Month: November 2007

A CentOS 5 Virtual Mail Server using Postfix, Dovecot, and MySQL

Enable the centosplus repository

# vi /etc/yum.repos.d/CentOS-Base.repo

Under the [centosplus] section, change enabled=0 to enabled=1. The centosplus repository has an RPM with Postfix+MySQL support.

Remove Sendmail

# yum erase sendmail

Make sure that apache and MySQL are installed and running

# yum install dovecot httpd postfix mysql-server php php-mysql php-mbstring

I like to edit /etc/my.cnf first, and make mysql listen just on localhost by adding this to the top [mysqld] section:

bind=127.0.0.1

Then start up apache and mysql

# /etc/init.d/httpd start
# /etc/init.d/mysqld start
# chkconfig httpd on
# chkconfig mysqld on

If you don’t have a root password for mysql, you should do that now:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h <YOUR_IP_ADDRESS> password 'new-password'

Install postfixadmin

Postfixadmin is a pretty simple web-based frontend for managing your mail domains and accounts (Screenshots)

Download and extract it
You may want to check The download page to make sure you are getting the latest version

cd /usr/local/src
wget http://superb-west.dl.sourceforge.net/sourceforge/postfixadmin/postfixadmin-2.2.0.tgz
tar -xvzf postfixadmin-2.2.0.tgz

Move it into the DocumentRoot

mv postfixadmin-2.2.0 /var/www/html/mailadmin

Alternatively, you can check out the code from the subversion repository:

# svn co https://postfixadmin.svn.sourceforge.net/svnroot/postfixadmin/tags/postfixadmin-2.2.0 .

Create a database user
Run the following mysql commands:

CREATE DATABASE postfix;
GRANT ALL on postfix.* to 'postfix'@'localhost' IDENTIFIED BY 'password';

Create the config file

cp config.inc.php.sample config.inc.php
replace "change-this-to-your.domain.tld" "<YOURDOMAIN.TLD>" -- config.inc.php

Now edit config.inc.php and make these changes to the defaults:

configured:	true
postfix_admin_url:	http://YOUR_IP_ADDRESS/mailadmin/
postfix_admin_path:	/var/www/html/mailadmin/
database_user:	postfix (change it from postfixadmin)
database_password:	Make up a random password. You’ll need it in several config files, so be ready to copy/paste it often
encrypt:	cleartext – The needs to be clear text for SMTP Authentication to work
page_size:	25
default_aliases	Remove the hostmaster line
The next two settings will put your mail accounts directories in the format of /home/vmail/<DOMAIN>/<USERNAME>
domain_path:	YES
domain_in_mailbox:	NO
aliases:	25
mailboxes:	25
quota:	100

Create the Database
Hit http://YOUR_IP_ADDRESS/mailadmin/setup.php in your web browser. This will verify that your system meets the requirements, set up the database tables, and allow you to create an administrator account.

Remove setup.php
This file bypasses all authentication and can be used to create a new administrator, so it is extermely important that you delete it! Postfixadmin requires that setup.php doesn’t exist before allowing you to log in. I noticed, however, that the instructions say to rename it to setup.php.disabled, and I was able to hit setup.php.disabled in my browser and it still worked! Better to be safe and wipe it out completely rather than renaming it.

cd /var/www/mailadmin
rm setup.php

Check your setup
Now hit postfixadmin in your web browser:

http://YOUR_IP_ADDRESS/mailadmin/

You should be able to log in using the administrator account you created in the last step.

Configuring Postfix

Now that we have postfixadmin installed and saving all of our mail account information to the database, we need to tell postfix how to access that database

cd /etc/postfix

Edit main.cf
Change inet_interfaces to this so that the server listens on the public IP address:

inet_interfaces = $myhostname, localhost

And add this to the bottom:

virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:89
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 89
virtual_transport = virtual
virtual_uid_maps = static:89

broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_hostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous

Create /etc/postfix/mysql_virtual_alias_maps.cf with this content:

user        = postfix
password    = <YOUR_DATABASE_PASSWORD_HERE>
hosts       = localhost
dbname      = postfix
query       = SELECT goto FROM alias WHERE address = '%s'

