Welcome to the IPFire Wiki

This wiki is a community-maintained resource about everything there is to know about IPFire.

Please join in and help us improving it!

MailServer

This instruction have no claim for completeness. There is only one possible way described how to install and use a mailserver consisting of a combination of Postfix, Cyrus-imap, Fetchmail, Amavis, and Clamav, Spamassassin on IPFire.
A special thanks to all who have assisted me therefor! alpensegler, Arne.F, eXciter, Maniacikarus, ummeegge, Vossi

Of course I have not reinvented the wheel but a lot of research on the Internet.
Important sources from which I have used excerpts:

  • http://postfix.state-of-mind.de/patrick.koetter/amavisd-new/#basiskonfiguration_amavisd-new

My thanks also go to the operators and authors of this websites!

Requirement for this instruction is the successful installation of the required basic packages:
mysql, postfix, cyrus-imapd, fetchmail, amavisd, clamav, spamassasin, openmailadmin.

Function description for this mailserver

Thisinternal mailserver setup will collect the external mail accounts over Fetchmail and POP3 or IMAP. Also it will investigate the mails for spam and viruses using Amavis, Spamassassin and ClamAV in order to determine the mails subsequently to the internal IMAP mail accounts. As the outgoing mailserver we use the SMTP mailserver from the provider of our trust. In this case it is Arcor, but it could be also any other SMTP server. Requirement is, of course you have an account on this.

Introduction

As an introduction to the subject matter, I recommend the wiki which describes the creation of Openmailadmin. This was my entry and it is a good basis for this guide.

So let's start...

If you have created a mail account via Openmailadmin and the first internal mail was successfully sent and retrieved, let's start with the next step. As described in the above mentioned wiki we will set up fetchmail to collect the first Internet mail account. Here again the advice that you have to enter the SMTP-server of your provider in your mail client, not the IPFire!

Since I do not hold much of unencrypted e-mail traffic on the Internet, the first step is to activate the encryption.

Therefor we use the Console of IPFire and execute step by step the following commands.

  • Create the Keyfile
openssl req -new -nodes -out req.pem -keyout key.pem
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 999
  • Copy them into the right place and make a certificate out of it
cp new.key.pem /var/ipfire/cyrusimap/server.pem
rm new.key.pem
cat ca-cert >> /var/ipfire/cyrusimap/server.pem
  • Set up the owner of the certificate and restrict the access
chown cyrus:mail /var/ipfire/cyrusimap/server.pem
chmod 600 /var/ipfire/cyrusimap/server.pem # Your key should be protected
  • Extend the Cyrus-IMAP configuration for the usage of the certificate
echo tls_ca_file: /var/ipfire/cyrusimap/server.pem >> /var/ipfire/cyrusimap/imapd.conf
echo tls_cert_file: /var/ipfire/cyrusimap/server.pem >> /var/ipfire/cyrusimap/imapd.conf
echo tls_key_file: /var/ipfire/cyrusimap/server.pem >> /var/ipfire/cyrusimap/imapd.conf

This allows the encrypted email traffic between email client and our mailserver.

TLS support for Postfix

Now, the additional mail traffic between our mailserver and the mailservers we collect from will be encrypted.
Therefor we need to edit the postfix configuration file/etc/postfix/main.cf and add the following lines.

file: /etc/postfix/main.cf

#TLS Support
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/certs/smtpd.key
smtpd_tls_cert_file = /etc/postfix/certs/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Then we go back to the Console and issue the following commands:

  • Create the directory

mkdir /etc/postfix/certs

  • Change into the directory

cd /etc/postfix/certs

  • Create the private Key

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

  • Restrict the access permission for the Key

chmod 600 smtpd.key

  • Create the certificate

openssl req -new -key smtpd.key -out smtpd.csr

Note!
It is important to set the corresponding host-domain for the "common name" As passphrase you should use the same than before
openssl x509 -req -days 999 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
  • Rename the key

mv -f smtpd.key.unencrypted smtpd.key

  • Autograph session

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 999

  • Postfix must now be restarted to activate the new settings

/etc/init.d/postfix restart

Autostart Postfix

To start Postfix automatically on boot time you can set the following symlinks:

ln -s /etc/init.d/postfix /etc/rc.d/rc0.d/K31postfix
ln -s /etc/init.d/postfix /etc/rc.d/rc3.d/S31postfix
ln -s /etc/init.d/postfix /etc/rc.d/rc6.d/K31postfix

Customize Fetchmail

The most important thing is to add the ssl line into the file/root/.fetchmailrc to enable the SSL functionality at all. This line must be retrieved to any registered account.

