~kim0/serverguide/serverguide-review-ch19

<emphasis>Mail Transfer Agents</emphasis> (MTA), the last of which will hand it off to a <emphasis>Mail Delivery Agent</emphasis> (MDA) for delivery to the

recipient's mailbox, from which it

will be retrieved by the recipient's email client, usually via a POP3 or IMAP server.

</para>

<title>Postfix</title>

<para>

<application>Postfix</application> is the default Mail Transfer Agent (MTA) in Ubuntu. It

attempts to be fast and easy to administer and secure. It is

compatible with the MTA <application>sendmail</application>. This section explains how

to install and configure <application>postfix</application>. It also explains how to

set it up as an SMTP server using a secure connection (for sending emails securely).

</para>

<note>

<para>

This guide does not cover setting up Postfix <emphasis>Virtual Domains</emphasis>, for information

on Virtual Domains and other advanced configurations see <xref linkend="postfix-references"/>.

</para>

</note>

<title>Installation</title>

<para>

To install <application>postfix</application> run the following command:

</para>

<command>sudo apt-get install postfix</command>

</screen>

<para>

Simply press return when the installation process asks questions, the configuration will be done in greater detail in the next stage.

</para>

</sect2>

<title>Basic Configuration</title>

<para>

To configure <application>postfix</application>, run the following command:

</para>

<command>sudo dpkg-reconfigure postfix</command>

</screen>

<para>

The user interface will be displayed. On each screen, select the following

values:

<listitem><para>Internet Site</para></listitem>

<listitem><para>mail.example.com</para></listitem>

<listitem><para>steve</para></listitem>

<listitem><para>mail.example.com, localhost.localdomain, localhost</para></listitem>

</itemizedlist>

</para>

<note>

<para>

Replace mail.example.com with the domain for which you'll accept email, 192.168.0.0/24 with the actual network and class

range of your mail server, and steve with the appropriate username.

</para>

</note>

<para>

Now is a good time to decide which mailbox format you want to use. By default

Postfix will use <emphasis role="strong">mbox</emphasis> for the mailbox format.

Rather than editing the configuration file directly,

you can use the <command>postconf</command> command to configure

all <application>postfix</application> parameters. The

configuration parameters will be stored in

<filename>/etc/postfix/main.cf</filename> file. Later if you

wish to re-configure a particular parameter, you can either

run the command or change it manually in the file.

</para>

<para>

To configure the mailbox format for <emphasis role="strong">Maildir:</emphasis>

</para>

<command>sudo postconf -e 'home_mailbox = Maildir/'</command>

</screen>

<note>

100

<para>

101

This will place new mail in /home/<emphasis role="italic">username</emphasis>/Maildir so

102

you will need to configure your Mail Delivery Agent (MDA) to use the same path.

103

</para>

104

</note>

105

106

</sect2>

107

108

<title>SMTP Authentication</title>

109

110

<para>

111

SMTP-AUTH allows a client to identify itself through an authentication mechanism (SASL).

112

Transport Layer Security (TLS) should be used to encrypt the authentication process.

113

Once authenticated the SMTP server will allow the client to relay mail.

114

</para>

115

116

<step>

117

<para>

118

Configure Postfix for SMTP-AUTH using SASL (Dovecot SASL):

119

</para>

120

121

sudo postconf -e 'smtpd_sasl_type = dovecot'

122

sudo postconf -e 'smtpd_sasl_path = private/auth-client'

123

sudo postconf -e 'smtpd_sasl_local_domain ='

124

sudo postconf -e 'smtpd_sasl_security_options = noanonymous'

125

sudo postconf -e 'broken_sasl_auth_clients = yes'

126

sudo postconf -e 'smtpd_sasl_auth_enable = yes'

127

sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

128

sudo postconf -e 'inet_interfaces = all'

129

</screen>

130

<note>

131

<para>

132

The <emphasis>smtpd_sasl_path</emphasis> configuration is a path relative to the Postfix queue directory.

133

</para>

134

</note>

135

</step>

136

<step>

137

<para>

138

Next, obtain a digital certificate for TLS. See <xref linkend="certificates-and-security"/> for details.

139

This example also uses a Certificate Authority (CA). For information on generating a CA certificate see

140

<xref linkend="certificate-authority"/>.

141

</para>

142

<note>

143

<para>

144

You can get the digital certificate from a certificate

145

authority. But unlike web clients, SMTP clients rarely

146

complain about

147

"self-signed certificates", so alternatively, you

148

can create the certificate yourself. Refer to

149

<xref linkend="creating-a-self-signed-certificate"/> for more

150

details.

151

</para>

152

</note>

153

</step>

154

<step>

155

<para>

156

Once you have a certificate, configure Postfix to provide TLS encryption for both incoming and outgoing mail:

157

</para>

158

159

sudo postconf -e 'smtpd_tls_auth_only = no'

160

sudo postconf -e 'smtp_tls_security_level = may'

161

sudo postconf -e 'smtpd_tls_security_level = may'

162

sudo postconf -e 'smtp_tls_note_starttls_offer = yes'

163

sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'

164

sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'

165

sudo postconf -e 'smtpd_tls_loglevel = 1'

166

sudo postconf -e 'smtpd_tls_received_header = yes'

167

sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'

168

sudo postconf -e 'tls_random_source = dev:/dev/urandom'

169

sudo postconf -e 'myhostname = mail.example.com'

170

</screen>

171

</step>

172

<step>

173

<para>

174

If you are using your own <emphasis>Certificate Authority</emphasis> to sign the certificate enter:

175

</para>

176

177

<command>sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'</command>

178

</screen>

179

180

<para>

181

Again, for more details about certificates see <xref linkend="certificates-and-security"/>.

182

</para>

183

</step>

184

</procedure>

185

<note>

186

<para>

187

After running all the commands, <application>Postfix</application> is configured for SMTP-AUTH

188

and a self-signed certificate has been created for TLS encryption.

189

</para>

190

</note>

191

<para>

192

Now, the file <filename>/etc/postfix/main.cf</filename>

193

should look like <ulink url="../sample/postfix_configuration">this</ulink>.

194

</para>

195

<para>

196

The postfix initial configuration is complete. Run

197

the following command to restart the postfix daemon:

198

</para>

199

200

201

<command>sudo /etc/init.d/postfix restart</command>

202

</screen>

203

204

<para>

205

<application>Postfix</application> supports SMTP-AUTH as defined in

206

<ulink

207

url="http://www.ietf.org/rfc/rfc2554.txt">RFC2554</ulink>.

208

It is based on <ulink

209

url="http://www.ietf.org/rfc/rfc2222.txt">SASL</ulink>. However it is still necessary

210

to set up SASL authentication before you can use SMTP-AUTH.

