How to set up an email server with postfix/cyrus

[cach0rr0]

i hate conference calls. but i have one in 15, so i have to be brief. Man, weekend needs to come fast, this week has been insane.

You may want to fix the com0 for those who find this by way of a search or google.

done.

..and no I couldn't get there. It sat at "Trying..." and never made it. Do you think that 587 would be blocked? Do you know of anyone that would be using it that I could test it at?

offhand no, i could probably set mine up to do that in a little bit

I don't suppose that's an easy thing to set up for one domain? Would it be a problem to post an example?

actually very easy
set

Code: Select all

transport_maps = hash:/etc/postfix/transport

in main.cf
then edit /etc/postfix/transport to have e.g.

Code: Select all

destination.com smtp:[mxhost.destination.com]:587

note the square brackets are important. Too long to explain, but you DO need them (having them bypasses any DNS lookup for that domain). The above says "do not look up an MX in DNS, send direct to 'mxhost.destination.com', do not pass go, etc. Of course, if you omitted them, you would want to do something like

Code: Select all

destination.com smtp:destination.com:587

which says "look up the MX for destination.com, and connect to it on port 587

You've been a great help. Maybe some day I'll be able to find a way to get around the service provider issue. I suspect it will cost me, though. I guess I should open port 25 to see if I can telnet home, if that's blocked as well. Anyways, I have a working system now and if I were able to use it on an open network of a friends or something, I'll be able to set up mail for them. More specifically on BOINC (seti@home, milkyway@home, etc...) I'm on a team (SETI.USA) that's trying to get an email blast setup to send mail to a team email list.

short answer: I'm paying $120/mo to comcast for guaranteed 16/2 (though i normally get 40/5.5), and 5 static IP's (i can set PTR records, too). I look at it this way, to run the VPS's I'd need for what I do, plus maintaining a residential connection at home, it would cost at least that, probably more. Much better running VPS's at home with the caveat being, if power at my house goes down, or my connection temporarily drops out, mail/web/vpn/otherstuff drops off whereas on a VPS it would stay up. I'll take that risk in exchange for the control i have (plus, none of that comcast 200GB/mo quota nonsense)

[cach0rr0]

now that I'm off that bloody call, a few more points

-587 is very likely NOT blocked
-the other advantage to a "business class" line, is that your IP won't be listed on any DNS blacklists/RBL's, whereas dynamic, residential comcast IP's, are all listed on, for example, Spamhaus PBL (which is used in the Spamhaus ZEN list....which, is a very, very, very widely used list, if you're on the PBL, few corporate mail servers are going to accept mail from your home IP, and any servers that use zen.spamhaus.org are going to block mail from your IP). Also, for the business customers, theyre rolling out DOCCIS 3, which I plan on moving to sooner rather than later (i think it's free?).

no, i dont work for comcast
i made this move because i was pissed at being blacklisted, and although they dont block 25 in my area, i was worried they might at some point. I'd have moved to another provider if there was one available that fit my needs, but there isn't, and this ultimately ended up being the most cost-effective path for me

[trigggl]

I'm getting the following message in my imapd.conf

Oct 21 10:18:26 stephie lmtpunix[26273]: IOERROR: fstating sieve script /var/imap/sieve/domain/s/setiusa.webhop.org/s/setiusa-join/defaultbc: No such file or directory

Is this something I should be concerned about? Should I just create the /var/imap/sieve/domain directory?

[cach0rr0]

unless you plan on setting up sieve scripts, i wouldnt worry about it
i dont use them. maybe i should, but sieve is one "language" i just cant be bothered learning.

[cach0rr0]

Hi guys - Just a quick heads up!

I've updated the ebuild for cyrus-imapd-2.4.12 since there was the GLSA/vuln published for prior versions

http://www.gentoo.org/security/en/glsa/ ... 110-16.xml

I have not tested it other than "it patches and compiles without issue" (see note, it's actually not "without issue)". I upgraded my production box for this maybe 5 minutes ago, and will holler if anything catches fire. I don't expect anyone else to be an "early adopter", I am guinea pigging it, and at least this way with me going first I will know if "issues" that pop up are related to these patches, or just related to new cyrus without patches, or unrelated at all.

NOTE: in order for this to build cleanly, you have to have 'sieve' enabled in your USE, otherwise there are files missing, and although things patch correctly, the build fails with:

Code: Select all

x86_64-pc-linux-gnu-gcc -c -I.. -I./../lib -I../com_err/et  -I/usr/include/mysql -I/usr/include/db4.8   -DHAVE_CONFIG_H  -march=native -O2 -pipe \
autosieve.c
<irrelevant stuff snipped>
autosieve.c:27:29: fatal error: sieve_interface.h: No such file or directory

So, even if you dont use sieve, for now, USE="${USE} sieve" anyway I will spend more time figuring out a "correct" way of handling this at some point, but right now I am full of mucus, and feel like resting.


