Virtual mail server using Postfix, Courier and PostfixAdmin

Introduction
I recently moved my original mail system, built using the Gentoo Virtual How-to, over to a PostfixAdmin-run system. Additionally, I took this time to add Postgrey and switch to encrypted passwords using Courier's new authlib, which I'll detail as well.

Virtual Mailhosting System with Postfix Guide

Notes From the Author
kashani (2007.04.17): I just ran through this how-to on my new vps server so it's pretty fresh. Should be updating this over the next week.

kashani (2008.06.25): A few updates, but I haven't really looked too hard at what is new in Postfixadmin 2.2.

kashani (2008.08.21): Added syslog-ng stuff to split mail out, added mysql account creation stuff a couple of weeks ago.

Notes From Users
Put things you'd like me to fix or comments here

Bigun - Possibly some code on how to set up courier-imapd-ssl and courier-pop3d-ssl, certificates and all

Why PostfixAdmin
PostfixAdmin provides a nice front-end for a Postfix/Courier based virtual mail server. As super-admin you can create domain admins, create their domains, assign the domains to the domain admins, and then go back to reading the Gentoo forums rather than creating users, changing passwords, or deleting accounts.

(...and managing your email system with PHPMyadmin sucks.)

Which Packages
This HowTo assumes you have the following prerequisites:

Default Settings
The system we're going to build will have the settings below. You can change any of these to reflect your own system.


 * All mail is in
 * All mail is owned by user postfix:postfix
 * The database is
 * The database user is named
 * The database password is "postfix_pass"; you should change this to something different, use the utility to generate a good password

Portage
These are the USE flags that should be set.

If any of them are already in the USE variable in your /etc/make.conf file, you can safely remove them from the list. If more USE flags than the above show up, that's fine too. Most of the daemons above will also show pam, ipv6 or others.

We're going to slave SASL off Courier-authlib instead of having it talk directly to the database. This allows us to use encrypted passwords and seems to work better as well. However there have been some weird authlib problems in recent updates so watch your upgrades.

Some webmail clients require PHP to be compiled with Unicode support, so enable it now; you may need it eventually.

MySQL
There is a great guide here for installing MySQL, so I suggest you read it too, so you don't miss anything: MySQL Startup Guide

Installation
First install the package

Once that is done, set up the root user in MySQL

Now you need to install the pam_mysql.so library. Do so by typing:

The last thing that needs doing is adding mysql to the default runlevel, so it starts when the server starts

That is really all that is needed to install mysql.

Configuration
Now we need to create the postfix database in MySQL, and create the user to log in with:

CREATE DATABASE postfix_db;
GRANT ALL PRIVILEGES ON postfix_db.* TO postfix_user@localhost IDENTIFIED BY 'postfix_pass';
FLUSH PRIVILEGES;

By default MySQL binds only to 127.0.0.1, aka localhost, and will not be accessible from outside your server. In order to let it bind to the normal ethernet interface you need to comment out the bind-address line in /etc/mysql/my.cnf. You will also need to change your GRANT line to allow access from more than localhost.
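Once the bind-address line is commented out, every account whose host part is not local becomes usable from the network. The check below is an added example, not part of the original how-to: it reads a my.cnf and a list of accounts and reports which accounts are exposed. The function names and the sample rows are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original how-to; function names are hypothetical.

# bind_scope FILE: classify the last active bind-address in [mysqld].
# A missing or commented-out line means MySQL listens on all interfaces.
bind_scope() {
    addr=$(awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_sec && /^[ \t]*bind[-_]address[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); a = $0
        }
        END { print a }' "$1")
    case "$addr" in
        127.*|localhost|::1) echo loopback ;;
        ""|0.0.0.0|::|"*")   echo all ;;
        *)                   echo "$addr" ;;
    esac
}

# remote_accounts FILE: FILE holds "user<TAB>host" rows, the shape produced by
#   mysql -N -B -e "SELECT user, host FROM mysql.user"
# Prints every account whose host part is not local.
remote_accounts() {
    awk -F '\t' '$2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
        print $1 "@" $2 }' "$1"
}

# exposure CNF ROWS: accounts that can actually be reached from the network.
# Nothing is reported while MySQL is bound to loopback only.
exposure() {
    if [ "$(bind_scope "$1")" != loopback ]; then
        remote_accounts "$2"
    fi
}

# Constructed sample: bind-address commented out as the text describes,
# and a GRANT that was widened to the '%' wildcard host.
tmp=$(mktemp -d)
printf '[mysqld]\n#bind-address = 127.0.0.1\n' > "$tmp/my.cnf"
printf 'root\tlocalhost\npostfix_user\tlocalhost\npostfix_user\t%%\n' > "$tmp/rows"
exposure "$tmp/my.cnf" "$tmp/rows"   # prints postfix_user@%
rm -rf "$tmp"
```

If the report lists a wildcard host, narrow the GRANT to the specific client address that needs access.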

Apache2
For a guide on how to install and configure apache, please read the Apache2 article.

Once Apache2 is installed, add it to the default runlevel like you did with mysql

PHP
Now that you have Apache installed, installing PHP is really just running this command

Once that is done, edit /etc/conf.d/apache2 and add -D PHP5 to the APACHE2_OPTS variable

Cyrus-SASL
To install Cyrus-SASL, simply emerge it

That's it. There isn't really any configuration to be done for this package, so just add it to the default runlevel

SMTP Authentication settings:

Postfix
Postfix is the SMTP server that handles all the incoming email.

Installation
First verify that you have all the proper USE flags enabled. A pretend should look like this.

mail-mta/postfix-2.5.6 USE=""

Now install Postfix

Once Postfix is installed you'll need to add local aliases and run so Postfix will start and be happy. Postfix does not deliver mail to root so you'll want to point the mail for root to some other user or mail account. Edit the file, where you uncomment and fill out the root and operator lines with your own login name:

Now run the newaliases utility, to regenerate the aliases database file

Now add postfix to the default runlevel

And start it

Configuration
Now you need to change the /etc/postfix/main.cf and merge the changes below into it

Then create the following files in /etc/postfix

Directories
Now that you have Postfix installed, it's time to create our mail directory and chown it properly.

The directory name and location do not matter, but it's a good idea to put it on a large partition. For performance reasons on a very busy server, you may want to move it to another partition, because the Postfix internal queues are also on /var/ and those are write-heavy. Moving the main mail store to a partition on another physical disk can increase performance on a box that is struggling with I/O.

Giving Postfix ownership of /var/vmail allows Postfix to create new mail directories for new users when the first piece of mail comes in for that user. I recommend setting Postfixadmin to send a welcome message to new users to make sure their .maildir is created.

Syslog-NG configuration
Just make sure you are using >=syslog-ng-2* and you will be fine.

To be sure, check that your /etc/syslog-ng/syslog-ng.conf contains these lines

Courier-IMAP
Courier-IMAP is the package that contains the POP3 and IMAP servers.

These are the services used when users read the mail in their inboxes.

Installation
Again verify USE flags.

These are the packages that would be merged, in order:

[ebuild N    ] net-mail/courier-imap-4.4.1-r1  USE="fam gdbm ipv6 nls -berkdb -debug -gnutls (-selinux)" 0 kB

Total: 1 package (1 new), Size of downloads: 0 kB

Then emerge it

Once done, add the services that you need to the default runlevel

 * POP3
 * IMAP
 * POP3 over SSL
 * IMAP over SSL

Configuration
For large virtual systems, remember to increase the per-IP connection limit in /etc/courier-imap/imapd and in any other services you plan to offer to the public. Even on a small system Thunderbird tends to cache several connections to the server. I run my personal mail servers to allow 40 connections from a single IP for IMAP. That seems to work.

This is done by changing the MAXPERIP variable to 40

Courier-AuthLib
Courier-AuthLib handles the authentication of the users, when they connect to imapd or pop3d to read their mail.

Installation
Again verify the use variables

These are the packages that would be merged, in order:

[ebuild N    ] net-libs/courier-authlib-0.61.1  USE="crypt gdbm mysql -berkdb -debug -ldap -pam -postgres -vpopmail" 0 kB

Total: 1 package (1 new), Size of downloads: 0 kB

Then emerge it

And add it to the default runlevel

Configuration
First the /etc/courier/authlib/authmysqlrc file needs to be fitted to our needs

Then you need to edit /etc/courier/authlib/authdaemonrc and make sure authmysql is the first in the authmodulelist variable

You may need to loosen permissions on /var/lib/courier/authdaemon/socket. I'd try it on your system first; if you see permission denied errors, this is likely the problem.

PostfixAdmin
This section will show you how to set up PostfixAdmin. This is done first because it doesn't depend on anything else and sets up the databases that will be used by Postfix and Courier.

Virtual Host Setup
This section will install PostfixAdmin and configure the Apache virtual host. This section does not deal with configuring SSL, although it is highly recommended that you only access PostfixAdmin over SSL.

Using webapp-config, install PostfixAdmin using the following command, replacing the 2.2.1.1 with the version you're using:

Pay attention to any messages that webapp-config displays and follow any instructions you're given.

PostfixAdmin will now be installed to

Now you need to tell Apache about the virtual host. To do so, put the following into a new file, (based on the Gentoo default virtual host). Remember to change "mailadmin.example.org" into your hostname in this file, it appears four times:

Finally, to apply the changes, restart Apache with:

Configuration
Open up the file in the postfixadmin directory. The following settings are listed in the order that they appear.

First comment out the configured setting by placing a # in front of it to tell PostfixAdmin that we've configured it. Until you do this, PostfixAdmin will not run:

Let PostfixAdmin know that we changed the config file. Do NOT uncomment the line, because login.php uses the variable configured.



Tell PostfixAdmin what web address it will be accessed with:



If your native language isn't English, you'll want to change the default_language setting. A list of language files is in the languages/language.php file. For example, if you want PostfixAdmin in German:



Next set up the MySQL connection. This uses the MySQL database and user set up above. The password should be the same password you entered when creating the postfix_user MySQL user.



You'll want to change the admin email address that PostfixAdmin uses. This is used as the From address when sending messages to new accounts.



This setup will use mailboxes stored in the format /, so change the domain_path and domain_in_mailbox settings to match those below.



This setup will use quotas, so tell PostfixAdmin to turn them on.



PostfixAdmin displays a couple of customizable links. You'll probably want to change these to link to your website.





Finally, you can change the content of the email that is sent to new users.





Setup
You can now complete the setup of PostfixAdmin, creating the database, by visiting the setup page. For example: http://mailadmin.example.org/setup.php

At this point you'll be asked to set up a global admin user. Follow the instructions to do so. Remember the details as you'll need them to log in later.

Finally remove the file to stop others from being able to reset / change your database unexpectedly:

You can now visit your PostfixAdmin install at the location you set it up. For example: http://mailadmin.example.org/

However, you should not set any domains or mailboxes up yet because Postfix and Dovecot have not been set up yet.

Why Greylist?
It's the simplest way to stop significant spam and it uses far less resources than just about any other method. I've been using sqlgrey on multiple servers and it seems to work well so that's what we'll use here.

Installation
First install the package

Now configure it with the Portage system

Then run this command to set the setting in /etc/conf.d/postgrey

And finally add it to the default runlevel

Delay Time
I recommend a very small delay time as I've used above. Many webmail sites like Hotmail will attempt delivery every thirty seconds for the first three minutes. The next retry will be fifteen minutes after the last retry. By using a very small delay you can still provide effective greylisting, but keep the total delay to a minimum.
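The retry pattern described above can be modelled to see what a given greylist delay costs in real delivery time. This is an added example, not part of the original how-to; the function names, the 15-minute spacing of later retries and the sample delay values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original how-to; names are hypothetical.

# retry_times: seconds after the first (deferred) attempt at which the
# sender tries again. Every 30 s for the first 3 minutes, then 15 minutes
# after the last of those, as the text describes. Continuing every
# 15 minutes up to 2 hours is an assumption made for this model.
retry_times() {
    t=30
    while [ "$t" -le 180 ]; do
        echo "$t"
        t=$((t + 30))
    done
    t=$((180 + 900))
    while [ "$t" -le 7200 ]; do
        echo "$t"
        t=$((t + 900))
    done
}

# first_accept DELAY: a greylisting server defers a new sender until DELAY
# seconds have passed since its first attempt, so the message gets through
# on the first retry that arrives at or after DELAY. Prints that time.
first_accept() {
    for t in $(retry_times); do
        if [ "$t" -ge "$1" ]; then
            echo "$t"
            return 0
        fi
    done
    return 1    # no retry inside the modelled window
}

# Constructed sample delays: anything up to 180 s costs at most 3 minutes,
# while one second more pushes delivery out to the 18-minute retry.
for d in 30 60 180 181 300; do
    echo "greylist delay ${d}s -> accepted after $(first_accept "$d")s"
done
```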

Oddities
Here are a couple of weird issues that I ran into while installing Postfix Admin or using it.

Adding Multiple Emails to an Alias
Create an alias pointing to a single address. Now edit the alias again. You'll be able to add multiple email addresses, one per line, to the alias now.