Cấu hình như sau:
pixfirewall(config)# hostname PIX1
PIX1(config)#enable password cisco
PIX1(config)#nameif ethernet2 DMZ sec50
PIX1(config)#ip address dmz 172.17.1.1 255.255.255.0
PIX1(config)#ip address inside 172.16.0.1 255.255.255.0
PIX1(config)#ip address outside 192.168.1.1 255.255.255.0
PIX1(config)#interface ethernet0 auto
PIX1(config)#interface ethernet1 auto
PIX1(config)#interface ethernet2 auto
Có 4 kỹ thuật nat dùng trên PIX:
- Static nat: thực hiện map 1 ip – 1 registered ip
- Dynamic nat: map 1 ip – 1 pool registered ip
- Overloading: map multi-ip – 1 registered ip
- Overlapping: is when IP addresses on your network are registered IP address and used by another network.
Nhưng thông thường sẽ cấu hình như sau: Dynamic nat:
PIX1(config)#global (outside) 1 192.168.1.254 netmask 255.255.255.0
PIX1(config)#nat (inside) 1 172.16.0.0 255.255.255.0 0 0
PIX1(config)#nat (dmz) 1 172.17.1.0 255.255.255.0 0 0
Nghĩa là:
1. Create a global address 192.168.1.254 with a tag ID of 1.
2. Assign the network 172.16.0.0/24 behind the inside interface the NAT tag ID 1.
3. Assign the network 172.17.1.0/24 behind the dmz interface the NAT tag ID 1.
Static nat:
PIX1(config)#static (inside,dmz) 172.17.1.0 172.17.1.0 netmask 255.255.255.0 0 0
PIX1(config)#static (dmz,outside) 192.168.1.10 172.17.1.10 netmask
255.255.255.0 0 0
PIX1(config)#static (dmz,outside) 192.168.1.20 172.17.1.20 netmask
Nghĩa là
1. Khi traffic đến từ inside network thì sẽ giữ nguyên ip
2.Trafic từ outside khi đến IP 192.168.1.10 sẽ được gửi đến server có ip là 172.17.1.10
3.Trafic từ outside khi đến IP 192.168.1.20 sẽ được gửi đến server có ip là 172.17.1.20
- Để tăng cường security dùng ACL để cho phép 1 số traffic thông dụng:
PIX1(config)#access-list acl_inside permit tcp 172.16.0.0 255.255.255.0 any eq www
PIX1(config)#access-list acl_inside permit tcp 172.16.0.0 255.255.255.0 any eq ftp
PIX1(config)#access-list acl_inside permit tcp 172.16.0.0 255.255.255.0 any eq 443
PIX1(config)# access-list acl_inside permit tcp 172.16.0.0 255.255.255.0 host
172.17.1.20 eq smtp
PIX1(config)#access-list acl_dmz permit tcp 172.17.1.0 255.255.255.0 any eq www
PIX1(config)#access-list acl_dmz permit tcp host 172.17.1.20 any eq smtp
PIX1(config)#access-list acl_outside permit tcp any host 192.168.1.20 eq smtp
PIX1(config)#access-list acl_outside permit tcp any host 192.168.1.10 eq www
PIX1(config)#access-list acl_outside permit tcp any host 192.168.1.10 eq 443
PIX1(config)#access-group acl_inside in interface inside
PIX1(config)#access-group acl_dmz in interface dmz
PIX1(config)#access-group acl_outside in interface outside
Cuối cùng cấu hình định tuyến:
PIX1(config)#route inside 172.16.0.0 255.255.255.0 172.16.0.2 1
PIX1(config)#route outside 0 0 192.168.1.2 1
PIX1(config)#wr mem
Chú ý:
- Nhớ lưu lại cấu hình: PIX1(config)#wr mem
- Xóa bảng translation: PIX1(config)#clear xlate
- Cú pháp static (internal_if_name,external_if_name) global_ip local_ip netmask mask có cách dễ nhớ hơn là: static (high.low) low high
- Các lệnh trong PIX là case-sensitive
CentOS is an Enterprise-class Linux Distribution derived from Redhat Enterprise Linux – pretty much the only difference is the Redhat branding has been removed. As such CentOS is a great choice of O/S because you can be assured it will be stable and well supported for drivers.
Fedora is another O/S that is very similar to CentOS. This guide will work fine on Fedora as well, with no changes required to the installation steps. If you are going to use Fedora there are a few things you need to be aware of :
Use at least Fedora Core 4, as this gives you MySQL v4. FC3 and earlier has MySQL v3. You want at least MySQL v4 as so you have access to some important performance improvements such as query caching.
Each Fedora Core release only includes a very short period of update maintenance. Typically updates are only available for the previous-to-current version of Fedora. So for example if the current version is FC5, you will soon not be able to get any more mainstream RPM updates for FC3. This is a large contrast to CentOS which is based on RHEL where you have updates available for years. Availability of updates is a very important security consideration.
If you are going to host more than few hundred mailboxes, I would suggest you have at least 2 disk drives in the server. IDE drives are OK, but SCSI ( possibly running in RAID configuration) will give better results when there are high disk loads
It is possible to build large servers using this design. Examples built include :
60K mailboxes, Dual Xeon 2.8Ghz, 2Gb RAM, 2 x SCSI disk RAID1 for O/S, 4 x SCSI disk RAID5 for mailboxes, 2 x P4 Amavisd offload machines
45K mailboxes, Dual Opteron 248, 2Gb RAM, 2 x Raptor SATA RAID1 for O/S, 6 x Raptor RAID5 for mailboxes, 2 x P4 Amavisd offload machines
45K mailboxes, Dual Xeon 2.8Ghz, 1.5Gb RAM, 2 x SCSI disk RAID1 for O/S, 4 x SCSI disk RAID5 for mailboxes, 2 x P4 Amavisd offload machines
With these servers, the system load values on the mailserver are typically around 5 peaking at about 10. The Amavis boxes have similar readings. POP3 and SqWebMail used mainly, with a little bit of IMAP and IMP. Common to see around 100 POP3 sessions active. SMTP-MX concurrency set around 100, Maildrop concurrency set around 20.
Disk Partition Setup : Manually partition with Disk Druid
Your 1st disk doesn’t need to be very large.
/boot : ext3, 256Mb, force to be primary partition
/tmp : ext3 – 2000Mb, force to be primary partition
swap : 2000Mb, force to be primary partition
/ : ext3 – Fill to max available size, force to be primary partition
Your 2nd disk should be large. If its an IDE drive, you should put it on a separate controller to the 1st disk:
/var/vmail : ext3, Fill to max available size, force to be primary partition. (This is where all our mailboxes and user websites are going to live)
If your server is going to be busy, and you have a 3rd disk you can make further enhancements. The disk doesn’t need to be very large. Note, that if you have IDE drives, then this 3rd drive wont really help much unless you have a 3rd IDE controller available
/var/spool/postfix : ext3. (Postfix uses this location for storing queued mail.)
Boot Loader Configuration : press next
Network Configuration :
Choose eth0, edit
Configure using DHCP : unticked
Activate on boot : ticked
IP address : eg 192.168.1.10
Netmask : eg 255.255.255.0
Set hostname manually : ticked
Gateway : eg 192.168.1.1
Primary DNS : eg 192.168.1.2
Secondary DNS : eg 192.168.1.3
Firewall Configuration :
Enable Firewall
Tick : SSH, HTTP, FTP, SMTP
Enable Selinux : Disabled
Additional Language Support :
Tick : English ( Australia )
Choose English (Australia) from the dropdown box at the top
Timezone Selection :
Choose your city on the map
System clock uses UTC : Unticked
Set root Password : ChooseSomethingGood!
Package Group Selection :
Leave default selections as-is, except for :
Editors : tick
Windows file server : untick
MySQL database : tick, Click on details, mysql-server : tick
Development tools : tick
Printing support : untick
TWEAK THE CENTOS INSTALL
Configure the internationalisation settings. By default CentOS will set UTF8 ( Unicode ) character encoding schemes. but I find this causes problems with the console display in my SSH client. Also some perl programs are known to have problems with the UTF8
cp /etc/sysconfig/i18n /etc/sysconfig/i18n.original
vi /etc/sysconfig/i18n
# Remove any UTF-8 entries from the LANG line
# ie change it from LANG="en_US.UTF-8" to LANG="en_US"
LANG="en_US"
Import the GPG keys for software packages
rpm –import /usr/share/rhn/RPM-GPG-KEY*
Configure the log rotation scheme, to rotate daily, for 30 days, compressing the old logs
vi /etc/logrotate.conf
#weekly
daily
#rotate 4
rotate 30
#compress
compress
Configure the NTP clock sync ( very important that mail servers have correct clock! )
vi /etc/ntp.conf
#server 0.pool.ntp.org
#server 1.pool.ntp.org
#server 2.pool.ntp.org
server ntp.yourdomain.com
Tweak the firewall rules. Need to add some extra ports
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT
Configure which services are starting at boot time. The aim is to disable any unneeded services.
chkconfig apmd off
chkconfig bluetooth off
chkconfig cpuspeed off
chkconfig cups off
chkconfig httpd on
chkconfig isdn off
chkconfig mysqld on
chkconfig netfs off
chkconfig nfslock off
chkconfig ntpd on
chkconfig pcmcia off
chkconfig portmap off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig saslauthd off
chkconfig sendmail off
# these two are in Fedora, but not CentOS
chkconfig mDNSResponder off
chkconfig nifd off
For your spool and mailbox partitions, set the noatime flag. This is an important performance tweak which works by preventing the need for writing any updates to the disk when processes are reading files ( eg when Postfix’s qmgr process scans mail in the queue ). I had a busy server where loads dropped from a steady 20 to sub 10’s by making this simple change! Also, as a security precaution, tweak the fstab, to disable /tmp from permitting SUID or exec functionality.
Take advantage of the colors and other advanced features of the vim editor, compared with basic vi editor
# only required on Fedora, a CentOS install appears to already default to vim
echo "alias vi='vim'" >> /root/.bashrc
If you are using CentOS, you can grab the “fastestmirror plugin” for yum, as this should allow your rpm downloads to run quicker
yum install centos-yum yum-plugin-fastestmirror
vi /etc/yum.conf
plugins=1
Then give the server a reboot
shutdown -r now
UPDATE ALL THE RPMS
Run the update manager. It will go and look for updated RPMs, then will download and install them.
TIP : If you are running a 64 bit platform eg Opteron, add this line to the /etc/yum.conf to prevent conflicts between the 64bit and non-64bit libraries
vi /etc/yum.conf
# add this line if you are running 64bit
exclude=*.i386 *.i586 *.i686
Be warned that the first update pass on Fedora can be pretty large. Its not uncommon to see 250M+ of updates to be downloaded. CentOS isnt so “bleeding edge” so for that platform there are usually a lot less updates to download.
yum update
Enable ongoing auto-updating
crontab -e
# Keep up to date. Lets only do it during business hours, just to be safe
#
# Dont download kernel updates, or our /boot will overflow eventually.
# Dont download mysql updates, as I have seen mysql shutdown and not automatically come back up.
#
# If we want to update kernel or mysql, we can run these manually via a "yum update".
50 10 * * 1-5 /usr/bin/yum --exclude=kernel* --exclude=hal --exclude=mysql* -y update
Give the server are reboot, so the new kernel that yum downloaded can take effect
shutdown -r now
CREATE THE SSL CERTIFICATES
SSL certificates will be used by Postfix (for SMTPS and TLS), Courier (for IMAPS and POP3S) and Apache (for HTTPS)
mkdir /usr/local/ssl
cd /usr/local/ssl
# Generate the RSA private-key for the server.
# We don't want a pass phrase on this key, otherwise it will need to be entered
# every time courier/apache/postfix starts.
openssl genrsa -out mail.yourdomain.com.key 1024
Generating RSA private key, 1024 bit long modulus
...................++++++
........................++++++
e is 65537 (0x10001)
# Tighten the permissions on this key file
chmod 600 mail.yourdomain.com.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:AU
State or Province Name (full name) [Berkshire]:South Australia
Locality Name (eg, city) [Newbury]:Adelaide
Organization Name (eg, company) [My Company Ltd]:Yourcompany Limited
Organizational Unit Name (eg, section) []:Hosting Services
Common Name (eg, your name or your server's hostname) []:mail.yourdomain.com
Email Address []:postmaster@yourdomain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:
At this point you would send your CSR off to a Certificate Authority for signing (such as Verisign or Thawte) . However if you wanted to do some in-house testing, we can set ourselves up as a CA, and then sign the CSR ourselves :
# generate RSA private-key for the CA
openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.....................++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:capass
Verifying - Enter pass phrase for ca.key:capass
# tighten permissions on this private key
chmod 600 ca.key
# create a self signed CA certificate
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:capass
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:AU
State or Province Name (full name) [Berkshire]:SomeState
Locality Name (eg, city) [Newbury]:SomePlace
Organization Name (eg, company) [My Company Ltd]:Test CA Company
Organizational Unit Name (eg, section) []:SomeGroup
Common Name (eg, your name or your server's hostname) []:CA Signing Biz
Email Address []:postmaster@nowhere
# Use this test CA to sign our server cert
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -in mail.yourdomain.com.csr -out mail.yourdomain.com.crt
Signature ok
subject=/C=AU/ST=SomeState/L=SomePlace/O=Test CA Company/OU=SomeGroup/CN=CA Signing Biz/emailAddress=postmaster@nowhere
Getting CA Private Key
Enter pass phrase for ca.key:capass
Combine the server key and certificate into a single file. Postfix and Apache can deal with two separate files, but Courier needs them both in one. To try and keep things consistent we will use a single file with all 3 apps
# create the PEM file in the format that courier wants (both the key and the cert in one file)
cat mail.yourdomain.com.key mail.yourdomain.com.crt > mail.yourdomain.com.pem
chmod 600 mail.yourdomain.com.pem
OK so you should now have something like this :
ls -al
total 36
drwxr-xr-x 2 root root 4096 Nov 28 22:02 .
drwxr-xr-x 14 root root 4096 Nov 20 21:50 ..
-rw-r--r-- 1 root root 1371 Nov 28 21:50 ca.crt
-rw------- 1 root root 963 Nov 28 21:47 ca.key
-rw-r--r-- 1 root root 1001 Nov 28 21:51 mail.yourdomain.com.crt
-rw-r--r-- 1 root root 773 Nov 28 21:45 mail.yourdomain.com.csr
-rw------- 1 root root 887 Nov 28 21:45 mail.yourdomain.com.key
-rw------- 1 root root 1888 Nov 28 22:02 mail.yourdomain.com.pem
MySQL has been installed as part of the CentOS installation. Databases will be stored in /var/lib/mysql
Tune, based on how busy the MySQL is going to be. There are a few sample cnf files supplied so choose the one that best matches your needs. (IMPORTANT NOTE : MySQL query caching isn’t enabled in any of the sample files except for my-large and my-huge. If you decide to use one of the smaller config files, it will be worth you while to copy the query_cache_size setting across from the large/huge files)
. Edit the config file and make the following tweaks in the [mysqld] section
vi /etc/my.cnf
# put this one in if its not there already
query_cache_size= 64M
# Our databases will only be accessed by programs running locally, so disable TCP connections and replication functions
skip-networking
#log-bin
#Add an entry to tweak the max number of allowed connections
#The default is 100. On a busy server you will probably need to increase this
max_connections = 400
# Record of any queries that run slowly
log-slow-queries
Create the MySQL tables for Postfix to use.
mysql
GRANT SELECT ON postfix.* TO postfixuser@localhost IDENTIFIED BY 'postfixpass';
CREATE DATABASE postfix;
USE postfix;
CREATE TABLE mailbox_domains (
domain varchar(255) NOT NULL default '',
description varchar(255) NOT NULL default 'Postfix virtual mailbox domain',
maxaliases int(10) NOT NULL default '-1',
maxmailboxes int(10) NOT NULL default '-1',
maxquota int(10) NOT NULL default '-1',
server varchar(255) NOT NULL default '',
created datetime NOT NULL default '0000-00-00 00:00:00',
modified datetime NOT NULL default '0000-00-00 00:00:00',
modified_by varchar(255) NOT NULL default '',
active tinyint(1) NOT NULL default '1',
PRIMARY KEY (domain)
domain varchar(255) NOT NULL default '',
description varchar(255) NOT NULL default 'Postfix virtual alias domain',
maxaliases int(10) NOT NULL default '-1',
server varchar(255) NOT NULL default '',
created datetime NOT NULL default '0000-00-00 00:00:00',
modified datetime NOT NULL default '0000-00-00 00:00:00',
modified_by varchar(255) NOT NULL default '',
active tinyint(1) NOT NULL default '1',
PRIMARY KEY (domain)
) TYPE=MyISAM COMMENT='Postfix Virtual Alias Domains';
CREATE TABLE alias (
address varchar(255) NOT NULL default '',
goto text NOT NULL,
server varchar(255) NOT NULL default '',
created datetime NOT NULL default '0000-00-00 00:00:00',
modified datetime NOT NULL default '0000-00-00 00:00:00',
modified_by varchar(255) NOT NULL default '',
active tinyint(1) NOT NULL default '1',
PRIMARY KEY (address)
) TYPE=MyISAM COMMENT='Postfix - Virtual Alias Maps';
CREATE TABLE client_access (
client varchar(255) NOT NULL default '',
response varchar(255) NOT NULL default '',
note varchar(255) NOT NULL default '',
server varchar(255) NOT NULL default '',
created datetime NOT NULL default '0000-00-00 00:00:00',
modified datetime NOT NULL default '0000-00-00 00:00:00',
modified_by varchar(255) NOT NULL default '',
active tinyint(1) NOT NULL default '1',
PRIMARY KEY (client)
) TYPE=MyISAM COMMENT='Postfix - Client Access';
CREATE TABLE sender_access (
sender varchar(255) NOT NULL default '',
response varchar(255) NOT NULL default '',
note varchar(255) NOT NULL default '',
server varchar(255) NOT NULL default '',
created datetime NOT NULL default '0000-00-00 00:00:00',
modified datetime NOT NULL default '0000-00-00 00:00:00',
modified_by varchar(255) NOT NULL default '',
active tinyint(1) NOT NULL default '1',
PRIMARY KEY (sender)
) TYPE=MyISAM COMMENT='Postfix - Sender Access';
CREATE TABLE recipient_access (
recipient varchar(255) NOT NULL default '',
response varchar(255) NOT NULL default '',
note varchar(255) NOT NULL default '',
server varchar(255) NOT NULL default '',
created datetime NOT NULL default '0000-00-00 00:00:00',
modified datetime NOT NULL default '0000-00-00 00:00:00',
modified_by varchar(255) NOT NULL default '',
active tinyint(1) NOT NULL default '1',
PRIMARY KEY (recipient)
Some applications expect the sendmail binary to be available at /usr/lib/sendmail, but Postfix doesn’t put it there, so lets make a symlink
ln -s /usr/sbin/sendmail /usr/lib/sendmail
vi /etc/postfix/master.cf
# Now enabled SMTP over SSL (smtps : port 465)
#
# To do this, we need to edit the maser.cf file.
# The two line are already there, but are commented out.
# To enable the service, we simply need to remove the comment markers ("#").
#
# Note, there needs to be whitespace (either a space or tab) at the start of the 2nd line (in front of the -o)
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
mynetworks = $config_directory/mynetworks
relayhost = [smarthost.yourdomain.com] #<-- if you have a smarthost server
alias_maps = hash:/etc/aliases
home_mailbox = Maildir/
# Next, add all these to the bottom of the file :
disable_vrfy_command = yes
smtpd_recipient_limit = 250
biff = no
# (note this setting below only affects LOCAL mail delivery agent, not virtual mailboxes)
mailbox_size_limit = 20480000
maximal_queue_lifetime = 5d
message_size_limit = 18000000
delay_warning_time = 4h
default_process_limit = 50
append_dot_mydomain = no
parent_domain_matches_subdomains =
###################################################################################
### ENABLE SASL SUPPORT ( SMTP-AUTH )
# smtpd_sasl_auth_enable = yes
# Enable SASL support in postfix
# smtpd_sasl_security_options = noanonymous
# Anonymous logins will not be permitted
# broken_sasl_auth_clients = yes
# Allow RFC-broken mail clients like Outlook Express4 to use SMTP AUTH
# smtpd_sasl_path = postfix
# Tells SASL to get the config from /usr/lib/sasl2/postfix.conf
# smtpd_sasl_local_domain =
# If the user fails to nominate a domain, don't auto append one
# smtpd_sasl_authenticated_header = yes
# Include the authenticated username in the message headers.
# Having this on will make it easier if a spammer cracks one of your user's weak passwords,
# and starts using SMTP-AUTH to relay spam through your server
###################################################################################
### ENABLE TLS SUPPORT ( "STARTTLS" ... enables SSL to be negotiated during a SMTP connection )
# smtp_use_tls = no
# dont enable TLS for outbound SMTP connections
# smtpd_use_tls = yes
# announce TLS availability for incoming SMTP connections
# smtpd_tls_auth_only = no :
# TLS is optional, not enforced
# smtpd_tls_key_file :
# specify the private key ( must not be encrypted - ie no password)
# smtpd_tls_cert_file :
# specify the certificate
# smtpd_tls_session_cache_database :
# nominate a server-side TLS session cache. Improves performance.
# smtpd_tls_loglevel = 1 :
# log basic TLS handshake and cert info
# smtpd_tls_received_header = yes
# record some protocol/cipher etc info in the Received header smtp_use_tls = no
###################################################################################
### add $smtpd_recipient_restrictions to the standard list
### so that we can "proxy:" the check_client|sender|recipient_access entries
proxy_read_maps =
$local_recipient_maps,
$mydestination,
$virtual_alias_maps,
$virtual_alias_domains,
$virtual_mailbox_maps,
$virtual_mailbox_domains,
$relay_recipient_maps,
$relay_domains,
$canonical_maps,
$sender_canonical_maps,
$recipient_canonical_maps,
$relocated_maps,
$transport_maps,
$mynetworks,
$smtpd_recipient_restrictions
###################################################################################
### Virtual mailbox config
# virtual_mailbox_domains : A list of all the virtual mailbox domains
# virtual_mailbox_base : This value will be prepended to all the virtual_mailbox_maps
# virtual_mailbox_maps : Virtual email addr to disk location mappings
# virtual_mailbox_limit : Maximal size of an individual mailbox/Maildir file
Create the config files that tell Postfix how to access the various MySQL tables.
