Howto: set up a mail server in Ubuntu

[cazador2011]

I'm at this point in the guide:

Code:

cd /etc/courier 

openssl req -x509 -newkey rsa:1024 -keyout imapd.pem \ -out imapd.pem -nodes -days 999

I get the following error:

Code:

unknown option  -out
req [options] <infile >outfile

I have no idea what to do. I'm stuck.

This is what you want:

Code:

cd /etc/courier 

openssl req -x509 -newkey rsa:1024 -keyout imapd.pem -out imapd.pem -nodes -days 999

[spackard]

I built a server using ami-c0ee06a9 and was seeing errors attributed to authdaemond.

mail.log.1:Apr 21 17:02:56 ip-10-212-82-179 authdaemond: SQL query: SELECT id, crypt, "", uid, gid, home, contact(home,'/',maildir), "", name, "" FROM users WHERE id = 'packard' AND (enabled=1)
mail.log.1:Apr 21 17:02:56 ip-10-212-82-179 authdaemond: mysql_query failed, reconnecting: FUNCTION maildb.contact does not exist
mail.log.1:Apr 21 17:02:56 ip-10-212-82-179 authdaemond: mysql_query failed second time, giving up: FUNCTION maildb.contact does not exist

I traced the problem to /etc/courier/authmysqlrc.
Original: MYSQL_MAILDIR_FIELD contact(home,'/',maildir)
Correction: MYSQL_MAILDIR_FIELD CONCAT(home,'/',maildir)

I guess this was noticed/posted about on page 30. Sorry for the duplicate info.

[glacebeast]

Has anyone figured out an elegant solution to the problem outlined by Ontolog and oziemike a few pages back that isn't reverting to storing plaintext passwords and dropping down to PLAIN and LOGIN auth methods?

There is a pretty major problem with the way MySQL's ENCRYPT() function is being used in conjunction with the mail server setups. Actually I had to revert to using the plaintext password for both Postfix and Courier. In the case of Postfix I also had to restrict the AUTH types to 'LOGIN' because programs that were using CRAM-MD5 were failing authentication. One major problem here is that ENCRYPT is using whatever the OS's low-level crypt() is which can be anything. Furthermore since we are not supplying any salt, the salt is random! So now we can't reproduce the crypted string since we don't know the salt.

I found myself running into the same issues when trying to negotiate an authorized login via any method that was not LOGIN. For example, trying to login through roundcube:

Code:

Jun 14 01:59:03 authdaemond: received auth request, service=imap, authtype=cram-md5
Jun 14 01:59:03 authdaemond: authmysql: trying this module
Jun 14 01:59:03 authdaemond: cram: challenge=PDczQTVGNEI0NjI2NkVBQjE3NTQxMjY4QzYwMEFFQTRBQHNtdHAuZHJ1bmtiYWJpZXMuY29tPg==, response=Zm9ydW1zQGRydW5rYmFiaWVzLmNvbSBiNGVhOGI5ZThlMzdjMDE3NjAxOWUxOTIyZGRjZTM5Nw==
Jun 14 01:59:03 authdaemond: cram: decoded challenge/response, username 'forums@xxxxx.com'
Jun 14 01:59:03 authdaemond: authmysqllib: connected. Versions: header 50137, client 50141, server 50141
Jun 14 01:59:03 authdaemond: SQL query: SELECT id, crypt, "", uid, gid, home, concat(home,'/',maildir), "", name, "" FROM users WHERE id = 'forums@xxxx.com'  AND (enabled=1 )
Jun 14 01:59:03 authdaemond: authmysql: REJECT - try next module
Jun 14 01:59:03 authdaemond: FAIL, all modules rejected
Jun 14 01:59:03 imapd-ssl: LOGIN FAILED, method=CRAM-MD5, ip=[::1]
Jun 14 01:59:08 imapd-ssl: Disconnected, ip=[::1], time=5, starttls=1

Also, when trying to send a mass e-mail through my phpBB3 setup with any auth method other than LOGIN, I get:

Code:

Jun 14 02:09:41 postfix/smtpd[1985]: connect from xxxxx.com[127.0.1.1]
Jun 14 02:09:41 postfix/smtpd[1985]: warning: SASL authentication failure: no secret in database
Jun 14 02:09:41 postfix/smtpd[1985]: warning: xxxx.com[127.0.1.1]: SASL CRAM-MD5 authentication failed: authentication failure
Jun 14 02:09:41 postfix/smtpd[1985]: lost connection after AUTH from xxxxx.com[127.0.1.1]
Jun 14 02:09:41 postfix/smtpd[1985]: disconnect from xxxx.com[127.0.1.1]

I must say, I'm a little disappointed that:

1) the problems were brought up ~10 pages ago and kind of faded away with out any more dialogue about them
2) I spent the better part of 4 days scouring my configuration and setup thinking I did something wrong and just stumbled on those tidbits... haha.