Ebuild snagged here:

http://whitehathouston.com/downloads/ge ... .12.ebuild

and pasted text in case for some reason I die or my server goes down:

Code: Select all

# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-mail/cyrus-imapd/cyrus-imapd-2.4.12.ebuild,v 1.6 2011/10/11 19:04:16 jer Exp $

EAPI=4

inherit db-use eutils flag-o-matic ssl-cert pam multilib

MY_P=${P/_/}

DESCRIPTION="The Cyrus IMAP Server."
HOMEPAGE="http://www.cyrusimap.org/"
AUTOCREATE_VER="0.10-0"
AUTOSIEVE_VER="0.6.0"
AUTOCREATE_PATCH="${PN}-2.4.4-autocreate-${AUTOCREATE_VER}.patch"
AUTOSIEVE_PATCH="${P}-autosieve-${AUTOSIEVE_VER}.patch"
SRC_URI="ftp://ftp.cyrusimap.org/cyrus-imapd/${MY_P}.tar.gz
        autocreate? ( http://www.vx.sk/download/patches/cyrus-imapd/${AUTOCREATE_PATCH} )
        autosieve? ( http://www.vx.sk/download/patches/cyrus-imapd/${AUTOSIEVE_PATCH} )"

LICENSE="as-is"
SLOT="0"
KEYWORDS="amd64 ~arm hppa ~ia64 ppc ppc64 sparc x86"
IUSE="autocreate autosieve afs berkdb kerberos mysql nntp pam postgres replication sieve snmp sqlite ssl tcpd"

RDEPEND="sys-libs/zlib
        >=dev-libs/cyrus-sasl-2.1.13
        afs? ( net-fs/openafs )
        berkdb? ( >=sys-libs/db-3.2 )
        kerberos? ( virtual/krb5 )
        mysql? ( virtual/mysql )
        nntp? ( !net-nntp/leafnode )
        pam? (
                        virtual/pam
                        >=net-mail/mailbase-1
                )
        postgres? ( dev-db/postgresql-base )
        snmp? ( >=net-analyzer/net-snmp-5.2.2-r1 )
        sqlite? ( dev-db/sqlite )
        ssl? ( >=dev-libs/openssl-0.9.6 )
        tcpd? ( >=sys-apps/tcp-wrappers-7.6 snmp? ( net-analyzer/net-snmp[tcpd=] ) )"

DEPEND="$RDEPEND"

# get rid of old style virtual - bug 350792
# all blockers really needed?
RDEPEND="${RDEPEND}
        !mail-mta/courier
        !net-mail/bincimap
        !net-mail/courier-imap
        !net-mail/uw-imap"

REQUIRED_USE="afs? ( kerberos )"

S=${WORKDIR}/${MY_P}

pkg_setup() {
        enewuser cyrus -1 -1 /usr/cyrus mail
}

src_prepare() {
        # Apply autocreate and autosieve patches if USE enabled
        if use autocreate ; then
                epatch "${DISTDIR}/${AUTOCREATE_PATCH}" || die "epatch failed"
        fi
        #build failure without both 'sieve' AND 'autosieve' in USE. Latter depends on former
        if use sieve ; then
                if use autosieve ; then
                        epatch "${DISTDIR}/${AUTOSIEVE_PATCH}" || die "epatch failed"
                fi
        fi
        # Fix master(8)->cyrusmaster(8) manpage.
        for i in `grep -rl -e 'master\.8' -e 'master(8)' "${S}"` ; do
                sed -i -e 's:master\.8:cyrusmaster.8:g' \
                        -e 's:master(8):cyrusmaster(8):g' \
                        "${i}" || die "sed failed" || die "sed failed"
        done
        mv man/master.8 man/cyrusmaster.8 || die "mv failed"
        sed -i -e "s:MASTER:CYRUSMASTER:g" \
                -e "s:Master:Cyrusmaster:g" \
                -e "s:master:cyrusmaster:g" \
                man/cyrusmaster.8 || die "sed failed"