Note “hosts = localhost” means Postfix will use sockets, “hosts = 127.0.0.1″ means Postfix will use TCP. We have disabled TCP access in MySQL (with the “skip-networking” config option), so make sure you stick with using the word localhost in these files. Also, sockets are faster than TCP.
echo "user = postfixuser" > /etc/postfix/mysql-virtual-mailbox-domains.cf
echo "password = postfixpass" >> /etc/postfix/mysql-virtual-mailbox-domains.cf
echo "hosts = localhost" >> /etc/postfix/mysql-virtual-mailbox-domains.cf
echo "dbname = postfix" >> /etc/postfix/mysql-virtual-mailbox-domains.cf
echo "query = SELECT 'ignored by postfix' FROM mailbox_domains WHERE domain='%s' AND active=1" >> /etc/postfix/mysql-virtual-mailbox-domains.cf
echo "user = postfixuser" > /etc/postfix/mysql-virtual-mailbox-maps.cf
echo "password = postfixpass" >> /etc/postfix/mysql-virtual-mailbox-maps.cf
echo "hosts = localhost" >> /etc/postfix/mysql-virtual-mailbox-maps.cf
echo "dbname = postfix" >> /etc/postfix/mysql-virtual-mailbox-maps.cf
echo "query = SELECT 'ignored by postfix' FROM mailbox WHERE email='%s' AND active=1" >> /etc/postfix/mysql-virtual-mailbox-maps.cf
echo "user = postfixuser" > /etc/postfix/mysql-virtual-alias-domains.cf
echo "password = postfixpass" >> /etc/postfix/mysql-virtual-alias-domains.cf
echo "hosts = localhost" >> /etc/postfix/mysql-virtual-alias-domains.cf
echo "dbname = postfix" >> /etc/postfix/mysql-virtual-alias-domains.cf
echo "query = SELECT 'ignored by postfix' FROM alias_domains WHERE domain='%s' AND active=1" >> /etc/postfix/mysql-virtual-alias-domains.cf
echo "user = postfixuser" > /etc/postfix/mysql-virtual-alias-maps.cf
echo "password = postfixpass" >> /etc/postfix/mysql-virtual-alias-maps.cf
echo "hosts = localhost" >> /etc/postfix/mysql-virtual-alias-maps.cf
echo "dbname = postfix" >> /etc/postfix/mysql-virtual-alias-maps.cf
echo "query = SELECT goto FROM alias WHERE address='%s' AND active=1" >> /etc/postfix/mysql-virtual-alias-maps.cf
#THIS IS A WORKAROUND TO ALLOW US TO USE CATCHALL ENTRIES IN THE VIRTUAL ALIAS MAPS.
#
# This issue is that Postfix will process all the alias entries before looking at the
# virtual mailbox maps. Thus if you add a catchall entry for a virtual mailbox domain,
# the catchall will grab all mail, and no mail will go to the virtual mailboxes.
#
# The only solution for virtual mailbox domains that have a catchall, is to populate
# all the mailbox addresses into the alias table as well. The mailbox entries need to
# be pointed back to themselves eg
#
# ADDRESS GOTO
# user1@domain -> user1@domain
# user2@domain -> user2@domain
# @domain -> somewhere
#
# However we don't want to pollute our alias table with all these workaround records,
# so we will define a lookup now that lets Postfix do the work for us. Then we modify
# main.cf so that virtual_alias_maps changes from this :
#
# virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual-alias-maps.cf
#
# to this :
#
# virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual-alias-maps.cf,
# proxy:mysql:/etc/postfix/mysql-virtual-mailbox-to-alias-maps.cf
#
# NOTE: I "stole" this workaround from
# http://workaround.org/articles/ispmail-sarge/#mysql-virtual_email2email.cf
#
echo "user = postfixuser" >> /etc/postfix/mysql-virtual-mailbox-to-alias-maps.cf
echo "password = postfixpass" >> /etc/postfix/mysql-virtual-mailbox-to-alias-maps.cf
echo "hosts = localhost" >> /etc/postfix/mysql-virtual-mailbox-to-alias-maps.cf
echo "dbname = postfix" >> /etc/postfix/mysql-virtual-mailbox-to-alias-maps.cf
echo "query = SELECT email FROM mailbox WHERE email='%s' AND active=1" >> /etc/postfix/mysql-virtual-mailbox-to-alias-maps.cf
# these files contain our database username/password, so tighten the security a bit
chown root.postfix /etc/postfix/mysql-*.cf
chmod 640 /etc/postfix/mysql-*.cf
Now we need to populate the mynetworks file. This file lists the IPs that are able to “relay” mail through your server. We put localhost into this file, so that scripts running on this server can relay mail to the internet. If you have workstations on a LAN, or other users on the internet with fixed-ip addresses, you can add them here as well, and these users will then be permitted to relay mail. For all other users who have mailboxes on your server, when sending mail they can either use SMTP-AUTH, or alternatively they could set their email client’s SMTP server settings to point to their ISP’s mail server.
Tweak the aliases file. These mappings are used for system related mails eg crontab messages, postfix bounces etc. <username@mail.yourdomain.com>
vi /etc/aliases
root: someone@yourdomain.com
newaliases
Try starting Postfix
/etc/rc.d/init.d/postfix start
If all goes well, you should be able to run “ps axf” see something like :
7184 ? Ss 0:00 /usr/libexec/postfix/master
7185 ? S 0:00 \_ pickup -l -t fifo -u
7186 ? S 0:00 \_ qmgr -l -t fifo -u
Also, you should take a look in the maillog file to see if any errors are being reported there
tail -f /var/log/maillog
Disable logwatch script from reporting on Postfix logs
The logwatch script runs nightly, and emails a report to the root user Unless your server is very low volume, I would recommend you tell logwatch not to report postfix stats, otherwise the report gets much too big
vi /etc/log.d/conf/logwatch.conf
# Look for where it says "Service = All" and underneath that add this line :
Service = -postfix
INSTALL A 2ND ETHERNET IP
We want to have a 2nd IP address so that we can keep our MX-traffic separate from our customer-SMTP traffic
Customers will use the “mail.yourdomain.com” (192.168.1.10) name in their mail client’s SMTP server settings, but in our zone files we will point the primary MX records to a different hostname such as “mail-mx.yourdomain.com” (192.168.1.11)
Having two interfaces allows us to set the Postfix MX concurrency to something sensibly low (to prevent a spam influx from overloading our server), while at the same time we can retain a high concurrency on the customer-SMTP settings so that our users don’t ever see a connection-refused error
Let’s assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which looks like this:
Now we want to create the virtual interface eth0:0 with the IP address 192.168.0.101. All we have to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks like this:
127.0.0.1:smtp inet n - n - 10 smtpd
192.168.1.10:smtp inet n - n - 100 smtpd
192.168.1.11:smtp inet n - n - 50 smtpd-mx
-o smtpd_sasl_auth_enable=no
cd /usr/libexec/postfix
ln -s smtpd smtpd-mx
Notes :
Our MX concurrency has been set to a lower value (50) than our customer-SMTP concurrency (100). You can tweak the these values up/down (particularly the MX concurrency) to suit your server’s power / load. For a small server I would recommend the SMTP-MX concurrency be set to something like 25. For a medium server you can set it to something like 50, for a large server you will need to use 100+.
We have created a new application-name called smtpd-mx. This is just a cosmetic tweak, so that when you are running commands like pstree, you can easily see exactly how many sessions of MX and customer-SMTP you have running
For the smtpd-mx service, we have used a configuration option to disable SASL ( SMTP-AUTH ). In most scenarios, there is no need to have SMTP-AUTH enabled for MX traffic – disabling it will save some resources.
Also note that you might like to add additional IPs to the server as well (eth0:1 eth0:2 etc), one for each virtual domain you host. As this opens up options for other config tweaks which will be discussed later in this document. Eg setting a default pop3/imapsmtp-authftpsqwebmail domain per hostname, and also allowing Postfix to attach one SSL cert per hostname.
Add entries to your reverse DNS
For each IP address, you need to make sure you have added a reverse DNS entry. If you fail to do this you might find your server is blocked by some mail servers. eg :
CREATE DATABASE sqlgrey;
GRANT ALL ON sqlgrey.* to sqlgrey@localhost;
quit
( SQLgrey program will auto create its tables for us on startup )
Install the binaries and config files
make install
# installed to /usr/sbin by default, I prefer to have them in /usr/local/sbin
mv /usr/sbin/sqlgrey /usr/local/sbin
mv /usr/sbin/update_sqlgrey_config /usr/local/sbin
mv /usr/bin/sqlgrey-logstats.pl /usr/local/sbin
# create the files that can be used for storing local whitelist entries
touch /etc/sqlgrey/clients_ip_whitelist.local
touch /etc/sqlgrey/clients_fqdn_whitelist.local
Make the following changes to the config file
vi /etc/sqlgrey/sqlgrey.conf
reconnect_delay = 1
awl_age = 32
group_domain_level = 10
db_type = mysql
optmethod = optout
admin_mail = someadmin@yourdomain.com
TIP : If your are building a big/busy server you might like to reduce the amount of logging generated by sqlgrey by adjusting these settings :
loglevel = 1
log_override = conf:2
Install the init script
cp init/sqlgrey /etc/rc.d/init.d/sqlgrey
vi /etc/rc.d/init.d/sqlgrey
#go to the start section, and change the sqlgrey -d command to include the full path
/usr/local/sbin/sqlgrey -d
#go to the stop section, and change the sqlgrey -k command to include the full path
/usr/local/sbin/sqlgrey -k
chkconfig --add sqlgrey
chkconfig sqlgrey on
Start the program
/etc/rc.d/init.d/sqlgrey start
If all goes well, ps axf should should show you something like this :
1898 ? Ss 0:00 /usr/bin/perl -w /usr/local/sbin/sqlgrey -d
Tweak the Postfix config, so incoming external mail gets routed via the greylisting daemon. ( You need to add the line shown in bold text )
For your local users who want to opt-out of the greylisting, you simply add their email address to the optout_email table :
mysql
USE sqlgrey;
-- this user wants to opt out
INSERT INTO optout_email (email) VALUES ('someuser@somedomain.com');
-- all users on this domain want to opt out
INSERT INTO optout_domain (domain) VALUES ('somedomainother.com');
quit
To reduce the load on your database server, you can put the most common hosts into the clients_ip_whitelist.local files. You can use sqlgrey-logstats.pl tool to extract this info from your logs.
If you have got secondary MX servers setup for your domain, you need to install SQLgrey on the secondary MX machines as well. Don’t forget to put the secondary MX server IP’s into the primary MX’s clients_ip_whitelist.local file.
make
make check
make install
make install-configure
Tweak the config file so that courier-authlib can access the info from our database
vi /usr/local/courier-authlib/etc/authlib/authmysqlrc
MYSQL_SERVER localhost
MYSQL_USERNAME postfixuser
MYSQL_PASSWORD postfixpass
MYSQL_SOCKET /var/lib/mysql/mysql.sock
MYSQL_PORT 0
MYSQL_OPT 0
MYSQL_DATABASE postfix
MYSQL_USER_TABLE mailbox
MYSQL_CRYPT_PWFIELD password
MYSQL_CLEAR_PWFIELD clear_password
#you can optionally enable this next setting if you want a particular domain to be appended
#when users haven't specified a domain during authentication
#DEFAULT_DOMAIN yourdomain.com
MYSQL_UID_FIELD '1001'
MYSQL_GID_FIELD '1001'
MYSQL_LOGIN_FIELD email
MYSQL_HOME_FIELD '/var/vmail'
MYSQL_NAME_FIELD name
MYSQL_MAILDIR_FIELD CONCAT(maildir,"Maildir/")
MYSQL_QUOTA_FIELD CONCAT(mailquota*1024*1024,"S")
MYSQL_AUXOPTIONS_FIELD CONCAT("disableimap=",disableimap,",disablepop3=",disablepop3,",disablewebmail=",disablewebmail)
MYSQL_WHERE_CLAUSE active='1'
Tweak the config to disable some unneeded features
vi /usr/local/courier-authlib/etc/authlib/authdaemonrc
#if your server is going to be very busy, you might need to increase this one
daemons=5
# Disable some unneeded functionality.
# (Note that these could optionally be re-enabled per-user by adding appropriate columns to the mailbox database)
#
# wbnochangepass : In our case the postfix MySQL database will be maintained by our billing system, so although
# sqwebmail has functionality to allow users to can change their passwords, these changes would
# be overwritten by the billing system... So we will turn that option off
# wbusexsender : Include an X-Sender header to all outgoing mail ( allows you to track actual sender, even if
# user has altered their From address in sqwebmail )
# disableshared : We don't want shared folders, as this mail server is going to be used in ISP rather than corporate scenario
# webnodsn : Hide the option "
DEFAULTOPTIONS="wbnochangepass=1,wbusexsender=1,disableshared=1,wbnodsn=1"
1515 ? S 0:00 /usr/local/courier-authlib/sbin/courierlogger -pid=/usr/local/courier-authlib/var/spool/authdaemon/pid -s
1516 ? S 0:00 \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
1517 ? S 0:00 \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
1518 ? S 0:00 \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
1519 ? S 0:00 \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
1520 ? S 0:00 \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
1521 ? S 0:00 \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
TROUBLESHOOTING TIP :
Courier-authlib includes a couple of debugging tools. These can be handy if you are having problems eg auth’ing via POP3, but aren’t sure if its your POP3 config that’s broken or whether its actually the courier-authlib that’s not working properly.
# display all accounts
/usr/local/courier-authlib/sbin/authenumerate
# perform a test authentication, and show all values returned from courier-authlib
/usr/local/courier-authlib/sbin/authtest someuser@yourdomain.com somepassword
MAILDROP
Maildrop provides Postfix with a Maildir++ softquota-compatible way to deliver mail into user’s mailboxes.
Note : Instead of using maildrop, many people use the “Postfix VDA” patch instead. This patch hacks the Postfix virtual delivery agent to (supposedly) support Maildir++ softquotas. However I would strongly recommend you don’t use that patch! The doco etc for the patch makes it sounds like it does everything you need. However when you actually inspect the code it is a total debacle zone. There are numerous logic errors – the patch fails to follow the Maildir++ specs, and will cause a ridiculous amount of needless load on your server. Maildrop does everything correctly, doesn’t require the Postfix source code to be patched ( which is good for Postfix’s security/reliability ), and gives additional features like quota warnings. Maildrop also has the huge bonus of being from the same author as Courier-imap/pop3d/sqwebmail so you are guaranteed excellent interoperability between all your tools that touch the Maildir
TIP: if you read the Maildrop docs, there is a configure option “–without-db” which sounds quite desirable. However its not a good idea to use that option because it will prevent some of the Maildrop autoresponder functionality from working properly.
Configure maildrop binary to have siud root. It needs root permissions to be able to connect to the Courier-authlib socket. It drops root permissions as soon as it determines the final account user and group id. ( You cant just go and grant world permissions on the socket, as this would allow anyone on the system to obtain any account’s password ).
chmod u+s /usr/local/bin/maildrop
Setup automatic quota warnings
When you use the -w option with maildrop, it enables the sending of quota warning messages. The warning message is copied verbatim from /usr/local/etc/quotawarnmsg with the addition of the “Date:” and “Message-Id:” headers. The warning is repeated every 24 hours (at least), until the Maildir drops below X percent full.
cp maildir/quotawarnmsg /usr/local/etc
vi /usr/local/etc/quotawarnmsg
# tweak wording to suit your needs
vi /etc/postfix/master.cf
# Maildrop will use courier-authlib to lookup account data for the user specified in the -d option.
#
# The example here tells Postfix to launch a maximum of 10 simultaneous mailbox processes.
# You might need to tweak this depending on how busy your server is. A higher number will
# tell Postfix to try to deliver more messages per second, but setting the value too high can
# cause problems if you run out of disk I/O. I would recommend setting this concurrency value
# to 5 for a small server, 10 for medium, and 20 for large.
#
maildrop unix - n n - 10 pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -w 80 -d ${recipient}
postfix reload
Optionally can configure some global maildrop rules
vi /etc/maildroprc
# You can uncomment this next line if you want some debugging output.
# Useful if you are doing some tweaking to try and get mail deliveries to follow
# some more sophisticated rulesets.
#
#logfile "/var/log/maildroprc.log"
# Per-user .mailfilter files are installed (eg by sqwebmail) into the user's home dir
# at /var/vmail/yourdomain.com/u/user1/.mailfilter
#
# When maildrop runs, it is coded to look for any global rules in : /etc/maildroprc
# and then next will look for any per-user rules in : $HOME/.mailfilter
#
# However, with a vmail style config we have a problem... $HOME doesn't point to a
# per-user location. On a machine with all the accounts in /etc/passwd, $HOME would
# point to the right place, but vmail systems are different because they host all the
# mailboxes under a single UID.
#
# When postfix calls maildrop to perform a message delivery,
# $HOME will contain the vmail home : /var/vmail
# $DEFAULT will contain the path to the maildir eg : yourdomain.com/u/user1/Maildir
#
# So to allow us to still run per-user rules, we will add an INCLUDE command in
# the global file so that we can still pick up any per-user filtering rules.
#
# if the user has a .mailfilter file, then execute it's contents now
exception {
include "$HOME/$DEFAULT/../.mailfilter"
}
TIP : If you need to do some debugging of maildrop you can run it from the command prompt with verbose logging enabled. This will identify if its talking to the database successfully, and will also show up if there are permissions problems etc on the destination dir :
# If you are going to run a busy IMAP-based webmail package, you will need to substantially increase this.
# The default value of 4 is insufficient even for servicing individual users, since clients like Thunderbird default to using up to 5 simultaneous connections
#
MAXPERIP=20
# Add our collection of supported auth methods to the advertised capability string
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=PLAIN AUTH=LOGIN IDLE"
# we want to turn off the announcement of IMAP ACL extensions, as we dont need this ( we arent using shared folders ),
# and the ACL stuff makes Thunderbird spit errors in some cases
IMAP_ACL=0
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY"
# Enabled the enhanced IDLE functionality
# This allows the IMAP server to notify your client when something has changed (eg a new message has arrived)
IMAP_ENHANCEDIDLE=1
# If you were going to have mainly Outlook Express based IMAP users, you can tell Courier-IMAP to name the trash folder "Deleted Items"
# However in our case we are expecting most IMAP users to be webmail, so sticking with the default "Trash" foldername is probably best.
