Installation of Exim4, DoveCot, SquirrelMails: Difference between revisions

This is for Debian 7 Wheezy

(old Installation of Exim4, DoveCot, SquirrelMails, Debian 5, Debian 6)

Goals

• Using Debian 7 Wheezy
• Exim 4 as mail server
• Using self created certificate
• Dovecot for imap access
• SquirrelMail as web client
• SpamAssassin for spam filtering
• Access from
  • Thunderbird
  • Outlook: works out of the box, but you have to have certificates which match the domain names
• (todo) Backup of mails to a different system
• virtual users

Exim 4

install

We will use the heavy version to be able to later integrate SpamAssassin.

apt-get install exim4-daemon-heavy

If you can start programs with X-Server, you would like to get geximon:

apt-get install geximon xauth

Remember to ssh with "-X" or "ForwardX11 yes" in your config

paniclog

If you get paniclog entries like "address already in use", find out about the other process with

netstat -lnp | grep 25

Chances are, it is something about sendmail. Do

which sendmail

and "ls -l" on the result like

ls -l /usr/sbin/sendmail

or just (ticks, not single quotes)

ls -l `which sendmail`

Chances are, it is a link to exim4 and the installation went wrong. Happens every time for me. Remove the paniclog and restart the server. Check the log /var/log/exim4/mainlog

If it is not the above, perhaps you need to remove the sendmail(-bin) package.

validating

Have a look at the ports:

netstat -apn | grep exim

If you have exim4 listen on port 25, you should be ok.

• add at least one local user so you can set him as receiver for postmaster etc in the next step

Now you should reconfigure exim4

dpkg-reconfigure exim4-config

• internet site
• accept the domain name if you don't know better
• IP addresses to listen to:
  • leave this empty or make sure you include the external ip
  • ::1 the IP6 variant, if you keep this empty, don't bother now
• final destination: your domains
• domains to relay for: normally none (empty)
• machines to relay for: normally none (empty)
• DNS queries minimal: your choice (default: no)
• delivery method: maildir in home directory
• split: your choice (default: no) The main difference is, where will you later put your modifications
  • non-slit: /etc/exim4/exim4.conf.localmacros
  • split: /etc/exim4/conf.d/main/000_localmacros
• root/postmaster: select the above created user, should really read his mail

Now send a mail:

echo Hello You | mail <user>@<OTHER-domain> -s test-1

You should receive the mail at your account at the OTHER domain.

open firewall

If you have a firewall, open it for incoming at port 25. For example ufw:

ufw allow smtp

or firehol in /etc/firehol/firehol.conf

server smtp accept

TLS for SMTP

If you will have different mail domains at one ip you will get into problems with Outlook if you do not have one certificate per domain where the certificate matches the domain name. (TODO)

• install openssl (for certificate) and swaks (for tests) and libnet-ssleay-perl

apt-get install openssl swaks libnet-ssleay-perl

• edit the cert creation script, check at least the DAYS value. 7300 would be 20 years.

vi /usr/share/doc/exim4-base/examples/exim-gencert

• execute the script

/usr/share/doc/exim4-base/examples/exim-gencert

• create file /etc/exim4/exim4.conf.localmacros (non-split!) with

MAIN_TLS_ENABLE = 1

• reload exim

/etc/init.d/exim4 reload

• test it locally

swaks -f yourMail@YourDomain.com -t yourMail@YourDomain.com -tls -s localhost

• What would be bad:

Host did not advertise STARTTLS

sasl for system login

Currently we want system users and system user passwords, so we use SASL:

• install it

apt-get install sasl2-bin

• enable for system restart in /etc/default/saslauthd

START=yes

• add exim user to sasl group

adduser Debian-exim sasl

• start sasl

/etc/init.d/saslauthd start

enable exim to ask clients for passwords if they want to SEND mails

in /etc/exim4/exim4.conf.template enable the following 2 sections

plain_saslauthd_server:
driver = plaintext
public_name = PLAIN
server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif

login_saslauthd_server:
   driver = plaintext
   public_name = LOGIN
   server_prompts = "Username:: : Password::"
   # don't send system passwords over unencrypted connections
   server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
   server_set_id = $auth1
   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
   .endif

