How to set up a mail server on a GNU / Linux system

Step by step guide to install Postfix

Ubuntu + Postfix + Courier/Dovecot IMAP + MySQL + Amavisd-new + SpamAssassin + ClamAV + SASL + TLS + Roundcube + Postgrey

Easy to follow howto on setting up a mail server with unlimited users and domains, with IMAP access, anti-spam, anti-virus, secure authentication, encrypted traffic, web mail interface and more.

Based on an Ubuntu distribution platform, but instructions are distro generic. Examples are run on Amazon AWS ec2, but only for demonstration purposes.

Author: Ivar Abrahamsen

Last Update: 2020-05-08

Contents

Editions

Edition  State                 Started  Updated  Description
1st      Released (outdated)   2004-01  2004-02  Based on Mandrake 9.1.
2nd      Released (outdated)   2004-02  2004-07  Based on Mandrake 10.x. Very thorough with advanced server sections.
3rd      Released (outdated)   2005-05  2005-11  Based on Ubuntu 5.04, Hoary Hedgehog. Now includes SASL & TLS integration.
4th      Released (outdated)   2005-10  2005-12  Based on Breezy Badger, Ubuntu 5.10. Includes Postgrey.
5th      Released (outdated)   2006-05  2006-11  Based on Ubuntu 6.06 LTS, Dapper Drake.
6th      Scrapped              2006-11  2007-10  Was to be based on Edgy Eft, Ubuntu 6.10 or 7.04. Was to include Domain Key signing, and my mail admin or my catchall aliases admin.
7th      Released (outdated)   2008-04  2009-06  Updated, based on Ubuntu 8.04 LTS Hardy Heron. Using Amazon EC2 as example. (Tested with 8.10 & 9.04 as well.)
8th      Released (outdated)   2009-05  2009-11  Based on Ubuntu 8.10 (intrepid), then tested with 9.04 (jaunty) & 9.10 (karmic) as well. Using official Ubuntu ec2 as examples.
9th      Released (outdated)   2009-11  2010-05  Based on Ubuntu 9.10 (karmic) using Canonical's cloud images. Added Roundcube webmail option.
10th     Released (outdated)   2009-12  2013-01  Based on Ubuntu 10.04 LTS (lucid) using Canonical's cloud images. Tested on 10.10 (maverick) and 11.04 (natty).
11th     Released              2012-11  2014-05  Based on Ubuntu 12.04 LTS (precise). Tested with 12.10 (quantal) and 13.04 (raring).
12th     Released              2014-05  2016-03  Based on Ubuntu 14.04 LTS (trusty).
13th     Released              2016-03  2017-11  Based on Ubuntu 14.04 LTS (trusty). Added Dovecot.
14th     Released (this)       2017-11  2018-09  Based on Ubuntu 16.04 LTS (xenial). Added DKIM.
15th     Draft                 2020-04  2020-05  Based on Ubuntu 20.04 LTS (focal).

Further details are available in the change log and below in the introduction.

Introduction

Software

What software packages did/will I use, and why.

OS: Ubuntu Linux www.ubuntu.com This howto initially used Mandrake (now Mandriva), took a little tangent into Gentoo, and then settled on Ubuntu. As Ubuntu extends Debian, most of this howto also works with Debian. Please refer to older editions for details on RPM or source based installations.

MTA: Postfix www.postfix.org Simple, free and slick. Yup I am a sucker for anything that works easily. Postfix is powerful, well established, but not too bloated, and is security conscious from the start.

Pop/IMAP: Courier IMAP or Dovecot www.courier-mta.org/imap/ My first mail server installation was with Courier. I have not found a reason to change this, as again it is simple, and free. www.dovecot.org A popular alternative is Dovecot.

Database: MySQL www.mysql.com MySQL is a popular relational database with good support for the sort of lookups required in a mail server. Postgres can also be used, but it is not supported by all the tools used for this set up.

Content Check: Amavisd-new www.ijs.si/software/amavisd/ Easy plug in solution for spam, virus checking etc.

Anti-Spam: SpamAssassin spamassassin.apache.org Powerful renowned spam fighting tool.

Anti-Virus: ClamAV www.clamav.net Free virus scanner that can be trusted and includes update daemon.

Authentication: Cyrus SASL www.imc.org/ietf-sasl/ Secure and trusted cryptography technology for authentication of SMTP traffic.

PostGrey isg.ee.ethz.ch/tools/postgrey/ Postgrey is an excellent little script to stop 99% of all spam. All it does is, on first contact for a specific from-to combination, tell the sending server to try again in a little while, which most spammers can't afford to do. When proper servers try again after a few minutes, it lets them through.

Encryption: TLS www.ietf.org/html.charters/tls-charter.html Secure and trusted cryptography technology for encryption of SMTP traffic. Not to be confused with client encryption technology like GnuPG and S/MIME. They are covered in the extend section. Formerly referenced as SSL.

WebMail: SquirrelMail or Roundcube www.squirrelmail.org Easy to set up php based web mail client. Extensive plugin selection. www.roundcube.net Ajaxified prettier web mail client.

Platform: Amazon ec2 aws.amazon.com/ec2 This guide can be installed locally, co-located or in the cloud.

I provide some ec2 based examples, however it makes no difference where you install your mail server. Please see the software links appendix for further information about these software packages. In that section there are more links to documentation or forums, viable alternatives, downloadable packages, version details etc. Further software and tweaks are discussed in the extension section. Also review other people's opinions on these packages via my references.

Installation

Distribution

This section is different for every distribution and for every version. This howto is based on Ubuntu and its Debian base, which uses apt-get. Therefore this section uses apt packages to the fullest. For other installation methods please refer to the previous editions' software links and your own distribution's documentation. My 2nd edition (outdated) has instructions for Mandriva, general RPM and tarball compiling. To follow the rest of this howto with another distribution, you need to ensure all your packages have been installed with the same modules, i.e. MySQL lookup in Postfix and SASL, PHP in Apache, etc. I have set up mail servers using the 32bit and 64bit x86 platforms, and if all the packages are available then other platforms, e.g. Mac, should work too.

Base Install

When installing Ubuntu you have a choice of which base system to install. You may choose the server or desktop image, or a very basic setup. I will assume a server install, but it should not differ. If you have chosen an ec2 based server you should follow my ec2 suggestions first. I strongly suggest choosing the latest LTS version of Ubuntu, not the versions in between. Once this is set up you will tinker very little with it, and it will quickly become annoying to upgrade distributions once a year.

P.S. Please note that after a while I'll stop specifying the use of sudo, as it is up to yourselves whether you use it or a privileged user, e.g. root. My advice is to use 'sudo'.

Repositories

For assistance with repositories, refer to this article on Ubuntu's wiki. I would recommend finding a repository archive close to your server's location, for example a country specific one, or if hosted on AWS EC2 an archive in your AWS region. Remember these are highly security sensitive, so choose one you trust. You need the main and universe repositories. The multiverse, restricted and partner repositories can be added but are not needed. Do not add backports.

  sudo vi /etc/apt/sources.list

Uncomment the lines that have universe commented out. E.g. here are mine for ec2 in Europe:

  deb http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/ trusty universe
  deb-src http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/ trusty universe
  deb http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/ trusty-updates universe
  deb-src http://eu-west-1.ec2.archive.ubuntu.com/ubuntu/ trusty-updates universe
  deb http://security.ubuntu.com/ubuntu trusty-security universe
  deb-src http://security.ubuntu.com/ubuntu trusty-security universe

Note the security repository always has to go to the non-mirrored server. As mentioned in the previous edition, you also might want to find a repository closer to your server.

Packages

You need to install a whole bunch of packages. We will install them bit by bit. But first check that your package sources are correctly pointing to the main, multiverse, restricted and universe repositories of your current Ubuntu version.

  sudo vi /etc/apt/sources.list

Secondly, update your current system:

  sudo apt-get update
  sudo apt-get upgrade

Note: aptitude is no longer supplied in the base install of Ubuntu, due to some concurrency issues. Some parts of this document may still refer to aptitude. You should use the original apt-get instead.

Additional packages

I also install a few other packages that I personally prefer, but they have nothing to do with the mail server.

  sudo apt-get install vim lynx curl git

Mutt is a very useful command line mail client that I always install, but I usually do that at the end when testing, so that it doesn't install its dependency on Postfix before I am ready.

  sudo apt-get install mutt

Package status

To find out which packages you may have installed, you can use for example:

  sudo dpkg --list | grep postfix

And to find which are available:

  apt-cache search postfix

Configuration



Advanced mail server

Now let's extend this setup with more useful content checks, security and user interfaces.

Content Checks (Anti spam & anti virus)

Amavisd-new

Amavisd ties together all the different ways of checking email content for spam and viruses. Install amavisd-new:

  sudo apt-get install amavisd-new

The defaults are pretty good, and the Ubuntu documentation is also pretty clear and recommended. Here is a tweaked version of it:

Initially we will not enable spam or virus detection! This is so we can get amavis set up to receive, check and pass on emails before we go on and over-complicate it. All of amavis' configuration files are in /etc/amavis. They are now spread across several files in conf.d; the Debian and Ubuntu defaults are very sensible and split into separate files.

  cd /etc/amavis/conf.d

01-debian defaults are fine.

Have a look at 05-domain_id, 05-node_id and 15-av_scanners (less 05-domain_id, and so on), but don't change anything in them.

Edit the content check file:

  sudo vi 15-content_filter_mode

Comment out both the virus and spam scans (the default).

Have a look at 20-debian_defaults and 21-ubuntu_defaults, but don't change anything in them. 25-amavis_helpers defaults are fine.

30-template-localization defaults are fine.

Edit the user file:

  sudo vi 50-user

In the middle insert:

  @local_domains_acl = qw(.);
  $log_level = 2;
  $syslog_priority = 'debug';
  $sa_kill_level_deflt = 8.0;
  $final_spam_destiny = D_PASS;

We have now set up amavis to scan and pass along incoming email. Next we will set up Postfix to talk to amavis.

  sudo vi /etc/postfix/master.cf

Append these lines to the end of the file (make sure they are not already present). Note the -o lines have spaces in front of them.

  amavis unix - - - - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

  127.0.0.1:10025 inet n - - - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Also add the following two lines immediately below the "pickup" transport service:

    -o content_filter=
    -o receive_override_options=no_header_body_checks

And then add this to main.cf:

  sudo vi /etc/postfix/main.cf

  content_filter = amavis:[127.0.0.1]:10024

This should be it to get amavis working. If emails are picked up by amavis and passed back to Postfix then it looks okay.
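The two master.cf services above are where a mistake turns into a mail loop (mail re-injected on 10025 being sent back to amavis) or an unintended relay (the 10025 listener accepting from hosts other than localhost). As an added check, not part of the howto, the following Python parses the master.cf entries and verifies the security-relevant overrides on the re-injection listener; the MASTER_CF_SAMPLE text is a constructed copy of the two services the howto appends.

```python
"""Parse Postfix master.cf services and check the amavis re-injection listener.

Added example, not from the howto. The sample below is a constructed copy of
the two services the howto appends to master.cf.
"""
import re

MASTER_CF_SAMPLE = """\
amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
"""


def parse_master_cf(text):
    """Return {service_name: {"type", "chroot", "maxproc", "command", "options"}}.

    A service line has 8 whitespace-separated fields (name, type, private,
    unpriv, chroot, wakeup, maxproc, command). Continuation lines start with
    whitespace and carry '-o name=value' overrides; '-o name=' (empty value)
    is kept as '' so the check below can tell 'overridden to empty' from 'absent'.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError("continuation line before any service: %r" % line)
            m = re.match(r"\s*-o\s+([A-Za-z0-9_]+)=(.*)$", line)
            if not m:
                raise ValueError("unrecognised override line: %r" % line)
            current["options"][m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()
        if len(fields) < 8:
            raise ValueError("service line needs 8 fields: %r" % line)
        name, stype, _private, _unpriv, chroot, _wakeup, maxproc, command = fields[:8]
        current = {"type": stype, "chroot": chroot, "maxproc": maxproc,
                   "command": command, "options": {}}
        services[name] = current
    return services


def check_reinjection_listener(services, name="127.0.0.1:10025"):
    """Return a list of problems with the listener amavis hands mail back to.

    An empty list means the listener matches what the howto requires: no
    content filter on the way back in (no loop), only localhost may talk to
    it, and both restriction lists end in 'reject' for anyone else.
    """
    problems = []
    svc = services.get(name)
    if svc is None:
        return ["no service %s defined" % name]
    opts = svc["options"]
    if svc["command"] != "smtpd":
        problems.append("listener must run smtpd, not %s" % svc["command"])
    if opts.get("content_filter") != "":
        problems.append("content_filter must be overridden to empty")
    if opts.get("mynetworks") != "127.0.0.0/8":
        problems.append("mynetworks must be 127.0.0.0/8")
    for key in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        if opts.get(key) != "permit_mynetworks,reject":
            problems.append("%s must be permit_mynetworks,reject" % key)
    return problems
```

To run it against a live server, read /etc/postfix/master.cf into parse_master_cf() instead of the sample; the amavis client service's maxproc (2 here) is also returned so it can be compared with the number of amavisd workers.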
Only when finished testing do you proceed to uncomment the anti virus and anti spam lines in 15-content_filter_mode:

  sudo vi 15-content_filter_mode

  @bypass_virus_checks_maps = (
     \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

  @bypass_spam_checks_maps = (
     \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

But do that after the next section (SpamAssassin). When things are working we will turn down the logging level, and start bouncing/discarding spam.

  sudo vi /etc/amavis/conf.d/50-user

  @local_domains_acl = qw(.);
  $log_level = 1;
  $syslog_priority = 'info';
  $sa_kill_level_deflt = 8.0;
  $final_spam_destiny = D_DISCARD;

Anti-Spam

SpamAssassin

Installation:

  sudo apt-get install spamassassin spamc

The default config of SpamAssassin is okay. You could refer to a previous edition for more configuration options. You do need to tell SpamAssassin to start spamd on boot.

  sudo vi /etc/default/spamassassin

  ENABLED=1

One configuration option you could tweak is to enable Bayes and auto learning.

  sudo vi /etc/spamassassin/local.cf


Anti Virus

ClamAV

Installation:

  sudo apt-get install clamav clamav-base libclamav7 clamav-daemon clamav-freshclam

(Earlier versions of Ubuntu may use libclamav5 or libclamav6.)

ClamAV does not need setting up. Configuration files are in /etc/clamav, but they are automatically generated, so do not edit them. By default freshclam, the daemon that updates the virus definition database, is run 24 times a day. That seems a little excessive, so I tend to set that to once a day.

  sudo dpkg-reconfigure clamav-freshclam

It will also ask if you want it to be a daemon (yes) and which server is closest to you. If needed, the command below will redefine the configuration with a lot of questions. Not needed unless you need to configure.

  sudo dpkg-reconfigure clamav-base

Enable scanning by ClamAV of amavis' temporary files:

  sudo adduser clamav amavis

Postgrey

Installation:

  sudo apt-get install postgrey

The default config of postgrey is okay. However you need to tell Postfix to use it.

  sudo vi /etc/postfix/main.cf

And then edit the recipient restrictions:

  smtpd_recipient_restrictions =
     reject_unauth_pipelining,
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_non_fqdn_recipient,
     reject_unknown_recipient_domain,
     reject_unauth_destination,
     check_policy_service inet:127.0.0.1:10023,
     permit

You can tweak whitelisting in /etc/postgrey. You can tweak the postgrey configuration in /etc/default/postgrey, e.g. the delay, auto whitelisting, or the reject message.

  POSTGREY_OPTS="--inet=10023 --max-age=365"

You now have an advanced mail server. You can use this, but I'd recommend continuing. However this is a good point to test the setup so far and to insert some data in the db.
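To make concrete what check_policy_service inet:127.0.0.1:10023 does with a from-to combination, here is an added model of a greylisting policy server (my own example, not Postgrey's code): it parses the attribute block Postfix sends to a policy service and applies the first-contact/retry logic the introduction describes. The delay, the max-age and the greylist text are constructed values; the sample request is constructed too.

```python
"""Model of the Postfix policy delegation exchange with a greylisting service.

Added example, not Postgrey's code. Greylists on the exact
(client_address, sender, recipient) triplet the howto describes.
"""
import time

# Constructed values. The howto only sets --max-age=365 (days); the rest are
# illustrative defaults for this model.
DEFAULT_DELAY = 300               # seconds a new triplet must wait before a retry is accepted
DEFAULT_MAX_AGE = 365 * 86400     # forget a triplet not seen for this long (--max-age, days)
GREYLIST_TEXT = "Greylisted, try again later"


class Greylist:
    """Greylisting state keyed on the (client_address, sender, recipient) triplet."""

    def __init__(self, delay=DEFAULT_DELAY, max_age=DEFAULT_MAX_AGE):
        self.delay = delay
        self.max_age = max_age
        self.first_seen = {}   # triplet -> time of first contact, still waiting for a retry
        self.passed = {}       # triplet -> time of the last accepted delivery

    def decide(self, client_address, sender, recipient, now):
        triplet = (client_address, sender.lower(), recipient.lower())
        last = self.passed.get(triplet)
        if last is not None and now - last <= self.max_age:
            self.passed[triplet] = now          # known good triplet: accept and refresh
            return "DUNNO"
        first = self.first_seen.get(triplet)
        if first is None or now - first > self.max_age:
            self.first_seen[triplet] = now      # first contact: ask the sender to retry
            return "DEFER_IF_PERMIT " + GREYLIST_TEXT
        if now - first < self.delay:
            return "DEFER_IF_PERMIT " + GREYLIST_TEXT   # retried too soon
        del self.first_seen[triplet]            # proper retry after the delay: let it through
        self.passed[triplet] = now
        return "DUNNO"


def parse_policy_request(raw):
    """Postfix sends one 'name=value' attribute per line, terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def handle_request(greylist, raw, now=None):
    """Return the reply Postfix expects: 'action=<verb>' followed by an empty line.

    DEFER_IF_PERMIT (rather than DEFER) lets a later restriction in the
    howto's smtpd_recipient_restrictions reject outright instead of deferring;
    DUNNO passes the decision on to the next restriction.
    """
    now = time.time() if now is None else now
    attrs = parse_policy_request(raw)
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO\n\n"
    action = greylist.decide(attrs.get("client_address", ""),
                             attrs.get("sender", ""),
                             attrs.get("recipient", ""), now)
    return "action=%s\n\n" % action


# Constructed sample of what Postfix sends at RCPT time.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=203.0.113.7\n"
    "client_name=mx.sender.example\n"
    "sender=alice@sender.example\n"
    "recipient=bob@example.com\n"
    "\n"
)
```

A real policy server reads these blocks from the socket Postfix connects to (here inet 127.0.0.1:10023) and writes the reply back on it; the model keeps state in memory, whereas Postgrey persists it on disk.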



Secure mail server

Stopping hackers, phishers, spammers, your boss and your neighbour from accessing your server or the traffic in between is important, and easily done.

Authentication

Normal email traffic between clients and servers is in open plain text. That includes passwords and the content of emails.

SASL

SASL secures the actual authentication (login), by encoding the passwords so that they cannot be easily intercepted. The rest of the emails are however in clear plain text. SASL can be a royal pain to set up, especially as it does not support storing encrypted passwords by default in Ubuntu.

Therefore my previous editions described how to configure SASL using plain text passwords in the database. Obviously this is not ideal, so there are ways to combine SASL and storing encrypted passwords. In the future the packages that come with Ubuntu may support the password_format configuration option for SASL. But until then you can configure SASL to ask PAM to compare the passwords.

Installation

  sudo apt-get install libsasl2-modules libsasl2-modules-sql libgsasl7 libauthen-sasl-cyrus-perl sasl2-bin libpam-mysql

Configuration

Enable postfix to access the SASL files:

  sudo adduser postfix sasl

Create the sasl files so they are accessible even by chrooted Postfix:

  sudo mkdir -p /var/spool/postfix/var/run/saslauthd

Add SASL configurations to Postfix:

  sudo vi /etc/postfix/main.cf

  smtpd_sasl_auth_enable = yes
  broken_sasl_auth_clients = no
  smtpd_sasl_security_options = noanonymous
  smtpd_sasl_local_domain =

Modify these existing configurations:

  smtpd_sender_restrictions =
     permit_sasl_authenticated,
     permit_mynetworks,
     warn_if_reject reject_non_fqdn_sender,
     reject_unknown_sender_domain,
     reject_unauth_pipelining,
     permit

  smtpd_recipient_restrictions =
     reject_unauth_pipelining,
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_non_fqdn_recipient,
     reject_unknown_recipient_domain,
     reject_unauth_destination,
     check_policy_service inet:127.0.0.1:10023,
     permit

Change how SASLAUTHD is run:

  sudo vi /etc/default/saslauthd

  START=yes
  OPTIONS="-r -c -m /var/spool/postfix/var/run/saslauthd"

Tell postfix how to interact with SASL:

  sudo vi /etc/postfix/sasl/smtpd.conf

  pwcheck_method: saslauthd
  mech_list: plain login cram-md5 digest-md5
  log_level: 7
  allow_plaintext: true
  auxprop_plugin: sql
  sql_engine: mysql
  sql_hostnames: 127.0.0.1
  sql_user: mail
  sql_passwd: mailPASSWORD
  sql_database: maildb
  sql_select: select crypt from users where id='%[email protected]%r' and enabled = 1

(When SASL is working you can remove the log_level line.)

(Note: While sql_passw is the original parameter name (without the d), the more obvious sql_passwd will also work in later versions.)

Tell PAM how to authenticate smtp via MySQL:

  sudo vi /etc/pam.d/smtp

These must be on 2 lines only, but I have broken them up for easier reading.

  auth required pam_mysql.so user=mail passwd=mailPASSWORD host=127.0.0.1 db=maildb
     table=users usercolumn=id passwdcolumn=crypt crypt=1

  account sufficient pam_mysql.so user=mail passwd=mailPASSWORD host=127.0.0.1 db=maildb
     table=users usercolumn=id passwdcolumn=crypt crypt=1

In addition to tailing /var/log/mail.log and /var/log/mysql/mysql.log, it is quite useful to tail auth.log as well when testing SASL.

  tail -f /var/log/auth.log

Restart postfix and saslauthd to enable SASL for sending emails.

  sudo /etc/init.d/saslauthd restart
  sudo /etc/init.d/postfix restart

IMAP SASL / Courier

I tend not to have SASL for my courier authentication, as I enforce TLS for all my clients.

However if you have a more lenient access policy, which is wise if you have many users, then you may want SASL in Courier as well:

  sudo vi /etc/courier/imapd

This may already be available as a commented out line. If not, replace the current line by adding AUTH=CRAM-MD5 AUTH=CRAM-SHA1 so it resembles something like this (again on one line):

  IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE"

  sudo /etc/init.d/courier-authdaemon restart; sudo /etc/init.d/courier-imap restart; sudo /etc/init.d/courier-imap-ssl restart



Encryption

TLS

Encrypting the traffic stops anyone else from listening in on your email communications, and is very much recommended. There are different types of communication to encrypt: the data traffic between your email applications and the server when you read or send emails, and the communication between other email servers and your server. For the encryption of reading emails, it is Courier you need to configure. For sending, and for encryption between servers, it is Postfix.

TLS in Postfix

To encrypt you need certificates. Ubuntu creates some for you which you can use while setting up the server. However before you go live, it is recommended to create your own with your proper domain name etc. Please refer to a previous edition for more detail.

  vi /etc/postfix/main.cf

There are already some TLS settings in the default Debian/Ubuntu version of this file. I moved these to the end, for clarity, but that is up to you.

  # TLS parameters
  smtp_tls_security_level = may
  smtpd_tls_security_level = may
  smtp_tls_note_starttls_offer = yes
  smtpd_tls_loglevel = 1
  smtpd_tls_received_header = yes
  smtpd_tls_session_cache_timeout = 3600s
  tls_random_source = dev:/dev/urandom
  smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
  smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
  smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Next we have a look at the master.cf file.

  vi /etc/postfix/master.cf

By default only the normal smtp service is enabled, which is fine. But I prefer to also enable submission (port 587), so that clients can use it, and I can restrict them to TLS only. Also enable the smtps service (port 465), for compatibility with some older clients (Outlook Express etc.).

  submission inet n - y - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
    -o smtpd_sasl_security_options=noanonymous,noplaintext
    -o smtpd_sasl_tls_security_options=noanonymous

  smtps inet n - y - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sasl_security_options=noanonymous,noplaintext
    -o smtpd_sasl_tls_security_options=noanonymous

TLS in Courier

Again Ubuntu has created a certificate for you, but if you want to create your own, especially for a properly named server, then do this:

  cd /etc/courier
  openssl req -x509 -newkey rsa:1024 -keyout imapd.pem \
     -out imapd.pem -nodes -days 999

For more details review an earlier edition. Then you need to edit

  vi /etc/courier/imapd-ssl

By default Ubuntu already points to your certificate:

  TLS_CERTFILE=/etc/courier/imapd.pem

Modify this if needed. Also, if you want to restrict IMAP users to SSL/TLS only, toggle this setting to 1:

  IMAP_TLS_REQUIRED=1
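The submission settings above (smtpd_tls_auth_only=yes with noplaintext before TLS) should mean a client never sees AUTH advertised until it has issued STARTTLS. As an added check, not from the howto, the following Python parses EHLO replies captured before and after STARTTLS and flags a listener that leaks AUTH onto the unencrypted channel; the two EHLO replies are constructed samples, and probe_submission() runs the same check live against a host you name (assumed; not called here).

```python
"""Verify that a submission listener offers AUTH only after STARTTLS.

Added example, not from the howto. parse_ehlo() and check_auth_only_after_tls()
work on captured EHLO replies; probe_submission() does the live exchange.
"""
import smtplib
import ssl

# Constructed samples of what the howto's submission service should answer.
EHLO_BEFORE_TLS = """\
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

EHLO_AFTER_TLS = """\
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo(reply_text):
    """Turn a raw EHLO reply into {KEYWORD: [params]}.

    Capability lines look like '250-STARTTLS' or '250-AUTH PLAIN LOGIN'; the
    last line uses '250 ' instead of '250-'. The first 250 line is the server
    greeting (hostname), not a capability, and is skipped.
    """
    lines = [l.strip() for l in reply_text.splitlines() if l.strip().startswith("250")]
    caps = {}
    for line in lines[1:]:
        parts = line[4:].split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def check_auth_only_after_tls(plain_caps, tls_caps):
    """Return a list of problems; empty means the listener behaves as intended.

    Encodes the howto's intent: smtpd_tls_auth_only=yes (no AUTH before
    STARTTLS) and plaintext mechanisms only once the channel is encrypted.
    """
    problems = []
    if "STARTTLS" not in plain_caps:
        problems.append("STARTTLS not offered")
    if "AUTH" in plain_caps:
        problems.append("AUTH offered before STARTTLS: %s" % " ".join(plain_caps["AUTH"]))
    if "AUTH" not in tls_caps:
        problems.append("AUTH not offered after STARTTLS")
    return problems


def probe_submission(host, port=587, timeout=10):
    """Live version: EHLO, STARTTLS, EHLO again, then run the same check.

    The default SSL context verifies the server certificate, so the snakeoil
    certificate the howto starts with will fail here; that is itself a finding
    to fix before going live. 'host' is whatever you point this at (assumed).
    """
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        after = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
    return check_auth_only_after_tls(before, after)
```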



For maximum compatibility it is not wise to restrict to TLS only for the traffic between servers, as this means not all valid emails sent by others can reach your server. However enabling the option to encrypt is a good idea. Be aware that the emails are not encrypted on your machine, nor on the server. For this type of client encryption, please refer to a previous edition for more on GnuPG.

In some situations SASL and TLS do not play well together. Those situations are combinations of storing encrypted passwords and using MD5 authentication over encrypted traffic. I recommend insisting on TLS traffic with your authenticating clients, which then negates the need for SASL.

HTTPS

You probably also want to insist on https connections over TLS if you add webmail below that is exposed to the public. Securing a web server is out of scope for this howto, but will not be a lot different from the mail server TLS settings.

You now have an advanced secure mail server. Now is another good point to test the setup so far and to insert some data in the db.

Webmail

Enable web access

You may need to enable web access in the firewall. Check the firewall configuration if this is necessary.

Alternative: SquirrelMail

This howto in previous editions used SquirrelMail as the webmail client. It is more mature with a longer testing record, and has a large library of various plugins. Please read the SquirrelMail extension further down on how to install it instead, if preferred.

Roundcube webmail client

To install Roundcube:

  sudo apt-get install roundcube roundcube-mysql roundcube-plugins

It will ask you if you want to configure its database access; answer yes, then select mysql. Then it will ask for the root MySQL user's password, after which it will create a roundcube MySQL user and ask for its desired password. This will create a symlink in /etc/apache2/conf.d/ to /etc/roundcube/apache.conf. Edit this file:

  sudo vi /etc/roundcube/apache.conf

Depending on your setup you may want to move those Alias commands at the top to your virtual hosts configuration, or for this example enable them here for all hosts.

  Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
  Alias /roundcube /var/lib/roundcube

Next edit the configuration file:

  sudo vi /etc/roundcube/main.inc.php

Modify these lines for added security and ease of log in:

  $rcmail_config['default_host'] = 'ssl://localhost';
  $rcmail_config['default_port'] = '993';
  $rcmail_config['imap_force_ns'] = true;
  $rcmail_config['smtp_server'] = 'ssl://localhost';
  $rcmail_config['smtp_port'] = 465;
  $rcmail_config['smtp_helo_host'] = 'mail.example.com';
  $rcmail_config['create_default_folders'] = TRUE;

There are other tweaks and security features you can enable, such as:

  $rcmail_config['sendmail_delay'] = 1;

But perhaps concentrate on getting the basics working first... Save, exit and reload Apache to enable these aliases for Roundcube to work:

  sudo /etc/init.d/apache2 reload

Then go to your roundcube installation, depending on where and how you modified those Aliases, e.g. at http://mail.example.com/roundcube.

That should be it. If you have enabled session encryption then also enable the mcrypt library:

  sudo ln -s /etc/php5/mods-available/mcrypt.ini /etc/php5/apache2/conf.d/20-mcrypt.ini

You can obviously modify and tweak further. One thing that may be useful is to have the Roundcube Apache Alias on different virtual hosts.

Another is to configure username_domain in main.inc.php to append different email domains to the user name.

Or configure default_host to a different mail server depending on the virtual host.

For security, enforcing https for the webmail is probably smart.

Adding your own skin logo etc. to customize the look is likely ($rcmail_config['skin_logo'] = 'yourlogo.png';).

If your webmail is not on the same server as your MTA (Postfix), then the MTA might not have the webmail server's IP listed in permit_mynetworks, so you might want to log into the SMTP server when sending email:

  $rcmail_config['smtp_user'] = '%u';
  $rcmail_config['smtp_pass'] = '%p';
  $rcmail_config['smtp_auth_type'] = 'login';

More details on the Roundcube Wiki.

Administration

Enable web access

You may need to enable web access in the firewall. Check the firewall configuration if this is necessary.

Install phpmyadmin

  sudo apt-get install phpmyadmin

Enter Yes to set it up, enter the root MySQL password, then enter a phpmyadmin MySQL user password twice. Accept apache2 as the web server. You may choose to restrict phpMyAdmin to a specific virtual host. If so you need to edit

  sudo vi /etc/apache2/conf.d/phpmyadmin.conf

and comment out the alias, and insert the alias instead into a virtual host configuration in /etc/apache2/sites-available/. For this example we are not, and for testing we keep the Alias uncommented. Reload apache to activate the changes. First test if the configuration is ok:

  sudo apache2ctl -t

Then reload it:

  sudo /etc/init.d/apache2 reload

You can now go to http://yourdomain.com/phpmyadmin/, and login with the mail user. You can use it as it is, but I recommend securing it a bit more. One simple way is adding Apache's .htaccess login requirement. Further restrictions can be restricting it to a specific virtual host, or renaming the folder (purely obfuscating, but simple), or using the example in the webmail section and adding an SSL requirement to the connection, or disabling MySQL root's access via phpMyAdmin. Please refer to a previous edition for an example of htaccess and MySQL user restriction.

External changes

Before making any changes you need to have done a few steps externally (or at least before you start testing).

Domain name

You need a domain name to use with your email server. This may be one you purchased, or a subdomain of an existing one, or a dynamic one, e.g. dyndns.org.

DNS

You will also need to configure the MX details in the DNS for this server. This is done via your domain registrar, or sometimes an external nameserver (DNS) provider. You can also host your own DNS via packages such as Bind. Your provider might let you do this through a GUI, but this is technically what the configuration should look like:

  domain.tld IN MX 10 yourmailserver.domain.tld

(Replace domain.tld with your domain name, and yourmailserver.domain.tld with the full name of your mail server.) Repeat this for each domain that you want the server to handle. Further MX entries are possible in the same file if there are subdomains, and also if you have backup MX servers. Refer to my backup MX section if interested.

Note: Some other mail systems will check via reverse DNS for a match between IP and mail server name, as part of their spam scoring. If people need suggestions for domain registrars or DNS providers then let me know.

You now have a finished mail server. This is as far as the main guide goes. Hope it was clear enough to follow. Now it is time to insert data, and to test how it works. Feel free to extend it with my suggestions further down.

Data

Test

Initialize

Brief hints if you receive a ready set up machine (or EC2 AMI), and what then to check and customize to your setup.

Stop services

First stop the services so they won't accidentally do something.

  sudo /etc/init.d/postfix stop
  sudo /etc/init.d/courier-imap-ssl stop
  sudo /etc/init.d/courier-imap stop
  sudo /etc/init.d/courier-authdaemon stop
  sudo /etc/init.d/mysql stop
  sudo /etc/init.d/amavisd stop
  sudo /etc/init.d/spamassassin stop
  sudo /etc/init.d/clamav stop

Restrict firewall

Check what the firewall rules are.

  vi /etc/shorewall/rules

Refer to the firewall settings. Restrict to just SSH access for now.

Change passwords

Next the passwords need to be changed, for both the system and MySQL.

System passwords

Check which users are defined on the system.

  cat /etc/passwd

Apart from all the system ones, there should probably be none (if EC2 AMI) or just your user if it is a standard Ubuntu install. If there are some users, you need to change their passwords.

SSH Access

Next we check who has SSH access. If there were any users defined, check their home folders for ssh keys.

  cat /home/username/.ssh/auth*

Remove any you do not expect to be there. Next check if and which specific users have been defined for SSH access in

  vi /etc/ssh/sshd

Usually this is fine.

MySQL passwords

First you need to change the root MySQL user. If none has been set do this:

  mysqladmin -u root password new_password

Otherwise do this and you will be prompted for the old password:

  mysqladmin -u root password new_password -p

Then the default mail user as well. If you know the old password:

  mysqladmin -u mail password new_password -p

Otherwise log into MySQL as root:

  mysql -u root -p

Enter the new root password specified above, then:

  update mysql.user set password=password('apassword') where user='mail';
  flush privileges;

You may need to revisit the top of the MySQL section to re-grant the mail user rights on the database. If you do not know the old root password, you have to restart MySQL without grant rights. Google it... :)

Update the postfix MySQL configuration files with the new password.

  sudo vi /etc/postfix/mysql*

  password=apassword

Update courier's authmysql file with the new password as well.

  sudo vi /etc/courier/authmysqlrc

  MYSQL_PASSWORD apassword

If SASL is set up, then you need to update its passwords. First in the postfix SASL file:

  sudo vi /etc/postfix/sasl/smtpd.conf

  sql_passw: aPASSWORD

Then on both lines in:

  sudo vi /etc/pam.d/smtp

  passwd=aPASSWORD

Check configurations

You should scan the postfix, courier, etc. configurations to check that they match what you expect.

Set machine name

Now you need to define your machine name, e.g. something like smtp.yourdomain.com. You need to define it in

  sudo vi /etc/mailname

And then your domain name in

  sudo vi /etc/postfix/main.cf

under the mydomain setting:

  myorigin=yourdomain.com

It could also be smart to check what the unix hostname is specified as:

  hostname

This can be reset with sudo hostname smtp.yourdomain.com, although this does not have to be the same as your postfix mail server name. You may want to specify some hosts in the hosts file as well:

  sudo vi /etc/hosts

  127.0.0.1 localhost.localdomain localhost
  127.0.0.1 smtp.yourdomain.com smtp

Certificates

You could go along with the generated certificates (if they are there; the default for Ubuntu). Or you could create new ones with the correct machine name in them, especially if this is a mail server used by many, and authenticity is important. Follow the TLS certificate instructions for Postfix and Courier.

Start and test services

Next you need to start your mail services and test them.

  sudo /etc/init.d/mysql start
  sudo /etc/init.d/spamassassin start
  sudo /etc/init.d/clamav start
  sudo /etc/init.d/amavisd start
  sudo /etc/init.d/postfix start
  sudo /etc/init.d/courier-imap-ssl start
  sudo /etc/init.d/courier-imap start
  sudo /etc/init.d/courier-authdaemon start

Then test the services via the testing section.

Insert data

Insert your mail domains, aliases and users using the data section. Sometimes there is test data already in the database. Remove it. E.g.:

  mysql -u mail -papassword maildb

  delete from domains where domain = 'bar.com';
  delete from aliases where mail = '[email protected]';

Open firewall

Then open up the firewall; follow the world access bit in the firewall configuration.

Voila. Up and running. Well, we hope.

Extend

Elastic Compute Cloud

Appendix

This work is licensed under a Creative Commons Attribution-ShareAlike 2.5 License.