Alpine Linux - User contributions [en]

Talk:Redmine

2012-05-09T11:50:03Z

Djhughes: /* command lacks proper path */ new section

Why redmine and mysql?
Everything else in Alpine prefers sqlite3 or postgresql

I followed http://www.redmine.org/wiki/redmine/RedmineInstall when setting up Redmine on my test system and am more familiar with MySQL,
so used it. I'm sure it'd work just as well with postgres of sqlite. [[User:Jbilyk|Jbilyk]] 16:33, 20 December 2010 (UTC)

== command lacks proper path ==

Hi

Running command {{Cmd|su -pc "/usr/lib/ruby/gems/1.8/bin/rake generate_session_store" lighttpd}} yields:
<pre>
rake aborted!
No Rakefile found (looking for: rakefile, Rakefile, rakefile.rb, Rakefile.rb)

(See full trace by running task with --trace)
</pre>
Even though this command is run from the /usr/share/webapps/redmine directory, the su command runs it from the lighttpd user home directory, so it yields the above. I got around it by running: {{Cmd|su -p lighttpd}} and then running the rake generate_session_store command.

Same goes for the following command in the documentation for creating the redmine DB structure.

What might be a better way of documenting this command?

--[[User:Djhughes|Djhughes]] 11:50, 9 May 2012 (UTC)

Zabbix - cgi and mysql

2011-11-04T07:17:17Z

Djhughes: /* Zabbix Monitoring Solution */

[[Category:monitoring]]

== Zabbix Monitoring Solution ==

The purpose of this document is to assist in installing the Zabbix server software and Zabbix agent on the Alpine Linux operating system. Instructions on how to configure and use Zabbix - as well as many useful tutorials - can be found at http://www.zabbix.com.

{{Note|The minimum required version of Alpine Linux required to install Zabbix is Alpine 2.2.}}

== Install Lighttpd, and PHP ==

{{:Setting Up Lighttpd With FastCGI}}

== Configure PostgreSQL ==

Setup and configure PostgreSQL:

{{Cmd|apk add postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql}}

== Install Zabbix ==

{{Cmd|apk add zabbix zabbix-pgsql zabbix-webif zabbix-setup}}

Now we need to set up the zabbix database. Substitute '*********' in the example below for a real password:

{{Cmd|<nowiki>psql –U postgres
postgres=# create user zabbix with password '*********';
postgres=# create database zabbix owner zabbix;
postgres=# \q
cd /usr/share/zabbix/create/schema/
cat postgresql.sql | psql -U zabbix zabbix
cd ..
cd data/
cat data.sql | psql -U zabbix zabbix
cat images_pgsql.sql | psql -U zabbix zabbix</nowiki>}}

Create a softlink for the Zabbix web-frontend files:

{{Cmd|rm /var/www/localhost/htdocs -R
ln -s /usr/share/webapps/zabbix /var/www/localhost/htdocs}}

Edit PHP configuration to satisfy some zabbix requirements. Edit /etc/php/php.ini and configure the following values at least:

<pre>
Max_execution_time = 600
Expose_php = off
Date.timezone = <insert your timezone here>
post_max_size = 32M
upload_max_filesize = 16M
max_input_time = 600
memory_limit = 256M
</pre>

Configure the following entries in /etc/zabbix/zabbix_server.conf, where DBPassword is the password chosen for the database above:

<pre>
DBName=zabbix

# Database user

DBUser=zabbix

# Database password
# Comment this line if no password used

DBPassword=*********

FpingLocation=/usr/sbin/fping
</pre>

Start Zabbix server:

{{Cmd|rc-update add zabbix-server
/etc/init.d/zabbix-server start}}

Fix permissions on conf directory.

{{Cmd|chown -R lighttpd /usr/share/webapps/zabbix/conf}}

You should now be able to browse to the Zabbix frontend: http://yourservername/.

or

You should now be able to browse to the Zabbix setup frontend: http://yourserverip/instal.php.

Follow the setup instructions to configure Zabbix, supplying the database information used above.

After setup, login using: Login name: '''Admin''' Password:'''zabbix'''. (as described at http://www.zabbix.com/documentation/1.8/manual/installation)

Finally, Zabbix requires special permissions to use the fping binary.

{{Cmd|chmod u+s /usr/sbin/fping}}

== Install Zabbix Agent on Monitored Servers ==

Zabbix can monitor almost any operating system, including Alpine Linux hosts. Complete the following steps to install the Zabbix agent on Alpine Linux.

{{Note|Support to allow zabbix-agentd to view running processes on Alpine Linux has been added since linux-grsec-2.6.35.9-r2. Please ensure you have that kernel installed prior to attempting to run zabbix-agentd.}}

Ensure that the readproc group exists (support added since alpine-baselayout-2.0_rc1-r1), by adding the following line to /etc/group:

{{Cmd|readproc:x:30:zabbix}}

Install the agent package:

{{Cmd|apk add zabbix-agent}}

Edit the /etc/zabbix/zabbix_agentd.conf file and configure at least the following option:
<pre>
Server=<ip or hostname of zabbix server>
Hostname=<ip or hostname of zabbix agent>
ListenPort=10050
</pre>

Start the zabbix-agent:

{{Cmd|rc-update add zabbix-agentd
/etc/init.d/zabbix-agentd start}}

In case you want to monitor using SNMP agent on remote machines you have to add these packages on zabbix server:

{{Cmd|apk add net-snmp net-snmp-tools}}

And add these packages on remote machines:

{{Cmd|apk add net-snmp }}

== Optional: Crash course in adding hosts, checks and notifications ==

''Note:'' This is optional since it's not specific to Alpine Linux, but I wanted a couple notes for how to perform a simple check on a server that doesn't have the agent installed on it, and be notified on state changes.

Administration -> Media Types -> Email
* Setup server, helo, email from address

Administration -> Users
* Setup each user who'll get notified, make sure they have media type "Email" added with their address

Configuration -> Hosts -> Create host
* In Linux Servers hostgroup
* Define dns name, ip, connect by IP
* If the machine is a simple networking device that will only be monitored using SNMP, add it to Template_SNMPv2_Device, and you're done.

