  #1  
Old 20th August 2009, 04:38 AM
barry905 Offline
Mail Server for Fedora Directory Server domain

Having created a local domain using Linux and Fedora Directory Server as the Domain Controller (see http://forums.fedoraforum.org/showthread.php?t=183837), the time has come to document how I added the mail server.

The first step was to install a fresh copy of the Operating System. As this is a server, I did not want/need the leading edge capabilities of Fedora 11 but a stable, non-changing environment. I also wanted to stay within the Red Hat environment, to keep some commonality with the rest of my network. This led me to select Centos as the OS, and I used the latest version, 5.3. This was to be configured to be part of my domain so that it could get/verify user information from the Fedora Directory Server on the domain controller.

For the mail server applications, I went with Dovecot as the mailserver (IMAP and POP3 server), and Postfix as the Mail Transport Agent (MTA). I selected SquirrelMail to provide a web based mail interface, and clamav and spamassassin for virus and spam checking capability, both of which were accessed through amavisd.

So how to do it. Start with a clean install of Centos. I just picked the minimum of options from the configuration menus so that I ended up with a fairly light OS. At this point I also installed the postfix, dovecot, spamassassin and squirrelmail applications. To avoid complications with the security components I did not enable the firewall or SELinux capabilities.

Once the installation was completed I added the server to my domain by configuring samba to use the LDAP server for user information and to use winbind for connectivity. This I did by running the Authentication Configuration (menu Administration > Authentication) and enabling and configuring Winbind, SMB and LDAP. As I do not want users to be able to logon to the server I did not perform the other steps (see reference above). Next I actually joined the domain and tested to make sure that everything was set up correctly. I did this with:

$ net join
$ wbinfo -t
$ net rpc testjoin
$ wbinfo -t
$ wbinfo -u

I then edited /etc/samba/smb.conf to be the following:

#======================= Global Settings =====================================

[global]
#--authconfig--start-line--

# Generated by authconfig on 2009/03/07 02:20:25
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = home
password server = seagoon
security = domain
idmap uid = 15000-20000
idmap gid = 15000-20000
template shell = /bin/false
winbind use default domain = true
winbind offline logon = false

#--authconfig--end-line--

server string = server minnie
netbios name = minnie

interfaces = lo eth0 192.168.1.6/24
hosts allow = 127. 192.168.1.
log file = /var/log/samba/%m.log
max log size = 50
encrypt passwords = yes
wins server = 192.168.1.2

local master = no
domain master = no
domain logons = no

os level = 33
preferred master = no
case sensitive = no
dns proxy = yes

# Winbind options

winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

load printers = yes
cups options = raw


#============================ Share Definitions ==============================

Now I edited the services to start the SMB service at boot time, and then rebooted the server just to check that everything was working correctly.

Upon restart I rechecked to make sure that my domain membership was still working with:

$ wbinfo -t
$ net rpc testjoin
$ wbinfo -t
$ wbinfo -u


Next I added the rpm fusion repository to enable access to the software I needed. To do this I downloaded the rpm packages needed and then installed them:

$ rpm -i epel-release-5-2.noarch.rpm
$ rpm -i rpmfusion-free-release-5-0.1.noarch.rpm

Having done this I installed the rest of the software packages using the "Add/Remove Software" utility. I used the "search" tab and added amavisd, which also installed (most of) clamav as dependencies. Finally I installed the remaining parts of clamav (the updater and user utilities).

Now I configured dovecot by editing the configuration file (/etc/dovecot.conf) to be:

## Dovecot configuration file

# Base directory where to store runtime data.
base_dir = /var/run/dovecot/

# Protocols we want to be serving: imap imaps pop3 pop3s
protocols = imap pop3

# IP or host address where to listen in for connections. It
protocol imap {
listen = *:10143
ssl_listen = *:10943
}
protocol pop3 {
listen = *:10100
}
listen = *

# Disable LOGIN command and all other plaintext authentications
disable_plaintext_auth = no

## Login processes

login_dir = /var/run/dovecot/login
login_chroot = yes
login_user = dovecot
login_process_size = 64
login_process_per_connection = yes
login_processes_count = 3
login_max_processes_count = 128
login_max_connections = 256
login_greeting = Dovecot ready.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
login_log_format = %$: %s

## Mailbox locations and namespaces

# Location for users' mailboxes.
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u

# Allow full filesystem access to clients.
mail_full_filesystem_access = no

## Mail processes

# Enable mail process debugging.
mail_debug = no

# Log prefix for mail processes.
mail_log_prefix = "%Us(%u): "

# Max. number of lines a mail process is allowed to log per second
mail_log_max_lines_per_sec = 10

# Don't use mmap() at all.
mmap_disable = no

# Don't write() to mmaped files.
#mmap_no_write = no

# Don't use fsync() or fdatasync() calls.
fsync_disable = no

# Drop all privileges before exec()ing the mail process.
mail_drop_priv_before_exec = no

# Valid UID range for users.
first_valid_uid = 500
last_valid_uid = 0

# Valid GID range for users, defaults to non-root/wheel.
first_valid_gid = 1
last_valid_gid = 0

# Maximum number of running mail processes.
max_mail_processes = 1024

# Set max. process size in megabytes.
mail_process_size = 256

# Maximum allowed length for mail keyword name.
mail_max_keyword_length = 50

## IMAP specific settings
##

protocol imap {
# Login executable location.
}

## POP3 specific settings

protocol pop3 {
# Login executable location.
login_executable = /usr/libexec/dovecot/pop3-login

# POP3 executable location.
mail_executable = /usr/libexec/dovecot/pop3

# Don't try to set mails non-recent or seen with POP3 sessions.
pop3_no_flag_updates = no

# Support LAST command which exists in old POP3 specs,
pop3_enable_last = no

# If mail has X-UIDL header, use it as the mail's UIDL.
pop3_reuse_xuidl = no

# Keep the mailbox locked for the entire POP3 session.
pop3_lock_session = no

# POP3 UIDL (unique mail identifier) format to use.
pop3_uidl_format = %08Xu%08Xv

# Workarounds for various client bugs:
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}

## LDA specific settings

protocol lda {
# Address to use when sending rejection mails.
postmaster_address = postmaster@minnie.home
}

## Authentication processes

auth default {
# Space separated list of wanted authentication mechanisms:
mechanisms = plain

passdb pam {
}
# LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
#passdb ldap {
# Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
#args =
#}

userdb passwd {
}

# LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
#userdb ldap {
# Path for LDAP configuration file, see doc/dovecot-ldap-example.conf
#args =
#}

# User to use for the process.
user = root

}

## Dictionary server settings

# Dictionary can be used by some plugins to store key=value lists.

dict {
}

## Plugin settings

plugin {
}

Last edited by barry905; 20th August 2009 at 04:44 AM.
  #2  
Old 20th August 2009, 04:40 AM
barry905 Offline
Then I configured postfix by editing the postfix configuration files in /etc/postfix to be:

main.cf

# SOFT BOUNCE
#
#soft_bounce = no

# LOCAL PATHNAME INFORMATION
#
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix

# QUEUE AND PROCESS OWNERSHIP
#
mail_owner = postfix
#default_privs = nobody

# INTERNET HOST AND DOMAIN NAMES
#
myhostname = minnie.home
mydomain = home

# SENDING MAIL
#
myorigin = $myhostname

# RECEIVING MAIL

inet_interfaces = $myhostname, localhost
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
unknown_local_recipient_reject_code = 550

# TRUST AND RELAY CONTROL
#
#mynetworks_style = host
#relay_domains = $mydestination

# INTERNET OR INTRANET

#relayhost = $mydomain

# REJECTING UNKNOWN RELAY USERS
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients

# INPUT RATE CONTROL
#
#in_flow_delay = 1s

# ALIAS DATABASE
#
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# ADDRESS EXTENSIONS (e.g., user+foo)
#
#recipient_delimiter = +

# DELIVERY TO MAILBOX
#
#home_mailbox = Mailbox
mail_spool_directory = /var/spool/mail

# JUNK MAIL CONTROLS
#
#header_checks = regexp:/etc/postfix/header_checks

# FAST ETRN SERVICE
#
#fast_flush_domains = $relay_domains

# SHOW SOFTWARE VERSION OR NOT
#
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

# PARALLEL DELIVERY TO THE SAME DESTINATION
#
# How many parallel deliveries to the same user or domain? With local
#default_destination_concurrency_limit = 20

# DEBUGGING CONTROL
#
debug_peer_level = 2
#debug_peer_list = 127.0.0.1

debugger_command =
  PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
  xxgdb $daemon_directory/$process_name $process_id & sleep 5

# INSTALL-TIME CONFIGURATION INFORMATION
#
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
#content_filter = smtp-amavis:[127.0.0.1]:10024

and master.cf:

#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
  -o fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix - n n - - pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
cyrus unix - n n - - pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
smtp-amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Now we need to configure the system to use postfix rather than sendmail, so select the sendmail.postfix option using:

$ alternatives --config mta

And now stop the sendmail service (to avoid confusion) and start the postfix and dovecot services and test the postfix configuration:

$ service sendmail stop
$ service postfix start
$ service dovecot start
$ postfix check
$ echo hello | mail root
$ echo hello | mail ~non-root-user~

The "postfix check" command hopefully will return no errors (i.e. nothing at all), and you can check for mail delivery simply by using the "mail" command.

Now for SquirrelMail. All you have to do is to enable world write permission for the user home directories and start the apache server with:

$ chmod 777 /home
$ service httpd start

and that's done. Test this by running your favourite browser and typing "http://localhost/webmail/". That should get you the SquirrelMail login page. Just login as your non-root user and check that you have a message (from above).

To clean up this section edit the services configuration to start postfix, dovecot and httpd on system startup and then reboot and retest.

So now we have a working mail server. The only problem is that we are not checking for spam and viruses. So let's do that now. First of all we will configure amavisd-new. All this takes is a quick edit to the /etc/amavisd/amavisd.conf file to set the lines

$mydomain = 'home';
$myhostname = 'minnie.home';

to their appropriate values. We also need to configure freshclam (the clamav update program) to automatically update the virus definition files. This we do by commenting out the line

FRESHCLAM_DELAY=disabled-warn # REMOVE ME

in the file /etc/sysconfig/freshclam. Also /etc/freshclam.conf needs to have the line

Example

commented out. The final step is to edit the last line in /etc/postfix/main.cf to remove the comment # and enable content filtering. This line is now:

content_filter = smtp-amavis:[127.0.0.1]:10024

and restart postfix. The Spamassassin configuration file should become:

# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_hits 5
report_safe 1
use_bayes 1
bayes_auto_learn 1
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1
whitelist_from *@example.com
rewrite_header Subject [SPAM]


Finally start the requisite services (amavisd, clamd.amavisd) and edit crontab to run freshclam hourly. Now you are good to go.

Good luck!!!!

Last edited by barry905; 20th August 2009 at 04:45 AM.
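
A master.cf listing like the one in this guide is easy to damage when it is pasted through a forum: continuation lines lose their leading whitespace, a long value is wrapped with a space inside it, or an override name is mistyped. The Python check below is an added example, not part of the original post; the KNOWN allowlist (built from the override names used in this guide) and the sample entry are constructed for illustration.

```python
import difflib

# Assumption: the -o names used in this post's master.cf; extend from `postconf -d`.
KNOWN = sorted("""content_filter disable_dns_lookups fallback_relay max_use mynetworks
local_recipient_maps relay_recipient_maps receive_override_options smtpd_delay_reject
smtp_data_done_timeout smtp_send_xforward_command smtpd_client_restrictions
smtpd_client_connection_count_limit smtpd_client_connection_rate_limit
smtpd_data_restrictions smtpd_end_of_data_restrictions smtpd_error_sleep_time
smtpd_hard_error_limit smtpd_helo_restrictions smtpd_recipient_restrictions
smtpd_restriction_classes smtpd_sender_restrictions smtpd_soft_error_limit""".split())

def logical_lines(text):
    entries = []
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            if raw[0].isspace() and entries:  # master(5): leading whitespace continues
                entries[-1] += " " + raw.strip()
            else:
                entries.append(raw.strip())
    return entries

def lint(text):
    # Return (service, kind, detail) findings for damaged -o overrides.
    findings = []
    for entry in logical_lines(text):
        fields = entry.split()
        if len(fields) < 8:  # fewer than the 8 master.cf columns: indentation lost
            findings.append((fields[0], "orphan", entry))
        svc, prev = fields[0], None
        for tok in fields[8:]:
            if prev == "-o":
                name = tok.split("=", 1)[0]
                near = difflib.get_close_matches(name, KNOWN, n=1, cutoff=0.8)
                if name not in KNOWN and near:  # near-miss of a known name
                    findings.append((svc, "misspelt", f"{name} -> {near[0]}"))
                prev = "override"
            elif prev == "override" and not tok.startswith("-"):
                findings.append((svc, "stray", tok))  # whitespace split a value
            else:
                prev = tok
    return findings

# Constructed sample: a misspelt name, a wrapped value, a de-indented -o line.
SAMPLE = """127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_recipient_retrictions=permit_mynetworks,reje ct
-o mynetworks=127.0.0.0/8
"""
print(*lint(SAMPLE), sep="\n")
```

Run it against a copy of /etc/postfix/master.cf by passing the file's text to lint(); an empty list means no damaged overrides were found among the names in the allowlist.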

Tags
domain, fds, mail server
