Happy new year! The start of a new year is a perfect time for a fresh mail server, don’t you agree? :)
Slackware 15 has not been released yet but there is demand for an updated guide given Slackware has had many changes since its last stable release.
For the purposes of this guide, the most notable changes are Postfix and Dovecot now being the default MTA and IMAP/POP3 servers, respectively. This doesn’t affect this guide too much. In fact, most of the configuration remains the same as in my previous post for Slackware 14.2.
This post contains some suggestions for a mildly secure mail server running on a Slackware Linux host. The guide assumes a default, fresh installation of Slackware64 15 (post 14.2 -current) that includes at least the A/, AP/, D/, L/, and N/ package series. By the end of the tutorial, you will have:
Postfix Admin to manage mailboxes and domains using a TLS secured web user interface
Roundcube with some plugins as a TLS secured webmail client
Pigeonhole to add support for email filter rules (forwarding, placing in folders, etc)
Preparation
Hostname
Set up an FQDN as your hostname. We’ll use mail.example.org.
PHP + nginx
PHP GD
In order to use GD with PHP we’ll need the following packages. You won’t have these if you only installed the recommended package series from above.
Install nginx
My last guide used nginx 1.14.2, but it’s now at version 1.18.0! I won’t go through all the changes here but I recommend you take a look at the CHANGELOG.
Create your user and use that to run the SlackBuild. If the version of nginx is newer than the one defined in the SlackBuild, simply update the version number in the nginx.SlackBuild file before running it.
Remember that if you want to enable syntax highlighlting for the nginx.conf file in vim, you can copy the contents of the contrib/vim directory from the extracted nginx source to ~/.vim.
SSL Certificates
I’m using ECDSA certificates and the secp384r1 curve here. Remember to change the configuration below if you use something else.
Configure nginx
At minimum, your nginx.conf file will need an events section which can be left blank to activate the defaults or modified depending on the load you’re expecting on the server. Set worker_processes equal to the number of real CPU cores on the machine.
Create your /etc/nginx/conf.d/mailserver.conf
Change the permissions of /var/lib/php since we’re using nginx instead of httpd to run PHP:
PHP-FPM with FastCGI in nginx
We will start by creating a custom /etc/php-fpm.d/mailserver.conf with the following content:
Make sure the startup script is executable then start php-fpm at least once to make sure everything is fine:
Install php-imagick as well since Roundcube will need it later.
Dovecot
Slackware has chosen Dovecot as the new IMAP/POP3 server as of November 2017. Instead of creating a Unix account for each mailbox, we use Postfix Admin to store user information. In the filesystem, the email will be stored in /var/vmail organized by domain and user, so the email for admin@example.org would be stored in /var/vmail/example.org/admin. Since Dovecot is now part of Slackware, the dovenull and dovecot users already exist so there is no need to create them. You will only need to create the vmail user
Fill in the database information in /etc/dovecot/dovecot-sql.conf.ext
These are the same credentials Postfix Admin will use, so keep that in mind. We’re not creating the database or user yet. That will come later. Now let’s add the password_query and user_query to /etc/dovecot/dovecot-sql.conf.ext:
In the file /etc/dovecot/conf.d/10-auth.conf we will enable the SQL configuration file we just modified, disable plaintext authentication, and comment out the auth-system.conf.ext file that’s loaded by default.
Since we are using TLS, it’s OK to use plain as the auth mechanism.
Next file to edit is /etc/dovecot/conf.d/10-mail.conf
The SSL configuration is in /etc/dovecot/conf.d/10-ssl.conf as follows:
Let’s set up the file /etc/dovecot/conf.d/10-master.conf now. We need to uncomment the user, group, and mode lines in the unix_listener auth-userdb section of the service auth block in order to have Dovecot authenticate. Postfix will also need a unix_listener in the postfix spool directory so uncomment that section, and a unix_listener auth-master section too. Make sure to add postfix as the user and group. Don’t worry about creating them now, we’ll do that later. Set up the stats-writer as well. In the end the file should look somewhat like this
Dovecot Pigeonhole
A new addition to this guide is Dovecot Pigeonhole. This adds support for the Sieve language (RFC 5228) and the ManageSieve protocol (RFC 5804) to Dovecot. Coupled with a Roundcube plugin, this will allow us to filter email based on any number of factors. For example, you can create an rule in Roundcube that will automatically place email coming from @bank.com to a Bank Notifications folder.
