Installing a mail server on Red Hat Enterprise Linux 4
I had previously set up an email server using the same components, but on Red Hat Linux 7.3. It has run flawlessly for nearly 4 years, undergoing only minor updates, but the time had come to switch to a faster server with more storage.
For this new setup, I've now used Red Hat Enterprise Linux 4, but with many updated and custom packages.
The chosen components:
- Postfix - My personal favourite.
- Dovecot - The postfix of POP/IMAP servers.
- Spamassassin - To identify and tag most of the spam received.
- Postgrey - To stop most spam from ever being received.
- SpamPD - To interface spamassassin with postfix.
- ClamSMTP - To interface ClamAV with postfix.
- OpenLDAP - To store all user information.
Too much theory? Not enough eye candy? Take a peek at the screenshot!!
Postfix configuration:
- Configuration changes in main.cf:
I added the hostname I wanted my server to use:
myhostname = mx1.whatever.ext
mydomain = whatever.ext
myorigin = $myhostname
I also changed it to listen on all network interfaces:
inet_interfaces = all
I allowed some external networks to relay (remote offices):
mynetworks = $config_directory/mynetworks
To have SMTP AUTH working, I've used the new feature where one can simply use a socket dovecot opens for postfix:
# Auth stuff
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
And to also have TLS (encryption) working:
# TLS stuff
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
Now for the virtual domain configuration, I added the following (see below for the files). Note that I previously had the setup wrong, changing the main aliases and making it impossible to configure the aliases file properly or even deliver emails to files. Note also that you do not need to add the ldap-domains to the virtual-domains file, as they're implicitly included.
# Virtual aliases
virtual_alias_domains = hash:/etc/postfix/virtual-domains
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_domains = hash:/etc/postfix/ldap-domains
virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailbox.cf
virtual_mailbox_base = /data/vmail
virtual_uid_maps = static:500
virtual_gid_maps = static:500
I also increased the maximum allowed message size from 10MB to 50MB:
# 50MB message limit
message_size_limit = 51200000
Now, the restrictions:
# Block bogus stuff
smtpd_sender_restrictions = reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/sender_access
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service unix:postgrey/socket
body_checks = regexp:/etc/postfix/body_checks
header_checks = regexp:/etc/postfix/header_checks
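To see how the smtpd_recipient_restrictions list above is applied, here is an added Python model (not the page's own code, and not Postfix source) of the first-match walk smtpd performs at RCPT TO; the network list, domain tables, access map entry and client addresses are constructed samples. It also shows why reject_unauth_destination must stay in the list: without it, an unauthenticated outsider can relay once greylisting has let a retry through.

```python
import ipaddress

# Constructed stand-ins for the mynetworks file, domain tables and recipient_access map.
MYNETWORKS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "192.168.1.1/32", "192.168.32.1/32")]
LOCAL_DOMAINS = {"whatever.ext", "subdomain.whatever.ext", "other-ldap-dom.ext"}
RECIPIENT_ACCESS = {"noreply@whatever.ext": "REJECT"}

# The article's smtpd_recipient_restrictions, in the order given.
ARTICLE_ORDER = ["permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination",
                 "check_recipient_access", "check_policy_service"]

def _postgrey(client, seen):
    """Greylisting stand-in: defer a never-seen triplet, let retries pass."""
    triplet = (client["ip"], client["sender"], client["rcpt"])
    if triplet in seen:
        return "DUNNO"
    seen.add(triplet)
    return "DEFER"

def evaluate(client, restrictions=ARTICLE_ORDER, seen=None):
    """Walk the list like smtpd(8): the first answer other than DUNNO decides,
    an exhausted list means accept. Returns (action, restriction that decided)."""
    seen = set() if seen is None else seen
    ip = ipaddress.ip_address(client["ip"])
    rcpt = client["rcpt"].lower()
    domain = rcpt.rsplit("@", 1)[1]
    for name in restrictions:
        if name == "permit_sasl_authenticated":
            result = "PERMIT" if client.get("sasl_user") else "DUNNO"
        elif name == "permit_mynetworks":
            result = "PERMIT" if any(ip in n for n in MYNETWORKS) else "DUNNO"
        elif name == "reject_unauth_destination":
            result = "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"
        elif name == "check_recipient_access":
            result = RECIPIENT_ACCESS.get(rcpt, "DUNNO")
        else:  # check_policy_service, i.e. the postgrey socket
            result = _postgrey(client, seen)
        if result != "DUNNO":
            return result, name
    return "PERMIT", "end of list"

def is_open_relay(restrictions):
    """Would an unauthenticated stranger relay to a foreign domain? Tried twice so greylisting cannot mask it."""
    stranger = {"ip": "203.0.113.7", "sender": "a@example.net", "rcpt": "b@example.org"}
    seen, action = set(), "DUNNO"
    for _ in range(2):
        action, _decider = evaluate(stranger, restrictions, seen)
    return action == "PERMIT"
```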
And finally:
# Make nobody redirect to /dev/null work
allow_mail_to_files = alias
The content of the /etc/postfix/ldap-mailbox.cf file:
server_host = ldap://myldapserver
version = 3
search_base = ou=users,o=myorg,dc=whatever,dc=ext
query_filter = (&(objectClass=posixAccount)(mail=%s))
result_attribute = homeDirectory
result_format = %s/Maildir/
domain = hash:/etc/postfix/ldap-domains
bind_dn = uid=postfix,ou=daemons,o=myorg,dc=whatever,dc=ext
bind_pw = mybindpass
- Configuration changes in master.cf:
Last, here I changed postfix's master.cf to send to ClamSMTP and be able to get the messages back in through port 10027 once they've also gone through SpamPD:
# Send to ClamSMTP on port 10025, which then sends to Spampd on 10026
smtp inet n - n - - smtpd -o content_filter=smtp:127.0.0.1:10025
# Then finally get everything back through port 10027
127.0.0.1:10027 inet n - n - 20 smtpd
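As an added check (illustration, not the article's or Postfix's code), the following Python parses the two master.cf entries above and flags the three misconfigurations that matter for this chain: inbound mail that never reaches the content_filter, a reinjection listener that is not bound to loopback, and a reinjection listener that filters again and loops mail. The embedded master.cf text is a constructed copy of the entries above.

```python
# Constructed copy of the two master.cf entries from the article.
MASTER_CF = """\
# Send to ClamSMTP on port 10025, which then sends to Spampd on 10026
smtp      inet  n  -  n  -  -   smtpd -o content_filter=smtp:127.0.0.1:10025
# Then finally get everything back through port 10027
127.0.0.1:10027 inet n  -  n  -  20  smtpd
"""

def parse_master_cf(text):
    """One dict per service; a line starting with whitespace continues
    the previous entry's command arguments (master(5) syntax)."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            services[-1]["args"].extend(line.split())
            continue
        f = line.split()
        services.append({"name": f[0], "type": f[1], "command": f[7],
                         "args": f[8:]})
    return services

def overrides(service):
    """Collect the '-o name=value' settings of one entry."""
    args, opts = service["args"], {}
    for i in range(len(args) - 1):
        if args[i] == "-o" and "=" in args[i + 1]:
            key, value = args[i + 1].split("=", 1)
            opts[key] = value
    return opts

def check_filter_chain(text, reinject="127.0.0.1:10027"):
    """Report chain problems: unscanned inbound mail, an exposed reinjection port, or a loop."""
    problems = []
    entries = {s["name"]: s for s in parse_master_cf(text)
               if s["type"] == "inet" and s["command"] == "smtpd"}
    inbound = entries.get("smtp")
    if inbound is None or not overrides(inbound).get("content_filter"):
        problems.append("port 25 smtpd has no content_filter: mail skips ClamSMTP/SpamPD")
    back = entries.get(reinject)
    if back is None:
        problems.append("no reinjection listener " + reinject)
    else:
        if not reinject.startswith(("127.", "localhost:")):
            problems.append("reinjection port is not bound to loopback")
        if overrides(back).get("content_filter"):  # "-o content_filter=" (empty) is fine
            problems.append("reinjection listener filters again: mail loop")
    return problems
```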
- Additional files:
Relaying access control through /etc/postfix/mynetworks:
# Loopback
127.0.0.0/8
# Office 1
192.168.1.1
# Office 2
192.168.32.1
Domains which will trigger LDAP lookups, /etc/postfix/ldap-domains (a right-hand value is required by the hash table but its content is not used):
whatever.ext foo
subdomain.whatever.ext bar
other-ldap-dom.ext you-need-a-bogus-right-value
Virtual domains in /etc/postfix/virtual-domains:
# No need to put the ldap domains here again
virtual-alias-domain.whatever.ext foo
other-virtual-domain.ext bar
And the aliases in /etc/postfix/virtual:
root@whatever.ext user@whatever.ext
foo@other-virtual-domain.ext user@whatever.ext
Last, don't forget to change the "root:" line in /etc/postfix/aliases.
Dovecot configuration:
- Changes to /etc/dovecot.conf:
I changed logging to be to a separate file instead of syslog, since everything would get logged to /var/log/maillog otherwise:
log_path = /var/log/dovecot.log
I configured the path where to find the users' mailboxes, the %h being replaced by the homeDirectory attribute of the LDAP entry:
mail_location = maildir:/data/vmail%h/Maildir
For performance reasons, use hardlinks (no NFS on this setup):
maildir_copy_with_hardlinks = yes
In the "auth default" section, add digest-md5 to the auth mechanisms:
mechanisms = plain digest-md5
Comment out the "passdb pam" section, since we won't be needing it, and uncomment the "passdb ldap" section, adding only this line:
args = /etc/dovecot-ldap.conf
Similarly, comment out the "userdb passwd" section and uncomment the "userdb ldap" section, adding the same line again:
args = /etc/dovecot-ldap.conf
For the authentication, replace "root", which isn't needed for LDAP lookups, with a non-privileged account. I used "nobody" since nothing else on the server uses that account:
user = nobody
For the SMTP AUTH to work trivially from postfix, we create a unix socket which will be used for user authentication. This way we only need to configure user authentication in one place and avoid all the SASL configuration postfix would need otherwise (this is still inside the "auth default" section):
socket listen {
  client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
  }
}
- New /etc/dovecot-ldap.conf file:
I've added the /etc/dovecot-ldap.conf file, based on the example one found in the documentation, in order to get LDAP authentication to work with dovecot. The only attributes used are uid, homeDirectory and userPassword.
hosts = myldapserver
dn = uid=dovecot,ou=daemons,o=myorg,dc=whatever,dc=ext
dnpass = mybindpass
ldap_version = 3
base = ou=users,o=myorg,dc=whatever,dc=ext
deref = never
scope = subtree
user_attrs = uid,homeDirectory,,uid,,
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid,userPassword
user_global_uid = 500
user_global_gid = 500
All the other settings are the defaults. These include having both POP3 and IMAP enabled, with TLS using the same certificates we also used for postfix.
Spamassassin configuration:
Nothing is required to have spamassassin operational, just enable and run the "spampd" service. You can configure the behaviour by editing the usual "/etc/mail/spamassassin/local.cf" file. Note that you do not need to run the basic spamd, and that you can use "sa-learn" as the "spampd" user in order to teach your local installation what is spam and what is ham.
Clam Antivirus configuration:
Enable and run both the "clamsmtp" and "clamd.smtp" services. Everything should be properly pre-configured. For the automatic virus definitions update, you'll need to comment out the "Example" line from "/etc/freshclam.conf".
OpenLDAP configuration:
This is probably the most lengthy part of the setup if you're not familiar with LDAP in general. I wasn't initially, and spent a lot of time figuring things out the first time, as the whole LDAP protocol and the OpenLDAP implementation are quite rough around the edges, or at least I think so.
I won't detail my schema here, it's pretty standard, and can easily be guessed from the entries used all along. To add users to the database, I use phpldapadmin with a custom template.
The end!
I hope this will have been useful. Please do not contact me directly for help, use mailing-lists instead, but do let me know if you see any mistakes or possible improvements to the document or the setup itself.
Last of all... for Red Hat Enterprise Linux 4, all the software mentioned above and all its dependencies can be found in the testing section (please let me know if any dependencies are missing).
Here are the packages used at time of initial writing (November 2006):
- postfix-2.3.4-0.1.el4
- dovecot-1.0-0.1.rc12.el4
- spamassassin-3.1.7-0.el4
- clamav-0.88.6-0.el4
- spampd-2.30-2.el4
- clamsmtp-1.8-1.el4
- postgrey-1.27-1.el4
- openldap-2.2.13-6.4E