After struggling for days to get my mail server working as I wished I put
this piece together both as an 'aide memoire' to myself, and the
possible help of others.
This configuration is quite comprehensive. Many stages can be left out if you only require a simple mailserver setup.
Configuring a Postfix mail server.
Mail is received both directly via SMTP , and from ISPs mail servers using fetchmail.
On receipt mail is checked for Windows viruses using ClamAV, and then checked for
Spam using Spamassassin and will be placed in a Qmail style Mail directory.
A Qmail directory uses one file for each mail message which is moved between three different folders. By comparison
a standard Unix mail file is one long file with new mails appended to the end.
Maildirs are used in this application because the Courier-IMAP application
requires them. In turn Courier-IMAP is used in preference to another
IMAP/POP3 server because of its ability to disassociate mail boxes
from System logins for greater security.
Clients will access their mail in two ways
- Local users use Kmail as a client to read mail either directly from the Maildirs, or using IMAP.
- Remote users will use Kmail or Sylpheed to access the Maildirs using IMAP
protocol over SSH. For additional security these users will be not
be using their normal login password, but will use a different
password. The Courier-imap authentication daemon will perform the
mapping between the mail password, and the login password. Because
IMAP is being used, all mails remain on the mail server so users can
check their mails either locally or remotely and see exactly the
same thing.
SoftwareUsed
Mandriva 2005LE Operating System
- postfix-2.1.5-6mdk
- fetchmail-6.2.5-10mdk
- fetchmail-daemon-6.2.5-10mdk
- procmail-3.22-5mdk
- spamassassin-3.0.4-0.1.102mdk (
- spamassassin-spamc-3.0.4-0.1.102mdk
- spamassassin-spamd-3.0.4-0.1.102mdk
- spamassassin-tools-3.0.4-0.1.102mdk
- perl-Mail-SpamAssassin-3.0.4-0.1.102mdk
- clamav-0.83-6mdk
- clamav-db-0.83-6mdk
- metamail-2.7-11mdk
- lha-1.14i-11mdk (in contrib)
- unarj-2.43-19plf (in plf)
- unrar-3.30-2plf (in plf)
- courier-imap--3.0.8-5mdk
- courier-imap-pop-3.0.8-5mdk
- TrashScan v0.12 from http://trashware.mirrorz.com/
In Mandriva 2006 the packages spamassassin-spamc and spamassassin-spamd have been left off the CDs. They are however in the 'main' folders on the online mirrors. Refer to http://easyurpmi.zarb.org/ to set up an online urpmi source for 'main'.
Make sure that the 'mailman' package is not installed.
If when installing Mandriva you select the 'Mail' tick box during package
selection, the installer will install mailman as well as Postfix.
Mailman alters the config files of Postfix, and Postfix will not work so long as
mailman is unconfigured. It is much easier to simply not install mailman.
Fetchmail Configuration
Mail comes from a variety of sources some of which are various ISP who
provide access via POP3 protocol. Fetchmail is used to read mail from
the ISP mailbox and pass it over to a local MTA (Mail Transfer Agent- Postfix) which
in turn will pass it to a Mail Delivery Agent (Procmail) for final delivery.
Fetchmail may be used either in single user mode, or in system wide mode.
In this case I am using fetchmail in system mode to collect mail for all
users.
The fetchmail-daemon RPM allows fetchmail to be started as a system
service which is configured by the file /etc/rc.d/init.d/fetchmail
This file will by default cause fetchmail to poll the ISPs POP3 servers every 180 seconds.
The configuration of fetchmail is controlled by the file
/etc/fetchmailrc which is easily configured with an editor.
My/etc/fetchmailrc now looks like this :-
set postmaster derek
set bouncemail
set no spambounce
set properties
poll pop.ispsrus.com with proto POP3
user 'username' there with password 'obscured' is 'derek' here options fetchall antispam 501
poll email.isp.net with proto POP3 interval 2
user 'myuser' there with password 'obscured'is 'derek' here options fetchall antispam 501
poll pop.anisp.com with proto POP3 interval 10
user 'anotheruser' there with password 'obscured' is 'rosie' here options fetchall antispam 501
Note: The 'antispam 501' option tells fetchmail that if Postfix refuses to
accept the mail with an error 501, that it is OK to discard the mail as spam and
not leave it on the POP3 server. I had to put this in because some Spam mails
had illegal headers which Postfix refused to accept.
