13. Mail server

Warning: This chapter needs some verification. The main guidelines are valid, but the details may need refinement.

Introduction

Back in the day I used to be a big fan of qmail. However, lately that has changed. Qmail certainly has its merits: it is simple, it is secure and it delivers to maildirs, to name just a few. DJ Bernstein, the author of qmail, is a legendary and controversial figure in the world of open source, and he surely has bright ideas about everything.

But even though it has merits, it has drawbacks too. It has not been updated for years. If you ever need to do anything special that qmail does not do, you need to apply patches and recompile qmail. DJ Bernstein will then, however, refuse to give any support whatsoever, because it is not an official distribution. Of course this is not always handy. If you want to do SMTP authentication, enable TLS or do lots of other things, you need patches and are thus left on your own with it. But that is just geek chat. Back to what you do need to know.

There is another package which has gained a lot of popularity and which drew my attention because Apple has included it in Mac OS X since 10.3. It's called Postfix, and it fulfills all our needs, and more.

First of all, we want maildir storage for our mails. Plainly said, this means one mail is stored as one file. This sounds like it should be evident, but it isn't. Traditionally, mail servers on Unix systems stored all your mail in one big file, with the messages separated merely by a special character. This is called mbox format, and it is still used by a variety of applications, Apple Mail to name just one. With mbox, try writing a script that injects each of your mail messages into gmail, for example. Or try to do some advanced searching on your mail that is not supported by your mail client.

All of these requirements are met by the Postfix mail server. It can store mail in maildir format and is not too difficult to configure. It has a Webmin interface, of which we will only use the basic features.

Installation

Installation is the usual sudo apt-get install postfix. For convenience, I've put a couple of screenshots with some explanations on what to answer.


Figure 13.1: Warning explaining the various setups (press OK)

Figure 13.2: Which kind of setup would you like... (answer Internet With Smarthost)

Figure 13.3: Mail for the root user should go to... (answer is the main user)

Figure 13.4: The hostname portion of the address... (accept default answer)

Figure 13.5: Append domain for outgoing mail... (answer NO)

Figure 13.6: Smarthost outgoing mail... (answer your ISP's SMTP server's name)

Figure 13.7: Final destination for this machine is... (accept default)

Figure 13.8: Synchronous updates ... (answer YES)

And we're done. Personally, I think that's a couple of questions too many, but maybe that's to do with taking all these screenshots.

There are more programs that need installation, so here we go for another series: sudo apt-get install courier-imap-ssl will install an IMAP mailserver, and will only ask one question:


Figure 13.9: Create directories for web-based administration... (answer NO)


One more package is needed, fetchmail-ssl. The -ssl suffix is because it is necessary to be able to connect to POP-servers that require a secure connection for the password. On top of that, the normal fetchmail has an annoying bug that sometimes gives an error message when connecting to the server. So, fetchmail-ssl is better. This one does not ask any questions, so just sudo apt-get install fetchmail-ssl.

There are some post-installation instructions to this section. When adding a new user, the Maildir directory will need to be created. Therefore, it is handy to create it in the skeleton that is copied to the home directory when a new user is added. This can be done with the command sudo maildirmake /etc/skel/Maildir. You will also need to do this for every user already known to the system. This actually means you will need to do this for the main user you configured at Knoppix installation time, since we haven't added any other users yet.

Another thing we need to do is make sure that all daemons are started at boot time. For fetchmail this means some extra setup because it is not really happy to be run in daemon mode. We will need to force it a bit. You can change the fetchmail settings in /etc/default/fetchmail to have SERVICE set to true and to have RUNASROOT set to true. This should suffice to have it automatically started up at boot time.

The same goes for the courier authdaemon, which is necessary for the courier IMAP server to be able to authenticate any user. So, we issue the command sudo update-rc.d courier-authdaemon defaults to get the authentication daemon started up at boot time.

Verifying and Adapting the Settings

Now we will manually verify and adapt all these settings. To do this, we have a Webmin control panel at hand: in the Servers section, the Postfix Configuration panel. As can be seen from this panel, the user interface is elaborate. Too elaborate for us: we will only need a couple of categories.


Figure 13.10: The Postfix elaborate Configuration Panel


We need to do a couple of things. First of all, the default settings don't allow any computer on the local network to use this server as an SMTP server. This could be OK if the local users each set the SMTP server of their mail client to the SMTP server of the ISP, and the firewall were adapted accordingly. But it would be far handier for them to use this knoppixbox as their SMTP server. This will later allow for archiving of mail, virus checking of mail, etc.

So, we add the local network, 192.168.1.0/24, to the "Local Networks" setting in the "General Options" section. Clients in the networks listed here are allowed to relay mail through the server, so keep the list to your own LAN. While we're at it, take a look at the exquisite help provided here. Each setting has a link which will open a popup window with some explanation of the setting. Sometimes this can be very helpful! Don't forget to "Save and Apply" this setting.

Another thing we need to change is the "Home-relative pathname of user mailbox file" in the "Local Delivery" section. We will change this to "Maildir/", with the very important slash at the end. The slash makes sure we get maildir delivery. This setting will immediately change the "home_mailbox" setting in the /etc/postfix/main.cf file. So, every home directory will have its own Maildir directory, in which mails are delivered and stored.

My ISP at least, and with spam growing explosively more and more ISPs, will not accept mail from kristof@knoppixbox. Since we are using a simple LAN, there is no Fully Qualified Domain Name with which our knoppixbox can be reached. So, mail with the From address set to kristof@knoppixbox will not be delivered. It is not always interesting, but sometimes the knoppixbox will generate mail messages. If we don't make sure these e-mail messages get through our ISP's mail server, they will get lost. So, we need Canonical Maps, in Postfix terminology, to change this e-mail address to something that can be replied to.

And, you wouldn't have expected it, there is a Configuration Panel called "Canonical Mapping" to do just this. We will change the setting of "Address mapping lookup tables" to point to the file /etc/postfix/canonical. With the Edit Canonical Maps button we can change the canonical maps known to the Postfix system. There, we set a valid e-mail address for every user that can generate e-mail on the knoppixbox. That is, if you plan on running scheduled commands or something like that, you need to provide a mapping that will translate root@knoppixbox to something that will get the e-mail through your ISP and, should the e-mail be undeliverable, is also a valid return address.

This is what my canonical mapping configuration panel looks like and this is what my canonical maps look like. If you would like to receive the messages generated by your knoppixbox, make sure to set it to something similar, in which every e-mail address @coin-c is valid and any e-mail address @ghandi is not.
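A quick check of the three main.cf settings changed in this section, as an added example that is not part of the original chapter. It assumes Webmin's "Local Networks" and "Address mapping lookup tables" fields write Postfix's mynetworks and canonical_maps parameters; the sample configuration and the function names are constructed for illustration.

```sh
# Constructed sample in the "name = value" form of main.cf and `postconf -n`.
# The hash: table type and the missing slash are assumptions for the demo.
SAMPLE='mynetworks = 127.0.0.0/8, 192.168.1.0/24
home_mailbox = Maildir
canonical_maps = hash:/etc/postfix/canonical'

# Print the value of parameter $1 found in config text $2.
get_param() {
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Succeed only if every mynetworks entry lies within loopback or RFC 1918
# space; anything wider lets hosts outside the LAN relay through the box.
networks_are_private() {
    [ -n "$1" ] || return 1
    for net in $(printf '%s' "$1" | tr ',' ' '); do
        bits=${net#*/}; [ "$bits" != "$net" ] || bits=32
        case "$net" in
            "[::1]/128"|"[::ffff:127.0.0.0]/104") continue ;;
            127.*|10.*) min=8 ;;
            172.1[6-9].*|172.2[0-9].*|172.3[01].*) min=12 ;;
            192.168.*) min=16 ;;
            *) return 1 ;;
        esac
        [ "$bits" -ge "$min" ] 2>/dev/null || return 1
    done
    return 0
}

# audit_main_cf TEXT: print one line per finding; exit status = finding count.
audit_main_cf() {
    problems=0
    networks_are_private "$(get_param mynetworks "$1")" ||
        { echo "mynetworks unset or wider than the LAN"; problems=$((problems + 1)); }
    case "$(get_param home_mailbox "$1")" in
        ?*/) ;;
        *) echo "home_mailbox lacks the trailing slash: mbox, not maildir"; problems=$((problems + 1)) ;;
    esac
    case "$(get_param canonical_maps "$1")" in
        ?*:/*) ;;
        *) echo "canonical_maps does not name a lookup table"; problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

audit_main_cf "$SAMPLE" || echo "findings: $?"
```

On the server itself, the live settings can be checked with audit_main_cf "$(postconf -n)".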

Letting users POP their e-mail

Of course, this does not help us much as we are on a cheap subscription and our ISP will only let us POP e-mail. Well, that's what you think. Since we've installed this fetchmail-ssl tool, we can let the users configure their e-mail pop addresses as much as they like. All they need to do is start the Usermin interface and add an e-mail address to pop and fetchmail will pop it for them and deliver it in their Maildir. So, the users can read it.

Now, reading your mail from an internal network can be done using various methods. There could have been an installation of webmail, but in general that is clumsy to use and not always what you want. It could be added later on in this document, though, because having webmail around is a handy feature anyway. But for now, we will go with another viable solution: reading your mail via the IMAP protocol.

IMAP is a protocol like POP3 to read mail, but one which lets you read mail on the client without moving it from the server. This way, both client and server retain copies of the e-mail and only a synchronization is necessary every time we connect to our mailbox.

This is extremely handy when reading on different clients, and is also very handy when trying to back up the mails. You can back up on your client, or you can back up on your server, depending on your preference.

Note:
todo.... figure out how to set canonical maps per user?
todo.... explain thoroughly how to configure the e-mail client
todo.... fetchmail configuration needs more work to be done!

Firewall Configuration

In this section too, we have made some assumptions for which you need to change your firewall. This table sums up a valid configuration for your mail server firewall.

| Action | Source | Destination | Protocol | Source ports | Destination ports | Comment |
|--------|--------|-------------|----------|--------------|-------------------|---------|
| Accept | Firewall | Zone Net | TCP | Any | 25 | Allow the knoppixbox to send mail to the upstream SMTP server. |
| Accept | Zone Local | Firewall | TCP | Any | 25 | Allow local clients to use the knoppixbox as an SMTP server. |
| Accept | Zone Local | Firewall | TCP | Any | 993 | Allow the local clients to read e-mail via IMAP. |
| Accept | Firewall | Zone Net | TCP | Any | 110 | Allow the knoppixbox to pop mail for the users that want to use fetchmail to pop their mail. |

Updated 2004-11-05 23:24:59 +0100 (Fri, 05 Nov 2004)

Author: Kristof Van Landschoot

Summary: We will install a mailserver, which will forward all our mail to our ISP and will fetch all the users' mailboxes, providing an IMAP server to read them.

Copyright 2003-2004 Coin-C bvba. Questions, Comments, Corrections? Email knoppix@coin-c.com.