I had already build a VoIP system using CentOS (another Unix-like OS) as a base with trixbox CE providing the VoIP telephony. It was a fun project and for all the same reasons I wanted to do something similar for our messaging. I naturally (or some may argue un-naturally) started thinking about Microsoft Exchange, but was put off by the cost and all the additional features that I might not use! Then I remembered reading something about Postfix and thought “I can setup a VoIP system, surely it can’t be too hard to setup a mail server on a *nix<\/em> box?” It also seemed like I nice way to create a rounded “communication” solution for our organisation encompassing telephony and email (my thoughts immediately turned to shared calendaring too).<\/p>\n With the availability of devices like the iPhone and iPad (yes, I’m a fan-boy!), it meant that I could create a mail platform that could be accessed “anywhere”, “anytime” on “any device” (and by any device read: iPad or iPhone ?). This was a plus for management, who wouldn’t need to be restricted to carrying around a laptop and 3G modem in order to access emails!<\/p>\n So I started searching on the internet for a cookbook that would outline the steps and one of the first I came across (and ultimately stayed with) was Ivar Abrahamsen’s step-by-step guide at flurdy.com. It’s a fantastic guide that outlines things very clearly with details on “how” and “why” each step is taken.<\/p>\n This HOWTO is effectively a duplicate (and to some degree a subset) of flurdy’s guide, with some of my own changes\/omissions based on my own situation and experiences during the install. It was also to some degree intended for my own reference in case I needed to recover my server one day. All credit goes to Ivar Abrahamsen without whom I’d never have got my server off the ground. I didn’t plan on using my server in the cloud so I removed the references to ec2.<\/p>\n So why would you build your own mail server? There are a number of advantages to having your own mail server, and a cursory check of the MX records of a number of organisations I deal with revealed that almost everyone was doing it! Reason 1: I didn’t want to be left out!! More selfishly, it was a way to gain total control over the server, and with my “portable mail” plan relying on IMAP it meant I couldn’t have an ISP reigning me back on disk space!!<\/p>\n I did have concerns about being a target for spammers and hackers, so it was a relief to see the sections in flurdy’s guide that dealt with spam and antivirus as well as the encryption of the traffic – another plus if the aforementioned management decided to access their mail, using webmail from a internet caf\u00e9 while on holiday!<\/p>\n This HOWTO is based on Ubuntu Server 10.04 LTS (Lucid Lynx) 64-bit and its Debian base which uses apt-get (aptitude) to download and install its packages.<\/p>\n Why 10.04 and what is LTS? Lucid Lynx (10.04) is an LTS (Long Term Support<\/em>) release. It (the server version) will be supported with security updates until April 2015. The long life cycle will hopefully mean a more stable platform, enhanced support and more time before we have to consider upgrading.<\/p>\n Hardware configuration<\/p>\n You know what they say about assumptions… Unfortunately I didn’t do enough research when picking my server hardware, and just went for the highest spec machine I could afford. Little did I know there would be issues around driver support for the RAID controller and GRUB’s inability to recognise GPT partitions for disks larger than 2TB! There are workarounds, but I had other options…<\/p>\n Here’s the specifications of the server I used for this exercise:<\/p>\n Never one to let road block get in the way of accomplishing a goal, I did the following steps in order to prepare the server for (and install) the OS:<\/p>\n to see the various components of the array and<\/p>\n where x<\/em><\/strong><\/span> is 0,1,2…<\/li>\n Ah the age old distro argument… Why Ubuntu? It’s free, simple and slick with solid package management. As Ubuntu is derived from Debian the installations used here will be apt-get based..<\/p>\n Simple, free, proven and slick. I agree with flurdy on this one – I’m a sucker for anything that works easily and like it was designed to. Postfix is all that! It’s powerful, well established, but not too bloated, and is security conscious from the start.<\/p>\n Simple, free and support for IMAPv4.