Anyway, a howto from a noob (:P) for noobs (:D). My request: if you find errors, have suggestions for improvement etc., please ask!
Why did I write this howto? I couldn't find a decent one that is also current (Debian 4.0 etch). I also really wanted a minimal system, since I was somewhat shocked by the >100MB RAM usage of xmail(server.org) (and I no longer have that much RAM on my new VPS ;))
By the way: although it is fairly complete (copy & paste work), I have said hardly anything about the individual steps. Most of it should hopefully be self-explanatory to a "moderate Debian user". BUT: I have always added the URLs of the docs where I got the information from, or where you can look it up yourself if needed (1-2 docs are still missing, but they will follow in the next few days)
HOWTO: SMTP / POP3 WITH DEBIAN 4.0
==========================================================================================
SMTP SERVER (postfix) + POP3 SERVER (teapop) + SASL AUTH (cyrus sasl)
..........................................................................................
disclaimer: I am not responsible for any damage at all! Please always do a
local installation first before adapting it on a production server. This
howto is meant to be a REAL light-weight solution without any
losses in security. Therefore there is neither a *sneaky* web
administration interface nor is user data stored via MySQL (=heavy-weight!)
system: debian etch (4.0)
[test hw: AMD Athlon 1GHz, 512MB RAM, 4GB HDD]
info: # => shell command
: => active (uncommented) config line (use accordingly)
; => inactive (commented) config line
changelines: {DOMAIN}, {USER}
license: (by-nc-sa): guwapo AT thedoghouse DOT bz
http://creativecommons.org/licenses/by-nc-sa/3.0/
last update (@#): 08.05.2007 0.1
==========================================================================================
(A) BASIC POSTFIX (SMTPD) INSTALLATION
------------------------------------------------------------------------------------------
docs:
- http://www.sonicresolutions.com/tech/howto_postfix_vmpop3d.html
- http://www.postfix.org/postconf.5.html
1) Install postfix via apt-get
# apt-get install postfix (in the debconf dialog: ok -> Internet Site -> yourdomain.com)
2) Add the folder + user/group structure needed for a virtual host environment
# groupadd -g 1100 vmail && useradd -u 1100 -s /bin/false -d /dev/null -g vmail vmail
# mkdir /var/spool/virtual
Add per hosted domain a directory:
# mkdir /var/spool/virtual/{DOMAIN}
# chown -R vmail:vmail /var/spool/virtual && chmod -R 775 /var/spool/virtual
3) make a basic postfix config
# nano /etc/postfix/main.cf
; alias_maps ...
; alias_database ...
: mydestination =
: virtual_mailbox_base = /var/spool/virtual
: virtual_mailbox_maps = hash:/etc/postfix/vmailbox
: virtual_mailbox_domains = hash:/etc/postfix/vmaildomains
: virtual_uid_maps = static:1100
: virtual_gid_maps = static:1100
: virtual_minimum_uid = 1100
4) create virtualtables + hash them
# cd /etc/postfix
# nano vmaildomains
(as it is a hash table, each line needs two values. the second value is ignored)
: {DOMAIN} placeholder
: {DOMAIN2} placeholder
.
.
# nano vmailbox
(below some useful examples)
: example@{DOMAIN} {DOMAIN}/{USER}
: {USER}@{DOMAIN} {DOMAIN}/{USER2}
: @{DOMAIN} {DOMAIN}/catchall
.
.
now hash the tables:
# postmap vmaildomains && postmap vmailbox
5) restart postfix and check for errors (/var/log/mail*)
# /etc/init.d/postfix restart
Now you have a good and very light-weight smtpd running. Postfix is very secure by default.
Only IPs listed under the config directive "mynetworks" are allowed to relay emails, so the php
function "mail()" will work, but spammers won't be able to use your server for spamming.
Open a telnet connection to your server and send a test email. Check if the email arrives
correctly:
telnet 192.168.2.125 25
HELO TEST
MAIL FROM:iam@top.com
RCPT TO:existinguser@{DOMAIN}
DATA
blablabla
blablabla
.
QUIT
Check whether the message was delivered correctly (cat /var/spool/virtual/{DOMAIN}/{USER});
if not, check /var/log/mail*
------------------------------------------------------------------------------------------
(B) TEAPOP INSTALLATION (POP3)
------------------------------------------------------------------------------------------
docs:
- http://www.toontown.org/teapop/
1) install teapop via apt-get
# apt-get install teapop ( -> no)
2) set teapop to run as standalone daemon
# nano /etc/default/teapop
: RUNMODE=standalone
3) create virtual folder + access structure
# mkdir /etc/teapop/virtual && mkdir /etc/teapop/virtual/{DOMAIN}
# nano /etc/teapop/virtual/{DOMAIN}/passwd
one entry per line: username (the same as the virtual mailbox destination) and an htpasswd-compatible password hash
: {USER}:{PASSWORD}
# chmod -R 775 /etc/teapop/virtual && chown -R vmail:vmail /etc/teapop/virtual
4) give teapop the info where to fetch the passwords from
# nano /etc/teapop/teapop.passwd
(please read the manual!)
: {DOMAIN}:*:htpasswd:/var/spool/virtual/{DOMAIN}:0:1100:1100:/etc/teapop/virtual/{DOMAIN}/passwd:5:
5) (re)start teapop
# /etc/init.d/teapop start
Teapop is a very robust, fast & stable POP3 server. I tried (gnu) pop3d and vm-pop3d
but encountered many problems due to RFC compliance, bugs, and big problems with file
locking.
Test teapop with telnet, and in case of errors check the /var/log/mail* logs:
telnet 192.168.2.125 110
USER existinguser@{DOMAIN}
PASS xxxxx
LIST
QUIT
------------------------------------------------------------------------------------------
(C) CYRUS SASL (SMTP AUTH)
------------------------------------------------------------------------------------------
docs:
- http://silicon-verl.de/home/flo/software/postfixsasl.html
- http://www.postfix.org/postconf.5.html
- http://www.postfix.org/SASL_README.html
1) what we need...
# apt-get install sasl2-bin libsasl2-modules
2) enable sasl support via postfix config
# nano /etc/postfix/main.cf
: smtpd_sasl_auth_enable = yes
: smtpd_recipient_restrictions =
: permit_mynetworks
: permit_sasl_authenticated
: reject_unauth_destination
: smtpd_sasl_authenticated_header = yes
: broken_sasl_auth_clients = yes
: smtpd_sasl_path = smtpd
: smtpd_sasl_local_domain = $myhostname
3) create the sasl config
# nano /etc/postfix/sasl/smtpd.conf
: pwcheck_method: auxprop
: auxprop_plugin: sasldb
: mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
4) maintain the sasldb
# saslpasswd2 -c -u `postconf -h myhostname` {USER}
(# sasldblistusers2 <-- list current sasldb)
the next steps are important as postfix runs in a chrooted environment
# cp /etc/sasldb2 /var/spool/postfix/etc
# chmod 640 /var/spool/postfix/etc/sasldb2 && chown postfix:postfix /var/spool/postfix/etc/sasldb2
5) restart & test
# /etc/init.d/postfix restart
use telnet to test:
telnet 192.168.2.125 25
EHLO test
.
.
AUTH PLAIN {AUTHCODE}*
* {AUTHCODE} is the base64 encoding of "\0username\0password". Generate it with
http://www.fourmilab.ch/webtools/base64/ or on the shell:
printf "\0%s\0%s" username password | base64
------------------------------------------------------------------------------------------
(D) "HARDENING"
------------------------------------------------------------------------------------------
docs
- http://www.postfix-howto.de/konfiguration/index.htm
- http://www.postfix.org/postconf.5.html
1) keep spam away (at least what is possible without additional software)
# nano /etc/postfix/main.cf
: smtpd_recipient_restrictions =
: permit_sasl_authenticated
: permit_mynetworks
: reject_unauth_destination
: reject_non_fqdn_recipient
: smtpd_helo_restrictions =
: permit_sasl_authenticated
: permit_mynetworks
: reject_invalid_helo_hostname
: reject_non_fqdn_helo_hostname
: smtpd_sender_restrictions =
: permit_sasl_authenticated
: permit_mynetworks
: reject_non_fqdn_sender
: smtpd_client_restrictions =
: permit_sasl_authenticated
: permit_mynetworks
: reject_rbl_client bl.spamcop.net
: reject_rbl_client cbl.abuseat.org
# /etc/init.d/postfix restart
Check your server for open doors (open relay test):
http://www.antispam-ufrj.pads.ufrj.br/test-relay.html
http://www.dnsstuff.com
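Added example, not part of the original howto: a small Python script that reads the /var/log/mail* lines the restrictions above produce, tallies rejections per restriction, and flags clients with repeated SMTP AUTH failures (a sign that someone is guessing sasldb passwords). The log lines are constructed samples in Postfix's smtpd log format, and the threshold of three failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample of /var/log/mail.log lines (not from a real server); hosts use documentation ranges.
SAMPLE_LOG = """\
May  8 10:01:12 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; from=<a@example.org> to=<user@example.com> proto=ESMTP helo=<mail.example.org>
May  8 10:02:30 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.5]: 554 5.7.1 <someone@elsewhere.example>: Relay access denied; from=<x@example.net> to=<someone@elsewhere.example> proto=ESMTP helo=<mail.example.net>
May  8 10:03:02 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 504 5.5.2 <spamhost>: Helo command rejected: need fully-qualified hostname; from=<b@example.org> to=<user@example.com> proto=SMTP helo=<spamhost>
May  8 10:04:44 mx postfix/smtpd[2103]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
May  8 10:04:45 mx postfix/smtpd[2103]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
May  8 10:04:46 mx postfix/smtpd[2103]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
"""

# smtpd reject lines: "... RCPT from host[ip]: 554 5.7.1 <reason>; from=<...> ..."
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: \d{3} \S+ (?P<msg>.*?); from=<")
# smtpd warning written once per failed SMTP AUTH attempt
SASL_RE = re.compile(r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \S+ authentication failed")

def classify_reject(msg):
    """Map the reject text to the main.cf restriction that most likely fired."""
    rbl = re.search(r"blocked using (\S+)", msg)
    if rbl:
        return "reject_rbl_client " + rbl.group(1)
    if "Relay access denied" in msg:
        return "reject_unauth_destination (relay attempt)"
    if "Helo command rejected" in msg:
        return "smtpd_helo_restrictions"
    if "Sender address rejected" in msg:
        return "reject_non_fqdn_sender"
    return "other reject"

def summarize(log_text):
    """Return (rejects per restriction, SASL failures per client IP) for a log excerpt."""
    rejects, sasl_failures = Counter(), Counter()
    for line in log_text.splitlines():
        if (m := REJECT_RE.search(line)):
            rejects[classify_reject(m.group("msg"))] += 1
        elif (m := SASL_RE.search(line)):
            sasl_failures[m.group("ip")] += 1
    return rejects, sasl_failures

def brute_force_suspects(sasl_failures, threshold=3):
    """Client IPs with at least `threshold` failed AUTH attempts (threshold is an assumed value)."""
    return sorted(ip for ip, n in sasl_failures.items() if n >= threshold)

if __name__ == "__main__":
    rejects, sasl = summarize(SAMPLE_LOG)
    for reason, n in rejects.most_common():
        print(f"{n:4d}  {reason}")
    print("repeated AUTH failures from:", brute_force_suspects(sasl))
```

To run it against the real log, replace SAMPLE_LOG with the contents of /var/log/mail.log (e.g. `open("/var/log/mail.log").read()`).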
------------------------------------------------------------------------------------------
(F) AFTERMATH / CONCLUSION
------------------------------------------------------------------------------------------
Everything is working? Congratulations! You now have a complete and secure SMTP + POP3
server. It even includes basic anti-spam filtering which should block at least 30% (in
my case) of the spam before it reaches you. It is still advisable to run your own
anti-spam software locally, as in a "virtual environment" others surely have a different
definition of spam than you.
This is just a very simple and lightweight solution. On my system it only consumed 30MB,
compared to the >100MB xmail(server.net) needed before. If you have enough RAM on your server,
you could install an apache/lighttpd + php/perl/etc environment and even build a web interface
for managing the accounts.
==========================================================================================