Posted by mike Filed Under Squirrelmail with Comments Off
Transferring Mail to IMAP
You may have mail that you want to move to the new IMAP account you created with Postfix and Squirrelmail. In that case, create a directory to hold it; in this example a directory named OldMail has been created.

The Postfix Training Manual has more information.
If you move mail from a different account, or from another Outlook Express account, either by forwarding mail to a folder or by drag and drop, you may want to scan it for viruses. You can do this manually with ClamAV. In this example the virtual mail is located in /var/vmail, the scan is recursive (“-r”), and only infected files are reported on screen (“--infected”).
clamscan -r --infected /var/vmail
----------- SCAN SUMMARY -----------
Known viruses: 806314
Engine version: 0.96.1
Scanned directories: 116
Scanned files: 129
Infected files: 0
Data scanned: 0.24 MB
Data read: 0.24 MB (ratio 1.00:1)
Time: 6.315 sec (0 m 6 s)
Posted by mike Filed Under Squirrelmail with Comments Off
Outlook Express and SquirrelMail Folders
The first problem that you may experience with Outlook Express or other email clients is multiple folders that appear to be duplicated. By default Squirrelmail places folders under the INBOX location, while Outlook and other clients place them at the top level. This is easily fixed.
Here you can see the problem in Outlook Express.

This is the way it looks in Squirrelmail with the problem.

The first thing to do is to consolidate your mail directories so that if you have mail in INBOX:Drafts you forward or move it to Drafts.

Once you have consolidated the mail, unsubscribe from the mailbox; upon refresh the mailbox will be removed.

You may also want to remove the unused mailboxes in Outlook Express.

The next thing you want to do is to modify the mailboxes in Squirrelmail. Execute the configuration script and modify the mailbox directories so that, instead of having the prefix INBOX, they are at the top level and work with your clients.
/usr/share/squirrelmail/config/conf.pl
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color on
S Save data
Q Quit
Select Folder defaults.
[INBOX.Sent]: Sent
[INBOX.Drafts]: Drafts
Save the changes in Squirrelmail.
The result is cleaned-up mailboxes; you can then add any others that you want.

Posted by mike Filed Under Mail Client with Comments Off
Thunderbird Client Configuration
Client configuration can be just as big a problem as the setup of the server. One of the problems is that not all clients, on either Linux or Windows, are capable of handling TLS or SMTP AUTH. That is getting better, but it is still a problem. One great alternative client is Thunderbird (Icedove if you are on Debian). Here is a step-by-step approach to setting up the Thunderbird client for TLS and SMTP AUTH.
Create an account.

Enter a name for the account and the email address you want to use.

In the example, IMAP is the server of choice. This allows you to retrieve mail and also leave the mail on the server so you could share accounts. An important setting is the “Incoming Server”. Make sure you enter a FQDN (Fully Qualified Domain Name) which means it must have a hostname and domain name.

Now configure an incoming user name.

Check your account settings. One important setting is the “Outgoing Server” at the end of the file. The “Outgoing Server” is the server that will authenticate the mobile user and allow you to send email through the mail server.

If you do not have anything set for the “Outgoing Server”, just skip down in the tutorial to see how to set it up.

The “Server Settings” is how you will retrieve mail. Note that the server is listening on port 993 so that it is secure, IMAPS. Also note to select SSL in this setting so the port is changed.
Here is how to configure the “Outgoing Server”. Note the port number, the User Name that you will authenticate with and that TLS is selected.

If your mail server and client are configured correctly, you will be able to send and receive mail securely.
Posted by mike Filed Under Mail Client with Comments Off
Configure Microsoft Outlook Express with TLS and SMTP_AUTH. This is a common issue that can be overlooked by administrators for users who insist on using Outlook Express. The set up for secure login and sending email is not intuitive.
For more information on how to configure Postfix you can consider Postfix Self-Directed Course or the Postfix Live Course.
First you need to create the account, so choose Tools-Accounts-Add. The Display name is simply how it will look in the list.

Enter the full email address here.

Select IMAP for your mail server. This gives you a number of options in that you can access your mail in several different ways, web based or on your desktop. Your mail server must have a FQDN, Fully Qualified Domain Name, in other words three parts separated by periods, the hostname and the domain. If you do not know the mail server name find out before you continue. The outgoing mail server must also be listed and they are typically the same.

Provide an account name, again this will typically be the full email address, so this could be test@example.com. Enter your password if you want to have it check that automatically.

This will complete the first stage.

Once it is created, right click the account and choose properties. Now fill in the email address if not done so already.

Go to the Server tab and be sure the incoming and outgoing mail servers are set. Also verify the email address and that you have the password set if you want it to be automatic.

At the bottom of the page you see the “Outgoing Mail Server”; check this box and select Settings. Your email account can be used to authenticate when you send email. This is SMTP_AUTH: it allows only people with email accounts on the server to send email. In other words, this is what stops spammers from using your mail server as a relay but still allows you to send email.

Now go to the Advanced tab. Make sure your mail is going out on port 25 and you have selected the SSL option, as you see. Also, be sure to select 993 for incoming and SSL. What this does is provide encrypted communication between the user and your mail server.

That completes the Microsoft Outlook Express configuration. Now you can allow those Microsoft users to start enjoying the security and stability of Postfix.
Posted by mike Filed Under Filters with Comments Off
Amavisd-new provides Policy Banks that allow you to manage messages based on the client or sender. For example, if you wanted senders to be able to send to email lists without using server resources to scan these outgoing messages with Spamassassin and ClamAV, you could create a Policy Bank.
Solution: Specify Clients Who Can Bypass Scanning
This solution lets the mail server skip the scanning process to save system resources. It requires you to add an additional port so you can separate the options.
master.cf
Notice that there are two ports here. Port 10024 assumes you are using Amavis to scan incoming mail with a re-injection port. Port 10026 lets you separate outgoing mail so that it avoids scanning and saves resources on your server.
smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=smtp-amavis:[127.0.0.1]:10024
4025      inet  n       -       n       -       -       smtpd
    -o mynetworks=127.0.0.0/8,192.168.1.0/24
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
smtp-amavis unix -      -       n       -       6       smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
    -o max_use=20
    -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
You need to add the additional port and set up the Policy Bank in amavisd.conf.
$inet_socket_port = [10024, 10026];
Then set up the Policy Bank named “SERVER” and attach it to port 10026.
$interface_policy{'10026'} = 'SERVER';
$policy_bank{'SERVER'} = {              # Server mail submitted to port 4025
    originating => 1,                   # mail submitted by server
    bypass_spam_checks_maps => [1],     # no spam check
    bypass_banned_checks_maps => [1],   # no banned check
    bypass_header_checks_maps => [1],   # no header checks
};
Alternatively, mail sent to port 4025 can avoid the content filter altogether. By placing an IP address in the amavis_bypass_client table you control which clients are able to use this option.
4025      inet  n       -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_client_restrictions=hash:/etc/postfix/amavis_bypass_client,reject
The reject will stop other clients from having this option.
contents of /etc/postfix/amavis_bypass_client:
192.168.7.9 OK
Once you have made the changes you want, restart Postfix and amavis and check the network connections to verify that your ports are listening. You should see these four ports.
netstat -aunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4025 0.0.0.0:* LISTEN
Examples of what you should see in the logs.
Outgoing Mail Scanned with Spamassassin before changes.
Mail sent out is tagged as SPAMMY and scores 6.282
Jan 30 06:22:58 mail postfix/pickup[9525]: C22BA73479D: uid=501 from=<tom>
Jan 30 06:22:58 mail postfix/cleanup[9600]: C22BA73479D: message-id=<20100130132258.C22BA73479D@mail.testexample.com>
Jan 30 06:22:58 mail postfix/qmgr[9526]: C22BA73479D: from=<tom@testexample.com>, size=309, nrcpt=1 (queue active)
Jan 30 06:23:13 mail amavis[9566]: (09566-01) Passed SPAMMY, <tom@testexample.com> -> <joe@example.com>, Message-ID: <20100130132258.C22BA73479D@mail.testexample.com>, mail_id: y-Y0FBXjT2KH, Hits: 6.282, size: 309, queued_as: DF09F734795, 14102 ms
After Changes No Scan
This indicates that Spamassassin did not scan the mail as there are no hits.
Jan 30 07:11:22 mail amavis[10249]: (10249-01) Passed CLEAN, <tom@testexample.com> -> <joe@example.com>, Message-ID: <20100130141111.EC9A6734791@mail.testexample.com>, mail_id: 7fdE5pMr6Zjb, Hits: -, size: 298, queued_as: 77B6073478D, 10576 ms
Incoming Mail Indicates it is Scanned
Jan 30 17:40:38 mail amavis[19274]: (19274-01) 2822.From: <joe@example.com>
Jan 30 17:40:38 mail amavis[19274]: (19274-01) collect banned table[0]: tom@testexample.com, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x983e7a0)
Jan 30 17:40:38 mail amavis[19274]: (19274-01) p.path tom@testexample.com: "P=p001,L=1,M=text/plain,T=asc"
Jan 30 17:40:43 mail amavis[19274]: (19274-01) spam_scan: score=6.283 autolearn=no tests=[FH_DATE_PAST_20XX=3.384,TVD_SPACE_RATIO=2.899]
Jan 30 17:40:43 mail amavis[19274]: (19274-01) do_notify_and_quar: ccat=Spammy (5,0) ("5":Spammy, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(), qar_mth=
Jan 30 17:40:43 mail amavis[19274]: (19274-01) SPAM-TAG, <joe@example.com> -> <tom@testexample.com>, Yes, score=6.283 tagged_above=2 required=6.2 tests=[FH_DATE_PAST_20XX=3.384, TVD_SPACE_RATIO=2.899] autolearn=no
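Added example, not part of the original post: one way to audit the mail log after enabling the bypass, so you can confirm that only the intended senders pass with "Hits: -". It assumes the amavis "Passed/Blocked" line format shown above; the sample log lines and function names are constructed for illustration.

```sh
#!/bin/sh
# Audit amavis result lines: which messages were spam-scanned and which were not.

# Constructed sample log lines in the format shown in the post.
sample_amavis_log() {
cat <<'EOF'
Jan 30 06:23:13 mail amavis[9566]: (09566-01) Passed SPAMMY, <tom@testexample.com> -> <joe@example.com>, Message-ID: <a1@mail.testexample.com>, mail_id: AAAAAAAAAAAA, Hits: 6.282, size: 309, queued_as: 1111111111A, 14102 ms
Jan 30 07:11:22 mail amavis[10249]: (10249-01) Passed CLEAN, <tom@testexample.com> -> <joe@example.com>, Message-ID: <a2@mail.testexample.com>, mail_id: BBBBBBBBBBBB, Hits: -, size: 298, queued_as: 2222222222B, 10576 ms
Jan 30 07:12:00 mail postfix/qmgr[9526]: 2222222222B: removed
Jan 30 07:15:40 mail amavis[10249]: (10249-02) Passed CLEAN, <list@testexample.com> -> <ann@example.com>,<bob@example.com>, Message-ID: <a3@mail.testexample.com>, mail_id: CCCCCCCCCCCC, Hits: -, size: 512, queued_as: 3333333333C, 840 ms
Jan 30 07:20:05 mail amavis[10249]: (10249-03) Passed CLEAN, <tom@testexample.com> -> <sue@example.com>, Message-ID: <a4@mail.testexample.com>, mail_id: DDDDDDDDDDDD, Hits: -, size: 301, queued_as: 4444444444D, 790 ms
EOF
}

# Read a mail log on stdin; print one tab-separated line per amavis result:
#   state <TAB> verdict <TAB> hits <TAB> sender -> recipient(s)
# state is UNSCANNED when amavis logged "Hits: -" (no SpamAssassin score).
amavis_scan_report() {
    awk '
    / amavis\[[0-9]+\]: .* (Passed|Blocked) / {
        # The first <addr> -> <addr>[,<addr>...] on the line is the envelope route.
        if (!match($0, /<[^>]*> -> <[^>]*>(,<[^>]*>)*/)) next
        route = substr($0, RSTART, RLENGTH)
        hits = "?"
        if (match($0, /Hits: [^,]*/)) hits = substr($0, RSTART + 6, RLENGTH - 6)
        verdict = "?"
        if (match($0, /(Passed|Blocked) [A-Z-]+/)) verdict = substr($0, RSTART, RLENGTH)
        state = (hits == "-") ? "UNSCANNED" : "scanned"
        printf "%s\t%s\t%s\t%s\n", state, verdict, hits, route
    }'
}

# Count unscanned messages per envelope sender, so an unexpected sender
# using the bypass stands out. Output: "<count> <sender>", sorted by sender.
amavis_unscanned_senders() {
    amavis_scan_report | awk -F'\t' '
        $1 == "UNSCANNED" { sub(/ -> .*/, "", $4); n[$4]++ }
        END { for (s in n) print n[s], s }' | sort -k2
}

# Demo on the constructed sample; on a real server feed the mail log instead,
# for example: amavis_unscanned_senders < /var/log/mail.log
sample_amavis_log | amavis_scan_report
sample_amavis_log | amavis_unscanned_senders
```

Any sender in the second list that is not one of your own list servers is a reason to review mynetworks or the amavis_bypass_client table.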
Posted by mike Filed Under Postfixadmin with Comments Off
Securing the PostfixAdmin Directory on Ubuntu
Many administrators who use PostfixAdmin, a web-based tool for managing virtual domains on Postfix, would like to secure the transactions between the PostfixAdmin program and the administrator. At the same time, you often do not want to add the extra burden of SSL to the whole domain and just want to secure one directory. The solution is to create a certificate for that one directory only and to lock that directory with a password so that only administrators can gain access. The example is on an Ubuntu 9.10 server, and the procedure will be very similar on most servers.
Enable the SSL module using the “a2enmod” command.
sudo a2enmod ssl
Module ssl installed; run /etc/init.d/apache2 force-reload to enable.
SSL Security with Apache
The next thing you’ll need for this is a server certificate. There are two ways to get one. You can either create your own self-signed certificate, or you can request one from a commercial Certificate Authority. A self-signed one will work fine if you’re just using it for your organization’s internal operations. But, if you’re dealing with the public, you’ll want a commercial certificate that verifies that you are who you say you are.
SSL, Secure Sockets Layer, is a protocol or language that is used to encrypt communication between clients and servers. This type of communication is necessary when transporting sensitive information like credit card processing or administrator passwords.
SSL is a protocol that uses TCP/IP on behalf of the higher-level protocols like HTTP. This protocol allows a SSL-enabled server to authenticate itself to a SSL-enabled client. In order to use SSL the client must request a connection on port 443 instead of the typical port 80 used by a web browser.
For either self signed or a commercial type of certificate, you’ll first need to create an encryption key:
sudo openssl genrsa -des3 -out server.key 1024
Password:
Generating RSA private key, 1024 bit long modulus
........................++++++
...........................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
You’ll now use this key to create a certificate request:
sudo openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MT
Locality Name (eg, city) []:TC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: ubmail.example.com/postfixadmin
Email Address []:fsmith@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
If you need a commercial certificate, you’ll now send this request to a commercial CA. If you’re creating your own self-signed certificate, you’ll use this request in the next step:
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=MT/L=TC/O=MyCompany/CN=ubmail.example.com/postfixadmin/emailAddress=fsmith@example.com
Getting Private key
Enter pass phrase for server.key:
Now, you’ll need to install the key and certificate by copying them to the appropriate directories:
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private
Open the /etc/apache2/sites-available/your_site_file for editing. In the “Virtual Host” section, under the “DocumentRoot” line, modify the following lines:
DocumentRoot /var/www/my_website/postfixadmin
The goal is to affect only the postfixadmin directory of your site, so that users can go to the other locations as normal without knowing that the postfixadmin directory location is different.
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
Save and exit.
Enable the default SSL site:
Or enable your own site. Remember that if you are using virtual hosting, you will have to use IP-based virtual hosting to assign the SSL certificate to an IP address.
sudo a2ensite default-ssl
After all of this is done, restart Apache:
service apache2 restart
Apache/2.2.12 mod_ssl/2.2.12 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server 127.0.1.1:80 (RSA)
Enter pass phrase:
Ok: Pass Phrase Dialog successful.
[ ok ]
Now that you’ve installed the private encryption key, you’ll need to supply your passphrase every time you start or restart Apache.
Once you get the “https” prefix right, you’ll get this if you’re using a self-signed certificate. You will have the choice to accept or reject the self-signed certificate.
You can accept the certificate, but you’re not through yet. There’s also the little detail of having a domain name on the certificate that doesn’t match the URL.
You can choose to view the certificate before deciding whether to accept or reject it.

You can see from the example above that an attempt to connect using regular http is not allowed, but if you type https://ubmail.example.com/postfixadmin it sends you to a secure login for postfixadmin, which you can then use securely.
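Added example, not part of the original tutorial: a few checks worth running on the key and certificate before Apache is pointed at them. The 2048-bit minimum and the 30-day expiry window are assumptions of this example (the 1024-bit key generated above would be flagged), and the function names and demo material are constructed.

```sh
#!/bin/sh
# Sanity checks for an RSA key and its certificate.
# An encrypted key, as created with -des3 above, will prompt for its pass phrase.

# key_bits KEYFILE: print the RSA modulus size in bits.
key_bits() {
    openssl rsa -in "$1" -noout -text |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# cert_matches_key CERT KEY: succeed only if both carry the same modulus.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for CERT SECONDS: succeed if the certificate is still valid then.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# key_is_private KEYFILE: succeed if group and other have no permission bits.
key_is_private() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_tls_pair CERT KEY: print findings; non-zero exit status on any problem.
check_tls_pair() {
    cert=$1 key=$2 rc=0
    bits=$(key_bits "$key")
    if [ -z "$bits" ]; then echo "FAIL cannot read key $key"; return 1; fi
    [ "$bits" -ge 2048 ] || { echo "FAIL key is only $bits bits"; rc=1; }
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL certificate does not belong to this key"; rc=1; }
    cert_valid_for "$cert" 2592000 ||
        { echo "FAIL certificate expires within 30 days"; rc=1; }
    key_is_private "$key" ||
        { echo "FAIL key file is accessible by group or other"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK $bits-bit key, matching certificate"; fi
    return "$rc"
}

# make_demo_pair DIR: constructed throwaway key and self-signed certificate,
# for trying the checks only. The CN is the host name alone, without a path.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=ubmail.example.com" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Usage: sh check_tls.sh /etc/ssl/certs/server.crt /etc/ssl/private/server.key
if [ "$#" -eq 2 ]; then check_tls_pair "$1" "$2"; fi
```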

Password Protected Directory
Now lock down the directory so that only an administrator with a password can get access.
Apache provides Password Authentication to directories using the htpasswd program. The first thing that needs to be done is to decide on where to place these password files. It is important that they are not placed in areas that are easily accessed as they should only be read by apache. It is probably best to place them in the /etc/apache2 directory. You may even want to create a separate more secure directory called within /etc/apache2. Use the htpasswd program to initialize a file for sales for example:
sudo htpasswd -c /etc/apache2/postfixadmin tom
The program will request a password and then to confirm the password. The -c option creates the file so DO NOT USE IT THE SECOND TIME!!!! If you do it will wipe out the first users you placed in the file. The password file will contain passwords for any number of people you want to have access to this folder. For example if you wanted to add mary later you would use this command:
sudo htpasswd /etc/apache2/postfixadmin mary
The next step is to make sure the permissions are correct on the password files. Change the owner to apache and change permissions to 600.
sudo chown www-data:www-data /etc/apache2/postfixadmin
The owner and group were changed to www-data. Note you will need to verify these permissions each time changes are made to the file.
sudo chmod 600 /etc/apache2/postfixadmin
Now the file rights are rw for the owner and nothing for group or other. This is an important setting.
Once a password file has been created, the directory that needs to be protected should be setup in the config file for your web server. The Directory directive is used to create the context of the file by using:
<Directory >
</Directory>
The first line shows which directory the password will protect.
<Directory /var/www/postfixadmin>
The second line determines the kind of authentication, which is Basic.
AuthType Basic
The AuthName will show on the login this text string to verify which group should use this directory.
AuthName "Admin Group"
The AuthUserFile is the file location for the password file.
AuthUserFile /etc/apache2/postfixadmin
Each user of the directory may be determined with specific listing of the user name and the inclusion of that password in the /etc/apache2/postfixadmin password file. “require user” will mandate that no one will be able to use this directory except those users listed.
require user tom jane mary joe
If there were a lot of people using the directory one password could be given to all users in the admin group for example.
<Directory /var/www/postfixadmin>
    AuthType Basic
    AuthName "Admin Group"
    AuthUserFile /etc/apache2/postfixadmin
    require user tom jane mary joe
</Directory>
Once you have saved this, restart Apache. You can see below that now not only is the connection encrypted, but users must also have a password to access the directory.

Posted by mike Filed Under Troubleshooting with Comments Off
What do you do when you have a massive overload of unwanted mail coming to your server? Recently I saw a Postfix mail server that had gone down some months ago but had tens of thousands of emails ready to be sent. When it was repaired it began sending tons of old mail... mail that simply no longer needed to be sent. This is a situation where you need to solve things fast.
The mailq command showed many thousands of messages being sent out. When the deferred queue was examined it was clear... all the mail was in the active queue. It looked something like this:
[root@mail postfix]# ls active/
The solution, though it is dangerous, was to delete all mail in the active queue as it was considered safer to get rid of all mail than to send thousands of old email to other servers.
rm -f /var/spool/postfix/active/*
This should only be considered a last resort, but …nice to have the option when needed.
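Added example, not part of the original post: when only mail older than a certain age has to go, the queue IDs can be selected by arrival time and handed to Postfix's own postsuper command instead of removing files with rm. It assumes Postfix 3.1 or later for the JSON output of "postqueue -j"; the sample records and function names are constructed.

```sh
#!/bin/sh
# Select queue IDs by message age from "postqueue -j" output (one JSON
# object per line) so they can be deleted with "postsuper -d -".

# Constructed sample records in the shape postqueue -j prints.
sample_queue_json() {
cat <<'EOF'
{"queue_name": "deferred", "queue_id": "OLD0000001", "arrival_time": 1690000000, "message_size": 309, "sender": "tom@testexample.com", "recipients": [{"address": "joe@example.com", "delay_reason": "connection timed out"}]}
{"queue_name": "active", "queue_id": "NEW0000001", "arrival_time": 1699990000, "message_size": 298, "sender": "tom@testexample.com", "recipients": [{"address": "joe@example.com"}]}
{"queue_name": "active", "queue_id": "OLD0000002", "arrival_time": 1600000000, "message_size": 512, "sender": "list@testexample.com", "recipients": [{"address": "ann@example.com"}]}
EOF
}

# old_queue_ids NOW_EPOCH MAX_AGE_DAYS [QUEUE_NAME]
# Reads postqueue -j output on stdin and prints the queue ID of every message
# that arrived more than MAX_AGE_DAYS before NOW_EPOCH, optionally limited to
# one queue (active, deferred, hold, incoming).
old_queue_ids() {
    case $1 in ''|*[!0-9]*) echo "NOW_EPOCH must be an integer" >&2; return 2 ;; esac
    case $2 in ''|*[!0-9]*) echo "MAX_AGE_DAYS must be an integer" >&2; return 2 ;; esac
    awk -v now="$1" -v days="$2" -v want="${3:-}" '
    # Return the value of a top-level string or number field, or "" if absent.
    function field(name,   re, s) {
        re = "\"" name "\": *\"?[^\",}]*"
        if (!match($0, re)) return ""
        s = substr($0, RSTART, RLENGTH)
        sub("^\"" name "\": *\"?", "", s)
        return s
    }
    {
        id = field("queue_id"); q = field("queue_name"); t = field("arrival_time")
        # Skip anything that does not look like a queue record.
        if (id !~ /^[0-9A-Za-z]+$/ || t !~ /^[0-9]+$/) next
        if (want != "" && q != want) next
        if (now - t > days * 86400) print id
    }'
}

# purge_old MAX_AGE_DAYS QUEUE_NAME: delete the selected messages through
# postsuper, which reads queue IDs from stdin when given "-d -".
purge_old() {
    postqueue -j | old_queue_ids "$(date +%s)" "$1" "$2" | postsuper -d - "$2"
}

# Dry run on the constructed sample: messages older than 30 days at the
# fixed reference time 1700000000.
sample_queue_json | old_queue_ids 1700000000 30
```

Run old_queue_ids on the live "postqueue -j" output first and review the list before calling purge_old.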
Posted by mike Filed Under Spam Control with Comments Off
Blacklists are a little easier to understand: you will find domains or senders from which you simply never want to receive mail.
There are two blacklist directives. The first directive, blacklist_from, specifies a sender address; that address is what will appear in the Resent-From, From, Envelope-Sender, Resent-Sender or X-Envelope-From header. When the sender address matches, a score of 100 is added, which effectively blocks mail from that user. Edit the /etc/mail/spamassassin/local.cf file to place these entries.
blacklist_from joe@badexample.com
blacklist_from badexample.com *.badexample.com
The wildcard “*” can be used for including multiple characters to eliminate all users on the badexample.com domain.
You can remove a user from the list by using the unblacklist_from directive.
unblacklist_from badexample.com
The other method of blacklisting is blacklist_to, which blacklists the recipient address. This address may be found in the Resent-To, Resent-Cc, To, Apparently-To, Delivered-To, Envelope-Recipients, Apparently-Resent-To, X-Envelope-To, Envelope-To, X-Delivered-To, X-Original-To, X-Rcpt-To, X-Real-To, or Cc header.
blacklist_to users@mycompany.com
This is used to eliminate mail sent to a possibly forged To header by adding 10 points to the score.
Here is what a local.cf looks like with some blacklist entries.
# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
blacklist_from *@bellevuecollege.edu
blacklist_from *@vmta-c-253.lstrk.net
blacklist_from *@SmartStream-1.itsjss.com
blacklist_from *@hosting.obdobion.com