Howto: set up a mail server in Ubuntu

[fedef63]

Hi Duceduc,
unfortunately I've not been able to make Maildrop working, in the post #364 or 365 above indeed I'm asking help about, since the document lack of some informations..example what maildrop has been used if courier-maildrop or standalone package..
the doc i followed is linked to Flurdy's document...
here the link http://ubuntuforums.org/showpost.php...&postcount=223
it is in the same in my post post above

Regards

[fedef63]

Huge thanks for this Federico - I can't tell you what a pleasure it is just to see something working. Quite right this is not enough for a production system, though.

What I can't quite understand - cos there are a few bits where Flurdy's doc is just a tiny bit vague - having got to the minimally configured stage should I be able to use a mail client to send mail using smtp/starttls or is that only going to be possible once I've got all the sasl stuff configured up?

Because now I don't know whether to try and debug my current setup or to push on with the next area of work in the doc.

Many thanks, beautiful people.

Hi,
I wish just to tell you, that I've also Sasl working.
The value in the field "user" and "password" in the file /etc/pam.d/smtp are the same used to access maildb. And now it 's working.
I was thinking i must select "use crypted password" in the smtp panel of thunderbird. probably it was a bad assumption.

Mar 2 00:00:27 mail postfix/smtpd[2940]: 4508DC150E: client=unknown[192.168.254.2], sasl_method=PLAIN, sasl_username=pluto@xxx.it

Regards

[khaeru]

I'm curious—is everyone implementing this guide on EC2 using 'small' instances? Has anyone tried on a 'micro' instance, or any other size? If so, please share.

[flurdy]

I'm curious—is everyone implementing this guide on EC2 using 'small' instances? Has anyone tried on a 'micro' instance, or any other size? If so, please share.

My current server postfix servers on ec2 are all micro. The memory footprint of postfix++ is tiny.

[jlsm]

Hi,

Firstly, I would like to give a big Kudos to flurdy for an excellent how to.

I am relatively a beginner Ubuntu user, and was currently tasked to create a mail server for our small office. The how-to was a great resource for this project.

Initally, I was able to make the setup work until the Basic setup, I tested everything and it works: using telnet to EHLO and send mail, using webmail both within the network and outside the network, and even using Outlook on my ******* laptop, again both from inside and outside the network.

My problem arose when I proceeded to the Advanced Mail Setup. Everything still seems to be working except when using a mail client on another PC. When using Thunderbird on the server to test, I can send and receive mail without any problems. When using Outlook or Thunderbird on my laptop, I can't login, but webmail (and even telnet) on the same laptop works. Upon setting up Thunderbird, it can automatically detect the servers, IMAP on port 143 and SMTP on port 25, but cannot login to the server. I'm guessing authentication is causing the problems. I've been working on this for days now and reading on different posts and sites, but still with no luck.

I can post the config files if anyone should need it. Any help would be greatly appreciated.

Thanks again for the invaluable how-to.


jlsm

[jlsm]

Bump.

Hope someone could help. I really need this coz i've driven to a blank right now.

Thanks.

jlsm

[fedef63]

Hi,
I wish just to tell you, that I've also Sasl working.
The value in the field "user" and "password" in the file /etc/pam.d/smtp are the same used to access maildb. And now it 's working.
I was thinking i must select "use crypted password" in the smtp panel of thunderbird. probably it was a bad assumption.

Mar 2 00:00:27 mail postfix/smtpd[2940]: 4508DC150E: client=unknown[192.168.254.2], sasl_method=PLAIN, sasl_username=pluto@xxx.it

Regards

If somebody using roundcube after SASL is enabled, if using SMTPS port 465 to send mail will get an error SMTP Error 554.
To solve it..here the few changes required in roundcube config:

// use this host for sending mails.
// to use SSL connection, set ssl://smtp.host.com
// if left blank, the PHP mail() function is used
// Use %h variable as replacement for user's IMAP hostname
$rcmail_config['smtp_server'] = 'ssl://localhost';

// SMTP port (default is 25; 465 for SSL)
$rcmail_config['smtp_port'] = 465;
// SMTP username (if required) if you use %u as the username RoundCube
// will use the current username for login
$rcmail_config['smtp_user'] = '%u';
// SMTP password (if required) if you use %p as the password RoundCube
// will use the current user's password for login
$rcmail_config['smtp_pass'] = '%p';
// SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
// best server supported one)
$rcmail_config['smtp_auth_type'] = 'PLAIN';

[fedef63]

Hi jlsm,
please post your postifx config: master.cf and main.cf ,
and /etc/shorewall/rules

Do you have enabled the ports required in the firewall (shorewall) ?

