Posts Tagged Postfixadmin

PostfixAdmin and Fetchmail

Posted by Filed Under Postfixadmin with Comments Off

Getting Fetchmail to Work with Postfix Admin
The default setup with PostfixAdmin looks like it should work, but it will not work correctly until you modify a few things.  This tutorial will help you get it working correctly.

WARNING: Use this at your own risk.  It has been found to work; however, it may pull down all email from an account and remove it on the remote server.  Test to verify that it is working the way you want.

First go to PostfixAdmin and set up the account you want to pull mail to.

Mailbox     this is the local mailbox
Server      this is the remote server for the account you want to pull from
Auth Type   usually you will supply a password
User        user_name or remote account
Password    password for account
Folder      the remote folder you want to retrieve
Poll        Does not work, you must use cron jobs for script
Fetch All   click for all messages
Keep        Be sure to keep on both servers until you are satisfied
Protocol    IMAP usually
SSL         if it is required

Ubuntu 10.04
Install several programs in preparation.

apt-get install fetchmail liblockfile-simple-perl

Create a directory and lockfile for fetchmail.

mkdir /var/run/fetchmail
touch /var/run/fetchmail/fetchmail-all.lock

You will need to install several perl modules.  Here is a list:

DBI
MIME::Base64
File::Temp
Sys::Syslog

perl -MCPAN -e shell

cpan> install File::Temp

When you install them they should return an “OK” at the end or you will need to fix dependencies.

Edit the fetchmail.pl script.  The key here is to put your database name, user name and password in the script.  Note several lines have been commented out as the file in /etc/mail/postfixadmin/ did not work as well as actually changing the script.

#!/usr/bin/perl
use DBI;
use MIME::Base64;
# use Data::Dumper;
use File::Temp qw/ mkstemp /;
use Sys::Syslog;
#require "liblockfile-simple-perl";
use LockFile::Simple qw(lock trylock unlock);

######################################################################
########## Change the following variables to fit your needs ##########

# database settings

# database backend - uncomment one of these
#our $db_type = 'Pg';
my $db_type = 'mysql';

# host name
our $db_host="127.0.0.1";
# database name
our $db_name="postfix";
# database username
our $db_username="postfix_user";
# database password
our $db_password="database_password";

# instead of changing this script, you can put your settings to /etc/mail/postfixadmin/fetchmail.conf
# just use perl syntax there to fill the variables listed above (without the "our" keyword). Example:
# $db_username = 'mail';
#if (-f "/etc/mail/postfixadmin/fetchmail.conf") {
#       require "/etc/mail/postfixadmin/fetchmail.conf";
#}

Make the script executable.
chmod 755 /var/www/postfixadmin/ADDITIONS/fetchmail.pl

It may choke if you do not run it directly from perl.
sh /var/www/postfixadmin/ADDITIONS/fetchmail.pl
/var/www/postfixadmin/ADDITIONS/fetchmail.pl: 3: use: not found
/var/www/postfixadmin/ADDITIONS/fetchmail.pl: 4: use: not found
/var/www/postfixadmin/ADDITIONS/fetchmail.pl: 6: use: not found
/var/www/postfixadmin/ADDITIONS/fetchmail.pl: 7: use: not found
/var/www/postfixadmin/ADDITIONS/fetchmail.pl: 9: Syntax error: “(” unexpected

Call it from perl and it works…it will complain running as root.
/usr/bin/perl /var/www/postfixadmin/ADDITIONS/fetchmail.pl

Put it in a cron job if you want to run it continually.

It finally works correctly and is a great way to move mail to a new account.

Securing PostfixAdmin

Securing the PostfixAdmin Directory on Ubuntu
Many administrators who use PostfixAdmin, a web-based tool to manage virtual domains on Postfix, would like to secure the transactions between the PostfixAdmin program and the administrator.  At the same time, you often do not want to add the extra burden of SSL to the whole domain but just want to secure one directory.  The solution is to create a certificate for that one directory only and to lock that directory with a password so only administrators can gain access.  The example is on an Ubuntu 9.10 server; the procedure will be very similar on most servers.

Enable the SSL module using the “a2enmod” command.

sudo a2enmod ssl
Module ssl installed; run /etc/init.d/apache2 force-reload to enable.

SSL Security with Apache
The next thing you’ll need for this is a server certificate.  There are two ways to get one.  You can either create your own self-signed certificate, or you can request one from a commercial Certificate Authority.  A self-signed one will work fine if you’re just using it for your organization’s internal operations.  But, if you’re dealing with the public, you’ll want a commercial certificate that verifies that you are who you say you are.

SSL, Secure Sockets Layer, is a protocol or language that is used to encrypt communication between clients and servers. This type of communication is necessary when transporting sensitive information like credit card processing or administrator passwords.

SSL is a protocol that uses TCP/IP on behalf of the higher-level protocols like HTTP. This protocol allows an SSL-enabled server to authenticate itself to an SSL-enabled client. In order to use SSL the client must request a connection on port 443 instead of the typical port 80 used by a web browser.

For either self signed or a commercial type of certificate, you’ll first need to create an encryption key:

sudo openssl genrsa -des3 -out server.key 1024
Password:
Generating RSA private key, 1024 bit long modulus
......................++++++
..........................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

You’ll now use this key to create a certificate request:

sudo openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MT
Locality Name (eg, city) []:TC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: ubmail.example.com/postfixadmin
Email Address []:fsmith@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

If you need a commercial certificate, you’ll now send this request to a commercial CA.  If you’re creating your own self-signed certificate, you’ll use this request in the next step:

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=MT/L=TC/O=MyCompany/CN=ubmail.example.com/postfixadmin/emailAddress=fsmith@example.com
Getting Private key
Enter pass phrase for server.key:

Now, you’ll need to install the key and certificate by copying them to the appropriate directories:

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

Open the /etc/apache2/sites-available/your_site_file  for editing.  In the “Virtual Host” section, under the “DocumentRoot” line, modify the following lines:

DocumentRoot  /var/www/my_website/postfixadmin

The goal is to impact only the postfixadmin directory of your site so that users can go to the other locations as normal without knowing that the postfixadmin directory location is different.

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

Save and exit.

Enable the default SSL site, or enable your own site.  Remember that if you are using virtual hosting you will have to use IP-based virtual hosting to assign the SSL to an IP address.

sudo a2ensite default-ssl

After all of this is done, restart Apache:

service apache2 restart

Apache/2.2.12 mod_ssl/2.2.12 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 127.0.1.1:80 (RSA)
Enter pass phrase:

Ok: Pass Phrase Dialog successful.
[ ok ]

Now that you’ve installed  the private encryption key, you’ll need to supply your passphrase every time you start or restart Apache.

Once you get the “https” prefix right, you’ll get this if you’re using a self-signed certificate.  You will have the choice to accept or reject the self-signed certificate.

You can accept the certificate, but you’re not through yet.  There’s also the little detail of having a domain name on the certificate that doesn’t match the URL.

You can choose to view the certificate before deciding whether to accept or reject it.

As the example above shows, an attempt to connect using regular http will not allow a connection, while typing https://ubmail.example.com/postfixadmin sends you to a secure login for PostfixAdmin, which you can then use securely.

Password Protected Directory
Now lock down the directory so only an administrator with a password can get access.

Apache provides Password Authentication to directories using the htpasswd program. The first thing that needs to be done is to decide on where to place these password files. It is important that they are not placed in areas that are easily accessed as they should only be read by apache. It is probably best to place them in the /etc/apache2 directory. You may even want to create a separate more secure directory called within /etc/apache2. Use the htpasswd program to initialize a file for sales for example:

sudo htpasswd -c /etc/apache2/postfixadmin tom

The program will request a password and then to confirm the password. The -c option creates the file so DO NOT USE IT THE SECOND TIME!!!! If you do it will wipe out the first users you placed in the file. The password file will contain passwords for any number of people you want to have access to this folder. For example if you wanted to add mary later you would use this command:

sudo htpasswd /etc/apache2/postfixadmin mary

The next step is to make sure the permissions are correct on the password files. Change the owner to apache and change permissions to 600.

sudo chown www-data:www-data /etc/apache2/postfixadmin

The owner and group were changed to www-data. Note you will need to verify these permissions each time changes are made to the file.

sudo chmod 600 /etc/apache2/postfixadmin

Now the file rights are rw for the owner and nothing for group or other. This is an important setting.
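
The permission check that needs repeating after every change to the password file, written as an added example (it is not part of the original tutorial). It goes beyond the htpasswd file to the other files on this page that store a password or private key; the owners other than www-data and the 027 mask for the Postfix maps are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Requires GNU or BusyBox stat.
# check_secret_file PATH OWNER [MASK]
#   PATH   file that stores a password or private key
#   OWNER  expected owner (user name or numeric uid)
#   MASK   octal permission bits that must be clear (default 077, the
#          "nothing for group or other" rule that chmod 600 enforces)
# Returns 0 if compliant, 1 on wrong owner or mode, 2 if PATH is missing.
check_secret_file() {
    path=$1; want=$2; mask=${3:-077}
    if [ ! -f "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    mode=$(stat -c '%a' "$path")     # octal mode, e.g. 600
    uid=$(stat -c '%u' "$path")      # numeric owner
    want_uid=$(id -u "$want" 2>/dev/null || echo "$want")
    rc=0
    if [ $(( 0$mode & 0$mask )) -ne 0 ]; then
        echo "MODE    $path is $mode, bits in $mask must be clear"
        rc=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER   $path has uid $uid, expected $want"
        rc=1
    fi
    return $rc
}

# Files from this page that hold credentials. Only the www-data owner and
# mode 600 of the htpasswd file come from the tutorial; the root owners and
# the 027 mask (group may read, others may not) are assumptions.
audit_mail_secrets() {
    bad=0
    check_secret_file /etc/apache2/postfixadmin www-data || bad=1
    check_secret_file /etc/ssl/private/server.key root || bad=1
    check_secret_file /etc/dovecot/dovecot-sql.conf root || bad=1
    for f in /etc/postfix/my_*_maps.cf /etc/postfix/my_mailbox_limits.cf; do
        check_secret_file "$f" root 027 || bad=1
    done
    return $bad
}

# Run the full audit only when asked: sh thisfile.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_mail_secrets
fi
```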

Once a password file has been created, the directory that needs to be protected should be setup in the config file for your web server. The Directory directive is used to create the context of the file by using:

<Directory >
</Directory>

The first line shows which directory the password will protect.

<Directory /var/www/postfixadmin>

The second line determines the kind of authentication, which is Basic.

AuthType Basic

The AuthName will show on the login this text string to verify which group should use this directory.

AuthName "Admin Group"

The AuthUserFile is the file location for the password file.

AuthUserFile /etc/apache2/postfixadmin

Each user of the directory can be named explicitly, and each name must have a password entry in the /etc/apache2/postfixadmin password file. "require user" will mandate that no one will be able to use this directory except those users listed.

require user tom jane mary joe

If there were a lot of people using the directory one password could be given to all users in the admin group for example.

<Directory /var/www/postfixadmin>
AuthType Basic
AuthName "Admin Group"
AuthUserFile /etc/apache2/postfixadmin
require user tom jane mary joe
</Directory>

Once you have saved this, restart Apache.  Now not only is the connection encrypted, but users also have to have a password to access the directory.
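
Basic authentication sends the password base64-encoded rather than encrypted, so the block above is only safe when the directory cannot be reached over plain http; mod_ssl's SSLRequireSSL directive enforces that per directory. The following check is an added example (not part of the original tutorial) that lists Directory blocks using AuthType Basic without SSLRequireSSL; the sample configuration it writes is constructed from the block above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# basic_auth_without_ssl FILE...
#   Prints the path of every <Directory> block that sets "AuthType Basic"
#   but has no SSLRequireSSL line. Returns 1 if any block was printed.
basic_auth_without_ssl() {
    awk '
        /^[ \t]*#/ { next }                          # ignore comment lines
        tolower($1) == "<directory" {                # block opens
            dir = $2; sub(/>$/, "", dir); basic = 0; ssl = 0; next
        }
        tolower($1) == "authtype" && tolower($2) == "basic" { basic = 1 }
        tolower($1) == "sslrequiressl" { ssl = 1 }
        tolower($1) == "</directory>" {              # block closes: decide
            if (basic && !ssl) { print dir; found = 1 }
            dir = ""
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample input: the tutorial's Directory block, optionally with
# SSLRequireSSL added.  Usage: write_sample_conf FILE [hardened]
write_sample_conf() {
    {
        echo '<Directory /var/www/postfixadmin>'
        if [ "${2:-}" = hardened ]; then
            echo 'SSLRequireSSL'
        fi
        echo 'AuthType Basic'
        echo 'AuthName "Admin Group"'
        echo 'AuthUserFile /etc/apache2/postfixadmin'
        echo 'require user tom jane mary joe'
        echo '</Directory>'
    } > "$1"
}

# Stand-alone use: sh thisfile.sh /etc/apache2/sites-available/your_site_file
if [ $# -gt 0 ]; then
    basic_auth_without_ssl "$@"
fi
```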

PostfixAdmin on Ubuntu 9.10

PostfixAdmin provides a way to manage your virtual accounts and multiple domains using a web-based interface.  Once it is set up it is very easy to use.  The install process is not easy, as there are many commands and a lot of configuration that must be done without mistakes.  To get started you will need to install postfix and dovecot-postfix.

apt-get install postfix dovecot-postfix

If you install Postfix at install you can just choose this option.

Install The Postfix Mail Server

When you have the options to choose what type of mail site select “Internet Site” and enter the domain you will use as the canonical or main domain.  Note the canonical domain cannot be listed as a virtual domain.

The next step is to use MySQL for the virtual users and configure dovecot-postfix to connect to the MySQL database.

Install MySQL and Postfix MySQL

apt-get install mysql-server postfix-mysql

When you install MySQL it will require a password for the root user for MySQL, do not confuse this with the root user on the system…and write down the password you use…you will need it.

Now secure the user and create the database.

Start  MySQL

mysql -u root -p

CREATE DATABASE postfix;
CREATE USER 'postfix'@'localhost' IDENTIFIED BY 'your_password';
GRANT ALL ON postfix.* to 'postfix'@'localhost';

Install PostfixAdmin

The PostfixAdmin program is a web based administration panel for Postfix.  There are several advantages for this program.  It is an easy interface to work with to install new domains, users and of course set up autoresponders for your users.  You still have to be able to work at the command line to set up Postfix features however.  You need to install PHP5 and apache2 as well and several helper programs.

sudo apt-get install apache2 php5 php5-mysql php5-imap

sudo  /etc/init.d/apache2 restart

Once that is done you should be able to see the default web server page when you point your browser to the server IP Address.

Move to the /var/www directory

cd /var/www

Download  postfixadmin

wget http://downloads.sourceforge.net/sourceforge/postfixadmin/postfixadmin_2.3rc7.tar.gz

tar -zxvf postfixadmin_2.3rc7.tar.gz

Rename the directory and remove the tarball

mv postfixadmin-2.3rc7 postfixadmin
rm postfixadmin_2.3rc7.tar.gz

Set the configuration for postfixadmin

cd postfixadmin
nano config.inc.php

$CONF['configured'] = true;
$CONF['postfix_admin_url'] = $_SERVER['HTTP_HOST'].'/postfixadmin';
$CONF['database_password'] = 'your_password_for_the_db';

Update the following variables to what makes sense for your installation
$CONF['admin_email']
$CONF['default_aliases']

Change this line to "true" as shown to mark the configuration as complete.
$CONF['configured'] = true;

Save

Point your browser to: http://server_ip/postfixadmin/setup.php.

You will see an overview of settings that you need to configure…fix all problems before you proceed.

Refresh the setup page each time you make a change to verify it is fixed.

At the bottom you will see that you will need to create a password.

You will need to place the hashed password that is created in config.inc.php.

nano config.inc.php

Update $CONF['setup_password']
Save

Now create a new admin with an email.

At this point you need to set up the connections to the MySQL database.  To do this you need to create 4 files so that MySQL and Postfix can communicate.

cd /etc/postfix
nano my_alias_maps.cf

user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address = '%s' AND active = 1

Save

nano my_domains_maps.cf

user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = 0 AND active = 1

Save

nano my_mailbox_limits.cf

user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT quota FROM mailbox WHERE username = '%s' AND active = 1

Save

nano my_mailbox_maps.cf

user = postfix
password = db_passwd
hosts = localhost
dbname = postfix
query = SELECT CONCAT(domain,'/',maildir) FROM mailbox WHERE username = '%s' AND active = 1

Save

Edit the main.cf file.

virtual_minimum_uid = 150
virtual_uid_maps = static:150
virtual_gid_maps = static:8
virtual_mailbox_base = /var/vmail
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

virtual_alias_maps = proxy:mysql:/etc/postfix/my_alias_maps.cf
virtual_mailbox_limit = proxy:mysql:/etc/postfix/my_mailbox_limits.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/my_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/my_mailbox_maps.cf

Comment out or delete these options.
#home_mailbox = Maildir/
#mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -n -m "${EXTENSION}"

You cannot have virtual domains listed in the mydestination option.

Save

Edit the master.cf

dovecot unix - n n - - pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -f ${sender} -d ${recipient}

Save

Create /var/vmail and a user for permissions.

useradd -r -u 150 -g mail -d /var/vmail -s /sbin/nologin vmail
mkdir /var/vmail
chmod 770 /var/vmail
chown vmail:mail /var/vmail/

Finally, you have to make some changes to the dovecot configuration to accept the mail and deliver it

cd /etc/dovecot
Edit dovecot-sql.conf

driver = mysql
connect = host=localhost dbname=postfix user=postfix password=db_password
default_pass_scheme = MD5-CRYPT

user_query = SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, 150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = 1

password_query = SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, 'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid FROM mailbox WHERE username = '%u' AND active = 1

Save

Edit dovecot-postfix.conf

Adjust several settings.

mail_location = maildir:/var/vmail/%d/%n
first_valid_uid = 150
last_valid_uid = 150

passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = mail
}

Save

Restart both services so changes take effect

/etc/init.d/postfix restart
/etc/init.d/dovecot restart