211

</para>

212

</sect2>

213

214

<title>Configuring SASL</title>

215

<para>

216

Postfix supports two SASL implementations Cyrus SASL and Dovecot SASL. To enable Dovecot SASL

217

the <application>dovecot-common</application> package will need to be installed. From a terminal prompt

218

enter the following:

219

</para>

220

221

<command>sudo apt-get install dovecot-common</command>

222

</screen>

223

<para>

224

Next you will need to edit <filename>/etc/dovecot/dovecot.conf</filename>. In the <emphasis>auth default</emphasis>

225

section uncomment the <emphasis>socket listen</emphasis> option and change the following:

226

</para>

227

228

socket listen {

229

#master {

230

# Master socket provides access to userdb information. It's typically

231

# used to give Dovecot's local delivery agent access to userdb so it

232

# can find mailbox locations.

233

#path = /var/run/dovecot/auth-master

234

#mode = 0600

235

# Default user/group is the one who started dovecot-auth (root)

236

#user =

237

#group =

238

239

client {

240

# The client socket is generally safe to export to everyone. Typical use

241

# is to export it to your SMTP server so it can do SMTP AUTH lookups

242

# using it.

243

path = /var/spool/postfix/private/auth-client

244

mode = 0660

245

user = postfix

246

group = postfix

247

}

248

}

249

</programlisting>

250

251

<para>

252

In order to let <application>Outlook</application> clients use SMTP-AUTH, in the <emphasis>auth default</emphasis>

253

section of /etc/dovecot/dovecot.conf add <emphasis>"login"</emphasis>:

254

</para>

255

256

257

mechanisms = plain login

258

</programlisting>

259

260

<para>

261

Once you have <application>Dovecot</application> configured restart it with:

262

</para>

263

264

<command>sudo /etc/init.d/dovecot restart</command>

265

</screen>

266

267

</sect2>

268

269

<title>Postfix-Dovecot</title>

270

271

<para>

272

Another option for configuring <application>Postfix</application> for SMTP-AUTH is using the

273

<application>dovecot-postfix</application> package. This package will install

274

<application>Dovecot</application> and configure <application>Postfix</application> to use it

275

for both SASL authentication and as a Mail Delivery Agent (MDA). The package also configures

276

<application>Dovecot</application> for IMAP, IMAPS, POP3, and POP3S.

277

</para>

278

279

<note>

280

<para>

281

You may or may not want to run IMAP, IMAPS, POP3, or POP3S on your mail server. For example,

282

if you are configuring your server to be a mail gateway, spam/virus filter, etc. If this is

283

the case it may be easier to use the above commands to configure Postfix for SMTP-AUTH.

284

</para>

285

</note>

286

287

<para>

288

To install the package, from a terminal prompt enter:

289

</para>

290

291

292

<command>sudo apt-get install dovecot-postfix</command>

293

</screen>

294

295

<para>

296

You should now have a working mail server, but there are a few options that you may wish to further customize. For example, the

297

package uses the certificate and key from the <application>ssl-cert</application> package, and in a production environment you should

298

use a certificate and key generated for the host. See <xref linkend="certificates-and-security"/> for more details.

299

</para>

300

301

<para>

302

Once you have a customized certificate and key for the host, change the following options in <filename>/etc/postfix/main.cf</filename>:

303

</para>

304

305

306

smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem

307

smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key

308

</programlisting>

309

310

<para>

311

Then restart Postfix:

312

</para>

313

314

315

<command>sudo /etc/init.d/postfix restart</command>

316

</screen>

317

318

</sect2>

319

320

<title>Testing</title>

321

<para>

322

SMTP-AUTH configuration is complete. Now it is time to test the setup.

323

</para>

324

<para>

325

To see if SMTP-AUTH and TLS work properly, run the following

326

command:

327

</para>

328

329

<command>telnet mail.example.com 25</command>

330

</screen>

331

<para>

332

After you have established the connection to the postfix mail

333

server, type:

334

</para>

335

336

ehlo mail.example.com

337

</screen>

338

<para>

339

If you see the following lines among others, then everything

340

is working perfectly. Type <command>quit</command> to exit.

341

</para>

342

343

250-STARTTLS

344

250-AUTH LOGIN PLAIN

345

250-AUTH=LOGIN PLAIN

346

250 8BITMIME

347

</programlisting>

348

</sect2>

349

350

351

<title>Troubleshooting</title>

352

<para>

353

This section introduces some common ways to determine the cause if problems arise.

354

</para>

355

356

<title>Escaping chroot</title>

357

<para>

358

The Ubuntu <application>postfix</application> package will by default install into a <emphasis>chroot</emphasis>

359

environment for security reasons. This can add greater complexity when troubleshooting problems.

360

</para>

361

<para>

362

To turn off the chroot operation locate for the following line in the

363

<filename>/etc/postfix/master.cf</filename> configuration file:

364

</para>

365

366

smtp inet n - - - - smtpd

367

</screen>

368

<para>

369

and modify it as follows:

370

</para>

371

372

smtp inet n - n - - smtpd

373

</screen>

374

<para>

375

You will then need to restart Postfix to use the new configuration. From a terminal prompt enter:

376

</para>

377

378

<command>sudo /etc/init.d/postfix restart</command>

379

</screen>

380

</sect3>

381

382

<title>Log Files</title>

383

<para>

384

<application>Postfix</application> sends all log messages to <filename>/var/log/mail.log</filename>.

385

However error and warning messages can sometimes get lost in the normal log output so they are also logged to

386

<filename>/var/log/mail.err</filename> and <filename>/var/log/mail.warn</filename> respectively.

387

</para>

388

<para>

389

To see messages entered into the logs in real time you can use the <application>tail -f</application>

390

command:

391

</para>

392

393

394

</screen>

395

<para>

396

The amount of detail that is recorded in the logs can be increased. Below are some configuration options for increasing the log level

397

for some of the areas covered above.

398

</para>

399

400

401

<para>

402

To increase <emphasis>TLS</emphasis> activity logging set the <emphasis>smtpd_tls_loglevel</emphasis> option to a value from 1 to 4.

403

</para>

404

405

<command>sudo postconf -e 'smtpd_tls_loglevel = 4'</command>

406

</screen>

407

</listitem>

408

409

<para>

410

If you are having trouble sending or receiving mail from a specific domain you can add the domain to the <emphasis>debug_peer_list</emphasis>

411

parameter.

412

</para>

413

414

<command>sudo postconf -e 'debug_peer_list = problem.domain'</command>

415

</screen>

416

</listitem>

417

418

<para>

419

You can increase the verbosity of any <application>Postfix</application> daemon process by editing the <filename>/etc/postfix/master.cf</filename>

420

and adding a <emphasis>-v</emphasis> after the entry. For example edit the <emphasis>smtp</emphasis> entry:

421

</para>

422

423

smtp unix - - - - - smtp -v

424

</programlisting>

425

</listitem>

426

</itemizedlist>

427

<note>

428

<para>

429

It is important to note that after making one of the logging changes above the <application>Postfix</application> process will need to be reloaded

430

in order to recognize the new configuration: <command>sudo /etc/init.d/postfix reload</command>

431

</para>

432

</note>

433

434

435

<para>

436

To increase the amount of information logged when troubleshooting <emphasis>SASL</emphasis> issues you can set the following options in

437

<filename>/etc/dovecot/dovecot.conf</filename>

438

</para>

439

440

auth_debug=yes

441

auth_debug_passwords=yes

442

</programlisting>

443

</listitem>

444

</itemizedlist>

445

<note>

446

<para>

447

Just like <application>Postfix</application> if you change a <application>Dovecot</application> configuration the process will need to be

448

reloaded: <command>sudo /etc/init.d/dovecot reload</command>.

449

</para>

450

</note>

451

<note>

452

<para>

453

Some of the options above can drastically increase the amount of information sent to the log files. Remember to return the log level

454

back to normal after you have corrected the problem. Then reload the appropriate daemon for the new configuration to take affect.