Create /etc/postfix/mysql_virtual_mailbox_domains.cf with this content:

user        = postfix
password    = <YOUR_DATABASE_PASSWORD_HERE>
hosts       = localhost
dbname      = postfix
query       = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = '0' AND active = '1'

Create /etc/postfix/mysql_virtual_mailbox_maps.cf with this content:

user        = postfix
password    = <YOUR_DATABASE_PASSWORD_HERE>
hosts       = localhost
dbname      = postfix
query       = SELECT maildir FROM mailbox WHERE username = '%s'

SMTP Authentication with SASL

SMTP Authentication will allow you to use this mail server as your outgoing mail server. The password is required so that spammers aren’t able to relay mail through it

Install some packages that this will require

yum install cyrus-sasl cyrus-sasl-sql

Edit your smtpd.conf file and replace it with these contents. The location of smtpd.conf is probably /usr/lib/sasl2/smtpd.conf on 32-bit systems or /usr/lib64/sasl2/smtpd.conf on 64-bit systems. Other distros might put this in /etc/sasl2/ or /etc/postfix/sasl/.

pwcheck_method: auxprop
mech_list:      PLAIN LOGIN
auxprop_plugin: sql
sql_verbose:    yes
sql_engine:     mysql
sql_hostnames:  localhost
sql_user:       postfix
sql_passwd:     <YOUR_DATABASE_PASSWORD_HERE>
sql_database:   postfix
sql_select:     SELECT password FROM mailbox WHERE username = '%u@%r'

Configure TLS

TLS/SSL encryption is useful when using this server as an outgoing mail server. Basic SMTP authentication transmits your username and password in a Base64 encoded string which is easy to intercept and decode. If the session is encrypted, that will prevent the possibility that somebody may be able to sniff your password. It also encrypts the contents of mail that you send, so it adds an extra layer of protection if you are using unencrypted (or poorly encrypted) wifi or something where your traffic is easily captured.

In this example, we will create a self-signed certificate that expires in 10 years. The first time your mail client sees this certificate, it will warn you that it isn’t signed by a recognized certificate authority. You can usually tell your mail client to accept the certificate, and it will trust it from then on.

First we have to create some certificates. In the following steps replace <YOURDOMAIN.TLD> with the exact name that you want the certificate to be for. (ie mail.yourdomain.com).

Create a private key

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl
openssl genrsa -out <YOURDOMAIN.TLD>.key 1024

Create the certificate request. Answer the questions appropriately.

[root@www ssl]# openssl req -new -key <YOURDOMAIN.TLD>.key -out <YOURDOMAIN.TLD>.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:<YOUR_COUNTRY>
State or Province Name (full name) [Berkshire]:<YOUR_STATE>
Locality Name (eg, city) [Newbury]:<YOUR_CITY>
Organization Name (eg, company) [My Company Ltd]:<YOUR_COMPANY>
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:<YOURDOMAIN.TLD>
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the certificate yourself. If you are running a server that will be accessible to other users, you may want to purchase a commercially signed SSL certificate to avoid having your users get a warning that the certificate isn’t signed by a recognized certificate authority.

# openssl x509 -req -days 3650 -in <YOURDOMAIN.TLD>.csr  -signkey <YOURDOMAIN.TLD>.key  -out <YOURDOMAIN.TLD>.crt
Signature ok
subject=/C=US/ST=State/L=City/O=CompanyName/CN=<YOURDOMAIN.TLD>
Getting Private key

And create a cacert.pem. Answer the questions the same way as above. This certificate does require a password, so make sure you document that somewhere if you ever need it again.

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Now, tell postfix about the certificates by adding this to the bottom of /etc/postfix/main.cf:

## Enable TLS
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/<YOUR.DOMAIN.TLD>.key
smtpd_tls_cert_file = /etc/postfix/ssl/<YOUR.DOMAIN.TLD>.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

And tell postfix to listen on the SMTP Submission port (587), and the SMTP/SSL port (465). Edit /etc/postfix/master.cf and uncomment these respective lines:

## Enable SMTP on port 587 only for authenticated/TLS clients
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

## Enable SMTP on port 465 only for authenticated/SSL clients
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

File Permissions
Make it so that postfix can write to the directory where all mail will be delivered

mkdir -p /home/vmail
chown postfix:postfix /home/vmail
chmod 770 /home/vmail

Restart postfix, and it should be ready to accept mail

/etc/init.d/postfix restart

If you get an error about the mysql dictionary not being supported, try to remove then reinstall postfix (make a copy of your config files first). I believe this happens when you install postfix prior to enabling the centosplus repository.

