Installation of Exim4, DoveCot, SquirrelMails
Original installation instructions
First of all, this is really just a composition of the links which I list at the bottom.
Goals
- Exim 4 on a debian 5.0 (6.x) virtual machine
- DoveCot as IMAP-Server
- SquirrelMails as WebInterface via self signed SSL
- The whole thing for two domains at once
Exim 4
apt-get install exim4-daemon-heavy eximon4 exim4-doc-info gnutls-bin openssl file libmail-spf-query-perl swaks bsd-mailx ca-certificates dpkg-reconfigure exim4-config
- ::1 is 127.0.0.1 in ip6
- not mbox but maildir!
- split files
- Error: socket bind() to port 25 for address ::1 failed: Cannot assign requested address: daemon abandoned
- redo "dpkg-reconfigure exim4-config" but don't use ::1
- Test the server with
echo "hello" | mail -s "a test email" yourMail@yourDomain.com
- Read mail with
TLS for SMTP
- install openssl (for certificate) and swaks (for tests) and libnet-ssleay-perl
apt-get install openssl swaks libnet-ssleay-perl
- create the certificat (change DAYS depending on your wishes)
/usr/share/doc/exim4-base/examples/exim-gencert
- create file /etc/exim4/conf.d/main/001_local with
MAIN_TLS_ENABLE = 1
- test the server with
swaks -f yourMail@YourDomain.com -t yourMail@YourDomain.com -tls -s localhost
DoveCot
- Install it
apt-get install dovecot-imapd
- edit /etc/dovecot/dovecot.conf
protocols = imap sieve mail_location = maildir:~/mail
- and perhaps, not sure about it
# Number of authentication processes to create count = 1
This will set ~/mail/ as the directoy for the mail
- require ssl in conf.d/10-ssl.conf
ssl = required
LDA
Search for "protocol lda" and enable the following code
grep -r lda /etc/dovecot/*
protocol lda {
postmaster_address = postmaster@<yourDomain.com>
mail_plugins = sieve
}
Disable plaintext authentication
Uncomment
#disable_plaintext_auth = yes
Enable the authenticator socket
Look for this line in the default configuration, and uncomment the socket section below it.
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0600
}
client {
path = /var/run/dovecot/auth-client
mode = 0666
}
}
- restart dovecot
Create a Dovecot transport for Exim
- create /etc/exim4/conf.d/transport/20_dovecot
dovecot: driver = pipe command = /usr/lib/dovecot/deliver message_prefix = message_suffix = log_output delivery_date_add envelope_to_add return_path_add temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
Configure Exim to use the Dovecot transport for local deliveries
I am not sure about this. I think you should not use it !
- edit /etc/exim4/conf.d/router/900_exim4-config_local_user
change
transport = LOCAL_DELIVERY
to
transport = dovecot
- edit /etc/exim4/conf.d/auth/30_exim4-config_examples (or if know where to do it right...) and add
plain: driver = dovecot public_name = PLAIN server_socket = /var/run/dovecot/auth-client server_set_id = $auth1 login: driver = dovecot public_name = LOGIN server_socket = /var/run/dovecot/auth-client server_set_id = $auth1
- make sure other plain/login sections are disabled
Apache 2
- install it
apt-get install apache2 apache2-doc
- enable SSL
a2enmod ssl
- diable http site
a2dissite default
- enable https site
a2ensite default-ssl
- Edit the file /etc/apache2/ports.conf. Comment out the following two lines:
NameVirtualHost *:80 Listen 80
- edit /etc/apache2/sites-available/default-ssl
from
<VirtualHost _default_:443>
to
<VirtualHost *:443>
- set the ServerName sub.domain.xx (/etc/apache2/sites-available/default-ssl)
- restart apache
- connect to https://domain (don't forget your firewall)
Point to new certs
edit /etc/apache2/sites-enabled/default-ssl (or whatever you use) change
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
to
SSLCertificateFile /etc/exim4/exim.crt SSLCertificateKeyFile /etc/exim4/exim.key
Configure Apache to authenticate local users (not working for Debian 5 - only from 6 !)
- install it
apt-get install libapache2-mod-authnz-external
- activate it
a2enmod authnz_external
Edit /etc/apache2/sites-available/default-ssl and add a block like this near to the top. (There's a full example configuration file you can see below).
