Differences in Revisions: MailServer

fix various hash headings and remove WRAPs
# MailServer
This guide makes no claim to completeness. It describes only one **possible** way to install and use a mailserver on IPFire, built from a combination of [Postfix](http://www.postfix.org), [Cyrus-imap](http://www.cyrusimap.org), [Fetchmail](http://www.fetchmail.info), [Amavis](http://www.amavis.org), [ClamAV](/addons/clamav) and [Spamassassin](http://spamassassin.apache.org/).
*A special thanks to all who have assisted me with this: alpensegler, Arne.F, eXciter, Maniacikarus, ummeegge, Vossi*
Of course I have not reinvented the wheel, but have done a lot of research on the Internet.
Important sources from which I have used excerpts:
* http://postfix.state-of-mind.de/patrick.koetter/amavisd-new/#basiskonfiguration_amavisd-new
My thanks also go to the operators and authors of these websites!
This guide requires that the following basic packages have been installed successfully:
mysql, postfix, cyrus-imapd, fetchmail, amavisd, clamav, spamassassin, openmailadmin.
## Function description for this mailserver
This *internal* mailserver setup collects the external mail accounts via Fetchmail over [POP3](https://en.wikipedia.org/wiki/Pop3) or [IMAP](https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol). It also checks the mails for spam and viruses using Amavis, Spamassassin and ClamAV and then delivers them to the internal IMAP mail accounts. As the outgoing mailserver we use the [SMTP](https://en.wikipedia.org/wiki/Smtp) server of a provider we trust. In this case it is Arcor, but it could also be any other SMTP server. The requirement is, of course, that you have an account there.
## Introduction
As an introduction to the subject matter, I recommend the wiki page which describes setting up [Openmailadmin](/addons/mail). That was my starting point and it is a good basis for this guide.
## So let's start...
If you have created a mail account via Openmailadmin and the first internal mail was successfully sent and retrieved, let's continue with the next step. As described in the above mentioned wiki, we will set up fetchmail to collect the first Internet mail account. **Here again the advice: enter the SMTP server of your provider in your mail client, not the IPFire!**
Since I do not think much of unencrypted e-mail traffic on the Internet, the first step is to activate encryption.
For this we use the [Console](/configuration/ipfire/pakfire/konsole) of IPFire and execute the following commands step by step.
* Create the key file
```bash
# certificate request plus an unencrypted private key
openssl req -new -nodes -out req.pem -keyout key.pem
# write the key out again in plain RSA format
openssl rsa -in key.pem -out new.key.pem
# self-sign the request with that key, valid for 999 days
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 999
```
* Copy them into the right place and make one certificate file out of them
```bash
cp new.key.pem /var/ipfire/cyrusimap/server.pem
rm new.key.pem
cat ca-cert >> /var/ipfire/cyrusimap/server.pem   # key and certificate end up in one file
```
* Set the owner of the certificate and restrict access
```bash
chown cyrus:mail /var/ipfire/cyrusimap/server.pem
chmod 600 /var/ipfire/cyrusimap/server.pem # Your key should be protected
```
* Extend the Cyrus-IMAP configuration to use the certificate
```bash
echo tls_ca_file: /var/ipfire/cyrusimap/server.pem >> /var/ipfire/cyrusimap/imapd.conf
echo tls_cert_file: /var/ipfire/cyrusimap/server.pem >> /var/ipfire/cyrusimap/imapd.conf
echo tls_key_file: /var/ipfire/cyrusimap/server.pem >> /var/ipfire/cyrusimap/imapd.conf
```
This enables encrypted mail traffic between the mail client and our mailserver.
#### TLS support for Postfix
Now the additional mail traffic between our mailserver and the mailservers we collect from will be encrypted as well.
For this we need to edit the Postfix configuration file */etc/postfix/main.cf* and add the following lines.
file: /etc/postfix/main.cf
```
#TLS Support
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/certs/smtpd.key
smtpd_tls_cert_file = /etc/postfix/certs/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```
Then we go back to the [Console](/configuration/ipfire/pakfire/konsole) and issue the following commands:
* Create the directory
`mkdir /etc/postfix/certs`
* Change into the directory
`cd /etc/postfix/certs`
* Create the private key (1024-bit RSA keys are considered too weak today; 2048 bits or more is the usual minimum)
`openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024`
* Restrict the access permissions for the key
`chmod 600 smtpd.key`
* Create the certificate request
`openssl req -new -key smtpd.key -out smtpd.csr`
| Note! |
| It is important to set the corresponding host domain as the "**common name**". As passphrase you should use the same one as before. |
* Sign the request with the key (self-signed certificate)
`openssl x509 -req -days 999 -in smtpd.csr -signkey smtpd.key -out smtpd.crt`
* Remove the passphrase from the key so that Postfix can read it without interaction
`openssl rsa -in smtpd.key -out smtpd.key.unencrypted`
* Rename the key
`mv -f smtpd.key.unencrypted smtpd.key`
* Create a self-signed CA certificate (this is the file referenced by `smtpd_tls_CAfile`; note that it does not sign smtpd.crt, which was self-signed with its own key above)
`openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 999`
* Postfix must now be restarted to activate the new settings
`/etc/init.d/postfix restart`
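As an added example (not from the wiki page or the IPFire project), the following shell script generates a key and self-signed certificate in one step and then checks what the commands above leave unchecked: that the certificate really belongs to the key, that the key file is readable by its owner only, and that the common name is the one intended. The directory, the hostname, the 2048-bit key size and the `subjectAltName` extension are assumptions; it relies on `openssl` and GNU `stat`, both present on IPFire.

```bash
#!/bin/sh
# Added example, not from the IPFire wiki: create a self-signed certificate for
# Cyrus or Postfix and verify key, certificate and permissions before use.
# Directory, hostname, 2048-bit key size and the subjectAltName are assumptions.

# Create a private key and a self-signed certificate for host $2 in directory $1.
# 2048 bits instead of the 1024 used above; the subjectAltName is added because
# modern TLS clients no longer accept a certificate on the CN alone.
make_selfsigned_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    (
        umask 077   # new files are unreadable for group and others from the start
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 999 \
            -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
            -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    )
}

# Return 0 if certificate $1 was issued for private key $2 (same RSA modulus).
# This catches the classic mistake of copying the wrong key next to a certificate.
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Return 0 if key file $1 is readable and writable by its owner only (mode 600).
key_is_private() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# Print the subject common name of certificate $1.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Example run: generate into a temporary directory and check the result.
check_new_cert() {
    dir=$(mktemp -d)
    make_selfsigned_cert "$dir" "$1"
    cert_matches_key "$dir/server.crt" "$dir/server.key" &&
        key_is_private "$dir/server.key" &&
        echo "OK: certificate for $(cert_cn "$dir/server.crt") and its key are consistent"
    rc=$?
    rm -rf "$dir"
    return $rc
}

check_new_cert mail.example.test
```

The modulus comparison is the check to run after every copy or rename of key material: a certificate served with a non-matching key fails the TLS handshake, which shows up as clients being unable to connect rather than as a clear error message.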
#### Autostart Postfix
To start Postfix automatically at boot time you can set the following symlinks:
```bash
ln -s /etc/init.d/postfix /etc/rc.d/rc0.d/K31postfix
ln -s /etc/init.d/postfix /etc/rc.d/rc3.d/S31postfix
ln -s /etc/init.d/postfix /etc/rc.d/rc6.d/K31postfix
```
## Customize Fetchmail
The most important thing is to add the `ssl` line to the file */root/.fetchmailrc* to enable [SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security) at all. This line must be added for every registered account.
File: /root/.fetchmailrc
```
poll pop3.web.de with
proto pop3
user testuser
is usertest
ssl
no rewrite
```
We are not done yet; on the Console we execute the following command.
`fetchmail -v pop3.web.de`
The output will look similar to this:
```text
fetchmail: 5.9.11 querying pop3.web.de (protocol POP3) at Wed, 02 Oct 2002 18:42:00 +0200 (CEST): poll started
fetchmail: Issuer Organization: Thawte Consulting cc
fetchmail: Issuer CommonName: Thawte Server CA
fetchmail: Server CommonName: pop3.web.de
fetchmail: pop3.web.de key fingerprint: 1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47
fetchmail: pop3.web.de fingerprints match.
fetchmail: POP3< +OK WEB.DE POP3-Server
fetchmail: POP3> USER christoph.rummel
fetchmail: POP3< +OK Bitte Kennwort eingeben/enter password
fetchmail: POP3> PASS *
fetchmail: POP3< +OK Postfach bereit/mailbox locked and ready
fetchmail: POP3> STAT
fetchmail: POP3< +OK 0 0
fetchmail: No mail for christoph.rummel at pop3.web.de
fetchmail: POP3> QUIT
fetchmail: POP3< +OK
fetchmail: 5.9.11 querying pop3.web.de (protocol POP3) at Wed, 02 Oct 2002 18:42:05 +0200 (CEST): poll completed
fetchmail: normal termination, status 1
```
**The fingerprint is important for us**. We add this information to the file */root/.fetchmailrc*.
file: /root/.fetchmailrc
```
poll pop3.web.de with
proto pop3
user testuser
is usertest
ssl
no rewrite
sslfingerprint "1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47"
```
If you want to collect e-mails from a mail server without deleting them from the server, you can write `keep` after the user name in */root/.fetchmailrc*; the mails will then be kept on the server.
Example for file: /root/.fetchmailrc:
```
poll pop3.web.de with
proto pop3
user testuser keep
is usertest
ssl
no rewrite
sslfingerprint "1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47"
```
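The pin in `sslfingerprint` only protects you if a change is noticed and acted on. As an added example that is not part of the wiki page, the following shell functions pull the fingerprint out of the `fetchmail -v` output and compare it with the one pinned in `.fetchmailrc`, reporting a match, a change (which fetchmail will refuse to connect on, and which you should confirm with the provider before updating the pin) or a missing value. The log lines and the `.fetchmailrc` text are constructed samples modelled on the listings above; the host `mail.example.test` and its fingerprint are placeholders.

```bash
#!/bin/sh
# Added example, not part of the IPFire wiki page: compare the certificate
# fingerprint reported by "fetchmail -v" with the one pinned in .fetchmailrc.
# The log and rc text below are constructed samples modelled on the page;
# mail.example.test and its fingerprint are placeholders.

SAMPLE_LOG='fetchmail: Server CommonName: pop3.web.de
fetchmail: pop3.web.de key fingerprint: 1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47
fetchmail: pop3.web.de fingerprints match.'

SAMPLE_RC='poll pop3.web.de with
proto pop3
user testuser
is usertest
ssl
sslfingerprint "1F:41:82:3D:67:D7:44:28:AA:64:DA:06:9C:D6:76:47"
poll mail.example.test with
proto pop3
user other
ssl
sslfingerprint "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"'

# Print the fingerprint fetchmail reported for host $1 in log text $2.
reported_fingerprint() {
    printf '%s\n' "$2" | sed -n "s/^fetchmail: $1 key fingerprint: //p" | head -n 1
}

# Print the sslfingerprint pinned for host $1 in .fetchmailrc text $2
# (the sslfingerprint line belonging to the matching "poll" block).
pinned_fingerprint() {
    printf '%s\n' "$2" | awk -v host="$1" '
        $1 == "poll" { current = $2 }
        current == host && $1 == "sslfingerprint" { gsub(/"/, "", $2); print $2; exit }'
}

# Exit status: 0 = pin matches, 1 = fingerprint changed, 2 = nothing to compare.
fingerprint_status() {
    got=$(reported_fingerprint "$1" "$2")
    want=$(pinned_fingerprint "$1" "$3")
    [ -n "$got" ] && [ -n "$want" ] || return 2
    [ "$got" = "$want" ]
}

# Human-readable report for host $1 from log text $2 and rc text $3.
report() {
    fingerprint_status "$1" "$2" "$3"
    case $? in
        0) echo "$1: pinned fingerprint matches" ;;
        1) echo "$1: FINGERPRINT CHANGED - confirm the new certificate with the provider before updating the pin" ;;
        *) echo "$1: no fingerprint to compare (host missing in log or .fetchmailrc)" ;;
    esac
}

report pop3.web.de "$SAMPLE_LOG" "$SAMPLE_RC"
report mail.example.test "$SAMPLE_LOG" "$SAMPLE_RC"
```

In practice you would feed `report` with the output of `fetchmail -v` captured from the cron run and the real `/root/.fetchmailrc`; a status of 1 is the case to investigate, because a pin that silently changes is exactly what the fingerprint is there to catch.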
The password is read from */root/.netrc*.
A valid entry looks like this:
```
machine pop3.web.de
login testuser
password xxxxx
```
| Note! |
| Attention! If you do this you should create a symbolic link to "/root/.netrc": `ln -s /root/.netrc /.netrc` otherwise fetchmail cannot find the file if it is started by cron or at boot time. |
Don't forget to set the correct permissions:
`chmod 600 /root/.netrc`
#### Autostart Fetchmail
To start fetchmail automatically at boot time you can set the following symlinks:
```bash
ln -s /etc/init.d/fetchmail /etc/rc.d/rc0.d/K35fetchmail
ln -s /etc/init.d/fetchmail /etc/rc.d/rc3.d/S35fetchmail
ln -s /etc/init.d/fetchmail /etc/rc.d/rc6.d/K35fetchmail
```
## Amavis, Spamassasin, ClamAV
At this point we collect our Internet mail accounts over encrypted connections and sort the mails into our internal mail accounts.
But now we still want the mails checked for spam and viruses. For this we use Amavis, Spamassassin and ClamAV.
As the first step we edit the file */etc/postfix/main.cf* again and add the following line:
```
soft_bounce = yes
```
Afterwards we adapt the file */etc/amavisd.conf*.
We check the following lines and adjust them according to our [naming](/installation/step4#hostname_domainname).
**It is also important that the path to the ClamAV socket is set correctly**.
File: /etc/amavisd.conf
```perl
$myhostname = 'ipfire.localdomain'; # must be a fully-qualified domain name!
# ### http://www.clamav.net/
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
```
Back in the Console we add the user *clamav* to the group *amavis*, because ClamAV and Amavis need each other's permissions.
`usermod -aG amavis clamav`
Subsequently we edit the file */var/ipfire/clamav/clamd.conf* and add the following line:
```
AllowSupplementaryGroups yes
```
So that everything still works after a restart, we create appropriate symbolic links under */etc/rc.d/rc3.d/*. For this we type the following commands into the Console:
```bash
ln -s ../init.d/amavisd /etc/rc.d/rc3.d/S38amavisd
ln -s ../init.d/spamassassin /etc/rc.d/rc3.d/S38spamassassin
```
Because we want to work cleanly, we also stop the applications during a shutdown or restart of the system:
```bash
ln -s ../init.d/amavisd /etc/rc.d/rc0.d/K25amavisd
ln -s ../init.d/amavisd /etc/rc.d/rc6.d/K25amavisd
ln -s ../init.d/spamassassin /etc/rc.d/rc0.d/K25spamassassin
ln -s ../init.d/spamassassin /etc/rc.d/rc6.d/K25spamassassin
```
## Backup
Briefly: I mount an [NFS](/addons/nfs) share from my [NAS](https://en.wikipedia.org/wiki/Network-attached_storage) on */backup*. Then I check with an `if` statement whether the mount succeeded, because I do not want the backup to be saved directly on the IPFire. If the mount fails, the script sends me an e-mail and cancels the backup.
You can also omit this, but then the mail backup will be placed directly on the IPFire.
First, I created a directory where the backup should be written:
`mkdir /backup`
Now we create a file named mail.backup.sh in */bin*:
`touch /bin/mail.backup.sh`
Its content looks like this:
File: /bin/mail.backup.sh
```bash
#!/bin/sh
# Backs up the Cyrus mail store to the NFS share mounted on /backup.
# "mount -t nfs /backup" needs a matching entry in /etc/fstab.
DATE=$(date +%a)
BACKUP_DIR=/backup            # target directory (the NFS mountpoint)
SOURCE="/var/imap /var/log/imap /srv/web/openmailadmin /root/.fetch*"
mount -t nfs /backup
if [ "$?" -eq 0 ]; then
    # Stop all mail services so the mail store is consistent during the backup
    /etc/init.d/fetchmail stop
    /etc/init.d/amavisd stop
    /etc/init.d/spamassassin stop
    /etc/init.d/postfix stop
    /etc/init.d/cyrus-imapd stop
    sleep 10
    killall master            # make sure no leftover Cyrus master process survives
    sleep 5
    # Dump the mailbox list (needed to rebuild the Cyrus mailboxes database on restore)
    su - cyrus -c "/usr/lib/cyrus/ctl_mboxlist -d > $BACKUP_DIR/mailboxes.txt"
    mv $BACKUP_DIR/mailboxes.txt $BACKUP_DIR/$DATE-mailboxes.txt
    # $SOURCE is intentionally unquoted so that the list and the glob expand
    tar -czpf $BACKUP_DIR/$DATE-mails.tar.gz $SOURCE   # gzip compression
    /etc/init.d/cyrus-imapd start
    /etc/init.d/postfix start
    sleep 5
    /etc/init.d/amavisd start
    /etc/init.d/spamassassin start
    /etc/init.d/fetchmail start
    umount /backup
else
    # Mount failed: do not write onto the IPFire, notify the admin instead
    sendmail -t < /bin/mail-backup-error.txt
fi
```
Set the correct access permissions. The script must be executable to be run by fcron later on, so the owner needs the execute bit as well:
`chmod 700 /bin/mail.backup.sh`
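A zero exit code from `mount` is not quite the same as the backup directory being a writable mountpoint: the share may already be mounted from an earlier run, or be mounted read-only. As an added example that is not part of the wiki page, the following shell functions look the directory up in `/proc/self/mounts` before anything is written, which is the stricter form of the `if` check in the script above. `BACKUP_DIR` and the error-mail file are assumptions taken from that script; the decision logic is shown with `echo` in place of the real mount, tar and sendmail commands so that it runs anywhere.

```bash
#!/bin/sh
# Added example, not part of the IPFire wiki page: check that the backup
# target is a writable mountpoint before anything is written to it.
# BACKUP_DIR and the error-mail file are assumptions taken from the script above.

BACKUP_DIR=${BACKUP_DIR:-/backup}

# Return 0 if directory $1 is currently a mountpoint according to the kernel.
# /proc/self/mounts columns: device, mountpoint, fstype, options, ...
is_mountpoint() {
    awk -v dir="$1" '$2 == dir { found = 1 } END { exit !found }' /proc/self/mounts
}

# Return 0 if directory $1 is mounted read-write (first mount option is "rw").
is_mounted_rw() {
    awk -v dir="$1" '$2 == dir && $4 ~ /^rw(,|$)/ { found = 1 } END { exit !found }' /proc/self/mounts
}

# Decide whether the backup may proceed; prints the reason, returns 0 or 1.
backup_target_ready() {
    if ! is_mountpoint "$1"; then
        echo "$1 is not a mountpoint: refusing to write the backup onto the local disk"
        return 1
    fi
    if ! is_mounted_rw "$1"; then
        echo "$1 is mounted read-only"
        return 1
    fi
    if [ ! -w "$1" ]; then
        echo "$1 is not writable by $(id -un)"
        return 1
    fi
    echo "$1 is a writable mountpoint"
}

# Same structure as the backup script: mount, verify, and only then back up.
# The mount and sendmail calls are shown as echo so the example runs anywhere.
run_backup() {
    echo "would run: mount -t nfs $BACKUP_DIR"
    if backup_target_ready "$BACKUP_DIR"; then
        echo "backup would run now (tar ... to $BACKUP_DIR)"
    else
        echo "backup skipped; would run: sendmail -t < /bin/mail-backup-error.txt"
        return 1
    fi
}

run_backup
```

The `[ ! -w ]` test at the end matters for NFS in particular: with root squashing on the NAS, root on the IPFire maps to an unprivileged user on the share, so the mount can be up and read-write yet still refuse the write.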
The e-mail is sent with Sendmail. For this to work, another file named *mail-backup-error.txt* needs to be created in the directory */bin* with the following content:
File: /bin/mail-backup-error.txt
```text
to: receiver account
subject: Mailbackup failed!
from: Sender account

The backup of the email accounts could not be accomplished.
Please fix this!
```
Now we also have a way to safeguard our mail accounts.
Whoever wants to automate the whole thing needs to add it to the *fcrontab*.
This is simply done by editing the fcrontab via the console:
`fcrontab -e`
| Note! |
| Editing the *fcrontab* takes place with the editor **vi**. Please familiarise yourself with its handling in advance! Alternatively you can also use [WINSCP](http://winscp.net/eng/docs/lang:de) |
and add the following lines:
```
# mail-backup
30 2 * * * /bin/mail.backup.sh
```
So that's all. We retrieve our mails, check them for spam and viruses, sort them into our accounts and back up our email accounts once a day.
Finally, a word of advice. In this configuration, spam and virus emails are moved to the folder */var/virusmail/* and are not delivered. Whoever prefers another way needs to adjust Amavis accordingly, but that is beyond this manual.
## Addendum
To prevent too many temporary files and directories from accumulating under Amavis, [the documentation of Amavisd-new](http://www.amavis.org/#doc) advises looking for superfluous ones from time to time and deleting them.
For this purpose the following commands can be found in the mentioned documentation in the category "**Tips and FAQ -- general**":
```bash
find /var/amavis -type d -name 'amavis-20??????T*' \
-prune -mtime +1 -exec rm -rf {} \;
```
It also states that amavisd should not be running while these commands are executed.
So for this purpose you can write a script that first stops amavisd, then executes the commands and finally starts amavisd again. Alternatively you can do as I did and add the commands to the start script of amavisd. This means that before each start, amavisd deletes the redundant data.
The content of **/etc/init.d/amavisd** then looks as follows:
```bash
#!/bin/sh
# Begin $rc_base/init.d/amavisd
# Description : Amavisd Init Script
# Authors : Michael Tremer (ms@ipfire.org)
# Version : 01.00
# Notes :

. /etc/sysconfig/rc
. ${rc_functions}

case "${1}" in
    start)
        boot_mesg "Starting AMaViS Daemon..."
        # remove temporary directories older than one day before amavisd starts
        find /var/amavis/tmp -type d -name 'amavis-20??????T*' \
            -prune -mtime +1 -exec rm -rf {} \;
        loadproc /usr/bin/amavisd
        ;;
    stop)
        boot_mesg "Stopping AMaViS Daemon..."
        killproc /usr/bin/amavisd
        ;;
    restart)
        ${0} stop
        sleep 1
        ${0} start
        ;;
    status)
        statusproc /usr/bin/amavisd
        ;;
    *)
        echo "Usage: ${0} {start|stop|restart|status}"
        exit 1
        ;;
esac
# End $rc_base/init.d/amavisd
```
## Addendum 2
Note that Fetchmail as well as Postfix also produce log files. Since both are addons and not part of the standard IPFire installation, they are not covered by the configured logfile rotation and their logs would grow and grow. So they have to be added to the logfile rotation afterwards.
For this, the file **/etc/logrotate.conf** is edited and the following lines are added:
```
# Postfix
/var/log/mail {
    rotate 4
}
# Fetchmail
/var/log/fetchmail.log {
    rotate 4
}
```
For this wiki the IPFire team wants to thank WhyTea.