Email Server CentOS (6.3)

docs‎ > ‎

Email Server CentOS (6.3)

The following is a Document on installing Postfix, Cyrus IMAP/POP, and the Webcyradm Administration tool on CentOS 6.3 (Current Version as of 10NOV2012)

Contents
1 Install CentOS in the usual manner
2 Prepare and Install Packages
2.1 Disable SELinux
3 Configuration
3.1 MySQL Configuration
3.2 Cyrus Configuration
3.3 Postfix Configuration
4 Install and Configure Web-Cyradm
4.1 Install Web-Cyradm
4.2 Configure Web-Cyradm
4.3 WebCyradm Usage
5 Final Cleanup Items
6 Set up TLS/SSL , STARTTLS
6.1 Cyrus IMAP Configuration:
6.2 Postfix Configuration:

Install CentOS in the usual manner

I installed the current version of CentOS. I used the CentOS-minimal ISO

Prepare and Install Packages

Set networking parameters in the following files

/etc/sysconfig/network-scripts/ifcfg-eth0

/etc/resolv.conf

/etc/sysconfig/network

Disable SELinux

Edit the /etc/sysconfig/selinux file. Set the SELinux policy to disabled

SELINUX=disabled

/etc/hosts

Add your servername and ip address to the hosts file

10.20.30.40 mailsrv.yourmailserver.com

Install extra repositories

rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

Update System

Perform a system update

yum -y update

Install Packages

yum install postfix cyrus-imapd cyrus-sasl-plain cyrus-sasl-md5 cyrus-sasl-gssapi mysql-server pam_mysql httpd mod_ssl phpmyadmin spamassassin php-pear-DB wget

Check Mysql support with the following command

postconf -m

Configuration

MySQL Configuration

Lets start with MySQL configuration, First lets start it up

service mysqld start

After you start it for the first time it suggests that you set the root password. We will run MySQL secure server script. I think this is a good idea, so lets do it

/usr/bin/mysql_secure_installation

Then make sure it starts at boot time

chkconfig mysqld on

Create Database

Edit the phpMyAdmin.conf file located in /etc/httpd/conf.d/

vi /etc/httpd/conf.d/phpMyAdmin.conf

Add the following lines as indicated in bold. Allow phpMyAdmin to be accessed from your IP Address

<Directory /usr/share/phpMyAdmin/>
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAny>
Require ip 127.0.0.1
Require ip ::1
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from All
Allow from 10.20.30.102
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory><Directory /usr/share/phpMyAdmin/setup/>
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAny>
Require ip 127.0.0.1
Require ip ::1
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from All
Allow from 10.20.30.102
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>

Start up the apache webserver and disable the firewall

service httpd start
chkconfig httpd on
service iptables stop
chkconfig iptables off

Use a web browser and navigate to your servers IP address to access phpMyAdmin

https://10.20.30.227/phpmyadmin/

Use the username root and password set while creating the MySQL secure installation

Cyrus Configuration

Lazy config

wget https://www.dropbox.com/s/rphdin6aw7ay7xm/mailfilecreate-CentOS6.3v0.2.sh

/etc/rc.d/init.d/cyrus-imapd

Leave as is for now

/etc/cyrus.conf

For SQUAT errors in logs : http://forum.open-xchange.com/archive/index.php/t-1129.html

Find the relevant section and add and modify the following lines.

Replace $ipaddr with your servers local IP Address

    imap          cmd="imapd" listen="$ipaddr:imap" prefork=0
  imaplocal     cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
  imaps         cmd="imapd -s" listen="$ipaddr:imaps" prefork=0
  imapslocal    cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imaps" prefork=0
  pop3          cmd="pop3d" listen="pop3" prefork=0
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
  sieve         cmd="timsieved" listen="$ipaddr:sieve" prefork=0
  sievelocal    cmd="timsieved -C /etc/imapd-local.conf" listen="127.0.0.1:sieve" prefork=0

/etc/imapd.conf

The imapd.conf file looks like this when it is installed.

configdirectory: /var/lib/imap

partition-default: /var/spool/imap

admins: cyrus

sievedir: /var/lib/imap/sieve

sendmail: /usr/sbin/sendmail

hashimapspool: true

sasl_pwcheck_method: saslauthd

sasl_mech_list: PLAIN

tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem

tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem

tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt

# uncomment this if you're operating in a DSCP environment (RFC-4594)

# qosmarking: af13

It needs to look this when finished. Change line 9 to reflect your server name

postmaster: postmaster

configdirectory: /var/lib/imap

partition-default: /var/spool/imap

# admins: cyrus # no admins!

allowanonymouslogin: no

allowplaintext: yes

altnamespace: yes

sasl_mech_list: PLAIN

servername: mailsrv.lazypaddle.com

autocreatequota: 100000

reject8bit: no

quotawarn: 90

timeout: 30

poptimeout: 10

dracinterval: 0

drachost: localhost

sasl_pwcheck_method: saslauthd

sievedir: /var/lib/imap/sieve

sendmail: /usr/sbin/sendmail

#hashimapspool: true

sieve_maxscriptsize: 32

sieve_maxscripts: 5

#unixhierarchysep: yes

tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking: af13

/etc/pam.d/imap , pop , sieve , smtp

The following code needs to be appended to the following files:

/etc/pam.d/imap

/etc/pam.d/pop

/etc/pam.d/sieve

/etc/pam.d/smtp

echo "

auth sufficient  pam_mysql.so verbose=0 host=$mysqlconn user=$mysqluser passwd=$mysqlpasswd db=$mysqldb table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time

account required pam_mysql.so verbose=0 host=$mysqlconn user=$mysqluser passwd=$mysqlpasswd db=$mysqldb table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time
" >> /etc/pam.d/imap

Perform the same task for each of the files: imap, pop, sieve, smpt using the values for mysql that you set in the MySQL configuration section.

/etc/imapd-local.conf

Copy the imap.conf to imap-local.conf

cp /etc/imap.conf /etc/imap-local.conf

Uncomment the line from:

# admins: cyrus # no admins!

to:

admins: cyrus

Postfix Configuration

/etc/postfix/mysql-virtual.cf

Create the following file, changing the relevant data

touch /etc/postfix/mysql-virtual.cf

echo "

#

# mysql config file for alias lookups on postfix

# comments are ok.

#

# the user name and password to log into the mysql server

hosts = $mysqlconn

user = $mysqluser

password = $mysqlpasswd

# the database name on the servers

dbname = $mysqldb

# the table name

table = virtual

#

select_field = dest

where_field = alias

additional_conditions = and status = '1'

" >> /etc/postfix/mysql-virtual.cf

/etc/postfix/mysql-canonical.cf

Create the following file, changing the relevant data

touch /etc/postfix/mysql-canonical.cf

echo "

# mysql config file for canonical lookups on postfix

# comments are ok.

#

# the user name and password to log into the mysql server

hosts = $mysqlconn

user = $mysqluser

password = $mysqlpasswd

# the database name on the servers

dbname = $mysqldb

# the table name

table = virtual

#

select_field = alias

where_field = username

# Return the first match only

additional_conditions = and status = '1' limit 1

" >> /etc/postfix/mysql-canonical.cf

/etc/postfix/mysql-mydestination.cf

Create the following file, changing the relevant data

touch /etc/postfix/mysql-mydestination.cf

echo "

# mysql config file for local domain (like sendmail's sendmail.cw) lookups on postfix

# comments are ok.

#

# the user name and password to log into the mysql server

hosts = $mysqlconn

user = $mysqluser

password = $mysqlpasswd

# the database name on the servers

dbname = $mysqldb

# the table name

table = domain

#

select_field = domain_name

where_field = domain_name

" >> /etc/postfix/mysql-mydestination.cf

Master.cf

Uncomment the following 2 lines in the /etc/postfix/master.cf file

cyrus unix - n n - - pipe

user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}

Perform the following via command line

postconf -e "mydestination = mysql:/etc/postfix/mysql-mydestination.cf"
postconf -e "mailbox_transport = cyrus"
postconf -e "virtual_alias_maps = hash:/etc/postfix/virtual, mysql:/etc/postfix/mysql-virtual.cf"
postconf -e "sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf"
postconf -e "smtpd_sasl_auth_enable = yes"
postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"
postconf -e "smtpd_sasl_security_options = noanonymous"
postconf -e "smtpd_sasl_local_domain = "
postconf -e "broken_sasl_auth_clients = yes"
postconf -e "inet_interfaces = all"
echo "pwcheck_method: saslauthd" > /usr/lib/sasl2/smtpd.conf
postmap /etc/postfix/virtual
postalias /etc/aliases
If you have a relay server that you want to use then add as needed:
postconf -e "relayhost = your.relayhost.com"

Install and Configure Web-Cyradm

Install Web-Cyradm

www.web-cyradm.org appears to be down as of 8-30-14. I found the version required and placed it in dropbox.

cd /var/www/html/
wget https://www.dropbox.com/s/beushynjazyvkgc/web-cyradm-svn-0.5.5.tar.gz
tar -zxvf web-cyradm-svn-0.5.5.tar.gz
mv web-cyradm-svn-0.5.5 webcyr