Install and Configure Dovecot

Install it from yum. This RPM was compiled with MySQL support

yum install dovecot

Create /etc/dovecot-mysql.conf with this content

driver              = mysql
connect             = host=127.0.0.1 dbname=postfix user=postfix password=<YOUR_DATABASE_PASSWORD>
default_pass_scheme = PLAIN
password_query      = SELECT password FROM mailbox WHERE username = '%u'
user_query          = SELECT maildir, 89 AS uid, 89 AS gid FROM mailbox WHERE username = '%u'

And now edit the main dovecot configuration file in /etc/dovecot.conf, and tell it to use the /etc/dovecot.mysql.conf file for the auth and password databases.

Under the ‘auth default’ section, uncomment the passdb sql section so that it looks like this (Line 831 in a default dovecot.conf file):

  passdb sql {ldelim}
    # Path for SQL configuration file, see doc/dovecot-sql.conf for example
    args =  /etc/dovecot-mysql.conf
  {rdelim}

And same thing with the userdb sql section on line 885:

  userdb sql {ldelim}
    # Path for SQL configuration file, see doc/dovecot-sql.conf for example
    args = /etc/dovecot-mysql.conf
  {rdelim}

If you want to use SSL/TLS for your incoming mail, you can configure dovecot to use the same certificates as postfix:

ssl_cert_file = /etc/postfix/ssl/<YOUR.DOMAIN.TLD>.crt
ssl_key_file = /etc/postfix/ssl/<YOUR.DOMAIN.TLD>.key
ssl_ca_file = /etc/postfix/ssl/cacert.pem

And add this to the bottom of the file (still in /etc/dovecot.conf):

first_valid_uid = 89
mail_location = maildir:/home/vmail/%d/%n

Finally, list the protocols/ports that you want to listen on (still in /etc/dovecot.conf). Here are what ports each protocol is on:

Cleartext protocols:	POP3(110), IMAP(143) (both can do TLS)
Encrypted protocols:	POP3/SSL(993) and IMAP/SSL(995)

protocols = imap imaps pop3 pop3s

Now start up dovecot

/etc/init.d/dovecot start

Testing Everything

Here are some things you should test to ensure that everything is working correctly

Postfix Tests

All of these can be tested through a telnet session or with OpenSSL

• Send mail from an external host and an external account to a valid account
• Send mail from an external host and an external account to an invalid account (make sure it fails)
• Send mail from an external host from aa valid account to an external account (without authentication) and make sure it fails
• Authenticate with SMTP Authentication, make sure you can send to an external domain

  (Use my SMTP authtool to get your encoded password)

• Send mail from localhost, everything should be accepted
• Test SMTP with TLS

openssl -starttls smtp s_client -connect <YOUR_IP_ADDRESS>:587

• Test SMTP over SSL

openssl s_client -connect <YOUR_IP_ADDRESS>:465

Dovecot Tests

All of these can be tested through a telnet session or with OpenSSL

• Test a simple POP3 session
• Test a simple IMAP session
• Test both of those with TLS

openssl -starttls pop3 s_client -connect <YOUR_IP_ADDRESS>:110

• Test both of those with SSL

openssl s_client -connect <YOUR_IP_ADDRESS>:993

Sample Sessions

Here is a basic SMTP Session through telnet

[root@host ~]# telnet <YOUR_IP_ADDRESS> 25
Trying 22.33.44.55...
Connected to mail.yourdomain.com (22.33.44.55).
Escape character is '^]'.
220 mail.yourdomain.com ESMTP Postfix
ehlo my.host.name.com
250-mail.yourdomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<[email protected]>
250 2.1.0 Ok
rcpt to:<[email protected]>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject:test

test
.
250 2.0.0 Ok: queued as EC2273130099
quit
221 2.0.0 Bye
Connection closed by foreign host.

Sample POP3 Session:

[root@host ~]# telnet <YOUR_IP_ADDRESS> 110
Trying 22.33.44.55...
Connected to mail.yourdomain.com (22.33.44.55).
Escape character is '^]'.
+OK Dovecot ready.
user [email protected]
+OK
pass password
+OK Logged in.
list
+OK 4 messages:
1 551
2 541
3 530
4 505
.
quit
+OK Logging out.

