6 Konfiguration von Saslauthd

Führe zuerst Folgendes aus

mkdir -p /var/spool/postfix/var/run/saslauthd

Bearbeite dann /etc/default/saslauthd. Entferne das # vor START=yes und füge die Zeilen PARAMS=”-m /var/spool/postfix/var/run/saslauthd -r” und PIDFILE=”/var/spool/postfix/var/run/${NAME}/saslauthd.pid” hinzu. Die Datei sollte dann wie folgt aussehen:

vi /etc/default/saslauthd

# This needs to be uncommented before saslauthd will be run automatically
START=yes

PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="pam"

Erstelle dann die Datei /etc/pam.d/smtp. Sie sollte lediglich folgende zwei Zeilen beinhalten (pass auf, dass Du die richtigen Datenbank Angaben eingibst):

vi /etc/pam.d/smtp

auth    required   pam_mysql.so user=mail_admin passwd=mail_admin_password host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mail_admin passwd=mail_admin_password host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1

Erstelle als Nächstes die Datei /etc/postfix/sasl/smtpd.conf. So sollte sie aussehen:

vi /etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: mail_admin
sql_passwd: mail_admin_password
sql_database: mail
sql_select: select password from users where email = '%u'

Starte Postfix und Saslauthd dann neu:

/etc/init.d/postfix restart
/etc/init.d/saslauthd restart

7 Konfiguration von Courier

Nun müssen wir Courier mitteilen, dass es sich gegenüber unserer MySQL Datenbank authentifizieren soll. Bearbeite zunächst /etc/courier/authdaemonrc und ändere den Wert von authmodulelist so dass es heißt:

vi /etc/courier/authdaemonrc

[...]
authmodulelist="authmysql"
[...]

Nimm dann ein Backup von /etc/courier/authmysqlrc vor und leere die alte Datei:

cp /etc/courier/authmysqlrc /etc/courier/authmysqlrc_orig
cat /dev/null > /etc/courier/authmysqlrc

Öffne dann /etc/courier/authmysqlrc und füge folgende Zeilen ein:

vi /etc/courier/authmysqlrc

MYSQL_SERVER localhost
MYSQL_USERNAME mail_admin
MYSQL_PASSWORD mail_admin_password
MYSQL_PORT 0
MYSQL_DATABASE mail
MYSQL_USER_TABLE users
MYSQL_CRYPT_PWFIELD password
#MYSQL_CLEAR_PWFIELD password
MYSQL_UID_FIELD 5000
MYSQL_GID_FIELD 5000
MYSQL_LOGIN_FIELD email
MYSQL_HOME_FIELD "/home/vmail"
MYSQL_MAILDIR_FIELD CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')
#MYSQL_NAME_FIELD
MYSQL_QUOTA_FIELD quota

Starte Courier dann neu:

/etc/init.d/courier-authdaemon restart
/etc/init.d/courier-imap restart
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop restart
/etc/init.d/courier-pop-ssl restart

Indem Du dies ausführst

telnet localhost pop3

überprüfst Du, ob Dein POP3 Server richtig funktioniert. Es sollte +OK Hello there zurückgegeben werden. (Gib quit ein um zur Linux Kommandozeile zurückzukehren.)

root@server1:/etc/postfix# telnet localhost pop3
Trying 127.0.0.1…
Connected to localhost.localdomain.
Escape character is ‘^]’.
+OK Hello there.
quit
+OK Better luck next time.
Connection closed by foreign host.

8 Bearbeite /etc/aliases

Nun sollten wir /etc/aliases modifizieren und einen alias für postmaster darin festlegen. Du kannst eine Deiner vorhandenen E-Mail Adressen angeben, damit Du Benachrichtigungen an postmaster erhältst. Ändere außerdem die Root Zeile, damit Mails für Root an postmaster weitergeleitet werden:

vi /etc/aliases

# Added by installer for initial user
root:   postmaster
postmaster: postmaster@yourdomain.tld

Immer wenn Du /etc/aliases bearbeitest, musst Du dies danach ausführen

newaliases

und Postfix neu starten:

/etc/init.d/postfix restart

9 Installation von amavisd-new, SpamAssassin und ClamAV

Um amavisd-new, spamassassin und clamav zu installieren, führe diesen Befehl aus:

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 unzoo libnet-ph-perl libnet-snpp-perl libnet-telnet-perl nomarch lzop pax

Danach müssen wir amavisd-new konfigurieren. Die Konfiguration ist auf verschiedene Dateien aufgesplittet, die sich im /etc/amavis/conf.d Verzeichnis befinden. Sieh Dir jede einzeln an um Dich mit der Konfiguration vertraut zu machen. Die meisten Einstellungen sind in Ordnung, allerdings müssen wir drei Dateien modifizieren:

First we must enable ClamAV and SpamAssassin in /etc/amavis/conf.d/15-content_filter_mode by uncommenting the @bypass_virus_checks_maps and the @bypass_spam_checks_maps lines:

vi /etc/amavis/conf.d/15-content_filter_mode

Die Datei sollte wie folgt aussehen:

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it back
#

@bypass_virus_checks_maps = (
   %bypass_virus_checks, @bypass_virus_checks_acl, $bypass_virus_checks_re);

#
# Default SPAM checking mode
# Uncomment the two lines below to enable it back
#

@bypass_spam_checks_maps = (
   %bypass_spam_checks, @bypass_spam_checks_acl, $bypass_spam_checks_re);

1;  # insure a defined return

Dann solltest Du Dir die Spam Einstellungen und die Aktionen für Spam-/Virus-Mails in /etc/amavis/conf.d/20-debian_defaults ansehen. Es besteht kein Grund irgendwas zu ändern, wenn die Standardeinstellungen für Dich in Ordnung sind. Die Datei beinhaltet viele Erklärungen, ich muss die Einstellungen hier also nicht näher erläutern:

vi /etc/amavis/conf.d/20-debian_defaults

$QUARANTINEDIR = "$MYHOME/virusmails";

$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug';  # switch to info to drop debug output, etc

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # default listenting socket

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?

[...]
$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_BOUNCE;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
[...]

Bearbeite schließlich /etc/amavis/conf.d/50-user und füge die Zeile $pax=’pax’; in der Mitte ein:

vi /etc/amavis/conf.d/50-user

[...]
$pax='pax';
[...]

Führe danach diese Befehle aus um den neuen clamav Benutzer der amavis Gruppe hinzuzufügen und starte amavisd-new und ClamAV neu:

adduser clamav amavis
/etc/init.d/amavis restart
/etc/init.d/clamav-daemon restart

Als Nächstes müssen wir die Konfigurationsdatei des Freshclam Daemons (das ist der Daemon, der regelmäßig und automatisch die neusten Virussignaturen von einem ClamAV Spiegel abruft) bearbeiten, da sie einen kleinen Fehler enthält. Öffne /etc/clamav/freshclam.conf und modifiziere die NotifyClamd Zeile, wie unten angezeigt wird:

vi /etc/clamav/freshclam.conf

[...]
NotifyClamd /etc/clamav/clamd.conf
[...]

Then restart Freshclam (make sure no other Freshclam process (maybe of another ClamAV installation) is running because then our Freshclam will fail to start):

/etc/init.d/clamav-freshclam restart

Now we have to configure Postfix to pipe incoming email through amavisd-new:

postconf -e ‘content_filter = amavis:[127.0.0.1]:10024′
postconf -e ‘receive_override_options = no_address_mappings’

Afterwards append the following lines to /etc/postfix/master.cf:

vi /etc/postfix/master.cf

[...]
amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_bind_address=127.0.0.1

Then restart Postfix:

/etc/init.d/postfix restart

Now run

netstat -tap

and you should see Postfix (master) listening on port 25 (smtp) and 10025, and amavisd-new on port 10024:

root@server1:/usr/local/sbin# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.localdo:10024 *:* LISTEN 16043/amavisd (mast
tcp 0 0 localhost.localdo:10025 *:* LISTEN 15794/master
tcp 0 0 localhost.localdo:mysql *:* LISTEN 4783/mysqld
tcp 0 0 *:smtp *:* LISTEN 15794/master
tcp6 0 0 *:imaps *:* LISTEN 13452/couriertcpd
tcp6 0 0 *:pop3s *:* LISTEN 13517/couriertcpd
tcp6 0 0 *:pop3 *:* LISTEN 13480/couriertcpd
tcp6 0 0 *:imap2 *:* LISTEN 13412/couriertcpd
tcp6 0 0 *:www *:* LISTEN 4489/apache2
tcp6 0 0 *:ssh *:* LISTEN 3193/sshd

10 Install Razor, Pyzor And DCC And Configure SpamAssassin

Razor, Pyzor and DCC are spamfilters that use a collaborative filtering network. To install them, run

apt-get install razor pyzor dcc-client

Now we have to tell SpamAssassin to use these three programs. Edit /etc/spamassassin/local.cf and add the following lines to it:

vi /etc/spamassassin/local.cf

[...]