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
<Location />
AuthBasicProvider external
AuthExternal pwauth
AuthName Hinterlands
AuthType basic
Require valid-user
</Location>
Restart Apache and reload the page you visited before, and you should now be prompted for your username and password. Everything transmitted is encrypted, so you should feel reasonable secure in sending your credentials along, browsers caches and password managers excepted.
SquirrelMail
- install it
apt-get install squirrelmail squirrelmail-secure-login squirrelmail-compatibility squirrelmail-decode avelsieve wngerman wamerican-large php-gettext php-xml-parser aspell spellutils emacsen-common php5-mhash aspell-doc ispell
- check /usr/share/squirrelmail/plugins/secure_login/functions.php ca. line 391, look for code like
if ( $serverPort == $targetHttpsPort && $secure_logoff_count == 0)
below that look for
$location = 'http:// ....
If you find it, replace it with
$location = 'https:// ....
- call /etc/squirrelmail/conf.pl
Options you will definitely need to check are:
(Options are listed by main menu, then sub menu number. So "1 1" refers to option 1, sub option 1. And so on.) Use ports 25 and 143.
- 1 1 - Set your own organisation name.
- 2 3 - SMTP
- 2 A 4 - localhost
- 2 A 5 - 25
- 2 A 6 - login
- 2 A 7 - true
- 2 A 8 - dovecot
Plugins
- get new plugins from [1] and unzip them to /usr/share/squirrelmail/plugins/
and activate them with
/etc/squirrelmail/conf.pl
Check in /etc/php5/apache2/php.ini:
- post_max_size
- upload_max_filesize
Tests
openssl s_client -connect 127.0.0.1:993 -showcerts echo "hello" | mail -s "a test email" yourMail@yourDomain.com swaks -f yourMail@YourDomain.com -t yourMail@YourDomain.com -tls -s localhost
pk12
- create a pk12 key:
openssl pkcs12 -export -in /etc/exim4/exim.crt -inkey /etc/exim4/exim.key \ -out <your-domain>.p12 -name "<something to recognize>"
Thunderbird
Perhaps you will have to give Thunderbird wrong data when you create the account. Tell him the real ports, but protocols and passwords are plain. No idea, why I had to do that.
Spam Assassin
the following is from sysadmin world
- install spamassassin and the exim filter
apt-get install sa-exim spamassassin
- start on each boot: /etc/default/spamassassin
ENABLED=1
- start
service spamassassin start
- in /etc/exim4/exim4.conf.template at the top in MAIN CONFIGURATION SETTINGS add:
local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so
- enable the connector in /etc/exim4/sa-exim.conf. Please be careful, there are some lines with SAEximRunCond but only one with SAEximRunCond: 0. Comment this line out.
#SAEximRunCond: 0
Logging:
SAEximDebug: 0
- activate changes in /etc/exim4/exim4.conf.template
/usr/sbin/update-exim4.conf
- restart exim
/etc/init.d/exim4 restart
Dovecot certificate recreate
- create key
openssl genrsa -out /etc/ssl/private/dovecot.pem 1024
- create cert
openssl req -new -x509 -key /etc/ssl/private/dovecot.pem -out /etc/ssl/certs/dovecot.pem -days 4500
Outlook
In the dovecot config file make sure you have allowed "login"
mechanisms = plain login
Links
- Handling mail for multiple virtual domains with exim4
- DebianEximDovecotSquirrelmailSieve - Hinterlands
- Integrating SpamAssassin with Exim4
- How to renew the SSL certificate for dovecot on Ubuntu Linux
- Debian mit Postfix und Dovecot mag Outlook nicht
New installation instructions (Debian 7 Wheezy) work in progress (again)
Goals
- Using Debian 7 Wheezy
- Exim 4 as mail server
- Using self created certificate
- Dovecot for imap access
- SquirrelMail as web client
- SpamAssassin for spam filtering
- Access from
- Thunderbird
- (todo) Outlook (which one?)