#IMAP_TRASHFOLDERNAME="Deleted Items"
#IMAP_EMPTYTRASH="Deleted Items":7
Create an empty shared folder index file, to prevent Courier-IMAP from complaining to syslog about it being missing. We aren’t using shared folders at all on this server.
touch /usr/local/courier-imap/etc/shared/index
Start the daemons
/etc/rc.d/init.d/courier-imap start
ps axf should give something like this
14611 ? S 0:00 /usr/local/courier-authlib/sbin/courierlogger -pid=/var/run/imapd.pid -start -name=imapd /usr/local/couri
14612 ? S 0:00 \_ /usr/local/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noident
14618 ? S 0:00 /usr/local/courier-authlib/sbin/courierlogger -pid=/var/run/imapd-ssl.pid -start -name=imapd-ssl /usr/loc
14619 ? S 0:00 \_ /usr/local/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noident
14624 ? S 0:00 /usr/local/courier-authlib/sbin/courierlogger -pid=/var/run/pop3d.pid -start -name=pop3d /usr/local/couri
14625 ? S 0:00 \_ /usr/local/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noident
14630 ? S 0:00 /usr/local/courier-authlib/sbin/courierlogger -pid=/var/run/pop3d-ssl.pid -start -name=pop3d-ssl /usr/loc
14631 ? S 0:00 \_ /usr/local/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noident[
Disable logwatch script from reporting on imap logs
The logwatch script runs nightly, and emails a report to the root user. Unless your server is very low volume, I would recommend you tell logwatch not to report imap stats, otherwise the report gets much too big
vi /etc/log.d/conf/logwatch.conf
# Look for where it says "Service = All" and underneath that add this line :
Service = -imapd
Remark out the following modules, which are part of the standard Apache installation, but we wont need. This will reduce the bulk of Apache, and in my experience will make it more stable
# The first vhost entry is used if no hostname matches are found amongst other vhost entries.
# So lets pop a "default" entry here to send any such requests through to our corporate webpage
ServerAdmin webmaster@yourdomain.com
DocumentRoot /var/www/mail/html
ServerName placeholder-for-no-vhost-match
ErrorLog /var/www/mail/logs/error_log
CustomLog /var/www/mail/logs/access_log combined_vhost
RewriteEngine On
RewriteRule .* http://www.yourdomain.com/ [R,L]
<Directory /var/vmail/yourdomain.com/*/*/public_html>
AllowOverride FileInfo AuthConfig Indexes Limit
Options MultiViews Indexes IncludesNoExec
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ "/var/www/users/cgi-bin/"
<Directory "/var/www/users/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
Create an advertising banner type script that will be used by the sqwebmail binary. The banner is displayed at the bottom of every page.
echo '#!/bin/sh' > /usr/local/bin/sqwebmail-banner.sh
echo '##' >> /usr/local/bin/sqwebmail-banner.sh
echo '## This progam is called by sqwebmail for each [#B#] tag in the html templates' >> /usr/local/bin/sqwebmail-banner.sh
echo '## The ARGV[0] will be the name of the html template that launched the call' >> /usr/local/bin/sqwebmail-banner.sh
echo '##' >> /usr/local/bin/sqwebmail-banner.sh
echo 'echo "<center>";' >> /usr/local/bin/sqwebmail-banner.sh
echo 'echo "<hr>";' >> /usr/local/bin/sqwebmail-banner.sh
echo 'echo "<b>SomeISP support - call 1300 xxx xxx</b>";' >> /usr/local/bin/sqwebmail-banner.sh
echo 'echo "</center>";' >> /usr/local/bin/sqwebmail-banner.sh
chmod 755 /usr/local/bin/sqwebmail-banner.sh
tar xzf Mail-SpamAssassin-3.2.0.tar.gz
chown -R root.root Mail-SpamAssassin-3.2.0
cd Mail-SpamAssassin-3.2.0
Compile and install
perl Makefile.PL
#[answer the questions]
make
make install
Setup the SpamAssassin config file. ( Note, this is a complete config file that can replace the default supplied one )
vi /etc/mail/spamassassin/local.cf
## Enable auto-whitelisting
use_auto_whitelist 1
####
# WILL HAVE NO EFFECT. THE EQUIVALENT SETTINGS IN AMAVISD ARE THE ONES YOU NEED TO SET
#
# ## Required point score before considered spam
# required_score 5
#
#
# ## What to tag the subject line with
# rewrite_header Subject [SPAM]
#
# ## Put the report in the headers. Dont touch the body of the message at all
# report_safe 0
# Enable the Bayes system
use_bayes 1
bayes_auto_learn 1
bayes_auto_learn_threshold_spam 10
## Set headers which may provide inappropriate cues to the Bayesian
## classifier
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status
## Enable or disable network checks
skip_rbl_checks 0
## File locking method. We dont need to worry about being NFS-safe
lock_method flock
## Give spamassassin some hints as to what IPs are under our control.
## Generally this will be a similar list to what you have put in the postfix mynetworks file
trusted_networks 127.0.0.1 # needed so amavisd headers don't trip up spamassassin
trusted_networks 192.168.1.0/24 # you need to include all the IPs your mail server, and local LAN workstation
$forward_method = 'smtp:[127.0.0.1]:10025';
$notify_method = $forward_method;
$max_servers = 10;
@local_domains_maps = ( [".$mydomain"] );
#
# Normally we would want a list of local domains set here,
# but when using SQL-based recipient lookups this isn't necessary.
# Doco says :
# A special shorthand is provided when SQL lookups are used: when a match
# for recipient address (or domain) is found in SQL tables (regardless of
# field values), the recipient is considered local, regardless of static
# @local_comains_acl or %local_domains lookup tables. This simplifies
# life when a large number of dynamically changing domains is hosted.
# To overrule this behaviour, add an explicit boolean field 'local'
# to table 'users' (missing field defaults to true, meaning record match
# implies the recipient is local; a NULL field 'local' is not special,
# it is interpreted as undef like other NULL fields, causing search
# to continue into other lookup tables).
#
# On other (non-mysql) servers that I have built as antivirus/antispam front-ends
# (which then onforward mail to server that has the mailboxes), I have used a setting like this :
# @local_domains_maps = ("."); # consider all domains to be local
@lookup_sql_dsn = ( ['DBI:mysql:database=postfix;host=localhost', 'postfixuser', 'postfixpass'] );
$sql_select_policy =
'SELECT virus_lover, spam_lover, banned_files_lover, bad_header_lover, '.
'bypass_virus_checks, bypass_spam_checks, bypass_banned_checks, bypass_header_checks, '.
'spam_tag2_level, spam_kill_level FROM mailbox WHERE email IN (%k)';
$sql_select_white_black_list = undef; ## STILL NEED TO WORK OUT HOW TO IMPLEMENT THIS FEATURE
Disable logwatch script from reporting on amavisd logs
The logwatch script runs nightly, and emails a report to the root user Unless your server is very low volume, I would recommend you tell logwatch not to report amavisd stats, otherwise the report gets much too big
vi /etc/log.d/conf/logwatch.conf
# Look for where it says "Service = All" and underneath that add this line :
Service = -amavis
Pureftpd has been chosen because it supports MySQL and softquotas. The softquotas work in a similar way to the maildir++ quota system. But instead of the quotas being stored in a maildirsize file, they are stored in a file called “.ftpquota”
# Note, the configure script will emit this warning :
# “configure: WARNING: No certificate is installed in /usr/local/ssl/mail.yourdomain.com.pem yet”.
# However apon inspecting the source code it can be seen this is a bug. If the file exists it reports that warning,
# when it should actually report that warning if the file is missing. I have reported that bug to the pureftpd authors.
# They have acknowledged the bug and the fix will be included in v1.0.22
TIP : If you are using x86_64 platform ( eg Opteron ), you will have to modify your configure command to be :
#MYSQLServer 127.0.0.1
#MYSQLPort 3306
MYSQLSocket /var/lib/mysql/mysql.sock
MYSQLUser postfixuser
MYSQLPassword postfixpass
MYSQLDatabase postfix
MYSQLCrypt cleartext
MYSQLGetPW SELECT clear_password FROM mailbox WHERE email="\L" AND disableftp=0
#MYSQLGetUID SELECT Uid FROM mailbox WHERE email="\L"
MYSQLDefaultUID 1001
#MYSQLGetGID SELECT Gid FROM mailbox WHERE email="\L"
MYSQLDefaultGID 1001
MYSQLGetDir SELECT CONCAT('/var/vmail/',maildir,'public_html') FROM mailbox WHERE email="\L" AND disableftp=0
MySQLGetQTASZ SELECT ftpquota*1024 FROM mailbox WHERE email="\L" and disableftp=0
If all goes well, ps axf should show something like this :
11204 ? Ss 0:00 pure-ftpd (SERVER)
Allow your IPTables to handle ftp connections at least semi-gracefully
vi /etc/rc.d/rc.local
/sbin/modprobe ip_conntrack_ftp
Setup a crontab to ensure virtual quotas are always kept correct. Especially important after you have copied any content into the public_html dirs using a method other than pureftpd
vi /usr/local/sbin/rebuild-ftp-softquotas.pl
#!/usr/bin/perl -w
##
## Loop through SQL and extract a list of userdirs
## For each user, recalc their ftp softquota file
##
use strict;
use DBI;
my $dbh = DBI->connect('DBI:mysql:postfix', 'postfixuser', 'postfixpass') || die "Database connection failed: $DBI::errstr";
my $sql = "SELECT CONCAT('/var/vmail/',maildir) AS homedir FROM mailbox WHERE active=1 ORDER BY maildir";
my $sth = $dbh->prepare($sql);
$sth->execute() || die "Could not execute SQL statement";
while (my($homedir)=$sth->fetchrow_array) {
my $ftpdir = $homedir . "public_html";
if (-d "$ftpdir") {
my $escaped_ftpdir = $ftpdir;
$escaped_ftpdir =~ s/\&/\\&/g;
$escaped_ftpdir =~ s/\ /\\ /g;
my $cmd = sprintf ("/usr/local/sbin/pure-quotacheck -u 1001 -g 1001 -d $escaped_ftpdir");
system ($cmd);
} else {
print ("WARNING: dir does not exist : $ftpdir\n");
}
}
$sth->finish();
$dbh->disconnect();
### Periodically recalc all the ftp softquotas ( just in case )
0 2 * * Sun /bin/nice /usr/local/sbin/rebuild-ftp-softquotas.pl
LAST BITS OF CLEANUP
Remove some unneeded stuff from MySQL, and set some passwords
mysql
-- MySQL comes with a "test" database and an anonymous user which has access to the test database
-- We don't want either of these so lets get rid of them now
DROP DATABASE test;
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.db WHERE User='';
-- Set a root password ( by default there is no password set,
-- which means anyone with shell access could type "mysql -u root" and login to MySQL as root user )
UPDATE mysql.user SET Password = PASSWORD('newpwd') WHERE User = 'root';
-- Tell MySQL to pickup our username/password changes
FLUSH PRIVILEGES;
Setup a config file that stores the MySQL root password, so the system root user doesn’t have to type the MySQL root password when logging into MySQL
vi /root/.my.cnf
[client]
password=newpwd
chmod 600 /root/.my.cnf
Create a local user for yourself, and disable root SSH logins
By default the SSH daemon will permit root logins. Its a security risk to leave this enabled. I would recommend you create a local account which you can use when connecting via SSH. Once connected you can then type “su -” to switch to the root user if required.
useradd someuser
passwd someuser
vi /etc/ssh/sshd_config
PermitRootLogin no
/etc/rc.d/init.d/sshd restart
Here’s a script which I use to periodically create any missing softquota files. I run this weekly from crontab. Note the script tests for chmod 0 on the user’s public_html : this is done because when I suspend a user for non-payment etc I go and set their disableftp/imap/pop3/webmail=1 in the mailbox table ( but leave active=1 so incoming mail doesn’t get bounced), and I also chmod 0 their public_html dir to stop their webpages from being served.
vi /usr/local/sbin/create-missing-softquotas.pl
#!/usr/bin/perl -w
### Wonder if it would be worth while enhancing the script further to autocreate missing dirs?
### Might be bad news though if the db contains some sort of shonky home dir info
### Maybe just sending an email alert to admin is the best bet, get someone to investigate manually.
###
use strict;
use DBI;
my $dbh = DBI->connect('DBI:mysql:postfix', 'postfixuser', 'postfixpass');
my $sql = "SELECT CONCAT('/var/vmail/',maildir) as homedir, CONCAT(mailquota*1024*1024,'S') AS mailquota, ftpquota*1024 as ftpquota FROM mailbox WHERE active=1 ORDER BY maildir";
my $sth = $dbh->prepare($sql);
$sth->execute() || die "Could not execute SQL statement";
my $cmd;
while (my($homedir, $mailquota, $ftpquota)=$sth->fetchrow_array) {
# chop the trailing slash off the homedir
$homedir =~ s/\/$//;
#print "checking $homedir ($mailquota, $ftpquota) ..\n";
unless (-e "$homedir/Maildir/maildirsize") {
if (-d "$homedir/Maildir") {
print "maildirsize missing from $homedir/Maildir, creating it now\n";
my $escaped_maildir = $homedir . "/Maildir";
$escaped_maildir =~ s/\&/\\&/g;
$escaped_maildir =~ s/\ /\\ /g;
#### Create the quota file
$cmd = sprintf ("/usr/local/courier-imap/bin/maildirmake -q $mailquota $escaped_maildir");
system ($cmd);
#### Fix up permissions
$cmd = sprintf ("chown vmail.vmail $escaped_maildir/maildirsize");
system ($cmd);
$cmd = sprintf ("chmod 600 $escaped_maildir/maildirsize");
system ($cmd);
} else {
print "Error, $homedir/Maildir doesnt exist, this needs to be rectified\n";
}
}
unless (-e "$homedir/public_html/.ftpquota") {
if (-d "$homedir/public_html") {
# bypass any dirs that have been chmod to 0 ( suspended )
my $mode = (stat $homedir."/public_html")[2];
unless ($mode == 0x4000) {
print ".ftpquota missing from $homedir/public_html, creating it now\n";
my $escaped_ftpdir = $homedir . "/public_html";
$escaped_ftpdir =~ s/\&/\\&/g;
$escaped_ftpdir =~ s/\ /\\ /g;
$cmd = sprintf ("/usr/local/sbin/pure-quotacheck -u 1001 -g 1001 -d $escaped_ftpdir");
system ($cmd);
}
} else {
print "Error, $homedir/public_html doesnt even exist, this needs to be rectified\n";
For every new virtual mailbox domain, insert a new row into the ‘mailbox_domains’ table
For every new virtual mailbox user, insert a new row into the ‘mailbox’ table, and create their maildir on the disk. Note: In our example we are going to “hash” the path to the user’s dir, by taking the first letter of the username and putting that into the path eg domain/<1stletter>/username. This is done to the system from slowing down when it has to working with a directory that contains a huge number of entries. If you only plan to have a few hundred users you could probably go without any hashing. If you have thousands of users then 1 level of hashing is a good idea. If you have many tens of thousands of users then you might want to increase the level of hashing eg domain/<1stletter>/<1stletter><2ndletter>/username, or domain/<firstletter><2ndletter>/username)
For every new virtual alias domain, insert a new row into the ‘alias_domains’ table
For every every new alias/forward (doesn’t matter if they are for a mailbox_domain or alias_domain), insert a row into the ‘alias’ table
Here is some examples of data :
use postfix;
----------------------------------------------------------------------------------------------------
-- Tell postfix which domains we host this as virtual mailbox domains
--
INSERT INTO mailbox_domains ( domain, description, created, modified )
VALUES ('testdomain.com', 'Postfix virtual mailbox domain', NOW(), NOW());
----------------------------------------------------------------------------------------------------
-- Tell postfix about the virtual mailboxes that we host
--
-- Note that when generating the crypted password, you can't use the MySQL CRYPT function.
-- If you are migrating users out of an /etc/passwd type file, you can just copy the crypted password
-- from there.
-- If you need to generate a crypted password, you can use some code this like :
-- perl -e "print crypt('testpass', join '', ('.', '/', 0..9,'A'..'Z', 'a'..'z')[rand 64, rand 64]);"
--
-- If you don't enter the clear password, password auth will still work, except for auth methods
-- that require the clear password to be available eg CRAM or DIGEST. More info on this subject here
--
-- We haven't defined any of the spam_lover columns etc. If you don't specify a value there, amavisd
-- will just apply its default settings from amavisd.conf ( virusscanning on, antispam scanning on, tag at 5 drop at 10 etc )
--
INSERT INTO mailbox (email, password, clear_password, maildir, created, modified)
VALUES ('user1@testdomain.com', 'dzOCCGgyq3TVo', 'testpass', 'testdomain.com/u/user1/', NOW(), NOW());
----------------------------------------------------------------------------------------------------
-- Add in some alias address mappings
--
INSERT INTO alias (address, goto, created, modified)
VALUES ('user3@testdomain.com', 'user2@hotmail.com', NOW(), NOW());
INSERT INTO alias (address, goto, created, modified)
VALUES ('sales@testdomain.com', 'someuser2@testdomain.com', NOW(), NOW());
-- "Catchall" entry
INSERT INTO alias (address, goto, created, modified)
VALUES ('@testdomain.com', 'user1@testdomain.com', NOW(), NOW());
To create the Maildirs on the disk you will need some commands like :
# create the full directory tree through to the users dir
mkdir -p /var/vmail/testdomain.com/u/user1/public_html
# create the maildir structure
maildirmake /var/vmail/testdomain.com/u/user1/Maildir
# create the softquota "maildirsize" file in the maildir.
# ( If this file isn't present, no quotas will be enforced )
maildirmake -q 20971520S /var/vmail/testdomain.com/u/user1/Maildir
chmod g-r,o-r /var/vmail/testdomain.com/u/user1/Maildir/maildirsize
chown -R vmail.vmail /var/vmail/testdomain.com/u/user1
You can also host non-mailbox domains, where all addresses are forwarding on to other locations :
Note that postfix will use any user@domain mappings before any @domain mappings are matched
----------------------------------------------------------------------------------------------------
INSERT INTO alias_domains ( domain, description, created, modified )
VALUES ('testdomain3.com', 'Postfix virtual alias domain', NOW(), NOW());
-- map xxx@testdomain3.com to xxx@testdomain.com
INSERT INTO alias (address, goto, created, modified)
VALUES ('@testdomain3.com', '@testdomain.com', NOW(), NOW());
----------------------------------------------------------------------------------------------------
INSERT INTO alias_domains ( domain, description, created, modified )
VALUES ('testdomain4.com', 'Postfix virtual alias domain', NOW(), NOW());
INSERT INTO alias (address, goto, created, modified)
VALUES ('user1@testdomain4.com', 'jim@blah.com', NOW(), NOW());
INSERT INTO alias (address, goto, created, modified)
VALUES ('user2@testdomain4.com', 'john@something.com', NOW(), NOW());
INSERT INTO alias (address, goto, created, modified)
VALUES ('@testdomain4.com', 'fred@somewhere.com', NOW(), NOW());
Here are some examples of data for the “access” files :
-- Always permit mail to our abuse and postmaster addresses.
-- Don't do RBL checking etc for such mail
INSERT INTO recipient_access ( recipient, response, note, created, modified )
VALUES ('abuse', 'OK', 'Dont do RBL checking etc for mail to our abuse address', NOW(), NOW());
INSERT INTO recipient_access ( recipient, response, note, created, modified )
VALUES ('postmaster', 'OK', 'Dont do RBL checking etc for mail to our postmaster address', NOW(), NOW());
-- match incoming smtp connections based on senders IP
INSERT INTO client_access ( client, response, created, modified )
VALUES ('66.6.223.100','REJECT Sorry, you are sending spam', NOW(), NOW());
-- match incoming smtp connections based on senders address
INSERT INTO sender_access ( sender, response, created, modified )
VALUES ('support@westpac.com.au', 'REJECT Sober VIRUS', NOW(), NOW());
-- recipient access can be handy if you have a customer who has configured
-- a wildcard mapping enabled for their domain, but wants to reject one
-- particular address from matching the wildcard
INSERT INTO recipient_access ( recipient, response, note, created, modified )
VALUES ('example@testdomain2.com', 'REJECT Mailbox closed', NOW(), NOW());
9918 ? S 0:00 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd -a
Here is an example mrtg cfg file for polling your server
Workdir: /home/httpd/stats/html/mail-servers/data
IconDir: /images
Options[^]: growright, unknaszero
WithPeak[^]: ymw
XSize[^]: 180
##Remarked out this next line out, as it means you are only alerted when threshold is crossed
##Rather than nagged repeatedly that you are over threshold
##For us, being nagged is better I reckon
##ThreshDir: /home/httpd/stats/thresh
ThreshProgI[_]: /home/httpd/stats/mrtg-threshwarn.pl
ThreshProgOKI[_]: /home/httpd/stats/mrtg-threshwarn.pl
ThreshProgO[_]: /home/httpd/stats/mrtg-threshwarn.pl
ThreshProgOKO[_]: /home/httpd/stats/mrtg-threshwarn.pl
#!/usr/bin/perl -w
#
# Called when MRTG detects a threshold problem for a variable.
# ARGV[0] = Parameter name, such as 'wanrouter.cpu'.
# ARGV[1] = Threshold value which was breached, such as "99".
# ARGV[2] = Actual current value of the parameter, such as "100".
#
# Command line looks like:
# thisprogram wanrouter 99[%] 100 description 100
#
my($timestr, $param, $thresh, $raw, $description, $value, $message, $logfile);
$timestr = localtime(time);
$param = $ARGV[0];
$thresh = $ARGV[1];
$raw = $ARGV[2];
$description = $ARGV[3];
$value = $ARGV[4];
$message = "Notice ! $param is $abovebelow threshold $thresh$percent. Current value is $raw$value$percent$bracket";
#$message .= "Notice ! $param ($value) has passed threshold ($thresh)";
system("echo 'Subject: $message' | $emailprog $emailuser");
exit(0);
OPTIONAL CHAPTERS FROM HERE ON DOWN!
THIS STUFF WILL LIKELY APPLY IF YOU ARE BUILDING A LARGER / MORE COMPLEX SERVER
DEDICATED AMAVISD SERVER
It is possible to put the amavisd/clamav/spamassassin on a different box to the Postfix. This can be advantageous as although the clamav software doesn’t consume many resources, the SpamAssassin software can create quite a heavy load.