        # do not strip
        sed -i -e '/(INSTALL/s/-s //' "${S}"/imtest/Makefile.in

        # correct afs include and liblwp.a directory
        sed -i -e '/I${with_afs_incdir/s/\/include//' \
                -e '/liblwp/s/liblwp/afs\/liblwp/' \
                "${S}"/configure{,.in} || die
        # same with lock.h
        sed -i -e '/lock.h/s:lock.h:afs/lock.h:' \
                ptclient/afskrb.c || die
        # libcom_err.a to libafscom_err.a
        sed -i -e '/afs\/libcom_err.a/s:libcom_err.a:libafscom_err.a:' \
                configure{,.in} || die
}

src_configure() {
        local myconf
        if use mysql ; then
                myconf=$(mysql_config --include)
                myconf="--with-mysql-incdir=${myconf#-I}"
        fi
        if use afs ; then
                myconf+=" --with-afs-libdir=/usr/$(get_libdir)"
                myconf+=" --with-afs-incdir=/usr/include/afs"
        fi
        if use berkdb ; then
                myconf+=" --with-bdb-incdir=$(db_includedir)"
        fi
        econf \
                --enable-murder \
                --enable-netscapehack \
                --enable-idled \
                --with-service-path=/usr/$(get_libdir)/cyrus \
                --with-cyrus-user=cyrus \
                --with-cyrus-group=mail \
                --with-com_err=yes \
                --with-sasl \
                --without-perl \
                --without-krb \
                --without-krbdes \
                --with-zlib \
                $(use_enable afs) \
                $(use_enable afs krb5afspts) \
                $(use_with berkdb bdb) \
                $(use_enable nntp) \
                $(use_enable replication) \
                $(use_enable kerberos gssapi) \
                $(use_with mysql) \
                $(use_with postgres pgsql) \
                $(use_with sqlite) \
                $(use_with ssl openssl) \
                $(use_enable sieve) \
                $(use_with snmp) \
                $(use_with tcpd libwrap) \
                ${myconf}
}

src_install() {
        emake DESTDIR="${D}" install

        # file collision - bug #368245
        if ! use nntp ; then
                rm "${D}"/usr/share/man/man8/fetchnews.8*
        fi

        dodoc README*
        dohtml doc/*.html doc/murder.png
        docinto text
        dodoc doc/text/*
        cp doc/cyrusv2.mc "${D}/usr/share/doc/${PF}/html"
        cp -r contrib tools "${D}/usr/share/doc/${PF}"
        rm -f doc/text/Makefile*

        insinto /etc
        doins "${FILESDIR}/cyrus.conf" "${FILESDIR}/imapd.conf"

        # turn off sieve if not installed
        if ! use sieve; then
                sed -i -e "/sieve/s/^/#/" "${D}/etc/cyrus.conf" || die
        fi

        newinitd "${FILESDIR}/cyrus.rc6" cyrus
        newconfd "${FILESDIR}/cyrus.confd" cyrus
        newpamd "${FILESDIR}/cyrus.pam-include" sieve

        for subdir in imap/{,db,log,msg,proc,socket,sieve} spool/imap/{,stage.} ; do
                keepdir "/var/${subdir}"
                fowners cyrus:mail "/var/${subdir}"
                fperms 0750 "/var/${subdir}"
        done
        for subdir in imap/{user,quota,sieve} spool/imap ; do
                for i in a b c d e f g h i j k l m n o p q r s t v u w x y z ; do
                        keepdir "/var/${subdir}/${i}"
                        fowners cyrus:mail "/var/${subdir}/${i}"
                        fperms 0750 "/var/${subdir}/${i}"
                done
        done
}

pkg_postinst() {
        # do not install server.{key,pem) if they exist.
        if use ssl ; then
                if [ ! -f "${ROOT}"etc/ssl/cyrus/server.key ]; then
                        install_cert /etc/ssl/cyrus/server
                        chown cyrus:mail "${ROOT}"etc/ssl/cyrus/server.{key,pem}
                fi
        fi

        elog "For correct logging add the following to /etc/syslog.conf:"
        elog "    local6.*         /var/log/imapd.log"
        elog "    auth.debug       /var/log/auth.log"
        echo

        elog "You have to add user cyrus to the sasldb2. Do this with:"
        elog "    saslpasswd2 cyrus"
}

ALSO: for anyone that cares, I'm writing something I will never use, for shits and giggles - a crudely done "pretty-ish" UI for handling all of the user/domain creation stuff. Work in progress, going to add support for routing overrides in the near future, and update the doc to reflect as much. http://whitehathouston.com/testcode is downloadable stuff (doc explains which is which), but not the latest, http://whitehathouston.com/yapmi is the latest, but not downloadable.

[audiodef]

in case for some reason I die

No! Forbidden! You can not!