Configuration -> Templates -> Create template
* Give it a name (Template_Alpine_Linux_Infra_HTTP)
* In Templates group

Configuration -> Templates -> Template_Alpine_Linux_Infra_HTTP -> Items
* Create Item
* Host: Template_Alpine_Linux_Infra_HTTP
* Description: HTTP Basic Check
* Type: Simple_check
* Key: http,80

Configuration -> Templates -> Template_Alpine_Linux_Infra_HTTP -> Triggers
* Create Trigger
* Name: "HTTP Trigger"
* Expression: {Template_Alpine_Linux_Infra_HTTP:http,80.last(0)}#1
* Severity: High

Configuration -> Actions ->
* Create Action
* name: Email notifications
* Event source: triggers
* Default Subject: add "{HOST.DNS}:" to the beginning
* Default message: add "{HOST.DNS}:" to the beginning
* Conditions: make host have to be from "Linux Servers" hostgroup, and Template_Alpine_Linux_Infra_HTTP:HTTP trigger" is not 1
* Email affected users

Zabbix - cgi and mysql

2011-02-08T02:40:36Z

Djhughes: added zabbix split packages

Zabbix - cgi and mysql

2011-01-26T09:29:40Z

Djhughes: zabbix user needs to be in readproc group

Creating an Alpine package

2011-01-21T09:37:41Z

Djhughes: updated some broken links

== General ==

This document assumes that you have a working [[Setting up the build environment|build environment]], or use a diskbased alpine installation.

=== The APKBUILDs ===

The ''[http://git.alpinelinux.org/cgit/abuild/ abuild]'' script reads the ''[http://git.alpinelinux.org/cgit/abuild/tree/sample.APKBUILD APKBUILD]'' and executes the steps needed to create a package.

=== The aports tree ===

The [http://git.alpinelinux.org/cgit/aports aports] tree is a [http://git.alpinelinux.org/cgit/aports/tree directory tree] with many APKBUILDs. Those files are used when building alpine from source.

== Installing and configuring the alpine-sdk ==

The alpine-sdk is a metapackage that pulls in the most essential packages used to build new packages.<BR>
Install those packages now:

apk add alpine-sdk

This would be a good time to create a normal user account for you to work in. (You weren't going to develop as root now, were you!) To create the user:

adduser <yourusername>

To make life easier later, it's a good idea to add this user to /etc/sudoers. Append the line

<yourusername> ALL=(ALL) ALL

using the command:

visudo

Now logout of the root account, and login as <yourusername>. From here on everything can be done in a normal user account, and operations that require superuser privileges can be done with sudo.

The aports tree is in git so before we clone the aports tree we should configure git.

git config --global user.name "Your Full Name"
git config --global user.email "your@email.address"

Now we can clone the aports tree.

git clone git://dev.alpinelinux.org/aports

Before we start creating or modifying APKBUILD files we need to setup abuild to our system/user. Edit the file abuild.conf to your requirements. Most of the defaults can be left alone, unless you are developing for a custom platform, in which case the comments in the file should guide you. The one field to edit is PACKAGER, so that you can get credit (or blame) for packages you create.

sudo vi /etc/abuild.conf

We also need to prepare the location that the build process caches files when they are downloaded. By default this is /var/cache/distfiles. To create this directory and ensure that it is writeable, enter the following commands:

sudo mkdir -p /var/cache/distfiles
sudo chmod a+w /var/cache/distfiles

The last step in preparation is to configure the security keys for abuild with the command:

abuild-keygen -a -i

== Getting some help ==

It might be wise to start by checking what the abuild program can/cannot do.

abuild -h

== Creating an APKBUILD file ==

=== Use a template APKBUILD ===

To create the actual APKBUILD file abuild has the option -n (new). It will simply copy an example/template APKBUILD file to the given directory and fill some variables.<BR>
If you are create a daemon package which needs initd scripts you can add the -c making it:

abuild -c -n ''packagename''

{{Note|The 'packagename' is a parameter to the -n option so order of -c and -n matters. Further, on newer Alpine systems, 'newapkbuild' has replaced abuild with the -n switch.}}

This will copy the sample initd and confd files to the build directory.<BR>
A third file sample.install file will be copied as well (we will discuss this later on).

=== Modify your APKBUILD ===
Edit APKBUILD and fill in the needed info (especially pkgname, pkgver, pkgdesc, url, license, depends and source).

If you are going to use any of the variables for directories like $pkgdir, always make sure they are double quoted like:

"$pkgdir"/somedir

This will prevent issues with spaces/special characters in the future.

{{Note|If you like syntax highlighting we suggest you to install vim. We have setup vim to recognize the APKBUILD file as a bash scripts so its easier to read them.}}

=== APKBUILD variables/functions ===

==== source ====

The source variable is not only used to list the remote source files to fetch, it is also used to list the local files that abuild will need in order to build the apk. Examples of such local files include: init.d files, conf.d files, install files (see [[Creating an Alpine package#install|install variable]]), patches, and all other necessary files.

Here are few things to note:

* When you are finished adding local and/or remote files to ''source'', you can execute the following command to add their checksums to the APKBUILD file:
: <pre>abuild checksum</pre>
: {{Note|When later updating the content of ''source'', or updating a file that is listed in ''source'', you must also update their checksums again with the same command.}}

* When the remote file is hosted at SourceForge, it's best to specify the special mirrors link used by SourceForge:
: <pre>http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz</pre>
: (or similar depending on the package).

* When the remote filename is not specified in the URI (ie, does not end in '/software-1.0.tar.gz'), such as:
: <pre>http://oss.example.org/?get=software&ver=1.0</pre>
: You must prepend 'saveas-' to the protocol and append '/software-1.0.tar.gz' (for instance) to the end of the URI, like so:
: <pre>saveas-http://oss.example.org/?get=software&ver=1.0/software-1.0.tar.gz</pre>
: This causes the file to be saved as ''software-1.0.tar.gz'' where abuild can use it, instead of ''?get=software&ver=1.0'', where abuild cannot use it.

* abuild currently supports the following protocols for remote file retrieval:
** http
** https
** ftp

* abuild currently supports the following archive types/archive file extensions:
** .tar.gz / .tgz
** .tar.bz2
** .tar.lzma
** .tar.xz
** .zip

==== depends & makedepends ====

Depends are the actual running dependencies that a package would need when it is running. Makedepends are only needed when you are building a package. If you set a package, in depends you do not need to add it to makedepends as well. The best way to find out what the depends and makedepends of a package are is to [http://en.wikipedia.org/wiki/Rtfm RTFM].

No kidding, lots of important information can be found it the package INSTALL and README file (or the likes). Another good way is the run ./configure --help from the source directory to see which options are needed for configure to finish without errors. If you do not yet have a src directory you can create one with the command:

abuild unpack

Running configure will also show you how you can disable a specific option for this package. A good example is for instance "--disable-nls" which will disable native language support and thus does not depend on gettext(libiconv,glib..).

Alpine likes to keep things small, so we try to disable as much as possible without losing too many features. The exact disable/enable options are decided the package builder but please try to follow Alpine's design concept as much as possible.

An easy way of quickly finding out the build info for a package is to check Arch Linux (Alpine package management and build scripts are similar) or Gentoo linux ebuilds (previous versions of Alpine were based on Gentoo).

