Administration Guide Draft/Mail

= MailServer =

This guide is targeted at a small mail server serving a single domain with a few clients.

Components
Normally a mail server will consist of several components:
 * MTA, message transport agent. This is the core of the mail server, taking mail from clients and relaying/delivering it towards the destination host.
  * Sendmail
  * Postfix
  * Qmail
 * MDA, message delivery agent, responsible for placing arrived mail into the proper mailbox, according to rules.
  * Procmail
 * MUA, mail user agent, the end user's interface for working with the mailbox: reading and composing, and submitting mail to the MTA.
  * kmail
  * evolution
  * mail
  * pine
 * Spam tools, identifying spam
  * Spamassassin
 * Access protocols: IMAP, POP, Webmail
  * IMAP: Dovecot
  * Webmail: Squirrelmail
 * Email security
  * self-signed OpenSSL certificates

If you are behind a NAT-enabled router, the proper port forwarding is also needed.

= Sendmail =

Summary
Purpose: This document covers many of the aspects of configuring and customizing Sendmail.

Audience: This document is designed for anyone wanting to set up Sendmail as an SMTP server.

Assumptions: The Fedora OS is installed, and TCP/IP and DNS are configured. User accounts have been added and the reader has access to the root password. Firewall rules are configured to allow the proper port access. The computer running Fedora has an active Internet connection, and the user has a basic understanding of vi and bash commands.

Related Documents: The InstallGuide documents the basic install of Fedora. The GettingStarted documents the basic use of Fedora and gaining access to the CLI. The DNS assists with configuring DNS for name resolution. UserAccounts documents the steps for creating users and groups.

Lead Writer: MikeDittmeier

Introduction
Sendmail is a message transport agent (MTA), responsible for taking in mail from a mail user agent (MUA) such as KMail or Evolution, and relaying the mail to another host toward the final destination. An MTA also listens for incoming connections and accepts mail from remote hosts. This document will walk through the process of setting up Sendmail for relaying email: first by allowing connections from other computers, and then by securing email transmissions and scanning emails for viruses and even SPAM. Some of the other features covered in this document are distribution lists and redirecting incoming emails to other domains. The section on basic Sendmail configuration is a good start, but each of the following sections can be used by itself or in combination with other sections to add more customization and functionality to Sendmail.

Package Requirements
This article makes use of the following packages found in the Fedora Repository:
 * sendmail, the core package
 * sendmail-cf, contains the configuration files
 * sendmail-doc, contains the docs and man files for Sendmail
 * spamassassin, spam filtering
 * spamass-milter, milter for Sendmail spam filtering
 * clamav, anti-virus application
 * clamav-data, anti-virus application data
 * clamav-lib, anti-virus shared libs
 * clamav-update, anti-virus update scripts
 * clamav-milter, milter for anti-virus

Installing Sendmail
By default Sendmail is already included in most Fedora installations. To verify Sendmail is installed, type the following command:

rpm -q sendmail

This should output the following result:

sendmail-8.14.1-4.2.fc8

If not, then install the Sendmail packages by typing:

su -c 'yum install -y sendmail sendmail-cf sendmail-doc'

For graphical installs, use Main Menu > Add/Remove Software. This requires the root user password to run. In the Browse tab, click on the Servers group on the left, then select the Mail Server option on the right. Click Apply to have the software and all dependencies installed. You can customize what is installed in the Mail Server grouping by clicking on Optional packages.

Connection
Sendmail needs to be connected to the Internet. While it is not impossible to use a dial-up connection (you might lose incoming mail, as remote hosts will be trying to connect while your server is down), normally an always-on Internet connection is needed, preferably with a static IP address. A dynamic IP is also possible with various dynamic DNS services (for instance DynDNS). The default port for Sendmail is 25. If Sendmail takes secure connections, port 465 might be needed (for SSL connections). These ports need to be opened in the firewall (refer to the sections in this guide on firewalls and router NAT). Also, a lot of ISPs block port 25 for spam-reduction purposes; it might take a couple of hours on the phone with ISP tech support to get them to unblock it. Some will do it (ATT for instance), others might refuse.

Configuring Sendmail
Sendmail has several configuration files located in the /etc/mail folder. Below is a list of the most common files:
 * access, host access file
 * domaintable, list of old-domain to new-domain mappings for the mail server
 * local-host-names, list of host names this server is seen as
 * mailertable, table of domains and how to route the email sent to those domains
 * trusted-users, list of users that can send mail on behalf of other users
 * virtusertable, list of users and domains and who to forward email to
 * sendmail.mc, main Sendmail configuration file
 * submit.mc, mail submission settings
 * /etc/aliases (outside /etc/mail), user aliases

Allowing External Connections
By default Sendmail will only accept incoming connections from the localhost or 127.0.0.1 host. The first change to make to the sendmail.mc file will be to allow connections from other hosts. First make a backup of the default sendmail.mc file in case the need to roll back occurs. Open a shell and enter the following command:

su -c 'cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc.bak'

To begin editing sendmail.mc, enter the following command at a shell prompt:

su -c 'vim /etc/mail/sendmail.mc'

The Sendmail configuration file should now be displayed in the vim editor window. Search for the line of text that controls which hosts Sendmail will accept connections from. In the vim editor press the [esc] key, then type:

/Port=smtp

This should highlight the following line in sendmail.mc:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

The line can be changed either by adding dnl to the beginning of the line, or by changing the IP address to the same IP as the server. For simplicity reasons, just comment out the line. Make sure the cursor is at the beginning of the line and press the [esc] key, and then the [i] key to begin inserting text. Add dnl to the beginning of the line. The line should now look like this:

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

With the line commented out, Sendmail listens on all of the server's interfaces. Which remote hosts may then relay mail through it is a separate setting, controlled by the access file (see the Access section below). To make Sendmail start using these settings, apply the changes, and then restart the sendmail daemon. From a shell prompt, type the command:

su -c 'make -C /etc/mail'

The output should be similar to the text below:

make: Entering directory

Restart the sendmail daemon by typing the following text at a shell prompt:

su -c 'service sendmail restart'

The changes are now in effect and Sendmail will allow connections from any IP.

Auto Starting Sendmail
Now that Sendmail is configured to allow connections from other hosts, make sure the daemon starts after system reboots. To accomplish this, simply enter the following command at a shell prompt:

su -c 'chkconfig --level 345 sendmail on'

This tells the daemon to start when in run levels 3, 4, and 5. To verify that the settings have taken place, use the chkconfig and grep commands. Enter the following command at the shell prompt:

su -c 'chkconfig --list | grep sendmail'

The following output should be returned:

sendmail       0:off   1:off   2:on    3:on    4:on    5:on    6:off

Notice that run levels 3, 4, and 5 are listed as on. This means the daemon will start automatically in the desired run levels.

Smart Host
Some Internet Service Providers ('ISP') require all email traffic to be relayed via a specific 'SMTP' server or gateway. This is common for an ISP that provides service to residential customers. To configure 'sendmail' to forward or relay all mail messages via a 'Smart Host', edit '/etc/mail/sendmail.mc' and define a 'smart host'. Enter the following command at a shell prompt to begin:

su -c 'vim /etc/mail/sendmail.mc'

After the 'vi' editor opens, press the [esc] key, then type:

/SMART_HOST

This should take you to the following line in the '/etc/mail/sendmail.mc' file:

dnl define(`SMART_HOST', `smtp.your.provider')dnl

Simply replace 'smtp.your.provider' with the IP address or host name provided by the ISP, and then remove the 'dnl' from the beginning of the line. Here is an example:

define(`SMART_HOST', `mail.bellsouth.net')dnl

Reapply the settings to '/etc/mail/sendmail.mc' and make Sendmail start using these settings the same as before by typing:

su -c 'make -C /etc/mail'
su -c 'service sendmail restart'

Masquerading
To make Sendmail send all outbound email as if it had come from a specific domain instead of user@localhost.localdomain, a few changes need to be made to '/etc/mail/sendmail.mc'. Below is a sample, using mydomain.org as the example domain:

MASQUERADE_AS(`mydomain.org')dnl

Open the file with:

su -c 'vim /etc/mail/sendmail.mc'

After vim opens, search for the line to be modified by pressing the [esc] key then entering the following command:

/MASQUERADE_AS

This finds the first line needing to be modified. Alter the text to match the following:

MASQUERADE_AS(`mydomain.org')dnl

If the line is commented out (dnl at the beginning of the line), make sure to uncomment it. This tells Sendmail to always masquerade as the desired domain, even if the email is sent to other local users on the same server. Search for the next line to modify using the following command:

/masquerade_entire_domain

Uncomment the line by removing the dnl at the beginning of the line. The line should look like:

FEATURE(masquerade_entire_domain)dnl

Scroll down and uncomment the following line:

FEATURE(masquerade_envelope)dnl

Add the following line to sendmail.mc to masquerade all email, including messages sent to local users:

FEATURE(allmasquerade)dnl

Scroll down and uncomment the following line:

MASQUERADE_DOMAIN(`mydomain.org')dnl

Reapply the settings to the sendmail.mc configuration file, and restart the sendmail daemon as follows:

su -c 'make -C /etc/mail'
su -c 'service sendmail restart'

Access
Sendmail allows limiting which hosts or servers have access to relay through the Sendmail server by adding entries to the /etc/mail/access file. This feature is important and a first step in preventing unwanted computers from using the Sendmail server as an open relay and spamming other email systems. The access file has a simple setup of 2 columns. The first column lists the domains or IP addresses to control, and the second column states what permissions or restrictions to place on the entry. Examples of the types of permissions or restrictions are:
 * RELAY, allow relaying
 * REJECT, reject emails, notifying the sender
 * DISCARD, reject email without sending a bounce message

Here is an example access file that allows relaying from localhost and the 192.168.1.0/24 network only (an IP entry with trailing octets left off, such as 192.168.1, matches every address starting with that prefix):

Connect:localhost.localdomain          RELAY
Connect:localhost                      RELAY
Connect:127.0.0.1                      RELAY
Connect:192.168.1                      RELAY

To add support for relaying email from a domain, simply add the domain to the first column, and the permissions to the second column. Here is another example to demonstrate adding RELAY for the mydomain.org domain:

Connect:localhost.localdomain          RELAY
Connect:localhost                      RELAY
Connect:127.0.0.1                      RELAY
Connect:192.168.1                      RELAY
Connect:mydomain.org                   RELAY

To block access to a host that is trying to relay SPAM, add a line for that host with REJECT in the second column, as in the last line of the following access file:

Connect:localhost.localdomain          RELAY
Connect:localhost                      RELAY
Connect:127.0.0.1                      RELAY
Connect:192.168.1                      RELAY
Connect:mydomain.org                   RELAY
Connect:209.62.42.54                   REJECT

This will reject all messages sent from the host and send a bounce message notifying the sender that the mail message was rejected. To accomplish the same thing, but not send a bounce message, modify the second column like the example below:

Connect:localhost.localdomain          RELAY
Connect:localhost                      RELAY
Connect:127.0.0.1                      RELAY
Connect:192.168.1                      RELAY
Connect:mydomain.org                   RELAY
Connect:209.62.42.54                   DISCARD

As with sendmail.mc, run su -c 'make -C /etc/mail' after editing, so that the access.db database Sendmail actually reads is rebuilt from the text file.
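The lookup order Sendmail applies to these Connect: entries is worth seeing concretely. The following Python script is an added example, not part of this guide and not Sendmail's own code: it parses an access file built from the entries above, emulates the most-specific-first matching (so Connect:192.168.1 is shown to cover the whole 192.168.1.0/24 network), and flags RELAY entries broad enough to turn the server into an open relay.

```python
"""Emulate how sendmail consults /etc/mail/access for a connecting host.

Added example, not from the guide or from sendmail itself. Lookup order:
an IP address is tried from most to least specific (192.168.1.77,
192.168.1, 192.168, 192); a host name is tried from the full name down
to each parent domain. The first key found decides the action.
"""

# Constructed access file, taken from the example entries in the text above.
ACCESS_FILE = """\
# host / network                       action
Connect:localhost.localdomain          RELAY
Connect:localhost                      RELAY
Connect:127.0.0.1                      RELAY
Connect:192.168.1                      RELAY
Connect:mydomain.org                   RELAY
Connect:209.62.42.54                   REJECT
"""


def parse_access(text):
    """Return {lower-cased key: ACTION} from the two-column text form."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.split()[0].upper()
    return table


def candidate_keys(client):
    """Keys sendmail tries for a client, most specific first."""
    parts = client.lower().strip(".").split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        # 192.168.1.77 -> 192.168.1.77, 192.168.1, 192.168, 192
        return [".".join(parts[:n]) for n in range(4, 0, -1)]
    # mail.mydomain.org -> mail.mydomain.org, mydomain.org, org
    return [".".join(parts[n:]) for n in range(len(parts))]


def lookup(table, client):
    """Action for a connecting host, or None when no entry applies.

    With no entry sendmail falls back to its default policy: accept mail
    only for its own domains, never relay. Untagged entries (no "Connect:"
    prefix) are also honoured, as sendmail applies them to connections,
    senders and recipients alike.
    """
    for key in candidate_keys(client):
        action = table.get("connect:" + key) or table.get(key)
        if action:
            return action
    return None


def broad_relay_entries(table):
    """RELAY entries covering a single IP octet or a bare top-level domain.

    Such an entry (e.g. "Connect:10 RELAY" or "Connect:com RELAY") lets huge
    address ranges relay through the server: effectively an open relay.
    """
    broad = []
    for key, action in table.items():
        name = key.split(":", 1)[-1]
        if action == "RELAY" and "." not in name and name != "localhost":
            broad.append(name)
    return broad


ACCESS = parse_access(ACCESS_FILE)

if __name__ == "__main__":
    for host in ("192.168.1.77", "209.62.42.54", "209.62.42.55", "mail.mydomain.org"):
        print(host, "->", lookup(ACCESS, host) or "no entry (default policy)")
    print("broad RELAY entries:", broad_relay_entries(ACCESS))
```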

Host Names
Sendmail uses the '/etc/mail/local-host-names' file to determine which domains it manages. To add a domain to the file, open the '/etc/mail/local-host-names' file using the following command:

su -c 'vim /etc/mail/local-host-names'

The file should only contain the default comment line at this point. Press the [o] key to begin inserting a new line, then enter the names of the domains Sendmail should manage. The example below shows an '/etc/mail/local-host-names' with two different domains:

mydomain.org
mydomain.net

Virtual Users
The '/etc/mail/virtusertable' file tells Sendmail what to do with the mail it receives. The file is set up in two columns. The first column is the email address being sent a message. The second column is the local user or email address that you want those messages to go to. Here is an example of receiving email for user1@mydomain.org and forwarding the email to the local user user1:

user1@mydomain.org	user1

To make Sendmail forward all email for the mydomain.org domain to user1, use the following example (the domain must also be listed in local-host-names, as described above, for the table to be consulted):

@mydomain.org	user1

Aliases
The '/etc/aliases' file can be used to redirect email to local users, groups, external email addresses, or even programs. The '/etc/aliases' file has 2 columns of data. The first column is the name of the mail alias. The second column is the user, group, list of users, external email, or application to forward the email to. The '/etc/aliases' file already includes a list of examples by default for most of the daemons and services on the system. After editing it, run newaliases (or su -c 'make -C /etc/mail') so that the aliases.db database is rebuilt. In the example below, an alias called sysadmins will forward email messages to user1, user2, and user3:

sysadmins:	user1,user2,user3
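To see how virtusertable and /etc/aliases combine for an incoming recipient, here is an added example (not part of this guide and not Sendmail's own code). The user1 and sysadmins entries come from the text above; the sales and helpdesk entries are constructed for illustration, and the loop guard stands in for the "aliasing loop" error Sendmail raises when aliases refer back to each other.

```python
"""Emulate sendmail's virtusertable and /etc/aliases resolution.

Added example, not from the guide or from sendmail. virtusertable is
consulted first: an exact "user@domain" entry wins, otherwise a "@domain"
catch-all applies (with %1 standing for the original local part). The result
is then expanded through /etc/aliases, which may name several recipients or
other aliases; the loop guard mirrors sendmail's "aliasing loop" error.
"""

# Constructed tables: the user1 and sysadmins lines come from the text above,
# the sales and helpdesk lines are added here for illustration.
VIRTUSERTABLE = """\
user1@mydomain.org    user1
sales@mydomain.org    sysadmins
@mydomain.org         user1
"""

ALIASES = """\
sysadmins:    user1,user2,user3
helpdesk:     sysadmins, support@example.net
"""


def parse_virtusertable(text):
    """Two whitespace-separated columns: address (or @domain) -> target."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, target = line.split(None, 1)
            table[key.lower()] = target.strip()
    return table


def parse_aliases(text):
    """'name: target, target, ...' lines -> {name: [targets]}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, targets = line.partition(":")
            table[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return table


def virtual_lookup(vtable, address):
    """Rewrite a recipient via virtusertable, or return it unchanged."""
    address = address.lower()
    local, _, domain = address.partition("@")
    if address in vtable:
        return vtable[address]
    catch_all = vtable.get("@" + domain)
    if catch_all is not None:
        return catch_all.replace("%1", local)
    return address


def expand(aliases, recipient, _seen=()):
    """Final recipients for an alias; raise ValueError on an alias loop."""
    name = recipient.lower()
    if "@" in name or name.startswith(("|", "/")) or name not in aliases:
        return {recipient}          # external address, program, file or real user
    if name in _seen:
        raise ValueError("aliasing loop involving %s" % name)
    result = set()
    for target in aliases[name]:
        result |= expand(aliases, target, _seen + (name,))
    return result


def deliver(address, vtable, aliases):
    """Where mail to `address` ends up after both tables are applied."""
    return expand(aliases, virtual_lookup(vtable, address))


VIRT = parse_virtusertable(VIRTUSERTABLE)
ALIAS = parse_aliases(ALIASES)
```

Note that the @mydomain.org catch-all delivers mail for any local part, including addresses that never existed, to user1; a catch-all therefore collects every misaddressed or dictionary-generated message for the domain.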

SSL Encryption
The most common way for any system to be exploited is for a user name and password, transmitted in clear text over the Internet, to be captured. Sendmail can be configured to use TLS and SSL encryption to protect user accounts and passwords. To configure Sendmail with TLS / SSL encryption, edit the '/etc/mail/sendmail.mc' file and make the following changes. Uncomment the following lines:

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl

Save the changes to '/etc/mail/sendmail.mc' and exit the vim editor. The next step is to create a self-signed certificate for Sendmail to use. A certificate can also be purchased from a commercial vendor such as Verisign or Thawte. To begin creating a self-signed certificate, open a shell prompt, and become root by entering the following command:

su -

and entering the root password. Next change to the '/etc/pki/tls/certs' directory. Type 'make sendmail.pem' to begin the cert process. Enter the information for country, state, city, company name, and server name as it is requested. The resulting sendmail.pem holds the private key as well as the certificate, so it must stay readable by root only. When finished, remake the Sendmail configuration files and restart the sendmail daemon as stated earlier in the chapter.

Logging
Sendmail logs its information in the '/var/log/maillog' file. The level of logging is set in the '/etc/mail/sendmail.mc' file. The default level of logging is fine for normal operation of Sendmail but can be changed if the need arises for debugging or troubleshooting. To modify the logging level of Sendmail, open a shell prompt and enter the following command:

su -c 'vim /etc/mail/sendmail.mc'

Find the line that sets the Sendmail logging level by pressing the [esc] key and entering the following text:

/confLOG_LEVEL

The higher the number, the more detail. To enable a specific logging level, uncomment the line by removing the 'dnl' from the beginning of the line, then change '9' to a higher number such as 68. Save the changes to 'sendmail.mc' and, when finished, remake the Sendmail configuration files and restart the sendmail daemon as stated earlier in the chapter.

Mail Statistics
Sendmail saves mail traffic information to the '/var/log/mail/statistics' file. To view the information, at the shell prompt type:

su -c 'mailstats'

This should display results similar to the following regarding server performance:

Statistics from Sun Aug 19 12:01:58 2007
 M   msgsfr  bytes_from   msgsto    bytes_to  msgsrej msgsdis msgsqur  Mailer
 4        3          5K        0          0K        0       0       0  esmtp
 9     1817       4196K     1854       5020K        0       0       0  local
=============================================================================
 T     1820       4201K     1854       5020K        0       0       0
 C     1814                    0                    0

The types of information displayed can be broken down into the following groups:
 * M, the mailer number.
 * msgsfr, number of messages from the mailer.
 * bytes_from, Kbytes from the mailer.
 * msgsto, number of messages to the mailer.
 * bytes_to, Kbytes to the mailer.
 * msgsrej, number of messages rejected.
 * msgsdis, number of messages discarded.
 * Mailer, the name of the mailer.

Dealing with SPAM
The first step in dealing with unwanted or unsolicited email requires another change to the '/etc/mail/sendmail.mc' file. Open 'sendmail.mc' by typing:

su -c 'vim /etc/mail/sendmail.mc'

Press the [esc] key and enter the following to find the line to be modified:

/accept_unresolvable_domains

Comment out the line by adding 'dnl' at the beginning of the line. The line should now look like this:

dnl FEATURE(`accept_unresolvable_domains')dnl

This prevents Sendmail from accepting mail from servers that are not properly set up with DNS on the Internet. The next step is to install and configure a SPAM program. Fedora comes with such a program called SpamAssassin. To see if SpamAssassin is installed, open a shell prompt and enter the following text:

su -c 'rpm -q spamassassin spamass-milter'

If SpamAssassin is installed, the following results should be displayed:

spamassassin-3.2.3-1.fc8
spamass-milter-0.3.1-4.fc8

If SpamAssassin is not installed, enter the following text at the shell prompt:

su -c 'yum -y install spamassassin spamass-milter'

After the installation completes, it's time to configure the applications. SpamAssassin and spamass-milter keep configuration files in the following files and folders:
 * /etc/mail/spamassassin/local.cf, main configuration file
 * /etc/sysconfig/spamassassin, spamd options
 * /etc/sysconfig/spamass-milter, milter configuration settings
 * /etc/procmailrc, system-wide procmail settings

To begin configuring SpamAssassin enter the following command at a shell prompt:

su -c 'vim /etc/mail/spamassassin/local.cf'

This opens the main SpamAssassin configuration file with the following text:

required_hits 5
report_safe 0
rewrite_header Subject [SPAM]

Modify the file to include the following text:

required_score          5.0
rewrite_header subject  [SPAM]
report_safe             2
use_bayes               1
bayes_auto_learn        1
skip_rbl_checks         0
use_razor2              1
use_pyzor               1
ok_locales              en

Now test to make sure SpamAssassin is working. Enter the following text at a shell prompt:

spamc -R </usr/share/doc/spamassassin-*/sample-nonspam.txt

The following output should be displayed:

Spam detection software, running on the system "localhost.localdomain", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: -BEGIN PGP SIGNED MESSAGE- TBTF ping for 2001-04-20: Reviving
  T a s t y B i t s f r o m t h e T e c h n o l o g y F r o n t [...]

Content analysis details:   (0.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
_SUMMARY_

Now configure procmail to run SpamAssassin on all incoming mail. Add the following text to '/etc/procmailrc' using an editor such as vim:

DROPPRIVS=yes
:0fw
| /usr/bin/spamassassin

:0
* ^X-Spam-Status: Yes
$HOME/mail/spam

To configure the final piece, open a shell prompt, and enter the following command:

su -c 'vim /etc/sysconfig/spamass-milter'

This opens up the spamass-milter configuration file. The line of interest looks like this:

#SOCKET=/var/run/spamass-milter/spamass-milter.sock

Uncomment the line '#SOCKET=/var/run/spamass-milter/spamass-milter.sock' by removing the '#'. Save the changes, and use vim to open 'sendmail.mc' again. Insert the following line at the bottom of 'sendmail.mc':

INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl

Save the changes, then rebuild the Sendmail configuration file and restart the sendmail daemon. Start the spamass-milter service by entering the following commands at a shell prompt:

su -c 'chkconfig --level 345 spamass-milter on'
su -c 'service spamass-milter start'

spamass-milter hands each message to the spamd daemon for scoring, so the spamassassin service must be running as well (su -c 'service spamassassin start', and enable it with chkconfig the same way). Verify the milter service is running:

su -c 'pgrep spamass-milter'

This should return the process ids of the spamass-milter processes:

22325
22326

Check the mail log to verify spamass-milter is starting by entering the following text at a shell prompt:

su -c 'tail /var/log/maillog'

There should be an entry similar to the following:

Oct 28 20:25:33 localhost spamass-milter[22326]: spamass-milter 0.3.1 starting

Black Lists
To reduce the amount of SPAM even further, add a DNS blacklist rule such as the following to the end of the '/etc/mail/sendmail.mc' file, then remake the Sendmail config file and restart Sendmail to make all of the changes take effect:

FEATURE(`dnsbl', `relays.ordb.org')dnl

Check that the blacklist zone you configure is still in operation before relying on it: relays.ordb.org itself ceased operation at the end of 2006, and a decommissioned list that starts answering positively for every query will cause Sendmail to reject all incoming mail.

Anti-Virus
ClamAV is an open source anti-virus program that can scan incoming mail messages. ClamAV and clamav-milter are included in Fedora distributions. To check if ClamAV and clamav-milter are installed, run the following command at a shell prompt:

su -c 'rpm -q clamav clamav-milter'

The following will be returned if ClamAV and clamav-milter are installed:

clamav-0.91.2-2.fc8
clamav-milter-0.91.2-2.fc8

If the packages are not installed, run the following command at a shell prompt:

su -c 'yum -y install clamav clamav-milter clamav-data clamav-update'

After the install completes, there are some changes that need to be made to the configuration files. clamav-milter keeps its configuration files in '/etc/clamd.d/milter.conf' and '/etc/sysconfig/clamav-milter'. Open '/etc/clamd.d/milter.conf' using the following command at a shell prompt:

su -c 'vim /etc/clamd.d/milter.conf'

The first change that needs to be made is to comment out the 'Example' line. Press the [esc] key and enter the following search string:

/Example

Comment out the line by placing a '#' at the beginning of the line. Save the changes, and start up clamav-milter by entering the following command at a shell prompt:

su -c 'service clamav-milter start'

To make clamav-milter auto start during system reboots, enter the following command at a shell prompt:

su -c 'chkconfig --level 345 clamav-milter on'

To enable ClamAV signature updates, enter the following command at the command prompt:

su -c 'vim /etc/freshclam.conf'

Comment out the line with the text 'Example' by adding a '#' to the beginning of the line. Save the changes and run the following command at a shell prompt to update the ClamAV data files:

freshclam

The last item to make changes to is 'sendmail.mc'. Open '/etc/mail/sendmail.mc' by entering the following command at a shell prompt:

su -c 'vim /etc/mail/sendmail.mc'

Scroll to the bottom of 'sendmail.mc' and add the following text:

INPUT_MAIL_FILTER(`clamav-milter', `S=local:/var/run/clamav-milter/clamav.sock, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav-milter')dnl

Remake the Sendmail configuration file and restart Sendmail to apply the changes and enable anti-virus scanning. To verify anti-virus scanning is running, run the following command at the shell prompt:

su -c 'tail /var/log/maillog'

The following line should be present in the log file after a mail message has been received:

Milter add: header: X-Virus-Scanned: ClamAV version 0.91.2, clamav-milter version 0.91.2 on localhost.localdomain

= Procmail =

Once the email is accepted by an MTA (e.g. Sendmail) and identified as deliverable to a local mailbox, the message is passed to the MDA (by default procmail), which is responsible for appending it to users' mailboxes.

There are two types of mailboxes:

mbox - the old-school format, which saves all messages in one file (it is the Fedora default). There are some opinions that mbox works poorer with larger mailboxes.

maildir - every message is saved in an individual file. There is an opinion that maildir works slower when accessed through IMAP protocols.

The system-wide config file for procmail is /etc/procmailrc (you might need to create it, if missing). By default one doesn't have to do anything for procmail to do its job. However, two typical reasons for a custom procmail configuration are:
 * Use of Spamassassin: Spamassassin needs to be called by procmail, for which the following needs to be included in /etc/procmailrc:

:0 fw
* < 128000
| /usr/bin/spamc

The above instructs procmail to divert all messages smaller than 128 KB to Spamassassin for spam identification. You might want to use a larger or smaller size criterion depending on the strength of your box and the intensity of spam; usually spammers avoid larger messages, and Spamassassin, being Perl-based, is somewhat of a resource hog.

Spamassassin only identifies email as spam; it is procmail again that needs to handle the spam-identified message according to messaging rules, as discussed next:

:0:
* ^X-Spam-Status: Yes
$HOME/mail/Junk

 * Custom messaging rules. The advantage of using procmail for message processing is that any rule is executed at the server, not the client. For instance:

:0:
* ^X-Spam-Status: Yes
$HOME/mail/Junk

:0:
* ^From.*annoy\.com
$HOME/mail/Junk

We have two separate messaging rules above. The first checks whether the message contains the earmark from Spamassassin. If positive, instead of the default (delivery to your inbox) the message is delivered to a separate folder, Junk.

The second rule checks if the email has been From: a certain domain, in which case it is also diverted to the Junk folder instead of the default.

A single messaging rule consists of three parts. The first line, :0:, instructs procmail to pass the message to a certain test and listen back for the result (the trailing colon asks procmail to lock the destination mailbox while delivering). The next line specifies the test; regular expressions can be used here. Finally, the third line describes the action if the test is positive; often you indicate the delivery destination to a separate folder.

Bring the above options together and you get a typical /etc/procmailrc:

:0 fw
* < 128000
| /usr/bin/spamc

:0:
* ^X-Spam-Status: Yes
$HOME/mail/Junk

:0:
* ^From.*annoy\.com
$HOME/mail/Junk
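To check what such a procmailrc does to a given message without delivering real mail, here is an added example (not part of this guide and not procmail itself): a small evaluator for exactly the recipe shapes used above. It walks the recipes in order, applies the size test and the header regular expressions, records which filter program the message would have been piped through, and reports the folder the message ends up in.

```python
"""Minimal evaluator for the procmail recipes used in this section.

Added example, not from the guide and not procmail itself. Supports a ':0'
line with flags, '* regex' (case-insensitive, header block only) and '* < N'
size conditions, and a folder path or '| program' action; programs are only
recorded, and a filter recipe (flag f) lets the message continue.
"""
import re

# Constructed system-wide procmailrc, assembled from the recipes shown above.
PROCMAILRC = r"""
DROPPRIVS=yes

:0 fw
* < 128000
| /usr/bin/spamc

:0:
* ^X-Spam-Status: Yes
$HOME/mail/Junk

:0:
* ^From.*annoy\.com
$HOME/mail/Junk
"""

# Constructed messages: one tagged by Spamassassin, one from the blocked domain, one clean.
SPAM_MSG = "From: someone@example.com\nTo: user1@mydomain.org\nX-Spam-Status: Yes, score=9.1\nSubject: [SPAM] hi\n\nbody\n"
ANNOY_MSG = "From: news@annoy.com\nTo: user1@mydomain.org\nSubject: newsletter\n\nbody\n"
CLEAN_MSG = "From: friend@example.org\nTo: user1@mydomain.org\nSubject: lunch\n\nbody\n"


def parse_recipes(text):
    """Return (variable assignments, [(flags, [conditions], action), ...])."""
    assignments, recipes = {}, []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith(":0"):
            flags = line[2:].strip(": ")          # ':0 fw' -> 'fw', ':0:' -> ''
            conds = []
            i += 1
            while i < len(lines) and lines[i].startswith("*"):
                conds.append(lines[i][1:].strip())
                i += 1
            action = lines[i] if i < len(lines) else ""
            recipes.append((flags, conds, action))
        elif line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            assignments[key.strip()] = value.strip()
        i += 1
    return assignments, recipes


def condition_holds(cond, headers, size):
    """Evaluate one '*' condition against the header block and message size."""
    m = re.match(r"^([<>])\s*(\d+)$", cond)
    if m:
        limit = int(m.group(2))
        return size < limit if m.group(1) == "<" else size > limit
    negate = cond.startswith("!")
    pattern = cond[1:].strip() if negate else cond
    hit = re.search(pattern, headers, re.IGNORECASE | re.MULTILINE) is not None
    return hit != negate


def deliver(rc_text, message):
    """Return (destination, [filter programs applied]) for one message."""
    assignments, recipes = parse_recipes(rc_text)
    headers = message.split("\n\n", 1)[0]
    size = len(message.encode())
    filters = []
    for flags, conds, action in recipes:
        if not all(condition_holds(c, headers, size) for c in conds):
            continue
        if action.startswith("|"):
            filters.append(action[1:].strip())
            if "f" in flags:                       # filter: message keeps going
                continue
            return action, filters                 # piped away: delivered
        return action, filters                     # first matching folder wins
    return assignments.get("DEFAULT", "$DEFAULT"), filters
```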

If one prefers to have the maildir format instead of mbox, procmailrc can do that:

DEFAULT=$HOME/Maildir/
MAILDIR=$HOME/Maildir/

The above will cause procmail to deliver to the user's home folder in maildir format (the trailing slash is what tells procmail that the destination is a maildir rather than an mbox file). By default delivery is to an individual mbox file per user in /var/spool/mail.

In general procmail automatically creates any folders it needs for delivery if they don't exist.

Finally, beyond the system-wide procmailrc config, every user can define individual rules, which need to be placed into the $HOME/.procmailrc file. Individual files have exactly the same syntax as the system-wide file above. Again, any rule will be executed by the mail server (that is, by procmail while delivering email), before the client sees the message. There is some overlap between .procmailrc and .forward files, as some rules can equally validly be included in both.