Note: The 'interval N' option tells fetchmail to only poll that server once every 'N'
poll cycles. So for example N=2 will cause the server to be polled every 6 minutes.
By default fetchmail
will pass each mail as it is received to port 25 on the local host, or if
there is nothing listening on port 25, the mails will be passed to procmail. So there
is no point testing fetchmail until Postfix is installed and listening on Port
25.
PostfixConfiguration
Postfix is used as the mail server in favour over the most popular mail server on the internet Sendmail, because of its
much more simple configuration, and its reputation for security. It is also the mail server of choice
of MandrivaSoft, and I figured they probably know better than I do. There are many other mail server applications which could
be used in place of Postfix such as Qmail, Courier, and Exim.
Postfix may be configured either by editing text files, or by a Webmin
module. If you have never used webmin, then simply install the webmin module, and in Mandriva ControlCentre>System>Services start
the webmin service and then point your browser at
https://localhost:10000
Note: https NOT http
You will then be able to manage many applications including Postfix with a web based GUI. In this guide however I am going to describe configuring by editing the configuration files directly since you will get a much better understanding of what is going on.
Configuring /etc/postfix/main.cf
In this application very few parameters needed changing from the system
defaults.
- Postfix will complain if your computer does not have a hostname and domain name defined (Such as
MyComputer.anyolddomain.co.uk, or myhost.localdomain) Simply calling your computer 'Fred' is not acceptable.The hostname may
be set using drakconnect in Mandriva Control Centre, or by editing /etc/sysconfig/network .
If you do not want to use your Fully Qualified Domain Name as the name of your computer, then it is essential to set the
myhostname parameter in the Postfix configuration file.
Here are my changes to the /etc/postfix/main.cf file
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
myhostname = mail.mymailaddy.net
mydestination = $myhostname, localhost.$mydomain, $mydomain
mynetworks = 192.168.1.0/24, 127.0.0.0/8
home_mailbox = Maildir/
mail_spool_directory = /var/spool/mail
alias_maps = hash:/etc/postfix/aliases
mailbox_command = /usr/bin/procmail -Y -a $DOMAIN
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
manpage_directory = /usr/share/man
debug_peer_level = 1
debugger_command = PATH=/usr/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
delay_warning_time = 4
relayhost = smtp.myisp.com
The trailing '/' in the
home_mailbox line is very important. It defines Qmail type Mailboxes
instead of the default Unix type. This is important because I shall
be using the courier-imap IMAP server which requires Qmail format.
I am on an ADSL service from my ISP which does not guarantee I will always have the same IP address. Normally I would not be able to run a mailserver on such a service because people sending me mails need to translate between a domain name and an IP address. I get around this problem by using a Dynamic DNS Service.
Dyndns.org provides a free DNS service. You can choose your own Fully Quallified Domain Name, and whenever anyone tries to send you a mail their mail server will be directed to your IP address. The Dynamic DNS service is informed any time your IP address changes by a little daemon called ddclient available as an rpm package on any Mandriva contrib mirror. Ddclient runs as a service under Mandriva. Just edit the ddclient file in /etc to define your dyndns.org login and your hostname.
The relayhost line is needed because I am on a cable modem and when I send mails some recipients will perform a reverse DNS lookup to check if the IP address matches the hostname in the header. Since I use Dynamic DNS the reverse DNS will return my ISPs host name and my mails will be rejected. Forwarding mails via my ISPs SMTP server gets around this issue.
In
order to have the mail for 'root' to be forwarded to a user, an entry
is added to the /etc/postfix/aliases file. Be aware. Postfix will continuously put error messages in the log until a root alias has been defined.
#Person who should get root's mail
root:derek
As well as defining a root alias we shall also define two other aliases called 'ham' and 'spam'. Their use will become clear when we discuss Procmail and Spamassassin.
#Account to receive redirected spam and ham mails
spam:root
ham: root
Now create the aliases database by typing in a root terminal :-
newaliases
postfix reload
Virtual Addressing
In my application I am
receiving emails for two different domains, my normal domain, and a domain I
host for some friends.I therefore need to activate a virtual domain in Postfix.
