Postfix, spamfilter and secure webmail
Author: Carsten Boysen Jensen
Version 2.5 - 9 April 2009
This article describes how to set up a mail server with secure webmail and a spam filter on a system running Debian GNU/Linux that uses the Maildir format for emails. Multiple solutions are given.
It is simply a documentation of the things I tried when I was looking for a solution to get secure webmail. And there are other ways to do it as well.
The system used in this article is Debian GNU/Linux, but it probably also works on other systems.
The setup was tested in Debian GNU/Linux 4.0 (etch) and Debian GNU/Linux 3.1 (sarge).
Filtering at reception is in my opinion the most reliable way to prevent spam. But there are other ways. What all three of the following methods have in common is that they are usually executed as soon as an email hits the server. This way the user loses legitimate emails without ever knowing it.
The three methods can be combined. With a little effort you can e.g. use Greylisting only if the sender is in a DNSBL and/or if SPF says that the sender is not a valid sender. That would prevent some of the problems but not hide that the methods are wrong. I therefore recommend that you give the users as much power as possible over their emails. Automate the sorting, but let the user define what the user thinks is spam. And avoid at all costs deleting emails automatically before the user has had a say.
At least inform your users how email is handled on your server. It is the most polite thing to do, and at the same time you can instruct the user how to avoid getting any spam in the first place. And then back off and let the user decide how he wants to use his account.
Copyright (c) 2009 Carsten Boysen Jensen Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
You are welcome to write me if you have questions or corrections to this document. Constructive criticism is always welcome.
First we need a mail server. Which one you prefer is very personal, and in the end it is up to you to decide what your needs are. My advice would be to try more than one and then pick the one you like the most. And then become good at configuring it. That is also the best security advice, because no server is secure if configured badly. In this article I use Postfix as the base, but any Maildir-capable mail server should work.
Postfix was designed with security as one of its main goals. This only means that by design it should be harder to exploit. And that is all it means. The design means nothing if it is configured insecurely.
If you haven't done it already you must now install Postfix: (as root)
apt-get install postfix
You will be asked a few questions. It may be a good idea to run dpkg-reconfigure postfix as root as it gives you some more questions and possibilities.
Then we need to set up Postfix to deliver to Maildir. This is done by adding the following to '/etc/postfix/main.cf': (as root)
home_maildir = Maildir/
Remember to reload Postfix when you have edited the config file: (as root)
/etc/init.d/postfix reload
If you use the server as a relay for your internal network it can be a good idea to hide the internal hostnames from the world. The easiest way to do this is by adding the following to '/etc/postfix/main.cf': (as root)
masquerade_domains = example.com
You can list more domains separated by spaces. Hereafter all mail from subdomains will appear to come from the top domain, which is often the server itself.
If the server is going to host more domains, then the Postfix Virtual Domain Hosting HOW-TO may be good reading.
You can now go to IMAP server setup.
There is more than one possibility to choose from when you want to install an IMAP server. As with so much else in this world the choice is up to you.
Binc IMAP is a well designed, modular IMAP server for Maildir. Its goals are to be secure, stable and fast, and to be easy to maintain.
Install Binc IMAP: (as root)
apt-get install bincimap-run
This installs a couple of programs that Binc IMAP uses, and it creates the service for secure IMAP on port 993.
As we are installing everything on the same machine there is no need to use the encrypted connection for webmail. So we enable the unencrypted service: (as root)
ln -s /etc/bincimap/bincimap /var/service/bincimap
Since we don't need secure IMAP in this configuration we disable it, like this: (as root)
rm /var/service/bincimaps
Allow plain auth in non-SSL connections, otherwise you will not be able to log in. Edit '/etc/bincimap/bincimap.conf': (as root)
Authentication {
allow plain auth in non ssl = "yes",
Now we create Maildir for every user on the system.
Run the following as user:
mkdir ~/Maildir
mkdir ~/Maildir/new
mkdir ~/Maildir/cur
mkdir ~/Maildir/tmp
mkdir ~/Maildir/.Spam
mkdir ~/Maildir/.Spam/new
mkdir ~/Maildir/.Spam/cur
mkdir ~/Maildir/.Spam/tmp
mkdir ~/Maildir/.MaybeSpam
mkdir ~/Maildir/.MaybeSpam/new
mkdir ~/Maildir/.MaybeSpam/cur
mkdir ~/Maildir/.MaybeSpam/tmp
Special directories used by IlohaMail and SquirrelMail:
mkdir ~/Maildir/.Sent
mkdir ~/Maildir/.Sent/new
mkdir ~/Maildir/.Sent/cur
mkdir ~/Maildir/.Sent/tmp
mkdir ~/Maildir/.Trash
mkdir ~/Maildir/.Trash/new
mkdir ~/Maildir/.Trash/cur
mkdir ~/Maildir/.Trash/tmp
Special directory only used by SquirrelMail:
mkdir ~/Maildir/.Drafts
mkdir ~/Maildir/.Drafts/new
mkdir ~/Maildir/.Drafts/cur
mkdir ~/Maildir/.Drafts/tmp
To make the directories visible in the webmail interface we need to subscribe to them in the IMAP server.
Run the following, as user:
echo 'INBOX' >> ~/Maildir/.bincimap-subscribed
echo 'INBOX/Spam' >> ~/Maildir/.bincimap-subscribed
echo 'INBOX/MaybeSpam' >> ~/Maildir/.bincimap-subscribed
echo 'INBOX/Sent' >> ~/Maildir/.bincimap-subscribed
echo 'INBOX/Trash' >> ~/Maildir/.bincimap-subscribed
If you choose SquirrelMail:
echo 'INBOX/Drafts' >> ~/Maildir/.bincimap-subscribed
To avoid doing this every time you add a new user, you can create the directories inside '/etc/skel' as root.
Now the users need to be able to log in. Binc IMAP uses the program CheckPW for authentication, so we need to set up this interface now. CheckPW uses the file '~/Maildir/.password' for passwords. So now we create this file for every user: (as user)
echo mailpass > ~/Maildir/.password
mailpass is the password. The password file must have exactly these permissions, -rw------- (mode 600), and must be owned by the user himself, or else it won't work. We do it like this: (as user)
chmod 600 ~/Maildir/.password
chown user ~/Maildir/.password
chgrp user ~/Maildir/.password
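The echo-then-chmod sequence above leaves a short moment in which the file exists with the default permissions. The following is an added example, not code from the article or from Binc IMAP, that writes the CheckPW password file with a restrictive umask from the start and then checks the mode and owner the article requires. The function names are my own; it assumes GNU stat as found in Debian's coreutils, and is meant to be run as the mail user.

```shell
#!/bin/sh
# Added example (not from the original article): create ~/Maildir/.password
# for CheckPW without a moment in which the file is readable by other users,
# then check that the result has the permissions Binc IMAP requires.
# Assumes GNU stat (Debian coreutils). Run as the mail user, not as root.

# set_mail_password MAILDIR -- reads the password from standard input, so it
# never shows up in the process list or the shell history as an argument
set_mail_password() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    IFS= read -r pw || return 1
    (
        umask 077                                # 0600 from the first write
        tmp=$(mktemp "$dir/.password.XXXXXX") || exit 1
        printf '%s\n' "$pw" > "$tmp" && mv -f "$tmp" "$dir/.password"
    )
}

# check_mail_password MAILDIR -- 0 if .password is mode 600 and owned by us
check_mail_password() {
    f=$1/.password
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%U' "$f") || return 1
    [ "$mode" = 600 ] && [ "$owner" = "$(id -un)" ]
}

# Usage, as the user:
#   printf '%s\n' 'mailpass' | set_mail_password "$HOME/Maildir"
#   check_mail_password "$HOME/Maildir" && echo ok
```

The password is read from standard input rather than taken as an argument, so it does not appear in `ps` output while the command runs; the temporary file is created under the umask and renamed into place, so there is never a world-readable '.password'.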
You can now continue to Procmail setup.
Courier-IMAP is a fast, scalable IMAP server made for enterprise solutions.
Install Courier-IMAP: (as root)
apt-get install courier-imap
Now we must secure Courier-IMAP against access from outside. We do this in '/etc/courier/imapd', as root:
ADDRESS=127.0.0.1
The standard configuration of Courier-IMAP listens on all addresses, and that is not necessary in this setup.
Now restart Courier-IMAP, as root:
/etc/init.d/courier-imap restart
Now you must create a Maildir for every user on the system. For this we use the program "maildirmake" that gets installed together with the server, as user:
maildirmake ~/Maildir
maildirmake ~/Maildir/.Spam
maildirmake ~/Maildir/.MaybeSpam
Special directories used by IlohaMail and SquirrelMail:
maildirmake ~/Maildir/.Sent
maildirmake ~/Maildir/.Trash
Special directory only used by SquirrelMail:
maildirmake ~/Maildir/.Drafts
Now we must subscribe to the directories in the IMAP server so they appear in the folder list in our webmail. Run this as user:
echo 'INBOX.Spam' >> ~/Maildir/courierimapsubscribed
echo 'INBOX.MaybeSpam' >> ~/Maildir/courierimapsubscribed
echo 'INBOX.Sent' >> ~/Maildir/courierimapsubscribed
echo 'INBOX.Trash' >> ~/Maildir/courierimapsubscribed
If you choose SquirrelMail:
echo 'INBOX.Drafts' >> ~/Maildir/courierimapsubscribed
To avoid doing this every time you create a new user, you can create the directories in the same manner inside '/etc/skel', as root.
You can now continue to Procmail setup.
Dovecot IMAP was designed with security as its primary goal.
Install Dovecot IMAP: (as root)
apt-get install dovecot-imapd
Then edit '/etc/dovecot/dovecot.conf' as root.
First we activate IMAP by editing the standard lines:
# Protocols we want to be serving:
# imap imaps pop3 pop3s
protocols = imap
Dovecot needs to know where to find the inbox:
# If you use Debian sarge:
default_mail_env = maildir:/home/%u/Maildir
# If you use Debian etch:
mail_location = maildir:/home/%u/Maildir
Restart Dovecot: (as root)
/etc/init.d/dovecot stop
/etc/init.d/dovecot start
Now we create Maildir for every user on the system, as user:
mkdir ~/Maildir
mkdir ~/Maildir/new
mkdir ~/Maildir/cur
mkdir ~/Maildir/tmp
mkdir ~/Maildir/.INBOX.Spam
mkdir ~/Maildir/.INBOX.Spam/new
mkdir ~/Maildir/.INBOX.Spam/cur
mkdir ~/Maildir/.INBOX.Spam/tmp
mkdir ~/Maildir/.INBOX.MaybeSpam
mkdir ~/Maildir/.INBOX.MaybeSpam/new
mkdir ~/Maildir/.INBOX.MaybeSpam/cur
mkdir ~/Maildir/.INBOX.MaybeSpam/tmp
Special directories used by IlohaMail and SquirrelMail:
mkdir ~/Maildir/.INBOX.Sent
mkdir ~/Maildir/.INBOX.Sent/new
mkdir ~/Maildir/.INBOX.Sent/cur
mkdir ~/Maildir/.INBOX.Sent/tmp
mkdir ~/Maildir/.INBOX.Trash
mkdir ~/Maildir/.INBOX.Trash/new
mkdir ~/Maildir/.INBOX.Trash/cur
mkdir ~/Maildir/.INBOX.Trash/tmp
Special directory only used by SquirrelMail:
mkdir ~/Maildir/.INBOX.Drafts
mkdir ~/Maildir/.INBOX.Drafts/new
mkdir ~/Maildir/.INBOX.Drafts/cur
mkdir ~/Maildir/.INBOX.Drafts/tmp
Now we must subscribe to the directories in the IMAP server so they are visible in our webmail, as user:
echo 'INBOX.Spam' >> ~/Maildir/subscriptions
echo 'INBOX.MaybeSpam' >> ~/Maildir/subscriptions
echo 'INBOX.Sent' >> ~/Maildir/subscriptions
echo 'INBOX.Trash' >> ~/Maildir/subscriptions
If you choose SquirrelMail:
echo 'INBOX.Drafts' >> ~/Maildir/subscriptions
To avoid doing this every time you add a new user, you can do as above inside '/etc/skel', as root.
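The three Maildir sections above (Binc IMAP, Courier-IMAP and Dovecot) differ only in the folder prefix, the name of the subscription file and the separator used in the subscribed names. The following is an added example, not code from the article or from any of the three servers, that performs the whole procedure for a chosen server in one call. The function names are my own. Beyond what the article does, it creates everything under umask 077 so the Maildir is private to its owner, and it skips subscription lines that already exist so it can be re-run safely (for Courier it creates the directories with mkdir rather than maildirmake; the resulting tree is the same new/cur/tmp layout).

```shell
#!/bin/sh
# Added example (not from the original article): create the Maildir tree and
# the IMAP subscription file for one of the three servers described above.
# Folder naming and subscription file per server, as the article gives them:
#   binc     ~/Maildir/.Spam        .bincimap-subscribed    INBOX/Spam
#   courier  ~/Maildir/.Spam        courierimapsubscribed   INBOX.Spam
#   dovecot  ~/Maildir/.INBOX.Spam  subscriptions           INBOX.Spam
# The only things added here are umask 077 (the maildir is private to the
# user) and a duplicate check, so the function can be re-run without harm.

# subscribe FILE NAME: append NAME to FILE unless it is already listed there
subscribe() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# make_maildir_tree SERVER ROOT [FOLDER...]
# SERVER is binc, courier or dovecot; ROOT is the Maildir (normally ~/Maildir).
# The body runs in a subshell so the umask change does not leak to the caller.
make_maildir_tree() (
    server=$1 root=$2
    shift 2
    case "$server" in
        binc)    prefix=.       subfile=.bincimap-subscribed  sep=/ ;;
        courier) prefix=.       subfile=courierimapsubscribed sep=. ;;
        dovecot) prefix=.INBOX. subfile=subscriptions         sep=. ;;
        *) echo "unknown server '$server' (use binc, courier or dovecot)" >&2; exit 1 ;;
    esac
    umask 077                        # everything below is created mode 0700/0600
    for d in new cur tmp; do mkdir -p "$root/$d"; done
    # Binc IMAP wants INBOX itself listed in the subscription file
    if [ "$server" = binc ]; then subscribe "$root/$subfile" INBOX; fi
    for folder in "$@"; do
        for d in new cur tmp; do mkdir -p "$root/$prefix$folder/$d"; done
        subscribe "$root/$subfile" "INBOX$sep$folder"
    done
)

# Usage, as the user (add Drafts if you use SquirrelMail):
#   make_maildir_tree dovecot "$HOME/Maildir" Spam MaybeSpam Sent Trash
```

Run it once per user, or run it against '/etc/skel/Maildir' as root to get the same result for every user created afterwards, as the article suggests.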
Please note: Dovecot IMAP has problems with mail headers that are inserted after the first time Dovecot sees the email. What happens is that parts of the header are included in the body of the message the next time you view it. So if you choose Dovecot I suggest you don't choose SpamBayes or similar programs. The problem is the index that Dovecot makes. So you could simply remove the index files after each training of SpamBayes, or disable the index entirely in '/etc/dovecot/dovecot.conf':
mail_location = maildir:~/Maildir:INDEX=MEMORY
You can now continue to Procmail setup.
Procmail is a program for delivering and sorting emails. We will use it in the following as the link between Postfix and the spam filter. But first we need to set up Procmail.
Install Procmail if it isn't already installed: (as root)
apt-get install procmail
Then Procmail needs to know where to deliver emails. Create or open '/home/user/.procmailrc', where user is replaced with the username. Do this for every user on the system, as that user. Here is an example:
# PATH that may be useful for the filters
# (the trailing '.' also searches the current directory; leave it out unless your filters need it)
PATH=/usr/bin:/usr/local/bin:.
# Home directory
HOME=/home/user
# The directory to save all mails to
MAILDIR=$HOME/Maildir/
# The default if no match in rules
DEFAULT=$MAILDIR
The trailing '/' tells Procmail that it is a Maildir-mailbox.
You can now continue to Spamfilter setup.
To get Postfix to deliver emails through Procmail we add the following to '/etc/postfix/main.cf' as root:
mailbox_command = procmail -a "$EXTENSION"
Spamfilter setup
There are many ways to filter spam. In the following I'll describe two methods. They are both easy to automate. The only action needed from the user is to mark the email as read. Emails in the spam directory get trained as spam and emails in the inbox get trained as ham (good email).
In selecting these two, I gave priority to it being easy for the user to categorize email for training. That means solutions that depend on the user bouncing email to special addresses and/or on special directories used just for training were not suitable. Moreover, solutions that didn't by themselves keep track of which emails had already been trained were not selected.
SpamAssassin is one of the old boys when we talk about spam filters. It uses many old and proven methods to identify spam, such as blacklists, words often used in spam and a Bayesian filter. It takes a very long time to train the Bayesian filter in SpamAssassin, so for a long time a lot of spam will get past SpamAssassin and end up in your inbox.
Install SpamAssassin: (as root)
apt-get install spamassassin spamc
Traditionally SpamAssassin has been a very heavy program to run for every incoming email. The people behind SpamAssassin have solved this problem by creating a client-server version of it, where spamd is the server and spamc the client. This has greatly reduced how hungry SpamAssassin is for system resources.
Make spamd start on every boot. Edit '/etc/default/spamassassin': (as root)
ENABLED=1
Now we need SpamAssassin to use its Bayesian filter. Add the following to '/etc/spamassassin/local.cf': (as root)
# bayes
use_bayes 1
use_bayes_rules 1
Now start spamd: (as root)
/etc/init.d/spamassassin start
In the following we'll use spamc. Add the following to every user's '~/.procmailrc': (as user)
# Check every email and calculate the spam-level
:0fw
| spamc
# If the spam-level is over 5 (default) it is spam
# and the email is marked with a spam-flag
:0
* ^X-Spam-Flag: Yes
${MAILDIR}/.Spam/
# If spam-level is 1 or more it may be spam
:0
* ^X-Spam-Level: \*
${MAILDIR}/.MaybeSpam/
Note: If you choose Dovecot IMAP then remember to use .INBOX.Spam and .INBOX.MaybeSpam in the above.
Now we only need to train the filter every night. For this we create the following script. It can be placed in every user's home directory or in '/usr/local/bin':
#!/bin/sh
# SpamLearn
# Register spam from read maildir-folder
sa-learn --spam ~/Maildir/.Spam/cur
# Register HAM from read maildir-folder
sa-learn --ham ~/Maildir/cur
Note: If you choose Dovecot IMAP then remember to use .INBOX.Spam in the above.
Make the script executable:
chmod +x /usr/local/bin/spamlearn
Now we run crontab -e for every user and add: (as user)
21 2 * * * /usr/local/bin/spamlearn > /dev/null
Every email is trained only once; SpamAssassin remembers whether and how the email was trained.
I recommend that you use varying times so that the users' jobs are spread out with good intervals and the system does not feel any extra load, especially if you have many users.
You can now continue to Webserver with SSL setup.
SpamBayes is a Bayesian spam filter that becomes effective pretty fast. When SpamBayes is unsure whether an email is spam or not it marks it as unsure. So in the beginning most emails will be 'unsure'. But it is a lot better than just letting them into the inbox. Linux Journal published An Introduction to the Spambayes Project in 2003 that gives some good information about the project.
Install SpamBayes: (as root)
apt-get install spambayes
Then create the database that SpamBayes uses to test incoming emails: (as user)
/usr/bin/sb_filter.py -d $HOME/.hammie.db -n
Then add the following to '.procmailrc' for each user, using the same database file as above: (as user)
# Check if the email is ham, spam or unsure
:0fw:hamlock
| /usr/bin/sb_filter.py -d $HOME/.hammie.db
# If it is spam put it in spam
:0
* ^X-Spambayes-Classification: spam
${MAILDIR}/.Spam/
# If it is unsure put it in maybespam
:0
* ^X-Spambayes-Classification: unsure
${MAILDIR}/.MaybeSpam/
Note: If you choose Dovecot IMAP then remember to use .INBOX.Spam and .INBOX.MaybeSpam in the above.
As SpamBayes, like all other Bayesian filters, needs training, we set up a small crontab job to run every day at 2:21 in the morning. This will train on all read emails in your inbox and spam box. Every email is only trained once. Add the following to every user's crontab, on a single line, since crontab does not allow a line to be continued with a backslash: (run 'crontab -e' as user)
21 2 * * * /usr/bin/sb_mboxtrain.py -q -d $HOME/.hammie.db -g $HOME/Maildir -s $HOME/Maildir/.Spam
Note: If you choose Dovecot IMAP then remember to use .INBOX.Spam in the above.
I recommend that you use varying times so that the users' jobs are spread out with good intervals and the system does not feel any extra load, especially if you have many users.
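Both training jobs above (the SpamAssassin spamlearn script and the SpamBayes sb_mboxtrain.py line) share two practical problems: the spam folder is '.Spam' for Binc and Courier but '.INBOX.Spam' for Dovecot, and every user's job fires at 2:21. The following is an added example, not code from the article or from SpamAssassin, with my own function names. It locates the spam folder whichever layout is in use, wraps the sa-learn calls from the spamlearn script, and derives a fixed per-user minute and hour from the user name so the nightly jobs are spread over the night. SA_LEARN is an assumed hook I added so that the learn command can be substituted; by default it is the sa-learn command the article uses.

```shell
#!/bin/sh
# Added example (not from the original article): a spamlearn script that finds
# the right spam folder whichever IMAP server you chose (.Spam, or .INBOX.Spam
# under Dovecot), plus a generator for the per-user crontab line that spreads
# the nightly training jobs over the night instead of running them all at 2:21.
# SA_LEARN is an assumed hook so the learn command can be swapped; the default
# is the sa-learn command used in the article.
SA_LEARN="${SA_LEARN:-sa-learn}"

# spam_folder MAILDIR -- print the spam folder for this Maildir, or fail
spam_folder() {
    if   [ -d "$1/.INBOX.Spam" ]; then printf '%s\n' "$1/.INBOX.Spam"   # Dovecot layout
    elif [ -d "$1/.Spam" ];       then printf '%s\n' "$1/.Spam"         # Binc / Courier layout
    else echo "no spam folder under $1" >&2; return 1
    fi
}

# spamlearn MAILDIR -- train on read mail: the spam folder as spam, the inbox as ham
spamlearn() {
    spam=$(spam_folder "$1") || return 1
    "$SA_LEARN" --spam "$spam/cur" && "$SA_LEARN" --ham "$1/cur"
}

# stagger_slot USER -- print "MINUTE HOUR", a fixed slot between 01:00 and 04:59
# derived from the user name, so each user's job lands at a different time
stagger_slot() {
    n=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    printf '%d %d\n' $((n % 60)) $((1 + (n / 60) % 4))
}

# training_cron_line USER COMMAND -- the line to put in that user's crontab
training_cron_line() {
    set -- "$1" "$2" $(stagger_slot "$1")     # $3 = minute, $4 = hour
    printf '%s %s * * * %s > /dev/null\n' "$3" "$4" "$2"
}

# Usage: print the line, then paste it into 'crontab -e' as that user:
#   training_cron_line alice /usr/local/bin/spamlearn
```

The slot is a function of the user name only, so running the generator again gives the same line, and the same COMMAND argument can carry the SpamBayes sb_mboxtrain.py invocation instead of the spamlearn script.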
You can now continue to Webserver with SSL setup.
To use webmail we need a webserver. But let's first create the SSL certificate that we need to encrypt the connection to our webmail. For this we need OpenSSL. If you don't have it installed, install it now: (as root)
apt-get install openssl ca-certificates
In this example we place the SSL certificate in '/etc/ssl', but it can be placed wherever you want, as long as the webserver can read it. Now create the certificate: (as root)
openssl req -new -x509 -keyout /etc/ssl/server.pem -out /etc/ssl/server.pem \
    -days 3650 -nodes
Answer a few questions and remember that 'Common Name' must be the domain name used to reach the webmail. The certificate is valid for 10 years, or 3650 days.
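The command above is interactive and writes the private key and the certificate into the same file. The following is an added example, not code from the article, that does the same job non-interactively with the Common Name given as an argument, keeps the private key in its own root-only file, and checks the Common Name afterwards, the same check a browser makes against the host name in the URL. The function names are my own; it assumes the openssl command-line tool and GNU stat, as on Debian.

```shell
#!/bin/sh
# Added example (not from the original article): create the self-signed
# certificate non-interactively, keep the private key in its own 0600 file,
# and verify the Common Name before handing the files to the webserver.
# Assumes the openssl command-line tool and GNU stat, as on Debian.

# make_webmail_cert DIR COMMON_NAME -- writes DIR/server.key (0600) and DIR/server.crt (0644)
make_webmail_cert() {
    dir=$1 cn=$2
    (
        umask 077        # the key is born 0600; nothing else on the box should read it
        openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    ) || return 1
    chmod 644 "$dir/server.crt"      # the certificate is public anyway
}

# cert_common_name CERT -- print the CN from the certificate's subject
# (handles both "CN = host" and "/CN=host" subject formats of openssl x509)
cert_common_name() {
    openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# cert_matches_host CERT HOST -- 0 if the certificate was issued for HOST, which is
# what a browser checks when the user opens https://HOST/webmail/
cert_matches_host() {
    [ "$(cert_common_name "$1")" = "$2" ]
}

# Usage, as root:
#   make_webmail_cert /etc/ssl webmail.example.com
#   cert_matches_host /etc/ssl/server.crt webmail.example.com && echo "CN ok"
```

With the key and certificate in separate files, Apache takes them via SSLCertificateFile and SSLCertificateKeyFile. If you keep the article's single-file layout for Lighttpd's ssl.pemfile, concatenate them into one file that stays mode 600: cat server.key server.crt > server.pem.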
Install Apache2: (as root)
apt-get install apache2-mpm-prefork
As both IlohaMail and SquirrelMail are written in PHP, you need to install PHP as well: (as root)
apt-get install libapache2-mod-php4
Now activate the SSL module in Apache2 with 'a2enmod': (as root)
a2enmod ssl
Now Apache2 needs to listen on port 443. Add Listen 443 to '/etc/apache2/ports.conf'. Run this: (as root)
echo "Listen 443" >> /etc/apache2/ports.conf
Now we need to create a configuration for SSL. We do this by copying the existing config: (as root)
cp /etc/apache2/sites-available/default \
    /etc/apache2/sites-available/default-ssl
Now edit '/etc/apache2/sites-available/default-ssl' to configure SSL: (as root)
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/ssl/server.pem
...
</VirtualHost>
Now activate the SSL-config: (as root)
a2ensite default-ssl
Don't forget to restart Apache2: (as root)
/etc/init.d/apache2 restart
You can now continue to Webmail setup.
Install Lighttpd: (as root)
apt-get install lighttpd
As both IlohaMail and SquirrelMail are written in PHP, you need to install PHP now: (as root)
apt-get install php4-cgi
Lighttpd uses FastCGI for PHP. In Debian FastCGI is already set up for PHP, so we just activate the module in Lighttpd: (as root)
/usr/sbin/lighty-enable-mod fastcgi
Then we activate the SSL-module: (as root)
/usr/sbin/lighty-enable-mod ssl
Edit '/etc/lighttpd/conf-available/10-ssl.conf': (as root)
#### SSL engine
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/ssl/server.pem"
}
Remember to restart Lighttpd: (as root)
/etc/init.d/lighttpd restart
You can now continue to Webmail setup.
IlohaMail is the small and light one that doesn't attempt to be more than a simple webmail for the average user.
Install IlohaMail: (as root)
apt-get install ilohamail
During the installation you will be asked a few questions, including which webserver you use. If you choose Apache, the installation will create an alias for IlohaMail in Apache's configuration. This makes the symbolic link we set at the end of this section unnecessary.
Edit the config files '/etc/IlohaMail/conf.php' and '/etc/IlohaMail/login.php' (as root). The options are pretty well documented in the files, so I'll let you figure them out.
If you want to use the Calendar you need MySQL as BACKEND in '/etc/IlohaMail/conf.php'. And you need to create the database and user to use with IlohaMail. You install the database for IlohaMail like this:
mysql -u root -p databasename < /usr/share/doc/ilohamail/sql
This requires a working MySQL server, that the database for IlohaMail has been created, and an IlohaMail user with all rights on this database.
If you want to allow your users to edit the colors on their webmail pages you need to comment out, with '//', the relevant lines in '/usr/share/IlohaMail/source/themes/default/info.inc' and '/usr/share/IlohaMail/source/themes/default/override.inc'.
Now we make IlohaMail available with a browser: (as root)
ln -s /usr/share/IlohaMail/source /var/www/webmail
You can now access your webmail at: http://localhost/webmail/
SquirrelMail is the bigger one, which wants to be a standard email client. SquirrelMail can be extended with plugins from its homepage if you wish to make it do even more than the default or to adjust its behavior.
Install SquirrelMail: (as root)
apt-get install squirrelmail-locales squirrelmail
Configure SquirrelMail by running: (as root)
/usr/sbin/squirrelmail-configure
Please note: If you choose Binc IMAP, then you must change the names of the folders SquirrelMail uses, under Folder Defaults, from this:
...
3. Trash Folder  : INBOX.Trash
4. Sent Folder   : INBOX.Sent
5. Drafts Folder : INBOX.Drafts
...
To this:
...
3. Trash Folder  : INBOX/Trash
4. Sent Folder   : INBOX/Sent
5. Drafts Folder : INBOX/Drafts
...
Or SquirrelMail will complain.
If you need plugins from the net they must be placed in '/usr/share/squirrelmail/plugins/'. Remember to configure SquirrelMail again afterwards.
Now we make SquirrelMail available with a browser: (as root)
ln -s /usr/share/squirrelmail /var/www/webmail
You can now access your webmail at: http://localhost/webmail/
The content was last modified on 20 May 2009, at 02:01 (CEST)