Thoughts?

*Edit: As an edit, I just wanted to reiterate that, although not a newcomer to computing in any facet, I'm very new to ubuntu and mailservers in general so I wanted to ensure that my server and it's users would be free from possible malicious activity. Thanks.

*Edit 2: Does 11.04 better support this deployment? I noticed in earlier pages people were claiming no issues with 9.xx ubuntu but as soon as they upgraded to 10.xx problems started.

[highbomber]

My mail server currently can't make any folders. It is only creating the inbox. If I try to create a folder remotely I get an error, and if I try to e-mail I get an error saying something along the lines of, "Could not create sendmail folder." Has anyone experienced this? Can someone help me with this? Thanks.

[highbomber]

Bump.

[sprior]

I've also run into the CRAM problem mentioned above when setting up SASL/TLS on an Ubuntu 10.04 machine (64 bit). Is there a current best recommendation to work around this problem? Is SASL actually necessary when TLS is required for all connections? There is a strong desire to use an Ubuntu LTS release when setting up a mail server, but has anyone checked yet to see if this problem persists with Ubuntu 11.04?

[glacebeast]

I've also run into the CRAM problem mentioned above when setting up SASL/TLS on an Ubuntu 10.04 machine (64 bit). Is there a current best recommendation to work around this problem?

I just disabled CRAM-MD5 in the courier-imap config and all seems to be running smooth; whether or not that is a smart solution, I can't really answer that. I do have a webmail client running and this is the only way I could make it work, but the data isn't sensitive and as long as the passwords aren't transmitted in plaintext I'm ok with it.

Is SASL actually necessary when TLS is required for all connections?

I was thinking the same thing; per my understanding, SASL is just another layer of protection... a compliment if you will. Most of us are paranoid enough to probably want maximum security though, lol.

There is a strong desire to use an Ubuntu LTS release when setting up a mail server, but has anyone checked yet to see if this problem persists with Ubuntu 11.04?

My thoughts exactly. I haven't cause I run a completely headless server sans an ethernet connection, so upgrading is a bit of a hassle. However, if it would enable a ramp up in security I'd almost definitely do it.

With that said, my knowledge of all of this is probably amateur at best compared to some of those lurking out there, and I was hoping we could suck some of those folk in here to answer some of these concerns.

[airtonix]

It would be useful if you started your guide with :

Customise the editor you want

Code:

export $EDITOR=nano

Then through out the document use

Code:

$EDITOR something something something

instead of assuming people want to use vi...

vi makes me rage HARD. I want to kill kittens when i use it.

[mikeleonard]

SO valuable information .i also searching for these valuable informations.

[karka91]

I followed your instructions on the tutorial however when I want to send an email not from the server (using an email client) I get rejected:

Jun 30 00:54:30 servername postfix/smtpd[32289]: NOQUEUE: reject: RCPT from --.kava.lt[my-ip]: 554 5.7.1 <--@gmail.com>: Relay access denied; from=<karolis@--.ie> to=<--@gmail.com> proto=ESMTP helo=<[server-ip]>

Code:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = --.ie
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = --.ie
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mynetworks_style = host
local_recipient_maps =

# how long if undelivered before sending warning update to sender
delay_warning_time = 4h
# will it be a permanent error or temporary
unknown_local_recipient_reject_code = 450
# how long to keep message on queue before return as failed.
# some have 3 days, I have 16 days as I am backup server for some people
# whom go on holiday with their server switched off.
maximal_queue_lifetime = 7d
# max and min time in seconds between retries if connection failed
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
# how long to wait when servers connect before receiving rest of data
smtp_helo_timeout = 60s
# how many address can be used in one message.
# effective stopper to mass spammers, accidental copy in whole address list
# but may restrict intentional mail shots.
smtpd_recipient_limit = 16
# how many error before back off.
smtpd_soft_error_limit = 3
# how many max errors before blocking it.
smtpd_hard_error_limit = 12

# Requirements for the HELO statement
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
# Requirements for the sender details
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
# Requirements for the connecting server
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
# Requirement for the recipient address
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, perm$
smtpd_data_restrictions = reject_unauth_pipelining

# require proper helo at connections
smtpd_helo_required = yes
# waste spammers time before rejecting them
smtpd_delay_reject = yes
disable_vrfy_command = yes

# not sure of the difference of the next two
# but they are needed for local aliasing
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
# this specifies where the virtual mailbox folders will be located
virtual_mailbox_base = /var/spool/mail/virtual
# this is for the mailbox location for each user
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
# and this is for aliases
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
# and this is for domain lookups
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
# this is how to connect to the domains (all virtual, but the option is there)
# not used yet
# transport_maps = mysql:/etc/postfix/mysql_transport.cf

virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

What should be changed so that sending email via client would be possible? Not only for me but for registered users in the database