Install a Debian Wheezy mail server into a virtual using Exim, Dovecot, Fetchmail

I’ve noticed some traffic on this post.  Given the interest, I’ve written a better tutorial, which you can find here.

And, to go with the post below, here is the full install list from my (inside the firewall) wiki that I use now to write down everything I did – in theory next time I come to do this I won’t be as stretched remembering where everything is.

This wiki is intended for me as a memory jogger more than as a tutorial, so take it as is rather than expecting it to give you every step.  I also haven’t included the base OS install; I have that in a separate entry.  The main trick there is that, to get better IO performance, I set the disk type to virtio, cache to none and IO to native.  In /etc/default/grub I put the following setting, which tells the virtual machine not to run a tickless timer (which apparently generates a lot of interrupts) and not to use an IO scheduler: the host machine is already running an IO scheduler, and running two is bound to interfere with performance.

  GRUB_CMDLINE_LINUX="nohz=off elevator=noop"

Anyway, on to the install process itself.

This server provides the email services: it consolidates all mail from the other servers and runs the IMAP mail service for my domain in general.
Since it is part of the core environment, not part of the development environment, it runs nis+ and shares logons with the hosts and myth boxes.

This machine has no desktop applications, so runs a console only.  Any GUI applications need to be run on another machine, connecting back to this machine.  Key applications are:

  • Dovecot
  • Exim
  • Fetchmail
  • SpamAssassin

The server name is

  mail

The IP address is

  192.168.1.11

Currently valid users are

  • root
  • all nis users

This server has the following storage allocated:

  /    25GB
  swap  4GB

Generate ssh keys, and setup public key logon:

  mkdir ~/.ssh
  cd ~/.ssh
  ssh-keygen
  vi authorized_keys          # copy these from another server

Install ntp, as this server should have a good time source.

  aptitude install ntp

Install saidar and sudo, as these are base packages we want.

  aptitude install saidar sudo
  visudo     # add key users

Install nis+

  aptitude install nis+

Accept the domain name as [my domain]

  • Edit /etc/default/nis               (nothing to change as a client)
  • Edit /etc/ypserv.securenets         (nothing to change as a client, but take out the open access anyway)
  • Edit /etc/yp.conf                   (nothing to change if we’re happy to broadcast)
  • Change /etc/passwd, /etc/shadow, /etc/gshadow and /etc/group: from these remove any ids > 1000, and put pluses at the end (e.g. +:::)
  /etc/init.d/nis restart                   # check you can su as one of the NIS users

Install the mail packages and testing packages:

  aptitude install exim4 fetchmail dovecot-imapd sasl2-bin swaks libnet-ssleay-perl

The key elements here are:

  • mail is in /var/mail, in mbox format
  • exim4 is an SMTP server, accepts mail from the other machines and relays it
  • dovecot is an IMAP server, makes mail available to other programs
  • fetchmail pulls down mail from external mail sources, particularly our ISP

First, configure the base exim4

  dpkg-reconfigure exim4-config
  • Set as an internet site
  • Domain is [my domain]
  • Allow it to listen on the public interface (put ip address in here – 192.168.1.11)
  • Accepts mail for [my domain]
  • Relay for all hosts on the local network – 192.168.1.0/24
  • mbox format   <<later change to maildir>>
  • Don’t split configuration

Test that you can see the connection to exim4 (for SMTP outbound):

  telnet 192.168.1.11 25  # can't use machine name - mail - as then resolves to 127.0.0.1
  ehlo xxx                # looking for 250-TLS in the response - won't be there yet
  quit

Set up saslauthd by editing /etc/default/saslauthd and changing:

  START=yes
  /etc/init.d/saslauthd start

Next, set up for TLS auth, using this reference:

/usr/share/doc/exim4-base/examples/exim-gencert

  • Edit /etc/exim4/exim4.conf.template, and uncomment
  plain_saslauthd_server:
    driver = plaintext
    public_name = PLAIN
    server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
    server_set_id = $auth2
    server_prompts = :
    .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
    server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
    .endif
  • create (or edit if it exists) /etc/exim4/exim4.conf.localmacros, and add the line
  MAIN_TLS_ENABLE = true
  • once done:
  update-exim4.conf
  /etc/init.d/exim4 restart
  • check authentication
  swaks -a -tls -q AUTH -s 192.168.1.11 -au [user]
  • you can also check again using telnet and open SSL, but swaks seems to do it all in one go
  telnet 192.168.1.11 25  # can't use machine name - mail - as then resolves to 127.0.0.1
  ehlo xxx                # looking for 250-TLS in the response - should now be there
  quit

First, create the base64-encoded AUTH PLAIN string (this is only encoding, not encryption; the NUL characters separate the empty authorisation identity, the user name and the password):

  perl -MMIME::Base64 -e 'print encode_base64("\0paul\0<password>")'

Test the SSL connection for SMTP:

  openssl s_client -starttls smtp -crlf -connect 192.168.1.11:25
  ehlo testing
  auth plain <<content from the perl command above>>
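To check that the server_advertise_condition above actually holds (AUTH offered only once TLS is up), here is an added shell example, not from the original post or from the Debian exim4 package; the sample EHLO replies are constructed, and the user/password values are placeholders.

```shell
#!/bin/sh
# Added example: helpers for the "AUTH only after STARTTLS" check.
# Sample EHLO replies below are constructed, not captured from a real host.

# Build the AUTH PLAIN token the way the perl one-liner does:
# base64 of "\0<user>\0<password>" (this is encoding, not encryption).
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print the EHLO keywords from a reply, one per line, upper-cased, with the
# "250-" / "250 " prefix removed. Input may have CRLF line endings.
ehlo_keywords() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^250[- ]//p' | awk '{ print toupper($1) }'
}

# Return 0 when a reply received BEFORE STARTTLS is in the hardened state:
# STARTTLS is offered and AUTH is not (what server_advertise_condition wants).
pre_tls_state_ok() {
    kw=$(ehlo_keywords "$1")
    printf '%s\n' "$kw" | grep -qx STARTTLS || return 1
    printf '%s\n' "$kw" | grep -qx AUTH && return 1
    return 0
}

# Return 0 when a reply received AFTER STARTTLS offers the PLAIN mechanism.
post_tls_auth_plain_ok() {
    printf '%s\n' "$1" | tr -d '\r' | tr 'a-z' 'A-Z' | sed -n 's/^250[- ]AUTH //p' \
        | tr ' ' '\n' | grep -qx PLAIN
}

# Constructed EHLO replies (the shape the telnet and openssl steps above show).
SAMPLE_PRE_TLS='250-mail.example.org Hello check [192.168.1.50]
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250 HELP'
SAMPLE_POST_TLS='250-mail.example.org Hello check [192.168.1.50]
250-SIZE 52428800
250-8BITMIME
250-AUTH PLAIN
250 HELP'
SAMPLE_WEAK='250-mail.example.org Hello check [192.168.1.50]
250-STARTTLS
250-AUTH PLAIN
250 HELP'
```

Feed the EHLO reply from the plain telnet session to pre_tls_state_ok and the reply from the openssl s_client session to post_tls_auth_plain_ok. If AUTH is offered over TLS but the login itself fails, check that the Debian-exim user is a member of the sasl group, otherwise exim cannot reach the saslauthd socket.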

Update smoothwall to redirect port 25 (and the imap ports whilst we’re at it) to this new server.
Test whether this mail relay is locked down properly:

  telnet relay-test.mail-abuse.org

Set all the other machines to relay mail via this server

  • On each of my machines
  dpkg-reconfigure exim4-config
  • Change to send mail via smarthost, have no local files, and host is mail.[my domain]
  • configure exim as a client to send mail to velocity, edit /etc/exim4/passwd.client, add:
  <smtp.isp.org>:<user>@[my domain]:<password>
  <smtp.isp.org>:<user>@[my domain]:<password>
  <smtp.isp.org>:<user>@[my domain]:<password>

Configure fetchmail.

  • Edit /etc/default/fetchmail, change start to yes
  • Create a new file /etc/fetchmailrc, content elsewhere on the web

Configure dovecot:

  • Appears to need no configuration.  We’ll see
  • Does need /home/<user> created, and permissions set properly

Copy mail across from /var/mail/ on the old server (the -z is needed if the archive is to be the gzip its name claims)

  tar -czvf mail.tar.gz *      # run in /var/mail on the old server
  tar -xzvf mail.tar.gz        # run in /var/mail on the new server

Copy mail across in each home directory (use the relative path: as root, ~ would be /root rather than the user’s home)

  cd /home/<user>
  tar -czvf Mail.tar.gz Mail

Convert the format of the mail

  • Change the format in /etc/dovecot/conf.d/10-mail.conf
  mail_location = maildir:~/Maildir
  • Add users to the mail group (I think only needed for conversion)
  addgroup <user> mail
  • First move each mbox file from /var/mail into /home/<user>/mbox/, and call it mbox so that it thinks it’s inbox
  dsync mirror mbox:~/mbox/
  dsync mirror mbox:~/Mail

Next, install spam filtering, following http://wiki.debian.org/Exim

  aptitude install spamassassin
  • edit /etc/default/spamassassin
  ENABLED=1
  CRON=1
  OPTIONS="--create-prefs --max-children 2 --helper-home-dir -u spamd"
  • this tells spamassassin to store all its learnings in /home/spamd
  adduser spamd
  /etc/init.d/spamassassin start
  • should be no need to edit /etc/exim4/exim4.conf.template to set spamd_address, as we use the default
  • edit /etc/exim4/exim4.conf.template to set spam headers:
  # put headers in all messages (no matter if spam or not)
  warn  spam = nobody:true
        add_header = X-Spam-Score: $spam_score ($spam_bar)
        add_header = X-Spam-Report: $spam_report

  # add second subject line with *SPAM* marker when message
  # is over threshold
  warn  spam = nobody
        add_header = Subject: ***SPAM (score:$spam_score)*** $h_Subject:
  • this section also says to install exim-heavy, so do that as well
  aptitude install exim4-daemon-heavy
  • Mac OSX Mail wouldn’t work; things to fix this were:
  1. Open port 587 on smoothwall
  2. Edit /etc/default/exim4 to have exim listen on more ports
  3. Add directive to exim4.conf.template:
  tls_on_connect_ports = 587
  update-exim4.conf
  /etc/init.d/exim4 restart
  4. Change the mac to use port 587

Still need to fix spam handling properly: spam should be auto-moved to a folder, but is just coming in with a header that says “spam”.
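The headers the warn ACL above adds are enough to do that folder move. As an added shell example (not from the post; the threshold, folder names and sample messages are constructed), this picks a delivery folder from X-Spam-Score while ignoring look-alike lines in the message body:

```shell
#!/bin/sh
# Added example: route a message by the X-Spam-Score header that the exim
# warn ACL adds. Threshold and folder names are assumptions; the messages
# below are constructed for the demo.

SPAM_THRESHOLD=5.0

# Print the numeric value of the first X-Spam-Score header. Only the header
# block (up to the first empty line) is inspected, so a line that merely
# looks like the header inside the body cannot change the result.
# Prints nothing when the header is absent.
spam_score() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        /^$/ { exit }                                  # end of headers
        tolower($1) == "x-spam-score:" { print $2; exit }'
}

# Print "Junk" when the score reaches the threshold, otherwise "INBOX".
# Messages without a score (e.g. never scanned) stay in INBOX.
spam_folder() {
    score=$(spam_score "$1")
    [ -n "$score" ] || { echo INBOX; return 0; }
    awk -v s="$score" -v t="$SPAM_THRESHOLD" \
        'BEGIN { if (s + 0 >= t + 0) print "Junk"; else print "INBOX" }'
}

# Constructed messages in the shape the ACL produces.
SAMPLE_SPAM='Received: from host (192.168.1.20)
X-Spam-Score: 7.3 (+++++++)
X-Spam-Report: Spam detection software (constructed)
Subject: ***SPAM (score:7.3)*** you have won
Subject: you have won

X-Spam-Score: -9.0 (---------)  body line, must be ignored'
SAMPLE_HAM='Received: from host (192.168.1.20)
X-Spam-Score: -1.2 (-)
Subject: meeting notes

X-Spam-Score: 99.0 (++++)  body line, must be ignored'
SAMPLE_UNSCANNED='Subject: no scanner ran

hello'
```

In production the same rule would normally be written as a Sieve script for Dovecot rather than in shell.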


2 thoughts on “Install a Debian Wheezy mail server into a virtual using Exim, Dovecot, Fetchmail”

  1. Pingback: Part One: Install a secure Debian Wheezy imap mail server into a virtual using Exim, Dovecot, Fetchmail | technpol

  2. Pingback: Kako da » Unix Srbija | Unix Srbija