455

</para>

456

</note>

457

</sect3>

458

459

<title>References</title>

460

<para>

461

Administering a <application>Postfix</application> server can be a very complicated task. At some point you may

462

need to turn to the Ubuntu community for more experienced help.

463

</para>

464

<para>

465

A great place to ask for <application>Postfix</application> assistance, and get involved with the Ubuntu Server community,

466

is the <emphasis>#ubuntu-server</emphasis> IRC channel on <ulink url="http://freenode.net">freenode</ulink>. You

467

can also post a message to one of the <ulink url="http://www.ubuntu.com/support/community/webforums">Web Forums</ulink>.

468

</para>

469

<para>

470

For in depth <application>Postfix</application> information Ubuntu developers highly recommend:

471

<ulink url="http://www.postfix-book.com/">The Book of Postfix</ulink>.

472

</para>

473

<para>

474

Finally, the <ulink url="http://www.postfix.org/documentation.html">Postfix</ulink> website also has great documentation on all

475

the different configuration options available.

476

</para>

477

<para>

478

Also, the <ulink url="https://help.ubuntu.com/community/Postfix">Ubuntu Wiki Postifx</ulink> page has more information.

479

</para>

480

</sect3>

481

</sect2>

482

</sect1>

483

484

485

486

<para>

487

<application>Exim4</application> is another Message Transfer

488

Agent (MTA) developed at the University of Cambridge for use

489

on Unix systems connected to the Internet. Exim can be

490

installed in place of <application>sendmail</application>,

491

although the configuration of

492

<application>exim</application> is quite different to

493

that of <application>sendmail</application>.

494

</para>

495

496

<title>Installation</title>

497

<para>

498

To install <application>exim4</application>, run the following command:

499

500

<command>sudo apt-get install exim4</command>

501

</screen>

502

</para>

503

</sect2>

504

505

<title>Configuration</title>

506

<para>

507

To configure <application>Exim4</application>, run the following command:

508

</para>

509

510

<command>sudo dpkg-reconfigure exim4-config</command>

511

</screen>

512

<para>

513

The user interface will be displayed. The user interface

514

lets you configure many parameters. For example, In

515

<application>Exim4</application> the configuration files are

516

split among multiple files. If you wish to have them in one

517

file you can configure accordingly in this user interface.

518

</para>

519

520

<para>

521

All the parameters you configure in the user interface are

522

stored in

523

<filename>/etc/exim4/update-exim4.conf.conf</filename> file.

524

If you wish to re-configure, either you re-run the

525

configuration wizard or manually edit this file

526

using your favorite editor. Once you configure, you can run

527

the following command to generate the master configuration

528

file:

529

</para>

530

531

<command>sudo update-exim4.conf</command>

532

</screen>

533

<para>

534

The master configuration file, is generated and

535

it is stored in

536

<filename>/var/lib/exim4/config.autogenerated</filename>.

537

</para>

538

539

<para>

540

At any time, you should not edit the master configuration

541

file,

542

<filename>/var/lib/exim4/config.autogenerated</filename>

543

manually. It is updated automatically every time you run

544

<command>update-exim4.conf</command>

545

</para>

546

</warning>

547

<para>

548

You can run the following command to start

549

<application>Exim4</application> daemon.

550

</para>

551

552

<command>sudo /etc/init.d/exim4 start</command>

553

</screen>

554

</sect2>

555

556

<title>SMTP Authentication</title>

557

<para>

558

This section covers configuring Exim4 to use SMTP-AUTH with TLS and SASL.

559

</para>

560

<para>

561

The first step is to create a certificate for use with TLS. Enter the following into a terminal prompt:

562

</para>

563

564

<command>sudo /usr/share/doc/exim4-base/examples/exim-gencert</command>

565

</screen>

566

<para>

567

Now Exim4 needs to be configured for TLS by editing <filename>/etc/exim4/conf.d/main/03_exim4-config_tlsoptions</filename>

568

add the following:

569

</para>

570

571

MAIN_TLS_ENABLE = yes

572

</programlisting>

573

<para>

574

Next you need to configure <application>Exim4</application> to use the <application>saslauthd</application>

575

for authentication. Edit <filename>/etc/exim4/conf.d/auth/30_exim4-config_examples</filename> and uncomment

576

the <emphasis>plain_saslauthd_server</emphasis> and <emphasis>login_saslauthd_server</emphasis> sections:

577

</para>

578

579

plain_saslauthd_server:

580

driver = plaintext

581

public_name = PLAIN

582

server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}

583

server_set_id = $auth2

584

server_prompts = :

585

.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS

586

server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}

587

.endif

588

589

login_saslauthd_server:

590

driver = plaintext

591

public_name = LOGIN

592

server_prompts = "Username:: : Password::"

593

# don't send system passwords over unencrypted connections

594

server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}

595

server_set_id = $auth1

596

.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS

597

server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}

598

.endif

599

</programlisting>

600

<para>

601

Finally, update the Exim4 configuration and restart the service:

602

</para>

603

604

<command>sudo update-exim4.conf</command>

605

<command>sudo /etc/init.d/exim4 restart</command>

606

</screen>

607

</sect2>

608

609

<title>Configuring SASL</title>

610

<para>

611

This section provides details on configuring the saslauthd to provide authentication for <application>Exim4</application>.

612

</para>

613

<para>

614

The first step is to install the sasl2-bin package. From a terminal prompt enter the following:

615

</para>

616

617

<command>sudo apt-get install sasl2-bin</command>

618

</screen>

619

<para>

620

To configure saslauthd edit the /etc/default/saslauthd configuration file and set START=no to:

621

</para>

622

623

START=yes

624

</programlisting>

625

<para>

626

Next the <emphasis>Debian-exim</emphasis> user needs to be part of the <emphasis>sasl</emphasis> group in

627

order for Exim4 to use the saslauthd service:

628

</para>

629

630

<command>sudo adduser Debian-exim sasl</command>

631

</screen>

632

<para>

633

Now start the <application>saslauthd</application> service:

634

</para>

635

636

<command>sudo /etc/init.d/saslauthd start</command>

637

</screen>

638

<para>

639

<application>Exim4</application> is now configured with SMTP-AUTH using TLS and SASL authentication.

640

</para>

641

</sect2>

642

643

<title>References</title>

644

645

646

647

<para>

648

See <ulink url="http://www.exim.org/">exim.org</ulink> for more information.

649

</para>

650

</listitem>

651

652

<para>

653

There is also an <ulink url="http://www.uit.co.uk/content/exim-smtp-mail-server">Exim4 Book</ulink> available.

654

</para>

655

</listitem>

656

657

<para>

658

Another resource is the <ulink url="https://help.ubuntu.com/community/Exim4">Exim4 Ubuntu Wiki </ulink> page.

659

</para>

660

</listitem>

661

</itemizedlist>

662

663

</sect2>

664

</sect1>

665

666

<title>Dovecot Server</title>

667

<para>

668

<application>Dovecot</application> is a Mail Delivery Agent, written with security

669

primarily in mind. It supports the major mailbox formats: mbox

670

or Maildir. This section explain how to set it up as an imap or

671

pop3 server.

