Difference between revisions of "Virtual user mail system"

From ArchWiki
Jump to: navigation, search
(Cyrus: Updating for new Arch changes)
(Changed to use dovecot instead of courier to simplify things)
Line 2: Line 2:
 
[[Category:Web Server]]
 
[[Category:Web Server]]
  
This article describes how to set up a complete virtual user mail system on an Arch Linux system in the simplest manner possible. However, since a mail system consists of many complex components, quite a bit of configuration will still be necessary. Roughly, the components used in this article are Postfix, Cyrus, Courier, PAM, PostfixAdmin and Roundcube.
+
This article describes how to set up a complete virtual user mail system on an Arch Linux system in the simplest manner possible. However, since a mail system consists of many complex components, quite a bit of configuration will still be necessary. Roughly, the components used in this article are Postfix, Dovecot, PostfixAdmin and Roundcube.
  
 
In the end, the provided solution will allow you to use the best currently available security mechanisms, you will be able to send mails using SMTP and SMTPS and receive mails using POP3, POP3S, IMAP and IMAPS. Additionally, configuration will be easy thanks to PostfixAdmin and users will be able to login using Roundcube. What a deal!
 
In the end, the provided solution will allow you to use the best currently available security mechanisms, you will be able to send mails using SMTP and SMTPS and receive mails using POP3, POP3S, IMAP and IMAPS. Additionally, configuration will be easy thanks to PostfixAdmin and users will be able to login using Roundcube. What a deal!
Line 11: Line 11:
  
 
== Installation ==
 
== Installation ==
  # pacman -S gamin postfix courier-imap cyrus-sasl cyrus-sasl-sql pam_mysql
+
  # pacman -S dovecot postfix
  
 
== Configuration ==
 
== Configuration ==
Line 57: Line 57:
 
   
 
   
 
  smtpd_sasl_auth_enable = yes
 
  smtpd_sasl_auth_enable = yes
 +
smtpd_sasl_type = dovecot
 +
smtpd_sasl_path = /var/run/dovecot/auth-client
 
  smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
 
  smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
 
  smtpd_sasl_security_options = noanonymous
 
  smtpd_sasl_security_options = noanonymous
Line 108: Line 110:
 
  mv server.key /etc/ssl/private/
 
  mv server.key /etc/ssl/private/
  
=== Courier ===
+
=== Dovecot ===
In {{ic|/etc/authlib/authdaemonrc}} make sure that ''authmodulelist'' only contains ''authmysql'':
+
Start by getting a fresh config file from the pre-existing sample config:
authmodulelist="authmysql"
+
cp /etc/dovecot/dovecot.conf.sample /etc/dovecot/dovecot.conf
  
Next, we need to configure the field names used by PostfixAdmin in {{ic|/etc/authlib/authmysqlrc}}. Search and replace values provided here. Uncomment commented entries if necessary:
+
In {{ic|/etc/dovecot/dovecot.conf}} we'll need to do quite some configuration:
  MYSQL_HOST          localhost
+
  protocols = imap pop3
  MYSQL_PORT         3306
+
  auth default {
MYSQL_USERNAME     postfix_user
+
    mechanisms = plain
MYSQL_PASSWORD     hunter2
+
    passdb sql {
MYSQL_DATABASE     postfix_db
+
         args = /etc/dovecot/dovecot-sql.conf
  MYSQL_USER_TABLE    mailbox
+
     }
  MYSQL_CRYPT_PWFIELD password
+
     userdb sql {
  MYSQL_UID_FIELD    5000
+
        args = /etc/dovecot/dovecot-sql.conf
  MYSQL_GID_FIELD    5000
+
     }
  MYSQL_LOGIN_FIELD  username
+
  }
  MYSQL_HOME_FIELD    "/home/vmail"
+
   
  MYSQL_NAME_FIELD    name
+
  service auth {
  MYSQL_MAILDIR_FIELD maildir
+
    unix_listener auth-client {
  MYSQL_QUOTA_FIELD  quota
+
        group = postfix
 +
        mode = 0660
 +
        user = postfix
 +
    }
 +
    user = root
 +
  }
 +
   
 +
  mail_home = /home/vmail/%u
 +
  mail_location = maildir:~
 +
   
 +
  ssl_cert = </etc/httpd/conf/server.crt
 +
ssl_key = </etc/httpd/conf/server.key
  