Troubleshooting

• Both postfix and dovecot log to /var/log/maillog. Often, they tell you exactly what is long if you know where to look.
• If troubleshooting postfix lookups, you can use postmap directly:

[root@mail postfix]# postmap -q [email protected] mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
somedomain.com/someuser

• Turn on debugging for the smtpd process by adding a ‘-v’ in /etc/postfix/master.cf:

smtp      inet  n       -       n       -       500       smtpd -v

The HTTP TRACE Method is a debugging tool in Apache that just echo’s back what was sent to it. Attackers could potentially use this to trick a browser into revealing cookies or other request details from the domain with HTTP TRACE enabled. See https://www.apacheweek.com/issues/03-01-24#news for more info

Here is a sample HTTP TRACE session through telnet

[root@wwwa ~]# telnet 11.22.33.44 80
Trying 11.22.33.44...
Connected to mywebsite.com (11.22.33.44).
Escape character is '^]'.
TRACE / HTTP/1.1
Host: www.mywebsite.com
X-Header: testing

HTTP/1.1 200 OK
Date: Thu, 29 Nov 2007 15:25:59 GMT
Server: Apache/2.2.6 (Unix)
Transfer-Encoding: chunked
Content-Type: message/http

42
TRACE / HTTP/1.1
Host: www.mywebsite.com
X-Header: testing

Disabling this is easy enough. Just add this to your Apache configuration:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* https://www.campusbooks.com/ [R]

I had a few users who have been using my bcSpamBlock WordPress plugin for blocking spam tell me that it also completely blocks trackbacks. Thanks to their input and specifically wlx who sent me a patch to have it skip validation on trackbacks and pingbacks.

I modified the WordPress component of the code so that it doesn’t check for the cryptographic signature for trackbacks, but instead makes sure that the remote host is the webserver for the site that it says it is. If that check passes, it also retrieves the page and verifies that it contains a link to your own blog.

I’ve updated the plugin and it is available for download on the bcSpamBlock wordpress page

I now have a bunch of email accounts each with their own IMAP folders.   It has been terribly annoying that they always show up in the order in which the accounts were added and there is no way to sort them.   I finally came across a Thunderbird plugin called ‘Folderpane Tools‘ which allows you to change the order of the accounts.

It still isn’t ideal.  Any changes have to be done through the little plugins window and require Thunderbird to be restarted.  Oh well, I guess its better than nothing.

I’ve had a couple customers in the past month or so run into a problem where they were trying to run a simple Perl script, but kept getting HTTP 500 errors (Internal Server Error) despite double checking through their code, and simplifying it down to almost nothing. One had spent half a day troubleshooting a seemingly simple error. Apache would log something like this:

[Sat Nov 03 22:46:57 2007] [error] [client 11.22.33.44] (2)No such file or directory: exec of '/var/www/cgi-bin/hello.pl' failed
[Sat Nov 03 22:46:57 2007] [error] [client 11.22.33.44] Premature end of script headers: hello.pl

By time they contacted me, they were so frustrated, that it is hard to tell them how easy the fix is. In both cases, the users had created the files on a Windows machine and then uploaded them to a Linux server. Many windows applications happen to save text files in a slightly different format than Linux does. Specifically, windows uses the two characters CR and LF (Carriage Return, and Line Feed), where Linux simply uses just a LF.

Carriage Return is the ASCII character 13, and is also recognized as ‘\r’, or ‘^M’. The Line Feed character is ASCII code 10, and represented as ‘\n’, or ‘^J’.

An attempt to run this same ‘hello.pl’ script via a command line results in:

[root@host cgi-bin]# ./hello.pl
: bad interpreter: No such file or directory

To fix, simply convert the file to a Unix text file format. Your text editor may have an option to save the file in a Unix format. If you are stuck with the editor you have, you can use the ‘dos2unix‘ command which is available on pretty much any Linux box.

[root@host cgi-bin]# dos2unix hello.pl
dos2unix: converting file hello.pl to UNIX format ...

And now your script will magically work (You did remember to add the content-type header, right):

[root@flickerworks cgi-bin]# ./hello.pl
Content-type: text/html

Hello World