MySQL-backed SMTP+IMAP Mail server on Debian Lenny

This guide sets up a mail server that stores its users and domains in a MySQL backend, using Dovecot as the IMAP server, Postfix as the MTA and SpamAssassin for spam filtering, all with SSL client-server encryption.

I’ll also assume you have a MySQL server ready for use.

This guide was written for these versions on Debian 5.0.3 (Lenny):

  • Postfix 2.5.5-1.1
  • Dovecot 1.01.15-2.3
  • SASL Auth Server 2.1.22
  • Spamassassin 3.2.5-2

This should also work on Debian derivatives such as Ubuntu.

Updates

  • 29/11/2009 – Fixed SASL location/permissions for postfix
  • 31/07/2010 – Added dovecot to adm group for access to logs

MySQL

Create a new user and database, either through phpMyAdmin or using the SQL below.

It is best to use a randomly generated password for this, from a utility such as pwgen (which may need to be installed).

    CREATE USER 'maildb'@'localhost' IDENTIFIED BY 'mailpassword';
    CREATE DATABASE IF NOT EXISTS `maildb` ;
    GRANT ALL PRIVILEGES ON `maildb`.* TO 'maildb'@'localhost';

Make a note of the mailpassword, as you will need it later.

Download and change maildb.sql:

  • Change the admin password
  • Change your initial domain name
  • Set the initial email address and password (must be CRYPT format).

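To generate CRYPT passwords run: perl -e 'print(crypt("PASSWORD","SALT")."\n");'
Replace PASSWORD with the account password and SALT with the salt. The salt must be 2 random characters.
A 2-character salt selects the traditional DES-based crypt, which only uses the first 8 characters of the password.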

Import the maildb.sql to your server either through phpMyAdmin or via the following.

Command Line: mysql maildb -u root -p < maildb.sql
SQL : source /dir/to/maildb.sql

Your MySQL database is now ready to use!

SASL

Install needed packages: apt-get install libsasl2-2 libsasl2-modules sasl2-bin

Edit /etc/default/saslauthd

...
START=yes
...
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Set up the saslauthd run directory:

mkdir -p /var/spool/postfix/var/run/saslauthd
chgrp sasl /var/spool/postfix/var/run/saslauthd

Add postfix to the sasl group.

adduser postfix sasl

Start SASL: /etc/init.d/saslauthd start

Postfix

Install needed packages: apt-get install postfix postfix-mysql
Choose Internet Site when installing postfix.

Stop postfix: /etc/init.d/postfix stop

Install this main.cf file to /etc/postfix and alter as necessary (instructions are within; only the SSL cert location and hostname need to be changed).

Create the directory /etc/postfix/mysql, install the files from postfix-mysql.zip into it and alter each cf file to use the password for the maildb MySQL user.

Put the following into a new file at /etc/postfix/sasl/smtpd.conf

saslauthd_path: /var/run/saslauthd/mux
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: maildb
sql_passwd: mailpassword
sql_database: maildb
sql_select: select password from users where email = '%u'

Create the mail directory:

mkdir /var/mail/vdomains
chown mail:mail /var/mail/vdomains
chmod g+w /var/mail/vdomains

Add postfix to the mail group: adduser postfix mail

Secure your files:

chown postfix:postfix /etc/postfix/*.cf
chown -R postfix:postfix /etc/postfix/mysql
chown postfix:postfix /etc/postfix/sasl
chmod -R o-r /etc/postfix/mysql # deny read access to your mysql password
chmod o-r /etc/postfix/sasl/smtpd.conf

Start postfix: /etc/init.d/postfix start

netstat -tapn should show these 2 lines:

tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      nnnn/master
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      nnnn/master

To verify it's working run: telnet mail.yourdomain.com 25

After the server sends: 220 mail.yourdomain.com ESMTP Postfix biff = no

Reply With: EHLO example.com

The server will then send:

250-mail.yourdomain.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Don't worry that no AUTH line is listed; it is only presented after the client starts encryption with the server.

You can change this by running the command: postconf -e smtpd_tls_auth_only=no and restarting the server: /etc/init.d/postfix restart
Doing so lets clients send their PLAIN and LOGIN credentials over an unencrypted connection.
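
A check for the behaviour described above, as an added example that is not part of the original guide: it reads a captured pre-TLS EHLO reply and reports whether STARTTLS is offered and whether AUTH is advertised before encryption. The function name check_ehlo is an assumption of this example; the sample input is the reply shown above, re-typed.

```shell
#!/bin/sh
# Added example, not from the guide: check a captured pre-TLS EHLO reply.

# check_ehlo reads the reply on stdin, prints its findings and returns 0
# only if STARTTLS is offered and AUTH is withheld until after encryption.
check_ehlo() {
    # Strip telnet's CRs and the "250-" / "250 " prefixes, then upper-case
    # because SMTP extension keywords are case-insensitive.
    caps=$(tr -d '\r' | sed -n 's/^250[- ]//p' | tr '[:lower:]' '[:upper:]')
    rc=0
    if ! printf '%s\n' "$caps" | grep -q '^STARTTLS$'; then
        echo "FAIL: STARTTLS not offered"
        rc=1
    fi
    # Postfix can announce AUTH as "AUTH ..." and, for old clients, "AUTH=...".
    auth=$(printf '%s\n' "$caps" | grep -E '^AUTH([ =]|$)' | head -n 1)
    if [ -n "$auth" ]; then
        echo "FAIL: AUTH advertised before TLS: $auth"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: STARTTLS offered, AUTH withheld until TLS"
    fi
    return "$rc"
}

# The EHLO reply shown in the guide, re-typed here as sample input.
check_ehlo <<'EOF'
250-mail.yourdomain.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EOF
```
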

Dovecot

Install needed packages: apt-get install dovecot-imapd

Stop Dovecot: /etc/init.d/dovecot stop

Change /etc/dovecot/dovecot.conf to:

## Dovecot configuration file
protocols = imap imaps
log_path = /var/log/mail.err
info_log_path =  /var/log/mail.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
ssl_listen = 0.0.0.0
ssl_disable = no
ssl_cert_file = /etc/ssl/imapd.crt
#ssl_cert_file = /etc/ssl/imapd.pem ## for chained certs
ssl_key_file = /etc/ssl/imapd.key
verbose_ssl = no
login_greeting = Dovecot IMAP Server Ready.
first_valid_uid = 8
last_valid_uid = 8
first_valid_gid = 8
last_valid_gid = 8

auth default {
  mechanisms = plain login
  passdb sql {
    args = /etc/dovecot/sql.conf
  }
  userdb sql {
    args = /etc/dovecot/sql.conf
  }
}

Add the sql configuration to /etc/dovecot/sql.conf:

driver = mysql
connect = host=/var/run/mysqld/mysqld.sock dbname=maildb user=maildb password=mailpassword
default_pass_scheme = CRYPT
password_query = SELECT email as user, password FROM users WHERE email = '%u' AND active = 1
user_query = SELECT 'maildir:/var/mail/vdomains/%d/users/%n/Maildir/' as mail, 8 as gid, 8 as uid  FROM users WHERE email='%u'

Although the user_query returns only constant values rather than anything stored in the database, it is still required to make sure the email account exists.

Add dovecot to the mail group: adduser dovecot mail
And to the adm group: adduser dovecot adm (to allow it to write to the logs)

Secure the configuration:

chown dovecot:dovecot /etc/dovecot/*
chmod o-r /etc/dovecot/sql.conf
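
The permission steps from the Postfix and Dovecot sections can be re-checked with a script such as this one, an added example rather than part of the original guide. The ROOT argument and the map file names domains.cf and users.cf are assumptions made so the check can run against a constructed test tree; call it without an argument to audit the live system.

```shell
#!/bin/sh
# Added example, not from the guide: audit the files that hold the maildb
# MySQL password. ROOT is an assumed optional prefix for testing.

# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_mail_secrets() {
    root="${1:-}"
    rc=0
    for f in "$root"/etc/postfix/mysql/*.cf \
             "$root/etc/postfix/sasl/smtpd.conf" \
             "$root/etc/dovecot/sql.conf"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"; rc=1; continue
        fi
        # -perm -004: the "other" read bit is set, so any local user can
        # read the database password stored in this file.
        if [ -n "$(find "$f" -prune -perm -004)" ]; then
            echo "WORLD-READABLE $f"; rc=1
        fi
        # -perm -002: any local user could rewrite the query or password.
        if [ -n "$(find "$f" -prune -perm -002)" ]; then
            echo "WORLD-WRITABLE $f"; rc=1
        fi
    done
    return "$rc"
}

# Constructed demo tree: the guide's chmod commands applied, except that
# one (hypothetical) map file has been left at the default 0644.
demo=$(mktemp -d)
mkdir -p "$demo/etc/postfix/mysql" "$demo/etc/postfix/sasl" "$demo/etc/dovecot"
for p in etc/postfix/mysql/domains.cf etc/postfix/mysql/users.cf \
         etc/postfix/sasl/smtpd.conf etc/dovecot/sql.conf; do
    echo "password = constructed-example" > "$demo/$p"
    chmod 640 "$demo/$p"
done
chmod 644 "$demo/etc/postfix/mysql/users.cf"

audit_mail_secrets "$demo" || echo "audit found problems"
rm -rf "$demo"
```
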

Start Dovecot: /etc/init.d/dovecot start

Verify using a mail client or simply running: telnet mail.yourdomain.com 143

netstat -tapn should show these 2 lines:

tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      nnnn/imap-login
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      nnnn/imap-login

SpamAssassin

Install needed packages: apt-get install spamassassin

Edit /etc/default/spamassassin

Change ENABLED=0 to ENABLED=1
And CRON=0 to CRON=1

Change the options to:

HOMEDIR="/var/lib/spamassassin"
OPTIONS="-m 3 -u spamd -g spamd -x -i 127.0.0.1 -H ${HOMEDIR}"

Options Explained

  • -m 3 will create 3 child processes to process spam
  • -u and -g will force spamassassin to run as user spamd
  • -x disables user configuration
  • -i binds to localhost
  • -H sets where SpamAssassin will keep its learnt spam and ham rules

Create a new spamd user:

adduser --system --home /var/lib/spamassassin --group --disabled-login spamd

Edit /etc/postfix/master.cf to process incoming mail through spamassassin.

smtp      inet  n       -       -       -       -       smtpd
        -o content_filter=spamd

Add the content filter spamd to the end of the file.

spamd     unix  -       n       n       -       -       pipe
   user=nobody argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Start SpamAssassin: /etc/init.d/spamassassin start

netstat -tapn should show this line:

tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      nnnnn/spamd.pid

Notes

  • A new email account must receive an email before it can be used. This forces postfix to create the user's mail directory; otherwise Dovecot cannot find it.
  • You’ll have to work out your own way of managing the database, either through phpMyAdmin or your own custom solution.

END

You should now have a fully functional mail server running, enjoy!

I hope you found this guide useful. If I’ve omitted something or got the details wrong, please correct me through the comments :)
