For our system, we'll use the Postfix mail transport agent (MTA); Dovecot, a secure, open source IMAP and POP3 server for Linux/Unix-like systems; SquirrelMail, a standards-based Webmail package written in PHP 4; SpamAssassin, a powerful open source spam filter; and ClamAV, a GPLed virus scanner. To tie everything together we'll use amavisd-new, a high-performance interface between MTAs and content checkers such as virus scanners and spam filters.
The system will be configured so that users will have POP, secure POP, IMAP, and secure IMAP (IMAPS) access, and will also be able to access their email from the Web using SquirrelMail. Every email sent or received will be scanned for viruses and checked for possible spam content.
The email applications will run on Fedora Core 4 and Red Hat Enterprise Linux Advanced Server 4.
To install the packages for this project we will use the Yellow Dog Updater, Modified (Yum). In order to get all the packages that you need, make sure you have the Fedora Extras repository (/etc/yum.repos.d/fedora-extras.repo; it's included in the distribution and enabled by default) and Dries repository enabled and configured. You will need both repositories in order to install all the packages needed.
To begin, you'll want to make sure your system is up-to-date. Run
yum update if you haven't already.
Now configure the Dries repository for use by creating a file called /etc/yum.repos.d/dries.repo, with the following entries:
[dries] name=Extra Fedora rpms dries - $releasever - $basearch baseurl=http://ftp.belnet.be/packages/dries.ulyssis.org/fedora/linux/$releasever/$basearch/dries/RPMS/ enabled=1 gpgcheck=1
Next, install the GPG key for this repository:
rpm --import http://dries.ulyssis.org/rpm/RPM-GPG-KEY.dries.txt
Now that you have the repositories ready, you can install the packages that we need:
yum install postfix dovecot spamassassin squirrelmail clamav clamav-server clamav-update clamav-lib clamav-data amavisd-new
Wait until all the packages and dependencies are installed.
By default, Fedora and Red Hat distributions come with sendmail set as the MTA for the system. You can check or change the default MTA with the system-switch-mail utility. If you don't have it installed yet, install it now:
yum install system-switch-mail system-switch-mail-gnome
Simply run the
system-switch-mail tool and select Postfix as your default MTA.
Now that you have all the necessary applications and tools installed, it's time to configure them to work together.
Setting up Postfix
To configure Postfix, edit the main Postfix configuration file /etc/postfix/main.cf and change these entries as follows:
#This is your fully qualified domain name (FQDN): myhostname = mail.srv.dyndns.org #myorigin specifies the default domain name that is appended myorigin = $mydomain #By the parameter "all" we allow the connections to our server # from anywhere, not only from localhost inet_interfaces = all #The mydestination parameter specifies the list of domains that #this machine considers itself the final destination for. mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost #Reject the unknown users local_recipient_maps = unix:passwd.byname $alias_maps #With this parameter we make sure that our server won't be an open relay server mynetworks_style = host
The configuration file is well commented, so if you need more info about the configuration, dig into it. For even more information on Postfix, see the Postfix.org documentation.
Next, start the Postfix service with the command
service postfix start. Also make sure the service is automatically started at boot time:
chkconfig postfix on
Setting up Dovecot
Now it's time to set up Dovecot. Edit the Dovecot config file, /etc/dovecot.conf, to suit your needs. In this case we want to enable POP3, secure POP3, IMAP, and secure IMAP services as shown:
protocols = imap imaps pop3 pop3s imap_listen = * pop3_listen = * imaps_listen = * pop3s_listen = *
After that's done, start the Dovecot service and make sure that it's started at boot time:
service dovecot start
chkconfig dovecot on
Setting up Squirrelmail
In order to be able to use webmail, you need to have Apache's httpd service up and running. It shouldn't be necessary to do any extra configuring of httpd config file for this task, so you can just use it as is. Start the service and make sure it's started at boot time:
service httpd start
chkconfig httpd on
The installation of Squirrelmail will not change your httpd.conf file. Instead, Squirrelmail creates the file squirrelmail.conf in /etc/httpd/conf.d. This file links the /webmail/ virtual folder to the actual Squirrelmail folder installation located at /usr/share/squirrelmail.
Edit the /usr/share/squirrelmail/config/config.php file and change the
domain$ variable to match your domain name, in order to make the
from-domain setting (when sending email from Web) correct. For our server, it looks like this:
$domain = 'srv.dyndns.org';
To test webmail, go to http://localhost/webmail/ or http://your_domain_name/webmail/ and log in to check your email and send a few test messages.