<\/p>\n I haven’t had much exposure to database software other than the development I’ve done using MS SQL 2008 Express. MySQL, however, is well supported for the sort of lookups required in a mail server environment and these packages support it “out-of-the-box”.<\/p>\n Easy plug-in content interface solution for spam, virus checking etc.<\/p>\n A FREE<\/strong> <\/span>virus scanner this is trusted and proven, which includes an update daemon.<\/p>\n Secure and trusted cryptography technology for authentication of SMTP traffic.<\/p>\n Secure and trusted cryptography technology for encryption of SMTP traffic. Not to be confused with client encryption technology like GnuPG and S\/MIME. Formerly referenced as SSL.<\/p>\n For me interface is everything. It’s all about the “look-and-feel” baby! Roundcube is an “ajaxified” and prettier webmail client than SquirrelMail but not quite as solid… yet!<\/p>\n For this install you need the main<\/strong> and universe<\/strong> repositories, but I also throw in the other “safe” ones: restricted<\/strong> and multiverse<\/strong> (and partner<\/strong>, when available) if they are not already defined.<\/p>\n There are a number of packages that constitute this installation. We will install and configure them individually, but before starting first check your package sources are correctly pointing to the main<\/strong>, multiverse<\/strong>, restricted<\/strong> and universe<\/strong> repositories of your current Ubuntu version as detailed above.<\/p>\n Once complete, install any updates for the base install.<\/p>\n The first core component to install is MySQL.<\/p>\n This will prompt you for a MySQL root<\/strong> password. Choose something secure and easy to remember (Current recommendations are for 12 alpha-numeric characters using case mixes). In this example we\u2019ll set it to rootPASSWORD<\/em><\/span>.<\/p>\n Next install Postfix, assuming it wasn’t selected at the end of the Ubuntu install and similar steps taken to configure it.<\/p>\n During the install it will prompt you to choose the \u201ctype<\/em>\u201d of email server. Select \u201cinternet site<\/strong>\u201d as it is assumed this install will connect to the internet to send and receive email. The install will also suggest\/request a server name. Alter as required using your FQDN or DynDNS equivalent.<\/p>\n Because it\u2019s easier to cut-and-paste using SSH telnet on your own PC, than keying it all in on the server console.<\/p>\n Select \u201cYes<\/strong>\u201d to set it up and enter the root MySQL password defined above. Create a phpmyadmin MySQL user password, and repeat to confirm. When asked, accept \u201capache2\u201d as the web server.<\/p>\n The install will prompt you about web directories. You can say \u201cNo<\/strong>\u201d to this. It will also warn you about the certificate location. Ignore this.<\/p>\n I also install a few other packages to add functionality but have nothing to do with the mail server setup.<\/p>\n At any stage to find out which packages you may have installed, you can use the following commands (substituting \u201cpostfix\u201d with the package you\u2019re checking):<\/p>\n Now let\u2019s configure a simple mail server using some of the packages installed previously. This HOWTO makes the assumption that you’re either NOT logged on as the root or root isn’t (or hasn’t) been enabled – hence the use of the “sudo” command.<\/p>\n UFW is bundled with the 10.04 Ubuntu distribution, but I still prefer Shorewall<\/strong> for servers I setup. Basically at first you want to only allow SSH<\/strong>. Then SMTP<\/strong> & IMAP<\/strong> from your IP only. When you are confident that the mail server is secure, you can open SMTP<\/strong> and IMAP<\/strong> to the world.<\/p>\n Later on in the install you may wish to open web access to the webmail and admin GUI. Once again, this can be restricted to specific IPs.<\/p>\n By default Shorewall in Ubuntu has an empty set up. You can find the default values for Shorewall in \/usr\/share\/doc\/shorwall\/default-config<\/em>, and examples of configurations in \/usr\/share\/doc\/shorwall\/examples<\/em>. To start, we will create the basic set up.<\/p>\n First configure which network adapters are accessing the net.<\/p>\n Then we will configure network zones<\/p>\n Add the firewall if not there and the internet as a zone.<\/p>\n Then (if needed) specify hosts in the Shorewall hosts file. i.e. If you want to specify what your home IP is etc.