After you install the SlackBuild, copy the following example configuration files into the /etc/dovecot/conf.d directory:
We will need to edit the following Dovecot configuration files now:
First, edit /etc/dovecot/conf.d/20-lmtp.conf, and add
For /etc/dovecot/conf.d/15-lda.conf, add
For /etc/dovecot/conf.d/10-mail.conf, add
In /etc/dovecot/conf.d/20-managesieve.conf, add
Lastly, edit /etc/dovecot/conf.d/90-sieve.conf, and add
Now we need to create some files that are needed for our configuration to work:
Add postfix to the dovecot group. This is needed by amavisd-new later.
Postfix
Postfix is now the default MTA in Slackware as of November 2017. We no longer have to create users or compile anything so let’s just get to adding our database configuration.
The only change between here and the past guide is that the append_dot_mydomain directive now defaults to no so we don’t need to include it. Here’s what should be in /etc/postfix/main.cf:
Dovecot authentication section is still the same
With newer versions of Postfix, you can now include both ECDSA and RSA certificates in your configuration. I’m disabling SSLv2, SSLv3, and TLSv1.0 in the configuration below. We’re excluding known insecure ciphers and setting the encryption level to may. You can set this to encrypt, if you want, but the Postfix documentation strongly advises against this for a public facing server.
Feel free to set these parameters to whatever fits your needs
Now we set up milters along with the Postgrey and OpenDKIM sockets
We need to point Postfix to our database map files. Use the same UID and GID that was used for vmail user and the existing mail group from /etc/group
The final part of the file will set up Dovecot and Amavis
Postfix Master Configuration
In the file /etc/postfix/master.cf, we’ll set up SMTP with TLS on port 587. Most options can just be enabled by uncommenting them. Make sure you comment out the -o syslog_name=postfix/$service_name option right under relay.
For Amavis, just make sure you set the max number of processes it’s allowed to run. In this example, it’s 4 (the same as the nginx configuration).
Run the newaliases command to generate the aliases database file
Amavis with ClamAV and SpamAssassin
We are going to be using amavsid-new as the interface bewtween Postfix, ClamAV and SpamAssassin. We need a ton of things for Amavis and SpamAssassin. You can go the SlackBuilds route or just use CPAN. I’m going to just go with CPAN this time around. First, install the zeromq, pyzor, unrar, arj, cabextract, lzop, nomarch, p7zip, libmspack, and GeoIP dependencies. This allows SpamAssassin and ClamAV to handle different compressed files as well.
After SpamAssassin is installed, edit the /etc/spamassassin.conf file and set the following options. You only really need ENABLED but the rest are a good idea.
The SpamAssassin source no longer includes rules, so you’ll have to download them. Run sa-update to do this.
ClamAV
You’ll need a user and group created first.
Now go ahead and grab the SlackBuild. After you install, make sure DatabaseMirror is set to the new database.clamav.net mirror in /etc/freshclam.conf. Next, edit the /etc/clamd.conf file and change theLocalSocket and LocalSocketGroup options
Let’s install amavisd-new before we update the ClamAV virus definitions.
amavisd-new
Create a user and group before you run the script.
While we’re at it, go ahead and add the amavis user to the clamav group and vice versa.
Run the SlackBuild to install the package. Afer you install, uncomment the lines @bypass_virus_checks_maps and @bypass_spam_checks_maps at the top of /etc/amavisd.conf and add the following
Next, uncomment @lookup_sql_dsn and modify it to connect to your database using the Unix socket and the proper credentials. Amavis uses the DBD::mysqlPerl module. The documentation states setting the host value to localhost will use the socket. This configuration will enable spam checking for the domains you’ve added to your database either manually or through Postfix Admin
There are a number of configuration options we can change in /etc/amavisd.conf. The only really important one is the unix socket configuration. My recommendations are:
Set $max_servers to the same number of processes we allowed Amavis to use in /etc/postfix/master.cf, which in my case is 4
Set the $sa_tag_level_deflt opton to a large negative number. This will ensure that spam headers are added to every single email
Change the user and group to amavis that we created earlier
Configure the home directory for configuraiton files and quarantine emails
Set the domain name (not the same as your hostname).
