I was given the task of setting up a server at work. I have some questions that I'm hoping somebody here will be able and willing to help me out with. I'm by no means a linux newbie, I've used unix before, and have no aversion to reading, but this is the first time I'm going to be doing a public server and I want to be sure to get it as right as I can. Further, much of the documentation I'm finding assumes that you're either a blithering idiot or know everything about the item being discussed. I'm including all the history now and am planning on adding questions as I run into trouble so this history doesn't have to be repeated.



What I Need To Do:

Run a web server to serve up web pages on a variety of domain names. All pages will most likely be identical, though customized pages for each domain would be nice. (I've used Apache before on internal web servers and will probably go this way again.)

Provide e-mail services for ~100 users initially, most likely growing to ~1000 in the semi-near future. These users have different domains, though all of them resolve to the same IP. (Originally planning on using sendmail, though the security HOWTO referenced under 'What I've Done' below suggests using Postfix/Courrier/Procmail, so now I'm leaning that way. I'm not sure if I should go with POP, IMAP, or both for incoming mail. SMTP will be used for outbound.)

Be certain that the SMTP server cannot be used by people who aren't supposed to be. (I'm initially planning on a combination of SMTP AUTH and pop-before-smtp to accomplish this. I'm also considering running SMTP over SSL/TLS to secure communications and on a non-standard port number to obscure things a bit.)

Have user@domain.com have various aliases. (Basically so people can market whatever username they think will be remembered best - firstname@domain.com, firstname_lastname@domain.com, firstname.lastname@domain.com, lastname@domain.com, etc.)

Provide a webmail interface for users to utilize when not at their regular workstation. (Leaning toward SquirrelMail at this point.)

Allow users connected to this server via a second ethernet card to connect to the internet via the public internet connection connected to the onboard ethernet card. (This is the provide a WiFi hotspot for our customers to use. I've done this exact thing in-house with Linux before, called IP Masquerading.)

Allow administration to take place ONLY from the console or a machine with a specific IP on a third network card. Likewise provide this user (me) with access to the internet, though this last point is not absolutely required. (This is so I don't have to balance a laptop on a chair next to the rack in the basement to administer the machine. It'd be nice to have a separate network drop in my office that I could just plug into and be connected to the server.)

Provide a directory of e-mail addresses to people using the SMTP server. Do not allow people without an e-mail address to access said directory. (I think this is referred to as LDAP, but I don't see any method to authenticate built into client programs like Thunderbird...) This is not strictly required, but would be very nice.

Virus filtering on incoming messages for all users at all domains. (Combination of Amavis & ClamAV?)

Spam filtering on incoming messages, but only for select users. (SpamAssassin?)

DNS lookups maybe? (GoDaddy has a manager where they'll manage the IPs for me, but the dude I talked to on the phone said that most people like to run their own DNS servers so that everything is in-house. I looked at setting up BIND long ago at my home, but got very confused by the config files.)

Have this machine be as impenetrable as possible.




What I've Done So Far:

Read one hell of a lot of documentation. Understood only about 3/4 of what I've read. Gotten really confused over the last 1/4...

Put together a box with 2 PCI network cards in addition to the one built into the motherboard. Used an AMD 2200+, a gig of RAM, and 400 gig HDD.

Transferred a fax line to AT&T so I can get DSL with a static IP on it. (Still waiting on them.)

Set up PPPoE as far as I can without a functional connection.

Registered several domain names via GoDaddy, which I'm intending to point at this machine once I get the connection working.

Installed FreeBSD 7 and updated the port system.

Set up a software RAID so the 400 gig drive is mirrored to an identical drive.

Installed WebMin and configured it to only accept connections from a specific IP.

I've done much of the configuration/lockdown as described here. I'm up to the 'Installing and configuring Mail services' section




My Questions:

I've set up apache before and find it relatively simple. Is it possible for Apache to serve up pages from different directories based on the domain name being visited? If so, how?

I've done IP masquerading before in Linux, but never in FreeBSD. I've found references online and have followed them, but do not yet know if it works because my ISP line isn't active yet. I'm doubting if they do because there's SO little configuration involved. Has anybody done this before? Are there any caveats or pitfalls that I should watch out for?

OpenLDAP looks like what I need in the line of an e-mail directory. Is this correct? If so, how do I control access to it??? I've looked through the docs and see that they have a permission system, but don't understand it and how the client authenticates. Mozilla Thunderbird has fields for Name, Hostname, Base DN, Port, Bind DN, and SSL in the LDAP server definition- no username or password. Is the e-mail address/password used for this purpose?