• activate it

update-exim4.conf && /etc/init.d/exim4 reload

• add one of the system users you will want to add anyway
• after installation of dovecot try for example to send a mail with Thunderbird, you should get asked to accept the certificate and give the password

virtual users

Source: https://www.organicdesign.co.nz/Configure_mail_server#Setting_up_mail_users

in exim4.conf.template set domainlist to

domainlist local_domains = @ : @[] : localhost : partial-lsearch;/etc/exim4/virtual.domains

in section "real_local" add

virtual:
	driver = redirect
	allow_defer
	allow_fail
	data = ${lookup{$local_part@$domain}lsearch*@{/etc/exim4/virtual.users}}
	domains = partial-lsearch;/etc/exim4/virtual.domains
	retry_use_local_part

create the file /etc/exim4/virtual.domains

example.com
example.net

reload settings

update-exim4.conf && /etc/init.d/exim4 reload

change /etc/exim4/virtual.users, you don't have to restart the server for this

regularuser@example.com     : localuser@localhost
forwardinguser@example.com  : someuser@example.org
foo@example.com             : :fail: Foo no longer lives here.
bar@example.com             : :blackhole:
*@example.com               : catchall1@localhost

regularuser@example.net     : localuser2@localhost
forwardinguser@example.net  : someuser2@example.org
*@example.net               : catchall2@localhost

If you have the local user smith but you want only to allow smith to get mail via huber@example.com, then use the following pattern:

huber@example.com : smith@localhost
*@example.com     : :fail: Your message

disable ipv6

to be able to send messages to providers like google, you will have to support ipv6 completely or not at all. So:

add to /etc/exim4/update-exim4.conf.conf

disable_ipv6='true'

add to /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1

restart the server

shutdown -r now

set some receivers to external mail accounts

• edit /etc/aliases
• change the entries to something you like, for example

root : you@yourDomain.com

• then run

newaliases

• perhaps you just need to allow root@your-domain.com as valid mail receiver

DoveCot

• allow in your firewall, for example for ufw

ufw limit imap

or for firehol in /etc/firehol/firehol.conf

server imap accept

Don't forget

firehol start

• install it

apt-get install dovecot-imapd

• use same directory for mail as exim4:

vi /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:~/Maildir
#mail_location = mbox:~/mail:INBOX=/var/mail/%u

/etc/init.d/dovecot restart

• first test (look for "Dovecot ready")

telnet localhost 143

• remote test (look for "Dovecot ready") from another computer

telnet <domain> 143

• remote tls test

openssl s_client -connect <domain>:143 -starttls imap

folders below inbox

Attention: Only customize this for NEW servers where ALL mailboxes are NEW. Otherwise, use the same settings as the old server. Exception: if you know what you are doing :-)

If you want the folders junk, sent etc. below the inbox, then do the following but keep in mind that is is not possible to just copy mail/ or Maildir/ from another server AND change the separator etc.

vi /etc/dovecot/conf.d/10-mail.conf

search for "namespace inbox" and inside that scope change

separator = 

to

separator = /

Then open

vi /etc/dovecot/conf.d/15-mailboxes.conf

and have it look like

namespace inbox {

  #mailbox name {
    # auto=create will automatically create this mailbox.
    # auto=subscribe will both create and subscribe to the mailbox.
    #auto = no

    # Space separated list of IMAP SPECIAL-USE attributes as specified by
    # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
    #special_use =
  #}

  # These mailboxes are widely used and could perhaps be created automatically:
  mailbox inbox/Drafts {
    special_use = \Drafts
    auto=subscribe
  }
  mailbox inbox/Junk {
    special_use = \Junk
    auto=subscribe
  }
  mailbox inbox/Trash {
    special_use = \Trash
    auto=subscribe
  }

  # For \Sent mailboxes there are two widely used names. We'll mark both of
  # them as \Sent. User typically deletes one of them if duplicates are created.
  mailbox inbox/Sent {
    special_use = \Sent
    auto=subscribe
  }
  mailbox "inbox/Sent Messages" {
    special_use = \Sent
  }

  # If you have a virtual "All messages" mailbox:
  #mailbox virtual/All {
  #  special_use = \All
  #}

  # If you have a virtual "Flagged" mailbox:
  #mailbox virtual/Flagged {
  #  special_use = \Flagged
  #}

  mailbox inbox/Archive {
    special_use = \Archive
    auto=subscribe
  }
}

switch server

You can copy "mail" or "Maildir" directories from one server or account to the other. If you copy between servers you will have to have the same prefix/separator in both locations. Or you have to understand this: http://wiki2.dovecot.org/Namespaces or something like it. Whatever you do, after the copy of a Maildir, do

chown -R newUser:newUser Maildir

Spam Assassin

the following is from sysadmin world

• install spamassassin and the exim filter

apt-get install sa-exim  spamassassin

• start on each boot: /etc/default/spamassassin

ENABLED=1 

• start

service spamassassin start

• in /etc/exim4/exim4.conf.template at the top in MAIN CONFIGURATION SETTINGS add:

local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so

• enable the connector in /etc/exim4/sa-exim.conf. Please be careful, there are some lines with SAEximRunCond but only one with SAEximRunCond: 0. Comment this line out.