This is done by adding a line to /etc/postfix/main.cf
virtual_maps = hash:/etc/postfix/virtualThe file /etc/postfix/virtual is then edited to include the lines
friendsdomain.homeip.net friendsdomain.homeip.net
postmaster@friendsdomain.homeip.net postmaster
sue@friendsdomain.homeip.net sue
grant@friendsdomain.homeip.net grant
An alias database must then be created by executing the command
postmap /etc/postfix/virtualand then users must be created for the users on the Linux system. Since
these users do not require log on access to the Linux computer.They can be
created without a /home directory
adduser -c Grant -M -p xxxxxx grant
Then restart Postfix and you should be able to
receive mails addressed to the virtual domain.
ProcmailConfiguration
The mailbox_command parameter in the postfix configuration
causes procmail to run as the final delivery agent, and to use ~/.procmailrc as
its configuration file.
Procmail is organised as a sequence of 'recipes'. Each recipe starts with a test, followed by an action if the test is met.
In my example the first recipe tests the 'To: ' header of each mail. If the mail is 'To: spam@foobar' then this mail is a spam mail which had previously made it to my inbox, and I had redirected it in order that spamassassin could 'learn' it's characteristics and become better at detecting spam.
The second recipe is similar, but this time it is non-spam mail which had been falsely recognised as spam. (Note : I have never actually had spamassassin falsely detect a non spam mail as spam)
In both cases 'sa-learn' is invoked to train spamassassin.
Note : Training spamassassin with sa-learn will improve its effectiveness, but even without these recipes Spamassassin is very effective.
The third recipe calls trashscan which will run the mail through the ClamAV anti-virus engine. Infected mails will go into the 'virus' mail folder, and emails will be sent to alert the recipient, and the mail administrator.
Note : Virus protection is only required if your mail server is going to have clients using Windows. Effectively there are no Linux viruses so you will not need ClamAV if all your clients are Linux users.
The next recipes detect if the mail has come from a newsgroup to which I am subscribed, and will place the mail in a folder for that group.
The last recipe runs Spamassassin and depending on the result will put spam mails into a junkmail folder.
Any mail which does not meet any of the procmail recipes will go into the default folder.
[root@jennings root]# more /home/derek/.procmailrc
SHELL=/bin/sh
PATH="$HOME/bin:/usr/bin:/usr/local/bin:/usr/include:/usr/local/sbin:/bin:/sbin:/usr/sbin"
LOCKFILE=$HOME/lockfile.lock
ASSASSINLOCK=$HOME/assassin.lock
DEFAULT=$HOME/Maildir/
JUNKMAIL=$HOME/Maildir/.junkmail/
TRASH=$HOME/Maildir/.Trash
NEWBIE=$HOME/Maildir/.LinuxNewbie/
EXPERT=$HOME/Maildir/.LinuxExpert/
VIRUS=$HOME/Maildir/.virus/
BITBUCKET=/dev/null
LOCKTIMEOUT=10
#LOGFILE=/tmp/procmail_log
#LOGABSTRACT=no
#VERBOSE=no
# Feed redirected spam to sa-learn
# If a spam does make it past spamassassin I redirect it to spam@mymailaddy
#It will then be added to the spam database
:0
* ^To:.*spam@foobar
* < admin="postmaster@mymailaddy" quar="~/Maildir/virus" mta="/usr/sbin/postfix--">
#Filter out Mails from Newgroups
#There is no need to test these for spam
:0 :
* ^Sender: newbie-owner
$NEWBIE
:0 :
* ^Sender: expert-owner
$EXPERT
#Junk mail from unwanted sources
:0
* ^From: Sms Message
$BITBUCKET
#Run SpamAssassin daemon mode
#spamc is the daemon for spamassassin
#spam mails will come back marked with a spam header
:0 fw : $ASSASSINLOCK
| spamc
:0
* ^X-Spam-Flag: YES
$JUNKMAIL
# Catches everything else.
#Anything left over goes into the DEFAULT folder
SpamAssassinConfiguration
SpamAssassin needs little
setup other than to install the RPM, and then start the spamd service in Mandriva Control Centre>System>Services.
Spamassassin runs many tests on each mail. Some of them are textual (looks for spammish words like viagra), others test the mail headers (check for header spoofing), while others look for other spammer behaviour (such as BIG FONTS)
One of the most effective tests is Bayesian analysis.
