Virtual Users And Domains With Postfix, Courier, MySQL And SquirrelMail (Fedora 18 x86_64) - Page 3

9 Configure Saslauthd

Edit /etc/sasl2/smtpd.conf. It should look like this:

vi /etc/sasl2/smtpd.conf

pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path:/var/spool/authdaemon/socket

PLAIN and LOGIN send the password unencrypted, so they are only acceptable on connections protected by the TLS settings in Postfix's main.cf (smtpd_tls_auth_only = yes makes Postfix refuse AUTH before STARTTLS). Note also that with pwcheck_method set to authdaemond, Postfix verifies SMTP AUTH credentials over Courier's authdaemon socket, so courier-authlib must be running for AUTH to work; saslauthd is enabled below but is not on that path. First make /var/spool/authdaemon world-searchable so that the unprivileged postfix user can reach the socket inside it and start courier-authlib; then turn off Sendmail and start Postfix and saslauthd:

chmod 755 /var/spool/authdaemon
systemctl enable courier-authlib.service
systemctl start courier-authlib.service

systemctl disable sendmail.service
systemctl enable postfix.service
systemctl enable saslauthd.service
systemctl stop sendmail.service
systemctl start postfix.service
systemctl start saslauthd.service
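As an added check that is not part of the original tutorial, the script below verifies that Postfix withholds AUTH until STARTTLS and that a PLAIN login is accepted through the authdaemond path just configured. The host, port and test account are placeholders to replace with a real row from the users table; openssl and a netcat that accepts -w are assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check SMTP AUTH against
# the authdaemond-backed Postfix configured above.  Host, port and the test
# account are placeholders; openssl and a netcat that accepts -w are assumed.

# SASL PLAIN initial response: base64 of NUL user NUL password (RFC 4616).
auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# True if an EHLO reply advertises AUTH.  With smtpd_tls_auth_only = yes
# Postfix advertises it only after STARTTLS, so a plaintext EHLO must not.
ehlo_offers_auth() {
    printf '%s\n' "$1" | grep -q '^250[- ]AUTH[ =]'
}

# True if the server accepted the credentials (235).  A 535 usually means
# authdaemond rejected them: check /etc/authlib/authmysqlrc and that
# courier-authlib is running.
smtp_auth_result() {
    printf '%s\n' "$1" | grep -q '^235 '
}

# Plaintext EHLO, used only to confirm that AUTH is withheld before STARTTLS.
plaintext_ehlo() {   # host port
    printf 'EHLO check.example.com\r\nQUIT\r\n' | nc -w 5 "$1" "$2"
}

# STARTTLS, then AUTH PLAIN.  openssl sends the first EHLO and STARTTLS
# itself; RFC 3207 requires a fresh EHLO after the TLS handshake.
smtp_auth_over_tls() {   # host port user password
    token=$(auth_plain_token "$3" "$4")
    printf 'EHLO check.example.com\nAUTH PLAIN %s\nQUIT\n' "$token" |
        openssl s_client -quiet -crlf -starttls smtp -connect "$1:$2" 2>/dev/null
}

if [ $# -eq 4 ]; then
    # usage: sh smtpauth-check.sh server1.example.com 25 user@example.com password
    if ehlo_offers_auth "$(plaintext_ehlo "$1" "$2")"; then
        echo "WARNING: AUTH is offered before STARTTLS (set smtpd_tls_auth_only = yes)"
    fi
    if smtp_auth_result "$(smtp_auth_over_tls "$@")"; then
        echo "AUTH PLAIN over STARTTLS: accepted"
    else
        echo "AUTH PLAIN over STARTTLS: rejected"
        exit 1
    fi
fi
```

A rejected login with the right password points at the authdaemond side (authmysqlrc, the courier-authlib service, or the socket directory permissions), not at Postfix; a warning from the plaintext EHLO means credentials could be sent in the clear and should be fixed in main.cf before the server is exposed.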


10 Configure Courier

Now we have to tell Courier that it should authenticate against our MySQL database. First, edit /etc/authlib/authdaemonrc and change the value of authmodulelist so that it reads

vi /etc/authlib/authdaemonrc

[...]
authmodulelist="authmysql"
#authmodulelist="authuserdb authpam authpgsql authldap authmysql authsqlite authcustom authpipe"
[...]

Then edit /etc/authlib/authmysqlrc. It should look exactly like this (again, make sure to fill in the correct database details). The file holds the database password in clear text, so keep it readable only by root and the account authdaemond runs as; do not loosen the permissions the package installed it with:

cp /etc/authlib/authmysqlrc /etc/authlib/authmysqlrc_orig
cat /dev/null > /etc/authlib/authmysqlrc
vi /etc/authlib/authmysqlrc

MYSQL_SERVER localhost
MYSQL_USERNAME mail_admin
MYSQL_PASSWORD mail_admin_password
MYSQL_PORT 0
MYSQL_DATABASE mail
MYSQL_USER_TABLE users
MYSQL_CRYPT_PWFIELD password
#MYSQL_CLEAR_PWFIELD password
MYSQL_UID_FIELD 5000
MYSQL_GID_FIELD 5000
MYSQL_LOGIN_FIELD email
MYSQL_HOME_FIELD "/home/vmail"
MYSQL_MAILDIR_FIELD CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')
#MYSQL_NAME_FIELD
MYSQL_QUOTA_FIELD quota

Then enable courier-imap and restart Courier:

systemctl enable courier-imap.service
systemctl restart courier-authlib.service
systemctl restart courier-imap.service

Once courier-authlib is back up, authtest (installed with courier-authlib) is the quickest check that authdaemond can look an account up in the users table: authtest someuser@example.com thepassword prints the home directory, maildir and UID/GID it resolved for the account, or an authentication failure if the lookup or the password check fails.

When courier-imap is started for the first time, it automatically creates the certificate files /usr/lib/courier-imap/share/imapd.pem and /usr/lib/courier-imap/share/pop3d.pem from the /usr/lib/courier-imap/etc/imapd.cnf and /usr/lib/courier-imap/etc/pop3d.cnf files. Because the .cnf files contain the line CN=localhost, but our server is named server1.example.com, the Common Name in those self-signed certificates does not match the host name clients connect to, and TLS clients will report a name mismatch. To solve this, we delete both certificates...

cd /usr/lib/courier-imap/share
rm -f imapd.pem
rm -f pop3d.pem

... and replace the CN=localhost lines in /usr/lib/courier-imap/etc/imapd.cnf and /usr/lib/courier-imap/etc/pop3d.cnf with CN=server1.example.com:

vi /usr/lib/courier-imap/etc/imapd.cnf

[...]
CN=server1.example.com
[...]

vi /usr/lib/courier-imap/etc/pop3d.cnf

[...]
CN=server1.example.com
[...]

Then we recreate both certificates...

./mkimapdcert
./mkpop3dcert

... and restart courier-authlib and courier-imap. The new certificates are still self-signed, so clients will keep warning about an unknown issuer until you install a certificate from a CA they trust; fixing the CN only removes the name mismatch:

systemctl restart courier-authlib.service
systemctl restart courier-imap.service

By running

telnet localhost pop3

you can see if your POP3 server is working correctly. It should give back +OK Hello there. (type quit to get back to the Linux shell). This only exercises the plain-text listener on port 110; the TLS listeners are POP3S on port 995 and IMAPS on port 993:

[root@server1 share]# telnet localhost pop3
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK Hello there.
<-- quit
+OK Better luck next time.
Connection closed by foreign host.
[root@server1 share]#
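As an added check that is not part of the original tutorial, the script below confirms that the regenerated certificates carry the intended CN and that the POP3S (995) and IMAPS (993) listeners actually present them, which the plain telnet test above cannot tell you. The paths are the tutorial's; server1.example.com is the tutorial's host name, and the "check" argument is just this script's own convention.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: confirm that the
# regenerated Courier certificates carry the intended CN and that the POP3S
# and IMAPS listeners actually present them.  Paths follow the tutorial;
# server1.example.com is the tutorial's host name and "check" is just this
# script's own argument.

SHARE=/usr/lib/courier-imap/share

# Extract the CN from an "openssl x509 -subject" line.  Accepts both the old
# "subject= /C=US/CN=host" and the current "subject=C = US, CN = host" layouts.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/ *$//'
}

# CN of the certificate stored in a .pem file (openssl skips the key block).
file_cn() {   # pemfile
    subject_cn "$(openssl x509 -noout -subject -in "$1")"
}

# CN of the certificate a TLS listener actually sends (995 pop3s, 993 imaps).
served_cn() {   # host port
    subject_cn "$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -subject)"
}

# Compare file, wire and the name clients will use.  A file/wire mismatch
# after mkimapdcert means the daemon was not restarted or reads another file.
check_listener() {   # expected-name port pemfile
    want=$1
    got_file=$(file_cn "$3")
    got_wire=$(served_cn "$1" "$2")
    if [ "$got_file" = "$want" ] && [ "$got_wire" = "$want" ]; then
        echo "port $2: OK (CN=$got_wire)"
    else
        echo "port $2: MISMATCH file=[$got_file] served=[$got_wire] expected=[$want]"
        return 1
    fi
}

if [ "${1:-}" = check ]; then
    # usage: sh courier-cert-check.sh check   (server1.example.com must resolve)
    check_listener server1.example.com 995 "$SHARE/pop3d.pem"
    check_listener server1.example.com 993 "$SHARE/imapd.pem"
fi
```

The script connects by the public host name rather than localhost on purpose: that is what mail clients will compare the certificate against, so a CN that matches the file but not the name users type is still a failure.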


11 Modify /etc/aliases

Now we should open /etc/aliases. Make sure that postmaster points to root and root to your own username or your email address, e.g. like this:

vi /etc/aliases

[...]
postmaster: root
root: postmaster@yourdomain.tld
[...]

or like this (if administrator is your own username):

[...]
postmaster: root
root:   administrator
[...]

Whenever you modify /etc/aliases, you must run

newaliases

afterwards and restart Postfix:

systemctl restart postfix.service

Comments

From: at: 2013-02-15 16:34:11

Need to install: yum install libtool-ltld-devel

Need to install: yum install expect

Need to install: yum install postgresql-devel

Need to install: yum install sqlite-devel

Need to install: yum install mysql-devel

From: at: 2013-02-15 16:50:56

yum install expect gdbm-devel pam-devel gamin-devel openssl-perl ghostscript mgetty-sendfax netpbm-progs pcre-devel libidn-devel


From: mbsouth at: 2013-02-05 20:03:27

Just another excellent tutorial by Falko.

In this case with a little criticism from me: Squirrel webmail and Courier have their best days already behind them.
A really interesting one would be a similar tutorial with Dovecot 1.2 or 2.0 (with Dovecot's quota support [SQL based] and over-quota warning mails to the user), SQL-Grey, Amavis (incl. DKIM support) and Roundcube webmail.

Just my 2 cents
mbsouth

From: Ferry at: 2013-02-08 09:03:30

Disable SELinux? You've got to be kidding me!

Especially on a setup like this.

I'd like to see the article updated with SELinux _enabled_.

From: Cristian Sava at: 2013-09-23 19:40:24

Wonderful tutorial, congrats Falko! It also applies to Fedora 19 (with minimal tweaks).

SELinux is easy to set up if you understand what you're doing.

Edit /etc/selinux/config and enable SELINUX:

nano /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Afterwards we must reboot the system.

Then we set some needed booleans:


[root@s168 ~]# setsebool -P httpd_can_network_connect on
[root@s168 ~]# setsebool -P httpd_can_network_connect_db on
[root@s168 ~]# setsebool -P httpd_can_sendmail on
[root@s168 ~]# setsebool -P httpd_enable_homedirs on
[root@s168 ~]# setsebool -P httpd_mod_auth_pam on
[root@s168 ~]# setsebool -P httpd_use_gpg on
[root@s168 ~]# setsebool -P httpd_sys_script_anon_write on
[root@s168 ~]# setsebool -P selinuxuser_mysql_connect_enabled on
[root@s168 ~]# setsebool -P saslauthd_read_shadow on
[root@s168 ~]# setsebool -P clamd_use_jit on

We set clamd_use_jit to on to avoid messages like this:
ERROR: During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied


You can see what values are set for booleans using something like this:

[root@s168 ~]# getsebool -a | grep http | grep " on"
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_can_sendmail --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_graceful_shutdown --> on
httpd_mod_auth_pam --> on
httpd_sys_script_anon_write --> on
httpd_use_gpg --> on

To analyze and to build the custom modules we will need audit2allow so we have to install the policycoreutils-devel package:

# yum install policycoreutils-devel

The virtual mail directory is chosen by the administrator (a folder set by us), so we can't have a default rule for it. That's why we have to build a policy module to get access to our virtual directory.
Another thing is that the antivirus generally should not access the database, but in /etc/amavisd/amavisd.conf we have this rule:
@lookup_sql_dsn = ( ['DBI:mysql:database=maildb;host=127.0.0.1;port=3306', 'mail_admin', 'mail_admin_password'] );
It is something legitimate but not expected from an antivirus.
We will investigate the logs first (find out if we have related AVCs) and react accordingly:

[root@s168 ~]# audit2allow -a
...
#============= postfix_virtual_t ==============
allow postfix_virtual_t home_root_t:dir { write remove_name create add_name };
allow postfix_virtual_t home_root_t:file { write getattr link create unlink open };
...
#============= antivirus_t ==============
allow antivirus_t mysqld_port_t:tcp_socket name_connect;
...

Now we build the needed policy modules:

[root@s168 ~]# grep virt /var/log/audit/audit.log | audit2allow -M myvirtual
[root@s168 ~]# semodule -i myvirtual.pp

[root@s168 ~]# grep antivirus /var/log/audit/audit.log | audit2allow -M myantivir_mysql
[root@s168 ~]# semodule -i myantivir_mysql.pp

We verify our policy modules:

[root@s168 ~]# audit2allow -a
...
#============= postfix_virtual_t ==============

#!!!! This avc is allowed in the current policy
allow postfix_virtual_t home_root_t:dir { write remove_name create add_name };

#!!!! This avc is allowed in the current policy
allow postfix_virtual_t home_root_t:file { write getattr link create unlink open };
...
#============= antivirus_t ==============

#!!!! This avc is allowed in the current policy
allow antivirus_t mysqld_port_t:tcp_socket name_connect;
...

That's all.
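Added example, separate from the comment above and from the tutorial itself: before turning denials into an allow module, list what each source domain is actually being denied. The audit lines embedded below are constructed to match the rules shown in the comment's audit2allow output, plus one unrelated libvirtd denial to show why a substring grep such as "grep virt" is too coarse; on a real host the functions read /var/log/audit/audit.log. The module name is a placeholder.

```shell
#!/bin/sh
# Added example, not the comment author's code nor the tutorial's: triage AVC
# denials per source domain before building an allow module.  SAMPLE_AUDIT is
# constructed to match the rules in the comment's audit2allow output, plus one
# unrelated libvirtd denial; real use reads /var/log/audit/audit.log.

SAMPLE_AUDIT='type=AVC msg=audit(1379963000.101:401): avc:  denied  { write add_name } for  pid=1201 comm="virtual" name="example.com" dev="dm-0" ino=5001 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1379963000.102:402): avc:  denied  { create } for  pid=1201 comm="virtual" name="tmp" dev="dm-0" ino=5002 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1379963000.103:403): avc:  denied  { name_connect } for  pid=1310 comm="clamd" dest=3306 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1379963000.104:404): avc:  denied  { read } for  pid=1400 comm="libvirtd" name="notes" dev="dm-0" ino=5003 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file'

# Keep only AVC records whose *source* domain is $1 (e.g. postfix_virtual_t).
# "grep virt" would also sweep in virtd_t and similar domains.
avc_for_domain() {   # domain  < audit lines
    grep '^type=AVC ' | grep "scontext=[^ ]*:$1:"
}

# One line per record: source-type target-type class {permissions}
avc_summary() {      # < audit lines
    sed -n 's/.*denied *{ \([^}]*\) } .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 {\1}/p'
}

# Build and load a module from exactly those denials (needs audit2allow from
# policycoreutils-devel, as in the comment).
build_module() {     # domain modulename
    avc_for_domain "$1" </var/log/audit/audit.log | audit2allow -M "$2" &&
        semodule -i "$2.pp"
}

if [ "${1:-}" = summary ]; then
    # usage: sh avc-triage.sh summary postfix_virtual_t
    avc_for_domain "$2" </var/log/audit/audit.log | avc_summary | sort | uniq -c
fi
```

Read the summary before loading anything: a rule such as postfix_virtual_t writing to home_root_t applies to every directory carrying that label, not just the vmail tree. Check matchpathcon /home/vmail first; if the directory can be relabelled to a type the stock postfix policy already lets the virtual delivery agent write (mail_spool_t is the usual candidate, via semanage fcontext -a -t and restorecon -R), no custom module is needed at all.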


From: Cristian Sava at: 2013-09-25 06:09:34

Congrats Falko!

Very good and complete tutorial, rock solid server resulting. Excellent for small/medium business. Easy to install and maintain.

Keep posting tutorials like this for actual and future Fedora releases (F19, F20, ...).

 Great work!

 C. Sava


From: fly at: 2015-01-02 07:19:53

Hello Sir

This is a very good tutorial to show us the method.

And I did it step by step. I have one question about creating the mail folder. Everything is OK but it cannot generate the user mail folder at ../Vmail/ automatically. MySQL is OK, and I want to know whether you have met such a problem.

Best wishes

JI