Monday, August 30, 2010

Postfix Mail Server

POSTFIX MAIL SERVER
Switch to Postfix from Sendmail
1. Click System, select Administration, and click Mail Transport Agent Switcher. This
will launch the system-switch-mail window.
2. In the system-switch-mail window, select Postfix and click Ok
Configure Postfix
1. Click Applications, select System Tools then click File Browser. This will launch the
File Browser window.
2. In the Location field, type in /etc/postfix and press Enter. If you don’t see the Location
field, click the notepad button to toggle to text-based location bar.
3. Double click on the file main.cf to open it for editing. We need to make Postfix listen for
network requests, accept mail addressed to our domain, and store mail in Maildir, which is a
better mailbox format than the default mbox.
Find the following keys and change their values as follows
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
home_mailbox = Maildir/
In main.cf, lines starting with # are comments. Save the file after completing your
changes.
Make sure that all mail_spool_directory lines are commented out. Otherwise, it
will override the setting in the home_mailbox line above.
4. Restart the postfix service
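The main.cf edit in step 3 above is the same "find the key and change its value, or add it at the bottom" operation that this guide repeats for every Postfix setting. The script below is an added example, not code from the guide or from Postfix; it encodes the main.cf rules that matter here (one `name = value` per logical line, `#` starts a comment, a line starting with whitespace continues the previous value, and the last definition of a key wins, which is why a stray active mail_spool_directory line must be commented out) and verifies the result through a parser rather than by string search. The sample main.cf it edits is constructed, and the simplification that a comment or blank line ends a continued value is an assumption.

```python
"""Apply the guide's main.cf edits to a Postfix configuration file."""
import re

KEY_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=")
CONTINUATION = (" ", "\t")

# The three settings step 3 changes in /etc/postfix/main.cf.
GUIDE_SETTINGS = {
    "inet_interfaces": "all",
    "mydestination": "$myhostname, localhost.$mydomain, localhost, $mydomain",
    "home_mailbox": "Maildir/",
}


def parse_main_cf(text):
    """Return {key: value} with continuation lines joined; last definition wins."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            current = None                      # comment/blank ends a value (assumption)
            continue
        if line[0] in CONTINUATION and current is not None:
            params[current] += " " + line.strip()
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            params[current] = line.split("=", 1)[1].strip()
        else:
            current = None                      # unparseable line: ignore
    return params


def set_param(text, key, value):
    """Replace the active `key = ...` logical line(s) with one `key = value`,
    keeping the first one's position; append at the bottom if absent."""
    out, replaced, skipping = [], False, False
    for line in text.splitlines():
        if skipping and line[:1] in CONTINUATION:
            continue                            # drop continuation of the old value
        skipping = False
        m = KEY_RE.match(line)
        if m and m.group(1) == key:
            skipping = True
            if not replaced:
                out.append(f"{key} = {value}")
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def comment_out(text, key):
    """Prefix every active `key = ...` logical line (with continuations) with #."""
    out, inside = [], False
    for line in text.splitlines():
        if inside and line[:1] in CONTINUATION:
            out.append("#" + line)
            continue
        m = KEY_RE.match(line)
        inside = bool(m and m.group(1) == key)
        out.append("#" + line if inside else line)
    return "\n".join(out) + "\n"


def apply_guide_settings(text):
    for key, value in GUIDE_SETTINGS.items():
        text = set_param(text, key, value)
    return comment_out(text, "mail_spool_directory")


def verify(text):
    """Check the result through the parser rather than by string search."""
    p = parse_main_cf(text)
    return (all(p.get(k) == v for k, v in GUIDE_SETTINGS.items())
            and "mail_spool_directory" not in p)


# Constructed sample resembling a stock main.cf; not a file from the guide.
SAMPLE_MAIN_CF = """\
# constructed sample main.cf
myhostname = mail.acme.local
mydomain = acme.local
inet_interfaces = localhost
mydestination = $myhostname, localhost.$mydomain,
    localhost
mail_spool_directory = /var/spool/mail
"""

if __name__ == "__main__":
    edited = apply_guide_settings(SAMPLE_MAIN_CF)
    print(edited)
    print("settings verified:", verify(edited))
```

Run it against a copy of /etc/postfix/main.cf before touching the live file; once Postfix has been restarted with the edited configuration, the telnet session that follows exercises the result.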
[root@mail ~]# telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.acme.local ESMTP Postfix
ehlo host
250-mail.acme.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: johndoe
250 2.1.0 Ok
rcpt to: johndoe
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
test
.
250 2.0.0 Ok: queued as 9729067C17
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]#
To check if the mail indeed exists
[root@mail ~]# cd /home/johndoe/Maildir/new
[root@mail new]# ls
1185669817.Vfd00I18012M795756.mail.acme.local
Don't worry, you don't have to type in the whole filename. Just type in the first
few characters, say 118, then press Tab to activate automatic completion.
[root@mail new]# cat 1185669817.Vfd00I18012M795756.mail.acme.local
From johndoe@mail.acme.local Thu Feb 22 21:48:28 2007
Return-Path: <johndoe@mail.acme.local>
X-Original-To: johndoe
Delivered-To: johndoe@mail.acme.local
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
        by mail.acme.local (Postfix) with SMTP id 9729067C17
        for <johndoe@mail.acme.local>; Thu, 22 Feb 2007 21:48:26 -0500 (EST)
Message-Id: <20070222134827.9729067c17@mail.acme.local>
Date: Thu, 22 Feb 2007 21:48:26 -0500 (EST)
From: johndoe@mail.acme.local
To: undisclosed-recipients:;

test
Dovecot
Installing and setting up Dovecot in Red Hat Enterprise Linux 5 or CentOS 5 is easy. All
we have to do is enable the services we would like to provide and we are good to go.
1. Click Applications, select System Tools then click File Browser. This will launch the
File Browser window.
2. In the Location field, type in /etc and press Enter. If you don’t see the Location field,
click the notepad button to toggle to text-based location bar.
3. Double click on the file dovecot.conf to open it for editing. We need to change a few
key items.
Find the following keys and change their values as follows
protocols = pop3 pop3s imap imaps
mail_location = maildir:~/Maildir/
pop3_uidl_format = %08Xu%08Xv
imap_client_workarounds = delay-newmail outlook-idle netscape-eoh
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
For 64-bit users: add the line login_process_size = 64 to the file
/etc/dovecot.conf.
Lines starting with # are comments. The last two lines enable workarounds for various
client bugs. Save the file after completing your changes.
4. Start the dovecot service.
Test Dovecot
1. Click Applications, select Accessories, and click Terminal. This will launch the
Terminal window.
2. In the Terminal window, type in the highlighted commands below.
Sample Dovecot session. Replace johndoe and password with any valid user name and
password.
[root@mail ~]# telnet localhost pop3
+OK dovecot ready.
user johndoe
+OK
pass password
+OK Logged in.
list
+OK 1 messages:
1 622
.
retr 1
+OK 622 octets
Return-Path: <johndoe@mail.acme.local>
X-Original-To: johndoe
Delivered-To: johndoe@mail.acme.local
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
        by mail.acme.local (Postfix) with SMTP id 9729067C17
        for <johndoe@mail.acme.local>; Thu, 22 Feb 2007 09:06:37 -0500 (EST)
Message-Id: <20070222140640.9729067c17@mail.acme.local>
Date: Thu, 22 Feb 2007 09:06:37 -0500 (EST)
From: johndoe@mail.acme.local
To: undisclosed-recipients:;
X-IMAPbase: 1172153557 1
Status: O
X-UID: 1
Content-Length: 5
X-Keywords:
test
.
quit
+OK Logging out.
Connection closed by foreign host.
SMTP Authentication
SMTP Authentication (SMTP Auth) provides an access control mechanism that can be
used to allow legitimate users to relay mail while denying relay service to unauthorized
users, such as spammers.
Thanks to the new SASL support in Dovecot 1.0 and the new Dovecot SASL support in
Postfix 2.3, setting up SMTP authentication is now easier. Instead of setting up two
separate authentication back ends for Postfix and Dovecot, we can configure authentication
in Dovecot only and let Postfix talk to Dovecot.
Configure Postfix and Dovecot
1. Edit the file /etc/dovecot.conf and make sure your auth default section has the lines
below.
auth default {
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
  mechanisms = plain login
}
2. Edit /etc/postfix/main.cf, find the keys below and change their values
as follows, or add them at the bottom of the file if the key (the word
before the = sign) cannot be found.
mynetworks = 127.0.0.0/8
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    reject_invalid_hostname, reject_non_fqdn_hostname,
    reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unknown_sender_domain, reject_unknown_recipient_domain,
    reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net,
    reject_unlisted_recipient, check_policy_service unix:postgrey/socket,
    check_client_access regexp:/etc/postfix/blacklist_clients
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
broken_sasl_auth_clients = yes
Then create the access table that check_client_access refers to:
vi /etc/postfix/blacklist_clients
# IP
/^10\.10\.1\.2$/ REJECT UCE black-listed
# IP block
/^10\.10\.1/ REJECT UCE black-listed
# exact domain
/^example\.com$/ REJECT UCE black-listed
# everything in a domain
/example\.com$/ REJECT UCE black-listed
# specific hosts
/^uce-relay\.example\.com$/ REJECT UCE black-listed
The first line, mynetworks, says to trust only localhost, meaning only localhost can send
email outside the network (relay) without authenticating. The last line,
broken_sasl_auth_clients, is there to support old clients like Microsoft Outlook Express 4.0
and Microsoft Exchange 5.0, just in case someone is still using them; it makes Postfix also
advertise AUTH in the obsolete AUTH=LOGIN PLAIN form.
Lines starting with # are comments. Save the files after completing your changes.
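The blacklist_clients table above is a Postfix regexp: access table, and regexp patterns are unanchored unless written otherwise, so it is worth dry-running them before Postfix applies them to real clients. The script below is an added example, not code from the guide or from Postfix: it embeds the table from above, evaluates it against a handful of constructed clients (documentation IP ranges, not real hosts), and then evaluates a hardened version of the same table. Simplifications that are assumptions of this example: each rule is tried in file order against the client hostname and then the client IP address, first match wins, patterns are case-insensitive, and flags after the closing slash are not supported; the authoritative matching rules are in access(5) and regexp_table(5).

```python
"""Dry-run a Postfix regexp: access table as check_client_access would use it."""
import re

# The table from this guide, embedded so the example runs offline.
BLACKLIST_CLIENTS = r"""
# IP
/^10\.10\.1\.2$/ REJECT UCE black-listed
# IP block
/^10\.10\.1/ REJECT UCE black-listed
# exact domain
/^example\.com$/ REJECT UCE black-listed
# everything in a domain
/example\.com$/ REJECT UCE black-listed
# specific hosts
/^uce-relay\.example\.com$/ REJECT UCE black-listed
"""

# Same intent, with the two over-broad patterns anchored properly (example's own).
HARDENED_TABLE = r"""
/^10\.10\.1\.2$/          REJECT UCE black-listed
/^10\.10\.1\./            REJECT UCE black-listed
/(^|\.)example\.com$/     REJECT UCE black-listed
"""

RULE_RE = re.compile(r"^/(.*)/\s+(.+)$")      # `/pattern/ result`


def load_table(text):
    """Parse `/pattern/ result` lines into (pattern, compiled, result) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse access rule: {line!r}")
        rules.append((m.group(1), re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def lookup(rules, client_name, client_address):
    """First matching rule for the hostname, then the IP: (result, pattern)."""
    for key in (client_name, client_address):
        for pattern, rx, result in rules:
            if rx.search(key):                 # regexp tables are unanchored
                return result, pattern
    return None, None


# Constructed clients; the comments say what the table's own comments promise.
CLIENTS = [
    ("uce-relay.example.com", "10.10.1.2"),   # listed host on a listed IP
    ("mail.partner.net", "10.10.1.77"),       # inside the 10.10.1.x block
    ("mail.partner.net", "10.10.10.5"),       # outside the block, yet /^10\.10\.1/ matches
    ("host.notexample.com", "203.0.113.9"),   # unrelated domain, yet /example\.com$/ matches
    ("mx.example.com", "203.0.113.10"),       # a real example.com host
    ("mail.clean.org", "198.51.100.4"),       # should be left alone
]


def evaluate(table_text, clients=CLIENTS):
    rules = load_table(table_text)
    return [(name, addr) + lookup(rules, name, addr) for name, addr in clients]


if __name__ == "__main__":
    for title, table in (("guide table", BLACKLIST_CLIENTS), ("hardened", HARDENED_TABLE)):
        print(f"--- {title}")
        for name, addr, result, pattern in evaluate(table):
            print(f"{name:24} {addr:14} {result or 'no match':24} {pattern or ''}")
```

The run shows the two false positives: /^10\.10\.1/ also rejects 10.10.10.5 (and anything else whose address merely starts with those digits), and /example\.com$/ also rejects host.notexample.com. Adding the trailing escaped dot and the (^|\.) alternative, as in the hardened table, keeps the intended matches and drops the accidental ones.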
3. Restart the Dovecot and Postfix services. But if you installed MailScanner, restart
MailScanner instead of Postfix.
Test SMTP Authentication
In a Terminal window, type in the highlighted commands below.
telnet mail smtp
Replace mail with the name of your server. Do not use localhost, since localhost is a
trusted client IP address (it is covered by mynetworks) and would be allowed to relay
without authenticating.
Trying 192.168.0.1...
Connected to mail.acme.local (192.168.0.1).
Escape character is '^]'.
220 mail.acme.local ESMTP Postfix
ehlo host
250-mail.acme.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Note the new 250-AUTH lines. See the old SMTP Telnet Test.
mail from: johndoe
250 2.1.0 Ok
rcpt to: test@domain.local
554 5.7.1 <test@domain.local>: Relay access denied
It works, now to check if we can send it after authenticating.
auth plain AGpvaG5kb2VAYWNtZS5sb2NhbABwYXNzd29yZA==
235 2.0.0 Authentication successful
rcpt to: test@domain.local
250 2.1.5 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]#
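The string on the auth plain line above is the SASL PLAIN message from RFC 4616, authzid NUL authcid NUL password, base64-encoded for SMTP. The script below is an added example, not code from the guide or from Postfix or Dovecot: it rebuilds that token from the guide's own test credentials (johndoe@acme.local / password), decodes it back, and redacts such a line before it is pasted into a ticket or log. Base64 is an encoding, not encryption, so a token captured from an unencrypted port 25 session like the one above yields the password directly.

```python
"""Build, decode and redact SASL PLAIN tokens as sent on the AUTH PLAIN line."""
import base64

GUIDE_TOKEN = "AGpvaG5kb2VAYWNtZS5sb2NhbABwYXNzd29yZA=="   # from the session above


def sasl_plain_token(authcid, password, authzid=""):
    """Encode the PLAIN message for an `AUTH PLAIN <token>` command."""
    raw = (authzid.encode("utf-8") + b"\0"
           + authcid.encode("utf-8") + b"\0"
           + password.encode("utf-8"))
    return base64.b64encode(raw).decode("ascii")


def parse_sasl_plain_token(token):
    """Decode a token into (authzid, authcid, password); reject malformed input."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError as exc:
        raise ValueError("token is not valid base64") from exc
    parts = raw.split(b"\0")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("PLAIN message must be authzid NUL authcid NUL password")
    return tuple(p.decode("utf-8") for p in parts)


def redact_auth_line(line):
    """Replace the token on an `AUTH PLAIN ...` line before it goes into a ticket or log."""
    parts = line.split()
    if len(parts) == 3 and parts[0].upper() == "AUTH" and parts[1].upper() == "PLAIN":
        return f"{parts[0]} {parts[1]} <redacted>"
    return line


if __name__ == "__main__":
    token = sasl_plain_token("johndoe@acme.local", "password")
    print("matches guide token:", token == GUIDE_TOKEN)
    print("decodes to:", parse_sasl_plain_token(GUIDE_TOKEN))
    print(redact_auth_line("auth plain " + GUIDE_TOKEN))
```

Because the decode step is this simple, Postfix can be told to offer AUTH only on TLS-protected sessions with smtpd_tls_auth_only = yes once TLS is configured; the guide's configuration as written accepts PLAIN and LOGIN on the unencrypted port.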
Starting the Web Server
1. If you did not add Web Server and squirrelmail during installation, you can add it now.
Using the Package Manager tool, add the Web Server package in the Servers category.
Also add the optional package squirrelmail located in the Mail Server package under the
category Servers.
2. Start the httpd service.
1. Click the globe icon at the top near the System menu to launch the Firefox web
browser.
If an error occurs, you probably did not install the Graphical Internet package. You can
add it now using the Package Manager tool.
2. In the address box, type in http://localhost/webmail and press Enter. Type in a valid
username and password and click Login.
3. That’s it, it’s working.
Locating SquirrelMail into the domain root
By default, SquirrelMail is located in the /webmail of your domain. If you prefer to
access SquirrelMail from the root of your domain, follow the steps below.
1. Create the file /etc/httpd/conf.d/sqroot.conf containing the lines below.

DocumentRoot /usr/share/squirrelmail

2. Restart the httpd service.
3. Now try browsing http://localhost
How to add a password change utility.
If you are using Linux system accounts as your mail accounts, you can install the
change_passwd plugin to enable SquirrelMail to provide a password change utility.
Install the SquirrelMail Change Password Plugin
1. Connect to your SquirrelMail server and note down its version.
2. Download the Change Passwd 4.2 and Compatibility 2.0.11 plugins.
3. Extract the downloaded files and put them into the /usr/share/squirrelmail/plugins
directory.
4. From a Terminal window, type in /usr/share/squirrelmail/config/conf.pl and
press Enter. This will launch the SquirrelMail Configuration utility.
If your Terminal window has a white background, make sure that the colors are off: look
for the command Turn color on. If the command reads Turn color off instead, type in
C and press Enter to turn the colors off. This ensures that you will be able to read all
of the text.
5. Type in 8 and press Enter to list the Plugins submenu.
6. Install the change_passwd plugin by typing in the number corresponding to it and
press Enter. When you are done, type in q and press Enter to quit then type in y and press
Enter to save your changes.
7. If your version of SquirrelMail is older than 1.4.13 (or older than 1.5.1 in the 1.5
series), you need to patch your SquirrelMail source. Go to
/usr/share/squirrelmail/plugins/compatibility and apply the compatibility patch by typing
in the command below.
patch -p0 < patches/compatibility_patch-1.4.8.diff
Replace 1.4.8 with your SquirrelMail version.
8. In the /usr/share/squirrelmail/plugins/change_passwd directory, copy the file
config.sample.php and save it as config.php. Edit config.php and review the default
settings.
Here are some useful settings in config.php
· $minimumPasswordLength - Minimum length of the password.
· $seeOutput - Shows the output of the change password program. Useful for
tracing problems.
· $changePasswdInLogin - Change password from the login form.
Test the SquirrelMail Change Password
1. Login to SquirrelMail and go to the Options page. You should see the new Change
Password section.
2. Click the Change Password link to view the new Change Password page.
Increase the size of attachments
Edit /etc/php.ini and set
upload_max_filesize = 10M
From a Terminal window, type in /usr/share/squirrelmail/config/conf.pl and
press Enter. This will launch the SquirrelMail Configuration utility, where you can:
1) Change the Server name
2) Add the Plugins, etc.
Configure the Firewall
Red Hat Enterprise Linux 5 and its derivative CentOS 5 includes a graphical tool called
Security Level Configuration for configuring the firewall options. This guide describes
how to use this tool to open up the ports necessary for providing an email server.
1. Click System, select Administration and click Security Level and Firewall. This will
launch the Security Level Configuration window.
2. For a mail server with webmail, check Mail (SMTP), Secure WWW (HTTPS) and
WWW (HTTP) in the Trusted services list.
3. We also need to open the ports for the POP3 and IMAP services. In the Other ports
field, add the port numbers below.
Service   Port
POP3      110:tcp
POP3S     995:tcp
IMAP      143:tcp
IMAPS     993:tcp
Mail Scanner
To install MailScanner, we are going to download the latest source code from the
MailScanner web site and build it. For this to work, it needs the Development Tools
package. If you did not include this during installation, you must add it now.
Getting MailScanner
1. Click the globe icon at the top near the System menu to launch the Firefox web
browser.
If an error occurs, you probably did not install the Graphical Internet package. You can
add it now using the Package Manager tool.
2. In the address box, type in http://www.mailscanner.info/downloads.html and press
Enter. Download the stable version for RedHat, Fedora and Mandrake Linux.
Building and Installing MailScanner
1. The MailScanner source code should now be on your desktop. Right click the newly
downloaded file and click Extract Here.
2. After extracting, a MailScanner folder should be found on your Desktop. Double click
the MailScanner folder to open it.
3. Next, double click the file install.sh. On the Run or Display window, select Run in
Terminal. This will now build and install MailScanner. This will take a while so just wait
until the Terminal window disappears.
ANTIVIRUS CLAMAV
Adding RPMForge to Yum
1. Launch Firefox and go to http://dag.wieers.com/rpm/FAQ.php#B2. Click on the
package appropriate for your version of Red Hat Enterprise Linux or CentOS.
2. Choose Open with Software Installer (default) and click Ok.
3. The Installing packages window will appear. Click Apply to proceed.
4. Finally click Ok. You now have access to an extensive library of precompiled binaries.
Installing Clam AntiVirus
If you prefer not to use the GUI tool below, you can also install the Clam AntiVirus by
typing in yum install clamd in a Terminal window.
1. Click Applications then click Add/Remove Software. This will launch the Package
Manager window.
2. Click the Search tab. Next type in clamd and click the Search button.
3. Select the latest version of clamd then click Apply. Next click on Continue until it
proceeds with the installation.
4. After installation, click Ok. You now have successfully installed Clam Antivirus.
5. Start the clamd service.
6. To test ClamAV AntiVirus, type in the command clamscan in a terminal window.
Configuring MailScanner
1. Edit the file /etc/MailScanner/MailScanner.conf
Find the following keys and change the values as follows
%org-name% = your organization name
%org-long-name% = your full organization name
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Group = clamav
Incoming Work Permissions = 0640
MTA = postfix
Virus Scanners = clamd
Clamd Socket = /tmp/clamd.socket
Use SpamAssassin = yes
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
2. Click Applications and click File Browser to launch the File Browser window and go
to the /var/spool/MailScanner directory.
3. In the File Browser window, click File and click Create Folder. Name the new folder
spamassassin.
4. Right click on the folder incoming and click Properties.
5. In the Properties window, click the Permissions tab. In the Permissions page, set the
Owner as postfix and its Folder Access as Create and delete files. Set the Group as
clamav and its Folder Access as Access files. Finally, set the Folder Access of Others as
None. Click Close when you are done. Repeat this for the quarantine and spamassassin
folders.
6. From a terminal window, type in
ln -s /usr/bin/freshclam /usr/local/bin/freshclam
MailScanner will be looking for freshclam in the /usr/local/bin directory so we’ll create a
symbolic link to it in that directory.
Integrating MailScanner into Postfix
1. Edit the file /etc/postfix/main.cf and remove the # in front of the line below
header_checks = regexp:/etc/postfix/header_checks
2. Edit the file /etc/postfix/header_checks and add the line below to the bottom of the file
/^Received:/ HOLD
This will now place all incoming mail into the holding area until released by
MailScanner.
3. MailScanner should now be the one to start the Postfix service. Stop the Postfix service
and start the MailScanner service in that order.
4. Test if Postfix is still working
Postgrey, Anti-Spam for Postfix
Postgrey is a simple and powerful anti-spam tool for Postfix. It works by using a
technique called Greylisting. Adding greylisting in Postfix will give your Postfix mail
server a simple and effective first line of defense against spam, at a cost of a few minor
delays for newly identified senders. To install Postgrey, we are going to use the
precompiled binaries from Dag Wieers RPM packages for Red Hat, RHEL, CentOS and
Fedora.
Adding RPMForge to Yum
1. Launch Firefox and go to http://dag.wieers.com/rpm/FAQ.php#B2. Click on the package
appropriate for your version of Red Hat Enterprise Linux or CentOS.
2. Choose Open with Software Installer (default) and click Ok.
3. The Installing packages window will appear. Click Apply to proceed.
4. Finally click Ok. You now have access to an extensive library of precompiled binaries.
Installing Postgrey Greylisting Policy Server
If you are using Red Hat Enterprise Linux 4 or CentOS 4, you have an older version of
the Package Manager tool. Instead of using the GUI tool below, you can use the
command yum install postgrey in a Terminal window to install Postgrey.
1. Click Applications then click Add/Remove Software. This will launch the Package
Manager window.
2. Click the Search tab. Next type in postgrey and click the Search button.
3. Select the latest version of postgrey then click Apply. Next click on Continue until it
proceeds with the installation.
4. After installation, click Ok. You now have successfully installed Postgrey Postfix
Greylisting Policy Server.
Configuring Postfix
1. Edit /etc/postfix/main.cf and add reject_unlisted_recipient and check_policy_service
unix:postgrey/socket to the value of smtpd_recipient_restrictions.
check_policy_service unix:postgrey/socket performs the greylisting, while adding
reject_unlisted_recipient before it lets Postfix reject unknown recipients immediately
instead of making clients go through the greylisting process before being told that the
recipient does not exist.
2. Start Postgrey and restart Postfix, or MailScanner if you have installed MailScanner.
Learn how to start and restart services here.
3. Test Postfix. Do not use localhost to connect to Postfix, since localhost bypasses
Postgrey. After typing in the rcpt to command, it should reply with Recipient
address rejected: Greylisted, and it should work if you try again after at least five
minutes.
Configuring the Whitelist in Postgrey
The whitelist lets you disable greylisting for certain email accounts, client IP
addresses or hostnames.
1. To disable greylisting for certain email accounts, add their addresses to the file
/etc/postfix/postgrey_whitelist_recipients.
2. To disable greylisting for certain IP addresses or hostnames, add the IP address,
hostname or a regular expression matching hostnames to the file
/etc/postfix/postgrey_whitelist_clients.local. Hostnames are identified by performing a
reverse DNS lookup on the client's IP address. For sample entries, view the file
/etc/postfix/postgrey_whitelist_clients.
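What happens behind check_policy_service unix:postgrey/socket is a small request/response protocol: Postfix hands the policy server the SMTP transaction as name=value lines ending with an empty line, and reads back an action line followed by an empty line. The script below is an added example, not Postgrey's code and not part of the guide; it implements the greylisting decision (a triplet of client IP, sender and recipient is deferred the first time and accepted once the delay has passed) together with the two kinds of whitelist described above, and drives it through a constructed request. Assumptions of this example: the delay is 300 seconds (the "five minutes" mentioned above), and the whitelist syntax is reduced to recipient addresses, client IP addresses, client hostnames and /regex/ patterns on the hostname.

```python
"""Minimal greylisting policy in the Postfix policy-delegation protocol."""
import re

GREYLIST_DELAY = 300          # seconds (assumption, see the lead-in)
DEFER = "DEFER_IF_PERMIT Recipient address rejected: Greylisted"


def parse_policy_request(blob):
    """Parse one policy request: name=value lines terminated by an empty line."""
    attrs = {}
    for line in blob.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def format_policy_response(action):
    """Encode the reply the way Postfix reads it from the socket."""
    return f"action={action}\n\n"


class GreylistPolicy:
    def __init__(self, whitelist_recipients=(), whitelist_clients=(), delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}                       # triplet -> time of first attempt
        self.wl_recipients = {r.lower() for r in whitelist_recipients}
        self.wl_clients = []                       # literal strings or compiled regexes
        for entry in whitelist_clients:
            if len(entry) > 2 and entry[0] == "/" and entry[-1] == "/":
                self.wl_clients.append(re.compile(entry[1:-1], re.IGNORECASE))
            else:
                self.wl_clients.append(entry.lower())

    def _client_whitelisted(self, addr, name):
        for entry in self.wl_clients:
            if isinstance(entry, str):
                if entry in (addr, name.lower()):
                    return True
            elif entry.search(name):
                return True
        return False

    def decide(self, attrs, now):
        """Return 'DUNNO' (let other restrictions decide) or a DEFER action."""
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"                         # not an SMTP access query
        rcpt = attrs.get("recipient", "").lower()
        sender = attrs.get("sender", "").lower()
        addr, name = attrs.get("client_address", ""), attrs.get("client_name", "")
        if rcpt in self.wl_recipients or self._client_whitelisted(addr, name):
            return "DUNNO"                         # whitelisted: skip greylisting
        key = (addr, sender, rcpt)
        first = self.first_seen.get(key)
        if first is not None and now - first >= self.delay:
            return "DUNNO"                         # known triplet, delay elapsed
        self.first_seen.setdefault(key, now)       # remember the first attempt only
        return DEFER


# Constructed request: the attributes Postfix sends at RCPT TO time.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=203.0.113.25\n"
    "client_name=mx.sender.example\n"
    "sender=alice@sender.example\n"
    "recipient=johndoe@acme.local\n"
    "\n"
)


def run_scenario():
    """Drive the policy through retries and through both whitelist kinds."""
    policy = GreylistPolicy(whitelist_recipients=["postmaster@acme.local"],
                            whitelist_clients=["192.168.0.10", r"/\.trusted\.example$/"])
    req = parse_policy_request(SAMPLE_REQUEST)
    actions = [policy.decide(req, now) for now in (0, 120, 400)]     # defer, defer, accept
    actions.append(policy.decide(dict(req, recipient="postmaster@acme.local"), 0))
    actions.append(policy.decide(dict(req, client_address="198.51.100.7",
                                      client_name="mail.trusted.example"), 0))
    return actions


if __name__ == "__main__":
    for action in run_scenario():
        print(format_policy_response(action), end="")
```

DEFER_IF_PERMIT is what makes the 450-style temporary rejection safe to combine with the reject_unlisted_recipient placed before it: a permanent rejection from an earlier restriction still wins, and only a would-be accepted recipient is told to retry later.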