* [http://www.gentoo-portage.com Search ebuilds]
* [http://sources.gentoo.org/viewcvs.py/gentoo-x86/ Gentoo CVS]
* [http://www.archlinux.org/packages/search/ Arch Linux packages]

After the package is successfully compiled and created we should make sure it didn't link to any package that is not present in the $depends variable. We do this by using scanelf. If scanelf is not yet installed on your system you can do that by installing pax-utils.

scanelf -nR pkg

An example output of libcurl would be:

ET_DYN libssl.so.0.9.8,libcrypto.so.0.9.8,libz.so.1,libc.so.0,ld-uClibc.so.0 pkg/usr/lib/libcurl.so.4.1.1

You can see the needed files and should be able to find out which file belongs to which package.

==== license ====

If a package has a special/custom license we need to provide it with the release. Because we want to save space and don't like to have licenses all over our system we have decided to include the license in the doc subpackage. Please follow the following guidelines to add a proper license. Locate the license file inside the source package. Add the doc subpackage to the $subpackages variable as follows:

subpackages="$pkgname-doc"

Add a similar line to the following to your build() function, depending on the license description file:

install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING

If you follow these steps then abuild will automatically add the license to the package-doc apk for you.

==== arch ====

The package architecture(s) to build for. This can be one of: ''x86, x86_64, all,'' or ''noarch'', where ''all'' means all architectures, and ''noarch'' means it's architecture-independent (ie, a pure-python package).
{{Tip|To determine if your APKBUILD can use ''noarch'', build the package for your architecture and then run "scanelf -R pkg" from the directory that the APKBUILD resides in, in order to scan for ELF files in the ''./pkg'' directory. If you do NOT get output from this, then ''noarch'' can be used.}}

==== url ====

Website address for the program. This is usefully later on when either finding documentation or other information about the package.

==== pkgdesc ====

A brief, one line, description of what the package does. Useful for the package management system.

Here is an example from apk_info for the OpenSSH client package

pkgdesc="Port of OpenBSD's free SSH release - client"

==== pkgver ====

Provide the release number of the package you are building.

==== pkgrel ====

The $pkgrel versioning is made so if you change something to your APKBUILD file without changing the actual $pkgver you can higer pkgrel so apk tools will detect it as an update. For instance if you forget to add a dependency you can add it afterward and you can +1 pkgver so apk finds this update and add the missing dependency.

==== pkgname ====

The base name of the package you are creating. For Freeswitch 1.0.6, you would use "freeswitch"

==== install ====

There are 6 different kinds of install scripts. Each script is called with the $pkgname.''<action>'' where ''<action>'' is one of the following:

===== $pkgname.pre-install =====
This script is executed before package is installed. Typical use is when package needs a user/group to be created. For example:
<pre>
#!/bin/sh
adduser -H -s /bin/false -D clamav 2>/dev/null
exit 0
</pre>
Note the ''exit 0'' at the end. If the script exits with failure (if the user already exist), the package will not be installed and apk add will exit with failure.

===== $pkgname.post-install =====
This script is executed after package is installed. Can be used to generate font cache and similar.

===== $pkgname.pre-upgrade =====
Same as pre-install but is executed before upgrading an already installed package.

===== $pkgname.post-upgrade =====
Same as post-install but is executed after upgrading an already installed package.

===== $pkgname.pre-deinstall =====
This script is executed before uninstalling a package. If script exits with failure apk will not uninstall the package.

===== $pkgname.post-deinstall =====
This script is executed after a package have been uninstalled. Can be used to update font caches and restore busybox links. For example:
<pre>
#!/bin/sh
busybox --install -s
</pre>

If the package have an pre-install and post-install script the APKBUILD should have the ''install'' variable defined and the scripts should also be added to the source variable:
<pre>
...
install="$pkgname.pre-install $pkgname.post-install"
source="http://....
$install"
...
</pre>

==== subpackages ====

$subpackages are made to split up the normal "make install" into separate packages. The most common subpackages we use are doc and dev. Because we like to keep our target system small we move documentation and development files (only needed when building packages) into separate packages. To use the specific program a user only need to install the base apk without package-doc or package-dev, but if he wants to read the manual he will need to install package-doc.

The easiest way to find out if you need to use -dev and -doc is to first build the package without these options set and wait until the build finishes. When its finished you should have a pkg directory which is the fake root directory. Inside this directory you will see the structure as how it would be installed in / on the target system.

To see if you need the -dev package you can run the following cmd:

find pkg/usr/ -name '*.[acho]' -o -name '*.la'

If this returns any files you need to include the -dev package.

<br> To see if you need the -doc package you can run the following cmd:

find pkg/usr/share -name doc -o -name man -o -name info -o -name html -o -name sgml -o -name licenses

If this returns any directories you need to include the -doc package.

===== Custom subpackages =====

Some applications will have except doc and dev files other non needed at run time files which we want to separate away from the base package. Some packages include large test suites which are only needed in specific circumstances or binaries which have depends which we prefer not to install. To handle those we create our own package/function. In the APKBUILD below the build() function we create another function:

test() {
mkdir -p "$subpkgdir"/usr
mv "$pkgdir"/usr/package-test "$subpkgdir"/usr/
}

We also need to add the package info to $subpackages variable:

subpackages="$pkgname-doc $pkgname-dev $pkgname-test"

After we finish building the package you should see another apk called packagename-test.apk which includes the files which we moved to the $subpkgdir dir.

The above mentioned variables can also be used in our custom function. If we want for instance to build the test() function with perl support we would add:

depends="perl"
makedepends="perl-dev"

If we would install the base package it would not install perl, but if we install the package-test package it would.

==== Patches ====

Please make sure you always submit human readable patches. Way's to create them are:

directory compare:

diff -urp original_directory new_directory > filename.patch

file compare:

diff -up original.file new.file > filename.patch

If you are going to use multiple patches for a single package, the preferred way to handle those is a loop and numbering the patches.

for i in "$srcdir"/*.patch; do
msg "Applying ${i}"
patch -p0 -i $i || return 1
done

Because multiple patches can patch the same file, we could create offset for the next patch. To make sure we always patch in a specified way we should number the patches as followed:

10-patch1.patch 20-patch2.patch 30-patch3.patch

This way we are always sure patch 1 is first and if we want to add additional patches between them we can use 11,12,21,22...

==== Configure options ====

Alpine has some default configure options we set by default. We use /usr for prefix to make sure everyting is installed with /usr in front of it. If you notice that anything is installed in the wrong directory please run ./configure --help and see if you can set the correct location.

We are not covering the depend switches here we have discussed this already in the depend section.

==== Make options ====

If you notice weird problems when compiling or installing the package with make/make install you could try to disable [http://www.gnu.org/software/make/manual/make.html#Parallel parallel] building/installing. A normal make line would be:

make || return 1

To disable parallel we use:

make -j1 || return 1

We can use the same for make install.