Example:

File: /root/.fetchmailrc

poll pop3.web.de with
  proto pop3
  user testuser
  is usertest
  no rewrite
  ssl

We are not done yet, on the Console, we execute the following command.

fetchmail -v pop3.web.de

The answer will look similarly or like this.

fetchmail: 5.9.11 querying pop3.web.de (protocol POP3) at Wed, 02 Oct 2002 18:42:00     +0200 (CEST): poll started
    fetchmail: Issuer Organization: Thawte Consulting cc
    fetchmail: Issuer CommonName: Thawte Server CA
    fetchmail: Server CommonName: pop3.web.de
    fetchmail: pop3.web.de key fingerprint:     1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47
    fetchmail: pop3.web.de fingerprints match.
    fetchmail: POP3< +OK WEB.DE POP3-Server
    fetchmail: POP3> USER christoph.rummel
    fetchmail: POP3< +OK Bitte Kennwort eingeben/enter password
    fetchmail: POP3> PASS *
    fetchmail: POP3< +OK Postfach bereit/mailbox locked and ready
    fetchmail: POP3> STAT
    fetchmail: POP3< +OK 0 0
    fetchmail: No mail for christoph.rummel at pop3.web.de
    fetchmail: POP3> QUIT
    fetchmail: POP3< +OK
    fetchmail: 5.9.11 querying pop3.web.de (protocol POP3) at Wed, 02 Oct 2002 18:42:05     +0200 (CEST): poll completed
    fetchmail: normal termination, status 1

The fingerprint is important for us. We will add this information to the file/root/.fetchmailrc.

file: /root/.fetchmailrc

poll pop3.web.de with
  proto pop3
  user testuser
  is usertest
  no rewrite
  ssl
  sslfingerprint "1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47"

If you want to safely collect e-mails from a mail server, without deleting it from the server, you can write into the/root/.fetchmailrc behind the user name a "keep" and so the mails will be kept on the server.

Example for file: /root/.fetchmailrc:

poll pop3.web.de with
  proto pop3
  user testuser keep
  is usertest
  no rewrite
  ssl
  sslfingerprint "1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47"

The password will be fetched from /root/.netrc.
A valid entry looks like this.

    machine pop3.web.de
    login testuser
    password xxxxx
Note!
Attention! If you do this you should create a symbolic link to "/root/.netrc": ln -s /root/.netrc /.netrc otherwise fetchmail can not find the file if it starts by cron or at boot time.

Dont forget to set the correct permissions

chmod 600 /root/.netrc

Autostart Fetchmail

To start fetchmail automatically on boot time you can set the following symlinks:

ln -s /etc/init.d/fetchmail /etc/rc.d/rc0.d/K35fetchmail
ln -s /etc/init.d/fetchmail /etc/rc.d/rc3.d/S35fetchmail
ln -s /etc/init.d/fetchmail /etc/rc.d/rc6.d/K35fetchmail

Amavis, Spamassasin, ClamAV

At this point we collect our Internet mail accounts encrypted and sort them in our internal mail account.

But now we still want to let the mail investigate for spam and viruses. Therefor we use Amavis, Spamassassin und ClamAV.

For the first step we edit the file /etc/postfix/main.cf again and add the following lines into it.

    soft_bounce = yes
    content_filter=amavis:[127.0.0.1]:10024

Afterwards we adapt the file/etc/amavisd.conf .
We check the following lines and adjust them according to our naming.

It is also important that the path to the ClamAV is set correctly.

File: /etc/amavisd.conf

$myhostname = 'ipfire.localdomain';  # must be a fully-qualified domain name!
        #       ### http://www.clamav.net/
            ['ClamAV-clamd',
      \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
       qr/\bOK$/, qr/\bFOUND$/,
       qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

Back again in the Console we incorporate the userclamav to the groupamavis, because ClamAV and Amavis will need each other permissions.

usermod -aG amavis clamav

Subsequently we will edit the file /var/ipfire/clamav/clamd.conf and add the following lines.

    AllowSupplementaryGroups yes

So that everything works even after a restart we create under/etc/rc.d/rc3.d/ appropriate symbolic links. Therefor we type the following commands into the Console.

ln -s ../init.d/amavisd /etc/rc.d/rc3.d/S38amavisd
ln -s ../init.d/spamassassin /etc/rc.d/rc3.d/S38spamassassin

Because we want to work clean, we will also finish the applications while a shutdown or restart of the system.

ln -s ../init.d/amavisd /etc/rc.d/rc0.d/K25amavisd
ln -s ../init.d/amavisd /etc/rc.d/rc6.d/K25amavisd
ln -s ../init.d/spamassassin /etc/rc.d/rc0.d/K25spamassassin
ln -s ../init.d/spamassassin /etc/rc.d/rc6.d/K25spamassassin

Backup

For brief explanation, I mount an NFS from myNAS to /backup. Then I will check with an "IF-loop" if it works, because I do not want that he saves the backup directly to the IPFire. If the mount fails, he sends me an e-mail and cancels the backup.

You can also omit this, but in this case the mail backup would then be placed directly on the IPFire.