Edit the ''[ reg_dn ]'' part in {{ic|/etc/imapd.cnf}} (or {{ic|/etc/courier-imap/imapd.cnf}}) and {{ic|/etc/pop3d.cnf}} (or {{ic|/etc/courier-imap/pop3d.cnf}})to correctly state your mail server's location. E.g.:
+
Now obviously we also need the {{ic|/etc/dovecot/dovecot-sql.conf}} we just referenced in the config above. Go ahead and create a {{ic|/etc/dovecot/dovecot-sql.conf}} with these contents:
  [ req_dn ]
+
  driver = mysql
C=DE
+
  connect = host=localhost dbname=postfix_db user=postfix_user password=hunter2
  ST=Hamburg
+
  # The new name for MD5 is MD5-CRYPT so you might need to change this depending on version
L=Hamburg
+
  default_pass_scheme = MD5-CRYPT
O=Courier Mail Server
+
  # Get the mailbox
  OU=Automatically-generated IMAP SSL key
+
  user_query = SELECT '/home/vmail/%u' as home, 'maildir:/home/vmail/%u' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
  CN=localhost
+
  # Get the password
  emailAddress=god@world.com
+
password_query = SELECT username as user, password, '/home/vmail/%u' as userdb_home, 'maildir:/home/vmail/%u' as userdb_mail, 5000 as userdb_uid, 5000 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
 
+
  # If using client certificates for authentication, comment the above and uncomment the following
Next, generate the certificates and move them into position:
+
  #password_query = SELECT null AS password, ‘%u’ AS user
  mkimapdcert
+
mv /usr/share/imapd.pem /etc/courier-imap/
+
mkpop3dcert
+
mv /usr/share/pop3d.pem /etc/courier-imap/
+
 
+
=== Cyrus ===
+
If you are using the smtps system service as explained [[#Postfix|above]] you will need to edit {{ic|/etc/services}} and add
+
smtps          465/tcp  # Secure Simple Mail Transfer
+
smtps          465/udp  # Secure Simple Mail Transfer
+
to it.
+
 
+
If you use submission, you do not have to do add anything. You can run both services at the same time, though, in which case you will still need to add the smtps system service or postfix will refuse to start.
+
 
+
Contents of {{ic|/etc/pam.d/smtp}} should be:
+
  auth required /usr/lib/security/pam_mysql.so user=postfix_user passwd=hunter2 host=localhost db=postfix_db table=mailbox usercolumn=username passwdcolumn=password crypt=1
+
  account sufficient /usr/lib/security/pam_mysql.so user=postfix_user passwd=hunter2 host=localhost db=postfix_db table=mailbox usercolumn=username passwdcolumn=password crypt=1
+
 
+
Modify {{ic|/etc/conf.d/saslauthd}} to say:
+
SASLAUTHD_OPTS="-m /var/run/saslauthd -r -a pam"
+
 
+
Finally, {{ic|/usr/lib/sasl2/smtpd.conf}} should have:
+
  pwcheck_method: saslauthd
+
  mech_list: plain login
+
  saslauthd_path: /var/run/saslauthd/mux
+
log_level: 7
+
  
 
=== PostfixAdmin ===
 
=== PostfixAdmin ===
 
To install PostfixAdmin, we need to manually get its upstream package and extract it to our web root (or other desired directory). You should use the most recent version available at the time. This article will use the most recent version at the time of writing.
 
To install PostfixAdmin, we need to manually get its upstream package and extract it to our web root (or other desired directory). You should use the most recent version available at the time. This article will use the most recent version at the time of writing.
 
  cd /srv/http/
 
  cd /srv/http/
  wget http://sourceforge.net/projects/postfixadmin/files/postfixadmin/postfixadmin-2.3.2/postfixadmin-2.3.2.tar.gz/download
+
  wget http://sourceforge.net/projects/postfixadmin/files/postfixadmin/postfixadmin-2.3.5/postfixadmin-2.3.5.tar.gz/download
  tar xzf postfixadmin-2.3.2.tar.gz
+
  tar xzf postfixadmin-2.3.5.tar.gz
  cd postfixadmin-2.3.2
+
  cd postfixadmin-2.3.5
  
 
Next, PostfixAdmin needs to be configured. Assuming localhost is the hostname of the machine you are installing this on, navigate to ''http://localhost/postfixadmin-2.3.2/setup.php''. The setup will guide you through the remaining steps to set up PostfixAdmin.
 
