My Email Services Configurations
From Docunext Technology Wiki
Mailbox Access
For serving access to mailboxes, I use courier-imap and courier-pop (the Courier page on this wiki covers only the email software; the name means other things in other contexts). They don't need much tweaking and support SSL/TLS, which is nice. Because of the type of email services I provide, I will likely phase out everything except courier-imap over the long term, but some customers will still prefer POP, so I'll keep that available on a separate server. Since I use Courier, I use the Maildir format.
I hope to switch to Dovecot soon!
Email Delivery
For email delivery, I use Postfix. It is configured to authenticate users with SASL against IMAP, and to deliver through MySQL-backed lookups and maildrop (including filtering with spamc). I also use CDB for fast table lookups. As of 2009, the same Postfix server both accepts incoming mail and relays outgoing mail for authorized users; I hope to split these onto two separate hosts soon.
The Courier authdaemon socket directory needs its permissions adjusted so the delivery side can reach it. Record the change with dpkg-statoverride rather than a bare chmod, so the permissions are reapplied instead of being reset to the package default:
dpkg-statoverride --add daemon mail 0750 /var/run/courier/authdaemon
chown vmail:daemon /var/run/courier/authdaemon/
(Note that the two commands disagree about the owner: the override records daemon:mail, the chown then sets vmail:daemon. Settle on the owner your delivery user actually needs and record that one in the override.)
Spam Prevention
For spam prevention, I use SpamAssassin, Postgrey or postfix-gld (greylisting), Fail2Ban, and DNSBLs. To let receiving servers detect and reject forged mail that uses domains I manage as the sender address, I publish SPF records and sign outgoing mail with DKIM.
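SPF is only as strong as the published record: a receiver treats every sender the record does not list according to the qualifier on the final "all" term, so a record ending in "+all" or "?all" (or with no "all" at all) lets forged senders through, and a record that needs more than ten DNS lookups makes receivers return a permanent error instead of a verdict. The shell script below is an added example, not code from this wiki or from any SPF implementation; it checks a record string for those mistakes (and warns about the deprecated "ptr" mechanism) before you publish it. The records it runs against are constructed for the example.

```shell
#!/bin/sh
# Added example for this page (not the wiki's code and not an SPF library):
# check an SPF record string before publishing it. Offline: the records are
# passed in as strings rather than fetched from DNS.

# spf_all_qualifier RECORD: print the qualifier of the trailing "all" term
# (-, ~, ?, +) or "none". It decides what receivers do with senders the
# record does not list: "-all" rejects, "~all" softfails, "?all" and "+all"
# accept, and a missing "all" defaults to neutral, which also accepts.
spf_all_qualifier() {
    last=
    for term in $1; do last=$term; done
    case "$last" in
        -all)     printf '%s\n' '-' ;;
        '~all')   printf '%s\n' '~' ;;
        '?all')   printf '%s\n' '?' ;;
        +all|all) printf '%s\n' '+' ;;
        *)        printf '%s\n' none ;;
    esac
}

# spf_lookup_count RECORD: count the terms that cost a DNS lookup during
# evaluation (include, a, mx, ptr, exists, redirect). RFC 7208 allows at most
# ten; past that receivers return permerror and the record protects nothing.
spf_lookup_count() {
    n=0
    for term in $1; do
        case "$term" in
            [-~?+]include:*|include:*|[-~?+]a|a|[-~?+]a:*|a:*|[-~?+]mx|mx|[-~?+]mx:*|mx:*|[-~?+]ptr|ptr|[-~?+]ptr:*|ptr:*|[-~?+]exists:*|exists:*|redirect=*)
                n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# spf_check RECORD: print each problem found and return 1 if the record
# would not make receivers refuse forged senders.
spf_check() {
    record=$1
    rc=0
    case "$record" in
        v=spf1|'v=spf1 '*) ;;
        *) printf 'not an SPF record: %s\n' "$record"; return 1 ;;
    esac
    q=$(spf_all_qualifier "$record")
    n=$(spf_lookup_count "$record")
    case "$q" in
        -|'~') ;;
        *) printf 'weak "all" term (qualifier %s): unlisted senders are accepted\n' "$q"; rc=1 ;;
    esac
    if [ "$n" -gt 10 ]; then
        printf '%s DNS-lookup terms, limit is 10: receivers will permerror\n' "$n"; rc=1
    fi
    case " $record " in
        *' ptr '*|*' ptr:'*|*' +ptr '*|*' +ptr:'*) printf 'warning: ptr mechanism is deprecated and slow\n' ;;
    esac
    return $rc
}

# Constructed records for the demo: one sound, one that accepts everyone,
# one that exceeds the lookup limit.
for record in \
    'v=spf1 mx a ip4:192.0.2.10 include:_spf.example.net -all' \
    'v=spf1 mx +all' \
    'v=spf1 include:a.example include:b.example include:c.example include:d.example include:e.example include:f.example include:g.example include:h.example include:i.example include:j.example include:k.example -all'
do
    printf '== %s\n' "$record"
    if spf_check "$record"; then printf 'ok\n'; fi
done
```

Keep in mind what each mechanism actually covers: SPF checks only the envelope sender (MAIL FROM), and DKIM only proves that a domain's key signed the message; neither by itself stops someone forging the visible From header.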
Email Access
For email access, I use CircleBox (aka RoundCube), SquirrelMail, mutt, and Thunderbird. I usually recommend Thunderbird to my clients (though I refrain from making general recommendations on this site; you are left to your own devices!).
I prefer using IMAP and recommend that use to my business clients.
We currently use Courier, but plan to switch to Dovecot soon.
Simple to Complex
Starting to get complicated? Well, we're not done yet!
Redundancy
In an effort to make the email services I provide redundant, I'm trying out OfflineIMAP as a synchronization tool (with positive results after a few days of hammering away with it). I also use PAM to authenticate users from the Postfix-SASL connection, and Courier-Authlib to authenticate Courier services.
Rather than asking my clients and users to remember both a username and an email address, I'm evaluating Perdition to map each email address to a system username, so that the user can authenticate locally via PAM, start an OfflineIMAP sync (using libpam-script), and then continue on to authenticate to Courier.
It is absolutely possible to authorize mailbox access and outgoing mail using only the email address; however, since I'm trying to use libpam-script, I need the user to authenticate with their username instead. As of Feb 2008, I haven't tested this thoroughly, and I'm not sure whether it's really worth it, but in the end it may save me a lot of customer service requests when email is temporarily unavailable. I actually did get this working, but I find that Dovecot makes this task a lot easier!
Email Address to System Username Mappings
Back in the day, if your email address was sysop@example.com, your username was "sysop" and your machine's hostname was "example.com". Thanks to virtual hosting and the proliferation of commodity email services, that is no longer necessarily the case. Many providers of virtually hosted email use a single system user, often named "vmail", to act on behalf of all the virtual email addresses. I prefer to use real system users, so I have to give them unique names. To prevent name clashes, I now use a simple shell-friendly version of the email address: systems.admin@example.com becomes systemsadminexamplecom.
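The mapping rule above has two sharp edges. Debian's adduser accepts only names that start with a letter and useradd rejects names longer than 32 characters, and because the rule drops dots and other punctuation, two different addresses can collapse onto one name: systems.admin@example.com and systemsadmin@example.com both become systemsadminexamplecom, which would hand one customer another's mailbox. The shell functions below are an added example, not the wiki's own tooling: they implement the rule and check a batch of addresses for both problems before any account is created. The addresses are constructed for the example.

```shell
#!/bin/sh
# Added example for this page (not the wiki's code): derive a system user name
# from an email address the way the page describes, then check the results.
LC_ALL=C
export LC_ALL

# mailbox_user ADDRESS: lowercase, then keep only letters and digits.
#   "Systems.Admin@Example.com" -> "systemsadminexamplecom"
mailbox_user() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9'
    printf '\n'
}

# valid_mailbox_user NAME: Debian's adduser wants a name that starts with a
# letter, and useradd rejects names longer than 32 characters.
valid_mailbox_user() {
    name=$1
    [ ${#name} -ge 1 ] && [ ${#name} -le 32 ] || return 1
    case "$name" in
        [a-z]*) return 0 ;;
        *) return 1 ;;
    esac
}

# mailbox_collisions: reads addresses on stdin, one per line, and prints
# "name: addr1 addr2 ..." for every name that more than one address maps to.
# Two customers collapsing onto one name would share a mailbox, so the
# output must be empty before accounts are created.
mailbox_collisions() {
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        printf '%s %s\n' "$(mailbox_user "$addr")" "$addr"
    done | sort | awk '
        { count[$1]++; addrs[$1] = addrs[$1] " " $2 }
        END { for (n in count) if (count[n] > 1) print n ":" addrs[n] }' | sort
}

# Constructed batch: a collision pair, a name starting with a digit, and a
# name that is too long for useradd.
ADDRESSES='Systems.Admin@Example.com
systemsadmin@example.com
sysop@example.com
1st-contact@example.com
a.very.long.mailbox.name.for.someone@example.com'

printf '%s\n' "$ADDRESSES" | while IFS= read -r addr; do
    name=$(mailbox_user "$addr")
    if valid_mailbox_user "$name"; then
        printf '%-48s -> %s\n' "$addr" "$name"
    else
        printf '%-48s -> %s (not a valid user name)\n' "$addr" "$name"
    fi
done
printf 'collisions:\n'
printf '%s\n' "$ADDRESSES" | mailbox_collisions
```

Run the collision check over the complete address list each time a domain or mailbox is added, not just over the new entries, since the clash is between the new name and every existing one.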
When Postfix hands an incoming email to maildrop for SpamAssassin scanning, autoresponder handling, and final delivery to a Maildir, maildrop runs as the user to whom the email is addressed. To achieve this, I use pam-mysql, and thankfully the Postfix MySQL lookup tables provide the mechanism to find the system username using the email address as the key.
Security
Just because a system user has access to IMAP, SMTP, and POP doesn't mean I want to allow them to log in to a shell via SSH! There are a few ways to prevent that:
- A shell like "scponly", "rbash", "pdmenu", "/bin/false", or "/bin/nologin" customized for this scenario
- /etc/security/access.conf
- Op
- NSS adjustments
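Whichever of the methods above is used, it pays to verify the result. The shell functions below are an added example (not from the wiki): one reads a passwd and group file and reports every member of the mail-only group who still has an interactive shell, and one checks that the no-login shells are not listed in /etc/shells, since pam_shells and the shell checks in FTP daemons treat anything listed there as a valid login shell. The sample files are constructed for the example, and the group name "mailusers" is an assumption.

```shell
#!/bin/sh
# Added example for this page (not the wiki's code): audit that mail-only
# system users cannot get a shell. Assumes a "mailusers" group holds them.
LC_ALL=C
export LC_ALL

# Shells that refuse a login. /usr/sbin/nologin is Debian's; the others are
# listed for systems that place it elsewhere or use /bin/false.
NOLOGIN_SHELLS='/usr/sbin/nologin /sbin/nologin /bin/false'

is_nologin_shell() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# audit_mail_shells PASSWD GROUP GROUPNAME
# Prints "user shell" for each member of GROUPNAME whose shell permits a login
# (or "user: not in passwd" for stale members). Returns 1 if anything is printed.
audit_mail_shells() {
    members=$(awk -F: -v g="$3" '$1 == g { print $4 }' "$2" | tr ',' ' ')
    rc=0
    for u in $members; do
        shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$1")
        if [ -z "$shell" ]; then
            printf '%s: not in passwd\n' "$u"; rc=1
        elif ! is_nologin_shell "$shell"; then
            printf '%s %s\n' "$u" "$shell"; rc=1
        fi
    done
    return $rc
}

# shells_file_ok SHELLS_FILE
# Returns 1 if a no-login shell is listed in /etc/shells: pam_shells and the
# shell checks in FTP daemons accept any shell found there as a real one.
shells_file_ok() {
    rc=0
    while IFS= read -r line; do
        if is_nologin_shell "$line"; then
            printf 'listed in shells file: %s\n' "$line"; rc=1
        fi
    done < "$1"
    return $rc
}

# make_sample_files DIR: constructed passwd/group/shells files for the demo.
# "aliceexamplecom" still has bash, "bobexamplecom" is a stale group member,
# and the shells file wrongly lists nologin.
make_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
vmail:x:5000:5000::/var/vmail:/usr/sbin/nologin
sysopexamplecom:x:1001:1001::/home/sysopexamplecom:/usr/sbin/nologin
aliceexamplecom:x:1002:1002::/home/aliceexamplecom:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
mailusers:x:2000:sysopexamplecom,aliceexamplecom,bobexamplecom
EOF
    printf '%s\n' /bin/sh /bin/bash /usr/sbin/nologin > "$1/shells"
}

demo=$(mktemp -d)
make_sample_files "$demo"
audit_mail_shells "$demo/passwd" "$demo/group" mailusers || echo "=> fix the users above"
shells_file_ok "$demo/shells" || echo "=> remove no-login shells from /etc/shells"
rm -rf "$demo"
```

On a live system point the functions at /etc/passwd, /etc/group and /etc/shells. One caveat for the access.conf route: the Postfix-SASL and Courier-Authlib setups on this page both verify passwords through PAM, so a pam_access rule that denies the mail group must be placed in the sshd and login service files, not in common-auth, or those users lose IMAP and SMTP AUTH along with the shell.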
Connection Caching
To reduce load on the Courier IMAP server, I use up-imapproxy to cache connections on behalf of stateless clients like CircleBox/RoundCube and SquirrelMail. I've only used it for a short time as of Feb 2008, but I'm happy with the results thus far.
This matters for my setup because Postfix is configured to use SASL to authenticate against a remote IMAP server, so every SMTP AUTH attempt adds an IMAP login to that server's load.
Lingering Questions and Final Thoughts
Questions
- What type of python script is needed for OfflineIMAP to use the same ".offlineimaprc" file for every user?
- How can I perform tests on all this? ( http://www.informedtesting.com/blog/ )
- What should the pfSense load balancer setup look like to support redundant, highly available webmail, IMAP, POP, SMTP? (Not for load balancing, for failover)
Thoughts
- As popular as email is, I'm becoming a much bigger fan of XMPP lately. I'd like to use that instead of Email for things like Nagios.
Summary
Email Components
- Email access via IMAP or POP3
- Email storage
- Email delivery via SMTP
- Mailbox delivery via local or virtual transport
  - Dovecot deliver - will use this when we switch to Dovecot
  - maildrop - currently use this to connect with SpamAssassin and vacation autoresponders
  - virtual - used to use this, easy to set up
  - dbmail LMTP
- Spam filtering and processing
  - SpamAssassin - using this now
  - DSpam - heard good things and have tried it out, but not using it in production
  - DNS blocklists (RBLs) - great results from Spamhaus and Barracuda
  - Postfix access controls - very effective when set up right
  - procmail - not using this
  - Sieve - want to use this; it's a mail filtering language (ManageSieve is the protocol for uploading scripts)
- Email Clients
  - RoundCube
  - Outlook
  - Thunderbird / Icedove
  - SquirrelMail
Installation and Configuration
Required Packages
apt-get install postfix postfix-mysql postfix-cdb mailx mutt courier-imap courier-pop courier-ssl courier-imap-ssl courier-pop-ssl courier-maildrop courier-authlib-mysql sasl2-bin
The database configuration files for postfix and courier are a little obscure, but not too difficult to setup.
Don't forget the sanity check described on the Courier page!
UCE and Virus Control
apt-get install spamassassin postfix-gld amavisd-new
Webmail Access
apt-get install squirrelmail roundcube imapproxy
History and Credits
I can't take credit for coming up with all this. I have to thank the gifted folks at Gentoo, who really know how to write documentation, for the Virtual Email Hosting with Postfix Guide that helped me set up my first email server. There are also countless similar guides which I referenced and now cannot remember, but the Gentoo one really stuck as a helpful resource.
I also want to give credit to Google for simply proving that redundant IMAP Email was somehow possible, and restoring my belief that I could do it.
See Also
- IMAP Email
- SMTP Email
- SPF / Tumgreyspf
- Spam / Spamassassin / Dspam
- Dovecot / Courier
- Postfix / Exim