Email Server using Postfix, Dovecot, Squirrelmail, Spamassassin, ClamAV and Amavisd

[nephila]

I noticed a number of people have questions regarding these setups, I'm no expert on email systems or the programs described here, but I do have an email server running on Fedora Core 2 that serves about 30 users and its working quite well so here's what I have learnt in setting up and maintaining that server.

This howto will explain how to go about setting up an email server on Fedora Core 3 using Postfix, Dovecot, Squirrelmail, Spamassassin, ClamAV and Amavisd. I have also done a similar setup on Fedora Core 2. My best advice is to set this up first on a workstation and test it thoroughly before setting up on a server and going live with it!

This howto does not go into much detail, if you are looking for a full explanation of what is going on then read the documentation for each progarm. This is merely a step by step guide to get you up and running. You may use apt / yum to install software. I do not use these programs so these instructions do not include the use of them, feel free to adjust these
instructions as you see fit.

STEPS

* Assume a clean install of fedora core 3.
* Commands run as root.

1. Run System Settings > Add/Remove Applications
Under the Email Server sections select Spamassassin,
Postfix, Squirrelmail and Dovecot then click ok and update the system.

2. Run the command:

Code:

system-switch-mail

and choose postfix as the default MTA.

3. Configure postfix by changing the following in /etc/postfix/main.cf

Code:

myhostname = ~YOUR IP ADDRESS OR DOMAIN NAME~
	myorigin = $mydomain
	inet_interfaces = $myhostname, localhost
	mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
	home_mailbox = Maildir/

4. Start Postfix and Test
Run

Code:

/etc/rc.d/init.d/postfix start

If it doesn't start check /var/log/maillog for specific errors
Run:

Code:

echo "hello" | mail root

Check /root/Maildir/new for a message. You can read the message
with the less command or any text editor you prefer.

5. Configure Dovecot by changing the following in /etc/dovecot.conf

Code:

protocols = imap pop3

6. Start Dovecot and Test
Run

Code:

echo "hello" | mail ~NON ROOT USER~

Run

Code:

/etc/rc.d/init.d/httpd restart

Run

Code:

/etc/rc.d/init.d/dovecot start

Browse http://localhost/webmail
Login with the non root user's username and password
You should have an email with the message "hello"

7. Setup Thunderbird mail to use pop3 and check for email.
Use your IP address as the server and log in using the same
non root user. You should get the same email with the message
"hello".

You now have a usable email system running but you should set up postfix so
that it isn't an open relay by making it require authentication on SMTP
transactions. you also want to setup virus scanners and spam filters, so lets
get to it...

8. Enable SMTP Authentication
8.1 Check that Cyrus SASL is installed
Run as root:

Code:

rpm -qa | grep sasl

You should get:

Code:

            cyrus-sasl-2.1.19-3
            cyrus-sasl-devel-2.1.19-3
            cyrus-sasl-plain-2.1.19-3
            cyrus-sasl-md5-2.1.19-3

there may be a few others, that's ok.
If these are not installed, find the rpms on your distro cdroms and
install them.
8.2 Edit /etc/postfix/main.cf and add the following to the bottom of the file:

Code:

smtpd_sasl_auth_enable = yes
        smtpd_sasl_security_options = noanonymous
        smtpd_sasl_local_domain = $myhostname
        broken_sasl_auth_clients = yes
        smtpd_recipient_restrictions =
           permit_sasl_authenticated,
           check_relay_domains

8.3 Start the saslauthd by running

Code:

/etc/rc.d/init.d/saslauthd start

8.4 Reload postfix by running

Code:

/etc/rc.d/init.d/postfix restart

8.5 Try sending mail to yourself using a pop3 client. You must have
the right settings in your mail client, be sure to use SMTP auth!

Check http://postfix.state-of-mind.de/patr...etter/smtpauth
for more information on this.

9. Install ClamAv from RPM
Run:

Code:

rpm -Uvh clamav-0.83-1.i386.rpm

Finally we install amavisd-new and configure it appropriately.

