DebianEximDovecotSquirrelmailSieve
From Hinterlands
Building a mail server with Exim, Dovecot and Squirrelmail
Overview
When recently rebuilding my own personal mail server, I found myself tripping over software and configuration issues which required a bit of detective work (mostly with Google) to sort out. My preferred set of software for this task is not obscure or uncommon, so hopefully this HOWTO will help save other people time.
The task at hand is to build a useful mail server. The server should accept mail via SMTP (Exim 4.72), hand it to an IMAP server (Dovecot 1.2.13) for delivery into the users' mail store, sort the mail according to user-defined rules (Sieve), and also make the mail store accessible via any IMAP compatible mail client, or via web mail (Squirrelmail 1.4.21). We assume that this will be a public Internet-facing server, so all the protocols used are to be encrypted and, for ease of administration, all services authenticate from the system password file.
I'm working on adding a section to this HOWTO for antispam and antivirus filtering. You might consider using http://antibodyMX.net/ instead. Mention this HOWTO and you'll get a discount if you sign up.
Assumptions
The single largest assumption for this HOWTO is that you are using Debian. For some futureproofing, this HOWTO is also based on the testing version of Debian, otherwise known as squeeze. There's no reason why the principles here won't work for other Linux distributions, or earlier or later Debian releases, but please remember that this is specifically written for Debian users, and specifically for squeeze.
It is also assumed that your server is connected to an IP network, possibly the Internet, and that you have correctly working IP routing and DNS.
The name of my mail server is olga.hinterlands.org. The settings in this HOWTO reflect this. You should, of course, replace these with settings appropriate for your own system and domain name.
Exim
Basic Installation
As we will want all our mail services to authenticate from a single database, we need a more feature-rich exim4 package than the one installed by default: exim4-daemon-heavy includes the dovecot authenticator driver, which lets Exim hand SMTP AUTH credentials to Dovecot for checking, and the light daemon lacks it.
mailhowto:~# sudo aptitude install exim4-daemon-heavy
This package may well pull in an additional set of dependent packages, and their dependencies in turn. Accept the suggestions.
Basic configuration
After downloading and installing this package and its dependencies, you may be asked a series of questions to set a basic Exim configuration. If you've already installed and configured Exim, and depending on some Debian settings, you might not see this. If not, or to check your settings, use:
mailhowto:~# sudo dpkg-reconfigure exim4-config
This HOWTO assumes you will have chosen the following options, suitably modified for your own domain.
- General type of mail configuration: internet site
- System mail name: hinterlands.org
- IP-addresses to listen on for incoming SMTP connections: No value (all interfaces)
- Other destinations for which mail is accepted: hinterlands.org
- Domains to relay mail for: No value (no other domains)
- Machines to relay mail for: No value (no other machines)
- Keep number of DNS-queries minimal (Dial-on-Demand)? No
- Delivery method for local mail: Maildir format in home directory
- Split configuration into small files? Yes
The values entered here are stored in the file /etc/exim4/update-exim4.conf.conf which can be edited by hand if needed. At this point, the contents of the file should be:
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file
dc_eximconfig_configtype='internet'
dc_other_hostnames='hinterlands.org'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'
If you edit this file by hand, however, you will need to run the following command for your changes to take effect:
mailhowto:~# sudo /usr/sbin/update-exim4.conf
At this point, you should be able to send and deliver an email to yourself locally with the following command (the mail command comes from the bsd-mailx or mailutils package, if it isn't installed yet):
mailhowto:~# echo "hello" | mail -s "a test email" martin@hinterlands.org
Examining Exim's mail log should show you something like:
mailhowto:~# sudo tail /var/log/exim4/mainlog
2010-01-19 23:41:02 exim 4.71 daemon started: pid=5362, -q30m, listening for SMTP on port 25 (IPv6 and IPv4)
2010-01-19 23:41:02 Start queue run: pid=5364
2010-01-19 23:41:02 End queue run: pid=5364
2010-01-19 23:41:05 1NXNh3-0001Of-BB <= root@hinterlands.org U=root P=local S=513
2010-01-19 23:41:05 1NXNh3-0001Of-BB => martin <martin@hinterlands.org> R=local_user T=maildir_home
Enabling TLS
Using TLS (Transport Layer Security) on your mail server allows for opportunistic encryption. Connecting servers that also support TLS will negotiate the strongest cipher suite they have in common with your server. Connecting servers that don't support TLS will fall back to plain text; because STARTTLS is negotiated in-band, an active attacker who strips the STARTTLS advertisement from the EHLO response can force that same fallback, so opportunistic TLS defends against passive eavesdropping, not against a network attacker who can tamper with the session. First, you need to generate a keypair and create a self-signed SSL certificate. A self-signed certificate provides encryption every bit as strong as one signed by a certificate authority; what it lacks is any third party vouching for your server's identity, so a peer cannot tell your certificate from an impostor's without checking its fingerprint out of band. Debian ships a tool to generate it for you, but we need to install OpenSSL first.
mailhowto:~# sudo aptitude install openssl
Next, generate the certificate. You will be prompted to fill in a couple of fields. I provided the country code (GB), the locality name (London) and the server name (olga.hinterlands.org), often referred to as the common name. Note from the output that the script generates a 1024-bit RSA key, which is below current recommendations; if you want a longer key, generate it and a matching certificate with openssl yourself and put them in the same place, /etc/exim4/exim.key and /etc/exim4/exim.crt.
mailhowto:~# sudo /usr/share/doc/exim4/examples/exim-gencert
[*] Creating a self signed SSL certificate for Exim!
This may be sufficient to establish encrypted connections but for
secure identification you need to buy a real certificate!
Please enter the hostname of your MTA at the Common Name (CN) prompt!
Generating a 1024 bit RSA private key
.........................................................++++++
..................++++++
writing new private key to '/etc/exim4/exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Code (2 letters) [US]:GB
State or Province Name (full name) []:
Locality Name (eg, city) []:London
Organization Name (eg, company; recommended) []:Hinterlands
Organizational Unit Name (eg, section) []:
Server name (eg. ssl.domain.tld; required!!!) []:olga.hinterlands.org
Email Address []:
[*] Done generating self signed certificates for exim!
Refer to the documentation and example configuration files
over at /usr/share/doc/exim4-base/ for an idea on how to enable TLS
support in your mail transfer agent.
Debian's exim4-daemon-heavy package contains all you need to support TLS, but you have to enable it. The Debian configuration looks for the key and certificate at /etc/exim4/exim.key and /etc/exim4/exim.crt by default, which is where exim-gencert put them, so all that's needed is a local macro. Create a file for it in /etc/exim4/conf.d/main (the name 001_local is arbitrary; every file in that directory is included):
cd /etc/exim4/conf.d/main
vi 001_local
In this file, add the following line:
MAIN_TLS_ENABLE = 1
Next, restart Exim so that we can test that TLS is now enabled and working. Whenever you work with mail servers, I recommend a piece of software called swaks. It's the mail server equivalent of a Swiss Army knife, and it's provided as a Debian package so installation is simple.
mailhowto:~# sudo aptitude -y install swaks
Test your server with the following command.
mailhowto:~# swaks -f martin@hinterlands.org -t martin@hinterlands.org -tls -s localhost
=== Trying localhost:25...
=== Connected to localhost.
<- 220 mailhowto.hinterlands.org ESMTP Exim 4.71 Wed, 20 Jan 2010 20:40:02 +0000
-> EHLO mailhowto.hinterlands.org
<- 250-mailhowto.hinterlands.org Hello mailhowto.hinterlands.org [127.0.0.1]
<- 250-SIZE 52428800
<- 250-PIPELINING
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
~> EHLO mailhowto.hinterlands.org
<~ 250-mailhowto.hinterlands.org Hello mailhowto.hinterlands.org [127.0.0.1]
<~ 250-SIZE 52428800
<~ 250-PIPELINING
<~ 250 HELP
~> MAIL FROM:<martin@hinterlands.org>
<~ 250 OK
~> RCPT TO:<martin@hinterlands.org>
<~ 250 Accepted
~> DATA
<~ 354 Enter message, ending with "." on a line by itself
~> Date: Wed, 20 Jan 2010 20:39:52 +0000
~> To: martin@hinterlands.org
~> From: martin@hinterlands.org
~> Subject: test Wed, 20 Jan 2010 20:39:52 +0000
~> X-Mailer: swaks v20061116.0 jetmore.org/john/code/#swaks
~>
~> This is a test mailing
~>
~> .
<~ 250 OK id=1NXhLO-00020j-Ts
~> QUIT
<~ 221 mailhowto.hinterlands.org closing connection
=== Connection closed with remote host.
Looking in the mail server log will also verify that the email was encrypted in transit: P=esmtps records the protocol and the X= field the TLS version and cipher. From another host, openssl s_client -starttls smtp -connect olga.hinterlands.org:25 will show the certificate your server presents, which is exactly what remote peers see.
2010-01-20 20:40:03 1NXhLO-00020j-Ts <= martin@hinterlands.org H=(mailhowto.hinterlands.org) [127.0.0.1] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=556
2010-01-20 20:40:03 1NXhLO-00020j-Ts => martin <martin@hinterlands.org> R=local_user T=maildir_home
2010-01-20 20:40:03 1NXhLO-00020j-Ts Completed
We're going to come back to Exim a little later in the HOWTO, because we'll want to be able to send email via Exim as an authenticated user. Next we move on to the IMAP server, Dovecot.
Dovecot
Basic installation
Dovecot is provided as a Debian package:
mailhowto:~# sudo aptitude install dovecot-imapd
Now we need to set up Dovecot so that it only offers a secure protocol, enable Dovecot's Sieve filtering (and the ManageSieve protocol clients use to upload their scripts), and create a hook into Dovecot so we can use it to authenticate Exim sessions. Dovecot 1.x uses a single configuration file, /etc/dovecot/dovecot.conf. It would almost certainly be wise to take a copy of this file before proceeding with the next steps.
Enable IMAPS & ManageSieve
Edit the configuration file and look for the following line:
protocols = imap imaps
Replace this with:
protocols = imaps managesieve
Locate and uncomment the following two lines:
#ssl_cert_file = /etc/ssl/certs/dovecot.pem
#ssl_key_file = /etc/ssl/private/dovecot.pem
Adjust LDA settings
Locate the section of the configuration file called "LDA Specific Settings". You will need to uncomment the start and end of the block and add a postmaster address and enable the sieve plugin.
protocol lda {
postmaster_address = postmaster@hinterlands.org
mail_plugins = sieve
}
Disable plaintext authentication
Locate and uncomment this line.
#disable_plaintext_auth = yes
Enable the authenticator socket
Look for this line in the default configuration, and uncomment the socket section below it.
# It's possible to export the authentication interface to other programs:
With the comments stripped out, the socket definition should look like this. Note that the client socket's mode is changed from the default so that Exim, which runs as the Debian-exim user, can connect to it. Only the client socket is opened up; the master socket, which answers user lookups rather than just password checks, stays root-only at 0600. Mode 0666 does let any local process on the box submit password guesses to Dovecot, which is acceptable on a single-user machine; if other people have shell accounts, use 0660 and add group = Debian-exim to the client block instead.
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0600
}
client {
path = /var/run/dovecot/auth-client
mode = 0666
}
}
Once done editing, restart Dovecot. If you get an error, check that you've balanced the braces and uncommented all of each section. You can also download my sample configuration and compare it to your own.
mailhowto:~# sudo /etc/init.d/dovecot restart
Restarting IMAP/POP3 mail server: dovecot.
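The Exim half of that auth-client socket, which is what lets Exim verify SMTP AUTH credentials through Dovecot, is not shown on this page. The following is an added example of how it would look in Debian's split configuration, not the page's own configuration: the file name 30_exim4-config_dovecot is my choice, Dovecot's mechanisms setting is assumed to include plain (its default), and $tls_cipher is the variable name for the Exim 4.7x series used here (later releases renamed it $tls_in_cipher).

```exim
# /etc/exim4/conf.d/auth/30_exim4-config_dovecot  (added example; file name assumed)
# SMTP AUTH PLAIN, checked by Dovecot over the auth-client socket defined in
# dovecot.conf above.  The advertise condition hides AUTH until the session
# is TLS-protected, so a client is never invited to send the password in clear.
dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = ${if def:tls_cipher}
```

After running update-exim4.conf and restarting Exim, EHLO over TLS should advertise 250-AUTH PLAIN, and swaks -tls -a PLAIN -au martin -ap 'secret' -f martin@hinterlands.org -t someone@example.com -s localhost should receive 235 Authentication succeeded before MAIL FROM. Debian's default RCPT ACL accepts relay from any authenticated session, so the same command without -a must instead be refused with relay not permitted; if it is not, you have an open relay.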
Binding Exim and Dovecot together
The default settings for Exim and Dovecot will work just fine: Exim delivers to the Maildir in a user's home directory, and Dovecot serves that Maildir over IMAPS. However, to take advantage of Dovecot's Sieve filtering, which runs at delivery time, we need Exim to hand local deliveries to Dovecot's deliver program.
Create a Dovecot transport for Exim
Change into the directory /etc/exim4/conf.d/transport and create a file called 20_dovecot containing the following:
dovecot:
driver = pipe
command = /usr/lib/dovecot/deliver
message_prefix =
message_suffix =
log_output
delivery_date_add
envelope_to_add
return_path_add
temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78
The temp_errors list names the sysexits.h codes from deliver (64 EX_USAGE, 69 EX_UNAVAILABLE, 70 EX_SOFTWARE, 71 EX_OSERR, 72 EX_OSFILE, 73 EX_CANTCREAT, 74 EX_IOERR, 75 EX_TEMPFAIL and 78 EX_CONFIG) that Exim should treat as temporary and retry; any other non-zero exit, such as 67 EX_NOUSER or 77 EX_NOPERM, bounces the message instead.
Configure Exim to use the Dovecot transport for local deliveries
Change into the directory /etc/exim4/conf.d/router and edit the file named 900_exim4-config_local_user. Change the line
transport = LOCAL_DELIVERY
To
transport = dovecot
Save the file and restart Exim. Next, use Exim's test mode to check that mail will be routed correctly.
mailhowto:~# exim -bt martin@hinterlands.org
R: system_aliases for martin@hinterlands.org
R: userforward for martin@hinterlands.org
R: procmail for martin@hinterlands.org
R: maildrop for martin@hinterlands.org
R: lowuid_aliases for martin@hinterlands.org (UID 1000)
R: local_user for martin@hinterlands.org
martin@hinterlands.org
router = local_user, transport = dovecot
Use swaks again to send yourself another email, then check that there are no errors in the Exim log and that the delivery succeeded: the delivery line should now show T=dovecot rather than T=maildir_home.
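The two log checks above, TLS on arrival (the P=esmtps and X= fields) and the transport named on each delivery line, can be automated over a whole mainlog. The following is an added example written for this page, not something the page or the Exim project provides; it parses the log format shown above and runs over a constructed sample (the 192.0.2.10 arrival and the T=dovecot deliveries are made up for the sample), or over a real mainlog path given on the command line.

```python
"""Audit an Exim mainlog: which arrivals were TLS-protected, and which
transport each message was handed to.  Added example; not part of Exim."""
import re
import sys
from typing import Dict, List

# Constructed sample in Exim mainlog format, modelled on the entries shown
# on this page.  The 192.0.2.10 arrival and the T=dovecot deliveries are
# made up to exercise the checks; they are not real log lines.
SAMPLE_LOG = """\
2010-01-19 23:41:05 1NXNh3-0001Of-BB <= root@hinterlands.org U=root P=local S=513
2010-01-19 23:41:05 1NXNh3-0001Of-BB => martin <martin@hinterlands.org> R=local_user T=maildir_home
2010-01-20 20:40:03 1NXhLO-00020j-Ts <= martin@hinterlands.org H=(mailhowto.hinterlands.org) [127.0.0.1] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=556
2010-01-20 20:40:03 1NXhLO-00020j-Ts => martin <martin@hinterlands.org> R=local_user T=dovecot
2010-01-20 20:40:03 1NXhLO-00020j-Ts Completed
2010-01-20 21:02:11 1NXhgp-00021c-Ab <= sender@example.com H=mx.example.com [192.0.2.10] P=esmtp S=1234
2010-01-20 21:02:11 1NXhgp-00021c-Ab => martin <martin@hinterlands.org> R=local_user T=dovecot
"""

# "<=" marks a message arriving; "=>" marks a delivery to a transport.
ARRIVAL = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) ?(.*)$")
DELIVERY = re.compile(r"^(\S+ \S+) (\S+) => .*\bT=(\S+)")

# Protocols Exim reports for sessions that negotiated TLS (the trailing
# "a" means the client also authenticated).
TLS_PROTOCOLS = {"smtps", "esmtps", "esmtpsa"}


def parse_flags(rest: str) -> Dict[str, str]:
    """Turn Exim's 'K=value' tokens into a dict; bare tokens such as the
    '[127.0.0.1]' that follows H= are ignored."""
    flags: Dict[str, str] = {}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep and key.isalpha():
            flags[key] = value
    return flags


def parse_arrivals(log_text: str) -> List[Dict[str, object]]:
    """One record per '<=' line.  'remote' is true when Exim logged a peer
    host (H=), i.e. the message came in over SMTP rather than from a local
    process; 'tls' is true when the session was encrypted, which Exim shows
    both in P= and in the X= cipher field (log_selector +tls_cipher, on by
    default)."""
    records: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue
        when, msgid, sender, rest = m.groups()
        flags = parse_flags(rest)
        proto = flags.get("P", "")
        records.append({
            "time": when,
            "id": msgid,
            "sender": sender,
            "protocol": proto,
            "remote": "H" in flags,
            "tls": "X" in flags or proto in TLS_PROTOCOLS,
            "cipher": flags.get("X"),
        })
    return records


def plaintext_remote_arrivals(log_text: str) -> List[str]:
    """Message ids that arrived over the network without TLS: the
    opportunistic-encryption fallback (or a STARTTLS downgrade) in action."""
    return [r["id"] for r in parse_arrivals(log_text)
            if r["remote"] and not r["tls"]]


def transports_used(log_text: str) -> Dict[str, str]:
    """Map message id -> transport named on its '=>' line, to confirm that
    local deliveries now go through 'dovecot' rather than 'maildir_home'."""
    used: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = DELIVERY.match(line)
        if m:
            used[m.group(2)] = m.group(3)
    return used


if __name__ == "__main__":
    # Pass a real mainlog path (read access needed, e.g. via sudo), or run
    # with no arguments to see the constructed sample analysed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for rec in parse_arrivals(text):
        state = "TLS " + str(rec["cipher"]) if rec["tls"] else "PLAINTEXT"
        print(f"{rec['id']} from {rec['sender']}: {state}")
    print("plaintext remote arrivals:", plaintext_remote_arrivals(text))
    print("transports:", transports_used(text))
```

Run it against /var/log/exim4/mainlog after a few days of real traffic: every id it reports as a plaintext remote arrival is a peer that either does not do TLS or was downgraded, which is the limit of opportunistic encryption described in the TLS section.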
Apache and mod_ssl
We want our webmail sessions to be secure, so serving Squirrelmail via Apache and mod_ssl is the way to go. Happily, mod_ssl is provided by default in Debian's apache2 package; install it and enable the module.
Basic installation
Installing Apache and enabling mod_ssl is trivial:
mailhowto:~# sudo aptitude install apache2
mailhowto:~# sudo a2enmod ssl
Create an SSL certificate
As with many of the package installs in this HOWTO, Debian will want to install dependent packages. Just accept the defaults. Next you need an SSL certificate. You might be thinking that you've done that before in this HOWTO, and you'd be right: so far there is one certificate for Dovecot (created when its package was installed), one for Exim, and now one for Apache. It's perfectly possible to use a single certificate for all three, and we'll get to that a bit later.
mailhowto:~# sudo make-ssl-cert generate-default-snakeoil --force-overwrite
Configure the SSL vhost
Debian provides you with two default sites served by Apache, one plain HTTP, and one HTTPS. For now, we will only enable the HTTPS one.
mailhowto:~# sudo a2dissite default
Site default disabled.
mailhowto:~# sudo a2ensite default-ssl
Enabling site default-ssl.
Edit the file /etc/apache2/ports.conf. Comment out the following two lines:
NameVirtualHost *:80
Listen 80
Next edit the file /etc/apache2/sites-available/default-ssl. Change the line:
<VirtualHost _default_:443>
To read:
<VirtualHost *:443>
You can now restart Apache and check that it starts listening on the HTTPS port.
mailhowto:~# sudo /etc/init.d/apache2 restart
Restarting web server: apache2 ... waiting .
mailhowto:~# sudo netstat -a | grep https
tcp6 0 0 [::]:https [::]:* LISTEN
Pointing a web browser at your server (e.g. https://olga.hinterlands.org/) should show the "It works!" page. Your browser will almost certainly issue dire security warnings about an untrusted certificate, because the snakeoil certificate is self-signed.
Configure Apache to authenticate local users
I like to use one secure and complicated password to access all my personal stuff. Rather than have a separate user database for Apache, we can let it authenticate against the server's own user database. Doing so requires installing and enabling another Apache module, which hands each password check to the pwauth helper.
mailhowto:~# sudo aptitude install libapache2-mod-authnz-external
mailhowto:~# sudo a2enmod authnz_external
Edit /etc/apache2/sites-available/default-ssl and add a block like this near to the top. (There's a full example configuration file you can see below).
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
<Location />
AuthBasicProvider external
AuthExternal pwauth
AuthName Hinterlands
AuthType basic
Require valid-user
</Location>
Restart Apache and reload the page you visited before; you should now be prompted for your username and password. Basic authentication sends the credentials with every request, which is why the plain-HTTP site was disabled above: over HTTPS everything is encrypted in transit, so you can feel reasonably secure in sending your credentials along, browser caches and password managers excepted.
Squirrelmail
Basic installation
As you should perhaps be getting used to by now, Squirrelmail is available as a Debian package. To install:
mailhowto:~# sudo aptitude install squirrelmail squirrelmail-secure-login squirrelmail-compatibility squirrelmail-decode avelsieve
Additional dependencies may be installed as well. Squirrelmail is a PHP application, so unless you already have PHP installed expect that to be wanted too.
Basic configuration
Squirrelmail provides a useful configuration script both to get you started and for ongoing maintenance:
mailhowto:~# sudo /etc/squirrelmail/conf.pl
Options you will definitely need to change are:
(Options are listed by main menu, then sub menu number. So "1 1" refers to option 1, sub option 1. And so on.)
- 1 1 - Organization Name: set your own.
- 2 3 - Sendmail or SMTP: SMTP
- 2 A 4 - IMAP Server: localhost
- 2 A 5 - IMAP Port: 993
- 2 A 6 - Authentication type: login
- 2 A 7 - Secure IMAP (TLS): true
- 2 A 8 - Server software: dovecot
Port 993 with Secure IMAP set to true matches the protocols = imaps setting in dovecot.conf; with plain imap on port 143 disabled there, Squirrelmail has no unencrypted path to fall back to.
Add Squirrelmail to Apache
Edit /etc/apache2/sites-available/default-ssl and add the following line inside the virtual host container. (It's personal preference, I usually add these sorts of thing near the end).
Include /etc/squirrelmail/apache.conf
Restart Apache and visit https://yourserverhere.org/squirrelmail/ . If all is well, you should be asked for your user credentials (unless your browser is still sending the Basic auth credentials from the Apache configuration above), and then you should see the Squirrelmail login screen. Enter your credentials and you should see your inbox. Try sending yourself an email, then try sending one to an external account, such as GMail.
Automatic mail sorting
The avelsieve package we installed adds very powerful server-side mail filtering to Squirrelmail: the rules are stored as Sieve scripts on the server via ManageSieve and applied by Dovecot's deliver as each message arrives, so they work whichever client you later read mail with. If you click to view a message, look for the Create Filter addition to the message headers and the Filters link in the tool bar. You can easily create rules to sort your mail according to where it has come from, where it was sent to, or the contents, or any combination of these and more. I recommend experimentation.
More on SSL certificates
In this HOWTO you have effectively generated several different SSL certificates, all of them self-signed. The encryption they provide is just as strong as that of certificates issued by widely recognised Certificate Authorities, but nothing vouches for the server's identity, so clients connecting to your secure services will almost certainly warn about them, and a user who clicks through such warnings would accept an impostor's certificate just as readily. To get around this, you might consider investing in a trusted CA-signed certificate to replace all of the ones you made as you worked through this document. Depending on exactly what you want, this can cost you anything from nothing at all up to a few hundred pounds.
External Links
- The Dovecot home page.
- The Exim home page.
- The Apache home page.
- The Squirrelmail home page and plugins to provide additional functionality.
- The SWAKS homepage - an email Swiss army knife.
- I'm working on a section on spam and virus filtering to be added soon. You might consider trying http://antibodyMX.net/ for your mail filtering needs.
Example Files
- Dovecot configuration, tweaked according to this HOWTO.
- Dovecot router for Exim.
- Debian SSL vhost skeleton with Squirrelmail added and local authentication enabled.