I'm not an expert but i will have a look if I can Help.
regards
Federico

[jlsm]

Thanks so much for looking into this Federico.

I also tried using clear passwd, but it's still not authenticating. I was able to make it work using POP3, but not using SASL, i'm afraid it might be prone to attacks or interception.

I'm still working on a testbed, not the production server yet, until I'm sure it is secure and stable.

Following are the main and master config files, as well the the shorewall rules.

I removed some of the commented lines in the config files (not all to retain section breaks)

main.cf

Code:

myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

append_dot_mydomain = no

readme_directory = no

smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes

btree:${data_directory}/smtpd_scache
btree:${data_directory}/smtp_scache


myhostname = subdomain.domain.com  #I used a subdomain with an A and MX record, registered at freedns.afraid.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination =
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
mailbox_command =

mynetworks_style = host

masquerade_domains = mail.subdomain.domain.com
masquerade_exceptions = root

local_recipient_maps =

delay_warning_time = 4h

unknown_local_recipient_reject_code = 450

maximal_queue_lifetime = 3d
bounce_queue_lifetime = 3d

minimal_backoff_time = 900s
maximal_backoff_time = 1800s

smtp_helo_timeout = 60s

smtpd_recipient_limit = 16

smtpd_soft_error_limit = 3

smtpd_hard_error_limit = 12

smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit

smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org

smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
smtpd_data_restrictions = reject_unauth_pipelining

smtpd_helo_required = yes

smtpd_delay_reject = yes
disable_vrfy_command = yes
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
option is there) 

virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
inet_protocols = all

content_filter = amavis:[127.0.0.1]:10024
Secure mail server, authentication section

smtpd_sasl_auth_enable = no  # I changed this to no to accept clear passwd

broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =

master.cf

Code:

==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination, reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd


pickup    fifo  n       -       -       60      1       pickup

#### added below 'pickup' transport service as prescribed by the tutorial
	-o content_filter=
	-o receive_override_options=no_header_body_checks
#### end of addition

cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
	-o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
====================================================================
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

#### This section is added as prescribed in the tutorial
amavis	unix	-	-	-	-	2	smtp
	-o smtp_data_done_timeout=1200
	-o smtp_send_xforward_command=yes
	-o disable_dns_lookups=yes
	-o max_use=20

#### Continuation of added section
127.0.0.1:10025	inet	n	-	-	-	-	smtpd
	-o content_filter=
	-o local_recipient_maps=
	-o relay_recipient_maps=
	-o smtpd_restriction_classes=
	-o smtpd_delay_reject=no
	-o smtpd_client_restrictions=permit_mynetworks,reject
	-o smtpd_helo_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o smtpd_data_restrictions=reject_unauth_pipelining
	-o smtpd_end_of_data_restrictions=
	-o mynetworks=127.0.0.0/8
	-o smtpd_error_sleep_time=0
	-o smtpd_soft_error_limit=1001
	-o smtpd_hard_error_limit=1000
	-o smtpd_client_connection_count_limit=0
	-o smtpd_client_connection_rate_limit=0
	-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
#### End of added section

shorewall rules

Code:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
#							PORT	PORT(S)		DEST		LIMIT		GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
SSH/ACCEPT	net		$FW

Ping/ACCEPT 	net 		$FW 

# Permit all ICMP traffic FROM the firewall TO the net zone 
ACCEPT 		$FW 		net 	icmp 

# mail lines 
SMTP/ACCEPT 	net 		$FW 
SMTPS/ACCEPT 	net 		$FW 
Submission/ACCEPT net 		$FW 
IMAP/ACCEPT 	net 		$FW 
IMAPS/ACCEPT 	net 		$FW 
POP3/ACCEPT	net		$FW

#web 
Web/ACCEPT 	net 		$FW

Again, thank you for taking time to look into this. Kindly let me know if you need anything else.


jlsm

[sixstorm]

I followed the basic Dovecot+Postfix+SquirrelMail how-tos over at help.ubuntu.com and I now have a sandbox, internal only email server. Very easy to setup, I figured it would be something extremely complicated TBH. I'm not tempted to buy a domain name and SSL to try and get to work with it.