ON THE POSTFIX MACHINE :
Add an entry in the firewall that permits your amavisd machine to connect on port TCP 10025 ( Amavisd )
Add an entry in the firewall that permits your amavisd machine to connect on port TCP 3306 ( MySQL )
Allow MySQL to serve lookups to the 2nd machine
GRANT SELECT ON postfix.* TO postfixuser@offload-machines-address-here IDENTIFIED BY 'postfixpass';
Modify the MySQL so it listens for TCP connections
vi /etc/my.cnf
#skip-networking
In the /etc/postfix/main.cf, reconfigure Postfix to send the amavisd traffic to the amavisd machine
# Note you could have multiple machines setup eg avs1/2/3/4.yourdomain.com,
# and a round-robin DNS name of avs.yourdomain.com that points to these boxes,
# and you could use that avs.yourdomain.com hostname in that command above.
# This will loadshare the amavisd traffic amongst your multiple servers
In the /etc/postfix/main.cf, reconfigure Postfix to listen for amavisd traffic from the amavisd machine
Add an entry in the firewall that permits mail.yourdomain.com to connect on port 10024
Run these commands
# Not running MySQL server on this box ( but still want the libraries ).
# Also not running apache.
chkconfig mysqld off
chkconfig httpd off
# Load postfix from RPM to allow this box to send mail ( nightly reports etc )
yum install postfix system-switch-mail
# Run this next command and choose postfix
system-switch-mail
# Ensure that you have got prerequisite libraries installed
yum install mysql-devel db4-devel db4-utils zlib zlib-devel
Follow the installation steps at the top of the guide for these applications :
In cpan, you might need to “force install DBD::mysql”, otherwise it wont work because the installer tries to test a connection to the local MySQL server ( which may not succeed since our design wont need MySQL running on the amavisd machine )
In the /etc/amavisd.conf, you will need to alter these settings :
$forward_method = 'smtp:*:*';
@inet_acl = qw(127.0.0.0/8 [::1] 192.168.1.10); # adjust list as needed
$inet_socket_bind = undef; # bind to all IP interfaces if undef
Next is an optional tweak, which doesn’t affect the operation of the server, but does fix a problem seen when people are reporting spam to SpamCop. By default amavisd calls itself localhost in the headers, which is OK when the software is running on same box as Postfix. But when you have split the two applications apart onto separate boxes, we need to use the proper hostname rather than localhost. Unless you make this change SpamCop will trip up on this header and can incorrectly identify your mail server as the source of the SPAM.
In the /etc/amavisd.conf, add this line
$localhost_name = $myhostname;
Probably the best place to put it, is below this line :
# $myhostname = 'host.example.com'; # fqdn of this host, default by uname(3)
SOME OTHER AMAVISD TIPS :
If you have a really busy server, then a single amavisd box might not be enough, you might need to run two or more. Just build them with same config, and setup a round-robin DNS entry that points to both boxes. Tweak the content_filter line in Postfix’s main.cf to use the RR name. Also increase the smtp-amavis_destination_concurrency_limit setting in main.cf to a suitable amount ( eg if you have 2 dedicated amavisd machines each configured for 10 clients, then set the smtp-amavis_destination_concurrency_limit=20)
If you have gone down the road of splitting the amavisd onto a dedicated box, you are probably on the lookout for other performance enhancement tips. One suggestion is to put the amavisd tmp folder into a ram drive. Instructions available here : http://www.stahl.bau.tu-bs.de/~hildeb/postfix/amavisd_tmpfs.shtml
If you use the content_filter command in postfix’s main.cf, you will be scanning all inbound + outbound mail. If you don’t want to bother scanning outbound mail, you remove that content filter line and instead populate your recipient_access table with a list of locally hosted domains you want to do filtering for eg :
We already have a webmail package installed ( sqwebmail ). However sqwebmail only has a very functionality. Many times you will have users who want something more powerful. This is where the Horde suite can help. Its takes a bit of work to get it installed, but the results are worth the effort.
pear install -o Log Mail Mail_Mime DB Date File Net_URL Net_Sieve Net_Socket HTTP_Request Fileinfo
# Gotcha with above! The Fileinfo tries to compile in /tmp, which our tweaked fstab disallows.
# Workaround is to remove the nosuid,noexec from fstab, and to mount -o remount /tmp before install,
# and then put it back again afterwards.
# Would be good if we could come up with something more graceful
# eg, can we perhaps export TEMP variable or similar to point other than /TMP for this install
# Then I would recommend you run the following to bring all your pear modules up to date
pear upgrade Archive_Tar
pear upgrade PEAR
# If the above command fails saying it requires PEAR-1.3.3, then type "pear upgrade PEAR-1.3.3" and then run above command again
pear channel-update pear.php.net
pear upgrade-all
Install the optional wvHhtml tool, so IMP can render MS Word docs as HTML :
On Fedora you can just do this :
yum install wv
On CentOS its a bit more work involved, you need to do this :
# in the "Dynamic Extensions" part, enter this :
extension=fileinfo.so
# find and tweak these values to allow for large webmail uploads
max_execution_time = 3600
memory_limit = 64M
post_max_size = 18M
file_uploads = On
upload_max_filesize = 17M
cd config
for f in *.dist; do cp $f `basename $f .dist`; done
cd ..
chown -R root.apache config
chmod -R g+rw config
cd /var/www/mail/html/images
# grab a copy of your logo file needs to be max 140px wide and 40px high
wget http://somewhere/images/yourdomain.com-smalllogo.gif
# grab a copy of your larger logo file
wget http://somewhere/images/yourdomain.com-largelogo.gif
http://mail.yourdomain.com/horde/test.php
http://mail.yourdomain.com/horde/
click on Administration->Setup
In the Application screen, click on Horde
Database ->
What database backend : MySQL
Request persistent connections : ticked
Database server/host : localhost
Username to connect to the database as : horde
password to connect with : hordepass
database name to use : horde
Preference system ->
Preference driver : SQL Database
DataTree System ->
Backend : SQL Database
Mailer ->
The location of sendmail binary : /usr/sbin/sendmail
Virtual File Storage ->
Backend : SQL Database
Custom sessions handler ->
Sessionhandler : MySQL based sessions
Request persistent connections : ticked
Row level locking : ticked
Database server/host : localhost
Username to connect to the database as : horde
password to connect with : hordepass
database name to use : horde
MIME Detection ->
location : /usr/share/misc/magic
Problem Reporting ->
whre should problem reports be sent : support@yourdomain.com
Menu Settings ->
Select applications to be linked to Hordes menu : imp, ingo, kronolith, turba
Display problem reporting link : Never
URL of an image for top of horde menu : /images/yourdomain.com-smalllogo.gif
If logo is displayed, what URL should it link to : www.yourdomain.com
Click on generate horde config
If you installed the wvHtml package from source ( CentOS ) rather than RPM ( Fedora), then you need to fix the path Horde uses for this tool :
vi /var/www/mail/html/horde/config/mime_drivers.php
Now, regardless of whether you are using CentOS or Fedora, there are two other Horde helper tools “xlhtml” and “ppthtml” that need to be disabled. Although these two tools sound useful ( convert Excel and Powerpoint files to HTML for viewing), you cant get them via Yum and the source fails to compile on most boxes I have tried. Also there are two other drivers “webcpp” and “srchighlite” which are only for fairly obscure use and these tools dont exist on our machine so we want to disable them as well :
vi /var/www/mail/html/horde/config/mime_drivers.php
# up towards the top of the file there is a section that looks like this :
$mime_drivers_map['horde']['registered'] = array(
# need to remove the msexcel, mspowerpoint, srchighlite and webcpp entries from this array
cd config/
for foo in *.dist; do cp $foo `basename $foo .dist`; done
cd ..
chown -R root.apache config
chmod -R g+rw config
cd scripts/sql
mysql -p horde < mnemo.sql
cd ../..
http://mail.yourdomain.com/horde/mnemo/test.php
http://mail.yourdomain.com/horde/
click on Administration->Setup
In the Application menu, click on Notes (Mnemo)
Click on Generate Notes configuration
Now that all the modules are installed and setup, lets reconfigure the Horde module to authenticate users via IMP
http://mail.yourdomain.com/horde
Clock on Administration -> Setup
In the Application menu, click on Horde
Authentication ->
Which users should be treated as administrators : someadminemail@yourdomain.com
# NOTE, the address above should be a valid email account that will be hosted on this box.
# When you login into webmail as this user, you will be given access to all the admin
# menus which lets you change the config of the horde suite.
What backend for authenticating : let a horde application handle authentication
The application that is providing authentication : imp
Click on Generate Horde Configuration
you get a nasty forbidden message at this point, because you have just killed off the previous administrator user admin rights
And lets tweak the interface defaults a bit
vi /var/www/mail/html/horde/templates/common-footer.inc
# This next one you can choose whether you do it or not...
# If you add this tweak, then HTML mails will display inline, rather than requiring the user
# to click on the attachment link.
# Displaying inline can be a security issue, however you have to juggle this against
# helpdesk load that you will suffer from users who complain about not being able to read
# their html mail.
vi /var/www/mail/html/horde/imp/config/mime_drivers.php
$mime_drivers['imp']['html']['inline'] = true;
vi /var/www/mail/html/horde/imp/templates/login/login.inc
#Search for input box name="imapuser" add size=32 as property of input box.
#Since the default box is a bit too small and can cause users confusion
#when they arent able to spot typos that have scrolled off the screen
SETTING A DEFAULT IMAP/POP3 DOMAIN PER HOSTNAME
You can bind multiple IPs to your server (one per domain) and set “default” POP3/IMAP domain for each IP :
Probably you first should remove any DEFAULT_DOMAIN entry from the /usr/local/courier-authlib/etc/authdaemonrc
And from my experience, you have to restart courier-imap for the changes to take effect after making any changes to this file
/etc/rc.d/init.d/courier-imap restart
SETTING A DEFAULT SQWEBMAIL DOMAIN PER HOSTNAME
You can bind multiple IPs to your server (one per domain) and set a “default” sqwebmail domain for each IP
The config below would look to see what IP the client connected to, and would pre-populate the domain name part of the login box
vi /usr/local/sqwebmail/etc/logindomainlist
# A set of mappings for ip addresses to default domains
domain1.com:192.168.1.101:@
domain2.com:192.168.1.102:@
domain3.com:192.168.1.103:@
SETTING A DEFAULT SMTP-AUTH DOMAIN PER HOSTNAME
When you configure the SASL ( SMTP-AUTH) settings in postfix’s main.cf, you can nominate a default domain to use should the SMTP user not supply one (smtpd_sasl_local_domain = yourdomain.com ). However when you are hosting multiple virtual domains on the one box, unless the vast bulk of your users are from a single domain, you really need a way to append the correct domain.
You can bind multiple IPs to your server (one per domain), and then set the smtpd_sasl_local_domain inside the master.cf on a per-smtpd instance basis.
127.0.0.1:smtp inet n - n - 10 smtpd
192.168.1.11:smtp inet n - n - 50 smtpd-mx
-o smtpd_sasl_auth_enable=no
192.168.1.10:smtp inet n - n - 100 smtpd
To something like this :
127.0.0.1:smtp inet n - n - 10 smtpd
192.168.1.11:smtp inet n - n - 50 smtpd-mx
-o smtpd_sasl_auth_enable=no
192.168.1.101:smtp inet n - n - 30 smtpd-domain1
-o smtpd_sasl_local_domain=domain1.com
192.168.1.102:smtp inet n - n - 30 smtpd-domain2
-o smtpd_sasl_local_domain=domain2.com
192.168.1.103:smtp inet n - n - 30 smtpd-domain3
-o smtpd_sasl_local_domain=domain3.com
You can set a default login doman domain based on the IP address the user has connected to
Create a IP <-> Domain mapping table :
mysql
USE postfix;
CREATE TABLE domain_ips (
ip varchar(15) not NULL,
domain varchar(255) NOT NULL,
PRIMARY KEY (ip)
) TYPE=MyISAM COMMENT='IP to Domain mappings for Pure-ftpd';
INSERT INTO domain_ips (ip, domain) VALUES ('192.168.1.101', 'domain1.com');
INSERT INTO domain_ips (ip, domain) VALUES ('192.168.1.102', 'domain2.com');
INSERT INTO domain_ips (ip, domain) VALUES ('192.168.1.103', 'domain3.com');
quit
Tweak the pure-ftpd config :
vi /etc/pureftpd-mysql.conf
MYSQLGetPW SELECT clear_password FROM mailbox WHERE (("\L" LIKE '%@%' AND email = "\L") OR ("\L" NOT LIKE '%@%' AND email = CONCAT("\L",'@',(select domain from domain_ips where ip = "\I")))) AND disableftp=0
MYSQLGetDir SELECT CONCAT('/var/vmail/',maildir,'public_html') FROM mailbox WHERE (("\L" LIKE '%@%' AND email = "\L") OR ("\L" NOT LIKE '%@%' AND email = CONCAT("\L",'@',(SELECT domain FROM domain_ips WHERE ip = "\I")))) and disableftp=0
MySQLGetQTASZ SELECT ftpquota FROM mailbox WHERE (("\L" LIKE '%@%' AND email = "\L") OR ("\L" NOT LIKE '%@%' AND email = CONCAT("\L",'@',(SELECT domain FROM domain_ips WHERE ip = "\I")))) AND disableftp=0
WHAT TO DO IF YOU DONT HAVE CLEAR PASSWORDS AVAILABLE
If you don’t have clear passwords ( eg you are migrating a server where you only have /etc/passwd to work with) you have a couple of choices.
First would be to try cracking the passwords. If you get lucky you can crack a very good percentage of them using a tool like “John the Ripper password cracker“.
If you have no luck cracking the passwords then you might need to tweak your mailserver config as follows :
Mod your SASL config to use courier-authlib (rather than talking to the MySQL database directly), and to remove CRAM AUTH options ( which require clear password to be available )
vi /usr/lib/sasl2/postfix.conf
# replace all the existing commands with this new block :
pwcheck_method: authdaemond
authdaemond_path: /usr/local/courier-authlib/var/spool/authdaemon/socket
mech_list: plain login
TIP : If you are using x86_64 platform ( eg Opteron ), this file will be found in a different place:
/usr/lib64/sasl2/postfix.conf
Add postfix to the daemon group, and tweak the directory permissions slightly, so that postfix applications can gain access to the courier-authlib socket
Where $CERTFILE is the name you used for the $CERTFILE setting in imapd-ssl and pop3d-ssl conf files
Courier will look for a certfile with matching ip. If it doesn’t find one, it will fallback to trying to use “somecert”
HELO FILTERING FOR POSTFIX
We have found that spammers will often forge the SMTP HELO address when they make a connection to Postfix. It seems fairly common for them to use the hostname or IP address of your server.
To block such spam, first create a list of hostnames and IPs used by your server :
vi /etc/postfix/helo.access
## Deny connections from people forging our hostnames
mail.yourdomain.com REJECT You are not me
mail-mx.yourdomain.com REJECT You are not me
mail.domain1.com REJECT You are not me
mail.domain2.com REJECT You are not me
mail.domain3.com REJECT You are not me
domain1.com REJECT Use of that helo name is not permitted
domain2.com REJECT Use of that helo name is not permitted
domain3.com REJECT Use of that helo name is not permitted
## Deny connections from people forging our IP
192.168.1.10 REJECT You are not me
192.168.1.11 REJECT You are not me
192.168.1.101 REJECT You are not me
192.168.1.102 REJECT You are not me
192.168.1.103 REJECT You are not me
postmap /etc/postfix/helo.access
Then tell Postfix to do helo filtering (if you uncomment the warn_if_reject line, hits will be logged but not actually rejected – which can be good for initial testing ) :
The RFC’s state that you aren’t meant to reject mail based on the data presented in the helo command, however after much analysis of our logs we have found that all the hits we are getting are SPAM. I have yet to see any legit users be affected by this piece of config, so I am satisfied that it is a safe and worthwhile mod. If you are unsure, then uncomment the warn_if_reject line and inspect the results before going live.
HOSTING MULTIPLE SSL DOMAINS FOR APACHE / SQWEBMAIL
HOSTING MULTIPLE SSL DOMAINS FOR POSTFIX
In one of the sections above, I show how to set multiple smtp-auth domains for Postfix. The same technique can be used to set multiple SSL domains.
Don’t set a default global SSL domain in in main.cf
smtpd_tls_key_file =
smtpd_tls_cert_file =
Set use them as -o entries instead in master.cf eg
192.168.1.101:smtp inet n - n - 30 smtpd-domain1
-o smtpd_tls_key_file=/usr/local/ssl/mail.domain1.com.key
-o smtpd_tls_cert_file=/usr/local/ssl/mail.domain1.com.crt
192.168.1.102:smtp inet n - n - 30 smtpd-domain2
-o smtpd_tls_key_file=/usr/local/ssl/mail.domain2.com.key
-o smtpd_tls_cert_file=/usr/local/ssl/mail.domain2.com.crt
192.168.1.103:smtp inet n - n - 30 smtpd-domain3
-o smtpd_tls_key_file=/usr/local/ssl/mail.domain3.com.key
-o smtpd_tls_cert_file=/usr/local/ssl/mail.domain3.com.crt
HAVE TO TEST THIS STILL
WHAT TO DO IF YOU DONT WANT TO USE SSL
Some mail servers will not need SSL functionality enabled. Usually due cost savings that can be made particularly if you are hosting a large number of domains. You can self-sign certs, but that is usually only suitable for testing. In production your users will complain about the security warnings generated by their mail client / web browser.
Disable SSL in Postfix
vi /etc/postfix/master.cf
remark out the smtps service (and any associated -o arguments)
This is a plugin for SpamAssassin that uses OCR tools to grab the words from inside those annoying image-based spams
NOTE : I have been tinkering with this on a few different machines. It seems to run OK on machines that have only light load, but when I try to run it on some of our busier equipment, I am seeing problems with crashed spamd or amavisd processes. Have tried tinkering with different package versions, patches, source vs RPM install without much success. So it seems the concept is a good one, but maybe we wont be able to use it in busy production environment until some new builds of the software are available.
Install gifsicle application ( a tool which we will use to get info about GIFs )
cd /usr/local/src
wget http://www.lcdf.org/gifsicle/gifsicle-1.44.tar.gz
tar xzf gifsicle-1.44.tar.gz
chown -R root.root gifsicle-1.44
cd gifsicle-1.44
./configure --disable-gifview
make
make install
Install gOCR prerequisite modules, which do things like convert gif/jpg/png/tiff to pbm format
# Tools to convert gif/jpg/png/tiff files to pnm "portable anymaps" format
yum install netpbm netpbm-progs netpbm-devel
# Now we need to install some more tools :
# * giffix tool which allows us to intentionally corrupted GIFs
# * giftext tool which dumps text info about a GIF file ( which has a bug and needs to be patched )
# Although these are available as RPM's, we cant use them as the giftext program contains
# a bug which can cause segfaults. So instead we need to grab the source, patch it and then
# compile/install
# TIP: On CentOS, but not Fedora, the configure script experiences a failed dependency on the maths library,
# which causes the netpbm libraries to be rejected :
# checking for library containing pnm_readpnminit... no
# * * * try option --with-netpbm=PATH
# The workaround is to use this command instead :
./configure LIBS=-lm
make
make install
Install the ocradd application ( which reads pbm formats, and outputs text. Its similar to gOCR, and can be used to give “2nd opinion”)
# Some of the boxes I was experimenting with needed this
# (although I assume it should already been installed if you ticked development tools as per my doco)
yum install gcc-c++
echo "### MAKE SURE YOU DONT PUT ANY BLANK LINES IN HERE ###" > /etc/mail/spamassassin/FuzzyOcr.words
echo "###" >> /etc/mail/spamassassin/FuzzyOcr.words
echo "### * Matches are case insentive" >> /etc/mail/spamassassin/FuzzyOcr.words
echo "### * All special chars, spaces or numbers are stripped before any matching is done" >> /etc/mail/spamassassin/FuzzyOcr.words
echo "### * Your wordlist word will be found even if its inside another word ( submatching )" >> /etc/mail/spamassassin/FuzzyOcr.words
cat FuzzyOcr.words.sample >> /etc/mail/spamassassin/FuzzyOcr.words
echo "goldmark" >> /etc/mail/spamassassin/FuzzyOcr.words
echo "gdki" >> /etc/mail/spamassassin/FuzzyOcr.words
echo "l intl computers inc" >> /etc/mail/spamassassin/FuzzyOcr.words
echo "metropolis technologies" >> /etc/mail/spamassassin/FuzzyOcr.words
echo "### MAKE SURE YOU DONT PUT ANY BLANK LINES IN HERE ###" >> /etc/mail/spamassassin/FuzzyOcr.words
If you have been running Amavisd/Spamassassin for a while before installing this plugin, I think its a good idea to zap your existing auto-whitelist and bayes database files so that they will be rebuilt more accurately now we have OCR capabilities :
/etc/rc.d/init.d/amavisd stop
cd ~clamav/.spamassassin
rm *
/etc/rc.d/init.d/amavisd start
MISC NOTES :
There is no fancy GUI interface available for managing accounts. With my Qmail guide there was a handy program called QmailAdmin. In the Postfix world it seems that Postfix.Admin is popular. ( Note : my database design isn’t exactly the same as the one for PostfixAdmin ). At my workplace we have written our own perl-based CGI scripts for adding/removing/modifying mailboxes.