Because we do not want to install the package in our build environment but we want to install it in a fake root directory we need to tell 'make install' to use another destination directory instead of '/'. We do this by setting a variable when we execute make install as followed:

make DESTDIR="$pkgdir" install

Please note that some Makefiles do not support this variable and will always install software in '/'. To make sure you do not mess up your build system NEVER run your build system as root but always use a custom user and sudo when needed. If by accident the Makefile does not support DESTDIR variable it will fail to install in our build system system directories.

==== Additional files ====

If you want/need to install additional files not mentioned above you can use the following cmd (this is an example of a conf file):

install -Dm644 doc/$pkgname.conf "$pkgdir"/etc/$pkgname.conf

== Build the package ==

If you did not already create the checksums as mentioned above you can do so now:

cd $pkgname
abuild checksum

Its about time we build our package. Because a build system should never have all the package installed to prevent linking to packages we dont want it to link we use a abuild recursively with the -r switch. It will install all dependency's from your repository and builds it, afterwards it will uninstall all those depending packages again. You could also use the -R switch which would build your package including the dependency packages.

abuild -r

== Commit your work ==

After you successfully build your package you can submit your APKBUILD to alpine git repository.

Update you git repo, before adding new files:

cd $aportsdir
git pull

This should pull all the changes made by others into you local git repo. When you think you are ready you can add your files to git:

cd $apkbuilddir
git add APKBUILD (include any other files needed for the build; $pkgname.install...)
git commit

Now your changes are only available locally in your repo. Because you do not have push rights to the alpine repo you need to create diff (patch) of the changes you made:

git format-patch -1

Where -1 sets how many commits you want to go back (mostly this is 1). This should create a patch called 0001......patch.

An easy way to send this patch to the list is with an program called 'email'.

apk_add email

to send to the mailing list you would do:

email -a 0001...patch alpine-devel@lists.alpinelinux.org

And provide a subject and body after you execute the above cmd.

<br> If you doubt to which repo your package belongs to you can safely use testing.

== See Also ==
* [[APKBUILD Reference]]
* [[Development using git]]

Upgrading Alpine Linux to a new release branch

2011-01-13T09:55:29Z

Djhughes: minor update

== General notes ==
Alpine can be booted from various media.<BR>
It has also made some adjustments through time and this could also have impact on how a upgrade could be done.<BR>
These factors makes it hard to make a 'general' upgrade instruction that fits all scenarios.<BR>
The principle is still the same.

To make your upgrade easy, we now present various documents that will help you in your situation.

== What is your *present* setup ==
You need to know...
* what alpine version the box (that you are upgrading) is running at this moment.
* what media you are planning to upgrade (on what media is your alpine distro at this moment).<BR>''Choose '''CD''', '''USB''', '''HD/CF''' or whatever fits your setup.''

Choose your current setup in the below list
{|
|'''alpine-1.9.x or later'''
|[[Upgrading_Alpine_-_v1.9.x|All Installation Types]]
|
|
|-
|'''alpine-1.8.x'''
|[[Upgrading_Alpine_-_CD_v1.8.x|CD]]
|[[Upgrading_Alpine_-_HD_v1.8.x|HD/CF/USB]]
|
|-
|'''alpine-1.7.x'''
|
|
|
|-
|'''alpine-1.6.x'''
|
|
|
|-
!                           
!             
!             
!             
|}

Template:Using Internet Repositories for apk-tools

2011-01-13T09:51:19Z

Djhughes: updated for version 2.1

Edit the '''/etc/apk/repositories''' file and if necessary, add references to the Alpine package repositories. In the example below, the reference to the Alpine CD is maintained, so that if the requested package is available on the local media, it will be obtained from there instead of being downloaded from the remote repository:

/media/cdrom/apks
http://dl-3.alpinelinux.org/alpine/v2.1/packages/main

Only one repository is shown above, however, you may also use these (if you wish to use another version, substitute v2.1 for the desired version (i.e: v1.9, v1.10)):
http://dl-4.alpinelinux.org/alpine/v2.1/packages/main
http://distrib-coffee.ipsl.jussieu.fr/pub/linux/alpine/alpine/v2.1/packages/main
http://dl-2.alpinelinux.org/alpine/v2.1/packages/main
http://nl.alpinelinux.org/alpine/v2.1/packages/main

After updating the repositories file, obtain the latest index of available packages:
{{Cmd|apk update}}

Upgrading Alpine - v1.9.x

2011-01-13T09:48:35Z

Djhughes: added steps for v2.x

This document covers upgrading from a previous version of Alpine Linux 1.9 (or 1.10) to newer versions of 1.9 / 1.10 / 2.x. Thanks to many improvements in Alpine Linux 1.9 and later, it is possible to easily upgrade in most scenarios.

All examples/instructions/actions mentioned in this document should be executed on the box that you are planning to upgrade (unless you are instructed otherwise).

== Upgrading an Alpine Linux Hard-disk installation ==

When Alpine Linux is installed to hard drive, upgrading the installation is simple.

{{Using_Internet_Repositories_for_apk-tools}}

{{Note|For upgrading to Alpine 1.9 / 1.10, the following steps apply. Alpine 2.x is treated slightly differently (See below).}}

Ensure you have the latest available version of the Alpine Linux Package Manager first before upgrading anything else:
{{Cmd|apk add -u apk-tools}}

Finally, upgrade all remaining packages, including the kernel if applicable:
{{Cmd|apk upgrade
sync}}

{{Note|For upgrading to Alpine 2.x, the following steps apply.}}

Ensure you have the latest available version of the Alpine Linux Package Manager first before upgrading anything else:
{{Cmd|apk add -u apk-tools}}

Remove GNU Wget before attempting an upgrade:
{{Cmd|apk del wget}}

Finally, upgrade all remaining packages, including the kernel. The --available switch is used to force all packages to be upgraded, even if they have the same version number, due to changes in uClibc:
{{Cmd|apk upgrade --update-cache --available
sync}}

{{Note|You will need to restart any services that have been upgraded to begin using the upgraded versions. If the kernel is upgraded, you will need to reboot to begin using the upgraded version.}}

== Upgrading Separate Boot Media ==

You may have an installation where the boot media being used (such as a CD, for example) is separate from the media used to store the configuration information. In this case, simply download the latest ISO, and replace the boot media contents with the contents of the latest ISO. If you are booting from a CD, this would simply mean replacing the CD with a CD made from the new image and rebooting the Alpine Linux box.

== Upgrading Alpine Linux on CF/USB ==

Your installation may consist of Alpine Linux running on Compact Flash or USB media. In most cases, it should be sufficient to upgrade most packages using the '''Alpine Linux Hard-disk Installation''' upgrade procedures described above. However, for new packages to survive after a reboot, you should enable [[How_to_enable_APK_caching|APK caching]].