ALSO: for anyone that cares, I'm writing something I will never use, for shits and giggles - a crudely done "pretty-ish" UI for handling all of the user/domain creation stuff. Work in progress, going to add support for routing overrides in the near future, and update the doc to reflect as much. http://whitehathouston.com/testcode is downloadable stuff (doc explains which is which), but not the latest, http://whitehathouston.com/yapmi is the latest, but not downloadable.

That sounds cool, actually. I'll try to give it a whirl at some point.

[audiodef]

Came across this today: http://thewalter.net/stef/software/clam ... stfix.html

Might be useful to integrate it into the howto.

[cach0rr0]

basically the same steps there that one would use for integrating amavisd-new

Might add a link for it, dunno that id include any piece of that actual HOWTO.

First I need to get a new laptop, one that has its O key intact. I'm currently hitting the little rubber nipple directly.

[audiodef]

I have a phpbb board for which I want to enable new user self-validation via email. I'm having trouble getting this to work and I'm not sure why. I've set the email settings like so:

SMTP settings

Use SMTP server for e-mail: yes

SMTP server address: audiodef.com (which is what I use in my mail client and this works)

SMTP server port: I've tried both 587 and 995

Authentication method for SMTP: Tried both plain and login (other options are cram and md5, which I don't use in my mail clients, so I figure they don't apply here, either)

SMTP username/pass: I enter a webmaster account for this, no typos

I thought I'd post this here first to make sure it's not just me using incorrect mail server settings. I have not gotten phpbb to send out a validation email yet.

[cach0rr0]

a few quick things - sorry so late, very busy times 'round these parts !

-do the connection attempts from your web server even show up in mail.log ? debug_peer might be useful.
-smtpd_tls_auth_only means that you cannot do AUTH, nor will the extension even be advertised, unless the connecting host first establishes a TLS-enabled session (i.e. via STARTTLS).
-if your web server, where you have this phpbb instance, is included in $mynetworks, you shouldn't need to auth. I would of course avoid doing such a thing if you had your site on some kind of shared hosting environment where the unwashed masses were hosted on your same IP, but for your own server that shouldn't be an issue.

I'll tick the 'notify me' box on this one, otherwise I'll never notice a new post has been made
My world isn't going to be calm for at least another few months. In the good sense, all work stuff, big great things happening for me there, but those big great things mean a time vortex.

[audiodef]

Thanks for your as-usual in-depth and helpful advice.

How do I get postfix to have it's own mail log? Right now, it gets dumped into /var/log/messages, which can be a pain to grep through.

I finally grokked what you said about not needing auth if it's all on the same server, so I disabled phpBB's "use smtp for mail" and replaced "mail" with "sendmail" in the local mail function box. This is what succeeded.

So what great, big things are happening? Good stuff, I hope.

[cach0rr0]

How do I get postfix to have it's own mail log? Right now, it gets dumped into /var/log/messages, which can be a pain to grep through.

that's a function of syslog, so you could either edit syslog's configuration to put the mail target into a different file, OR, if youre using syslog-ng, just re-merge it with USE="hardened", and when it's restarted everything - not just mail - should start going to a nicely organized individual log file, in the case of postfix/cyrus, to /var/log/mail.(log|err)

So what great, big things are happening? Good stuff, I hope.

all very good stuff! But the sort that has me running around at a fever pitch doing those 4-hour-sleep nights regularly. Glad I live next door to a coffee shop. About 2 weeks away from my little startup finalizing a really big deal for us - then comes an entirely new kind of chaos.

[audiodef]

I thought I had syslog-ng on hardened, since I knew about that, but I it wasn't. Well, that's fixed now.

Nice. I wish you all the best with the good stuff, busy coffee-laced schedule notwithstanding.

[whatalotta]

Hi cach0rr0,

Thanks for a great HowTo! I tried the official Gentoo Virtual Mail Server and even with a lot of googling and searching in the forums, I couldn't get past the "Relay Access Denied" errors when trying to receive on my virtual domains (although the domain in mydestination worked fine).

The only difficulty I had with your instructions was in the adding domains section. I created the table in mysql, created virtual_domain_lookup.cf, added the virtual domains to the new table and changed virtual_mailbox_domains = drumm1.ath.cx, like.webhop.org to read virtual_mailbox_domains = mysql:/etc/postfix/virtual_domain_lookup.cf. Unfortunately, my virtual domains started giving me the "Relay Access Denied" error upon testing receive functionality. I think it might have worked if I had understood what you meant by "(adjust your SQL lookups accordingly!). I went back to virtual_mailbox_domains = drumm1.ath.cx, like.webhop.org and bingo -- everything worked!