10. Install Required Programs and Packages
Get the following rpms from
http://dag.wieers.com/packages/
http://dries.studentenweb.org/apt/
http://freshrpms.net/packages/
http://rpmfind.net/linux/RPM/fedora/...4-40.i386.html

arc
cabextract
freeze
lzo
lzop
ncompress
nomarch
unarj
unrar
zoo

perl-Archive-Zip-1.09-0.1.fc3.rf.noarch.rpm
perl-BerkeleyDB-0.26-1.1.fc3.rf.i386.rpm
perl-Convert-BinHex-1.119-1.1.fc3.rf.noarch.rpm
perl-Convert-TNEF-0.17-2.1.fc3.rf.noarch.rpm
perl-Convert-UUlib-1.03-1.1.fc3.rf.i386.rpm
perl-IO-stringy-2.109-1.1.fc3.rf.noarch.rpm
perl-MailTools-1.66-1.1.fc3.rf.noarch.rpm
perl-MIME-tools-5.415-1.1.fc3.test.noarch.rpm
perl-Net-Server-0.86-0.1.fc3.rf.noarch.rpm
perl-TimeDate-1.16-1.1.fc3.rf.noarch.rpm
perl-Unix-Syslog-0.100-0.1.fc3.rf.i386.rpm

Install the Following from the CDROM distros
perl-Archive-Tar-1.08-3.noarch.rpm
perl-Compress-Zlib-1.33-6.i386.rpm

These are all required by amavisd-new

11. Install the amavisd-new rpm
Run:

Code:

rpm -Uvh amavisd-new-2.2.0-3.1.fc3.rf.i386.rpm

12. Test amavisd-new
Run:

Code:

/etc/rc.d/init.d/amavisd start

Run:

Code:

telnet localhost 10024

you should be greeted by amavisd-new.

13. Configure postfix
add the following to /etc/postfix/master.cf at the bottom

Code:

smtp-amavis unix -	-	y/n	-	2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

127.0.0.1:10025 inet n	-	y/n	-	-  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

test it by doing the following:
Run:

Code:

telnet localhost 10025

you should be greeted by postfix

Run:

Code:

postconf -e 'content_filter=smtp-amavis:[127.0.0.1]:10024'

14. Test
Run:

Code:

echo "hello" | mail ~NON ROOT USER~

check mail for the non root user, you should have recieved mail.

15. Configure ClamAV
Run:

Code:

mkdir /var/run/amavis
    chown amavis /var/run/amavis
    chown amavis /var/run/clamav

Edit /etc/clamd.conf making the following changes:

Code:

LocalSocket /var/run/amavis/clamd.ctl
    #TCPSocket 3310 -- comment this out!!
    User amavis

Run:

Code:

/etc/rc.d/init.d/clamd restart

Check /var/log/maillog and make sure that clamd has no errors

16. Configure Amavisd
Edit /etc/amavisd.conf making the following changes

Code:

$sa_tag_level_deflt  = 0.0; 
    ...
     ['ClamAV-clamd',
       \&ask_daemon, ["CONTSCAN {}\n", "/var/run/amavis/clamd.ctl"],
       qr/\bOK$/, qr/\bFOUND$/,
       qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

restart amavisd:

Code:

/etc/rc.d/init.d/amavisd restart

17. Test again
Run:

Code:

echo "this is a test" | mail ~NON ROOT USER~

log in as the non root user, read the email and view the full
headers, you should see that the message passes through amavisd.


That's all folks! Play around with the configuration settings and tweak it to your tatse!
If I screwed up something somewhere please let me know. Also if you find this helpful let me know too.

[snurckle]

Awesome Post, this helped me alot.

I started with a new install of Fedora Core 3, and for the most part it was easy to do (with the aid of your howto).

I did have a few problems though. When installing clamd, I had to edit my yum.conf file to add [DAG]. I also had to import the keys for the it as well.

You didn't go through any spamassassin setup, just an install.

Thanks for the post, it was VERY HELPFUL.