Bayesian analysis works by comparing the words in a mail with words that appear in known spam, and known non spam, then calculating the probability of the mail being spam.
In order for Bayesian analysis to work it must have a database of known spam and non -spam (ham) to work on.
Spamassassin will not use Bayes until it has a database of 200 spam mails and 200 non spam mails.
Each time a mail has a score above 12 points, Spamassassin will add it to its spam database, and will add it to its ham database if the score is below 0.1 points ( I set this to 1.0 in my network)
If you have folders of spam or ham mails you can use them to initialise the Bayes database using the utility 'sa-learn'. See 'man sa-learn' for details.
Whenever a spam mail gets past spamassassin and makes it through to my inbox, I redirect it back to my mailserver addressed to spam@foobar where it goes back to my procmail recipes where it is recognised, and the mail is passed through sa-learn to improve spamassassin. (Replace foobar with the address of your mail server)
When spamassassin is first run it will create a file ~/.spamassassin/user_prefs which may be modified to
suit your taste.
By default spamassassin misses out some tests which
are free for personal use, but require a subscription from third
parties for commercial use. Since those tests are very useful it is
worth adding them.
You can also change the score threshold for
detecting spam, and add addresses to the whitelist if they keep
getting detected as false positives.
There is also a global configuration file at /etc/mail/spamassassin/local.cf which will set the defaults for all users.
Here is mine :-
# This is the right place to customize your installation of SpamAssassin.
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###########################################################################
#
#rewrite_subject 0
#report_safe 1
auto_whitelist_path /var/spool/spamassassin/auto-whitelist
auto_whitelist_file_mode 0666
use_bayes 1
bayes_auto_learn 1
use_razor2 1
# How many hits before a mail is considered spam.
required_hits 6
# score SYMBOLIC_TEST_NAME n.nn
score RCVD_IN_BL_SPAMCOP_NET 4
The autowhitelist is a feature that will recognise if people have sent you spam or non spam (ham) mails in the past and weight theur scores accordingly. So it is unlikely spamassassin will reject mails from your regular correspondents.
Here is my /home/derek/.spamassassin/user.prefs file which will override the global file. :-
dns_available yes
# Bayes filters requires at least 200 entries of spam and 200 of ham
# for start working
use_bayes 1
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 1
skip_rbl_checks 0
#If Vipul's razor is installed it can be used to check
#if a mail has been reported as spam
use_razor2 1
#pyzor is another database of reported spams
use_pyzor 0
#My spamasssin crashes if I enable dcc checking
use_dcc 0
dcc_timeout 5
#dcc_add_header 1
# How many hits before a mail is considered spam.
required_hits 5
# Whitelist and blacklist addresses are now file-glob-style patterns, so
# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.
# whitelist_from someone@somewhere.com
whitelist_from *.mandrakeclub.com
blacklist_from *@recessionspecials.com
blacklist_from *@amazingwebspecials.com
# Add your own customised scores for some tests below. The default scores are
# read from the installed spamassassin rules files, but you can override them
# here. To see the list of tests and their default scores, go to
# http://spamassassin.org/tests.html .
#
# score SYMBOLIC_TEST_NAME n.nn
# I change these because when Bayes is enabled other scores are
#too low in my opinion
score MISSING_OUTLOOK_NAME 0.100 0.576 0.1 0.1
score HTML_60_70 0.527 0.100 0.200 0.200
score HTML_SHOUTING3 0.108 0.333 0.1 0.1
score HTML_TAG_EXISTS_TBODY 0.496 0.201 0.439 0.200
score MISSING_MIMEOLE 0.501 0.501 0.241 0.200
score MISSING_OUTLOOK_NAME 0.100 0.576 0.1 0.1
score IN_REP_TO 0 0 0 0
score REFERENCES 0 0 0 0
score BAYES_60 0 0 2.502 2.502
score BAYES_70 0 0 3.637 3.637
score BAYES_80 0 0 4.1 4.1
score BAYES_90 0 0 4.2 4.2
score BAYES_99 0 0 4.300 4.3
It is possible to extend spamassassin to do additional tests.