{{Warning|As the newer version of alpine may include kernel upgrades, simply pointing the Alpine Linux Package Manager to an Internet-based repository and running ''apk upgrade'' will not be enough, as kernel components are not upgraded when Alpine Linux is run from memory.}}

{{Upgrading_Alpine_environmentvars}}

=== Upgrade Step-by-Step ===

Start by checking that you have enough space on your media.<BR>
You need at least 400MB available space.
{{Cmd|df -h | grep "Filesystem\|$LBU_MEDIA"}}

==== Download and verify new release ====

Start downloading a new '.iso' and a '.sha1' file
{{Cmd|cd /media/$LBU_MEDIA
wget -c {{#latestalp:alpine|url}}
wget {{#latestalp:alpine|url}}.sha1}}

Check integrity of the downloaded files ''(it might take some time)''
{{Cmd|sha1sum -c {{#latestalp:alpine|file}}.sha1}}
''The output of the above command should say 'OK'.<BR>''
''If says 'FAILED', delete the iso file and download it again.''

==== Copy the new release ====
{{Note|There is a tool, ''setup-bootable'', in alpine-1.10.4 and newer, that does the mounting and copying for you. With this tool simply do: {{Cmd|setup-bootable -u {{#latestalp:alpine|file}} /media/$LBU_MEDIA}}
}}

Mount the ISO.

{{Cmd|mount -t iso9660 {{#latestalp:alpine|file}} /mnt}}

Back up files that you have modified. For example, you might have modified ''syslinux.cfg'' to show console output on a serial port.<BR>

{{Cmd|cp /media/$LBU_MEDIA/syslinux.cfg /media/$LBU_MEDIA/syslinux.cfg.my}}

Install the '''rsync''' package if necessary, and copy the files:

{{Cmd|cd /mnt
apk add rsync
rsync --delete -rltv .alpine-release * /media/$LBU_MEDIA/}}

Restore your backed up files ''(in case you had any)''

{{Cmd|mv -f /media/$LBU_MEDIA/syslinux.cfg.my /media/$LBU_MEDIA/syslinux.cfg}}

Make sure that all files are permanently saved in right place

{{Cmd|sync}}

==== Clean up ====
Clean up the downloaded/unpacked files
{{Cmd|cd ..
umount /mnt
rm /media/$LBU_MEDIA/{{#latestalp:alpine|file}}
rm /media/$LBU_MEDIA/{{#latestalp:alpine|file}}.sha1}}

=== Save changes ===
Now that all upgrades are done, we should save our settings to our media (which you hopefully have backed up prior to doing this upgrade).
{{Cmd|lbu ci}}

=== Load new kernel ===
In most cases you will need to reboot Alpine Linux (especially if there are changes in the kernel):
{{Cmd|reboot}}
{{Note|If you know what you are doing, you might not need to reboot. But make sure that all services affected by the upgrade are restarted.}}

=== Update remaining packages from Web repository ===

* Check that /etc/apk/repositories reflects the current version, for example, for 2.1 it could say:
http://dl-3.alpinelinux.org/alpine/v2.1/packages/main
* Upgrade packages from Web.
{{Cmd|apk update
apk add -u apk-tools
apk upgrade -U}}

Zabbix - cgi and mysql

2011-01-07T07:39:04Z

Djhughes: permissions for fping

Zabbix - cgi and mysql

2010-12-16T02:46:46Z

Djhughes: use readproc group for zabbix-agentd

Zabbix - cgi and mysql

2010-12-09T03:35:54Z

Djhughes: Updated documentation

ISP Mail Server HowTo

2010-08-27T14:49:48Z

Djhughes: restart services

[[Category:mail]]
== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

/etc/init.d/mini_httpd stop
apk del mini_httpd
mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Get a web certificate, and install it. You have two options: 1. If you want to use a self-signed cert, you can use the instructions found at [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]] to generate it. 2. Use the certificate created with the '''setup-acf''' command.

'''Option 1:'''
If you create your own self-signed certificate, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certificate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

'''Option 2:'''
If you prefer to just use the default certificate created with the '''setup-acf''' command, then you will need to do the following:

setup-acf

During the above process, mini_httpd will be started, if it isn't already, and a certificate will be created. Once you have completed the setup-acf steps, do the following to move the certificate files to the correct location for lighttpd to use.

mv /etc/ssl/mini_httpd/server.pem /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
}
</pre>

If you went with Option 1 above, then add an additional line underneath the ssl.pemfile line, so that the section appears as follows:

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):

wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.3.2/postfixadmin-2.3.2.tar.gz
tar zxvf postfixadmin-2.3.2.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3.2/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to https://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to https://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop3 pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no
auth_username_format = %Lu

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}

protocol imap {
mail_plugins = autocreate
}
plugin {
autocreate = Trash
autocreate2 = Spam
autocreate3 = Sent
autosubscribe = Trash
autosubscribe2 = Spam
autosubscribe3 = Sent

}

</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add teh following inside the ''auth default'' stanza:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.11
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select '/var/mail/domains/' || maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Again, change the password above to your postfix user password, and protect the file from prying eyes:
chown root:root /etc/dovecot/dovecot-dict-quota.conf
chmod 600 /etc/dovecot/dovecot-dict-quota.conf

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

Change permissions on the /var/log/dovecot* log files, so that the vmail user can write to them:

chown vmail:vmail /var/log/dovecot*

Restart Postfix and Dovecot:

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Verify that you have at least the following in /etc/postfix/main.cf. Unless you have followed the Relay for Authenticated Users section above, set '''smtpd_tls_auth_only = no''', otherwise leave it set to '''yes''':

<pre>
# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
# Set the next line to no if TLS auth is not configured
smtpd_tls_auth_only = no
</pre>

* Ensure you have this section in /etc/dovecot/dovecot.conf, inside the ''auth default'' stanza:

<pre>
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
</pre>

* Restart the relevant services:

<pre>
/etc/init.d/postfix restart
/etc/init.d/dovecot restart
</pre>

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

==== Enable Plug-ins ====

RoundCube has various useful plug-ins, which could be found in ''/usr/share/webapps/roundcube/plugins'' directory. For example you may want to enable ''password'' plug-in to let users change their passwords directly from RoundCube using an extra Password Tab added to User Settings.