First, I created a directory where the backup should be written.

mkdir /backup

Now we create a file named mail.backup.sh and copy it to/bin

touch /bin/mail.backup.sh

The content looks like this:

File: /bin/mail.backup.sh

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
#!/bin/sh
DATE=$(date +%a)
BACKUP_DIR="/backup"
SOURCE="/var/imap /var/log/imap /srv/web/openmailadmin /root/.fetch*"
mount -t nfs 192.168.6.10:/mnt/data/ipfire /backup

if [ "$?" == "0" ]; then
    /etc/init.d/fetchmail stop;
    /etc/init.d/amavisd stop
    /etc/init.d/spamassassin stop
    /etc/init.d/postfix stop;
    /etc/init.d/cyrus-imapd stop;
    sleep 10;
    killall master;
    sleep 5;
    su - cyrus -c '/usr/lib/cyrus/ctl_mboxlist -d \ > /backup/mailboxes.txt';
    mv /backup/mailboxes.txt $BACKUP_DIR/$DATE-mailboxes.txt;
    tar -czpf $BACKUP_DIR/$DATE-mails.tar.gz $SOURCE #kompression gzip;
    /etc/init.d/cyrus-imapd start;
    /etc/init.d/postfix start sleep 5;
    /etc/init.d/amavisd start
    /etc/init.d/spamassassin start
    /etc/init.d/fetchmail start;
    umount /backup;
else
    sendmail -t < /bin/mail-backup-error.txt
fi

Set the correct access permission

chmod 600 /bin/mail.backup.sh

The sending of the e-mail happens with Sendmail. So that this works, another file namedmail-backup-error.txt needs to be created in the directory/bin. The following content should then be inserted.

File: /bin/mail-backup-error.txt

    to: receiver account
    subject: Mailbackup failed!
    from: Sender account

    The backup of the email accounts could not be accomplished.
    Please fix this!

Now we have also a way to ensure our mail accounts.
Who wants to automate the whole thing, needs to subscribe it to thefcrontab.

This is simply done by editing the fcrontab via console.

fcrontab -e

Note!
The editing offronctab takes place with the editor vi. Please make yourselves familiar with the handling in advance! You can also use alternatively WINSCP

and add the following lines:

# mail-backup
  30 2 * * * /bin/mail.backup.sh

So thats all. We retrieve our mails, check them for spam and viruses, sort it into our accounts and backup our email accounts once a day.

Finally, a word of advice. In this configuration, spam and virus emails moves into the folder/var/virusmail/ and they won't be delivered. Who prefer another way needs to adjust amavis accordingly, but that is beyond this manual.

Addendum

To prevent that too many temporary files and directories are accumulate by Amavis, the Documetation of Amavisd-new advises to look from time to time for superfluous and delete it.

For this purpose, there can be found in the mentioned documentation in the category "Tips and FAQ -- general" the following commands.

  find /var/amavis -type d -name 'amavis-20??????T*' \
  -prune -mtime +1 -exec rm -rf {} \;

It also describes that by executing the commands amavisd should not be active.

So for this intention it is possible to write a script to manage this procedure, which finishes first amavisd, executes then the commands to starts subsequently amavisd again. For the second way you can do it like me and add the commands to the start script of amavisd. This implicates before each start, amavisd will deleted the redundant data.

The content of /etc/init.d/amavisd looks the as follows.

#!/bin/sh
########################################################################
# Begin $rc_base/init.d/amavisd
#
# Description : Amavisd Init Script
#
# Authors     : Michael Tremer (ms@ipfire.org)
#
# Version     : 01.00
#
# Notes       :
#
########################################################################

. /etc/sysconfig/rc
. ${rc_functions}


case "${1}" in
      start)
              boot_mesg "Starting AMaViS Daemon..."
                find /var/amavis/tmp -type d -name 'amavis-20??????T*' \
  -prune -mtime +1 -exec rm -rf {} \;
              loadproc /usr/bin/amavisd
              ;;

      stop)
              boot_mesg "Stopping AMaViS Daemon..."
              killproc /usr/bin/amavisd
              ;;

      restart)
              ${0} stop
              sleep 1
              ${0} start
              ;;

      status)
              statusproc /usr/bin/amavisd
              ;;

        *)
              echo "Usage: ${0} {start|stop|restart|status}"
              exit 1
              ;;
esac

Addendum 2

It is to consider that Fetchmail as well as Postfix produces also log files. Since they both are Addons, and not a part of the standard installation of IPFire they are not a part of the configured logfile-rotation and they would grow more and more. So they have to be involved afterwards to the logfile-rotation.

Therefor, the file /etc/logrotate.conf will be edited and the following lines will be added.

# Postfix
/var/log/mail {
  weekly
  rotate 4
  copytruncate
  compress
  notifempty
  missingok
}

## Fetchmail
/var/log/fetchmail.log {
  weekly
  rotate 4
  copytruncate
  compress
  notifempty
  missingok
}

For this WiKi the IPFire team wants to thanks WhyTea.

Edit Page ‐ Yes, you can edit!

Older Revisions • September 6 at 3:17 am • Jon