- (todo) Backup of mails to a different system
- virtual users
Exim 4
install
We will use the heavy version to be able to later integrate SpamAssassin.
apt-get install exim4-daemon-heavy
If you can start programs with X-Server, you would like to get geximon:
apt-get install geximon xauth
Remember to ssh with "-X" or "ForwardX11 yes" in your config
paniclog
If you get paniclog entries like "address already in use", find out about the other process with
netstat -lnp | grep 25
Chances are, it is something about sendmail. Do
which sendmail
and "ls -l" on the result like
ls -l /usr/sbin/sendmail
or just (ticks, not single quotes)
ls -l `which sendmail`
Chances are, it is a link to exim4 and the installation went wrong. Happens every time for me. Remove the paniclog and restart the server. Check the log /var/log/exim4/mainlog
If it is not the above, perhaps you need to remove the sendmail(-bin) package.
validating
Have a look at the ports:
netstat -apn | grep exim
If you have exim4 listen on port 25, you should be ok.
- add at least one local user so you can set him as receiver for postmaster etc in the next step
Now you should reconfigure exim4
dpkg-reconfigure exim4-config
- internet site
- accept the domain name if you don't know better
- IP addresses to listen to:
- leave this empty ore make sure you include the external ip
- ::1 the IP6 variant, if you keep this empty, don't bother now
- final destination: your domains
- domains to relay for: normally none (empty)
- machines to relay for: normally none (empty)
- DNS queries minimal: your choice (default: no)
- delivery method: maildir in home directory
- split: your choice (default: no) The main difference is, where will you later put your modifications
- non-slit: /etc/exim4/exim4.conf.localmacros
- split: /etc/exim4/conf.d/main/000_localmacros
- root/postmaster: select the above created user, should really read his mail
Now send a mail:
echo Hello You | mail <user>@<OTHER-domain> -s test-1
You should receive the mail at your account at the OTHER domain.
open firewall
If you have a firewall, open it for incoming at port 25. For example ufw:
ufw allow smtp
or firehol in /etc/firehol/firehol.conf
server smtp accept
TLS for SMTP
- install openssl (for certificate) and swaks (for tests) and libnet-ssleay-perl
apt-get install openssl swaks libnet-ssleay-perl
- edit the cert creation script, check at least the DAYS value. 7300 would be 20 years.
vi /usr/share/doc/exim4-base/examples/exim-gencert
- execute the script
/usr/share/doc/exim4-base/examples/exim-gencert
- create file /etc/exim4/exim4.conf.localmacros (non-split!) with
MAIN_TLS_ENABLE = 1
- reload exim
/etc/init.d/exim4 reload
- test it locally
swaks -f yourMail@YourDomain.com -t yourMail@YourDomain.com -tls -s localhost
- What would be bad:
Host did not advertise STARTTLS
sasl for system login
Currently we want system users and system user passwords, so we use SASL:
- install it
apt-get install sasl2-bin
- enable for system restart in /etc/default/saslauthd
START=yes
- add exim user to sasl group
adduser Debian-exim sasl
- start sasl
/etc/init.d/saslauthd start
enable exim to ask clients for passwords if they want to SEND mails
in /etc/exim4/exim4.conf.template enable the following 2 sections
plain_saslauthd_server:
driver = plaintext
public_name = PLAIN
server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
login_saslauthd_server:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
# don't send system passwords over unencrypted connections
server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
- activate it
update-exim4.conf && /etc/init.d/exim4 reload
- now try for example to send a mail with Thunderbird, you should get asked to accept the certificate and give the password
virtual users
Source: https://www.organicdesign.co.nz/Configure_mail_server#Setting_up_mail_users
in exim4.conf.template set domainlist to
domainlist local_domains = @ : @[] : localhost : partial-lsearch;/etc/exim4/virtual.domains
in section "real_local" add
virtual:
driver = redirect
allow_defer
allow_fail
data = ${lookup{$local_part@$domain}lsearch*@{/etc/exim4/virtual.users}}
domains = partial-lsearch;/etc/exim4/virtual.domains
retry_use_local_part
create the file /etc/exim4/virtual.domains
example.com example.net
reload settings
update-exim4.conf && /etc/init.d/exim4 reload