Next, PostfixAdmin needs to be configured. Assuming localhost is the hostname of the machine you are installing this on, navigate to ''http://localhost/postfixadmin-2.3.2/setup.php''. The setup will guide you through the remaining steps to set up PostfixAdmin.
Line 177: Line 165:
 
As with PostfixAdmin, this article will use the most recent version as of the time of writing. You should always use the most recent version available.
 
As with PostfixAdmin, this article will use the most recent version as of the time of writing. You should always use the most recent version available.
 
  cd /srv/http/
 
  cd /srv/http/
  wget http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.4/roundcubemail-0.4.tar.gz/download
+
  wget http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.7.2/roundcubemail-0.7.2.tar.gz/download
  tar xzf roundcubemail-0.4.tar.gz
+
  tar xzf roundcubemail-0.7.2.tar.gz
  cd roundcubemail-0.4
+
  cd roundcubemail-0.7.2
  
 
Make some directories writable by the webserver:
 
Make some directories writable by the webserver:
 
  chown -R http:http temp logs
 
  chown -R http:http temp logs
  
Assuming that localhost is your current host, navigate a browser to ''http://localhost/roundcubemail-0.4/installer/'' and follow the instructions. You could use the same database for Roundcube that you already used for PostfixAdmin though you shouldn't. For a proper setup, create a second database "roundcube_db" and a "roundcube_user" for use with Roundcube.  
+
Assuming that localhost is your current host, navigate a browser to ''http://localhost/roundcubemail-0.7.2/installer/'' and follow the instructions. You could use the same database for Roundcube that you already used for PostfixAdmin though you shouldn't. For a proper setup, create a second database "roundcube_db" and a "roundcube_user" for use with Roundcube.  
  
 
While running the installer, make sure to address the IMAP host with '''tls://localhost/''' instead of just '''localhost'''. Use port 993. Likewise with SMTP, make sure to provide '''ssl://localhost/''' on port 465 if you used the wrapper mode and '''tls://localhost/''' on port 587 if you used the proper TLS mode. See [[#Postfix|here]] for an explanation on that.
 
While running the installer, make sure to address the IMAP host with '''tls://localhost/''' instead of just '''localhost'''. Use port 993. Likewise with SMTP, make sure to provide '''ssl://localhost/''' on port 465 if you used the wrapper mode and '''tls://localhost/''' on port 587 if you used the proper TLS mode. See [[#Postfix|here]] for an explanation on that.
  
 
=== rc.conf ===
 
=== rc.conf ===
The services should be restarted in the correct order on system restart. Make sure your DAEMONS array in {{ic|/etc/rc.conf}} contains:
+
Make sure your DAEMONS array in {{ic|/etc/rc.conf}} contains:
  DAEMONS=( ... saslauthd postfix authdaemond imapd imapd-ssl pop3d pop3d-ssl ... )
+
  DAEMONS=( ... dovecot postfix ... )
Make sure to keep this order.
+
  
 
== Fire it up ==
 
== Fire it up ==
 
Since now hopefully everything is set up correctly, all necessary daemons should be started for a test run:
 
Since now hopefully everything is set up correctly, all necessary daemons should be started for a test run:
  for daemon in saslauthd postfix authdaemond imapd imapd-ssl pop3d pop3d-ssl; do /etc/rc.d/$daemon start; done
+
  for daemon in dovecot postfix; do /etc/rc.d/$daemon start; done
The order in which the daemons are started up is actually important here.
+
 
+
As a final bit of configuration, Postfix needs to be able to write to saslauth. Thus:
+
chown postfix:postfix /var/run/saslauthd
+
  
 
Now for testing purposes, create a domain and mail account in PostfixAdmin. Try to login to this account using Roundcube. Now send yourself a mail.
 
Now for testing purposes, create a domain and mail account in PostfixAdmin. Try to login to this account using Roundcube. Now send yourself a mail.
  
 
== Troubleshooting ==
 
== Troubleshooting ==
If you get errors like your imap/pop3 client failing to receive mails, take a look into your /var/log/mail.log file. Make sure your saslauth daemon is running:
+
If you get errors like your imap/pop3 client failing to receive mails, take a look into your /var/log/mail.log file.
# rc.d restart saslauthd
+
If imapd-ssl tells you that it want to chdir into a specific directory but that directory is not available, just send one email to the account and try again.
+
 
It turned out that the maildir /home/vmail/mail@domain.tld is just being created if there is at least one email waiting. Otherwise there wouldn't be any need for the directory.
 
