Wayne Catterton wrote:
Hi,
I currently have an old qmail toaster (customized some) setup. I have been
wanting to build a new mail server for a while, and just finally got around to
doing it. My old system is set up with qmail, vpopmail, squirrelmail, spam
assassin, smtpauth, autorespond, qmailadmin, vqadmin, clamav, courier-imap,
daemontools, ezmlm, qmail mrtg, ucspi-tcp, qmail-scanner, and tmda. At any
rate, I'm getting quite a bit of spam coming through, and it seems that people
sending mail to my servers ignore the TMDA, so the user ends up having to look
in the pending queue and release messages and such, so I've decided that TMDA
has to go.
Upon looking for what I wanted in a new mail system, I started with the qmail
route again (but I wanted to make the install easier), so I looked at
qmailrocks, started getting it set up, then ran into problems, and not much
help, so I junked it, and installed qmailtoaster (I have to say it was an easy
install, and I got everything working and up quickly), however I find myself
dizzy and confused when figuring out how everything is working, and configs are
scattered throughout the system.
One of the things I really want to implement is Dspam. I've been reading a lot
about it, and decided that I really want to have it on my mail system, and I
was unable to really implement it the way I wanted on the qmailtoaster and
documentation is slim.
So I looked at alternative MTAs and found postfix. It looks like it's exactly
what I'm looking for, however I am not sure on what all I need to install to
keep the mail system fairly secure and protected. So I started looking through
installation documentation for various setups, and so far, I've decided I
wanted: postfix, dovecot (imap and pop3), dspam (of course), virtual
users/domains (mysql setup), clamav, sasl (smtpauth), mysql, Mailman,
squirrelmail, and some kind of GUI frontend (I saw postfix admin and I think
that will do it).
What I'm wondering is if I missed something, is there something vital I missed as far as security/mail processing?
Also as far as dspam, do you have any recommendations? I've looked through
documentation on it, however it can be fairly complex. I know I want to have a
spam and nospam address for users to forward email to, maybe set up some
spam/nospam IMAP folders as well (to be used from squirrelmail as another
mechanism).
Here is a suggestion. adjust as you like.
Note: go step by step. at each step, only a few changes are done (no big
bang). after testing, "commit" (backup for instance) and document (txt
is enough).
- install dovecot. use maildir as mailbox format, mysql as a backend, a
single uid for all the mailstore (per mailbox uid is a little tricky,
though feasible if you have an understanding of setuid and unix
permissions).
http://wiki.dovecot.org/HowTo
test that it works: either copy messages from some maildir you have or
use dovecot deliver to deliver a new message (copy paste a message from
your MUA for that).
- install postfix. (from a package or from prepackaged source or from
the "original" sources, depending on your system and preferences)
* make sure it has dovecot auth (should be the default). you can test
with 'postconf -a'. (if your postfix will need to act as a client to
another MTA with authentication, you also need cyrus-sasl. but
cyrus-sasl seems to cause trouble to many people).
* make sure it has mysql and pcre (optional, but...). you can test
with 'postconf -m'.
* make sure it's built with openssl (and not gnutls)
- start with a basic config and test it by sending some messages
http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html
(no mysql or any fancy stuff for now)
- configure postfix for virtual users (use hash to store the few test
users for now)
http://www.postfix.org/VIRTUAL_README.html#virtual_mailbox
- configure postfix to deliver with dovecot LDA
http://wiki.dovecot.org/LDA
- configure postfix to use mysql.
http://www.postfix.org/DATABASE_README.html
http://www.postfix.org/MYSQL_README.html
the workaround howto may be used for "inspiration":
http://workaround.org/articles/ispmail-etch/
- configure smtpd sasl and TLS. test.
http://www.postfix.org/SASL_README.html#server_sasl
http://www.postfix.org/TLS_README.html
http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
(TLS will allow you to use plain text passwords, which are widely
implemented and easy to setup).
- install clamav, spamassassin and amavisd-new. even if you won't use
these in the future, it's good to get comfortable with content filters
and amavisd-new is a good example.
http://www.postfix.org/FILTER_README.html
http://www.ijs.si/software/amavisd/README.postfix.html
- if you don't want to use amavisd-new, install clamsmtp to call clamav.
- install dspam and configure it in relay mode (will take mail via lmtp
and forward it via smtp). since you already played with amavisd-new, you
know how such a content filter works and how to play with. but you need
to configure dspam.
http://dspamwiki.expass.de/Installation/Postfix/RelayStepByStep
http://dspam.nuclearelephant.com/text/relay-howto.txt
for questions regarding dspam, please ask on the dspam users list.
- if you want to keep spamassassin (you can use both SA and dspam by
chaining amavisd-new and dspam, that is: smtpd:25 -> amavisd-new ->
smtpd:xyz -> dspam -> smtpd:zyx), use sa-update to update the rules.
include channels you find useful. in particular, the JM Sought rules.
SARE has many rules but you'll need to select the ones that are safe in
your environment. for questions regarding SA, use the spamassassin users
list.
- add webmail (squirrel, roundcube, ...)
There is no support for postfixadmin here (postfixadmin has its own
list). if you ask questions, GUI functionality and specificities will be
ignored.
Whenever you have time, visit
http://www.postfix.org/documentation.html
for some reading. you can also get a copy of the Book of Postfix.
For troubleshooting, read
http://www.postfix.org/DEBUG_README.html
If you need help, read
http://www.postfix.org/DEBUG_README.html#mail
before posting (this will tell you what info you need to show).
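As an added example, not code from the list post, from Postfix or from Dovecot: a small POSIX shell audit of the "configure smtpd sasl and TLS. test." step above, together with the "postconf -a" / "postconf -m" checks the reply asks for. The point of that step is that SMTP AUTH with PLAIN/LOGIN is only safe when the session is TLS-protected first, so the audit reads a main.cf and flags smtpd_sasl_auth_enable = yes without smtpd_tls_security_level and smtpd_tls_auth_only = yes. The two main.cf samples, the file names under the temporary directory, and the postconf listings are constructed here; no live Postfix is needed to run it.

```shell
#!/bin/sh
# Added example (not from the list post or the Postfix project): audit the
# SASL/TLS combination recommended above and check the plugin support that
# 'postconf -a' / 'postconf -m' would report. All inputs are constructed.

# Value of one main.cf parameter: comments and blank lines are ignored and
# the last assignment wins, as in Postfix (continuation lines not handled).
cf_get() {  # cf_get FILE PARAM
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Does a 'postconf -a' or 'postconf -m' listing (one name per line) contain
# the given plugin or map type?  has_plugin LISTING NAME
has_plugin() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# Audit one main.cf. Prints findings; returns 0 when SMTP AUTH is either off
# or only offered after TLS (smtpd_tls_auth_only = yes), 1 otherwise.
audit_sasl_tls() {  # audit_sasl_tls FILE
    cf="$1"; rc=0
    if [ "$(cf_get "$cf" smtpd_sasl_auth_enable)" != "yes" ]; then
        echo "$cf: SMTP AUTH disabled, nothing to check"
        return 0
    fi
    case "$(cf_get "$cf" smtpd_tls_security_level)" in
        may|encrypt) ;;
        *) echo "$cf: AUTH enabled but smtpd_tls_security_level is not may/encrypt"
           rc=1 ;;
    esac
    if [ "$(cf_get "$cf" smtpd_tls_auth_only)" != "yes" ]; then
        echo "$cf: smtpd_tls_auth_only != yes, passwords may be sent in clear"
        rc=1
    fi
    # Backend choice is not a security finding, only noted.
    if [ "$(cf_get "$cf" smtpd_sasl_type)" != "dovecot" ]; then
        echo "$cf: note: smtpd_sasl_type is not dovecot"
    fi
    return $rc
}

# Constructed sample inputs (file names are hypothetical).
WORK=$(mktemp -d)
WEAK_CF="$WORK/weak.cf"
HARD_CF="$WORK/hardened.cf"

# Constructed: AUTH is on, but nothing forces TLS before it.
cat > "$WEAK_CF" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_security_level = none
EOF

# Constructed: the combination the reply describes (cert paths hypothetical).
cat > "$HARD_CF" <<'EOF'
# plain-text mechanisms are acceptable because AUTH is only offered over TLS
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
EOF

# Constructed stand-ins for 'postconf -a' and 'postconf -m' output.
POSTCONF_A="cyrus
dovecot"
POSTCONF_M="btree
cidr
hash
mysql
pcre
regexp"

# Run the audit on both samples and report the build features.
for f in "$WEAK_CF" "$HARD_CF"; do
    if audit_sasl_tls "$f"; then echo "$f: OK"; fi
done
has_plugin "$POSTCONF_A" dovecot && echo "dovecot SASL backend available"
has_plugin "$POSTCONF_M" mysql && echo "mysql map type available"
has_plugin "$POSTCONF_M" pcre && echo "pcre map type available"
```

On a real server, replace the two heredocs with the live main.cf (or `postconf -n` output) and the listings with the real `postconf -a` and `postconf -m` output; the checks themselves stay the same.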