change /etc/exim4/virtual.users, you don't have to restart the server for this
regularuser@example.com : localuser@localhost forwardinguser@example.com : someuser@example.org foo@example.com : :fail: Foo no longer lives here. bar@example.com : :blackhole: *@example.com : catchall1@localhost
regularuser@example.net : localuser2@localhost forwardinguser@example.net : someuser2@example.org *@example.net : catchall2@localhost
If you have the local user smith but you want only to allow smith to get mail via huber@example.com, then use the following pattern:
huber@example.com : smith@localhost *@example.com : :fail: Your message
DoveCot
- allow in your firewall, for example for ufw
ufw limit imap
or for firehol in /etc/firehol/firehol.conf
server imap accept
Don't forget
firehol start
- install it
apt-get install dovecot-imapd
- use same directory for mail as exim4:
vi /etc/dovecot/dovecot.conf
mail_location = maildir:~/Maildir #mail_location = mbox:~/mail:INBOX=/var/mail/%u
/etc/init.d/dovecot restart
- first test (look for "Dovecot ready")
telnet localhost 143
- remote test (look for "Dovecot ready") from another computer
telnet <domain> 143
- remote tls test
openssl s_client -connect <domain>:143 -starttls imap
Spam Assassin
the following is from sysadmin world
- install spamassassin and the exim filter
apt-get install sa-exim spamassassin
- start on each boot: /etc/default/spamassassin
ENABLED=1
- start
service spamassassin start
- in /etc/exim4/exim4.conf.template at the top in MAIN CONFIGURATION SETTINGS add:
local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so
- enable the connector in /etc/exim4/sa-exim.conf. Please be careful, there are some lines with SAEximRunCond but only one with SAEximRunCond: 0. Comment this line out.
#SAEximRunCond: 0
Logging:
SAEximDebug: 0
- activate changes in /etc/exim4/exim4.conf.template
/usr/sbin/update-exim4.conf
- restart exim
/etc/init.d/exim4 restart
SquirrelMail
WebMail behind Apache2 authentication depending on logins
- install it
apt-get install squirrelmail squirrelmail-secure-login squirrelmail-compatibility squirrelmail-decode wngerman wamerican-large php-gettext php-xml-parser aspell spellutils emacsen-common php5-mhash aspell-doc ispell php5-common libapache2-mod-authnz-external
- check /usr/share/squirrelmail/plugins/secure_login/functions.php ca. line 391, look for code like
if ( $serverPort == $targetHttpsPort && $secure_logoff_count == 0)
below that look for
$location = 'http:// ....
If you find it, replace it with https. (It seems to be fixed in certain versions)
$location = 'https:// ....
- call /etc/squirrelmail/conf.pl
Options you will definitely need to check are: (use ports 25 and 143)
(Options are listed by main menu, then sub menu number. So "1 1" refers to option 1, sub option 1. And so on.)
- 1 1 - Set your own organisation name.
- 2 3 - SMTP
- 2 A 4 - localhost
- 2 A 5 - 143
- 2 A 6 - login
- 2 A 7 - false (we are local, if not, use true)
- 2 A 8 - dovecot
Apache
link to /var/www
cd /var/www ln -s /usr/share/squirrelmail
in /etc/apache2/ports.conf
- disable all ports but 431 which depends on a module
- activate the module
cd mods-enabled/ ln -s ../mods-available/ssl.load ln -s ../mods-available/ssl.conf
- enable authnz_external the easy way (both ways have the same result: a link)
a2enmod authnz_external
in /etc/apache2/sites-availabe/110-squirrel-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName mail.funiaita.de
Alias /var/www/squirrelmail /usr/share/squirrelmail
DocumentRoot /usr/share/squirrelmail/
<Directory /usr/share/squirrelmail>
Options Indexes FollowSymLinks
<IfModule mod_php4.c>
php_flag register_globals off
</IfModule>
<IfModule mod_php5.c>
php_flag register_globals off
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>
</Directory>
SSLEngine on
SSLCertificateFile /etc/exim4/exim.crt
SSLCertificateKeyFile /etc/exim4/exim.key
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
<Location />
AuthBasicProvider external
AuthExternal pwauth
AuthName your-domain
AuthType basic
Require valid-user
</Location>
</VirtualHost>
</IfModule>
Plugins
- get new plugins from [2] and unzip them to /usr/share/squirrelmail/plugins/
and activate them with
/etc/squirrelmail/conf.pl
Check in /etc/php5/apache2/php.ini:
- post_max_size
- upload_max_filesize
