Infoaddict Just another site for Infoaddict's

23 Feb 2014

Configure Postfix with CentOS

Install Postfix to set up an SMTP server. This example configures SMTP-Auth using Dovecot's SASL function, so that clients outside the local network must authenticate before they can send mail through the server.

[1]

Configure Postfix. (Postfix is installed by default, even on a CentOS Minimal install.)

[root@mail ~]# vi /etc/postfix/main.cf

# line 75: uncomment and specify hostname
myhostname = mail.server.world
# line 83: uncomment and specify domain name
mydomain = server.world
# line 99: uncomment
myorigin = $mydomain
# line 116: change (listen on all interfaces)
inet_interfaces = all
# line 119: change if you use only IPv4
inet_protocols = ipv4
# line 164: add
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# line 264: uncomment and specify your LAN
mynetworks = 127.0.0.0/8, 10.0.0.0/24
# line 419: uncomment (use Maildir)
home_mailbox = Maildir/
# line 545: uncomment, line 546: add
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
# line 571: add
smtpd_banner = $myhostname ESMTP
# add at the last line
# limit the size of an email to 10M
message_size_limit = 10485760
# limit a mailbox to 1G
mailbox_size_limit = 1073741824
# SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_client_restrictions = permit_mynetworks,reject_unknown_client,permit
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject

A few points in this block deserve a check before the server goes live. Hosts in mynetworks are trusted unconditionally (permit_mynetworks comes first in both restriction lists), so list only networks whose machines you would let relay mail without a password. The final reject in smtpd_recipient_restrictions is what stops unauthenticated clients outside mynetworks from relaying through the server; never end that list with permit. reject_unknown_client refuses any client whose IP address has no matching forward and reverse DNS record, which blocks many spam sources but also some legitimate senders, so remove it if you see refused connections in /var/log/maillog. Postfix 2.6, which CentOS 6 ships, predates smtpd_relay_restrictions, so on this release smtpd_recipient_restrictions is the only relay control there is.

[root@mail ~]# vi /etc/postfix/header_checks

# add at the head
# reject if the email address is empty
/^From:.*<#.*@.*>/ REJECT
/^Return-Path:.*<#.*@.*>/ REJECT

[root@mail ~]# vi /etc/postfix/body_checks

# reject if the mail body includes 'example.com' (the leading (|[^>].*) skips quoted lines that start with '>')
/^(|[^>].*)example.com/ REJECT

The body_checks pattern is only a placeholder to show the syntax; body_checks runs against every line of every message, including mail from authenticated users, so keep real patterns narrow.

[root@mail ~]# /etc/rc.d/init.d/postfix start
Starting postfix:                                          [  OK  ]
[root@mail ~]# chkconfig postfix on

 

Install Dovecot to set up a POP/IMAP server. This example also configures it to provide the SASL function to Postfix.

[root@mail ~]# yum -y install dovecot
[root@mail ~]# vi /etc/dovecot/dovecot.conf

# line 31: change (if you do not use IPv6)
listen = *

[root@mail ~]# vi /etc/dovecot/conf.d/10-auth.conf

# line 9: uncomment and change (allow plain text auth)
disable_plaintext_auth = no
# line 97: add
auth_mechanisms = plain login

[root@mail ~]# vi /etc/dovecot/conf.d/10-mail.conf

# line 30: uncomment and add
mail_location = maildir:~/Maildir

[root@mail ~]# vi /etc/dovecot/conf.d/10-master.conf

# line 84-86: uncomment and add
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    # add
    user = postfix
    # add
    group = postfix
  }

disable_plaintext_auth = no lets clients send their password in the clear over unencrypted IMAP, POP and SMTP sessions. That is only acceptable on a trusted LAN, or until the SSL section below is done; once TLS works, set it back to yes (together with ssl = required in 10-ssl.conf) so that the plain and login mechanisms are accepted only inside a TLS session. The auth socket is created with mode 0666 as in Dovecot's sample config; since it is owned by postfix:postfix, mode 0660 is sufficient and keeps other local users from talking to the authentication service.

[root@mail ~]# /etc/rc.d/init.d/dovecot start
Starting Dovecot Imap:                                     [  OK  ]
[root@mail ~]# chkconfig dovecot on

 

Configure the mail client on your PC. This example uses Windows Live Mail.

[1]

Start Windows Live Mail, move to the "Account" tab and click "Email".

[2]

Enter the email address, the account's password and the sender's name, check the 'Configure Manually' box and go to the next screen.

[3]

Select IMAP or POP; this example selects IMAP. Enter the other details of your mail server, and don't forget to check the 'this server requires authentication' box at the bottom: the Postfix configuration above accepts mail for relay from outside the LAN only from authenticated clients.

[4]

Click 'Finish'.

[5]

Connect; the server's folder settings are fetched automatically.

 

Configure SSL so that data in transit is encrypted.

[1]

Create the certificate first; see the self-signed certificate section further down this page.

[2]

Configure Postfix and Dovecot for SSL.

[root@mail ~]# vi /etc/postfix/main.cf

# add at the last line
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache

[root@mail ~]# vi /etc/postfix/master.cf

# line 17-18: uncomment (SMTP over TLS on port 465)
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes

[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf

# line 6: uncomment
ssl = yes
# line 12,13: uncomment and specify the certificate
ssl_cert = </etc/pki/tls/certs/server.crt
ssl_key = </etc/pki/tls/certs/server.key

Note that smtpd_use_tls = yes only offers STARTTLS on port 25; it does not require it. Add smtpd_tls_auth_only = yes so that Postfix announces AUTH only after STARTTLS (or on the smtps wrapper port), otherwise a client that skips STARTTLS can still send its password in the clear. In the same way, ssl = yes in Dovecot is opportunistic; ssl = required together with disable_plaintext_auth = yes refuses plaintext logins on unencrypted connections.

[root@mail ~]# /etc/rc.d/init.d/postfix restart
Shutting down postfix:                                     [  OK  ]
Starting postfix:                                          [  OK  ]
[root@mail ~]# /etc/rc.d/init.d/dovecot restart
Stopping Dovecot Imap:                                     [  OK  ]
Starting Dovecot Imap:                                     [  OK  ]

Configure the client. Change the settings as in the following example (if you use POP3S, enter 995 for incoming mail; IMAPS uses 993 and SMTPS 465).

Click 'Synchronize' in Windows Live Mail. The following warning is shown because the certificate was self-signed on your own server. That is expected for a private certificate: click 'Yes' to proceed, and it is then possible to send and receive mail over the SSL connection. Keep in mind that accepting the warning blindly means the client cannot tell your server from an impostor presenting its own self-signed certificate; for anything beyond a test setup, import server.crt into the client's trust store or use a certificate from a CA the client already trusts.
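The two settings that matter most in the SMTP-Auth and SSL steps above are the tail of smtpd_recipient_restrictions (a trailing reject, as configured here, versus a trailing permit, which is an open relay) and Dovecot's disable_plaintext_auth = no, which is only safe once ssl = required. The script below is an added example written for this page, not part of the original post or of Postfix or Dovecot: it reads those settings from configuration files offline, on any machine with sh, awk and grep, and reports the weak combinations. The sample files it writes are constructed for the demo, and the function names and file paths are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): offline audit of the relay
# policy in a Postfix main.cf and of the plaintext-auth setting in Dovecot.
# Sample configs written by write_samples are constructed for the demo.

# cfg_get FILE PARAM: print the effective value of PARAM from a Postfix
# main.cf or a Dovecot conf file. The last uncommented assignment wins and
# Postfix continuation lines (which start with whitespace) are joined.
cfg_get() {
    awk -v p="$2" '
        /^[ \t]+[^ \t#]/ { if (inp) val = val " " $0; next }   # continuation line
        { inp = 0 }
        /^[ \t]*#/ { next }
        $0 ~ ("^" p "[ \t]*=") {
            val = $0; sub("^" p "[ \t]*=[ \t]*", "", val); inp = 1
        }
        END { gsub(/[ \t]+/, " ", val); sub(/ $/, "", val); print val }
    ' "$1"
}

# relay_policy_ok MAIN_CF: return 0 when unauthenticated clients outside
# mynetworks cannot relay, i.e. reject_unauth_destination appears in the
# recipient or relay restrictions, or the recipient list ends in an
# unconditional reject (as on this page). A trailing permit is an open relay.
relay_policy_ok() {
    rcpt=$(cfg_get "$1" smtpd_recipient_restrictions)
    relay=$(cfg_get "$1" smtpd_relay_restrictions)   # Postfix >= 2.10 only
    case ",$(printf '%s,%s' "$rcpt" "$relay" | tr -d ' \t')," in
        *,reject_unauth_destination,*|*,defer_unauth_destination,*) return 0 ;;
    esac
    case ",$(printf '%s' "$rcpt" | tr -d ' \t')," in
        *,reject,) return 0 ;;
    esac
    echo "WEAK: smtpd_recipient_restrictions = '$rcpt' lets anyone relay" >&2
    return 1
}

# dovecot_auth_ok 10-AUTH.CONF 10-SSL.CONF: return 0 unless PLAIN/LOGIN are
# accepted on unencrypted connections (disable_plaintext_auth = no while
# ssl is not 'required'). Dovecot's default is yes, so absent counts as safe.
dovecot_auth_ok() {
    plain=$(cfg_get "$1" disable_plaintext_auth)
    ssl=$(cfg_get "$2" ssl)
    if [ "${plain:-yes}" = no ] && [ "$ssl" != required ]; then
        echo "WEAK: disable_plaintext_auth = no with ssl = '${ssl:-no}': passwords may travel in the clear" >&2
        return 1
    fi
    return 0
}

# write_samples DIR: constructed sample files. weak-main.cf ends its
# restriction list in permit (open relay); page-main.cf uses this page's list.
write_samples() {
    cat > "$1/weak-main.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, permit
EOF
    cat > "$1/page-main.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject
EOF
    printf 'disable_plaintext_auth = no\nauth_mechanisms = plain login\n' > "$1/10-auth.conf"
    printf 'ssl = yes\n' > "$1/10-ssl.conf"
    printf 'ssl = required\n' > "$1/10-ssl-hardened.conf"
}

# Demo on the constructed samples. On a real server point the functions at
# /etc/postfix/main.cf and /etc/dovecot/conf.d/10-auth.conf and 10-ssl.conf.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in weak-main.cf page-main.cf; do
    relay_policy_ok "$demo_dir/$f" && echo "$f: relay policy OK"
done
dovecot_auth_ok "$demo_dir/10-auth.conf" "$demo_dir/10-ssl.conf" && echo "ssl = yes: OK"
dovecot_auth_ok "$demo_dir/10-auth.conf" "$demo_dir/10-ssl-hardened.conf" && echo "ssl = required: OK"
rm -rf "$demo_dir"
```

Run it after every change to the restriction lists; the weak sample shows the failure mode the page warns about (a list that ends in permit), and the second Dovecot check shows that the setting that makes disable_plaintext_auth = no acceptable is ssl = required, not ssl = yes.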

 

Create your server's own self-signed SSL certificate. If the server is used for business, it is better to buy a certificate from a public CA such as VeriSign.

[root@www ~]# cd /etc/pki/tls/certs
[root@www certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
......................................................++++++
.............++++++
e is 65537 (0x10001)
Enter pass phrase:                # set passphrase
Verifying - Enter pass phrase:    # confirm

# remove the passphrase from the private key (Postfix and Dovecot cannot prompt for it at boot)
[root@www certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: # input passphrase
writing RSA key

[root@www certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: JP                              # country
State or Province Name (full name) []: Hiroshima                   # state
Locality Name (eg, city) [Default City]: Hiroshima                 # city
Organization Name (eg, company) [Default Company Ltd]: GTS         # company
Organizational Unit Name (eg, section) []: Server World            # department
Common Name (eg, your server's hostname) []: www.server.world      # server's FQDN
Email Address []: xxx@server.world                                 # email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:          # Enter
An optional company name []:      # Enter

[root@www certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server World/CN=www.server.world/emailAddress=xxx@server.world
Getting Private key
[root@www certs]# chmod 400 server.*

The Common Name (and, for current clients, a subjectAltName) must be the hostname the mail client connects to. This walkthrough reuses a web-server example with CN=www.server.world; for the mail server configured above, use mail.server.world, otherwise clients report a hostname mismatch on top of the untrusted-issuer warning. chmod 400 keeps the now unencrypted key readable by root only; Postfix and Dovecot read it as root when they start, so nothing else needs access to it.
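The interactive walkthrough above produces a certificate whose CN is www.server.world and which carries no subjectAltName, which recent mail clients reject even after the self-signed warning has been accepted. The script below is an added example, not part of the original page: it generates the same kind of self-signed key and certificate non-interactively for the mail server's own name, with a DNS subjectAltName, and then checks the three things that usually go wrong (mis-named or expired certificate, passphrase still on the key, key readable by others). It assumes OpenSSL 1.1.1 or newer for -addext and writes into a temporary directory; mail.server.world, the subject fields and the function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not the page's own commands: non-interactive self-signed
# certificate for the mail server plus the checks to run before Postfix and
# Dovecot are pointed at it. Hostname and subject fields are placeholders.

# make_selfsigned DIR HOST [DAYS]: write DIR/server.key (unencrypted, so the
# daemons can start unattended) and DIR/server.crt with CN=HOST and a DNS
# subjectAltName for HOST, which current mail clients check instead of the CN.
make_selfsigned() {
    dir=$1; host=$2; days=${3:-3650}
    (
        umask 077   # the key is created 0600, never world-readable
        openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
            -keyout "$dir/server.key" -out "$dir/server.crt" \
            -subj "/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/CN=$host" \
            -addext "subjectAltName=DNS:$host" 2>/dev/null
    ) || return 1
    chmod 400 "$dir/server.key" "$dir/server.crt"   # same as the page's chmod 400 server.*
}

# cert_matches_host CRT HOST: 0 if CRT is currently valid and lists HOST as a
# DNS subjectAltName; anything else means clients will show a name mismatch.
cert_matches_host() {
    crt=$1; host=$2
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "$crt has expired" >&2; return 1; }
    openssl x509 -in "$crt" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:$host(,|\$)" \
        || { echo "$crt does not name $host" >&2; return 1; }
    return 0
}

# key_is_private KEY: 0 if the key file is mode 0400 and carries no
# passphrase (an encrypted key would block Postfix and Dovecot at boot).
key_is_private() {
    key=$1
    [ -n "$(find "$key" -perm 400)" ] \
        || { echo "$key is not mode 0400" >&2; return 1; }
    if grep -q ENCRYPTED "$key"; then
        echo "$key is passphrase-protected; strip it with: openssl rsa -in $key -out $key" >&2
        return 1
    fi
    return 0
}

# probe_starttls HOST PORT: what to run from a client once the daemons have
# been restarted with the new files. It needs network access, so the demo
# below does not call it. Use -starttls imap or pop3 against Dovecot, or a
# plain -connect HOST:465 for the smtps wrapper port.
probe_starttls() {
    openssl s_client -connect "$1:$2" -starttls smtp -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

# Demo: generate into a temporary directory and run the checks.
demo_dir=$(mktemp -d)
if make_selfsigned "$demo_dir" mail.server.world 3650 \
   && cert_matches_host "$demo_dir/server.crt" mail.server.world \
   && key_is_private "$demo_dir/server.key"; then
    echo "server.key and server.crt for mail.server.world are ready to copy to /etc/pki/tls/certs"
fi
cert_matches_host "$demo_dir/server.crt" www.server.world || true   # reports the name mismatch
rm -rf "$demo_dir"
```

Copy the two files to /etc/pki/tls/certs as in the steps above. After the restart in the SSL section, probe_starttls mail.server.world 25 prints the certificate the server actually presents; compare its subject and dates with the file you installed to catch a stale or wrong path in main.cf or 10-ssl.conf.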

 

[1]

Install ClamAV.

[root@mail ~]# yum --enablerepo=rpmforge -y install clamav
# install from RPMforge

[root@mail ~]# vi /etc/freshclam.conf
# line 122: comment out (clamd is not installed yet)
#NotifyClamd /etc/clamd.conf

[root@mail ~]# freshclam
# update the signature database
ClamAV update process started at Sun Jul 10 22:10:08 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
daily.cvd is up to date (version: 13304, sigs: 144473, f-level: 60, builder: guitar)
bytecode.cvd is up to date (version: 143, sigs: 40, f-level: 60, builder: edwin)

[2]

Try a scan.

[root@mail ~]# clamscan --infected --remove --recursive /home
----------- SCAN SUMMARY -----------
Known viruses: 989350
Engine version: 0.97.1
Scanned directories: 3
Scanned files: 3
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 2.060 sec (0 m 2 s)

# download the EICAR test file (a harmless string that every scanner reports as Eicar-Test-Signature)
[root@mail ~]# wget http://www.eicar.org/download/eicar.com
[root@mail ~]# clamscan --infected --remove --recursive .
./eicar.com: Eicar-Test-Signature FOUND
./eicar.com: Removed.
# detected and removed
----------- SCAN SUMMARY -----------
Known viruses: 989350
Engine version: 0.97.1
Scanned directories: 1
Scanned files: 13
Infected files: 1
Data scanned: 0.02 MB
Data read: 0.01 MB (ratio 2.00:1)
Time: 2.079 sec (0 m 2 s)

--remove deletes every file that matches a signature, with no copy kept; on real home directories a false positive is unrecoverable, so prefer --move=DIR to quarantine, or run without either option and act on the report.

 

Install clamd and ClamSMTP, an SMTP proxy that passes mail between Postfix and clamd for scanning.

[root@mail ~]# yum --enablerepo=rpmforge -y install clamd
# install from RPMforge
[root@mail ~]# wget http://thewalter.net/stef/software/clamsmtp/clamsmtp-1.10.tar.gz
[root@mail ~]# tar zxvf clamsmtp-1.10.tar.gz
[root@mail ~]# cd clamsmtp-1.10
[root@mail clamsmtp-1.10]# ./configure
[root@mail clamsmtp-1.10]# make
[root@mail clamsmtp-1.10]# make install
[root@mail clamsmtp-1.10]# cp ./doc/clamsmtpd.conf /etc
[root@mail clamsmtp-1.10]# cd

The tarball is fetched over plain HTTP and built and installed as root; compare it against a checksum published by the project before running make install.

[root@mail ~]# vi /etc/clamsmtpd.conf
# line 11: change (where clean mail is handed back to Postfix)
OutAddress: 127.0.0.1:10026
# line 29: uncomment and change (where Postfix sends mail to be scanned)
Listen: 127.0.0.1:10025
# line 32: change
ClamAddress: /var/run/clamav/clamd.sock
# line 35: uncomment
Header: X-Virus-Scanned: ClamAV using ClamSMTP
# line 38: uncomment (clamd, running as the same user, must be able to read files written here)
TempDirectory: /tmp
# line 41: uncomment (discard infected mail silently; 'bounce' would send backscatter to forged senders)
Action: drop
# line 50: uncomment
User: clamav

[root@mail ~]# vi /etc/rc.d/init.d/clamsmtp
# create the init script

#!/bin/bash
# clamsmtpd: Start/Stop clamsmtpd
#
# chkconfig: - 65 40
# description: Clamsmtpd is an SMTP proxy for the ClamAV antivirus daemon.
# processname: clamsmtpd
# pidfile: /var/run/clamav/clamsmtpd.pid

. /etc/rc.d/init.d/functions
. /etc/sysconfig/network

CONFIG_FILE=/etc/clamsmtpd.conf
PID_DIR=/var/run/clamav
PID_FILE=$PID_DIR/clamsmtpd.pid
RETVAL=0

start() {
   echo -n $"Starting ClamSmtpd: "
   daemon /usr/local/sbin/clamsmtpd -f $CONFIG_FILE -p $PID_FILE
   RETVAL=$?
   echo
   [ $RETVAL -eq 0 ] && touch /var/lock/subsys/clamsmtpd
   return $RETVAL
}

stop() {
   echo -n $"Stopping ClamSmtpd: "
   killproc clamsmtpd
   RETVAL=$?
   echo
   # the pid file is the one passed to -p in start()
   [ $RETVAL -eq 0 ] && rm -f $PID_FILE /var/lock/subsys/clamsmtpd
   return $RETVAL
}

case "$1" in
   start)
      start
      ;;
   stop)
      stop
      ;;
   status)
      status clamsmtpd
      ;;
   restart)
      stop
      start
      ;;
   condrestart)
      # restart only if the service is currently running
      [ -f /var/lock/subsys/clamsmtpd ] && { stop; start; } || :
      ;;
   *)
      echo $"Usage: $0 {start|stop|status|restart|condrestart}"
      exit 1
esac

exit $RETVAL

[root@mail ~]# chmod 755 /etc/rc.d/init.d/clamsmtp
[root@mail ~]# /etc/rc.d/init.d/clamd start
Starting Clam AntiVirus Daemon: Bytecode: Security mode set to "TrustSigned".
                                                           [  OK  ]
[root@mail ~]# /etc/rc.d/init.d/clamsmtp start
Starting ClamSmtpd:                                        [  OK  ]
[root@mail ~]# chkconfig --add clamsmtp
[root@mail ~]# chkconfig clamsmtp on
[root@mail ~]# chkconfig clamd on

[2]

Configure Postfix to pass every queued message through clamsmtpd.

[root@mail ~]# vi /etc/postfix/main.cf
# add at the last line
content_filter = scan:127.0.0.1:10025

[root@mail ~]# vi /etc/postfix/master.cf
# add at the last line
scan      unix  -       -       n       -       16      smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10026 inet  n       -       n       -       16      smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

[root@mail ~]# /etc/rc.d/init.d/postfix restart
Shutting down postfix:                                     [  OK  ]
Starting postfix:                                          [  OK  ]

How the loop fits together: Postfix hands each queued message to the scan transport, which delivers it to clamsmtpd on 127.0.0.1:10025; clamsmtpd has clamd scan it and, if it is clean, re-injects it into the listener on 127.0.0.1:10026. There, the empty content_filter= prevents a second pass through the scanner, and mynetworks_style=host with permit_mynetworks,reject ensures that only this host can submit mail to the re-injection port. One thing to note: that listener still applies the header_checks and body_checks configured earlier, so add -o receive_override_options=no_header_body_checks to it if you do not want them run twice.

After this configuration, the header set in clamsmtpd.conf (X-Virus-Scanned: ClamAV using ClamSMTP) is added to each message that passes through. To test, send the EICAR test file as an attachment: it is dropped before it reaches the mailbox and clamsmtpd records the detection in the mail log.

 

[1]

Install httpd.

[root@www ~]# yum -y install httpd
# remove the welcome page
[root@www ~]# rm -f /etc/httpd/conf.d/welcome.conf
# remove the default error page
[root@www ~]# rm -f /var/www/error/noindex.html

[2]

Configure httpd.

[root@www ~]# vi /etc/httpd/conf/httpd.conf
# line 44: change (send only 'Apache' in the Server header, without version or module list)
ServerTokens Prod
# line 76: change to On
KeepAlive On
# line 262: admin's address
ServerAdmin root@server.world
# line 276: change to your server's name
ServerName www.server.world:80
# line 338: change
AllowOverride All
# line 402: add the file names served when only a directory name is requested
DirectoryIndex index.html index.htm
# line 536: change (no version footer on server-generated pages)
ServerSignature Off
# line 759: comment out
#AddDefaultCharset UTF-8

ServerTokens Prod and ServerSignature Off only hide the version string; they are not a substitute for patching, but they do deny casual scanners an easy fingerprint. AllowOverride All enables .htaccess processing under the whole document root, which costs a stat() per directory on every request and lets anyone who can write into a web directory change server behaviour, so limit it to the directories that actually need it.

[root@www ~]# /etc/rc.d/init.d/httpd start
Starting httpd:                                            [  OK  ]
[root@www ~]# chkconfig httpd on

Install MySQL for the database server.

[root@www ~]# yum -y install mysql-server
[root@www ~]# /etc/rc.d/init.d/mysqld start
Initializing MySQL database:  Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h www.server.world password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

Starting mysqld:                                           [  OK  ]
[root@www ~]# chkconfig mysqld on

[root@www ~]# mysql -u root
# connect to MySQL (no root password exists yet, so do the steps below right away)
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# show user info
mysql> select user,host,password from mysql.user;
# set the root password for each root row ('password' is a placeholder; choose your own)
mysql> set password for root@localhost=password('password');
Query OK, 0 rows affected (0.00 sec)
mysql> set password for root@'127.0.0.1'=password('password');
Query OK, 0 rows affected (0.00 sec)
mysql> set password for root@'www.server.world'=password('password');
Query OK, 0 rows affected (0.00 sec)
# delete the anonymous users
mysql> delete from mysql.user where user='';
Query OK, 2 rows affected (0.00 sec)
mysql> select user,host,password from mysql.user;
mysql> exit
# quit
Bye

Rows removed from mysql.user with DELETE are not applied to the running server until you run flush privileges; (or restart mysqld); SET PASSWORD takes effect immediately. mysql_secure_installation, mentioned in the output above, performs the same steps interactively and also drops the test database.

[root@www ~]# mysql -u root -p
# connect as root
Enter password:    # MySQL root password
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> exit
Bye

Install PostfixAdmin to manage Postfix from a web browser.

[1]

Create a MySQL database for PostfixAdmin.

[root@mail ~]# mysql -u root -p
# connect to MySQL
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# create the "postfixadmin" DB (enter any password you like in the 'password' section)
mysql> create database postfixadmin character set utf8 collate utf8_bin;
Query OK, 1 row affected (0.00 sec)
# a dedicated account with rights on this database only, reachable from localhost only
mysql> grant all privileges on postfixadmin.* to postfixadmin@'localhost' identified by 'password';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye

[2]

Install PostfixAdmin (download the latest version).

[root@mail ~]# yum -y install php-mysql php-imap
[root@mail ~]# wget http://ftp.jaist.ac.jp/pub/sourceforge/p/po/postfixadmin/postfixadmin/postfixadmin-2.3.5/postfixadmin-2.3.5.tar.gz
[root@mail ~]# tar zxvf postfixadmin-2.3.5.tar.gz
[root@mail ~]# mv postfixadmin-2.3.5 /var/www/html/postfixadmin
[root@mail ~]# vi /var/www/html/postfixadmin/config.inc.php
# line 26: change
$CONF['configured'] = true;
# line 31: change after the web setup (paste the hash generated in step [5])
$CONF['setup_password'] = 'xxxxxxxxxx';
# line 43: change
$CONF['default_language'] = 'ja';
# line 51,52,53: change to the DB info for postfixadmin
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'password';
$CONF['database_name'] = 'postfixadmin';

config.inc.php holds the database password in clear text, so make sure PHP is enabled for this directory (the file must be executed, never served as text) and keep it readable only by root and the httpd user.

[root@mail ~]# vi /etc/httpd/conf.d/postfixadmin.conf
# create new (Apache 2.2 syntax, as shipped with CentOS 6)
<Directory /var/www/html/postfixadmin/>
    Order Deny,Allow
    Deny from all
    # IP addresses you permit
    Allow from 127.0.0.1 10.0.0.0/24
</Directory>

[root@mail ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

[3]

Access "http://(your server's hostname or IP address)/postfixadmin/setup.php". The following screen is shown; click "Lost password?" at the lower right.

[4]

Enter a setup password.

[5]

Put the generated hash into the config file (back to [2]). Next, enter the setup password, an email address and an admin password, and click the "Add Admin" button.

[6]

The admin user is added and the initial setup is complete. Since anyone who can reach setup.php and knows the setup password can add further admins, keep the page unreachable from now on: delete it or deny access to it in the httpd configuration.

[7]

Access "http://(your server's hostname or IP address)/postfixadmin/login.php". The login screen is shown as follows; log in with the admin user you added.

[8]

Logged in. Postfix can now be managed from here.

 

Install Mailgraph to view a summary of the mail log as graphs.

[1]

[root@mail ~]# yum --enablerepo=epel -y install mailgraph
# install from EPEL
[root@mail ~]# vi /etc/httpd/conf.d/mailgraph.conf
Alias /mailgraph /usr/share/mailgraph
AddHandler cgi-script .cgi
<Directory /usr/share/mailgraph/>
    AllowOverride None
    Options +ExecCGI
    DirectoryIndex mailgraph.cgi
    Order Deny,Allow
    Deny from all
    # IP addresses you allow
    Allow from 127.0.0.1 10.0.0.0/24
</Directory>

[root@mail ~]# /etc/rc.d/init.d/mailgraph start
Starting mailgraph:                                        [  OK  ]
[root@mail ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@mail ~]# chkconfig mailgraph on

[2]

Access 'http://(your server's name or IP address)/mailgraph/' with a web browser. The following screen is shown and you can check the mail log summary. The graphs reveal how much mail the server handles and rejects, which is why access is limited to the LAN above.


Posted by Infoaddict

Filed under: Centos, mail