* Grant limited permissions for ''roundcube'' database role
psql -U postgres postfix
postfix=# GRANT UPDATE (password,modified) ON mailbox TO roundcube;
postfix=# GRANT SELECT (username) ON mailbox TO roundcube;
postfix=# GRANT INSERT ON log TO roundcube;
postfix=# \q

* Setup ''password'' plug-in parameters in ''/usr/share/webapps/roundcube/plugins/password/config.inc.php''
mv /usr/share/webapps/roundcube/plugins/password/config.inc.php.dist /usr/share/webapps/roundcube/plugins/password/config.inc.php
vi /usr/share/webapps/roundcube/plugins/password/config.inc.php

<pre>
$rcmail_config['password_minimum_length'] = 7;
$rcmail_config['password_require_nonalpha'] = true;
...
$rcmail_config['password_db_dsn'] = 'pgsql://roundcube:<roundcube_password>@localhost/postfix';
...
$rcmail_config['password_query'] = "UPDATE mailbox set password = %c, modified = NOW() where username = %u; INSERT INTO log (timestamp,username,domain,action,data) VALUES (NOW(),%u || ' (' || %h || ')',%d,'edit_password',%u)";
</pre>

* Enable ''password'' plug-in
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['plugins'] = array('password');
</pre>

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': The psqlodbc package is currently unavailable

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

Put the following into a new file called '''script''':

<pre>
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL
);

ALTER TABLE ldap_oc_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_oc_mappings ADD PRIMARY KEY (id);

CREATE TABLE ldap_attr_mappings (
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL
);

ALTER TABLE ldap_attr_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_attr_mappings ADD PRIMARY KEY (id);

CREATE VIEW ldap_dcs AS
((SELECT (domain.id + 100000) AS id,
('dc='::text || replace((domain.domain)::text, '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL')
UNION
(SELECT 100000 AS id,
('dc=' || regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
(regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS domain
FROM domain
WHERE domain.domain <> 'ALL'
LIMIT 1));

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
replace(regexp_replace((mailbox.username)::text, '.*@', ''::text), '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

Put the following into a new file called '''script''':

<pre>
COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Check that "ldap_dcs" view looks something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view looks something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
# by peername.ip=<IP>%<netmask> read
# by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

In order to enable php-ldap support you need to restart lighttpd server

/etc/init.d/lighttpd restart

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'sql';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('sql','example.com');
</pre>

* Fix PostfixAdmin to work with the new table definition

Edit /var/www/domains/example.com/www/postfixadmin/list-domain.php. Replace the line:
<pre>
SELECT domain.* , COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>
With the lines:
<pre>
SELECT domain.domain, domain.description, domain.aliases, domain.mailboxes,
domain.maxquota, domain.quota, domain.transport, domain.backupmx, domain.created,
domain.modified, domain.active, COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''in addition to'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

'''Note:''' If you provide SSL access for multiple domain site you may need to follow http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL#SSL-on-multiple-domains in order to provide multi-domain certificates. If you would like to redirect hosts to their secure equivalents use the following instructions http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

ISP Mail Server HowTo

2010-08-27T14:44:24Z

Djhughes: check to make sure sasl is enabled for dovecot/postfix

[[Category:mail]]
== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

/etc/init.d/mini_httpd stop
apk del mini_httpd
mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Get a web certificate, and install it. You have two options: 1. If you want to use a self-signed cert, you can use the instructions found at [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]] to generate it. 2. Use the certificate created with the '''setup-acf''' command.

'''Option 1:'''
If you create your own self-signed certificate, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certificate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

'''Option 2:'''
If you prefer to just use the default certificate created with the '''setup-acf''' command, then you will need to do the following:

setup-acf

During the above process, mini_httpd will be started, if it isn't already, and a certificate will be created. Once you have completed the setup-acf steps, do the following to move the certificate files to the correct location for lighttpd to use.

mv /etc/ssl/mini_httpd/server.pem /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
}
</pre>

If you went with Option 1 above, then add an additional line underneath the ssl.pemfile line, so that the section appears as follows:

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):

wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.3.2/postfixadmin-2.3.2.tar.gz
tar zxvf postfixadmin-2.3.2.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3.2/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to https://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to https://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop3 pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no
auth_username_format = %Lu

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}

protocol imap {
mail_plugins = autocreate
}
plugin {
autocreate = Trash
autocreate2 = Spam
autocreate3 = Sent
autosubscribe = Trash
autosubscribe2 = Spam
autosubscribe3 = Sent

}

</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add teh following inside the ''auth default'' stanza:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.11
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select '/var/mail/domains/' || maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Again, change the password above to your postfix user password, and protect the file from prying eyes:
chown root:root /etc/dovecot/dovecot-dict-quota.conf
chmod 600 /etc/dovecot/dovecot-dict-quota.conf

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

Change permissions on the /var/log/dovecot* log files, so that the vmail user can write to them:

chown vmail:vmail /var/log/dovecot*

Restart Postfix and Dovecot:

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

Verify that you have at least the following in /etc/postfix/main.cf. Unless you have followed the Relay for Authenticated Users section above, set '''smtpd_tls_auth_only = no''', otherwise leave it set to '''yes''':

<pre>
# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
# Set the next line to no if TLS auth is not configured
smtpd_tls_auth_only = no
</pre>

Ensure you have this section in /etc/dovecot/dovecot.conf, inside the ''auth default'' stanza:

<pre>
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
</pre>

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

==== Enable Plug-ins ====

RoundCube has various useful plug-ins, which could be found in ''/usr/share/webapps/roundcube/plugins'' directory. For example you may want to enable ''password'' plug-in to let users change their passwords directly from RoundCube using an extra Password Tab added to User Settings.

* Grant limited permissions for ''roundcube'' database role
psql -U postgres postfix
postfix=# GRANT UPDATE (password,modified) ON mailbox TO roundcube;
postfix=# GRANT SELECT (username) ON mailbox TO roundcube;
postfix=# GRANT INSERT ON log TO roundcube;
postfix=# \q

* Setup ''password'' plug-in parameters in ''/usr/share/webapps/roundcube/plugins/password/config.inc.php''
mv /usr/share/webapps/roundcube/plugins/password/config.inc.php.dist /usr/share/webapps/roundcube/plugins/password/config.inc.php
vi /usr/share/webapps/roundcube/plugins/password/config.inc.php

<pre>
$rcmail_config['password_minimum_length'] = 7;
$rcmail_config['password_require_nonalpha'] = true;
...
$rcmail_config['password_db_dsn'] = 'pgsql://roundcube:<roundcube_password>@localhost/postfix';
...
$rcmail_config['password_query'] = "UPDATE mailbox set password = %c, modified = NOW() where username = %u; INSERT INTO log (timestamp,username,domain,action,data) VALUES (NOW(),%u || ' (' || %h || ')',%d,'edit_password',%u)";
</pre>

* Enable ''password'' plug-in
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['plugins'] = array('password');
</pre>

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': The psqlodbc package is currently unavailable

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

Put the following into a new file called '''script''':

<pre>
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL
);

ALTER TABLE ldap_oc_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_oc_mappings ADD PRIMARY KEY (id);

CREATE TABLE ldap_attr_mappings (
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL
);

ALTER TABLE ldap_attr_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_attr_mappings ADD PRIMARY KEY (id);

CREATE VIEW ldap_dcs AS
((SELECT (domain.id + 100000) AS id,
('dc='::text || replace((domain.domain)::text, '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL')
UNION
(SELECT 100000 AS id,
('dc=' || regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
(regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS domain
FROM domain
WHERE domain.domain <> 'ALL'
LIMIT 1));