672

</para>

673

674

<title>Installation</title>

675

<para>

676

To install <application>dovecot</application>, run the following command in the

677

command prompt:

678

</para>

679

680

<command>sudo apt-get install dovecot-imapd dovecot-pop3d</command>

681

</screen>

682

</sect2>

683

684

<title>Configuration</title>

685

<para>

686

To configure <application>dovecot</application>, you can edit the file

687

<filename>/etc/dovecot/dovecot.conf</filename>. You can

688

choose the protocol you use. It could be pop3, pop3s (pop3

689

secure), imap and imaps (imap secure). A description of these protocols is beyond the scope of this guide. For further information, refer to the Wikipedia articles on <ulink

690

url="http://en.wikipedia.org/wiki/POP3">POP3</ulink> and

691

<ulink

692

url="http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol">IMAP</ulink>.

693

</para>

694

695

<para>

696

IMAPS and POP3S are more secure that the simple IMAP and

697

POP3 because they use SSL encryption to connect. Once you

698

have chosen the protocol, amend the following line in the file

699

<filename>/etc/dovecot/dovecot.conf</filename>:

700

</para>

701

702

protocols = pop3 pop3s imap imaps

703

</programlisting>

704

<para>

705

Next, choose the mailbox you would like to use. <application>Dovecot</application> supports

706

<emphasis role="strong">maildir</emphasis> and <emphasis

707

role="strong">mbox</emphasis> formats. These are the most

708

commonly used mailbox formats. They both have their own

709

benefits and are discussed on <ulink

710

url="http://wiki.dovecot.org/MailboxFormat">the Dovecot web site</ulink>.

711

</para>

712

<para>

713

Once you have chosen your mailbox type, edit the file

714

<filename>/etc/dovecot/dovecot.conf</filename> and change

715

the following line:

716

</para>

717

718

mail_location = maildir:~/Maildir # (for maildir)

719

720

mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u # (for mbox)

721

</programlisting>

722

<note>

723

<para>

724

You should configure your Mail Transport Agent (MTA) to transfer the

725

incoming mail to this type of mailbox if it is different from the one

726

you have configured.

727

</para>

728

</note>

729

<para>

730

Once you have configured dovecot, restart the <application>dovecot</application> daemon

731

in order to test your setup:

732

</para>

733

734

735

<command>sudo /etc/init.d/dovecot restart</command>

736

</screen>

737

738

<para>

739

If you have enabled imap, or pop3, you can also try to log in

740

with the commands <command>telnet localhost pop3</command> or

741

<command>telnet localhost imap2</command>. If you see

742

something like the following, the installation has been

743

successful:

744

</para>

745

746

bhuvan@rainbow:~$ telnet localhost pop3

747

Trying 127.0.0.1...

748

Connected to localhost.localdomain.

749

Escape character is '^]'.

750

+OK Dovecot ready.

751

</programlisting>

752

</sect2>

753

754

<title>Dovecot SSL Configuration</title>

755

<para>

756

To configure <application>dovecot</application> to use SSL, you can edit the file

757

<filename>/etc/dovecot/dovecot.conf</filename> and amend

758

following lines:

759

</para>

760

761

ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem

762

ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

763

ssl_disable = no

764

disable_plaintext_auth = no

765

</programlisting>

766

<para>

767

You can get the SSL certificate from a Certificate Issuing

768

Authority or you can create self signed SSL certificate.

769

The latter is a good option for email, because SMTP clients rarely

770

complain about "self-signed certificates".

771

Please

772

refer to <xref linkend="certificates-and-security"/>

773

for details about how to create self signed SSL certificate. Once

774

you create the certificate, you will have a key file and a

775

certificate file. Please copy them to the location pointed

776

in the <filename>/etc/dovecot/dovecot.conf</filename>

777

configuration file.

778

</para>

779

</sect2>

780

<sect2>

781

<title>Firewall Configuration for an Email Server</title>

782

<para>

783

To access your mail server from another computer, you must

784

configure your firewall to allow connections to the server on

785

the necessary ports.

786

787

788

<listitem><para>IMAPS - 993</para></listitem>

789

790

791

</itemizedlist>

792

</para>

793

</sect2>

794

795

<title>References</title>

796

797

798

799

<para>

800

See the <ulink url="http://www.dovecot.org/">Dovecot website</ulink> for more information.

801

</para>

802

</listitem>

803

804

<para>

805

Also, the <ulink url="https://help.ubuntu.com/community/Dovecot">Dovecot Ubuntu Wiki</ulink> page has more details.

806

</para>

807

</listitem>

808

</itemizedlist>

809

810

</sect2>

811

</sect1>

812

813

<title>Mailman</title>

814

<para>

815

Mailman is an open source program for managing electronic mail

816

discussions and e-newsletter lists. Many open source mailing

817

lists (including all the <ulink

818

url="http://lists.ubuntu.com">Ubuntu mailing lists</ulink>) use

819

Mailman as their mailing list software. It is powerful and easy

820

to install and maintain.

821

</para>

822

823

<title>Installation</title>

824

<para>

825

Mailman provides a web interface for the administrators and users,

826

using an external mail server to send and receive emails. It works

827

perfectly with the following mail servers:

828

</para>

829

<para>

830

831

832

<para><application>Postfix</application></para>

833

</listitem>

834

835

836

</listitem>

837

838

<para><application>Sendmail</application></para>

839

</listitem>

840

841

<para><application>Qmail</application></para>

842

</listitem>

843

</itemizedlist>

844

</para>

845

846

<para>

847

We will see how to install and configure Mailman with, the Apache web server,

848

and either the Postfix or Exim mail server. If you wish to install Mailman

849

with a different mail server, please refer to the references

850

section.

851

</para>

852

<note>

853

<para>

854

You only need to install one mail server and <application>Postfix</application> is the default Ubuntu Mail Transfer Agent.

855

</para>

856

</note>

857

858

<title>Apache2</title>

859

<para>

860

To install apache2 you refer to <xref linkend="http-installation"/> for details.

861

</para>

862

</sect3>

863

864

<title>Postfix</title>

865

<para>

866

For instructions on installing and configuring Postfix refer to <xref linkend="postfix"/>

867

</para>

868

</sect3>

869

870

871

<para>

872

To install Exim4 refer to <xref linkend="exim4"/>.

873

</para>

874

<para>

875

Once exim4 is installed, the configuration files are stored in

876

the <filename>/etc/exim4</filename> directory. In Ubuntu, by default, the exim4 configuration files are

877

split across different files. You can change this behavior by changing

878

the following variable in the <filename>/etc/exim4/update-exim4.conf</filename> file:

879

</para>

880

881

882

dc_use_split_config='true'

883

</programlisting>

884

885

886

</sect3>

887

888

<title>Mailman</title>

889

<para>

890

To install <application>Mailman</application>, run following command at a terminal prompt:

891

</para>

892

893

<command>sudo apt-get install mailman</command>

894

</screen>

895

<para>

896

It copies the installation files in

897

<application>/var/lib/mailman</application> directory. It installs the

898

CGI scripts in <application>/usr/lib/cgi-bin/mailman</application>

899

directory. It creates <emphasis>list</emphasis> linux

900

user. It creates the <emphasis>list</emphasis> linux

901

group. The mailman process will be owned by this user.

902

</para>

903

</sect3>

904

</sect2>

905

906

<title>Configuration</title>

907

<para>

908

This section assumes you have successfully installed

909

<application>mailman</application>,

910

<application>apache2</application>, and

911

<application>postfix</application> or <application>exim4</application>. Now you just need

912

to configure them.

