OpenBSD 3.4 email server
OpenBSD 3.4, Postfix, Procmail, Courier-Imap, Mutt, Pop/Imap before SMTP authentication
Introduction
This document is written for configuring an OpenBSD 3.4-based mail server; however, there is no reason it should not apply to versions as old as OpenBSD 3.0 or to something newer.
Install src
-
If you have an OpenBSD CD, untar src.tar.gz from it into /usr/src. If you're grabbing the sources from the FTP site, you want both src.tar.gz and srcsys.tar.gz.
Upgrade to -stable
-
Even OpenBSD can have security updates, so be sure to update to the -stable branch of the release you're working with. To update OpenBSD 3.1, change the _3_4 to _3_1.
# export CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
# cd /usr
# cvs -q up -rOPENBSD_3_4 -P src
To update this tree later, simply run:
# cd /usr/src; cvs -q up -rOPENBSD_3_4 -Pd
Rebuild system from stable source
Rebuild Kernel
# cd /usr/src/sys/arch/i386/conf
# /usr/sbin/config GENERIC
# cd /usr/src/sys/arch/i386/compile/GENERIC
# make clean && make depend && make
# cd /usr/src/sys/arch/i386/compile/GENERIC
# cp /bsd /bsd.old (Save an old copy of your kernel)
# cp bsd /bsd (Copy the new kernel into place)
# reboot
Rebuild userland programs
# cd /usr/src
# rm -r /usr/obj/*
# make obj && make build
Reboot the machine. At this point it's safe to connect it to the internet.
Install ports tree, upgrade to stable
# export CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
# cd /usr
# tar -xvzf /path/to/ports.tar.gz
# cvs -q up -rOPENBSD_3_4 ports
Postfix Install
# cd /usr/ports/mail/postfix
Optionally, edit Makefile and comment out all the SUBDIR+= lines except for: SUBDIR+= stable,pcre,tls
# make install
edit /etc/rc.conf
-
Comment out line:
#sendmail_flags="-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"
and add:
sendmail_flags="-bd -q30m"
edit root crontab (# crontab -e )
-
Comment out line:
#*/30 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q
edit /etc/postfix/main.cf
-
Set the following fields:
mydomain = your domain here
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, $mydomain
home_mailbox = .maildir/
# NOTE: the trailing / is important
# mailbox_command = /usr/local/bin/procmail
Leave mailbox_command commented out for now. After procmail is configured it will be uncommented.
Run postfix
# postfix check
# postfix start
At this point, send a test message to a local user. The user's mail directory should be created as $HOME/.maildir, along with the subdirectories new, cur and tmp, with the new mail being in new.
Mutt Install
-
This makes it easier for us to test the mail system while setting up the server.
# cd /usr/ports/mail/mutt
edit Makefile
-
comment out:
# SUBDIR += snapshot
Then build and install Mutt, and change to its configuration directory:
# make install
# cd /etc/Mutt
edit Muttrc
-
Set the following settings:
set mbox_type=Maildir
set folder=~/.maildir
set spoolfile=~/.maildir/
This allows Mutt to read Maildir format mailboxes.
Procmail Install
-
A small change needs to be made to the authenticate.c source file to make procmail work with Maildir-type mailboxes by default.
# cd /usr/ports/mail/procmail
# make fetch extract
# cd /usr/ports/mail/procmail/w-procmail-3.22/procmail-3.22/src
edit authenticate.c
-
change line:
#define MAILSPOOLDIR "/var/spool/mail/"
to:
#define MAILSPOOLDIR ""
change line:
#define MAILSPOOLHOME "/.mail"
to:
#define MAILSPOOLHOME "/.maildir"
Compile and install procmail:
# make install
edit /etc/procmailrc
add line at top of file:
DEFAULT=$HOME/.maildir/
edit /etc/postfix/main.cf
-
Uncomment the line:
mailbox_command = /usr/local/bin/procmail
reload postfix
# postfix reload
Again, send another test message at this point to make sure that procmail is now delivering the mail correctly to the user's .maildir mailbox.
Courier-Imap Install
# cd /usr/ports/mail/courier-imap
# make install
# cd /etc; mkdir courier-imap
# cd courier-imap; cp /usr/local/share/examples/courier-imap/* .
Edit imapd.cnf
Configure the file for your server
# mkimapdcert
This reads imapd.cnf and creates an imap ssl certificate in /etc/ssl/private/imapd.pem
Edit authdaemond.conf
Set:
AUTHDAEMOND="authdaemond.plain"
Edit imapd
Set at the end of the file:
MAILDIR=.maildir
IMAPDSTART=YES
Startup Courier-IMAP:
# /usr/local/libexec/authlib/authdaemond start
# /usr/local/libexec/imapd.rc start
# /usr/local/libexec/imapd-ssl.rc start
You might want to put the above into a shell script you can call from /etc/rc.local for startup.
At this point you should be able to test out imap access with your favorite mail client.
Pop-before-smtp
-
If this machine is going to allow remote users to connect and use the mail system, we don't want to have an open relay, so we'll set up pop/imap before smtp authentication so that only valid users who have an account and check their email are able to send mail.
Grab pop-before-smtp from its website: http://popbsmtp.sourceforge.net/ and untar into a temp directory like /usr/local/src/pop-before-smtp
edit pop-before-smtp-conf.pl
uncomment the line under: # Override the DB hash file we will create/update (".db" gets appended).
$dbfile = '/etc/postfix/pop-before-smtp';
uncomment:
$logto = '/var/log/pop-before-smtp';
change the line under: # Set the log file we will watch for pop3d/imapd records. to read:
$file_tail{'name'} = '/var/log/maillog';
uncomment the line under: # For Courier-POP3 and Courier-IMAP:
$pat = '^(... .. ..:..:..) \S+ (?:courier)?(?:pop3|imap)(?:login|d|d-ssl): ' .
'LOGIN, user=\S+, ip=\[[:f]*(\d+\.\d+\.\d+\.\d+)\]$';
comment out the lines to tell it to use NDBM database:
#=pod #------------------------ Postfix NDBM_File ---------------------START-
#=cut #------------------------ Postfix NDBM_File -----------------------END-
# cp pop-before-smtp-conf.pl /etc
# cp pop-before-smtp.init /etc
# cp pop-before-smtp /usr/sbin
Start pop-before-smtp
# /etc/pop-before-smtp.init start
You should see a list of IP addresses etc. in /var/log/pop-before-smtp from your imap tests. You should also have a database file in /etc/postfix/pop-before-smtp.db
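If /var/log/pop-before-smtp stays empty, the usual cause is that the Courier lines in maillog do not have the shape $pat expects. The following added example (not part of pop-before-smtp or of the original page) applies an ERE translation of that pattern to constructed log lines; the function names and sample entries are assumptions.

```shell
#!/bin/sh
# Added example. ERE translation of the Courier $pat from
# pop-before-smtp-conf.pl (\S -> [^[:space:]], \d -> [0-9], [:f] -> [f:]).
PAT='^... .. ..:..:.. [^[:space:]]+ (courier)?(pop3|imap)(login|d|d-ssl): LOGIN, user=[^[:space:]]+, ip=\[[f:]*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]$'

# Read a maillog on stdin; print each client IP the pattern captures, once.
courier_login_ips() {
    sed -nE "s/$PAT/\\4/p" | sort -u
}

# Read a maillog on stdin; print successful LOGIN lines the pattern misses.
# Any output here means those logins never reach the relay database.
missed_logins() {
    grep -E '(pop3|imap)[^ ]*: LOGIN, ' | grep -Ev "$PAT"
}

# Constructed sample entries (documentation address ranges, made-up users).
sample_maillog() {
    cat <<'EOF'
Mar  3 10:15:02 mail imapd: LOGIN, user=alice, ip=[192.0.2.10]
Mar  3 10:16:40 mail imapd-ssl: LOGIN, user=bob, ip=[::ffff:198.51.100.7]
Mar  3 10:17:05 mail imapd: LOGIN FAILED, ip=[203.0.113.9]
Mar  3 10:18:11 mail postfix/smtpd[4121]: connect from unknown[203.0.113.9]
Mar  3 10:19:30 mail pop3d: LOGOUT, user=alice, ip=[192.0.2.10], top=0, retr=0
Mar  3 10:20:00 mail imapd: LOGIN, user=carol, ip=[192.0.2.44], port=[51234]
Mar  3 10:21:12 mail imapd: LOGIN, user=alice, ip=[192.0.2.10]
EOF
}

echo "IPs the pattern would authorize:"
sample_maillog | courier_login_ips
echo "LOGIN lines the pattern does not match:"
sample_maillog | missed_logins
```

On a live server, feed the real log instead: `courier_login_ips < /var/log/maillog`.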
Setup Postfix for pop-before-smtp authentication
edit /etc/postfix/main.cf
Add the following line:
smtpd_recipient_restrictions = permit_mynetworks,reject_non_fqdn_recipient,check_client_access hash:/etc/postfix/pop-before-smtp,check_relay_domains
Reload postfix settings:
# postfix reload
You should be able to verify that postfix will now refuse to accept mail from remote (non local network) connections without logging in via imap or pop3 first.
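Postfix tries the restrictions from left to right and the first one that permits or rejects decides the outcome. The following added example is a simplified model of that walk for the line above, not Postfix's own code; the addresses, the example.org domain and the table contents are constructed, and check_relay_domains is reduced to a local-recipient test.

```shell
#!/bin/sh
# Added example: simplified model of the smtpd_recipient_restrictions line.
RESTRICTIONS="permit_mynetworks reject_non_fqdn_recipient check_client_access check_relay_domains"
MYNETWORKS_PREFIX="192.0.2."   # constructed: local network 192.0.2.0/24
LOCAL_DOMAIN="example.org"     # constructed: stands in for $mydomain
POPAUTH_IPS="198.51.100.7"     # constructed: IPs recorded in pop-before-smtp.db

# decide CLIENT_IP RECIPIENT -> prints "PERMIT by <rule>" or "REJECT by <rule>"
decide() {
    ip=$1
    rcpt=$2
    for r in $RESTRICTIONS; do
        case $r in
        permit_mynetworks)          # local clients may always relay
            case $ip in
                "$MYNETWORKS_PREFIX"*) echo "PERMIT by $r"; return 0 ;;
            esac ;;
        reject_non_fqdn_recipient)  # recipient must look like user@host.domain
            case $rcpt in
                *@*.*) ;;
                *) echo "REJECT by $r"; return 0 ;;
            esac ;;
        check_client_access)        # table lookup keyed on the client IP
            for ok in $POPAUTH_IPS; do
                if [ "$ok" = "$ip" ]; then echo "PERMIT by $r"; return 0; fi
            done ;;
        check_relay_domains)        # simplified: only local recipients pass
            case $rcpt in
                *@"$LOCAL_DOMAIN") echo "PERMIT by $r" ;;
                *) echo "REJECT by $r" ;;
            esac
            return 0 ;;
        esac
    done
    echo "PERMIT by default"
}

decide 203.0.113.9 friend@elsewhere.example    # remote client, no login yet
decide 198.51.100.7 friend@elsewhere.example   # remote client after IMAP login
decide 203.0.113.9 alice@example.org           # inbound mail for a local user
```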
Spamassassin
-
Another great tool for configuring email is SpamAssassin, which is a Perl script that can be used to identify and control incoming spam.
The SpamAssassin website can be found at: http://spamassassin.sourceforge.net/
SpamAssassin requires the HTML-Parser Perl module as a prerequisite, so we'll start there.
# cd /usr/ports/www/p5-HTML-Parser
# make install
Now on to the SpamAssassin install:
# mkdir -p /usr/local/src
# cd /usr/local/src
# tar -xvzf /path/to/downloaded/Mail-SpamAssassin-2.41.tar.gz
# cd Mail-SpamAssassin-2.41
# perl Makefile.PL
# make
# make install
Let's test the install:
# spamassassin -t < sample-nonspam.txt > nonspam.out
# spamassassin -t < sample-spam.txt > spam.out
This runs SpamAssassin in test mode. By reading the spam.out and nonspam.out files you can see what it does to each mail message.
At this point SpamAssassin is ready to be set up in procmail. You can either set it up system-wide or, as in my case, on a user-by-user basis.
Setup spamassassin for your mail account:
# cd ~
create directory to store spam in
# maildirmake -f Spam .maildir
This creates a maildir folder inside your ~/.maildir called .Spam
edit .procmailrc
-
Add the following lines:
:0fw
| spamassassin -P

:0:
* ^X-Spam-Status: Yes
$HOME/.maildir/.Spam/
Now simply kick back and watch most if not all of your incoming spam get tagged and redirected into your new imap folder Spam.

