Mail Server
From charlesreid1
This page documents my adventure in setting up a working Postfix mail server that resides on my home server.
Installing
One of my goals was to get a mail server working so that I could send out emails through MediaWiki. In order to get this all working, I had to install several pieces of software.
Postfix
I used the following website to help me get Postfix and Dovecot installed: http://www.mysql-apache-php.com/#mailserver
I installed Postfix with apt-get:
$ apt-get install postfix postfix-tls
At the time, postfix-tls was a separate package that patched TLS support into Postfix. On current Debian and Ubuntu releases TLS is compiled into the postfix package itself and postfix-tls no longer exists, so installing postfix alone is enough. TLS (Transport Layer Security) is the standardised successor to SSL, not a sub-protocol of it, and Postfix uses it to encrypt SMTP sessions (see http://www.postfix.org/TLS_README.html).
Next, I needed to install SASL (Simple Authentication and Security Layer), the framework Postfix uses to authenticate clients (see http://www.postfix.org/SASL_README.html):
$ aptitude search sasl
$ apt-get install sasl2-bin libsasl2-2 libsasl2-modules libsasl2-dev
The website referenced above also installs popa3d, a small POP3 daemon written with security as its first goal:
$ apt-get install popa3d
Note that popa3d and Dovecot's POP3 service (installed below) both want to listen on port 110, so run only one of them; with Dovecot handling both POP3 and IMAP, popa3d is redundant.
The Postfix configuration file is /etc/postfix/main.cf (or under your installation prefix if you built from source). To restart Postfix after changing it, run
$ /etc/init.d/postfix restart
or the equivalent for your distribution (systemctl restart postfix on systemd-based systems); different distributions put the init script in different places.
Dovecot
I installed Dovecot, which is a POP3 and IMAP server. Postfix handles mail transfer and delivers each message into the user's mailbox; Dovecot serves that mailbox to clients over POP3 and IMAP.
A really slick way to use this is to set up Gmail to fetch mail from your POP3 or IMAP server, so mail for your domain is delivered straight to your Gmail inbox. Gmail can also be configured to send mail from your domain address.
$ apt-get install dovecot-common dovecot-imapd dovecot-pop3d dovecot-dev
Next, if you want to edit the Dovecot configuration file, it's located at /etc/dovecot/dovecot.conf. I changed/added the following lines:
# specify protocols = imap imaps pop3 pop3s
protocols = pop3 imap
# uncomment this and change to no.
disable_plaintext_auth = no
pop3_uidl_format = %08Xu%08Xv
Two caveats on the block above. With disable_plaintext_auth = no, Dovecot accepts a password sent over an unencrypted POP3 or IMAP connection, so anyone on the network path can read it; only do this if clients connect over TLS (imaps/pop3s) or from localhost, and otherwise leave it at yes. The syntax here is Dovecot 1.x; Dovecot 2.x moved authentication settings into conf.d/10-auth.conf and dropped the imaps/pop3s protocol names in favour of an ssl setting. Finally, to restart Dovecot, run
$ /etc/init.d/dovecot restart
SASL Authentication + TLS
Requiring users to authenticate before the server will relay their mail is what keeps a mail server from being used as an open relay by spammers; TLS keeps those credentials (and the mail itself) off the wire in cleartext.
The first step is to set up SMTP authentication (using SASL) with Postfix and Dovecot.
In the file /etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = yourdomain.com
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
In that restriction list, permit_mynetworks lets hosts inside mynetworks relay without authenticating, permit_sasl_authenticated lets any client that has authenticated relay, and reject_unauth_destination refuses everything else unless it is addressed to a domain this server accepts mail for. You therefore have to set mynetworks, and keep it tight (127.0.0.0/8 plus, at most, your own LAN): every host inside it is a trusted relay client. noanonymous by itself still allows the PLAIN and LOGIN mechanisms on an unencrypted connection; adding noplaintext to smtpd_sasl_security_options while leaving smtpd_sasl_tls_security_options = noanonymous restricts password-sending mechanisms to TLS sessions.
In the file /etc/dovecot/dovecot.conf:
First, rename the line starting with "auth default" to "auth default2".
Before that line, put this block:
auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
Because the socket path above lives under Postfix's chroot (/var/spool/postfix), Postfix 2.3 and later also need smtpd_sasl_type = dovecot and smtpd_sasl_path = private/auth in main.cf to use Dovecot as the SASL backend; when Postfix talks to Dovecot this way, saslauthd is not involved and the first restart below can be skipped. Now restart the SASL authentication daemon (if you use it), Postfix, and Dovecot, as root:
$ /etc/init.d/saslauthd restart
$ /etc/init.d/postfix restart
$ /etc/init.d/dovecot restart
Also remember to open port 25 (plus 587 if you accept submissions there, and 110/143 or 995/993 if remote clients will reach Dovecot) in your firewall. And if you don't have a firewall, get one.
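What a plaintext login actually looks like on the wire, as an added example (not code from this page, Postfix or Dovecot): with Dovecot's disable_plaintext_auth = no above, or Postfix's smtpd_sasl_security_options = noanonymous without noplaintext, a client may send PLAIN or LOGIN credentials before STARTTLS, and anyone who can capture the TCP stream gets the password back with one base64 decode. The script builds a PLAIN token the way a client does, then walks a constructed capture of three submission sessions (hostnames, users and passwords are invented) and recovers every credential that crossed the network unencrypted; the third session negotiated STARTTLS first and yields nothing.

```python
import base64

# Constructed capture of three SMTP submission sessions as a passive observer
# on the network path would see them ("S:" server, "C:" client). Only the
# third client issued STARTTLS before AUTH; everything after the server's 220
# reply there is ciphertext, so the capture stops. Names and secrets invented.
SAMPLE_CAPTURE = """\
S: 220 mail.example.org ESMTP Postfix
C: EHLO laptop.example.org
S: 250-mail.example.org
S: 250-STARTTLS
S: 250-AUTH PLAIN LOGIN
S: 250 8BITMIME
C: AUTH PLAIN AGFsaWNlAHMzY3IzdA==
S: 235 2.7.0 Authentication successful
C: QUIT
S: 221 2.0.0 Bye
S: 220 mail.example.org ESMTP Postfix
C: EHLO laptop.example.org
S: 250-mail.example.org
S: 250-STARTTLS
S: 250-AUTH PLAIN LOGIN
S: 250 8BITMIME
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: Ym9i
S: 334 UGFzc3dvcmQ6
C: aHVudGVyMg==
S: 235 2.7.0 Authentication successful
C: QUIT
S: 221 2.0.0 Bye
S: 220 mail.example.org ESMTP Postfix
C: EHLO laptop.example.org
S: 250-mail.example.org
S: 250-STARTTLS
S: 250-AUTH PLAIN LOGIN
S: 250 8BITMIME
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
"""


def auth_plain_token(user, password, authzid=""):
    """The SASL PLAIN token a client sends: base64(authzid NUL authcid NUL password)."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, user, password))
    return base64.b64encode(raw).decode("ascii")


def _b64(text):
    return base64.b64decode(text.strip()).decode("utf-8", "replace")


def _decode_plain(token):
    fields = _b64(token).split("\0")
    if len(fields) != 3:
        return ("PLAIN", None, None)     # malformed token, still worth reporting
    return ("PLAIN", fields[1], fields[2])


def recover_cleartext_credentials(capture):
    """Walk a captured SMTP dialogue and return (mechanism, user, password) for
    every AUTH that happened before, or without, a successful STARTTLS."""
    findings = []
    encrypted = False   # True once the server has accepted STARTTLS
    pending = None      # meaning of the next client line while mid-exchange
    login_user = None
    for raw in capture.splitlines():
        side, _, line = raw.partition(": ")
        if side == "S":
            if pending == "starttls":
                encrypted = line.startswith("220")   # 4xx/5xx: still in the clear
                pending = None
            elif line.startswith("220 ") and "ESMTP" in line:
                encrypted, pending = False, None     # banner of a new session
            continue
        if side != "C" or encrypted:
            continue
        parts = line.split(None, 2)
        command = " ".join(parts[:2]).upper()
        if command == "STARTTLS":
            pending = "starttls"
        elif command == "AUTH PLAIN":
            if len(parts) == 3:                      # initial response on the AUTH line
                findings.append(_decode_plain(parts[2]))
            else:
                pending = "plain"                    # token follows the 334 challenge
        elif command == "AUTH LOGIN":
            if len(parts) == 3:
                login_user, pending = _b64(parts[2]), "login-pass"
            else:
                pending = "login-user"
        elif pending == "plain":
            findings.append(_decode_plain(line))
            pending = None
        elif pending == "login-user":
            login_user, pending = _b64(line), "login-pass"
        elif pending == "login-pass":
            findings.append(("LOGIN", login_user, _b64(line)))
            pending = None
    return findings


if __name__ == "__main__":
    for mechanism, user, password in recover_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"{mechanism}: {user} / {password} sent in the clear")
```

Run it as a script to print the findings, or feed it a real dialogue (the client and server lines of a packet capture with the "S: "/"C: " prefixes added) after enabling noplaintext on your own server: if anything comes back, a client is still authenticating in the clear.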
PHP Pear
Pear is a way of extending the functionality of PHP. In my case, I had to install a Pear module named Mail in order to get MediaWiki's mail functionality working. The Mail module depends on a couple of other modules. I ran the following commands to install these:
$ pear install Net_Socket
$ pear install Auth_SASL
$ pear install Net_SMTP
$ pear install Mail
This was using my installed-from-source version of PHP, which was already on my $PATH. You can also install PHP and Pear with a package manager, e.g. apt-get install php-pear on Debian and Ubuntu (which pulls in PHP and the pear command), or yum on Red Hat-derived systems.
If your SMTP server requires authentication (as configured above), MediaWiki needs the username and password. Rather than editing the Pear library itself (its smtp.php lives at /path/to/php/lib/php/Mail/smtp.php, and a later pear upgrade would overwrite your change), pass the credentials through MediaWiki's $wgSMTP array in LocalSettings.php (host, port, auth, username, password), which MediaWiki hands to Mail::factory.
Finally, I had to add this to my php.ini file:
; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
sendmail_path = /usr/sbin/sendmail
MediaWiki
You can find mail-related notification settings for LocalSettings.php here: http://www.mediawiki.org/wiki/Manual:Configuration_settings#Email_settings
You can get an extension that requires new users to be confirmed after registering, to prevent random people from creating accounts and vandalizing your wiki: http://www.mediawiki.org/wiki/Extension:ConfirmAccount
Mailman
GNU Mailman is a program for creating and managing mailing lists. I set this up to work with my mail server. Instructions are at the Mailman page.
Relaying Through Gmail
One of the biggest issues with setting up your own mail server is that anyone can do it. That's nice, but also not so nice: it means it's easy for spammers to set up their own mail server and spam the world. So most large providers (Gmail, Yahoo Mail, etc.) reject or junk mail from residential or otherwise blacklisted IP ranges, and you'll have a very hard time emailing your buddies at Yahoo and Gmail.
The way around this is to tie your mail server to a Gmail account: Postfix authenticates to Gmail's submission service (smtp.gmail.com, port 587) and hands it all outbound mail, so your messages leave from Google's servers rather than your home IP.
I followed this guide: http://souptonuts.sourceforge.net/postfix_tutorial.html
(Except I installed everything through a package manager rather than building everything from source, meaning I skipped to step 3)
And also this guide: http://prantran.blogspot.com/2007/01/getting-postfix-to-work-on-ubuntu-with.html
(This guy is going for the same setup that I am going for)
SSL Certificate
Step one is to create an SSL certificate. The souptonuts guide does this with openssl: it creates a private certificate authority (CA) and then issues a server certificate signed by that CA's key. This certificate is Postfix's own identity, presented to clients that connect to it; it plays no part in verifying Gmail's certificate later.
Once you've created your certificates, copy the CA certificate, the server's private key, and the server certificate (signed by the CA, not by the server key) to a location Postfix can read:
$ cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix
You will also need to tighten the permissions so that no one else can read the private key (the certificates are public and may stay world-readable):
$ chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
$ chmod 400 /etc/postfix/FOO-key.pem
Postfix User/Group
If you built Postfix from source (as the souptonuts guide does), create the unprivileged postfix user and the postdrop group it expects. Debian and Ubuntu packages create both for you, which you can confirm with getent passwd postfix and getent group postdrop:
$ useradd -M -s /usr/sbin/nologin postfix
$ groupadd postdrop
Transport and SASL and Generic Files
Create a transport file that routes outbound mail through another SMTP server (Gmail's submission server). The square brackets tell Postfix to connect to that host directly instead of looking up its MX records. With relayhost set in main.cf below, this catch-all entry is redundant, but it gives you a place to route particular domains elsewhere later:
# File /etc/postfix/transport
# When done editing, run
# postmap transport
#
# This sends mail to Gmail
* smtp:[smtp.gmail.com]:587
Next, set the Gmail username and password that Postfix will present to smtp.gmail.com. Google no longer accepts an account's ordinary password from SMTP clients: turn on 2-Step Verification on the account and generate an App Password for Postfix to use here:
# Contents of /etc/postfix/sasl_passwd
# When done editing, run
# postmap sasl_passwd
#
[smtp.gmail.com]:587 your_username@gmail.com:password
postmap compiles each text file into an indexed .db lookup table. Postfix reads the .db, not the text, so re-run postmap after every edit.
Because sasl_passwd holds a credential in cleartext, both it and its .db (the glob covers both) must be readable only by root and the postfix group:
$ chown root.postfix sasl_passwd*
$ chmod 0640 sasl_passwd*
You can also use a "generic" map to rewrite a local address to a Gmail address in outgoing mail (envelope sender and headers), so that internal addresses such as user@localhost do not leak out and Gmail recognises the sender. Gmail will replace the From address with the relaying account's own address anyway unless that address is registered under "Send mail as" in the account. For example, the file /etc/postfix/generic might contain:
your_username@yourdomain.com your_gmail_username@gmail.com
and postmap builds the indexed version:
$ postmap /etc/postfix/generic
Main.cf
I was then able to copy, with little modification, the block for main.cf from the guide into my own main.cf. Two things to watch: it sets smtpd_sasl_auth_enable = no, which switches off the inbound SMTP authentication configured in the SASL section above, so set it back to yes if your own clients (or MediaWiki over TCP) still authenticate to this server; and smtp_use_tls / smtpd_use_tls are pre-2.3 parameter names, which current Postfix still honours but reports as obsolete in favour of smtp_tls_security_level and smtpd_tls_security_level.
## Add these lines to the bottom of main.cf
##
##
## TLS Settings
#
# For no logs set = 0
smtp_tls_loglevel = 1
#
# smtp_enforce_tls = yes
# Above is commented because doing it site by site below
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
#
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/FOO-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
## SASL Settings
# This is going in to THIS server
smtpd_sasl_auth_enable = no
# We need this
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd
## Gmail Relay
relayhost = [smtp.gmail.com]:587
## Good for Testing
# sender_bcc_maps = hash:/etc/postfix/bcc_table
# Disable DNS Lookups
disable_dns_lookups = yes
#
# Great New feature Address Mapping
# for example make someone@localhost to someone@gmail.com
smtp_generic_maps = hash:/etc/postfix/generic
#
#
transport_maps = hash:/etc/postfix/transport
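A small audit of the relay tables, as an added example (not from this page or from Postfix): two of the most common failures with this setup are a table that was edited but never re-run through postmap (Postfix keeps serving the old .db) and a sasl_passwd that was hashed but left world-readable after the Gmail password went into it. The code parses main.cf the way postconf does (column-0 comments, continuation lines, $var and ${var} expansion), finds every hash: or btree: table named by the relay parameters, and reports missing, uncompiled, stale and world-readable files. It does not call postconf or postmap, and it checks only mode bits, not root:postfix ownership, because demo() builds its sample /etc/postfix in a temporary directory; the file contents, names and finding messages are constructed for the example.

```python
import os
import re
import stat
import tempfile

_VAR = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")
_TABLE = re.compile(r"\b(hash|btree):([^\s,]+)")

# Parameters from the relay block that name postmap-compiled tables.
TABLE_PARAMS = ("smtp_sasl_password_maps", "smtp_generic_maps",
                "transport_maps", "smtp_tls_per_site", "sender_bcc_maps")
# Tables whose contents are secrets and must never be world-readable.
SECRET_PARAMS = ("smtp_sasl_password_maps",)


def parse_main_cf(text):
    """Parse main.cf: 'name = value', '#' comments at column 0,
    and continuation lines that begin with whitespace."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params


def expand(params, name, depth=0):
    """Resolve $var and ${var} references the way postconf -x would."""
    value = params.get(name, "")
    if depth > 16:
        return value
    return _VAR.sub(lambda m: expand(params, m.group(1), depth + 1), value)


def audit_tables(main_cf_text):
    """Return (parameter, file, problem) triples for every indexed table that
    is missing, never compiled, edited after its last postmap run, or, for
    credential tables, readable by everyone on the box."""
    params = parse_main_cf(main_cf_text)
    findings = []
    for param in TABLE_PARAMS:
        for _kind, src in _TABLE.findall(expand(params, param)):
            if not os.path.exists(src):
                findings.append((param, os.path.basename(src), "source file missing"))
                continue
            db = src + ".db"
            if not os.path.exists(db):
                findings.append((param, os.path.basename(src), "no .db file: run postmap"))
            elif os.path.getmtime(db) < os.path.getmtime(src):
                findings.append((param, os.path.basename(src), "edited after postmap: re-run postmap"))
            if param in SECRET_PARAMS:
                for path in (src, db):
                    if os.path.exists(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o007:
                        findings.append((param, os.path.basename(path), "world-readable secret"))
    return findings


def demo():
    """Build a constructed stand-in for /etc/postfix containing three of the
    mistakes described on this page, then audit it."""
    root = tempfile.mkdtemp(prefix="postfix-audit-")

    def put(name, content, mode, mtime):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))
        return path

    # sasl_passwd was hashed, but nobody ran chmod 0640 afterwards
    put("sasl_passwd", "[smtp.gmail.com]:587 you@gmail.com:app-password\n", 0o644, 1000)
    put("sasl_passwd.db", "", 0o644, 1001)
    # generic was edited after postmap: Postfix still serves the old .db
    put("generic", "you@yourdomain.com you@gmail.com\n", 0o644, 2000)
    put("generic.db", "", 0o644, 1000)
    # transport was written but never compiled at all
    put("transport", "* smtp:[smtp.gmail.com]:587\n", 0o644, 1000)

    main_cf = "\n".join([
        "# relay block, with table paths pointing into the sample tree",
        "config_directory = " + root,
        "smtp_sasl_password_maps = hash:$config_directory/sasl_passwd",
        "smtp_generic_maps = hash:${config_directory}/generic",
        "transport_maps =",
        "    hash:$config_directory/transport",
        "relayhost = [smtp.gmail.com]:587",
    ])
    return audit_tables(main_cf)


if __name__ == "__main__":
    for param, name, problem in demo():
        print(f"{param}: {name}: {problem}")
```

On a real server, run audit_tables on the contents of /etc/postfix/main.cf as root after the chown/chmod steps above, and add the ownership check (st_uid of root and st_gid of the postfix group) that the temporary-directory demo cannot exercise.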
Verifying It's Gmail
To make sure you are setting up an encrypted session with Gmail itself and not with a man-in-the-middle, use the file /etc/postfix/tls_per_site to demand certificate verification for that host:
# Contents of /etc/postfix/tls_per_site
# After changes run:
# postmap /etc/postfix/tls_per_site
smtp.gmail.com MUST
no-certificate-needed.com MAY
(As before, this file must be compiled with postmap.) MUST means mandatory TLS with verification of the server certificate and its host name, and that verification trusts only the CAs in smtp_tls_CAfile / smtp_tls_CApath. With smtp_tls_CAfile pointing at your own cacert.pem, as in the main.cf block above, Gmail's certificate (issued by a public CA) fails verification and every delivery to Gmail is deferred; that is the policy doing its job, but not what you want. Add smtp_tls_CApath = /etc/ssl/certs, or point smtp_tls_CAfile at the system bundle (/etc/ssl/certs/ca-certificates.crt on Debian), so the public roots are trusted, then check the mail log for "Verified TLS connection established to smtp.gmail.com". On Postfix 2.3 and later, smtp_tls_per_site is superseded by smtp_tls_policy_maps, where the same effect comes from a verify or secure entry for smtp.gmail.com.
Using a Mail Backup Server
I forgot what I meant to put here.
Using Local Domains From Gmail
This would be, for example, if I wanted to use an email address with @mydomain.com.
(Repeat above, but use GApps email addresses instead of Gmail addresses)
References
http://www.macos.utah.edu/documentation/system_utilities/superduper_diskutil_and_log_script.html
http://www.mediawiki.org/wiki/Manual:Configuration_settings#Email_settings
http://chris.brandlehner.at/Brandlehner/cab_blog.nsf/d6plinks/DOMO-6KJH4T
http://www.mysql-apache-php.com/#mailserver
http://souptonuts.sourceforge.net/postfix_tutorial.html
http://prantran.blogspot.com/2007/01/getting-postfix-to-work-on-ubuntu-with.html
http://www.google.com/support/forum/p/Google%20Apps/thread?tid=0cce162b213f7e66&hl=en
http://blog.sethladd.com/2007/08/using-gmail-to-relay-email.html
http://www.linuxquestions.org/questions/linux-software-2/postfix-cannot-send-e-mail-186776/
http://www.postfix.org/postconf.5.html
http://en.gentoo-wiki.com/wiki/Mailman_with_Postfix_and_Dovecot