Configure Web-Cyradm

Change to the web_cyr directory

cd /var/www/html/webcyr/scripts

Set the password for the system user "cryus", you'll need this later in the configuration

passwd cyrus

Edit the following files to your specs

Edit insertuser_mysql.sql to reflect the user and password for accessing your MySQL database

vi insertuser_mysql.sql

At the bottom of this script edit the password for the admin of the site and for the user cyrus.

vi create_mysql.sql

mysql -u root -p < /var/www/html/webcyr/scripts/insertuser_mysql.sql

mysql mail -u mail -p < /var/www/html/webcyr/scripts/create_mysql.sql

cd ../config
cp conf.php-dist conf.php

Edit this file to reflect the values for your MySQL database and cyrus user

vi conf.php

Edit the values in conf.php to match your system

Start the daemons

service postfix start

service cyrus-imapd start

service saslauthd start

chkconfig postfix on

chkconfig cyrus-imapd on

chkconfig saslauthd on

WebCyradm Usage

log into your webcyradm installation via:

http://your-ip-address.com/webcyr

Use the default admin credentials if you did not set them specifically

username: admin

password: test

You need to add your servers full domain name as a virtual domain or errors will occur.

If you have a domain like lazypaddle.com and your server name is mailsrv.lazypaddle.com but you want to receive mails at lazypaddle.com then both domains must be entered for the system to work properly.

Something like this:

Final Cleanup Items

Ensure the following startup at boot time

cyrus-imapd

httpd

postfix

saslauthd

Set up TLS/SSL , STARTTLS

Cyrus IMAP Configuration:

Start of by generating your certificate. Navigate to your root directory.

mkdir ssl
cd ssl
openssl req -new -nodes -out req.pem -keyout key.pem
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 2999

# for Cyrus IMAP/POP
cp new.key.pem /var/lib/imap/server.pem
rm new.key.pem
cat ca-cert >> /var/lib/imap/server.pem
chown cyrus:mail /var/lib/imap/server.pem
chmod 600 /var/lib/imap/server.pem # Your key should be protected

echo tls_ca_file: /var/lib/imap/server.pem >> /etc/imapd.conf
echo tls_cert_file: /var/lib/imap/server.pem >> /etc/imapd.conf
echo tls_key_file: /var/lib/imap/server.pem >> /etc/imapd.conf

Now comment out or delete the original entries for the certificates in /etc/imapd.conf. You cannot have two entries in this file.

#/etc/imapd.conf

#tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem

#tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem

#tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt

Restart your cyrus mail daemon

service cyrus-imapd restart

Testing

I used Mozilla Thunderbird with the following options:

IMAP(s)

STARTTLS:

Port: 143

Security Connection: STARTTLS

Authentication Mode: Normal

SSL/TLS

Port : 993

Security Connection: SSL/TLS

Authentication Mode: Normal

Confirm the security exception because of the self signed certificate.

POP3(s)

STARTTLS:

Port: 110

Security Connection: STARTTLS

Authentication Mode: Normal

SSL/TLS

Port : 995

Security Connection: SSL/TLS

Authentication Mode: Normal

Confirm the security exception because of the self signed certificate.

Postfix Configuration:

We are going to use the certificate we generated before. If you want to be overly particular you can generate a new cert via the steps outlined above. Place the new cert file in /etc/postfix and modify accordingly.

cp /var/lib/imap/server.pem /etc/postfix/smtpcert.pem

chmod 644 /etc/postfix/smtpcert.pem

Now modify the /etc/postfix/master.cf file

Uncomment the following two lines:

smtps inet n - n - - smtpd

-o smtpd_tls_wrappermode=yes

Add the following to the /etc/postfix/main.cf file

smtp_tls_CAfile = /etc/postfix/smtpcert.pem

smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache

smtpd_tls_CAfile = /etc/postfix/smtpcert.pem

smtpd_tls_cert_file = /etc/postfix/smtpcert.pem

smtpd_tls_key_file = /etc/postfix/smtpcert.pem

smtpd_tls_received_header = yes

smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache

tls_random_source = dev:/dev/urandom

smtpd_tls_security_level = may

To force every client to always use SSL/TLS the set the last line to:

smtpd_tls_security_level = encrypt

After configuration restart the postfix daemon

service postfix restart

Testing

I used Mozilla Thunderbird with the following options:

SMTP(s)

STARTTLS

Port : 25

Security Connection: STARTTLS

Authentication Mode: Normal

SSL/TLS

Port : 465

Security Connection: SSL/TLS

Authentication Mode: Normal

mailfilecreate-CentOS6.3.sh

(9k)

Dale Hartung,

Nov 10, 2012, 2:43 PM

v.1

Comments