913

</para>

914

915

<title>Apache2</title>

916

<para>

917

An example Apache configuration file comes with <application>Mailman</application> and is placed

918

in <filename>/etc/mailman/apache.conf</filename>. In order for Apache to use the config file it needs

919

to be copied to <filename>/etc/apache2/sites-available</filename>:

920

</para>

921

922

<command>sudo cp /etc/mailman/apache.conf /etc/apache2/sites-available/mailman.conf</command>

923

</screen>

924

<para>

925

This will setup a new Apache <emphasis>VirtualHost</emphasis> for the Mailman administration site.

926

Now enable the new configuration and restart Apache:

927

</para>

928

929

<command>sudo a2ensite mailman.conf</command>

930

<command>sudo /etc/init.d/apache2 restart</command>

931

</screen>

932

<para>

933

Mailman uses apache2 to render its CGI scripts. The mailman CGI scripts

934

are installed in the <application>/usr/lib/cgi-bin/mailman</application>

935

directory. So, the mailman url will be

936

http://hostname/cgi-bin/mailman/. You can make changes to the

937

<filename>/etc/apache2/sites-available/mailman.conf</filename> file if you wish to

938

change this behavior.

939

</para>

940

</sect3>

941

942

<title>Postfix</title>

943

<para>

944

For <application>Postfix</application> integration, we will associate the domain lists.example.com with the mailing lists.

945

Please replace <emphasis>lists.example.com</emphasis> with the domain of your choosing.

946

</para>

947

<para>

948

You can use the postconf command to add the necessary configuration to <filename>/etc/postfix/main.cf</filename>:

949

</para>

950

951

<command>sudo postconf -e 'relay_domains = lists.example.com'</command>

952

<command>sudo postconf -e 'transport_maps = hash:/etc/postfix/transport'</command>

953

<command>sudo postconf -e 'mailman_destination_recipient_limit = 1'</command>

954

</screen>

955

<para>

956

In <filename>/etc/postfix/master.cf</filename> double check that you have the following transport:

957

</para>

958

959

mailman unix - n n - - pipe

960

flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py

961

${nexthop} ${user}

962

</programlisting>

963

<para>

964

It calls the <emphasis>postfix-to-mailman.py</emphasis> script when a mail is delivered to a list.

965

</para>

966

<para>

967

Associate the domain lists.example.com to the Mailman transport with the transport map. Edit the file <filename>/etc/postfix/transport</filename>:

968

</para>

969

970

lists.example.com mailman:

971

</programlisting>

972

<para>

973

Now have <application>Postfix</application> build the transport map by entering the following from a terminal prompt:

974

</para>

975

976

<command>sudo postmap -v /etc/postfix/transport</command>

977

</screen>

978

<para>

979

Then restart Postfix to enable the new configurations:

980

</para>

981

982

<command>sudo /etc/init.d/postfix restart</command>

983

</screen>

984

</sect3>

985

986

987

<para>

988

Once Exim4 is installed, you can start the Exim server using the following

989

command from a terminal prompt:

990

</para>

991

992

<command>sudo /etc/init.d/exim4 start</command>

993

</screen>

994

<para>

995

In order to make mailman work with Exim4, you need to configure Exim4.

996

As mentioned earlier, by default, Exim4 uses multiple configuration

997

files of different types. For details, please refer to the <ulink

998

url="http://www.exim.org">Exim</ulink> web site. To run mailman, we

999

should add new a configuration file to the following configuration

1000

types:

1001

1002

1003

1004

</listitem>

1005

1006

<para>Transport</para>

1007

</listitem>

1008

1009

<para>Router</para>

1010

</listitem>

1011

</itemizedlist>

1012

Exim creates a master configuration file by sorting all

1013

these mini configuration files. So, the order of these

1014

configuration files is very important.

1015

</para>

1016

</sect3>

1017

1018

1019

<para>

1020

All the configuration files belonging to the main type are

1021

stored in the

1022

<filename>/etc/exim4/conf.d/main/</filename> directory. You can add

1023

the following content to a new file, named <filename>04_exim4-config_mailman</filename>:

1024

1025

1026

# start

1027

# Home dir for your Mailman installation -- aka Mailman's prefix

1028

# directory.

1029

# On Ubuntu this should be "/var/lib/mailman"

1030

# This is normally the same as ~mailman

1031

MM_HOME=/var/lib/mailman

1032

1033

# User and group for Mailman, should match your --with-mail-gid

1034

# switch to Mailman's configure script. Value is normally "mailman"

1035

MM_UID=list

1036

MM_GID=list

1037

1038

# Domains that your lists are in - colon separated list

1039

# you may wish to add these into local_domains as well

1040

domainlist mm_domains=hostname.com

1041

1042

# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

1043

1044

# These values are derived from the ones above and should not need

1045

# editing unless you have munged your mailman installation

1046

1047

# The path of the Mailman mail wrapper script

1048

MM_WRAP=MM_HOME/mail/mailman

1049

1050

# The path of the list config file (used as a required file when

1051

# verifying list addresses)

1052

MM_LISTCHK=MM_HOME/lists/${lc::$local_part}/config.pck

1053

# end

1054

</programlisting>

1055

</para>

1056

</sect3>

1057

1058

<title>Transport</title>

1059

<para>

1060

All the configuration files belonging to transport type are stored in

1061

the <filename>/etc/exim4/conf.d/transport/</filename> directory. You

1062

can add the following content to a new file named <filename>

1063

40_exim4-config_mailman</filename>:

1064

1065

1066

mailman_transport:

1067

driver = pipe

1068

command = MM_WRAP \

1069

'${if def:local_part_suffix \

1070

{${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \

1071

{post}}' \

1072

$local_part

1073

current_directory = MM_HOME

1074

home_directory = MM_HOME

1075

user = MM_UID

1076

group = MM_GID

1077

</programlisting>

1078

</para>

1079

</sect3>

1080

1081

<title>Router</title>

1082

<para>

1083

All the configuration files belonging to router type are stored in the

1084

<filename>/etc/exim4/conf.d/router/</filename> directory. You can add the following content

1085

in to a new file named <filename>101_exim4-config_mailman</filename>:

1086

1087

mailman_router:

1088

driver = accept

1089

require_files = MM_HOME/lists/$local_part/config.pck

1090

local_part_suffix_optional

1091

local_part_suffix = -bounces : -bounces+* : \

1092

-confirm+* : -join : -leave : \

1093

-owner : -request : -admin

1094

transport = mailman_transport

1095

</programlisting>

1096

1097

</para>

1098

1099

<para>

1100

The order of main and transport configuration files can be in any order.

1101

But, the order of router configuration files must be the same.

1102

This particular file must appear before the

1103

<application>200_exim4-config_primary</application> file.

1104

These two configuration files contain same type of information. The

1105

first file takes the precedence. For more details, please refer to the

1106

references section.

1107

</para>

1108

</warning>

1109

</sect3>

1110

1111

<title>Mailman</title>

1112

<para>

1113

Once mailman is installed, you can run it using the following command:

1114

</para>

1115

1116

<command>sudo /etc/init.d/mailman start</command>

1117

</screen>

1118

<para>

1119

Once mailman is installed, you should create the default mailing list.

