Difference between revisions of "Configure mail server"
Revision as of 05:48, 9 August 2009
Configure mail server (Organic Design procedure)
Exim4 (MTA & MDA)
Exim4 is the default mail transfer and delivery agent for Debian, but only the light version is installed by default, which is insufficient for running a mail server, so the organicdesign-server package includes the exim4-daemon-heavy package, which replaces the light version. Exim is designed to move messages from one e-mail server to another and to deliver messages to local users' mailboxes. It has nothing to do with POP3 or IMAP, as those are protocols relating to the retrieval of mail by a user and their mail client software. The default Exim configuration allows the server to send mail, but if you plan on running an IMAP or POP3 server, then additional configuration is required, which is discussed here.
First, run through the standard Exim4 configuration script: say no to splitting configuration files, set the general mail configuration to "internet site", and keep any non-self-explanatory settings at their defaults.
Next Exim must be told to use the maildir method of local delivery so that it matches our POP3/IMAP settings. Check /etc/exim4/update-exim4.conf.conf and append dc_localdelivery='maildir_home' if that line isn't already present.
Restart the mail server:
Handling multiple domains
You may want to handle mail for a few domains on one server, in which case some generic usernames like "accounts" will conflict with the local user names, or with the same names used by other domains. This is based on Blair Harrison's method from this Waikato LUG article, which adds virtual domain support to Exim4. This allows any incoming email address to be mapped to any other internal user mailbox, or to an external email address.
Change the local_domains setting in /etc/exim4/exim4.conf.template (or in /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs if you're using split-file config) to the following:
Next go to the section starting with "real_local" and add a new section as follows (in the split configuration, this section should be added in a new file called /etc/exim4/conf.d/router/300_exim4-config_virtual):
Now you will need a file called /etc/exim4/virtual.domains that is simply a list of all the domains for which you accept mail, in the following format:
Don't forget to rebuild the configuration and restart the mail server:
Setting up mail users
To add or modify the mail users, edit the /etc/exim4/virtual.users file. Following are some examples to highlight some of the most popular scenarios:
Testing delivery
Before moving on to SMTP or IMAP configuration, you should test that email sent to your local users/domains is being delivered properly. The mails will be delivered to the users' home directories in ~/Maildir/cur/. You can cat the files to see the textual content of the messages stored there.
Setting up a secure SMTP server with authentication
Since many people in the organisation may be working with laptops in the field, it's useful for the server to run its own SMTP server so that settings don't need to be changed when moving from one ISP to another for internet access. The SMTP server will need to use authentication and encryption so that it can't be used for spamming.
Setting up a secure SMTP server with authentication is quite simple using Exim4's plaintext authenticator with TLS encryption. Here we'll enable SMTP for all clients and we'll require authentication in the form of a single user/password used by all the clients (we could upgrade this later to use the client's IMAP login, this, this and this may help with those changes). First generate your certificates as follows:
Then add the following to the first section of /etc/exim4/exim4.conf.template. The second directive adds a second SMTP port, since many ISPs restrict outgoing traffic on port 25 to their own SMTP server only.
Using a global inline SMTP user and password
Next find the section containing the string "plain_server" and add a similar entry as follows, but replace the USER and PASSWORD with the global authentication you want all clients to use.
Using the native Linux user accounts and passwords
To use the native Linux accounts for SMTP authentication, the /etc/shadow file must be made accessible to the Debian-exim group:
Next use the same plain_server as shown above, but change the server_condition to the following:
Test sending mail to an external domain
Restart the exim4 server and the server should be ready to accept SMTP requests!
To set up the clients use the user name and password defined above, organicdesign.co.nz for the server, 2525 for the port and TLS for security.
To test that SMTP is working and is not accessible to spammers, test sending emails to non-local recipients (as delivery to local domains is unrestricted). Try sending without authentication to ensure that it fails. Also test sending to a local domain from another SMTP server (such as your ISP's) to ensure that normal delivery is working correctly.
DoveCot (IMAP & POP3)
The organicdesign-server package installs DoveCot, an IMAP and POP3 server. DoveCot responds to mail client requests by retrieving the mails from file and returning them to the client. It does not deal with receiving mail or storing it to disk.
We go with a configuration which is as close to default as possible and gives us both POP3 and IMAP services, which both work with either TLS or SSL but not plain text. The users are by default the native Linux users and passwords on the system. The minimal configuration necessary is a couple of edits to /etc/dovecot/dovecot.conf.
First, specify which protocols to use (you may like to only allow imaps and pop3s for extra security).
Next, add a section defining the ports for each protocol as follows (you may like to change to non-standard ports for extra security):
Finally, scroll down to the Mailbox locations and namespaces section and uncomment the first example which says the following:
SSL Certificate
The certificates are built automatically upon installation to match the server's primary domain name. To rebuild them for a different mailserver domain name, run the dovecot-cert.sh script, enter the organisation details and the mailserver domain in the Common Name field, then restart dovecot.
Spam Assassin
The spamassassin and spamc packages are required, but have now been included in the organicdesign-server package. The configuration file /etc/default/spamassassin needs to be edited and the ENABLED option set to 1. Remember to start spamassassin from init.d after enabling it.
The exim4 configuration, which on our servers is in the /etc/exim4/exim4.conf.template file because we use the monolithic configuration method, needs to be adjusted.
Add the following section after the line containing end router/800_exim4-config_maildrop
Add the following section before the line containing end transport/30_exim4-config_remote_smtp_smarthost
Note: be sure to check that the spamc binary is in the location specified, and that the spamd daemon is running.
At this point, after exim4 is restarted, all messages should have extra headers added by spamassassin for example:
Moving spams to another folder automatically
Mails which have been marked as spam by spamassassin can be automatically moved into a specific mail folder by using an Exim filter. First you may have to edit the exim4 configuration again and uncomment the allow_filter option in the 600_exim4-config_userforward section. We haven't had to do this so far because it is currently enabled by default.
To make a new filter, create a file in your home directory called .forward and ensure it is owned by the user in question, then add a rule such as the following example from our server, which forwards the spams straight into the Trash folder.
- Important: do not change the comment in the first line!
- Important: use \40 for spaces in the target directory name (escaped octal!)
- Note: you can use make-forwards.pl to create them automatically for all users who don't already have one
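As an added example (not the wiki's make-forwards.pl or its .forward text), the following script builds and installs a per-user Exim filter that files spam into a maildir folder, taking care of the two points above: the fixed first-line comment and the \40 escaping of spaces. Matching on the X-Spam-Flag header that SpamAssassin adds is an assumption about how spam is recognised.

```python
import os
import pwd
from pathlib import Path

# Added example, not the wiki's make-forwards.pl: build and install a
# per-user .forward Exim filter that saves SpamAssassin-flagged mail into a
# maildir folder. Testing the X-Spam-Flag header is an assumption.


def maildir_target(folder):
    """Exim 'save' target for a folder such as 'Trash' or 'Not Spam'.
    Spaces become the octal escape \\40 (literal backslash-4-0) and the
    trailing slash tells Exim the destination is a maildir, not an mbox."""
    return "$home/Maildir/." + folder.replace(" ", "\\40") + "/"


def spam_filter(folder="Trash"):
    """Filter text. The first line must be exactly '# Exim filter';
    without it Exim reads the file as a plain list of forwarding addresses."""
    return "\n".join([
        "# Exim filter",
        "",
        "# SpamAssassin adds X-Spam-Flag: YES to mail it classified as spam",
        'if $h_X-Spam-Flag: contains "YES"',
        "then",
        "  save " + maildir_target(folder),
        "endif",
        "",
    ])


def install_forward(home, folder="Trash", owner=None):
    """Write HOME/.forward unless the user already has one, returning True
    if a file was written. When an owner login name is given and we run as
    root, chown it to that user, since Exim will not use a filter that is
    not owned by the recipient."""
    dest = Path(home) / ".forward"
    if dest.exists():
        return False
    dest.write_text(spam_filter(folder))
    dest.chmod(0o644)
    if owner is not None and os.geteuid() == 0:
        pw = pwd.getpwnam(owner)
        os.chown(dest, pw.pw_uid, pw.pw_gid)
    return True
```

Run it as root over each home directory (for example from a daily housekeeping job) to get the same effect as the wiki's make-forwards.pl.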
Teaching spamassassin
Spamassassin comes with a script called sa-learn which is designed to parse mail directories, given the information that the messages within them are either spam or "ham" (not spam). We have a Perl script called learn-spam.pl which resides in the /var/www directory and is run each morning. It scans all our users' Inbox/Spam and Inbox/Not Spam mail folders, into which users should place their incorrectly assigned spam and non-spam messages. Note: the messages are removed after being processed, so the messages in your Not Spam folder should be copies, whereas those in the Spam folder can just be moved since you won't need them.
The sa-learn man page has some good information about Spamassassin's Bayesian learning mechanism, the following snippet is from there.
Learning filters require training to be effective. If you don't train them, they won't work. In addition, you need to train them with new messages regularly to keep them up-to-date, or their data will become stale and impact accuracy.
You need to train with both spam and ham mails. One type of mail alone will not have any effect.
Note that if your mail folders contain things like forwarded spam, discussions of spam-catching rules, etc., this will cause trouble. You should avoid scanning those messages if possible. (An easy way to do this is to move them aside, into a folder which is not scanned.)
If the messages you are learning from have already been filtered through SpamAssassin, the learner will compensate for this. In effect, it learns what each message would look like if you had run "spamassassin -d" over it in advance.
Another thing to be aware of, is that typically you should aim to train with at least 1000 messages of spam, and 1000 ham messages, if possible. More is better, but anything over about 5000 messages does not improve accuracy significantly in our tests.
To check how many spams and hams the system has processed, as well as some other internal data, use sa-learn --dump magic. Here's the output from our system on 24 Dec 2008, which clearly shows that we haven't been feeding it enough ham! It shows that if we feed it ham at the same rate as spam, then it would start becoming useful in about another couple of weeks :-)
Here's a couple of lines of Perl which extract and print the number of spams and hams from the output shown above. I added this to our daily housekeeping script so that it appears in our recent changes each day.
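The same extraction in Python, as an added example rather than the wiki's Perl snippet: it parses the sa-learn --dump magic layout from a constructed sample (the counts are made up), and reports whether Bayes scoring is active yet, using SpamAssassin's default thresholds of 200 spam and 200 ham (bayes_min_spam_num and bayes_min_ham_num).

```python
import re
import subprocess

# Added example, not the wiki's Perl housekeeping snippet. SpamAssassin only
# scores with Bayes once both nspam and nham reach these defaults.
MIN_SPAM = 200
MIN_HAM = 200

# Constructed sample in the real `sa-learn --dump magic` layout: the third
# column is the value and the label follows "non-token data:".
SAMPLE_MAGIC = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0       7326          0  non-token data: nspam
0.000          0        158          0  non-token data: nham
0.000          0     168574          0  non-token data: ntokens
0.000          0 1229640003          0  non-token data: oldest atime
0.000          0 1230127197          0  non-token data: newest atime
"""

MAGIC_LINE = re.compile(r"^\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data: (.+?)\s*$")


def parse_magic(text):
    """Return {label: value} for each non-token data line; others are ignored."""
    counts = {}
    for line in text.splitlines():
        m = MAGIC_LINE.match(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
    return counts


def bayes_active(counts):
    """True once both thresholds are met, i.e. Bayes rules actually fire."""
    return counts.get("nspam", 0) >= MIN_SPAM and counts.get("nham", 0) >= MIN_HAM


def summary(counts):
    """One line for a daily housekeeping report, like the wiki's Perl output."""
    nspam, nham = counts.get("nspam", 0), counts.get("nham", 0)
    line = f"spam: {nspam}, ham: {nham}, tokens: {counts.get('ntokens', 0)}"
    if bayes_active(counts):
        return line + " (bayes active)"
    missing = []
    if nspam < MIN_SPAM:
        missing.append(f"{MIN_SPAM - nspam} more spam")
    if nham < MIN_HAM:
        missing.append(f"{MIN_HAM - nham} more ham")
    return line + " (bayes inactive: need " + " and ".join(missing) + ")"


def dump_magic():
    """Run sa-learn on the server as the user owning the Bayes database."""
    out = subprocess.run(["sa-learn", "--dump", "magic"],
                         capture_output=True, text=True, check=True)
    return parse_magic(out.stdout)


if __name__ == "__main__":
    print(summary(parse_magic(SAMPLE_MAGIC)))
```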
Our training script, /var/www/learn-spam.pl, is run daily from the crontab and contains the following:
To test if the script is working properly, run it manually from the shell at such a time as you know there are spams to be processed and you should see messages stating that new tokens have been learned such as in the following example output.
Backing up & restoring the Bayesian database
Since the Bayesian database takes a month or so to build up to a useful state, it's important to be able to back it up in case it gets corrupted or if the server needs to be rebuilt. Such a backup can also be used in the installation process of any new server so that there's no need to go through the initial learning process for each new installation.
To back up the database use sa-learn --backup > mybackup.txt and to restore it again, first clear any existing data if there is any with sa-learn --clear and then use sa-learn --restore mybackup.txt to restore from the backup file.
Updating SpamAssassin's rules
In addition to relying on the Bayesian database, it's also useful to run the sa-update script every month or so, which downloads refined rules from the SpamAssassin channel. GPG keys are used to ensure that the rules are coming from the correct source, but I haven't got these working yet. Following is the command to run the update without checking the channel for authenticity; if this is not specified it won't replace the current rules with the downloaded ones. The spamd daemon must be restarted after the rules have been updated.
Client setup
Any standard mail client such as Thunderbird or Outlook should connect with no trouble, but our procedure doesn't yet include the generation of a valid SSL certificate, so you'll get a warning initially which you can specify to be ignored for subsequent connections.
POP3 & IMAP together
It is possible to use both POP3 and IMAP together for the same account because they are simply different protocols for accessing the same mail. There's probably no useful purpose in doing that, but if you do then make sure the POP client settings are configured to leave the messages on the server, otherwise any messages downloaded from the inbox will be removed and will therefore not be available from the IMAP inbox folder either. Note that any messages that have been moved out of the inbox into another folder using IMAP will no longer be available for download by POP3, because it only interacts with the inbox folder, which is the root mailbox.
The settings for client access for Organic Design are: organicdesign.co.nz, IMAP, port 993, use SSL.
SMTP settings
To set the email client to use the organisation's SMTP server, go to Account settings/Outgoing server (SMTP) and add a new one called Organic Design with server address organicdesign.co.nz, port 2525 and TLS security. Use the login and password specified above for use by the whole organisation for SMTP (later this may be changed to individual IMAP login details).
You may want to keep your ISP's SMTP server as the default since it will work more quickly being more local and not requiring encryption or authentication, but you can easily make the Organic Design SMTP server the default when working in the field.
Detailed procedure
We have a detailed procedure with screenshots for connecting to the mail server using Outlook here: Set up an IMAP account on Outlook 2007
Domain setup
Reverse DNS
Some mail servers don't accept mail from sources that don't have a valid reverse DNS lookup available. You'll need to contact your hosting provider or ISP about getting reverse DNS entries added for your IP addresses.
NZ domains
Our NZ domains are handled through WebDrive. The main setup is done from the associated domain template. Assign a primary and secondary MX record with a subdomain each. Both subdomains must explicitly exist as A records in the template.
Other domains
Our non .co.nz domains are handled through NameCheap, so I'll cover the setup for them, but it should be easy to adjust to any name hosting service. In the all host records page for your domain, go to mail settings at the bottom, and set it to "User Simplified" then click save changes.
Now scroll to the bottom of the page again and fill in the "User Simplified" form, set HOST NAME to "mail" (this setting seems to be superfluous), fill in the MAILSERVER IP and set the MX PREF to 1, then click save changes.
RoundCube (IMAP-only webmail)
We need to have access to our IMAP folder structures from a browser, and we use the RoundCube webmail application for this purpose.
First ensure that the sub-domains which should have webmail access have a rule in the web-server configuration mapping them to the RoundCube code base, which can be downloaded from here and should be saved to /var/www/domains/webmail. See set up a new domain name for details on mapping a sub-domain to a web application code-base.
Next, go to your.domain/installer and follow their installation procedure. Use localhost for the server addresses (you may need to use ssl://localhost if non-ssl is denied by the server). You'll need to manually create the MySQL database:
The installer tests whether the database exists and is writable, then allows you to initialise it with a button. At this point you can also test the IMAP login and SMTP sending. 
Manually populating the database
Under some (currently unknown) circumstances the database tables are not created by the web installer, so you may need to manually populate the database with tables by logging into MySQL and running the following:
Note the execute command does not end with a ";"
Once all these are working, go to the root of the webmail domain and login.
Upgrading
To upgrade the Roundcube code-base, download and unpack the new version and set the ownership to www-data and the mode to 755 for all the files. Next set the ownership of config, logs and temp to root.
Copy the distribution config files, then transfer the settings from the old version's config files to the new ones. In our configuration there is only one setting in db.inc.php, which is the mysql database connection line, and there are three settings in main.inc.php: the default_host, which is "ssl://localhost", the des_key, and the product_name, which is "OrganicDesign Webmail".
Exim broken after apt-get upgrade
We had a major problem with exim after doing an apt-get upgrade, where the configuration files were incompatible with the new format. The error was something like the following:
From the message it would seem that this problem started when I decided to keep my configuration file rather than allow it to be replaced by the new one. I did this because of all the changes shown above that I would have had to do again, but I shouldn't have been so lazy, because after it broke it took far longer to figure out how to fix the problem. In the end I just had to completely purge Exim4 and re-install from scratch as follows:
And from there go through all the instructions above to re-apply our configuration from scratch again!
imapsync
nad@nad-laptop:~$ apt-cache search imapsync
imapcopy - IMAP backup, copy and migration tool
imapsync - IMAP synchronization, copy and migration tool
See also
- Mail Server Overview - in DoveCot manual
- Exim4 manual
- Exim4 configuration functions and variables
- Exim4 configuration directives
- Exim4 generic router options
- The Exim4 queryprogram router - routing messages according to an external program
- The Exim4 pipe transport
- Adding a local scan to Exim4