Andy's Debian Sarge Virtual Mail Server Howto: Part Two

This HOWTO is now considered deprecated and is no longer supported.

For up to date HOWTOs see my Debian Wiki index page.

Introduction

During the first part of this howto, we set up Postfix with mySQL virtual users to send and receive email via SMTP. We also configured Courier for IMAP and POP3 connections.

Now we will add support for server side filtering using Maildrop, which is of particular use to IMAP users. We will also add anti-spam and anti-virus filtering through Amavisd-new, using Spam Assassin and ClamAV, and the Squirrel Mail web-mail system.

Maildrop

We need to compile Maildrop from source, because neither of the Debian packages has support for both mySQL and the Maildir++ quota extension built in.

We are going to use Maildrop version 1.6.3, because later versions replace direct mySQL support with Courier authlib support, which I haven't been able to get working right yet.

In order to successfully compile Maildrop you will need to begin by installing the packages shown below:

# aptitude install libmysqlclient10-dev
# aptitude install make binutils gcc cpp

Now proceed to download and extract the Maildrop 1.6.3 source code.

# wget http://jaist.dl.sourceforge.net/sourceforge/courier/maildrop.1.6.3.tar.bz2
# tar jxvf maildrop.1.6.3.tar.bz2

From within the extracted source directory, configure the source, enabling support for mySQL and the Maildir++ quota extension:

# ./configure --enable-syslog=1 --enable-maildropmysql --with-mysqlconfig=/etc/maildropmysql.config --without-db --enable-maildirquota

Then build and install Maildrop:

# make
# make install-strip
# make install-man

Now we need to enable support within Postfix for Maildrop as a local delivery agent, or transport as Postfix calls it. If you used the example master.cf file when configuring Postfix then Maildrop should already be enabled. Note the w parameter, which controls at what percentage of an account's storage capacity a warning email is sent to the account.

# ee /etc/postfix/master.cf
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -w 75 -d ${recipient}

Then create the warning message to be sent, using the example below and modifying it as necessary.

# mkdir /usr/local/etc
# ee /usr/local/etc/quotawarnmsg
From: postmaster@domain.tld
Reply-To: postmaster@domain.tld
To: User: user;
Subject: Mail Quota Warning - Account Usage at More Than 75%
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Dear User,

Your mailbox on the server is now at more than 75% capacity.

So that you can continue to receive email, you need to remove some messages
from the mailbox. We suggest that you:

      * download old messages you want to keep to your "local folders"
      * empty your spam folder

Please note that if your account has insufficient spare capacity to hold
a message sent to you, then the message will be returned to its sender.

Yours Sincerely,

      The Postmaster
      postmaster@domain.tld
# chown root:vmail /usr/local/etc/quotawarnmsg
# chmod 640 /usr/local/etc/quotawarnmsg

Create the file that tells Maildrop how to look up virtual domain and user details from your mySQL database.

# ee /etc/maildropmysql.config
hostname localhost
port 3306
database postfix
dbuser postfix
dbpw password
dbtable mailbox
uid_field username
# default_uidnumber '1004'
# default_gidnumber '1004'
uidnumber_field '1004'
gidnumber_field '1004'
homedirectory_field concat('/var/vmail/',maildir)
maildir_field 'Maildir/'
# quota_field quota
quota_field concat(quota,'S')
mailstatus_field active

Set permissions to protect your database password.

# chown root:vmail /etc/maildropmysql.config
# chmod 640 /etc/maildropmysql.config
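
Added example (not part of the original howto): how a Maildir++ quota string such as the one produced by quota_field concat(quota,'S') is accounted for in the maildirsize file that the quota extension keeps in each Maildir, and when the 75% warning and a returned message would occur. The sample file contents and the at-or-above comparison for the threshold are assumptions made for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One Maildir++ quota term: digits followed by S (bytes) or C (message count).
TERM = re.compile(r"^(\d+)([SC])$")


@dataclass
class Quota:
    max_bytes: int       # 0 means no size limit
    max_count: int       # 0 means no message-count limit
    used_bytes: int = 0
    used_count: int = 0

    def percent_full(self) -> float:
        """Highest utilisation across whichever limits are set."""
        ratios = []
        if self.max_bytes:
            ratios.append(100.0 * self.used_bytes / self.max_bytes)
        if self.max_count:
            ratios.append(100.0 * self.used_count / self.max_count)
        return max(ratios, default=0.0)

    def would_exceed(self, message_bytes: int) -> bool:
        """True if storing one more message of this size breaks a limit."""
        over_size = bool(self.max_bytes) and (
            self.used_bytes + message_bytes > self.max_bytes)
        over_count = bool(self.max_count) and (
            self.used_count + 1 > self.max_count)
        return over_size or over_count


def parse_quota_spec(spec: str) -> tuple[int, int]:
    """Parse '10485760S' or '10485760S,1000C' into (max_bytes, max_count)."""
    limits = {"S": 0, "C": 0}
    for term in spec.strip().split(","):
        match = TERM.match(term.strip())
        if not match:
            raise ValueError(f"bad quota term: {term!r}")
        limits[match.group(2)] = int(match.group(1))
    return limits["S"], limits["C"]


def parse_maildirsize(text: str) -> Quota:
    """First line is the quota spec; every later line is '<bytes> <count>'."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty maildirsize file")
    max_bytes, max_count = parse_quota_spec(lines[0])
    used_bytes = used_count = 0
    for ln in lines[1:]:
        # Unpacking raises ValueError if a line is not exactly two integers.
        size, count = (int(field) for field in ln.split())
        used_bytes += size
        used_count += count
    # Deletions are logged as negative entries; never report a negative total.
    return Quota(max_bytes, max_count, max(used_bytes, 0), max(used_count, 0))


def needs_warning(quota: Quota, threshold_percent: int = 75) -> bool:
    # Assumption: usage at or above the threshold triggers the warning mail.
    return quota.percent_full() >= threshold_percent


# Constructed sample: a 10 MiB quota, one bulk entry and one deletion.
SAMPLE = """10485760S
8388608 134
-262144 -3
"""

if __name__ == "__main__":
    q = parse_maildirsize(SAMPLE)
    print(f"{q.used_bytes} of {q.max_bytes} bytes, {q.percent_full():.1f}% full")
    print("send quota warning:", needs_warning(q))
    print("3 MiB message would be returned:", q.would_exceed(3 * 1024 * 1024))
```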

Maildrop can use both a global script and a per-user script to control delivery. You need to include the per-user script from the global script. Create a simple global script using the example. Note that per-user scripts will be dealt with using a plugin for Squirrel Mail, to be installed later.

# ee /etc/maildroprc
# where to log to
logfile "/var/log/maildrop.log"

# default delivery
MAILDIR=$HOME/Maildir/

# spam to spam folder
# if (/.*X-Spam-Flag\: YES/:h)
# {
# to "$MAILDIR/.Spam/"
# }

# import per-user filter rules
include $HOME/.mailfilter

Set permissions, and create the log file.

# chown root:vmail /etc/maildroprc
# chmod 640 /etc/maildroprc
# touch /var/log/maildrop.log
# chown vmail:vmail /var/log/maildrop.log
# chmod 600 /var/log/maildrop.log

You should now be able to use Maildrop as a local delivery agent, by setting the transport for a domain to maildrop: in Postfix Admin. Test Postfix again as you did previously.

Finally, add the maildrop log file to be rotated.

# ee /etc/logrotate.d/maildrop
/var/log/maildrop.log {
  daily
  missingok
  rotate 7
  compress
  delaycompress
  create 600 vmail vmail
}

Amavisd-new, Clamav & Spamassassin

Amavisd-new is a wrapper that supports many virus scanners (we will use the popular and free ClamAV), and also Spam Assassin for anti-spam. Install the packages.

# aptitude install clamav clamav-daemon amavisd-new spamassassin

Uncomment the lines relating to Amavisd-new in Postfix's /etc/postfix/master.cf file.

# ee /etc/postfix/master.cf
# Amavis
smtp-amavis unix -      -       n       -       2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n  -       n       -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

The first set defines the smtp-amavis transport, which Postfix uses to pass mail to Amavisd-new for scanning as a post-queue content filter. The second set starts a second Postfix smtpd process listening on port 10025 on the loopback address. Once mail has passed through Amavisd-new it is sent to this port via SMTP to be reinjected into the mail system.

Please check the Postfix documentation to understand the differences between the pre-queue and post-queue content filter mechanisms.
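
The 10025 listener accepts mail without content filtering, so it is only safe while it is bound to loopback and accepts mail from loopback clients alone. The following Python check of those properties is an added example, not part of the original howto; the function names and the weakened sample entry are constructed for illustration.

```python
from __future__ import annotations

import ipaddress

# The reinjection listener from master.cf above, abridged to the options
# this check reads.
PAGE_MASTER_CF = """\
127.0.0.1:10025 inet n  -       n       -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
"""

# Constructed counter-example: no bind address, filter not cleared, wide ACL.
WEAK_MASTER_CF = """\
10025 inet n  -       n       -       -  smtpd
    -o mynetworks=127.0.0.0/8,192.168.0.0/16
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
"""


def logical_lines(text):
    """Join master.cf continuation lines (those starting with whitespace)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries


def parse_service(entry):
    """Split one entry into name, type, command and its -o overrides."""
    fields = entry.split()
    if len(fields) < 8:
        return None
    args = fields[8:]
    opts = {}
    for flag, value in zip(args, args[1:]):
        if flag == "-o" and "=" in value:
            key, _, val = value.partition("=")
            opts[key] = val
    return {"name": fields[0], "type": fields[1],
            "command": fields[7], "opts": opts}


def is_loopback_host(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def is_loopback_net(net):
    try:
        return ipaddress.ip_network(net, strict=False).is_loopback
    except ValueError:
        return False


def audit_reinjection(master_cf, port=10025):
    """Return findings for the smtpd listener that amavisd-new forwards to."""
    listeners = []
    for entry in logical_lines(master_cf):
        svc = parse_service(entry)
        if not svc or svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        host, _, svc_port = svc["name"].rpartition(":")
        if svc_port == str(port):
            listeners.append((host, svc["opts"]))
    if not listeners:
        return [f"missing: no smtpd listener on port {port}"]
    findings = []
    for host, opts in listeners:
        if not is_loopback_host(host):
            shown = host or "(all interfaces)"
            findings.append(f"bind: listener address {shown} is not loopback")
        if opts.get("content_filter") != "":
            findings.append("content_filter: not cleared, mail would be sent "
                            "back to the filter")
        nets = [n for n in opts.get("mynetworks", "").split(",") if n]
        if not nets:
            findings.append("mynetworks: not overridden, main.cf value applies")
        for net in nets:
            if not is_loopback_net(net):
                findings.append(f"mynetworks: {net} is outside loopback")
        rules = opts.get("smtpd_recipient_restrictions", "").split(",")
        if rules != ["permit_mynetworks", "reject"]:
            findings.append("recipient_restrictions: expected "
                            "permit_mynetworks,reject")
    return findings


if __name__ == "__main__":
    print("page config:", audit_reinjection(PAGE_MASTER_CF) or "no findings")
    for finding in audit_reinjection(WEAK_MASTER_CF):
        print("weak config:", finding)
```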

Next uncomment the lines relating to Amavisd-new in Postfix's /etc/postfix/main.cf file. The content_filter setting tells Postfix to send all mail through Amavis.

# ee /etc/postfix/main.cf
# Send all email through Amavis
content_filter = smtp-amavis:[127.0.0.1]:10024

Back up the amavisd-new configuration file and create one from the example, adjusting as necessary. Please check the Amavis documentation for details of each parameter.

# cp /etc/amavis/amavisd.conf /etc/amavis/amavisd.conf~
# ee /etc/amavis/amavisd.conf
use strict;

# CORE
$MYHOME = '/var/lib/amavis';
$pid_file  = "/var/run/amavis/amavisd.pid";
$lock_file = "/var/run/amavis/amavisd.lock";
$TEMPBASE = $MYHOME;
$ENV{TMPDIR} = $TEMPBASE;
$daemon_user  = 'amavis';
$daemon_group = 'amavis';
$max_servers  =  2;
$max_requests = 10;
$child_timeout=5*60;
$mydomain = 'domain.tld';
$myhostname = 'hostname.domain.tld';

# MTA SETTINGS
$forward_method = 'smtp:127.0.0.1:10025';  # where to forward checked mail
$notify_method = $forward_method;          # where to submit notifications
$inet_socket_port = 10024;
$inet_socket_bind = '127.0.0.1';
@inet_acl = qw( 127.0.0.1 );

# LOGGING
$DO_SYSLOG = 1;
$SYSLOG_LEVEL = 'mail.info';
$LOGFILE = "/var/log/amavis.log";
$log_level = 0;

# POLICY AND LOOKUPS
$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_BOUNCE;
$final_spam_destiny       = D_PASS;
$final_bad_header_destiny = D_PASS;
@lookup_sql_dsn =
  (['DBI:mysql:database=amavis;host=localhost;port=3306', 'amavis', 'password']);
$sql_select_white_black_list = 'SELECT wb FROM wblist'.
  ' WHERE (rid=?) AND (wblist.email IN (%k))'.
  ' ORDER BY wblist.priority DESC';
# read_hash(\%local_domains, '/etc/amavis/local_domains');
# read_hash(\%whitelist_sender, '/etc/amavis/whitelist_sender');
# read_hash(\%blacklist_sender, '/etc/amavis/blacklist_sender');
# read_hash(\%spam_lovers, '/etc/amavis/spam_lovers');

# DSN
read_l10n_templates('en_US', '/etc/amavis');
$warnvirussender = 0;
$warnspamsender = 0;
$warnbannedsender = 0;
$warnbadhsender = 0;
$warnvirusrecip = 0;
$warnbannedrecip = 0;
$warn_offsite = 0;
# $virus_admin = 'postmaster@domain.tld';
# $spam_admin = 'postmaster@domain.tld';
$mailfrom_notify_admin     = 'postmaster@domain.tld';
$mailfrom_notify_recip     = 'postmaster@domain.tld';
$mailfrom_notify_spamadmin = 'postmaster@domain.tld';
$hdrfrom_notify_sender = 'postmaster@domain.tld';
$hdrfrom_notify_admin = 'postmaster@domain.tld';
$hdrfrom_notify_spamadmin = 'postmaster@domain.tld';
$X_HEADER_TAG = 'X-Virus-Scanned';
$X_HEADER_LINE = "by $myversion (Debian) at $mydomain";
$undecipherable_subject_tag = '***UNCHECKED*** ';
$remove_existing_x_scanned_headers= 1;
$remove_existing_spam_headers  = 1;
$keep_decoded_original_re = new_RE(
# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',
);

# QUARANTINE
# $QUARANTINEDIR = '/var/lib/amavis/virusmails';

# BANNED MIME TYPES
$banned_filename_re = new_RE(
#  qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
   qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i, # some double extensions
   qr'[{}]',     # curly braces in names (serve as Class ID extensions - CLSID)
#  qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i,           # banned extension - basic
   qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
          jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
          vbe|vbs|wsc|wsf|wsh)$'ix,                  # banned extension - long
   qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
#  qr'^\.(zip|lha|tnef|cab)$'i,                      # banned file(1) types
   qr'^\.exe$'i,                                     # banned file(1) types
   qr'^application/x-msdownload$'i,                  # banned MIME types
   qr'^application/x-msdos-program$'i,
   qr'^message/partial$'i,  # rfc2046. this one is deadly for Outcrook
#  qr'^message/external-body$'i, # block rfc2046
);

# RESOURCE LIMITS
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA =      100*1024;
$MAX_EXPANSION_QUOTA = 300*1024*1024;
$MIN_EXPANSION_FACTOR =   5;
$MAX_EXPANSION_FACTOR = 500;

# EXTERNAL PROGRAMS
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$file   = 'file';
$gzip   = 'gzip';
$bzip2  = 'bzip2';
$lzop   = 'lzop';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$unfreeze   = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$arc        = ['nomarch', 'arc'];
$unarj      = ['arj', 'unarj'];
$unrar      = ['rar', 'unrar'];
$zoo    = 'zoo';
$lha    = 'lha';
$cpio   = 'cpio';

# SPAMASSASSIN
$sa_local_tests_only = 0;
$sa_auto_whitelist = 0;
$sa_timeout = 30;
$sa_mail_body_size_limit = 150*1024;
$sa_tag_level_deflt  = -999;            # headers
$sa_tag2_level_deflt = 6.3;             # subject tagging (6.3)
$sa_kill_level_deflt = 6.3;             # reject/bounce/discard/pass (6.3)
$sa_dsn_cutoff_level = 10;              # dont send a bounce (10)
$sa_spam_subject_tag = '***SPAM*** ';

# ANTI-VIRUS
$first_infected_stops_scan = 1;
@av_scanners = (
  ### http://www.clamav.net/
  ['Clam Antivirus-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
  # NOTE: run clamd under the same user as amavisd;  match the socket
  # name (LocalSocket) in clamav.conf to the socket name in this entry
  # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],
);
@av_scanners_backup = (
  ### http://www.clamav.net/
  ['Clam Antivirus - clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

#-------------
1;  # insure a defined return
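
To see what the $banned_filename_re rules above actually catch before relying on them, this added example (not from the original howto or the amavisd-new project) ports the active rules to Python's re module and runs them over constructed part attributes: declared file name, MIME type and file(1) short type. The patterns are copied from the configuration above; the sample attributes and function names are assumptions.

```python
import re

# Active (uncommented) $banned_filename_re rules from the amavisd.conf above,
# in the same order. Perl's /i and /x flags map to re.I and re.X.
RULES = [
    ("double extension",
     re.compile(r"\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$", re.I)),
    ("curly braces (CLSID)", re.compile(r"[{}]")),
    ("banned extension - long",
     re.compile(r""".\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|
          jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|
          vbe|vbs|wsc|wsf|wsh)$""", re.I | re.X)),
    ("banned extension - WinZip",
     re.compile(r".\.(mim|b64|bhx|hqx|xxe|uu|uue)$", re.I)),
    ("banned file(1) type", re.compile(r"^\.exe$", re.I)),
    ("banned MIME type", re.compile(r"^application/x-msdownload$", re.I)),
    ("banned MIME type", re.compile(r"^application/x-msdos-program$", re.I)),
    ("banned MIME type", re.compile(r"^message/partial$", re.I)),
]


def matched_rules(attributes):
    """Return (attribute, rule label) for every rule that fires on a part."""
    hits = []
    for attr in attributes:
        for label, pattern in RULES:
            if pattern.search(attr):
                hits.append((attr, label))
    return hits


def is_banned(attributes):
    """A part is banned as soon as any one of its attributes matches."""
    return bool(matched_rules(attributes))


# Constructed sample parts: [declared name, MIME type, file(1) short type].
SAMPLE_PARTS = {
    "executable with a decoy extension":
        ["invoice.pdf.exe", "application/x-msdownload", ".exe"],
    "ordinary document":
        ["report.pdf", "application/pdf", ".pdf"],
    "executable renamed to look like an image":
        ["holiday.jpg", "image/jpeg", ".exe"],
    "zip archive (the zip rule is commented out above)":
        ["archive.zip", "application/zip", ".zip"],
    "name carrying a class ID suffix":
        ["notes.txt.{constructed-clsid}", "text/plain"],
    "fragmented message":
        ["part1", "message/partial"],
}

if __name__ == "__main__":
    for description, attrs in SAMPLE_PARTS.items():
        hits = matched_rules(attrs)
        verdict = "BANNED" if hits else "passed"
        print(f"{verdict:7} {description}")
        for attr, label in hits:
            print(f"        {attr!r} matched: {label}")
```

The renamed executable is caught only by the file(1) type rule, which is why that rule is worth keeping alongside the name-based ones.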

Add the clamav user to the amavis group.

# adduser clamav amavis

Update the amavisd-new cron jobs to use the new --sync option instead of --rebuild, since we are using Spam Assassin 3.x

# ee /etc/cron.daily/amavisd-new
test -e /usr/bin/sa-learn && test -e /usr/sbin/amavisd-new && {
        su - amavis -- /usr/bin/sa-learn --sync --force-expire >/dev/null 2>&1
}
# ee /etc/cron.d/amavisd-new
18 */3  * * *   amavis  test -e /usr/bin/sa-learn && test -e /usr/sbin/amavisd-new && /usr/bin/sa-learn --sync >/dev/null 2>&1

Create the Spam Assassin configuration file using the example. Note that the majority of Spam Assassin configuration parameters must be set through amavisd-new.

# ee /etc/spamassassin/local.cf
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###########################################################################
#
# rewrite_header Subject *****SPAM*****
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock

dns_available yes
use_auto_whitelist 0
auto_whitelist_path /var/lib/amavis/.spamassassin/auto-whitelist
whitelist_from postmaster@domain.tld
lock_method flock
use_bayes 1
bayes_path /var/lib/amavis/.spamassassin/bayes
bayes_auto_learn 1
bayes_auto_expire 1

Create the initial Bayes files:

# su amavis -c 'sa-learn --sync'

Run spamassassin in debug mode as the amavis user. The '--lint' option asks Spam Assassin to check our rules.

# su amavis -c 'spamassassin --lint -D'

Note the lines relating to the bayes db status. Amavisd-new will automatically train Spam Assassin's bayes database with high scoring spams.

Restart Amavisd-new and Postfix.

# /etc/init.d/postfix restart
# /etc/init.d/amavis restart

Test Postfix as you have done previously, looking closely at the extra lines generated by Amavisd-new in your log files. Your mail should now be scanned for viruses. Use the Eicar test virus to simulate a real virus. Also check you can telnet in to ports 20004 and 20005 on localhost.

TODO: Train bayes with examples of ham.

Mail Graph

Mail graph will provide near-real time web-based stats, graphing mail throughput in terms of received, sent, virus infected and spam messages.

Install mailgraph.

# aptitude install mailgraph

When prompted during configuration, choose to run mailgraph as a daemon, and to watch /var/log/mail.log, and to ignore localhost.

Edit the configuration file and check that it is actually ignoring localhost; for some reason mine wasn't.

# ee /etc/default/mailgraph

You should then be able to access Mailgraph through your browser at http://hostname.domain.tld/cgi-bin/mailgraph.cgi

Courier Graph

Courier graph will provide near-real time web-based stats, graphing logins in terms of pop and imap.

Install Courier Graph. When prompted, choose to run as a daemon and to watch /var/log/mail.log

# aptitude install couriergraph

You should then be able to access Courier Graph through your browser at http://hostname.domain.tld/cgi-bin/couriergraph.cgi

pflogsumm

pflogsumm is a script that will run from cron and generate daily summary reports from your mail system's log files.

Install the script and configure your crontab to run it daily.

# aptitude install pflogsumm
# crontab -e
10 3 * * * /usr/bin/pflogsumm -d yesterday /var/log/mail.log 2>&1 |/usr/bin/mail -s "hostname.domain.tld - Postfix daily mail summary" postmaster@domain.tld
10 3 * * 0 /usr/bin/pflogsumm /var/log/mail.log 2>&1 |/usr/bin/mail -s "hostname.domain.tld - Postfix WEEKLY mail summary" postmaster@domain.tld

You should now receive the email daily. Run the script manually to have an email sent now.

mailgrep

Download the mailgrep.pl and openlogfile.pl files, copy them to /usr/bin, and set them executable:

# mkdir /root/mailgrep
# cd /root/mailgrep
# wget http://www.besy.co.uk/projects/debian/mailgrep.pl
# mv mailgrep.pl /usr/bin/mailgrep.pl
# chmod +x /usr/bin/mailgrep.pl
# wget http://www.besy.co.uk/projects/debian/openlogfile.pl
# mv openlogfile.pl /usr/bin/openlogfile.pl
# chmod +x /usr/bin/openlogfile.pl
# perl -MCPAN -e shell
~ install File::MMagic
~ quit
# mailgrep.pl
# mailgrep.pl -s someuser@somedomain.com /var/log/mail.log

The last command above searches for all mail log entries dealing with mail to or from "someuser@somedomain.com". To see what mailgrep.pl does for you, compare its output to that of grep -i someuser@somedomain.com /var/log/mail.log.

Squirrel Mail

Squirrel Mail is an exceptionally good web-mail system with many plugins. It runs off your IMAP server.

Install Squirrel Mail.

# aptitude install squirrelmail

Configure Squirrel Mail. Explore each page of the menu, and set the options shown below.

# squirrelmail-configure
Server software               : courier
Default Folder Prefix         : INBOX.
Trash Folder                  : Trash
Sent Folder                   : Sent
Drafts Folder                 : Drafts
Folder Delete Bypasses Trash  : true
Default Left Size           : 200

Link to Squirrel Mail from your web root.

# ln -s /usr/share/squirrelmail /var/www/squirrelmail

AmavisNewSQL

This is a plugin for Squirrel Mail that will enable our users to each maintain a distinct set of Amavisd-new and Spam Assassin settings, stored in a mySQL database.

Download and install it. Installation instructions are available in the packaged README file. My commands were as follows:

# cd ~
# wget http://www.squirrelmail.org/file...
# tar zxvf amavisnewsql-0.7.3x-1.4.tar.gz
# cd amavisnewsql
# ee README
# cd ..
# mv amavisnewsql /usr/share/squirrelmail/plugins
# cd /usr/share/squirrelmail/plugins/amavisnewsql
# cp config.php.dist config.php
# ee config.php

Set permissions.

# chown root:www-data /usr/share/squirrelmail/plugins/amavisnewsql -R
# chmod 640 /usr/share/squirrelmail/plugins/amavisnewsql/*.* -R

Create a database user called amavis. Create the amavis database from utils/schema.mysql using either the mySQL client or PHPMyAdmin.

Edit the Amavisd-new configuration file and check your SQL lookup settings match your database settings. You may have noticed that virtual domains don't get messages tagged with Spam Assassin's headers. That's because Amavisd-new doesn't see the domain as local; SQL lookups will fix this.

# ee /etc/amavis/amavisd.conf
@lookup_sql_dsn =
  (['DBI:mysql:database=amavis;host=localhost;port=3306', 'amavis', 'password']);

$sql_select_white_black_list = 'SELECT wb FROM wblist'.
  ' WHERE (rid=?) AND (wblist.email IN (%k))'.
  ' ORDER BY wblist.priority DESC';

Disable the quarantine feature in the AmavisNewSQL plugin. We need to edit the config file and change some defaults in the database. Details are in the packaged README file.

$CONFIG["use_quarantine"] = false;    // true or false in config.php

Then change the default value for the "spam_quarantine_to" column in the "policy" table to NULL, and set this column's value to NULL for any existing policy records.

Configure Squirrel Mail and enable the plugin.

# squirrelmail-configure

You can modify the default policies in the mysql database. Below is a SQL dump for mine.

-- phpMyAdmin SQL Dump
-- version 2.6.2-rc1
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: May 02, 2005 at 03:18 PM
-- Server version: 4.0.24
-- PHP Version: 4.3.10-12
--
-- policy table for amavisnew squirrelmail plugin. modified by andy.
--
--
-- Database: `amavis`
--

-- --------------------------------------------------------

--
-- Table structure for table `policy`
--

DROP TABLE IF EXISTS `policy`;
CREATE TABLE `policy` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `policy_name` varchar(32) default NULL,
  `virus_lover` char(1) default 'N',
  `spam_lover` char(1) default 'N',
  `banned_files_lover` char(1) default 'N',
  `bad_header_lover` char(1) default 'N',
  `bypass_virus_checks` char(1) default 'N',
  `bypass_spam_checks` char(1) default 'N',
  `bypass_banned_checks` char(1) default 'N',
  `bypass_header_checks` char(1) default 'N',
  `spam_modifies_subj` char(1) default 'Y',
  `spam_quarantine_to` varchar(64) default NULL,
  `spam_tag_level` float default '-999',
  `spam_tag2_level` float default NULL,
  `spam_kill_level` float default NULL,
  UNIQUE KEY `id` (`id`)
) TYPE=MyISAM AUTO_INCREMENT=9 ;

--
-- Dumping data for table `policy`
--

INSERT INTO `policy` VALUES (1, 'Default_Nonuser', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'Y', NULL, -999, 6, 6);
INSERT INTO `policy` VALUES (2, 'Default', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'Y', NULL, -999, 6, 6);
INSERT INTO `policy` VALUES (8, 'Aggressive', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'Y', NULL, -999, 5, 5);

Quota

Quota is a plugin for Squirrel Mail that will add an indicator of quota usage for users of Squirrel Mail. Note that many mail clients (Thunderbird, for example) can also display the storage quota usage of an account. Installation instructions are in the packaged README file. My commands were as follows.

# cd ~
# wget http://www.squirrelmail.org/file...
# tar zxvf quota_usage-1.3-1.2.7.tar.gz
# mv quota_usage /usr/share/squirrelmail/plugins
# cd /usr/share/squirrelmail/plugins/quota_usage
# cp config.php.sample config.php
# ee config.php
# chown root:www-data /usr/share/squirrelmail/plugins/quota_usage -R
# chmod 640 /usr/share/squirrelmail/plugins/quota_usage/*.* -R

Configure Squirrel Mail and enable the plugin.

# squirrelmail-configure

Compatibility

Compatibility is a plugin for Squirrel Mail that makes other plugins work.

# cd ~
# wget http://www.squirrelmail.org/file...
# tar zxvf compatibility-1.3.tar.gz
# mv compatibility /usr/share/squirrelmail/plugins

Configure Squirrel Mail and enable the plugin.

# squirrelmail-configure

Server Side Filter

Server Side Filter is a plugin for Squirrel Mail that provides a web-based interface for the configuration of Maildrop rules. These are useful for automatically moving messages tagged as spam to a spam folder, and for sorting messages from lists into separate folders etc.

Per-user rules are stored in a file in the user's virtual home directory at /var/vmail/user/.mailfilter. You will remember that this per-user rule file is included from our global rule file at /etc/maildroprc.

Download and extract the plugin, setting appropriate file permissions.

# cd ~
# wget http://www.squirrelmail.org/countdl.php?file...
# tar zxvf serversidefilter-1.42.tar.gz
# mv serversidefilter /usr/share/squirrelmail/plugins
# cd /usr/share/squirrelmail/plugins/serversidefilter
# chown root:www-data /usr/share/squirrelmail/plugins/serversidefilter -R

Create a config file from the example, setting options as shown below:

# cp config.php.sample config.php
# ee config.php
$ALWAYS_CREATE = true;
$FILTER_FILE_PATH = '/var/vmail/[DOMAIN]/[USERNAME]/.mailfilter';
$FILTER_APP_PATH = '/usr/local/bin/maildrop';
//$DEFAULT_DELIVERY = '$MAILDIR';
$ALLOW_UNSUBSCRIBED = true;
$SPAMHEADER = 'X-Spam-Flag';
$SPAMVALUE = 'Yes';
$SPAMFILTERMAXKB = 150;
$LOCAL_MAILDIR = '$HOME/Maildir/';
$USE_MAILDIRS = 1;
$VIRTUAL_DOMAINS = 1;
$SEPERATOR = '@';
//$FORWARD_FILE_TYPE = "forward";

Then set file permissions on the config file securely.

# chown root:root config.php

Make template header and footer files.

# cp skeleton/header.sample skeleton/header
# ee skeleton/header

# empty header skeleton
# cp skeleton/footer.sample skeleton/footer
# ee skeleton/footer
# deliver messages if not yet delivered
to "$MAILDIR"

Make virtual domains file.

# cp virtualdomains.sample virtualdomains
# ee virtualdomains
domain.co.uk:vmail

Filtercmd

In the directory named script you will find the source code for filtercmd. Once compiled, serversidefilter will use filtercmd to write filter files using IMAP.

The UW-IMAP c-client library is an IMAP client used by filtercmd to connect to your IMAP server.

We need to compile both from source. These can be a pain to get working right, but the procedure below has proven reliable for me across many servers.

In order to compile source code we need to install the packages shown below. Don't worry if you already have some of these installed.

# aptitude install make binutils gcc cpp

First download, compile and install the UW-IMAP c-client library using the commands exactly as shown below.

# cd ~
# wget -c ftp://ftp.cac.washington.edu/imap/imap.tar.Z
# tar zxvf imap.tar.Z
# mv imap-2004d /usr/local
# cd /usr/local/imap-2004d
# make ldb SSLTYPE=none
# mkdir include
# mkdir lib
# cp c-client/*.h include/
# cp c-client/*.c lib/
# mv c-client/c-client.a lib/libc-client.a

In order to compile filtercmd we need to install the libraries it needs.

# aptitude install zlibc zlib1g zlib1g-dev libc-client2002edebian libc-client-dev comerr-dev libkadm55 libkrb5-dev libpam0g-dev libssl-dev mlock

Then configure the options in the makefile as shown below:

# cd /usr/share/squirrelmail/plugins/serversidefilter/script
# cp Makefile Makefile~
# ee Makefile
HTTPD_GROUP=www-data
LFLAGS=
#LFLAGS=-static
SQUIRRELMAILCONFIGFILE=/etc/squirrelmail/config.php
I=/usr/local/imap-2004d/c-client

Then build filtercmd:

# make clean
# make

And finally set filtercmd setuid:

# aptitude install sudo
# sudo chmod 4750 filtercmd

You can test filtercmd as shown below. When prompted, enter the username and password of a virtual mail user that exists in your mySQL database.

# make test

Finally if everything worked right enable the plugin in Squirrel Mail.

# squirrelmail-configure

Email Client Notes

Thunderbird Tweaks

How to have sub-folders (including the Drafts, Sent and Trash special folders) appear at root level rather than as sub-folders of Inbox

By default all folders are displayed as sub-folders of Inbox. This includes the Drafts, Sent and Trash special folders. While this is technically correct, many users may be more familiar and comfortable with folders appearing at root level, as a peer of Inbox.

Follow the procedure below to set Mozilla Thunderbird to display special folders in this way:

  1. Select the Tools menu; then
  2. select Account Settings from the menu; then
  3. select the appropriate email account from the list on the left; then
  4. select the Server Settings group of options from the list on the left; then
  5. click the Advanced button; then
  6. enter INBOX. in to the box labelled IMAP server directory (note that the dot on the end of INBOX. is important); then
  7. close the advanced dialogue by clicking the OK button; then
  8. close the account settings dialogue by clicking the OK button; then
  9. restart Mozilla Thunderbird.

Your folders should now appear at root level as peers of the Inbox folder, rather than as children of Inbox. Be sure to make this change to any other clients you use to access this account to avoid confusing folders.

How to check all sub-folders for new messages

By default Mozilla Thunderbird checks only the Inbox of IMAP accounts for new messages, and not any sub-folders. If you are organising your mail into sub-folders manually, or using client-side filtering rules set up within your Thunderbird client, then this is sufficient, as all new mail is initially received into the Inbox and stored there until it is moved by the client.

However, if you are using server side filtering rules then new messages may be received directly into one of your sub-folders. In this circumstance it is important that the email client check all of your account's sub-folders for new messages, or else you may never know they are there without manually clicking through folders and checking for new messages.

There are two ways to have Mozilla Thunderbird check sub-folders for new messages:

How to set Thunderbird to check sub-folders for new messages on a per-folder basis

To have Mozilla Thunderbird check specified sub-folders for new messages on startup and subsequent checks, right click the appropriate folder and select Properties from the contextual menu. Check the Check this folder for new messages checkbox, and OK out of the dialogue box.

How to globally set Thunderbird to check sub-folders for new messages

To globally set Mozilla Thunderbird to check all sub-folders for new messages, we need to create a simple file within your profile directory, or add a couple of lines to that file if it already exists. The profile folder is where Thunderbird saves all your settings and refers to a location on your hard drive.

On Windows 2000/XP, the path is usually %AppData%\Thunderbird\Profiles\default\xxxxxxxx.slt\, where xxxxxxxx is a random string of 8 characters. Just browse to C:\Documents and Settings\[User Name]\Application Data\Thunderbird\Profiles\ and the rest should be obvious.

On Windows 95/98/Me, the path is usually C:\WINDOWS\Application Data\Thunderbird\Profiles\default\xxxxxxxx.slt\.

On Linux, the path is usually ~/.thunderbird/default/xxxxxxxx.slt.

On MacOS X, the path is usually ~/Library/Thunderbird/Profiles/default/xxxxxxxx.slt.

Once you have found your profile folder check for a file called user.js. If you don't see the file just create it. Then add the lines shown below to the end of the file:

// Check all IMAP folders for new messages
user_pref("mail.check_all_imap_folders_for_new", true);

Then restart Mozilla Thunderbird. Next time it checks your account for mail, it should check all the sub-folders. Where a folder contains new messages, you should see the number to the right of the folder indicating that there are unread messages in the folder.

Further Reference

Mozilla Thunderbird Help, FAQs, Tips & Tricks

Outlook Express Tweaks

How to have sub-folders (including the Drafts, Sent and Trash special folders) appear at root level rather than as sub-folders of Inbox

By default all folders are displayed as sub-folders of Inbox. This includes the Drafts, Sent and Trash special folders. While this is technically correct, many users may be more familiar and comfortable with folders appearing at root level, as a peer of Inbox.

Follow the procedure below to set Outlook Express to display special folders in this way:

  1. Select the Tools menu; then
  2. select Accounts from the menu; then
  3. select the Mail tab; then
  4. click to highlight the appropriate email account from the list; then
  5. click the properties button on the right; then
  6. select the IMAP tab on the new dialogue box; then
  7. enter INBOX. in to the box labelled Root folder path (note that the dot on the end of INBOX. is important); then
  8. Close the account properties dialogue box by clicking the OK button
  9. Close the Internet Accounts dialogue box by clicking the OK button
  10. Confirm to refresh the folder list.

Your folders should now appear at root level as peers of the Inbox folder, rather than as children of Inbox. Be sure to make this change to any other clients you use to access this account to avoid confusing folders.

How to check all sub-folders for new messages

Outlook Express is set to check all sub-folders by default.

Self Signed Security Certificates

It appears it is not possible to have Outlook Express permenantly accept a self signed security certificate.

Mixing Email Clients

IMAP email accounts are preferable to POP3 email accounts when it is desireable to access an account from more than one location. However due to differences in the way different email clients handle IMAP, it is important to give some prior thought to how your email is to be accessed in each location.

Generally speaking, we recommend that you use the same email client to access your account from all locations. You can also use the SquirrelMail web mail system, of course.

If you choose to mix the use of Outlook Express and Thunderbird then you may need to tweak various settings in order to have the two coexist happily. A few hints can be found below:

  • How messages are deleted. Thunderbird and Squirrel Mail both by default move deleted messages to the trash folder. Outlook Express, on the other hand, marks messages for deletion using the deleted flag. Messages then remain within the same folder, but are displayed differently and can later be expunged as a separate process.
  • The names of special folders. Thunderbird and Squirrel Mail both use Drafts, Sent and Trash. Outlook uses Drafts and Sent Items, and by default does not have a Trash folder. We recommend you stick to the special folder naming schema used by Thunderbird.

Apple Mail Client Tweaks

A part of a message posted to a news group about the 'apple-mail' client.

1. to add 'INBOX' as imap server prefix in Apple-mail preferences >
Advanced. But this has to be done on the account creation, so
  1.1 save your mails dirs (in case you make an error)
  1.2 delete your imap account
  1.3 re-create it and type INBOX in imap prefix
  1.4 put back your old mails if necessary

2. On the courier-imap server, Apple-mail creates two dirs:
 Maildir/.Sent Messages
 Maildir/.Deleted Messages
whereas other clients share the .Sent and .Trash folders.
So if you want to share some boxes among users, you'll remove those
Apple's specific dirs and replace them by symbolic links:
  2.1 Check there's nothing in .Sent Messages:
     ls Maildir/.Sent\ Messages/cur
      If necessary mv the mails to .Sent/cur
  2.2 rm -r Maildir/.Sent\ Messages
      rm -r Maildir/.Deleted\ Messages
  2.3 ln -s .Sent Maildir/'.Sent Messages'
      ln -s .Trash Maildir/'.Deleted Messages'
  2.4 check rights
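
Step 2 of the quoted message as a shell sketch, added here as an example and not part of the original post or this howto. It moves remaining messages before deleting anything, refuses to delete when a file name collides, and links with a relative target, because a symlink target is resolved from the directory that holds the link. The function names are assumptions; the folder names are those in the post.

```shell
#!/bin/sh
# Added example: replace Apple Mail's private folders with symlinks to the
# shared Courier folders. Function names are hypothetical.

# merge_and_link MAILDIR APPLE_FOLDER SHARED_FOLDER
merge_and_link() {
    src="$1/$2"; dst="$1/$3"
    [ -d "$dst/cur" ] || { echo "missing shared folder: $dst" >&2; return 1; }
    if [ -L "$src" ]; then return 0; fi      # already converted
    if [ -d "$src" ]; then
        # Step 2.1: move messages out of new/ and cur/ before deleting.
        # mv -n never overwrites; a name collision leaves the file behind.
        for sub in new cur; do
            [ -d "$src/$sub" ] || continue
            mkdir -p "$dst/$sub"
            find "$src/$sub" -type f -exec mv -n {} "$dst/$sub/" \;
        done
        # Step 2.2: refuse to delete while any message is still in place.
        left=$(find "$src/new" "$src/cur" -type f 2>/dev/null | wc -l | tr -d ' ')
        [ "$left" -eq 0 ] || { echo "$left message(s) left in $src" >&2; return 1; }
        rm -r "$src" || return 1
    fi
    # Step 2.3: the target is relative to the link's own directory,
    # so it is ".Sent", not "Maildir/.Sent".
    ln -s "$3" "$src" || return 1
    # A dangling link would hide the folder from every client.
    [ -d "$src/cur" ] || { echo "dangling link: $src" >&2; return 1; }
}

# Step 2.4 "check rights": print every entry not owned by the Maildir's owner.
check_rights() {
    owner=$(ls -ldn "$1" | awk '{print $3}')
    find "$1" ! -user "$owner" -print
}

# Usage (run as the mail user, with the client closed):
#   merge_and_link /path/to/Maildir ".Sent Messages" ".Sent"
#   merge_and_link /path/to/Maildir ".Deleted Messages" ".Trash"
#   check_rights /path/to/Maildir
```
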

Postal

Postal is an SMTP client that can be used to load test your mail server. It can send lots of emails through your system, allowing you to control the rate per minute and the number of connections used.

Postal can be run either on the local machine or on a remote machine. If your mail server is going to be accepting incoming connections across the Internet then you should do so when load testing, rather than just running Postal from another machine on your LAN. The reason is that when a connection is made across a slower link it will need to remain open for longer, and so will consume more resources. Obviously you need to install Postal on an appropriate computer.

Install Postal:

# apt-get install postal

The command below will execute the Postal program. The parameters mean, in order: use two processes; send a maximum of 2 messages per connection; send at a rate of 10 messages per minute; and use SSL encryption on zero percent of connections. Then follows the IP address or hostname to make the connections to, then the path to a plain text file containing the recipient email addresses the messages should be sent to, and finally a dash to specify not to bother with the optional list of variations to apply to those recipient addresses.

postal -p 2 -c 2 -r 10 -s 0 -a localhost /root/postal/list.txt -

For further information read the MAN page:

man postal

Performance Tweaks

  • Set filesystem mount not to record date/time (affect trash cycling?)
  • Use asynchronous logging in Postfix (enabled by default)
  • Mount postfix spool on separate HD or RAM disk
  • Disable or reduce maildrop logging
  • Disable mySQL logging
  • Set amavis to log less verbosely

TODO List

  1. chroot
  2. Checkout Postfix quota patch (as an alternative to Maildrop)
  3. Per-user maximum message size limit - is this possible?
  4. Checkout etc/postfix/access
  5. Get SASL's SQL module working with hashed passwords. Ideally using the username and passwords from the user's table.
  6. Rename 'active' checkbox in the mailbox table to 'virtual delivery' in database schema, and in Postfix Admin
  7. Add a checkbox to enable/disable smtp relay access to the database schema, and to Postfix Admin
  8. Add a checkbox to enable/disable imap access to the database schema, and to Postfix Admin
  9. Add a checkbox to enable/disable pop3 access to the database schema, and to Postfix Admin
  10. Automate home directory and maildir creation
  11. Automate listing of domain as virtual domain in /var/www/squirrelmail/plugins/serversidefilter/virtualdomains
  12. Automate creation of magic folders (and soft links for any other aliases for these folders)
  13. Courier Vacation
  14. SquirrelMail Plugin: Download All
  15. SquirrelMail Plugin: Folder Sizes
  16. SquirrelMail Plugin: G/PGP Encryption Plugin
  17. SquirrelMail Plugin: HTML Mail
  18. SquirrelMail Plugin: Mail Fetchmail
  19. SquirrelMail Plugin: TWC Weather / Weather_uk
  20. LDAP directory service for address books
  21. Razor
  22. Check out Maia Mailguard as an alternative to tagging for POP3 and server-side filtering for IMAP.

Virtual Servers

I highly recommend a Bytemark Hosting virtual machine for those looking for a cost effective server to run this on. And they will donate to the Debian project when you use this link :)

Bytemark Hosting


Article from Andy's Debian HOWTOs (http://www.besy.co.uk/debian/debian)

 
debian/debian_sarge_virtual_mail_server_howto_part_two.txt · Last modified: 2008/08/01 23:56 (external edit)