I like to check a variety of DNSBL locations so I can check for example if a mail has come from China for example. I know no one in China, so to receive a mail from there is very suspicious. To enable DNSBL checking create a file /etc/mail/spamassassin/dnsbl.cf containing the text here
(Thanks to Bryan Phinney for providing this list)
It is possible to add many more customised rule sets. A visit to SpamAssassin Rules Emporium can provide
you with many custom rule sets, and a utility called "RulesDuJour" to automatically update them.
Clam Anti Virus Configuration
Once Clamav has been installed run 'freshclam' from a root terminal to bring the virus database up to date.
However the clamav RPM package will have put a cron job in /etc/cron.daily to update the virus database every day. Unfortunately the way this job is written you will get a warning email from cron even if the update completes successfully.
Therefore I have altered /etc/cron.daily/freshclam like this :-
#!/bin/sh
# A simple update script for the clamav virus database. This could as well
# be replaced by a SysV script.
# fix log file if needed
LOG_FILE="/var/log/clamav/freshclam.log"
if [ ! -f ${LOG_FILE} ]; then
touch $LOG_FILE
chmod 644 $LOG_FILE
chown clamav.clamav $LOG_FILE
fi
/usr/bin/freshclam \
--quiet \
--datadir=/var/lib/clamav \
--log=$LOG_FILE \
--log-verbose \
--daemon-notify=/etc/clamav.conf
es=$?
if [ $es="1" ]; then
exit 0
else
exit $es
fi
It should be remembered that cron will not run jobs which were missed because the computer was switched off, and since cron.daily runs at 4am each morning the jobs will never be run if you switch the computer off at night. To avoid this issue install the 'anacron' package which will run missed jobs when the computer is powered on.
A simple shell script called trashscan is used to pass mails through the ClamAV scanner.
Trashscan used to be included in the ClamAV package, but is no longer provided. You can download the latest version from
Here. (currently 0.12)
Unpack the compressed folder and put the trashscan file into /usr/local/bin/trashscan edit the variables to suit your environment and make the
file executable.Here are the changes I made to trashscan:-
SCANDIR=/tmp
VSCANNER=clamav
VSCANPRG=/usr/bin/clamscan
VSCANSUSP=virus
ALERT=yes
ALERTRCVR=postmaster@foobar # Receiver of virus alert messages
ALERTSNDR=postmaster@foobar # Sender of virus alert messages
ALERTCTCT=postmaster@foobar
NOTIFY=no
#(${CAT} ${TASKDIR}/head.rep; ${CAT} ${TASKDIR}/body.rep) | ${SENDMAIL} -t -oi # Comment this line out to suppress notification to sender
# they are all spoofed anyway, so there is no point
Replace 'foobar' with the name of your mail domain.
Installing metamail is required for trashcan, and installing unrar, lha, and unarj will enable trashscan to find viruses in compressed archives.
In operation Procmail will pass all mails through trashscan which will run clamscan on them. A header is placed in the mail indicating whether it is suspicious or not, and the next procmail recipe will put infected mails into a virus mail folder. A warning email will be sent to the mail recipient, and to the mail administrator.
Being a Bash script trashscan is not suitable for use on high volume mail servers. I am using it because I was having trouble with clamdmail which I was previously using.
Maildir Configuration
Our remote users will be serviced by Courier-Imap which only
supports Maildir type mailboxes, so our local users are also going to use Maildir
format for consistency. (This also allows local users to retrieve their mail when
travelling).
A Maildir mailbox
consists of a directory in the users $HOME with a default name of Maildir. Inside
this directory are three other directories with the names cur, new, and
tmp
Subfolders may also be placed in the Maildir
directory. Their names should be prefixed with . To denote them as a
subdirectory. The remote clients will be using Sylpheed which requires specific
names for certain folders.
The easiest way to define mail folders is using the maildirmake++ command
which is part of the courier-imap package.
In the users home directory enter this command (as the user not root)
:-
maildirmake++ Maildir
maildirmake++ -f Sent Maildir
maildirmake++ -f Queue Maildir
maildirmake++ -f junkmail Maildir
maildirmake++ -f virus Maildir
maildirmake++ -f Drafts Maildir
maildirmake++ -f Trash Maildir
YourMaildir will then have this structure
Now we can test out using Kmail to receive mails directly from the Maildir folder.