Uncomment the amavis section in @av_scanners. Leave the rest of this section as is.
Comment out the $inet_socket_port line
Set the Unix socket for Amavis in $unix_socketname
Comment out forward_method for DKIM signing since we’ll use OpenDKIM for that
Set the pid_file to /var/run/amavis/amavisd.pid
The end result should look something like:
Since we are putting the Amavis socket in the Postfix queue directory, we’ll need to create it and set the permissions
Use the following commands to let Postfix create the amavis-acceptPID:
In order for the above to work, we need to set a $forward_method in /etc/amavisd.conf
If for any reason this is not working, you can edit the /usr/sbin/amavisdPerl script directly. Look around line 926 or search for 10025. Comment out the existing $forward_method and replace it with this:
Go through the rest of /etc/amavisd.conf file and modify any settings you might want changed.
We also need to fix some permissions to get all three of these to play nicely.
Now go ahead and update your virus database by running freshclam as root. Don’t worry if you get a message from freshclam saying clamd was not updated. This is because we have not started clamd yet.
Postgrey
Set up the user and group first, then run the SlackBuild to install Postgrey.
Go and edit the SlackBuild to set the values of POSTGREYUSR, POSTGREYGRP, POSTGREYUID and POSTGREYGID to the values you set earlier when you created them. After you install, you may want to get an updated version of postgrey_whitelist_clients from the Postgrey site and place it in /etc/postfix, replacing the one included with the SlackBuild.
We need to edit the /etc/postgrey.conf file and replace the PORT line with the path to the Unix socket we are going to set up. Set the correct HOST and make sure USER and GROUP are also correct.
In the /etc/rc.d/rc.postgrey script we are going to find the postgrey_start() function and edit the postgrey flags to make sure it uses a socket instead of TCP. We are basically changing --inet=$PORT to --unix=$SOCKET
The extracted source includes an init script, too. It’s in contrib/postgrey.init if you want to use it.
OpenDKIM, DNS and Building Trust
The setup up to this point should be pretty much complete and meet most people’s needs. Some mail servers are quite picky when it comes to receiving email. Gmail particularly doesn’t like when an email is not signed. The next section will walk you through signing your email with DomainKeys Identified Mail and setting up Sender Policy Framework. If you are using a hosting provider for your server, you will need to contact them and have them set up a PTR record for your IP address. This is also known as rDNS. Some mail servers will reject your email if the IP you are sending from does not point back to your domain name. In general, it should look something like this:
If you’re hosting at home, you can try asking your ISP to set this up for you but it is unlikely they’ll want to. They may be willing if you purchase a static IP. You’ll also need to add MX records to your domain’s DNS records. You can add something like this
That’s assuming mail.example.org points to your mail sever’s IP and you want a priority of 10. You can ask your DNS provider to add these for you. Check that the record has propagated with host:
OpenDKIM
Install (libbsd), (opendbx), then grab my SlackBuild and install OpenDKIM. Set up the user and group first:
We’ll need to create the run directory as well:
Add this to the /etc/rc.d/rc.opendkim script to have it created automatically
We are using MariaDB here so set the USE_MYSQL variable to yes and run the SlackBuild. I used a modified version of CentOS’s init script for rc.opendkim, but feel free to grab the one included in the source in the contrib/init/generic/ directory.
Once it’s installed, we’ll need to set up a basic configuration file. You can copy the sample one from opendkim/opendkim.conf.simple in the extracted source to /etc/opendkim and add the user and group we created earlier. Note that the SlackBuild already does this for you:
The KeyFile is default.private since this is what’s set in /etc/rc.d/rc.opendkim. The string default is called the selector. Feel free to use any selector you want. The selector is used to differentiate between multiple DKIM records for your domain.
