Linux - Newbie
This Linux forum is for members that are new to Linux.
I've recently set up a forum on my LAMP webserver and now I need something that I can use to send and receive email. The forum should also be able to use this SMTP to send emails. I have a static IP and a domain, which we will call "mydomain.com" for now. All email sent by the forum should appear to be from "info@mydomain.com". This is configurable in the forum settings, but I'd also like to have an inbox for this address, should someone decide to reply.
Since setting up a mail server is rather a new topic to me, I thought I'd first consider the possibilities and later ask some technical questions, however, I do need some suggestions here.
You have two common choices - sendmail and postfix. I've installed both, and now only recommend postfix. Postfix is just so much easier to configure and maintain. Sendmail has many fans, and to them I tip my hat. It is too much like hard work for me.
Yeah, postfix was my primary choice. The fact is I've already installed it, but I'm currently stuck at its configuration. I do have some technical questions about postfix and stuff, but I'll ask those a bit later.
Suppose I wish to access my mail server by using a webmail (eg. mail.mydomain.com, port 80). I figured this should be easy to set up since I'm already running LAMP. The question I have is what software packages do I have to install and configure to run webmail along with postfix?
I don't actually have any problems with postfix *yet*, I'm rather unsure how to properly configure it. I was going to make a new thread about this, but probably won't hurt to ask in here. I do have some rather newbie questions. Let me brainstorm them...
Could you list a few webmail clients for me?
The webmail and the applications on the server will be the only things to use the email service. Should I be worried about security? Do I need to setup sasl?
I take it I have to open port 25 to receive mail from internet. If true, then anyone will be able to telnet to that port and freely do all kinds of stuff. How do I prevent that?
Are courier-imap/pop needed to access the mail via webmail?
I've noticed postfix will automatically drop any email into /home/(username)/maildir. So technically someone can write mails to any linux user by specifying his name in the email like (username)@mydomain.com. Is there a way I can limit this to only certain users that I handpick? How?
There, I hope those aren't too much fuss to answer.
Regards
Web email clients: Squirrelmail (I like best), Horde and Neomail
Security: You should look into a self-signed SSL cert if you don't want to shell out the $20 to buy one and you're concerned. I buy the $20/year one because I like it being recognized in my mail clients (Thunderbird/Outlook) without hassle. There is a company that offers SSL certs for free, but the name escapes me at the moment.
Port 25: Yes, you'll have to use port 25 for mail, but chances are your ISP will block mail traffic out of the network or you'll need to connect to another server that sends mail for the network (aka smarthost). If you have this issue (like on comcast's network) just use their SMTP server. You shouldn't need a user/pass to send mail through it because your IP will be recognized as coming from inside the network. (This is what I do for my home server)
Courier: Yes, you'll need to setup courier or something for your webmail to connect to.
Email Routing: You should be able to control this with the valiases file (/etc/valiases/whateverdomain.com). If you don't want to receive mail for a user you can set it to fail (and bounce) or /dev/null and go to never-never land. (I'm sure there is a better way, but this is all I know.)
Take these with a grain of salt; I'm a n00b at this too.
BTW, I use exim instead of sendmail and it works ok. The config is pretty easy.
Webmail clients:
Found a nice page that lists some of the webmail clients. I will compare their features in the future, but I'll probably go for Squirrelmail anyhow. http://en.wikipedia.org/wiki/Compari...e-mail_clients
Security:
Your suggestion about certificates makes sense. I've read part of some tutorial about setting up sasl for postfix and making a certificate with OpenSSL (ssl command), but that's as far as I got. I'm afraid I don't quite understand the concept of sasl. Where exactly is sasl used? Like is it used when my board (on localhost) connects to the mail service via SMTP (on localhost), or when my mail service (MTA) on mydomain.com connects with another MTA such as gmail?
Port 25:
My ISP does not seem to block this port. I have successfully configured postfix to send/receive mail. I was able to receive an email sent by my gmail account as well as send an email back by using the board mail. However, for some reason gmail decided to put this email into spambox.
Courier: Huh? Are you serious about this? I always thought imap/pop were only necessary when using MUA's (Thunderbird, Outlook). I do not plan to use those, a webmail should suffice.
Routing: I'm not sure if this solution is a proper one. It effectively means that an admin will always have to make new aliases when a new user account appears on the system. I was hoping for something like allow/deny table eg. allow (username), deny everything else.
Security:
The SSL is used between the server and client. (i.e. mail.yourdomain.com and thunderbird). I don't think there is any way to use it to send email to other servers; in theory, these servers would have to support the protocol to accept mail. This is why PGP exists to encrypt messages. I needed a SSL cert to connect to send mail (exim) and receive mail (courier). Both services needed to know where the key and the crt file were to serve SSL/TLS connections.
Port 25:
Gmail marked it as spam because your IP is blacklisted (or grey-listed or whatever). Gmail can tell if your IP is within a certain block, like IPs that are issued for home use from your ISP. A lot of spam gets sent this way, so most mailservers mark it as spam since it's not a "real/known" email server.
Courier: I could be wrong, but I'm pretty sure squirrelmail (and other webmail apps) need to connect to a server just like any other MUA. Of course, I've really only used Squirrelmail. Horde or something could be different.
From Squirrelmail's site:
Quote:
There are only two requirements for SquirrelMail:
A web server with PHP installed. PHP needs to be at least 4.1.0.
Access to an IMAP server which supports IMAP 4 rev 1.
Looks like you need IMAP for squirrelmail.
Routing: If you have alias emails, then this is usually controlled at the mailserver level (courier will do this, but I forget where the config is). But even if you have an alias, there is a "real" user on the server the account is tied to. So, Rick might be a "real" user on the server and have his own directory (/home/rick/mail). Rick's email is rick@home.net. Rick could have a virtual user under him - Bobby. His email is bobby@home.net, but Bobby doesn't have a shell account. Bobby's email is actually stored under Rick's home directory.
Like this:
Code:
rick@home.net [~/mail]# ls -l
total 1944
drwxrwx--- 14 rick rick 4096 Feb 13 15:23 ./
drwx--x--x 32 rick rick 4096 Apr 7 09:42 ../
drwx------ 6 rick rick 4096 Jan 14 2007 .Drafts/
drwx------ 6 rick rick 4096 Jan 14 2007 .Sent/
drwx------ 6 rick rick 4096 Jan 14 2007 .Trash/
lrwxrwxrwx 1 rick rick 14 Feb 7 18:01 .bill\@home_com -> home.net/bill/
lrwxrwxrwx 1 rick rick 15 Nov 25 03:08 .alice\@home_com -> home.net/alice/
lrwxrwxrwx 1 rick rick 14 Nov 25 03:09 .bobby\@home_com -> home.net/bobby/
drwxr-x--- 11 rick rick 4096 Feb 13 15:23 home.net/
drwxr-xr-x 2 rick rick 4096 Jan 15 2007 courierimaphieracl/
drwxr-xr-x 2 rick rick 4096 Jan 14 2007 courierimaphieracl_bak/
drwxrwx--- 2 rick rick 442368 Apr 7 11:45 courierimapkeywords/
-rw-r--r-- 1 rick rick 42 Nov 26 16:27 courierimapsubscribed
-rw-r--r-- 1 rick rick 434573 Apr 7 11:35 courierimapuiddb
-rw-r--r-- 1 rick rick 182321 Mar 22 2007 courierpop3dsizelist
drwx------ 2 rick rick 839680 Apr 7 11:48 cur/
drwx--x--- 2 rick rick 4096 Jan 15 2007 mail.home.net/
-rw------- 1 rick rick 1425 Apr 7 11:35 maildirsize
drwx------ 2 rick rick 16384 Apr 7 11:35 new/
drwx--x--- 2 rick rick 4096 Jan 15 2007 proxy.home.net/
drwx------ 2 rick rick 4096 Apr 7 12:21 tmp/
Bill, Bobby and Alice are all virtual users under rick's account. None of them have a shell account on the server. proxy.home.net holds accounts for users with the *@proxy.home.net emails.
When rick logs in to the server, he doesn't really need the "@home.net" as part of his username; bobby, alice and bill will need the "@home.net" part so the server knows where to find the mail. In fact, if there is another domain that points to that server, Rick can receive mail to it as well (rick@hishouse.org). Rick is a real user, so the server knows that mail is in his home directory. When Rick logs in he can also see everyone else's mail because the folders are under his mail folder and he has permissions to them.
I dunno. Hope that helps some. Cpanel helps me figure out all this, otherwise I'd be pretty lost.
Security:
Okay. So if I understand correctly, I, technically, do not have to setup sasl because all the things that use this mail service (via SMTP) are also located on the same computer (localhost). And since webmail uses apache, I can easily route it over https.
Still, I'm not quite convinced about port 25 security. When I telnet to my port 25 from outside, it returns this line "220 mydomain.com ESMTP Postfix (Ubuntu)" and then I can enter whatever command I want. I'm a bit worried about this behavior. I mean, shouldn't there be at least some kind of username/password before someone can enter commands like that? My personal favorite would be totally disabling telnet access to this port, but still allowing incoming mail.
Courier:
Oh, well. I guess I'm into installing imap then.
Routing:
Yeah, I understand this situation, but I was talking about a bit different scenario.
Suppose there are two shell accounts present. Bill and Bobby. These users both have their own mail accounts on the server. And mister Joe is very happy because he can use his gmail account to email both employees by using their names as part of the email address (billy@mydomain.com and bobby@mydomain.com respectively). However, one day Alice appears in the office for just a few days. She has been given her shell account, but isn't supposed to receive any mail directed to her. Even if mister Joe emails her to alice@mydomain.com, he will get a delivery error, telling him that no such account exists. This is because the system is configured to block all mail directed to all users, who are not on the allowed list, regardless whether a shell account with the same name actually exists on the system.
So the question is how do I configure it like that. Let's say I want people to be able to mail me at info@mydomain.com. I also have my account called "origy" on the system, but I don't want any users to be able to email me to origy@mydomain.com. Instead, they should receive the same delivery error. That also goes for all the shell accounts that I get to create in the future. They should be blocked automatically, unless I add them to the allowed list.
Sorry, the only way I know how to do that is by the /etc/valiases file for that domain. If I wanted info and not origy then I would edit the /etc/valiases/mydomain.com file and put this in there:
Code:
info@mydomain.com: whateverlocalusername
origy@mydomain.com: :fail: no such user
mike@mydomain.com: mikeylikesit@yahoo.com
# Everything else fails (or name a local user account here instead to make a catch-all address)
*: :fail: no such user
Emails to info@mydomain.com will get delivered to a local user (whichever one you put there).
Emails to origy@mydomain.com will bounce and reply with a "no such user".
You can't enter "any command you like" on port 25. You can only enter SMTP data and if you enter anything else then Postfix will reject it as a bad command. Hackers can't easily (if at all) take control of your server via port 25. Postfix is a mature product and not prone to many vulnerabilities.
Test it out with your ISP. Use "telnet mail.your.isp.com 25" and see what you can do - not much is the answer. You can send an email, but that's about all. So chill about having port 25 open - it's not like you're running Exchange!!!
For what it's worth, I use Postfix, Cyrus-IMAP and SquirrelMail, but I'm thinking of replacing Cyrus with Dovecot.
Last edited by blacky_5251; 04-07-2008 at 03:34 PM.
blacky_5251: Haha, well perhaps I wasn't being too clear with "any command I want". I meant SMTP commands, yeah. I wasn't quite concerned about hackers actually taking over the server via port 25, I just wanted to disallow random people from telnetting to that port and freely using the service. :s
My ISP blocks telnet on their mail server, port 25.
3rods: Interesting, I'll try that out.
Well I've definitely learned a lot in this thread and now I can happily go back to configuring my server with much greater confidence. Thank you both for your time.
There are steps you need to take to protect port 25 from being used as a relay. Specify the "mynetworks" option. This parameter specifies the list of networks that are local to this machine. The list is used by the anti-UCE software to distinguish local clients from strangers. See permit_mynetworks and smtpd_recipient_restrictions in the SMTP configuration.
The default is a list of all networks attached to the machine: a complete class A network (X.0.0.0/8), a complete class B network (X.X.0.0/16), and so on. If you want stricter control, specify a list of network/mask patterns, where the mask specifies the number of bits in the network part of a host address. You can also specify the absolute pathname of a pattern file instead of listing the patterns here.
While port 25 is open, outsiders should only be able to deliver mail to your recipients.
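Added example, not part of any post in this thread and not taken from the poster's server: a Postfix main.cf fragment showing the relay controls named in the last post, with a recipient allow-list for the earlier question about accepting mail only for handpicked users. The loopback-only mynetworks value, the mydestination list and the table path /etc/postfix/local_recipients are assumptions for a single host that runs the forum and webmail locally.

```conf
# /etc/postfix/main.cf (fragment) -- constructed example; the table path and
# the loopback-only trust are assumptions for a single-host setup.

# Weak: trusts every client in the same class A/B/C network as this machine,
# so all of those hosts are allowed to relay mail through the server.
#mynetworks_style = class

# Hardened: only the machine itself is a trusted client. The forum and the
# webmail run on this host and hand mail to Postfix over loopback.
mynetworks = 127.0.0.0/8 [::1]/128

# Domains for which this server is the final destination.
mydestination = mydomain.com, localhost

# Trusted clients may send anywhere. Strangers connecting to port 25 may only
# deliver to domains the server is responsible for; reject_unauth_destination
# is the rule that prevents open relaying.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Recipient allow-list: only names found in this table are accepted for local
# delivery. Any other name, including one that matches a shell account, is
# rejected during the SMTP session ("User unknown in local recipient table").
local_recipient_maps = hash:/etc/postfix/local_recipients

# Contents of /etc/postfix/local_recipients (the right-hand value is ignored;
# only the presence of the key matters):
#
#   info    x
#
# Build the lookup table and apply the change:
#
#   postmap /etc/postfix/local_recipients
#   postfix check && postfix reload
```

`postconf -n` lists the non-default settings actually in effect, which is a quick way to confirm that mynetworks and local_recipient_maps were picked up after the reload.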