ISP-Server Setup - Ubuntu 5.10 "Breezy Badger" - Page 4

Submitted by till on Tue, 2005-10-18 11:50.

MySQL

apt-get install mysql-server mysql-client libmysqlclient12-dev

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

When you run netstat -tap you should now see a line like this:

tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     2449/mysqld

which means that MySQL is accessible on port 3306. You can go to the next section (Postfix). If you do not see this line, edit /etc/mysql/my.cnf and comment out skip-networking:

# skip-networking

If you had to edit /etc/mysql/my.cnf you have to restart MySQL:

/etc/init.d/mysql restart

Postfix

In order to install Postfix with SMTP-AUTH and TLS do the following steps:

apt-get install postfix postfix-tls libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail (1 line!)
dpkg-reconfigure postfix

Answer the installer's questions as follows:

<- Internet Site
<- NONE
<- server1.example.com
<- server1.example.com, localhost.example.com, localhost
<- No
<- 127.0.0.0/8
<- 0
<- +

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = server1.example.com'

The file /etc/postfix/main.cf should now look like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mailbox_command =
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

/etc/init.d/postfix restart
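
The settings above keep smtpd_tls_auth_only = no while smtpd.conf limits mech_list to plain and login, so Postfix offers AUTH on sessions that have not been upgraded with STARTTLS and a client can send its password merely base64-encoded. The check below is an added example, not part of the original howto; the function names get_param and audit_smtp_auth and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this Postfix/SASL configuration accept passwords
# on SMTP sessions that have not been upgraded with STARTTLS?

# Constructed sample input: the relevant settings this howto writes.
MAIN_CF='smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = no'
SMTPD_CONF='pwcheck_method: saslauthd
mech_list: plain login'

# get_param TEXT NAME -> last value assigned to NAME; accepts both
# "name = value" (main.cf) and "name: value" (smtpd.conf) syntax.
get_param() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            sep = match($0, /[=:]/)
            if (!sep) next
            name = substr($0, 1, sep - 1)
            gsub(/[ \t]/, "", name)
            if (name != key) next
            val = substr($0, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            found = val
        }
        END { print found }'
}

# audit_smtp_auth MAIN_CF_TEXT SMTPD_CONF_TEXT -> one finding per line.
audit_smtp_auth() {
    [ "$(get_param "$1" smtpd_sasl_auth_enable)" = "yes" ] ||
        { echo "OK: SMTP AUTH is disabled"; return 0; }
    # Postfix treats an unset smtpd_tls_auth_only as "no".
    [ "$(get_param "$1" smtpd_tls_auth_only)" = "yes" ] &&
        { echo "OK: AUTH is only offered after STARTTLS"; return 0; }
    for m in $(get_param "$2" mech_list | tr 'a-z' 'A-Z'); do
        case "$m" in
            PLAIN|LOGIN) echo "WARN: $m offered without TLS; password is only base64-encoded" ;;
            *) echo "INFO: $m offered without TLS" ;;
        esac
    done
}

audit_smtp_auth "$MAIN_CF" "$SMTPD_CONF"
```

Running postconf -e 'smtpd_tls_auth_only = yes' makes Postfix withhold AUTH until the session is encrypted, which turns both warnings into the OK line.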

Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:

mkdir -p /var/spool/postfix/var/run/saslauthd
rm -fr /var/run/saslauthd

Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Remove # in front of START=yes and add the line PARAMS="-m /var/spool/postfix/var/run/saslauthd":

# This needs to be uncommented before saslauthd will be run automatically
START=yes

PARAMS="-m /var/spool/postfix/var/run/saslauthd"

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="pam"

Finally we have to edit /etc/init.d/saslauthd. Change the line

dir=`dpkg-statoverride --list $PWDIR`

to

#dir=`dpkg-statoverride --list $PWDIR`

Then change the variables PWDIR and PIDFILE and add the variable dir at the beginning of the file:

PWDIR="/var/spool/postfix/var/run/${NAME}"
PIDFILE="${PWDIR}/saslauthd.pid"
dir="root sasl 755 ${PWDIR}"

/etc/init.d/saslauthd should now look like this:

#!/bin/sh -e

NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd
PWDIR="/var/spool/postfix/var/run/${NAME}"
PIDFILE="${PWDIR}/saslauthd.pid"
dir="root sasl 755 ${PWDIR}"

createdir() {
    # $1 = user
    # $2 = group
    # $3 = permissions (octal)
    # $4 = path to directory
    [ -d "$4" ] || mkdir -p "$4"
    chown -c -h "$1:$2" "$4"
    chmod -c "$3" "$4"
}

test -f "${DAEMON}" || exit 0

# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
    . "${DEFAULTS}"
fi

# If we're not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
    exit 0
fi

# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
    echo "You need to configure ${DEFAULTS} with mechanisms to be used"
    exit 0
fi

# Add our mechanisms with the necessary flag
PARAMS="${PARAMS} -a ${MECHANISMS}"

START="--start --quiet --pidfile ${PIDFILE} --startas ${DAEMON} --name ${NAME} -- ${PARAMS}"

# Consider our options
case "${1}" in
    start)
        echo -n "Starting ${DESC}: "
        #dir=`dpkg-statoverride --list $PWDIR`
        test -z "$dir" || createdir $dir
        if start-stop-daemon ${START} >/dev/null 2>&1 ; then
            echo "${NAME}."
        else
            if start-stop-daemon --test ${START} >/dev/null 2>&1; then
                echo "(failed)."
                exit 1
            else
                echo "${DAEMON} already running."
                exit 0
            fi
        fi
        ;;
    stop)
        echo -n "Stopping ${DESC}: "
        if start-stop-daemon --stop --quiet --pidfile "${PIDFILE}" \
            --startas ${DAEMON} --retry 10 --name ${NAME} \
            >/dev/null 2>&1 ; then
            echo "${NAME}."
        else
            if start-stop-daemon --test ${START} >/dev/null 2>&1; then
                echo "(not running)."
                exit 0
            else
                echo "(failed)."
                exit 1
            fi
        fi
        ;;
    restart|force-reload)
        $0 stop
        exec $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0

Now start saslauthd:

/etc/init.d/saslauthd start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server, type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system's shell.
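
The manual check above can be scripted against a captured EHLO reply. This is an added example, not part of the original howto; the function names and the sample reply are constructed, and the 250-AUTH= line is the legacy form Postfix adds when broken_sasl_auth_clients = yes.

```shell
#!/bin/sh
# Added example: check a captured EHLO reply for the two capabilities
# the howto looks for by eye.

# Constructed sample reply, shaped like the one this setup returns.
EHLO_REPLY='250-server1.example.com
250-PIPELINING
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME'

# ehlo_caps REPLY -> one "KEYWORD params" line per advertised extension.
# "250-" marks a continuation line, "250 " the last line of the reply;
# the first 250 line is the server greeting, not an extension.
ehlo_caps() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        /^250[- ]/ {
            if (++n == 1) next
            line = substr($0, 5)
            sub(/^[Aa][Uu][Tt][Hh]=/, "AUTH ", line)   # legacy "AUTH=" form
            split(line, f, " ")
            out = toupper(f[1])
            rest = toupper(substr(line, length(f[1]) + 2))
            if (rest != "") out = out " " rest
            print out
        }'
}

# ehlo_mechs REPLY -> sorted, de-duplicated SASL mechanisms, space separated.
ehlo_mechs() {
    ehlo_caps "$1" | awk '$1 == "AUTH" { for (i = 2; i <= NF; i++) print $i }' |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

# ehlo_ok REPLY -> exit status 0 only if both STARTTLS and AUTH are advertised.
ehlo_ok() {
    caps=$(ehlo_caps "$1")
    printf '%s\n' "$caps" | grep -q '^STARTTLS$' &&
        printf '%s\n' "$caps" | grep -q '^AUTH '
}

ehlo_ok "$EHLO_REPLY" && echo "STARTTLS and AUTH offered: $(ehlo_mechs "$EHLO_REPLY")"
```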

Courier-IMAP/Courier-POP3

Install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (for POP3s on port 995).

apt-get install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0 (one line!)

<- No
<- OK

Then configure Postfix to deliver emails to a user's Maildir:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='

/etc/init.d/postfix restart

Please make sure to enable Maildir under Management -> Settings -> EMail in the ISPConfig web interface.


Submitted by Anonymous (not registered) on Sun, 2006-02-26 22:10.

Kudos on the setup with postfix and sasl/pam. Very clean. I've got a couple of suggestions/comments based on my experience with this.

If you're like me and want to script everything, you can replace the last few steps that are done with an editor with these sed scripts:

sed -i 's/# START=yes/START=yes\nPARAMS="-m \/var\/spool\/postfix\/var\/run\/saslauthd"/g' /etc/default/saslauthd
sed -i 's/dir=/# dir=/g' /etc/init.d/saslauthd
sed -i 's/PWDIR=\/var\/run\/saslauthd/PWDIR=\/var\/spool\/postfix\/var\/run\/saslauthd/g' /etc/init.d/saslauthd
sed -i 's/PIDFILE="\/var\/run\/${NAME}\/saslauthd.pid"/PIDFILE="${PWDIR}\/saslauthd.pid"\ndir="root sasl 755 ${PWDIR}"/g' /etc/init.d/saslauthd

I'm not totally sure about the wisdom of changing a script in /etc/init.d, but it works for now. :-)


I used this setup to convert from an RPM-based distro (Mandriva) to Ubuntu. In the process, we had to figure out how to switch from UW-IMAP to Courier. There are some great tools to help. I recommend mb2md.pl. It's actively maintained, easy to use, and works great. We converted several mailboxes without any problems.

One other note: In the process of conversion, I couldn't tell for sure if everything was working ok because I was getting a "could not open mailbox" error back from my mail client. You can test the pieces quite easily to find errors. To test SASL, do the following:

testsaslauthd -u username -p password -f /var/spool/postfix/var/run/saslauthd/mux

If SASL is working ok, then you can telnet into postfix to verify it. Look at this page under the "testing" section. If you don't have mimencode, try this:

perl -MMIME::Base64 -e 'print encode_base64("username_or_password");'

Thanks so much for a great piece of work on this setup page.

Submitted by Anonymous (not registered) on Tue, 2006-01-24 12:19.

I can't understand what this means:

<- Internet Site

<- NONE

<- server1.example.com

<- server1.example.com, localhost.example.com, localhost

<- No

<- 127.0.0.0/8

<- 0

<- +

Submitted by admin (registered user) on Tue, 2006-01-24 12:28.
The installer will ask you several questions after you have executed the command above these lines, and these are the answers.
Submitted by Anonymous (not registered) on Fri, 2006-01-20 08:21.

How do I test whether this postfix & courier-imap can work properly?

Does it support virtual hosts?

Submitted by admin (registered user) on Fri, 2006-01-20 08:27.

This setup uses System users, not virtual users. But you can manage the accounts and hosts easily with ISPConfig.

To test the setup, create a site and email account in ISPConfig and send yourself an email with the UebiMiau webmail package (available on the ISPConfig downloads page) or with an email client like Thunderbird or Outlook.

Submitted by Anonymous (not registered) on Wed, 2005-11-23 05:10.

when I typed

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

I got 'openssl command not found'

little help

Submitted by Anonymous (not registered) on Wed, 2005-11-23 22:14.
apt-get install openssl
Submitted by Anonymous (not registered) on Mon, 2005-11-21 18:41.

Quote from tutorial

<- Internet Site
<- NONE
<- server1.example.com
<- server1.example.com, localhost.example.com, localhost
<- No
<- 127.0.0.0/8
<- 0
<- +

You are missing a step here.

<- Internet Site
<- NONE
<- server1.example.com
<- server1.example.com, localhost.example.com, localhost
<- No
<- 127.0.0.0/8

<- Yes/No


<- 0
<- +


Submitted by Anonymous (not registered) on Tue, 2006-01-03 00:12.
It's your choice where you want your root mail to go and how it's going to get there.... You can also change it in ISPConfig....
Submitted by Anonymous (not registered) on Sat, 2005-11-05 02:54.

I was following the guide just copying and pasting and thus made the mistake of setting...

mysqladmin -u root password yourrootsqlpassword
How do I change the mysqladmin root password?

Submitted by admin (registered user) on Sat, 2005-11-05 13:30.

Must be something like

mysqladmin -u root -pyourrootsqlpassword password new_password

(note: there's no space between -p and the password!).

Run

man mysqladmin

to find out more.

Submitted by Anonymous (not registered) on Fri, 2005-11-04 15:10.

ok everything going smooth from on DMZ on my Smoothwall.

Now can you tell me where I am supposed to do this --->

Please go sure to enable Maildir under Management -> Settings -> EMail in the ISPConfig web interface

I have no idea???

Submitted by Anonymous (not registered) on Wed, 2006-01-11 01:52.
That's a very confusing way to end this page of the howto. It turns out that you install ISPConfig on the very last page of the howto. It'd be very nice if the author would include alternate instructions for those of us who don't intend to install ISPConfig.
Submitted by admin (registered user) on Wed, 2006-01-11 13:16.

The howto does not end on page 4 where you entered this comment, it ends on page 6 after the setup of ISPConfig.

There are no alternate instructions necessary, just don't install ISPConfig if you don't want to use it. The complete ISPConfig setup is described on page 6, so just skip this page.
Submitted by Anonymous (not registered) on Wed, 2006-01-11 01:31.
Interesting. I don't see anywhere in this howto that says to install ISPConfig. Maybe it's installed by default by Ubuntu? I wonder what port ISPConfig uses? I'm investigating now.
Submitted by admin (registered user) on Wed, 2006-01-11 13:17.
The ISPConfig setup is described on page 6 of the howto.
Submitted by Anonymous (not registered) on Tue, 2005-11-01 23:41.

There is no mention that apt-get generates the needed certificates for pop3-ssl and imap-ssl using generic data. To generate the correct certificates for courier do the following steps:

1. cd /etc/courier

2. Remove old certificates: rm *.pem

3. Edit pop3d.cnf and imapd.cnf with your information.

5. Generate both certificates with mkpop3dcert, and mkimapdcert

Submitted by Anonymous (not registered) on Fri, 2005-10-28 01:06.

there is a small typo on page 3 it is in the config of postfix

postconf -e 'smtpd_recipient_restrictions =

should read postconf -e 'smtpd_recipient_restrictions ='

Submitted by admin (registered user) on Fri, 2005-10-28 09:11.
No, the command continues in the next line...