TODO :
Describe how to build a secondary MX machine which uses the mysql data to be able to validate all recipient addresses
Maybe set smtpd_sasl_auth_enable=no in main.cf, and enable only on the required customer-smtpd services in master.cf ?
Provide more explanation about what each database table / column is used for. Include some examples showing how to make use of the amavisd-related columns.
Describe these log entries : lookup_sql_field(id) (WARN: no such field in the SQL table), “admin@mydomain.com” result=undef
Can add rebuilt ‘Fedora – Extras’ repo to CentOS http://centos.karan.org/, which would allow RPM versons of wv, arc, cabextract, zoo, freeze, pure-ftpd
Add some Postfix examples for smtpd_client_connection_count|rate_limit, smtpd_client_message|recipient_rate_limit
Create a sysv script with chkconfig support for sqwebmail
Implement the amavisd black/whitelist functionality
Find a solution to the “pear install” where it wants to exec programs on the /tmp
When you have a virtual alias domain mapping @domain1.com a virtual mailbox domain @domain2.com, it appears postfix is accepting any address on domain1, but it doesn’t then immediately bounce the mail if it doesn’t exist on domain2. It first sends the mail via the content_filter and the message only gets bounced once maildrop tries to lookup the destination maildir. Need to see if we can optimise this a bit.
Show how to disable imap service reporting from logwatch scripts
Upgraded to Postfix 2.4.0
19th March :
Updated to Postfix 2.3.8
Changed CentOS 4.3 to 4.4
15th March :
Added “parent_domain_matches_subdomains =” to the postfix main.cf to allow for less confusion in access maps : “somedomain.com” will match only that domain and “.somedomain.com” will match subdomains.
Added modified_by and server columns to Postfix MySQL tables. On my installs modified_by will contain persons name etc, or scripts name that modified the entry last. The server column is going to be used by me for some MySQL replication testing for clusters of mailservers
5th March :
Update to ClamAV 0.90.1
19th February :
Added webnodsn=1 to courier-authlib config.
14th February :
Upgraded to ClamAV 0.90
Upgraded to SpamAssassin 3.1.8
9th February :
Added a tip about reducing the logging levels for sqlgrey on busy servers
7th February :
Moved the no_address_mappings setting from Postfix main.cf to master.cf, so that amavisd sees the after-virtual-alias-expansion address rather than the before-virtual-alias-expansion address. This is important because amavisd is doing lookups against the mailbox table to extract per-user antispam/antivirus settings. The email addresses stored in the mailbox table will only match correctly once virtual-alias-expansion has been done. Eg if you had a virtual alias of fred@some-virtual-alias-domain.com which forwards to user1@some-virtual-mailbox-domain.com, then you need amavisd to see the user1@some-virtual-mailbox-domain.com address, because that is the one that is stored in the mailbox table.
Removed the smtp-amavis process limit from master.cf and replaced it with smtp-amavis_destination_concurrency_limit in main.cf. This is important only if you need to exceed a concurrency of 20. Without making this change postfix’s default destination concurrency limit of 20 would cap the number of smtp-amavis processes at 20 even if you were setting a higher process limit in master.cf. Also added -o lmtp_connection_timeout=2 to the smtp-avamis process in master.cf. Note these changes are really important for large installations where multiple dedicated amavisd servers are in use.
5th February :
Added at create-missing-softquotas.pl script to allow auto-creation of any missing softquota files.
2nd February :
Changes the SNMP / MRTG to monitor LMTP (Postfix -> Amavis) rather than smtpd-av (Amavis -> Postfix) processes. The Postfix -> Amavis direction is where bottlenecks will show up, not the other direction.
29th January :
Added some notes about setting the Maildrop concurrency in Postfix master.cf
Added some notes about setting the SMTP-MX concurrency in Postfix master.cf
Provided some example hardware configs for larger servers
Remind people not to forget about adding reverse DNS entries
Show how to create a local account for SSH use, and how to disable root SSH logins
Upgrade Amavis to v2.4.4
Upgrade to Postfix v2.3.6
Upgrade to ClamAV v0.88.7
25th January 2007 :
Added a note showing how to use /root/.my.cnf
Added info showing how to disable Postfix and amavis services from being included in the nightly logwatch reports
Added Postfix HELO filtering example
Disable SMTP-AUTH for Postfix smtpd-mx service
Added some preliminary info showing how to host one SSL cert per domain in Postfix
Added some preliminary info showing how to turn off SSL if its not required
15th December :
Added a note about creating a link for /usr/lib/sendmail
6th December :
Added notes to dedicated amavisd server section regarding $localhost_name setting
Slightly tweaked the rebuild-ftp-softquotas.pl script
27th November :
added spam_lovers_maps and whitelist_sender_maps to /etc/amavisd.conf
7th November :
Update to Postfix-2.3.4
Update to ClamAV-0.88.6
30th October :
Update to ClamAV-0.88.5
Update to SpamAssassin-3.1.7
27th October :
Tweak the postfix/amavisd content-filter docs to use improved -o options in the smtpd-av section, and also to specify receive_override_options=no_address_mappings in main.cf
Added some FuzzyOCR notes. Still trialling this on some live servers, but it looks pretty good!
26th October :
Added fix error when trying to create new Turba addressbook. (Have to set shares to be localsql in the Turba config screen)
19th September :
Added info about the CentOS fastestmirror plugin for yum
13th September :
Relocated site to new URL
Added note column to recipient_access, sender_access, client_access MySQL tables, to allow optional freeform note to be attached to entry.
8th September :
Remove “–without-db” configure switch from maildrop. This flag was preventing some of maildrop’s autoresponder functionality.
4th September :
Increased the php.ini max_execution_time and memory_limit values, as the previous ones seemed too small to handle larger attachment uploads
Upgrade to sqwebmail-5.1.3
Tweaked the pear commands showing how to upgrade all the modules
Added installation instructions for the wvHtml package which is used by IMP Webmail. Also show how to disable two other IMP helpers xlhtml and ppthtml
31st August 2006 :
Added tips to YUM, SASL, Postfix, and PureFTPd for getting x86_64 platform to work smoothly
Upgraded to SpamAssassin 3.1.5, and Postfix 2.3.3
18th August 2006 :
Added the authtest and authenumerate troubleshooting tips for courier-authlib
8th August 2006 :
Update to SpamAsssassin-3.1.4, ClamAV-0.88.4
Showed how you can combine catchall alias entries and virtual mailbox domains. Requires tweak of Postfix virtual_alias_maps , and addition of mysql-virtual-mailbox-to-alias-maps.cf file.
4th August 2006 :
Tidied up the Horde logo examples
Added some more notes about the admin email address that you nominate when setting up Horde
1st August 2006 :
Upgraded to Postfix 2.3.2
Moved the “yum install pcre-devel” back to an earlier position in the guide, since Postfix can make use of this library when its present
28th July 2006
Upgraded to Postfix 2.3.1. Changes involve adding -DUSE_CYRUS_SASL to the Postfix make, and then in main.cf :
change smtpd_sasl_application_name to smtpd_sasl_path
change reject_invalid_hostname to reject_invalid_helo_hostname
adding smtpd_sasl_authenticated_header = yes
Upgraded to amavisd 2.4.2
Added the wbusexsender=1 option to courier-authlib DEFAULTOPTIONS, so that sqwebmail will add an X-Sender header to each outgoing message
Added cyrus-sasl-devel to the list of packages to install during SASL setup. These libraries are needed to allow Postfix to compile
19th July 2006
Fixed error in Courier-Authlib MYSQL_QUOTA_FIELD. ( Need to concatenate an “S” to the quota string )
Removed bat and cmd files from the amavisd banned list
14th July 2006
Tweaked the SpamAssassin local.cf to add some info on trusted_networks setting
Cleaned up the example 192.168 IPs to make then consistent throughout document
Added some more explanation of the /etc/maildroprc file
Tweaked the httpd logrotate.conf
Added examples showing how to add abuse and postmaster to postfix recipient_access
3rd July 2006
Tweaked the proxy_read_maps so we can can “proxy:” the check_client|sender|recipient_access entries in smtpd_recipient_restrictions
Did a bit of tweaking to the apache config, still could do with a bit more work. Eg demonstrate how to have 1 SSL cert per domain
Added some notes explaining how in the example data we are “hashing” the path to the user dirs
29th June 2006
Switched wording to recommend using CentOS. Left notes in saying that Fedora will also work.
Added some debugging notes for Maildrop
22nd June 2006
Added “AND disableftp=0″ clauses to the Pureftp MySQL select commands.
15th June 2006 :
Added description of how to set an smtp-auth default domain per hostname
14th June 2006 :
Exclude MySQL from crontabbed yum updates. On on of my production serves I saw mysql-4.1.19 shutdown and 4.1.20 not start automatically after the update. Needless to say, the server doesnt work too well if MySQL is down!
Tweaked some of the wording in the maildrop section. Also increased the smallmsg size there, to reduce disk I/O at the expense of higher RAM consumption.
Move the “yum install pcre-devel gamin-devel” into the courier-authlib section. Authlib doesnt need these libraries, but others like maildrop do.
Added tips about using RR DNS entry for multiple Amavisd boxes. Also added the tip about using a RAM disk for the amavisd tmp folder. Also the tip about only content scanning inbound mail
9th June 2006 :
Added notes about removing non-necessary apache modules from httpd.conf.
Tweaked the Horde customisations to show how to display HTML attachments inline
For the last few years I haven’t done much vpopmail work, because the ISP where I work uses Postfix rather than qmail. I have recently accepted a job offer from a different ISP and they use Postfix there as well. When I switch to this new company it will cut the remaining ties I had with customers using my original qmail/vpopmail design. I haven’t really done many updates to this guide over the last couple of years, and now I have decided that no further updates will be done at all. I thank everyone who has used the guide and sent me feedback over the years. I have recently published a Postfix+MySQL guide, and maybe I will do a Postfix+LDAP guide soon, since this is the combo used at my new place of employment.
You can easily add additional columns to the vpopmail tables to store other “per-user” information without affecting the operation of vpopmail
For a server with many user accounts, you would expect that MySQL would give faster performance than disk based accounts. Particularly when you have a large number of users in a given domain. (I haven’t personally done any benchmarks on this, and I also have never seen anyone else run such a test, but you would have to expect that a SQL based backend would scale better than the file-based cdb backend that qmail/vpopmail uses by default)
If you have a very large number of accounts, vpopmail can be configured to use MySQL replication and NFS to share the load over over multiple servers
ABOUT THESE NOTES
Follow these notes at your own risk…!
All the commands shown below have been run as root.
I have successfully used these notes to build many Redhat 7.2, 7.3 and 8.0 based servers. People have told me that Redhat 9.0 & Fedora will also work, but you have to be aware of a few issues :
Most of the qmail software and associated utilities will not compile under RH9 or Fedora, due to conflicts with its new version of glibc. You can get patches to solve these problems from www.qmail.org. (Do a search for “errno”). The actual link for the patches is http://www.qmail.org/moni.csi.hu/pub/glibc-2.3.1/
For packages using perl (eg Razor, SpamAssassin), you may need to add an “export LANG=en_US” to your scripts, or alternatively modify the “/etc/sysconfig/i18n” file.
REDHAT 7.2 / 7.3 / 8.0 NOTES
FIREWALL :
The ipchains or iptables firewalling software will usually be installed during Redhat’s installation process.
For this server you will need to make sure you have opened access on at least the following ports :
SMTP:TCP
HTTP.TCP
HTTPS:TCP
POP3:TCP
NTP:UDP
Note that we arent going to open the IMAP:TCP port, as we are not offering IMAP services directly to our clients. We will be running an IMAP server, but the only program talking to it will be the SquirrelMail software which is also running on this same box.
On Redhat 7.2 / 7.3 (which uses ipchains by default)
You can examine/modify the ipchains config by working on the file :
/etc/sysconfig/ipchains
If you make any changes to this file, you will need to restart the ipchains software :
/etc/rc.d/init.d/ipchains restart
On Redhat 8.0 (which uses iptables by default)
You can examine/modify the iptables config by working on the file :
/etc/sysconfig/iptables
If you make any changes to this file, you will need to restart the iptables software :
/etc/rc.d/init.d/iptables restart
SETUP TIME SYNCHRONISATION :
Mail servers need to have their clocks set correctly. If you don’t have their time sync’ed, you can experience strange problems.
Redhat comes with the ntpd package which is easy to setup
vi /etc/ntp.conf
look for the “# — OUR TIMESERVERS —–” section
and then put in the following lines :
restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap noquery
server xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is the IP address of your (or your upstream’s) NTP server
After making the changes, you will need to restart the ntpd service :
/etc/rc.d/init.d/ntpd restart
Use the ntsysv program and make sure the ntpd service is enabled at bootup time
SETUP DNS :
For our example, we setup an A record for hostname.yourdomain.com. Any domains that we are hosting mail for should have their primary MX pointing to this host. We also created the following CNAME aliases for this host : pop3, smtp, webmail
This allows our users to :
access SquirrelMail and qmailadmin via http://webmail.yourdomain.com
set their POP3 clients to pop3.yourdomain.com for their incoming mail, and smtp.yourdomain.com for their outgoing mail
IMPORTANT : Never configure a end-user’s software to reference the hostname directly. Even though you might start out with just a single box doing all your email functions, later on you might add other boxes to split the load onto different machines (eg one to handle all the SMTP mail, the other doing POP3/IMAP and another again doing WebMail). By setting your client to use the aliased names, you can add extra boxes and then just update the DNS as appropriate. No changes will be required on the client’s computer. Make sure you take my advice now on this matter. You will thank me for this later!!
CHECK YOUR SYSLOG CONFIG :
You may find that your mail server logs a lot of entries to the syslog. On linux you need to be careful of this as there can be a big performance impact. In particular you should check your /etc/syslog.conf and make sure there is a “-” symbol in front of any files that will be busy eg “-/var/log/maillog”. If you have to add the file, then dont forget to “killall -HUP syslogd” so the changes are picked up. Some more info on this subject here
(OPTIONAL) UPDATE YOUR KERNEL :
RedHat regularly publishes updated versions of the Linux kernel to suit their various RedHat distributions. To ensure that your server has best performance and reliability, it is a good idea to regularly upgrade to the latest available kernel.
RedHat have got some easy-to-follow instructions online :
We will be using MySQL to store all the domain and mailbox account information for vpopmail. We are also going to use MySQL to store the SquirrelMail user preferences and address books
Setup an account for the MySQL server to run under :
groupadd mysql
useradd -g mysql mysql
Go to their website and download the latest binaries to /usr/local/src. In this example I have used the file:
mysql-max-3.23.57-pc-linux-i686.tar.gz
(Note, MySQL v4 has recently been released as “stable”, however I am yet to personally do any vpopmail testing under this new version. I have used MySQL v4 for other jobs, and have had reports from other people that it works fine with vpopmail, so if you are keen you should be safe to give MySQL v4 a go rather than v3)
Unzip / configure the binaries so they get installed to /usr/local/mysql
cd /usr/local
tar xzf /usr/local/src/mysql-max-3.23.57-pc-linux-i686.tar.gz
ln -s mysql-max-3.23.57-pc-linux-i686 mysql
Run the installation script that creates/verifies all the various system-use tables etc
Let the MySQL server know what amount of resources it is allowed to use
# choose an appropriate config file from the samples provided
cp /usr/local/mysql/support-files/my-medium.cnf /usr/local/mysql/data/my.cnf
# adjust the permissions on the file so that mysql daemon can read the contents
chgrp mysql /usr/local/mysql/data/my.cnf
Fire up the server
cd /usr/local/mysql
bin/safe_mysqld --user=mysql &
At this point the mysql daemons should be running. A good way to verify this is to use this command :
ps axf
If all is well, you should be able to see something like this :
1073 ? S 0:00 /bin/sh ./bin/safe_mysqld --datadir=/usr/local/mysql/data --pid-file=/usr/local/mysql/data/.pid
1117 ? S 0:00 \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr/local/m
1125 ? S 0:00 \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr/loc
1126 ? S 0:00 \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr
1143 ? S 0:00 \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr
1419 ? S 0:00 \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr
1449 ? S 0:00 \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr
1471 ? S 0:00 \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr
(If you received errors, look in the file /usr/local/mysql/data/hostname.err for debugging info)
This package is optional. It is required if you want your Apache software to have SSL support. We have used it because we want our WebMail interface to have SSL functionality for the login screens. If you don’t want/need SSL support, you could skip this section
Go to their website and download the latest source to /usr/local/src. In this example I have used the file:
openssl-0.9.7b.tar.gz
Compile source (installs to /usr/local/ssl)
cd /usr/local/src
tar xzf openssl-0.9.7b.tar.gz
chown -R root.root openssl-0.9.7b.tar.gz
cd openssl-0.9.7b
./config no-threads -fPIC
make
make install
Generate a private key (make a KEY file)
cd /usr/local/ssl
# generate an 1024-bit RSA private key
bin/openssl genrsa -out private/webmail.yourdomain.com.key 1024
# make sure the permissions on the private dir are tight
chown -R root.root private
chmod -R 600 private
chmod u+X private
Generate a certificate signing request (make a CSR file)
# fill in the X.509 prompts when they appear on the screen
# make sure you put the web site's name into the common name box eg webmail.yourdomain.com
bin/openssl req -new -key private/webmail.yourdomain.com.key -out certs/webmail.yourdomain.com.csr
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Your State
Locality Name (eg, city) []:Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company Pty Ltd
Organizational Unit Name (eg, section) []:Internet Services
Common Name (eg, your name or your server's hostname) []:webmail.yourdomain.com
Email Address []:postmaster@yourdomain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:yoursecretpasswd
An optional company name []:
Get the certificate signed (make a CRT file)
Get the certificate signed by one of the official signing authorities (eg Thawte) :
Send the webmail.yourdomain.com.csr file to a signing authority for processing…
When they have signed it, copy the signed certificate to /usr/local/ssl/certs/webmail.yourdomain.com.crt
Or alternately, here is how you can sign it yourself so you can do a bit of testing! :
A note for the future…. Eventually you will need to renew your certificate :
If you get your certificate signed by eg Thawte, then after the certificate period expires (typically 1 year), you will need to renew the certificate
If all the details for your server are still the same as on your original signing request, then you do not have to submit them a new CSR file. They can just ask them to “re-sign” your existing certificate with an updated expiry date. Before proceeding with your renewal request, make sure you still have a copy of your original private key, as the new certificate will require this file.
Alternatively, if any of the details for your server have changed, then you will need to apply for a new certificate. To do this just follow the original steps above that show how to create a certificate from scratch. (Thawte will still only bill you the cheaper renewal rates..)
Thawte will then send you an updated CRT, and all you do is save this over the top of your original CRT file (/usr/local/ssl/certs/webmail.yourdomain.com.crt), and then restart the apache server
APACHE WEB SERVER (WITH MOD_SSL & PHP4 AS DSO MODULES)
Text with green background is only required if you are building in support for mod_ssl
Uninstall apache if it is installed already
rpm -e --nodeps apache
Go to their website and download the latest source to /usr/local/src. In this example I have used the file:
apache_1.3.27.tar.gz
(Note, Apache v2 has recently been released as “stable”, however I am yet to do any testing under this new version. I would recommend that you stay with v1.3 until the v2 series is more mature)
Extract the apache source
cd /usr/local/src
tar xzf apache_1.3.27.tar.gz
chown -R root.root apache_1.3.27
Create an account and group for the web server to run under
mod_ssl provides SSL cryptography functionality for the Apache webserver
Go to their website and download the version of mod_ssl that matches your version of apache. Put the file into /usr/local/src. In this example I have used the file :
mod_ssl-2.8.14-1.3.27.tar.gz
Extract the source :
cd /usr/local/src
tar xzf mod_ssl-2.8.14-1.3.27.tar.gz
chown -R root.root mod_ssl-2.8.14-1.3.27.tar.gz
cd mod_ssl-2.8.14-1.3.27
And now use the configure script to patch the apache source tree
# Since we have installed PHP as a module, it will run in our chosen "www" context.
# We will now tighten up the permissions on the php directory to allow only root and www users access
chown -R root.www /usr/local/lib/php
chmod -R g-w,o-rwx /usr/local/lib/php
# Following line should be present already as it would be inserted by the PHP make
# Make sure you move it outside of the IfDefineSSL section if the make (incorrectly) put it there
LoadModule php4_module libexec/libphp4.so
# uncomment (or add) the following line
AddType application/x-httpd-php .php
# Add the index.php into this line so apache will use this file as a default in addition to index.html
DirectoryIndex index.php index.html
# Go towards the end of the httpd.conf and look for the "SSL Virtual Host Context"
ServerName webmail.yourdomain.com
ServerAdmin postmaster@yourdomain.com
cd /usr/local
# make root.root own the entire Apache tree
chown -R root.root apache
# setup permissions on the apachedir.
# Because it is owned by root.root, we need to make sure the world permissions bits
# allow rx so that the www group in particular can get access to the apacheroot
chmod 755 apache
# now set the rest of the apacheroot to only allow root to rw. Everything else blocked
# we will selectively go and open permissions as needed
chmod -R 600 apache/*
# give owner (root) search/access permissions on all directories in the apacheroot
chmod -R u+X apache
cd apache
# bin dir contains binaries, so grant execute permissions to owner (root)
chmod -R u+x bin
# cgi-bin contains binaries. Allow either owner (root), or group (web server (www)) to execute these
chgrp -R www cgi-bin
chmod -R u+x,g+x cgi-bin
# the web server needs read access the icons dir
chgrp -R www icons
chmod -R g+rX icons
# Web server log files can be written by the service processes
# but the log files cannot be read or served as web content.
# Web server log files can be read only by administration processes
chgrp -R www logs
chmod g+wX logs
# public web files needs to be able to be read, but not written to by the web service processes
# Also the directories where public web content is stored must not be writable by web services processes
# Also public web content files can be written only by processes authorised for web server admin (only root in our case)
chgrp -R www htdocs
chmod -R g+rX htdocs
mod_gzip is a module for Apache that allows you to compress outgoing content from an Apache web server on-the-fly. It uses the same compression as gzip and no plugins or extra software is needed by your browser to take advantage of this product. Reduction in size of up to 90% or more is possible.
