How to set up an IMAP Courier server

Official version

Previous version

Below is the complete source of the official version above. I've saved it only for my own reference. Please follow the URLs above to the author's original site.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
	<title>How to set up a mail server on a GNU / Linux system</title>
	<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
	<link href="edition4/postfix.css" rel="stylesheet" type="text/css" />
	<link href="edition8/postfix.css" rel="stylesheet" type="text/css" />
	<style>
	</style>
</head>
<body>

<a name="top"></a>
<a href="http://creativecommons.org/licenses/by-sa/2.5/"><img 
	src="/images/cc-by-sa-small.png" alt="cc by-sa" height="25"
	title="Creative Commons Attributions-ShareAlike" border="0" align="right" /></a>
<a href="http://flurdy.com"><img 
	src="/images/flurdy-small.png" alt="flurdy" height="23"
	title="Made by flurdy" border="0" align="right" /></a><br />
<h1>How to set up a mail server on a GNU / Linux system</h1>
<a name=""></a><h3>Step by step guide to install Postfix</h3>
<h3>
		Ubuntu + Postfix + Courier IMAP + MySQL 
		+ Amavisd-new + SpamAssassin + ClamAV 
		+ SASL + TLS + SquirrelMail + Postgrey 
</h3>
	<p>
		Easy to follow howto on setting up a mail server 
		with unlimited users and domains,
		with IMAP/Pop access, anti-spam, anti-virus,
		secure authentication, encrypted traffic,
		web mail interface and more.
	</p>
	<p>

		Based on an Ubuntu distribution platform, 
		but instructions are distro generic.
	</p>

<a href="http://www.postfix.org"><img 
		src="http://www.postfix.org/mysza.gif"
		alt="postfix" align="right" border="0"
		title="Postfix, the MTA." class=""	/></a>
<h6><a href="#editions">8th edition</a></h6>
<h6>
	Author <a href="http://flurdy.com">Ivar Abrahamsen</a>
</h6>
<h6>
	License: 
	<a href="http://flurdy.com/docs/license/respect">Respect</a> (CC by-sa)

<!-- 	on top of <a href="http://creativecommons.org/licenses/by-sa/2.5/">Creative Commons by-sa</a>. -->
</h6>	
<h6>Last Update: 2009-06-11</h6>
<h6> 
	<a href="#contact">Contact</a> /
	<a href="http://www.ubuntuforums.org/showthread.php?t=185913">Discuss</a>
</h6>

<!-- <div class="section">
	<h2>Draft</h2>	
	<p>
		Please use the <a href="edition7.html">last released edition</a>(7) of this howto guide.<br/>
		This edition is still currently being written, and may contain some errors still.
	</p>	
</div> -->

<h2>Contents</h2>
<div class="section">

	<ul>
		<li>
			<h5><a href="#editions">Editions</a></h5>
			<p>List of different versions of this document.</p>

		</li>
		<li>
			<h5><a href="#intro">Introduction</a></h5>
			<p>Brief description of this document.</p>
			<ul>
				<li><p><a href="#intro_aim">Aim</a></p></li>
				<li><p><a href="#intro_research">Research</a></p></li>

				<li><p><a href="#intro_ego">Donate</a></p></li>
			</ul>
		</li>
		<li>
			<h5><a href="#software">Software</a></h5>
			<p>Which software packages are we using and why.</p>
		</li>

		<li>
			<h5><a href="#install">Installation</a></h5>
			<p>How to install all packages and which ones.</p>
			<ul>
				<li><p><a href="#install_distro">Distribution</a></p></li>
				<li><p><a href="#install_Base">Base Install</a></p></li>
				<li><p><a href="#install_repos">Repositories</a></p></li>

				<li><p><a href="#install_pack">Packages</a></p></li>
			</ul>	
		</li>
		<li>
			<h5><a href="#config">Configuration</a></h5>
			<p>
				Post install, what to configure for each section, 
				with full command examples.
			</p>
			<ul>

				<li><p><a href="#config-simple-firewall">Firewall (Shorewall)</a></p></li>
				<li><p><a href="#config-simple-mta">MTA (Postfix)</a></p></li>
				<li><p><a href="#config-simple-database">Database (MySQL)</a></p></li>
				<li><p><a href="#config-simple-imap">Pop/IMAP (Courier)</a></p></li>
				<li><p><a href="#config-adv-content">Content Checks (amavisd-new)</a></p>
					<ul>

						<li><p><a href="#config-adv-spam">Anti-Spam(SpamAssassin)</a></p></li>
						<li><p><a href="#config-adv-virus">Anti-Virus (ClamAV)</a></p></li>
						<li><p><a href="#config-adv-policy">Policy Check (PostGrey)</a></p></li>
					</ul>
				</li>	
				<li><p><a href="#config-secure-auth">Authentication (SASL)</a></p></li>
				<li><p><a href="#config-secure-crypt">Encryption (TLS)</a></p></li>

				<li><p><a href="#config-extra-webmail">Webmail (SquirrelMail)</a></p></li>
				<li><p><a href="#config-extra-admin">Administration (phpMyAdmin)</a></p></li>
			</ul>
		</li>
		<li>
			<h5><a href="#data">Data</a></h5>
			<p>

				Creating the basic stub of data,
				and how to add your own.
			</p>
			<ul>
				<li><p><a href="#data_add">Add users and domains</a></p></li>
				<li><p><a href="#data_common">Common SQL</a></p></li>
			</ul>		
		</li>
		<li>
			<h5><a href="#test">Test</a></h5>

			<p>Testing and troubleshooting each element.</p>
		</li>
		<li>
			<h5><a href="#initialize">Initialize</a></h5>
			<p>	
				If you receive a machine that is already set up,
				a list of actions to initialize and configure it.
			</p>
		</li>
		<li>

			<h5><a href="#extend">Extend</a></h5>
			<p>
				Post working system, 
				detailed instructions on optional features to add.
			</p>
			<ul>
					<li><p><a href="#ext_mx">Remote MX mail backup</a></p></li>
					<li><p><a href="#ext_back">Local file backup</a></p></li>
					<li><p><a href="#ext_spf">Sender ID &amp; SPF</a></p></li>

					<li><p><a href="#ext_pyzor">Spam Reporting</a></p></li>
					<li><p><a href="#ext_list">White/Black lists</a></p></li>
					<li><p><a href="#ext_pgp">PGP &amp; S/MIME</a></p></li>
					<li><p><a href="#ext_reloc">Relocation notice</a></p></li>
					<li><p><a href="#ext_pop">Pop-before-SMTP</a></p></li>

					<li><p><a href="#ext_reply">Auto Reply</a></p></li>
					<li><p><a href="#ext_block">Block Addresses</a></p></li>
					<li><p><a href="#ext_throttle">Throttle Output</a></p></li>
					<li><p><a href="#ext_mlist">Mail Lists</a></p></li>
					<li><p><a href="#ext_admin">Admin software</a></p></li>
					<li><p><a href="#ext_gmail">Google Apps / GMail</a></p></li>

					<li><p><a href="#ext_maildrop">Maildrop, spam folder and vacation messaging</a></p></li>
			</ul>
		</li>
		<li>
			<h5><a href="#ec2">Elastic Computing Cloud</a></h5>
			<p>
				Amazon's hosting service. Used as examples for this howto.
			</p>

			<ul>
				<li><p><a href="#ec2">Impressions of EC2</a></p></li>
				<li><p><a href="#ec2_use">Using EC2 with this howto</a></p></li>
				<li><p><a href="#ec2_ami">Amazon EC2 Images: AMIs</a></p></li>
				<li><p><a href="#ec2_links">EC2 Links</a></p></li>
			</ul>	
		</li>

		<li>
			<h5><a href="#app">Appendix</a></h5>
			<ul>
				<li><p><a href="#author">About author</a></p></li>
				<li><p><a href="#contact">Contact</a></p></li>
				<li><p><a href="#app_why">Why</a></p></li>
				<li><p><a href="#references">References</a></p></li>

				<li><p><a href="#app_links">Software Links</a></p></li>
				<li><p><a href="#app_dif">Difference between Ubuntu versions</a></p></li>
				<li><p><a href="#download">Download</a></p></li>
				<li><p><a href="#app_todo">Todo</a></p></li>
				<li><p><a href="#app_log">Change Log</a></p></li>
				<li><p><a href="#app_faq">FAQ</a></p></li>

			</ul>
		</li>
	</ul>

</div>	
<h6><a href="#top">Return to top</a>.</h6>


<a name="editions"></a>
<h2>Editions</h2>

<div class="section">

	<table border="1" class="editions" cellpadding="5" cellspacing="0">
		<tr>
			<th colspan="1">Edition</th>
			<th colspan="1">State</th>
			<th colspan="1">Started</th>
			<th colspan="1">Updated</th>

			<th colspan="1">Description</th>
		</tr>	
		<tr>
			<td colspan="1" nowrap><a href="edition1.html">1st</a></td>
			<td colspan="1" nowrap>Released (outdated)</td>
			<td colspan="1" nowrap>2004-01</td>
			<td colspan="1" nowrap>2004-02</td>

			<td colspan="1" class="desc">
				Based on Mandrake 9.1.	
			</td>
		</tr>	
		<tr>
			<td colspan="1" nowrap><a href="edition2.html">2nd</a></td>
			<td colspan="1" nowrap>Released (outdated)</td>
			<td colspan="1" nowrap>2004-02</td>

			<td colspan="1" nowrap>2004-07</td>
			<td colspan="1" class="desc">
				Based on Mandrake 10.x, but valid for all distributions. 
				Very thorough. Includes package description, where to get the sources and binaries, 
				how to build them or which RPMs to use, includes many references, etc. 
				Starts off with a basic working server, then advances, extends and tightens it in stages.
			</td>
		</tr>	
		<tr>
			<td colspan="1" nowrap><a href="edition3.html">3rd</a> </td>
			<td colspan="1" nowrap>Released (outdated)</td>

			<td colspan="1" nowrap>2005-05</td>
			<td colspan="1" nowrap>2005-11</td>
			<td colspan="1" class="desc">
				Based on Ubuntu 5.04, Hoary Hedgehog. 
				More concise simplified guide to get an advanced server working quickly. 
				Now includes SASL &amp; TLS integration.
			</td>
		</tr>	
		<tr>
			<td colspan="1" nowrap><a href="edition4.html">4th</a></td>

			<td colspan="1">Released (outdated)</td>
			<td colspan="1" nowrap>2005-10</td>
			<td colspan="1" nowrap>2005-12</td>
			<td colspan="1" class="desc">
				Based on Breezy Badger, Ubuntu 5.10.
				Includes Postgrey
			</td>
		</tr>	
		<tr>

			<td colspan="1" nowrap><a href="edition5.html">5th</a></td>
			<td colspan="1">
				Released
			</td>
			<td colspan="1" nowrap>2006-05</td>
			<td colspan="1" nowrap>2006-11</td>
			<td colspan="1" class="desc">
				Based on Dapper Drake, Ubuntu 6.06 LTS.
			</td>

		</tr>	
		<tr>
			<td colspan="1" nowrap><strike>6th</strike></td>
			<td colspan="1">
				Scrapped
			</td>
			<td colspan="1" nowrap>2006-11</td>
			<td colspan="1" nowrap>2007-10</td>

			<td colspan="1" class="desc">
				Was to be based on Edgy Eft, Ubuntu 6.10 or 7.04,
				and to include Domain Key signing
				and my mail admin or my catchall aliases admin.
			</td>
		</tr>
		<tr>
			<td colspan="1" nowrap><a href="edition7.html">7th</a></td>
			<td colspan="1">
				Released
			</td>

			<td colspan="1" nowrap>2008-04</td>
			<td colspan="1" nowrap>2009-06</td>
			<td colspan="1" class="desc">
				Updated, based on Ubuntu 8.04 LTS Hardy Heron.
				Using Amazon EC2 as example.
				(Tested with 8.10 &amp; 9.04 as well)
			</td>
		</tr>
		<tr>
			<td colspan="1" nowrap>8th (this)</td>

			<td colspan="1">
				Draft	
			</td>
			<td colspan="1" nowrap>2009-05</td>
			<td colspan="1" nowrap>2009-06</td>
			<td colspan="1" class="desc">
				Based on Ubuntu 8.10. 
				Using official Ubuntu ec2 as examples.
				(Tested with 9.04 as well)
			</td>
		</tr>

		<tr>
			<td colspan="1" nowrap>9th</td>
			<td colspan="1">
				Early Draft	
			</td>
			<td colspan="1" nowrap>??</td>
			<td colspan="1" nowrap>??</td>
			<td colspan="1" class="desc">

				Future version. 
				Waiting for Canonical to release an official Ubuntu 9.04 on ec2
			</td>
		</tr>
	</table>

	<h5>
		Further details available in the <a href="#app_log">change log</a> and below in the <a href="#intro">introduction</a>.
	</h5>


</div>	
<h6><a href="#top">Return to top</a>.</h6>


<a name="dev"></a>
<h2>Notice</h2>

<div class="section">

	<p>
		<b>Disclaimer</b>. 
	</p>
	<p>
		This edition is still in draft mode, so some sections are still to be thoroughly retested. 
	</p>
	<p>
		You may prefer to use the <b><a href="edition5.html">previous howto edition</a>(7th)</b>,
		while we iron out any errors and missing sections.
	</p>

	<!--
	<p>
		Some references to older editions still exists, but they are being ironed out.
		And some sections still need some padding out with better descriptions.
	</p>
	-->
	<p>
		If you find any spelling mistakes or broken links, <a href="#contact">please let me know</a>.
		If you find any clear technical mistakes, <a href="#contact">let me know</a> as well. 
		For a technical difference of opinion, <a href="#forum">please use the forum</a>.
		For any questions or problems, <a href="#forum">please use the forum</a>.
	</p>
</div>
<h6><a href="#top">Return to top</a>.</h6>



<a name="intro"></a>
<h2>Introduction</h2>

<div class="section">

	<a name="intro_aim"></a>
	<h3>Aim</h3>	
	<p>
		This is a step by step howto guide to set 
		up a mail server on a GNU / Linux system. 
		It is easy to follow, but you
		end up with a powerful, secure mail server.
	</p>

	<p>
		The server accepts unlimited domains and users,
		and all mail can be read via your favourite clients,
		or via web mail.		
	</p>
	<p>
		It is secure, traffic can be encrypted
		and it will block virtually all spam and viruses.
	</p>
	<h6><a href="#top">Return to top</a>.</h6>

	<a name="intro_research"></a>

	<h3>Research</h3>
	<p>
		Don't take my word for it!
		Research others' opinions and methods.
		Look at my <a href="reference">references</a>,
		look at <a href="http://www.postfix.org/docs.html"
			>Postfix.org's howtos</a>,
		read the excellent books available 
		(E.g. Kyle's or Hildebrandt's),
		search the web or read the proper
		<a href="http://www.postfix.org/docs.html">documentation</a>.
	</p>
	<p>
		If you refer to this howto in your own document,
		or find useful links, then 
		<a href="#contact">let me know</a>.
	</p>


	<a name="intro_ego"></a>
	<h3>Donate</h3>
<table border="0">
	<tr>
		<td rowspan="2">
			<p>
				If you found this howto very useful,  spread the word and help others?
			</p>

			<p>
				If this howto was exceptionally useful why not donate me some <b><i>beer</i></b> money?
			</p>
			<p>
				Or buy a <a href="#install">postfix book</a> using my <a href="#install">amazon affiliate links</a> further down?
			</p>

			<p>
				Or buy a t-shirt from <a href="http://shirts.flurdy.com">my t-shirt shop</a>?
			</p>
			<p>
				Otherwise <a href="#contact">send me</a> a <b><i>Thank You</i></b> note?
			</p>

		</td>
		<td colspan="3">
		</td>
	</tr>
	<tr>
		<td align="center">

			<a href="http://shirts.flurdy.com/uk"><img style="border: 1px solid black;"
			src="http://image.spreadshirt.com/image-server/image/product/3876780/view/1/type/png/width/190/height/190"
			onmouseout="this.src='http://image.spreadshirt.com/image-server/image/product/3876780/view/1/type/png/width/190/height/190'"
			onmouseover="this.src='http://image.spreadshirt.com/image-server/image/design/3120666/type/png/width/190/height/190'"
				width="60" height="60" border="1" alt="no fix puta" align="left" title="t-shirt by flurdy (UK)" vspace="5" hspace="5"/></a>
			<h6><a href="http://shirts.flurdy.com/uk">UK</a></h6>
		</td>
		<td align="center">
			<a href="http://shirts.flurdy.com/us"><img  style="border: 1px solid black;" 
			src="http://image.spreadshirt.com/image-server/image/product/4198589/view/1/type/png/width/190/height/190"
			onmouseout="this.src='http://image.spreadshirt.com/image-server/image/product/4198589/view/1/type/png/width/190/height/190'"
			onmouseover="this.src='http://image.spreadshirt.com/image-server/image/design/3257345/type/png/width/190/height/190'"
				width="60" height="60" border="1" alt="kill bill" align="left" title="t-shirt by flurdy (US)" vspace="5" hspace="5"/></a>
			<h6><a href="http://shirts.flurdy.com/us">US</a></h6>
		</td>
		<td align="center">

			<a href="http://shirts.flurdy.com/eu"><img  style="border: 1px solid black;"
			src="http://image.spreadshirt.net/image-server/image/product/8968630/view/1/type/png/width/190/height/190"
			onmouseout="this.src='http://image.spreadshirt.net/image-server/image/product/8968630/view/1/type/png/width/190/height/190'"
			onmouseover="this.src='http://image.spreadshirt.net/image-server/image/design/233902/type/png/width/190/height/190'"
				width="60" height="60" border="1" alt="" align="left" title="t-shirt by flurdy (EU)" vspace="5" hspace="5"/></a>
			<h6><a href="http://shirts.flurdy.com/eu">EU</a></h6>
		</td>
	</tr>
</table>
	<br clear="all" />
</div>
<h6><a href="#top">Return to top</a>.</h6>



<a name="software"></a>
<h2>Software</h2>
<div class="section">
	<div style="float: right;">
		<a href="http://www.ubuntu.com"><img 
			src="edition3/images/ubuntu-Logo-small.png" 
			alt="Ubuntu" title="Ubuntu Linux OS"
			width="120" class="postfix" /></a><br />
		<a href="http://www.postfix.org"><img 
			src="edition3/images/mysza.gif" 
			alt="postfix" title="Postfix MTA"
			width="120" class="postfix" /></a><br />
		<a href="http://www.courier-mta.org/imap/"><img 
			src="edition3/images/courier-imap.png" 
			alt="Courier IMAP" title="Courier IMAP"
			width="120" class="postfix" /></a><br />
		<a href="http://www.mysql.com"><img 
			src="edition3/images/mysql.png" 
			alt="MySQL" title="MySQL database lookups"
			width="120" class="postfix" /></a><br />

		<a href="http://www.ijs.si/software/amavisd/"><img 
			src="edition3/images/amavis-small.png" 
			alt="amavisd-new" title="amavisd-new content checks"
			width="120" class="postfix" /></a><br />
		<a href="http://www.clamav.net"><img
			src="edition3/images/clam.png" 
			alt="ClamAV" title="ClamAV anti-virus"
			width="120" class="postfix" /></a><br />
		<a href="http://spamassassin.apache.org"><img 
			src="edition3/images/spam-small.png" 
			alt="SpamAssassin" title="SpamAssassin anti-spam"
			width="120" class="postfix" /></a><br />
		<a href="http://www.squirrelmail.org"><img 
			src="edition3/images/squirrel-small.jpg" 
			alt="SquirrelMail" title="SquirrelMail webmail"
			width="120" class="postfix" /></a><br />
		<a href="http://www.phpmyadmin.net"><img 
			src="edition3/images/phpmyadmin.gif" 
			alt="admin" title="phpMyAdmin"
			width="45" height="45" class="postfix" /></a>
		<a href="http://spf.pobox.com"><img 
			src="edition3/images/spfsmtp-small.png" 
			alt="SPF" title="SPF Sender ID"
			width="45" height="45" class="postfix" /></a><br />
		<a href="http://www.gnupg.org"><img 
			src="edition3/images/gnupg-small.png" 
			alt="GnuPG" title="GnuPG encryption"
			width="45" height="45" class="postfix" /></a>
		<a href="http://asg.web.cmu.edu/sasl/"><img 
			src="edition3/images/cyrus-sasl-small.jpg" 
			alt="SASL" title="Cyrus-SASL authentication"
			width="45" height="45" class="postfix" /></a><br />
	</div>

	<h4>
		Which software packages I use and why.
	</h4>
	<ul>
		<li>
			<h4>OS: <b>Ubuntu Linux</b></h4>
			<h6><a href="http://www.ubuntu.com">www.ubuntu.com</a></h6>

			<p>
				Ah the age old distro argument...
				Thankfully this set up should work on most distros.
				I used to base this howto on Mandrake(now Mandriva),
				and I started this new edition on a Gentoo box.
				But I don't have the patience for Gentoo, 
				nor the money to stay with Mandriva Power editions.
				Why Ubuntu? It's free, simple and slick.
				As Ubuntu is derived from Debian, the installations 
				used here will be apt-get based. 
				Please refer to my other editions for details on RPM 
				or source based installations.
			</p>
		</li>
		<li>
			<h4>MTA: <b>Postfix</b></h4>
			<h6><a href="http://www.postfix.org">www.postfix.org</a></h6>
			<p>

				Simple, free and slick. 
				Yup, I am a sucker for anything that works easily.	
				Postfix is powerful, well established, 
				but not too bloated,
				and is security conscious from the start.
			</p>
		</li>
		<li>
			<h4>Pop/IMAP: <b>Courier IMAP</b></h4>
			<h6><a href="http://www.courier-mta.org/imap/">www.courier-mta.org/imap/</a></h6>
			<p>
				My first mail server installation was with Courier.
				I have not found a reason to change this as again
				it is simple, and free.
			</p>

		</li>
		<li>
			<h4>Database: <b>MySQL</b></h4>
			<h6><a href="http://www.mysql.com">www.mysql.com</a></h6>
			<p>
				Although I use Firebird for my application development, 
				(or Hibernate/C-JDBC hybrids),
				MySQL is well supported for the sort of lookups required
				in a mail server.
			</p>
		</li>

		<li>
			<h4>Content Check: <b>Amavisd-new</b></h4>
			<h6><a href="http://www.ijs.si/software/amavisd/">www.ijs.si/software/amavisd/</a></h6>
			<p>
				Easy plug in solution for spam, virus checking etc.	
			</p>
		</li>
		<li>

			<h4>Anti-Spam: <b>SpamAssassin</b></h4>
			<h6><a href="http://spamassassin.apache.org">spamassassin.apache.org</a></h6>
			<p>
				Powerful, renowned spam fighting tool.
			</p>
		</li>
		<li>
			<h4>Anti-Virus: <b>ClamAV</b></h4>

			<h6><a href="http://www.clamav.net">www.clamav.net</a></h6>
			<p>
				Free virus scanner that can be trusted and includes update daemon.
			</p>
		</li>
		<li>
			<h4>Authentication: <b>Cyrus SASL</b></h4>
			<h6><a href="http://www.imc.org/ietf-sasl/">www.imc.org/ietf-sasl/</a></h6>

			<p>
				Secure and trusted cryptography technology
				for authentication of SMTP traffic.
			</p>
		</li>
		<li>
			<h4>PostGrey</h4>
			<h6><a href="http://isg.ee.ethz.ch/tools/postgrey/">isg.ee.ethz.ch/tools/postgrey/</a></h6>
			<p>

				Postgrey is an excellent little script that stops 99% of all spam.
				On first contact for a specific from-to combination, 
				it tells the sending server to try again in a little while, 
				which most spammers can't afford to do. 
				When a proper server tries again after a few minutes, Postgrey lets the mail through.
			</p>	
		</li>
		<li>
			<h4>Encryption: <b>TLS</b></h4>
			<h6><a href="http://www.ietf.org/html.charters/tls-charter.html">www.ietf.org/html.charters/tls-charter.html</a></h6>
			<p>
				Secure and trusted cryptography technology
				for encryption of SMTP traffic.
				Not to be confused with client encryption technology 
				like GnuPG and S/MIME. They are covered in the 
				<a href="#extend">extend</a> section.
				Formerly referenced as SSL.
			</p>

		</li>
		<li>
			<h4>WebMail: <b>SquirrelMail</b></h4>
			<h6><a href="http://www.squirrelmail.org">www.squirrelmail.org</a></h6>
			<p>
				Easy to set up php based web mail client.
			</p>
		</li>

	</ul>
		<p>
			Please see <a href="edition5.html#app_links">software links appendix</a> for further information
			about these software packages. In that section there are more links to 
			documentation or forums, viable alternatives, downloadable packages, version details etc.
		</p><p>
			Further software and tweaks are discussed in the 
			<a href="#extend">extension section</a>.
		</p><p>
			Also review other people's opinions on these packages via my <a href="edition5.html#references">references</a>.
			</p>

</div>
<h6><a href="#top">Return to top</a>.</h6>





<a name="install"></a>
<h2>Installation</h2>
<div class="section">


	<ul>
		<li><p><a href="#install_distro">Distribution</a></p></li>
		<li><p><a href="#install_Base">Base Install</a></p></li>
		<li><p><a href="#install_repos">Repositories</a></p></li>
		<li><p><a href="#install_pack">Packages</a></p></li>
	</ul>



	<a name="install_distro"></a>
	<h3>Distribution</h3>	
	<p>
		Please refer to <a href="edition5.html#install_distro">previous edition</a>
		for a discussion on distribution selection.
	</p>

	<a name="install_base"></a>	
	<h3>Base Install</h3>	
	<p>

		When installing Ubuntu you have a choice of which base system to install. 
		You may choose server or desktop image or very basic setups.
		I will assume a server install, but it should not differ.
	</p>
	<p>
		Ps.
		I actually built this recent mail server using
		<a href="http://ec2.amazonaws.com">Amazon Elastic Computing Cloud (EC2)</a>.
		And thus I have created public images of my mail server that you can use.
		For more details see my <a href="#ec2">EC2 section</a>.
		If you have your own server, then it is not relevant.
	</p>
	<p>
		PPS. Please note that after a while I'll stop specifying the use of <a href="http://help.ubuntu.com/community/RootSudo">sudo</a>, 
		as it is up to you whether you use it or use a privileged user, e.g. root.
	</p>


	<a name="install_repos"></a>
	<h3>Repositories</h3>
	<p>
		Please refer to a <a href="edition5.html#install_repos">previous edition</a>
		for details of repository configuration. 		
		For assistance with repositories, refer to <a href="http://wiki.ubuntu.com/AddingRepositoriesHowto">this article on Ubuntu's wiki</a>.
	</p>


	<a name="install_pack"></a>

	<h4>Packages</h4>
	<p>	
		You need to install a whole bunch of packages.	
		We will install them bit by bit.
		But first check your package sources are correctly pointing to <b><i>main multiverse restricted universe</i></b>
		repositories of your current Ubuntu version.
		<code>sudo vi /etc/apt/sources.list</code>
		Secondly update your current system:
		<code>sudo aptitude update
sudo aptitude safe-upgrade</code>		
	</p>

	<h5>MySQL</h5>
	<p>		
		First we'll install MySQL
		<code>sudo aptitude install mysql-client mysql-server</code>
		This will prompt you for a root password.
		Choose something wise and remember it!
		For the purpose of this tutorial I will set it to <b><i>rootPASSWORD</i></b>
	</p>
	<h5>Postfix</h5>

	<p>		
		Then we'll install postfix	
		<code>sudo aptitude install postfix postfix-mysql</code>
		This will prompt you to choose type of email server.
		Select <b><i>internet site</i></b>
		It will also suggest a server name. Correct this if needed.
	</p>
	<h5>SASL</h5>
	<code>sudo aptitude install libsasl2-modules-sql libgsasl7 libauthen-sasl-cyrus-perl</code>

	<h5>Courier</h5>
	<p>
		<code>sudo aptitude install courier-base courier-authdaemon courier-authlib-mysql courier-imap courier-imap-ssl courier-ssl</code>
		will prompt you about webdirectories. You can say no to this.
		It will also warn you about the certificate location. Ignore it.
	</p>

	<h5>	ClamAV</h5>
	<p>	
		<code>sudo aptitude install clamav-base libclamav5 clamav-daemon clamav-freshclam</code>		
	</p>


	<h5>Amavis, SpamAssassin, postgrey</h5>
	<p>	
		<code>sudo aptitude install amavisd-new
sudo aptitude install spamassassin spamc
sudo aptitude install postgrey</code>		
	</p>

	<h5>SquirrelMail</h5>
	<code>sudo aptitude install squirrelmail squirrelmail-locales php-pear php5-cli</code>
	<p>			
	</p>

	<h5>phpMyAdmin</h5>
	<code>sudo aptitude install phpmyadmin</code>
	<p>			
		Accept apache2 as the web server.
	</p>			
	<h5>ShoreWall</h5>
	<code>sudo aptitude install shorewall shorewall-doc</code>

	<p>			
		Amazon provides a firewall / access control for its servers,
		so Shorewall is not always needed there, but it is nice to have. 
		In all other situations it is a must have.
	</p>
	<p>			

	</p>

	<h5>Extras</h5>
	<p>			
		I also install a few other packages that I personally prefer.
		They have nothing to do with the mail server.
		<code>sudo aptitude install vim mutt lynx</code>
	</p>



	<h5>Package status</h5>
	<p>
		To find out which packages you may have installed,
		you can use for example:
		<code>sudo dpkg --list | grep <i>postfix</i></code>
		or
		<code>sudo aptitude search postfix</code>
	</p>



	<div class="note">

	<h5>EC2 Bundle</h5>
	<p>	
		My AMI <b><i><a href="#ec2_ami">flurdy-amis/ubuntu-mail-server-clean</a></i></b>
		is based on Canonical's official Ubuntu with these basic mail server packages installed.
	</p>
	</div>

</div>
<h6><a href="#top">Return to top</a>.</h6>




<a name="config"></a>
<h2>Configuration</h2>
<div class="section">
	<ul>
		<li>
			<h5><a href="#config-simple">Core/Simple</a></h5>
			<ul>

				<li><p><a href="#config-simple-firewall">Firewall (Shorewall)</a></p></li>
				<li><p><a href="#config-simple-mta">MTA (Postfix)</a></p></li>
				<li><p><a href="#config-simple-database">Database (MySQL)</a></p></li>
				<li><p><a href="#config-simple-imap">Pop/IMAP (Courier)</a></p></li>			
			</ul>
		</li>	
		<li>
		<h5><a href="#config-adv">Advanced</a></h5>

			<ul>
				<li><p><a href="#config-adv-content">Content Checks (amavisd-new)</a></p>
					<ul>
						<li><p><a href="#config-adv-spam">Anti-Spam(SpamAssassin)</a></p></li>
						<li><p><a href="#config-adv-virus">Anti-Virus (ClamAV)</a></p></li>
						<li><p><a href="#config-adv-policy">Policy Check (PostGrey)</a></p></li>
					</ul>

				</li>		
			</ul>
		</li>	
		<li>
			<h5><a href="#config-secure">Secure</a></h5>		
			<ul>
				<li><p><a href="#config-secure-auth">Authentication (SASL)</a></p></li>
				<li><p><a href="#config-secure-crypt">Encryption (TLS)</a></p></li>			
			</ul>

		</li>	
		<li><p><a href="#config-extra-webmail">Webmail (SquirrelMail)</a></p></li>
		<li><p><a href="#config-extra-admin">Administration (phpMyAdmin)</a></p></li>
	</ul>

	<a name="config-simple"></a>
	<h3>Simple mail server</h3>
	<p>
		Now let's configure a simple mail server using some of 
		the packages installed.
	</p>

	<a name="config-simple-firewall"></a>
	<h3>Firewall</h3>
	<h4>Shorewall</h4>
	<p>
		Not essential for an EC2 image.
		It is essential for a normal server.
	</p>
	<p>
		Basically at first you want to only allow SSH.
		Then SMTP and IMAP from your IP only.
	</p>

	<p>
		When you are confident that the mail server is secure,
		you can open SMTP to the world.
		If you prefer you can also open IMAP to the world, 
		unless you have a very small client IP range.
	</p>
	<p>
		Later you may open web access to the webmail and admin gui.
		This you may also restrict to specific IPs.
	</p>
	<h5>SSH only</h5>
	<p>
		By default Shorewall in Ubuntu has an empty setup.
		You can find the default values for Shorewall in
		<i>/usr/share/doc/shorewall-common/default-config</i>,
		and examples in <i>/usr/share/doc/shorewall-common/examples</i>.
		We will create a basic setup.
	</p>

	<p>
		First configure which network adapters we use to access the net.
		<code>cp /usr/share/doc/shorewall-common/default-config/interfaces /etc/shorewall/
vi /etc/shorewall/interfaces</code>
		<code>net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs</code>
	</p>
	<p>
		Then we will configure network zones
		<code>cp /usr/share/doc/shorewall-common/default-config/zones /etc/shorewall/
vi /etc/shorewall/zones</code>

		Add the firewall if not there and the internet as a zone.
		<code>fw	firewall
<span class="comment"># loc 	ipv4</span>		
net     ipv4</code>
	</p>
	<p>
		Then, if you need to specify hosts, you can do it in this file,
		e.g. if you want to specify what your home IP is.
		<code>cp /usr/share/doc/shorewall-common/default-config/hosts /etc/shorewall/
vi /etc/shorewall/hosts</code>
		<code><span class="comment"># loc	eth0:192.168.0.0/24</span></code>

	</p>
	<p>
		Then set what is the default policy for firewall access.
		<code>cp /usr/share/doc/shorewall-common/default-config/policy /etc/shorewall/
vi /etc/shorewall/policy</code>
		<code>$FW             net             ACCEPT
net             $FW             DROP            info
net             all             DROP            info
<span class="comment"># The FOLLOWING POLICY MUST BE LAST</span>
all             all             REJECT          info</code>
	</p>
	<p>		
		For safety in case it goes down.
	<code>cp /usr/share/doc/shorewall-common/default-config/routestopped /etc/shorewall/
vi /etc/shorewall/routestopped</code>

		<code>eth0            0.0.0.0                 routeback</code>
		You may put in a netmask of your ip range if you are more concerned.
	</p>
	<p>
		Now for the main firewall rules.
		You can find predetermined macro rules for Shorewall in 
		<i>/usr/share/shorewall</i>.		
		<code>cp /usr/share/doc/shorewall-common/default-config/rules /etc/shorewall/
vi /etc/shorewall/rules</code>
		<code>SSH/ACCEPT      net             $FW</code>

	</p>
	<h5>Open for business</h5>
	<p>
		Once your server is working,
		come back to this step and 
		open up SMTP and Web access to others.
		<code>vi /etc/shorewall/rules</code>
		<code>Ping/ACCEPT     net             $FW

# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT          $FW             net             icmp

# mail lines
SMTP/ACCEPT     net             $FW
SMTPS/ACCEPT    net             $FW
Submission/ACCEPT       net             $FW
IMAP/ACCEPT     net             $FW
IMAPS/ACCEPT    net             $FW

#web
Web/ACCEPT      net             $FW</code>
	</p>
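	<p>
		Added example, not part of the original guide: the staged opening described above,
		with a check that lists which services a rules file accepts from the whole <i>net</i> zone.
		A source written as <i>net:ADDRESS</i> limits a rule to that address;
		203.0.113.10 is a constructed stand-in for your own IP, and the function names are assumptions of this example.
	</p>

```shell
#!/bin/sh
# Added example. Lists the macros/actions in a Shorewall rules file that
# accept traffic to the firewall from the whole net zone.
# Narrowed to plain ACCEPT and MACRO/ACCEPT actions (no log tags, no sections).

# Read rules from file arguments or stdin; print the open services on one line.
shorewall_world_open() {
    cat "$@" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
        {
            action = $1; src = $2; dst = $3
            if (action != "ACCEPT" && action !~ /\/ACCEPT$/) next
            if (src != "net" && src != "all") next    # net:ADDRESS is restricted
            if (dst != "$FW" && dst != "fw" && dst != "all") next
            sub(/\/ACCEPT$/, "", action)
            out = out (out == "" ? "" : " ") action
        }
        END { print out }
    '
}

# Stage 1 (constructed): SSH for everyone, SMTP and IMAP from one address only.
stage1_rules() {
    cat <<'EOF'
SSH/ACCEPT      net                  $FW
SMTP/ACCEPT     net:203.0.113.10     $FW
IMAP/ACCEPT     net:203.0.113.10     $FW
EOF
}

# Stage 2: the "Open for business" rules from the guide, after the SSH rule.
stage2_rules() {
    cat <<'EOF'
SSH/ACCEPT      net             $FW
Ping/ACCEPT     net             $FW

# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT          $FW             net             icmp

# mail lines
SMTP/ACCEPT     net             $FW
SMTPS/ACCEPT    net             $FW
Submission/ACCEPT       net             $FW
IMAP/ACCEPT     net             $FW
IMAPS/ACCEPT    net             $FW

#web
Web/ACCEPT      net             $FW
EOF
}

# Run against real files when given, e.g. sh thisfile /etc/shorewall/rules
if [ $# -gt 0 ]; then
    shorewall_world_open "$@"
fi
```
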

	<p>
		Firewall configuring is always risky business,
		as it is easy to lock yourself out.
		To test the setup syntax, run
		<code>shorewall check</code>
		Restart it with
		<code>/etc/init.d/shorewall restart</code>
	</p>	
	<p>
		Then to switch it on during boot:		
		<code>vi /etc/default/shorewall</code>

		<code>startup=1</code>
	</p>	
	<p>
		For more details on IP Tables and Shorewall,
		look up its <a href="http://www.shorewall.net">website</a>.
	</p>		
	<h6><a href="#top">Return to top</a>.</h6>



	<a name="config-simple-mta"></a>
	<h3>MTA</h3>
	<h4>Postfix</h4>
	<p>
		You should put the name of your server in this file
		<code>sudo vi /etc/mailname</code>

		Could be something like <i>smtp.domain.name</i>,
		where domain name obviously is replaced with your domain name.
	</p>
	<p>
		Now we will open the main Postfix configuration file:
		<code>sudo vi /etc/postfix/main.cf</code>
		Debian and Ubuntu already put some sensible default values in this file.
		You may need to comment some of them out if we put the same in as well.		
	</p>

	<p>
		First specify the name of your server. 
		<code><span class="comment"># This is already done in /etc/mailname
#myhostname= <i>mail.example.com</i></span></code>

		Next is the origin which is the domain appended to email from this machine,
		this can be your full servername, or domain name.
		<code><span class="comment"># myorigin=/etc/mailname</span>
myorigin=<i>example.com</i></code>
	</p>
	<p>
		Then decide what the greeting text will be.
		It should give enough info to be useful,
		but not divulge everything to potential hackers.
		<code>smtpd_banner = $myhostname ESMTP $mail_name</code>	
	</p>
	<p>

		Next you need to decide whether to send
		all outgoing mail via another SMTP server,
		or send them yourself.
		I send via my ISP's server,
		so it has to worry about the queuing etc.
		If you send it yourself then you are not reliant
		on a 3rd party server. 
		But you may risk more exposure and 
		accidentally be blocked by spam blockers.
		And it is more work for your server.
		Also many servers block dynamic dns hosts,
		so you may find your server gets rejected.
		However choose whichever you are comfortable with.
		<code><span class="comment"># leave blank to do it yourself</span>
relayhost =</code><code><span class="comment"># or put it an accessible smtp server</span>
relayhost = <i>smtp.yourisp.com</i></code>
	</p>
	<p>
		Next is network details.
		You will accept connection from anywhere,
		and you only trust this machine
		<code>inet_interfaces = all
mynetworks_style = host</code>

	</p>
	<p>
		Next you can masquerade some outgoing addresses.
		Say your machine's name is <i>mail.domain.com</i>.
		You may not want outgoing mail to come from 
		<i>username</i>@mail.example.com, as you'd prefer
		<i>username</i>@example.com.
		You can also state which domain not to masquerade.
		E.g. if you use a dynamic dns service,
		then your server address will be a subdomain.
		You can also specify which users not to masquerade.
		<code><span class="comment"># masquerade_domains = <i>mail.example.com www.example.com !sub.dyndomain.com</i>
# masquerade_exceptions = root</span></code>

	</p>
	<p>
		As we will be using virtual domains, these need to be empty.
		<code>local_recipient_maps = 
mydestination =</code>

	</p>
	<p>	
		Then we will set a few numbers.

		<code><span class="comment"># how long if undelivered before sending warning update to sender		</span>
delay_warning_time = 4h 

<span class="comment"># will it be a permanent error or temporary</span>
unknown_local_recipient_reject_code = 450 
<span class="comment"># how long to keep message on queue before return as failed.</span>
<span class="comment"># some have 3 days, I have 16 days as I am backup server for some people</span>
<span class="comment"># whom go on holiday with their server switched off.</span>
maximal_queue_lifetime = 7d 
<span class="comment"># max and min time in seconds between retries if connection failed</span>
minimal_backoff_time = 1000s 
maximal_backoff_time = 8000s 
<span class="comment"># how long to wait when servers connect before receiving rest of data</span>
smtp_helo_timeout = 60s 
<span class="comment"># how many address can be used in one message.</span>

<span class="comment"># effective stopper to mass spammers, accidental copy in whole address list</span>
<span class="comment"># but may restrict intentional mail shots.</span>
smtpd_recipient_limit = 16 
<span class="comment"># how many error before back off.</span>
smtpd_soft_error_limit = 3 
<span class="comment"># how many max errors before blocking it.</span>
smtpd_hard_error_limit = 12</code>

	</p>

	<p>

		Now we can specify some restrictions.
		Be careful that each setting is on one logical line only:
		Postfix treats a line that starts with whitespace
		as a continuation of the line before it.

	<code><span class="comment"># Requirements for the HELO statement</span>
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, 
		reject_invalid_hostname, permit
<span class="comment"># Requirements for the sender details</span>
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, 
		reject_unknown_sender_domain, reject_unauth_pipelining, permit
<span class="comment"># Requirements for the connecting server </span>
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, 
		reject_rbl_client blackholes.easynet.nl, 
		reject_rbl_client dnsbl.njabl.org 
<span class="comment"># Requirement for the recipient address</span>
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, 
		reject_non_fqdn_recipient, reject_unknown_recipient_domain, 
		reject_unauth_destination, permit
<span class="comment"># Requirements for the DATA command</span>
smtpd_data_restrictions = reject_unauth_pipelining</code>

	</p>
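	<p>
		Added example, not part of the original guide: how Postfix joins main.cf lines into logical lines,
		and a heuristic that flags a setting which is indented by mistake and so becomes part of the setting above it.
		The function names and the sample fragment are constructed for this example.
	</p>

```shell
#!/bin/sh
# Added example: how Postfix turns main.cf text into "logical lines".
#   - blank lines and lines whose first non-blank character is '#' are ignored
#   - a line that starts with non-whitespace begins a logical line
#   - a line that starts with whitespace continues the previous logical line

# Print the logical lines of main.cf text (file arguments or stdin).
maincf_logical_lines() {
    cat "$@" | awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        /^[ \t]/ {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            cur = (cur == "" ? $0 : cur " " $0)
            next
        }
        { if (cur != "") print cur; sub(/[ \t]+$/, ""); cur = $0 }
        END { if (cur != "") print cur }
    '
}

# Print the effective value of parameter $1; the last definition wins.
maincf_value() {
    name=$1; shift
    maincf_logical_lines "$@" | awk -v name="$name" '
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            if (key == name) {
                val = substr($0, eq + 1); sub(/^[ \t]+/, "", val); found = 1
            }
        }
        END { if (found) print val }
    '
}

# Heuristic: print "LINE:NAME" for each indented line that looks like its own
# "name = value" setting, which Postfix folds into the setting above it.
maincf_swallowed() {
    cat "$@" | awk '
        /^[ \t]+[A-Za-z0-9_]+[ \t]*=/ {
            name = $0; sub(/^[ \t]+/, "", name); sub(/[ \t]*=.*$/, "", name)
            print NR ":" name
        }
    '
}

# Constructed main.cf fragment: line 3 is indented by mistake.
maincf_sample() {
    cat <<'EOF'
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks,
    reject_unauth_destination, permit
    smtpd_data_restrictions = reject_unauth_pipelining
# require proper helo at connections
smtpd_helo_required = yes
EOF
}

# Run against real files when given, e.g. sh thisfile /etc/postfix/main.cf
if [ $# -gt 0 ]; then
    maincf_swallowed "$@"
fi
```

	<p>
		On a live system <code>postconf -n</code> prints the values Postfix itself has parsed, which is the authoritative check.
	</p>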
	<p>
		Further restrictions:
		<code><span class="comment"># require proper helo at connections </span>
smtpd_helo_required = yes
<span class="comment"># waste spammers time before rejecting them</span>
smtpd_delay_reject = yes
disable_vrfy_command = yes</code>
	</p>
	<p>

		Next we need to set some maps and lookups for the virtual domains.
		<code><span class="comment"># not sure of the difference of the next two</span>
<span class="comment"># but they are needed for local aliasing</span>
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
<span class="comment"># this specifies where the virtual mailbox folders will be located</span>
virtual_mailbox_base = /var/spool/mail/virtual
<span class="comment"># this is for the mailbox location for each user</span>
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
<span class="comment"># and their user id</span>
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf
<span class="comment"># and group id</span>

virtual_gid_maps =  mysql:/etc/postfix/mysql_gid.cf
<span class="comment"># and this is for aliases</span>
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
<span class="comment"># and this is for domain lookups</span>
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
<span class="comment"># this is how to connect to the domains (all virtual, but the option is there)</span>
<span class="comment"># not used yet
# transport_maps = mysql:/etc/postfix/mysql_transport.cf</span></code>
	</p>

	<p>
		You need to set up an alias file.
		This is only used locally, 
		and not by your own mail domains.

	<code>sudo cp /etc/aliases /etc/postfix/aliases
# may want to view the file to check if ok.
# especially that the final alias, eg root goes
# to a real person
sudo postalias /etc/postfix/aliases</code>


	</p>
	<p>
		Next you need to set up the folder
		where the virtual mail will be stored.
		This may have already been done by the apt-get.
		And also create the user who will own the folders.

	<code><span class="comment"># to add if there is not a virtual user</span>
sudo mkdir /var/spool/mail/virtual
sudo groupadd virtual -g 5000
sudo useradd virtual -u 5000 -g 5000
sudo chown -R virtual:virtual /var/spool/mail/virtual</code>
	</p>
	<p>
		Note: If using <a href="#ec2">Amazon ec2</a> you may want to move the mail spool
		to /mnt or an <a href="http://aws.amazon.com/ebs">EBS</a> location. 
		You will need to symlink correctly afterwards.
	</p>

	<h6><a href="#top">Return to top</a>.</h6>



	<h5>Postfix's MySQL configuration</h5>
	<p>
		Next we need to set up the files to access the lookups via the database. 
		We will only set up a few now, and the rest later when/if needed:
	</p>

	<p>Edit (create) the lookup for the user's mailbox location:
	<code>sudo vi /etc/postfix/mysql_mailbox.cf</code></p>

	<code>user=mail
password=<i>mailPASSWORD</i>
dbname=maildb
table=users
select_field=maildir
where_field=id
hosts=127.0.0.1
additional_conditions = and enabled = 1</code>

	<p>Create the lookup for the user id (this step I will eventually remove):
	<code>sudo vi /etc/postfix/mysql_uid.cf</code></p>

	<code>user=mail
password=<i>mailPASSWORD</i>
dbname=maildb
table=users
select_field=uid
where_field=id
hosts=127.0.0.1</code>

	<p>Create the lookup for the group id (this step I will eventually remove):
	<code>sudo vi /etc/postfix/mysql_gid.cf</code></p>

	<code>user=mail
password=<i>mailPASSWORD</i>
dbname=maildb
table=users
select_field=gid
where_field=id
hosts=127.0.0.1</code>

	<p>Create the lookup for the email alias:
		<code>sudo vi /etc/postfix/mysql_alias.cf</code></p>

	<code>user=mail
password=<i>mailPASSWORD</i>
dbname=maildb
table=aliases
select_field=destination
where_field=mail
hosts=127.0.0.1
additional_conditions = and enabled = 1</code>

	<p>Create the lookup for the domains:
		<code>sudo vi /etc/postfix/mysql_domains.cf</code></p>

	<code>user=mail
password=<i>mailPASSWORD</i>

dbname=maildb
table=domains
select_field=domain
where_field=domain
hosts=127.0.0.1
additional_conditions = and enabled = 1</code>

	<p>
		As you can see, the first 3 are very similar;
		only the select_field changes. 
		If you specify an IP in hosts
		(as opposed to 'localhost'),
		then it will communicate over TCP 
		and not the MySQL socket (chroot restriction).
		Actually you can avoid using separate uid and gid files
		as those details are the same for all, but I do anyway.
		PS: remember to replace the password with your chosen mail user password.
	</p>
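	<p>
		Added example, not part of the original guide: a pre-flight audit of the lookup files above,
		each of which holds the database password in clear text.
		The function names, mode 640 and handing the files to a group that Postfix runs under are assumptions of this example, not steps from the guide.
	</p>

```shell
#!/bin/sh
# Added example: audit the Postfix MySQL lookup files in a directory.

# Print one finding per line for every mysql_*.cf file in directory $1.
lookup_audit() {
    for f in "$1"/mysql_*.cf; do
        [ -f "$f" ] || continue
        base=${f##*/}
        # Readable by "other" means any local account can read the password.
        if [ -n "$(find "$f" -perm -004)" ]; then
            echo "$base: world-readable"
        fi
        # The placeholder from the guide was never replaced.
        if grep -Eq '^password[[:space:]]*=[[:space:]]*mailPASSWORD[[:space:]]*$' "$f"; then
            echo "$base: placeholder password"
        fi
        # A non-local host sends the password and every lookup over the network.
        host=$(sed -n 's/^hosts[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
        case $host in
            ""|127.0.0.1|localhost|unix:*) ;;
            *) echo "$base: hosts=$host is not local" ;;
        esac
    done
}

# Remove access for "other" and hand the files to group $2.
# Assumption (not from the guide): $2 is the group Postfix runs under,
# for example "postfix", so that Postfix can still read the files.
lookup_lock() {
    chgrp "$2" "$1"/mysql_*.cf
    chmod 640 "$1"/mysql_*.cf
}

# Run against a real directory when given, e.g. sh thisfile /etc/postfix
if [ $# -gt 0 ]; then
    lookup_audit "$1"
fi
```
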
	<h6><a href="#top">Return to top</a>.</h6>



	<a name="config-simple-database"></a>
	<h3>Database</h3>
	<h4>MySQL</h4>

	<p>
		Now we will need to create the tables for those lookups just specified.
		First you need to create a user to use in MySQL for mail only.
		Then you need to create the database.
		Take note of your chosen mail username and password.
		You will need the password you specified for <b><i>root</i></b> during MySQL package installation.
	</p>

	<p>
	<code><span class="comment"># If not already done (in package installation)...</span>
mysqladmin -u root password <i>new_password</i>
<span class="comment"># log in as root</span>
mysql -u root -p
<span class="comment"># then enter password for the root account when prompted</span>
<span class="reply">Enter password:</span>
<span class="comment"># then we create the mail database</span>

create database maildb;
<span class="comment"># then we create a new user: "mail"</span>
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
ON maildb.* TO 'mail'@'localhost' IDENTIFIED by '<i>mailPASSWORD</i>';
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
ON maildb.* TO 'mail'@'%' IDENTIFIED by '<i>mailPASSWORD</i>';
exit;</code>
		Obviously replace <b><i>mailPASSWORD</i></b> with your chosen password!	
	</p>
	<p>

		Then you will need to create these tables:
		<ul>
			<li>aliases</li>
			<!-- li>backups</li -->
			<li>domains</li>
			<!-- li>relocated</li -->
			<li>users</li>
			<!-- li>address</li>
			<li>userprefs</li -->

		</ul>
		We will create more later on for further extensions,
		but only these are relevant now.
	</p>

	<p>
		Log in to mysql as the new mail user
		<code>mysql -u mail -p maildb	
<span class="comment"># enter the newly created password</span>
<span class="reply">Enter password:</span></code>
	</p>
	<p>

		Then run these commands to create the tables:
	</p>	
	<code>CREATE TABLE `aliases` (
`pkid` smallint(3) NOT NULL auto_increment,
`mail` varchar(120) NOT NULL default '',
`destination` varchar(120) NOT NULL default '',
`enabled` tinyint(1) NOT NULL default '1',
PRIMARY KEY  (`pkid`),
UNIQUE KEY `mail` (`mail`)
) ;</code>
	<code>CREATE TABLE `domains` (
`pkid` smallint(6) NOT NULL auto_increment,
`domain` varchar(120) NOT NULL default '',
`transport` varchar(120) NOT NULL default 'virtual:',
`enabled` tinyint(1) NOT NULL default '1',
PRIMARY KEY  (`pkid`)
) ;</code>
	<code>CREATE TABLE `users` (
`id` varchar(128) NOT NULL default '',
`name` varchar(128) NOT NULL default '',
`uid` smallint(5) unsigned NOT NULL default '5000',
`gid` smallint(5) unsigned NOT NULL default '5000',
`home` varchar(255) NOT NULL default '/var/spool/mail/virtual',
`maildir` varchar(255) NOT NULL default 'blah/',
`enabled` tinyint(3) unsigned NOT NULL default '1',
`change_password` tinyint(3) unsigned NOT NULL default '1',
`clear` varchar(128) NOT NULL default 'ChangeMe',
`crypt` varchar(128) NOT NULL default 'sdtrusfX0Jj66',
`quota` varchar(255) NOT NULL default '',
`procmailrc` varchar(128) NOT NULL default '',
`spamassassinrc` varchar(128) NOT NULL default '',
PRIMARY KEY  (`id`),
UNIQUE KEY `id` (`id`)
) ;</code>

	<p>
		The last few fields in the <b><i>users</i></b> table are not required, 
		but useful if you extend later.
	</p>


	<code><span class="comment"># To visualise the tables created:</span>
describe aliases; describe domains; describe users; 
<span class="comment"># then quit mysql</span>
exit;</code>

	<p>
		Next is to edit MySQL's <b><i>my.cnf</i></b> file.
		In Ubuntu/Debian this is created by default.
		In Mandrake I had to manually create a blank one in /etc.
		But we need to configure it, so:
		<code>sudo vi /etc/mysql/my.cnf</code>

		In previous versions you needed to comment out this line
		<code><span class="comment">#skip-networking</span></code>
		However in today's file the default is to bind the
		address to localhost, which is fine.
		<code>bind-address = 127.0.0.1</code>
		It is very useful at the start to log any SQL calls
		that make it to MySQL. So enable this line:
		<code>log = /var/log/mysql/mysql.log</code>
		Then in a few weeks comment it out when everything is working, 
		as it slows MySQL down.
	</p>

	<p>

		Restart MySQL to make sure it's picking up the new settings.
		<code>sudo /etc/init.d/mysql restart</code>
	</p>
	<h6><a href="#top">Return to top</a>.</h6>





	<a name="config-simple-imap"></a>
	<h3>Pop/IMAP</h3>
	<h4>Courier IMAP</h4>
	<p>
		Please refer to <a href="edition5.html#conf_imap">previous edition</a>
		for more explanations. But below are the details of what you need to
		change.
	</p>
	<p>
		<code>sudo vi /etc/courier/authdaemonrc</code>
		Change to mysql mode.
		<code>authmodulelist="authmysql"</code>
		Further down enable logging.
		<code>DEBUG_LOGIN=2</code>
	</p>

	<p>
		<code>sudo vi /etc/courier/authmysqlrc</code>
		Changed user
		<code>MYSQL_USERNAME mail</code>
		Changed password to whichever you have chosen
		<code>MYSQL_PASSWORD <i>mailPASSWORD</i></code>
		Changed database
		<code>MYSQL_DATABASE maildb</code>

		Changed users table
		<code>MYSQL_USER_TABLE users</code>
		Keep the crypt password field uncommented
		<code>MYSQL_CRYPT_PWFIELD crypt</code>
		Keep the clear password field commented out
		<code><span class="comment"># MYSQL_CLEAR_PWFIELD clear</span></code>
		Added maildir 
		<code>MYSQL_MAILDIR_FIELD concat(home,'/',maildir)</code>
		Added where clause
		<code>MYSQL_WHERE_CLAUSE enabled=1</code>

	</p>
	<p>
		Lastly you can have a look at the imapd file, but no changes are needed.
		<code>vi /etc/courier/imapd</code>
	</p>
	<h6><a href="#top">Return to top</a>.</h6>



	<h4>Summary</h4>

		<p>	
			You now have a basic mail server!<br/>
		</p>
		<p>	
			Before continuing to the advanced and secure mail server you must ensure the basic setup works. 
			This will save you from loads of pain further on. <br/>			
			It is very easy to make typos, miss tiny steps, or trip over unclear steps or simple actual errors in this howto.
		</p>	
		<p>

		<ul>
			<li><p>Insert stub data from <a href="#data">data section</a></p></li>
			<li><p>Apply advice from <a href="#test">test section</a></p></li>
			<li><p>Ensure the mail server can send and receive email before proceeding</p></li>
		</ul>	

	<div class="note">
		<p>	
			I've created an EC2 bundle for this stage:
			<a href="#ec2_ami">flurdy-amis/ubuntu-mail-server-simple</a>.
		</p>

	</div>

</div>
<h6><a href="#top">Return to top</a>.</h6>



<br />
<br />




<div class="section">


	<a name="config-adv"></a>
	<h3>Advanced mail server</h3>
	<p>

		Now let's extend this setup with more useful content checks,
		security and user interfaces.
	</p>


	<a name="config-adv-content"></a>
	<h4>Content Checks (Anti spam &amp; anti virus)</h4>
	<a name="config-adv-amavis"></a>
	<h5>Amavisd-new</h5>

	<p>
		Amavisd ties together all the different ways of checking email content
		for spam and viruses.
	</p>

	<p>
		The defaults are pretty good, and the <a href="https://help.ubuntu.com/community/PostfixAmavisNew">Ubuntu documentation</a> is pretty clear and recommended.
	</p>

	<p>
		Here is a tweaked version of it:<br />		
	</p>

	<p>
		Initially we will not enable spam or virus detection!  
		This is so we can get amavis set up to receive, check and pass on 
		emails before we go on and over-complicate it. 
	</p>
	<p>
		All of amavis' configuration files are in <i>/etc/amavis</i>.
		They are now spread across several files in <i>conf.d</i>.
		Debian and Ubuntu defaults are now very sensible and spread into 
		separate files.
		<code>cd /etc/amavis/conf.d</code>
	</p>

	<p>
		<b><i>01-debian</i></b> defaults are fine.<br />
	</p>
	<p>
		Have a look at <code>less 05-domain-id</code> but don't change anything in it.				
	</p>

	<p>
		Have a look at <code>less 05-node-id</code> but don't change anything in it.				
	</p>
	<p>
		Have a look at <code>less 15-av_scanners</code> but don't change anything in it.							
	</p>
	<p>

		Edit content check file
		<code>sudo vi 15-content_filter_mode</code>
		Comment out both virus and spam scans. (Default).
		<code><span class="comment"># #@bypass_virus_checks_maps = (
#   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
# @bypass_spam_checks_maps = (
#   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);</span></code>
	</p>
	<p>
		Have a look at <code>less 20-debian_defaults</code> but don't change anything in it.							
	</p>

	<p>
		<b><i>25-amavis_helpers</i></b> defaults are fine.<br />
	</p>
	<p>
		<b><i>30-template-localization</i></b> defaults are fine.<br />
	</p>

	<p>
		Edit user file
		<code>sudo vi 50-user</code>
		In the middle insert:
		<code>@local_domains_acl = qw(.);
$log_level = 2;
$syslog_priority = 'debug';
$sa_kill_level_deflt = 8.0; # triggers spam evasive actions
$final_spam_destiny       = D_PASS;
<span class="comment"># $final_spam_destiny       = D_PASS;</span></code>
	</p>


	<p>	
		We have now set up amavis to scan and pass along incoming email.
		Next we will set up Postfix to talk to amavis.
	</p>


	<p>
		<code>vi /etc/postfix/master.cf</code>

		Append these lines to the end of the file
		(make sure they are not already present).
		Note that the -o lines have spaces in front of them.
		<code>amavis      unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20</code>
        <code>127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks</code>

		Also add the following two lines immediately below the "pickup" transport service:

        <code>-o content_filter=
         -o receive_override_options=no_header_body_checks</code>
	</p>

	<p>
		And then add this to main.cf
		<code>sudo vi /etc/postfix/main.cf</code>
		<code>content_filter = amavis:[127.0.0.1]:10024</code>
	</p>

	<p>		
		Enable scanning by ClamAV of amavis' temporary files.
		<code>sudo adduser clamav amavis</code>			
	</p>


	<p>
		This should be it to get amavis working. 		
		If emails are picked up by amavis and 
		passed back to postfix then it looks okay.
		Next is to uncomment the anti virus and anti spam lines
		in 
		<code>sudo vi 15-content_filter_mode</code>		
		<code>@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);</code>
		But do that after the next section (SpamAssassin).		
	</p>
	<p>	
		When things are working we will turn down logging level,
		and start bouncing/discarding spam.
		<code>sudo vi /etc/amavis/conf.d/50-user</code>		
		<code>@local_domains_acl = qw(.);
$log_level = 1;
$syslog_priority = 'info';
$sa_kill_level_deflt = 8.0; # triggers spam evasive actions

<span class="comment">#$final_spam_destiny       = D_PASS;</span>
$final_spam_destiny       = D_DISCARD;</code>

	</p>
	<h6><a href="#top">Return to top</a>.</h6>

	<a name="config-adv-spam"></a>
	<h4>Anti-Spam</h4>
	<h5>SpamAssassin</h5>

	<p>		
		The default config of spam assassin is okay.
		You could refer to <a href="edition5.html#spam">previous edition</a>
		for more configuration options.
	</p>
	<p>	
		You do need to tell SpamAssassin to start <i>spamd</i> on boot.
		<code>vi /etc/default/spamassassin</code>
		<code>ENABLED=1</code>

	</p>
	<p>	
		One configuration option you could tweak is to enable Bayes and auto learning.	
		<code>vi /etc/spamassassin/local.cf</code>
	</p>


	<h6><a href="#top">Return to top</a>.</h6>
	<br />

	<a name="config-adv-virus"></a>
	<h4>Anti Virus</h4>
	<h5>ClamAV</h5>
	<p>

		ClamAV does not need setting up. 
		Configuration files are in <b><i>/etc/clamav</i></b>,
		but they are automatically generated, so do not edit.
	</p>
	<p>
		By default <b><i>freshclam</i></b>, the daemon that
		updates the virus definition database, is run 24 times a day.
		That seems a little excessive, so I tend to set that to once a day.
		<code>sudo dpkg-reconfigure clamav-freshclam</code>
	</p>
	<p>

		If needed, this will redefine the configuration with a lot of questions.
		Not needed unless you need to configure.
		<code>sudo dpkg-reconfigure clamav-base</code>
	</p>
	<h6><a href="#top">Return to top</a>.</h6>



	<a name="config-adv-policy"></a>
	<h5>Postgrey</h5>

	<p>		
		The default config of postgrey is okay.
		However you need to tell Postfix to use it.
		<code>sudo vi /etc/postfix/main.cf</code>
		And then edit the recipient restrictions:
		<code>smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated,
		reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, 
		check_policy_service inet:127.0.0.1:60000, permit</code>	
	</p>
	<p>
		You can tweak whitelisting in <b><i>/etc/postgrey</i></b>.
		You can tweak postgrey configuration by tweaking <b><i>/etc/default/postgrey</i></b>.
		E.g. delay, auto whitelisting, or reject message.
	</p>

	<h6><a href="#top">Return to top</a>.</h6>


	<div class="note">
	<p>	
		You now have an advanced mail server.
		You can use this, but I'd recommend continuing.
		However this is a good point to <a href="#test">test</a> the set up so far
		and to insert some <a href="#data">data</a> in the db.
	</p>	
	</div>

	<div class="note">
	<p>	
		I've created an EC2 bundle for this stage:
		<a href="#ec2_ami">flurdy-amis/ubuntu-mail-server-spam</a>.
	</p>
	</div>


</div>
<h6><a href="#top">Return to top</a>.</h6>



<br />
<br />

<div class="section">



	<a name="config-secure"></a>
	<h4>Secure mail server</h4>
	<p>
		Stopping hackers, phishers, spammers, your boss and your neighbour from
		accessing your server or the traffic in between is important,
		and easily done.
	</p>

	<a name="config-secure-auth"></a>
	<a name="config-secure-sasl"></a>
	<h3>Authentication</h3>

	<p>	
		Normal email traffic between clients and servers is in open plain text.
		That includes passwords and content of emails.
	</p>	
	<h5>SASL</h5>	
	<p>		
		Please refer to <a href="edition5.html#conf_auth">previous edition</a>
		for more detail.
	</p>
	<p>	
		SASL secures the actual authentication (login),
		by encoding the passwords so that they cannot be easily intercepted.
		The rest of the email is however in clear plain text.
	</p>

	<p>	
		<i>This is a section I will revisit for the next edition!</i>
	</p>


	<a name="config-secure-tsl"></a>		
	<a name="config-secure-crypt"></a>	
	<h3>Encryption</h3>
	<h5>TLS</h5>
	<p>		
		Encrypting the traffic stops anyone else listening in on your email communications,
		and is highly recommended. There are different types of communication to encrypt:
		the data traffic between your email applications and the server when you read emails 
		or when you send emails, 
		and communication between other email servers and your server.
	</p>

	<p>	
		For the encryption of reading emails, it is Courier you need to configure.
		For sending, and for encryption between servers, it is Postfix.
	</p>
	<h5>TLS in Postfix</h5>
	<p>	
		To encrypt you need certificates. Ubuntu creates some for you, which you can use
		while setting up the server. However before you go live, 
		it is recommended to create your own with your proper domain name etc.
		Please refer to <a href="edition5.html#conf_tls">previous edition</a>
		for more detail.
	</p>
	<p>	
		<code>vi /etc/postfix/main.cf</code>

		There are already some TLS settings in the default debian/ubuntu version of this file.
		I moved these to the end, for clarity, but that is up to you.
		<code># TLS parameters
#smtp_use_tls = no
smtp_tls_security_level = may
#smtpd_use_tls=yes
smtpd_tls_security_level = may
#smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache</code>
	</p>
	<p>	
		Next we have a look at the master.cf file.
		<code>vi /etc/postfix/master.cf</code>
		By default only the normal smtp service is enabled,
		which is fine. 
		But I prefer to enable <i>submission</i> (port 587), 
		so that clients can use it, and I can restrict them to TLS only.
		I also enable the <i>smtps</i> service (port 465),
		for compatibility with some older clients (Outlook Express etc).
	</p>

	<code>submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
# if you do not want to restrict it to encryption only, comment out the next line
  -o smtpd_tls_auth_only=yes
# -o smtpd_tls_security_level=encrypt
#  -o header_checks=
#  -o body_checks=
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
# -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes 
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
#  -o milter_macro_daemon_name=ORIGINATING</code>
	<h5>TLS in Courier</h5>	
	<p>	
		Again Ubuntu has created a certificate for you, but if you want to create your own,
		especially for a properly named server, then do this.
		<code>cd /etc/courier
# 2048-bit key: 1024-bit RSA is too weak for current use
openssl req -x509 -newkey rsa:2048 -keyout imapd.pem \
  -out imapd.pem -nodes -days 999</code>
  		For more details <a href="edition5.html#conf_tls">review last edition</a>.
	</p>

	<p>	
		Then you need to edit
		<code>vi /etc/courier/imapd-ssl</code>
		By default Ubuntu already points to your certificate
		<code>TLS_CERTFILE=/etc/courier/imapd.pem</code>
		Modify this if needed.
	</p>
	<p>
		Also, if you want to restrict IMAP users to SSL/TLS only, toggle this setting to 1.
		<code>IMAP_TLS_REQUIRED=1</code>

	</p>

<br />
<br />

	<p>	
		For maximum compatibility it is not wise to restrict the traffic between servers to TLS only, as this means not all valid emails sent by others can reach your server.
		However, giving them the option to encrypt is a good idea.
	</p>
	<p>		
		Be aware that the emails are not encrypted on your machine, nor on the server.
		For this type of client encryption, please refer to <a href="edition5.html#app">previous edition</a>
		for more on GnuPG.
	</p>

	<p>	
		In some situations SASL and TLS do not play well together.
		Those situations are combinations of storing encrypted passwords
		and using MD5 authentication over encrypted traffic.
		I recommend insisting on TLS traffic with your authenticating clients,
		which then negates the need for SASL.
	</p>

	<div class="note">
	<p>	
		You now have an advanced secure mail server.
		Now is another good point to <a href="#test">test</a> the set up so far
		and to insert some <a href="#data">data</a> in the db.
	</p>	
	</div>

	<div class="note">
	<p>	
		I've created an EC2 bundle for this stage:
		<a href="#ec2_ami">flurdy-amis/ubuntu-mail-server-secure</a>.
	</p>
	</div>


</div>
<h6><a href="#top">Return to top</a>.</h6>
<br />
<br />

<div class="section">

	<a name="config-extra-webmail"></a>
	<h3>Webmail</h3>
	<p>	
		Using among others the <a href="https://help.ubuntu.com/community/Squirrelmail">https://help.ubuntu.com/community/Squirrelmail</a>
		as an updated reference.	
	</p>

	<h5>Enable web access</h5>

	<p>
		You may need to enable web access in the firewall.
		Check the <a href="#conf_firewall">firewall configuration</a> if this is necessary.
	</p>
	<p>
		You need to copy a SquirrelMail configuration to apache.
		<code>sudo cp /etc/squirrelmail/apache.conf /etc/apache2/sites-available/squirrelmail</code>	
		And enable with this:
		<code>sudo ln -s /etc/apache2/sites-available/squirrelmail /etc/apache2/sites-enabled/500-squirrelmail</code>

		Or as Florent recommends, use: 
		<code>sudo a2ensite squirrelmail</code>
	</p>
	<p>
		You may accept the default apache configuration where squirrelmail is a folder in all sites. But I prefer virtual hosting. You don't need to do these next steps, though.
		<code>sudo vi /etc/apache2/sites-available/squirrelmail</code>
		Comment out the alias.
		<code><span class="comment"># alias /squirrelmail /usr/share/squirrelmail</span></code>
		Uncomment the virtual settings,
		and insert your server's name.
		<code><span class="comment"># users will prefer a simple URL like http://webmail.example.com</span>

&lt;VirtualHost *&gt;
  DocumentRoot /usr/share/squirrelmail  
  ServerName <i>webmail.example.com</i>
&lt;/VirtualHost&gt;</code>
		If you have SSL enabled in apache, then you can also 
		uncomment the mod_rewrite section for further security.
	</p>
	<p>
		Reload apache to activate changes.
		First test if ok.
		<code>sudo apache2ctl -t</code>
		Then reload it.
		<code>sudo /etc/init.d/apache2 reload</code>

	</p>	
	<p>
		You can now go to <b><i>yourdomain.com/squirrelmail/</i></b>
		or <b><i>mail.yourdomain.com</i></b> if you chose virtual host.
		This should show a SquirrelMail page.
		Logging in won't work yet though.
	</p>

	<h5>	
		Start configuring squirrel mail.
	</h5>

	<code>sudo squirrelmail-configure</code>
	<p>
		Initially change nothing. You can customize more afterwards.
		You can browse, and exit sub menus by typing <b><i>R</i></b>.
	</p>
	<p>	
		Type <b><i>2</i></b> to edit server settings.
		Type <b><i>A</i></b> to edit IMAP settings.
	</p>

	<p>			
		Type <b><i>8</i></b> to edit server software.
		Enter courier.
		<code>courier</code>
	</p>
	<p>	
		Now they say using TLS over localhost is a waste of time.
		But I do anyway.
		Type <b><i>7</i></b> to edit secure IMAP.
		Type <code>Y</code> to enable it.
	</p>

	<p>		
		Type <b><i>5</i></b> to edit IMAP port.
		Enter <code>993</code>
	</p>
	<p>	
		Type <b><i>S</i></b> to save your changes.
		Hit <b><i>Enter</i></b>.
	</p>

	<p>	
		Type <b><i>Q</i></b> to exit.
	</p>
	<p>
		You can now go to <b><i>yourdomain.com/squirrelmail/</i></b>
		or <b><i>mail.yourdomain.com</i></b> if you chose virtual host.
		This should show a squirrel mail page.
		Logging in will now work. 
		<i>(Except you may not have defined users yet; check the <a href="#data">data</a>
		section. And they may not have received an email, which also means
		you cannot view any IMAP info.)</i>
	</p>

	<p>		
		Please refer to <a href="edition5.html#conf_web">previous edition</a>
		for more detail. E.g. creating address books and user preferences.
	</p>
	<h6><a href="#top">Return to top</a>.</h6>


	<a name="config-extra-admin"></a>
	<h3>Administration</h3>
	<h5>Enable web access</h5>
	<p>
		You may need to enable web access in the firewall.
		Check the <a href="#conf_firewall">firewall configuration</a> if this is necessary.
	</p>

	<p>
		You need to copy a phpMyAdmin configuration to apache.
		<code>sudo cp /etc/phpmyadmin/apache.conf /etc/apache2/sites-available/phpmyadmin</code>	
		And enable with this:
		<code>sudo ln -s /etc/apache2/sites-available/phpmyadmin /etc/apache2/sites-enabled/400-phpmyadmin</code>
		Or as Florent recommends, use: 
		<code>sudo a2ensite phpmyadmin</code>
	</p>
	<p>

		You may choose to restrict phpMyAdmin to a specific virtual host.
		If so, you need to edit
		<code>sudo vi /etc/apache2/sites-available/phpmyadmin</code>
		and comment out the alias,
		and insert the alias into a virtual host configuration.
		For this example we are not.
	</p>			
	<p>
		Reload apache to activate changes.
		First test if ok.
		<code>sudo apache2ctl -t</code>
		Then reload it.
		<code>sudo /etc/init.d/apache2 reload</code>
	</p>	
	<p>

		You can now go to <b><i>http://yourdomain.com/phpmyadmin/</i></b>,
		and login with the <b><i>mail</i></b> user. 
		You can use it as it is, but I recommend securing it a bit more.
	</p>
	<p>
		One simple way is adding apache's .htaccess login requirement.
	</p>	
	<p>
		Further restrictions can be restricting to a specific virtual host,
		or renaming the folder. Purely obfuscating, but simple.
	</p>

	<p>		
		Or using the example in the webmail section, 
		and adding SSL requirement to the connection.
		Or disable mysql root's access via phpMyAdmin.
	</p>
	<p>		
		Please refer to <a href="edition5.html#conf_admin">previous edition</a>
		for example on htaccess, and mysql user restriction.
	</p>

	<div class="note">
	<p>	
		You now have a finished mail server.
		This is as far as the main guide goes.
		Hope it was clear enough to follow. 
	</p>

	<p>	
		Now it is time to insert <a href="#data">data</a>,
		and to <a href="#test">test</a> how it works.
	</p>
	<p>
		Feel free to <a href="#extend">extend it</a> with my suggestions further down.
	</p>	
	</div>

	<div class="note">
	<p>	
		I've created an EC2 bundle for this stage:
		<a href="#ec2_ami">flurdy-amis/ubuntu-mail-server-webmail</a>.
	</p>
	</div>


</div>

<h6><a href="#top">Return to top</a>.</h6>





<a name="data"></a>
<h2>Data</h2>
<div class="section">

	<ul>
		<li><p><a href="#data_add">Add users and domains</a></p>

			<ul>
				<li><p>Required domains and users</p></li>
				<li><p>Example domains and users</p></li>
				<li><p>Adding template</p></li>
			</ul>
		</li>
		<li><p><a href="#data_common">Common SQL</a></p></li>

	</ul>

		<a name="data_add"></a>
		<h3>Add users and domains</h3>
			<p>
				So we've got a fully set up mail server...
				Well no, there are no users, no domains, no nothing!
			</p>
			<p>
				Okay, first you need to add some default data, 
				some of which is required, some of which makes sense.
			</p>

			<p>
				Then we'll add your own users and domains.
			</p>

		<h4>Required domains and users</h4>	

		<p>First the required domains for local mail</p>

		<code><span class="comment"># Use phpMyAdmin or command line mysql</span>
INSERT INTO domains (domain) VALUES
	('localhost'),
	('localhost.localdomain');</code>

		<p>

			Then some default aliases.
			Some people say these are not needed, but I'd include them.
		</p>

		<code>INSERT INTO aliases (mail,destination) VALUES
	('postmaster@localhost','root@localhost'),
	('sysadmin@localhost','root@localhost'),
	('webmaster@localhost','root@localhost'),
	('abuse@localhost','root@localhost'),
	('root@localhost','root@localhost'),
	('@localhost','root@localhost'),
	('@localhost.localdomain','@localhost');</code>

		<p>Then a root user.</p>

		<code>INSERT INTO users (id,name,maildir,crypt) VALUES 
	('root@localhost','root','root/', encrypt('<i>apassword</i>') );</code>




		<h4>Domains and users</h4>
		<p>
			Now let's add some proper data.
		</p>
		<p>	
			Say you want this machine to handle data for the fictional domains
			of <i>"blobber.org"</i>, <i>"whopper.nu"</i> and <i>"lala.com"</i>. 
		</p>

		<p>
			Then say this machine's name is <i>"mail.blobber.org"</i>. 
		</p>
		<p>
			All email to <i>lala.com</i> is to be forwarded to <i>whopper.nu</i>.
		</p>

		<code>INSERT INTO domains (domain) VALUES
	('blobber.org'),
	('mail.blobber.org'),
	('whopper.nu'),
	('lala.com');

INSERT INTO aliases (mail,destination) VALUES
	('@lala.com','@whopper.nu'),
	('@mail.blobber.org','@blobber.org'),
	('postmaster@whopper.nu','postmaster@localhost'),
	('abuse@whopper.nu','abuse@localhost'),
	('postmaster@blobber.org','postmaster@localhost'),
	('abuse@blobber.org','abuse@localhost');</code>

		<p>
			You also have two users called <i>"Xandros"</i> and <i>"Vivita"</i>.
		</p>
		<code>INSERT INTO users (id,name,maildir,crypt) VALUES 
	('xandros@blobber.org','xandros','xandros/', encrypt('<i>apassword</i>') ),
	('vivita@blobber.org','vivita','vivita/', encrypt('<i>anotherpassword</i>') );

INSERT INTO aliases (mail,destination) VALUES
	('xandros@blobber.org','xandros@blobber.org'),
	('vivita@blobber.org','vivita@blobber.org');</code>

		<p>
			You want all mail for <i>whopper.nu</i> to go to <i>xandros</i> (catchall).
		</p>
		<code>INSERT INTO aliases (mail,destination) VALUES
		('@whopper.nu','xandros@blobber.org');</code>

		<p>

			There is also a <i>"Karl"</i> user, but he wants all mail forwarded
			to an external account.
		</p>		
	<code>INSERT INTO aliases (mail,destination) VALUES
	('karl@blobber.org',<i>'karl.vovianda@gmail.com'</i>);</code>

		<p>
			So what does each of these lines actually do?
			Well, the domains are pretty straightforward.
		</p>
		<p>

			The users are as well; each requires four fields.
			ID is the email address of the user, and also its username
			when logging in, described later on.
			NAME is an optional description of the user.
			MAILDIR is the name of the folder inside <b>/var/spool/mail/virtual</b>.
			It must end in a /, otherwise it won't be used as a unix maildir format.
			CRYPT is the encrypted text password to use.
		</p>
		<p>
			The aliases are the interesting part.
			Let's start from a top-down view to see how emails get delivered:
		</p>
		<p>
			Say an email arrives addressed to <i>"john@whopper.nu"</i>. 
		</p>
		<ul>

			<li><p>
				Postfix looks up domains and sees that <i>whopper.nu</i> is a domain it listens to.
			</p></li>
			<li><p> 
				Postfix then looks up aliases and searches for a row where the mail field matches <i>"john@whopper.nu"</i>.
			</p></li>
			<li><p> 
				None does, so it next searches for <i>"@whopper.nu"</i>, 
				which is the way to specify a catchall for all others in that domain.
			</p></li>

			<li><p> 
				It finds one row and its destination is <i>"xandros@blobber.org"</i>.
			</p></li>
			<li><p> 
				It then searches for <i>"xandros@blobber.org"</i> 
				and finds one, whose destination is the same as the mail,
				therefore it is the final destination. 
			</p></li>
			<li><p> 
				It then tries to deliver this mail. The lookup says <i>blobber.org</i>
				is a local mail domain, so it looks up users for a matching id and delivers it
				to its maildir.
			</p></li>
		</ul>	


		<p>
				Let's try <i>"julian.whippit@lala.com"</i>. 
		</p>		
		<ul>		
			<li><p> 
				Postfix looks up domains and it is a domain it listens to.
			</p></li>
			<li><p> 
				First lookup does not find this user,
				but the next finds the catchall <i>"@lala.com"</i>.
				But its destination is another catchall, <i>"@blobber.org"</i>. 
			</p></li>

			<li><p> 
				This means Postfix will look for <i>"julian.whippit@blobber.org"</i>.
				This address is not found either, nor is a catchall for <i>blobber.org</i>.
				Therefore this address is not valid and the message will be bounced.
			</p></li>
		</ul>	

			<p>
				Any mail arriving for <i>"karl@blobber.org"</i> or <i>"karl@lala.com"</i>
				gets forwarded to an external address of <i>"karl.vovianda@gmail.com"</i>.
				So forwarding is simple. I tend to use a subdomain for all my friends'
				addresses, as I easily forget what their real addresses
				are, and I use different email clients all the time.
			</p>
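			<p>
				An added example, not part of the original guide: a simplified model of the lookup order walked through above,
				run over a subset of the rows inserted in this section (constructed as Python tables).
				It is not Postfix's own code; the function names are made up for the illustration, and it also shows what happens when two aliases point at each other.
			</p>

```python
"""Simplified model of the alias lookup order described above:
exact address first, then the @domain catchall, repeated until an
address maps to itself or nothing matches."""

# Constructed sample: a subset of the rows inserted in this section.
DOMAINS = {"localhost", "blobber.org", "mail.blobber.org", "whopper.nu"}
ALIASES = {
    "@mail.blobber.org": "@blobber.org",
    "@whopper.nu": "xandros@blobber.org",
    "postmaster@whopper.nu": "postmaster@localhost",
    "postmaster@localhost": "root@localhost",
    "root@localhost": "root@localhost",
    "xandros@blobber.org": "xandros@blobber.org",
    "vivita@blobber.org": "vivita@blobber.org",
    "karl@blobber.org": "karl.vovianda@gmail.com",
}
USERS = {  # id -> maildir
    "root@localhost": "root/",
    "xandros@blobber.org": "xandros/",
    "vivita@blobber.org": "vivita/",
}


def domain_of(address):
    return address.rpartition("@")[2]


def lookup(address, aliases):
    """One alias lookup: the exact row first, then the domain catchall."""
    local, _, domain = address.rpartition("@")
    dest = aliases.get(address)
    if dest is None:
        dest = aliases.get("@" + domain)
    if dest is not None and dest.startswith("@"):
        dest = local + dest  # a domain-to-domain row keeps the local part
    return dest


def resolve(address, domains=DOMAINS, aliases=ALIASES, users=USERS):
    """Return (outcome, target, path) for one recipient address."""
    current = address.strip().lower()
    path = [current]
    if domain_of(current) not in domains:
        return ("rejected", current, path)      # not a domain we listen to
    while True:
        nxt = lookup(current, aliases)
        if nxt is None or nxt == current:
            break                               # final destination reached
        if nxt in path:
            return ("loop", nxt, path)          # aliases point in a circle
        path.append(nxt)
        current = nxt
        if domain_of(current) not in domains:
            return ("forward", current, path)   # leaves this server
    if current in users:
        return ("deliver", users[current], path)
    return ("bounce", current, path)            # hosted domain, no mailbox


if __name__ == "__main__":
    for rcpt in ("john@whopper.nu", "postmaster@whopper.nu",
                 "karl@blobber.org", "nobody@mail.blobber.org"):
        outcome, target, path = resolve(rcpt)
        print(f"{rcpt:26} {outcome:8} {target:26} via {' -> '.join(path)}")
```

			<p>
				Note how <i>postmaster@whopper.nu</i> follows its own row rather than the <i>@whopper.nu</i> catchall, because the exact match is tried first.
			</p>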


			<p>
				I also added the required aliases of postmaster and abuse to 
				<i>blobber.org</i> and <i>whopper.nu</i>. 
				The catchall for <i>lala.com</i> means they are not required for that domain.<br/>
				<!-- You can add them though if you do not want <i>xandros</i>
				to get the admin emails. -->
				Another useful alias to add is <i>root</i>, 
				as often you get admin mail from e.g cron jobs within
				those domains etc.
				Other often used aliases are <i>info, sysadmin, support, sales,
				webmaster, mail, contact</i> and <i>all</i>.
				But they are also honeypots for spam, 
				so just include the ones you think you will need.
			</p>

		<h4>Adding template</h4>
		<p>
			So to add a new domain to the system, you do this, replacing the italics with relevant data:	
		</p>

		<code>INSERT INTO domains (domain) VALUES ('<i>domain.tld</i>');
INSERT INTO aliases (mail,destination) VALUES
	('<i>@domain.tld</i>','<i>email@address</i>'),
	('<i>postmaster@domain.tld</i>','<i>email@address</i>'),
	('<i>abuse@domain.tld</i>','<i>email@address</i>');</code>

		<p>
			And to add a new user to the system, do this:	
		</p>

		<code>INSERT INTO users (id,name,maildir,crypt) VALUES
	('<i>email@address</i>','<i>short description</i>','<i>foldername/</i>',encrypt('<i>password</i>'));
INSERT INTO aliases (mail,destination) VALUES
	('<i>email@address</i>','<i>email@address</i>');</code>

	<h6><a href="#top">Return to top</a>.</h6>


	<a name="data_common"></a>
	<h3>Common SQL</h3>
	<p>
		A selection of useful sql statements, if you are not using an admin/manager program to
		maintain your email domains and users.
	</p>

	<h4>Find domains without a catchall</h4>	
<code><span class="comment">#Remember some might be disabled</span>
SELECT dom.domain 
FROM domains dom
LEFT JOIN aliases al
	ON CONCAT( '@', dom.domain ) = al.mail
WHERE al.mail is null
OR al.enabled = 0
ORDER BY dom.domain ASC
</code>
	<h4>Find aliases for an invalid domain</h4>	
<code>SELECT al.*
FROM aliases al
LEFT JOIN domains dom
	ON dom.domain = SUBSTRING(al.mail,LOCATE('@',al.mail)+1)
WHERE dom.domain is null
OR dom.enabled = 0
ORDER BY al.mail ASC
</code>
	<h4>Find all non local destination aliases</h4>	
<code>SELECT al.*
FROM aliases al
LEFT JOIN domains dom
	ON dom.domain = SUBSTRING(al.destination,LOCATE('@',al.destination)+1)
WHERE dom.domain is null
ORDER BY al.enabled, al.destination ASC, al.mail ASC</code>

	<h4>Find all aliases for a certain domain</h4>	
<code>SELECT al.*
FROM aliases al
WHERE SUBSTRING(al.mail,LOCATE('@',al.mail)+1) = 'domain.tld'
ORDER BY al.enabled, al.mail ASC</code>

<h4>Find all aliases for certain domains, checking if enabled for both domain and alias</h4>	
<code>select * 
from domains d
join aliases a
  on a.mail like concat( '%','@',d.domain)
  and a.enabled = 1
where d.enabled = 1
and d.domain like '%foobar%'
order by d.domain,a.mail</code>

</div>
<h6><a href="#top">Return to top</a>.</h6>






<a name="test"></a>
<h2>Test</h2>
<div class="section">

	<p>		
		Please refer to the <a href="edition5.html#test">previous edition</a>
		for how to test your setup. That edition has an extensive testing section.
		It actually has two test sections!
	</p>

	<p>
		So time to tail, tail and tail again the mail.log and mysql.log,
		which is always a good thing to do now and again even after you got it working,
		as you can quickly see potential new problems.
	</p>

</div>
<h6><a href="#top">Return to top</a>.</h6>







<a name="initialize"></a>
<h2>Initialize</h2>
<div class="section">	

	<p>
		Brief hints on what to check and customize
		if you receive a ready-made machine (or EC2 AMI).		
	</p>
	<ul>
		<li><p>Stop services</p></li>
		<li><p>Restrict firewall</p></li>
		<li><p>Change passwords</p></li>

		<li><p>Check configurations</p></li>
		<li><p>Set machine name</p></li>
		<li><p>Certificates</p></li>
		<li><p>Start and test services</p></li>
		<li><p>Insert data</p></li>
		<li><p>Reload postfix</p></li>

		<li><p>Open firewall</p></li>		
		<li><p>Test</p></li>
	</ul>

	<h4>Stop services</h4>
	<p>
		First stop services so they won't accidentally do something.
		<code>sudo /etc/init.d/postfix stop
sudo /etc/init.d/courier-imap-ssl stop
sudo /etc/init.d/courier-imap stop
sudo /etc/init.d/courier-authdaemon stop
sudo /etc/init.d/mysql stop
sudo /etc/init.d/amavisd stop
sudo /etc/init.d/spamassassin stop	
sudo /etc/init.d/clamav stop</code>
	</p>


	<h4>Restrict firewall</h4>
	<p>
		Check what the firewall rules are.		
		<code>vi /etc/shorewall/rules</code>
		Refer to the <a href="#conf_firewall">firewall settings</a>.
		Restrict to just SSH access for now.
	</p>

	<h4>Change passwords</h4>
	<p>	
		Next the passwords need to be changed,
		for both the system and mysql.
	</p>

	<h5>System passwords</h5>
	<p>
		Check which users are defined on the system.
		<code>cat /etc/passwd</code>
		Apart from all the system ones, 
		there should probably be none (if EC2 AMI) or 
		just your user if it is a standard Ubuntu install.
		If there are some users, you need to change
		their passwords.
	</p>	
	<h5>SSH Access</h5>
	<p>
		Next we check who has SSH access.
		If there were any users defined,
		check their home folders for ssh keys.
		<code>cat /home/<i>username</i>/.ssh/auth*</code>

		Remove any you do not expect to be there.
		Next check if and which specific users have been defined 
		for SSH access in
		<code>vi /etc/ssh/sshd_config</code>
		Usually this is fine.
	</p>
	<h5>MySQL passwords</h5>
	<p>
		First you need to change the root mysql user.
		If none has been set do this
		<code>mysqladmin -u root password <i>new_password</i></code>

		Otherwise do this and you will be prompted for the old password
		<code>mysqladmin -u root password <i>new_password</i> -p</code>
	</p>
	<p>	
		Then the default mail user as well. 
		If you know the old password 
		<code>mysqladmin -u mail password <i>new_password</i> -p</code>

		Otherwise log into mysql as root:
		<code>mysql -u root -p</code>
		Enter new root password specified above, then:
		<code>update mysql.user set password=password('<i>apassword</i>') where user='mail';
flush privileges;</code>
		You may	need to revisit the top of <a href="#conf-simple-database">MySQL section</a>
		to re-grant the mail user rights on the database.
	</p>

	<p>
		If you do not know the old root password,
		you have to restart mysql without grant rights. Google it... :)
	</p>
	<p>
		Update postfix mysql configuration files with the new password.
		<code>sudo vi /etc/postfix/mysql*</code>
		<code>password=<i>apassword</i></code>
		Update courier's authmysql file with the new password as well.
		<code>sudo vi /etc/courier/authmysqlrc</code>

		<code>MYSQL_PASSWORD <i>apassword</i></code>
	</p>

	<h4>Check configurations</h4>
	<p>
		You should scan the postfix, courier, etc. configurations
		to check if they match what you expect.
	</p>

	<h4>Set machine name</h4>

	<p>
		Now you need to define your machine name, 
		e.g. something like <i>smtp.yourdomain.com</i>.
		You need to define it in
		<code>sudo vi /etc/mailname</code>
		And then your domain name in
		<code>sudo vi /etc/postfix/main.cf</code>
		under the mydomain setting
		<code>myorigin=<i>yourdomain.com</i></code>

		It could also be smart to check what the unix hostname is specified
		as 
		<code>hostname</code>
		This can be reset by
		<code>sudo hostname <i>smtp.yourdomain.com</i></code>
		Although this does not have to be the same as your postfix mail server name.		
		You may want to specify some hosts in the hosts file as well,
		<code>sudo vi /etc/hosts</code>
		<code>127.0.0.1 localhost.localdomain localhost
127.0.0.1 <i>smtp.yourdomain.com smtp</i></code>

	</p>

	<h4>Certificates</h4>
	<p>
		You could go along with the generated certificates 
		(if they are there, default for Ubuntu).
		Or you could create new ones with the correct machine name in them,
		especially if this is a mail server used by many, and authenticity is important.
		Follow the <a href="#config-secure-tsl">TLS certificate instructions</a> for 
		Postfix and Courier.
	</p>

	<h4>Start and test services.</h4>
	<p>

		Next you need to start your mail services and test them.
		<code>sudo /etc/init.d/mysql start
sudo /etc/init.d/spamassassin start
sudo /etc/init.d/clamav start
sudo /etc/init.d/amavisd start
sudo /etc/init.d/postfix start
sudo /etc/init.d/courier-imap-ssl start
sudo /etc/init.d/courier-imap start
sudo /etc/init.d/courier-authdaemon start</code>
	</p>
	<p>
		So test the services via the <a href="#test">testing section</a>.
	</p>

	<h4>Insert data</h4>
	<p>

		Insert your mail domains, aliases and users using the  <a href="#data">data section</a>.
	</p>
	<p>
		Sometimes there is test data already in the database. Remove it.
		E.g.:
		<code>mysql -u mail -p<i>apassword</i> maildb</code>
		<code>delete from domains where domain = 'bar.com';
delete from aliases where mail = 'foo@bar.com';</code>

	</p>

	<h4>Open firewall</h4>
	<p>	
		Then open up the firewall, follow the world access bit in the <a href="#conf_firewall">firewall configuration</a>.
		Voila. Up and running. Well we hope.
	</p>

</div>
<h6><a href="#top">Return to top</a>.</h6>

<a name="extend"></a>
<h2>Extend</h2>
<div class="section">


	<p>		
		Please refer to <a href="edition5.html#ext">previous edition</a>
		for how and why you can extend this mail server.
	</p>

	<p>
		By now you should have a fully working system.
		No point extending and complicating it until then.
		What next?
		There are many ways to extend the server,
		to create your own powerful customized version.
	</p>
	<ul>
		<li><p><a href="#ext_mx">Remote MX mail backup</a></p></li>
		<li><p><a href="#ext_back">Local file backup</a></p></li>
		<li><p><a href="#ext_spf">Sender ID &amp; SPF</a></p></li>

		<li><p><a href="#ext_pyzor">Spam reporting</a></p></li>
		<li><p><a href="#ext_list">White/Black lists</a></p></li>
		<li><p><a href="#ext_pgp">PGP &amp; S/MIME</a></p></li>
		<li><p><a href="#ext_reloc">Relocation notice</a></p></li>
		<li><p><a href="#ext_pop">Pop-before-SMTP</a></p></li>

		<li><p><a href="#ext_admin">Admin Software</a></p></li>
		<li><p><a href="#ext_reply">Auto Reply</a></p></li>
		<li><p><a href="#ext_block">Block Addresses</a></p></li>
		<li><p><a href="#ext_throttle">Throttle Output</a></p></li>
		<li><p><a href="#ext_mlist">Mail Lists</a></p></li>
		<li><p><a href="#ext_sug">Suggestions?</a></p></li>

	</ul>

	<p>
		Some of these sections can be brief as they 
		are not core to this howto.
	</p>

	<a name="ext_mx"></a>
	<h3>Remote MX mail backup</h3>

		<p>

		With MX backup, losing emails is unlikely.
		</p>
		<p>
		Normally if someone sends an email destined for you,
		their server will try and connect to your server.	
		If it can't reach your server for whatever reason
		(it is down, DNS issues, there are network problems, or it is just too busy),
		the other server will back off and try again in a bit.
		How many times and for how long it will try again is determined
		by the sending server. Some of them are not very patient,
		and will report undelivered after only a few attempts.
		So you would have lost that email.
		</p>
		<p>
			If you had specified a backup MX, 
			this email may not have been lost.
			Upon first failure to connect to your server,
			the sender would see if there is any alternative server
			to send to. So it connects to your backup mx server.
			This server spools and queues your message 
			and will try at intervals to send the message to you.
			It too will though eventually give up.
		</p>
		<p>
			What is the difference?
			Simple: you (or whoever controls the backup mx)
			are in control of how long and how often to try connecting 
			to your machine. 
			So if you have reasonable values and your server
			is not down for weeks, no mail is lost.
		</p>

		<p>
			How to implement it?
			First edit the DNS records again,
			and add a backup mx with a higher value.
		</p>		


	<code><span class="comment"># your server details</span>
<i>domain.tld</i>	IN	MX	10	<i>your.mailserver.name.tld</i>
<span class="comment"># new backup server</span>
<i>domain.tld</i>	IN	MX	20	<i>your.backupserver.name.tld</i></code>


	<p>
		Now presuming the other backup mx is a postfix
		server identical to this, or you are backing up someone else's
		server,
		go into mysql and create this table:
	</p>

	<code>CREATE TABLE `backups` (
	`pkid` smallint(6) NOT NULL auto_increment,
	`domain` varchar(128) NOT NULL default '',
	`transport` varchar(128) NOT NULL default ':[]',
	`enabled` smallint(6) NOT NULL default '1',
	PRIMARY KEY  (`pkid`),
	UNIQUE KEY `domain` (`domain`)
);</code> 

	<p>
		Then still on the backup server,
		edit main.cf and add these:
	</p>

	<code>relay_domains = mysql:/etc/postfix/mysql_backups.cf
transport_maps = mysql:/etc/postfix/mysql_transport.cf</code>

	<p>
		Also add the proxy_interfaces line shown below.
		It should contain your IP address.
		You may choose to have this as the last line in the file,
		as you may use small cron jobs to modify this IP address
		if you don't have a permanent static address.
		Without a static IP address you need some automatic editing of the postfix file.
	</p>

	<code>proxy_interfaces = <i>1.2.3.4</i></code>


		<p>
			If someone comes with a better way, 
			<a href="#contact">then let me know</a>.
		</p>	
		<p>

			Next create this file /etc/postfix/mysql_backups.cf
		</p>	


	<code>user=mail
password=<i>apassword</i>			
dbname=maildb
table=backups		
select_field=domain
where_field=domain
hosts=127.0.0.1
additional_conditions = and enabled = 1</code>

	<p>Next create this file /etc/postfix/mysql_transport.cf</p>

	<code>user=mail
password=<i>apassword</i>			
dbname=maildb
table=backups		
select_field=transport
where_field=domain
hosts=127.0.0.1
additional_conditions = and enabled = 1</code>



		<p>
		You noticed I added a transport lookup.
		This is a field in both the domain and the backup tables.
		In domains it is used to determine how to deliver 
		the email, i.e. either virtual (correct) or local 
		(not used in this howto).
		When backing up servers, you also need to specify
		in the transport field how to connect to the correct servers.
		</p>
		<p>
		Say you are the backup for a friend's server, mail.friend.com,
		for the domains of friend1.com and friend2.com.
			So you should insert this into your backup table.
		</p>


	<code>INSERT INTO backups (domain,transport)
VALUES ('<i>friend1.com</i>' , ':[<i>mail.friend.com</i>]' ),
('<i>friend2.com</i>' , ':[<i>mail.friend.com</i>]' );</code>


		<p>
		The :[] tells Postfix to connect directly to this server,
		not doing any more lookups for valid MX servers.
		</p>
		<p>
			This should now work fine.
			For further tweaking of the queue values,
			review these and modify as appropriate.
			Shorter warning times are good for the sender,
			so that they realise the email has not arrived yet,
			but may also be annoying. Tradeoffs..
			Look in the first <a href="#config_mta">main.cf configurations</a>
			for ways to do so.
		</p>

	<h6><a href="#top">Return to top</a>.</h6>


	<a name="ext_back"></a>
	<h3>Local file backup</h3>
	<p>
		Here is a rough backup script to back up your configurations
		and mail folders.
		You may want to back up the folders separately 
		as they can quickly grow to GBs.
		Adding this to a cronjob automates this process.
		Be aware that you should 
		stop postfix and courier while backing up the 
		mail folders, and that if they have grown large,
		this may take some time.
	</p>

<code>tar czf mail-config.xxxxx.tgz /etc/postfix /etc/courier /etc/spamassassin /etc/clamav /etc/amavis /etc/mysql/my.cnf
tar czf mail-fold.xxxxx.tgz /var/spool/mail/virtual
mysqldump -u mail -p<i>apassword</i> -t maildb &gt; data.sql
mysqldump -u mail -p<i>apassword</i> -d maildb &gt; schema.sql
tar czf mail-data.xxxxx.tgz schema.sql data.sql
tar cf mail.xxxxx.tar mail-*.xxxxx.tgz</code>

	<p>
		You may combine a full backup
		with an intermediate update of only what has changed recently.
	</p>

	<code>tar --newer-mtime "2005-01-01"</code>

	<h6><a href="#top">Return to top</a>.</h6>



	<a name="ext_spf"></a>
	<h3>Sender ID &amp; SPF</h3>

	<p>
		A further security feature is to use Microsoft's
		Sender ID or Pobox's SPF. I'd use SPF, as 
		there is much argument over Sender ID.
	</p>

		<p><a href="http://spf.pobox.com/">spf.pobox.com</a></p>
		<p><a href="http://www.microsoft.com/mscorp/safety/technologies/senderid/">www.microsoft.com/mscorp/safety/technologies/senderid/</a></p>

		<p>
			SPF should limit who can send mail on behalf of your domains, and is an open design.
			I do recommend SPF, with some reservations, detailed below.
		</p>

		<p>
			While Microsoft is not always entirely evil, 
			as sometimes they do nice things and make some useful software,
			I would prefer not to be locked into their Sender ID technology.
		</p>

		<h4>SPF configuration</h4>
		<p>
			The pobox site has some nice SPF generation tools to setup your SPF configuration.
			Probably best to use theirs.
		</p>
		<p>
			But the way I have set mine up is generally one domain with a detailed SPF record, and all other domains with just an SPF alias to it,
			e.g.:
		</p>

		<p>
			Main domain DNS TXT field:
		</p>				
		<code>"v=spf1 a mx a:<i>myserver.example.com</i> include:aspmx.googlemail.com include:gmail.com ~all"</code>
		<p>
			The important elements are:
		</p>				
		<ul>
			<li><p>

				I list the mail servers and websites associated with this domain (the <i>a</i> and <i>mx</i> bit).
			</p></li>
			<li><p>
				I then specifically list the name of a server from which applications may automatically send mail using addresses within this domain.
			</p></li>
			<li><p>
				As you can see I also use Google Apps with this domain, and thus tell SPF to also allow all mail servers associated with Google Mail.
			</p></li>

		</ul>
		<p>
			Then for most of the other domains I would use this DNS TXT field:
		</p>				
		<code>"v=spf1 a mx include:<i>example.com</i> ~all"</code>
		<p>
			The important elements are:
		</p>
		<ul>

			<li><p>
				I list the mail servers and websites associated with this domain
			</p></li>
			<li><p>
				Then I tell SPF to also allow all mail servers associated with my main domain (<i>example.com</i>).
			</p></li>
		</ul>
		<p>
			And for all these I use <b><i>~all</i></b>!<br/>

		</p>
		<p>
			PS. For some domains I have added an even stricter SPF, as these are domains that will never send an email.
		</p>

		<h4>SPF problem</h4>
		<p>
			It is worth noting about SPF that you should leave the decision on whether to reject or allow 
			the email to the mail servers. Therefore using <b>-all</b> instead of <b>~all</b> is not a good choice.
			Leave it to the spam scoring by the receiving server, as SpamAssassin does.
			You then minimise the risk of false positives.
		</p>			
		<p>

			One of the reasons I discourage the use of -all is that SPF has a distinct problem:<br/>
			<b>It does not like email forwarding or use of backup MX!</b>
		</p>			
		<p>			
			Consider this: Your address of <i>lulu@hoopa.com</i> sends a joke email to a few friends.
			One of these is <i>trixie@bellbell.org</i>.<br/>
			Trixie's email address is actually an alias and forwards the email to her private webmail account on <i>hotmailnot.com</i>.
		</p>			
		<p>

			Now suppose your domain, <i>hoopa.com</i>, has a strict SPF set up, which only allows emails to be sent by its mail server,
			and you/the mail admin have added <i>-all</i> to the SPF, which tells other servers to reject emails not from your server.
			This, you think, makes sense: spammers cannot use your domain for spoofed emails.
		</p>			
		<p>
			So what happens: bellbell.org receives the email from lulu, possibly checks the SPF, which is OK, and forwards it on to hotmailnot.com.<br/>
			However, if hotmailnot.com also checks SPF, it will receive the email from bellbell.org and check the SPF to see whether bellbell.org's mail server is allowed to send emails on behalf of hoopa.com. SPF will say No!, and with the -all, the hotmailnot.com email server will reject the email!
		</p>
		<p>

			A 2nd scenario: lulu emails trixie directly at hotmailnot.com, 
			but hotmailnot.com's main mail server was down, and the email was sent to the backup MX server.
			When the main server came online again and the backup spooled the email back to it, 
			the SPF check would again fail, as hoopa.com's SPF would not mention hotmailnot.com's backup MX as an allowed mail server.

		</p>
		<p>
			<b>Solution</b>: <br/>
			Of course you cannot list every possible forwarding / backup MX email server that your domain's users might at some point email!<br/>
			I simply use the ~all option, which simply says it is not the expected server, but probably OK. <br/>
			And if this is added to a scoring by the receiver, then the accumulated spam score might be enough to reject dodgy emails.
		</p>
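		<p>
			The forwarding and backup MX cases above, as an added example that is not part of the original howto:
			a small Python evaluator for the SPF terms used on this page (a, mx, a:host, include and all, plus ip4),
			run over constructed DNS data. The IP addresses, the apps.hoopa.com and hoopa.net names and the record contents are assumptions.
		</p>

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def make_dns(hoopa_all):
    """Constructed zone data for the scenario; the IPs are documentation ranges."""
    return {
        "TXT": {
            # Detailed record on the main domain, ending in -all or ~all.
            "hoopa.com": f"v=spf1 a mx a:apps.hoopa.com {hoopa_all}",
            # Hypothetical second domain using the "SPF alias" pattern.
            "hoopa.net": "v=spf1 a mx include:hoopa.com ~all",
        },
        "A": {
            "hoopa.com": ["192.0.2.10"],
            "mail.hoopa.com": ["192.0.2.10"],
            "apps.hoopa.com": ["192.0.2.11"],
        },
        "MX": {"hoopa.com": ["mail.hoopa.com"]},
    }


def check_host(ip, domain, dns, depth=0):
    """Evaluate the SPF record of `domain` for the connecting address `ip`."""
    if depth > 10:  # simple guard against include loops
        return "permerror"
    record = dns["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        target = arg or domain
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in dns["A"].get(target, [])
        elif name == "mx":
            hosts = dns["MX"].get(target, [])
            matched = any(ip in dns["A"].get(h, []) for h in hosts)
        elif name == "ip4":
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ipaddress.ip_address(ip) in net
        elif name == "include":
            # include matches only when the included record says "pass";
            # an inner fail or softfail falls through to the next term.
            inner = check_host(ip, arg, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # terms outside this subset are not guessed at
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


# A forwarder or backup MX relays the mail with the envelope sender unchanged,
# so the final receiver still evaluates hoopa.com's record, but against the
# relay's IP address.
SENDER_DOMAIN = "hoopa.com"
HOPS = {
    "hoopa.com server -> bellbell.org": "192.0.2.10",
    "bellbell.org forward -> hotmailnot.com": "198.51.100.20",
    "hotmailnot.com backup MX -> primary": "203.0.113.30",
}


def receiver_action(result):
    """Receiver policy as described on this page: fail rejects, softfail scores."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept, add to spam score"
    return "accept"


def run_scenario(hoopa_all):
    """SPF result at each hop when hoopa.com publishes the given 'all' term."""
    dns = make_dns(hoopa_all)
    return {hop: check_host(ip, SENDER_DOMAIN, dns) for hop, ip in HOPS.items()}


if __name__ == "__main__":
    for policy in ("-all", "~all"):
        print(f"hoopa.com publishes {policy}")
        for hop, result in run_scenario(policy).items():
            print(f"  {hop}: {result} -> {receiver_action(result)}")
```

		<p>
			For the aliased domain, an address that fails the included hoopa.com record does not fail outright:
			the include simply does not match, and the alias domain's own ~all decides the result.
		</p>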


	<h6><a href="#top">Return to top</a>.</h6>


	<a name="ext_pyzor"></a>
	<h3>Spam reporting</h3>
	<h6 class="red">todo</h6>	

		<p>
			Reporting spam to Pyzor, Razor and SpamCop, 
			for collaboration in spam fighting.
		</p><p>
			More detail on <a href="http://www.spamcop.net/">SpamCop is here</a>.
		</p><p>

			http://pyzor.sourceforge.net/
		</p><p>
			http://razor.sourceforge.net/
		</p>


	<h6><a href="#top">Return to top</a>.</h6>


	<a name="ext_list"></a>
	<h3>White/Black Lists</h3>

	<h6 class="red">todo</h6>	

		<p>
			You can implement white and black lists
			to explicitly allow or block domains and users.
		</p>
		<p>
			You have already visited the option
			of a <a href="#config-simple-mta">blackhole list of known open relays</a> 
			in the postfix configuration.
		</p>
		<p>

			You can implement further lists inside Postfix or SpamAssassin.
			Amavisd-new already has a few well known white/black listed items
			in its config files.
			SpamAssassin also has a feature to automatically learn white lists.
		</p>

	<h6><a href="#top">Return to top</a>.</h6>


	<a name="ext_pgp"></a>
	<h3>PGP &amp; S/MIME</h3>

		<p>
			Adding support for GnuPG and S/MIME increases
			individual security.
		</p>
		<p>
			This is not implemented on the postfix server side,
			as this is totally a client side option.
		</p>
		<p>
			However SquirrelMail has a GnuPG option.
			It is a plugin that can be downloaded from their website,
			which can then be enabled via SquirrelMail's
			config script.
		</p>


		<p>
			Here is how to create a GnuPG key pair.
		</p>

	<code><span class="comment"># check you have not already got a key</span>
gpg --list-keys
<span class="comment"># then create one</span>
gpg --gen-key</code>


		<p>
			To import GnuPG into Evolution,
			in your settings/preferences
			edit your account settings and 
			add your private key under the security tab.
			The private key is found by listing the GnuPG
			keys as above; it is the 8 characters
			after the "sub 1024g/" bit of your key.
		</p>

		<p>
			To use GnuPG with	Thunderbird
			you need to install 
			<a href="http://www.mozdev.org">EnigMail</a>.
		</p>
		<p>
			S/MIME is another way to encrypt and/or sign messages.
			You can create your own certificate
			or use known organizations like 
			<a href="http://www.thawte.com">Thawte</a>.
			(Thawte was originally set up by the Ubuntu founder)
		</p>


	<h6><a href="#top">Return to top</a>.</h6>


	<a name="ext_reloc"></a>
	<h3>Relocation notice</h3>
	<p>
		If people change addresses,
		a bounce message stating so,
		returned when people send email to the old address,
		is quite useful.
		To implement this in postfix, 
		first create a lookup table in the database.
	</p>
	<code>CREATE TABLE `relocated` (
`pkid` smallint(6) NOT NULL auto_increment,
`oldadr` varchar(128) NOT NULL default '',
`newadr` varchar(128) NOT NULL default '',
`enabled` tinyint(1) NOT NULL default '1',
PRIMARY KEY  (`pkid`),
UNIQUE KEY `oldadr` (`oldadr`)
) ;</code>

	<p>Then add this to /etc/postfix/main.cf</p>

	<code>relocated_maps = mysql:/etc/postfix/mysql_relocated.cf</code>

	<p>Then create this file /etc/postfix/mysql_relocated.cf</p>

	<code>user=mail
password=<i>apassword</i>			
dbname=maildb
table=relocated		
select_field=newadr
where_field=oldadr
hosts=127.0.0.1</code>

	<p>
			Then if pete@domain1.com has changed address to 
			pete.jones@another.org:
	</p>

	<code>INSERT INTO relocated (oldadr,newadr) VALUES
('<i>pete@domain1.com</i>','<i>pete.jones@another.org</i>');</code>

	<p>
		If anyone sends an email to pete@domain1.com,
		they will get a message back stating he has changed address
		to pete.jones@another.org.
	</p>

	<h6><a href="#top">Return to top</a>.</h6>


	<a name="ext_pop"></a>
	<h3>Pop-before-SMTP</h3>
	<p>
		If SASL didn't work, or you are using clients which
		don't support it, then Pop-Before-SMTP is an easy way
		around that issue, so that people externally can
		still securely send mail via your server.
	</p>
	<p>
		Refer to my 
		<a href="edition2.html#send">2nd edition</a>

		on Pop-before-SMTP	setup.
	</p>
	<h6><a href="#top">Return to top</a>.</h6>


	<a name="ext_admin"></a>
	<h3>Admin software</h3>
	<h6 class="red">todo</h6>	
	<p>

		Trying out some admin software might make your life
		easier, if phpMyAdmin gets too crude.
		<a href="http://www.google.com/search?q=postfix+admin">Quick search</a>
		</p>
		<p>More to come later.</p>
	<h6><a href="#top">Return to top</a>.</h6>


	<a name="ext_reply"></a>
	<h3>Auto Reply</h3>

	<h6 class="red">todo</h6>	
		<p>
			Postfix now has features to auto reply to an email,
			while still delivering it to its alias.
		</p>
		<p>

		</p>
	<h6><a href="#top">Return to top</a>.</h6>


	<a name="ext_block"></a>
	<h3>Block Addresses</h3>
		<p>
		If you use catch-alls, 
		which are useful for some domains,
		then eventually some addresses will become targets for spam.
		You can then either stop the catch-all,
		or stop individual addresses.
		</p>
		<p>
			Implementing a lookup 
			and adding this restriction to smtpd_recipient_restrictions
			accomplishes this.
		</p>	
	<code>check_recipient_access mysql:/etc/postfix/mysql_block_recip.cf,</code>


	<code>smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
	check_recipient_access mysql:/etc/postfix/mysql_block_recip.cf,
	reject_non_fqdn_recipient, reject_unauth_destination,
	check_relay_domains</code>

	<p>
		Beware that the order is important here: if any option says OK before check_recipient_access is reached, the lookup will be ignored.
		</p>
		<p>
			Next create mysql_block_recip.cf to look up addresses.
			Either create another table, 
			or add a blocked field to the aliases table.
		</p>

	<h6><a href="#top">Return to top</a>.</h6>


	<a name="ext_throttle"></a>
	<h3>Throttle Output</h3>
	<h6 class="red">todo</h6>	
	<p>
		For some users with restrictions on bandwidth,
		you may wish to control how much mail is sent out.
		Postfix has long refused to implement these features,
		out of ideological beliefs that mail servers should
		not be restricted.
		However there are some ways around this.
		More to come later.
	</p>
	<h6><a href="#top">Return to top</a>.</h6>


	<a name="ext_mlist"></a>
	<h3>Mail Lists</h3>
	<p>
		<p>	
			Rich Brown has written a howto on adding Mailman,
			a mail list program, to my howto.			
			<a href="http://freemars.org/howto/mailman.html">Click here</a> to read it.
		</p>	
		<p>	
			Do note it is not part of my howto,
			so do not contact me regarding it.
			And although I think it is fine,
			I can't guarantee it will work.
		</p>	
		<p>

			If you do need assistance or need to talk about it,
			contact Rich via 
			 <a href="http://freemars.org/howto/mailman.html">his howto</a>
			 or use the 
			<a href="#contact">forums</a> 
			for this howto.
		</p>	
	</p>
	<p>
			If you want a simple mailing list,
			it can be implemented 
			by simply separating aliases in the
			destination field in the aliases table with a comma.
	</p>

	<code>INSERT INTO aliases (mail,destination) VALUES
( 'listof@domain.com' , 'john@ppp.com,vic@domain.com,jj@somewhere.tld' );</code>
	<h6><a href="#top">Return to top</a>.</h6>


	<a name="ext_gmail"></a>
	<h3>Google Apps / GMail</h3>
	<p><i>Currently writing this one...</i></p>

	<p>
		I have for various reasons integrated some Google Apps hosted
		domains into my mail server. And you can still have good control
		over the addresses by using your server with Google Apps.
	</p>
	<p>
		More information on <a href="http://www.google.com/a/">Google Apps</a>.
	</p>
	<h4>Why</h4>	
	<p>	
		<ul>

			<li><p>Some already have their domain's email hosted with Google.</p></li>
			<li><p>Some people prefer Google's web based interface.</p></li>
			<li><p>Temporary Migrations.</p></li>
			<li><p>Include Google's security features on top of yours.</p></li>
		</ul>	
	</p>
	<h4>How</h4>	
	<h5>Options</h5>

		<p>	
			The easiest and simplest solution is not to have a domain MXed to your server,
			and simply alias email to those domains.
			E.g. all email to joeblogs.co.uk hosted on your server
			is forwarded to joeblogs.com hosted with Google.
		</p>
		<p>
			You may set up your own server to simply be a backup mail server (MX)
			for a domain hosted with Google. 
			If you are the first priority in the MX details of the DNS, you still
			have some control, but not all senders will obey the priority listing,
			e.g. spammers, but some valid senders as well.
		</p>
		<p>
			However the one I use, and the option where you are most in control,
			is to keep your server as the only MX server in the DNS,
			and only forward certain aliases on to Google after all your server's checks.
			Other aliases and users can just use your mail server if you prefer.
			I will explain how to do this in the next steps.
		</p>
	<h5>DNS</h5>

	<p>	
		You only put your mail server as the mx for the domain in question.
		Google will complain about this, as it will not be able to verify that
		email is setup correctly. Ignore this as it will still accept emails.
	</p>
	<h5>MySQL tables</h5>
	<p>	
		You set up your aliases as normal.
		However your domain table needs tweaking.
		This is because otherwise your server
		will just forward the email to itself. 
		You can actually specify aliases in the domain table.
	</p>
	<p>
		Example: 
		Your domain is bloggs.com.
		Joe wants to use gmail.
		Mary does not.		
		<code>to be done</code>

		<code>to be done</code>
	</p>

	<h4>Issues</h4>
	<p>	
		There are some items you should consider when integrating Google Apps.
	</p>
	<p>	
		<b>Privacy</b><br />
		First there is the privacy issue. 
		This is the same as if you were using Google Apps only or GMail.
		Google can and will read your email.
		However probably not a person, but they will use it for commercial reasons,
		E.g. showing relevant ads.
		Some people really hate this part and refuse to use Google's mail products.
		However I trust them a little bit, and do use it.
	</p>	
	<p>	
		<b>Spam</b><br />

		If you forward spam, then consider your own server's reputation.
		Should be okay though.
	</p>	
	<p>	
		<b>SPF</b><br />
		If you use SPF for your domain,
		consider that both your server and google will receive and send mail
		on behalf of that domain.
	</p>	
	<p>	
		<b>Google internally</b><br />
		Be aware that Google thinks they host your domain.
		So if others inside Google, or using Google hosted apps or GMail,
		email you, the email may not go via your email server,
		but directly to the Google Apps for your domain.
		That could be an issue if not all the aliases you have use Google Apps.
		This needs to be tested more though.
		Especially as it may only be an issue if Google's servers are part 
		of your domain's MXs.
	</p>	
	<h6><a href="#top">Return to top</a>.</h6>


	<a name="ext_maildrop"></a>
	<h3>Maildrop, spam folder and vacation messaging</h3>
	<p>
		Villu has documented swapping in Maildrop for virtual transport
		and automatically delivering spam to a spam folder.
		(And links to a post about vacation messaging)
	</p>
	<p>
		Please <a href="http://ubuntuforums.org/showpost.php?p=7278296&postcount=223">read his post here</a>.
	</p>

<h6><a href="#top">Return to top</a>.</h6>



	<a name="ext_sug"></a>
	<h3>Suggestions?</h3>
	<p>
		If you have any suggestions to other ways of extending
		a postfix server, then fire off a mail to me via
		the <a href="#contact">contact form</a> further down.<br/>

		(Or rather, I'd prefer that you write down the extension, and let me know the link! :))
	</p>
</div>
<h6><a href="#top">Return to top</a>.</h6>







<br />
<br />
<br />



<a name="ec2"></a>
<h2>Elastic Computing Cloud</h2>

<div class="section">

	<ul>
		<li><p><a href="#ec2">Impressions</a></p></li>
		<li><p><a href="#ec2_use">Using EC2 with this howto</a></p></li>
		<li><p><a href="#ec2_ami">Amazon EC2 Images: AMIs</a></p></li>

		<li><p><a href="#ec2_links">EC2 Links</a></p></li>
	</ul>		



	<h4>Impressions</h4>
	<!--
	<h5>Before</h5>
	<p>
		Looked very neat,
		Seemed applicable for big company/universities only.
		And conveluted interface.
	</p>

	<h5>After</h5>
	-->
	<p>

		Easy to use.
		Anyone can use, not just big companies.
		Very useful.
		Tools are command line but simple.
		Firefox extensions work well.
		Recommended.
	</p>
	<p>
		I find it very useful. 
		Basically it is a colo hosting environment.
		Some may use it for SaaS, i.e. a single scalable application in the cloud,
		but I use it as a hosting environment for complete servers.	
	</p>

	<h4>How I plan to use it with my mail servers</h4>
	<p>
		Different images to launch for different needs.
		Good way to scale backup MXs if needed.
		Can script backup to S3 of mail dirs etc.
	</p>

	<a name="ec2_use"></a>
	<h4>	Using EC2 with this howto	</h4>

	<p>
		If you plan to use EC2 to follow this howto,
		then familiarise yourself with EC2 first.
		Check the <a href="#ec2_links">links</a> further down.
	</p>
	<p>
		Once competent enough on EC2, launch the latest official
		<a href="http://help.ubuntu.com/community/EC2StartersGuide#Getting the images">Ubuntu ec2 image</a> or one of 
		<a href="http://alestic.com">Eric Hammond images</a>.
		You can cheat by using my other images, 
		but you should really know how the whole server was built by starting
		from the bottom.
	</p>

	<p>
		When using EC2 images, be aware of security groups, as they restrict
		access to your server on top of the firewall.
		Initially you will need SSH (22) access, quite soon you will need SMTP 
		and IMAP ports opened, 25,143,465,587 and 993, and 
		eventually webserver ports of 80 and 443.
		<a href="http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1233&categoryID=100G">Read here</a> for tips on securing AMIs.
	</p>
	<p>
		Also do not terminate your instances without backing up your machine.
		You can do this either by creating your own image,
		or by backing up certain data if you have an image to instantiate from.
		Back up to S3 or your local machine.
		Create images only now and then. Back up configurations, database and maildirs 
		more regularly.
	</p>
	<p>
		<b>Note</b>: 
		You probably want to remove my ssh key from the root or ubuntu user's authorized_keys2 file.
		It should not be present, but it may be, so please check.
	</p>
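	<p>
		One way to do that check, as an added example that is not part of the original howto:
		a Python audit that lists every key in the authorized_keys and authorized_keys2 files of the given home directories
		whose fingerprint is not on your own allow-list.
		The sample keys, comments and directory layout are constructed, and the function names are assumptions of this example.
	</p>

```python
import base64
import hashlib
import re
import struct
import tempfile
from pathlib import Path

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
# A token is a run of non-space characters; double-quoted option values such
# as command="..." stay inside one token even when they contain spaces.
TOKEN = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')


def parse_line(line):
    """Return (key_type, blob, comment) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = TOKEN.findall(line)
    for i, tok in enumerate(tokens[:-1]):  # options may precede the key type
        if tok.startswith(KEY_TYPES):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None
            return tok, blob, " ".join(tokens[i + 2:])
    return None


def fingerprint(blob):
    """SHA256 fingerprint of a public key blob, in the SHA256:<base64> form."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(home_dirs, allowed_fingerprints):
    """List every key in authorized_keys / authorized_keys2 that is not allowed."""
    findings = []
    for home in home_dirs:
        for name in ("authorized_keys", "authorized_keys2"):
            path = Path(home) / ".ssh" / name
            if not path.is_file():
                continue
            lines = path.read_text(errors="replace").splitlines()
            for lineno, line in enumerate(lines, 1):
                parsed = parse_line(line)
                if parsed is None:
                    continue
                key_type, blob, comment = parsed
                fp = fingerprint(blob)
                if fp not in allowed_fingerprints:
                    findings.append((str(path), lineno, key_type, fp, comment))
    return findings


def constructed_key(seed, comment):
    """Build a well-formed ssh-ed25519 line from a seed (constructed, not a real key)."""
    raw = hashlib.sha256(seed.encode()).digest()  # 32 bytes standing in for a key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def demo():
    """Audit a constructed image layout; only the launch key is on the allow-list."""
    mine = constructed_key("my-key", "me@laptop")
    builder = constructed_key("builder-key", "image-builder@example")
    layout = (
        ("root", "authorized_keys2", [builder]),
        ("ubuntu", "authorized_keys",
         ["# launch key", mine, 'no-pty,command="/bin/false" ' + builder]),
    )
    with tempfile.TemporaryDirectory() as tmp:
        for user, name, lines in layout:
            ssh_dir = Path(tmp) / user / ".ssh"
            ssh_dir.mkdir(parents=True)
            (ssh_dir / name).write_text("\n".join(lines) + "\n")
        allowed = {fingerprint(parse_line(mine)[1])}
        found = audit([Path(tmp) / "root", Path(tmp) / "ubuntu"], allowed)
        return [(Path(p).parent.parent.name, Path(p).name, n, c)
                for p, n, _type, _fp, c in found]


if __name__ == "__main__":
    # On a real instance: audit(["/root", "/home/ubuntu"], {"SHA256:..."})
    for user, filename, lineno, comment in demo():
        print(f"unexpected key: {user} {filename} line {lineno} ({comment})")
```

	<p>
		Every reported line is a key that can still log in to the instance, so remove any you do not recognise before opening port 22 in the security group.
	</p>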

	<p>
		<b>2nd Note</b>: 
		<a href="http://www.spamhaus.org">Spamhaus.org</a> lists Amazon's ec2 IP ranges as dynamic, 
		thus many mail servers will reject emails from them.
		(Including other people using this howto.)
		But Spamhaus has a simple web page to remove IPs,
		which they link to in rejection messages.
		Simply look in your logs, click on the link and follow the instructions:
		basically fill in your IP, email and state it's for a mail server.
		Then Spamhaus will remove your IP from their database.
	</p>
	<p>
		<b>3rd Note</b>:
		<a href="http://groups.google.com/group/ec2ubuntu/msg/ea6dc7ee49092cea">This fix needs to be applied to the instances</a>
		built on an early 8.04 base. This is not a problem with the later Hammond or any Canonical based images.
	</p>


	<a name="ec2_ami"></a>
	<h4>Amazon EC2 Images: AMIs</h4>
	<p>				
		Public AMIs to use as base:
		<table border="1">
			<tr>
				<th>AMI</th>
				<th>Description</th>

				<th>S3 Name</th>
				<th>Extended from</th>
			</tr>
			<tr>
				<td><p>ami-5059be39</p></td>
				<td><p>Canonical's Official Ubuntu 8.10 Intrepid 32bit US</p></td>
				<td><p>canonical-cloud-us/ubuntu-intrepid-20090422-i386</p></td>

				<td><p></p></td>
			</tr>
			<tr>
				<td><p>ami-4132d428</p></td>
				<td><p>Clean with all packages installed but no configuration</p></td>
				<td><p>flurdy-amis/ubuntu-mail-server-clean-20090529-2</p></td>
				<td><p>ami-5059be39 (Canonical Official ec2)</p></td>

			</tr>
			<tr>
				<td><p>ami-0f41a466</p></td>
				<td><p>Clean with all packages installed but no configuration</p></td>
				<td><p>flurdy-amis/ubuntu-mail-server-clean-080502-1</p></td>
				<td><p>ami-ce44a1a7 (Eric Hammond's base)</p></td>
			</tr>

			<tr>
				<td><p>ami-eb39df82</p></td>
				<td><p>Just mysql, postfix and courier configured</p></td>
				<td><p>flurdy-amis/ubuntu-mail-server-basic-20090604-1</p></td>
				<td><p>ami-4132d428 (Canonical-Clean)</p></td>
			</tr>
			<tr>

				<td><p>ami-8541a4ec</p></td>
				<td><p>Just mysql, postfix and courier configured</p></td>
				<td><p>flurdy-amis/ubuntu-mail-server-simple-080504-1</p></td>
				<td><p>ami-0f41a466 (Hammond-Clean)</p></td>
			</tr>
			<tr>
				<td><p>ami-9941a4f0</p></td>

				<td><p>Including anti spam and anti virus</p></td>
				<td><p>flurdy-amis/ubuntu-mail-server-spam-080504-1</p></td>
				<td><p>ami-8541a4ec (Simple)</p></td>
			</tr>
			<tr>
				<td><p>ami-395fba50</p></td>
				<td><p>Including TLS and SASL encryption and authentication</p></td>

				<td><p>flurdy-amis/ubuntu-mail-server-secure-080527-2</p></td>
				<td><p>ami-9941a4f0 (Spam)</p></td>
			</tr>
			<tr>
				<td><p>ami-275fba4e</p></td>
				<td><p>With webmail and admin enabled</p></td>
				<td><p>flurdy-amis/ubuntu-mail-server-webmail-080527-1</p></td>

				<td><p>ami-395fba50 (Secure)</p></td>
			</tr>
			<tr>
				<td><p><i>ami-xxx</i></p></td>
				<td><p>With back up mx</p></td>
				<td><p>flurdy-amis/ubuntu-mail-server-backup-xxx</p></td>
				<td><p>ami-275fba4e (Webmail)</p></td>

			</tr>
			<tr>
				<td><p><i>ami-xxx</i></p></td>
				<td><p>With back up mx only</p></td>
				<td><p>flurdy-amis/ubuntu-mail-server-backup-only-xxx</p></td>
				<td><p>ami-395fba50 (Secure)</p></td>
			</tr>

		</table>
	</p>
	<p>
		If you have a comment or question about the ec2 images, please discuss it in the <a href="#forum">forums</a>.<br/>
		If you notice a security problem, or I have not cleaned the images properly, <a href="#contact">please let me know</a>.
	</p>

	<a name="ec2_links"></a>

	<h4>EC2 Links</h4>
	<ul>
		<li><p><a href="http://www.amazonaws.com">Amazon web services (AWS)</a></p></li>
		<li><p><a href="http://ec2.amazonaws.com">Elastic Computing Cloud (EC2)</a></p></li>
		<li><p><a href="http://s3.amazonaws.com">Simple Storage Service (S3)</a></p></li>
		<li><p><a href="http://calculator.s3.amazonaws.com/calc5.html?">AWS Cost Calculator</a></p></li>

		<li><p><a href="http://developer.amazonwebservices.com/connect/kbcategory.jspa?categoryID=84">EC2 Resource Centre</a></p></li>
		<li><p><a href="http://docs.amazonwebservices.com/AWSEC2/2008-02-01/GettingStartedGuide/?ref=get-started">EC2 Starter Guide</a></p></li>
		<li><p><a href="http://developer.amazonwebservices.com/connect/entry.jspa?externalID=609&categoryID=88">EC2 Firefox extension: Elasticfox</a></p></li>
		<li><p><a href="https://s3.amazonaws.com/ec2-downloads/elasticfox-ff3b.xpi">Elasticfox for Firefox 3</a></p></li>
		<li><p><a href="http://developer.amazonwebservices.com/connect/entry.jspa?externalID=771&categoryID=58">S3 Firefox extension: S3Fox</a></p></li>
		<li><p><a href="http://developer.amazonwebservices.com/connect/entry.jspa?externalID=931">EC2 to S3 Admin Scripts</a></p></li>

		<li><p><a href="http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1427&categoryID=101">Eric Hammond 8.04 AMI</a></p></li>
		<li><p><a href="http://alestic.com">alestic</a>, ubuntu ec2 images</p></li>
		<li><p><a href="http://www.ubuntu.com/ec2">Ubuntu ec2</a></p></li>
		<li><p><a href="http://help.ubuntu.com/community/EC2StartersGuide">Ubuntu ec2 Starter Guide</a></p></li>
	</ul>	



</div>
<h6><a href="#top">Return to top</a>.</h6>








<a name="app"></a>
<h2>Appendix</h2>

<div class="section">




	<ul>
		<li><p><a href="#author">About author</a></p></li>
		<li><p><a href="#contact">Contact</a></p></li>

		<li><p><a href="#app_why">Why</a></p></li>
		<li><p><a href="#references">References</a></p></li>
		<li><p><a href="#app_links">Software Links</a></p></li>
		<li><p><a href="#app_dif">Difference between Ubuntu versions</a></p></li>
		<li><p><a href="#download">Download</a></p></li>
		<li><p><a href="#app_todo">Todo</a></p></li>

		<li><p><a href="#app_log">Change Log</a></p></li>
	</ul>

	<a name="about"></a>
	<h3>About author</h3>
	<p>
		Ivar Abrahamsen, an IT Senior Consultant from Norway.
		Specialising in developing and integrating middleware application systems.
		Mainly open source and Java based technology stack.
		Recently moved back to Oslo, Norway after 15 years in Manchester.
	</p>
	<h6><a href="#top">Return to top</a>.</h6>

	<a name="contact"></a>
	<a name="forum"></a>
	<h3>Contact</h3>

	<p>
		Remember I have <b>stood on the shoulders of <a href="#references">giants</a></b>.
		I just ended up with a system that worked for me, and decided to document its evolution.
	</p>

	<p>
		Before contacting, have you?:
	</p>
	<ul>
		<li><p>
			Read this document properly? Followed it step by step?<br/>
			(While we can not insist on the same setup for everyone,
			assistance is easier and more likely if less customised) 
		</p></li>
		<li><p>

			Applied the solutions provided in the <a href="#test">test section</a>?
		</p></li>
		<li><p>
			Read the <a href="#forum">forums</a> for solutions already posted?
		</p></li>
		<li><p>
			Read the <a href="#app_faq">FAQ</a>?
		</p></li>

		<li><p>
			Tailed the mail.log? It usually tells you what the problem is!
		</p></li>
		<li><p>
			Tailed the mysql.log? If nothing happens there it should indicate something...
		</p></li>
		<li><p>
			Include a short dump of the mail.log with your post.
			(Remember to anonymise the servernames etc)
		</p></li>
	</ul>

	<a name="forum"></a>
	<a name="forums"></a>
	<h4>Forums</h4>
	<p>
		Use the <a href="http://www.ubuntuforums.org">Ubuntu forums</a>! :)<br />
	</p>

	<ul>
		<li><p>
			<b><a href="http://ubuntuforums.org/showthread.php?t=185913">Here is a thread</a> on this specific mail server howto</b>.
		</p></li>
		<li><p>
			<b>And <a href="http://ubuntuforums.org/showthread.php?t=97600">another one</a> by me which is also used.</b>
		</p></li>

	</ul>
	<p>
		Please participate in the forums.<br/> 
		If you see an issue you also have, contribute with more information. <br/>
		And even better, if it is something you may know how to solve, please <a href="http://ubuntuforums.org/showthread.php?t=185913">let people know</a>. <br/>
		And especially, if you post a problem, then solve it, let <a href="http://ubuntuforums.org/showthread.php?t=185913">people know what the solution was</a>! (and not just that you solved it...)
	</p>

	<p>
		I am rubbish at replying to emails,
		and the forums are read and answered by people who 
		know a lot more about Postfix than me.
	</p>
	<p>
		Questions sent to me directly may not be answered for a while or at all, unfortunately.
	</p>
	<h6><a href="#top">Return to top</a>.</h6>


	<a name="consult"></a>

	<h4>Consultancy and advice</h4>
	<p>
		Not to be rude, but to try and reduce the volume of emails I get please consider the following:
	</p>
	<ul>

		<li><p>
			<a href="#references">My references</a> and the people who follow <a href="http://ubuntuforums.org/showthread.php?t=185913">the forums</a> and the <a href="http://www.postfix.org/lists.html">postfix mailing lists</a> are much more knowledgeable than me. 
		</p></li>

		<li><p>
			People who follow <a href="http://ubuntuforums.org/showthread.php?t=185913">the forums</a> and the <a href="http://www.postfix.org/lists.html">postfix mailing lists</a> are much more likely to reply than me. 
		</p></li>		
		<!-- <li><p>
			While I am a consultant, it is not regarding email servers. So this is not actually my field.
			I am generally contracted out as software engineer or architect within enterprise Java applications.
		</p></li> -->
		<li><p>			
			I am a firm believer in: <i><a href="http://www.amatecon.com/fish.html">Give a man a fish; you have fed him for today.
			Teach a man to fish; and you have fed him for a lifetime</a></i>. 
			(Playing far too much <a href="http://www.civilization.com">Civ</a> was not all wasted..)
		</p></li>

		<li><p>
			So if you have any questions,
			problems with using this guide, 
			or any other issues with this guide,
			<a href="http://ubuntuforums.org/showthread.php?t=185913">please use the forum</a>.<br/>
			Then it is also an available archive for others to find solutions in the future.
		</p></li>		
		<li><p>
			Any technical difference of opinion,
			<a href="http://ubuntuforums.org/showthread.php?t=185913">please use the forum</a>.
		</p></li>		
		<li><p>

			Interested in Postfix, or got a technical query about it?
			Consider the <a href="http://www.postfix.org/lists.html">postfix mailing lists</a>.
		</p></li>	
		<!--
		<li><p>
			I really do not have much spare time. 
			And rarely do I spend to the one spare hour I get a week on mail server issues.<br/>
			While I try to be nice, setting up a server for someone else would use up my spare time that month!
		</p></li>
		-->		
		<li><p>
			Any clear technical mistakes by me in this guide,
			then <a href="#consult">let me know</a>, 
			but perhaps <a href="http://ubuntuforums.org/showthread.php?t=185913">discuss it first in the forums</a>? 
		</p></li>	
		<li><p>
			If you made / found an extension to this tutorial, fantastic! 
			<a href="/contact">Please let me know</a>, and I'll link to it. 
			And <a href="/contact">shout at me</a>, if I am slow in doing so. :)
		</p></li>	
		<li><p>

			If you find any spelling mistakes or broken links, <a href="/contact">please let me know</a>.
		</p></li>
		<li><p>
			<b>Thank you messages</b> are <a href="/contact/">very much appreciated</a> however! Actually, they make my day. :)<br />
			(People who <a href="http://shirts.flurdy.com">buy a T-shirt</a> from me make my week.. ;p )
		</p></li>	
	</ul>	

	<p>			
		<b>If you still want my advice or hire me: </b>

	</p>
	<ul>	
	<!--
		<li><p>
					If it is for a commercial company,
					since my <a href="http://www.tieto.com">employer</a> do not allow other paid employement
					(hence why <a href="http://www.eray.co.uk">eray.co.uk</a> is currently mothballed),
					then it will have to be through my <a href="http://www.tieto.com">employer</a>, <a href="http://www.tieto.com">Tieto</a>.<br/>
					<i>(Please consider that they probably insist on 3-6 months minimum contract with an hourly rate of about ~$180 USD)</i>
		</p></li>
		-->
		<li><p>
			If my own consultancy at <a href="http://www.eray.co.uk">eray</a> is ever resurrected, you may hire me via <strike><a href="http://www.eray.co.uk/contact/">eray</a></strike>...
		</p></li>
		<li><p title="Please consider that they probably insist on 3-6 months minimum contract with an hourly rate of about ~$180 USD">

			Meanwhile, proper commercial consultancy will have to be through <a href="http://www.tieto.com">my employer</a>, <a href="http://www.tieto.com">Tieto</a>.
		</p></li>
		<li><p>
				If it is for your own personal server, then I am much cheaper, ie. free. :)<br/>
				However :
					<ul>
					<li><p>

						Do remember my <i><a href="http://www.amatecon.com/fish.html">fishing</a></i> analogy.
					</p></li>
					<li><p>			
						And I do not appreciate people who want shortcuts 
						and ask me to set their server up for them (for free). <br />
						Email servers are important and potentially dangerous, so you really need to learn how they work, and how to tweak them.
					</p></li>
					<li><p>
						And unfortunately, while I am not lazy (well a little bit) or rude (well somewhat), I am probably too busy,  
						so <a href="http://ubuntuforums.org/showthread.php?t=185913">check the forums</a>?....
					</p></li>

				</ul>					
		</p></li>
		<li><p>
			In the end I am contactable via <a href="/contact/">flurdy.com/contact</a> :)
		</p></li>
	</ul>

	<h6><a href="#top">Return to top</a>.</h6>






	<a name="app_why"></a>
	<h3>Why</h3>

	<h4>Why your own mail server</h4>
	<p>
		Main reason: Because you can.<br />
		Other good reasons:
		Basically it leaves you in complete control,
		to expand, customize and tweak your mail server to your needs.
		You are not dependent on 3rd party providers,
		or limited by their technology constraints or your budget.
		With your own mail server you can add as many aliases, 
		users and domains as you'd like, 
		and be as restrictive or open about security, virus, spam, 
		file sizes etc as you prefer. 
		And as it is a well known, frequently updated, open source application stack, 
		you can also trust the software you use.
	</p>
	<h4>Why I wrote this howto</h4>
	<p>
		When I set up my first email server I used a mix 
		of other howtos on the net.
		And they were so helpful that I thought I would
		contribute back with my experience.
		And it has been useful as a recipe script for 
		myself every time I need to install/update a server.
	</p>

	<p>
		A less angelic reason is that back in 2003 I was setting up mail servers 
		for a few friends and colleagues.
		Soon I was getting more requests, and being a lazy programmer, I thought.. 
		"Why don't I write a howto and let them do it themselves..." 
		Soon it was listed on postfix.org 
		and I was getting thousands of hits and 
		lots of emails. (blessing in disguise)	
	</p>	
	<h4>Why I wrote this edition</h4>
	<p>
		Or rather why no new edition or updates for two years?
		Well, basically no time or need to do so, so basically laziness...<br />
		My last edition was written two years ago, 
		and was pretty complete and thorough so my inclination 
		to write a new one has been low, especially as
		my own mail server had not changed since then either.
	</p>

	<p>
		But then my server started crashing so I upgraded it to Ubuntu 8.04, which went pretty smoothly, but with a few tweaks. So time for another edition.
	</p>
	<p>
		This time I expanded reliability to include 
		the possibility of running backup mx
		servers using <a href="http://amazon.com">Amazon</a>'s 
		<a href="http://ec2.amazonaws.com">Elastic Compute Cloud</a>.
		Note, however, that this is an optional extra at the end.
	</p>
	<h6><a href="#top">Return to top</a>.</h6>

	<a name="references"></a>
	<h3>References</h3>
	<ul>
			<li><p><a href="http://www.postfix.org/docs.html">Postfix howtos</a></p></li>
			<li><p><a href="http://www.amazon.co.uk/exec/obidos/redirect?tag=ivarssite-21&creative=3914&camp=526&link_code=st1&path=tg/sim-explorer/explore-items/-/0596002122/0">Kyle's book</a></p></li>
			<li><p><a href="http://techrepublic.com.com/5171-22-5030268.html">John Locke on TechRepublic</a></p></li>

			<li><p><a href="http://www.amazon.co.uk/exec/obidos/redirect?tag=ivarssite-21&creative=3930&camp=526&link_code=st1&path=tg/sim-explorer/explore-items/-/1593270011/0">Hildebrandt's book</a></p></li>
			<li><p><a href="http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/">Hildebrandt's website</a></p></li>
			<li><p><a href="http://www.marlow.dk/postfix/">List-Petersen</a></p></li>
			<li><p><a href="http://genco.gen.tc/postfix_virtual.php">Genco Yilmaz</a></p></li>
			<li><p><a href="http://workaround.org/articles/ispmail-sarge/">Christoph Haas</a></p></li>
			<li><p><a href="http://kirb.insanegenius.net/postfix.html">Nenzel &amp; Peet</a></p></li>

			<li><p><a href="http://postfixwiki.org/index.php?title=Virtual_Users_and_Domains_with_Courier-IMAP_and_MySQL">Peters</a></p></li>
			<li><p><a href="http://www.sweeney.demon.co.uk/pfix_imap_virtual.html">Matthews</a></p></li>
			<li><p><a href="http://www.phparchitecture.com/howto_show.php?id=2">Stepanov</a></p></li>
			<li><p><a href="http://www.besy.co.uk/projects/debian/woody_mail_server_howto.htm">Andy "Besy"</a></p></li>
			<li><p><a href="http://www.metaconsultancy.com/whitepapers/smtp.htm">Meta Consultancy</a></p></li>
		</ul>

	<h4>New references</h4>
	<ul>
		<li><p><a href="https://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/conf.html">Postfix TLS</a></p></li>
		<li><p><a href="http://www.postfix.org/postconf.5.html">Postfix main.cf doc</a></p></li>
		<li><p><a href="http://www.greens.org/~cls/linux/howtos/smtp-auth-saslauthd.html">saslauthd</a></p></li>
		<li><p><a href="http://www200.pair.com/mecham/spam/bypassing.html">Bypassing amavisd</a></p></li>

		<li><p><a href="https://help.ubuntu.com/community/Squirrelmail">Ubuntu Help: Squirrelmail</a></p></li>
	</ul>
	<h6><a href="#top">Return to top</a>.</h6>

	<a name="app_links"></a>
	<h3>Software Links</h3>
	<p>
		Please refer to the <a href="edition5.html#app_links">previous edition</a>

		for a list of URLs and suitable downloads.
		However, most are unnecessary with a decent package manager.
	</p>

	<a name="app_diff"></a>
	<h3>Difference between Ubuntu versions</h3>
	<p>
		I used to distinguish differences, which were available in a <a href="edition5.html#app_diff">previous edition</a>.
	</p>

	<a name="download"></a>

	<h3>Download</h3>
	<p>
		Please refer to the <a href="edition5.html#download">previous edition</a>
		for a complete list of downloads that are available.
	</p>

	<a name="app_log"></a>
	<h3>Change log</h3>

	<p>
		Brief list of latest changes.		
	</p>
	<ul>
		<!--
		<li><p>
			2009-05-29: 
		</p></li>
		-->
		<li><p>
			2009-06-04: 
			made basic server image available on EC2,
			based on Canonical's official EC2 AMI.
		</p></li>
		<li><p>
			2009-06-02: 
			made clean server image available on EC2,
			based on Canonical's official EC2 AMI.
		</p></li>

		<li><p>
			2009-05-29: 
			changed contact section.
		</p></li>
		<li><p>2009-05-29: started 8th edition</p></li>
	</ul>
	<p>
		Used to refer to all changes, but got too long. 
		A <a href="edition5.html#app_log">previous edition</a> contains such a list.
	</p>


	<h6><a href="#top">Return to top</a>.</h6>


	<a name="app_todo"></a>
	<h3>Todo</h3>

	<ul>
		<li><p>Populate some of the: Refer to previous edition...</p></li>
		<li><p>Spell check!</p></li>

		<li><p>Remove uid and guid</p></li>
		<li><p>Copy across test sections from earlier</p></li>
		<li><p>Merge test sections</p></li>
		<li><p>Create backup mx AMI</p></li>
	</ul>
	<p>
		Please refer to the <a href="edition5.html#app_todo">previous edition</a>

		for some old todos....
	</p>


	<a name="app_faq"></a>
	<h3>FAQ</h3>
	<p>
		There is not yet an extensive FAQ.
	</p>
	<p>
		But please, most of the frequent questions have been asked and answered in <a href="http://ubuntuforums.org/showthread.php?t=185913">the forums</a>.<br/>

		Most are also unnecessary as following the <a href="#test">test section</a> will have solved them.
	</p>

	<p>
		Some questions that frequently get sent to me, which should first of all have been asked in <a href="http://ubuntuforums.org/showthread.php?t=185913">the forums</a> and have been answered there many times, and which I then tend to ignore, are:
	</p>

	<ul>
		<li>

			<h5>Squirrelmail does not allow me to log in</h5>
			<p>
				This can be due to many things.
				Most are due to skipping forward too fast, ignoring <a href="#test">test sections</a> etc.
			</p>
			<p>Answers:
			<ul>
				<li><p>
					<b>Does <a href="#config-simple-mta">postfix</a> work?</b><br/>

					No point trying to run before you can crawl.
					Send emails to recipients on your server, 
					tail mail.log to see if everything is okay.<br/>
					Often <a href="#config-simple-database">mysql</a> is not configured properly, <a href="#test">check the mysql logs</a> for activity.
				</p></li>
				<li><p>
					<b>Have they ever received an email?</b><br/>

					If not, they can not log into squirrelmail
					as the email folders will not yet exist.
				</p></li>
				<li><p>
					<b>Does <a href="#config-simple-imap">Courier</a> work?</b><br/>
					If it doesn't then you have still got some more setup to do.
				</p></li>
				<li><p>
					If all above is okay, then it may be a problem with your <a href="#config-extra-webmail">Squirrelmail setup</a>.<br/>

					Check for empty spaces in the squirrelmail mysql setup. More details in <a href="#test">test section</a>.
				</p></li>
			</ul>	
		</li>
		<li>
			<h5>Email folders do not exist</h5>
			<p>
				Mentioned many times in this guide and in the forums.
			</p>

			<p>Answers:
			<ul>
				<li><p>
					<b>Have they received an email?</b><br/>
					If not, they can not log into squirrelmail
					as the email folders will not yet exist.
					When receiving their first email,
					postfix will create all the necessary folders.
					If it does not, your postfix setup is broken.
				</p></li>
				<li><p>
					<b>There is a program that creates the folders for you.</b><br/>
					I do not recommend it, 
					as basically your postfix setup is broken
					if no folders are created, and you better fix it instead.
				</p></li>

			</ul>	
		</li>
	</ul>

</div>
<h6><a href="#top">Return to top</a>.</h6>






<!--Creative Commons License--><a rel="license" href="http://creativecommons.org/licenses/by-sa/2.5/"><img alt="Creative Commons License" border="0" src="http://creativecommons.org/images/public/somerights20.png"/></a><br/><p>This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-sa/2.5/">Creative Commons Attribution-ShareAlike 2.5 License</a>.</p><!--/Creative Commons License--><!-- <rdf:RDF xmlns="http://web.resource.org/cc/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
	<Work rdf:about="">
		<license rdf:resource="http://creativecommons.org/licenses/by-sa/2.5/" />
	<dc:type rdf:resource="http://purl.org/dc/dcmitype/Text" />
	</Work>
	<License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/"><permits rdf:resource="http://web.resource.org/cc/Reproduction"/><permits rdf:resource="http://web.resource.org/cc/Distribution"/><requires rdf:resource="http://web.resource.org/cc/Notice"/><requires rdf:resource="http://web.resource.org/cc/Attribution"/><permits rdf:resource="http://web.resource.org/cc/DerivativeWorks"/><requires rdf:resource="http://web.resource.org/cc/ShareAlike"/></License></rdf:RDF> -->

<h5><a href="http://flurdy.com"><img 
	src="/images/flurdy-small.png" alt="flurdy" 
	title="Made by flurdy" border="0" align="right" /></a>
</body>
<!-- iea 2k8 -->
</html>
