/!\ THIS IS A DRAFT ONLY, FOR USE BY DOCUMENTATION WRITERS AND EDITORS. DO NOT RELY ON IT FOR ANY ADVICE UNTIL THIS NOTICE DISAPPEARS AND THE DOCUMENT IS PUBLISHED AS FINAL.

Postfix + CyrusImapd + SASL

1. Introduction

This article is aimed at beginners who wish to install and configure a basic mail server with virtual domains and quotas. Readers need some essential knowledge of system administration, installing programs, and editing configuration files. This article was written for CentOS-5.0.

When configuring a mail server there are many different combinations that can be applied in different scenarios.

Scenario:

A small business with two departments. Each department needs its own email domain. Our fellow John has responsibilities in both departments of the business, and it is pretty sure that he wants the same nickname in each department's mailbox domain. The space of each created mailbox will be limited to 20MB, to avoid filling our 40GB hard drive and, as a consequence, making the mail system inoperable. The business is growing, so we need to build the system so that more departments and users can be added easily.

Software:

Conventions:

Note that these names and values are only used for demonstration purposes; you should adapt them to your own environment.

2. Installation

The first thing we need to do is install the software that will be used. The simplest way to do this is with the yum tool. Run the following command to install the needed software:

# yum install postfix system-switch-mail cyrus-imapd cyrus-plain cyrus-md5 cyrus-utils

Dependencies will be resolved as needed.

IMPORTANT: We assume that only the default CentOS repositories are enabled on your system. If you have enabled third-party repos, be sure to have the yum-priorities plugin correctly configured.

3. Configurations

Before the configuration starts, let's take a look at the elements involved and the way the email system is supposed to work:

Here we'll create mailboxes that won't be stored in Postfix and won't use system accounts for authentication. The mailboxes will be created in Cyrus-Imapd and user authentication will be managed by SASL. In this configuration Postfix uses the LMTP protocol to hand messages to the Cyrus-Imapd mailboxes.

Generally, when a client wants to send a mail message it talks to Postfix. If the mail is for local delivery, Postfix checks the address and, if the checks pass and no rejection takes place, delivers the message into the related Cyrus-Imapd mailbox. At this point the message is stored in its local mailbox, ready to be read by its owner. If the mail is for external delivery, Postfix looks up on the Internet whom to talk to, and delivers the message there.

To reach their mailboxes, clients first need to authenticate against the SASL database. If authentication passes, the client can reach the mailbox where its mail messages are. Clients read their mail through a Mail User Agent with IMAP or POP3 support (Thunderbird is a nice one, but there are lots of them out there).

This process is illustrated in the following figure:

                          ------------------
          Incoming Mail |--+     Postfix  <-----------| Outgoing Mail  |
                          -|----------------                     |
                          ||     LMTP      |                     |
                          -|----------------                     |
                          |+>    Cyrus    +----------------+     |
                          |+>    Imapd    ||---->+         |     |
                          -|--------------|-     |         |     |
                          ||Authentication||    2|        1|     |
                          |+<    SASL    <+|     v         ^     |
                          ------------------     |Receiving|  |Sending|
                                                     |           |
                                                 +--------------------+
                                                 |     Mail Client    |

With the idea of what we want in mind, next we'll configure each element of our mail system: Postfix as the MTA, Cyrus-Imapd as the mailbox store, and SASL for authenticating user accounts.

Let's begin with Postfix:

3.1. Postfix

The following virtual domains will be created:

  1. dpt1.example.com (for our first business department)

  2. dpt2.example.com (for our second business department)

Also, the default domain will be used:

This means that in our mail system we'll have accounts with the following termination:

In the Postfix configuration, set the mail addresses that Postfix will accept as incoming mail. Mail to other addresses will be rejected. See the following configuration files:

/etc/postfix/main.cf

...
# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
myhostname = mail.example.com
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
mydomain = example.com
...
# RECEIVING MAIL
# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
inet_interfaces = all
...
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.
virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp
virtual_mailbox_domains =
      example.com
      dpt1.example.com
      dpt2.example.com
virtual_mailbox_maps =
      hash:/etc/postfix/example.com
      hash:/etc/postfix/dpt1.example.com
      hash:/etc/postfix/dpt2.example.com
virtual_alias_maps = hash:/etc/postfix/virtual

virtual_transport

Sets the transport Postfix uses to deliver messages to user mailboxes. As we are managing mailboxes locally with Cyrus-Imapd, the LMTP transport will be used.

virtual_mailbox_domains

Defines the domains Postfix will accept messages for. In our example, we want Postfix to accept messages sent to the example.com, dpt1.example.com and dpt2.example.com domains.

virtual_mailbox_maps

Sets the files with our users' addresses and domains. Addresses that are not in these lists will be rejected. When the file edit is finished, we need to run the postmap command to update the related database.

Example:
# postmap /etc/postfix/example.com
# postmap /etc/postfix/dpt1.example.com
# postmap /etc/postfix/dpt2.example.com

virtual_alias_maps

Defines virtual aliases among virtual users. The users should be listed with their related domains. If a user's domain is not listed, the default domain is used. When the file edit is finished, we need to run the postmap command to update the related database.

Example:
# postmap /etc/postfix/virtual

IMPORTANT: In order to receive mail sent from the Internet to the virtual domains, the MX record in your DNS zone should name as mail exchanger the machine that handles these virtual domains (mail.example.com, in our example), so that mail sent from the Internet to dpt1.example.com and dpt2.example.com can reach the mail.example.com machine.

If your configuration differs from the one described here, you need to adapt these changes to the ones that fit your needs.

/etc/postfix/example.com

john                                         John Smith
# ... More user accounts @example.com.

/etc/postfix/dpt1.example.com

john@dpt1.example.com                        John Smith
# ... More virtual user accounts @dpt1.example.com.

/etc/postfix/dpt2.example.com

john@dpt2.example.com                          John Smith
# ... More virtual user accounts @dpt2.example.com.

/etc/postfix/virtual

root                                         john
postmaster@example.com                       john
postmaster@dpt1.example.com                  john
postmaster@dpt2.example.com                  john

NOTE: In this configuration, messages sent to the local root system account and to the postmaster accounts will be forwarded to the john@example.com mailbox.
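As an added example (not code from the HowTo), the following POSIX shell script cross-checks the virtual maps above against main.cf: every address in virtual_mailbox_maps must belong to a virtual_mailbox_domains domain, every alias target must be one of our mailboxes, and a map edited without running postmap is reported. The bare-user rule assumes example.com as the default domain, as the article states, and the sample files the script writes are constructed copies of the ones shown above.

```shell
#!/bin/sh
# Added example (not part of the HowTo): consistency check for the article's Postfix
# virtual maps. make_sample writes constructed copies of those files plus two mistakes.
DEFAULT_DOMAIN=example.com   # the article's default domain, appended to bare users
# Print a main.cf parameter value, joining indented continuation lines.
cf_value() {
  awk -v key="$1" '
    /^#/      { next }
    /^[^ \t]/ { p = $0; sub(/[ \t]*=.*/, "", p); inval = (p == key)
                if (!inval) next; sub(/^[^=]*=[ \t]*/, "") }
    inval     { for (i = 1; i <= NF; i++) out = out (out == "" ? "" : " ") $i }
    END       { print out }' "$2"
}
# Column c (1 = key, 2 = value) of a hash: map source file, skipping comments.
map_col() { awk -v c="$2" '!/^[ \t]*(#|$)/ { print $c }' "$1"; }
# Bare "john" -> "john@example.com": the rule the article states for these maps.
qualify() { case $1 in *@*) echo "$1" ;; *) echo "$1@$DEFAULT_DOMAIN" ;; esac; }
# Prints each problem found and returns their count (0 = maps are consistent).
check_virtual_maps() {
  cf=$1; dir=$2; problems=0; boxes=" "
  domains=" $(cf_value virtual_mailbox_domains "$cf") "
  for m in $(cf_value virtual_mailbox_maps "$cf"); do
    f="$dir/${m##*/}"                       # hash:/etc/postfix/X -> $dir/X
    [ "$f.db" -nt "$f" ] || echo "WARN: $f changed but postmap was not run"
    for k in $(map_col "$f" 1); do
      a=$(qualify "$k"); boxes="$boxes$a "
      case $domains in *" ${a#*@} "*) ;;    # domain must be one Postfix accepts
        *) echo "ERROR: $f: $k is not in virtual_mailbox_domains"; problems=$((problems + 1)) ;;
      esac
    done
  done
  for m in $(cf_value virtual_alias_maps "$cf"); do     # assumes one target per alias
    for t in $(map_col "$dir/${m##*/}" 2); do
      a=$(qualify "$t")
      case $boxes in *" $a "*) ;;
        *) echo "ERROR: alias target $t has no mailbox"; problems=$((problems + 1)) ;;
      esac
    done
  done
  return $problems
}
# Constructed sample: the article's files plus a typo'd domain and a dangling alias.
make_sample() {
  printf 'virtual_mailbox_domains =\n  example.com\n  dpt1.example.com\n  dpt2.example.com\n' >"$1/main.cf"
  printf 'virtual_mailbox_maps =\n  hash:/etc/postfix/example.com\n  hash:/etc/postfix/dpt1.example.com\n' >>"$1/main.cf"
  printf '  hash:/etc/postfix/dpt2.example.com\nvirtual_alias_maps = hash:/etc/postfix/virtual\n' >>"$1/main.cf"
  printf 'john\tJohn Smith\n' >"$1/example.com"; printf 'john@dpt1.example.com\tJohn Smith\n' >"$1/dpt1.example.com"
  printf 'john@dpt2.example.com\tJohn Smith\nmary@dtp2.example.com\tMary Jones\n' >"$1/dpt2.example.com"
  printf 'root\tjohn\npostmaster@example.com\tjohn\nwebmaster@dpt1.example.com\tbob\n' >"$1/virtual"
}
```

On a real server run `check_virtual_maps /etc/postfix/main.cf /etc/postfix`; an address the check flags is one Postfix will reject, which is the failure the postmap reminder above is about.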

3.2. Cyrus-Imapd

The Cyrus-Imapd configuration is in the /etc/imapd.conf file. Here is our example:

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus cyrusadm
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: auxprop
sasl_mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
virtdomains: yes
defaultdomain: example.com
unixhierarchysep: yes

admins

Defines who is going to administer Cyrus-Imapd. By default the cyrus user is the one used to do it. In our example we leave cyrus as it is and add a new user called cyrusadm, which is the user we'll use to administer our mail system.

sasl_pwcheck_method

Defines the SASL method used to authenticate users. Here auxprop selects authentication through SASL's internal database, located at /etc/sasldb2. This method is convenient when creating virtual accounts.

virtdomains

Specifies whether we'll be using virtual domains or not. In our example we will, so the value yes is set.

defaultdomain

Specifies the default domain name of our mail system. When an address doesn't specify a domain name, the domain set in this option is used. In our example the domain example.com is used.

unixhierarchysep

Here we say that we are going to use the Unix slash (/) as the hierarchy separator and not the netnews dot (.). This lets us create accounts like john.smith@example.com.

3.3. Creating authentication accounts

The command used to administer the SASL internal database is saslpasswd2. To create the cyrusadm authentication account, run the following command:

# saslpasswd2 cyrusadm

It is recommended not to create a mailbox for the Cyrus administration accounts.

To create john's authentication accounts on each domain, we can do the following:

# saslpasswd2 john
# saslpasswd2 john@dpt1.example.com
# saslpasswd2 john@dpt2.example.com

Note that here we have created accounts for user john in three different domains. You can repeat this step to create as many virtual authentication accounts as you need.

Check the file permissions of the SASL database. Confirm that the cyrus user has read access to it:

# chmod 640 /etc/sasldb2
# chown root:cyrus /etc/sasldb2

3.4. Creating mailboxes

On mail.example.com machine, type the following command to connect to the Cyrus-Imapd server.

# cyradm --user=cyrusadm mail.example.com

Then, use the createmailbox command to create mailboxes on your system. Here we create the mailboxes for user john in our three different domains:

createmailbox user/john
createmailbox user/john@dpt1.example.com
createmailbox user/john@dpt2.example.com

You can repeat this step to create as many virtual mailboxes as you need. Cyrus-Imapd supports a great number of mailboxes, around 10 000 or maybe more. Note that each mailbox is unique within its domain (or realm).

3.5. Controlling the mailbox store space

Let's limit the store space on john's mailbox to 20MB.

On mail.example.com machine, type the following command to connect to the Cyrus-Imapd server.

# cyradm --user=cyrusadm mail.example.com

Then, to set 20MB of available space on each of john's mailboxes, we can use the setquota command. See the following commands:

setquota user/john 20000
setquota user/john@dpt1.example.com 20000
setquota user/john@dpt2.example.com 20000

3.6. Deleting mailboxes

On mail.example.com machine, type the following command to connect to the Cyrus-Imapd server.

# cyradm --user=cyrusadm mail.example.com

Then, to remove john's mailboxes, we can use the deletemailbox command. See the following commands:

deletemailbox user/john
deletemailbox user/john@dpt1.example.com
deletemailbox user/john@dpt2.example.com

3.7. Removing authentication account

After deleting a mailbox it is convenient to remove the related authentication account. To delete the authentication accounts related to user john, we use the -d option of the saslpasswd2 command. See the following commands:

# saslpasswd2 -d john
# saslpasswd2 -d john@dpt1.example.com
# saslpasswd2 -d john@dpt2.example.com

4. Starting the server

Let's configure the system to make Postfix the default MTA. To do that we can use the system-switch-mail tool. With this tool we install the postfix service and make it start on run levels 3, 4 and 5. We also need to do something similar for the Cyrus-Imapd service, this time with the chkconfig command. Here it is:

# chkconfig --level 345 cyrus-imapd on

Later we start the Postfix and Cyrus-Imapd services with the commands:

# /sbin/service cyrus-imapd start
# /sbin/service postfix start

At this point the mail server should be able to send and receive mail internally.

Remember to configure your firewall to open the ports (SMTP 25; POP3 110; IMAP 143). This configuration can be done with the system-config-network-tui tool.

This mail server was tested on a permissive SELinux environment.

TODO: Add some info about tests over SELinux enforcing environments

To send messages to external sites, your DNS needs to resolve external domain names so that Postfix can find the external MX records. To receive messages from outside, you need to configure an MX record in your DNS that other sites can refer to.

It's recommended to configure a PTR record for your mail machine too. To do this you need to contact your ISP, the people who gave you the IP address range and domain names, and talk to them about it if it isn't configured yet.

5. Summary

In this article we have done a very basic mail server installation and configuration. Our server was implemented with Postfix and Cyrus-Imapd. This configuration allows us to access mailboxes through the POP3 and IMAP protocols; virtual domains and quota assignment to mailboxes were also implemented.

6. Links

HowTos/Postfix+CyrusImapd+SASL (last edited 2008-11-07 19:14:59 by AlainRegueraDelgado)