Go to their website and download the latest source to /usr/local/src. In this example I have used :
APXS=/usr/local/apache/bin/apxs make
APXS=/usr/local/apache/bin/apxs make install
Setup the mod_gzip config in the Apache’s httpd.conf file
vi /usr/local/apache/conf/httpd.conf
# Add the following commands to the httpd.conf file.
# ( Insert them before all the SSL config options )
LoadModule gzip_module libexec/mod_gzip.so
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_temp_dir /tmp
mod_gzip_keep_workfiles No
mod_gzip_minimum_file_size 500
mod_gzip_maximum_file_size 5000000
mod_gzip_maximum_inmem_size 60000
mod_gzip_handle_methods GET
# Patch rblsmtpd so that it can be used with all the newer RBL zones.
# This patch also lets you specify a custom error message to be returned to the sender.
patch -p0 rblsmtpd.c < ../ucspi-rss.diff
# Modify rblsmtpd.c to increase the maximum size of the error text that is allowed
# to be returned to the sender from 200 to 500 chars.
# This allows you to create some nice and descriptive text to send to people who
# are being blocked by your RBL filters
vi rblsmtpd.c
Unzip the sources, apply the required patches, compile
tar xzf qmail-1.03.tar.gz
cd qmail-1.03
# Apply patch that allows qmail to work with oversize DNSpackets
patch -p1 < ../qmail-103.patch
# Apply the "qmailqueue" patch
# This patch gives you the required support for other popular addons like Qmail-Scanner
patch -p1 < ../qmailqueue-patch
# Apply patch to make qmail-local and qmail-pop3d compatible with the maildir++ quota
# system that is used by vpopmail and courier-imap
patch < ../qmail-maildir++.patch
# Apply patch for local timestamps.
# This will make the emails headers be written in localtime rather than GMT
patch -p1 < ../qmail-date-localtime.patch.txt
# Apply patch to limit the size of bounce messages generated by our server.
# The patch will limit the size of the bounce to be 50K,
# or you can override this by setting a different value in /var/qmail/control/bouncemaxbytes
patch < ../qmail-limit-bounce-size.patch.txt
# Now add the qregex patch, which adds regexp support to qmail's badmailfrom,
# and also implements badmailto checking (again with regexp support)
patch < ../qregex.patch-20020129.txt
# Apply patch to add ESMTP SIZE support to qmail-smtpd
# This helps your server be able to reject excessively large messages "up front",
# rather than waiting for the whole message to arrive and then bouncing it because
# exceeded the /var/qmail/control/databytes setting.
# Nother that particular patch has been modified so it will apply cleanly in
# conjunction with the other patches I have supplied above. The original version
# of this patch would fail because it conflicted with the qregex patch.
patch < ../qmail-smtpd-esmtp-size_qregex-compat.diff.txt
Edit qmail-smtpd.c and change the code on the straynewline function (around line 54) from 451 to 553
Without this you will get nasty loops forming when a remote servers sends you an message with invalid formatting. By default qmail will says something like “I am not going to accept that message at the moment, you can try again later”. However in my experience the sending server will try sending the same message again a few seconds later, and this will go around and around in a loop for days on end – consuming valuable bandwidth and resources. By changing the error code to 553, it is making the error be permanent ie “I am not going to accept that message, don’t try sending it again”
make setup check
./config
cd ..
Remove the sendmail package, and link in qmail’s replacement utility
# If you are running redhat 8, you may first need to remove the postfix
# package, so that mail to someuser@hostname.yourdomain.com will work correctly :
rpm -e --nodeps postfix
# OK, now go ahead and remove the sendmail package
rpm -e --nodeps sendmail
# Link in qmail's replacement "sendmail-like" tools
ln -s /var/qmail/bin/sendmail /usr/lib
ln -s /var/qmail/bin/sendmail /usr/sbin
The qmailctl script contains all the various commands that will allow us to control our qmail daemons. Put it in with the other qmail binaries. Also link it into /usr/bin so it will be in our “path” for easy access
Setup the /etc/tcp.smtp file
This file controls who is allowed to send and/or relay mail on this server
An example configuration follows :
#------------------------------------------------------
# DESCRIPTION OF THE RULES TO REMIND ME OF HOW THIS FILE WORKS
#
# If you set 'allow', this means that our mail server will allow
# the specified IP range to make a TCP connection to our server
#
# If you set 'deny', this means that our mail server will not allow
# the specified IP range to make a TCP connection to our server
#
# If you set RELAYCLIENT="", this means that the listed IP range is
# allowed to relay mail through our server
#
# If you dont set RELAYCLIENT="", this means that the listed IP range
# will not be able to relay mail through our server
#
# If you set RBLSMTPD="", this means that the listed IP ranges will
# not be checked against any of the RBL databases
#
# If you set RBLSMTPD="some text here", this means that an RBL lookup
# wont be performed, but the mail will be rejected with the specified
# text as a 4xx temp error message
#
# If you set RBLSMTPD="-some text here", this means that an RBL lookup
# wont be performed, but the mail will be rejected with the specified
# text as a 5xx perm error message
#
# If you do not set RBLSMTPD="" or ="some text", then an RBL lookup
# will be performed. If the lookup is successful, then RBLSMTPD will
# return your custom error message (as specified in the -r parameter
# in smtpd supervise script)
#
#-----------------------------------------------------
# HERE ARE THE RULES! :
#-----------------------------------------------------
# BYPASS OPEN RELAY CHECKING FOR THESE IPS :
#
# These IPs are ones that we have setup so that they arent RBL checked.
# We have done this because these particular servers are RBL listed,
# and for whatever reason they can't/won't fix their open relay problem,
# and we still want to be able to receive mail from them.
#
# reminder text goes here for this entry so we know the story...
111.111.111.111:allow,RBLSMTPD=""
# reminder text goes here for this entry so we know the story...
222.222.222.222:allow,RBLSMTPD=""
#
#-----------------------------------------------------------------
# DONT ALLOW THESE IPS TO SEND MAIL TO US :
#
# mailXX.offermail.net connecting regularly and sending invalid
# format messages causing exit with status 256 (bare linefeed normally)
# entry added 15/12/2001
# after looking at the mail coming from these servers it was found to be spam
216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
#
# heaps of spam from replyto of *@freeamateurhotties.com dec2001
64.228.127.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
154.20.94.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
209.151.132.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
216.18.85.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#
#-----------------------------------------------------------------
# ALLOW THESE IPS TO RELAY MAIL THROUGH OUR SERVER
#
# Local class-c's from our LAN are allowed to relay,
# and we wont bother doing any RBL checking.
123.123.123.:allow,RELAYCLIENT="",RBLSMTPD=""
123.111.111.:allow,RELAYCLIENT="",RBLSMTPD=""
#
# Connections from localhost are allowed to relay
# (because the WebMail server runs on localhost),
# and obviously there is no point trying to perform an RBL check.
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
#
#-----------------------------------------------------------------
# ALLOW EVERYONE ELSE TO SEND US MAIL
#
# Everyone else can make connections to our server,
# but not allowed to relay
# RBL lookups are performed
:allow
Setup the /etc/tcp.pop3 file
This file controls who is allowed to access the POP3 services on this server
An example configuration follows :
# Allow any client to connect to us via POP3
# If people are abusing POP3 such as denial-of-service on POP3,
# you can add their ips here to block them out
:allow
Now we have created our tcp.smtp and tcp.pop3 files, we need to compile them into the cdb database format that the tcpserver program can read
qmailctl cdb
Adjust various aspects of the qmail configuration to suite our tastes :
# use postmaster@hostname.yourdomain.com as sender in bounce messages
# rather than the default MAILER-DAEMON@hostname.yourdomain.com
echo 'postmaster' > /var/qmail/control/bouncefrom
# Define how to handle "double bounces".
# The server admin has two choices here, either to receive double bounces
# or to discard them. If your server doesn't handle a lot of mail then it
# wouldn't hurt to receive all double bounces for the admin's inspection.
# But if your server handles a lot of mail, then it is more likely that you
# are going to want to discard double-bounces, because you will end up with
# potentially thousands of these every day.
#
# If you want to keep double-bounces, use these commands to nominate what
# email address to send them through to (eg doublebounce@yourdomain.com) :
echo 'doublebounce' > /var/qmail/control/doublebounceto
echo 'yourdomain.com' > /var/qmail/control/doublebouncehost
# (dont forget that you will need to make sure you have created a mailbox
# to receive these mails. You could use qmailadmin to create a dedicated
# mailbox, or perhaps setup an alias on an existing mailbox)
#
# Or if you would prefer to silently discard any doublebounces,
# then use these commands instead
echo 'doublebounce' > /var/qmail/control/doublebounceto
echo 'hostname.yourdomain.com' > /var/qmail/control/doublebouncehost
echo '#' > ~alias/.qmail-doublebounce
chmod 644 ~alias/.qmail-doublebounce
# set maximum message size to be 8Mb
echo '8000000' > /var/qmail/control/databytes
# queue mail for up to 4 days
echo '345600' > /var/qmail/control/queuelifetime
# Populate badmailto so that mail with invalid address formatting gets rejected
echo '# reject containing invalid characters, brackets or multiple @' > /var/qmail/control/badmailto
echo '[!%#:\*\^]' >> /var/qmail/control/badmailto
echo '[\(\)]' >> /var/qmail/control/badmailto
echo '[\{\}]' >> /var/qmail/control/badmailto
echo '@.*@' >> /var/qmail/control/badmailto
# setup the default domain for use where an address does not have a domain specified
echo 'yourdomain.com' > /var/qmail/control/defaultdomain
# Note, this following command is optional!
#
# If you want qmail to send all outbound mail via a particular mail server
# rather than to send it direct to the recipient's mail server, then this
# can be achieved with the smtproutes command.
#
# SEND ALL OUTBOUND MAIL VIA SMARTHOST
echo ':yoursmarthost.yourdomain.com' > /var/qmail/control/smtproutes
# redirect any mail sent to root@hostname.yourdomain.com to 'postmaster@yourdomain.com
# redirect any mail sent to postmaster@hostname.yourdomain.com to 'postmaster@yourdomain.com
# redirect any mail sent to mailer-daemon@hostname.yourdomain.com to 'postmaster@yourdomain.com
echo 'postmaster@yourdomain.com' > ~alias/.qmail-root
echo 'postmaster@yourdomain.com' > ~alias/.qmail-postmaster
echo 'postmaster@yourdomain.com' > ~alias/.qmail-mailer-daemon
chmod 644 ~alias/.qmail-*
Create / configure the various qmail run scripts :
#!/bin/sh
# Keep 30 logs of max 10Mb each
#
# They will get rotated when they reach 10Mb in size,
# or at midnight when our crontab script fires (whichever event comes 1st)
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/send
vi /var/qmail/supervise/qmail-smtpd/run
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
exec /usr/local/bin/softlimit -m 4000000 \
/usr/local/bin/tcpserver \
-H -l hostname.yourdomain.com \
-v -x /etc/tcp.smtp.cdb \
-c 20 -R -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/usr/local/bin/rblsmtpd -b -C \
-r 'list.dsbl.org:Your message was rejected because the message was sent from a server listed in DSBL - More information regarding this problem is available at http://dsbl.org/listing?%IP% - Please forward this error to your email server support staff for resolution.' \
-r 'sbl-xbl.spamhaus.org:Your message was rejected because the message was sent from a server listed in the Spamhaus RBL - More information regarding this problems is available at http://www.spamhaus.org/query/bl?ip=%IP% - Please forward this error to your email server support staff for resolution.' \
-t 5 \
/var/qmail/bin/qmail-smtpd 2>&1
# The line in orange should be used if you are running qmail on a computer
# that is on a LAN that is using fake ips/masquerading.
# It tells tcpserver not to bother trying to resolve ip addresses
# to names when writing the SMTP log files. Usually with fake ips,
# you cant resolve them to names, so it will make the SMTP services run
# really slowly if it is always trying to resolve these addresses.
# Alternatively, if you are eg an ISP and all your SMTP clients are
# connecting from real IPs with resolvable names, then you can omit
# the orange line and then then benefit from more readable logfiles.
vi /var/qmail/supervise/qmail-smtpd/log/run
#!/bin/sh
# Keep 30 logs of max 10Mb each
#
# They will get rotated when they reach 10Mb in size,
# or at midnight when our crontab script fires (whichever event comes 1st)
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/smtpd
# The line in orange should be used if you are running qmail on a computer
# that is on a LAN that is using fake ips/masquerading.
# It tells tcpserver not to bother trying to resolve ip addresses
# to names when writing the POP3 log files. Usually with fake ips,
# you cant resolve them to names, so it will make the POP3 services run
# really slowly if it is always trying to resolve these addresses.
# Alternatively, if you are eg an ISP and all your POP3 clients are
# connecting from real IPs with resolvable names, then you can omit
# the orange line and then then benefit from more readable logfiles.
vi /var/qmail/supervise/qmail-pop3d/log/run
#!/bin/sh
# Keep 30 logs of max 10Mb each
# They will get rotated when they reach 10Mb in size,
# or at midnight when our crontab script fires (whichever event comes 1st)
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/pop3d
At this point the qmail daemons should be running. A good way to verify this is to use this command :
ps axf
If all is well, you should be able to see something like this :
1218 ? S 0:00 /bin/sh /command/svscanboot
1222 ? S 0:00 \_ svscan /service
1224 ? S 0:00 | \_ supervise qmail-send
1230 ? S 0:00 | | \_ qmail-send
1236 ? S 0:00 | | \_ qmail-lspawn ./Maildir/
1237 ? S 0:00 | | \_ qmail-rspawn
1238 ? S 0:00 | | \_ qmail-clean
1225 ? S 0:00 | \_ supervise log
1233 ? S 0:00 | | \_ /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/send
1226 ? S 0:00 | \_ supervise qmail-smtpd
1231 ? S 0:00 | | \_ /usr/local/bin/tcpserver -v -x /etc/tcp.smtp.cdb -c 20 -R -u 504 -g 503 0 smtp /var/qmail/bin
1227 ? S 0:00 | \_ supervise log
1234 ? S 0:00 | | \_ /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/smtpd
1228 ? S 0:00 | \_ supervise qmail-pop3d
1232 ? S 0:00 | | \_ /usr/local/bin/tcpserver -v -x /etc/tcp.pop3.cdb -c 30 -H -R 0 110 /var/qmail/bin/qmail-popup
1229 ? S 0:00 | \_ supervise log
1235 ? S 0:00 | \_ /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/pop3d
1223 ? S 0:00 \_ readproctitle service errors: .......................................................................
Note the 3 qmail daemons : qmail-send, qmail-smtpd, qmail-pop3d, as well as their associated logging processes. If there is anything wrong with your install, an error message will generally be visible on the “readproctitle” line
You can control the qmail daemons by using the qmailctl program. You can just type that command without any parameters and it will display the available options eg start, stop, status, doqueue
# If you are using RH8.0, you will probably need to run this following command,
# because RH8.0 comes preconfigured with UID/GID 89 allocated to postfix
#
# userdel postfix
# We recommend you use the user and group id's of 89. The FreeBSD folks
# have reserved 89 for the group and 89 for the user for vpopmail. Feel
# free to have the OS assign the group/user id (for example, Solaris won't
# allow gid 89).
# Create the configuration file that vpopmail will use
# to setup the connection to the mysql database
#
# This example will tell vpopmail :
# * Log into the server running on localhost
# * Use the default mysql port
# (In fact if the server is localhost, and you don't specify a port number, then
# I believe the that communications are done via unix sockets rather than TCP/IP)
# * Login with username vpopmailuser
# * Login with password vpoppasswd
# * Use the database called vpopmail
#
# log into MySQL as the MySQL root user
# and then create the database for vpopmail to use
# and then setup the appropriate permissions on this database
<-- We aren't building roaming user support in this example<-- Log POP3 authentication errors including the failed password (to syslog)
<-- Don't include /etc/passwd support. Our box doesn't have any "real" users, only vpopmail users
<-- Enable storing passwords in clear-text. Makes your support staff's life much easier!
<-- Domain quotas allow you to limit the amount of storage a particular domain can use. This code is buggy though and is not recommended for use.
<-- Store all the user and domain information in MySQL rather than using disk-based "cdb" files
<-- Maintain a lastauth table in MySQL (shows when / how a user last accessed their email)
<-- Maintain the vlog table in MySQL (shows failed authentication requests).
The verbosity of the logging will mirror what was chosen in the --enable-logging parameter.
<-- Store aliases and autoresponder settings in MySQL rather than .qmail-xxxx files on the disk.
<-- Use disk-based ".qmailadmin-limits" files rather than storing this data in MySQL.
make
make install-strip
Notes :
The “–enable-mysql-limits” configuration option is fairly new. I plan to update my guide to use this function at some point in the near future once I have done some testing etc of this functionality
I used to recommend the –disable-many-domains switch – which tells vpopmail to create one MySQL table per email domain. When I first started building vpopmail servers, I found this to be the most logical way, having each domain in its own table. However there has been some discussion about this config option on the vpopmail mailing lists, and it sound like this option may be removed at some point in the future. If you have a lot of domains on your server, having each domain in its own table can hurt performance. I now agree that –enable-many-domains (which is the default) is probably the better choice
Review the contents of the file is used to set the default limits for any domains / mailboxes in the vpopmail system. Make sure it contains reasonable defaults for your system.
vi ~vpopmail/etc/vlimits.default
# in particular set the default mailbox size to be something reasonable eg 20Mb
default_quota 20971520
Optionally, nominate a “default domain”. Users in this domain can login to POP3 etc using just their username. Users from all other domains need to use their full email address as their login name.
Setup the quota warning message that is sent to users when they are at 90% quota
vi quotawarn.msg
From: SomeCompany Postmaster <postmaster@yourdomain.com>
Reply-To: postmaster@yourdomain.com
To: SomeCompany User:;
Subject: Mail quota warning
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Your mailbox on the server is now more than 90% full.
So that you can continue to receive mail,
you need to remove some messages from your mailbox.
If you require assistance with this,
please contact our support department :
email : support@yourdomain.com
Tel : xx xxxx xxxx
This gives you info such as name, crypted password, cleartext password, dir, quota, usage%, last auth.
It has a number of flags to let you see the individual fields, or you can see them all if you dont use any flags.
It also creates the maildirsize file in the users dir
Logging in via POP3
When your users are setting up their POP3 email clients (eg Outlook Express), they should use settings like this :
My incoming mail server is a POP3 server
Incoming mail server (POP3): pop3.yourdomain.com
Outgoing mail server (SMTP): smtp.yourdomain.com
POP3 account name : theirusername@yourdomain.com
Password: theirpassword
When you configured vpopmail, you had the opportunity to nominate a “default” domain. When users from the default domain authenticate, it is optional for them to add the @yourdomain.com onto the end of their username. If vpopmail sees that no domain has been specified by the user, then it will automatically perform the auth against the nominated default domain. If you are hosting multiple domains, then everyone who is NOT in the default domain MUST add their domain name onto the end of their username. (A small percentage of email programs eg Netscape Mail v4.7 do not permit the use of the @ symbol in account name. In this case you can use the % symbol instead of the @ symbol)
vpopmail roaming users :
With qmail, the typical way to control mail relaying is to put a list of rules into a file called tcp.smtp. The tcprules program is then used to compile this file into cdb database format with the output being stored in a file called tcp.smtp.cdb. The tcpserver program is configured (using the -x parameter) to read this file and thus know which SMTP clients are permitted to relay mail.