Would Postfix/Courrier/Procmail be a good platform to base an e-mail system on? Are there any configurations that I need to do to enable the aforementioned directory at a base level or can I set up e-mail and then add the directory later on without too much trouble?





Like I stated above, I expect to have more questions once I get the connection active. Right now, I need to know if I'm heading in the right direction or not. (I don't want to set up e-mail, then discover that I have to start over if I want an e-mail directory or something similar.) I appreciate any advice, comments, pointers, etc.

My Questions:

I've set up apache before and find it relatively simple. Is it possible for Apache to serve up pages from differen
t directories based on the domain name being visited? If so, how?


Read the apache docs on virtual hosts.



I've done IP masquerading before in Linux, but never in FreeBSD. I've found references online and have followed them, but do not yet know if it works because my ISP line isn't active yet. I'm doubting if they do because there's SO little configuration involved. Has anybody done this before? Are there any caveats or pitfalls that I should watch out for?


Are you using openBSD's pf? It is pretty simple. They have an online doc at http://www.openbsd.org/faq/pf/



OpenLDAP looks like what I need in the line of an e-mail directory. Is this correct? If so, how do I control access to it??? I've looked through the docs and see that they have a permission system, but don't understand it and how the client authenticates. Mozilla Thunderbird has fields for Name, Hostname, Base DN, Port, Bind DN, and SSL in the LDAP server definition- no username or password. Is the e-mail address/password used for this purpose?


Most if not all will have read access to the directory, except the password. It should create an admin for you upon install, if I remember right.




Would Postfix/Courrier/Procmail be a good platform to base an e-mail system on? Are there any configurations that I need to do to enable the aforementioned directory at a base level or can I set up e-mail and then add the directory later on without too much trouble?


Never made email work with ldap, but I know postfix is a good choice. Their site has great and easy to follow docs.

Thank you for the tip - I'll google for that topic and see what I can turn up. (I didn't even know if it was possible, much less the name for the feature.)


I went with FreeBSD for the operating system. Does it have this same packet filter in it? If so, is there anything special I need to do to enable it? Also, are the setups generally the same for both Open and Free variants of BSD? (Now that I know it's done through the packet filter, I can google that too. The Linux box I set up with masquerading in the past used the iptables firewall.)


So if I set up an LDAP directory, there's no mechanism in place to secure it to allow access to only people I want accessing it? (I can only imagine the spam that would result if this is the case. If true, I think I'll scratch it off my list of features to use this machine for.)


[/quote]

Thanks for the input. One more question related to this - is LDAP something integrated with e-mail or a separate piece? I'm viewing it as something that looks at what users have accounts in the system and publishes such information so that e-mail users can send messages to other users on the system without having to remember their e-mail addresses. Is this an incorrect perspective?


Again, thank you for the reply. Even pointers to the right documentation are very helpful to me at this point.

Yeah, they ported PF to FreeBSD.

You can secure openldap the way you want, it will just take some more doing. Check out the site's docs. They explain access control.

LDAP is a separate service, but postfix has support for it.

I've read a lot of stuff on their site related to this, but do not understand how one can control access based on user when the client doesn't have a place for a username or password in the LDAP configuration. I know that I've got to be missing something fundamental here...


I don't understand why an e-mail application would need support for a directory. E-mails arrive and are sent out by the MTA and when somebody wants to address a message, they look in the LDAP directory. What's the relationship between the two that I'm missing?



Again, thank you for bearing with me through all my (what I'm sure seems to you to be simplistic) questions.

I'm not familiar with openldap. My experience is with Sun's directory server. With that there is a uid and password attribute. You bind to the directory server by supplying the users full dn. An example of that would be

uid=myuid,ou=users,dc=example,dc=com

the ou is the organizational unit that the user belongs to. That is usually somethin you create. Ldap can be confusing at first, but you just have to start using it and trying different things to get the hang of it.

Postfix does not need ldap, but it does need somewhere to store the users that can receive mail. By default it is the passwd file. If ldap is going to be your primary repository for user information, than you would want to use that.

Basically you use ldap to store user information. This means that the MTA queries the directory to check user credentials, etc.

You can use ldap as an address book as well, but don't confuse the concept of ldap with the uses. One server can perform more than one function, so it could be a user directory and an address book.

