
Email Server CentOS (6.3)

The following is a document on installing Postfix, Cyrus IMAP/POP, and the Web-Cyradm administration tool on CentOS 6.3 (current version as of 10NOV2012).

Install CentOS in the usual manner

I installed the current version of CentOS, using the CentOS-minimal ISO.

Prepare and Install Packages

Set networking parameters in the following files
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/resolv.conf
/etc/sysconfig/network

Disable SELinux

Edit /etc/sysconfig/selinux (a symlink to /etc/selinux/config) and set the policy to disabled:
SELINUX=disabled

This removes a mandatory access control layer from the whole host. If you would rather keep it, set SELINUX=permissive instead: denials are then logged to /var/log/audit/audit.log but not enforced, so you can see what the non-standard paths used below (imapd-local.conf, the Web-Cyradm tree under /var/www/html) would trigger before deciding. Either setting takes effect at the next reboot.

/etc/hosts

Add your servername and ip address to the hosts file

10.20.30.40  mailsrv.yourmailserver.com

Install extra repositories

rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

The URL is specific to EL6 on x86_64 and to this release of the package; adjust it if yours differs. rpm will only warn (NOKEY) about this first download because the EPEL key is not yet imported, so fetch it from the project's own server as shown rather than from a mirror you do not control. The release package installs the EPEL signing key and a repo file with gpgcheck=1, so everything installed from EPEL afterwards is signature-checked by yum.

Update System

Perform a system update
yum -y update

Install Packages

yum install postfix cyrus-imapd cyrus-sasl-plain cyrus-sasl-md5 cyrus-sasl-gssapi mysql-server pam_mysql httpd mod_ssl phpmyadmin spamassassin php-pear-DB wget

Check that this Postfix build has MySQL map support:

postconf -m

The list printed must include mysql; the lookup tables created below depend on it.

Configuration

MySQL Configuration


Let's start with the MySQL configuration. First, start the daemon:
service mysqld start

On first start it suggests setting a root password. Run the secure-installation script, which sets the root password, removes the anonymous accounts and the test database, and disables remote root login; all of this is a good idea on a mail host, so do it:
/usr/bin/mysql_secure_installation

Then make sure it starts at boot time:
chkconfig mysqld on

phpMyAdmin Access

Edit the phpMyAdmin.conf file located in /etc/httpd/conf.d/:
vi /etc/httpd/conf.d/phpMyAdmin.conf

The Allow from 10.20.30.102 lines below are the additions; everything else is as shipped. Use the address of the workstation you administer from, not the server's own address, so phpMyAdmin is reachable from nowhere else. CentOS 6 ships Apache 2.2, so the <IfModule !mod_authz_core.c> blocks are the ones in effect here; the Apache 2.4 blocks are left as shipped and still allow only localhost.

<Directory /usr/share/phpMyAdmin/>
   <IfModule mod_authz_core.c>
     # Apache 2.4
     <RequireAny>
       Require ip 127.0.0.1
       Require ip ::1
     </RequireAny>
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     Allow from 10.20.30.102
     Allow from 127.0.0.1
     Allow from ::1
   </IfModule>
</Directory>

<Directory /usr/share/phpMyAdmin/setup/>
   <IfModule mod_authz_core.c>
     # Apache 2.4
     <RequireAny>
       Require ip 127.0.0.1
       Require ip ::1
     </RequireAny>
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     Allow from 10.20.30.102
     Allow from 127.0.0.1
     Allow from ::1
   </IfModule>
</Directory>

Start the Apache web server and enable it at boot:

service httpd start
chkconfig httpd on

Next the host firewall is turned off:

service iptables stop
chkconfig iptables off

With iptables off, MySQL, phpMyAdmin, Web-Cyradm and the loopback-only Cyrus admin instances are protected by nothing but their own bind addresses and passwords. Do this at most while you are setting up on an isolated network; before the server is reachable from anywhere else, re-enable iptables with a ruleset that opens only the mail ports to the world and SSH/HTTPS to your admin address.
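Instead of disabling iptables, here is a ruleset that keeps the firewall up and opens only what this build needs, as an added example (not part of the original page). It assumes the admin workstation is 10.20.30.102, the address the page lets into phpMyAdmin, and that SSH and the HTTPS admin tools should be reachable only from there; the mail ports are open to all, and MySQL, HTTP and ManageSieve stay closed.

```shell
#!/bin/sh
# Host firewall for the mail server as an alternative to "service iptables stop".
# Added example; not part of the original page. The output is in the format
# /etc/sysconfig/iptables uses on CentOS 6, so the iptables init script loads it.
# Assumption: the admin workstation (10.20.30.102 in this page's examples) is the
# only host allowed to reach SSH and the HTTPS admin tools.

mail_host_rules() {            # $1 = admin host or CIDR
    admin=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: Web-Cyradm talks to the admin-only imaplocal/sievelocal instances on 127.0.0.1
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# administration (SSH, phpMyAdmin and Web-Cyradm over HTTPS) only from the admin host
-A INPUT -p tcp -s $admin --dport 22 -j ACCEPT
-A INPUT -p tcp -s $admin --dport 443 -j ACCEPT
# mail: SMTP, SMTPS, POP3(S), IMAP(S) open to the world.
# MySQL (3306), HTTP (80) and ManageSieve (4190) are deliberately left closed.
-A INPUT -p tcp -m multiport --dports 25,465,110,995,143,993 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Write the ruleset where the CentOS 6 iptables init script reads it, load it,
# and make sure the service comes back at boot (the page turns it off).
install_mail_host_rules() {    # $1 = admin host or CIDR; run as root
    mail_host_rules "$1" > /etc/sysconfig/iptables
    chmod 600 /etc/sysconfig/iptables
    service iptables restart
    chkconfig iptables on
}
```

Run install_mail_host_rules 10.20.30.102 as root from the console or from the admin host, since any other connection is cut off by the INPUT policy; use a CIDR such as 10.20.30.0/24 as the argument if you administer from several machines.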

Use a web browser to reach phpMyAdmin over HTTPS at your server's address, for example:

https://10.20.30.227/phpmyadmin/

Log in as root with the password you set in mysql_secure_installation. Expect a certificate warning: mod_ssl installs with a self-signed certificate for localhost.

Cyrus Configuration

A helper script referenced by the original page is fetched with:

wget https://www.dropbox.com/s/rphdin6aw7ay7xm/mailfilecreate-CentOS6.3v0.2.sh

It comes from a personal Dropbox account over a link whose content can change at any time; read the script and compare it with the edits below before running it, and never pipe it straight into a shell.

/etc/rc.d/init.d/cyrus-imapd

Leave as is for now

/etc/cyrus.conf

In the SERVICES section, add and modify entries so that it contains the following lines. Replace $ipaddr with your server's local IP address.

Each network-facing service gets a twin bound to 127.0.0.1 that loads /etc/imapd-local.conf; that file is the only one with an admins: entry, so the cyrus administrator can only authenticate over loopback, which is where Web-Cyradm on the same host connects from. The -s flag puts imapd and pop3d into TLS-wrapper mode, so both imaps instances need it.

  imap        cmd="imapd" listen="$ipaddr:imap" prefork=0
  imaplocal   cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
  imaps       cmd="imapd -s" listen="$ipaddr:imaps" prefork=0
  imapslocal  cmd="imapd -s -C /etc/imapd-local.conf" listen="127.0.0.1:imaps" prefork=0
  pop3        cmd="pop3d" listen="pop3" prefork=0
  pop3s       cmd="pop3d -s" listen="pop3s" prefork=0
  sieve       cmd="timsieved" listen="$ipaddr:sieve" prefork=0
  sievelocal  cmd="timsieved -C /etc/imapd-local.conf" listen="127.0.0.1:sieve" prefork=0

/etc/imapd.conf

The imapd.conf file looks like this when it is installed.
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking: af13

It needs to look like this when finished. Change the servername: line to your server's fully qualified host name (the name clients connect to, and the one you will put in the certificate later). Note allowplaintext: yes, which lets clients authenticate with PLAIN over an unencrypted connection; the setup relies on it until the TLS section at the end, after which it should be changed to no in both imapd.conf and imapd-local.conf so that passwords only travel inside TLS.

postmaster: postmaster
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
# admins: cyrus # no admins!
allowanonymouslogin: no
allowplaintext: yes
altnamespace: yes
sasl_mech_list: PLAIN
servername: mailsrv.lazypaddle.com
autocreatequota: 100000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
#hashimapspool: true
sieve_maxscriptsize: 32
sieve_maxscripts: 5
#unixhierarchysep: yes
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking: af13

/etc/pam.d/imap , pop , sieve , smtp

Append the following two lines to each of these files:
/etc/pam.d/imap
/etc/pam.d/pop
/etc/pam.d/sieve
/etc/pam.d/smtp

Replace $mysqlconn, $mysqluser, $mysqlpasswd and $mysqldb with the values from the MySQL configuration section, or set them as shell variables first: inside the double quotes the shell expands them, and an unset one silently becomes an empty string.

echo "
auth sufficient  pam_mysql.so verbose=0 host=$mysqlconn user=$mysqluser passwd=$mysqlpasswd db=$mysqldb table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time

account required pam_mysql.so verbose=0 host=$mysqlconn user=$mysqluser passwd=$mysqlpasswd db=$mysqldb table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time
" >> /etc/pam.d/imap

Repeat for pop, sieve and smtp. Two things to note: crypt=1 makes pam_mysql compare against crypt(3) hashes, so the password column must be written in that format (check that Web-Cyradm's conf.php uses the matching scheme, otherwise every login fails); and these four files now contain the database password in clear, so make them mode 600 (only saslauthd, which runs as root, needs to read them).

/etc/imapd-local.conf

Copy imapd.conf to imapd-local.conf:
cp /etc/imapd.conf /etc/imapd-local.conf
In the copy, uncomment the admins line, from:
# admins: cyrus # no admins!
to:
admins: cyrus

Only the loopback-bound instances in cyrus.conf load this file, so this is the only place where the cyrus administrator is granted rights; the network-facing instances run with no admins at all. Keep the two files otherwise identical, and remember to apply later changes (such as the TLS paths at the end of this document) to both.





Postfix Configuration

The three lookup tables below contain the MySQL credentials. The Postfix daemons that query them run as the postfix user, so after creating them set owner root, group postfix and mode 640 (chown root:postfix, chmod 640); files created with the default umask are world-readable.

/etc/postfix/mysql-virtual.cf

Create the following file, changing the relevant data:
touch /etc/postfix/mysql-virtual.cf
echo "
#
# mysql config file for alias lookups on postfix
# comments are ok.
#

# the user name and password to log into the mysql server
hosts = $mysqlconn
user = $mysqluser
password = $mysqlpasswd

# the database name on the servers
dbname = $mysqldb

# the table name
table = virtual

#
select_field = dest
where_field = alias
additional_conditions = and status = '1'
" >> /etc/postfix/mysql-virtual.cf

/etc/postfix/mysql-canonical.cf

Create the following file, changing the relevant data
touch /etc/postfix/mysql-canonical.cf
echo "
# mysql config file for canonical lookups on postfix
# comments are ok.
#

# the user name and password to log into the mysql server
hosts = $mysqlconn
user = $mysqluser
password = $mysqlpasswd

# the database name on the servers
dbname = $mysqldb

# the table name
table = virtual
#
select_field = alias
where_field = username
# Return the first match only
additional_conditions = and status = '1' limit 1
" >> /etc/postfix/mysql-canonical.cf

/etc/postfix/mysql-mydestination.cf

Create the following file, changing the relevant data
touch /etc/postfix/mysql-mydestination.cf
echo "
# mysql config file for local domain (like sendmail's sendmail.cw) lookups on postfix
# comments are ok.
#

# the user name and password to log into the mysql server
hosts = $mysqlconn
user = $mysqluser
password = $mysqlpasswd

# the database name on the servers
dbname = $mysqldb

# the table name
table = domain
#
select_field = domain_name
where_field = domain_name
" >> /etc/postfix/mysql-mydestination.cf

Master.cf
Uncomment the following 2 lines in the /etc/postfix/master.cf file:

cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}

Perform the following via command line:

postconf -e "mydestination = mysql:/etc/postfix/mysql-mydestination.cf"
postconf -e "mailbox_transport = cyrus"
postconf -e "virtual_alias_maps = hash:/etc/postfix/virtual, mysql:/etc/postfix/mysql-virtual.cf"
postconf -e "sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf"
postconf -e "smtpd_sasl_auth_enable = yes"
postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"
postconf -e "smtpd_sasl_security_options = noanonymous"
postconf -e "smtpd_sasl_local_domain = "
postconf -e "broken_sasl_auth_clients = yes"
postconf -e "inet_interfaces = all"
echo "pwcheck_method: saslauthd" > /usr/lib/sasl2/smtpd.conf
postmap /etc/postfix/virtual
postalias /etc/aliases

Two points to check here. reject_unauth_destination is what stops the server relaying for clients that are neither authenticated nor listed in mynetworks; mynetworks defaults to the server's own subnet, so set it explicitly (for example to 127.0.0.0/8 only) if the LAN is not fully trusted. And on x86_64 the SASL library looks for its configuration in /usr/lib64/sasl2, so smtpd.conf must be written there rather than to /usr/lib/sasl2, or Postfix will not see it.

If you have a relay server that you want to use then add as needed:
postconf -e "relayhost = your.relayhost.com"


Install and Configure Web-Cyradm

Install Web-Cyradm

www.web-cyradm.org appears to be down as of 8-30-14.  I found the version required and placed it in dropbox.

cd /var/www/html/
wget https://www.dropbox.com/s/beushynjazyvkgc/web-cyradm-svn-0.5.5.tar.gz
tar -zxvf web-cyradm-svn-0.5.5.tar.gz
mv web-cyradm-svn-0.5.5 webcyr

This is an unsigned archive from a third-party file share, unpacked straight into the document root, where Apache serves everything in it (including the scripts/ directory you are about to put passwords into). List the archive with tar -tzf before extracting, look at what it contains, and do not extract anything you have not inspected as root.

Configure Web-Cyradm

Change to the scripts directory:

cd /var/www/html/webcyr/scripts

Set the password for the system user "cyrus"; you will need it later in the configuration:

passwd cyrus

Edit the following files to your specs.

insertuser_mysql.sql sets up the MySQL account (and database) that Web-Cyradm uses; edit it to reflect the user and password for accessing your MySQL database:

vi insertuser_mysql.sql

create_mysql.sql builds the tables; at the bottom of this script, set the password for the web admin account and for the cyrus user:

vi create_mysql.sql

Load the first as the MySQL root user and the second as the account it created (the defaults are database mail and user mail; adjust if you changed them):

mysql -u root -p < /var/www/html/webcyr/scripts/insertuser_mysql.sql 
mysql mail -u mail -p < /var/www/html/webcyr/scripts/create_mysql.sql

These SQL files now contain passwords and sit inside the web root; remove them, or deny web access to the scripts directory, once they have been loaded.

cd ../config
cp conf.php-dist conf.php

Edit this file to reflect the values for your MySQL database and the cyrus user:

vi conf.php

Start the daemons

service postfix start                                           
service cyrus-imapd start
service saslauthd start
chkconfig postfix on
chkconfig cyrus-imapd on
chkconfig saslauthd on


WebCyradm Usage

Log into your Web-Cyradm installation via:

https://your-ip-address.com/webcyr

Use HTTPS (mod_ssl is installed); over plain http the admin password crosses the network in clear. If you did not change them in create_mysql.sql, the default credentials are
username: admin
password: test
and they should be changed before the server is reachable by anyone else.

You need to add your server's full domain name as a virtual domain or errors will occur.
If you have a domain like lazypaddle.com and your server name is mailsrv.lazypaddle.com but you want to receive mail at lazypaddle.com, then both domains must be entered for the system to work properly.

Final Cleanup Items

Ensure the following startup at boot time

cyrus-imapd
httpd
postfix
saslauthd

Set up TLS/SSL , STARTTLS

Cyrus IMAP Configuration:


Start by generating your certificate. Work in a directory only root can read (here a new ssl directory under root's home). Request a 2048-bit key and SHA-256 explicitly rather than relying on the openssl.cnf defaults, and answer the Common Name prompt with the exact host name clients will use (the servername: value in imapd.conf), otherwise clients will report a name mismatch on top of the self-signed warning.

mkdir ssl
cd ssl
openssl req -new -nodes -newkey rsa:2048 -sha256 -out req.pem -keyout key.pem
openssl x509 -in req.pem -out ca-cert -req -signkey key.pem -sha256 -days 2999

# for Cyrus IMAP/POP: one file, key first then certificate
cat key.pem ca-cert > /var/lib/imap/server.pem
chown cyrus:mail /var/lib/imap/server.pem
chmod 600 /var/lib/imap/server.pem # it contains the private key
rm key.pem

Point Cyrus at the new file:

echo tls_ca_file: /var/lib/imap/server.pem >> /etc/imapd.conf
echo tls_cert_file: /var/lib/imap/server.pem >> /etc/imapd.conf
echo tls_key_file: /var/lib/imap/server.pem >> /etc/imapd.conf

Now comment out or delete the original entries for the certificates in /etc/imapd.conf. You cannot have two entries for the same option in this file.

#/etc/imapd.conf
#tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
#tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
#tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt

Make the same three changes in /etc/imapd-local.conf, which the loopback instances read instead, and once TLS is confirmed working set allowplaintext: no in both files.

Restart your cyrus mail daemon
service cyrus-imapd restart

Testing

I used Mozilla Thunderbird with the following options:
IMAP(s)

STARTTLS:
    Port: 143
    Security Connection: STARTTLS
    Authentication Mode: Normal

SSL/TLS
    Port : 993
    Security Connection: SSL/TLS
    Authentication Mode: Normal

Confirm the security exception for the self-signed certificate, but only after checking that the fingerprint Thunderbird shows matches the certificate you generated.

POP3(s)

STARTTLS:
    Port: 110
    Security Connection: STARTTLS
    Authentication Mode: Normal

SSL/TLS
    Port : 995
    Security Connection: SSL/TLS
    Authentication Mode: Normal

Confirm the security exception here as well, again after comparing the fingerprint: a client that accepts any self-signed certificate cannot tell your server from something intercepting the connection.
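As an added example (not the page author's commands), the following generates the server certificate in the way a current client expects and produces the fingerprint to compare before confirming a security exception. Compared with the openssl steps above, it keeps key and certificate in separate files, fixes the key size and digest instead of relying on openssl.cnf defaults, and adds a subjectAltName. The host name mailsrv.yourmailserver.com is taken from the /etc/hosts step; the output directory and the 825-day validity are assumptions.

```shell
#!/bin/sh
# Self-signed certificate for the mail host, plus the fingerprint check a client
# should make before trusting it. Added example, not the page author's commands.
# Assumed host name: mailsrv.yourmailserver.com (from this page's /etc/hosts entry).

# Subshell body, so the umask change stays local to this function.
gen_mail_cert() (              # $1 = FQDN, $2 = output dir, $3 = validity in days
    fqdn=$1; out=$2; days=$3
    umask 077                                   # key file is created owner-only
    cfg=$(mktemp)
    # Minimal req config: non-interactive subject plus the extensions a TLS
    # server certificate should carry (SAN is what current clients match on).
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[dn]
CN = $fqdn
[v3]
subjectAltName   = DNS:$fqdn
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    # 2048-bit RSA, SHA-256, unencrypted key (the daemons start unattended).
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
        -config "$cfg" -keyout "$out/$fqdn.key" -out "$out/$fqdn.crt" 2>/dev/null
    rm -f "$cfg"
    chmod 600 "$out/$fqdn.key"
    chmod 644 "$out/$fqdn.crt"                  # the certificate itself is public
)

cert_fingerprint() {           # $1 = certificate file -> SHA-256 fingerprint AA:BB:...
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# What a server actually presents; run this from the client side. For the
# TLS-wrapped ports (993, 995, 465) leave $3 empty; for STARTTLS on 143, 110
# or 25 pass imap, pop3 or smtp.
served_fingerprint() {         # $1 = host, $2 = port, $3 = STARTTLS protocol or empty
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -starttls "$3" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" </dev/null 2>/dev/null
    fi | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}
```

Run gen_mail_cert mailsrv.yourmailserver.com /root/ssl 825 on the server, then either concatenate key and certificate into /var/lib/imap/server.pem as the page does or point tls_key_file and tls_cert_file (and the smtpd_tls_* equivalents) at the two files. Record cert_fingerprint /root/ssl/mailsrv.yourmailserver.com.crt; from a client, served_fingerprint mailsrv.yourmailserver.com 993 (or ... 143 imap) must print the same value before you tell Thunderbird to trust the certificate.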

Postfix Configuration:


We are going to reuse the certificate generated above. If you prefer a separate one for SMTP, generate it with the same steps, place it in /etc/postfix and adjust the paths below.

cp /var/lib/imap/server.pem /etc/postfix/smtpcert.pem
chown root:root /etc/postfix/smtpcert.pem
chmod 600 /etc/postfix/smtpcert.pem

The file holds the private key as well as the certificate, so it must not be world-readable (mode 644). Postfix reads the key while its daemons are still starting as root, so root-only access is sufficient.

Now modify the /etc/postfix/master.cf file

Uncomment the following two lines:

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes

Add the following to the /etc/postfix/main.cf file:

smtp_tls_CAfile = /etc/postfix/smtpcert.pem
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_tls_CAfile = /etc/postfix/smtpcert.pem
smtpd_tls_cert_file = /etc/postfix/smtpcert.pem
smtpd_tls_key_file = /etc/postfix/smtpcert.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_security_level = may

smtpd_tls_security_level = may offers STARTTLS without requiring it (the two *_CAfile lines pointing at your own self-signed certificate are harmless but serve no purpose). To force every client to always use TLS you could set the last line to:
smtpd_tls_security_level = encrypt
Be aware that port 25 also receives mail from other servers, some of which do not do TLS, so encrypt in main.cf will make them fail to deliver to you. The better option is to keep may, and add smtpd_tls_auth_only = yes so that AUTH is only offered after STARTTLS: clients that authenticate are then always encrypted (those on port 465 already are, because of wrappermode), while other MTAs can still deliver in clear.

After configuration restart the Postfix daemon:
service postfix restart

Testing 

I used Mozilla Thunderbird with the following options:

SMTP(s)

STARTTLS

    Port : 25
    Security Connection: STARTTLS
    Authentication Mode: Normal

SSL/TLS
    
    Port : 465
    Security Connection: SSL/TLS
    Authentication Mode: Normal
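To check the settings that matter most in this build once everything is in place, here is a small audit script, an added example and not the page author's code. It covers the points raised throughout this page: the Postfix mysql-*.cf files and any PEM file holding a private key must not be readable by others, smtpd_recipient_restrictions must still contain reject_unauth_destination, both imapd.conf and imapd-local.conf should set allowplaintext: no once TLS is in use, and every cyrus.conf instance that loads imapd-local.conf must be bound to 127.0.0.1. The paths are the ones used on this page; each check takes explicit arguments, so it can be pointed at a staged copy of the tree as well as the live host.

```shell
#!/bin/sh
# Post-install audit of the security-relevant settings this page touches.
# Added example, not the page author's script. Each check takes the file or
# value to inspect as an argument; audit_tree "" runs against the live host,
# audit_tree /srv/stage against a copy. Returns 0 = pass, 1 = finding. Nothing is modified.

# Secret-bearing files must not be readable by "other": mysql-*.cf may be
# group-readable (group postfix); a private key must be owner-only.
secret_mode_ok() {             # $1 = file, $2 = "owner" or "group"
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$2:$mode" in
        owner:?00 | owner:??00) return 0 ;;         # 600, 400, 700, 4600 ...
        group:?[0-4]0 | group:??[0-4]0) return 0 ;; # 640, 440, 600 ...
    esac
    return 1
}

# A PEM file that carries "PRIVATE KEY" must be owner-only whatever its name
# (this page stores key and certificate together in server.pem and smtpcert.pem).
private_key_protected() {      # $1 = PEM file
    [ -r "$1" ] || return 1
    grep -q 'PRIVATE KEY' "$1" || return 0
    secret_mode_ok "$1" owner
}

# Relay control: without reject_unauth_destination (or defer_unauth_destination)
# in smtpd_recipient_restrictions the server relays for anyone.
relay_guard_ok() {             # $1 = value of smtpd_recipient_restrictions
    case "$1" in
        *reject_unauth_destination* | *defer_unauth_destination*) return 0 ;;
    esac
    return 1
}

# Cyrus: once TLS is set up, plaintext logins on unencrypted sessions should be
# refused. Require an explicit "no" rather than trusting the compiled-in default.
imapd_plaintext_disabled() {   # $1 = imapd.conf or imapd-local.conf
    [ -r "$1" ] || return 1
    val=$(sed -n 's/^[[:space:]]*allowplaintext:[[:space:]]*//p' "$1" | tail -n 1)
    case "$val" in no | 0 | off | f | false) return 0 ;; esac
    return 1
}

# cyrus.conf: every instance that loads imapd-local.conf (the only config with
# admins: set) must listen on 127.0.0.1, or the admin account is on the network.
admin_instances_loopback_only() {  # $1 = cyrus.conf
    [ -r "$1" ] || return 1
    grep 'imapd-local.conf' "$1" | grep -v '^[[:space:]]*#' |
        grep -qv 'listen="127\.0\.0\.1:' && return 1
    return 0
}

main_cf_value() {              # $1 = main.cf, $2 = parameter (last assignment wins)
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1
}

audit_tree() {                 # $1 = path prefix, "" for the live system
    root=${1:-}; rc=0
    for f in "$root"/etc/postfix/mysql-virtual.cf "$root"/etc/postfix/mysql-canonical.cf \
             "$root"/etc/postfix/mysql-mydestination.cf; do
        secret_mode_ok "$f" group || { echo "FINDING: $f readable by others (holds the DB password)"; rc=1; }
    done
    for f in "$root"/var/lib/imap/server.pem "$root"/etc/postfix/smtpcert.pem; do
        [ -f "$f" ] || continue
        private_key_protected "$f" || { echo "FINDING: $f holds a private key but is not owner-only"; rc=1; }
    done
    relay_guard_ok "$(main_cf_value "$root"/etc/postfix/main.cf smtpd_recipient_restrictions)" ||
        { echo "FINDING: smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)"; rc=1; }
    for f in "$root"/etc/imapd.conf "$root"/etc/imapd-local.conf; do
        imapd_plaintext_disabled "$f" || { echo "FINDING: $f does not set allowplaintext: no"; rc=1; }
    done
    admin_instances_loopback_only "$root"/etc/cyrus.conf ||
        { echo "FINDING: an imapd-local.conf instance in cyrus.conf is not bound to 127.0.0.1"; rc=1; }
    return $rc
}
```

On the live host, main_cf_value reads main.cf directly; postconf -h smtpd_recipient_restrictions gives the same answer and also resolves defaults, so prefer it when checking by hand. The plaintext check deliberately fails on an imapd.conf that still says allowplaintext: yes, which is how the file is left after the Cyrus section and must be changed once TLS works.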


Dale Hartung,
Nov 10, 2012, 2:43 PM