Thanks, and good luck with the start-up!
-w

[cach0rr0]

Hi cach0rr0,

Thanks for a great HowTo! I tried the official Gentoo Virtual Mail Server and even with a lot of googling and searching in the forums, I couldn't get past the "Relay Access Denied" errors when trying to receive on my virtual domains (although the domain in mydestination worked fine).

The only difficulty I had with your instructions was in the adding domains section. I created the table in mysql, created virtual_domain_lookup.cf, added the virtual domains to the new table and changed virtual_mailbox_domains = drumm1.ath.cx, like.webhop.org to read virtual_mailbox_domains = mysql:/etc/postfix/virtual_domain_lookup.cf. Unfortunately, my virtual domains started giving me the "Relay Access Denied" error upon testing receive functionality. I think it might have worked if I had understood what you meant by "(adjust your SQL lookups accordingly!). I went back to virtual_mailbox_domains = drumm1.ath.cx, like.webhop.org and bingo -- everything worked!

Thanks, and good luck with the start-up!
-w

sorry so late a reply, been on the road

"adjust your sql lookups accordingly" i just meant to make sure whatever you put in /etc/postfix/virtual_domain_lookup.cf for your query, matches e.g. the table names, column names, etc, you'd created in the step above

which goes to the next point; apparently I provided an example virtual_domain_lookup.cf that will not work with the example table I provided.

where i have:

Code: Select all

query = SELECT email from domainlist where domain='%d'

I should have:

Code: Select all

query = SELECT domain from domainlist where domain='%d'

I've updated the doc to reflect this. The relay error was likely because the mysql lookup was looking for the domain in a column named 'email', when no such column exists in the 'domainlist' table. Since nothing was returned by the query, postfix assumed the domain was not found, ergo it was seen as an illegal relay attempt.

If it finds the domain (represented by '%d') in the 'domain' column of the 'domainlist' table, it allows the relay.

NB: unless you want multiple domains served by this, you dont need to go the mysql route for your virtual domains.

[audiodef]

I've been using Claws Mail. I like it a lot, except for one thing: it appears not to do anything when I select Options -> Request Return Receipt before sending a message.

Does Claws Mail use DSN or MDN for return receipts? How can I make either of these work? I'm posting this here because I'm wondering if this has to do with my postfix setup, which was done according to the how-to in this thread.

Since I run my own mail server, this would be a very useful function for me, as opposed to checking the server logs every time I want to verify a message was successfully delivered.

I'm also open to other ways of receiving DSNs or MDNs, if anyone has such suggestions.

[ChrisJumper]

Little Offtopic:

Before i follow your How-To..

- Could i use/integrate Roundcube as Webfrontend?
- Is this a solution for collecting all/much emails for multiple Accounts from different Mailhosters?
(This off Course could be done with IMAP and E-Mail forwarding, but i would prefer a single Point of interact and Collecting).
- Or did the Postfix/Cyrus just handle my Domain and its as MTA?

EDIT Ok, the Cyrus and Postfix Service is really easy to use with a roundcube Webfrontend. So now i am really lucky to got that worked. Just one thing on that guide did not work for me as expected. The magic autocreation of the new INBOX ad co. The Useflags have changed and i think that you have to add "sieve" to it. Even with it the autocreation fails. I activate in roundecube that the first logged in Users, roundcube will autocreate INBOX, Sent, Trash and Junk.

Since i just checked this with roundecube it could work with other imap-Mail Clients. After create this Folders the service work as expected.

Since i am new to cyrus i don't know how to use or configure and use net-mail/cyrus-imap-admin. Would be nice if your great hwoto could add some aspect there. Since you add an admins in your /etc/imap.conf i never could connect as admin to my cyrus.. even if i add this user with a pass in the mysql database. I suppose that the cyrus user have to exist on the system as user and should be able to login as user. Both login with cyadm as root or as cyrus did not work. :/

Thinks ill do is to spent some time to HASH, salt and pepper the Passworts in the ICMP Databse or find a good way to allow connections via SSL from Outside. And roundcube would love to use a icmp-proxy inside to speed up the connections..?

- Is this a solution for collecting all/much emails for multiple Accounts from different Mailhosters?

I need some time to understand and find better words to describe my conception. As user i with a solution to collect al my mail from different hosts. That i could connect to one service like a multi Messenger Service that collects all different Services like Jabber, ICQ.. so just for Mail. Now i know if i would have this i have to refer all emails from different Mails to one Service or that one email address that my postfix Server handles.

As Administrator the virtual Domain for using one Mail Server to handle multiple (virtual) Domains work very well!

Roundcube itself did not allow to configure one user for more than just one Email. So i expected that roundcube is like Evolution just as Webfrontend. Thats not true. To use more then one Mailservice i have to relay all the mails to that one email-address.