Note that if you want to use ldap as an address book, most mail clients won't be able to write to it and will have readonly access

OK, I think I'm going to forgo the LDAP for now for the simple reason that I just plain do not understand the security functions. The only reason I want to use it is to provide employees a directory of all the other employees and their addresses anyways - not a critical feature. Maybe I'll re-visit it after everything else is working and I have time to play. Thanks for the input guys - I appreciate it.



I do have another question, this time regarding SMTP security.

Since my original post, I've gotten more headaches than you'd believe, but have also made much progress and learned an awful lot. I've gotten postfix installed and configured. I also installed and got working BIND for DNS lookups. (I then fixed BIND to *really* work, not just look like it is... ) I have courier-imap installed and working for both IMAP & POP access and for SSL/TLS/unsecured logins for both. Haven't done anything with webmail yet; planning on installing SquirrelMail after I get everything else mail-related fully functional so things aren't changing underneath it. I've got outgoing SMTP relaying working and am checking RBLs (spamcop and spamhaus) to block known spam sources from using the SMTP server. I've got Postfix configured to drop executable attachments completely and also plan on configuring Postfix to screen known subject lines for spam and drop them before they get to procmail. The plan is to have procmail utilize a combination of ClamAV (for everybody) and SpamAssassin (for specific users) to further eliminate crappy mail from getting through to my users. I'm currently looking at locking down the SMTP functionality to only people who are authorized to use it.

I found reference while searching to pop-before-smtp and SMTP AUTH mechanisms to accomplish this objective. I originally thought of using both of them in combination (Cyrus SASL with pop-before-smtp.pl), and it seems as though this is not an unusual configuration and doesn't pose any trouble doing. I do have a question about the SMTP AUTH feature though that I'm hopeful somebody who's done it will know right off the top of their head.

Are there any client-side configuration changes that need to be made for SMTP AUTH? Most clients are using Mozilla Thunderbird, but there are also a few iPhones and probably some people who'll insist on using M$ Outlook in the future.



Additionally, has anybody required the use of SSL/TLS for POP/IMAP server communication security? Are there any major trouble spots to overcome with not allowing unencrypted logins, especially in view of the client mix just listed?



Finally, does the plan I've laid out above sound like a solid one to the more experienced mail server admins? Am I missing anything that you can see? Is anything I'm planning likely to pose problems in the future?



Again, I really appreciate the time and effort everybody who has responded has put into helping me.

You shouldn't need pop before smtp, it's pretty much outdated. Stick with smtp auth (see saslauth).

Squirrelmail is a breeze to install. Install it, then run conf.pl (do a search for the correct location for your installation) to set up a couple of basic server preferences, and you're done.

I don't know anything about iPhones, but in terms of Thunderbird, Outlook and TLS, it's not too much trouble. There are some good howtos around for getting your certificates in the correct format for the client (from memory Outlook wants a p12 certificate).

On the client side for saslauth, all you should need to do is tick the relevant checkbox. The only issue I've come across is some clients don't store the smtp password except in a keyring, which can mean you need to enter the password once per session. I'm sure you can get around this, but since I only use mail clients on the internal network, I don't worry about plaintext passwords too much. You could think about requiring authorization only for external clients.

Another way to use clamav and spamassassin is to use amavisd-new, which avoids the procmail route. Not sure about per-user spamassassin filtering that way though.

It might be a good thing you said that. After I posted the last message, I installed and tried using pop-before-smtp and wound up with the following errors whenever trying to send mail. I googled around and found that postfix is expecting a different version of a database than the file is. (Assuming my problem is the same as another dude had happen...) There was no solution that I was able to find. Even going with SMTP AUTH, I really wouldn't mind having this as an extra layer of security. (If one method fails or was compromised for whatever reason, there's a backup system in place.) Anybody have ideas as to how to fix this issue?

Examining the data file:
***edit - I just checked main.cf.db and it reports the same as pop-before-smtp.db, so that's probably out as a reason for this error. Any ideas?***


I did generate a certificate for both POP and IMAP with the company name, server name, location, etc, in it. When I check mail with TLS/SSL enabled, I'm asked if I want to accept the certificate because the source couldn't be verified as a trusted source. Is this normal or is there a server-based way to stop client machines from asking this? In my view, the less I have to touch each and every machine, the better. (Though I have to set up the e-mail accounts anyways, so it's not a big deal if I do have to do something to every client.)


How would one set up something like this? Probably 98+% of the e-mail is going to be coming from known static IP addresses. The only ones that wouldn't be would be when people send mail from home, from their blackberry/iPhone/etc.


