Creating an ISP web and mail server in your LAN

[TheFu]

so far I made progresses learning about postfix and being able to get it to work as Smart Host.
I wish to ask few additional questions.

Questions are good.

1. if I wish to have mixed delivery of main (locally on localhost and Smart Host) is this possible? If so, where would I set this up so that if I send a mail to @localhost it would be delivered locally anf if I send a mail to user_xx@gmail.com it will be delivered via Smart Host?

Setup a local domain, like "angeli.lan", then this will work automatically with just a few settings. In postfix there is a local delivery options. Any emails send there will be delivered locally. Everything else will be sent either to a relay server that you configured or directly to the remote systems based on their MX DNS records (if the ISP doesn't firewall email). You can also setup specific transport rules to specific domains (man transport explains all). For local delivery, you do not need any MX records for your domain. Inside the /etc/postfix/main.cf file are all the settings.

Code:

mydomain =
mydestination = 
local_recipient_maps =

are the main ones. I didn't check that these were all of them - only connected to my email gateway (main job is to block spam emails), not the real email server.

Code:

$ dig google.com mx

will show the MX (Mail eXchange DNS record) You can do this for any domain. That is how email systems know where to send non-local emails.

2. so far I installed postfix and Postfixc Admin. In order to also manage mail locally with the use of a web interface, what do I need to install?

I don't use any web interfaces for server admin. Sorry. I think that is a security issue. Learn to do the configs manually. There are lots of how-tos and it really is easy.

Hi,So far, I understood I have to install Dovecot (for POP3 and IMAP) and I would prefer Roundcube as webmail. Is this all?

Don't know. I haven't used dovecot in years and never used roundcube. I would highly recommend only using imaps, not pop3 or pop3s, unless you want to force all email to be downloaded. This is fine for an ISP, but terrible for a business. Webmail, the last time I tried, it was trivial to setup. I used squirrelmail then. Something like 4 settings was it related to the SMTP/IMAP connections. Simple.

3. Is it possible to have a complete string "atp-get install" listing all packages needed, starting from scratch, for setting up a mail server with Smart Host and local mail + web?

Sure, but the postfix package requires configuration during install. I almost always setup postfix as a satellite mail server (all email gets forwarded to the main server) so I don't recall many setup details. Sorry.

Also please consider including in the list spamassassing and clamAV. Beside the fact that MySQL is already installed (as part of LAMP) do I also need any additional MySQL components to install? I read it is needed to manage user accounts and e-mail forwarding or can it be avoided?

Good luck with that. The magic of APT is that dependencies are almost always automatically completed. I'm not going to check this, but something like:

Code:

$ sudo apt-get install postfix spamassassing clamAV dovecot roundcube

would seem to be reasonable starting point - you'll need to spell the names of the packages correctly, of course. I used your spellings for consistency in this post.

MySQL is not required for email. I do not use it at all. However, for an ISP with 20,000 users, I can see where have a relational DB involved could be handy. I've never run email servers for orgs with more than 300 people, so never use mysql.

4. Integration between the mail server and Webmin is done automatically or is there anything needed to be done manually or install additiona packages?

Like I said before, I consider any webgui management tool to be an added security risk on already sensitive servers. I don't use them. I don't know any professional sys admins who do in any corporate environments either. Only ISPs seem to do this where email is a free service expected, but not where they make money. Why do you think more and more ISPs are outsourcing email to Yahoo and Microsoft?

[SeijiSensei]

There are most certainly ways to make Webmin more secure than the TheFu suggests. Just don't bind the server to any Internet-facing interface. On a dual-homed machine, bind it to the LAN-facing interface. On an Internet server, install OpenVPN and bind Webmin to the tunnel interface. Add some iptables rules to restrict access to the Webmin port, usually 10000, by client IP address. Use a port scanner on a remote machine to insure that port 10000 is invisible to Internet hosts.

[TheFu]

There are most certainly ways to make Webmin more secure than the TheFu suggests. Just don't bind the server to any Internet-facing interface. On a dual-homed machine, bind it to the LAN-facing interface. On an Internet server, install OpenVPN and bind Webmin to the tunnel interface. Add some iptables rules to restrict access to the Webmin port, usually 10000, by client IP address. Use a port scanner on a remote machine to insure that port 10000 is invisible to Internet hosts.

I agree - it can be made much more secure, but new users of these tools are not often very experienced. Also, I still see more than a few attempts on my servers to access these web-administration tools for systems, databases, and applications even though I never have used them. In the last 30 minutes, 47 attempts were made on my tiny blog server. The risk is real, so if you must run these tools, please, please, please secure them with more than a plaintext password that will be hacked. Use the network layer to make it impossible to access by outsiders.

My security training tells me not to load anything on a system that isn't needed. "Needed" is highly subjective so my "needed" and your "needed" will not always be the same.

BTW, it isn't just web-guis that I avoid. There are some fantastic CM tools that I won't load either, just because they require a non-default language to be loaded. Puppet is one of those. It uses Ruby. I like Ruby, but still don't want to load it on a system that has ZERO other use for it. Saying that I like Ruby is a little bit of an understatement.

SeijiSensei is a very smart person, so it would be smart to follow his recommendations.

[SAngeli]

Hi and thanks for your answers.
I wish to only focus on getting this prject completed. After that I can spend some time learning more. So, I believe it is best to narrow down only what I really need.
Webmail was a way to check mail for local users when symolating for CMS new account creation. I will use local mail client for this.
- Smart Host is already working so that I can use any CMS;
- Webmin is already working but I need to customize (also for security) and learn about it;
- I need to learn and finish customizing phpMyAdmin (config.inc.php) as it complaints that its configuration is not complete;
- I need to slightly lear about Apache2, the basics:
- SFTP is alredy running via the openSSH.

This is what is left:

- What do I have to install in order to have only IMAP for local users? What parameters do I have to use for setting up the mail client using SSL I assume? How to know?
- From Windows 7 client to server: Is there a reason why sftp to my server (on my LAN) I copy a file at 4.1Mbit when insteas if I go through Samba (via Explorer) I get 51MB? How come is it so slow? Do I have to change sftp softwre on the server or is there a setting I have to do? This is strange.
- How to manage FTP user accounts? Is this done simply by adding a user to the ftp group?

Thank you,
Spiro