#SAEximRunCond: 0 

Logging:

SAEximDebug: 0

• activate changes in /etc/exim4/exim4.conf.template

/usr/sbin/update-exim4.conf 

• restart exim

/etc/init.d/exim4 restart

Let Spam Assassin learn from your folders

Spam Assassin can learn what is junk and what is ham (not junk) from your folders, if the users of your mail server put junk mails into certain folders and good mails into certain other folders. If Thunderbird is being used, it is easy.

crontab -e
32 1 * * * . /etc/profile && /usr/bin/sa-learn  --spam /home/*/Maildir/.INBOX.Junk/ > /dev/null
45 2 * * * . /etc/profile && /usr/bin/sa-learn  --ham /home/*/Maildir/.INBOX.Archives* > /dev/null

This way your Spam Assassin will learn each night more. It is important to realize that Spam Assassin does *not* put junk into certain folders. It will only mark the messages as junk. You have to configure your e-mail program to trust Spam Assassin headers and put marked mails into its junk folders.

SquirrelMail

WebMail behind Apache2 authentication depending on logins

• install it

apt-get install squirrelmail squirrelmail-secure-login squirrelmail-compatibility squirrelmail-decode wngerman wamerican-large php-gettext php-xml-parser aspell spellutils emacsen-common php5-mhash aspell-doc ispell php5-common libapache2-mod-authnz-external

• check /usr/share/squirrelmail/plugins/secure_login/functions.php ca. line 391, look for code like

if ( $serverPort == $targetHttpsPort && $secure_logoff_count == 0)

below that look for

 $location = 'http:// ....

If you find it, replace it with https. (It seems to be fixed in certain versions)

 $location = 'https:// ....

• call /etc/squirrelmail/conf.pl

Options you will definitely need to check are: (use ports 25 and 143)

(Options are listed by main menu, then sub menu number. So "1 1" refers to option 1, sub option 1. And so on.)

• 1 1 - Set your own organisation name.
• 2 3 - SMTP
• 2 A 4 - localhost
• 2 A 5 - 143
• 2 A 6 - login
• 2 A 7 - false (we are local, if not, use true)
• 2 A 8 - dovecot

Apache

link to /var/www

cd /var/www
ln -s /usr/share/squirrelmail

in /etc/apache2/ports.conf

• disable all ports but 431 which depends on a module
• activate the module

cd /etc/apache2/mods-enabled/
ln -s ../mods-available/ssl.load
ln -s ../mods-available/ssl.conf

• enable authnz_external the easy way (both ways have the same result: a link)

a2enmod authnz_external 

in /etc/apache2/sites-available/110-squirrel-ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
    ServerName mail.yourdomain.de
    Alias /var/www/squirrelmail /usr/share/squirrelmail
    DocumentRoot /usr/share/squirrelmail/
    <Directory /usr/share/squirrelmail>
        Options Indexes FollowSymLinks
        <IfModule mod_php4.c>
            php_flag register_globals off
        </IfModule>
        <IfModule mod_php5.c>
            php_flag register_globals off
        </IfModule>
        <IfModule mod_dir.c>
            DirectoryIndex index.php
        </IfModule>
    </Directory>
    SSLEngine on
    SSLCertificateFile    /etc/exim4/exim.crt
    SSLCertificateKeyFile /etc/exim4/exim.key

    AddExternalAuth pwauth /usr/sbin/pwauth
    SetExternalAuthMethod pwauth pipe

    <Location />
        AuthBasicProvider external
        AuthExternal pwauth
        AuthName your-domain
        AuthType basic
        Require valid-user
    </Location>

    </VirtualHost>
</IfModule>

• enable it

cd  cd /etc/apache2/sites-enabled/
ln -s ../sites-available/110-squirrel-ssl.conf

• remove the default

rm 000-default

• restart apache

/etc/init.d/apache2 restart

• allow https in your firewall

for example firehol:

server https accept

Plugins

• get new plugins from [1] and unzip them to /usr/share/squirrelmail/plugins/

and activate them with

/etc/squirrelmail/conf.pl

Check in /etc/php5/apache2/php.ini:

• post_max_size
• upload_max_filesize