# dcc
use_dcc 1
dcc_path /usr/bin/dccproc
dcc_add_header 1
dcc_dccifd_path /usr/sbin/dccifd

#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_add_header 1

#razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

Restart amavisd-new afterwards:

/etc/init.d/amavis restart

11 Quota Exceedance Notifications

If you want to get notifications about all the email accounts that are over quota, then do this:

cd /usr/local/sbin/
wget http://puuhis.net/vhcs/quota.txt
mv quota.txt quota_notify
chmod 755 quota_notify

Open /usr/local/sbin/quota_notify and edit the variables at the top. Further down in the file (towards the end) there are two lines where you should add a % sign:

vi /usr/local/sbin/quota_notify

[...]
my $POSTFIX_CF = "/etc/postfix/main.cf";
my $MAILPROG = "/usr/sbin/sendmail -t";
my $WARNPERCENT = 80;
my @POSTMASTERS = ('postmaster@yourdomain.tld');
my $CONAME = 'My Company';
my $COADDR = 'postmaster@yourdomain.tld';
my $SUADDR = 'postmaster@yourdomain.tld';
my $MAIL_REPORT = 1;
my $MAIL_WARNING = 1;
[...]
           print "Subject: WARNING: Your mailbox is $lusers{$luser}% full.n";
[...]
           print "Your mailbox: $luser is $lusers{$luser}% full.nn";
[...]

Run

crontab -e

to create a cron job for that script:

0 0 * * * /usr/local/sbin/quota_notify &> /dev/null

(Note (a little off-topic): on Ubuntu crontab -e will automatically open the editor nano. If you are used to working with the editor vi (like me), run the following commands:

rm -f /etc/alternatives/editor
ln -s /usr/bin/vi /etc/alternatives/editor

Afterwards, run crontab -e, and vi will come up.)

12 Test Postfix

To see if Postfix is ready for SMTP-AUTH and TLS, run

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine:

root@server1:/usr/local/sbin# telnet localhost 25
Trying 127.0.0.1…
Connected to localhost.localdomain.
Escape character is ‘^]’.
220 server1.example.com ESMTP Postfix (Ubuntu)
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@server1:/usr/local/sbin#

Type

quit

to return to the system shell.

13 Populate The Database And Test

To populate the database you can use the MySQL shell:

mysql -u root -p
USE mail;

At least you have to create entries in the tables domains and users:

INSERT INTO `domains` (`domain`) VALUES (‘example.com’);
INSERT INTO `users` (`email`, `password`, `quota`) VALUES (’sales@example.com’, ENCRYPT(’secret’), 10485760);

(Please take care you use the ENCRYPT syntax in the second INSERT statement in order to encrypt the password!)

If you want to make entries in the other two tables, that would look like this:

INSERT INTO `forwardings` (`source`, `destination`) VALUES (‘info@example.com’, ’sales@example.com’);
INSERT INTO `transport` (`domain`, `transport`) VALUES (‘example.com’, ’smtp:mail.example.com’);

To leave the MySQL shell, type

quit;

For most people it is easier if they have a graphical front-end to MySQL; therefore you can also use phpMyAdmin (in this example under http://192.168.0.100/phpmyadmin/ or http://server1.example.com/phpmyadmin/) to administrate the mail database. Again, when you create a user, go sure that you use the ENCRYPT function to encrypt the password:

I do not think I have to explain the domains and users table further.

The forwardings table can have entries like the following:

The transport table can have entries like these:

See

man transport

for more details.

Please keep in mind that the order of entries in the transport table is important! The entries will be followed from the top to the bottom.

Important: Postfix uses a caching mechanism for the transports, therefore it might take a while until you changes in the transport table take effect. If you want them to take effect immediately, run

postfix reload

after you have made your changes in the transport table.

14 References

• Tutorial: ISP-style Email Service with Debian-Sarge and Postfix 2.1: http://workaround.org/articles/ispmail-sarge/
• Postfix + Quota: http://vhcs.net/new/modules/newbb/viewtopic.php?topic_id=3496&forum=17
• Mail Passwords Encrypted using saslauthd: http://www.syscp.de/docs/public/contrib/cryptedmailpws

15 Links

• Postfix MTA: http://www.postfix.org/
• Postfix Quota Patch: http://web.onda.com.br/nadal/
• phpMyAdmin: http://www.phpmyadmin.net/
• Ubuntu: http://www.ubuntu.com/

• Virtuelle Benutzer und Domains mit Postfix, Courier und MySQL (Ubuntu 6.10 Edgy Eft) - Seite 1
• Virtuelle Benutzer und Domains mit Postfix, Courier und MySQL (Ubuntu 6.10 Edgy Eft) - Seite 2

Dieses Howto wurde veröffentlicht am 25.07.2008 um 10:46 am in der Kategorie Anleitungen, Email, Linux, Postfix, Ubuntu. Kommentare sind auch als RSS 2.0 Feed verfügbar. Es kann ein Kommentar, oder Trackback hinterlassen werden.