It turned out that the maildir /home/vmail/mail@domain.tld is just being created if there is at least one email waiting. Otherwise there wouldn't be any need for the directory.
  

Revision as of 07:42, 11 May 2012

This template has only maintenance purposes. For linking to local translations please use interlanguage links, see Help:i18n#Interlanguage links.


Local languages: Català – Dansk – English – Español – Esperanto – Hrvatski – Indonesia – Italiano – Lietuviškai – Magyar – Nederlands – Norsk Bokmål – Polski – Português – Slovenský – Česky – Ελληνικά – Български – Русский – Српски – Українська – עברית – العربية – ไทย – 日本語 – 正體中文 – 简体中文 – 한국어


External languages (all articles in these languages should be moved to the external wiki): Deutsch – Français – Română – Suomi – Svenska – Tiếng Việt – Türkçe – فارسی

This article describes how to set up a complete virtual user mail system on an Arch Linux system in the simplest manner possible. However, since a mail system consists of many complex components, quite a bit of configuration will still be necessary. Roughly, the components used in this article are Postfix, Dovecot, PostfixAdmin and Roundcube.

In the end, the provided solution will allow you to use the best currently available security mechanisms, you will be able to send mails using SMTP and SMTPS and receive mails using POP3, POP3S, IMAP and IMAPS. Additionally, configuration will be easy thanks to PostfixAdmin and users will be able to login using Roundcube. What a deal!

This article assumes that you have a working LAMP setup as we will need a working Apache2 as well as MYSQL database. Of course, with a few changes to these instructions you could easily use another httpd and database. For the purposes of this tutorial, however, the choice made above will be used. Additionally, the article assumes all-default settings for every package installed below. No changes except for those mentioned will be required.

Should any unforeseen problems occur, feel free to use the discussion page to voice your problems and I will try to answer.

Installation

# pacman -S dovecot postfix

Configuration

User

For security reasons, a new user should be created to store the mails:

groupadd -g 5000 vmail
useradd -u 5000 -g vmail -s /sbin/nologin -d /home/vmail -m vmail

A gid and uid of 5000 is used in both cases so that we do not run into conflicts with regular users. All your mail will then be stored in /home/vmail. You could change the home dir to something like /var/mail/vmail but careful to change this in any configuration below as well.

Database

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: please use the first argument of the template to provide a brief explanation. (Discuss in Talk:Virtual user mail system#)

You will need to create an empty database and corresponding user. We will be using PostfixAdmin's tables to fill the database later on. In this article, postfix_user will have read/write access to postfix_db using hunter2 for a password. You are expected to create your database and user yourself. Make sure to assign proper permissions.

Postfix

There are basically 2 ways for of doing SMTPS.

One is using the wrapper mode which enables even old/odd clients like Outlook to use TLS. The wrapper mode uses the system service "smtps" which is a non-standard service and runs on port 465.

The other, more proper method is to use a port that simply enforces TLS without any wrapping. The system service for this is "submission" which is standard and uses port 587.

For the improper variant uncomment this in /etc/postfix/master.cf:

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

For the proper variant uncomment this in /etc/postfix/master.cf:

submission     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

To /etc/postfix/main.cf append:

relay_domains = *
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
virtual_mailbox_base = /home/vmail
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 5000
virtual_transport = virtual
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
transport_maps = hash:/etc/postfix/transport

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = yes
smtpd_tls_loglevel = 1

This references a lot of files that do not even exist yet. Let's create them.

Edit /etc/postfix/virtual_alias_maps.cf as new and add:

user = postfix_user
password = hunter2
hosts = localhost
dbname = postfix_db
query = SELECT goto FROM alias WHERE address='%s' AND active = true

Edit /etc/postfix/virtual_domains_maps.cf as new and add:

user = postfix_user
password = hunter2
hosts = localhost
dbname = postfix_db
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = false and active = true

Edit /etc/postfix/virtual_mailbox_limits.cf as new and add:

user = postfix_user
password = hunter2
hosts = localhost
dbname = postfix_db
query = SELECT quota FROM mailbox WHERE username='%s'

Edit /etc/postfix/virtual_mailbox_maps.cf as new and add:

user = postfix_user
password = hunter2
hosts = localhost
dbname = postfix_db
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = true