You’ll notice my init script will automatically create some default keys for you in /etc/opendkim/keys and it also creates the directory if it doesn’t exist. We’re using Unix sockets in this guide, so let’s change a line in /etc/opendkim.conf:
We’ll generate a 2048 bit key with the opendkim-genkey command. You can try something stronger like 4096 bits, but RFC 6376 suggests it might not fit in a 512 byte DNSUDP response. See section 3.3.3 Key Sizes for more information.
The selector is set with the -s parameter. You’ll end up with two files inside /etc/opendkim/keys/, default.private, which is your key, and default.txt which has a nicely formatted record you’ll need to add to your DNS zone. If you don’t manage your own DNS or have access to your zone file, simply copy the text starting with v=DKIM1 as a TXT record in whatever control panel your DNS provider uses. For the example above, this is what I got (truncated for demonstration):
You’ll need to wait a while before the DNS record propagates but once it does you can check it with dig
Sender Policy Framework
This basically consists of adding another TXT record to your DNS zone. There used to be an SPF type record but this was removed in RFC 7208. You’ll want to add something like this:
MariaDB
We’ll set up MariaDB first (the scripts are still named rc.mysqld):
Now create the user and database we’ll be using for Roundcube, Postfix Admin, and all other components.
Roundcube and Postfix Admin
The same advice from my previous post regarding web based interfaces applies.
Postfix Admin
Not many updates to Postfix Admin this time. We still set public/ as the root directory in our nginx configuration above so just proceed with the installation as normal:
Make a copy of config.inc.php as config.local.php and make your changes there. The ones we need for this guide are
Comment out the $CONF['database_host'] = 'localhost'; line because we are using sockets here.
This tells Postfix Admin to use Dovecot’s crypt() scheme for passwords and to connect to MariaDB using Unix sockets. Next, visit https://mail.example.org/postfixadmin/setup.php and complete the setup. Make sure you add your $CONF['setup_password'] obtained from setup.php to config.local.php. Do this before clicking on Add Admin.
Add Email Domains and Mailboxes
Log in to https://mail.example.org/postfixadmin and head over to Domain List > New Domain. Fill in whatever works for you here to add a new domain, then head to Virtual List > Add Mailbox and create your first user. I set up example.org as an email domain and admin@example.org as my first user. Doing this will generate the needed database schema that Postfix will use. Go ahead and play around with this and make sure your aliases are set up
Roundcube
The latest version of Roundcube is now 1.4.10. There is a cool new mobile friendly theme now, too. We’ve already set up the nginx configuration for Postfix Admin and Roundcube so now we just have to download their files and run the installers.
We’ll need to create a database for Roundcube to use. Log in to *8MariaDB** with mysql and create it. Make sure you use a strong password.
Roundcube includes an SQL file that can create the necessary database structure for you
I recommend you check out the INSTALL file included in the source for a more complete guide on the installation. Now head over to https://mail.example.org/installer and make sure everything is OK in the Check environment section. You will probably need to temporarily comment out the location blocks in /etc/nginx/conf.d/mail.example.org.conf that block access to Roundcube URLs such as /installer.
My installation complained about the date.timezone setting in php.ini so I had to set that. Get a list of supported time zones from here. You may need to restart nginx and php-fpm for the changes to take effect.
Click Next when you’re done to move on to the Create config section. You can leave most of these settings alone. If you want to know what a specific setting does, check out Roundcube’s wiki. Fill in the Database setup section with the user and database you created earlier.
IMAP and SMTP Settings
Fill in your database information in the Database Setup section. Make sure you do not enable spellchecking support. If you do, Roundcube will connect to external services to check your spelling. Why would we go through all this trouble to have a third party see every word we type?
We’re going to set default_host to tls://localhost in the IMAP Settings section and leave the default port. In the SMTP Settings section, set smtp_server to tls://localhost , smtp_port to 587 and check the Use the current IMAP username and password for SMTP authentication option. In the Plugins section, enable managesieve.
