Virtual Users And Domains With Postfix, Courier And MySQL (Fedora 8)

Submitted by falko (Contact Author) (Forums) on Sun, 2007-11-18 18:00. :: Anti-Spam/Virus | Fedora | Postfix

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 11/14/2007

This tutorial is Copyright (c) 2007 by Falko Timme. It is derived from a tutorial from Christoph Haas which you can find at http://workaround.org. You are free to use this tutorial under the Creative Commons license 2.5 or any later version.

This document describes how to install a Postfix mail server that uses virtual users and domains, i.e. users and domains that live in a MySQL database rather than in the system's password file. I'll also demonstrate the installation and configuration of Courier (Courier-POP3, Courier-IMAP) so that Courier authenticates against the same MySQL database Postfix uses.

The resulting Postfix server is capable of SMTP-AUTH, TLS and quota (quota is not built into Postfix by default; I'll show how to patch your Postfix appropriately). Passwords are stored in the database in encrypted form rather than as plain text (most documents I found dealt with plain-text passwords, which is a security risk: anyone who can read the table gets every mailbox password). In addition, this tutorial covers the installation of Amavisd, SpamAssassin and ClamAV so that emails are scanned for spam and viruses.

The advantage of such a "virtual" setup (virtual users and domains in a MySQL database) is that it performs far better than a setup based on "real" system users: with this virtual setup your mail server can handle thousands of domains and users. It is also easier to administer, because adding or editing users and domains means nothing more than changing rows in the MySQL database: no more postmap commands to create db files, no more reloading of Postfix, etc. For the administration of the MySQL database you can use web-based tools like phpMyAdmin, which will also be installed in this howto. The third advantage is that users have their email address as user name (instead of a separate user name plus an email address), which is easier to understand and to remember.

This tutorial is based on Fedora 8 (i386). You should already have set up a basic Fedora system, as described here: http://www.howtoforge.com/fedora-8-server-lamp-email-dns-ftp-ispconfig and http://www.howtoforge.com/fedora-8-server-lamp-email-dns-ftp-ispconfig-p2. Plus, you should make sure that the firewall is off (at least for now; re-enable it once the setup works, opening only the ports you actually serve) and that SELinux is disabled, as shown in chapters six and seven on http://www.howtoforge.com/fedora-8-server-lamp-email-dns-ftp-ispconfig-p3. The rest of this howto assumes SELinux is disabled; if you would rather keep it enforcing, expect to write local policy modules for the Postfix and Courier domains from the denials logged in /var/log/audit/audit.log (a reader describes that procedure in the comments at the end of this page).

This howto is meant as a practical guide; it does not cover the theoretical background, which is treated in a lot of other documents on the web.

This document comes without warranty of any kind! This is not the only way of setting up such a system; there are many ways of achieving this goal, but this is the way I take. I do not guarantee that this will work for you!

 

1 Edit /etc/hosts

Our hostname in this example is server1.example.com, and it has the IP address 192.168.0.100, so we change /etc/hosts as follows:

vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
192.168.0.100           server1.example.com server1
::1             localhost6.localdomain6 localhost6

 

2 Install Some Software

First we import the GPG keys for software packages:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

Then we update our existing packages on the system:

yum update

Now we install some software that we need later on:

yum groupinstall 'Development Tools'

yum groupinstall 'Development Libraries'

 

3 Install Apache, MySQL, phpMyAdmin

This can all be installed with one single command (including the packages we need to build Courier-IMAP):

yum install ntp httpd mysql-server php php-mysql php-mbstring rpm-build gcc mysql-devel openssl-devel cyrus-sasl-devel pkgconfig zlib-devel phpMyAdmin pcre-devel openldap-devel postgresql-devel expect libtool-ltdl-devel openldap-servers libtool gdbm-devel pam-devel gamin-devel

 

4 Install Courier-IMAP, Courier-Authlib, And Maildrop

Unfortunately there are no rpm packages for Courier-IMAP, Courier-Authlib, and Maildrop, therefore we have to install them as described in this tutorial: How To Install courier-imap, courier-authlib, And maildrop On Fedora, RedHat, CentOS

 

5 Apply Quota Patch To Postfix

We have to get the Postfix source rpm, patch it with the quota patch, build a new Postfix rpm package and install it. Since the source rpm is signed, check its GPG signature with rpm's --checksig option against the Fedora key imported in chapter 2 before unpacking it; the vda patch is fetched from its project site over plain HTTP, so take it from the URL given here and nowhere else.

cd /usr/src
wget http://ftp-stud.fht-esslingen.de/pub/Mirrors/fedora/linux/releases/8/Fedora/source/SRPMS/postfix-2.4.5-2.fc8.src.rpm
rpm -ivh postfix-2.4.5-2.fc8.src.rpm

The last command will show some warnings that you can ignore:

warning: user kojibuilder does not exist - using root
warning: group kojibuilder does not exist - using root

cd /usr/src/redhat/SOURCES
wget http://vda.sourceforge.net/VDA/postfix-2.4.5-vda-ng.patch.gz
gunzip postfix-2.4.5-vda-ng.patch.gz
cd /usr/src/redhat/SPECS/

Now we must edit the file postfix.spec:

vi postfix.spec

Change %define MYSQL 0 to %define MYSQL 1, add Patch0: postfix-2.4.5-vda-ng.patch to the # Patches stanza, and finally add %patch0 -p1 -b .vda-ng to the %setup -q stanza:

[...]
%define MYSQL 1
[...]
# Patches

Patch0: postfix-2.4.5-vda-ng.patch
Patch1: postfix-2.1.1-config.patch
Patch3: postfix-alternatives.patch
Patch6: postfix-2.1.1-obsolete.patch
Patch7: postfix-2.1.5-aliases.patch
Patch8: postfix-large-fs.patch
Patch9: postfix-2.4.0-cyrus.patch
Patch10: postfix-2.4.5-open_define.patch
[...]
%prep
%setup -q
# Apply obligatory patches
%patch0 -p1 -b .vda-ng
%patch1 -p1 -b .config
%patch3 -p1 -b .alternatives
%patch6 -p1 -b .obsolete
%patch7 -p1 -b .aliases
%patch8 -p1 -b .large-fs
%patch9 -p1 -b .cyrus
%patch10 -p1 -b .open_define
[...]
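The three spec edits above are easy to get subtly wrong by hand (a stray space in "%define MYSQL 0" and the build quietly produces a Postfix without MySQL support). The following script is an added example, not part of the original howto or of the Fedora package: it applies the edits with awk and then refuses to go on unless each one is present exactly once. It assumes the patch file name used in this chapter and a spec that contains the lines "%define MYSQL 0", "# Patches" and "%setup -q" as shown above; the spec it dry-runs against is a constructed stub, not the real postfix.spec.

```shell
#!/bin/sh
# Added example, not part of the original howto: script the three postfix.spec
# edits from this chapter and verify each one landed before running rpmbuild.
# Assumes the howto's patch file name and a spec containing the lines
# "%define MYSQL 0", "# Patches" and "%setup -q" (as shown above).

PATCH_NAME="postfix-2.4.5-vda-ng.patch"

# patch_spec SPECFILE: rewrite the spec in place, keeping SPECFILE.orig.
#   %define MYSQL 0      ->  %define MYSQL 1
#   after "# Patches"    add  Patch0: <patch file>
#   after "%setup -q"    add  %patch0 -p1 -b .vda-ng
patch_spec() {
    spec="$1"
    cp "$spec" "$spec.orig" || return 1
    awk -v patch="$PATCH_NAME" '
        /^%define MYSQL 0$/ { print "%define MYSQL 1"; next }
        { print }
        /^# Patches$/ { print "Patch0: " patch }
        /^%setup -q$/ { print "%patch0 -p1 -b .vda-ng" }
    ' "$spec.orig" > "$spec"
}

# check_spec SPECFILE: succeed only if each edit is present exactly once, so a
# pattern that silently failed to match (or a double application) is caught
# before you spend the build time and end up with an unpatched rpm.
check_spec() {
    spec="$1"
    [ "$(grep -c '^%define MYSQL 1$' "$spec")" = 1 ] &&
    [ "$(grep -c "^Patch0: $PATCH_NAME\$" "$spec")" = 1 ] &&
    [ "$(grep -c '^%patch0 -p1 -b \.vda-ng$' "$spec")" = 1 ]
}

# make_sample_spec FILE: constructed, cut-down spec carrying just the lines the
# edits key on (sample data for a dry run, not the real Fedora postfix.spec).
make_sample_spec() {
    cat > "$1" <<'EOF'
%define MYSQL 0
Name: postfix
# Patches

Patch1: postfix-2.1.1-config.patch
%prep
%setup -q
# Apply obligatory patches
%patch1 -p1 -b .config
EOF
}

# Dry run on the sample. On the real box:
#   patch_spec /usr/src/redhat/SPECS/postfix.spec \
#     && check_spec /usr/src/redhat/SPECS/postfix.spec \
#     && rpmbuild -ba /usr/src/redhat/SPECS/postfix.spec
demo() {
    tmp=$(mktemp -d) && make_sample_spec "$tmp/postfix.spec"
    patch_spec "$tmp/postfix.spec" && check_spec "$tmp/postfix.spec" \
        && { diff -u "$tmp/postfix.spec.orig" "$tmp/postfix.spec" || true; }
    rm -rf "$tmp"
}
```

Running check_spec a second time after a second patch_spec fails on purpose: the Patch0 line would then appear twice, and rpmbuild would apply the patch twice and abort with rejected hunks, so the check is also a guard against re-running the script on an already edited spec.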

Then we build our new Postfix rpm package with quota and MySQL support:

rpmbuild -ba postfix.spec

You will see lots of warnings like these that you can ignore:

msg.h:12:1: warning: "/*" within comment
msg.h:14:1: warning: "/*" within comment
msg.h:33:1: warning: "/*" within comment
msg.h:34:1: warning: "/*" within comment
msg.h:35:1: warning: "/*" within comment
msg.h:36:1: warning: "/*" within comment

Our Postfix rpm package is created in /usr/src/redhat/RPMS/i386, so we go there:

cd /usr/src/redhat/RPMS/i386

The command

ls -l

shows you the available packages:

[root@server1 i386]# ls -l
total 11604
-rw-r--r-- 1 root root 3899179 2007-11-13 22:26 postfix-2.4.5-2.fc8.i386.rpm
-rw-r--r-- 1 root root 7907114 2007-11-13 22:26 postfix-debuginfo-2.4.5-2.fc8.i386.rpm
-rw-r--r-- 1 root root   50804 2007-11-13 22:26 postfix-pflogsumm-2.4.5-2.fc8.i386.rpm
[root@server1 i386]#

Pick the Postfix package and install it like this:

rpm -ivh postfix-2.4.5-2.fc8.i386.rpm

(In case you have problems creating the Postfix rpm package, you can download mine from here.)

 

6 Set MySQL Passwords And Configure phpMyAdmin

Start MySQL:

chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start

Then set a password for the MySQL root account, once for root@localhost (the first command connects over the socket) and once for root@server1.example.com (the second connects over TCP, so MySQL sees the host name). Both commands put the password on the command line, where it ends up in your shell history and is briefly visible in the process list, so clear the history afterwards:

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

Now we configure phpMyAdmin. By default the Apache configuration allows connections only from localhost; we open it up by commenting out the <Directory /usr/share/phpMyAdmin/> stanza. Be aware that this exposes phpMyAdmin, and with it the MySQL root login, to every host that can reach port 80 of the server (the comment in the file itself warns about this). If you only need it from an administrative workstation or network, keep the stanza and widen its allow from line to those addresses instead of removing the restriction altogether, and put it behind HTTPS:

vi /etc/httpd/conf.d/phpMyAdmin.conf

# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL

Alias /phpMyAdmin /usr/share/phpMyAdmin
#<Directory /usr/share/phpMyAdmin/>
#   order deny,allow
#   deny from all
#   allow from 127.0.0.1
#</Directory>

# This directory does not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
<Directory /usr/share/phpMyAdmin/libraries>
    Order Deny,Allow
    Deny from All
    Allow from None
</Directory>

# This configuration prevents mod_security at phpMyAdmin directories from
# filtering SQL etc.  This may break your mod_security implementation.
#
#<IfModule mod_security.c>
#    <LocationMatch "/phpMyAdmin/(.+)">
#        SecFilterInheritance Off
#    </LocationMatch>
#</IfModule>
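If you want phpMyAdmin reachable from an administrative network rather than from everywhere, the stanza to keep (instead of commenting it out) looks like this. This is an added example, not part of the original howto or of the phpMyAdmin package: the 192.168.0.0/24 network is an assumption (it is the network the howto's server lives on), and the SSLRequireSSL line only takes effect once the mod_ssl package and a certificate are set up, which this page does not cover; the IfModule wrapper keeps Apache starting until then.

```apache
# Added example (not from the original howto): keep the access control,
# but admit the admin network as well as localhost. Apache 2.2 syntax,
# matching the rest of /etc/httpd/conf.d/phpMyAdmin.conf.
<Directory /usr/share/phpMyAdmin/>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    # assumption: the admin workstations sit on the server's own LAN
    Allow from 192.168.0.0/24
    # refuse plain-HTTP logins once mod_ssl is installed and configured
    <IfModule mod_ssl.c>
        SSLRequireSSL
    </IfModule>
</Directory>
```

After changing the file, check it with apachectl configtest before restarting Apache; the result of a typo in an access-control stanza is either a locked-out admin or a wide-open phpMyAdmin.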

Then we create the system startup links for Apache and start it:

chkconfig --levels 235 httpd on
/etc/init.d/httpd start

Now you can direct your browser to http://server1.example.com/phpMyAdmin/ or http://192.168.0.100/phpMyAdmin/ and log in with the user name root and your new root MySQL password.


Submitted by Slawek (not registered) on Wed, 2008-09-17 09:16.

You don't have to disable SELinux!

I found help here:
http://wiki.centos.org/HowTos/SELinux

I had problems while configuring postfix + mysql + courier-imap
(elements: postfix_virtual_t, courier_authdaemon_t, postfix_smtpd_t)

You do have to analyze the logs: /var/log/messages and /var/log/audit/audit.log
You have to make sure that it isn't a file permission problem.
You have to make sure that it isn't an SELinux file context problem.

  1. after the problem occurs, check the logs:
    tail /var/log/messages
    and find:
    setroubleshoot: SELinux is preventing xxxx (<element>) .... For complete SELinux messages. run sealert -l <alert_identifier>
    e.g. <element> = postfix_virtual_t
  2. create an SELinux policy module:
    grep <element> /var/log/audit/audit.log | audit2allow -M <module_name>
    e.g.
    grep postfix_virtual_t /var/log/audit/audit.log | audit2allow -M postfixvirtual
    this creates two files: .te (text version of the module) and .pp (the module)
  3. display and check the .te file
    e.g.
    cat postfixvirtual.te
  4. if it is ok, load the module:
    semodule -i postfixvirtual.pp
  5. test if it works; if not, go back to step 1 and repeat (I had to do it 3 times for every element)
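Step 3 of the procedure above (read the .te before loading it) is the step people skip, and audit2allow will happily generate an allow rule for whatever was denied, including reads of /etc/shadow. The following script is an added example, not part of the page or of the comment above: it condenses the AVC records for one domain into the (source type, target type, class, permission) tuples audit2allow would turn into rules, and flags the ones you should not accept just because they were requested. The audit lines it dry-runs against are constructed for the example, not captured from a real server; on a real box point it at /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example, not part of the howto or of the comment above: before loading
# an audit2allow-generated module, list exactly what it would allow and flag
# the rules you should not accept blindly. Works on /var/log/audit/audit.log.

# avc_summary LOG DOMAIN: one line per distinct
#   "<source type> <target type> <class> <permission>"
# denied for processes running in DOMAIN (e.g. postfix_smtpd_t). These are
# the tuples audit2allow turns into allow rules; duplicates are collapsed.
avc_summary() {
    awk -v dom="$2" '
        /^type=AVC / && /denied/ {
            s = t = c = perms = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
                else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
                else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
            }
            if (s != dom) next
            # the denied permissions are listed between "{" and "}"
            if (match($0, /[{][^}]*[}]/))
                perms = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) seen[s " " t " " c " " p[j]] = 1
        }
        END { for (k in seen) print k }
    ' "$1" | sort
}

# avc_flag_risky < summary: echo the tuples that would give the daemon access
# to password hashes (shadow_t) or powerful capabilities / executable memory.
# Exit 1 if any were found, so it can gate "semodule -i" in a script.
avc_flag_risky() {
    awk '
        $2 == "shadow_t" ||
        $4 ~ /^(sys_admin|dac_override|dac_read_search|sys_module|execmem|execmod|execstack)$/ {
            print "RISKY: " $0; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# write_sample_audit FILE: constructed AVC records in audit.log format for a
# dry run (sample data made up for this example, not captured from a real box).
write_sample_audit() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1221638400.101:40): avc:  denied  { write } for  pid=2345 comm="smtpd" name="mysql.sock" dev=sda1 ino=12345 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1221638400.102:41): avc:  denied  { connectto } for  pid=2345 comm="smtpd" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1221638400.103:42): avc:  denied  { write } for  pid=2345 comm="smtpd" name="mysql.sock" dev=sda1 ino=12345 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1221638400.104:43): avc:  denied  { read } for  pid=2401 comm="authdaemond" name="shadow" dev=sda1 ino=777 scontext=system_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1221638400.104:43): arch=40000003 syscall=5 success=no exit=-13 comm="authdaemond"
EOF
}

# Dry run on the sample; on a real box use /var/log/audit/audit.log instead.
demo() {
    log=$(mktemp) && write_sample_audit "$log"
    for dom in postfix_smtpd_t courier_authdaemon_t; do
        echo "== $dom"
        sum=$(avc_summary "$log" "$dom")
        printf '%s\n' "$sum"
        printf '%s\n' "$sum" | avc_flag_risky \
            || echo "   -> review the .te by hand before semodule -i"
    done
    rm -f "$log"
}
```

In the sample, the postfix_smtpd_t denials reduce to two tuples (write on the MySQL socket file and connectto on the mysqld socket), which are exactly what Postfix needs to talk to MySQL. The courier_authdaemon_t denial is a read of shadow_t: with authentication coming from MySQL the daemon has no business reading /etc/shadow, so that one points at a configuration problem to fix rather than a rule to add.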
Submitted by jpieper (registered user) on Wed, 2008-08-27 19:19.

I also needed to install cyrus-sasl:

yum -y install cyrus-sasl

It wasn't installed before and isn't present in paragraph 3 of this article.