ArchWiki: Virtual user mail system with Postfix, Dovecot and Roundcube (revision by Timesqueezer, 2011-11-14)
<div>{{i18n|Simple Virtual User Mail System}}
[[Category:Web Server (English)]]

This article describes how to set up a complete virtual user mail system on an Arch Linux system in the simplest manner possible. However, since a mail system consists of many complex components, quite a bit of configuration will still be necessary. Roughly, the components used in this article are Postfix, Cyrus SASL, Courier, PAM, PostfixAdmin and Roundcube.

In the end, the provided solution will allow you to use the best currently available security mechanisms: you will be able to send mail using SMTP and SMTPS and receive mail using POP3, POP3S, IMAP and IMAPS. Additionally, configuration will be easy thanks to PostfixAdmin, and users will be able to log in using Roundcube. What a deal!

This article assumes that you have a working [[LAMP]] setup, as we will need a working Apache2 as well as a MySQL database. Of course, with a few changes to these instructions you could easily use another httpd and database. For the purposes of this tutorial, however, the choice made above will be used. Additionally, the article assumes all-default settings for every package installed below. No changes except for those mentioned will be required.

Should any unforeseen problems occur, feel free to use the discussion page to voice your problems and I will try to answer.

== Installation ==
 # pacman -S gamin postfix courier-imap cyrus-sasl cyrus-sasl-sql pam_mysql

== Configuration ==
=== User ===
For security reasons, a new user should be created to own the stored mail:
 groupadd -g 5000 vmail
 useradd -u 5000 -g vmail -s /sbin/nologin -d /home/vmail -m vmail
A gid and uid of 5000 are used so that we do not run into conflicts with regular users. All your mail will then be stored in '''/home/vmail'''. You could change the home directory to something like '''/var/mail/vmail''', but be careful to change it in every configuration file below as well.

=== Database ===
{{Expansion}}
You will need to create an empty database and a corresponding user. We will be using PostfixAdmin's tables to fill the database later on. In this article, ''postfix_user'' will have read/write access to ''postfix_db'' using ''hunter2'' as a password. You are expected to create your database and user yourself. Make sure to assign proper permissions.

=== Postfix ===
There are basically two ways of doing SMTPS.

One is using the wrapper mode, which enables even old/odd clients like Outlook to use TLS. The wrapper mode uses the system service "smtps", which is a non-standard service and runs on port 465.

The other, more proper method is to use a port that simply enforces TLS without any wrapping. The system service for this is "submission", which is standard and uses port 587.

For the improper variant uncomment this in {{filename|/etc/postfix/master.cf}} (the ''-o'' continuation lines must stay indented, otherwise Postfix does not treat them as options of the smtps service):
 smtps      inet  n       -       n       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes

For the proper variant uncomment this in {{filename|/etc/postfix/master.cf}}:
 submission inet  n       -       n       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes

To {{filename|/etc/postfix/main.cf}} append:
 relay_domains = *
 virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf
 virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_domains_maps.cf
 virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
 virtual_mailbox_base = /home/vmail
 virtual_mailbox_limit = 512000000
 virtual_minimum_uid = 5000
 virtual_transport = virtual
 virtual_uid_maps = static:5000
 virtual_gid_maps = static:5000
 local_transport = virtual
 local_recipient_maps = $virtual_mailbox_maps
 transport_maps = hash:/etc/postfix/transport
 
 smtpd_sasl_auth_enable = yes
 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
 smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = /etc/ssl/certs/server.crt
 smtpd_tls_key_file = /etc/ssl/private/server.key
 smtpd_sasl_local_domain = $mydomain
 broken_sasl_auth_clients = yes
 smtpd_tls_loglevel = 1

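The four ''smtpd_*'' settings above are the ones that decide whether the server hands out AUTH only over TLS and refuses to relay for unauthenticated clients. The following shell script is an added example (not part of the article) that reads a ''main.cf''-style file and reports when any of those settings is missing or weakened; it only understands the single-line ''key = value'' form the article uses, and the two sample files it checks are constructed here, not taken from a real system.

```shell
#!/bin/sh
# Added example: lint the SMTP-AUTH/TLS settings the article asks for in
# /etc/postfix/main.cf. Only single-line "key = value" entries are parsed;
# indented continuation lines (multi-line values) are not handled.

# cf_get FILE KEY: print the value of KEY (last assignment wins, as postconf does).
cf_get() {
    awk -v k="$2" '
        $0 ~ ("^[ \t]*" k "[ \t]*=") {
            v = $0
            sub("^[ \t]*" k "[ \t]*=[ \t]*", "", v)
            val = v
        }
        END { print val }' "$1"
}

# check_main_cf FILE: print one finding per line; return 1 if there were any.
check_main_cf() {
    f=$1
    rc=0
    [ "$(cf_get "$f" smtpd_sasl_auth_enable)" = yes ] ||
        { echo "smtpd_sasl_auth_enable is not 'yes': clients cannot authenticate"; rc=1; }
    [ "$(cf_get "$f" smtpd_tls_auth_only)" = yes ] ||
        { echo "smtpd_tls_auth_only is not 'yes': AUTH PLAIN/LOGIN is offered on unencrypted sessions"; rc=1; }
    case "$(cf_get "$f" smtpd_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "smtpd_sasl_security_options lacks 'noanonymous'"; rc=1 ;;
    esac
    case "$(cf_get "$f" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) ;;
        *) echo "smtpd_recipient_restrictions lacks 'reject_unauth_destination': unauthenticated relaying is not rejected"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: one matching the article, one with the settings weakened.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
EOF
cat > "$SAMPLE_DIR/weak.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_sasl_security_options = noplaintext
smtpd_tls_auth_only = no
EOF

for name in good.cf weak.cf; do
    if check_main_cf "$SAMPLE_DIR/$name"; then
        echo "$name: ok"
    else
        echo "$name: see findings above"
    fi
done
```

On a real host, run ''check_main_cf /etc/postfix/main.cf'' after editing; the weak sample produces three findings, the good one none.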
This references a lot of files that do not even exist yet. Let's create them.

Edit {{filename|/etc/postfix/virtual_alias_maps.cf}} as new and add:
 user = postfix_user
 password = hunter2
 hosts = localhost
 dbname = postfix_db
 query = SELECT goto FROM alias WHERE address='%s' AND active = true

Edit {{filename|/etc/postfix/virtual_domains_maps.cf}} as new and add:
 user = postfix_user
 password = hunter2
 hosts = localhost
 dbname = postfix_db
 query = SELECT domain FROM domain WHERE domain='%s' and backupmx = false and active = true

Edit {{filename|/etc/postfix/virtual_mailbox_limits.cf}} as new and add:
 user = postfix_user
 password = hunter2
 hosts = localhost
 dbname = postfix_db
 query = SELECT quota FROM mailbox WHERE username='%s'

Edit {{filename|/etc/postfix/virtual_mailbox_maps.cf}} as new and add:
 user = postfix_user
 password = hunter2
 hosts = localhost
 dbname = postfix_db
 query = SELECT maildir FROM mailbox WHERE username='%s' AND active = true

Run ''postmap'' on ''transport'' to generate its db:
 postmap /etc/postfix/transport

We still need the SSL cert and private key. The second ''openssl'' command rewrites the key without the passphrase you chose when creating it, so that Postfix can load it without prompting:
 cd /etc/ssl/certs
 openssl req -new -x509 -newkey rsa:1024 -days 365 -keyout server.key -out server.crt
 openssl rsa -in server.key -out server.key
 chown nobody:nobody server.key
 chmod 600 server.key
 mv server.key /etc/ssl/private/

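A mismatched certificate and key, or a key that ended up world-readable, are the two mistakes that most often surface only when the first client connects. The script below is an added example, not the article's procedure: it creates the pair non-interactively, then checks that the certificate's public key really belongs to the private key (by comparing the RSA modulus of both) and that the key is readable by its owner only. It deliberately differs from the article's commands by using a 2048-bit key, ''-nodes'' (so no passphrase has to be stripped afterwards) and ''-subj'' (so the subject is not prompted for); it assumes the ''openssl'' CLI and GNU ''stat'', and the host name is a constructed placeholder.

```shell
#!/bin/sh
# Added example: create the self-signed pair non-interactively and verify it
# before pointing smtpd_tls_cert_file / smtpd_tls_key_file at the files.

# make_selfsigned DIR CN: write DIR/server.key and DIR/server.crt.
# 2048-bit key, no passphrase (-nodes), subject given on the command line.
make_selfsigned() {
    dir=$1
    cn=$2
    (umask 077 && openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null)
    chmod 600 "$dir/server.key"
}

# verify_pair CRT KEY: return 0 if the public key in CRT matches KEY.
# Both commands print "Modulus=<hex>"; the pair belongs together iff they agree.
verify_pair() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# key_is_private KEY: return 0 if KEY has mode 600 (owner read/write only).
# Assumes GNU stat (Linux).
key_is_private() {
    [ "$(stat -c '%a' "$1")" = 600 ]
}

# Demo in a throwaway directory with a constructed host name.
DEMO=$(mktemp -d)
make_selfsigned "$DEMO" mail.example.invalid
if verify_pair "$DEMO/server.crt" "$DEMO/server.key" && key_is_private "$DEMO/server.key"; then
    echo "server.crt and server.key match and the key is owner-readable only"
else
    echo "certificate/key problem in $DEMO"
fi
```

The same ''verify_pair'' check is worth running against whatever ends up in ''/etc/ssl/certs/server.crt'' and ''/etc/ssl/private/server.key'' after the steps above, since Postfix logs a key/certificate mismatch only at startup.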
=== Courier ===
In {{filename|/etc/authlib/authdaemonrc}} make sure that ''authmodulelist'' only contains ''authmysql'':
 authmodulelist="authmysql"

Next, we need to configure the field names used by PostfixAdmin in {{filename|/etc/authlib/authmysqlrc}}. Search for these keys and set the values shown here, uncommenting entries where necessary:
 MYSQL_HOST localhost
 MYSQL_PORT 3306
 MYSQL_USERNAME postfix_user
 MYSQL_PASSWORD hunter2
 MYSQL_DATABASE postfix_db
 MYSQL_USER_TABLE mailbox
 MYSQL_CRYPT_PWFIELD password
 MYSQL_UID_FIELD 5000
 MYSQL_GID_FIELD 5000
 MYSQL_LOGIN_FIELD username
 MYSQL_HOME_FIELD "/home/vmail"
 MYSQL_NAME_FIELD name
 MYSQL_MAILDIR_FIELD maildir
 MYSQL_QUOTA_FIELD quota

Edit the ''[ req_dn ]'' part in {{filename|/etc/imapd.cnf}} and {{filename|/etc/pop3d.cnf}} to correctly state your mail server's location. E.g.:
 [ req_dn ]
 C=DE
 ST=Hamburg
 L=Hamburg
 O=Courier Mail Server
 OU=Automatically-generated IMAP SSL key
 CN=localhost
 emailAddress=god@world.com

Next, generate the certificates and move them into position:
 mkimapdcert
 mv /usr/share/imapd.pem /etc/courier-imap/
 mkpop3dcert
 mv /usr/share/pop3d.pem /etc/courier-imap/

=== Cyrus ===
If you are using the smtps system service as explained [[#Postfix|above]], you will need to edit {{filename|/etc/services}} and add
 smtps 465/tcp # Secure Simple Mail Transfer
 smtps 465/udp # Secure Simple Mail Transfer
to it.

If you use submission, you do not have to add anything. You can run both services at the same time, though, in which case you will still need to add the smtps system service or Postfix will refuse to start.

The contents of {{filename|/etc/pam.d/smtp}} should be:
 auth required /lib/security/pam_mysql.so user=postfix_user passwd=hunter2 host=localhost db=postfix_db table=mailbox usercolumn=username passwdcolumn=password crypt=1
 account sufficient /lib/security/pam_mysql.so user=postfix_user passwd=hunter2 host=localhost db=postfix_db table=mailbox usercolumn=username passwdcolumn=password crypt=1

Modify {{filename|/etc/conf.d/saslauthd}} to say:
 SASLAUTHD_OPTS="-m /var/run/saslauthd -r -a pam"

Finally, {{filename|/usr/lib/sasl2/smtpd.conf}} should have:
 pwcheck_method: saslauthd
 mech_list: plain login
 saslauthd_path: /var/run/saslauthd/mux
 log_level: 7

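By this point the database password ''hunter2'' sits in the four ''virtual_*.cf'' map files, in ''/etc/authlib/authmysqlrc'' and in ''/etc/pam.d/smtp''. The following is an added example (not part of the article) of a small audit that lists any such file that is world-accessible; it leaves group access alone, because the Postfix map files are normally kept root-owned and group-readable by the ''postfix'' group so that the unprivileged ''proxymap'' daemon can read them. It assumes GNU ''stat''; the two files it checks in the demo are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: report credential-bearing config files that are accessible by
# "other" (the last octal digit of the mode is non-zero). Group access is not
# flagged, since root:postfix with mode 640 is the usual arrangement for the
# Postfix map files. Assumes GNU stat (Linux).

# audit_secret_files FILE...: print one line per problem; return 1 if any.
audit_secret_files() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            *0) ;;                                   # others have no access: fine
            *) echo "world-accessible (mode $mode): $f"; rc=1 ;;
        esac
        # Note whether the file really does carry a credential, to help triage.
        if grep -qiE 'password|passwd' "$f"; then
            echo "contains a credential: $f"
        fi
    done
    return $rc
}

# Constructed demo: one map file left at the default 644, one already tightened.
DEMO=$(mktemp -d)
printf 'user = postfix_user\npassword = hunter2\n' > "$DEMO/virtual_alias_maps.cf"
chmod 644 "$DEMO/virtual_alias_maps.cf"
printf 'MYSQL_PASSWORD hunter2\n' > "$DEMO/authmysqlrc"
chmod 600 "$DEMO/authmysqlrc"

if audit_secret_files "$DEMO/virtual_alias_maps.cf" "$DEMO/authmysqlrc"; then
    echo "all files are protected from other users"
else
    echo "tighten the files listed above (e.g. chmod 640 for the Postfix maps)"
fi
```

On the real system, pass the six paths named in this article; a ''missing'' line means a map referenced from ''main.cf'' has not been created yet.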
=== PostfixAdmin ===
To install PostfixAdmin, we need to manually get its upstream package and extract it to our web root (or another desired directory). You should use the most recent version available at the time. This article will use the most recent version at the time of writing. The ''-O'' option is needed because SourceForge's ''/download'' URL would otherwise be saved under the file name ''download'':
 cd /srv/http/
 wget -O postfixadmin-2.3.2.tar.gz http://sourceforge.net/projects/postfixadmin/files/postfixadmin/postfixadmin-2.3.2/postfixadmin-2.3.2.tar.gz/download
 tar xzf postfixadmin-2.3.2.tar.gz
 cd postfixadmin-2.3.2

Next, PostfixAdmin needs to be configured. Assuming localhost is the hostname of the machine you are installing this on, navigate to ''http://localhost/postfixadmin-2.3.2/setup.php''. The setup will guide you through the remaining steps to set up PostfixAdmin.

=== Roundcube ===
As with PostfixAdmin, this article will use the most recent version as of the time of writing. You should always use the most recent version available.
 cd /srv/http/
 wget -O roundcubemail-0.4.tar.gz http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.4/roundcubemail-0.4.tar.gz/download
 tar xzf roundcubemail-0.4.tar.gz
 cd roundcubemail-0.4

Make some directories writable by the webserver:
 chown -R http:http temp logs

Assuming that localhost is your current host, navigate a browser to ''http://localhost/roundcubemail-0.4/installer/'' and follow the instructions. You could use the same database for Roundcube that you already used for PostfixAdmin, though you shouldn't. For a proper setup, create a second database "roundcube_db" and a "roundcube_user" for use with Roundcube.

While running the installer, make sure to address the IMAP host as '''tls://localhost/''' instead of just '''localhost'''. Use port 993. Likewise with SMTP, make sure to provide '''ssl://localhost/''' on port 465 if you used the wrapper mode and '''tls://localhost/''' on port 587 if you used the proper TLS mode. See [[#Postfix|here]] for an explanation of that.

=== rc.conf ===
The services should be restarted in the correct order on system restart. Make sure your DAEMONS array in {{filename|/etc/rc.conf}} contains:
 DAEMONS=( ... saslauthd postfix authdaemond imapd imapd-ssl pop3d pop3d-ssl ... )
Make sure to keep this order.

== Fire it up ==
Since now hopefully everything is set up correctly, all necessary daemons should be started for a test run:
 for daemon in saslauthd postfix authdaemond imapd imapd-ssl pop3d pop3d-ssl; do /etc/rc.d/$daemon start; done
The order in which the daemons are started is actually important here.

As a final bit of configuration, Postfix needs to be able to write to the saslauthd socket directory. Thus:
 chown postfix:postfix /var/run/saslauthd

Now, for testing purposes, create a domain and mail account in PostfixAdmin. Try to log in to this account using Roundcube. Then send yourself a mail.

== Troubleshooting ==
If you get errors like your IMAP/POP3 client failing to receive mail, take a look into your /var/log/mail.log file. Make sure your saslauthd daemon is running:
 # rc.d restart saslauthd
If imapd-ssl tells you that it wants to chdir into a specific directory but that directory is not available, just send one email to the account and try again.
It turned out that the maildir /home/vmail/mail@domain.tld is only created once there is at least one email waiting. Otherwise there would not be any need for the directory.

==See also==
*[[Courier MTA]]
*[[Postfix]]
*[[SOHO Postfix]]</div>