This type of configuration works well if there is a known range of IP addresses that are permitted to relay mail. eg the IP’s on the qmail server’s local LAN. However if the qmail server needs to provide outbound SMTP services for clients who may be connecting from any IP, you are going to run into problems. What is needed is some way to automate the process of granting users the ability to relay mail, without opening up access to all and sundry on the Internet.
vpopmail includes a solution for this problem. The solution is known as “roaming users” and is typically implemented with a technique known as “POP-before-SMTP”. Once a client has successfully authenticated via POP3, vpopmail will add the client’s IP to a list. vpopmail then merges this list with the contents of the tcp.smtp file and runs the tcprules program to compile a new version of the tcp.smtp.cdb file. Thus the client can now relay mail.
In addition to storing the client’s IP address, vpopmail will also store the time of authentication. The postmaster uses a cronjob on the qmail server to periodically (eg once per hour) run the clearopensmtp program. This program scans through the list of roaming clients and removes any entries that exceed the nominated age (eg 3 hours). This ensures that the list of IPs does not grow out of bounds, and that the roaming IPs are closed within a reasonable timeframe after being opened.
configure options for vpopmail that relate to roaming users :
./configure \
--enable-roaming-users \ <- enable roaming users functionality
--enable-tcprules-prog=path \ <- defaults to /usr/local/bin/tcprules
--enable-tcpserver-file=path \ <- defaults to /home/vpopmail/etc/tcp.smtp
--enable-relay-clear-minutes=minutes <- defaults to 180
Example /var/qmail/supervise/qmail-smtpd/run file :
qmail servers are typically built with the tcp.smtp files being located in the /etc directory. This is not usually suitable for vpopmail roaming users, since the /etc directory will (should) not have write permissions for the vpopmail user. Therefore it is not going to be possible for vpopmail to write out updated versions of the tcp.smtp.cdb file. For use with roaming users, it is recommended that the tcp.smtp files are stored in ~vpopmail/etc
If a user auths, and their IP already exists in the roaming IP list, the timestamp for the entry is updated, but the tcprules program is not run. There is no need to rebuild the tcp.smtp.cdb file as the IP address is already permitted to relay. Rebuilding the file will only waste disk and CPU time.
If the vpopmail server is using the default cdb authentication backend, then the list of roaming IPs will be stored in a file called ~vpopmail/etc/open-smtp. If the vpopmail server is using the MySQL backend, the roaming IPs will be stored in a database table called relay. The SQL backend will give better performance on a busy server. Either way though, you should be cautious about enabling roaming user functionality on a very busy server, as a large amount of disk and CPU will be used with the continual rebuilding of the tcp.smtp.cdb file. If the server is busy enough you could run into nasty file locking issues which will cause vpopmail password authentication to intermittently fail. If you absolutely must have POP-before-SMTP functionality on your busy server, then there are only two possible solutions that I can think of : 1) you could try putting the tcp.smtp files onto a RAM disk, or 2) use vpopmail’s MySQL auth backend plus use Matt Simerson’s tcpserver patch that allows all of the tcp.smtp files to be stored in MySQL
For POP-before-SMTP to work, the POP3 daemon will need to run under the tcpserver program. This is because vpopmail uses tcpserver’s TCPREMOTEIP environment variable to work out what IP address the POP3 user is connecting from.
Over time POP-before-SMTP is becoming a less favored way of allowing roaming users to relay mail. SMTP-Auth appears to becoming the more preferred option, as it scales much more easily on a busy server. However for a small to medium sized server, POP-before-SMTP is still quite a workable option. If you would like investigate the use of SMTP-Auth take a look at this patch http://www.fehcom.de/qmail/smtpauth.html#PATCHES
IMAP-before-SMTP is possible when using Courier-IMAP v3.x. However it only works when configured “–with-authvchkpw –without-authdaemon”. When running –without-authdaemon, Courier-IMAP’s authvchkpw code is able to make use of vpopmail’s roaming user functions to allow IMAP-before-SMTP functionality. IMAP-before-SMTP is not possible when Courier-IMAP has been complied –with-authdaemon, because in this mode the user’s IP address is not made available to the authvchkpw code (via the TCPREMOTEIP env var). Also note that in Courier-IMAP v4.x and later, –without-authdaemon functionality is no longer available thus preventing IMAP-before-SMTP from working.
Qmailadmin uses the autorespond program for both autoresponse (“mail robot” in qmailadmin-speak), and vacation response duties. However this is pretty badly FUBAR. Reason being is the autorespond.c is written to do duties as an autoresponse program only. “Out of the box” it doesn’t behave correctly when doing vacation response duties. The code inside the program can be easily tweaked to work correctly as a vacation responder, but this will break the autoresponder functionality. Unfortunately the settings are mutually exclusive. In my opinion the correct solution is to create two variations of this program, autorespond.c and vacation.c, install them both, and then tweak qmailadmin to call the right binary for the right job. I have opened a bug report on the qmailadmin sourceforge site to try and get this problem sorted out. If you read back through the qmailadmin and vpopmail archives, you will see the the autoresponder stuff is an ongoing saga
(Optional) Make a small mod that affects the look of the qmailadmin login page
edit the lang/en file, and change record 112 “Username” rather than “User Account”
(We found our users knew what to type as their “Username”, but didn’t know what to type as a “User Account”)
# note, I chose to have 12 accounts per page in the config above,
# because this makes these particular screens fit nicely on my 1024*768 monitor
make
make install-strip
Test to see if it works
http://webmail.yourdomain.com/cgi-bin/qmailadmin
If you login a domain postmaster, then you should get the screens where you can view all and add/remove mailboxes, aliases, mailinglists etc on the domain. etc
If you login as a user, you can only access your own mailbox settings (eg password, forwards, vacation messages)
Setting limits :
You can setup limits on any domains where required by putting a .qmailadmin-limits file into the domain’s virtual dir (/home/vpopmail/domains/yourdomain.com). Make sure vpopmail user has read permissions for this file.
Syntax of .qmailadmin-limits file is as follows :
maxpopaccounts X
maxforwards X
maxmailinglists X
maxautoresponders X
Set X to be the maximum desired number for that feature
Set X to be 0 if you want to disable that feature & menu item
There are also some other settings that can be specified in the .qmailadmin-limits file, refer to section 6 of the qmailadmin installation instructions (http://inter7.com/qmailadmin/install.txt) for more info
A bit of a long-winded misc note to myself :
(If you are setting up your vpopmail server for the first time, then this block of text has no relevance to you. You can skip straight past this waffle and go onto the next section…)
As of qmailadmin-1.0.21, you cant create “aliases” any more. What qmailadmin previously created as aliases, are now created as forwards. Aliases dump incoming mail for that aliased address directly into the recipient user’s Maildir. The problem with this is it bypassed any further “.qmail” processing, meaning that you ran into problems if you were trying to setup some of the more fancy things (like per-user SpamAssassin configurations?). Using forwards bypasses this problem as the message will get re-injected back into the queue for delivery.
However this change does cause some problems for sites that already have existing aliases in use. The problem is that when you go into qmailadmin-1.0.21 and select the forwards screen, all the existing aliases and forwards for that domain are displayed.
Problem # 1 : For mail that is being redirected to a local account, you can’t tell from this screen whether the user is getting alias or forward delivery. If you were trying to setup some tricky per-user stuff, then you are going to get variable results because some users may be configured as alias, and others are configured as forward, but you cant easily tell which is which from this screen
Problem # 2 : Up the top there is a count showing “[Used # / limit]“. This count relates to the number of forwards in use and the maxforwards qmailadmin-limits setting. The count ignores any existing aliases. This could potentially cause confusion for domain postmasters as you will be looking at a screen full of accounts and if some of them have been previously setup as aliases then it is going to be hard to reconcile the reported count against the number of accounts displayed on the screen
What is needed is some sort of utility that will scan and find existing aliases and convert them over to the now-preferred forward syntax…. That would keep the delivery method consistent for all users, and would also eliminate any problems with the qmailadmin-limits code
Note: As of qmailadmin-1.0.25, there is a tool for converting existing aliases to forwards. Look in the contrib dir for the tools called alias2forward.pl
valias processing :
qmailadmin v1.2.1 and later store aliases and autoresponders in valias table if vpopmail was compiled with –enable-valias. If you are upgrading from a previous version of QmailAdmin and used the –enable-valias option when building vpopmail, be sure to download vpopmail 5.4.1 or later and use the dotqmail2valias program to convert .qmail-alias files to valias table entries.
Courier-IMAP is an IMAP server. Having an IMAP server is a prerequisite to be able run a IMAP-client WebMail system like SquirrelMail. Courier-IMAP is good choice because it has support for vpopmail authentication and maildir mailboxes.
Then I like to use the ntsysv program to double-check that courier-authlib is set to launch at boot time
If you aren’t ready to reboot the server now, you can fire up the authentication libraries in the mean time with this command :
/etc/rc.d/init.d/courier-authlib start
At this point the courier-authlib software should be running. A good way to verify this is to use this command :
ps axf
And if all is well, you should be able to see something like this :
23689 ? S 0:00 /usr/local/courier-authlib/sbin/courierlogger -pid=/usr/local/courier-authlib/var/spool/
23690 ? S 0:00 \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
23702 ? S 0:00 \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
23703 ? S 0:00 \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
23704 ? S 0:00 \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
23705 ? S 0:00 \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
23706 ? S 0:00 \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
FAM + Courier-IMAP on Redhat 7.3 doesnt seem very stable. On old Linux platforms, I would recommend you remove FAM before trying to install Courier-IMAP ( By the way, the alternative/replacement package GAMIN seems to works OK with Courier-IMAP on newer platforms like FC4/FC5/CentOS43)
# note, if you are running redhat/fedora, you may have to add a
# --with-redhat
# to the list of configuration settings above
make
make install
make install-configure
The Courier-IMAP package includes 4 servers that can be individually enabled/disabled : IMAP, IMAP-SSL, POP3, POP3SSL. In this example, we are only using the IMAP server.
<-- Max number of IMAP daemons
<-- All connections will be coming from single IP (SquirrelMail on localhost)
<-- Enable automatic purging of mail from these folders
<-- allow our init.d script (below) to boot up the imapd
Configure Courier-IMAP so it is running all the time from bootup onwards
Then I like to use the ntsysv program to double-check that courier-imap is set to launch at boot time
If you aren’t ready to reboot the server now, you can fire up Courier-IMAP in the mean time with this command :
/etc/rc.d/init.d/courier-imap start
At this point the Courier-IMAP software should be running. A good way to verify this is to use this command :
ps axf
And if all is well, you should be able to see something like this :
1030 ? S 0:02 /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
1031 ? S 1:00 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
1032 ? S 0:59 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
1033 ? S 1:01 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
1035 ? S 1:02 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
1036 ? S 1:02 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
17566 ? S 0:00 /usr/local/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/local/courier-
17569 ? S 0:00 /usr/local/courier-authlib/sbin/courierlogger imapd
SQWEBMAIL
SqWebMail is a webmail program written by the authors of Courier-Authlib/Courier-IMAP. Most webmail packages use POP3 or IMAP, but SqWebMail is a bit different – it accesses the Maildirs directly.
I wouldn’t really recommend SqWebMail ( you are better off using the Squirrelmail instructions below). But I regularly see people asking how to install SqWebMail, so I am going to add some notes here to show what the required steps would be if you chose to use this package instead of Courier-IMAP / Squirrelmail. I wont go into a heap of detail, but here are the steps you would need to follow
Note, to run SqWebMail, you still need to have Courer-Authlib installed as per the instructions above, but you don’t have to install Courier-IMAP. You can run Courier-IMAP if you want, it wont interfere with SqWebMail.
echo '#!/bin/sh' > /usr/local/bin/sqwebmail-banner.sh
echo '##' >> /usr/local/bin/sqwebmail-banner.sh
echo '## This progam is called by sqwebmail for each [#B#] tag in the html templates' >> /usr/local/bin/sqwebmail-banner.sh
echo '## The ARGV[0] will be the name of the html template that launched the call' >> /usr/local/bin/sqwebmail-banner.sh
echo '##' >> /usr/local/bin/sqwebmail-banner.sh
echo 'echo "<center>YourISP support - call xxxx xxxx</center>"' >> /usr/local/bin/sqwebmail-banner.sh
chmod 755 /usr/local/bin/sqwebmail-banner.sh
# If you get a pcre error during sqwebmail configure, you will probably need to do this :
# cd /usr/local/src
# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-6.4.tar.gz
# tar xzf pcre-6.4.tar.gz
# chown -R root.root pcre-6.4
# cd pcre-6.4
# ./configure
# make
# make install
To customise look/feel, you can modify the HTML files in /usr/local/sqwebmail/share/sqwebmail/html/en, and also the css file /usr/local/apache/htdocs/images/sqwebmail
the text with yellow background is specific to using MySQL backend. if you don’t want to use MySQL backend, then just skip over these sections….
Go to the SquirrelMail download page, and save the latest source to /usr/local/src. In this example I have used :
squirrelmail-1.4.4.tar.gz
Download and unpack all the sources
cd /usr/local/apache/htdocs
tar xzf /usr/local/src/squirrelmail-1.4.4.tar.gz
chown -R root.www squirrelmail-1.4.4
chmod -R 750 squirrelmail-1.4.4
ln -s squirrelmail-1.4.4 squirrelmail
Create the required directory structure
mkdir /var/squirrelmail
# create the data dir. This is where users personal preferences are stored if not using MySQL backend
mkdir /var/squirrelmail/data
# create the attach dir. This is where temp files for emails in progress are store
mkdir /var/squirrelmail/attach
SquirrelMail allows you to add your company logo to the login page. So whack a copy of your logo into the Apache images directory so it is available for SquirrelMail to use
D. SET PRE-DEFINED SETTINGS FOR SPECIFIC IMAP SERVERS
Choose Courier
1. ORGANIZATION PREFERENCES
1. Organization name : YourCompany WebMail
2. Organization Logo : /images/yourcompanylogo-100.gif
3. Org. Logo Height/Width : 100/100
4. Organization title : YourCompany WebMail (v$version)
7. Provider link : http://www.yourdomain.com
8. Provider name : YourCompany
2. SERVER SETTINGS
1. Domain : yourdomain.com
3. FOLDER DEFAULTS
15. Default Unseen Type : 2
4. GENERAL OPTIONS
1. Data directory : /var/squirrelmail/data
2. Attachment directory : /var/squirrelmail/attach
5. Usernames in lower case : true
7. Hide SM attributions : true
11. Allow server-side sorting : false
( Note, server-sorting is faster, but I personally find the sort results to be not as "intuitive"
compared with when you let SquirrelMail do the sorting. If you toggle this option on/off and compare
the resultant displays in SquirrelMail you will see what I mean. For example if you server-sort the
FROM column then the sort will be done senders email address, whereas if you let SquirrelMail do the
sort then column will be sorted on senders name. I would suggest you try toggling this
option on and off to make your own decision on which sorting method provides the better results.)
6. ADDRESS BOOKS
2. Use Javascript Address Book Search : True
9. DATABASE
1. DSN for address book : mysql://squirreluser:squirrelpassword@localhost/squirrelmail
3. DSN for preferences : mysql://squirreluser:squirrelpassword@localhost/squirrelmail
Now Save and quit the config program
Create the necessary database and tables in MySQL, so that SquirrelMail can store the address books and user preferences there :
cd /usr/local/mysql/bin
./mysql --password="mysql-root-pwd"
CREATE DATABASE squirrelmail;
GRANT select,insert,update,delete ON squirrelmail.*
TO squirreluser@localhost IDENTIFIED BY 'squirrelpassword';
USE squirrelmail;
CREATE TABLE address (
owner varchar(128) DEFAULT '' NOT NULL,
nickname varchar(16) DEFAULT '' NOT NULL,
firstname varchar(128) DEFAULT '' NOT NULL,
lastname varchar(128) DEFAULT '' NOT NULL,
email varchar(128) DEFAULT '' NOT NULL,
label varchar(255),
PRIMARY KEY (owner,nickname),
KEY firstname (firstname,lastname)
);
CREATE TABLE userprefs (
user varchar(128) DEFAULT '' NOT NULL,
prefkey varchar(64) DEFAULT '' NOT NULL,
prefval blob DEFAULT '' NOT NULL,
PRIMARY KEY (user,prefkey)
);
quit
You can define what default SquirrelMail settings that users will receive when they log in.
For MySQL backend
cd /usr/local/apache/htdocs/squirrelmail
# replace the default preferences definition in the db_prefs file
# with our own customised defaults.
# Open the file, scroll down and replace the existing "var $default"
# entry (on line 102) with our customised version shown below
vi functions/db_prefs.php
When SquirrelMail users are composing a message that has attachment(s), the attachment is temporarily stored in the /var/squirrelmail/attach directory. When the user sends the message, the associated temp files will get deleted.
However sometimes the temp files do not get deleted (eg if the user closes their browser mid-compose?). Since the permissions on this directory are setup (as a security measure) to prevent the webserver from listing the files in this directory, there is no way for Apache/SquirrelMail to do a periodic scan/purge of old files.
So we are going to setup a daily crontab to clean up any attachments that get left hanging around
crontab -e
# delete any files that are more than 2 days old from the SquirrelMail attachment dir
0 0 * * * find /var/squirrelmail/attach/* -atime +2 -exec /bin/rm {} \;
Install the quota_usage plugin so users can see their mailbox quota usage
cd /usr/local/apache/htdocs/squirrelmail/plugins
tar xzf /usr/local/src/quota_usage-1.2.tar.gz
cp quota_usage/config.php.sample quota_usage/config.php
chown -R root.www quota_usage
chmod -R o-rx quota_usage
# qmailadmin and the other tools all classify a 1Mb as 1048576 bytes (1024 * 1024 )
# Fix up the quota_plugin so it works with the same units.
# Otherwise your quota would show as 20M in qmailadmin, and 21M in SquirrelMail :-/
vi quota_usage/functions.php
Go to line 43 and change the value 1000000 to 1048576
cd /usr/local/apache/htdocs/squirrelmail/plugins
tar xzf /usr/local/src/secure_login-1.2-1.2.8.tar.gz
cp secure_login/config.php.sample secure_login/config.php
chown -R root.www secure_login
chmod -R o-rx secure_login
cd ../config
perl conf.pl
8. Plugins, and choose secure_login
Optionally, modify SquirrelMail so that it will any failed login attempts to the syslog
modify squirrelmail/functions/imap_general.php
search for the line that has “Unknown user or password incorrect”
above this line add :
syslog(LOG_MAIL|LOG_NOTICE,"Squirrelmail login failed for Username : $username, Password : $password");
now failed SquirrelMail logins will be logged to /var/log/maillog
We also added some code to squirrelmail/src/login.php to add a notes page to the login screen. We inserted this chunk just before the line that says “do_hook(‘login_bottom’);
echo "<BR><CENTER>".
"<TABLE BORDER=1 WIDTH=75%><TR><TD ALIGN=CENTER><FONT FACE=Arial SIZE=2>".
"<P><B><FONT SIZE=3>IMPORTANT NOTES REGARDING THE WEBMAIL SYSTEM</FONT></B></P>".
"<P><B>AUTOMATIC MAIL DELETION</B></P>".
"<P>The mail server will automatically delete mail from the<BR> ".
"following folders after the specified number of days :<br>".
"Trash Folder - 7 days, Sent Folder - 30 days".
"<P><B>POP3 MAIL CLIENTS</B></P>".
"<P>If you check your mail using a POP3 mail client (such as Outlook Express),<BR> ".
"it will download and delete the mail from your WebMail inbox.</P>".
"<P>If you want to be able to download the mail using POP3 and also<BR> ".
"leave it on the server so you can see it with WebMail, you will need<BR> ".
"to adjust the settings in your POP3 client to tell it not to delete<BR> ".
"mail after downloading.</P>".
"<P>For example, to configure this in Outlook Express you would go to<br> ".
"<i>Tools -> Accounts -> Mail -> Properties -> Advanced</i><BR> ".
"and then tick the box<BR><i>'Leave a copy of message on server'</i><P>".
"</FONT>".
"</TD><TR></TABLE></CENTER>";
Now, another cosmetic change… : modify the squirrelmail/src/login.php and change the wording of “Name:” to “Email address:”.
Next, we setup a default document in the web servers root, to redirect our customers through to the SquirrelMail login page. That way when people want to access the WebMail tool they can point their browser to “http://webmail.yourdomain.com” and they will get automatically redirected through to the SquirrelMail directory
vi /usr/local/apache/htdocs/index.html
<HTML>
<HEAD>
<TITLE>Redirect to WebMail login screen...</TITLE>
<META HTTP-EQUIV="refresh" CONTENT="1; url=http://webmail.yourdomain.com/squirrelmail/">
</HEAD>
<BODY>
Redirecting to the WebMail login screen...<br>
<a href=squirrelmail/>Click here if you are not automatically redirected</a>
</BODY>
</HTML>
SPAM AND VIRUS CHECKING
OK, now you have a working mail server.. You have loaded all your users and they are giving the new system a good workout. Everything is running nice and smoothly. You sit back and think “my job is done!”
Until… users starting coming to you and saying… “Hey, this new mail server is really good… But how do I block out all these viruses and spam?”… Uh oh…!