Blocking spam and viruses
SpamAssassin is configured right out of the box when you install it, so you shouldn't need to change anything here. However, to reduce the chance that a false positive will tag known addresses, you can whitelist addresses. The file /etc/mail/spammassassin/local.cf should list known email addresses, in a format similar to:
whitelist_from firstname.lastname@example.org whitelist_from email@example.com
Spamassassin will be called by
amavisd-new, so we don't need to configure the SpamAssassin daemon to start at boot time.
To block viruses, we need to configure ClamAV to connect daily to an Internet-based antivirus database and fetch new virus definitions. You need to have a cron daemon running in order for ClamAV to fetch the virus definitions.
First, edit /etc/sysconfig/freshclam and comment out the following line:
#FRESHCLAM_DELAY=disabled-warn # REMOVE ME
Next, edit /etc/freshclam.conf and change the antivirus database to the closest mirror to your location:
#Example DatabaseMirror db.de.clamav.net
You can see a list of available mirrors here.
To test ClamAV, run the
clamscan command in your home folder. The AV client should check your home directory and subdirectories for viruses. Since you are running this check on a Linux box for local files, I'm pretty sure ClamAV won't find any viruses on your machine.
To test updating the virus definitions, run
Setting up amavisd-new
Now we'll set up amavisd-new. The user amavis is automatically created at amavisd-new install time, but we still need to create the following directories and make sure the owner is amavis, as shown below:
mkdir /var/run/amavis mkdir /var/run/clamav chown amavis /var/run/amavis chown amavis /var/run/clamav
You may leave the group permissions of the folders set to root. Copy the sample config file to /etc:
cp /usr/share/doc/clamav-server-X.XX.X/clamd.conf /etc/clamd.conf
X.XX.X with the version you're using. Then, make the following changes to your /etc/clamd.conf file:
#Example User amavis #TCPSocket 3310 #PidFile /var/run/clamd.<SERVICE>/clamd.pid #LocalSocket /var/run/clamd.<SERVICE>/clamd.sock
After making the changes, start the service with
service amavisd start, and set it to start at boot with
chkconfig amavisd on.
Now, test your configuration to see that everything works. Telnet to port 10024 and you should see something like this:
[root@mail ~]# telnet localhost 10024 Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. 220 [127.0.0.1] ESMTP amavisd-new service ready quit 221 2.0.0 [127.0.0.1] amavisd-new closing transmission channel Connection closed by foreign host.
If you are able to telnet to port 10024 and you are greeted by amavisd-new, you've done a good job and you may continue with the configuration. If you're unable to connect to that port, make sure the amavisd service is running, and look for errors in /var/log/messages.
Additional Postfix configuration
Once amavisd is configured and working correctly, you need to configure Postfix so it knows how to communicate with amavisd-new. Copy the following lines to the bottom of your existing /etc/postfix/master.cf file:
smtp-amavis unix - - y - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20
127.0.0.1:10025 inet n - y - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks_style=host -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
You can find more information how this work in the amavisd documentation in your /usr/share/doc folder. For example, since we're running amavisd 2.3.3, we would check the /usr/share/doc/amavisd-new-2.3.3/README.postfix file.
Save the file and reload the Postfix service, then test it by using telnet to connect to port 10025:
[root@mail ~]# telnet localhost 10025 Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. 220 mail.srv.dyndns.org ESMTP Postfix quit 221 Bye Connection closed by foreign host.
If this works for you, you have a working configuration, and you are ready to make the final changes to Postfix.
Add this line to the end of /etc/postfix/main.cf:
content_filter = smtp-amavis:[127.0.0.1]:10024
Once you've done this, Postfix will send all incoming and outgoing mail directly through the content filter that you configured earlier.
All you have to do now is send yourself some clean email messages and some spam, junk, and viruses, and see what's happening on your mail server. You can find sample messages with spam and virus content in /usr/share/doc/amavisd-new-X.X.X/test-messages folder. The best way to see in real time what is going on your mail server is to watch /var/log/maillog for entries using
tail -f /var/log/maillog.
That's all you need to do to configure Postfix and the helper applications to provide antivirus, spam filtering, webmail, POP, and IMAP access. Enjoy your new mail server!