1120

Run the following command to create the mailing list:

1121

</para>

1122

1123

1124

<command>sudo /usr/sbin/newlist mailman</command>

1125

</screen>

1126

1127

1128

Enter the email address of the person running the list: bhuvan at ubuntu.com

1129

Initial mailman password:

1130

To finish creating your mailing list, you must edit your <filename>/etc/aliases</filename> (or

1131

equivalent) file by adding the following lines, and possibly running the

1132

`newaliases' program:

1133

1134

## mailman mailing list

1135

mailman: "|/var/lib/mailman/mail/mailman post mailman"

1136

mailman-admin: "|/var/lib/mailman/mail/mailman admin mailman"

1137

mailman-bounces: "|/var/lib/mailman/mail/mailman bounces mailman"

1138

mailman-confirm: "|/var/lib/mailman/mail/mailman confirm mailman"

1139

mailman-join: "|/var/lib/mailman/mail/mailman join mailman"

1140

mailman-leave: "|/var/lib/mailman/mail/mailman leave mailman"

1141

mailman-owner: "|/var/lib/mailman/mail/mailman owner mailman"

1142

mailman-request: "|/var/lib/mailman/mail/mailman request mailman"

1143

mailman-subscribe: "|/var/lib/mailman/mail/mailman subscribe mailman"

1144

mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"

1145

1146

Hit enter to notify mailman owner...

1147

1148

1149

</programlisting>

1150

<para>

1151

We have configured either Postfix or Exim4 to recognize all emails from mailman. So, it is

1152

not mandatory to make any new entries in

1153

<filename>/etc/aliases</filename>. If you have made any changes

1154

to the configuration files, please ensure that you restart those

1155

services before continuing to next section.

1156

</para>

1157

<note>

1158

<para>

1159

The Exim4 does not use the above aliases to forward mails to

1160

Mailman, as it uses a <emphasis>discover</emphasis> approach. To

1161

suppress the aliases while creating the list, you can add

1162

<emphasis>MTA=None</emphasis> line in Mailman configuration

1163

file, <filename>/etc/mailman/mm_cfg.py</filename>.

1164

</para>

1165

</note>

1166

</sect3>

1167

</sect2>

1168

1169

<title>Administration</title>

1170

<para>

1171

We assume you have a default installation. The

1172

mailman cgi scripts are still in the

1173

<application>/usr/lib/cgi-bin/mailman/</application> directory. Mailman

1174

provides a web based administration facility. To access this page, point

1175

your browser to the following url:

1176

1177

</para>

1178

<para>

1179

http://hostname/cgi-bin/mailman/admin

1180

</para>

1181

1182

<para>

1183

The default mailing list, <emphasis>mailman</emphasis>,

1184

will appear in this screen. If you click the mailing list name, it

1185

will ask for your authentication password. If you enter the correct

1186

password, you will be able to change administrative settings of this

1187

mailing list.

1188

1189

You can create a new mailing list using the command line utility

1190

(<command>/usr/sbin/newlist</command>).

1191

Alternatively, you can create a new mailing list using the web interface.

1192

</para>

1193

</sect2>

1194

1195

<title>Users</title>

1196

<para>

1197

Mailman provides a web based interface for users. To access this page,

1198

point your browser to the following url:

1199

</para>

1200

1201

<para>

1202

http://hostname/cgi-bin/mailman/listinfo

1203

</para>

1204

1205

<para>

1206

The default mailing list, <emphasis>mailman</emphasis>,

1207

will appear in this screen. If you

1208

click the mailing list name, it will display the subscription form. You

1209

can enter your email address, name (optional), and password to subscribe.

1210

An email invitation will be sent to you. You can follow the

1211

instructions in the email to subscribe.

1212

</para>

1213

</sect2>

1214

1215

<title>References</title>

1216

<para>

1217

<ulink url="http://www.list.org/mailman-install/index.html"> GNU Mailman

1218

- Installation Manual</ulink>

1219

</para>

1220

<para>

1221

<ulink url="http://www.exim.org/howto/mailman21.html">HOWTO - Using Exim

1222

4 and Mailman 2.1 together</ulink>

1223

</para>

1224

<para>

1225

Also, see the <ulink url="https://help.ubuntu.com/community/Mailman">Mailman Ubuntu Wiki</ulink> page.

1226

</para>

1227

</sect2>

1228

</sect1>

1229

1230

<title>Mail Filtering</title>

1231

<para>

1232

One of the largest issues with email today is the problem of Unsolicited Bulk Email (UBE).

1233

Also known as SPAM, such messages may also carry viruses and other forms of malware.

1234

According to some reports these messages make up the bulk of all email traffic on the Internet.

1235

</para>

1236

<para>

1237

This section will cover integrating <application>Amavisd-new</application>,

1238

<application>Spamassassin</application>, and <application>ClamAV</application> with the

1239

<application>Postfix</application> Mail Transport Agent (MTA). <application>Postfix</application> can also

1240

check email validity by passing it through external content filters. These filters can sometimes determine if

1241

a message is spam without needing to process it with more resource intensive applications. Two common filters are

1242

<application>opendkim</application> and <application>python-policyd-spf</application>.

1243

</para>

1244

1245

1246

<para>

1247

<application>Amavisd-new</application> is a wrapper program that can call any number of content filtering programs

1248

for spam detection, antivirus, etc.

1249

</para>

1250

</listitem>

1251

1252

<para>

1253

<application>Spamassassin</application> uses a variety of mechanisms to filter email based on the message content.

1254

</para>

1255

</listitem>

1256

1257

<para>

1258

<application>ClamAV</application> is an open source antivirus application.

1259

</para>

1260

</listitem>

1261

1262

<para>

1263

<application>opendkim</application> implements a Sendmail Mail Filter (Milter) for the DomainKeys

1264

Identified Mail (DKIM) standard.

1265

</para>

1266

</listitem>

1267

1268

<para>

1269

<application>python-policyd-spf</application> enables Sender Policy Framework (SPF) checking with <application>Postfix</application>.

1270

</para>

1271

</listitem>

1272

</itemizedlist>

1273

<para>

1274

This is how the pieces fit together:

1275

</para>

1276

1277

1278

<para>

1279

An email message is accepted by <application>Postfix</application>.

1280

</para>

1281

</listitem>

1282

1283

<para>

1284

The message is passed through any external filters <application>opendkim</application> and

1285

<application>python-policyd-spf</application> in this case.

1286

</para>

1287

</listitem>

1288

1289

<para>

1290

<application>Amavisd-new</application> then processes the message.

1291

</para>

1292

</listitem>

1293

1294

<para>

1295

<application>ClamAV</application> is used to scan the message. If the message contains a virus

1296

<application>Postfix</application> will reject the message.

1297

</para>

1298

</listitem>

1299

1300

<para>

1301

Clean messages will then be analyzed by <application>Spamassassin</application> to find out if the message is spam.

1302

<application>Spamassassin</application> will then add X-Header lines allowing

1303

<application>Amavisd-new</application> to further manipulate the message.

1304

</para>

1305

</listitem>

1306

</itemizedlist>

1307

<para>

1308

For example, if a message has a Spam score of over fifty the message could be automatically dropped from

1309

the queue without the recipient ever having to be bothered. Another, way to handle flagged messages is to deliver

1310

them to the Mail User Agent (MUA) allowing the user to deal with the message as they see fit.

1311

</para>

1312

1313

<title>Installation</title>

1314

<para>

1315

See <xref linkend="postfix"/> for instructions on installing and configuring Postfix.

