Installation of Exim4, DoveCot, SquirrelMails: Difference between revisions

From Andreida
= Original installation instructions =

First of all, this is really just a composition of the links which I list at the bottom.

== Goals ==
* Exim 4 on a Debian 5.0 (6.x) virtual machine
* DoveCot as IMAP server
* SquirrelMail as web interface via self-signed SSL
* The whole thing for two domains at once

== Exim 4 ==
apt-get install exim4-daemon-heavy eximon4 exim4-doc-info gnutls-bin openssl file libmail-spf-query-perl swaks bsd-mailx ca-certificates
dpkg-reconfigure exim4-config
* ::1 is the IPv6 equivalent of 127.0.0.1
* not mbox but maildir!
* split files

* Error: socket bind() to port 25 for address ::1 failed: Cannot assign requested address: daemon abandoned
** redo "dpkg-reconfigure exim4-config" but don't use ::1

* Test the server with
echo "hello" | mail -s "a test email" yourMail@yourDomain.com
* Read mail with
mail

=== TLS for SMTP ===
* install openssl (for certificate) and swaks (for tests) and libnet-ssleay-perl
apt-get install openssl swaks libnet-ssleay-perl
* create the certificate (change DAYS depending on your wishes)
/usr/share/doc/exim4-base/examples/exim-gencert
* create file /etc/exim4/conf.d/main/001_local with
MAIN_TLS_ENABLE = 1
* test the server with
swaks -f yourMail@YourDomain.com -t yourMail@YourDomain.com -tls -s localhost

=== disable ipv6 ===
add to /etc/exim4/update-exim4.conf.conf
disable_ipv6='true'

add to /etc/sysctl.conf
<pre>
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
</pre>

restart the server
shutdown -r now

== DoveCot ==
* Install it
apt-get install dovecot-imapd
* edit /etc/dovecot/dovecot.conf
protocols = imap sieve
mail_location = maildir:~/mail
* and perhaps, not sure about it
# Number of authentication processes to create
count = 1

This will set ~/mail/ as the directory for the mail
* require ssl in conf.d/10-ssl.conf
ssl = required

=== LDA ===
Search for "protocol lda" and enable the following code
grep -r lda /etc/dovecot/*

protocol lda {
postmaster_address = postmaster@<yourDomain.com>
mail_plugins = sieve
}

=== Disable plaintext authentication ===
Uncomment
#disable_plaintext_auth = yes

=== Enable the authenticator socket ===
Look for this line in the default configuration, and uncomment the socket section below it.
<pre>
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0600
}
client {
path = /var/run/dovecot/auth-client
mode = 0666
}
}
</pre>
* restart dovecot

=== Create a Dovecot transport for Exim ===
* create /etc/exim4/conf.d/transport/20_dovecot
<pre>
dovecot:
driver = pipe
command = /usr/lib/dovecot/deliver
message_prefix =
message_suffix =
log_output
delivery_date_add
envelope_to_add
return_path_add
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
</pre>

=== Configure Exim to use the Dovecot transport for local deliveries ===

'''I am not sure about this. I think you should not use it!'''

* edit /etc/exim4/conf.d/router/900_exim4-config_local_user
change
transport = LOCAL_DELIVERY
to
transport = dovecot


* edit /etc/exim4/conf.d/auth/30_exim4-config_examples (or the proper place, if you know where that is...) and add

<pre>
plain:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1

login:
driver = dovecot
public_name = LOGIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1
</pre>

* make sure other plain/login sections are disabled

== Apache 2 ==
* install it
apt-get install apache2 apache2-doc
* enable SSL
a2enmod ssl
* disable the http site
a2dissite default
* enable https site
a2ensite default-ssl
* Edit the file /etc/apache2/ports.conf. Comment out the following two lines:
NameVirtualHost *:80
Listen 80
* edit /etc/apache2/sites-available/default-ssl
from
<VirtualHost _default_:443>
to
<VirtualHost *:443>
* set the ServerName sub.domain.xx (/etc/apache2/sites-available/default-ssl)
* restart apache
* connect to https://domain (don't forget your firewall)

=== Point to new certs ===
edit /etc/apache2/sites-enabled/default-ssl (or whatever you use)
change
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
to
SSLCertificateFile /etc/exim4/exim.crt
SSLCertificateKeyFile /etc/exim4/exim.key

=== Configure Apache to authenticate local users (not working for Debian 5 - only from 6 !) ===
* install it
apt-get install libapache2-mod-authnz-external
* activate it
a2enmod authnz_external

Edit /etc/apache2/sites-available/default-ssl and add a block like this near to the top. (There's a full example configuration file you can see below).
<pre>
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe

<Location />
AuthBasicProvider external
AuthExternal pwauth
AuthName Hinterlands
AuthType basic
Require valid-user
</Location>
</pre>

Restart Apache and reload the page you visited before, and you should now be prompted for your username and password. Everything transmitted is encrypted, so you should feel reasonably secure sending your credentials along, browser caches and password managers excepted.

== SquirrelMail ==
* install it
apt-get install squirrelmail squirrelmail-secure-login squirrelmail-compatibility squirrelmail-decode avelsieve wngerman wamerican-large php-gettext php-xml-parser aspell spellutils emacsen-common php5-mhash aspell-doc ispell

* check /usr/share/squirrelmail/plugins/secure_login/functions.php ca. line 391, look for code like
if ( $serverPort == $targetHttpsPort && $secure_logoff_count == 0)
below that look for
$location = 'http:// ....
If you find it, replace it with
$location = 'https:// ....

* call /etc/squirrelmail/conf.pl
Options you will definitely need to check are:

(Options are listed by main menu, then sub menu number. So "1 1" refers to option 1, sub option 1. And so on.) Use ports 25 and 143.

* 1 1 - Set your own organisation name.
* 2 3 - SMTP
* 2 A 4 - localhost
* 2 A 5 - 25
* 2 A 6 - login
* 2 A 7 - true
* 2 A 8 - dovecot

=== Plugins ===

* get new plugins from [http://www.squirrelmail.org/plugins.php] and unzip them to /usr/share/squirrelmail/plugins/

and activate them with
/etc/squirrelmail/conf.pl

Check in /etc/php5/apache2/php.ini:
* post_max_size
* upload_max_filesize

== Tests ==
openssl s_client -connect 127.0.0.1:993 -showcerts
echo "hello" | mail -s "a test email" yourMail@yourDomain.com
swaks -f yourMail@YourDomain.com -t yourMail@YourDomain.com -tls -s localhost

== pk12 ==
* create a PKCS#12 (.p12) bundle from the Exim certificate and key:
openssl pkcs12 -export -in /etc/exim4/exim.crt -inkey /etc/exim4/exim.key \
-out <your-domain>.p12 -name "<something to recognize>"

== Thunderbird ==
Perhaps you will have to give Thunderbird wrong data when you create the account: tell it the real ports, but set protocols and passwords to plain.
No idea why I had to do that.


== Spam Assassin ==
The following is from [http://sysadminwrld.blogspot.de/2012/01/integrating-spamassassin-with-exim4.html sysadmin world]

* install spamassassin and the exim filter
apt-get install sa-exim spamassassin
* start on each boot: /etc/default/spamassassin
ENABLED=1
* start
service spamassassin start
* in /etc/exim4/exim4.conf.template at the top in MAIN CONFIGURATION SETTINGS add:
local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so
* enable the connector in /etc/exim4/sa-exim.conf. Please be careful, there are some lines with SAEximRunCond but only one with SAEximRunCond: 0. Comment this line out.
#SAEximRunCond: 0
Logging:
SAEximDebug: 0
* activate changes in /etc/exim4/exim4.conf.template
/usr/sbin/update-exim4.conf
* restart exim
/etc/init.d/exim4 restart

== Dovecot certificate recreate ==
* create key (1024 bits as written here; 2048 bits or more is the current minimum)
openssl genrsa -out /etc/ssl/private/dovecot.pem 1024
* create cert
openssl req -new -x509 -key /etc/ssl/private/dovecot.pem -out /etc/ssl/certs/dovecot.pem -days 4500


=== Outlook ===
In the dovecot config file make sure "login" is among the allowed mechanisms
mechanisms = plain login

== Links ==
* [http://www.debian-administration.org/articles/140 Handling mail for multiple virtual domains with exim4]
* [http://hinterlands.org/wiki/index.php/DebianEximDovecotSquirrelmailSieve DebianEximDovecotSquirrelmailSieve - Hinterlands]
* [http://sysadminwrld.blogspot.de/2012/01/integrating-spamassassin-with-exim4.html Integrating SpamAssassin with Exim4]
* [http://www.faqforge.com/linux/renew-the-dovecot-ssl-certificate-on-ubuntu-linux/ How to renew the SSL certificate for dovecot on Ubuntu Linux]
* [http://blog.querformatik.de/2011/09/30/debian-mit-postfix-und-dovecot-mag-outlook-nicht/ Debian mit Postfix und Dovecot mag Outlook nicht]

Revision as of 07:51, 15 March 2016

(old Installation of Exim4, DoveCot, SquirrelMails, Debian 5, Debian 6)

New installation instructions (Debian 7 Wheezy)

Goals

  • Using Debian 7 Wheezy
  • Exim 4 as mail server
  • Using a self-created certificate
  • Dovecot for IMAP access
  • SquirrelMail as web client
  • SpamAssassin for spam filtering
  • Access from
    • Thunderbird
    • Outlook: works out of the box, but you have to have certificates which match the domain names
  • (todo) Backup of mails to a different system
  • virtual users

Exim 4

install

We will use the heavy version to be able to later integrate SpamAssassin.

apt-get install exim4-daemon-heavy

If you can run X11 programs from the server (X forwarding), you may want geximon:

apt-get install geximon xauth

Remember to ssh with "-X" or "ForwardX11 yes" in your config

paniclog

If you get paniclog entries like "address already in use", find out about the other process with

netstat -lnp | grep 25

Chances are, it is something about sendmail. Do

which sendmail

and "ls -l" on the result like

ls -l /usr/sbin/sendmail

or just (backticks, not single quotes)

ls -l `which sendmail`

Chances are, it is a link to exim4 and the installation went wrong. Happens every time for me. Remove the paniclog and restart the server. Check the log /var/log/exim4/mainlog

If it is not the above, perhaps you need to remove the sendmail(-bin) package.

validating

Have a look at the ports:

netstat -apn | grep exim

If you have exim4 listen on port 25, you should be ok.

  • add at least one local user so you can set him as the recipient for postmaster etc. in the next step

Now you should reconfigure exim4

dpkg-reconfigure exim4-config
  • internet site
  • accept the domain name if you don't know better
  • IP addresses to listen to:
    • leave this empty or make sure you include the external IP
    • ::1 is the IPv6 variant; if you leave the list empty, don't bother with it now
  • final destination: your domains
  • domains to relay for: normally none (empty)
  • machines to relay for: normally none (empty)
  • DNS queries minimal: your choice (default: no)
  • delivery method: maildir in home directory
  • split: your choice (default: no). The main difference is where you will later put your modifications:
    • non-split: /etc/exim4/exim4.conf.localmacros
    • split: /etc/exim4/conf.d/main/000_localmacros
  • root/postmaster: select the user created above, who should really read this mail

Now send a mail:

echo Hello You | mail <user>@<OTHER-domain> -s test-1

You should receive the mail at your account at the OTHER domain.


open firewall

If you have a firewall, open it for incoming at port 25. For example ufw:

ufw allow smtp

or firehol in /etc/firehol/firehol.conf

server smtp accept

TLS for SMTP

If you serve several mail domains from one IP, you will run into problems with Outlook unless you have one certificate per domain whose name matches that domain. (TODO)


  • install openssl (for certificate) and swaks (for tests) and libnet-ssleay-perl
apt-get install openssl swaks libnet-ssleay-perl
  • edit the cert creation script, check at least the DAYS value. 7300 would be 20 years.
vi /usr/share/doc/exim4-base/examples/exim-gencert
  • execute the script
/usr/share/doc/exim4-base/examples/exim-gencert
  • create file /etc/exim4/exim4.conf.localmacros (non-split!) with
MAIN_TLS_ENABLE = 1
  • reload exim
/etc/init.d/exim4 reload
  • test it locally
swaks -f yourMail@YourDomain.com -t yourMail@YourDomain.com -tls -s localhost
  • What would be bad:
Host did not advertise STARTTLS

sasl for system login

For now we want system users with their system passwords, so we use SASL (saslauthd):

  • install it
apt-get install sasl2-bin
  • enable for system restart in /etc/default/saslauthd
START=yes
  • add exim user to sasl group
adduser Debian-exim sasl
  • start sasl
/etc/init.d/saslauthd start

enable exim to ask clients for passwords if they want to SEND mails

in /etc/exim4/exim4.conf.template enable the following 2 sections

plain_saslauthd_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
  server_set_id = $auth2
  server_prompts = :
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif

login_saslauthd_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  # don't send system passwords over unencrypted connections
  server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
  server_set_id = $auth1
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
  • activate it
update-exim4.conf && /etc/init.d/exim4 reload
  • add one of the system users you will want to add anyway
  • after installation of dovecot, try sending a mail with Thunderbird, for example; you should be asked to accept the certificate and to enter the password

virtual users

Source: https://www.organicdesign.co.nz/Configure_mail_server#Setting_up_mail_users

in exim4.conf.template set domainlist to

domainlist local_domains = @ : @[] : localhost : partial-lsearch;/etc/exim4/virtual.domains

in section "real_local" add

virtual:
	driver = redirect
	allow_defer
	allow_fail
	data = ${lookup{$local_part@$domain}lsearch*@{/etc/exim4/virtual.users}}
	domains = partial-lsearch;/etc/exim4/virtual.domains
	retry_use_local_part

create the file /etc/exim4/virtual.domains

example.com
example.net

reload settings

update-exim4.conf && /etc/init.d/exim4 reload

edit /etc/exim4/virtual.users; you don't have to restart the server for this

regularuser@example.com     : localuser@localhost
forwardinguser@example.com  : someuser@example.org
foo@example.com             : :fail: Foo no longer lives here.
bar@example.com             : :blackhole:
*@example.com               : catchall1@localhost
regularuser@example.net     : localuser2@localhost
forwardinguser@example.net  : someuser2@example.org
*@example.net               : catchall2@localhost

If you have the local user smith but want smith to receive mail only as huber@example.com, use the following pattern:

huber@example.com : smith@localhost
*@example.com     : :fail: Your message
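The lookups the virtual router performs, as an added example (not from the wiki): it mimics the partial-lsearch match on virtual.domains and the lsearch*@ fallback order on virtual.users (exact address, then *@domain, then *) together with :fail: and :blackhole:, so an edit to the file can be dry-run before real mail hits it. The file contents are constructed copies of the wiki's own examples.

```python
"""Dry-run the virtual router's lookups from the section above.

Added example, not from the wiki: it mimics partial-lsearch on virtual.domains
and lsearch*@ on virtual.users (exact key, then *@domain, then *) including the
:fail: and :blackhole: values, so an edit can be checked before mail arrives.
The file contents below are constructed copies of the wiki's examples.
"""

VIRTUAL_DOMAINS = "example.com\nexample.net\n"

VIRTUAL_USERS = """\
regularuser@example.com     : localuser@localhost
forwardinguser@example.com  : someuser@example.org
foo@example.com             : :fail: Foo no longer lives here.
bar@example.com             : :blackhole:
*@example.com               : catchall1@localhost
regularuser@example.net     : localuser2@localhost
forwardinguser@example.net  : someuser2@example.org
*@example.net               : catchall2@localhost
"""

def parse_lsearch(text):
    """lsearch file: one 'key : data' per line; blanks and '#' lines ignored."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, data = line.partition(":")
            table[key.strip()] = data.strip()
    return table

def domain_is_virtual(domain, domains, min_labels=2):
    """partial-lsearch: exact key, then '*.' + key with leading labels dropped
    one at a time, never going below min_labels labels (Exim's default 2)."""
    if domain in domains:
        return True
    labels = domain.split(".")
    while len(labels) >= min_labels:
        if "*." + ".".join(labels) in domains:
            return True
        labels = labels[1:]
    return False

def resolve(address, users, domains):
    """Return ('deliver', [targets]) | ('fail', msg) | ('blackhole', '')
    | ('not_virtual', '') | ('unknown', '') following lsearch*@ order."""
    domain = address.rpartition("@")[2]
    if not domain_is_virtual(domain, domains):
        return ("not_virtual", "")        # the router's domains= condition fails
    for key in (address, "*@" + domain, "*"):
        if key in users:
            data = users[key]
            break
    else:
        return ("unknown", "")            # no entry: the router declines
    if data.startswith(":fail:"):
        return ("fail", data[len(":fail:"):].strip())  # bounced (allow_fail)
    if data == ":blackhole:":
        return ("blackhole", "")          # accepted and silently discarded
    return ("deliver", [t.strip() for t in data.split(",") if t.strip()])

def dead_entries(users, domains):
    """Keys whose domain is not in virtual.domains: the router never sees them."""
    return sorted(k for k in users if k != "*"
                  and not domain_is_virtual(k.rpartition("@")[2], domains))

USERS = parse_lsearch(VIRTUAL_USERS)
DOMAINS = set(parse_lsearch(VIRTUAL_DOMAINS))
```

Call resolve("nobody@example.com", USERS, DOMAINS) from a Python shell to see the catch-all take effect, or replace the constructed strings with the contents of the real files; dead_entries() flags lines for domains the router will never handle.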

disable ipv6

To be able to send mail to providers like Google, you have to support IPv6 completely or not at all. So:

add to /etc/exim4/update-exim4.conf.conf

disable_ipv6='true'

add to /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1

restart the server

shutdown -r now

set some receivers to external mail accounts

  • edit /etc/aliases
  • change the entries to something you like, for example
root : you@yourDomain.com
  • then run
newaliases
  • perhaps you just need to allow root@your-domain.com as valid mail receiver

DoveCot

  • allow in your firewall, for example for ufw
ufw limit imap

or for firehol in /etc/firehol/firehol.conf

server imap accept

Don't forget

firehol start
  • install it
apt-get install dovecot-imapd
  • use same directory for mail as exim4:
vi /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
#mail_location = mbox:~/mail:INBOX=/var/mail/%u
/etc/init.d/dovecot restart
  • first test (look for "Dovecot ready")
telnet localhost 143
  • remote test (look for "Dovecot ready") from another computer
telnet <domain> 143
  • remote tls test
openssl s_client -connect <domain>:143 -starttls imap

folders below inbox

Attention: Only customize this for NEW servers where ALL mailboxes are NEW. Otherwise, use the same settings as the old server. Exception: if you know what you are doing :-)


If you want the folders junk, sent etc. below the inbox, do the following, but keep in mind that it is not possible to just copy mail/ or Maildir/ from another server AND change the separator etc.

vi /etc/dovecot/conf.d/10-mail.conf

search for "namespace inbox" and inside that scope change

separator = 

to

separator = /

Then open

vi /etc/dovecot/conf.d/15-mailboxes.conf

and have it look like

namespace inbox {

  #mailbox name {
    # auto=create will automatically create this mailbox.
    # auto=subscribe will both create and subscribe to the mailbox.
    #auto = no

    # Space separated list of IMAP SPECIAL-USE attributes as specified by
    # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
    #special_use =
  #}

  # These mailboxes are widely used and could perhaps be created automatically:
  mailbox inbox/Drafts {
    special_use = \Drafts
    auto=subscribe
  }
  mailbox inbox/Junk {
    special_use = \Junk
    auto=subscribe
  }
  mailbox inbox/Trash {
    special_use = \Trash
    auto=subscribe
  }

  # For \Sent mailboxes there are two widely used names. We'll mark both of
  # them as \Sent. User typically deletes one of them if duplicates are created.
  mailbox inbox/Sent {
    special_use = \Sent
    auto=subscribe
  }
  mailbox "inbox/Sent Messages" {
    special_use = \Sent
  }

  # If you have a virtual "All messages" mailbox:
  #mailbox virtual/All {
  #  special_use = \All
  #}

  # If you have a virtual "Flagged" mailbox:
  #mailbox virtual/Flagged {
  #  special_use = \Flagged
  #}

  mailbox inbox/Archive {
    special_use = \Archive
    auto=subscribe
  }
}

switch server

You can copy "mail" or "Maildir" directories from one server or account to the other. If you copy between servers, both locations must use the same prefix/separator, or you have to understand this: http://wiki2.dovecot.org/Namespaces or something like it. Whatever you do, after copying a Maildir, do

chown -R newUser:newUser Maildir

Spam Assassin

The following is from sysadmin world (http://sysadminwrld.blogspot.de/2012/01/integrating-spamassassin-with-exim4.html)

  • install spamassassin and the exim filter
apt-get install sa-exim  spamassassin
  • start on each boot: /etc/default/spamassassin
ENABLED=1 
  • start
service spamassassin start
  • in /etc/exim4/exim4.conf.template at the top in MAIN CONFIGURATION SETTINGS add:
local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so
  • enable the connector in /etc/exim4/sa-exim.conf. Please be careful, there are some lines with SAEximRunCond but only one with SAEximRunCond: 0. Comment this line out.
#SAEximRunCond: 0 

Logging:

SAEximDebug: 0
  • activate changes in /etc/exim4/exim4.conf.template
/usr/sbin/update-exim4.conf 
  • restart exim
/etc/init.d/exim4 restart

SquirrelMail

Webmail behind Apache2 authentication using system logins

  • install it
apt-get install squirrelmail squirrelmail-secure-login squirrelmail-compatibility squirrelmail-decode wngerman wamerican-large php-gettext php-xml-parser aspell spellutils emacsen-common php5-mhash aspell-doc ispell php5-common libapache2-mod-authnz-external
  • check /usr/share/squirrelmail/plugins/secure_login/functions.php ca. line 391, look for code like
if ( $serverPort == $targetHttpsPort && $secure_logoff_count == 0)

below that look for

 $location = 'http:// ....

If you find it, replace it with https. (It seems to be fixed in certain versions)

 $location = 'https:// ....
  • call /etc/squirrelmail/conf.pl

Options you will definitely need to check are: (use ports 25 and 143)

(Options are listed by main menu, then sub menu number. So "1 1" refers to option 1, sub option 1. And so on.)

  • 1 1 - Set your own organisation name.
  • 2 3 - SMTP
  • 2 A 4 - localhost
  • 2 A 5 - 143
  • 2 A 6 - login
  • 2 A 7 - false (we are local, if not, use true)
  • 2 A 8 - dovecot

Apache

link to /var/www

cd /var/www
ln -s /usr/share/squirrelmail


in /etc/apache2/ports.conf

  • disable all ports but 443, which depends on a module
  • activate the module
cd /etc/apache2/mods-enabled/
ln -s ../mods-available/ssl.load
ln -s ../mods-available/ssl.conf
  • enable authnz_external the easy way (both ways have the same result: a link)
a2enmod authnz_external 

in /etc/apache2/sites-available/110-squirrel-ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
    ServerName mail.yourdomain.de
    Alias /var/www/squirrelmail /usr/share/squirrelmail
    DocumentRoot /usr/share/squirrelmail/
    <Directory /usr/share/squirrelmail>
        Options Indexes FollowSymLinks
        <IfModule mod_php4.c>
            php_flag register_globals off
        </IfModule>
        <IfModule mod_php5.c>
            php_flag register_globals off
        </IfModule>
        <IfModule mod_dir.c>
            DirectoryIndex index.php
        </IfModule>
    </Directory>
    SSLEngine on
    SSLCertificateFile    /etc/exim4/exim.crt
    SSLCertificateKeyFile /etc/exim4/exim.key

    AddExternalAuth pwauth /usr/sbin/pwauth
    SetExternalAuthMethod pwauth pipe

    <Location />
        AuthBasicProvider external
        AuthExternal pwauth
        AuthName your-domain
        AuthType basic
        Require valid-user
    </Location>

    </VirtualHost>
</IfModule>

  • enable it
cd /etc/apache2/sites-enabled/
ln -s ../sites-available/110-squirrel-ssl.conf
  • remove the default
rm 000-default
  • restart apache
/etc/init.d/apache2 restart
  • allow https in your firewall

for example firehol:

server https accept

Plugins

  • get new plugins from http://www.squirrelmail.org/plugins.php and unzip them to /usr/share/squirrelmail/plugins/

and activate them with

/etc/squirrelmail/conf.pl

Check in /etc/php5/apache2/php.ini:

  • post_max_size
  • upload_max_filesize