I built procmail and integrated it with Postfix, but that's a 1-liner in a config file and easy enough to remove. I'm going to look at amavisd-new and from what I've read on their homepage, probably go that way instead. (Assuming I can figure out how to set it up! ) Thank you very much for the tip.

Nevermind about the problems with pop-before-smtp. I don't know what changed, but it's now working. (I both love it and hate it when stuff does that - love it because it's working and hate it because I have no idea how to make it work again if it breaks.) I'm going to simply comment out the pop-before-smtp check line in main.cf until I get everything else working so that there's 0 chance of it interfering with something else.


I've been trying to make TLS work and have been having issues, but am continuing to plug away at it. Client says that the server is not issuing a STARTTLS command in the EHLO statement, but I've set the following options in main.cf:


The authentication isn't really doing anything either. I have the following set in main.cf, but I can still send whether having the 'use username/password' box checked or not.

LOL - this is actually approaching the funny stage.

I commented out everything except the stuff related to authentication - no pop-before-smtp, no permit mynetworks. The only permit line in the smtpd_recipient_restrictions section of main.cf is permit smtpd_sasl_authenticated; every other line is a reject. I uncommented the authentication part and tried sending and.... it wouldn't let me! Hey, at least it's working and not allowing me to send unauthenticated. I tick the 'use username/password' under mozilla's smtp server options and it's now asking me for a password. I tried the password for said account several times, but it keeps asking for the password over and over again.

Hey, I'm making progress! (Even if I don't know how... )

Yes, but mail clients will allow you to import a certificate "permanently" so that this doesn't happen. You'll have to search that one I'm afraid.

It's all in mynetworks - trusted IPs go there.

Hint - bad mynetworks setting = no mail going anywhere.

Should be something like

Can you post the output of

postconf -n

and any relevant sections from your logs

Did you see http://postfix.state-of-mind.de/patr...tter/smtpauth/ which is listed on the postfix howto site?

Also, check saslauthd is running when you try to authenticate.

Thanks for all the information and advice BillyMayDay. I had found the document you linked to on the Postfix site, but went on to the next one because that's based on postfix 1.x and I'm using 2.5.

I did figure out why I wasn't able to check mail using SMTP AUTH. (At least I think I did, I didn't fix it because of the following.) Two reasons really. First, as the last line of your post indicated, saslauthd wasn't running. (I was unaware that it required a separate daemon for authentication over an encrypted link. I thought that building Postfix with TLS support would be enough to have Postfix transparently handle encryption.) Secondly, the user wasn't found in the sasl database according to /var/log/maillog. (Again, I didn't know that two separate copies of user credentials were needed.) I started poking around and found more useful information on authentication/encryption than I have in the past.



Unless there's a compelling reason to not do this, I think I'm going to drop SMTP AUTH and TLS from the list of stuff to make this mail server do. I don't want to do a cobble-job on it, but I can also foresee myself being pulled 18 different ways trying to support different mail clients. (One of the documents I found here was a list of clients that support SMTP AUTH and what *types* of SMTP AUTH each supports. (I didn't know there were different types. Did I mention that I knew squat about mail servers before this started? ) There's also the fact that user login name/password would need to be added in one more place; currently when an employee is hired, I need to add them in 5 places for different systems. The last thing I need is another place to remember to add them to.

I also found an 11-page document on how to create a self-signed SSL certificate here, but it also said that I would have to distribute and import said certificate into each and every client. I'm thinking that with BlackBerry devices, iPhones, various types of e-mail client software that people insist upon using, along with whatever new bleeding-edge cell phone the boss decides to get next (he was getting about 3/year for a while), trying to figure out how to make each work with AUTH/TLS (if even possible) would be a major headache.



In your opinion, would dropping TLS and SMTP AUTH/SASL and using pop-before-smtp as a method of securing who can/cannot send mail be a major detriment to the security/performance of a mail server? (And yeah, I realize that this is the chicken's/easy way out...

It's important to realise that authentication and encryption are two entirely different concepts. Authentication is what it says - validating the user. Encryption means no one else can read your traffic. You can use the two together, but they are nothing like the same thing.

On that, you need some form of athentication or you will be an open relay if you allow users to send mail from the outside world. If you don't fix that, expect to be blacklisted pronto. If the devices you are using have fixed IP's, you don't need to authenticate - you can add them to a list of acceptable senders.

Part of the authentication process is sending usernmes and passwords for validation. This is pretty obviously soimething you don't want done in plain text over the internet, and this is why you use TLS. I'd say fro a security standpoint that you really need to protect this information.