[nephila]

Glad it helped! A lot of spamassin conf is done through amavis so tweaking that will tweak sa. There's also a lot of doc on the web, the goal of the howto was to get readers up and running! I dont use yum or apt or anything else, so I didn't include any info about that, sorry that you had issues with that.

[sportq]

nephila,

I've followed the guide and everything happens as expected until I get to the stage where the filters are added to /etc/postfix/master.cf (I restart postfix although the procedure doesn't say I should).

When I try this test....

Code:

telnet localhost 10025

I get nothing.

Peter

[snurckle]

Quote:

Originally Posted by nephila

Glad it helped! A lot of spamassin conf is done through amavis so tweaking that will tweak sa. There's also a lot of doc on the web, the goal of the howto was to get readers up and running! I dont use yum or apt or anything else, so I didn't include any info about that, sorry that you had issues with that.

This was probably the best HOWTO for this setup I've seen. I went off of it, almost entirely. Deviated a little to set up TLS, but very good.

Thanks for posting it. The only thing I don't like is how amavisd-new and spamassassin talk, but perhaps it's better than spamassassin hogging resources.

Your setup doesn't send ALL email through spamassassin, it does if the email is HTML encoded, and if it's 'suspected' of being SPAM. Perhaps it only adds a header entry if it hits a certain number of points. Not sure what is going on, but I'll research and see if I can adjust it a little.

I receive a log entry about spamassassin to connected, but I suspect this is normal, and spamassassin just doesn't have the control it's used to when running behind amavisd-new. Almost switched to MIME-Defang because of this, but realized spamassassin was doing what it shoud, and backed off.

Thanks again!

[objec]

Fabulous instructions!

I too am looking for how to configure SpamAssassin.

nephila, you mention that there are many posts on how to do this. I have seen quite a few, but they all seam to differ either slightly or dramatically.

Do you have a recommendation on where to look, that the instructions will be compatible with what you've posted here?

I suspect that many users are like me - they followed your instructions perfectly and now have a fully functioning system, but didn't know really what they did or where to begin tweaking the amavis.conf file to get SpamAssissin hooked up.

thanks.
-peter

[deceive]

I've got my mail server configured completely but I'm still running into some problems with sasl auth. I've always used pop-before-smtp, but have wanted to switch to sasl auth. I've got everything working correctly, except as soon as I add the code for the sasl, I get these errors in the log and postfix dies out. Otherwise, everything runs smooth as silk. I've double checked and I have all the cyrus-sasl packages installed. I did however install postfix first through apt-get, then cyrus-sasl afterwards. Could this have anything to do with it? Anyway, any suggestions are welcome.

Code:

Sep 16 15:08:41 twodogs postfix/master[32148]: warning: process /usr/libexec/postfix/smtpd pid 32171 exit status 1

Sep 16 15:08:41 twodogs postfix/master[32148]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

Sep 16 15:09:41 twodogs postfix/smtpd[32173]: fatal: bad boolean configuration: smtpd_sasl_auth_enable = yes        smtpd_sasl_security_options = noanonymous        smtpd_sasl_local_domain = twodogs.surginer.net        broken_sasl_auth_clients = yes

Thanks,
Nathan

[thedude]

Thanks for a great tutorial. I have run into a couple of problems tho. At step 13 Now I cannot telnet to localhost 10025 - connection refused. As a matter of fact I cannot get port 25 to open at all, no matter what I do. All other ports are fine. My isp does NOT have it blocked, SElinux is turned off, my router has port 25 turned on, I've entered port 25 in the iptables, etc. etc. I've looked through the forums and have tried many suggestions, but still can't get it opened....

Also now I cannot view the maillog or messages - access denied. (logged in as root)

Also when I do a restart of postfix, shutdown fails, but start is ok...

Interestingly enough, I can send and recieve emails. From an xp box (on local network)with outlook, it sees the smtp and pop3, but can't send a test msg because it can't see the smtp server...??? weird....
Any help or suggestions will be greatly appreciated.

btw - running fc4 with all latest updates. Had to use alot of the fc3 rpm's from dag.weeirs.com for this tutorial, so I'm wondering if there's a compatibility problem?