Click on Create config.
After it’s done generating your configuraiton file, go through config/config.inc.php and see if you’d like to change anything. I recommend disabling SSL peer verification for IMAP and SMTP since we are using localhost and the SSL certificates likely won’t match the hostname. This is needed in PHP 5.6 or later and Slackware is on PHP 7.4 as of this writing.
Start Up Email Services
Let’s start up the services we have so far in order to get all necessary files created properly. We’ll need the services running in order to set up Roundcube and Postfix Admin correctly. You can place your startup commands in /etc/rc.d/rc.local and the stop commands in /etc/rc.d/rc.local_shutdown.
Since now Dovecot and Postfix are part of Slackware, their start up scripts are run before /etc/rc.d/rc.local. My workaround here is just to issue restarts since Postfix depends on OpenDKIM to be running before starting. I didn’t think too much about how to solve this problem.
Make sure both scripts are executable and add this content
/etc/rc.d/rc.local
/etc/rc.d/rc.local_shutdown
Finishing Up
Go ahead and create some filters in Roundcube and make sure emails are going to the right folders. Test sending email to and from your own domain as well as to external domains. Connect your email clients. They should automatically detect your sever’s open ports but you can use the following settings to set it up manually. You can substitute the hostname for example.org if that points to your server’s IP as well.
The first time you receive an email, it’ll be greylisted thanks to Postgrey. Check /var/log/maillog:
Most mail servers will try once more after some time and will be allowed the second time they send. Spammers generally only try once so this should stop some most of the common spam you could receive. Once the mail passes through, Amavis will check for viruses and other malware.
You can also test your anti-virus using the EICAR test file. Send yourself an email from another mail server with only the following string in the body:
It will be detected as a virus and you’ll see this in the log as well:
In a similar fashion, you can test your spam filter using the GTUBE. Send a message from another mail server to yourself with only the following string in the body:
It will be detected as spam and you’ll see this in the log as well:
Other Considerations
You’ll notice in your /var/log/maillog file that there will be a ton of bots and compromised third party servers trying to relay using your server, trying to log in using common usernames (admin, support, test, etc) and generally just trying to wreak havoc on your mail server. The setup suggestions I described in this article should prevent most of those attacks. You may consider trying something like fail2ban to automatically ban these IPs. Get yourself a nice firewall using AlienBob’s Easy Firewall Generator and block anything you don’t need.
I tested this set up by following it step by step on a fresh server and it worked for me. I may have missed some things. Contact me if you have any comments. Encrypted email is strongly encouraged and preferred.
Nearly two years after the release of Slackware Linux 14.2 and three years after my original blog post, I’m glad to finally provide an update. Sorry for the delay. The core packages that make up the mail server have received lots of updates. Besides the version and configuration updates I’ve also added some information for setting up Dovecot Pigeonhole and configuring email filtering.
This post contains some suggestions for a mildly secure mail server running on a Slackware Linux host. The guide assumes a default, fresh installation of Slackware64 14.2 that includes at least the A/, AP/, D/, L/, and N/ package series. By the end of the tutorial, you will have:
This post contains some suggestions for a mildly secure mail server running on a Slackware Linux host. The guide assumes a default, fresh installation of Slackware64 14.1 that includes at least the A/, AP/, D/, L/, and N/ package series. By the end of the tutorial, you will have:
Postfix for encrypted connections over SMTP and removing identifying information from the email headers
Dovecot for local mail directories and encrypted connections over POP and IMAP
MariaDB a drop-in replacement for MySQL to store mailbox information
Postgrey which will require unknown senders to resend their mail, eliminating most spam
SpamAssassin for e-mail spam filtering based on content-matching rules
ClamAV to detect trojans, viruses, malware and other malicious threats in your email
There is a line of a song I enjoy that says, “How come 24 hours sometimes seem to slip into days?” The song goes on about homesickness and being lonely on a trip. For the longest time, I identified with that line in regards to aging. The older we get, the faster time seems to pass us by. What are we doing with the limited time we have available?