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
replace(regexp_replace((mailbox.username)::text, '.*@', ''::text), '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

Put the following into a new file called '''script''':

<pre>
COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Check that "ldap_dcs" view looks something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view looks something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
# by peername.ip=<IP>%<netmask> read
# by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

In order to enable php-ldap support you need to restart lighttpd server

/etc/init.d/lighttpd restart

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'sql';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('sql','example.com');
</pre>

* Fix PostfixAdmin to work with the new table definition

Edit /var/www/domains/example.com/www/postfixadmin/list-domain.php. Replace the line:
<pre>
SELECT domain.* , COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>
With the lines:
<pre>
SELECT domain.domain, domain.description, domain.aliases, domain.mailboxes,
domain.maxquota, domain.quota, domain.transport, domain.backupmx, domain.created,
domain.modified, domain.active, COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''in addition to'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

'''Note:''' If you provide SSL access for multiple domain site you may need to follow http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL#SSL-on-multiple-domains in order to provide multi-domain certificates. If you would like to redirect hosts to their secure equivalents use the following instructions http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

Obtaining user information via SNMP

2010-07-30T03:29:52Z

Djhughes: added some configuration.

{{Draft}}

This documents how to use the squark-auth squid authentication helper to obtain a user-name or other information from via SNMP from a switch. The example uses an HP Procurve 5400zl switch.

It is possible to configure HP Procurve switches to do port-based web authentication. A network device initiates traffic on a port, and is assigned to a "guest" vlan with limited or no network access. A browser needs to be opened, and the user is given a user-name and password prompt. For more information on configuring web-based authentication on an HP switch, see [http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/AN-S1_Web-Authentication-final-080608.pdf this link].

The squark-auth squid authentication helper queries the HP switch via SNMP using standard MIBs to obtain the user-name associated with the IP address, which it injects into the squid access logs, which can help web-log auditors analyse . For more information see the squark-auth documentation [http://insert.reallink.com here].

=== Enable SNMP Lookups on HP Procurve Device ===

Create an SNMP read-only community on your HP Procurve Switch, or use one that already exists (the following example uses "public" as a community name - adjust as you like):

{{cmd|configure
snmp-server community "public" restricted
snmp-server response-source dst-ip-of-request
exit }}

The 2nd last command ensures that the SNMP replies are always returned from the switch's primary management interface. Run the above commands on all switches that the squark-auth plugin will run snmp queries against. Run them exactly as they appear.

=== Install Squark and Configure Squid ===

{{cmd|apk add squark}}

The squark-auth binary used by squid is copied into the /usr/local/bin directory. All further configuration is done in /etc/squid/squid.conf:

{{Note| The following configuration assumes that you are using SNMPv2c}}

<pre>
#external ACL squid auth helper
# Squark authentication external acl
external_acl_type squark_auth children=1 ttl=1800 negative_ttl=60 concurrency=128 grace=10 %SRC /usr/local/bin/squark-auth -c <communityname> -r <ip.of.switch> -i VLAN<id> -v <id>
acl Zone_D_SquarkAuth external squark_auth
</pre>

Replace <communityname> with the SNMPv2 community name you have configured on your switch. Replace <ip.of.switch> with the IP of your switch, and replace <id> with the VLAN Id number of the VLAN that the clients will be connected to.

Here is an example to illustrate how the above configuration could look:

<pre>
#external ACL squid auth helper
# Squark authentication external acl
external_acl_type squark_auth children=1 ttl=1800 negative_ttl=60 concurrency=128 grace=10 %SRC /usr/local/bin/squark-auth -c public -r 192.168.0.1 -i VLAN5 -v 5
acl Zone_D_SquarkAuth external squark_auth
</pre>

{{Note| If you have multiple switches in your environment, Link Layer Discovery Protocol (LLDP) should be enabled in order for squark-auth to work properly. If the IP of the switch that you have specified is a core switch (such as in a star topology network, and the all the switches in your network have LLDP enabled (usually enabled by default), then your network topology should be automatically discoverable.}}

{{Note| For more information on the squark_auth options available, run the command '''man squark-auth'''.}}

=== Optional: SNMP v3 Configuration ===

Squark will use the configuration specified in '''/etc/snmp/snmp.conf''' when snmpv3 is specified as the preferred version of SNMP to use.

Ensure that you have at least the following in '''/etc/snmp/snmp.conf''':

<pre>
defContext none
defSecurityName <username>
defAuthPassphrase <password>
defVersion 3
defAuthType MD5
defSecurityLevel authNoPriv
</pre>

Adjust the above as dictated by the SNMP v3 configuration on your switch.

Tutorials and Howtos

2010-07-26T14:31:38Z

Djhughes: Reverted edits by MyrtaZiobro (Talk); changed back to last version by Djhughes

[[Image:package_edutainment.svg|left|link=]]
{{TOC right}}'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''
The tutorials are hands-on and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good examples. The output in one step is the starting point for the following step.<br/>
Howtos are smaller articles explaining how to perform a particular task with Alpine Linux. We encourage people to send in both complete articles as well as requesting topics to be covered. If you think you have the skills and knowledge to write an Alpine Linux related article please do so on this Wiki. If you want to request a topic, please add your request in this page [[Talk:Tutorials_and_Howtos|Discussion]].

== Installation ==
* [[Bootstrapping Alpine on Soekris net4xxx]]
* [[Bootstrapping Alpine on PC Engines ALIX.3]]
* [[Setting up a software raid1 array]]
* [[Setting up Logical Volumes with LVM]]
* [[Setting up a /var partition on software IDE raid1]]
* [[Replacing non-Alpine Linux with Alpine remotely]]
* [[Booting Alpine on an HP ML350 G6]]
* [[Installing XFCE as a VirtualBox guest]]
* [[Enable Serial Console on Boot]]
* [[How to enable APK caching]]
* [[Install Alpine on VirtualBox]]
* [[Upgrading to Edge]]

== Networking ==
* [[Howto Configure a Network Bridge]]
* [[Setting up a OpenVPN-server with Alpine]]
* [[Setting up traffic monitoring using rrdtool (and snmp)]]
* [[Setting up Zaptel/Asterisk on Alpine]]
* [[Using HSDPA modem]]
* [[Using Alpine on Windows domain with IPSEC isolation]]
* [[Using Racoon for Remote Sites]]
* [[High Performance and Fault Tolerant Routing with Alpine Linux]]