[snurckle]

were you able to Telnet before? to port 10024?

If so, your problem lies within SpamAssassin/Amavisd-new

Suggest trying the following command.

Code:

service amavisd restart;service spamassassin restart;service postfix restart

additionally, you may want to adjust IPTABLES, you may have the port shut down.

to test to see if your firewall (IPTABLES) is the problem-

Code:

service iptables stop

then try to:

Code:

telnet localhost 10025

turn IPTABLES BACK ON, don't leave yourself open for intruders-

I haven't messed with IPTABLES YET, but you need to add/edit it to open the ports, they are shutdown by default.

There are a few things the original poster forgot to mention about doing this with a clean install of Fedora. But essentially he was right now, you just need to adjust things on your server to allow it to open the 10024/25 ports.

[tmdii2005]

Thanks, nephila,

Your post helps me a lot in building my mail server. I started with a new install of Fedora Core 3, and now I have some questons:

1. I can use 'mail' or 'echo' to send mail to myself. But I can't send mail to myself using squirrelmail's webmail page or any pop3 mail client.

2. I can't receive mails from my yahoo or other mail account.

I'm quite a newbie about Fedora. Can you or any one give me some suggestions?

Thanks a lot.

[snurckle]

POP3 and IMAP are ran using dovecot (in this configuration)

First question I have is- Is Dovecot running?

to check-

service dovecot status

If it is running, restart it, and check the /var/log/messages and /var/log/maillog for an error.
Usually dovecot will stop if there is an error. A good thing to do, in troubleshooting a problem is to open up 2 terminal windows, type:

tail -f /var/log/messages
and
tail -f /var/log/maillog (in the other terminal)

service dovecot restart

and see if either on of those kick out an error on the tail -f xxxx

post your error, and I'll try to help more.

Try trying to connect with your POP3 client as well, if there is a problem connecting, the error will show up as well. You may want to look at your firewall, make sure the port for POP3 or IMAP are open to receive your traffic.

[tmdii2005]

dovecot is running ok. I restarted dovecot, and tried to send a mail to myself in webmail, and got some messages like below.

1. for /var/log/messages:

Mar 26 21:47:13 Server dovecot: dovecot shutdown succeeded
Mar 26 21:47:14 Server dovecot: dovecot startup succeeded
Mar 26 21:49:30 Server kernel: audit(1111891770.517:0): avc: denied { read } for pid=5336 exe=/usr/sbin/httpd name=sh dev=hda2 ino=3342445 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file

2. for /var/log/maillog:

Mar 26 21:47:13 Server dovecot: Killed with signal 15
Mar 26 21:47:14 Server dovecot: Dovecot starting up
Mar 26 21:47:48 Server imap-login: Login: me [127.0.0.1]
Mar 26 21:49:11 Server imap-login: Login: me [127.0.0.1]
Mar 26 21:52:49 Server last message repeated 5 times
Mar 26 21:57:50 Server imap-login: Login: me [127.0.0.1]

I don't know what was wrong. Please give me some advice. Thanks alot.

[snurckle]

Try using Thunderbird or some other POP3/IMAP client to send yourself a message.

/var/log/maillog should have reported getting a message if you sent yourself one. On top of that, I don't see postfix in either of the logs, so it may be something simple- like you didn't start Postfix, or--there was an error when it started so it is locked.

do the tail -f /var/log/maillog and tail -f /var/log/messages (in seperate windows)

just to make sure everything is running copy the following line, and execute on your commandline:

Code:

service dovecot restart;service amavisd restart;service spamassassin restart;service postfix restart

I put the postfix at the end, because I think that's where your problem is. If you send yourself a test message, and it isn't getting back to you...or in this case- you logged in, sent yourself a message, and it didn't show up in /var/log/maillog I suspect postfix has a problem.

post the logfile messages.

[basketkase999]

This a great Walkthrough. I was wondering however if we have to do any dns/bind stuff on the box for the domain name i want to use?

[snurckle]

of course you do. But that's easy as well. Let me know if you need help