CentOS 6 Email Server: Postfix, Amavisd-new, SpamAssassin, ClamAV, Dovecot, RoundCube

How to set up a CentOS 6 Email Server with Postfix, Amavisd-new, SpamAssassin, ClamAV, Dovecot, and RoundCube.

  1. First we get an email server working.
  2. Then we secure the connections.
  3. Lastly we set up spam filtering and filtering for viruses, trojans and other malware.

Assuming a minimal CentOS 6.3 Installation with repositories.

Setup a CentOS 6 Postfix email server

DNS

First we need a domain name. If you have one you can use it, otherwise you can create a free domain at FreeDNS:

Create an account and login at http://freedns.afraid.org

On the website, select Subdomains → Add a subdomain.

Find your current external IP address from the network the email server is on: http://whatismyipaddress.com/

Add an A record (the main DNS record, pointing the subdomain at your external IP) with the following type, subdomain, domain and destination:

Type: A
Subdomain: beach (this is an example, make one up for yourself)
Domain: jumpingcrab.com (pick a free domain here, you could setup your own domain, or there are 90,000 available at freedns for free!)
Destination: 73.98.210.8 (your external IP address, if you have a dynamic IP you can set your router to update freedns)

Click Add:

Add an MX (mail exchange) record with the following type, subdomain, domain and destination:

Type: MX
Subdomain: beach (this is an example, make one up for yourself)
Domain: jumpingcrab.com (pick a free domain here, you could setup your own domain, or there are 90,000 others available on the site, free!)
Destination: 10:beach.jumpingcrab.com   (10 is the priority; if you had other mail servers they would be listed here with their own priorities. beach.jumpingcrab.com is your mail server's name)

Click Save.

The website http://beach.jumpingcrab.com will direct to your IP address on port 80 (it doesn't need to go anywhere) and emails to anyname@beach.jumpingcrab.com will go to your IP address on port 25. Optionally, if you want to setup a website on your domain, follow Apache setup on CentOS.

Router

Port 25 is for SMTP protocol, for Postfix to receive and send emails.
Port 110 is for the POP3 protocol; optional if you aren't going to use POP3. If you don't know, you can add or remove it later.
Port 143 is for IMAP protocol, recommended if you have any email clients externally (on the internet).

Add port forwarding for ports 25 and 143, optionally 110 to the IP address of your internal server for TCP only in your router.

If you have a dynamic IP address, setup DynamicDNS to update freedns.afraid.org.

Setup Postfix

A CentOS 6 server comes with Postfix installed.

On the server, save a copy of the postfix configuration file:

cp /etc/postfix/main.cf /etc/postfix/main.cf.original

Edit the postfix main.cf configuration file:

vi /etc/postfix/main.cf

Find, uncomment, and set the following values:

#external email hostname
myhostname = beach.jumpingcrab.com

#external email domain
mydomain = jumpingcrab.com

#domain appended to unqualified addresses in locally submitted mail (what our mail appears to come from)
myorigin = beach.jumpingcrab.com

#accept connections on all interfaces
inet_interfaces = all

#deliver to a Maildir in each user's home directory
home_mailbox = Maildir/

Restart Postfix to pick up the changes (a restart is required for interface changes; for other changes a reload is enough):

service postfix restart

Test Postfix

Send an email to Postfix from the command line

Type the client lines below; the lines starting with a three-digit code are the server's responses.
End your message with a line containing only a single period and press Enter to send it:

# telnet beach.jumpingcrab.com 25
220 beach.jumpingcrab.com ESMTP Postfix
HELO im.notreal.com
250 beach.jumpingcrab.com
MAIL FROM:<im@notreal.com>
250 2.1.0 Ok
RCPT TO:<root@beach.jumpingcrab.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: This is my first email to beach
This is the body of the email

From,
Andrew
.
250 2.0.0 Ok: queued as 812E22E0F
QUIT
221 2.0.0 Bye
Connection to host lost.
#

If you get command not found, install telnet:

yum -y install telnet

If anything doesn't work above, stop and troubleshoot.

Look at maillog to see the incoming email:

less /var/log/maillog

To read the raw message, cat the file in your new Maildir (the file name will differ):

cd /root/Maildir/new
cat 1345833552.Vfd00I5c1cM674918.servername

Send an email externally from the command line

Now that we can receive mail, let's send an email out through Postfix:

# mail -s "hello" "someemailyouget@gmail.com"
some body
.
EOT

If you get command not found install mailx:

yum -y install mailx

Check your external email account for the email. Check your spam folder. If it doesn't show up, stop and troubleshoot.

Reply to the email from your external account. Make sure the reply address is correct and that the email shows up in /root/Maildir/new

Setup Dovecot

Dovecot serves your mail to a client (Apple Mail.app, Outlook, Thunderbird, Mutt, Pine, SquirrelMail, RoundCube Webmail, etc.) over the IMAP and/or POP3 protocols.

IMAP is the best choice: mail stays on the server and can be read online or offline.
POP3 is the original mail protocol; it moves mail from the server to the client, which is rarely wanted anymore, so omit it unless you need it (recommended).
LMTP is a local delivery protocol; Postfix uses it later to hand mail to the spam/virus filter.

Install Dovecot:

yum -y install dovecot

Save a copy of the Dovecot configuration file:

cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.original

Edit the file:

vi /etc/dovecot/dovecot.conf

Uncomment the protocols line and set the protocols you want (keep pop3 if you need it):

protocols = imap lmtp

We also need to tell Dovecot where to find each user's mail.

Save a copy of the Dovecot mail location configuration file:

cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.original

Edit the file:

vi /etc/dovecot/conf.d/10-mail.conf

Uncomment the location of the local mail directory for users:

mail_location = maildir:~/Maildir

Set Dovecot to start at boot and start it:

chkconfig dovecot on
service dovecot start

Create a Test User

Now we can create a temporary linux user account. :!: Remember to remove the account when done otherwise you will leave a vulnerability:

# useradd testpostfix
# passwd testpostfix
Changing password for user testpostfix.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Setup an External Email Client: Opera

I downloaded and installed Opera which includes an email client.

In Opera, select Opera → Mail and Chat Accounts… → Add → Email → Next

Real Name: testpostfix
Email address: testpostfix@beach.jumpingcrab.com

Select Next

Login Name: testpostfix
Password: <use password created above>
Select: IMAP

Next → Incoming Mail server: beach.jumpingcrab.com (remove mail. since we aren't using it)

Select Secure Connection(TLS)

Outgoing Mail server: beach.jumpingcrab.com

Leave outgoing TLS unchecked for now. Since TLS and SMTP authentication are not configured yet, Postfix only accepts mail for relaying from clients inside mynetworks (your LAN), so run this test from there; we enable TLS and authentication later.

Select Finish

A popup will ask you to accept the certificate: Dovecot ships with a self-signed sample certificate, so the client cannot verify it. Accept it for this test only; we install our own certificate later.

Send an email to an external address and receive an email.

Setup a Web based Email Client RoundCube

RoundCube is a Web based IMAP Email Client. It can be installed on the same server or your webserver.

RoundCube requires a webserver, PHP and MySQL (LAMP). Follow apache and php installation and Installing MySQL on CentOS if it's not on the server.

Install RoundCube:

yum -y install roundcubemail

The README, INSTALL, and roundcubemail-README.fedora files contain the steps to install, available in /usr/share/doc/roundcubemail-0.7.3/

Create a database roundcubemail using the instructions at Installing MySQL on CentOS

Create and grant permissions to the user roundcubeuser on database roundcubemail

Create the tables for RoundCube:

mysql -u root -p roundcubemail < /usr/share/doc/roundcubemail-0.7.3/SQL/mysql.initial.sql

Save a copy of RoundCube's database configuration file:

cp /etc/roundcubemail/db.inc.php /etc/roundcubemail/db.inc.php.original

Edit the file:

vi /etc/roundcubemail/db.inc.php

change the DSN line to the following, replacing pass with the roundcubeuser password you created:

$rcmail_config['db_dsnw'] = 'mysql://roundcubeuser:pass@localhost/roundcubemail';

Move the RoundCube apache config out of the way:

mv /etc/httpd/conf.d/roundcubemail.conf /etc/httpd/conf.d/roundcubemail.conf.original

Edit the existing apache configuration:

vi /etc/httpd/conf.d/webserver.conf

add near the other Aliases:

Alias /roundcubemail /usr/share/roundcubemail

reload apache to pickup roundcube location:

service httpd reload

Save a copy of RoundCube's main configuration file:

cp /etc/roundcubemail/main.inc.php /etc/roundcubemail/main.inc.php.original

Edit the file:

vi /etc/roundcubemail/main.inc.php

If RoundCube is on the same host as the Postfix server, set the default host to localhost, otherwise set it to the Postfix host:

$rcmail_config['default_host'] = 'localhost';

Visit your RoundCube site on the webserver you installed it on, for example:

https://sandy.jumpingcrab.com/roundcubemail/

Login with your test user testpostfix

In order to send emails with the correct address, change the identity's email address from accountname@localhost to your domain:

In RoundCube, click Settings, Identities, select your identity, change email address to the account's email address: testpostfix@beach.jumpingcrab.com, Save.

Login, test sending and receiving emails.

Secure Email Connections on a CentOS 6 Postfix email server with TLS and SASL

:!: Disclaimer: The goal of this section is to secure the email server. However, this setup may not be secure. You should understand and investigate the security of your server, resources are at the bottom of the page.

So far, we have a working email server, however username and passwords from email clients are not secure and could be sniffed/wiretapped.

Since Dovecot already authenticates our mail clients, we can let Postfix use Dovecot's SASL (Simple Authentication and Security Layer) for SMTP authentication as well, and wrap both the IMAP and SMTP sessions in TLS so that logins and messages are encrypted in transit. SASL handles the authentication; TLS provides the encryption.

SSL/TLS Certificate

If you already have a certificate, use it: point the key and cert parameters in the Postfix and Dovecot configurations below at your files. The private key should be readable by root only.

If you want a self-signed certificate for testing (clients will warn about it), generate one as follows:

install key generator:

yum -y install crypto-utils

generate a certificate and key for your mail host name and follow the prompts. If genkey offers to protect the private key with a passphrase, decline: Postfix and Dovecot must read the key unattended at startup:

genkey --days 365 beach.jumpingcrab.com

It will put the keys where we need them in:

/etc/pki/tls/certs/beach.jumpingcrab.com.crt
/etc/pki/tls/private/beach.jumpingcrab.com.key

Postfix and Dovecot Configuration

Edit Postfix configuration file to use SASL and TLS:

vi /etc/postfix/main.cf

Add the following to main.cf, I added it near the top, optionally uncomment the line for outlook clients if you need to:

#use Dovecot's SASL implementation
smtpd_sasl_type = dovecot

#connect to Dovecot over a unix socket, relative to the Postfix queue directory (the other option is TCP)
smtpd_sasl_path = private/auth

#enable SMTP authentication over SASL (required)
smtpd_sasl_auth_enable = yes

#uncomment the below line for "Outlook up to and including version 2003 and Outlook Express up to version 6" this simply sends the available authentication methods to the client twice instead of once for these broken clients, it doesn't hurt others
#broken_sasl_auth_clients = yes

#no anonymous SASL mechanisms. This only concerns AUTH; other mail servers delivering to us never authenticate and still connect normally
smtpd_sasl_security_options = noanonymous

#use the same settings for a TLS encrypted session:
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options

#only advertise AUTH inside a TLS session, so credentials are never sent in the clear
smtpd_tls_auth_only = yes

#allow our own network and SASL authenticated users to relay; everyone else may only deliver to our own domain.
#smtpd_relay_restrictions only exists from Postfix 2.10 on; the Postfix 2.6 shipped with CentOS 6 ignores it (maillog: "unused parameter"),
#so set smtpd_recipient_restrictions, which works on both. Without this, authenticated users from outside mynetworks cannot send out.
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

#SASL realm: the domain assumed for login names that do not include one
smtpd_sasl_local_domain = beach.jumpingcrab.com

#announce STARTTLS for servers to use TLS if available but still accept mail from those without it
smtpd_tls_security_level = may

#set our key
smtpd_tls_key_file = /etc/pki/tls/private/beach.jumpingcrab.com.key

#set our certificate
smtpd_tls_cert_file = /etc/pki/tls/certs/beach.jumpingcrab.com.crt

#cache TLS sessions so reconnecting clients can resume a session instead of doing a full handshake every time (saves CPU)
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache

#supply random characters for key security
tls_random_source = dev:/dev/urandom

There are further settings, for example stopping authenticated users from sending mail with a sender address that is not their own (smtpd_sender_login_maps together with reject_sender_login_mismatch). That needs a table mapping each login to its allowed addresses, so it is left out above; be aware that without it an authenticated user can put any name/domain they make up on outgoing mail. See the Postfix SASL Howto.

Reload Postfix:

service postfix reload

Set Dovecot to listen on the unix socket for Postfix:

Save a copy of the master configuration if you haven't already:

cp /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf.original

Edit the configuration file:

vi /etc/dovecot/conf.d/10-master.conf

find the service auth section, leave the auth-userdb listener as shipped (doveadm and LMTP use it) and add a listener for Postfix:

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  unix_listener auth-userdb {
    #mode = 0600
    #user =
    #group =
  }

  # Postfix smtp-auth: the socket lives inside the Postfix queue directory, so
  # only the postfix user needs to reach it (least privilege rather than 0666)
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}

Set Dovecot to use the SSL(TLS) certificate and key:

Save a copy of the dovecot ssl configuration, if you haven't already:

cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.original

Edit the configuration file:

vi /etc/dovecot/conf.d/10-ssl.conf

Uncomment and change to:

ssl = yes

ssl_cert = </etc/pki/tls/certs/beach.jumpingcrab.com.crt
ssl_key = </etc/pki/tls/private/beach.jumpingcrab.com.key

# Dovecot's default list at the time; on a current build also exclude RC4 and MD5 (ALL:!LOW:!SSLv2:!EXP:!aNULL:!RC4:!MD5)
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

Reload Dovecot:

service dovecot reload
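To confirm that the settings above actually took effect, here is an added check script (not part of the original page) that talks to Postfix on port 25 and Dovecot on port 143 the way a mail client would. It records which ESMTP extensions are advertised before and after STARTTLS and reports if AUTH is offered on the plaintext session, and it checks that IMAP advertises STARTTLS. The host name default, the EHLO name probe.example and the wording of the findings are the example's own; certificate verification is switched off because the genkey certificate is self-signed. Run it with Python 3 from a workstation, passing your mail host name.

```python
#!/usr/bin/env python3
"""Probe SMTP (25) and IMAP (143) to confirm the TLS/SASL settings took effect.

Added example, not from the original page.  Assumes the self-signed genkey
certificate, so certificate verification is switched off for the probe;
"probe.example" is a made-up client name used only for EHLO.
"""
import imaplib
import smtplib
import ssl
import sys

PROBE_HELO = "probe.example"


def judge_smtp(before_tls, after_tls):
    """Judge the ESMTP keyword sets (lower case) seen before and after STARTTLS.

    after_tls is None when STARTTLS was not offered.  Returns (ok, findings).
    """
    findings = []
    if "starttls" not in before_tls:
        findings.append("SMTP: STARTTLS not advertised; check smtpd_tls_security_level "
                        "and the smtpd_tls_key_file/smtpd_tls_cert_file paths")
    if "auth" in before_tls:
        findings.append("SMTP: AUTH offered on the plaintext session; "
                        "smtpd_tls_auth_only = yes is not in effect")
    if after_tls is not None and "auth" not in after_tls:
        findings.append("SMTP: AUTH not offered after STARTTLS; check smtpd_sasl_auth_enable "
                        "and the Dovecot auth socket in 10-master.conf")
    return (not findings, findings)


def judge_imap(capabilities, remote=True):
    """Judge an IMAP CAPABILITY list.  Dovecot treats connections from the
    same host as already secure, so LOGINDISABLED is only expected remotely."""
    caps = set(c.upper() for c in capabilities)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("IMAP: STARTTLS not advertised; check ssl = yes and the "
                        "ssl_cert/ssl_key lines in 10-ssl.conf")
    if remote and "LOGINDISABLED" not in caps:
        findings.append("IMAP: plaintext LOGIN allowed before STARTTLS; "
                        "disable_plaintext_auth should be yes")
    return (not findings, findings)


def probe_smtp(host, port=25):
    """EHLO, STARTTLS, EHLO again, and judge what was advertised each time."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed test certificate
    smtp = smtplib.SMTP(host, port, timeout=15)
    try:
        smtp.ehlo(PROBE_HELO)
        before = set(smtp.esmtp_features)
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo(PROBE_HELO)  # the extension list must be re-read after STARTTLS
            after = set(smtp.esmtp_features)
    finally:
        smtp.quit()
    return judge_smtp(before, after)


def probe_imap(host, port=143, remote=True):
    """Read the server's CAPABILITY list from the greeting and judge it."""
    imap = imaplib.IMAP4(host, port)
    try:
        return judge_imap(imap.capabilities, remote)
    finally:
        imap.logout()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "beach.jumpingcrab.com"
    remote = target not in ("localhost", "127.0.0.1")
    results = [probe_smtp(target), probe_imap(target, remote=remote)]
    for ok, findings in results:
        for finding in findings:
            print("FAIL: " + finding)
    passed = all(ok for ok, _ in results)
    print("all checks passed" if passed else "problems found")
    sys.exit(0 if passed else 1)
```

The judging is separated from the network probing so the decision rules can be read (and tested) on their own; the "AUTH before STARTTLS" finding is the one that matters most, because it means a client could be tricked into sending its password in the clear.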

Setup Spam and Virus Filtering on a CentOS 6 Postfix email server with SpamAssassin and ClamAV

First, test that you are not an open relay that spammers could use to send mail through you. Test from outside your own network (from the LAN, permit_mynetworks lets you relay by design). One external checker, given your external IP: http://www.mailradar.com/openrelay/
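If you would rather not rely on a third-party website, here is an added open-relay probe (not part of the original page) that does the same three checks a relay tester does: mail from outside to a local mailbox must be accepted, while mail from outside to outside, and mail claiming to be from us to outside, must be refused without authentication. It stops after RCPT TO and never sends DATA, so nothing is actually relayed. LOCAL_DOMAIN, the probe addresses, the HELO name relayprobe.example and the findings text are the example's own; replace LOCAL_DOMAIN with your mail host name and run it from a host outside mynetworks.

```python
#!/usr/bin/env python3
"""Open-relay probe for the Postfix server set up above.

Added example, not from the original page.  Makes three unauthenticated
RCPT TO attempts and never sends DATA.  LOCAL_DOMAIN, the probe addresses and
the HELO name are made up for the example.  Run it from OUTSIDE mynetworks:
from the LAN, permit_mynetworks accepts the relay attempts by design and the
probe reports an open relay that external senders would not see.
"""
import smtplib
import sys

LOCAL_DOMAIN = "beach.jumpingcrab.com"

# name: (MAIL FROM, RCPT TO, must the server accept the recipient?)
PROBES = {
    "external-to-local": ("probe@example.net", "root@" + LOCAL_DOMAIN, True),
    "external-to-external": ("probe@example.net", "victim@example.org", False),
    "local-to-external": ("root@" + LOCAL_DOMAIN, "victim@example.org", False),
}


def rcpt_code(host, port, mail_from, rcpt_to):
    """Reply code Postfix gives to RCPT TO after an unauthenticated HELO and MAIL FROM."""
    smtp = smtplib.SMTP(host, port, timeout=15)
    try:
        smtp.helo("relayprobe.example")
        code, _ = smtp.mail(mail_from)
        if code != 250:
            return code
        code, _ = smtp.rcpt(rcpt_to)
        smtp.rset()  # abort the transaction: a probe must not relay anything
        return code
    finally:
        smtp.quit()


def judge(codes):
    """codes maps a probe name to its RCPT TO reply code.

    Returns (open_relay, findings).  open_relay is True when a probe that had to
    be refused got a 2xx reply (Postfix normally answers 554 Relay access denied).
    """
    findings = []
    open_relay = False
    for name, (_, _, must_accept) in PROBES.items():
        code = codes.get(name)
        if code is None:
            continue
        accepted = 200 <= code < 300
        if accepted and not must_accept:
            open_relay = True
            findings.append("%s: accepted (code %d), server relays for anyone; "
                            "check reject_unauth_destination" % (name, code))
        elif not accepted and must_accept:
            findings.append("%s: refused (code %d), local delivery is broken; "
                            "check mydestination" % (name, code))
    return open_relay, findings


def run(host, port=25):
    """Run every probe against host and judge the collected reply codes."""
    codes = dict((name, rcpt_code(host, port, frm, to))
                 for name, (frm, to, _) in PROBES.items())
    return judge(codes)


if __name__ == "__main__":
    is_open, findings = run(sys.argv[1] if len(sys.argv) > 1 else LOCAL_DOMAIN)
    for finding in findings:
        print(finding)
    print("OPEN RELAY" if is_open else "not an open relay")
    sys.exit(1 if is_open else 0)
```

A refusal of the external-to-local probe is reported too, because a server that rejects its own domain is as misconfigured as one that relays for everyone, just in the opposite direction.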

Setup Spam filtering with SpamAssassin

Install SpamAssassin:

yum -y install spamassassin

There is nothing else to do: Amavisd-new calls SpamAssassin as a library, so spamd does not need to run or start at boot. The package installs a daily sa-update job in /etc/cron.d; confirm it actually runs on your system so the rules stay current.

Setup Antivirus filtering with ClamAV

Install ClamAV (daemon, virus database, and software):

yum -y install clamd clamav-db clamav

Setup interface between Postfix and SpamAssassin, ClamAV

Amavisd-new connects the MTA (Postfix) to the filters.

Install Amavisd-new:

yum -y install amavisd-new

Save a copy of the configuration file:

 cp /etc/amavisd/amavisd.conf /etc/amavisd/amavisd.conf.original

Edit the Amavisd-new configuration file:

vi /etc/amavisd/amavisd.conf

Uncomment and update:

$myhostname = 'beach.jumpingcrab.com';

Set Postfix to hand mail to amavisd on port 10024:

 vi /etc/postfix/main.cf

add after other parameters we added:

#use amavisd as filter on port 10024
content_filter=amavisfeed:[127.0.0.1]:10024

Save a copy of Postfix master configuration file if not already done:

cp /etc/postfix/master.cf /etc/postfix/master.cf.original

Edit Postfix configuration file:

vi /etc/postfix/master.cf

Add the following lines at the bottom of the file to connect Postfix to Amavisd-new (explanation and updates found in /usr/share/doc/amavisd-new-2.6.4/README_FILES/README.postfix):

amavisfeed unix    -       -       n        -      2     lmtp
     -o lmtp_data_done_timeout=1200
     -o lmtp_send_xforward_command=yes
     -o lmtp_tls_note_starttls_offer=no

127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=

Reload Postfix to pick up the change:

service postfix reload

Set Amavisd-new to start after reboot and start Amavisd-new:

chkconfig amavisd on
service amavisd start

Set ClamAV to start after reboot and start ClamAV:

chkconfig clamd.amavisd on
service clamd.amavisd start
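To prove the filter chain works end to end, here is an added test script (not part of the original page) that sends the GTUBE message, SpamAssassin's standard spam test string, through Postfix on port 25 and then reads amavisd's verdict for the recipient out of /var/log/maillog. GTUBE scores 1000 points, so a working Postfix -> amavisd -> SpamAssassin chain must log it as SPAM whatever $final_spam_destiny does with it. The default recipient, the host name and the lines in SAMPLE_LOG are constructed for this example; the log line layout follows amavisd-new's per-message summary ("Passed CLEAN", "Blocked SPAM", ...). Run it as root on the mail server itself.

```python
#!/usr/bin/env python
"""Send the GTUBE spam test message through Postfix and read amavisd's verdict
from /var/log/maillog.

Added example, not from the original page.  GTUBE is SpamAssassin's standard
test string (it scores 1000 points).  The recipient default and the lines in
SAMPLE_LOG are constructed for this example.
"""
import re
import smtplib
import sys
import time
from email.mime.text import MIMEText

GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
MAILLOG = "/var/log/maillog"

# One amavisd summary line per message:
# "(task) Passed|Blocked CATEGORY, [ip] [ip] <from> -> <to>, ..., Hits: n, ..."
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) "
    r"(?P<action>Passed|Blocked) (?P<category>[A-Z-]+(?: \([^)]*\))?)"
    r"(?: \{[^}]*\})?, .*?<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
    r"(?:.*?Hits: (?P<hits>-?\d+(?:\.\d+)?))?"
)


def parse_verdicts(lines):
    """Extract amavisd verdicts as dicts: task, action, category, sender, rcpt, hits."""
    verdicts = []
    for line in lines:
        m = AMAVIS_RE.search(line)
        if m:
            v = m.groupdict()
            # "Hits: -" is logged for mail that was never scored (e.g. viruses)
            v["hits"] = float(v["hits"]) if v["hits"] is not None else None
            verdicts.append(v)
    return verdicts


def latest_verdict(lines, rcpt):
    """Most recent verdict logged for rcpt, or None if amavisd never saw mail for it."""
    matching = [v for v in parse_verdicts(lines) if v["rcpt"] == rcpt]
    return matching[-1] if matching else None


def send_gtube(host, sender, rcpt):
    """Submit a GTUBE message on port 25 so it passes through the content_filter."""
    msg = MIMEText("This message carries the GTUBE test string:\n\n" + GTUBE + "\n")
    msg["Subject"] = "GTUBE spam filter test"
    msg["From"] = sender
    msg["To"] = rcpt
    smtp = smtplib.SMTP(host, 25, timeout=15)
    try:
        smtp.sendmail(sender, [rcpt], msg.as_string())
    finally:
        smtp.quit()


SAMPLE_LOG = [  # constructed lines in amavisd-new's summary format, for a dry run
    "Aug 22 22:40:11 beach amavis[3456]: (03456-01) Passed CLEAN, [203.0.113.5] [203.0.113.5] "
    "<im@notreal.com> -> <root@beach.jumpingcrab.com>, Message-ID: <1@notreal.com>, "
    "mail_id: ZkQ1Ab2cD3eF, Hits: -0.5, size: 410, queued_as: 9A1B22E10, 950 ms",
    "Aug 22 22:41:03 beach amavis[3456]: (03456-02) Blocked SPAM, [127.0.0.1] [127.0.0.1] "
    "<testpostfix@beach.jumpingcrab.com> -> <root@beach.jumpingcrab.com>, quarantine: spam-4gH5iJ6kL7mN.gz, "
    "Message-ID: <2@beach.jumpingcrab.com>, mail_id: 4gH5iJ6kL7mN, Hits: 1000.0, size: 620, 1234 ms",
    "Aug 22 22:41:30 beach amavis[3456]: (03456-03) Blocked INFECTED (Eicar-Test-Signature), [127.0.0.1] [127.0.0.1] "
    "<testpostfix@beach.jumpingcrab.com> -> <testpostfix@beach.jumpingcrab.com>, quarantine: virus-8oP9qR0sT1uV, "
    "Message-ID: <3@beach.jumpingcrab.com>, mail_id: 8oP9qR0sT1uV, Hits: -, size: 1100, 420 ms",
    "Aug 22 22:41:31 beach postfix/smtpd[3499]: disconnect from localhost[127.0.0.1]",
]


if __name__ == "__main__":
    rcpt = sys.argv[1] if len(sys.argv) > 1 else "root@beach.jumpingcrab.com"
    send_gtube("localhost", rcpt, rcpt)
    time.sleep(5)  # give amavisd time to scan the message and log its verdict
    with open(MAILLOG) as fh:
        verdict = latest_verdict(fh.readlines(), rcpt)
    if verdict is None:
        print("no amavisd verdict found: mail is not passing through the content_filter")
        sys.exit(1)
    print("%s %s (hits: %s)" % (verdict["action"], verdict["category"], verdict["hits"]))
    sys.exit(0 if verdict["category"] == "SPAM" else 1)
```

If the script finds no verdict at all, mail is bypassing amavisd: check that content_filter is set in main.cf and that the amavisfeed entry in master.cf was reloaded. A CLEAN verdict on GTUBE means amavisd is running but SpamAssassin is not being invoked.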

Remove the weak test account (testpostfix) created above before leaving the server exposed to the internet; it has a predictable name and a throwaway password.

Resources

centos_6_email_server.txt · Last modified: 2013/08/22 22:40 (external edit)