Diff of /xml/htdocs/doc/en/virt-mail-howto.xml
Revision 1.4 Revision 1.9
1<?xml version = '1.0' encoding = 'UTF-8'?> 1<?xml version = '1.0' encoding = 'UTF-8'?>
2<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?> 2<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
3<guide link=" /doc/en/virt-mail-howto.xml" > 3<guide link=" /doc/en/virt-mail-howto.xml" >
4<title>Virtual Mailhosting System Guide</title> 4<title>Virtual Mailhosting System Guide</title>
5<author title="Author" > 5<author title="Author" >
6<mail link="ken@kickasskungfu.com" >Ken Nowack</mail> 6<mail link="antifa@gentoo.org" >Ken Nowack</mail>
7</author> 7</author>
8<author title="Author" > 8<author title="Author" >
9<mail link="ezra@kickasskungfu.com" >Ezra Gorman</mail> 9<mail link="ezra@revoltltd.org" >Ezra Gorman</mail>
10</author> 10</author>
11<abstract>This document details how to create a virtual mailhosting system based upon postfix, mysql, courier-imap, and cyrus-sasl. </abstract> 11<abstract>This document details how to create a virtual mailhosting system based upon postfix, mysql, courier-imap, and cyrus-sasl. </abstract>
12<version>1.0</version> 12<version>1.0</version>
13<date>07 Jan 2003</date> 13<date>30 April 2003</date>
14<!-- 14<!--
15 15
16Contents 16Contents
17 17
18I. Introduction 18I. Introduction
35<title>Introduction</title> 35<title>Introduction</title>
36<body> 36<body>
37<p>For most gentoo users, a simple mail client and fetchmail will do. However, if you're hosting a domain with your system, you'll need a full blown MTA (Mail Transfer Agent). And if you're hosting multiple domains, then you'll definitely need something more robust to handle all of the email for your users. This system was designed to be an elegant solution to that problem.</p> 37<p>For most gentoo users, a simple mail client and fetchmail will do. However, if you're hosting a domain with your system, you'll need a full blown MTA (Mail Transfer Agent). And if you're hosting multiple domains, then you'll definitely need something more robust to handle all of the email for your users. This system was designed to be an elegant solution to that problem.</p>
38<p>A virtual mail system needs to be able to handle email for numerous domains with multiple users over a variety of interfaces. This presents some issues that must be dealt with. For instance, what if you have two users on different domains that want the same user name? If you are providing imap access and smtp-auth, how do combine the various authentication daemons into a single system? How do you provide security for the numerous components that comprise the system? How do you manage it all?</p> 38<p>A virtual mail system needs to be able to handle email for numerous domains with multiple users over a variety of interfaces. This presents some issues that must be dealt with. For instance, what if you have two users on different domains that want the same user name? If you are providing imap access and smtp-auth, how do combine the various authentication daemons into a single system? How do you provide security for the numerous components that comprise the system? How do you manage it all?</p>
39<p>This howto will show you how to set up with a mail system capable of handling mail for as many domains as your hardware can handle, supports virtual mail users that don't require shell accounts, has domain specific user names, can authenticate web, imap, smtp, and pop3 clients against a single database, utilizes ssl for transport layer security, has a web interface, can handle mailing lists for any domain on the machine, and is controlled by a nice, central and easy mysql database. </p> 39<p>This howto will show you how to set up with a mail system capable of handling mail for as many domains as your hardware can handle, supports virtual mail users that don't require shell accounts, has domain specific user names, can authenticate web, imap, smtp, and pop3 clients against a single database, utilizes ssl for transport layer security, has a web interface, can handle mailing lists for any domain on the machine, and is controlled by a nice, central and easy mysql database. </p>
40<p>There are quite a variety of ways to go about setting up a virtual mailhosting system. With so may options, another may be the best choice for your specific needs. Consider investigating <uri>http://www.qmail.org</uri> and <uri>http://www.exim.org</uri> to explore your options. </p> 40<p>There are quite a variety of ways to go about setting up a virtual mailhosting system. With so may options, another may be the best choice for your specific needs. Consider investigating <uri>http://www.qmail.org/</uri> and <uri>http://www.exim.org/</uri> to explore your options. </p>
41<p>The following packages are used in this setup: 41<p>The following packages are used in this setup:
42 42
43 apache, courier-imap, pam_mysql, postfix, mod_php, mod_ssl, phpmyadmin, squirrelmail, cyrus-sasl, mysql, php, and mailman.</p> 43 apache, courier-imap, pam_mysql, postfix, mod_php, mod_ssl, phpmyadmin, squirrelmail, cyrus-sasl, mysql, php, and mailman.</p>
44<p>Make sure to turn on the following USE variables in <path>/etc/make.conf</path> before compiling the packages: <c>USE=&quot;mysql imap libwww maildir sasl ssl&quot;</c>. Otherwise you will most likely have to recompile things to get the support you need for all the protocols. Further, it's a good idea to turn off any other mail and network variables, like ipv6.</p> 44<p>Make sure to turn on the following USE variables in <path>/etc/make.conf</path> before compiling the packages: <c>USE=&quot;mysql imap libwww maildir sasl ssl&quot;</c>. Otherwise you will most likely have to recompile things to get the support you need for all the protocols. Further, it's a good idea to turn off any other mail and network variables, like ipv6.</p>
45<impo>This howto was written for postfix-2.0.x. If you are using postfix &lt; 2 some of the variables in this document will be different. It is reccommended that you upgrade. Some other packages included in this howto are version sensitive as well. You are advised to read the documentation included with packages if you run into issues with this.</impo> 45<impo>This howto was written for postfix-2.0.x. If you are using postfix &lt; 2 some of the variables in this document will be different. It is recommended that you upgrade. Some other packages included in this howto are version sensitive as well. You are advised to read the documentation included with packages if you run into issues with this.</impo>
46<impo>You need a domain name to run a public mail server, or at least an MX record for a domain. Ideally you would have control of at least two domains to take advantage of your new virtual domain functionality.</impo> 46<impo>You need a domain name to run a public mail server, or at least an MX record for a domain. Ideally you would have control of at least two domains to take advantage of your new virtual domain functionality.</impo>
47<impo>Make sure <path>/etc/hostname</path> is set to the right hostname for your mail server. Verify your hostname is set correctly with <c>hostname</c>. Also verify that there are no conflicting entries in <path>/etc/hosts</path>.</impo> 47<impo>Make sure <path>/etc/hostname</path> is set to the right hostname for your mail server. Verify your hostname is set correctly with <c>hostname</c>. Also verify that there are no conflicting entries in <path>/etc/hosts</path>.</impo>
48<note>It is recommended that you read this entire document and familiarize yourself with all the steps before attempting the install. If you run into problems with any of the steps, check the troubleshooting guide at the end of this document. Also, not all the referenced packages are necessary, this set up is very flexible. For instance, if you do not desire a web interface, feel free to skip the squirrelmail section.</note> 48<note>It is recommended that you read this entire document and familiarize yourself with all the steps before attempting the install. If you run into problems with any of the steps, check the troubleshooting guide at the end of this document. Also, not all the referenced packages are necessary, this set up is very flexible. For instance, if you do not desire a web interface, feel free to skip the squirrelmail section.</note>
49</body> 49</body>
50</chapter> 50</chapter>
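Review bot: the `<date>` at line 13 moves from 07 Jan 2003 to 30 April 2003 while `<version>1.0</version>` at line 12 is left as it was, even though later chunks of this revision change the procedure itself (the cyrus-sasl install steps are replaced and the postfix restriction list is corrected); bump the version so a reader of a printed or mirrored copy can tell which instructions they are following. The other edits in this chunk (author addresses at 6 and 9, trailing slashes on the qmail/exim URLs at 40, "reccommended" at 45) are fine as they stand.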
116<chapter> 116<chapter>
117<title>Cyrus-sasl</title> 117<title>Cyrus-sasl</title>
118<body> 118<body>
119<p>Next we're going to install cyrus-sasl. Sasl is going to play the role of actually passing your auth variables to pam, which will in turn pass that information to mysql for authentication of smtp users. For this howto, we'll not even try to verify that sasl is working until mysql is set up and contains a test user. Which is fine since we'll be authenticating against mysql in the end anyway.</p> 119<p>Next we're going to install cyrus-sasl. Sasl is going to play the role of actually passing your auth variables to pam, which will in turn pass that information to mysql for authentication of smtp users. For this howto, we'll not even try to verify that sasl is working until mysql is set up and contains a test user. Which is fine since we'll be authenticating against mysql in the end anyway.</p>
120<note>Now for some reason, sasl will not play nicely with pam against the shadow file. I banged my head against this problem for, well, a long time. If anyone knows why sasl will not auth against the shadow file in its current gentoo incarnation, please <mail link="ken@kickasskungfu.com" >email me</mail> as I'd love to hear a solution to this.</note> 120<note>Now for some reason, sasl will not play nicely with pam against the shadow file. I banged my head against this problem for, well, a long time. If anyone knows why sasl will not auth against the shadow file in its current gentoo incarnation, please <mail link="ken@kickasskungfu.com" >email me</mail> as I'd love to hear a solution to this.</note>
121<p>Just to get sasl installed is going to require a bit of hacking. Open up the ebuild file and change the configure flags to disable digest and cram. Here's why: mail clients will try to authenticate against the <e>first</e> method presented to it, usually cram-md5. Since we're not going to set that up, cram authentication will fail and most clients will not by default try another method. This is mostly due to the way mail clients are currently put together. So we're going to disable auth methods we're not using in order to not confuse the clients out there.</p>
122<pre caption="Configuring and installing the cyrus-sasl ebuild" > 121<pre caption="Configuring and installing the cyrus-sasl ebuild" >
123 # <i>cd /usr/portage/dev-libs/cyrus-sasl</i>
124 # <i>nano -w cyrus-sasl.$currentversion.ebuild</i>
125<codenote>Disable digest and cram as show below.</codenote>
126
127 econf \
128 --with-saslauthd=/var/lib/sasl2 \
129 --with-pwcheck=/var/lib/sasl2 \
130 --with-configdir=/etc/sasl2 \
131 --with-openssl \
132 --with-plugindir=/usr/lib/sasl2 \
133 --with-dbpath=/etc/sasl2/sasldb2 \
134 --with-des \
135 --with-rc4 \
136 --disable-krb4 \
137 --with-gnu-ld \
138 --enable-shared \
139 --disable-sample \
140 --enable-login \
141 --disable-cram \
142 --disable-digest \
143 ${myconf} || die &quot;bad ./configure&quot;
144
145 # <i>USE='-ldap -mysql' emerge cyrus-sasl</i> 122 # <i>USE='-ldap -mysql' emerge cyrus-sasl</i>
146<codenote>We don't have ldap and we're not using sasl's mysql capabilities </codenote> 123<codenote>We don't have ldap and we're not using sasl's mysql capabilities </codenote>
147<codenote>so we need to turn them off for this build.</codenote> 124<codenote>so we need to turn them off for this build.</codenote>
148</pre> 125</pre>
149<p>Next, edit <path>/var/lib/sasl2/smtp.conf</path>.</p> 126<p>Next, edit <path>/var/lib/sasl2/smtp.conf</path>.</p>
150<pre caption="Starting sasl" > 127<pre caption="Starting sasl" >
151 # <i>nano -w /var/lib/sasl2/smtp.conf</i> 128 # <i>nano -w /var/lib/sasl2/smtp.conf</i>
152 pwcheck_method: saslauthd 129 pwcheck_method: saslauthd
153 130 mech_list: LOGIN PLAIN
131<codenote>It's important to turn off auth mehtods we are not using.</codenote>
132<codenote>They cause problems for some mail clients.</codenote>
154 # <i>/etc/init.d/saslauthd start</i> 133 # <i>/etc/init.d/saslauthd start</i>
155</pre> 134</pre>
156</body> 135</body>
157</chapter> 136</chapter>
158<chapter> 137<chapter>
159<title>SSL Certs for Postfix and Apache</title> 138<title>SSL Certs for Postfix and Apache</title>
160<body> 139<body>
161<p>Next we're going to make a set of ssl certificates for postfix and apache.</p> 140<p>Next we're going to make a set of ssl certificates for postfix and apache.</p>
162<pre> 141<pre>
163 # <i>cd /usr/lib/ssl/</i> 142 # <i>cd /etc/ssl/</i>
164 # <i>nano -w openssl.cnf</i> 143 # <i>nano -w openssl.cnf</i>
165<codenote>Change the following default values for your domain:</codenote> 144<codenote>Change the following default values for your domain:</codenote>
166 145
167 countryName_default 146 countryName_default
168 stateOrProvinceName_default 147 stateOrProvinceName_default
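Review bot: replacing the in-tree ebuild edit (old lines 121-144, where `--disable-cram` and `--disable-digest` were added to `econf`) with `mech_list: LOGIN PLAIN` in /var/lib/sasl2/smtp.conf at new line 130 is the right change: it restricts the advertised mechanisms in configuration instead of in a locally patched build that the next sync of /usr/portage would overwrite, and it keeps the "-ldap -mysql" emerge at 122 unchanged. Two leftovers: the codenote at 131 misspells "methods" ("mehtods"), and the `<mail>` in the note at line 120 still points at ken@kickasskungfu.com although line 6 of this revision changes the author address to antifa@gentoo.org. It would also help to say next to `mech_list` that LOGIN and PLAIN both carry the password unencrypted, so this list is only safe in combination with the TLS settings in the postfix chapter. The `cd /usr/lib/ssl/` to `cd /etc/ssl/` change at 142 is correct for where openssl.cnf lives.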
225<codenote>mangled by postfix and be unable to auth.</codenote> 204<codenote>mangled by postfix and be unable to auth.</codenote>
226 205
227 smtpd_recipient_restrictions = 206 smtpd_recipient_restrictions =
228 permit_sasl_authenticated, 207 permit_sasl_authenticated,
229 permit_mynetworks, 208 permit_mynetworks,
230 reject_unath_destination 209 reject_unauth_destination
231 210
232 211
233 smtpd_use_tls = yes 212 smtpd_use_tls = yes
234 #smtpd_tls_auth_only = yes 213 #smtpd_tls_auth_only = yes
235 smtpd_tls_key_file = /etc/postfix/newreq.pem 214 smtpd_tls_key_file = /etc/postfix/newreq.pem
258 250-PIPELINING 237 250-PIPELINING
259 250-SIZE 10240000 238 250-SIZE 10240000
260 250-VRFY 239 250-VRFY
261 250-ETRN 240 250-ETRN
262 250-STARTTLS 241 250-STARTTLS
263 250-AUTH LOGIN PLAIN OTP 242 250-AUTH LOGIN PLAIN
264 250-AUTH=LOGIN PLAIN OTP 243 250-AUTH=LOGIN PLAIN
265 250-XVERP 244 250-XVERP
266 250 8BITMIME 245 250 8BITMIME
267 <i>^]</i> 246 <i>^]</i>
268 telnet> <i>quit</i> 247 telnet> <i>quit</i>
269</pre> 248</pre>
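Review bot: the change from `reject_unath_destination` to `reject_unauth_destination` at line 209 fixes a real defect, not only a spelling: the misspelt name is not a Postfix restriction, so the `smtpd_recipient_restrictions` list in 1.4 did not express the relay check it was meant to. What this chunk still leaves open is `#smtpd_tls_auth_only = yes` at 213, commented out, while the EHLO transcript at 242-243 now advertises only LOGIN and PLAIN (OTP dropped); both send the password in the clear, so a client that authenticates before STARTTLS on this plain telnet session exposes credentials on the wire. Uncomment `smtpd_tls_auth_only = yes` alongside `smtpd_use_tls = yes` at 212, and then update the transcript, since Postfix will no longer list `250-AUTH` until the session has negotiated TLS.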
540 virtual_mailbox_domains = 519 virtual_mailbox_domains =
541 virt-bar.com, 520 virt-bar.com,
542 $other-virtual-domain.com 521 $other-virtual-domain.com
543 522
544 virtual_minimum_uid = 1000 523 virtual_minimum_uid = 1000
545 virtual_gid_maps = static: $vmail-gid 524 virtual_gid_maps = static:$vmail-gid
546 virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf 525 virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
547 virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf 526 virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
548 virtual_uid_maps = static: $vmail-uid 527 virtual_uid_maps = static:$vmail-uid
549 virtual_mailbox_base = / 528 virtual_mailbox_base = /
550 #virtual_mailbox_limit = 529 #virtual_mailbox_limit =
551 </pre> 530 </pre>
552<p>As of Postfix 2.0.x, there were a number of significant changes over the 1.1.x release. Notably the transport, virtual-gid, and virtual-uid tables are no longer necessary. The tables are still included if you wish to use them.</p> 531<p>As of Postfix 2.0.x, there were a number of significant changes over the 1.1.x release. Notably the transport, virtual-gid, and virtual-uid tables are no longer necessary. The tables are still included if you wish to use them.</p>
553<note>It is recommended tha you read VIRTUAL_README included with the postfix doc's for more information.</note> 532<note>It is recommended tha you read VIRTUAL_README included with the postfix doc's for more information.</note>
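Review bot: removing the space in `static:$vmail-gid` and `static:$vmail-uid` at 524 and 527 is needed, not cosmetic, because Postfix expects a map as `type:name` with no whitespace and splits map lists on whitespace. The setting that deserves a caveat in the prose is `virtual_mailbox_base = /` at 528 together with `virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf` at 525: with the base at the filesystem root, the path column in the MySQL table is an absolute delivery path, so anyone who can write that table (phpmyadmin is in the package list at 43) can point delivery at any location writable by the static vmail uid/gid. Set `virtual_mailbox_base` to the directory that holds the virtual mailboxes and keep the table values relative to it, so the base confines where virtual(8) will write. Minor: "tha" at 532 should be "that", and "doc's" should be "docs".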
573</body> 552</body>
574</chapter> 553</chapter>
575<chapter> 554<chapter>
576<title>Mailman</title> 555<title>Mailman</title>
577<body> 556<body>
578<p>Last step: mailman. The new version of mailman has very nice virtual domain support, which is why I use it, not to mention it's really a great package. To get this package installed and working correclty for virtual domains is going to require a bit of hacking. I really reccommend reading all of the mailman documentation, including README.POSTFIX.gz, to understand what's being done here.</p> 557<p>Last step: mailman. The new version of mailman has very nice virtual domain support, which is why I use it, not to mention it's really a great package. To get this package installed and working correctly for virtual domains is going to require a bit of hacking. I really recommend reading all of the mailman documentation, including README.POSTFIX.gz, to understand what's being done here.</p>
579<pre caption="/usr/portage/net-mail/mailman/mailman-$ver.ebuild"> 558<pre caption="/usr/portage/net-mail/mailman/mailman-$ver.ebuild">
580 # <i>nano -w /usr/portage/net-mail/mailman/mailman-$ver.ebuild</i> 559 # <i>nano -w /usr/portage/net-mail/mailman/mailman-$ver.ebuild</i>
581 MAILGID="280" 560 MAILGID="280"
582 <codenote>Set MAILGID to the mailman group instead of nobody</codenote> 561 <codenote>Set MAILGID to the mailman group instead of nobody</codenote>
583 <codenote>This is needed for postfix integration</codenote> 562 <codenote>This is needed for postfix integration</codenote>
586 # <i>emerge mailman</i> 565 # <i>emerge mailman</i>
587<codenote>This package is currently masked as well, so you'll need to unmask it or give </codenote> 566<codenote>This package is currently masked as well, so you'll need to unmask it or give </codenote>
588<codenote>emerge an explicit path to the ebuild. Once it's installed, follow the directions</codenote> 567<codenote>emerge an explicit path to the ebuild. Once it's installed, follow the directions</codenote>
589<codenote>in the README.gentoo.gz</codenote> 568<codenote>in the README.gentoo.gz</codenote>
590 569
591 # <i>nano -w /usr/share/doc/mailman-$ver/README.gentoo.gz</i> 570 # <i>zless /usr/share/doc/mailman-$ver/README.gentoo.gz</i>
592</pre> 571</pre>
593<pre caption="mailman config: mm_cfg.py"> 572<pre caption="mailman config: mm_cfg.py">
594 # <i>nano -w /var/mailman/Mailman/mm_cfg.py</i> 573 # <i>nano -w /var/mailman/Mailman/mm_cfg.py</i>
595 MTA = "Postfix" 574 MTA = "Postfix"
596 POSTFIX_STYLE_VIRTUAL_DOMAINS = ['virt-domain.com', 'virt.domain2.com'] 575 POSTFIX_STYLE_VIRTUAL_DOMAINS = ['virt-domain.com', 'virt.domain2.com']
653<p> You should now be able to setup mailing lists for any domain on your box. Last note on this, make sure you run all mailman commands as the user mailman (<c>su mailman</c>) or else the permissions will be wrong and you'll have to fix them. Read the mailman doc's for more information on setting up and managing mailman lists.</p> 632<p> You should now be able to setup mailing lists for any domain on your box. Last note on this, make sure you run all mailman commands as the user mailman (<c>su mailman</c>) or else the permissions will be wrong and you'll have to fix them. Read the mailman doc's for more information on setting up and managing mailman lists.</p>
654</body> 633</body>
655</chapter> 634</chapter>
656<chapter> 635<chapter>
657<title>Content Filtering and Anti-Virus</title> 636<title>Content Filtering and Anti-Virus</title>
658<body><p>Coming soon...</p></body> 637<body><p>Coming soon...it would be done already but I need some perl help and testing to make it so. If you'd like to volunteer for that, please email me.</p></body>
659</chapter> 638</chapter>
660<chapter> 639<chapter>
661<title>Wrap Up</title> 640<title>Wrap Up</title>
662<body> 641<body>
663<p>Ok, you're all set, edit <path>/etc/postfix/master.cf</path> and turn off verbose mode for production use. You'll probably also want to add the services to your startup routine to make sure everything comes back up on a reboot. Make sure to add all the services you're using - apache, mysql, saslauthd, postfix, courier-imapd, courier-imapd-ssl, courier-pop3d, and courier-pop3d-ssl are all up to your decision on what access you want to provide. I generally have all the services enabled.</p> 642<p>Ok, you're all set, edit <path>/etc/postfix/master.cf</path> and turn off verbose mode for production use. You'll probably also want to add the services to your startup routine to make sure everything comes back up on a reboot. Make sure to add all the services you're using - apache, mysql, saslauthd, postfix, courier-imapd, courier-imapd-ssl, courier-pop3d, and courier-pop3d-ssl are all up to your decision on what access you want to provide. I generally have all the services enabled.</p>
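Review bot: `nano -w` to `zless` at 570 is the right fix (opening the gzipped README in an editor shows compressed bytes, and -w could save it back), and the typo fixes at 557 are good. The procedure at 559-562 still edits the ebuild in place under /usr/portage to set `MAILGID="280"`, which the next sync overwrites; the same reasoning that led this revision to drop the cyrus-sasl ebuild edit applies here, so either copy the modified ebuild into a PORTDIR_OVERLAY or state that the change has to be reapplied after every sync. At 632, "doc's" should be "docs". The wrap-up at 642 is fine, though it could name the master.cf flag being removed (the `-v` on the smtpd line) so the reader knows what "verbose mode" refers to.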