Centos - base installation

From Wiki_EAI

Installing Postfix with SMTPUTF8 enabled, Cyrus SASL and OpenSSL

Summary of the mail server

This guide installs a mail server that can receive mail with SMTPUTF8. This prevents the sender's mail from bouncing, which happens when the receiving mail server does not support SMTPUTF8.

This includes IMAP and POP3 using Courier. Users are added as local users, with or without SSH login, and their mail is stored in /home/user.

A modified SquirrelMail is installed to send and receive email (NEED TO TEST THIS).

Any email client can be used, because your own user's address is not an EAI address.


Using Centos 7, 64 Bit

  • Not tested on CentOS 5 and 6; it may not work there.

Install as root, except where the guide specifies a non-privileged user.

Notice, requirements and initial setup

  • CentOS 7 64-bit, minimal installation
  • CentOS 7 comes with Postfix 2.x already installed
  • The guide assumes you are using root, unless otherwise stated.
  • You have already set up your DNS records.
  • hostname is your domain name, e.g. domain.com
  • mail.hostname is the name of your mail server, e.g. mail.domain.com
Update your hostname

If you are using an internationalized domain, use its punycode equivalent.

For example, mail.วีคลาส.ไทย becomes its punycode equivalent mail.xn--42c0eeo3bp.xn--o3cw4h

vi /etc/hostname

Replace the content with your own mail server hostname, for example:

mail.domain.com


Reboot your server to update your hostname.

After reboot, the following command should show your hostname mail.domain.com

hostname

Install Postfix from source and required libraries (Cyrus SASL, OPENSSL)

Get Postfix version 3.0.1 or later to enable the SMTPUTF8 extension. You can get a copy at http://www.postfix.org/download.html. In the example below we downloaded postfix-3.0.1.tar.gz; your version might be different. Currently, installing Postfix by apt-get installs an older version that has no support yet for SMTPUTF8. This may change in the future.

Install the required libraries and tools

yum groupinstall "Development Tools"
yum install cyrus-sasl cyrus-sasl-devel openssl openssl-devel libdb-devel.x86_64 libicu-devel telnet net-tools

Download Postfix 3.0.1 or later version

tar -xzvf postfix-3.0.1.tar.gz
cd postfix-3.0.1
sed -i 's/.\x08//g' README_FILES/*   # strip backspace overstrike sequences from the README files

Compile with openssl and sasl auth

make makefiles CCARGS='-DUSE_TLS -I/usr/include/openssl  -DUSE_SASL_AUTH -DUSE_CYRUS_SASL  -I/usr/include/sasl '   AUXLIBS='-L/usr/lib64  -L/usr/lib64/openssl -L/usr/lib64/sasl2 -lssl -lcrypto -lsasl2'
make

Note: If you are using a 32-bit OS, change /lib64 to /lib in the command above.


Finally, install Postfix

make upgrade

You can remove the configuration files that are no longer used; they are listed at the end of the installation output.

Postfix configuration

Create aliases so that mail for root or postmaster is delivered to a real user (YourLogin). Optional: CentOS 7 already fills this in.

vi /etc/aliases

Copy and paste the code below, change YourLogin to your own user then save and quit.

MAILER-DAEMON:    postmaster
postmaster:       root
root:             YourLogin

Then run

newaliases


Change mail.domain.tld and domain.tld to your own values, and yourotherdomain.tld to another domain you host (or remove it)

postconf compatibility_level=2
postconf -e 'myhostname  = mail.domain.tld'
postconf -e 'mydomain    = domain.tld'
postconf -e 'myorigin    = $mydomain'
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24'
postconf -e 'alias_database = hash:/etc/aliases'
postconf -e 'alias_maps = hash:/etc/aliases'
postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, yourotherdomain.tld'
postconf -e 'smtputf8_enable = yes'


Finally start Postfix for the first time

service postfix restart


Try sending mail using telnet, including to an external server such as Gmail

Test if you have SMTPUTF8 enabled

Enter the command in the console; this connects to the SMTP server

telnet localhost 25

This should show

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 YourHostName ESMTP Postfix


Type the following and press enter

EHLO localhost


If you see 250 SMTPUTF8, your server should be able to send to and receive from internationalized email addresses

250-YourHostName
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8


If you don't see 250 SMTPUTF8, remove Postfix and try again; a package you installed may have pulled in an older Postfix.

Enable SMTP Auth

yum install cyrus-sasl-plain


vi /etc/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN


Update Postfix config

postconf -e 'smtpd_sasl_path = smtpd'
postconf -e 'smtpd_sasl_auth_enable = yes'
service saslauthd start
postfix reload


Create a user for testing authentication; replace AnyUserName with your own.

useradd -m AnyUserName -s /usr/sbin/nologin
passwd AnyUserName


Generate your AUTH PLAIN token; replace username with your username and password with your password

perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'


Replace dGVzdAB0ZXN0AHRlc3Q= with the token you generated

telnet localhost 25
EHLO localhost
AUTH PLAIN dGVzdAB0ZXN0AHRlc3Q=


You should get a message saying Authentication successful.
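The token on the AUTH PLAIN line is only base64 of the three NUL-separated SASL PLAIN fields (authorization identity, authentication identity, password). That is encoding, not encryption: anyone who can read the session can decode it, which is why the TLS section later in this guide matters (Postfix can additionally refuse AUTH on unencrypted connections with smtpd_tls_auth_only = yes). As an added example, not part of the original guide, the shell functions below build the token the same way the perl one-liner does and decode one back into its fields; the user names and passwords in the demo are constructed test data.

```shell
# Added example (not from the original guide): build and decode the SASL
# PLAIN initial response carried on the "AUTH PLAIN ..." line.
# Wire format (RFC 4616): authzid NUL authcid NUL password, then base64.
# The guide uses the same value for authzid and authcid.

# auth_plain_token AUTHZID AUTHCID PASSWORD -> base64 token on stdout
auth_plain_token() {
    # \000 is the octal escape for the NUL separator; the guide's perl
    # one-liner writes the same bytes with "\0".
    printf '%s\000%s\000%s' "$1" "$2" "$3" | base64 | tr -d '\n'
}

# auth_plain_fields TOKEN -> the three fields, space separated.
# Useful to confirm what a client actually sent, e.g. when reviewing an
# unencrypted session from a packet capture.
auth_plain_fields() {
    printf '%s' "$1" | base64 -d | tr '\000' ' '
}

# auth_plain_line AUTHCID PASSWORD -> the full SMTP command to paste
# after EHLO (authzid is set equal to authcid, as in the guide).
auth_plain_line() {
    printf 'AUTH PLAIN %s\n' "$(auth_plain_token "$1" "$1" "$2")"
}

# Stand-alone demo with constructed credentials (user test, password test),
# which reproduces the guide's sample token dGVzdAB0ZXN0AHRlc3Q=
auth_plain_line test test
auth_plain_fields "$(auth_plain_token test test test)"; echo
```

Paste the printed AUTH PLAIN line into the telnet session exactly as the guide shows; auth_plain_fields is the check to run on a token you did not generate yourself.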


Finalize the Postfix config so that only authenticated users can send mail through the server

postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'smtpd_sasl_local_domain = $mydomain'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
postconf -e 'smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_sender_login_mismatch'

Enable TLS

Create the certificates

cd /etc/postfix

openssl req -new -outform PEM -out smtpd.cert \
   -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM \
   -days 365 -x509

Answer the questions as prompted.


Update Postfix config

postconf -e 'smtpd_enforce_tls = no'
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_key_file  = /etc/postfix/smtpd.key'
postconf -e 'smtpd_tls_cert_file  = /etc/postfix/smtpd.cert'
service postfix restart

You can test with telnet localhost 25 followed by EHLO localhost; you should see STARTTLS in the response

250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8

Issue the command

STARTTLS

and you should see the result

220 2.0.0 Ready to start TLS
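The two checks above (250 SMTPUTF8 after the build, 250-STARTTLS after enabling TLS) are worth repeating after every Postfix upgrade, since the guide itself warns that other packages can replace Postfix with an older build. As an added example, not from the original guide, the functions below turn them into a script: ehlo_has_ext tests a saved EHLO response for one extension, ehlo_check reports the three this guide depends on (SMTPUTF8, STARTTLS, AUTH), and smtp_ehlo fetches a live response with the telnet client installed earlier. The host and port (localhost:25) are assumptions, and the sample response is constructed from the listing above.

```shell
# Added example (not from the original guide): check an EHLO response
# for the extensions this guide expects.
# Constructed sample response, in the shape shown in the guide.
SAMPLE_EHLO='250-mail.domain.tld
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8'

# ehlo_has_ext RESPONSE EXT -> 0 if RESPONSE advertises extension EXT.
# Matches both "250-EXT" (continuation line) and "250 EXT" (last line),
# and ignores the trailing CR that telnet leaves on each line.
ehlo_has_ext() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Eiq "^250[- ]$2( |\$)"
}

# ehlo_check RESPONSE -> one verdict line per required extension;
# returns 1 if any of them is missing (usable from a monitoring script).
ehlo_check() {
    ehlo_missing=0
    for ext in SMTPUTF8 STARTTLS AUTH; do
        if ehlo_has_ext "$1" "$ext"; then
            echo "ok       $ext"
        else
            echo "MISSING  $ext"
            ehlo_missing=1
        fi
    done
    return $ehlo_missing
}

# smtp_ehlo [HOST] [PORT] -> the 250 lines of a live EHLO, using the telnet
# client the guide installs. The sleeps give the server time to answer
# before stdin closes; lengthen them if your server greets slowly.
smtp_ehlo() {
    host=${1:-localhost}; port=${2:-25}
    { sleep 1; printf 'EHLO localhost\r\n'; sleep 1; printf 'QUIT\r\n'; } \
        | telnet "$host" "$port" 2>/dev/null | grep '^250'
}

# Demo on the constructed sample. On a real server run:
#   ehlo_check "$(smtp_ehlo localhost 25)"
ehlo_check "$SAMPLE_EHLO"
```

A response without 250-STARTTLS but with 250-AUTH is the case to watch for: it means the server is offering password authentication on a connection that cannot be encrypted.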

Sending and Receiving email to and from the Internet

  • Note: installing a command-line mail client may downgrade your Postfix to an older version.

Sending email by telnet

telnet localhost 25
EHLO localhost

MAIL FROM: <youruser@domain.tld> SMTPUTF8
RCPT TO: <EAI@IDN.idn>
data
Subject: A Test

This is the body

.

Note the single dot (.) on a line by itself; it ends the message and sends it.


At this point, make sure you can send and receive mail.

You can send a message using an EAI address and check /var/log/maillog; in the log below, test@domain.tld is a local recipient

Aug  3 02:48:49 ip-172-31-21-209 postfix/local[21614]: 7EAD343550: to=<test@domain.tld>, relay=local, delay=0.62, delays=0.62/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Aug  3 02:48:49 ip-172-31-21-209 postfix/qmgr[21586]: 7EAD343550: removed

The mail is stored in /var/mail/

If you cannot receive any email, use an online tool such as mxtoolbox.com to diagnose the problem.
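Reading maillog by eye works for one test message; once real traffic arrives you want the queue ID, recipient, DSN code and delivery status pulled out of each line, and a count per status so that deferred or bounced deliveries stand out. The functions below are an added example, not from the original guide. The sample log is constructed: the first two lines are the guide's own, the third is an invented deferred delivery to a documentation-range address (example.org, 192.0.2.10).

```shell
# Added example (not from the original guide): summarise Postfix delivery
# results from /var/log/maillog. The sample log is constructed; the first
# two lines are the guide's own, the third is an invented deferred delivery.
SAMPLE_LOG='Aug  3 02:48:49 ip-172-31-21-209 postfix/local[21614]: 7EAD343550: to=<test@domain.tld>, relay=local, delay=0.62, delays=0.62/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Aug  3 02:48:49 ip-172-31-21-209 postfix/qmgr[21586]: 7EAD343550: removed
Aug  3 02:50:12 ip-172-31-21-209 postfix/smtp[21630]: 1A2B3C4D5E: to=<someone@example.org>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to example.org[192.0.2.10]:25: Connection timed out)'

# maillog_status < LOG -> "QUEUEID recipient status dsn", one line per
# delivery attempt. Lines without a status= field (qmgr "removed", pickup,
# cleanup, ...) are skipped. Hex and long-form queue IDs are both matched.
maillog_status() {
    grep -E 'status=(sent|deferred|bounced)' \
    | sed -E 's/.*: ([0-9A-Za-z]+): to=<([^>]*)>.*dsn=([0-9.]+), status=([a-z]+).*/\1 \2 \4 \3/'
}

# maillog_counts < LOG -> "status count" per status, e.g. "deferred 1"
maillog_counts() {
    grep -oE 'status=(sent|deferred|bounced)' | sed 's/status=//' \
    | sort | uniq -c | awk '{ print $2, $1 }'
}

# Demo on the constructed sample. On the server itself run:
#   maillog_status < /var/log/maillog
#   maillog_counts < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | maillog_status
printf '%s\n' "$SAMPLE_LOG" | maillog_counts
```

The DSN code in the last column is the quickest way to tell a temporary failure (4.x.x, Postfix will retry) from a permanent one (5.x.x, the message bounced).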

Configuring Courier authlib, Courier imap

This will enable IMAP and POP3

Install libtool, which authlib requires:

yum install libtool-ltdl-devel.x86_64

Install Courier Unicode Library 1.2, which can be downloaded from http://sourceforge.net/projects/courier/files/courier-unicode

tar -jxvf courier-unicode-1.2.tar.bz2
cd courier-unicode-1.2
./configure
make
make install

Download authlib from http://sourceforge.net/projects/courier/files/authlib/ (the latest version at the time of writing was 0.66.3)

tar -jxvf courier-authlib-0.66.3.tar.bz2
cd courier-authlib-0.66.3
./configure --with-authshadow --with-mailuser=postfix --with-mailgroup=postfix
make
make install
make install-configure

Edit /usr/local/etc/authlib/authdaemonrc and change the authentication method to

authmodulelist="authshadow"


Edit /etc/ld.so.conf.d/locallibs.conf and add

/usr/local/lib


Apply the changes:

ldconfig

Then start it:

/usr/local/sbin/authdaemond  start

Check if it is running

ps -ef |grep authdaemond

It should show the following

 26393 26392  0 10:26 ?        00:00:00 /usr/local/libexec/courier-authlib/authdaemond
 26394 26393  0 10:26 ?        00:00:00 /usr/local/libexec/courier-authlib/authdaemond
 26395 26393  0 10:26 ?        00:00:00 /usr/local/libexec/courier-authlib/authdaemond
 26396 26393  0 10:26 ?        00:00:00 /usr/local/libexec/courier-authlib/authdaemond
 26397 26393  0 10:26 ?        00:00:00 /usr/local/libexec/courier-authlib/authdaemond
 26398 26393  0 10:26 ?        00:00:00 /usr/local/libexec/courier-authlib/authdaemond


NOTE: You must switch to a normal user (not root) for the next steps. Create a new user first if you don't have one.

Install Courier IMAP, which supports both IMAP and POP3

Download from http://sourceforge.net/projects/courier/files/imap

tar -jxvf courier-imap-4.16.2.tar.bz2
cd courier-imap-4.16.2
./configure
make

You can switch back to root here if you don't want to use sudo

sudo make install
sudo make install-configure
cd /usr/lib/courier-imap/libexec
./pop3d.rc start

Check that pop3d is listening (port 110)

netstat -ntlp | grep 110

Enabling SSL using a self-signed certificate

cd /usr/lib/courier-imap/etc
vi pop3d.cnf

Modify as needed, then save and quit

[ req_dn ]
C=US
ST=NY
L=New York
O=Courier Mail Server
OU=Automatically-generated POP3 SSL key
CN=localhost
emailAddress=postmaster@example.com

Now generate the certificates

cd ../share
./mkpop3dcert

You can now start POP3 over SSL; it listens on port 995

cd /usr/lib/courier-imap/libexec
./pop3d-ssl.rc start
netstat -tulpn |grep 995

Finally enable pop3 and pop3s at init

@TODO

Continue with IMAP

/usr/lib/courier-imap/libexec/imapd.rc start
netstat -ntlp | grep 143


Edit /usr/lib/courier-imap/etc/imapd and change IMAPDSTART=NO to

IMAPDSTART=yes

Enable IMAP SSL using self-generated certificates

Edit /usr/lib/courier-imap/etc/imapd.cnf, adjust the values as needed, then generate the certificates:

/usr/lib/courier-imap/share/mkimapdcert

Now start and check IMAP over SSL

/usr/lib/courier-imap/libexec/imapd-ssl.rc start
netstat -ntlp |grep 993


Finally enable at startup

@TODO


Configure Postfix to use Maildir as the mail storage format

postconf -e 'home_mailbox = Maildir/'
postfix reload

Update the skeleton directory and create the folders for the user created earlier. In this example the user is test.

mkdir -p /etc/skel/Maildir/{cur,new,tmp}

mkdir -p /home/test/Maildir/{cur,new,tmp}
chown test:test /home/test/Maildir/{,cur,new,tmp}
chmod 0700 /home/test/Maildir/{,cur,new,tmp}
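The ownership and 0700 mode above are not cosmetic: Postfix local delivery writes into the user's own Maildir, so the tree must belong to that user, and 0700 keeps other local accounts (the guide creates several) from reading each other's mailboxes. As an added example, not from the original guide, the functions below create a Maildir the way the commands above do and audit existing ones across /home. The user names and the /home base are placeholders; the audit needs root only because it reads other users' home directories, and the demo runs in a scratch directory.

```shell
# Added example (not from the original guide): create and audit Maildir
# trees. Layout and permissions follow the commands in the guide:
# Maildir/, cur/, new/, tmp/ owned by the user and mode 0700.

# maildir_create DIR [OWNER] -> creates DIR/{cur,new,tmp} with mode 0700
# and, if OWNER is given, chowns the tree to OWNER:OWNER (needs root).
maildir_create() {
    dir=$1; owner=$2
    mkdir -p "$dir/cur" "$dir/new" "$dir/tmp"
    chmod 0700 "$dir" "$dir/cur" "$dir/new" "$dir/tmp"
    if [ -n "$owner" ]; then
        chown "$owner:$owner" "$dir" "$dir/cur" "$dir/new" "$dir/tmp"
    fi
}

# maildir_check DIR -> 0 if DIR and its three subdirectories exist with
# mode 0700; otherwise prints each problem and returns 1.
# Uses GNU stat (-c %a), which is what CentOS ships.
maildir_check() {
    dir=$1; bad=0
    for sub in . cur new tmp; do
        d="$dir/$sub"
        if [ ! -d "$d" ]; then
            echo "missing: $d"; bad=1; continue
        fi
        mode=$(stat -c %a "$d")
        if [ "$mode" != 700 ]; then
            echo "mode $mode (want 700): $d"; bad=1
        fi
    done
    return $bad
}

# maildir_audit_all [HOMEBASE] -> runs maildir_check on every
# HOMEBASE/*/Maildir (default /home); returns 1 if any mailbox fails.
maildir_audit_all() {
    base=${1:-/home}; rc=0
    for home in "$base"/*/; do
        [ -d "$home/Maildir" ] || continue
        maildir_check "$home/Maildir" || rc=1
    done
    return $rc
}

# Demo in a scratch directory with a constructed user name; no real
# accounts are touched. On the server: maildir_audit_all /home
scratch=$(mktemp -d)
maildir_create "$scratch/alice/Maildir"
maildir_check "$scratch/alice/Maildir" && echo "alice: ok"
chmod 0755 "$scratch/alice/Maildir/new"   # deliberately weaken one directory
maildir_check "$scratch/alice/Maildir" || echo "alice: needs fixing"
rm -rf "$scratch"
```

Because /etc/skel/Maildir is copied for every new user, running maildir_audit_all once after adding users catches the case where the skeleton was created with a permissive umask.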

Test IMAP and POP3

telnet localhost imap
ok login username password


telnet localhost pop3
User username
Pass password

Open the firewall

firewall-cmd --zone=public --add-port=995/tcp --permanent
firewall-cmd --zone=public --add-port=110/tcp --permanent
firewall-cmd --zone=public --add-port=143/tcp --permanent
firewall-cmd --zone=public --add-port=25/tcp --permanent
firewall-cmd --reload

Install SquirrelMail

Make sure you have apache and php installed.

Install the modified SquirrelMail

cd to-your-public-html-folder
wget http://interlab.ait.ac.th/eai-wiki/files/squirrelmail.zip
unzip squirrelmail.zip

Edit the configuration file and change attachment_dir and data_dir; don't forget to create those folders, change their ownership to your Apache user and make them writable.

vi squirrelmail/config/config.php

Access SquirrelMail at

http://your-domain/squirrelmail/

Related Links

Mail server is not sending or receiving email to outside world



Sources

http://postfix.org/