These are the directions I used to set up an almost complete open-source mail server running NetBSD and pkgsrc.
The mail server will feature:
- E-mail exchange (MX) role on the Internet;
- E-mail gateway (SMTP) for internal LAN users;
- E-mail access (IMAP) for internal LAN users;
- Secured (TLS and SASL) access for internal users;
- Greylisting, RFC checks and RBL mail filtering;
- Directory (LDAP) for e-mail entries.
Prerequisites
Install a NetBSD server; I used a Xen3 domU.
I'll mostly use prebuilt packages, except for Dovecot, which doesn't have LDAP support by default.
Edit the system-wide LDAP configuration file to enable slapd/ssl certificate validation:
# cat /etc/openldap/ldap.conf
TLS_CACERT /etc/openssl/certs/ca.tumfatig.local.pem
Install the SSL certificate (a PEM file containing the certificate and its private key) that will be used by Postfix and Dovecot:
# chown root:wheel /etc/postfix/www.tumfatig.net.pem
# chmod 640 /etc/postfix/www.tumfatig.net.pem
Create the user, group and storage space that’ll be used by the mail daemons:
# groupadd -g 3000 vmail
# useradd -m -u 3000 -g vmail -c "Virtual Mail user" -d /home/vmail -s /sbin/nologin vmail
# rm -rf /home/vmail/.??*
# chmod 750 /home/vmail
Of course, you need a Lightweight Directory Access Protocol (LDAP) server filled with your e-mail users and aliases. I extended my OpenLDAP with the Courier IMAP schema (authldap.schema).
Don’t forget to properly configure the Domain Name System (DNS) server too!
IMAP server
The Internet Message Access Protocol (IMAP) server I chose is Dovecot.
I chose it for historical reasons. I first used Courier-IMAP, around 2003. Then I began to store the e-mails on a remote NFS server. I read that Courier might not deal with this very well (at the time of switching). There was information claiming that Dovecot would, and might even be faster (thanks to index caching). So I tried it and kept it 😀
Another reason to keep it is that NetBSD's default Postfix instance supports Simple Authentication and Security Layer (SASL) through Dovecot.
The Dovecot server will provide an authentication socket to Postfix and will offer imaps access only.
Install Dovecot
In pkgsrc, Dovecot doesn't enable LDAP support by default, so I had to compile it:
# pkg_add http://nyftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/dovecot-1.2.15.tgz
# cd /usr/pkgsrc/mail/dovecot
# env PKG_OPTIONS.dovecot="dovecot-managesieve dovecot-sieve ldap" make install clean-depends
Configure LDAP Authentication
Create and edit the backend configuration file:
# cp -p /usr/pkg/share/examples/dovecot/dovecot-ldap-example.conf /usr/pkg/etc/dovecot-ldap.conf
# chmod 600 /usr/pkg/etc/dovecot-ldap.conf
# vi /usr/pkg/etc/dovecot-ldap.conf
uris = ldaps://ldap.tumfatig.local
dn = cn=email,dc=tumfatig,dc=local
dnpass = password
auth_bind = yes
auth_bind_userdn = uid=%u,ou=users,dc=tumfatig,dc=local
ldap_version = 3
base = ou=users,dc=tumfatig,dc=local
user_attrs = homeDirectory=home,mailbox=mail
user_filter = (&(objectClass=CourierMailAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=CourierMailAccount)(uid=%u))
Create and edit the main configuration file:
# vi /usr/pkg/etc/dovecot.conf
protocols = imaps
listen = *
disable_plaintext_auth = yes
ssl_cert_file = /etc/postfix/www.tumfatig.net.pem
ssl_key_file = /etc/postfix/www.tumfatig.net.pem
login_chroot = yes
login_user = dovecot
mail_location = /home/vmail/%u
mail_uid = vmail
mail_gid = vmail
verbose_proctitle = no
protocol imap {
  imap_client_workarounds = delay-newmail
}
auth_verbose = yes
auth_debug = no
auth default {
  mechanisms = plain
  passdb ldap {
    args = /usr/pkg/etc/dovecot-ldap.conf
  }
  userdb ldap {
    args = /usr/pkg/etc/dovecot-ldap.conf
  }
  user = vmail
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = wheel
    }
  }
}
dict {
}
plugin {
}
Configure automatic launch at boot time:
# cat >> /etc/rc.conf
dovecot=YES
# cat >> /etc/rc.local
[ -x /usr/pkg/share/examples/rc.d/dovecot ] && /usr/pkg/share/examples/rc.d/dovecot start
Test your installation:
# openssl s_client -connect localhost:imaps
CONNECTED(00000004)
(…)
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
. login someusername somepassword
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
. logout
* BYE Logging out
. OK Logout completed.
closed
SMTP server
The Simple Mail Transfer Protocol (SMTP) server that ships with NetBSD (at the time of writing) is Postfix 2.6.x.
Uncomment the smtp line in /etc/postfix/master.cf so that Postfix listens for connections on port 25.
Edit the main configuration file:
# vi /etc/postfix/main.cf
myhostname = cherie.tumfatig.net
mydomain = tumfatig.local
myorigin = tumfatig.net
mydestination = localhost
mynetworks = 10.0.0.0/24, 127.0.0.0/8
local_recipient_maps = $virtual_mailbox_maps $virtual_alias_maps
unknown_local_recipient_reject_code = 550
transport_maps = hash:/etc/postfix/transport
virtual_mailbox_domains = $transport_maps
virtual_mailbox_base = /home/vmail
virtual_minimum_uid = 3000
virtual_uid_maps = static:3000
virtual_gid_maps = static:3000
virtual_mailbox_maps = ldap:/etc/postfix/ldap_accounts
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases
Create and edit the accounts configuration file:
# vi /etc/postfix/ldap_accounts
server_host = ldaps://ldap.tumfatig.local
search_base = ou=users,dc=tumfatig,dc=local
query_filter = (&(mail=%s)(objectClass=CourierMailAccount))
result_attribute = mailbox
version = 3
bind = yes
bind_dn = cn=email,dc=tumfatig,dc=local
bind_pw = password
# chown root:postfix /etc/postfix/ldap_accounts
# chmod 640 /etc/postfix/ldap_accounts
Create and edit the aliases configuration file:
# vi /etc/postfix/ldap_aliases
server_host = ldaps://ldap.tumfatig.local
search_base = ou=alias,dc=tumfatig,dc=local
query_filter = (&(mail=%s)(objectClass=CourierMailAlias))
result_attribute = maildrop
version = 3
bind = yes
bind_dn = cn=email,dc=tumfatig,dc=local
bind_pw = password
# chown root:postfix /etc/postfix/ldap_aliases
# chmod 640 /etc/postfix/ldap_aliases
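The dovecot-ldap.conf, ldap_accounts and ldap_aliases files all carry the LDAP bind password in clear text (dnpass and bind_pw), which is why they get the 600/640 modes above. The following script is an added example, not part of the original post: it re-checks those modes so that a later edit or package upgrade that silently widens them is noticed. It only reads the mode string from `ls -ld`, which looks the same on NetBSD and Linux, so it depends on neither BSD nor GNU stat. The three default paths are the ones from this post; function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the files that carry the LDAP
# bind password in clear text (dnpass in dovecot-ldap.conf, bind_pw in ldap_accounts
# and ldap_aliases). The post sets them to 600 / 640; this confirms that no "other"
# permission bit crept back in. The mode string comes from `ls -ld`, so the check
# works unchanged on NetBSD and Linux.

# secret_file_ok <path>: 0 when <path> is a regular file with no rwx bits for "other"
secret_file_ok() {
  f=$1
  if [ ! -f "$f" ]; then
    echo "$f: missing or not a regular file" >&2
    return 1
  fi
  mode=$(ls -ld "$f" | cut -c1-10)              # e.g. "-rw-r-----"
  others=$(printf '%s\n' "$mode" | cut -c8-10)  # the "other" triplet
  if [ "$others" != "---" ]; then
    echo "$f: world-accessible ($mode)" >&2
    return 1
  fi
  return 0
}

# check_mail_secrets [file ...]: audit the given files, or the three from the post
# (paths taken from this article) when called without arguments
check_mail_secrets() {
  if [ $# -eq 0 ]; then
    set -- /usr/pkg/etc/dovecot-ldap.conf /etc/postfix/ldap_accounts /etc/postfix/ldap_aliases
  fi
  rc=0
  for f in "$@"; do
    secret_file_ok "$f" || rc=1
  done
  return $rc
}
```

Source the file and run `check_mail_secrets` as root on the mail server; it prints one line per offending file and exits non-zero, which makes it easy to hang off a nightly cron job.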
Create and edit the transport configuration file:
# vi /etc/postfix/transport
tumfatig.local virtual:
tumfatig.net virtual:
carnat.net virtual:
truttet.net smtp:network.truttet.net.
Final touch, then start it up:
# set -o braceexpand
# postmap /etc/postfix/{ldap_accounts,ldap_aliases,transport}
# cat >> /etc/rc.conf
postfix=YES
# /etc/rc.d/postfix restart
Enable TLS on Postfix
Enabling TLS is quite straightforward:
# vi /etc/postfix/main.cf
# TLS configuration
#
smtpd_tls_cert_file = /etc/postfix/www.tumfatig.net.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
Test the STARTTLS connection:
# openssl s_client -starttls smtp -connect localhost:25
CONNECTED(00000004)
(…)
250 DSN
EHLO localhost
250-cherie.tumfatig.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Enable SASL on Postfix
Check the available SASL server plug-in types:
# postconf -a
dovecot
Enable SASL in Postfix (the previous section restricts SASL to TLS connections):
# vi /etc/postfix/main.cf
# SASL configuration
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
Allow mail relay when authenticated:
# vi /etc/postfix/main.cf
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
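With smtpd_tls_auth_only = yes from the TLS section and noplaintext in smtpd_sasl_security_options here, Postfix must hide AUTH from a clear-text EHLO and only advertise it after STARTTLS; otherwise the LDAP passwords would travel in clear text. The script below is an added example (not from the original post) that checks exactly that property on two captured EHLO replies. The TLS sample is copied from the s_client output shown in the TLS section; the clear-text sample is constructed to match what this configuration should answer before STARTTLS. Function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that AUTH is advertised only
# inside TLS. With smtpd_tls_auth_only = yes and smtpd_sasl_security_options =
# noplaintext, a plain EHLO must not list AUTH, the EHLO sent after STARTTLS must,
# and the plain reply must offer STARTTLS in the first place.

# ehlo_has_auth: read an EHLO reply on stdin, succeed if it advertises AUTH
ehlo_has_auth() {
  tr -d '\r' | grep -q -E '^250[- ]AUTH( |$)'
}

# ehlo_has_starttls: read an EHLO reply on stdin, succeed if it advertises STARTTLS
ehlo_has_starttls() {
  tr -d '\r' | grep -q -E '^250[- ]STARTTLS$'
}

# auth_only_in_tls <plain reply file> <tls reply file>: 0 when STARTTLS is offered,
# AUTH is absent on the clear-text channel and present inside TLS
auth_only_in_tls() {
  if ! ehlo_has_starttls < "$1"; then
    echo "STARTTLS not offered on the clear-text channel" >&2; return 1
  fi
  if ehlo_has_auth < "$1"; then
    echo "AUTH offered before STARTTLS" >&2; return 1
  fi
  if ! ehlo_has_auth < "$2"; then
    echo "AUTH not offered inside TLS" >&2; return 1
  fi
  return 0
}

# Constructed sample replies. PLAIN_EHLO is what this configuration should answer
# before STARTTLS; TLS_EHLO is the reply shown in the post after STARTTLS.
PLAIN_EHLO=$(mktemp)
cat > "$PLAIN_EHLO" <<'EOF'
250-cherie.tumfatig.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EOF

TLS_EHLO=$(mktemp)
cat > "$TLS_EHLO" <<'EOF'
250-cherie.tumfatig.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EOF

# Against the live server, capture both replies and compare them, for example
# (nc option names vary between implementations):
#   printf 'EHLO probe\r\nQUIT\r\n' | nc localhost 25 > plain.txt
#   printf 'EHLO probe\r\nQUIT\r\n' | openssl s_client -quiet -starttls smtp -connect localhost:25 > tls.txt
#   auth_only_in_tls plain.txt tls.txt && echo "AUTH is TLS-only"
```

The check is deliberately strict about STARTTLS being advertised: if the certificate file becomes unreadable to Postfix, STARTTLS disappears from the EHLO reply and, with smtpd_tls_auth_only set, AUTH disappears with it, so users simply stop being able to relay. Seeing that failure in a test is far better than hearing about it from them.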
Implement greylisting on Postfix
Install Postgrey:
# pkg_add http://nyftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/postgrey-1.33nb1.tgz
# pkg_add http://nyftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/p5-Digest-SHA1-2.13nb1.tgz
Configure automatic start at boot time:
# cat >> /etc/rc.conf
postgrey=YES
postgrey_flags="-i localhost:8025 --delay=120 --privacy"
# cat >> /etc/rc.local
[ -x /usr/pkg/share/examples/rc.d/postgrey ] && /usr/pkg/share/examples/rc.d/postgrey start
# /usr/pkg/share/examples/rc.d/postgrey start
Configure Postfix to use Postgrey:
# vi /etc/postfix/main.cf
smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, check_policy_service inet:127.0.0.1:8025, reject_unauth_destination
# postfix reload
Test that it works properly:
# telnet 192.168.12.143 25
Trying 192.168.12.143...
Connected to 192.168.12.143.
Escape character is '^]'.
220 cherie.tumfatig.net ESMTP Postfix
HELO localhost
250 cherie.tumfatig.net
MAIL FROM: ptijo@tumfatig.net
250 2.1.0 Ok
RCPT TO: joel@carnat.net
450 4.2.0: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/carnat.net.html
RSET
250 2.0.0 Ok
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
Tune Postfix to block as much UCE as possible
Configure Postfix to enforce some basic RFC requirements and to use external RBLs to reject unwanted e-mails:
# vi /etc/postfix/main.cf
disable_vrfy_command = yes
smtpd_delay_reject = no
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/access_client, permit_sasl_authenticated, reject_unauth_pipelining, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, permit
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/access_helo, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rhsbl_sender dsn.rfc-ignorant.org, permit
smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit_sasl_authenticated, check_policy_service inet:127.0.0.1:8025, permit
# touch /etc/postfix/access_client
# postmap /etc/postfix/access_client
# touch /etc/postfix/access_helo
# postmap /etc/postfix/access_helo
# postfix reload
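The one entry in smtpd_recipient_restrictions that keeps this box from being an open relay is reject_unauth_destination, and its position matters: it has to come before any bare permit, and putting it before check_policy_service (as the final configuration above does, unlike the order used in the greylisting section) also keeps Postgrey from being consulted for mail that would be rejected anyway. The script below is an added example, not from the original post: it pulls smtpd_recipient_restrictions out of a main.cf and verifies that ordering, with constructed sample files for the three cases. It assumes the "key = value" spelling with spaces around "=" and whitespace-indented continuation lines, which is how this post writes main.cf; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: static check of the relay guard in
# main.cf. pf_get prints one parameter's value with continuation lines joined;
# relay_guard_ok then requires that smtpd_recipient_restrictions contains
# reject_unauth_destination and lists it before any bare "permit" and before any
# check_policy_service entry. Assumes "key = value" with spaces around "=" and
# whitespace-indented continuation lines, as in the post.

# pf_get <main.cf> <parameter>: print the parameter's value, nothing if it is unset
pf_get() {
  awk -v key="$2" '
    /^[ \t]/ { if (found) val = val " " $0; next }   # continuation of the current value
    found    { exit }                                 # next parameter reached; END still runs
    $1 == key && $2 == "=" { found = 1; sub(/^[^=]*=[ \t]*/, ""); val = $0 }
    END { if (found) print val }
  ' "$1"
}

# relay_guard_ok <main.cf>: 0 when reject_unauth_destination is present and precedes
# every bare permit and every check_policy_service in smtpd_recipient_restrictions
relay_guard_ok() {
  pf_get "$1" smtpd_recipient_restrictions | tr ',' '\n' | awk '
    { gsub(/^[ \t]+|[ \t]+$/, "") }
    $1 == "reject_unauth_destination" { seen = 1; next }
    ($1 == "permit" || $1 == "check_policy_service") && !seen { bad = 1 }
    END { if (seen && !bad) exit 0; exit 1 }
  '
}

# Constructed sample files. GOOD_CF follows the post's final order; GREY_FIRST_CF has
# the order from the greylisting section (policy lookup before the relay check);
# OPEN_CF has no reject_unauth_destination at all.
GOOD_CF=$(mktemp)
cat > "$GOOD_CF" <<'EOF'
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    permit_sasl_authenticated,
    check_policy_service inet:127.0.0.1:8025,
    permit
smtpd_tls_security_level = may
EOF

GREY_FIRST_CF=$(mktemp)
cat > "$GREY_FIRST_CF" <<'EOF'
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_policy_service inet:127.0.0.1:8025, reject_unauth_destination
EOF

OPEN_CF=$(mktemp)
cat > "$OPEN_CF" <<'EOF'
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit
EOF

# On the server itself:
#   relay_guard_ok /etc/postfix/main.cf && echo "relay guard in place"
```

Run it against /etc/postfix/main.cf after every edit of the restriction lists, or against `postconf -n` output redirected to a file, which uses the same "key = value" layout. A failing GREY_FIRST_CF is not an open relay, since a policy service answers DUNNO for unknown mail, but it is the order that makes every relay probe cost a Postgrey lookup.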
Sources
http://wiki.dovecot.org/HowTo/DovecotOpenLdap
http://www.postfix.org/TLS_README.html
http://www.postfix.org/SASL_README.html#server_dovecot