Friday, November 2, 2007

Full Mail Server Solution w/ Virtual Domains & Users (Debian Etch, Postfix, Mysql, Dovecot, DSpam, ClamAV, Postgrey, RBL)






Full Mail Server Solution w/ Virtual Domains & Users
(Debian Etch, Postfix, MySQL, DoveCot, DSpam, ClamAV, Postgrey, RBL)


This tutorial is Copyright (c) 2007 by Justin Refice. It is derived from various guides and original material, listed at the end of the document. You are free to use this tutorial under the Creative Commons license 2.5 or any later version.


I. Introduction


This guide describes how to set up a full email solution on Debian Linux (all code is from Debian Etch). I was asked to design a secure, scalable, portable solution for a small company. While the guide references many 'servers', the company only had 4 physical machines; Xen was used to virtualize the entire solution. That particular aspect of the system is not discussed in this guide, although I will try to get it into the next revision.


Just a note on the server names used below: if a host doesn't need to be reached from the internet, don't let it be. Domain names ending in internal.example.com are internal NICs/IP addresses; there is no way to access them directly from the internet, nor should there be. Any server that ONLY has an internal.example.com domain name is a purely internal server and can't be reached directly from the internet. All non-internal servers have two NICs (these can be two real NICs, or virtual ones). The first NIC has access to the internet and is strictly firewalled. The second NIC has access to the internal network and, as a result, has somewhat less restrictive filtering. The details of how to set up these NICs are outside the scope of this document, but I may update it to include them in the future.


The general layout of the servers is:

Primary MX:
    NIC1 = Insecure/Internet = mx-1.example.com
    NIC2 = Secure/Intranet  = mx-1.internal.example.com
    MTA: Postfix
    Greylist Filter: Postgrey

Secondary MX:
    NIC1 = Insecure/Internet = mx-2.example.com
    NIC2 = Secure/Intranet  = mx-2.internal.example.com
    MTA: Postfix
    Greylist Filter: Postgrey

SMTP+TLS & IMAPS:
    NIC1 = Insecure/Internet = secure-mail.example.com
    NIC2 = Secure/Intranet  = secure-mail.internal.example.com
    MTA: Postfix (+TLS/SSL)
    IMAP: Dovecot (IMAPS)

Mail Delivery Server: postman.internal.example.com
    MTA (LMTP): DSPAM
    Antivirus: ClamAV
    IMAP: Dovecot

Database Server: sql-1.internal.example.com
    MySQL

File Server: files-1.internal.example.com
    NFS

Temporary Build Server: build.internal.example.com
    <Various Tools>


Mail works in the following way:

Internet mail to your domains:

 1. Mail comes in to the Primary or Secondary MX on port 25.
 2. The MX queries the MySQL server to see if the recipient and destination domain are valid:
    a. Recipient is unauthorized - mail is rejected (550 error).
    b. Recipient is authorized - mail is allowed to continue.
 3. The MX checks the greylist policy:
    a. This is the first delivery attempt for this message - mail is temporarily rejected (retry).
    b. This is not the first attempt - mail is allowed to continue.
 4. The MX checks for quota violations:
    a. The user's quota is full - mail is bounced.
    b. The user has room - mail is delivered.
 5. The MX sends the mail to the Internal Delivery Server (via LMTP).
 6. The Internal Delivery Server checks for viruses and SPAM:
    a. It is SPAM - the mail is marked as SPAM and handed to the LDA for delivery.
    b. It is a virus - mail is rejected.
    c. It is neither SPAM nor a virus - mail is handed to the LDA.
 7. The LDA delivers the mail:
    a. The mail is marked as SPAM - delivered to the "SPAM" directory in the Maildir.
    b. The mail is not marked as SPAM - delivered to the inbox.

Internet mail from your domains:

 1. The user initiates a connection to the SMTP Relay on port 25.
 2. The SMTP Relay offers TLS:
    a. The user does not use TLS - mail is rejected.
    b. The user does use TLS - the session is allowed to continue.
 3. The SMTP Relay offers AUTH (PLAIN):
    a. The user does not authenticate, or authentication fails - mail is rejected.
    b. The user authenticates - the session completes as usual.

Remote users access mail via IMAPS (Secure IMAP).

Local users access mail via IMAP.

If a user detects a false positive SPAM detection, they forward the email to "ham-<username>@<domain>.<tld>".

If a user detects a false negative SPAM detection, they forward the email to "spam-<username>@<domain>.<tld>".
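The inbound decision path above, modelled in Python as an added example that is not part of the original guide. The MySQL recipient lookup, the Postgrey-style greylist and the quota check are simulated with in-memory stand-ins (the MAILBOXES table and the Greylist class are constructed for this example, as are the names mx_decision and delivery_decision); the point is to show how the greylist triplet and the delay window turn a first attempt into a retry and a later attempt into an accept, and how the content scan decides the delivery folder.

```python
"""Simulation of the MX and delivery-server decisions described in the guide.

Added example: the data structures here stand in for the virtual_mail
database, Postgrey's greylist store and the DSPAM/ClamAV scan result.
"""

# Postgrey's default initial delay, in seconds (constructed constant for this model)
GREYLIST_DELAY = 300

# Constructed stand-in for the recipient/quota rows in the virtual_mail database.
MAILBOXES = {
    "alice@example.com": {"quota": 1000, "used": 200},
    "bob@example.com": {"quota": 1000, "used": 1000},
}


class Greylist:
    """Postgrey-style greylist keyed on the (client IP, sender, recipient) triplet.

    The first time a triplet is seen it is recorded and the message is deferred;
    once the triplet is older than the delay the message is let through.
    """

    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.seen = {}  # triplet -> timestamp of first attempt

    def check(self, client_ip, sender, recipient, now):
        key = (client_ip, sender.lower(), recipient.lower())
        first_seen = self.seen.setdefault(key, now)
        # Still inside the delay window: ask the sending MTA to retry (450).
        return now - first_seen >= self.delay


def mx_decision(msg, greylist, now):
    """Return the MX outcome for a message: 'reject', 'retry', 'bounce' or 'accept'.

    msg is a dict with keys client_ip, from, rcpt and size; now is a timestamp.
    The order mirrors steps 2-4 of the guide: recipient lookup, greylist, quota.
    """
    box = MAILBOXES.get(msg["rcpt"].lower())
    if box is None:
        return "reject"      # step 2a: unknown recipient, 550 error
    if not greylist.check(msg["client_ip"], msg["from"], msg["rcpt"], now):
        return "retry"       # step 3a: first attempt, temporary rejection
    if box["used"] + msg["size"] > box["quota"]:
        return "bounce"      # step 4a: quota full
    return "accept"          # step 4b: room available, hand over via LMTP


def delivery_decision(scan):
    """Return 'reject' for a virus, otherwise the Maildir folder the LDA uses.

    scan is a dict with boolean keys virus and spam (the DSPAM/ClamAV verdict).
    Steps 6 and 7 of the guide: viruses are rejected, SPAM goes to the SPAM
    folder, everything else to the inbox.
    """
    if scan["virus"]:
        return "reject"
    return "SPAM" if scan["spam"] else "INBOX"


if __name__ == "__main__":
    gl = Greylist()
    msg = {"client_ip": "192.0.2.10", "from": "sender@remote.test",
           "rcpt": "alice@example.com", "size": 100}
    for t in (0, 120, 300):
        print(f"t={t:>3}s: {mx_decision(msg, gl, t)}")
    print(delivery_decision({"virus": False, "spam": True}))
```

Running the module prints the same triplet being deferred twice and then accepted once 300 seconds have passed, which is the behaviour a sending MTA sees from a real Postgrey instance; the quota and recipient checks are deliberately evaluated before and after the greylist in the order the guide lists them.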


II. Important Notes


All this may be installed on either Debian 4.0 Etch or Ubuntu Feisty Fawn, since both systems are quite similar. Note however that there may be some minor issues if you use the default versions of Dovecot and Postfix, but I will try to note them down for you when they arise.

If you are an Ubuntu user, note that I will not use "sudo" in front of every command. Instead, I will launch a root shell using the command "sudo -s".

Installing software on Ubuntu and Debian is very easy, so whenever possible we'll be using the built-in apt-get utility. The less we have to build ourselves, the easier it is to maintain later.

So, let's get started!



Full Mail Server Solution w/ Virtual Domains & Users - Page 02 (MySQL & NFS)



III. Installing and configuring MySQL Server (+PostFixAdmin
Schema)


First off, we need to install the MySQL server on sql-1.internal.example.com. To make life easy, we're also going to install the MySQL command line client. This can be achieved by typing the following at the prompt:

# apt-get install mysql-server mysql-client


After apt-get has done its installation mojo, you're going to want to lock down root access to the MySQL database. This is done using the mysqladmin tool:

# mysqladmin -u root password "mypassword"

NOTE: Change mypassword to your own secure password!!!


Now we're going to create the database and users for Virtual Users & Domains. It's important to note that Postfix (and Dovecot) only require SELECT access to this database. PostfixAdmin will require SELECT, UPDATE, and INSERT.

# mysql -uroot -p
Enter password:
mysql> CREATE DATABASE virtual_mail;
mysql> GRANT SELECT ON virtual_mail.* TO 'vmail_user'@'mx-1.example.com' IDENTIFIED BY 'vmail_user_password';
mysql> GRANT SELECT,UPDATE,INSERT ON virtual_mail.* TO 'vmail_admin'@'mx-1.example.com' IDENTIFIED BY 'vmail_admin_password';
mysql> GRANT SELECT ON virtual_mail.* TO 'vmail_user'@'mx-2.example.com' IDENTIFIED BY 'vmail_user_password';
mysql> GRANT SELECT,UPDATE,INSERT ON virtual_mail.* TO 'vmail_admin'@'mx-2.example.com' IDENTIFIED BY 'vmail_admin_password';
mysql> quit

NOTE: Change vmail_user_password and vmail_admin_password to your own secure passwords!!!


Now we need to download Postfix Admin. While the tool itself is not mandatory for our configuration, it is very useful and the schema it uses is well thought out. Once you have downloaded the Postfix Admin distribution tarball, unpack it like this:

# tar xfvz postfixadmin-2.1.0.tgz

Inside the resulting directory, open postfixadmin-2.1.0/DATABASE_MYSQL.TXT with your favorite text editor. Remove all the lines under the "Postfix / MySQL" section. These lines create the initial database and users, which we've already done. For Postfix Admin 2.1.0 these are lines 26-39.

When complete, load the file into your existing MySQL database with the following command:

# mysql -uroot -p virtual_mail < postfixadmin-2.1.0/DATABASE_MYSQL.TXT

NOTE: If you get an error saying "Access denied for user 'mail'@'localhost' to database 'mysql'", then you didn't remove the lines properly. If you get no message after entering your password, then everything went fine.


IV. NFS File Share Server


A lot of servers are going to require access to our users' Maildir folders, so in order to make life simple(r), we're going to put them on an NFS mount. One of the benefits of Maildir is that it is compatible with NFS; the mbox format, on the other hand, would not be pretty. Luckily, setting up NFS on Debian is just as simple as setting up any other service.

Let's start by installing the service on files-1.internal.example.com:

# apt-get install nfs-kernel-server nfs-common portmap


The NFS exports (shares) are controlled by the file /etc/exports. Each line begins with the absolute local path of a directory to be exported, followed by a space-separated list of allowed clients. Each client may be followed by a comma-separated list of options in parentheses; there must be no whitespace between the client name and the opening parenthesis, nor inside the parentheses, or the remainder is read as another client entry. NFS can be extremely powerful, but I'm not going to go into the full details here. For our purposes, the following would do:

/etc/exports:

/vmail mx-1.internal.example.com(ro,insecure) mx-2.internal.example.com(ro,insecure) postman.internal.example.com(rw,no_root_squash) secure-mail.internal.example.com(rw,no_root_squash)

If you make changes to /etc/exports on a running NFS server, you can make the changes effective by issuing the command:

# exportfs -a
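A small parser and review pass for /etc/exports lines, added here as an example and not part of the original tutorial. It rejects the easy-to-make mistake of a space inside an option list (which exportfs would silently read as an extra client) and lists the options from the export above that widen access, so an administrator can confirm each one is intended for that host. The function names parse_exports and review_exports and the two sample strings are my own constructions.

```python
"""Parse /etc/exports lines and flag access-widening options.

Added example, not from the original tutorial. Both sample strings below are
constructed; SAMPLE_OK is the export line from the guide, SAMPLE_BAD shows
the malformed variant with a space after the comma.
"""
import re

# client token: host or network, optionally followed by "(opt1,opt2,...)"
CLIENT_RE = re.compile(r"^(\S+?)(?:\((.*)\))?$")

# Options that widen what a client may do on the export, with a one-line reason.
WIDENING_OPTIONS = {
    "no_root_squash": "remote root is mapped to local root on the share",
    "insecure": "requests from non-privileged source ports are accepted",
}

SAMPLE_OK = (
    "/vmail mx-1.internal.example.com(ro,insecure) "
    "mx-2.internal.example.com(ro,insecure) "
    "postman.internal.example.com(rw,no_root_squash) "
    "secure-mail.internal.example.com(rw,no_root_squash)\n"
)
SAMPLE_BAD = "/vmail mx-1.internal.example.com(ro, insecure)\n"


def parse_exports(text):
    """Return {path: [(client, [options]), ...]} for the body of an exports file.

    Raises ValueError when a token has an unbalanced parenthesis, which is what
    whitespace inside an option list produces after splitting on spaces.
    """
    exports = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, entries = fields[0], []
        for tok in fields[1:]:
            if ("(" in tok) != (")" in tok):
                raise ValueError(
                    f"line {lineno}: malformed client entry {tok!r} "
                    "(no whitespace is allowed inside the option parentheses)"
                )
            client, opts = CLIENT_RE.match(tok).groups()
            options = [o.strip() for o in opts.split(",")] if opts else []
            entries.append((client, options))
        exports[path] = entries
    return exports


def review_exports(exports):
    """Return (path, client, option, reason) for every option worth a second look,
    plus an entry for any wildcard client that opens the export to every host."""
    findings = []
    for path, entries in exports.items():
        for client, options in entries:
            if client == "*":
                findings.append((path, client, "*", "export is open to any host"))
            for opt in options:
                if opt in WIDENING_OPTIONS:
                    findings.append((path, client, opt, WIDENING_OPTIONS[opt]))
    return findings


if __name__ == "__main__":
    for path, client, opt, reason in review_exports(parse_exports(SAMPLE_OK)):
        print(f"{path} {client}: {opt} - {reason}")
    try:
        parse_exports(SAMPLE_BAD)
    except ValueError as err:
        print("rejected:", err)
```

Run against the guide's export line the review lists insecure on both MX hosts and no_root_squash on postman and secure-mail, which matches the roles the guide gives those hosts; the same pass on a real /etc/exports is a quick way to catch an option that was copied to a host that should not have it.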


We're going to need a real user to own all the virtual mailboxes in our setup. For this solution, we're going to use user id 150. This user id is for a specifically created "Virtual Mail" user. It uses the standard "mail" group, with the default (Debian) gid of 8. You can create the user and directory like this:

# useradd -r -u 150 -g mail -d /var/vmail -s /usr/sbin/nologin -c "Virtual Mailbox" vmail
# mkdir /vmail
# chmod 770 /vmail/
# chown vmail:mail /vmail/


NOTE: This user will need to be created, with the same uid and gid, on all servers which will be accessing this share (mx-1, mx-2, postman, files-1, secure-mail). If the user doesn't exist, or has a different uid, you could get file access errors. While NIS could be used to serve this user from a single host, that's outside the scope of this document.
