I wanted to learn how to build a reasonably secure mail system and to understand how the pieces interact in such a setup, so that I can later debug problems that arise with it. Most of the steps can be found in other howtos, but they're scattered across the Internet. I'll be stitching, cutting, upgrading and completing the steps needed to have a full setup with the postfixadmin web interface. You can find the bibliography at the end of the article. I will probably skip over some details if there's already a good howto that explains them well; I'll try to point out those reference materials as I go along, so consult them if there's something you don't understand.
Note: this howto can very well be used with Debian Wheezy. Simply skip the steps about adding . This server will give users control over e-mail redirections and . The whole thing needs to filter out unwanted crap like spam and viruses.
Implementation. In order to give users control over mailboxes and mail aliases, and also over auto-reply messages, we'll install postfixadmin. We'll need to integrate the underlying tools with postfixadmin's database. Since I already have MySQL, Apache 2 and PHP5 in place on the target machine, I won't cover installation of these components. We'll be concentrating on the mail-related software in this howto; the database and webserver setup is left as an exercise. You can easily find documentation about setting up a LAMP server on the Internet. Visualising the message flow.
With e-mail, the way I like to conceptualize things is by imagining the path a message follows over the course of its life: from the sender to the SMTP server, through a series of checks, into storage, and out to the recipient via IMAP. The setup can be made more complex to scale to many more users on larger infrastructures, spreading the pieces across multiple machines. Just always see the whole system as a pipeline through which a message transits. For this howto, we'll keep things relatively simple and install everything on the same machine.
We will be using Milters (mail filters). Milter comes from Sendmail, and is a protocol for filtering mail during or after the SMTP session (reception). Milters usually use a Unix socket file to communicate with the MTA, which is faster than opening TCP connections to localhost. They let your server decide whether it wants to accept a message while it is still being fed to it, in other words before the mail is even queued, so they can spare your system some costly (slow) disk operations.
Postfix is fully capable of delivering mail to users' Maildir storage, but for performance reasons we'll let Dovecot handle final delivery. Dovecot generates an index of messages while storing them to disk, which makes accessing them via IMAP much faster. Let's visualize things a bit. They say a picture is worth a thousand words, so let's use words to draw a picture:
[message-flow diagram; only these fragments survived extraction: spamass-milter <--> SpamAssassin; other MTAs]
We'll start with unauthenticated SMTP and see if mail gets to the local mailboxes, then we'll add Dovecot and see if we can retrieve the stored e-mail, and finally we'll set up authenticated SMTP and see if we can use it to send e-mail abroad. The milters will be kept for the end: this keeps the other steps easier to test because we won't risk having our test messages rejected or delayed. Installing. If you're using wheezy, skip adding squeeze-backports to sources. Also, you won't need to specify any release from which to install packages (everything can just come from wheezy directly). We'll be installing dovecot 2.
However, since it's quite simply a web application that doesn't require specific versions of its dependencies, we can install the package directly on squeeze. So first, we'll want to ensure we can access wheezy packages, but that they don't get upgraded automatically: echo deb http://debian. We'll want to install postfixadmin's dependencies from squeeze, but the package itself from wheezy: apt-get update. Let postfixadmin create its own database during installation; this will make our work easier. Configuring. Priming the database. Since we'd like to be able to test each step of the configuration, we'll need to start by building the database structure and priming it with some data.
This might seem a bit backwards, since our starting point is the web app that will control accounts once everything is set up, but the web app only depends on the presence of the database and the web server to let us play with it (Postfix and Dovecot will use the data from the database once we tell them to). We'll start by modifying the config file to our needs. Let's use the /etc/postfixadmin/config. Here's an example of what you might want to override (declare) in this file: [the example configuration did not survive extraction]
This password will ensure that setup. Enter a password for the setup page and send the form. Then, copy the line that's printed out with your password's hash (it should look like a $CONF line in the example configuration overrides above) and paste it at the end of /etc/postfixadmin/config. Visit setup.php again (reload the page). This time, type in the setup password, then an e-mail address, and enter a password for the new super admin account and send the form. This e-mail address needs to be from a domain that actually exists and not on the server you're setting up, otherwise you'll get the message .
If you really need to use an address from a domain that does not resolve, you can add the line . That account will then have super admin privileges on the data: it can administer all of the domains known to postfix and manage administrator accounts (other accounts that can administer a subset of the domains). Now go to the main postfixadmin page and log in with the super admin you've just created.
Once inside, create a new domain: in the menus, hover over 'Domain List' and click on 'New Domain'. For this howto, I'll create the domain example. Create a new mailbox by hovering over 'Virtual List' and clicking on 'Add Mailbox'. I'll create the mailbox named someone, thus creating the e-mail address someone@example.
Now we should have enough info in the database for testing the next steps. Basic SMTP with virtual domains and mailboxes with Postfix. Create the directory that will hold the mailboxes for the virtual accounts and give it to the mail user, so that Dovecot, our final LDA, can create directories and files in there: mkdir /var/mail/vmail.
Create a read-only user on the postfixadmin database: mysql -p -e . This is because the lookup queries usually taught are buggy! When you disable a domain in postfixadmin you expect that domain to cease working altogether. With simple SELECT statements on the mailbox and alias tables, users can still log in to individual mailboxes and send out e-mail even though the domain has been disabled! So to fix that I use an INNER JOIN on the domain table to check whether the appropriate domain is active or not. With this, when you disable a domain in the web interface, it stops working for real; expect support calls if users were still working with their accounts at that moment. The newly created files contain a database password, so you should tighten permissions so that only the postfix daemon is authorized to read them: chown -R root:postfix /etc/postfix/virtual. With the above permissions you should be fine, but if the postfix daemon logs a bunch of messages like the following in /var/log/mail.
[the log excerpt did not survive extraction] Delivery and retrieval will use a little more CPU with this setting, but e-mail files should take up at most half the disk space. Add the following line to /etc/dovecot/conf. You can either comment out .
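As an added example (not part of the howto; the howto's own .cf files did not survive extraction), here is a POSIX shell script that writes the three Postfix mysql: lookup tables with the INNER JOIN described above, so that a disabled domain takes its mailboxes and aliases down with it, and locks the files to mode 0640 because they carry the database password. The read-only account name postfixadmin_ro, the database name postfixadmin, the file names and the target directory /etc/postfix/virtual are assumptions and can be passed as parameters; the table and column names (domain.active, mailbox.maildir, alias.goto) are PostfixAdmin's schema.

```shell
#!/bin/sh
# Added example, not the howto's own files: generate Postfix "mysql:" lookup
# tables for a PostfixAdmin database. Every mailbox/alias query is joined
# against the domain table, so disabling a domain in the web interface stops
# its mailboxes and aliases at once. Files hold the DB password: mode 0640.
# Assumed names (parameters, not from the original): DB user postfixadmin_ro,
# database postfixadmin, directory /etc/postfix/virtual.

# write_map DIR NAME QUERY DBUSER DBPASS DBNAME -> writes one table file
write_map() {
    dir="$1"; name="$2"; query="$3"; dbuser="$4"; dbpass="$5"; dbname="$6"
    # umask in a subshell so the file is never world-readable, not even briefly
    (
        umask 027
        cat > "$dir/$name" <<EOF
# Postfix mysql lookup table (generated by the example script)
user = $dbuser
password = $dbpass
hosts = 127.0.0.1
dbname = $dbname
query = $query
EOF
    )
    chmod 0640 "$dir/$name"
}

# generate_maps [DIR] [DBUSER] [DBPASS] [DBNAME]
generate_maps() {
    dir="${1:-/etc/postfix/virtual}"
    dbuser="${2:-postfixadmin_ro}"; dbpass="${3:-change-me}"; dbname="${4:-postfixadmin}"
    mkdir -p "$dir"
    # Domains: only active ones answer (Postfix substitutes the lookup key for %s)
    write_map "$dir" domains.cf \
        "SELECT domain FROM domain WHERE domain='%s' AND active='1'" \
        "$dbuser" "$dbpass" "$dbname"
    # Mailboxes: the mailbox AND its domain must be active. The commonly
    # taught query checks only mailbox.active, which is the bug described above.
    write_map "$dir" mailboxes.cf \
        "SELECT mailbox.maildir FROM mailbox INNER JOIN domain ON mailbox.domain=domain.domain WHERE mailbox.username='%s' AND mailbox.active='1' AND domain.active='1'" \
        "$dbuser" "$dbpass" "$dbname"
    # Aliases: same join, so forwarding stops with the domain as well
    write_map "$dir" aliases.cf \
        "SELECT alias.goto FROM alias INNER JOIN domain ON alias.domain=domain.domain WHERE alias.address='%s' AND alias.active='1' AND domain.active='1'" \
        "$dbuser" "$dbpass" "$dbname"
    # root:postfix so only Postfix can read the password (only possible as root)
    if [ "$(id -u)" -eq 0 ] && getent group postfix >/dev/null; then
        chown -R root:postfix "$dir"
    fi
    return 0
}

# map_checks_domain_active FILE -> 0 if the query also requires domain.active
map_checks_domain_active() {
    grep -q "domain.active='1'" "$1"
}
```

Point main.cf at the files with virtual_mailbox_domains = mysql:/etc/postfix/virtual/domains.cf, virtual_mailbox_maps = mysql:/etc/postfix/virtual/mailboxes.cf and virtual_alias_maps = mysql:/etc/postfix/virtual/aliases.cf, then verify a lookup with postmap -q someone@example.com mysql:/etc/postfix/virtual/mailboxes.cf; disable the domain in PostfixAdmin and the same lookup should return nothing.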
It's not yet fit for relaying mail for users of the domains your server is hosting, but that'll come later. If you'd like to test out your setup, you can use the following: apt-get install swaks. You should see the delivered mail there. In dovecot 2.x, most of the configuration has been broken down into files in /etc/dovecot/conf. Let's begin by configuring the SQL connection. We need to tell dovecot where to find user passwords. Remove the contents of /etc/dovecot/dovecot-sql.
For the howto, we'll be using the self-signed certificate that's created by the dovecot package upon installation. If you're using your own certificate, change the paths to point to the right files for your case: ssl = required. There's no quick and handy tool for testing this out, so brace yourselves: we'll have to run an IMAP session by hand (it's not very complicated, really).
From your computer, or another point which should have access to the IMAP server: openssl s. If the server responds that login was successful, there's a problem somewhere: if anyone was listening, the password was exposed. We'll configure SMTP to let people relay mail to external domains (e.
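The check the author does by hand, written up as an added example (not from the howto): with ssl = required and Dovecot's default disable_plaintext_auth = yes, an unencrypted connection to port 143 is greeted with STARTTLS and LOGINDISABLED in the capability list, and a LOGIN attempted before STARTTLS is answered with a tagged NO. The functions below evaluate such greetings and replies; the sample lines are constructed in Dovecot 2.x format, and live_greeting assumes a netcat binary on the path.

```shell
#!/bin/sh
# Added example, not from the howto: decide from an IMAP server's responses
# whether a password could have travelled in the clear. With ssl = required
# and Dovecot's default disable_plaintext_auth = yes, the greeting on port 143
# carries STARTTLS and LOGINDISABLED, and a LOGIN before STARTTLS gets a NO.

# greeting_refuses_plaintext_login GREETING -> 0 if STARTTLS and LOGINDISABLED
# are both advertised, 1 otherwise
greeting_refuses_plaintext_login() {
    case "$1" in
        *STARTTLS*LOGINDISABLED*|*LOGINDISABLED*STARTTLS*) return 0 ;;
        *) return 1 ;;
    esac
}

# greeting_offers_plaintext_auth GREETING -> 0 if AUTH=PLAIN or AUTH=LOGIN is
# offered before TLS, meaning a client may send credentials unencrypted
greeting_offers_plaintext_auth() {
    case "$1" in
        *AUTH=PLAIN*|*AUTH=LOGIN*) return 0 ;;
        *) return 1 ;;
    esac
}

# login_reply_refused TAG REPLY -> 0 if the tagged reply to LOGIN is a NO.
# An OK here means the server accepted a password on a non-TLS connection.
login_reply_refused() {
    case "$2" in
        "$1 NO"*) return 0 ;;
        *) return 1 ;;
    esac
}

# live_greeting HOST [PORT] -> prints the real pre-TLS greeting. Needs the
# network and a netcat binary (assumed); not exercised by the offline checks.
# The post-STARTTLS side can be inspected with: openssl s_client -starttls imap
live_greeting() {
    printf 'a LOGOUT\r\n' | nc -w 3 "$1" "${2:-143}" | grep '^\* OK'
}

# Constructed sample lines (not captured from a real server)
SAMPLE_GREETING_SAFE='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.'
SAMPLE_GREETING_UNSAFE='* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.'
SAMPLE_LOGIN_REFUSED='a NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.'
SAMPLE_LOGIN_ACCEPTED='a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR] Logged in'
```

Against a real server, run greeting_refuses_plaintext_login "$(live_greeting mail.example.com)" and expect success; the unsafe greeting above is what a Dovecot with ssl = no and disable_plaintext_auth = no would send, which is the state the author's manual test is meant to catch.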
Authentication, and reception of e-mails that are to be relayed elsewhere, needs to be encrypted. We'll need to configure Postfix so that it knows how to behave with SSL connections, and then we'll tell Postfix to use Dovecot's SASL library for authentication (Postfix will use the Dovecot authentication mechanism we configured earlier). Dovecot SASL. First things first: let's tell Dovecot how to . In /etc/dovecot/conf. For this example, I'll use the same certificate as was used with Dovecot: postconf -e 'smtpd.
For those users, mail delivery will not work. So we need to configure Postfix to listen on another port: the Mail Submission port, 5. In /etc/postfix/master. Watch out not to put any sensitive password here. We'll use four different tools to reject undesired messages: ClamAV, greylisting, SpamAssassin and Sender Policy Framework (SPF) checking.
Postfix, Dovecot, MySQL – Ex Ratione. This long post contains a recipe for building a reasonably secure Ubuntu 1.
Amazon Web Services, using Postfix, Dovecot, and MySQL, with anti-spam packages in the form of amavisd-new, Clam AntiVirus, SpamAssassin, and Postgrey. Local users are virtual rather than being system users. Administration of users and domains is achieved through the Postfix Admin web interface. Webmail is provided by Roundcube. A number of people graciously helped to fix bugs and make improvements in the original, so should you find a blocking issue here please do let me know.
A mailserver generally consists of a range of different packages that separately handle SMTP, POP/IMAP, local storage of mail, and spam-related tasks: they must all talk to one another correctly, all have small novels in place of configuration documentation, and there is no one obvious best practice for how users are managed, how to store user data, or how to glue the various components together. There are any number of viable setups for moving mail between Postfix and Dovecot, for example.
Further, the whole assembly tends to be unforgiving on matters such as file ownership and permissions, choice of users for specific processes, and tiny errors in esoteric configuration files. Unless you know what you are doing the end result will likely be either insecure or otherwise subtly non-functional. Merely not working is perhaps the best of the bad outcomes. In the past I have made good use of Abrahamsen's guide as a basis for my mail servers, and recommend it: it's a good set of documents, as the author places an emphasis on producing a secure mailserver as the end result. It is built around Courier, though, and Courier and Dovecot have completely different configuration, as well as many different administrative and tool binaries. When I chose to migrate my servers from Courier to Dovecot it was a challenge to find a good all-in-one-place guide, and hence the existence of this document.
That should help to avoid unpleasant surprises, and there are some notes at the end on alternative options and additions that are worth reading before you get started. Postfix: the SMTP server. It will only relay mail on to other mailservers if the mail is sent by an authenticated user, but anyone can send mail to this server for local delivery. Dovecot: a POP and IMAP server that manages local mail directories and allows users to log in and download their mail. It also handles user authentication. Postgrey: greylists incoming mail, requiring unfamiliar senders to wait for a while and then resend.
This is one of the better tools for cutting down on spam. Clam AntiVirus: a virus detection suite. SpamAssassin: for sniffing out spam in e-mails. Postfix Admin: a web front end for administering mail users and domains. Roundcube: a webmail interface for users. The server will pass through only a minimal set of mail headers for mail sent by local users, removing identifying information added by the original sender's mail software.
Very little of the material here is concerned with Amazon- specific issues. So if you are working with another service, just skip over the AWS- specific instructions and perform the equivalent operations in the service that you have chosen to use.
In services such as DigitalOcean a virtual server is completely exposed to the internet, so you would want to lock it down immediately with something like Uncomplicated Firewall (ufw). For example, as below, replacing MY. So wherever you see these items be sure to replace them with your chosen domain and mail server hostname. At the time of writing, Ubuntu 1.
Mail servers don't generally have to be all that big if you aren't in the business of e-mail: 2G of RAM is enough for the recipe here, and that much is needed only because ClamAV and Amavis are memory hogs. Thus while micro instances are too small, any of the larger instance types should be more than enough to support a personal mail server, a small business mail server, or the throughput of a mailing list of a few thousand members. You'll probably want to create a Security Group before starting the server.
The Security Group should allow inbound TCP traffic from any IP address to these ports:
25 (SMTP)
80 (HTTP)
110 (POP3)
143 (IMAP)
443 (HTTPS)
465 (SMTPS)
993 (IMAPS)
995 (POP3S)
The above is in addition to whatever rules you might have for SSH access from the IP address ranges you use. In fact it is a good idea to restrict all inbound traffic to the server to your own IP addresses while you are building it. You can adjust the rules to allow traffic from the rest of the world after you're certain that everything is secure and shipshape. You'll log in as the .
By default, an AWS instance will have its own strange-looking hostname, so changing it to the domain the server will have is the first item on the list. You may have purchased an SSL certificate for your mail server, but it is perfectly possible to run a mail server using a self-signed certificate: connections are still encrypted, although clients cannot verify the server's identity unless they are told to trust that specific certificate. The visible consequences will be warning screens when using webmail hosted on the server and warnings from mail clients such as Microsoft Outlook when connecting via POP, IMAP, or SMTP.
Fortunately there is a shortcut to install all of the basic LAMP packages, so start by updating the repository data and installing those packages. Choose something sensible when prompted for a password and wait for the remaining installations to complete. Then you can move on to adding an array of must-have additional packages for PHP, such as APC bytecode caching, Mcrypt support, Memcache support, cURL, an XML parser, and GD image processing support. You may also choose to add more to suit your own taste and any other applications you might want to support on this server.
You'll notice its absence when webmail fails to work later on. The following command fixes that issue by enabling the module. Configure PHP. The default configuration settings for PHP and the additional packages mentioned above are sufficient for most casual usage. So unless you have something complicated or high-powered in mind, you should probably only change the expose. One of the more recent attacks on SSL is known as Logjam, and defending against it requires what is presently a non-standard addition to your SSL configuration in applications using it. Creating your own Diffie-Hellman parameters (2048 bits or larger) and saving them to configuration files is the first step.
Configure Apache. The expected end result for the Apache webserver is that it will serve a single site with a couple of running web applications: (a) Roundcube for webmail, and (b) Postfix Admin hidden away in a subdirectory. All HTTP requests will be redirected to HTTPS, as there is no good reason to allow non-secure access to any of the applications that will reside on the server. The ServerTokens default is 'Full', which sends information about the OS type in the Server header.
# See https://weakdh.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
# The protocols to enable.
(This is the weakdh.org list from the time of writing: it excludes export, anonymous, RC4 and MD5 suites, but still allows 3DES and Camellia at the tail end, which current guidance drops.) Keeping the same simple approach, the upper portion of the SSL configuration in /etc/apache.
Inside the <IfModule mod_ssl.c> section: you may have a wildcard certificate for *. Place the relevant certificate, private key, and CA certificate bundle in the following locations.
The key must not be password protected, and it must be locked down so that only the root user can read it. Now change these lines in /etc/apache. [the certificate directives did not survive extraction; the accompanying comments from the Debian default SSL site read:]
# A self-signed (snakeoil) certificate can be created by installing the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# Alternatively the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server certificate.
You can find your Apache version by running . If your version supports it (SSLOpenSSLConfCmd needs Apache 2.4.8 or later built against OpenSSL 1.0.2 or later), point SSLOpenSSLConfCmd DHParameters at the file of parameters you generated; on older versions, append the parameters to the certificate file instead, for example: cat /etc/ssl/private/dhparams.
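An added example (my own, not from the post) of a shell lint for the SSL items this section configures: SSLv3 off, server-chosen cipher order, export and anonymous suites excluded, and a custom DH group via SSLOpenSSLConfCmd DHParameters. The two sample vhost files are constructed; on Apache 2.2, where the DH parameters are appended to the certificate file instead, the last check does not apply.

```shell
#!/bin/sh
# Added example, not the post's own configuration: lint an Apache SSL vhost
# file for the settings the Logjam section calls for. Constructed sample files
# are written by write_sample_configs so the check can run offline.

# apache_ssl_issues FILE -> prints one line per missing setting, exit 1 if any
apache_ssl_issues() {
    f="$1"; rc=0
    # Logjam is a downgrade attack; SSLv3 must be switched off explicitly.
    if ! grep -Eq '^[[:space:]]*SSLProtocol[[:space:]].*-SSLv3' "$f"; then
        echo "SSLProtocol does not disable SSLv3"; rc=1
    fi
    # Server-side preference, or a client can pick the weakest suite on offer.
    if ! grep -Eiq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$f"; then
        echo "SSLHonorCipherOrder is not on"; rc=1
    fi
    # Export-grade DHE is what Logjam downgrades to; aNULL suites have no authentication.
    if ! grep -Eq '^[[:space:]]*SSLCipherSuite[[:space:]].*!EXPORT' "$f"; then
        echo "SSLCipherSuite does not exclude EXPORT suites"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*SSLCipherSuite[[:space:]].*!aNULL' "$f"; then
        echo "SSLCipherSuite does not exclude anonymous (aNULL) suites"; rc=1
    fi
    # Custom DH group (Apache 2.4.8+ with OpenSSL 1.0.2); 2.2 appends it to the cert file.
    if ! grep -Eq '^[[:space:]]*SSLOpenSSLConfCmd[[:space:]]+DHParameters' "$f"; then
        echo "no SSLOpenSSLConfCmd DHParameters (default DH group in use)"; rc=1
    fi
    return $rc
}

# write_sample_configs DIR -> creates weak.conf and hardened.conf (constructed)
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM
</VirtualHost>
EOF
    cat > "$1/hardened.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5
    SSLHonorCipherOrder on
    SSLOpenSSLConfCmd DHParameters /etc/ssl/private/dhparams.pem
</VirtualHost>
EOF
}
```

Run it as apache_ssl_issues /etc/apache2/sites-enabled/default-ssl.conf after editing; an empty output and exit status 0 means every item from this section is present. The weak sample above trips all five checks.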
Now restart Apache to pick up the changes, after which you should be able to load the default Apache homepage and see that you are automatically redirected to HTTPS. If you are building a larger machine for heavy usage, you will probably want to bump memcached's memory cap higher than the default of 64M; the setting in memcached.conf is introduced by these comments:
# Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
# Note that the daemon will grow to this size, but does not start out holding this much
Install the Mailserver Packages. Now we're ready to start in on the harder stuff. As for the LAMP server, there is a shortcut for installing the basic packages for a mail server.
At this point select . You will be asked for the system mail name, which is the hostname of your mailserver, e.
When Dovecot installs you will be asked whether you want to create an SSL certificate. That is not the goal here, so we need the rest of the cast, such as MySQL support for Postfix and Dovecot, and a coterie of spam-mashing packages. The php5-imap package actually provides support for POP3 as well as the IMAP protocol, and will be needed by Postfix Admin and most of the PHP webmail applications you could choose. It isn't automatically enabled, however; you must run this command to ensure that it is. You will want to restart Apache at this point to have php.
Next you'll want to install a few optional packages that extend the abilities of the spam and virus detection packages by allowing greater inspection of attached files. Create a Mail Database and User in MySQL. Log in to MySQL.