1316

</para>

1317

<para>

1318

To install the rest of the applications enter the following from a terminal prompt:

1319

</para>

1320

1321

<command>sudo apt-get install amavisd-new spamassassin clamav-daemon</command>

1322

<command>sudo apt-get install opendkim python-policyd-spf</command>

1323

</screen>

1324

<para>

1325

There are some optional packages that integrate with <application>Spamassassin</application> for better spam detection:

1326

</para>

1327

1328

<command>sudo apt-get install pyzor razor</command>

1329

</screen>

1330

<para>

1331

Along with the main filtering applications compression utilities are needed to process some email attachments:

1332

</para>

1333

1334

<command>sudo apt-get install arj cabextract cpio lha nomarch pax rar unrar unzip zip</command>

1335

</screen>

1336

<note>

1337

<para>If some packages are not found, check that the <emphasis>multiverse</emphasis> repository is enabled in <filename>/etc/apt/sources.list</filename></para>

1338

<para>If you make changes to the file, be sure to run <command>sudo apt-get update</command> before trying to install again.</para>

1339

</note>

1340

</sect2>

1341

1342

<title>Configuration</title>

1343

<para>

1344

Now configure everything to work together and filter email.

1345

</para>

1346

1347

<title>ClamAV</title>

1348

<para>

1349

The default behaviour of <application>ClamAV</application> will fit our needs.

1350

For more ClamAV configuration options, check the configuration files in

1351

<filename>/etc/clamav</filename>.

1352

</para>

1353

<para>

1354

Add the <emphasis>clamav</emphasis> user to the <emphasis>amavis</emphasis> group in order for <application>Amavisd-new</application>

1355

to have the appropriate access to scan files:

1356

</para>

1357

1358

<command>sudo adduser clamav amavis</command>

1359

</screen>

1360

</sect3>

1361

1362

<title>Spamassassin</title>

1363

<para>

1364

Spamassassin automatically detects optional components and will use them if they are present. This means that there is no need to

1365

configure <application>pyzor</application> and <application>razor</application>.

1366

</para>

1367

<para>

1368

Edit <filename>/etc/default/spamassassin</filename> to activate the <application>Spamassassin</application> daemon.

1369

Change <emphasis>ENABLED=0</emphasis> to:

1370

</para>

1371

1372

ENABLED=1

1373

</programlisting>

1374

<para>

1375

Now start the daemon:

1376

</para>

1377

1378

<command>sudo /etc/init.d/spamassassin start</command>

1379

</screen>

1380

</sect3>

1381

1382

<title>Amavisd-new</title>

1383

<para>

1384

First activate spam and antivirus detection in <application>Amavisd-new</application> by editing

1385

<filename>/etc/amavis/conf.d/15-content_filter_mode</filename>:

1386

</para>

1387

1388

use strict;

1389

1390

# You can modify this file to re-enable SPAM checking through spamassassin

1391

# and to re-enable antivirus checking.

1392

1393

1394

# Default antivirus checking mode

1395

# Uncomment the two lines below to enable it

1396

1397

1398

@bypass_virus_checks_maps = (

1399

\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

1400

1401

1402

1403

# Default SPAM checking mode

1404

# Uncomment the two lines below to enable it

1405

1406

1407

@bypass_spam_checks_maps = (

1408

\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1409

1410

1; # insure a defined return

1411

</programlisting>

1412

<para>

1413

Bouncing spam can be a bad idea as the return address is often faked. Consider editing

1414

<filename>/etc/amavis/conf.d/20-debian_defaults</filename> to set <emphasis>$final_spam_destiny</emphasis> to D_DISCARD

1415

rather than D_BOUNCE, as follows:

1416

</para>

1417

1418

1419

$final_spam_destiny = D_DISCARD;

1420

</programlisting>

1421

1422

<para>

1423

Additionally, you may want to adjust the following options to flag more messages as spam:

1424

</para>

1425

1426

1427

$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level

1428

$sa_tag2_level_deflt = 6.0; # add 'spam detected' headers at that level

1429

$sa_kill_level_deflt = 21.0; # triggers spam evasive actions

1430

$sa_dsn_cutoff_level = 4; # spam level beyond which a DSN is not sent

1431

</programlisting>

1432

1433

<para>

1434

If the server's <emphasis>hostname</emphasis> is different from the domain's MX record you may need to manually set

1435

the <emphasis>$myhostname</emphasis> option. Also, if the server receives mail for multiple domains the

1436

<emphasis>@local_domains_acl</emphasis> option will need to be customized. Edit the

1437

<filename>/etc/amavis/conf.d/50-user</filename> file:

1438

</para>

1439

1440

1441

$myhostname = 'mail.example.com';

1442

@local_domains_acl = ( "example.com", "example.org" );

1443

</programlisting>

1444

1445

<para>

1446

After configuration <application>Amavisd-new</application> needs to be restarted:

1447

</para>

1448

1449

<command>sudo /etc/init.d/amavis restart</command>

1450

</screen>

1451

1452

<title>DKIM Whitelist</title>

1453

1454

<para>

1455

<application>Amavisd-new</application> can be configured to automatically <emphasis>Whitelist</emphasis>

1456

addresses from domains with valid Domain Keys. There are some pre-configured domains in the

1457

<filename>/etc/amavis/conf.d/40-policy_banks</filename>.

1458

</para>

1459

1460

<para>

1461

There are multiple ways to configure the Whitelist for a domain:

1462

</para>

1463

1464

1465

1466

<para>

1467

<emphasis>'example.com' => 'WHITELIST',</emphasis>: will whitelist any address from the "example.com" domain.

1468

</para>

1469

</listitem>

1470

1471

<para>

1472

<emphasis>'.example.com' => 'WHITELIST',</emphasis>: will whitelist any address from any <emphasis>subdomains</emphasis>

1473

of "example.com" that have a valid signature.

1474

</para>

1475

</listitem>

1476

1477

<para>

1478

<emphasis>'.example.com/@example.com' => 'WHITELIST',</emphasis>: will whitelist subdomains of "example.com" that use the

1479

signature of <emphasis role="italic">example.com</emphasis> the parent domain.

1480

</para>

1481

</listitem>

1482

1483

<para>

1484

<emphasis>'./@example.com' => 'WHITELIST',</emphasis>: adds addresses that have a valid signature from "example.com".

1485

This is usually used for discussion groups that sign their messages.

1486

</para>

1487

</listitem>

1488

</itemizedlist>

1489

1490

<para>

1491

A domain can also have multiple Whitelist configurations.

1492

After editing the file, restart <application>amavisd-new</application>:

1493

</para>

1494

1495

1496

<command>sudo /etc/init.d/amavis restart</command>

1497

</screen>

1498

1499

<note>

1500

<para>

1501

In this context, once a domain has been added to the Whitelist the message will not receive any anti-virus or spam filtering.

1502

This may or may not be the intended behavior you wish for a domain.

