassassin will reject mails from your regular correspondents.

Here is my /home/derek/.spamassassin/user_prefs file which will override the global file :-


dns_available yes

# Bayes filtering requires at least 200 entries of spam and 200 of ham
# before it starts working
use_bayes 1
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 1
skip_rbl_checks 0
# If Vipul's razor is installed it can be used to check
# if a mail has been reported as spam
use_razor2 1
# pyzor is another database of reported spams
use_pyzor 0
# My spamassassin crashes if I enable dcc checking
use_dcc 0
dcc_timeout 5
#dcc_add_header 1



# How many hits before a mail is considered spam.
required_hits		5

# Whitelist and blacklist addresses are now file-glob-style patterns, so
# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.
# whitelist_from	someone@somewhere.com
whitelist_from	*.mandrakeclub.com

blacklist_from *@recessionspecials.com
blacklist_from *@amazingwebspecials.com


# Add your own customised scores for some tests below.  The default scores are
# read from the installed spamassassin rules files, but you can override them
# here.  To see the list of tests and their default scores, go to
# http://spamassassin.org/tests.html .
#
# score SYMBOLIC_TEST_NAME n.nn
# I change these because when Bayes is enabled other scores are
#too low in my opinion
score MISSING_OUTLOOK_NAME 0.100 0.576 0.1 0.1
score HTML_60_70 0.527 0.100 0.200 0.200
score HTML_SHOUTING3 0.108 0.333 0.1 0.1
score HTML_TAG_EXISTS_TBODY 0.496 0.201 0.439 0.200
score MISSING_MIMEOLE 0.501 0.501 0.241 0.200
score IN_REP_TO 0 0 0 0
score REFERENCES 0 0 0 0
score BAYES_60 0 0 2.502 2.502
score BAYES_70 0 0 3.637 3.637
score BAYES_80 0 0 4.1 4.1
score BAYES_90 0 0 4.2 4.2
score BAYES_99 0 0 4.300 4.3



It is possible to extend spamassassin to do additional tests. I like to check a variety of DNSBL locations so I can check, for example, if a mail has come from China. I know no one in China, so to receive a mail from there is very suspicious. To enable DNSBL checking create a file /etc/mail/spamassassin/dnsbl.cf containing the text here

(Thanks to Bryan Phinney for providing this list)

It is possible to add many more customised rule sets. A visit to SpamAssassin Rules Emporium can provide you with many custom rule sets, and a utility called "RulesDuJour" to automatically update them.

Clam Anti Virus Configuration

Once Clamav has been installed run 'freshclam' from a root terminal to bring the virus database up to date.

The clamav RPM package will also have put a cron job in /etc/cron.daily to update the virus database every day. Unfortunately, the way this job is written, you will get a warning email from cron even if the update completes successfully.

Therefore I have altered /etc/cron.daily/freshclam like this :-

#!/bin/sh

# A simple update script for the clamav virus database. This could as well
# be replaced by a SysV script.

# Create the log file if it does not exist yet
LOG_FILE="/var/log/clamav/freshclam.log"
if [ ! -f "${LOG_FILE}" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clamav.clamav "$LOG_FILE"
fi

/usr/bin/freshclam \
    --quiet \
    --datadir=/var/lib/clamav \
    --log="$LOG_FILE" \
    --log-verbose \
    --daemon-notify=/etc/clamav.conf

# freshclam returns 1 when the database was already up to date. That is not
# an error, so report success to cron and stay silent; any other non-zero
# status is passed on so that cron still mails a real failure.
# (The test must be written as [ "$es" = "1" ]; a single word like
# [ $es="1" ] is always true and would hide every failure.)
es=$?
if [ "$es" = "1" ]; then
    exit 0
else
    exit "$es"
fi

It should be remembered that cron will not run jobs which were missed because the computer was switched off, and since cron.daily runs at 4am each morning the jobs will never be run if you switch the computer off at night. To avoid this issue install the 'anacron' package which will run missed jobs when the computer is powered on.

A simple shell script called trashscan is used to pass mails through the ClamAV scanner. Trashscan used to be included in the ClamAV package, but is no longer provided. You can download the latest version from Here (currently 0.12). Unpack the compressed folder, put the trashscan file into /usr/local/bin/trashscan, edit the variables to suit your environment and make the file executable. Here are the changes I made to trashscan :-


SCANDIR=/tmp
VSCANNER=clamav
VSCANPRG=/usr/bin/clamscan
VSCANSUSP=virus
ALERT=yes
ALERTRCVR=postmaster@foobar          # Receiver of virus alert messages
ALERTSNDR=postmaster@foobar          # Sender of virus alert messages
ALERTCTCT=postmaster@foobar
NOTIFY=no
#(${CAT} ${TASKDIR}/head.rep; ${CAT} ${TASKDIR}/body.rep) | ${SENDMAIL} -t -oi	# Comment this line out to suppress notification to sender
# they are all spoofed anyway, so there is no point

Replace 'foobar' with the name of your mail domain.

Installing metamail is required for trashscan, and installing unrar, lha, and unarj will enable trashscan to find viruses in compressed archives.

In operation Procmail will pass all mails through trashscan which will run clamscan on them. A header is placed in the mail indicating whether it is suspicious or not, and the next procmail recipe will put infected mails into a virus mail folder. A warning email will be sent to the mail recipient, and to the mail administrator. Being a Bash script trashscan is not suitable for use on high volume mail servers. I am using it because I was having trouble with clamdmail which I was previously using.

Maildir Configuration

Our remote users will be serviced by Courier-Imap which only supports Maildir type mailboxes, so our local users are also going to use Maildir format for consistency. (This also allows local users to retrieve their mail when travelling).

A Maildir mailbox consists of a directory in the users $HOME with a default name of Maildir. Inside this directory are three other directories with the names cur, new, and tmp

Subfolders may also be placed in the Maildir directory. Their names should be prefixed with a '.' to denote them as a subdirectory. The remote clients will be using Sylpheed which requires specific names for certain folders. The easiest way to define mail folders is using the maildirmake command which is part of the courier-base package. In the user's home directory enter these commands (as the user, not root) :-

maildirmake Maildir
maildirmake -f Sent Maildir
maildirmake -f Queue Maildir
maildirmake -f junkmail Maildir
maildirmake -f virus Maildir
maildirmake -f Drafts Maildir
maildirmake -f Trash Maildir

Your Maildir will then have this structure


Now we can test this out using Kmail to receive mails directly from the Maildir folder. When first starting Kmail it will default to Unix style mailboxes (flat files). To make Kmail use Maildir folders :-

Settings>Configure KMail>Folders
Select "By default mail folders are :- directories (maildir format)"
Next you must define an account to receive mails on
Settings>Configure KMail>Network>Receiving>Add
Select 'Maildir mailbox'>OK
Pick a name for the account, select 'location' = ~/Maildir
Enable interval mail checking.

Next we will define a sending account
Settings>Configure KMail>Network>Sending>Add
Select SMTP account>OK
Name = pick a name
Host = Your_host_name.your_domain_name > Port = 25 > OK

When you restart Kmail it should find the Maildir folder which will be listed in addition to the normal Kmail folders.

Note: We are not yet using IMAP to access the mails. IMAP is actually more flexible than accessing the maildirs directly with Kmail, so I recommend that IMAP should be used even when the mail server is local.

Testing Local delivery

If all is correct (and I have written this guide correctly) you will now be able to test mails which originate from your local computer back to yourself.

Using kmail send a mail to your local mail address (make sure you use the smtp account we just set up)
your_user@localhost

The mail will be delivered from Kmail to Postfix, which will recognise this as a local user and pass the mail to procmail, then to spamassassin, then to /home/your_user/Maildir/new where it will be found by Kmail after a short wait, which will then put it into ~/home/Mail/inbox/cur

If your mail does not arrive, trace it back through the system to see where it is stuck. Do not forget to look in /var/log/mail/errors, /var/log/mail/info, and the procmail log if enabled.
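A small script to drive this test, added here and not part of the original page: it hands a tagged message to Postfix's sendmail, waits for the tag to turn up in the Maildir, and reports whether SpamAssassin's X-Spam-Status header was added on the way. The sendmail path, the 60-second timeout and the probe wording are my assumptions; run it as the recipient user.

```shell
#!/bin/sh
# Added example (not from the original page). Send a tagged test mail through
# the local MTA and confirm it lands in the Maildir with a SpamAssassin header.
# Assumptions: sendmail is Postfix's /usr/sbin/sendmail and the Maildir layout
# is the one used above (new/ and cur/ under the Maildir root).

# find_token MAILDIR TOKEN : print the first message in new/ or cur/ containing TOKEN
find_token() {
    grep -l -r -F -- "$2" "$1/new" "$1/cur" 2>/dev/null | head -n 1
}

# wait_for_token MAILDIR TOKEN SECONDS : poll once a second until the message
# arrives (print its path, return 0) or the timeout expires (return 1)
wait_for_token() {
    n=0
    while [ "$n" -lt "$3" ]; do
        f=$(find_token "$1" "$2")
        if [ -n "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
        sleep 1
        n=$((n + 1))
    done
    return 1
}

# spam_checked FILE : true if the message carries a SpamAssassin status header,
# which shows procmail really passed it through spamc
spam_checked() {
    grep -q -i '^X-Spam-Status:' "$1"
}

# send_test_mail TO TOKEN : hand a minimal message to the local MTA
send_test_mail() {
    printf 'To: %s\nSubject: maildir test %s\n\nprobe %s\n' "$1" "$2" "$2" \
        | /usr/sbin/sendmail -t -oi
}

# Usage: ./testmail.sh your_user@localhost ~/Maildir
if [ "$#" -eq 2 ]; then
    token="probe-$$-$(date +%s)"     # unique per run so old mails never match
    send_test_mail "$1" "$token"
    if f=$(wait_for_token "$2" "$token" 60); then
        echo "delivered: $f"
        if spam_checked "$f"; then
            echo "passed through spamassassin"
        else
            echo "WARNING: no X-Spam-Status header; check the spamc recipe"
        fi
    else
        echo "not delivered within 60s; look in /var/log/mail/errors and /var/log/mail/info"
        exit 1
    fi
fi
```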

The relayhost=smtp.myisp.com statement in /etc/postfix/main.cf is used to tell postfix which mail server to relay mails through which terminate somewhere else on the internet. Postfix could send mails directly to the final destination in a single hop without going through a relay server, but many mail servers will compare the host names in the header of a mail with the IP address listed in DNS servers, and reject them if they do not match on the assumption the mail has been sent by a spammer trying to impersonate another mailserver. By putting my ISPs mailserver name in this field the header of the mail will have the same name and IP address as the previous hop, and receiving mail servers will be satisfied.

If you send a mail using Kmail to your ISP's account you can check that you can send mails using Postfix, and that fetchmail is correctly configured to receive them using the POP3 protocol.

If the mails never arrive back in your inbox, stop the fetchmail daemon and run fetchmail manually. In a root terminal :-

service fetchmail stop
fetchmail -v -f /etc/fetchmailrc

Examine the output, then

service fetchmail start

Configuring Courier-imap

The next step is to enable IMAP access to allow mail clients to log in to check their mail.

Install the courier-imap RPM.

Courier-imap is started by the command

service courier-imap start

or by setting the service in Mandriva Control Centre>System>Services

If OpenSSL is also installed courier-imap will automatically support logins over ssl when requested.

With default settings courier-imap will work with the configuration described so far. By default courier-imap will use the directory 'Maildir' in a user's home. If you require it to use a different directory edit the 'MAILDIRPATH=' parameter in the /etc/courier/imapd (and pop3d, pop3d-ssl) file. There are also lots of other interesting parameters in the courier-imap configuration to play with.

To use IMAP with Sylpheed

In Sylpheed
Configuration>Create New Account
Name = pick a name
Protocol = IMAP4
Server for receiving = your_mail_servername.and_domain
SMTP server (send) = your_mail_servername.and_domain
User ID = your_user_name
Password = your_password
Select the SSL tab and set
Use SSL for IMAP4 connections>OK

Right clicking on the account and selecting Rescan Folder Tree should cause an IMAP login, and you should see your mail and folders.

If you do not see all the folders you defined in ~/Maildir, that is probably because they do not start with a '.' character, or they are not Maildir type directories with cur, new, and tmp subdirectories. It is also essential that maildir directories named .Sent, .Drafts, and .Trash are present.
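A checker for exactly these two failure modes, added here and not part of the original page: it walks a Maildir, flags subfolders without a leading '.', dot-folders that are not themselves Maildirs (no cur/new/tmp), and the missing .Sent/.Drafts/.Trash folders Sylpheed needs. The root path is passed as an argument; the folder names are the ones used in the maildirmake commands above.

```shell
#!/bin/sh
# Added example (not from the original page): check that a Maildir tree has
# the layout Courier-IMAP and Sylpheed expect. Assumes the Maildir root is
# passed in and that the special folders are named .Sent, .Drafts and .Trash.

# is_maildir DIR : true if DIR has the cur, new and tmp subdirectories
is_maildir() {
    [ -d "$1/cur" ] && [ -d "$1/new" ] && [ -d "$1/tmp" ]
}

# check_maildir ROOT : print one line per problem; return 0 only when clean
check_maildir() {
    root=${1%/}
    problems=0
    if ! is_maildir "$root"; then
        echo "ERROR: $root is not a Maildir (no cur/new/tmp)"
        return 1
    fi
    # Every directory other than cur/new/tmp is a candidate subfolder
    for d in "$root"/*/ "$root"/.*/; do
        d=${d%/}
        name=${d##*/}
        [ -d "$d" ] || continue
        case "$name" in
            .|..|cur|new|tmp) continue ;;
            .*) # Dot-prefixed: Courier lists it, but only if it is itself a Maildir
                if ! is_maildir "$d"; then
                    echo "WARN: $name has no cur/new/tmp; Courier will not list it"
                    problems=$((problems + 1))
                fi ;;
            *)  # No leading dot: Courier ignores it entirely
                echo "WARN: $name has no leading '.'; Courier will not list it"
                problems=$((problems + 1)) ;;
        esac
    done
    # Sylpheed needs these three folders to exist
    for special in .Sent .Drafts .Trash; do
        if ! is_maildir "$root/$special"; then
            echo "WARN: $special is missing; run: maildirmake -f ${special#.} $root"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Usage: ./checkmaildir.sh ~/Maildir
if [ "$#" -eq 1 ]; then
    check_maildir "$1" && echo "OK: $1 looks good"
fi
```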

You should now be able to send and receive mails from Sylpheed using IMAP.

Using remote Imap folders with Kmail

Create a new account with Settings>Configure Kmail>Network>Receiving>Add>Imap. Choose a name for the account and give the connection details. Once the account is added you will see it appear in Kmail's folder list.

Right click on the base Imap folder and select 'Subscription'. A window will appear to allow you to select which of the subfolders are going to be visible. Once a folder is subscribed to it will appear under the base folder. Right clicking on a subfolder and selecting 'Properties' allows you to select if the subfolder is checked for new mail.

Now close Kmail, restart it, and go back to Settings>ConfigureKmail>Network>Receiving and Modify your Imap account. You will now be able to select your Imap Trash folder as the 'Deleted Items folder'. Restarting Kmail is necessary because the Imap folder will not appear in the drop down selection box if the base folder has only just been subscribed to.

Similarly go to Settings>ConfigureKmail>Identities, select an identity to modify>Advanced, and select your Imap Drafts and Sent folder as 'Drafts folder' and 'Sent Mail folder'

Configuring Courier-imap-pop

Some of my users need POP3 access to their mails. The courier-imap-pop package supports POP3 and POP3 over SSL. It uses the same Qmail-style folders as the IMAP server, but can only serve one folder. So all that is required is to create a single mail folder

maildirmake Maildir

The Pop3 service will not start until the file /etc/courier/pop3.dist is renamed to /etc/courier/pop3 (for normal POP3) and/or the file /etc/courier/pop3d-ssl.dist is renamed to /etc/courier/pop3d-ssl (for secure pop3 access)

Then restart the courier imap service with

service courier-imap restart

And both imap and pop3 services should be running.

If you are not concerned with increasing system security the mail server configuration is now complete, and you can give yourself a pat on the back.

Securing your System

Using the same username/password combination for login and for remote mail access is a security risk.

If your username/password were to be intercepted when retrieving e-mails, then they could be used to attack your computer with telnet (if you were foolish enough to enable it), or even ssh (if you did not depend on public/private key combinations)

So I decided to enforce a system whereby my remote users had a different password to the local login.

The simplest way of configuring this with courier-imap is to use 'authuserdb' authentication, which is possible with the standard courier-imap RPM without any additional modules.

Normally when you use IMAP, authentication is performed by PAM, and any remote user who offers a valid login password will be granted access. To disable this, edit the file /etc/courier/authdaemonrc, comment out the existing authmodulelist line and insert the new one as shown :-


#authmodulelist="authcustom authcram authuserdb authldap authpgsql authmysql authpam"
authmodulelist="authuserdb"


This will disable all methods of user authentication other than the 'userdb' method.

Restart the authdaemond with the commands

/usr/lib/courier/authlib/authdaemond stop
/usr/lib/courier/authlib/authdaemond start

You will now find your imap access no longer works!!!

Now we must create a user database in the file /etc/userdb

First we have to pick passwords for each form of access we want to permit, e.g. imap, pop3, pop3 secure etc.

A password is created using the command

userdbpw

When prompted give the password you wish to use. An encrypted string will be returned.

Now create the file /etc/userdb in the format shown below, with one line for each local user who will require remote E-mail access. Where I have put 'obscured' insert the encrypted password string. You must insert a password string for each method of access you want to enable, e.g. imappw, pop3pw, pop3spw. Be sure also to insert the correct uid/gid and home directory information for each user. The uid/gid numbers may be ascertained by typing '/usr/sbin/pw2userdb'.


derek	uid=501|gid=501|home=/home/derek|shell=/bin/bash|imappw=obscured|pop3pw=obscured


Note: There is one Tab character after the username. There must be NO spaces.
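A check to run over /etc/userdb before rebuilding the binary database, added here and not part of the original page or of Courier: it rejects entries with spaces, with anything other than a single Tab after the username, without uid=/gid=/home= (or with non-numeric uid/gid), without at least one of imappw=, pop3pw= or pop3spw=, and entries whose uid disagrees with the local account of the same name. The file path is an argument; the layout assumed is the single-line form shown above.

```shell
#!/bin/sh
# Added example (not from the original page or from Courier): sanity-check
# /etc/userdb entries before running makeuserdb. Assumes the one-line
# "user<Tab>key=value|key=value|..." layout shown above.

TAB=$(printf '\t')

# field FIELDS KEY : print the value of KEY= from a |-separated list, or return 1
field() {
    list="|$1"
    v=${list#*"|$2="}
    [ "$v" != "$list" ] || return 1
    printf '%s\n' "${v%%|*}"
}

# check_userdb_line LINE : return 0 if LINE is well formed, else say why and return 1
check_userdb_line() {
    line=$1
    case "$line" in
        *" "*) echo "REJECT: spaces are not allowed: $line"; return 1 ;;
    esac
    user=${line%%"$TAB"*}
    rest=${line#*"$TAB"}
    if [ "$user" = "$line" ] || [ -z "$user" ]; then
        echo "REJECT: username must be followed by one Tab: $line"; return 1
    fi
    case "$rest" in
        *"$TAB"*) echo "REJECT: more than one Tab in entry for $user"; return 1 ;;
    esac
    for key in uid gid home; do
        if ! field "$rest" "$key" >/dev/null; then
            echo "REJECT: $user has no $key= field"; return 1
        fi
    done
    for key in uid gid; do
        case "$(field "$rest" "$key")" in
            ''|*[!0-9]*) echo "REJECT: $user has a non-numeric $key="; return 1 ;;
        esac
    done
    if ! field "$rest" imappw >/dev/null && ! field "$rest" pop3pw >/dev/null \
        && ! field "$rest" pop3spw >/dev/null; then
        echo "REJECT: $user has no imappw=, pop3pw= or pop3spw= password"; return 1
    fi
    # If the account exists on this system, the uid must match it (pw2userdb shows it)
    if id "$user" >/dev/null 2>&1 && [ "$(id -u "$user")" != "$(field "$rest" uid)" ]; then
        echo "REJECT: uid for $user does not match the system account"; return 1
    fi
    return 0
}

# check_userdb FILE : check every non-blank line; return 0 only if all pass
check_userdb() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        check_userdb_line "$line" || bad=$((bad + 1))
    done < "$1"
    if [ "$bad" -eq 0 ]; then
        echo "OK: $1"
    else
        echo "$bad bad entries in $1; fix them before running makeuserdb"
        return 1
    fi
}

# Usage: ./checkuserdb.sh /etc/userdb
if [ "$#" -eq 1 ]; then
    check_userdb "$1"
fi
```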

Now rebuild the binary database with the commands

/usr/lib/courier/authlib/authdaemond stop
makeuserdb
/usr/lib/courier/authlib/authdaemond start

Your imap server should resume working. The authentication daemon will look up the password supplied by remote IMAP clients in the binary database for the requested service type, and only allow access if there is a match.

Restart the authdaemond again, and change your password in your mail client(e.g. sylpheed) to be the new password (unencrypted), and your Imap should be working again.

Firewall Considerations

To send/receive mail via SMTP port 25 must be open. To check mail with Pop3 from a computer in the local network, port 110 must be open. (Do not open port 110 to the Internet unless you want to be able to check mail remotely). To retrieve mail with IMAP port 143 must be open. A convenient tool to manage the shorewall firewall is webmin. Install the webmin RPM, start the webmin service using Mandriva Control Centre>System>Services, and then enter https://localhost:10000 in a browser.

Wednesday 11th August, 2004
