Posted by mike Filed Under Spam Control with Comments Off
Global Manual Whitelist
Once you have set up Spamassassin so it is working and you have run it for some time you may want to tune it to provide automatic whitelists and blacklists. The whitelist provides a way to ensure that mail from a particular source never gets rejected. These may be important clients, users on the system, or messages from servers that do not necessarily have the right credentials for sending mail. Your company may have important clients that send email with characteristics that put it on the edge with Spamassassin, and you may want to ensure that you do not lose an email. Or you may have users on the system who do not always follow the best protocol for how they construct messages, but you want to make sure that their mail is not rejected. An important use for whitelists is when you have servers that are sending logs, error messages, or monitoring information to a mail account and this mail does not have the format or the sender format that Spamassassin needs to see.
The whitelist will automatically reduce the spam score for a user that is listed in the whitelist. The score is reduced by 100 points, so there is very little chance of the mail being rejected.
The procedure for using a whitelist is straightforward. Use the directive whitelist_from to list any sources that you want to ensure get whitelisted.
Edit the /etc/mail/spamassassin/local.cf file to place these entries. The default contents of this file are listed below.
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
Add your whitelists to the file, save and restart Spamassassin.
whitelist_from tom@example.com
whitelist_from *@example.com *@goodexample.com
whitelist_from mail.server@myexample.com
When you list a user or source, you list what you see in the Resent-From, From, Envelope-Sender, Resent-Sender or X-Envelope-From headers. The wildcard “*” can be used to cover all of the users for a domain, as you see in the examples above.
You can remove users that you place in the whitelist with unwhitelist_from.
unwhitelist_from tom@example.com
You may want to review the information found in 60_whitelist.cf which Spamassassin uses automatically as there may be some users listed that you want to remove.
You do have an additional option for sender whitelisting. You can use whitelist_from_rcvd, which does a reverse lookup with DNS to verify the IP Address of the last trusted relay. So basically what it is doing is looking up the IP of where the mail came from to make sure it came from an IP Address on the sender's network. Now, this has several problems related to it. First, you are using precious resources doing reverse DNS lookups. And second, depending on how the sender network is designed, you may have problems verifying the IP Address. Here is how you can use it to drop the score 100 points.
whitelist_from_rcvd tom@example.com example.com
Note that what you are requiring is that the mail sent by tom must come from a mail server on the example.com domain.
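whitelist_from takes 100 points off on the strength of headers that the sending side writes, while whitelist_from_rcvd also ties the address to the relay it arrived from. The script below is an added example, not part of the original post: it reads a local.cf, applies unwhitelist_from in file order, and reports every remaining whitelist_from entry with a suggested tightening. The sample config, the local_domains list and the function names are constructed for illustration.

```python
import re

# Constructed sample based on the directives shown above; not a real config.
SAMPLE_CONF = """\
required_hits 5
whitelist_from tom@example.com
whitelist_from *@example.com *@goodexample.com
whitelist_from mail.server@myexample.com
unwhitelist_from tom@example.com
whitelist_from_rcvd mail.server@myexample.com myexample.com
"""

def glob_to_regex(pattern):
    """Address glob as used in whitelist entries: '*' any run, '?' one character."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + body + "$", re.IGNORECASE)

def parse_whitelists(conf_text):
    """Return (active whitelist_from patterns, {pattern: relay domain})."""
    header_only, rcvd = [], {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        directive, *args = line.split()
        if directive == "whitelist_from":
            header_only.extend(a.lower() for a in args)
        elif directive == "unwhitelist_from":      # exact, case-insensitive removal
            drop = {a.lower() for a in args}
            header_only = [p for p in header_only if p not in drop]
        elif directive == "whitelist_from_rcvd" and len(args) == 2:
            rcvd[args[0].lower()] = args[1].lower()
    return header_only, rcvd

def audit(conf_text, local_domains):
    """Flag every active whitelist_from entry and say how to tighten it."""
    header_only, rcvd = parse_whitelists(conf_text)
    findings = []
    for pattern in header_only:
        local_part, _, domain = pattern.rpartition("@")
        reasons = ["matched against sender headers only"]
        if local_part in ("", "*"):
            reasons.append("matches every sender at the domain")
        if any(glob_to_regex(domain).match(d) for d in local_domains):
            reasons.append("covers a domain this server hosts")
        if pattern in rcvd:
            fix = "delete it; whitelist_from_rcvd %s %s already exists" % (pattern, rcvd[pattern])
        else:
            fix = "replace with: whitelist_from_rcvd %s <relay-domain>" % pattern
        findings.append({"pattern": pattern, "reasons": reasons, "fix": fix})
    return findings

if __name__ == "__main__":
    # local_domains is an assumption: the domains this mail server itself hosts.
    for f in audit(SAMPLE_CONF, local_domains=["myexample.com"]):
        print(f["pattern"], "|", "; ".join(f["reasons"]), "|", f["fix"])
```

An entry that already has a matching whitelist_from_rcvd line is still reported, because the plain whitelist_from line keeps applying on its own until it is removed.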
Whitelist Recipients
There are three separate levels of whitelisting you can perform for recipients. If you had a user that did not want any spam checks on their account you would use this method of checking. The whitelist_to directive can use the Resent-To, Resent-Cc, To, Apparently-To, Delivered-To, Envelope-Recipients, Apparently-Resent-To, X-Envelope-To, Envelope-To, X-Delivered-To, X-Original-To, X-Rcpt-To, X-Real-To, or Cc.
The three levels can be used like this:
whitelist_to tom@mycompany.com (lowers score by 6)
or
more_spam_to tom@mycompany.com (lowers score by 20)
or
all_spam_to tom@mycompany.com (lowers score by 100)
Posted by mike Filed Under Postfixadmin with 1 Comment
Install and Configure the Vacation Option
This installation is for Ubuntu 9.10 but should work for just about any Linux distro. The vacation package is nice in that you can create an automatic message for when you are not available.
You will need to install a number of packages.
sudo apt-get install libmail-sender-perl libdbd-mysql-perl libemail-valid-perl libmime-perl liblog-log4perl-perl liblog-dispatch-perl libgetopt-argvfile-perl libmime-charset-perl libmime-encwords-perl
Install a Perl Module
From the command line install the Mail::Sendmail perl module.
perl -MCPAN -e shell;
Set it up, likely just hitting enter will provide the options you need. Once it is complete you will have a shell login for installing modules. Issue this command:
install Mail::Sendmail
Note it is case sensitive and two colons separate the names. When it is installed issue the “quit” command to return.
groupadd -r -g 65501 vacation
useradd -r -u 65501 -g vacation -d /var/spool/vacation -s /sbin/nologin vacation
cp /usr/share/doc/postfixadmin/VIRTUAL_VACATION/vacation.pl.gz .
gunzip vacation.pl.gz
cp vacation.pl vacation.pl.original
wget http://www200.pair.com/mecham/spam/vacation.2211.patch.txt
patch -p0 < vacation.2211.patch.txt
or
cd /var/www/postfixadmin/VIRTUAL_VACATION
cp vacation.pl /var/spool/vacation/vacation.pl
wget http://www200.pair.com/mecham/spam/vacation.2211.patch.txt
patch -p0 < vacation.2211.patch.txt
chown -R vacation:vacation /var/spool/vacation
chmod -R 700 /var/spool/vacation
Update the vacation script with your settings
nano /var/spool/vacation/vacation.pl
our $db_type = 'mysql';
our $db_username = 'postfix';
our $db_password = 'db_passwd';
our $db_name = 'postfix';
our $vacation_domain = 'autoreply.yourdomain.com';
Save and close (CTRL + X)
Update the postfixadmin config file
cd /var/www/postfixadmin
sudo nano config.inc.php
$CONF['vacation'] = 'YES';
$CONF['vacation_domain'] = 'autoreply.yourdomain.com';
cd /etc/postfix
nano master.cf
Add (near the end of the file):
vacation unix - n n - - pipe
  flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} ${recipient}
Save
nano main.cf
transport_maps = hash:/etc/postfix/transport
Save
Create a virtual file
jane@your_domain.com jane@your_domain.com@autoreply.your_domain.com
tom@your_domain.com tom@your_domain.com@autoreply.your_domain.com
Save
Create (or update) a transport map to handle the redirected email
nano transport
autoreply.your_domain.com vacation
Save
Postfix uses a hashed file to do the lookups, the postmap command creates that file.
postmap /etc/postfix/transport
Reload the postfix config to activate the changes
sudo /etc/init.d/postfix reload
You should now have a working vacation option with Postfix.
Posted by mike Filed Under Postfixadmin with 1 Comment
PostfixAdmin provides a way to manage your virtual accounts and multiple domains using a web based interface. Once it is set up it is very easy to use. The install process is not easy, as there are many commands and a lot of configuration that must be done without mistakes. To get started you will need to install postfix and dovecot-postfix.
apt-get install postfix dovecot-postfix
If you install Postfix at install you can just choose this option.

When you have the options to choose what type of mail site select “Internet Site” and enter the domain you will use as the canonical or main domain. Note the canonical domain cannot be listed as a virtual domain.
The next step is to use MySQL for the virtual users and configure dovecot-postfix to connect to the MySQL database.
Install MySQL and Postfix MySQL
apt-get install mysql-server postfix-mysql
When you install MySQL it will require a password for the root user for MySQL, do not confuse this with the root user on the system…and write down the password you use…you will need it.
Now secure the user and create the database.
Start MySQL
mysql -u root -p
CREATE DATABASE postfix;
CREATE USER 'postfix'@'localhost' IDENTIFIED BY 'your_password';
GRANT ALL ON postfix.* to 'postfix'@'localhost';
Install PostfixAdmin
The PostfixAdmin program is a web based administration panel for Postfix. There are several advantages for this program. It is an easy interface to work with to install new domains, users and of course set up autoresponders for your users. You still have to be able to work at the command line to set up Postfix features however. You need to install PHP5 and apache2 as well and several helper programs.
sudo apt-get install apache2 php5 php5-mysql php5-imap
sudo /etc/init.d/apache2 restart
Once that is done you should be able to see the default web server page when you point your browser to the server IP Address.
Move to the /var/www directory
cd /var/www
Download postfixadmin
wget http://downloads.sourceforge.net/sourceforge/postfixadmin/postfixadmin_2.3rc7.tar.gz
tar -zxvf postfixadmin_2.3rc7.tar.gz
Rename the directory and remove the tarball
mv postfixadmin-2.3rc7 postfixadmin
rm postfixadmin_2.3rc7.tar.gz
Set the configuration for postfixadmin
cd postfixadmin
nano config.inc.php
$CONF['configured'] = true;
$CONF['postfix_admin_url'] = $_SERVER['HTTP_HOST'].'/postfixadmin';
$CONF['database_password'] = 'your_password_for_the_db';
Update the following variables to what makes sense for your installation
$CONF['admin_email']
$CONF['default_aliases']
Change this line to “true” as seen to verify a completed configuration.
$CONF['configured'] = true;
Save
Point your browser to: http://server_ip/postfixadmin/setup.php.
You will see an overview of settings that you need to configure…fix all problems before you proceed.

Refresh the setup page each time you make a change to verify it is fixed.
At the bottom you will see that you will need to create a password.

You will need to place the hashed password that is created in config.inc.php.
nano config.inc.php
Update $CONF['setup_password']
Save
Now create a new admin with an email.

At this point you need to set up the connections to the MySQL database. To do this you need to create 4 files so that MySQL and Postfix can communicate.
cd /etc/postfix
nano my_alias_maps.cf
user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address = '%s' AND active = 1
Save
nano my_domains_maps.cf
user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = 0 AND active = 1
Save
nano my_mailbox_limits.cf
user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT quota FROM mailbox WHERE username = '%s' AND active = 1
Save
nano my_mailbox_maps.cf
user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT CONCAT(domain,'/',maildir) FROM mailbox WHERE username = '%s' AND active = 1
Save
Edit the main.cf file.
virtual_minimum_uid = 150
virtual_uid_maps = static:150
virtual_gid_maps = static:8
virtual_mailbox_base = /var/vmail
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
virtual_alias_maps = proxy:mysql:/etc/postfix/my_alias_maps.cf
virtual_mailbox_limit = proxy:mysql:/etc/postfix/my_mailbox_limits.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/my_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/my_mailbox_maps.cf
Comment out or delete these options.
#home_mailbox = Maildir/
#mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -n -m "${EXTENSION}"
You cannot have virtual domains listed in the mydestination option.
Save
Edit the master.cf
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -f ${sender} -d ${recipient}
Save
Create /var/vmail and a user for permissions.
useradd -r -u 150 -g mail -d /var/vmail -s /sbin/nologin vmail
mkdir /var/vmail
chmod 770 /var/vmail
chown vmail:mail /var/vmail/
Finally, you have to make some changes to the dovecot configuration to accept the mail and deliver it
cd /etc/dovecot
Edit dovecot-sql.conf
driver = mysql
connect = host=localhost dbname=postfix user=postfix password=db_password
default_pass_scheme = MD5-CRYPT
user_query = SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, 150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = 1
password_query = SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, 'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid FROM mailbox WHERE username = '%u' AND active = 1
Save
Edit dovecot-postfix.conf
Adjust several settings.
mail_location = maildir:/var/vmail/%d/%n
first_valid_uid = 150
last_valid_uid = 150
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = mail
}
Save
Restart both services so changes take effect
/etc/init.d/postfix restart
/etc/init.d/dovecot restart
Posted by mike Filed Under Spam Control with Comments Off
Learning System
You can additionally tune SpamAssassin to learn about your email. Two programs are used together to create this learning system: autowhitelisting and Bayesian filtering. Autowhitelisting is an algorithm that learns about each sender's history and modifies the spam score of their subsequent mail. This should reduce false positives. Autowhitelisting develops a database for each sender's mail address and IP address. Each time a message is received from that sender the score is added to the database score for that sender. The accumulated score divided by the number of messages, that is the sender's average, is used to modify any new messages.
The most important issue with autowhitelisting is the weight you place on the sender history. The auto_whitelist_factor directive sets the multiplier, between 0 and 1. The default is .5, which will make the final score halfway between the message's spam score and the sender's average. If you want to increase the weight of the history, set the factor to 1.
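The adjustment described above, as an added example that is not part of the original post. It follows the formula given in SpamAssassin's documentation, final = score + (mean - score) * factor, and assumes history is keyed on the sender address plus the first two octets of the IPv4 address; the class name, the replay function and the traffic are constructed.

```python
from collections import defaultdict

class AutoWhitelist:
    """Per-sender score history, keyed by address and the first two IPv4 octets."""

    def __init__(self, factor=0.5):
        if not 0.0 <= factor <= 1.0:
            raise ValueError("auto_whitelist_factor must be between 0 and 1")
        self.factor = factor
        self.history = defaultdict(lambda: [0.0, 0])   # key -> [total, count]

    @staticmethod
    def key(sender, ip):
        return sender.lower(), ".".join(ip.split(".")[:2])

    def adjust(self, sender, ip, score):
        """Return the final score, then record the unadjusted score in history."""
        entry = self.history[self.key(sender, ip)]
        final = score
        if entry[1]:                                   # sender already has history
            mean = entry[0] / entry[1]
            final = score + (mean - score) * self.factor
        entry[0] += score
        entry[1] += 1
        return final

def replay(factor):
    """Constructed traffic: three clean messages, then one scoring 9.0."""
    awl = AutoWhitelist(factor)
    for clean_score in (1.0, 0.0, -1.0):               # sender average becomes 0.0
        awl.adjust("tom@example.com", "192.0.2.10", clean_score)
    same_net = awl.adjust("tom@example.com", "192.0.2.99", 9.0)
    other_net = awl.adjust("tom@example.com", "198.51.100.7", 9.0)
    return same_net, other_net

if __name__ == "__main__":
    for factor in (0.0, 0.5, 1.0):
        print(factor, replay(factor))
```

At the default factor the 9.0 message from the known network ends at 4.5, under a required_hits of 5, while the same address seen from an unrelated network has no history and keeps its 9.0.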
The system-wide autowhitelist with amavisd.
Edit the /etc/mail/spamassassin/local.cf
auto_whitelist_path
auto_whitelist_file_mode
Sitewide Bayesian Filtering for Amavisd
The idea behind Bayesian filtering is that it learns aspects of email that help it distinguish between spam and non-spam. The advantage is that it can help facilitate a more accurate spam filtering process. The Bayesian rules set up baselines that determine how much each rule should change the probability that the email is spam. Some rules match features that are likely to be in spam, thus increasing the probability, and others match features that typically are not in spam, thus reducing the probability of spam.
Edit the /etc/mail/spamassassin/local.cf
use_bayes 1
bayes_path /var/amavisd/bayes/bayes
In /var, create the directories you need: amavisd and its subdirectory bayes. Be sure to chmod 700 the database file so no others can access it. The user is vscan, as set up in the /etc/amavisd.conf file, so that user must have access to the file. With the new version of Spamassassin the bayes_path line must not end in a folder, so add the name bayes to it per the example.
chown -R vscan:vscan /var/amavisd/
ls -la /var/amavisd/bayes/
total 8
drwx------ 2 vscan vscan 4096 May 11 07:32 .
drwx------ 3 vscan vscan 4096 May 11 07:32 ..
Posted by mike Filed Under Postfix Configuration with Comments Off
Sometimes when you are working with Postfix you may be on an older version that does not support a feature you need. Here is a list of the version and the major features that were added for that version.
Postfix 2.5 Stress-dependent configuration
Postfix 2.3 DKIM, DomainKeys and SenderID authentication, DSN status notifications, Enhanced status codes, Plug-in support for multiple SASL implementations (Cyrus, Dovecot), Configurable delivery status notification message text, Sender-dependent SMTP relay lookup, Sender-dependent SASL password lookup, Sendmail Milter (mail filter) protocol
Postfix 2.2 Connection cache for SMTP, IP version 6, TLS encryption and authentication, SMTP server per-client rate and concurrency limits, CDB database, Masquerading addresses in outbound SMTP mail, Selective address rewriting
Postfix 2.1 Access control per client/sender/recipient/etc., Address probing callout, Greylisting plug-in, SPF plug-in
Postfix 2.0 MIME (including 8BITMIME to 7BIT conversion), PostgreSQL database
Postfix 1.1 QMQP server, Content filter, VERP envelope return addresses
Postfix 1.0 ETRN on-demand relay, LMTP client, Pipelining (SMTP client and server), SASL authentication, Berkeley DB database, DBM database, LDAP database, MySQL database, Maildir and mailbox format, Virtual domains
Posted by mike Filed Under Logs with Comments Off
Reducing Syslogd Performance Issues
Syslogd is the main logging program for many Linux systems. Unfortunately it can cause performance issues by using synchronous writes by default. If you open syslog.conf you will see that the mail logging goes to /var/log/mail.log. In order to prevent synchronous writes a “-” is placed in front of the log.
mail.* -/var/log/mail.log
This is a default on most Linux systems so you do not have to do anything but it does provide an explanation for why the log file is different in the syslog.conf.
Posted by mike Filed Under Mail Client with Comments Off
Thunderbird (Icedove if you are on Debian) is an excellent choice for an email client, especially as it is capable of connecting using SSL or TLS and SMTP AUTH. Many email clients are not able to do that. Why TLS? It is all about encrypting your password and data when you connect to your mail server. In addition, when you use SMTP AUTH, you can travel and your mail server will allow you to send email because you have authenticated.

Create an account with Thunderbird.
Enter a name for the account and the email address you want to use.

In the example, IMAP is the server of choice which means your mail stays on the server. This allows you to retrieve mail and also leave the mail on the server so you could share accounts. An important setting is the “Incoming Server”. Make sure you enter a FQDN (Fully Qualified Domain Name) which means it must have a hostname and domain name.

Now configure an incoming user name.

Check your account settings, one important setting is the “Outgoing Server” at the end of the file. The “Outgoing Server” is the server that will authenticate the mobile user and allow you to send email through the mail server.

If you do not have anything set for the “Outgoing Server” just skip down in the tutorial to see how to set it up.
The “Server Settings” is how you will retrieve mail. Note that the server is listening on port 993 so that it is secure, IMAPS. Also note to select SSL in this setting so the port is changed.

Here is how to configure the “Outgoing Server”. Note the port number, the User Name that you will authenticate with and that TLS is selected.

If your mail server and client are configured correctly you will be able to send and receive mail, securely. If it is not configured correctly you will see this message. You will not be able to relay through the mail server, in other words you cannot send mail.

Posted by mike Filed Under Dovecot with 1 Comment
Virtual Accounts with CRAM-MD5
The major disadvantage of PLAIN text passwords on the server of course is that they are readable. Even if your communication with the server is encrypted it is troubling to have readable passwords on the server. You can easily change this by using the dovecotpw command and creating encrypted passwords.
As root login to the mail server and use the dovecotpw command as seen below. It will ask for the password you want to encrypt and then provide you with the output.
# dovecotpw
Enter new password:
Retype new password:
{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
In the /etc/dovecot directory create two files, userdb for a list of users and passdb for the encrypted passwords.
userdb
This file has a list of the users and the location of their virtual accounts. Note the virtual accounts are accounts that you have set up for the domains that you manage mail for, this is not the canonical domain on the server. For example, if you set up a mail server and the hostname is mail.my_mail_server.com then mail accounts that are local will be canonical accounts with a home directory. However, virtual accounts for the virtual domains that your mail server uses will not be able to login to the server as you can see from the /bin/false. These are only mail users who can retrieve mail.
tom@example.com::510:510::/var/spool/vhosts/example.com/:/bin/false::
sue@example.com::510:510::/var/spool/vhosts/example.com/:/bin/false::
joe@secondexample.com::510:510::/var/spool/vhosts/secondexample.com/:/bin/false::
passdb
The passdb will include the users and their passwords. You can see that virtual users must be indicated by username and the domain they have an account with. The password that was encrypted is then listed after their name.
tom@example.com:{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
sue@example.com:{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
joe@secondexample.com:{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
Here is the configuration you must add to /etc/dovecot.conf in order to use CRAM-MD5 with the virtual accounts.
default_mail_env = maildir:/var/spool/vhosts/%d/%n
auth_mechanisms = plain DIGEST-MD5 CRAM-MD5
auth_verbose = yes
auth default {
mechanisms = plain cram-md5
passdb passwd-file {
args = /etc/dovecot/passdb
}
userdb static {
args = uid=virtual gid=virtual /etc/dovecot/userdb
}
}