When first starting Kmail it will default to Unix style mailboxes (flatfiles) To make Kmail use Maildir
folders :-
Settings>ConfigureKMail>Folders
Select "By default mail folders are :-directories(maildirformat)"
Nextyou must define an account to recieve mails on
Settings>ConfigureKMail>Network>Receiving>Add
Select'Maildir mailbox'>OK
Pick a name for the account, select 'location'= ~/Maildir
Enable Interval mail checking.
Next we will define a sending
account
Settings>ConfigureKMail>Network>Sending>Add
SelectSMTP account>OK
Name=pickaname
Host=Your_host_name.your_domain_name>Port=25>OK
When you restart kmail it should find the Maildir folder which will be listed in addition to the
normal kmail folders.<>
Note: We are not yet using IMAP to access the mails. IMAP is actually more flexible than accessing the maildirs directly with kamail, so I recommend that IMAP should be used even when the mail server is local.Testing Local delivery
If all is correct (and I have written this guide
correctly) you will now be able to test mails which originate from your local
computer back to yourself.
Using kmail send a mail to your local mail address (make
sure you use the smtp account we just set up)
your_user@localhost
The mail will be delivered from Kmail to postfix which will recognise this as a local user, and pass the mail to procmail, then to spamassassin, then to /home/your_user/Maildir/new where it will be found
by Kmail after a short wait who will then put it into~/home/Mail/inbox/cur
If your mail does not arrive trace it back through the system to see where it is stuck. Do not forget to look in /var/log/mail/errors,/var/log/mail/info, and the procmail log if
enabled.
The relayhost=smtp.myisp.com statement in /etc/postfix/main.cf is used to tell postfix which mail server to relay mails
through which terminate somewhere else on the internet. Postfix could send mails
directly to the final destination in a single hop without going through a relay
server, but many mail servers will compare the host names in the header of a mail
with the IP address listed in DNS servers, and reject them if they do not match on
the assumption the mail has been sent by a spammer trying to impersonate another
mailserver. By putting my ISPs mailserver name in this field the header of the
mail will have the same name and IP address as the previous hop, and receiving mail
servers will be satisfied.
If you send a mail using Kmail to your ISPs account you can check if
you can send mails using postfix, and that fetchmail is corrrectly configured to
receive them using POP3 protocol.
If the mails never arrive back in your inbox stop the fetchmail daemon and run fetchmail manually. In a root terminal :-
service fetchmail stop
fetchmail -v -f /etc/fetchmailrc
Examine output then
service fetchmail start
Configuring Courier-imap
The next step is to enable IMAP access to allow mail clients to log in to check their
mail.
Install the courier-imap RPM.
Courier-imap is started by the command
service courier-imap start
or by setting the service in Mandriva Control Centre>System>Services
If OpenSSL is also installed courier-imap will automatically support
logins over ssl when requested.
With default settings courier-imap will work with the configuration
described so far. By default courier-imap will use the directory 'Maildir' in a users home. If you
require it to use a different directory edit the 'MAILDIRPATH=' parameter in /etc/courier/imapd (and pop3d, pop3d-ssl) file.
There are also lots of other intereseting parameters in the courier-imap configuration to play with.
To use imap with sylpheed
In Sylpheed
Configuration>CreateNewAccount
Name=pickaname
Protocol=IMAP4
Server for receiving=your_mail_servername.and_domain
smtpserver
(send)=your_mail_servername.and_domain
UserID=your_user_name
Password+your_password
SelectSSL Tab and set
UseSSL for IMAP4 connections>OK
Right clicking on the account and selecting Rescan Folder Tree should cause an IMAP login, and you should see your mail and folders.
If you do not see all the folders you defined in ~/Maildir, then
that is probably because they do not start with a '.' character, or they are
not Maildir type directories with a cur,new, and tmp subdirectory. It is also
essential that maildir directories named .Sent , .Drafts, and .Trash are
present.
You should now be able to send and receive mails from Sylpheed.using IMAP.
Using remote Imap folders with Kmail
Create a new account with Settings>ConfigureKmail>Network>Recieving>Add>Imap.
Choose a name for the account and give the connection details. Once the account is added you will see
it appear in Kmail's folder list.
