Postfixadmin / PostgreSQL / Courier / Squirrelmail / SpamAssassin / ClamAV on Debian Etch (Howto/Tutorial)
What?
This is a quick guide to installing Postfixadmin on a Debian Linux (Etch/4.0) server. I've done a similar guide on this before, but it's getting dated; hence this new one.
This guide also covers installing ClamAV to scan incoming mail for viruses.
If you follow this guide through you should end up with a mail server which can support virtual domains and users, and can be administered through a web browser. Domain specific 'stuff' can be delegated to other administrators if you so wish.
The mail server in question (for a customer of mine) also has Squirrelmail installed, so I've bundled that in too. For historical reasons, the server uses PostgreSQL (rather than MySQL) for its backend database.
PostfixAdmin is the web based front end through which users and administrators interact with the configuration of the server. Using it you can easily add domains/users/aliases etc to a mail server. It also supports vacation / autoreply messages.
Commercial Plug
Pale Purple provide and support Linux mail servers based on a similar configuration. So, if you need a support contract, or more functionality....
Install Debian
No surprise there... I installed Etch via netboot, and ended up with a fairly minimal setup. You'll probably do it a different way. I told it to install as a 'mail server' and a 'web server'. The 'mail server' option was probably a mistake as it installs uw-imapd and exim, neither of which I wanted/needed.
You probably want to install openssh-server and molly-guard :)
Postfix
apt-get install postfix postfix-pgsql
(Or postfix-mysql if you're going to use that instead)
I selected the Internet Site configuration when asked to pick a configuration.
/etc/apt/sources.list
In order to have slightly more recent versions of a few packages (PHP5, ClamAV and PostgreSQL mainly), I added the following into my /etc/apt/sources.list file :
deb http://packages.dotdeb.org stable all
deb http://www.mirrorservice.org/sites/backports.org/ etch-backports main contrib non-free
deb http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free
Install PostgreSQL
I installed PostgreSQL 8.2 from backports.org ...
apt-get install -t etch-backports postgresql-8.2
(Note: there is no requirement on using v8.2, but I'm under the impression that it's faster than previous versions). I'd suggest you use at least v8.1 (in Etch) from a maintenance point of view.
Install PHP5
I always install the suhosin extension to PHP in the hope it will provide extra security. APC (Alternative PHP Cache) is also installed in the expectation it will improve performance.
apt-get install php5 libapache2-mod-php5 php5-pgsql php5-suhosin php5-apc php-pear
(The above packages nearly all come from dotdeb.org)
Install Postfixadmin
Although I have created a .deb for Postfixadmin, at the time of writing v2.2.0 hasn't been released, so I install Postfixadmin from SVN. Hopefully, we'll release version 2.2.0 of Postfixadmin sometime soon, and you will want to see this page to download it.
cd /var/www
svn co https://postfixadmin.svn.sourceforge.net/svnroot/postfixadmin/trunk postfixadmin
If you now hit http://your.server/postfixadmin you should see a slightly useful 'welcome' screen; follow the link through to the 'setup.php' page, and you should get some sort of instant gratification that at least something works :) (although some of the checks will fail)
Setting up PostgreSQL (or MySQL)
As postfixadmin stores all of its configuration within a database, we need to set up the database before we can do much further. You may find that phppgadmin or phpmyadmin help with this.
Basically - create a user (e.g. 'postfix') and a database (e.g. 'postfix'). The user should own the database. Ensure there's a password set on the user.
If security is a concern, you should probably have a user that is 'read-only' which is used by postfix (as it only ever queries the DB) while postfixadmin will need a read-write user account.
If you're using PostgreSQL, the following shows what I typed in from a shell (all lines containing a $ or #) on the server when logged in as root:
mail:~# su - postgres
postgres@mail:~$ psql template1
Welcome to psql 8.2.4, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit
template1=# CREATE USER postfix WITH PASSWORD 'complexpassword';
CREATE ROLE
template1=# CREATE DATABASE postfix WITH OWNER postfix ENCODING 'UNICODE';
CREATE DATABASE
template1=# \q
If, like me, you are useless at picking passwords, try using pwgen
Load the Postfixadmin Database Schema into your database
As of subversion revision 328, the setup.php script should automatically create the database structure for you. If you are using an older version of PostfixAdmin you'll need to do the following :
cd /var/www/postfixadmin
psql -U postfix -h localhost postfix < DATABASE_PGSQL.TXT
This may spew out a few errors about roles that don't exist, but it should work
Configuration of Postfixadmin
Edit /var/www/postfixadmin/config.inc.php in your favourite editor (vi[m]).
- Change
$CONF['configured'] = false;
to
$CONF['configured'] = true;
- Change
$CONF['postfix_admin_url'] = '';
to
$CONF['postfix_admin_url'] = 'http://your.server/postfixadmin';
- Change
$CONF['database_type'] = 'mysql';
to pgsql (assuming you want PostgreSQL!)
- Change the other database parameters to match what you used above.
You'll want to change other parameters, but they're not normally essential
Postfixadmin
Once your config.inc.php file has the right database credentials, and you refresh http://your.server/postfixadmin/setup.php, you should see some output indicating that the database tables have been created, and also see a dialog box to create the superadmin account. You should treat these details a bit like the 'root' password for a Unix server. This user will be able to add/remove/edit any domains/users/aliases etc.
Anyway, choose an admin account, this could be (for example) it@your.domain
Submitting this form, successfully, should result in the page giving you a message like 'Admin has been added!'
Delete setup.php (rm setup.php or mv setup.php setup.php.blah)
Configuring Postfix
This always seems to be the bit that causes others trouble....
New configuration files
In my world, the following go in /etc/postfix/pgsql
You'll need to change the xxxxxx's to appropriate values
relay-domains.cf
(Who we relay mail for (as a backup mx))
user = postfix
password = xxxxxxx
dbname = postfix
hosts = localhost
query = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = true
virtual-alias-maps.cf
(Think: /etc/aliases or similar)
user = postfix
password = xxxxxxxx
dbname = postfix
hosts = localhost
query = SELECT goto FROM alias WHERE address='%s' AND active = true
virtual-domains.cf
(Domains we accept mail for...)
user = postfix
password = xxxxxxxx
dbname = postfix
hosts = localhost
query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = false AND active = true
virtual-mailbox-limit-maps.cf
(Only used if you're checking quota etc)
user = postfix
password = xxxxxxx
hosts = localhost
dbname = postfix
query = SELECT quota FROM mailbox WHERE username = '%s'
virtual-mailbox-maps.cf
(What mailboxes exist that we can deliver to)
user = postfix
password = xxxxxxxx
dbname = postfix
hosts = localhost
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = true
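Every map file above stores a database password and only ever runs a SELECT, which is what makes the read-only account suggested in the database section practical. The shell script below is an added example, not part of the original guide: it derives the grants from the queries themselves and flags map files that still log in as the read-write account or are world-readable. The role name postfix_ro and the sample files are assumptions.

```sh
#!/bin/sh
# Added example (not from the guide). postfix_ro is a hypothetical role name.

# Print the table named after FROM in every "query =" line, one per line, unique.
# Covers the single-table SELECTs this guide uses, not joins or subqueries.
map_tables() {
    sed -n 's/^[[:space:]]*query[[:space:]]*=.*[[:space:]][Ff][Rr][Oo][Mm][[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\).*$/\1/p' \
        "$1"/*.cf | sort -u
}

# Emit SQL that gives role $2 nothing beyond SELECT on those tables.
# No password here: set it in psql with \password so it stays out of scripts.
readonly_role_sql() {
    echo "CREATE ROLE $2 LOGIN;"
    for tbl in $(map_tables "$1"); do
        echo "GRANT SELECT ON $tbl TO $2;"
    done
}

# Report map files in $1 that log in as the read-write account $2, or that
# any local user can read (each file holds a password in clear text).
map_findings() {
    for f in "$1"/*.cf; do
        u=$(sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*//p' "$f")
        if [ "$u" = "$2" ]; then echo "$f: logs in as read-write account $2"; fi
        if [ -n "$(find "$f" -perm -004)" ]; then echo "$f: world-readable"; fi
    done
    return 0
}

# Write one map file: $1 = path, $2 = database user, $3 = query.
write_map() {
    printf '%s\n' "user = $2" 'password = PLACEHOLDER' 'dbname = postfix' \
        'hosts = localhost' "query = $3" > "$1"
}

# Constructed sample: four of the guide's map files with a placeholder password.
# $1 = directory to create, $2 = database user to write into the files.
make_sample_maps() {
    mkdir -p "$1"
    write_map "$1/relay-domains.cf" "$2" \
        "SELECT domain FROM domain WHERE domain = '%s' AND backupmx = true"
    write_map "$1/virtual-alias-maps.cf" "$2" \
        "SELECT goto FROM alias WHERE address='%s' AND active = true"
    write_map "$1/virtual-domains.cf" "$2" \
        "SELECT domain FROM domain WHERE domain='%s' AND backupmx = false AND active = true"
    write_map "$1/virtual-mailbox-maps.cf" "$2" \
        "SELECT maildir FROM mailbox WHERE username='%s' AND active = true"
}

# Demo on the constructed sample; on a real server pass /etc/postfix/pgsql.
demo_dir=$(mktemp -d)
make_sample_maps "$demo_dir/maps" postfix
readonly_role_sql "$demo_dir/maps" postfix_ro
map_findings "$demo_dir/maps" postfix
rm -rf "$demo_dir"
```

The generated statements are meant to be run in psql as the owner of the tables; afterwards the map files can use the new account, with ownership root:postfix and mode 0640.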
main.cf changes
Add in the following :
# All virtual mailboxes live somewhere in here ..
virtual_mailbox_base = /var/mail/vmail
# The (virtual) domains we accept mail for
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql/virtual-domains.cf
# Lookup mailbox location, uid and gid based on email address received.
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql/virtual-mailbox-maps.cf
virtual_uid_maps = static:101
virtual_gid_maps = static:101
virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql/virtual-alias-maps.cf
relay_domains = proxy:pgsql:/etc/postfix/pgsql/relay-domains.cf
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
chown 101 /var/mail/vmail
Postfix SMTP Auth Support
If your users are likely to be trying to send mail through your mail server when they are not on a trusted network, you'll need to add this to /etc/postfix/main.cf
smtpd_sasl_authenticated_header = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
And in /etc/postfix/sasl/smtpd.conf put the following :
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
log_level: 3
mech_list: PLAIN LOGIN
(As you can see, we'll be using SASL as a backend for authentication)
SASL
Thankfully the SASL package works a bit better under Etch than it did under Sarge/etc.
apt-get install sasl2-bin
Edit /etc/default/saslauthd so it has :
MECHANISMS="rimap"
THREADS=5
OPTIONS="-r -c -O localhost -m /var/spool/postfix/var/run/saslauthd"
You'll need to mkdir -p /var/spool/postfix/var/run/saslauthd before SASL will start
(One day, I might change to use the pam_sql module; as this would remove unnecessary IMAP logins... )
Courier
apt-get install courier-authdaemon courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-authlib-postgresql
Configuring Courier's authdaemon
You'll need to edit /etc/courier/authpgsqlrc (or authmysqlrc if using MySQL)
PGSQL_HOST localhost
PGSQL_PORT 5432
PGSQL_USERNAME postfix
PGSQL_PASSWORD something
PGSQL_DATABASE postfix
PGSQL_USER_TABLE mailbox
PGSQL_CRYPT_PWFIELD password
PGSQL_UID_FIELD '101'
PGSQL_GID_FIELD '101'
PGSQL_LOGIN_FIELD username
PGSQL_HOME_FIELD '/var/mail/vmail'
PGSQL_NAME_FIELD name
PGSQL_MAILDIR_FIELD maildir
PGSQL_QUOTA_FIELD quota
And also edit /etc/courier/authdaemonrc, and set authmodulelist="authpgsql" (or authmysql if you're using MySQL)
If you now create a user in a test domain on postfixadmin, you should be able to connect to your mail server successfully, and receive mail
Basic Testing (pop3)
Assuming you've created a domain, and a user within that domain from Postfixadmin, you should be able to do something like the following :
mail:~# tail -f /var/log/mail.log &
mail:~# echo 'test email' | mail test@my.domain
mail:~# Dec 6 22:31:56 mail postfix/pickup[11888]: A811A2B10063: uid=0 from=<root>
Dec 6 22:31:56 mail postfix/cleanup[11897]: A811A2B10063: message-id=<20071206223156.A811A2B10063@mail.my.domain>
Dec 6 22:31:56 mail postfix/qmgr[11889]: A811A2B10063: from=<root>, size=297, nrcpt=1 (queue active)
Dec 6 22:31:56 mail postfix/virtual[11902]: A811A2B10063: to=<test@my.domain>, relay=virtual, delay=0.11, delays=0.05/0.04/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
Dec 6 22:31:56 mail postfix/qmgr[11889]: A811A2B10063: removed
Additionally, if you now look in /var/mail/vmail, you should see a folder called 'test@my.domain'. No guesses should be needed to figure out what this contains!
Squirrelmail
Squirrelmail is a mature web based mail client. It's been around for some time now, and thankfully plugins exist for a number of additional "features". As your author patched up the squirrelmail postfixadmin plugin, he's going to take a small amount of time to plug it.
- apt-get install squirrelmail
- wget http://squirrelmail-postfixadmin.palepurple.co.uk/files/squirrelmail-postfixadmin_2.1.0-1_all.deb
- dpkg -i squirrelmail-postfixadmin_2.1.0-1_all.deb
- Edit /etc/squirrelmail/plugins/postfixadmin-config.php - use the same settings from Postfixadmin
- pear install MDB2
- pear install MDB2#pgsql (or MDB2#mysql)
- Run squirrelmail-configure and enable the Postfixadmin plugin
Squirrelmail should be accessible at http://your.server/squirrelmail by default.
ClamAV
This is easiest to integrate via Amavis. You should get ClamAV from dotdeb.org, or Debian volatile via apt-get. Relying on the 'default' clamav shipped with etch is probably not a good idea (and ClamAV will also moan when it tries to update its definitions list).
apt-get install amavisd-new clamav spamassassin
You'll want to edit
/etc/amavis/50-user
In my case, it looks a bit like :
use strict;
#
# Place your configuration directives here. They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
chomp($myhostname = `hostname`);
$forward_method = 'smtp:127.0.0.1:10025';
# Where to submit notifications
$notify_method = $forward_method;
# Net::Server Pre-forking settings; note max_servers should match Postfix's master.cf..
$max_servers = 5;
$max_requests = 10;
$child_timeout = 5*60; # abort child if it takes longer than x seconds to complete.
# MTA specific settings...
$relayhost_is_client = 0;
$insert_received_line = 1;
$inet_socket_bind = '127.0.0.50';
@inet_acl = qw ( 127.0.0.0/8 );
# How we handle viruses and spam; options being discard, bounce or pass.
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_BOUNCE;
# Headers..
$X_HEADER_TAG = 'X-Virus-Scanned';
$X_HEADER_LINE = "by Amavis+SpamAssassin+ClamAV and more at $mydomain";
$remove_existing_x_scanned_headers = 1;
$remove_existing_spam_headers = 1;
$sa_tag_level_deflt = -99.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = 5.0; # triggers spam evasive actions
$recipient_delimiter = '+';
$replace_existing_extension = 1;
$localpart_is_case_sensitive = 0;
# SpamAssassin settings
$sa_timeout = 30;
$sa_auto_whitelist = 1;
$sa_local_tests_only = 0;
$sa_spam_modifies_subj = 1;
$sa_spam_subject_tag = '*** SPAM *** ';
$sa_spam_report_header = 1;
$first_infected_stops_scan = 1;
$sa_debug = 1;
$DO_SYSLOG = 0;
$SYSLOG_LEVEL = 'mail.info';
$LOGFILE = "/var/log/amavis.log";
@local_domains_acl = ('.');
#------------ Do not modify anything below this line -------------
1; # insure a defined return
The above configures Amavis to :
- Scan and label Spam for all mail that goes through the server (And not just for some specified domains - see @local_domains_acl)
- Forward scanned mail to 127.0.0.1:10025 for delivery by Postfix
- Listen for mail (from Postfix) on 127.0.0.50
- Discard Viruses
- Remove any existing anti-virus tags etc (as these will be from some.other.system)
- If SpamAssassin scores more than 5.0, then rewrite the subject etc
Some notes:
- SpamAssassin does not need to run via the SpamC/SpamD mechanism - Amavis handles this all internally
- Amavis appears to ignore most, if not all, settings you would otherwise set for SpamAssassin in e.g. /etc/spamassassin/local.cf
- When I initially started using Amavis it seemed to be a bit clueless when it came to listening and delivering on the same IP address. Perhaps I did something wrong, but nevertheless, this is why it listens on a different IP address (127.0.0.50) to the one it delivers to (127.0.0.1). You don't need to do anything to setup 127.0.0.50 on a Linux box.
Amavis / Postfix Integration
- Edit /etc/postfix/master.cf
amavis unix - - - - 5 smtp
  -o smtp_data_done_timeout=5000
  -o smtp_send_xforward_command=yes
  -o receive_override_options=no_address_mappings
# change or remove the existing smtp definition.
smtp inet n - - - 12 smtpd
  -o content_filter=amavis:[127.0.0.50]:10024
# where mail is re-injected back in by Amavis after it's
# done its stuff.
127.0.0.1:10025 inet n - - - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_address_mappings
Then reload Postfix, make sure Amavis and ClamAV are running (/etc/init.d/amavis start or /etc/init.d/clamav-daemon ) and it should work.
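The hand-off only works when both sides agree on addresses: the content_filter in master.cf must point at the address Amavis binds, and Amavis's $forward_method must match an smtpd listener in master.cf. The script below is an added example, not part of the original guide, that cross-checks the two files; the file paths are arguments and the sample files are constructed from the settings shown above.

```sh
#!/bin/sh
# Added example (not from the guide): cross-check the Postfix <-> Amavis
# hand-off addresses. The port in content_filter is not compared, because the
# guide's Amavis config does not set one.

q="'"   # a single quote, for matching Perl string literals

# IP that Postfix sends unscanned mail to (content_filter=name:[ip]:port).
filter_ip() {
    sed -n 's/^[[:space:]]*-o[[:space:]]*content_filter=[^:]*:\[\([0-9.]*\)\]:[0-9]*.*/\1/p' "$1"
}
# IP that Amavis binds to ($inet_socket_bind).
amavis_bind_ip() {
    sed -n "s/^[[:space:]]*[\$]inet_socket_bind[[:space:]]*=[[:space:]]*$q\([0-9.]*\)$q.*/\1/p" "$1"
}
# host:port Amavis hands scanned mail back to ($forward_method = 'smtp:host:port').
amavis_forward() {
    sed -n "s/^[[:space:]]*[\$]forward_method[[:space:]]*=[[:space:]]*${q}smtp:\([0-9.:]*\)$q.*/\1/p" "$1"
}
# host:port pairs on which master.cf starts an smtpd listener.
smtpd_listeners() {
    sed -n 's/^\([0-9.]*:[0-9]*\)[[:space:]]\{1,\}inet[[:space:]].*[[:space:]]smtpd[[:space:]]*$/\1/p' "$1"
}

# $1 = master.cf, $2 = Amavis config. Prints one line per mismatch and
# nothing when both directions line up.
check_handoff() {
    fip=$(filter_ip "$1"); bip=$(amavis_bind_ip "$2"); fwd=$(amavis_forward "$2")
    if [ "$fip" != "$bip" ]; then
        echo "Postfix filters via ${fip:-<unset>} but Amavis binds ${bip:-<unset>}"
    fi
    if ! smtpd_listeners "$1" | grep -qxF "$fwd"; then
        echo "Amavis forwards to ${fwd:-<unset>} but master.cf has no smtpd there"
    fi
    # The re-injection listener drops most restrictions, so keep it on loopback.
    case $fwd in
        ''|127.*) ;;
        *) echo "re-injection target $fwd is not a loopback address" ;;
    esac
    return 0
}

# Constructed sample files: $1 = directory, $2 = address Amavis forwards to.
make_sample_handoff() {
    mkdir -p "$1"
    cat > "$1/master.cf" <<'EOF'
smtp inet n - - - 12 smtpd
  -o content_filter=amavis:[127.0.0.50]:10024
127.0.0.1:10025 inet n - - - - smtpd
  -o mynetworks=127.0.0.0/8
EOF
    cat > "$1/50-user" <<EOF
\$forward_method = 'smtp:$2';
\$inet_socket_bind = '127.0.0.50';
EOF
}

d=$(mktemp -d)
make_sample_handoff "$d" 127.0.0.1:10025
check_handoff "$d/master.cf" "$d/50-user"   # consistent sample: no findings
rm -rf "$d"
```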
antivirus and antispam control
Have you written a complementary howto to integrate antivirus and antispam control?
antispam/antivirus
Hi,
No I haven't; but there are many tutorials "out there" which can guide you in the right direction.
David.
updated...
Hi,
I've added in 'stuff' on how to integrate ClamAV + Amavis + SpamAssassin
thanks!
you helped me a lot!
but for the many not-so-experienced users out there (like me...) you shouldn't forget to tell them to restart apache after installation of the php modules...
thanks
there is an error regarding UID 101 / 1001 ...must be the same everywhere
UID / GID error
Maybe they are already in use on your system by another user / group? Those are not set in stone. You can set whatever UID/GID you like, so long as you alter the rest of the config files to match.
-J
Thanks for tutorial! but
Thanks for tutorial!
but when trying to integrate amavis + clamav + spamassassin, I got this error when trying to receive or send email from the server:
Apr 8 11:58:59 mailsrv postfix/qmgr[16246]: warning: connect to transport custom_filter: No such file or directory
ah, that's because i was chaining content filters
Hi,
I've updated the docs above, essentially I had a stray '-o content_filter=custom_filter' when it [custom_filter] wasn't defined anywhere.
Thanks
David.
amavis issues
Hi,
I've noticed that Amavis can create too many files in /var/lib/amavis/tmp and /var/lib/amavis/virusmails ....
If this is the case you'll see messages like :
Apr 8 13:24:05 youserver /usr/sbin/amavisd-new[5539]: (05539-01) TROUBLE in process_request: Can't create directory /var/lib/amavis/tmp/amavis-20080408T132405-05539: Too many links at /usr/sbin/amavisd-new line 4032, line 4.
This indicates (no surprise) that you've got a directory with too many entries in it (or you've run out of inodes (unlikely)).
The solution is easy enough...
find /var/lib/amavis/tmp -type f -name '*spamassassin*' -print | xargs rm -Rf
find /var/lib/amavis/virusmails -type f -name '*.gz' -print | xargs rm -Rf
(Or change your config files to not store the quarantined files)
(I have a feeling the tmp/.spamassassin* files are erroneous, and should be cleaned up by SpamAssassin)
MySQL & Sockets
With mysql you might have problems connecting to the db via sockets if you're in a chrooted environment. Therefore you should use "hosts = 127.0.0.1" instead of "hosts = localhost" to force connection via tcp. See also http://www.postfix.org/mysql_table.5.html (Parameter "hosts").
SASL error message
if you for some reason get error message:
warning: xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms
run:
apt-get install libsasl2-modules
it worked for me
I'm running into problems
I'm running into problems somewhere ... I don't know really if I should change sth or not in the part about creating the files at /etc/postfix/pgsql
And I think that is the cause of all my problems right now.
There's another thing I think you should say: when editing /var/www/postfixadmin/config.inc.php users should also change the username and psw. I know this sounds stupid and I didn't have any problems with this, but an inexperienced user will have headaches with this.
There's one last thing, what if you want to have multiple domains? ... what should I change etc. I have no idea.
Thanks for this nice and complete guide.
Hi there, to begin with,
Hi there, to begin with, thanks for this guide.
I would like to say that there are some parts that are not clear enough (for me at least). The intention of this is to make this guide better, I'm not trying to steal you credit or tell you how you should make things.
---------------------
When you edit /var/www/postfixadmin/config.inc.php while configuring postfix, the user should fill in the username, password and database name.
svn is not installed by default in some installations, for example, installing a network version of debian.
While creating the files at /etc/postfix/pgsql it's not clear enough (for me at least) what should be changed or not.
I finished up at the Basic Testing (pop3) part with warnings and errors.
One idea that appears in my head, is that all the things that a user should change or write or anything could be between <<>> for example, or anything else.
Another thing that appears in my head, is what if you want to add more domains, what would you need to edit, change, whatever to have more domains. I get lost at creating the files at /etc/postfix/pgsql.
-----------------------------
Despite that, it's one of the most complete guides I saw out there.
Thanks again, and sorry if I hurt your feelings. Mail me if you want to.
Great
Hi, I welcome all feedback - as long as it's not spammy or too offensive, in which case it never gets published :)
I was mistaken
Well David, I started this guide again, from zero, and ... it went fine, with almost everything (explained below), I think I was mistyping or doing sth stupid round there, maybe because of how sleepy I was.
Now, everything was working beautifully ... installed everything except the Squirrel, and rebooted the machine, checked mail through Out.Exps using the same admin user created to test.
But, after creating more accounts through the Postfix Admin interface, using the same domain or not, it gives me an error.
(I'm sure it's not because of the domain)
mail courierpop3login: Connection, ip=[::ffff:192.168.1.122]
mail courierpop3login: chdir name@domain.com/: No such file or directory
Went to the /var/mail/vmail/ and find that there was only the admin folder. It seems it's not creating the folder for the user.
I think this happened after installing the Amavis/SpamAssassin/ClamAv.
Can't see where is the bug. And I'm tired, so no more for today. =)
ah - the classic postfixadmin bug report
Hi,
You need to tell 'it' to send an email to the user when creating a mailbox. Postfixadmin (itself) doesn't have permission to create files within the mail directory. But by sending a welcome message to the user, Postfix creates the mail directory, and everything works.
I am wondering if the option of sending a 'welcome' email should no longer be an option, and instead become mandatory.
About the welcome mail
Well ... after I saw that the folder wasn't created, I went to the postfix admin webpage and sent a welcome mail.
Nothing happened. I'm testing this in a VM, so, I'll tell you tomorrow (if I can) what happens before installing Amavis/ClamAv/SpamAssassin and after.
If you want me to test sth in particular, tell me. I think you can see my mail address from my posts, mail me if you want.
check the directories
Hi,
Look in /var/log/mail.log - was an email sent to the account, or did it get bounced with an error message?
Look in /var/mail/vmail (or wherever) - does the user's mail directory exist? If not, try 'echo "hello" | mail user@the.domain' in a shell, and see if that shows up in mail.log.
thanks
David.
Checked log
Hi
well ... I've tried two ways of the welcome mail. Through command line and through postfixadmin.
Through command line I get this
mail postfix/virtual[2368]: 18621A8531: to=, relay=virtual, delay=0.6, delays=0.3/0.12/0/0.18, dsn=2.0.0, status=sent (delivered to maildir)
And the directory is created.
Through postfixadmin I get this
mail postfix/qmgr[2188]: 3AFBBA852C: to=, relay=none, delay=0.09, delays=0.07/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.50[127.0.0.50]: Connection refused)
And of course, the directory isn't created.
So, to check my thoughts ... went to /etc/postfix/master.cf and commented the added parts and restored the original smtpd line.
Then went to postfixadmin and sent again a mail to the mailbox that had no directory created. The directory was created.
I think it might be an option of amavis or sth like that. =)
and thank you.
Leo.
amavis to blame!
it looks like your amavis isn't listening on 127.0.0.50....
check /etc/amavis/conf.d/50_user.cf contains "$inet_socket_bind = '127.0.0.50';" and is running.
Discovery
David ... I'm really sorry to say this, but in the guide, in the ClamAv section you put that we should edit /etc/amavis/50-user .... when it is /etc/amavis/conf.d/50_user.cf
I edited the file, etc. But I checked if amavis was running, to my surprise, no. So I tried to start it, and it gives me this error
Starting amavisd: The value of variable $myhostname is "mail", but should have been
a fully qualified domain name; perhaps uname(3) did not provide such.
You must explicitly assign a FQDN of this host to variable $myhostname
in amavisd.conf, or fix what uname(3) provides as a host's network name!
(failed).
What amavis says is correct, my hostname is mail and the domain is what goes after @ ...
So I changed the domain in 50_user.cf to my domain ... as 'mail.mydomain.com' and it worked. =D
I don't really know if I should name my machine in other way, what do you think ?
The definitive solution
The definitive solution is to change this line
chomp($myhostname = '127.0.0.1');
And that's all. =D
Thanks David for everything.
Compressed files
If users want to scan for virus inside compressed files, you may want to run this
apt-get install bzip2 cabextract arj arc zoo lzop tnef pax unrar-free
It installs support for almost all compressed files.
David, thanks for this guide again.