<\/p>\n Then set what the default policy is for firewall access.<\/p>\n For safety in case it goes down.<\/p>\n For higher security you can use the netmask of your IP range if you\u2019re more concerned.<\/p>\n The next step is to define the main firewall rules. You can find predetermined macro rules for Shorewall in the \/usr\/share\/shorewall<\/em> directory.<\/p>\n Once your server is working properly, come back to this step and open up the required protocols to the net.<\/p>\n Firewall configuring is always a risky business and it is easy to lock yourself out. To test the syntax of your configuration run<\/p>\n Then to switch it on during boot<\/p>\n Restart it with<\/p>\nBase OS Distribution<\/h3>\n
\n
\n
sudo cat \/proc\/mdstat<\/pre>\n
sudo mdadm --detail \/dev\/mdx<\/em><\/strong><\/span><\/pre>\nSoftware components<\/h3>\n
OS: Ubuntu Linux<\/strong><\/h4>\n
MTA: Postfix<\/strong><\/h4>\n
POP\/IMAP: Courier IMAP<\/strong><\/h4>\n
Database: MySQL<\/strong><\/h4>\n
Content Check: Amavisd-new<\/strong><\/h4>\n
Anti-SPAM: SpamAssassin & Postgrey<\/strong><\/h4>\n
\n
Anti-Virus: ClamAV<\/strong><\/h4>\n
Authentication: Cyrus SASL<\/strong><\/h4>\n
Encryption: TLS<\/strong><\/h4>\n
Webmail: Roundcube<\/strong><\/h4>\n
Software configuration<\/h2>\n
Repositories<\/h3>\n
sudo vi \/etc\/apt\/sources.list<\/pre>\n
Packages<\/h3>\n
sudo aptitude update\r\nsudo aptitude safe-upgrade<\/pre>\n
MySQL<\/h4>\n
sudo aptitude install mysql-client mysql-server<\/pre>\n
Postfix<\/h4>\n
sudo aptitude install postfix postfix-mysql<\/pre>\n
openSSH Server<\/h4>\n
sudo aptitude install openssh-server<\/pre>\n
SASL<\/h4>\n
sudo aptitude install libsasl2-modules libsasl2-modules-sql libgsasl7 libauthen-sasl-cyrus-perl sasl2-bin libpam-mysql<\/pre>\n
ClamAV<\/h4>\n
sudo aptitude install clamav-base libclamav6 clamav-daemon clamav-freshclam<\/pre>\n
Amavis, SpamAssassin, postgrey<\/h4>\n
sudo aptitude install amavisd-new\r\nsudo aptitude install spamassassin spamc\r\nsudo aptitude install postgrey<\/pre>\n
Roundcube<\/h4>\n
sudo aptitude install roundcube roundcube-mysql php-pear php5-cli<\/pre>\n
phpMyAdmin<\/h4>\n
sudo aptitude install phpmyadmin<\/pre>\n
ShoreWall<\/h4>\n
sudo aptitude install shorewall-common shorewall-perl<\/pre>\n
Courier<\/h4>\n
sudo aptitude install courier-base courier-authdaemon courier-authlib-mysql courier-imap courier-imap-ssl courier-ssl<\/pre>\n
Extras<\/h4>\n
sudo aptitude install vim mutt lynx<\/pre>\n
\n
Package status<\/h3>\n
sudo dpkg --list | grep postfix sudo aptitude search postfix<\/pre>\n
Stage One: A simple mail server<\/h2>\n
Firewall<\/h3>\n
Shorewall<\/h4>\n
SSH only<\/h5>\n
sudo cp \/usr\/share\/doc\/shorewall\/default-config\/interfaces \/etc\/shorewall\/\r\nsudo vi \/etc\/shorewall\/interfaces net eth0 detect dhcp,tcpflags,logmartians,nosmurfs<\/pre>\n
sudo cp \/usr\/share\/doc\/shorewall\/default-config\/zones \/etc\/shorewall\/\r\nsudo vi \/etc\/shorewall\/zones<\/pre>\n
fw firewall\r\n# loc ipv4<\/span>\r\nnet ipv4<\/span><\/pre>\nsudo cp \/usr\/share\/doc\/shorewall\/default-config\/hosts \/etc\/shorewall\/\r\nsudo vi \/etc\/shorewall\/hosts # loc eth0:192.168.0.0\/24<\/pre>\n
sudo cp \/usr\/share\/doc\/shorewall\/default-config\/policy \/etc\/shorewall\/\r\nsudo vi \/etc\/shorewall\/policy $FW net ACCEPT\r\n\r\nnet $FW DROP info<\/span>\r\nnet all DROP info<\/span>\r\n# The FOLLOWING POLICY MUST BE LAST<\/span>\r\nall all REJECT info<\/span><\/pre>\nsudo cp \/usr\/share\/doc\/shorewall\/default-config\/routestopped \/etc\/shorewall\/\r\nsudo vi \/etc\/shorewall\/routestopped\r\neth0 0.0.0.0 routeback<\/span><\/pre>\nsudo cp \/usr\/share\/doc\/shorewall\/default-config\/rules \/etc\/shorewall\/\r\nsudo vi \/etc\/shorewall\/rules\r\n\r\nSSH\/ACCEPT net $FW<\/span><\/pre>\nOpen for business?<\/h5>\n
sudo vi \/etc\/shorewall\/rules\r\n\r\nPing\/ACCEPT net $FW<\/span>\r\n# Permit all ICMP traffic FROM the firewall TO the net zone.<\/span>\r\nACCEPT $FW net icmp<\/span>\r\n# Add these for mail services.<\/span>\r\nSMTP\/ACCEPT net $FW<\/span>\r\nSMTPS\/ACCEPT net $FW<\/span>\r\nSubmission\/ACCEPT net $FW<\/span>\r\nIMAP\/ACCEPT net $FW<\/span>\r\nIMAPS\/ACCEPT net $FW<\/span>\r\n# Access for web clients.<\/span>\r\nWeb\/ACCEPT net $FW<\/span><\/pre>\nsudo shorewall check<\/pre>\n
sudo vi \/etc\/default\/shorewall\r\n\r\nstartup=1<\/span><\/pre>\nsudo \/etc\/init.d\/shorewall restart<\/pre>\n