Wednesday, July 28, 2010

Postfix (mail server)


Postfix
The MTA (Mail Transfer Agent) Postfix aims to be fast, easy to administer and secure, while remaining compatible enough with Sendmail that existing users are not scared off. As a result it looks like Sendmail from the outside, while internally it is completely different.
Unlike Sendmail, Postfix is not a monolithic program but a combination of small programs, each of which performs one specialized function. In this document the reader will find the information needed to make the system work together with the other components and complete the installation of an electronic mail system. For further information on Postfix, see the online documentation on its website.
TLS

By default, all Internet communication is done without any encryption and without reliable authentication. This means that anyone with physical access to the data line through which a packet travels can spy on the communication. Even worse, it is possible to redirect or alter the communication so that the information you want to send is lost and nobody notices.
To solve these security problems, Netscape, Inc. introduced SSL (Secure Sockets Layer), which has evolved into the standard TLS protocol (Transport Layer Security). It offers both encryption of the communication (preventing eavesdropping) and strong authentication (ensuring that both sides of a communication are correctly identified and that the communication cannot be altered).
Postfix/TLS does not implement the TLS protocol itself but uses the OpenSSL package for this task. The OpenSSL website has links to deeper documentation on the protocol and its features.

Cyrus SASL
SASL stands for Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols that has been standardized by the IETF (Internet Engineering Task Force). It is used by servers (in this case Cyrus IMAP) to handle authentication requests from clients. To this end, the protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection.
The Cyrus SASL library also uses the OpenSSL library to encrypt data. The reader will find more information on the Cyrus SASL website.

Required Packages
postfix
openssl
cyrus-sasl
cyrus-imapd
cyrus-imapd-utils
cyrus-sasl-plain
cyrus-imapd-perl

Procedures

First, start the services:

/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/cyrus-imapd start

Create the file /usr/lib/sasl2/smtpd.conf with:
pwcheck_method: saslauthd

Edit the following parameters in /etc/postfix/main.cf (Postfix does not accept a comment after a value on the same line, so each comment goes on its own line):

# Name of the server; it must resolve in DNS
myhostname = mail.onemax.local
# Domain name for which mail is received
mydomain = onemax.local
# Domain that locally posted mail appears to come from (e.g. From: cristhian@codigolibre.org)
myorigin = $mydomain
# Listen on all interfaces
inet_interfaces = all
# Domains to deliver locally
mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost
# Hosts that will be allowed to send mail through this server
mynetworks = 10.0.0.0/8, 127.0.0.0/8
mailbox_transport = cyrus
relay_domains =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Limit on message size (attachments included), expressed in bytes
message_size_limit = 102400

Cyrus Settings

The Cyrus IMAP configuration file does not require any changes; the default settings allow normal operation. However, a few additional procedures are needed so that it works with the other software.
# Change the cyrus password
passwd cyrus

Create a user without a shell:
useradd -s /sbin/nologin user
passwd user

To assign passwords for authenticating IMAP, IMAPS, POP3 and POP3S via the encrypted methods (CRAM-MD5 and DIGEST-MD5) on systems whose Cyrus IMAP is compiled against SASL 2 (Red Hat Enterprise Linux 4, CentOS 4 or White Box Enterprise Linux 4), the saslpasswd2 command is used as follows:

saslpasswd2 user

Log in to cyradm as the cyrus administrator to create the mailbox:

cyradm -u cyrus localhost
> createmailbox user.usuario
# Assign all privileges on the mailbox to its owner
> sam user.usuario usuario all
# List the mailboxes that have been created
> lm

Config TLS/SSL

First we must create the certificates:
openssl req -new -nodes -out req.pem -keyout key.pem
openssl rsa -in key.pem -out cert.pem
openssl x509 -in req.pem -out cacert.pem -req -signkey cert.pem -days 999
Copy the created files to /usr/share/ssl/certs/ or wherever you keep them:
cp key.pem cert.pem cacert.pem /usr/share/ssl/certs
Make sure that postfix has access to /etc/sasldb2:
chown :postfix /etc/sasldb2
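Read literally, the three openssl commands above leave the private key in key.pem, a second copy of that key (the output of `openssl rsa`) in cert.pem, and the self-signed certificate in cacert.pem, while the main.cf fragment later in this document expects a certificate in cert.pem. Before copying the files it is worth confirming what each one actually holds, for instance with `openssl x509 -in cacert.pem -noout -subject -dates`. The following Python checker is an added example, not part of the original post: it reads the PEM block labels of each file and reports which Postfix TLS parameter would point at the wrong kind of object. The sample strings are constructed placeholders, and `check_tls_paths` takes the three file paths as arguments.

```python
import re

# One PEM block: the label in the BEGIN line must be repeated in the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

# Constructed stand-ins with placeholder bodies; real files carry base64-encoded DER.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed)\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIC(constructed)\n-----END CERTIFICATE-----\n"


def pem_block_types(text):
    """Labels of the PEM blocks in text, in order, e.g. ['RSA PRIVATE KEY']."""
    return PEM_BLOCK.findall(text)


def has_private_key(text):
    """True if the text holds a PKCS#1 or PKCS#8 private key block."""
    return any(label.endswith("PRIVATE KEY") for label in pem_block_types(text))


def has_certificate(text):
    """True if the text holds at least one X.509 certificate block."""
    return any(label in ("CERTIFICATE", "TRUSTED CERTIFICATE")
               for label in pem_block_types(text))


def check_tls_files(key_text, cert_text, ca_text):
    """Report every Postfix TLS parameter whose file lacks the object it needs.

    Postfix loads smtpd_tls_key_file as a private key and the other two as
    certificates; a key where a certificate is expected disables TLS with a
    warning in the mail log.
    """
    problems = []
    if not has_private_key(key_text):
        problems.append("smtpd_tls_key_file: no private key found")
    if not has_certificate(cert_text):
        problems.append("smtpd_tls_cert_file: no certificate found")
    if not has_certificate(ca_text):
        problems.append("smtpd_tls_CAfile: no certificate found")
    return problems


def check_tls_paths(key_path, cert_path, ca_path):
    """Same check on files on disk, e.g. the three paths used in main.cf."""
    def read(path):
        with open(path) as fh:
            return fh.read()
    return check_tls_files(read(key_path), read(cert_path), read(ca_path))
```

Run `check_tls_paths("/usr/share/ssl/certs/key.pem", "/usr/share/ssl/certs/cert.pem", "/usr/share/ssl/certs/cacert.pem")` after the copy step; an empty list means each parameter points at the right kind of file.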
 
Then add the following lines at the end of /etc/postfix/main.cf:
#### SASL bits ####
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous

## The following allows anyone who is in mynetworks, or anyone who can authenticate, to send mail through this server
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks, check_relay_domains
smtpd_delay_reject = yes

## This is necessary for some email clients
broken_sasl_auth_clients = yes

#### TLS bits ####
## "no" still announces AUTH on unencrypted sessions; "yes" would require STARTTLS before AUTH
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes

## Location of key, cert and CA cert.
## These files need to be generated using openssl

smtpd_tls_key_file = /usr/share/ssl/certs/key.pem
smtpd_tls_cert_file = /usr/share/ssl/certs/cert.pem
smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem

smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
tls_smtp_use_tls = yes
ipv6_version = 1.25
Done.

To verify that the certificate is in use, do the following:
[root@localhost ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 localhost.localdomain ESMTP Postfix
ehlo localhost                                        <- you type this
250-localhost.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS                                          <- indicates TLS is running
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 PLAIN LOGIN NTLM  <- these lines indicate the AUTH types
250-AUTH=GSSAPI DIGEST-MD5 CRAM-MD5 PLAIN LOGIN NTLM  <-
250 8BITMIME
The marked AUTH lines indicate the types of authentication offered.
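The EHLO reply above can be checked mechanically rather than by eye. The following Python script is an added example (not from the original post): it parses the 250- lines into extensions, reports when STARTTLS is missing, and, because the reply above is read on the cleartext channel, flags PLAIN and LOGIN being announced before STARTTLS, which is the situation `smtpd_tls_auth_only = no` leaves in place. `probe()` runs the same audit against a live server before and after STARTTLS. The sample reply is a constructed copy of the telnet session above; the host, port and `cafile` arguments are assumptions.

```python
import smtplib
import ssl

# Constructed copy of the EHLO reply from the telnet check above, one entry
# per line exactly as the client receives it.
SAMPLE_EHLO_LINES = [
    "250-localhost.localdomain",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250-VRFY",
    "250-ETRN",
    "250-STARTTLS",
    "250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 PLAIN LOGIN NTLM",
    "250-AUTH=GSSAPI DIGEST-MD5 CRAM-MD5 PLAIN LOGIN NTLM",
    "250 8BITMIME",
]

# Mechanisms that hand the password to the server in a directly usable form,
# so they only belong on a session that has already negotiated TLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(lines):
    """Turn the 250- lines of an EHLO reply into {KEYWORD: [params]}.

    The first line is the server's name, not an extension, so it is skipped.
    "AUTH=..." is the legacy spelling announced for broken_sasl_auth_clients;
    it is folded into AUTH.
    """
    extensions = {}
    for line in lines[1:]:
        body = line[4:].strip()           # drop "250-" or "250 "
        if body.upper().startswith("AUTH="):
            body = "AUTH " + body[5:]
        keyword, _, params = body.partition(" ")
        extensions.setdefault(keyword.upper(), []).extend(params.split())
    return extensions


def audit_ehlo(lines, tls_active=False):
    """Findings about what the server offers at this stage of the session.

    tls_active=False means the reply was read before STARTTLS, i.e. on the
    cleartext channel, which is what the telnet session above shows.
    """
    ext = parse_ehlo(lines)
    findings = []
    if not tls_active and "STARTTLS" not in ext:
        findings.append("STARTTLS not offered: check smtpd_use_tls and the key/cert files")
    mechs = set(ext.get("AUTH", []))
    # No AUTH before STARTTLS is expected when smtpd_tls_auth_only = yes.
    if not mechs and (tls_active or "STARTTLS" not in ext):
        findings.append("no AUTH mechanisms offered: check smtpd_sasl_auth_enable and smtpd.conf")
    weak = sorted(mechs & PLAINTEXT_MECHS)
    if weak and not tls_active:
        findings.append("cleartext AUTH offered before STARTTLS (%s): "
                        "smtpd_tls_auth_only = yes would withhold AUTH until after STARTTLS"
                        % ", ".join(weak))
    return findings


def _relines(msg):
    """smtplib strips the 250- prefixes from the reply; put them back for parse_ehlo."""
    body = msg.decode("ascii", "replace").splitlines()
    return ["250-" + b for b in body[:-1]] + ["250 " + body[-1]]


def probe(host="localhost", port=25, cafile=None, timeout=5):
    """Audit a live server you administer, before and after STARTTLS.

    cafile should be the CA certificate the server's certificate chains to
    (for the self-signed setup above, cacert.pem); the server name must also
    match the certificate's subject for the handshake to verify.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, msg = smtp.ehlo()
        report = {"before_starttls": audit_ehlo(_relines(msg), tls_active=False)}
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            _, msg = smtp.ehlo()
            report["after_starttls"] = audit_ehlo(_relines(msg), tls_active=True)
    return report
```

Against the reply above, `audit_ehlo(SAMPLE_EHLO_LINES)` returns one finding (LOGIN and PLAIN announced in the clear) and `audit_ehlo(SAMPLE_EHLO_LINES, tls_active=True)` returns none, which is the expected picture once the session is inside TLS.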
 
Checks
Send an email using the mail command and then open a POP3 connection between the client and the server, as shown below.
Client:
$ telnet 127.0.0.1 110
Server:
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK POP3 localhost.localdomain Cyrus v2.2.12-Invoca-RPM-2.2.12-3.RHEL4.1 server ready.
Client:
USER guy
Server:
+OK
Client:
PASS <password>
Server:
+OK Logged in.
Client:
STAT
Server:
+OK 1 728
Client:
LIST
Server:
+OK 1 messages:
1 728
.
Client:
RETR 1
Server:
+OK 728 octets
Return-Path:
Received: from localhost.localdomain (localhost.localdomain [192.168.1.254])
         by localhost.localdomain (8.13.1/8.13.1) with SMTP id k2IM2RjA003987
         for ; Sat, 18 Mar 2006 16:03:21 -0600
Date: Sat, 18 Mar 2006 16:02:27 -0600
Message-Id: <200603182203.k2IM2RjA003987@localhost.localdomain>
Subject: Test Message
From: fulano@localhost.localdomain
To: root@localhost.localdomain
Status: O
Content-Length: 43
Lines: 2
X-UID: 202
X-Keywords:

Hello. This is a test message.
Adios.
.
Client:
QUIT
Server:
+OK Logging out.
Connection closed by foreign host.
 
Finally, configure the mail account in your mail client.

WITH MYSQL SUPPORT
Once Postfix is running without problems, the next step is to enable a very useful feature: MySQL support. Among its advantages are:

Storing accounts in a database
Virtual domains
Web administration

To enable MySQL support, follow the steps set out below:

Install mysql-server
Compile Postfix with MySQL support
Compile pam-mysql
Configure /etc/pam.d
Add lines to /etc/cyrus.conf and /etc/imapd.conf
Add lines to /etc/postfix/main.cf
Install and configure web-cyradm


MySQL Installation
MySQL is installed as follows:
yum install mysql mysql-server mysql-devel php-mysql

Then start the service:
/etc/init.d/mysqld start

Compile and configure postfix
The Postfix version for CentOS 5 does not come with MySQL support enabled (the Fedora 9 version does have it by default), so we need to compile and install Postfix on the system. The version used is the source RPM postfix-2.2.10-1.RHEL4.2.src.rpm, but any other source package can be compiled the same way.

Packages needed for compilation:
rpm-build-4.4.2-47.el5
pcre-devel-6.6-2.el5_1.7

The next step is to download and install the source:

rpm -i postfix-2.2.10-1.RHEL4.2.src.rpm

Then go to /usr/src/redhat/, where the SPECS directory contains postfix.spec; open it and edit the following line:

%define MYSQL 0 ---> change it to %define MYSQL 1

Save and execute:

rpmbuild -ba postfix.spec

And the compilation runs.
Afterwards it creates the files postfix-2.2.10-1.RHEL4.2.i386.rpm and postfix-pflogsumm-2.2.10-1.RHEL4.2.i386.rpm and places them in /usr/src/redhat/RPMS/i386/, but before installing them we uninstall the current Postfix so that there are no conflicts.

[root@greenlab i386]# rpm -e postfix
warning: /etc/postfix/master.cf saved as /etc/postfix/master.cf.rpmsave
warning: /etc/postfix/main.cf saved as /etc/postfix/main.cf.rpmsave
[root@greenlab i386]#

Caution: these saved files will be needed later.
Then install:
[root@greenlab i386]# rpm -ivh /usr/src/redhat/RPMS/i386/postfix-2.2.10-1.RHEL4.2.i386.rpm
Preparing...                ########################################### [100%]
   1:postfix                ########################################### [100%]

[root@greenlab i386]# rpm -ivh /usr/src/redhat/RPMS/i386/postfix-pflogsumm-2.2.10-1.RHEL4.2.i386.rpm
Preparing...                ########################################### [100%]
   1:postfix-pflogsumm      ########################################### [100%]
[root@greenlab i386]#

Copy the .rpmsave files generated when uninstalling Postfix back over the newly installed ones:

cp /etc/postfix/main.cf.rpmsave /etc/postfix/main.cf
cp /etc/postfix/master.cf.rpmsave /etc/postfix/master.cf

Finally, start Postfix:

[root@greenlab i386]# /etc/init.d/postfix start
Starting postfix: [OK]
[root@greenlab i386]#

The previous Postfix configuration is now back in place.

Compile pam-mysql
pam-mysql is the module that lets Postfix authenticate against MySQL through PAM. Proceed as follows:

Prerequisite: pam-devel.rpm

Download the pam-mysql package (in my case pam_mysql-0.7RC1.tar.gz) and compile it:
tar -xvzf pam_mysql-0.7RC1.tar.gz

[root@mail xam]# cd pam_mysql-0.7RC1
[root@mail pam_mysql-0.7RC1]#

./configure
make
make install

Then edit the file /etc/pam.d/imap and add the following entries (each auth and account entry is a single line):
auth sufficient pam_mysql.so user=mail passwd=secret host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logusercolumn=user logmsgcolumn=msg loghostcolumn=host logtimecolumn=time logpidcolumn=pid

auth sufficient pam_unix_auth.so

account required pam_mysql.so user=mail passwd=secret host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logusercolumn=user logmsgcolumn=msg loghostcolumn=host logtimecolumn=time logpidcolumn=pid

account sufficient pam_unix_acct.so
This tells PAM to authenticate against the mail database as the user mail with the password secret, and names the tables and columns involved.

Copy this file for all the other services:

cp /etc/pam.d/imap /etc/pam.d/pop
cp /etc/pam.d/imap /etc/pam.d/sieve
cp /etc/pam.d/imap /etc/pam.d/smtp
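The PAM entries above, like the mysql-*.cf lookup tables created later in this document, carry the database password in clear text, so who can read those files matters as much as what is in them. The following Python script is an added example (not from the original post) that finds password assignments in both syntaxes (PAM `passwd=` arguments and Postfix `password =` lines), reports files readable by group or other, and tightens their mode; the file list, the `postfix` group as the one allowed to read the lookup tables, and the temporary file used by `demo()` are assumptions or constructed for the demonstration.

```python
import grp
import os
import re
import stat
import tempfile

# Files this setup writes the database password into: the PAM service files
# (passwd=secret) and the Postfix MySQL lookup tables (password = secret).
# Paths are the ones used in this document; files that do not exist are skipped.
SECRET_FILES = [
    "/etc/pam.d/imap", "/etc/pam.d/pop", "/etc/pam.d/sieve", "/etc/pam.d/smtp",
    "/etc/postfix/mysql-virtual.cf",
    "/etc/postfix/mysql-canonical.cf",
    "/etc/postfix/mysql-mydestination.cf",
]

# Matches PAM module arguments (passwd=secret) and Postfix key = value lines
# (password = secret).
SECRET_RE = re.compile(r"\b(passwd|password)\s*=\s*\S+", re.IGNORECASE)


def contains_secret(text):
    """True if any non-comment line assigns a password."""
    return any(SECRET_RE.search(line)
               for line in text.splitlines()
               if not line.lstrip().startswith("#"))


def exposure(path, allowed_groups=("postfix",)):
    """Who beyond the owner can read path: 'group <name>' (unless the group is
    one the service needs, e.g. postfix for the lookup tables) and/or 'other'."""
    st = os.stat(path)
    exposed = []
    if st.st_mode & stat.S_IRGRP:
        try:
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            group = str(st.st_gid)
        if group not in allowed_groups:
            exposed.append("group %s" % group)
    if st.st_mode & stat.S_IROTH:
        exposed.append("other")
    return exposed


def audit_files(paths=SECRET_FILES):
    """{path: description} for files that hold a password and are readable beyond the owner."""
    problems = {}
    for path in paths:
        try:
            with open(path) as fh:
                text = fh.read()
        except OSError:
            continue            # not present on this host; nothing to check
        if contains_secret(text):
            exposed = exposure(path)
            if exposed:
                problems[path] = "password readable by " + " and ".join(exposed)
    return problems


def lock_down(path, mode=0o600):
    """Remove read access beyond the owner and return the resulting mode.

    For the Postfix lookup tables use mode=0o640 after chown root:postfix,
    since the postfix user must still be able to read them.
    """
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Offline demonstration on a constructed temporary lookup-table file."""
    with tempfile.NamedTemporaryFile("w", suffix=".cf", delete=False) as tmp:
        tmp.write("hosts = localhost\nuser = mail\npassword = secret\n")
    os.chmod(tmp.name, 0o644)            # the typical mode of a freshly written file
    before = audit_files([tmp.name])
    lock_down(tmp.name)
    after = audit_files([tmp.name])
    os.unlink(tmp.name)
    return before, after
```

`audit_files()` with no arguments walks the document's own file list; `demo()` shows the before/after on a world-readable constructed file and removes it again.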
Adding lines to /etc/cyrus.conf and /etc/imapd.conf

/etc/imapd.conf:
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sieve_maxscriptsize: 32
sieve_maxscripts: 5
unixhierarchysep: yes
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
servername: mail.greenlab.onemax.net.do
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
tls_ca_file: /etc/ssl/TULLAVE.pem
tls_cert_file: /etc/ssl/TUCERTIFICADO.crt
tls_key_file: /etc/ssl/TULLAVE.key

The last three lines correspond to the certificates created at the beginning of this document; point these options at the certificate and key that were created.

Add lines to /etc/postfix/main.cf
To add MySQL support, add the following lines:

master.cf
Make sure the cyrus transport entry contains this line:
  flags= user=cyrus argv=/usr/cyrus/bin/deliver -r ${sender} -m ${extension} ${user}

main.cf
mydestination = $myhostname, localhost.$mydomain, localhost, mysql:/etc/postfix/mysql-mydestination.cf
mailbox_transport = cyrus
virtual_alias_maps = hash:/etc/postfix/virtual, mysql:/etc/postfix/mysql-virtual.cf
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf

Create the following files:

/etc/postfix/mysql-virtual.cf

#
# MySQL config file for alias lookups on Postfix
# Comments are ok.
#

# The user name and password to log into the MySQL server
hosts = localhost
user = mail
password = secret

# The database name on the server
dbname = mail

# The table name
table = virtual

#
select_field = dest
where_field = alias
additional_conditions = and status = '1'

/etc/postfix/mysql-canonical.cf

# MySQL config file for canonical lookups on Postfix
# Comments are ok.
#

# The user name and password to log into the MySQL server
hosts = localhost
user = mail
password = secret

# The database name on the server
dbname = mail

# The table name
table = virtual
#
select_field = alias
where_field = username
# Return the first match only
additional_conditions = and status = '1' limit 1

/etc/postfix/mysql-mydestination.cf

# MySQL config file for local domain (like sendmail's sendmail.cw) lookups on Postfix
# Comments are ok.
#

# The user name and password to log into the MySQL server
hosts = localhost
user = mail
password = secret

# The database name on the server
dbname = mail

# The table name
table = domain
#
select_field = domain_name
where_field = domain_name
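The four parameters select_field, table, where_field and additional_conditions are the legacy way of describing one SELECT statement; Postfix expands them into SELECT [select_field] FROM [table] WHERE [where_field] = '%s' [additional_conditions], substituting the escaped lookup key for %s (this expansion is documented in mysql_table(5)). Seeing the assembled statement makes mistakes such as an additional_conditions value that does not begin with AND obvious before Postfix runs it. The following Python script is an added example (not from the original post, and not Postfix's own code): it parses a lookup-table file, renders the statement Postfix derives from it, flags the common mistakes, and rewrites the table in the newer query = form that Postfix 2.2 and later accept. The sample file is a constructed copy of mysql-virtual.cf above.

```python
# Constructed copy of the mysql-virtual.cf lookup table from this document.
SAMPLE_VIRTUAL_CF = """\
# MySQL config file for alias lookups on Postfix
hosts = localhost
user = mail
password = secret
dbname = mail
table = virtual
select_field = dest
where_field = alias
additional_conditions = and status = '1'
"""


def parse_cf(text):
    """Parse Postfix-style 'key = value' lines.

    '#' lines and blank lines are ignored; the value is everything after the
    first '=', so conditions containing '=' survive intact.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key = value line: %r" % raw)
        params[key.strip()] = value.strip()
    return params


def legacy_query(params):
    """Expand the legacy parameters into the statement template Postfix builds.

    %s marks where Postfix substitutes the escaped lookup key.
    """
    missing = [k for k in ("select_field", "table", "where_field") if k not in params]
    if missing:
        raise KeyError("legacy mysql table needs %s" % ", ".join(missing))
    query = "SELECT %s FROM %s WHERE %s = '%%s'" % (
        params["select_field"], params["table"], params["where_field"])
    extra = params.get("additional_conditions", "").strip()
    return query + " " + extra if extra else query


def warnings_for(params):
    """Mistakes that yield a broken statement or an unusable table."""
    found = []
    extra = params.get("additional_conditions", "").strip()
    if extra and extra.split()[0].lower() not in ("and", "or", "order", "limit", "group"):
        found.append("additional_conditions is appended verbatim after the WHERE clause; "
                     "it must start with AND (or ORDER BY / LIMIT)")
    if "password" in params and not params["password"]:
        found.append("empty password")
    if "hosts" not in params:
        found.append("no hosts line; Postfix would try the default MySQL socket")
    return found


def query_form(params):
    """Render the same table in the 'query =' syntax, which shows the statement
    Postfix executes in one reviewable line."""
    lines = ["%s = %s" % (k, params[k])
             for k in ("hosts", "user", "password", "dbname") if k in params]
    lines.append("query = " + legacy_query(params))
    return "\n".join(lines)
```

To confirm what the live server answers for a given key, `postmap -q alias@onemax.local mysql:/etc/postfix/mysql-virtual.cf` runs the same lookup Postfix performs (the address is a constructed sample).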
Installing and Configuring Web-cyradm

To set up web-cyradm, simply unpack the package (web-cyradm-0.5.5) under the Apache document root, assumed here to be /var/www/html/:

tar -xvzf web-cyradm-svn-0.5.5.tar.gz
mv web-cyradm-svn-0.5.5 /var/www/html/webcyradm

Copy the sample configuration file conf.php.dist, located in /var/www/html/webcyradm/, to conf.php in the same directory:

cp conf.php.dist conf.php

The Cyrus authentication part corresponds to the following:

# The Cyrus login stuff
$CYRUS = array(
        'HOST' => 'localhost',
        'PORT' => 143,
        'ADMIN' => 'cyrus',
        'PASS' => 'secret'
);
It connects to port 143 (IMAP) as the cyrus administrator with the password secret.

The entries for the DB are:

$DB = array(
        'TYPE' => 'mysql',
        'USER' => 'mail',
        'PASS' => 'secret',
        'PROTO' => 'unix', // set to "tcp" for TCP/IP
        'HOST' => 'localhost',
        'NAME' => 'mail'
);
TYPE is the database type (mysql), USER is a valid user name in the database with sufficient privileges, PASS is its password (secret) and NAME is the database name (mail).
Performing tests

Bibliography

http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/html/t1.html
http://www.linuxsilo.net/articles/postfix-mysql.html
www.alcancelibre.org
www.redhat.com