
Linux mail server

How do you set up a mail server that can receive and send e-mail, fight spam, and interact with clients? In fact, everything is quite simple.

Today we will talk about mail servers on Linux. We will talk about how to configure the server, about the widely used Internet protocol SMTP, as well as about other protocols, such as POP and IMAP. As a result, you will be the owner of a complete system for working with e-mail.


Let's start with the SMTP server on Linux

SMTP server


The Simple Mail Transfer Protocol (SMTP) defines the rules for sending mail between computers; it does not specify how messages are stored or displayed. It is a system-independent protocol, that is, the sender and recipient of mail can run different operating systems.

SMTP only requires that the server be able to send plain ASCII text to another server using port 25, which is the standard SMTP port.

Today, the two most common SMTP implementations, sendmail and postfix, are built into most Linux distributions.

Sendmail is a popular open source mail server used in many Linux distributions. Its disadvantages include a somewhat complicated architecture and an insufficiently high level of protection.

Postfix is a somewhat more advanced system; special attention was paid to security issues during its development.

Components of a mail service


A typical mail service consists of three main components:

Mail client, also called the Mail User Agent (MUA). This is the component the user interacts with, for example the Thunderbird or Microsoft Outlook email clients. They allow the user to read mail and write emails.

Mail server, or Message Transfer Agent (Mail Transport Agent, MTA). This component is responsible for moving email between systems; Sendmail and Postfix are examples.

Mail Delivery Agent (MDA). This component is responsible for distributing received messages to user mailboxes. Examples are Postfix-maildrop and Procmail.

Install mail server


We chose the Postfix package for our server. It is a popular choice among system administrators and the standard mail server in most modern Linux distributions.

Let's start by checking whether Postfix is installed on the system:

$ rpm -qa | grep postfix 

If you cannot detect Postfix, you can install it, for example, in distributions based on Red Hat, using the following command:

 $ dnf -y install postfix 

Then we start the postfix service and enable it to start when the system boots:

 $ systemctl start postfix
 $ systemctl enable postfix

On Debian-based distributions like Ubuntu, you can install Postfix like this:

 $ apt-get -y install postfix 

During installation, you will be prompted to select a server configuration. Among the four options available (No configuration, Internet site, Internet system, Satellite system and Local system), we will select No configuration, which will create the necessary user and group accounts for Postfix.

Server Tuning


After installing the Postfix mail server, you need to configure it. Most of the configuration files are located in the /etc/postfix/ directory.

The main Postfix configuration file can be found at /etc/postfix/main.cf. It has many options; let's consider the most important ones.

myhostname

This parameter is used to specify the hostname of the mail system. This is the name of the host on the Internet for which Postfix will receive mail.

Typical examples of mail server host names are mail.example.com and smtp.example.com.

Adjust this parameter as follows:

 myhostname = mail.example.com 

mydomain

This setting allows you to specify the mail domain serviced by the server, for example, example.com:

 mydomain = example.com 

myorigin

This parameter allows you to specify the domain name used in mail sent from the server. Give it the value of $mydomain:

 myorigin = $mydomain 

In the settings you can refer to the parameters by adding a $ sign in front of the variable name.

mydestination

This parameter contains a list of domains that the Postfix server will consider as final destinations for incoming mail.

In our case, here will be the server’s hostname and domain name, but this parameter may contain other names:

 mydestination = $myhostname, localhost.$mydomain, $mydomain, mail.$mydomain, www.$mydomain 

mail_spool_directory

The Postfix mail server can use two modes of mail delivery:


 mail_spool_directory = /var/spool/mail 

mynetworks

This is an important setting. It allows you to specify which servers can relay mail through the Postfix server.

Typically, only mail from local client computers is allowed. Otherwise, spammers may take an interest in your server.

If you configure the mynetworks parameter incorrectly, spammers can easily use the server as a mail relay. This will very quickly cause some anti-spam system to put it on one of the blacklists, such as a DNS Blacklist (DNSBL) or a Realtime Blackhole List (RBL). As soon as the server ends up on such a list, very few recipients will be able to receive mail sent through it.

Here is what the setting of this parameter might look like:

 mynetworks = 127.0.0.0/8, 192.168.1.0/24 
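As an added example (not part of the original article), here is one way to audit a main.cf for mynetworks entries that would turn the server into an open relay. The sample configuration text, the INTERNAL list and the function names are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample main.cf (not from the article). A line that starts with
# whitespace continues the previous parameter.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.com
mynetworks = 127.0.0.0/8, 192.168.1.0/24,
    0.0.0.0/0
inet_protocols = ipv4
"""

# Address space an internal relay client is expected to come from (assumption).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]

def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params

def risky_mynetworks(value):
    """List (entry, reason) for entries that trust more than internal hosts."""
    findings = []
    for entry in value.replace(",", " ").split():
        try:
            net = ipaddress.ip_network(
                entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            # Table lookups or file names cannot be judged from the text alone.
            findings.append((entry, "not a CIDR literal, review by hand"))
            continue
        if not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL):
            findings.append((entry, "covers non-internal address space"))
    return findings

if __name__ == "__main__":
    for entry, reason in risky_mynetworks(parse_main_cf(SAMPLE_MAIN_CF)["mynetworks"]):
        print(f"mynetworks: {entry}: {reason}")
```

On the constructed sample only the 0.0.0.0/0 entry is reported; the two entries from the article's own setting pass.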

smtpd_banner

This variable allows you to specify a response that the server returns when clients connect.

It is best to change this value so that it does not indicate exactly which mail server is used.

inet_protocols

This variable allows you to specify the version of IP that Postfix will use when establishing connections.

 inet_protocols = ipv4 

In order for the changes made in the configuration files to take effect, the Postfix service must be restarted:

 $ systemctl reload postfix 

In fact, you can configure a lot more in the Postfix configuration file. For example, to manage security levels, set debugging options and other parameters.

You may have made a mistake when entering parameter values while setting up the server. You can verify the settings using the following command:

 $ postfix check

With this tool you can find the line in which the error was made and correct it.

Message Queuing Check


Sometimes the mail queue fills up. This can be caused by many factors, such as a network error or anything else that delays the sending of mail.

To check the message queue, use the following command:

 $ mailq 

It will display the messages in the queue. If the queue is full and it takes several hours to send a message, you can initiate the process of sending messages with the following command:

 $ postfix flush 

If you now check the queue, it should be empty.

Mail Server Testing


After setting up the server on Postfix, it needs to be tested. The first step in testing is to use a local email client, such as mailx or mail (this is a symbolic link to mailx).

Try sending a letter to someone whose address is served on the same server, and if it works, send an email to an address that is located somewhere else.

 $ echo "This is message body" | mailx -s "This is Subject" -r "likegeeks<likegeeks@example.com>" -a /path/to/attachment someone@example.com 

Then try to accept a letter sent from another server.

If you run into problems, check the logs. On Red Hat-based distributions, what you need can be found at /var/log/maillog. On Debian-based distributions, the required file can be found at /var/log/mail.log, or at the path specified in the rsyslogd settings. If necessary, see the material on logging in Linux and on configuring rsyslogd.

If the problems are still not resolved, try checking the DNS settings and take a look at the MX records using Linux network commands.

Spam fighting


There are quite a few solutions for detecting unwanted emails - spam. One of the best is the open source project SpamAssassin.
You can install it like this:

 $ dnf -y install spamassassin 

Then you need to start the corresponding service and enable it at boot:

 $ systemctl start spamassassin
 $ systemctl enable spamassassin

After installing SpamAssassin, take a look at its settings in the /etc/mail/spamassassin/local.cf file.

SpamAssassin distinguishes regular mail from spam by examining messages with a variety of scripts. The results of the checks are scored.

The higher the final score of a message, the higher the probability that it is spam.

In the configuration file, the parameter required_hits 5 indicates that SpamAssassin will mark a message as spam if its score is 5 or higher.

The report_safe parameter accepts values of 0, 1, or 2. Setting it to 0 means that messages marked as spam are delivered as they are, but their headers are modified to indicate that they are spam.

If this parameter is set to 1 or 2, SpamAssassin will generate a report and send it to the recipient.

The difference between values 1 and 2 is that in the first case the spam message will be encoded in the message/rfc822 format, and in the second case in the text/plain format.

The text/plain encoding is safer because some email clients execute message/rfc822 messages, which under certain conditions can lead to infection of a client computer with a virus.
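With report_safe 0 the verdict travels in headers that SpamAssassin adds, and the X-Spam-Status header carries the score and the required_hits threshold. The following added example (not from the original article) reads that header from a constructed message; the message text, rule names and function name are sample values chosen for the illustration.

```python
import email
import re

# Constructed message as it might be delivered with report_safe 0:
# headers are added, the body is left untouched.
SAMPLE = (
    "From: sender@example.net\n"
    "To: someone@example.com\n"
    "Subject: Cheap offer\n"
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, score=7.3 required=5.0\n"
    "\ttests=HTML_MESSAGE,MISSING_DATE,\n"
    "\tURIBL_BLOCKED autolearn=no version=3.4.6\n"
    "\n"
    "body text\n"
)

def spam_verdict(raw_message):
    """Return score, threshold and matched tests, or None if not scanned."""
    msg = email.message_from_string(raw_message)
    status = msg.get("X-Spam-Status")
    if status is None:
        return None  # the message never passed through SpamAssassin
    m = re.search(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)", status)
    if m is None:
        return None  # header present but not in the expected form
    score, required = float(m.group(1)), float(m.group(2))
    # The header is folded over several lines, so drop whitespace in the list.
    t = re.search(r"tests=(.*?)(?:\s+autolearn=|$)", status, re.S)
    tests = [x for x in re.sub(r"\s+", "", t.group(1)).split(",") if x] if t else []
    return {"spam": score >= required, "score": score,
            "required": required, "tests": tests}

if __name__ == "__main__":
    print(spam_verdict(SAMPLE))
```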

After installing and configuring SpamAssassin, you need to integrate it with Postfix. Perhaps the easiest way to do this is through the use of procmail.

Create the /etc/procmailrc file and add the following to it:

 :0 hbfw
 | /usr/bin/spamc

Then edit the Postfix configuration file, /etc/postfix/main.cf, setting the mailbox_command parameter as follows:

 mailbox_command = /usr/bin/procmail 

And finally, we restart the Postfix and SpamAssassin services:

 $ systemctl restart postfix
 $ systemctl restart spamassassin

I must say that SpamAssassin does not always recognize spam, which leads to the filling of mailboxes with unnecessary letters.

Fortunately, messages can be filtered using Realtime Blackhole Lists (RBLs) before they reach the Postfix mail server. This will reduce the load on the mail server and help keep it clean.

Open the Postfix configuration file /etc/postfix/main.cf, change the smtpd_recipient_restrictions parameter and configure other parameters as follows:

 strict_rfc821_envelopes = yes
 relay_domains_reject_code = 554
 unknown_address_reject_code = 554
 unknown_client_reject_code = 554
 unknown_hostname_reject_code = 554
 unknown_local_recipient_reject_code = 554
 unknown_relay_recipient_reject_code = 554
 unverified_recipient_reject_code = 554
 smtpd_recipient_restrictions =
     reject_invalid_hostname,
     reject_unknown_recipient_domain,
     reject_unauth_pipelining,
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_unauth_destination,
     reject_rbl_client dsn.rfc-ignorant.org,
     reject_rbl_client dul.dnsbl.sorbs.net,
     reject_rbl_client list.dsbl.org,
     reject_rbl_client sbl-xbl.spamhaus.org,
     reject_rbl_client bl.spamcop.net,
     reject_rbl_client dnsbl.sorbs.net,
     permit

Then restart the Postfix server:

 $ systemctl restart postfix 

The above blacklists are used most often, but you can find other similar servers.
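What a DNSBL check such as reject_rbl_client does on the wire can be shown in a few lines. This is an added example, not code from the article or from Postfix: the client address is reversed, the list's zone is appended, and an A record in 127.0.0.0/8 means the client is listed. The zone dnsbl.example.org and the fake resolver data are constructed so the example runs offline.

```python
import ipaddress
import socket

def dnsbl_query_name(client_ip, zone):
    """Build the DNS name a DNSBL lookup asks for: reversed address + zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")                   # four octets
    else:
        labels = list(ip.exploded.replace(":", ""))   # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone

def check_client(client_ip, zone, resolve=socket.gethostbyname):
    """Return 'listed', 'clean' or 'bad-answer' for one zone."""
    try:
        answer = ipaddress.ip_address(resolve(dnsbl_query_name(client_ip, zone)))
    except socket.gaierror:
        # No A record: not listed. gethostbyname raises the same error on
        # resolver failures, so a production check should tell them apart.
        return "clean"
    # Listing answers live in 127.0.0.0/8. Any other address (for example a
    # wildcard from a zone that no longer serves a list) is not a listing.
    if answer in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "bad-answer"

# Constructed resolver data standing in for real DNS.
FAKE_DNS = {
    "2.0.0.127.dnsbl.example.org": "127.0.0.2",
    "7.113.0.203.dnsbl.example.org": "198.51.100.9",
}

def fake_resolve(name):
    if name not in FAKE_DNS:
        raise socket.gaierror("name not found")
    return FAKE_DNS[name]

if __name__ == "__main__":
    for ip in ("127.0.0.2", "203.0.113.7", "192.0.2.1"):
        print(ip, check_client(ip, "dnsbl.example.org", fake_resolve))
```

The bad-answer case matters when reviewing a list of zones like the one above: a zone that answers every query with an address outside 127.0.0.0/8 is not behaving as a blacklist and should be removed from the configuration.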

SMTP Security


It is best to send SMTP traffic over TLS to protect it from a man-in-the-middle attack.
First you need to generate a certificate and key using the openssl command:

 $ openssl genrsa -des3 -out mail.key
 $ openssl req -new -key mail.key -out mail.csr
 $ cp mail.key mail.key.original
 $ openssl rsa -in mail.key.original -out mail_secure.key
 $ openssl x509 -req -days 365 -in mail.csr -signkey mail_secure.key -out mail_secure.crt
 $ cp mail_secure.crt /etc/postfix/
 $ cp mail_secure.key /etc/postfix/

Then add the following to the Postfix /etc/postfix/main.cf configuration file:

 smtpd_use_tls = yes
 smtpd_tls_cert_file = /etc/postfix/mail_secure.crt
 smtpd_tls_key_file = /etc/postfix/mail_secure.key
 smtp_tls_security_level = may

And finally, you need to restart the Postfix service:

 $ systemctl restart postfix 

Now, when connecting a client to the server, you need to select TLS. The first time you send mail after changing the settings you will see a warning, because the certificate is self-signed.

Basics of POP3 and IMAP Protocols


So, we have established the process of sending and receiving e-mails via SMTP, but the organization of a full-fledged postal service does not end there. Consider the following situations:


In order to accommodate all these special cases, other protocols were created. They can be described as protocols for accessing e-mail.

The two most popular mail access protocols are the POP (Post Office Protocol) and the Internet Message Access Protocol (IMAP).

POP is based on a very simple idea. The central mail server on Linux is always connected to the Internet, it receives and stores letters for all users. All received letters remain in the queue on the server until the user connects to it via the POP protocol and downloads the letters.

When a user wants to send an email, the email client usually sends it through a central server via SMTP.

Please note that the SMTP server and POP server can work on the same machine without any problems. These days it is a common practice.

POP lacks features such as keeping the original copies of user mail on the server while storing only cached copies on the client. This led to the development of the IMAP protocol.

Using IMAP, the server will support three mail access modes:


There are various implementations of IMAP and POP. The Dovecot server is very popular in this area and supports both protocols.

POP3, POP3S, IMAP, and IMAPS servers listen on ports 110, 995, 143, and 993, respectively.

Dovecot installation


Most Linux distributions contain Dovecot pre-installed, however, you can install it yourself. On systems based on Red Hat, this is done like this:

 $ dnf -y install dovecot 

On Debian-based systems, IMAP and POP3 functionality is provided in two different packages:

 $ apt-get -y install dovecot-imapd dovecot-pop3d 

Here you will be prompted to create a self-signed certificate for working with IMAP and POP3 over SSL/TLS. Answer yes and, when prompted, enter the host name of your system.

Then you can start the corresponding service and enable it at boot:

 $ systemctl start dovecot
 $ systemctl enable dovecot

Dovecot setup


The main Dovecot configuration file is located at /etc/dovecot/dovecot.conf. In some Linux distributions, this file is located in the /etc/dovecot/conf.d/ folder, and the include directive is used to pull in configuration files.

Here are some of the parameters used to configure Dovecot.

protocols: protocols to support.

 protocols = imap pop3 lmtp

Here lmtp means Local Mail Transfer Protocol.

listen: the IP address that the server will listen on.

 listen = *, ::

Here, an asterisk means all IPv4 interfaces, a double colon means all IPv6 interfaces.

userdb: user database for authentication.

 userdb {
   driver = pam
 }

mail_location : this is an entry in the /etc/dovecot/conf.d/10-mail.conf file. It looks like this:

 mail_location = mbox:~/mail:INBOX=/var/mail/%u 

Dovecot comes with standard SSL certificates and key files that are used in the /etc/dovecot/conf.d/10-ssl.conf file.

 ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
 ssl_key = </etc/pki/dovecot/private/dovecot.pem

When a user tries to connect to Dovecot, the server will display a warning because the certificates are not signed. If necessary, signed certificates can be purchased at a suitable certificate authority.

Do not forget to open the Dovecot server ports on the firewall.

 $ iptables -A INPUT -p tcp --dport 110 -j ACCEPT
 $ iptables -A INPUT -p tcp --dport 995 -j ACCEPT
 $ iptables -A INPUT -p tcp --dport 143 -j ACCEPT
 $ iptables -A INPUT -p tcp --dport 993 -j ACCEPT

And do not forget about the SMTP port.

 $ iptables -A INPUT -p tcp --dport 25 -j ACCEPT 

Then save the rules. If you want to refresh the memory of the work with iptables in Linux, take a look at this material.
Or, if you are using firewalld, you can do this:

 $ firewall-cmd --permanent --add-port=110/tcp --add-port=995/tcp
 $ firewall-cmd --permanent --add-port=143/tcp --add-port=993/tcp
 $ firewall-cmd --reload

And if something went wrong, look at the log files /var/log/messages, /var/log/maillog, and /var/log/mail.log.

Results


Now you can set up mail service on your Linux server. As you can see, it will not take long. Of course, the packages reviewed here, like Postfix, have a lot of settings, but if you have mastered the sequence of actions described here and sorted out the basics, then everything you need will be easy to find out from the documentation.

Dear readers! How do you set up mail servers on Linux?

Source: https://habr.com/ru/post/325356/

