Virtual Users And Domains With Postfix, Courier And MySQL (Debian Etch)

Submitted by falko on Tue, 2007-06-05 16:11.

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 05/25/2007

This tutorial is Copyright (c) 2007 by Falko Timme. It is derived from a tutorial from Christoph Haas which you can find at http://workaround.org. You are free to use this tutorial under the Creative Commons license 2.5 or any later version.

This document describes how to install a Postfix mail server that uses virtual users and domains, i.e. users and domains that are stored in a MySQL database. I'll also demonstrate the installation and configuration of Courier (Courier-POP3, Courier-IMAP), so that Courier can authenticate against the same MySQL database Postfix uses.

The resulting Postfix server supports SMTP-AUTH, TLS and quota (quota is not built into Postfix by default; I'll show how to patch your Postfix appropriately). Passwords are stored in encrypted form in the database (most documents I found were dealing with plain text passwords, which is a security risk). In addition to that, this tutorial covers the installation of Amavisd, SpamAssassin and ClamAV so that emails will be scanned for spam and viruses.

The advantage of such a "virtual" setup (virtual users and domains in a MySQL database) is that it is far more performant than a setup that is based on "real" system users. With this virtual setup your mail server can handle thousands of domains and users. Besides, it is easier to administer because you only have to deal with the MySQL database when you add new users/domains or edit existing ones. No more postmap commands to create db files, no more reloading of Postfix, etc. For the administration of the MySQL database you can use web-based tools like phpMyAdmin, which will also be installed in this howto. The third advantage is that users have an email address as their user name (instead of a user name plus an email address), which is easier to understand and remember.

This howto is meant as a practical guide; it does not cover the theoretical background, which is treated in a lot of other documents on the web.

This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

This tutorial is based on Debian Etch, so you should set up a basic Debian Etch installation before you continue with this tutorial. The system should have a static IP address. I use 192.168.0.100 as my IP address in this tutorial and server1.example.com as the hostname.

 

2 Install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin

To install Postfix, Courier, Saslauthd, MySQL, and phpMyAdmin, we simply run

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl postfix-tls libsasl2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl phpmyadmin apache2 libapache2-mod-php5 php5 php5-mysql

You will be asked a few questions:

Create directories for web-based administration ? <-- No
General type of configuration? <-- Internet Site
Mail name? <-- server1.example.com
SSL certificate required <-- Ok

 

3 Apply The Quota Patch To Postfix

We have to get the Postfix sources, patch them with the quota patch, build new Postfix .deb packages and install those .deb packages:

apt-get install build-essential dpkg-dev fakeroot debhelper libgdbm-dev libldap2-dev libpcre3-dev libssl-dev libsasl2-dev postgresql-dev po-debconf dpatch libdb4.3-dev libmysqlclient15-dev lsb-release libcdb-dev

cd /usr/src
apt-get source postfix

(Make sure you use the correct Postfix version in the following commands. I have Postfix 2.3.8 installed. You can find out your Postfix version by running

postconf -d | grep mail_version

The output should look like this:

server1:~# postconf -d | grep mail_version
mail_version = 2.3.8
milter_macro_v = $mail_name $mail_version

)

wget http://vda.sourceforge.net/VDA/postfix-2.3.8-vda.patch.gz
gunzip postfix-2.3.8-vda.patch.gz
cd postfix-2.3.8
patch -p1 < ../postfix-2.3.8-vda.patch
dpkg-buildpackage

You might see a warning like this at the end of the dpkg-buildpackage command:

(WARNING: Failed to sign .dsc and .changes file)

You can ignore this message.

To install our new Postfix package, we run

cd ..
dpkg -i postfix_2.3.8-2_i386.deb
dpkg -i postfix-mysql_2.3.8-2_i386.deb


Submitted by mess-mate (registered user) on Fri, 2008-01-18 17:27.

apt-get source postfix did not work for me.

Replaced by 'apt-src install postfix'.

 

Submitted by Karel (registered user) on Sun, 2007-06-24 20:10.

To fix the security problem I mentioned above, you may possibly use other cyphers, I found this text:

 

User question/comment: I thought MYSQL_CRYPT_PWFIELD only handles the ENCRYPT() function instead of MD5() (see postfix-mysql setup). Correct me when I'm wrong

User question/comment: MYSQL_CRYPT_PWFIELD only specifies the name of database field, it has nothing to do with crypt format. authlib can automatically detect several different formats of password hash, please refer to cryptpassword.c inside courier authlib source code for more info. Basically it checks if the first few characters of password hash is:

  • "$1$": password is MD5 format password used by all Linux systems.
  • "{MD5}": this is followed by standard MD5 hash of password phrase.
  • "{SHA}": this is followed by standard SHA hash of password phrase.
  • "{SHA256}": this is followed by standard SHA256 hash of password phrase.
  • "{CRYPT}": this is followed by standard DES crypt() hash of password phrase.

Source:

http://postfix.wiki.xs4all.nl/index.php?title=Virtual_Users_and_Domains_with_Courier-IMAP_and_MySQL 

Submitted by rieschl (registered user) on Fri, 2008-07-25 20:30.

Hi

To fix this problem, just use md5-crypt passwords (as used in /etc/shadow files, starting with $1$) for your mailboxes.

This should work. If it doesn't, append "md5=true" on both lines in /etc/pam.d/smtp.

Submitted by Karel (registered user) on Sun, 2007-06-24 19:58.

This setup seems to be extremely insecure.

MySQL function encrypt() encrypts (on some systems, e.g. my Debian Etch) only the first eight characters of a string, making hacking of a mailbox extremely easy. For example, passwords

12345678LHKuhlhKJgkZgHklu

and

12345678

both allow the user to log in (think about people who use password5468d - AOL had a similar problem recently).
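
Added example, not part of the original tutorial or of any comment: a small audit that applies the prefix list quoted in the comments above and flags stored hashes in traditional DES crypt format, the scheme behind the eight-character truncation reported for ENCRYPT(). The function names and sample rows are constructed for illustration; feed it the email and password columns exported from your own users table.

```python
import re

# Prefixes quoted in the comment thread above, mapped to a short label.
PREFIXES = [
    ("$1$", "md5-crypt"),
    ("{MD5}", "md5"),
    ("{SHA256}", "sha256"),
    ("{SHA}", "sha1"),
    ("{CRYPT}", "crypt"),
]

# Traditional DES crypt(): 2 salt chars + 11 hash chars, no prefix.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
TRUNCATES = "only the first 8 password characters are used"


def classify(stored):
    """Return (scheme, finding) for one stored hash; finding is None if OK."""
    for prefix, scheme in PREFIXES:
        if stored.startswith(prefix):
            rest = stored[len(prefix):]
            if scheme == "crypt" and DES_CRYPT.match(rest):
                return "des-crypt", TRUNCATES
            if scheme in ("md5", "sha1", "sha256"):
                # Described above as a standard hash of the phrase: no salt.
                return scheme, "unsalted digest"
            return scheme, None
    if DES_CRYPT.match(stored):
        return "des-crypt", TRUNCATES
    return "unknown", "unrecognised format"


def audit(rows):
    """Return (email, scheme, finding) for every row that needs attention."""
    return [(email, *classify(h)) for email, h in rows if classify(h)[1]]


# Constructed sample rows (email, stored hash); the hash bodies are dummies.
SAMPLE = [
    ("a@example.com", "xy0123456789."),
    ("b@example.com", "$1$saltsalt$0123456789abcdefghijkl"),
    ("c@example.com", "{CRYPT}xy0123456789."),
    ("d@example.com", "{MD5}AAAAAAAAAAAAAAAAAAAAAA=="),
]

if __name__ == "__main__":
    for email, scheme, finding in audit(SAMPLE):
        print(f"{email}: {scheme}: {finding}")
```

The DES check is a format heuristic (13 characters from the crypt alphabet), so review flagged rows before forcing a password reset.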

Submitted by hypernetics (registered user) on Wed, 2007-06-06 21:11.

 Hi,

 I don't understand, why you use the smtp-PAM-Module?!

 By the way: In Debian Etch you have to activate DCC in /etc/spamassassin/v310.pre

 Regards,

Hypz 

Submitted by Ronin (registered user) on Tue, 2008-01-29 13:11.

VERY nice howto. It worked like a dream.
And setting up Squirrelmail for this was a breeze too. 

I encountered some problems while I followed the guide though, which I have listed in my blog @ Ronin's blog.

 One was a bug I encountered within Courier-Saslauthdaemon, and 2 were some banal problems with Squirrelmail. But I managed to solve them with some googling around ^^

Submitted by Juan Carlos (not registered) on Tue, 2008-12-16 18:56.
Hello, when I try to log in to the mailboxes I get the following error:
 
Dec 16 12:43:19 linuxdeb authdaemond: stopping authdaemond children
Dec 16 12:43:19 linuxdeb authdaemond: modules="authmyslq", daemons=5
Dec 16 12:43:19 linuxdeb authdaemond: Installing libauthmyslq
Dec 16 12:43:19 linuxdeb authdaemond: libauthmyslq.so: cannot open shared object file: No such file or directory
Dec 16 12:43:46 linuxdeb courierpop3login: Connection, ip=[::ffff:127.0.0.1]
Dec 16 12:43:54 linuxdeb courierpop3login: LOGIN FAILED, user=juan, ip=[::ffff:127.0.0.1]
Dec 16 12:44:03 linuxdeb courierpop3login: LOGOUT, ip=[::ffff:127.0.0.1]
Dec 16 12:44:03 linuxdeb courierpop3login: Disconnected, ip=[::ffff:127.0.0.1]

What could that be?