1503

</para>

1504

</note>

1505

1506

</sect4>

1507

</sect3>

1508

1509

<title>Postfix</title>

1510

<para>

1511

For <application>Postfix</application> integration, enter the following from a terminal prompt:

1512

</para>

1513

1514

<command>sudo postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'</command>

1515

</screen>

1516

<para>

1517

Next edit <filename>/etc/postfix/master.cf</filename> and add the following to the end of the file:

1518

</para>

1519

1520

smtp-amavis unix - - - - 2 smtp

1521

-o smtp_data_done_timeout=1200

1522

-o smtp_send_xforward_command=yes

1523

-o disable_dns_lookups=yes

1524

-o max_use=20

1525

1526

127.0.0.1:10025 inet n - - - - smtpd

1527

-o content_filter=

1528

-o local_recipient_maps=

1529

-o relay_recipient_maps=

1530

-o smtpd_restriction_classes=

1531

-o smtpd_delay_reject=no

1532

-o smtpd_client_restrictions=permit_mynetworks,reject

1533

-o smtpd_helo_restrictions=

1534

-o smtpd_sender_restrictions=

1535

-o smtpd_recipient_restrictions=permit_mynetworks,reject

1536

-o smtpd_data_restrictions=reject_unauth_pipelining

1537

-o smtpd_end_of_data_restrictions=

1538

-o mynetworks=127.0.0.0/8

1539

-o smtpd_error_sleep_time=0

1540

-o smtpd_soft_error_limit=1001

1541

-o smtpd_hard_error_limit=1000

1542

-o smtpd_client_connection_count_limit=0

1543

-o smtpd_client_connection_rate_limit=0

1544

-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

1545

</programlisting>

1546

<para>

1547

Also add the following two lines immediately below the <emphasis>"pickup"</emphasis> transport service:

1548

</para>

1549

1550

-o content_filter=

1551

-o receive_override_options=no_header_body_checks

1552

</programlisting>

1553

<para>

1554

This will prevent messages that are generated to report on spam from being classified as spam.

1555

</para>

1556

<para>

1557

Now restart <application>Postfix</application>:

1558

</para>

1559

1560

<command>sudo /etc/init.d/postfix restart</command>

1561

</screen>

1562

<para>

1563

Content filtering with spam and virus detection is now enabled.

1564

</para>

1565

1566

</sect3>

1567

1568

<title>Amavisd-new and Spamassassin</title>

1569

1570

<para>

1571

When integrating <application>Amavisd-new</application> with <application>Spamassassin</application>, if you choose to

1572

disable the bayes filtering by editing <filename>/etc/spamassassin/local.cf</filename> and use <application>cron</application>

1573

to update the nightly rules, the result can cause a situation where a large amount of error messages are sent to the

1574

<emphasis>amavis</emphasis> user via the amavisd-new <application>cron</application> job.

1575

</para>

1576

1577

<para>

1578

There are several ways to handle this situation:

1579

</para>

1580

1581

1582

1583

<para>

1584

Configure your MDA to filter messages you do not wish to see.

1585

</para>

1586

</listitem>

1587

1588

<para>

1589

Change <filename>/usr/sbin/amavisd-new-cronjob</filename> to check for <emphasis>use_bayes 0</emphasis>. For example, edit

1590

<filename>/usr/sbin/amavisd-new-cronjob</filename> and add the following to the top before the <emphasis>test</emphasis> statements:

1591

</para>

1592

1593

egrep -q "^[ \t]*use_bayes[ \t]*0" /etc/spamassassin/local.cf && exit 0

1594

</programlisting>

1595

</listitem>

1596

</itemizedlist>

1597

1598

</sect3>

1599

</sect2>

1600

1601

<title>Testing</title>

1602

<para>

1603

First, test that the <application>Amavisd-new</application> SMTP is listening:

1604

</para>

1605

1606

telnet localhost 10024

1607

Trying 127.0.0.1...

1608

Connected to localhost.

1609

Escape character is '^]'.

1610

220 [127.0.0.1] ESMTP amavisd-new service ready

1611

1612

</programlisting>

1613

<para>

1614

In the Header of messages that go through the content filter you should see:

1615

</para>

1616

1617

X-Spam-Level:

1618

X-Virus-Scanned: Debian amavisd-new at example.com

1619

X-Spam-Status: No, hits=-2.3 tagged_above=-1000.0 required=5.0 tests=AWL, BAYES_00

1620

X-Spam-Level:

1621

</programlisting>

1622

<note>

1623

<para>

1624

Your output will vary, but the important thing is that there are <emphasis>X-Virus-Scanned</emphasis> and

1625

<emphasis>X-Spam-Status</emphasis> entries.

1626

</para>

1627

</note>

1628

</sect2>

1629

1630

<title>Troubleshooting</title>

1631

<para>

1632

The best way to figure out why something is going wrong is to check the log files.

1633

</para>

1634

1635

1636

<para>

1637

For instructions on <application>Postfix</application> logging see the

1638

<xref linkend="postfix-troubleshooting"/> section.

1639

</para>

1640

</listitem>

1641

1642

<para>

1643

<application>Amavisd-new</application> uses <application>Syslog</application> to send messages to

1644

<filename>/var/log/mail.log</filename>. The amount of detail can be increased by adding the

1645

<emphasis>$log_level</emphasis> option to <filename>/etc/amavis/conf.d/50-user</filename>, and setting the value from 1 to 5.

1646

</para>

1647

1648

$log_level = 2;

1649

</programlisting>

1650

<note>

1651

<para>

1652

When the <application>Amavisd-new</application> log output is increased <application>Spamassassin</application> log output is also

1653

increased.

1654

</para>

1655

</note>

1656

</listitem>

1657

1658

<para>

1659

The <application>ClamAV</application> log level can be increased by editing <filename>/etc/clamav/clamd.conf</filename>

1660

and setting the following option:

1661

</para>

1662

1663

LogVerbose true

1664

</programlisting>

1665

<para>

1666

By default <application>ClamAV</application> will send log messages to <filename>/var/log/clamav/clamav.log</filename>.

1667

</para>

1668

</listitem>

1669

</itemizedlist>

1670

<note>

1671

<para>

1672

After changing an applications log settings remember to restart the service for the new settings to take affect. Also,

1673

once the issue you are troubleshooting is resolved it is a good idea to change the log settings back to normal.

1674

</para>

1675

</note>

1676

</sect2>

1677

1678

<title>References</title>

1679

<para>

1680

For more information on filtering mail see the following links:

1681

</para>

1682

1683

1684

<para>

1685

<ulink url="http://www.ijs.si/software/amavisd/amavisd-new-docs.html">Amavisd-new Documentation</ulink>

1686

</para>

1687

</listitem>

1688

1689

<para>

1690

<ulink url="http://www.clamav.org/doc/latest/html/">ClamAV Documentation</ulink> and

1691

<ulink url="http://wiki.clamav.net/Main/WebHome">ClamAV Wiki</ulink>

1692

</para>

1693

</listitem>

1694

1695

<para>

1696

<ulink url="http://wiki.apache.org/spamassassin/">Spamassassin Wiki</ulink>

1697

</para>

1698

</listitem>

1699

1700

<para>

1701

<ulink url="http://pyzor.sourceforge.net/">Pyzor Homepage</ulink>

1702

</para>

1703

</listitem>

1704

1705

<para>

1706

<ulink url="http://razor.sourceforge.net/">Razor Homepage</ulink>

1707

</para>

1708

</listitem>

1709

1710

<para>

1711

1712

</para>

1713

</listitem>

1714

1715

<para>

1716

<ulink url="https://help.ubuntu.com/community/PostfixAmavisNew">Postfix Amavis New</ulink>

1717

</para>

1718

</listitem>

1719

</itemizedlist>

1720

<para>

1721

Also, feel free to ask questions in the <emphasis>#ubuntu-server</emphasis> IRC channel on

1722

<ulink url="http://freenode.net">freenode</ulink>.

1723

</para>

1724

</sect2>

1725

</sect1>

1726

</chapter>

1727

Older »