Right click on the base Imap folder and select 'Subscription'. A window will appear to allow you to select which of the subfolders
are going to be visible. Once a folder is subscribed to it will appear under the base folder. Right clicking on a subfolder
and selecting 'Properities' allows you to select if the subfolder is checked for new mail.
Now close Kmail, restart it, and go back to Settings>ConfigureKmail>Network>Receiving and Modify your Imap account.
You will now be able to select your Imap Trash folder as the 'Deleted Items folder'. Restarting Kmail is necessary because
the Imap folder will not appear in the drop down selection box if the base folder has only just been subscribed to.
Similarly go to Settings>ConfigureKmail>Identities, select an identity to modify>Advanced, and select your Imap Drafts
and Sent folder as 'Drafts folder' and 'Sent Mail folder'
Configuring Courier-imap-pop
Some of my users need POP3 access to their mails. The courier-imap-pop package supports pop3 and pop3 over SSL. It uses the same Qmail folders as the Imap server, but can only support one folder. So all that is
required is to create a single mail folder
maildirmake++ MaildirThe Pop3 service will not start until the file /etc/courier/pop3.dist is renamed to /etc/courier/pop3 (for normal POP3) and/or the file /etc/courier/pop3d-ssl.dist is renamed to /etc/courier/pop3d-ssl (for
secure pop3 access)
Then restart the courier imap service with
service courier-imap restartAnd both imap and pop3 services should be running.
If you are not concerned with increasing system security the mail server configuration is now complete, and you can give yourself a pat on the back.
Securing your System
Using the same username/password combination for login and for remote mail access is a
security risk.
If your username/password were to be intercepted when retrieving e-mails, then
they could be used to attack your computer with telnet (if you were foolish
enough to enable it), or even ssh (if you did not depend on public/private key
combinations)
So I decided to enforce a system whereby my remote users had a different
password to the local login.
The simplest way of configuring this with courier-imap is to use 'authuserdb'
authenticationwhich is possible with the standard courier-imap RPM without any
additional modules.
Normally when you use imap authentication is performed by PAM. Any remote users
who offer a valid login password will be granted access.
To disable this; edit the file/etc/courier/authdaemonrc and comment out and
insert as shown
#authmodulelist="authcustom authcram authuserdb authldap authpgsql authmysqlauthpam"
authmodulelist="authuserdb"
This will disable all methods of user authentication other than the
'userdb' method.
Restart the authdaemond with the commands
/usr/lib/courier/authlib/authdaemond stop
/usr/lib/courier/authlib/authdaemond start
You will now find your imap access no longer works!!!
Now we must create a user database in the file /etc/userdb
First we have to pick passwords for each form of access we want to permit, e,g
imap, pop3, pop3 secure etc.
A password is created using the command
userdbpwWhen prompted give the password you wish to use. An encrypted string will be
returned.
Now create the file /etc/userdb in the format shown below for
each local user who will require remote E-mail access. Where I have put
'obscured' insert the encrypted password string. You must insert a
password string for each method of access you want to enable, e.g.
impappw,pop3pw, pop3spw. Be sure also to insert the correct
uid/gid and home directory information for each user.
The uid/gid numbers may be ascertained by typing ' /usr/sbin/pw2userdb'
derek uid=501|gid=501|home=/home/derek|shell=/bin/bash|imappw=obscured|pop3pw=obscured
Note:There is one Tab character after the username.There must beNO
spaces
Now rebuild the binary database with the commands
/usr/lib/courier/authlib/authdaemond stop
makeuserdb
/usr/lib/courier/authlib/authdaemond start
Your imap server should resume working. The authentication daemon will be looking
up the password supplied by remote IMAP clients in the binary database for the rquested service type, and only
allowing access if there is a match.
Restart the authdaemond again, and change your password in your mail
client(e.g. sylpheed) to be the new password (unencrypted), and your Imap should
be working again.
Firewall Considerations -
To send/receive mail via SMTP port 25 must be open. To check mail with Pop3 from a computer in the local network, port 110
must be open. (Do not open port 110 to the Internet unless you want to be able to check mail remotely). To retrieve mail with IMAP
port 143 must be open. A convenient tool to manage the shorewall firewall is webmin. Install the webmin RPM, start webmin service using
Mandriva control Centre>System>Services, and then enter https://localhost:10000 in a browser.
Wednesday 11th August, 2004
