Long version - Step by step with explanations
Installing Postfix with SMTPUTF8 enabled, Cyrus SASL and OpenSSL
Contents
- 1 Summary of the mail server
- 2 Notice, requirements and initial setup
- 3 Install Postfix from source and required libraries (Cyrus SASL, OPENSSL)
- 4 Postfix configuration
- 5 Test if you have SMTPUTF8 enabled
- 6 Enable SMTP Auth
- 7 Enable TLS
- 8 Sending and Receiving email to and from the Internet
- 9 Configuring Courier authlib, Courier imap
- 10 Test imap, pop3
- 11 Install Squirrel-mail
- 12 Errors
- 13 Related Links
- 14 Sources
Summary of the mail server
This guide installs a mail server that can receive mail over SMTPUTF8. Without SMTPUTF8 support, mail from senders with internationalized (EAI) addresses bounces.
It includes IMAP and POP3 using Courier. Users are added as local Unix users, with or without SSH login, and their mail is stored under /home/user.
A modified Squirrel-mail is installed to send and receive email?? (NEED TO TEST THIS)
Any email client can be used, since your own user account is not an EAI address.
Using Ubuntu 14.04 (Trusty)
Notice, requirements and initial setup
- Make sure you don't have Postfix installed, and do not use apt-get to install any mail component: it would install an older version of Postfix which does not support SMTPUTF8
- If you install any mail component after the installation, test that your server still returns SMTPUTF8 in the EHLO reply
- You have already set up your DNS records
- hostname is the name of your domain, e.g. domain.com
- mail.hostname is the name of your mail server, e.g. mail.domain.com
Update your hostname
If you are using an internationalized domain, use the punycode equivalent.
For example mail.วีคลาส.ไทย should be punycode equivalent mail.xn--42c0eeo3bp.xn--o3cw4h
sudo hostname mail.domain.com
Reboot your server to update your hostname.
After reboot, the following command should show your hostname mail.domain.com
hostname
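The punycode step above can be scripted instead of looked up by hand. The following is an added example, not part of the original guide: it converts each label of an internationalized hostname to its xn-- form (and back) using Python's built-in punycode codec, and checks the DNS label length limit. It performs only the punycode encoding; the normalization and validity rules of full IDNA processing are what a dedicated library such as the `idna` package would add, and the `mail.วีคลาส.ไทย` input is the example hostname used in this section.

```python
import codecs

# Added example: encode an internationalized hostname label by label into the
# ASCII (xn--) form that `hostname` and DNS expect, and decode it again.
# Only the punycode step is done here; full IDNA normalization is out of scope.

MAX_LABEL_LEN = 63  # DNS label length limit (RFC 1035)


def to_alabel(label: str) -> str:
    """ASCII labels pass through (lowercased); other labels become xn--<punycode>."""
    if not label:
        raise ValueError("empty label (double dot or trailing dot) in hostname")
    if label.isascii():
        alabel = label.lower()
    else:
        alabel = "xn--" + codecs.encode(label, "punycode").decode("ascii")
    if len(alabel) > MAX_LABEL_LEN:
        raise ValueError(f"label too long for DNS after encoding: {alabel!r}")
    return alabel


def to_ulabel(label: str) -> str:
    """Inverse of to_alabel: decode an xn-- label back to Unicode, pass ASCII through."""
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def hostname_to_ascii(hostname: str) -> str:
    """e.g. mail.วีคลาส.ไทย -> mail.xn--<...>.xn--o3cw4h, one label at a time."""
    return ".".join(to_alabel(part) for part in hostname.split("."))


def hostname_to_unicode(hostname: str) -> str:
    """Decode an xn-- hostname back to its Unicode form."""
    return ".".join(to_ulabel(part) for part in hostname.split("."))


if __name__ == "__main__":
    name = "mail.วีคลาส.ไทย"  # the example hostname used in this guide
    ascii_name = hostname_to_ascii(name)
    print(f"sudo hostname {ascii_name}")
    print("round trip ok:", hostname_to_unicode(ascii_name) == name)
```

Run it and paste the printed `sudo hostname` line; the round-trip check confirms that the encoded name decodes back to exactly what you typed.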
Install Postfix from source and required libraries (Cyrus SASL, OPENSSL)
Get Postfix version 3.0.1 or later to enable the SMTPUTF8 extension. You can get a copy at http://www.postfix.org/download.html. In the example below we have downloaded postfix-3.0.1.tar.gz; your version might be different. Currently, installing Postfix with apt-get installs an older version that does not yet support SMTPUTF8. This may change in the future. This guide is originally from http://www.linuxfromscratch.org/blfs/view/cvs/server/postfix.html
Install the required libraries and create the Postfix users, groups and spool ownership
sudo apt-get update
sudo apt-get install icu-devtools libicu-dev libsasl2-dev libssl-dev
sudo apt-get build-dep postfix
sudo groupadd -g 32 postfix
sudo groupadd postdrop
sudo useradd -c "Postfix Daemon User" -d /var/spool/postfix -g postfix -s /bin/false -u 32 postfix
sudo chown -v postfix:postfix /var/mail
Download Postfix 3.0.1 or later version
tar -xzvf postfix-3.0.1.tar.gz
cd postfix-3.0.1
sed -i 's/.\x08//g' README_FILES/*
Compile with OpenSSL and SASL authentication support
make CCARGS="-DUSE_TLS -I/usr/include/openssl/ \
-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl" \
AUXLIBS="-lssl -lcrypto -lsasl2" makefiles && make
Install Postfix
sudo sh postfix-install -non-interactive daemon_directory=/usr/lib/postfix \
manpage_directory=/usr/share/man \
html_directory=/usr/share/doc/postfix-3.0.1/html \
readme_directory=/usr/share/doc/postfix-3.0.1/readme
Postfix configuration
Create aliases so that mail for root or postmaster is delivered to a real user (YourLogin)
sudo vi /etc/aliases
Copy and paste the lines below, change YourLogin to your own user, then save and quit.
MAILER-DAEMON: postmaster
postmaster: root
root: YourLogin
then
sudo newaliases
Change mail.domain.tld, domain.tld and yourotherdomain.tld to your own values (or remove yourotherdomain.tld if you have no second domain)
sudo postconf -e 'myhostname = mail.domain.tld'
sudo postconf -e 'mydomain = domain.tld'
sudo postconf -e 'myorigin = $mydomain'
sudo postconf -e 'inet_interfaces = all'
sudo postconf -e 'mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24'
sudo postconf -e 'alias_database = hash:/etc/aliases'
sudo postconf -e 'alias_maps = hash:/etc/aliases'
sudo postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, yourotherdomain.tld'
sudo postconf -e 'smtputf8_enable = yes'
Finally, start Postfix for the first time
sudo /usr/sbin/postfix start
@TODO
Enable Postfix service to run at startup
Try sending a mail with telnet to an external server such as Gmail
Test if you have SMTPUTF8 enabled
Enter the command in the console; this connects to the SMTP server on port 25
telnet localhost 25
This should result in
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 YourHostName ESMTP Postfix
Type the following and press Enter
EHLO localhost
If you see 250 SMTPUTF8, your server can send to and receive from internationalized email addresses
250-YourHostName
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
If you don't see 250 SMTPUTF8, remove Postfix and install it again: you may have installed a component that pulled in an older Postfix.
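The telnet check above is easy to automate, which is useful after every apt-get run given the warning that another package may replace Postfix. The following is an added example, not code from the original guide: it opens the same connection, reads the banner, sends EHLO, and parses the multi-line 250 reply into a dictionary of advertised extensions so that SMTPUTF8 (or its absence) can be checked from a script. The sample reply embedded in the block is constructed from the EHLO output shown above; `probe_ehlo` talks to a real server and assumes it listens on localhost port 25 as configured in this guide.

```python
import socket

# Constructed sample: the EHLO reply shape shown in this section (not a live capture).
SAMPLE_EHLO_REPLY = (
    "250-YourHostName\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-VRFY\r\n"
    "250-ETRN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250-DSN\r\n"
    "250 SMTPUTF8\r\n"
)


def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line 250 EHLO reply into {EXTENSION: parameter string}.

    The first 250 line carries the server's hostname, not an extension, so it
    is skipped; a non-250 reply (e.g. 502 from a server rejecting EHLO) raises.
    """
    lines = [ln.rstrip("\r") for ln in reply.split("\n") if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError(f"EHLO was not accepted: {lines[0] if lines else 'empty reply'}")
    features = {}
    for ln in lines[1:]:
        if not ln.startswith("250") or len(ln) < 4:
            raise ValueError(f"unexpected line in EHLO reply: {ln!r}")
        name, _, params = ln[4:].strip().partition(" ")
        if name:
            features[name.upper()] = params.strip()
    return features


def supports_smtputf8(features: dict) -> bool:
    """True when the server advertised the SMTPUTF8 extension (RFC 6531)."""
    return "SMTPUTF8" in features


def read_reply(fp) -> str:
    """Read one complete SMTP reply; continuation lines have '-' after the 3-digit code."""
    chunks = []
    while True:
        ln = fp.readline()
        if not ln:
            raise ConnectionError("server closed the connection")
        chunks.append(ln)
        if len(ln) < 4 or ln[3] != "-":
            return "".join(chunks)


def probe_ehlo(host: str = "localhost", port: int = 25, timeout: float = 10.0) -> dict:
    """Connect like the telnet session above, send EHLO and return the parsed extensions."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        fp = sock.makefile("r", encoding="utf-8", errors="replace", newline="\n")
        banner = read_reply(fp)
        if not banner.startswith("220"):
            raise ConnectionError(f"unexpected banner: {banner.strip()}")
        sock.sendall(b"EHLO localhost\r\n")
        features = parse_ehlo(read_reply(fp))
        sock.sendall(b"QUIT\r\n")
        return features


if __name__ == "__main__":
    feats = probe_ehlo()
    print("SMTPUTF8 enabled" if supports_smtputf8(feats) else "SMTPUTF8 NOT advertised")
```

The exit condition in `read_reply` is the SMTP rule that every line of a multi-line reply except the last has a hyphen after the status code, so the function returns on the first line whose fourth character is a space.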
Enable SMTP Auth
sudo apt-get install libsasl2-modules sasl2-bin
sudo cp /etc/default/saslauthd /etc/default/saslauthd-postfix
Edit /etc/default/saslauthd-postfix and set START, NAME and OPTIONS
START=yes
DESC="SASL Auth. Daemon for Postfix"
NAME="saslauthd-postf" # max. 15 char.
# Option -m sets working dir for saslauthd (contains socket)
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" # postfix/smtp in chroot()
sudo rm -rf /run/saslauthd
sudo ln -s /var/spool/postfix/var/run/saslauthd /run/saslauthd
sudo dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
sudo adduser postfix sasl
cd /etc/pam.d
sudo cp other smtp
sudo service saslauthd restart
sudo mkdir /etc/sasl2
Create or edit /etc/sasl2/smtpd.conf. Only the PLAIN and LOGIN mechanisms will be offered.
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
Update Postfix config
sudo postconf -e 'smtpd_sasl_path = smtpd'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postfix reload
Create a user we can test authentication with; replace AnyUserName with your own.
sudo useradd -m AnyUserName -s /usr/sbin/nologin
sudo passwd AnyUserName
Generate your AUTH PLAIN token; replace username with your username and password with your password
perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
Replace dGVzdAB0ZXN0AHRlc3Q= with the token you generated
telnet localhost 25
EHLO localhost
AUTH PLAIN dGVzdAB0ZXN0AHRlc3Q=
You should get the message Authentication successful.
Finalize the Postfix config so that only authenticated users (and mynetworks) may relay mail
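The token produced by the perl one-liner is the RFC 4616 AUTH PLAIN initial response: the authorization identity, the authentication identity and the password joined by NUL bytes and base64-encoded. The following is an added example, not from the original guide, that builds the same token (defaulting to the username in both identity fields, as the perl command does) and decodes one back into its three fields. The decoder makes the point that matters for the TLS section that follows: base64 is encoding, not encryption, so anyone who can read the plaintext SMTP session has the password. Reading the password with `getpass` also keeps it out of the shell history, unlike the one-liner.

```python
import base64
import getpass
from typing import Optional


def plain_token(authcid: str, password: str, authzid: Optional[str] = None) -> str:
    """Build the AUTH PLAIN initial response of RFC 4616:
    base64( authzid NUL authcid NUL password ).

    The perl one-liner in this guide puts the username in both identity fields,
    so that is the default here; an empty authzid ("act as myself") is also valid.
    """
    if authzid is None:
        authzid = authcid
    for part in (authzid, authcid, password):
        if "\0" in part:
            raise ValueError("NUL is the field separator and may not appear in a field")
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain_token(token: str) -> tuple:
    """Split a token back into (authzid, authcid, password).

    This is trivially reversible, which is why AUTH PLAIN must only be offered
    inside TLS (see the Enable TLS section).
    """
    fields = base64.b64decode(token, validate=True).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError("AUTH PLAIN payload must have exactly three NUL-separated fields")
    return tuple(fields)


if __name__ == "__main__":
    user = input("username: ")
    pw = getpass.getpass("password: ")  # not echoed, not stored in shell history
    print("AUTH PLAIN", plain_token(user, pw))
```

The identities are UTF-8 encoded before base64, so a non-ASCII local username (the point of this guide) produces a valid token as well.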
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'smtpd_sasl_local_domain = $mydomain'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
sudo postconf -e 'smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_sender_login_mismatch'
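After the `postconf -e` commands in the Postfix configuration section and the relay restrictions just set, it is worth verifying the result rather than trusting that every command took effect. The following is an added example, not from the original guide: it parses `postconf -n` output (the non-default settings, in `name = value` form) and audits the points this guide depends on: that `smtputf8_enable` is yes, that `smtpd_relay_restrictions` still ends in `reject_unauth_destination` with no bare `permit` before it (otherwise the server is an open relay), that `mynetworks` does not trust the whole Internet, and that `smtpd_sasl_security_options` keeps `noanonymous`. It also reports when `smtpd_tls_auth_only` is not yes, because with this guide's settings Postfix offers AUTH PLAIN/LOGIN before STARTTLS. The embedded sample is constructed from the settings applied on this page, and the defaults listed in `DEFAULTS` are the Postfix defaults assumed for parameters that `postconf -n` does not print.

```python
import subprocess

# Constructed sample in `postconf -n` format, built from the settings this guide applies
# (postconf -n prints only parameters that differ from the compiled-in defaults).
SAMPLE_POSTCONF_N = """\
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_sender_login_mismatch
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtputf8_enable = yes
"""

# Postfix defaults assumed for parameters that postconf -n does not print.
DEFAULTS = {
    "smtpd_relay_restrictions": "permit_mynetworks permit_sasl_authenticated defer_unauth_destination",
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_tls_auth_only": "no",
}


def parse_postconf(text: str) -> dict:
    """Parse `name = value` lines as printed by postconf -n."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf


def split_list(value: str) -> list:
    """Postfix list values are separated by commas and/or whitespace."""
    return value.replace(",", " ").split()


def audit(conf: dict) -> list:
    """Return findings as 'CODE: text' strings; an empty list means all checks passed."""
    def get(name: str) -> str:
        return conf.get(name, DEFAULTS.get(name, ""))

    findings = []
    if get("smtputf8_enable").lower() != "yes":
        findings.append("SMTPUTF8: smtputf8_enable is not set to yes")

    # Relay control: a reject/defer_unauth_destination must be present and must not be
    # preceded by a bare 'permit', or the server relays for anyone.
    relay = split_list(get("smtpd_relay_restrictions"))
    guards = [i for i, r in enumerate(relay)
              if r in ("reject_unauth_destination", "defer_unauth_destination")]
    if not guards:
        findings.append("OPEN-RELAY: smtpd_relay_restrictions has no reject_unauth_destination")
    elif "permit" in relay and relay.index("permit") < guards[0]:
        findings.append("OPEN-RELAY: a bare 'permit' precedes reject_unauth_destination")

    if any(n in ("0.0.0.0/0", "[::]/0") for n in split_list(get("mynetworks"))):
        findings.append("MYNETWORKS: mynetworks trusts the whole Internet")

    if get("smtpd_sasl_auth_enable").lower() == "yes":
        if "noanonymous" not in split_list(get("smtpd_sasl_security_options")):
            findings.append("SASL: smtpd_sasl_security_options lacks noanonymous")
        if get("smtpd_tls_auth_only").lower() != "yes":
            findings.append("AUTH-IN-CLEAR: smtpd_tls_auth_only is not yes, "
                            "so AUTH PLAIN/LOGIN is offered before STARTTLS")
    return findings


def audit_running_server() -> list:
    """Read the live configuration with `postconf -n` and audit it."""
    out = subprocess.run(["postconf", "-n"], check=True, capture_output=True, text=True).stdout
    return audit(parse_postconf(out))


if __name__ == "__main__":
    for finding in audit_running_server() or ["all checks passed"]:
        print(finding)
```

Run on the configuration built so far, the only finding is AUTH-IN-CLEAR; it disappears once `smtpd_tls_auth_only = yes` is set after the TLS section has been completed.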
Enable TLS
Create a self-signed certificate and key
cd /etc/postfix
sudo openssl req -new -outform PEM -out smtpd.cert \
-newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM \
-days 365 -x509
Answer the questions as prompted
Update Postfix config
sudo postconf -e 'smtpd_enforce_tls = no'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_use_tls = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/postfix/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/postfix/smtpd.cert'
sudo postfix reload
You can test by telnetting to port 25 and sending EHLO; you should now see STARTTLS
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
Issue the command
STARTTLS
and you should see the reply
220 2.0.0 Ready to start TLS
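The EHLO listing above shows AUTH PLAIN LOGIN being offered on the plaintext connection, before STARTTLS. Because the AUTH PLAIN token is only base64, a client that authenticates there sends its password in the clear; Postfix's `smtpd_tls_auth_only = yes` makes the server advertise AUTH only after TLS has been negotiated. The following added example, not code from the original guide, automates the manual STARTTLS check with `smtplib`: it sends EHLO, records the extensions, upgrades with STARTTLS, sends EHLO again and compares the two lists. It assumes the server runs on localhost port 25 and pins the self-signed certificate this section created at /etc/postfix/smtpd.cert as the only trusted certificate (hostname matching is skipped because the CN is whatever was typed at the openssl prompt, but the chain is still verified against that file). `assess` is the pure comparison and works on the feature dictionaries `smtplib` exposes as `esmtp_features`.

```python
import smtplib
import ssl
from typing import Optional, Tuple


def assess(before: dict, after: Optional[dict]) -> list:
    """Compare two smtplib esmtp_features dicts (keys are lowercase extension names).

    `before` is from the EHLO on the plaintext connection, `after` from the EHLO
    sent inside TLS (None when STARTTLS was not offered). Returns findings.
    """
    findings = []
    if "starttls" not in before:
        findings.append("STARTTLS is not advertised")
    if "auth" in before:
        findings.append("AUTH %s is offered before STARTTLS; set smtpd_tls_auth_only = yes"
                        % before["auth"].strip())
    if after is not None and "auth" not in after:
        findings.append("AUTH is not offered after STARTTLS")
    return findings


def probe(host: str = "localhost", port: int = 25,
          cafile: str = "/etc/postfix/smtpd.cert") -> Tuple[dict, Optional[dict], Optional[str]]:
    """EHLO, STARTTLS, EHLO again; returns (features_before, features_after, tls_version)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("localhost")
        before = dict(smtp.esmtp_features)
        after, version = None, None
        if smtp.has_extn("starttls"):
            # Trust exactly the self-signed certificate created in this section. Its CN is
            # whatever was typed at the openssl prompt, so hostname matching is skipped,
            # but verify_mode stays CERT_REQUIRED against that single file.
            ctx = ssl.create_default_context(cafile=cafile)
            ctx.check_hostname = False
            smtp.starttls(context=ctx)
            smtp.ehlo("localhost")  # smtplib clears the feature list after STARTTLS
            after = dict(smtp.esmtp_features)
            version = smtp.sock.version()
        return before, after, version


if __name__ == "__main__":
    before, after, version = probe()
    print("TLS:", version or "not negotiated")
    for finding in assess(before, after) or ["AUTH is only offered inside TLS"]:
        print(finding)
```

`smtplib` stores the AUTH mechanisms with a leading space (it concatenates parameters), which is why `assess` strips the value before printing it.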
Sending and Receiving email to and from the Internet
- Note: installing a command-line mail client with apt-get may replace your Postfix with an older version.
Sending email by telnet
telnet localhost 25
EHLO localhost
MAIL FROM: <youruser@domain.tld> SMTPUTF8
RCPT TO: <EAI@IDN.idn>
data
Subject: A Test
This is the body
.
Note the dot (.) alone on the last line; it ends the message and queues it for delivery.
At this point, make sure you can both send and receive mail.
You can send a message from an EAI address and check /var/mail/mail.log; in the log below test@domain.tld is a local recipient
Aug 3 02:48:49 ip-172-31-21-209 postfix/local[21614]: 7EAD343550: to=<test@domain.tld>, relay=local, delay=0.62, delays=0.62/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Aug 3 02:48:49 ip-172-31-21-209 postfix/qmgr[21586]: 7EAD343550: removed
Delivered mail is stored in /var/mail/
If you cannot receive any email, use an online tool such as mxtoolbox.com to diagnose the problem.
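The two log lines above are the record to check when a delivery is in doubt: `postfix/local` reports the per-recipient outcome, `postfix/qmgr` removes the queue entry. The following is an added example, not from the original guide, that parses Postfix log lines of this shape into fields (queue id, recipient, relay, DSN code, status and the text in parentheses) and summarizes deliveries by status, so bounces stand out. The sample lines are constructed: the first two copy the shape of the lines above, the third is an invented bounce with a placeholder queue id and an RFC 5737 documentation address, added so that the summary shows more than one status. On Ubuntu the live file is normally /var/log/mail.log, which `load` takes as its default path.

```python
import re
from collections import Counter

# Constructed sample: lines 1-2 follow the shape shown above; line 3 is an invented
# bounce (placeholder queue id, documentation address) so two statuses appear.
SAMPLE_LOG = """\
Aug  3 02:48:49 ip-172-31-21-209 postfix/local[21614]: 7EAD343550: to=<test@domain.tld>, relay=local, delay=0.62, delays=0.62/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Aug  3 02:48:49 ip-172-31-21-209 postfix/qmgr[21586]: 7EAD343550: removed
Aug  3 02:51:07 ip-172-31-21-209 postfix/smtp[21640]: PLACEHOLDER01: to=<ผู้ใช้@example.invalid>, relay=example.invalid[192.0.2.10]:25, delay=0.3, delays=0.3/0/0/0, dsn=5.6.7, status=bounced (SMTPUTF8 is required, but was not offered by host example.invalid)
"""

# syslog prefix, "postfix/<process>[<pid>]: <queue id>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>[\w/-]+)\[(?P<pid>\d+)\]: (?P<qid>\w+): (?P<msg>.*)$")
# key=value pairs; values are either <angle-bracketed> or run to the next comma/space
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")
STATUS_RE = re.compile(r"status=(\w+)(?: \((.*)\))?")


def parse_line(line: str):
    """Return a dict of fields for a Postfix log line, or None if it is not one.

    Delivery records (messages starting with to=<...>) additionally get
    to, relay, dsn, status and detail keys.
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    if rec["msg"].startswith("to=<"):
        kv = dict(KV_RE.findall(rec["msg"]))
        rec["to"] = kv.get("to", "").strip("<>")
        rec["relay"] = kv.get("relay", "")
        rec["dsn"] = kv.get("dsn", "")
        status = STATUS_RE.search(rec["msg"])
        rec["status"] = status.group(1) if status else ""
        rec["detail"] = (status.group(2) or "") if status else ""
    return rec


def deliveries(lines) -> list:
    """Only the per-recipient delivery records, in file order."""
    return [r for r in map(parse_line, lines) if r is not None and "to" in r]


def summarize(lines) -> Counter:
    """Count delivery records by status (sent, bounced, deferred, ...)."""
    return Counter(r["status"] for r in deliveries(lines))


def not_sent(lines) -> list:
    """Delivery records whose status is anything other than sent."""
    return [r for r in deliveries(lines) if r["status"] != "sent"]


def load(path: str = "/var/log/mail.log") -> list:
    """Read a live log file (default: the Ubuntu mail log location, an assumption)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.readlines()


if __name__ == "__main__":
    lines = load()
    print(dict(summarize(lines)))
    for r in not_sent(lines):
        print(r["ts"], r["qid"], r["to"], r["status"], r["dsn"], r["detail"])
```

The `to=` value is kept with its angle brackets stripped so that internationalized addresses compare directly against what was typed in the RCPT TO command.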
Configuring Courier authlib, Courier imap
This will enable imap and pop3
Install libtool, which is a requirement for authlib.
sudo apt-get install libtool
Install the Courier Unicode Library 1.2, which can be downloaded from http://sourceforge.net/projects/courier/files/courier-unicode
tar -jxvf courier-unicode-1.2.tar.bz2
cd courier-unicode-1.2
./configure
make
sudo make install
Download authlib from http://sourceforge.net/projects/courier/files/authlib/ ; the latest version at the time of writing was 0.66.3
tar -jxvf courier-authlib-0.66.3.tar.bz2
cd courier-authlib-0.66.3
./configure --with-authshadow --with-mailuser=postfix --with-mailgroup=postfix
make
sudo make install
sudo make install-configure
Edit /usr/local/etc/authlib/authdaemonrc and change the authentication module list
authmodulelist="authshadow"
Only authshadow works for a non-ASCII username. Other authentication modules, such as PAM and MySQL, turn the name into unreadable characters and authentication fails.
Then start the daemon
sudo /usr/local/sbin/authdaemond start
Check that it is running
sudo ps -ef |grep authdaemond
It should show the following
26393 26392 0 10:26 ? 00:00:00 /usr/local/libexec/courier-authlib/authdaemond
26394 26393 0 10:26 ? 00:00:00 /usr/local/libexec/courier-authlib/authdaemond
26395 26393 0 10:26 ? 00:00:00 /usr/local/libexec/courier-authlib/authdaemond
26396 26393 0 10:26 ? 00:00:00 /usr/local/libexec/courier-authlib/authdaemond
26397 26393 0 10:26 ? 00:00:00 /usr/local/libexec/courier-authlib/authdaemond
26398 26393 0 10:26 ? 00:00:00 /usr/local/libexec/courier-authlib/authdaemond
Install Courier IMAP, which supports both IMAP and POP3
Download it from http://sourceforge.net/projects/courier/files/imap
tar -jxvf courier-imap-4.16.2.tar.bz2
cd courier-imap-4.16.2
./configure
make
sudo make install
sudo make install-configure
cd /usr/lib/courier-imap/libexec
sudo ./pop3d.rc start
Check that pop3 is listening on port 110
sudo netstat -ntlp | grep 110
Enabling SSL using a self-signed certificate
cd /usr/lib/courier-imap/etc
sudo vi pop3d.cnf
Modify as needed, then save and quit
[ req_dn ]
C=US
ST=NY
L=New York
O=Courier Mail Server
OU=Automatically-generated POP3 SSL key
CN=localhost
emailAddress=postmaster@example.com
Now generate the certificate
cd ../share
sudo ./mkpop3dcert
You can now run POP3 with SSL; it listens on port 995
cd /usr/lib/courier-imap/libexec
sudo ./pop3d-ssl.rc start
sudo netstat -tulpn |grep 995
Finally, enable pop3 and pop3s at init
sudo ln -s /usr/lib/courier-imap/libexec/pop3d /etc/init.d/
sudo ln -s /usr/lib/courier-imap/libexec/pop3d-ssl /etc/init.d/
sudo update-rc.d pop3d defaults
sudo update-rc.d pop3d-ssl defaults
@TODO
*Run level for ubuntu*
Continue with IMAP
sudo /usr/lib/courier-imap/libexec/imapd.rc start
sudo netstat -ntlp | grep 143
Edit the imapd config
sudo vi /usr/lib/courier-imap/etc/imapd
Change IMAPDSTART to yes
IMAPDSTART=yes
Enable IMAP SSL using a self-signed certificate
Edit the config and change it as needed
sudo vi /usr/lib/courier-imap/etc/imapd.cnf
Generate the certificate
sudo /usr/lib/courier-imap/share/mkimapdcert
Now start imap-ssl and check that it listens on port 993
sudo /usr/lib/courier-imap/libexec/imapd-ssl.rc start
sudo netstat -ntlp |grep 993
Finally enable at startup
@TODO
Configure Postfix to use Maildir as the storage format for mail
sudo postconf -e 'home_mailbox = Maildir/'
sudo postfix reload
Update the skeleton directory and create the folders for the user we created earlier. In this example we used the user test.
sudo mkdir -p /etc/skel/Maildir/{cur,new,tmp}
sudo mkdir -p /home/test/Maildir/{cur,new,tmp}
sudo chown test:test /home/test/Maildir/{,cur,new,tmp}
sudo chmod 0700 /home/test/Maildir/{,cur,new,tmp}
Test imap, pop3
telnet localhost imap
ok login username password
telnet localhost pop3
User username
Pass password
Install Squirrel-mail
Install the modified Squirrel-mail
cd /var/www/html
wget http://interlab.ait.ac.th/eai-wiki/files/squirrelmail.zip
unzip squirrelmail.zip
Edit the configuration file and change attachment_dir and data_dir; don't forget to create the folders. Change their ownership to your Apache user and allow write access as well.
vi /var/www/html/squirrelmail/config/config.php
Access squirrelmail
http://your-domain/squirrelmail/
Errors
This happens when logging in to IMAP
error while loading shared libraries: libcourier-unicode.so.1: cannot open shared object file: No such file or directory
Solution: run sudo vi /etc/ld.so.conf and add
/usr/local/lib
then run sudo ldconfig
Related Links
Mail server is not sending or receiving email to outside world
Sources
http://www.linuxfromscratch.org/blfs/view/cvs/server/postfix.html
http://www.postfix.org/SASL_README.html
https://wiki.debian.org/PostfixAndSASL