Well, luckily the answer is relatively easy….. The qmail-scanner program lets us easily implement anti-spam and anti-virus. Installation instructions follow :
If Razor is installed, SpamAssassin will automatically include it in the list of tests run. We found that Razor is quite accurate in identifying spam, and it only added small amount of extra CPU load on the server, so it is definitely worth installing. Note though, that I believe the licensing of Razor states that it isn’t free for commercial use – so you should probably check the docs before deciding whether you wish to enable this function or not
Compile and install :
# install the pre-requisite modules for razor
perl -MCPAN -e shell
#(enter your way through all the questions. The only one you will likely have to answer is regarding your Continent/Country)
# tell the cpan shell to follow the dependency tree and automatically grab any required modules
o conf prerequisites_policy follow
# make sure you have some of the basic tools needed to get the CPAN downloads working smoothly
install LWP MD5
# install the razor pre-requisites now
install Net::Ping Net::DNS Time::HiRes Digest::SHA1 Getopt::Long File::Copy Digest::Nilsimsa URI::Escape
SpamAssassin is program that scans email messages using a set of rules, and then assigns a score. If the score is higher than your nominated limit, then the message will be tagged as spam.
# install the pre-requisite modules for spamassassin
perl -MCPAN -e shell
# tell the cpan shell to follow the dependency tree and automatically grab any required modules
o conf prerequisites_policy follow
# make sure we have all the SpamAssassin prerequisites installed
install Digest::SHA1 HTML::Parser Storable MIME::Base64 DB_File Net::DNS Net::SMTP Mail::SPF::Query IP::Country::Fast BerkeleyDB
tar xzf Mail-SpamAssassin-3.1.2.tar.gz
chown -R root.root Mail-SpamAssassin-3.1.2
cd Mail-SpamAssassin-3.1.2
perl Makefile.PL
make
make install
cd ..
“make install” creates the following main files :
/usr/bin/spamassassin <- This is the command-line version of the SpamAssassin program
/usr/bin/spamc <- Daemonised SpamAssassin client
/usr/bin/spamd <- Daemonised SpamAssassin server
/usr/share/spamassassin/ <- The SpamAssassin logic/filter files live here
/etc/mail/spamassassin/local.cf <- sitewide configuration settings
Test to see if the installation was successful. (Watch the output from the script. SpamAssassin will add headers to the message. In particular look for the “X-Spam-Status: ” and see if it correctly tags the message with a Yes or No)
To improve security, modify the configuration of the spamd daemon so it runs under its own uid
Create a spamd user for the spamd process to run as
groupadd spamd
useradd -g spamd spamd
Modify / create the spamd configuration file
vi /etc/sysconfig/spamassassin
# Hint : if you want to enable SpamAssassin debugging
# (the debug output goes to /var/log/maillog) then use :
# SPAMDOPTIONS="-x -u spamd -H /home/spamd -d -D"
# Don't leave debugging turned on unnecessarily though,
# because it will slow down a busy server.
#
# Otherwise, for normal operation (debugging disabled) use following combo :
# -x means not to look for any per-user preferences ( since all our users are virtual)
# -u means to run as userid spamd
# -H tells the addon apps like .razor to store all their files into eg /home/spamd/.razor
# -d tells spamd to run as a daemon
SPAMDOPTIONS="-x -u spamd -H /home/spamd -d"
Configure the spamd daemon so it is running all the time from bootup onwards
cp spamd/redhat-rc-script.sh /etc/rc.d/init.d/spamd
chmod 700 /etc/rc.d/init.d/spamd
cd ..
chkconfig --add spamd
Then I like to use the ntsysv program to double-check that spamd is set to launch at boot time
Setup the SpamAssassin configuration
vi /etc/mail/spamassassin/local.cf
# Define the sensitivity level.
required_score 5
# Allow SpamAssassin to rewrite the subject line of any messages it classifies as spam
# This is the value that will prepended to the subject line of messages classified as spam
rewrite_header Subject [SPAM]
# Put spam analysis reports into to the headers of the message (rather than the body)
report_safe 0
# Enable SpamAssassin's RBL checking features :
# Although we have already done some RBL filtering earier in qmail's rblsmtpd program,
# it is still recommended to turn on RBL checking in SpamAssassin, as it will run
# checks against a variety of different RBL sources, and the results will help
# tag spam more accurately
skip_rbl_checks 0
# If we haven't received a response from the RBL server in X seconds, then skip that test
rbl_timeout 3
# You can nominate any netblocks that you control, and contain mailservers that
# you trust. IE you control the mailservers in these netblocks so there is no
# need to be running RBL checks against these particular servers.
# You should include all the netblocks used by email clients on your local lan.
# Also make sure you include any netblocks that host your mail servers.
trusted_networks 127.0.0.1
trusted_networks 123.123.123.0/24
# Enable auto-learning
use_bayes 1
bayes_auto_learn 1
# we are going to run a single global bayes db for all users ( rather than a db per user)
bayes_path /home/spamd/.spamassassin/bayes
# Enable auto-whitelisting
use_auto_whitelist 1
Just to make sure the bayes database directory will be setup correctly :
If you wish to view all the possible configuration options, use this command :
perldoc Mail::SpamAssassin::Conf
Enable the razor functions
vi /etc/mail/spamassassin/v310.pre
#uncomment the following line :
loadplugin Mail::SpamAssassin::Plugin::Razor2
OK, the SpamAssassin software is now fully installed!
Any mail that SpamAssassin classifies as spam will have [SPAM] added to the subject line. You should now probably setup some docs for your users showing them how they can use message filtering rules in their email client. You can see our message filtering guides here
If you aren’t ready to reboot the server now, you can fire up spamd in the mean time with this command :
/etc/rc.d/init.d/spamd start
If all goes well you will see some output like this :
(Note that spam filtering isn’t actually operational on your server yet, you need to use the qmail-scanner program to feed mail through the SpamAssassin scripts)
Clam antivirus can run in two different modes. Either as a normal command line scanner, or as a client/daemon pair.
When working as a command line scanner, you perform your scanning using the program “clamscan”. If a complex program like a virus scanner is run repetitively (ie being launched for every email that passes through your system), it chews up a lot of CPU/disk resources. To get around this issue you can launch Clam as a daemon (clamd). This is where a copy of Clam is launched and stays active in the background. You then do your scanning using the clamdscan client, which is only small, thus making it fast to launch/run. The client sends commands to the daemon, and the daemon will take care of scanning the message and returning the results to the client. (The same technique is used by SpamAssassin where you can use the full spamassassin command line version, or the spamc/spamd client/daemon pair).
In a busy environment, there is no doubt that the client/daemon method is the best way to go
Then I like to use the ntsysv program to double-check that clamd is set to launch at boot time
If you aren’t ready to reboot the server now, you can fire up clamd in the mean time with this command :
/etc/rc.d/init.d/clamd start
At this point the clamd software should be running. A good way to verify this is to use this command :
ps axf
And if all is well, you should be able to see something like this :
18144 ? S 0:00 /usr/local/sbin/clamd
Setup the freshclam configuration file
vi /usr/local/etc/freshclam.conf
# make sure you comment out the "example" line
LogSyslog
DatabaseOwner clamav
DatabaseMirror db.au.clamav.net (where "au" matches your country code)
NotifyClamd
Configure freshclam to start on boot
vi /etc/rc.d/rc.local
/usr/local/bin/freshclam -d
Launch freshclam now
/usr/local/bin/freshclam -d
At this point the freshclam software should be running. A good way to verify this is to use this command :
ps axf
And if all is well, you should be able to see something like this :
Qmail-Scanner is an add-on that enables a qmail server to scan messages for certain characteristics. It is typically used for its anti-virus protection functions, in which case it is used in conjunction with commercial (or open source) virus scanners. It also capable of blocking email that contains specific strings in particular headers, or particular attachment filenames or types (e.g. *.VBS attachments).
Install the required supporting modules for Qmail-Scanner
bunzip2 maildrop-2.0.1.tar.bz2
tar xf maildrop-2.0.1.tar
chown -R root.root maildrop-2.0.1.tar
cd maildrop-2.0.1
./configure
make
make install-strip
make install-man
cd ..
A “Qmail-Scanner ST patch” has been released by Salvatore Toribio, which greatly extends the functionality of qmail-scanner. The patch adds extra features to help deal with spam (such as dropping messages that exceed a certain SpamAssassin score). We are going to use this patch, as it makes qmail-scanner much more useful.
For qmailscanner to work correctly with clamav, you need to adjust clamav to run under the qscand username
vi /usr/local/etc/clamd.conf
# look for the line that says "User clamav" and replace with
User qscand
/etc/rc.d/init.d/clamd restart
Configure Qmail-Scanner :
# Here are the settings we used at our site for configuring Qmail-Scanner :
#
# configure Qmail-Scanner to work in the following manner :
# - notify a nominated admin each time a virus is detected
# (in this case it will be virusadmin@yourdomain.com)
# - use the client/server version of Clam AV for anti-virus scanning.
# - enable support for spamc/spamd in "verbose" mode.
# Qmail-Scanner can run spamd in "fast" mode or "verbose" mode.
# You can read more about this at the Qmail-Scanner FAQ page.
# I would recommend that you use verbose mode as this allows you to get access to
# the full reporting/tagging features that SpamAssassin can provide. It costs you
# a fraction more CPU power, but provides a much greater range of features.
# - Use a medium level of sensitivity when blocking mail due to broken MIME formatting
#
# THE COMMANDS HIGHLIGHTED IN BLUE BELOW ARE FROM THE QMAIL-SCANNER-ST PATCH
# - sa-delete sets the point that spam mail is autodeleted.
# sa-delete is a relative value to the SpamAssassin required_hits.
# so in our case, the spam will be deleted at a score of 10
Edit the perscanner file which is used to block mail that contains particular strings. perlscanner is a tool that is included with qmail-scanner, and it is executed after all the other anti-virus scanners have run (eg clamscan). This system provides a good failsafe in case some new virus comes along that the virus-scanner cant detect yet. perlscanner is perfect for blocking those virus-prone attachments that have no legitimate purpose in email.
vi /var/spool/qscan/quarantine-events.txt
Uncomment the following lines :
.lnk SIZE=-1 LNK files not allowed per Company security policy
.wsh SIZE=-1 WSH files not allowed per Company security policy
.vbs SIZE=-1 VBS files not allowed per Company security policy
.scr SIZE=-1 SCR files not allowed per Company security policy
.hta SIZE=-1 HTA files not allowed per Company security policy
.pif SIZE=-1 PIF files not allowed per Company security policy
.cpl SIZE=-1 CPL files not allowed per Company security policy
# rebuild the perlscanner database
setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g
Any SMTP sessions that are dropped (due to network outages/etc) may lead to files lying around in /var/spool/qmailscan . Running /var/qmail/bin/qmail-scanner-queue.pl -z at least once daily will ensure such files are deleted when they’re over 30 hours old. We will make a cronjob to do that :
Now define what mail is to be sent through the Qmail-Scanner, also make sure that your qmail-smtpd script allocates sufficient resources to support the needs of Qmail-Scanner + Antivirus + SpamAssassin. At our site, we have configured Qmail-Scanner to virusscan all messages (ie inbound and outbound mail). We did this by setting up our our /var/qmail/supervise/qmail-smtpd/run file like this :
vi /var/qmail/supervise/qmail-smtpd/run
#!/bin/sh
# when QMAILQUEUE is set, all mail will be sent to the nominated script
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
# softlimit needs to be set at something large such as 15000000
# to allow virusscanning software to run successfully
exec /usr/local/bin/softlimit -m 15000000 \
/usr/local/bin/tcpserver \
-v -x /etc/tcp.smtp.cdb \
-c 20 -R -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
... and the rest of the file snipped ...
However, if you don’t want to virusscan all mail, you can selectively nominate which IP ranges should or shouldn’t be checked by setting the QMAILQUEUE variable via your /etc/tcp.smtp file rather than inside the supervise/qmail-smtpd/run file. Refer to the Qmail-Scanner home page for setup examples.
QMAIL-SCANNER / SPAMASSASSIN NOTES :
How can I tell if SpamAssassin is working?
Each time SpamAssassin processes a message, it will log some information to /var/log/maillog (score, message size, time taken to process)
Not all mail gets passed through SpamAssassin
We have configured our supervise/qmail-smtpd/run script so that it runs Qmail-Scanner for every mail message. This means all incoming and outgoing mail will get virus-checked. However this doesn’t necessarily mean that every message passing through Qmail-Scanner will also get sent through SpamAssassin.
Qmail-Scanner has been coded so that messages are only passed onto SpamAssassin if the RELAYCLIENT variable from tcp.smtp is not set. The idea behind this to reduce load on the system by not running SpamAssassin on mail originated by your users.
It is possible to force SpamAssassin checking for local users if you choose by setting QS_SPAMASSASSIN=”on” for the appropriate entries in your tcp.smtp file
Is it possible to configure per-user settings for SpamAssassin?
It depends on your configuration. We believe it will be possible to implement an interface so that vpopmail users can turn SpamAssassin checking on/off, and also set their own custom required_hits. We are hoping to store these settings as additional columns in the vpopmail MySQL database… Stay tuned and we will post more info as it comes to hand
Can I make it so that all the spam get sent to my a SPAM or TRASH folder?
“ps axf” is your friend. Particularly useful for visualising how the supervise/qmail processes all fit together.
“ps axfu” is good for double checking what accounts that individual server processes are running under
SOME EXAMPLE MAILBOX MANAGEMENT SCRIPTS :
Since all the information for your email domains and mailboxes are store in MySQL, it is easy to create scripts so your support staff can quickly navigate / view all this account information.
Our support staff’s intranet site is a Windows 2000 machine running IIS5 with ASP. Here is a couple of example ASP scripts that I hacked together that show what can be achieved : vpopmail-asp-scripts.v120.zip.. No doubt it would be easy enough though to use these same techniques in PHP if you are running linux/apache for your intranet
The script “viewvlogs” allows you to view browse through the vpopmail “vlog” table in MySQL to look for people who have failed to auth successfully when trying to check mail.
The script “viewpop3″ allows you to see a list of email domains hosted on your server. You can do things like view all users from a domain, or view an individual mailbox. The output will show useful things like clear passwords, mailbox size. Also there are buttons that will log you into qmailadmin or SquirrelMail as a given user using just a single mouse click
On a related subject, have you ever wanted to be able to create mailboxes “on-the-fly” via a webpage or similar? Well if you are running the MySQL back-end, then you are in luck! It is possible to use an INSERT command to create the new user in the MySQL. When the user 1st POP/IMAP’s into their account, or when they first receive a message, their mailbox will automatically be created on the hard disk of the mail server. I have an example showing how I create mailboxes on-the-fly from an IIS server using an ASP script asp-vpopmail-passwd-entries.txt. ( And here is another link that shows how you can generate suitably encrypted passwords using PHP ). And there is some more spirited discussion on this subject here http://www.mail-archive.com/qmailadmin@inter7.com/msg03509.html
TODO :
Use netqmail-1.05
Update to MySQL v4.x
Use Fedora rather than Redhat
Other misc ramblings :
I sold the ISP that I used to own to a larger national provider, and now “I work for them”. At this larger company we use Postfix (and amavisd/spamassassin/clamd) rather than qmail (and qmail-scanner/spamd/clamd). After learning Postfix I can confidently say that it is a much superior MTA to qmail. However even the most pro-Postfix staff are amazed at the ease of use of the vpopmail/qmail system. Although Postfix also has virtual mailbox support, there is no easy-to-use package like vpopmail for driving this system. Since I now spend my days working with Postfix, my development of this webpage has slowed somewhat. Hopefully I will be able to find the time to keep this page fairly up to date I have published a Postfix server guide
No further changes will be made to this guide. See the text at the top of the document for more info.
13th September 2006 :
Updated the URL of the page to new site.
I have an updated version of this guide probably 90% written – based on CentOS / Fedora with RPM installs of many apps… Let me know if you are interested in seeing it !
13th June 2006 :
Updated the SpamAssassin v3.1.2
For safety sake, added a mkdir/chown for /home/spamd/.spamassassin dir (Thanks to Steven Looi for the tip)
Updated to Courier-IMAP v4.1.1
Added a note about FAM to the Courier-IMAP section.
Thương mại điện tử đã phát triển khác xa 10 năm trước và hiện nay, tính ứng dụng luôn được đặt lên hàng đầu. Sự nổi tiếng của một website đôi khi lại nhờ những yếu tố tưởng như rất nhỏ nhặt.
Ảnh: Larta.
1. Thông báo người sử dụng đang ở đâu
Bất cứ khi nào người dùng truy cập đến một gian hàng, website cần hiển thị vị trí của họ trong cấu trúc chung của site, chẳng hạn Home > Category > Sub-cat > Product.
2. Phân loại đa dạng
Website phải cung cấp đủ các chuẩn phân loại như “Giá cả” (Từ cao đến thấp, Từ thấp đến cao), “Tính phổ biến” (Bán chạy nhất, Được người dùng đánh giá cao nhất…), “Tính năng”, “Màu sắc”, “Kích cỡ”, “Sản phẩm mới” để khách hàng thỏa sức lựa chọn theo tiêu chí của riêng họ mà không gặp khó khăn.
3. Hiển thị tất cả sản phẩm cùng loại trên một trang
Trừ khi số sản phẩm lên tới hơn 200, website nên tạo điều kiện cho người sử dụng quan sát tổng thể các mặt hàng để họ dễ đối chiếu. Điều này cũng không khó thực hiện nhờ sự phổ biến của băng thông rộng hiện nay.
4. Càng chi tiết càng tốt
Một website sẽ được đánh giá cao nếu cung cấp một vài thông tin ấn tượng trước khi khách hàng bấm vào trang riêng về sản phẩm đó.
5. Chia sẻ thông tin có ích
Nhiều người sử dụng cho biết họ đã thấy rất nhiều mẫu quần áo đẹp, phù hợp “gu” thẩm mỹ của họ nhưng lại không biết bộ đồ đó có vừa với số đo của mình hay không. Hay không ít website kinh doanh cặp laptop “quên” thông báo chiếc cặp đó phù hợp cho máy tính xách tay 14 inch, 15 inch hay 17 inch…
5. Đặt thanh tìm kiếm ở vị trí dễ thấy
Ngay cả khi thực hiện xong lệnh search, website vẫn nên đặt thanh tìm kiếm ở vị trí trung tâm và giữ lại từ khóa cũ trong trường hợp người sử dụng muốn điều chỉnh lệnh để đạt kết quả phù hợp hơn. Bên cạnh đó, hệ thống tìm kiếm nâng cao theo giá cả, màu sắc, kích cỡ… sẽ không bao giờ thừa với khách hàng. (Người dùng vẫn xếp “tìm kiếm” là tính năng khó chịu nhất trên các website thương mại điện tử).
6. “Khoe” tối đa kho hàng của bạn
eBay mở rộng kết quả tìm kiếm bằng cách loại bỏ bớt từ khóa. Ảnh chụp màn hình.
eBay đã rất thông minh trong việc hiển thị sản phẩm mà họ có dựa trên lệnh tìm kiếm của khách hàng. Chỉ một chi tiết nhỏ thôi cũng góp phần thúc đẩy công việc kinh doanh của chủ nhân một gian hàng trực tuyến.
7. Thông báo ngay nếu hết hàng
Người sử dụng sẽ khó chịu nếu họ dành cả tiếng đồng hồ ngắm nghía sản phẩm nhưng mãi đến khi bấm chọn nó thì mới phát hiện ra rằng mặt hàng đó không còn trong kho.
8. Trực quan sinh động
Do không thể cảm nhận sản phẩm như trong đời thực, ảnh, video và những lời nhận xét là thông tin vô giá với khách hàng. Một bức ảnh ở một góc chụp duy nhất không thể đủ thuyết phục người mua.
9. Các cách chuyển hàng
Website nên liệt kê các phương pháp thanh toán và phân phối hàng hóa để người sử dụng xem có phù hợp với hoàn cảnh của họ không trước khi bắt đầu mua sắm.
10. Khẳng định giao dịch qua e-mail
Một khách hàng của Dell cho hay anh ta rất lo lắng không hiểu chiếc laptop mình đặt mua có được chuyển đến trước chuyến du lịch Trung Quốc không bởi anh không muốn dành 28 giờ trên máy bay mà thiếu máy tính. Rất may, e-mail khẳng định thời hạn giao hàng của Dell đã giúp anh bình tâm.
utside2 192.168.1.1 security0
MZ 172.17.1.1 security50
#
# Dont download kernel updates, or our /boot will overflow eventually.
# Dont download mysql updates, as I have seen mysql shutdown and not automatically come back up.
#
# If we want to update kernel or mysql, we can run these manually via a "yum update".
50 10 * * 1-5 /usr/bin/yum --exclude=kernel* --exclude=hal --exclude=mysql* -y update
##ThreshDir: /home/httpd/stats/thresh
ThreshProgI[_]: /home/httpd/stats/mrtg-threshwarn.pl
ThreshProgOKI[_]: /home/httpd/stats/mrtg-threshwarn.pl
ThreshProgO[_]: /home/httpd/stats/mrtg-threshwarn.pl
ThreshProgOKO[_]: /home/httpd/stats/mrtg-threshwarn.pl