Run postmap on transport to generate its db:

postmap /etc/postfix/transport

We still need the SSL cert and private key:

cd /etc/ssl/certs
openssl req -new -x509 -newkey rsa:1024 -days 365 -keyout server.key -out server.crt
openssl rsa -in server.key -out server.key
chown nobody:nobody server.key
chmod 600 server.key
mv server.key /etc/ssl/private/

Dovecot

Start by getting a fresh config file from the pre-existing sample config:

cp /etc/dovecot/dovecot.conf.sample /etc/dovecot/dovecot.conf

In /etc/dovecot/dovecot.conf we'll need to do quite some configuration:

protocols = imap pop3
auth default {
    mechanisms = plain
    passdb sql {
        args = /etc/dovecot/dovecot-sql.conf
    }
    userdb sql {
        args = /etc/dovecot/dovecot-sql.conf
    }
}

service auth {
    unix_listener auth-client {
        group = postfix
        mode = 0660
        user = postfix
    }
    user = root
}

mail_home = /home/vmail/%u
mail_location = maildir:~

ssl_cert = </etc/httpd/conf/server.crt
ssl_key = </etc/httpd/conf/server.key

Now obviously we also need the /etc/dovecot/dovecot-sql.conf we just referenced in the config above. Go ahead and create a /etc/dovecot/dovecot-sql.conf with these contents:

driver = mysql
connect = host=localhost dbname=postfix_db user=postfix_user password=hunter2
# The new name for MD5 is MD5-CRYPT so you might need to change this depending on version
default_pass_scheme = MD5-CRYPT
# Get the mailbox
user_query = SELECT '/home/vmail/%u' as home, 'maildir:/home/vmail/%u' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=',  quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
# Get the password
password_query = SELECT username as user, password, '/home/vmail/%u' as userdb_home, 'maildir:/home/vmail/%u' as userdb_mail, 5000 as  userdb_uid, 5000 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
# If using client certificates for authentication, comment the above and uncomment the following
#password_query = SELECT null AS password, ‘%u’ AS user

PostfixAdmin

To install PostfixAdmin, we need to manually get its upstream package and extract it to our web root (or other desired directory). You should use the most recent version available at the time. This article will use the most recent version at the time of writing.

cd /srv/http/
wget http://sourceforge.net/projects/postfixadmin/files/postfixadmin/postfixadmin-2.3.5/postfixadmin-2.3.5.tar.gz/download
tar xzf postfixadmin-2.3.5.tar.gz
cd postfixadmin-2.3.5

Next, PostfixAdmin needs to be configured. Assuming localhost is the hostname of the machine you are installing this on, navigate to http://localhost/postfixadmin-2.3.2/setup.php. The setup will guide you through the remaining steps to set up PostfixAdmin.

Roundcube

As with PostfixAdmin, this article will use the most recent version as of the time of writing. You should always use the most recent version available.

cd /srv/http/
wget http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.7.2/roundcubemail-0.7.2.tar.gz/download
tar xzf roundcubemail-0.7.2.tar.gz
cd roundcubemail-0.7.2

Make some directories writable by the webserver:

chown -R http:http temp logs

Assuming that localhost is your current host, navigate a browser to http://localhost/roundcubemail-0.7.2/installer/ and follow the instructions. You could use the same database for Roundcube that you already used for PostfixAdmin though you shouldn't. For a proper setup, create a second database "roundcube_db" and a "roundcube_user" for use with Roundcube.

While running the installer, make sure to address the IMAP host with tls://localhost/ instead of just localhost. Use port 993. Likewise with SMTP, make sure to provide ssl://localhost/ on port 465 if you used the wrapper mode and tls://localhost/ on port 587 if you used the proper TLS mode. See here for an explanation on that.

rc.conf

Make sure your DAEMONS array in /etc/rc.conf contains:

DAEMONS=( ... dovecot postfix ... )

Fire it up

Since now hopefully everything is set up correctly, all necessary daemons should be started for a test run:

for daemon in dovecot postfix; do /etc/rc.d/$daemon start; done

Now for testing purposes, create a domain and mail account in PostfixAdmin. Try to login to this account using Roundcube. Now send yourself a mail.

Troubleshooting

If you get errors like your imap/pop3 client failing to receive mails, take a look into your /var/log/mail.log file. It turned out that the maildir /home/vmail/mail@domain.tld is just being created if there is at least one email waiting. Otherwise there wouldn't be any need for the directory.

See also