== Misc ==
* [[Setting up lm_sensors]]
* [[Setting up Satellite Internet Connection]]
* [[Setting up Streaming an Asterisk Channel]]
* [[Formatting HD/Floppy/Other]]
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]
* [[Hosting services on Alpine]] ''(This applies to hosting mail, webservices and other services)''
** [[Setting up postfix with virtual domains]]
** [[Protecting your email server with Alpine]]
** [[Hosting Web/Email services on Alpine]]
* [[Running Alpine Linux As a QEMU networked Guest ]]
* [[Screen on console]]
* [[Using espeak on Alpine Linux]]
* [[Generating SSL certs with ACF]]
* [[Setting up a ssh-server]]
* [[Changing passwords]]
* [[Multiple Instances of Services]]
* [[Setting up NRPE daemon]]
* [[IPTV How To]]
* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-serivce ISP mail server)''
* [[XFCE Setup]]
* [[Freepbx on Alpine Linux]]
* [[Setting up Transparent Squid Proxy]] ''(Covers Squid proxy and URL Filtering system)''
** [[Obtaining user information via SNMP]] ''(Using the Squark Squid authentication helper)''

== iSCSI ==
* [[iSCSI Target and Initiator Configuration]]
* [[iSCSI Raid and Clustered File Systems]]

== Vserver ==
* [[Setting up a basic vserver]]

== Obsolete Docs ==
Those are candidates for rewriting/removal.
* [[Native Harddisk Install]]
* [[Installing XUbuntu using Alpine boot floppy]]
* [[Setting up trac wiki]]

Setting up Transparent Squid Proxy

2010-07-23T15:40:33Z

Djhughes:

{{Draft}}

This document covers how to set up squid as a transparent proxy server.

The following is assumed:
* You have already install a server running Alpine Linux as a base, with Alpine 1.10.6 or later.
* Your proxy server will reside in a DMZ zone, separated from the network segment your clients are in. Other implementations are covered [http://wiki.squid-cache.org/SquidFaq/InterceptionProxy here].
** In order to transparently redirect web traffic from your clients to the proxy server in the DMZ, you will need to configure your intercepting router to DNAT traffic.

=== Install Squid ===

{{Cmd|apk add acf-squid}}

Configure squid with at least the following configuration:

{{Note|substitute '''proxy.example.com''' and the '''mynet''' acl for your own desired hostname and network subnet respectively}}

<pre>
# This makes squid transparent
http_port 8080 transparent

visible_hostname proxy.example.com
cache_mem 8 MB
cache_dir aufs /var/cache/squid 900 16 256

# Even though we only use one proxy, this line is recommended
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html
hierarchy_stoplist cgi-bin ?

# Keep 7 days of logs
logfile_rotate 7

access_log /var/log/squid/access.log squid
cache_store_log none
pid_filename /var/run/squid.pid

# Web auditors want to see the full uri, even with the query terms
strip_query_terms off

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

coredump_dir /var/cache/squid

#
# Authentication
#

# Optional authentication methods (NTLM, etc) can go here

#
# Access Control Lists (ACL's)
#

# These settings are recommended by squid
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

# Standard ACL settings
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8004 9000
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT

# Require authentication
#acl userlist proxy_auth REQUIRED
acl userlist src 0.0.0.0/0.0.0.0

# Definition of network subnets
acl mynet src 192.168.0.0/24

#
# Access restrictions
#

cache deny QUERY

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Allow hosts in mynet subnet to access the entire Internet without being
# authenticated
http_access allow mynet

# Denying all access not explicitly allowed
http_access deny all

http_reply_access allow all
icp_access allow all
</pre>

Check squid with:
{{Cmd|squid -k reconfigure}}

Start squid:
{{Cmd|/etc/init.d/squid start}}

Add squid to boot-up sequence:
{{Cmd|rc-update add squid default}}

Remember to add port 8080 to the permitted ports clients can connect on to any firewalls on your proxy server or inbetween the proxy and the clients.

If you are running an Alpine Linux firewall on the firewall separating the Proxy from the clients, you will need to redirect all traffic from your client subnet on port 80 to the proxy server on port 8080 to allow web traffic to be proxied.

If you are running shorewall, add this to your /etc/shorewall/rules file:

{{Note|Substitute '''loc''' and '''dmz:172.16.1.2:8080''' for your client subnet zone and proxy server zone and IP as defined in /etc/shorewall/zones.}}

<pre>
## This forces all web traffic to be redirected to the proxy on port 8080
DNAT loc dmz:172.16.1.2:8080 tcp 80
</pre>

And restart shorewall with:

{{Cmd|shorewall check}}
{{Cmd|shorewall restart}}

Template:Draft

2010-07-23T15:39:33Z

Djhughes: created using K0gen's idea

<noinclude>{{Template}}

== Template Documentation ==
This template should be used for work-in-progress pages.
Example:
<nowiki>{{Draft}}</nowiki>

Will produce:
{{Draft}}

</noinclude><onlyinclude>[[Category:Draft]]<center>
{|style="width: 33em; padding:2px; margin:0; margin-bottom:10px; background-color:#f6f6f6; border:1px solid #aaa; -moz-border-radius-bottomright: 0.5em; -moz-border-radius-bottomleft: 1em; border-radius-bottomright: 0.5em; border-radius-bottomleft: 1em; -webkit-border-bottom-right-radius: 0.5em; -webkit-border-bottom-left-radius: 1em;"
|<div style="font-size: 1.5em; font-weight:bold;"> [[Image:Underconstruction_clock_icon_gray.svg‎|64px|left|link=]] This page is work in progress ... </div><p style="text-align: center; font-size: 87%;">This page is under construction. Do not follow this document until this notice is removed.</p>
|}</center></onlyinclude>

Template:Sandbox

2010-07-23T15:33:52Z

Djhughes:

<noinclude>{{Template}}
== Template Documentation ==
This template should be used for commands
Example:
<nowiki>{{Draft}}</nowiki>

Will produce:
<center>
{|style="width: 33em; padding:2px; margin:0; margin-bottom:10px; background-color:#f6f6f6; border:1px solid #aaa; -moz-border-radius-bottomright: 0.5em; -moz-border-radius-bottomleft: 1em; border-radius-bottomright: 0.5em; border-radius-bottomleft: 1em; -webkit-border-bottom-right-radius: 0.5em; -webkit-border-bottom-left-radius: 1em;"
|<div style="font-size: 1.5em; font-weight:bold;"> [[Image:Underconstruction_clock_icon_gray.svg‎|64px|left|link=]] This page is work in progress ... </div><p style="text-align: center; font-size: 87%;">This page is under construction. Do not follow this document until this notice is removed.</p>
|}</center>

== [[Image:Newspaper_Cover.svg‎|32px|link=]] Recent News ==
{{Sandbox|2010-07-16 Alpine 2.0.0 Beta3 released|
This is the first announced beta release for v2.0 series. See [[Release Notes for Alpine 2.0.0_beta3]] for more details of the release.
|[[User:ncopa|ncopa]] 20:58, 16 July 2010 (GMT)
}}

{{Sandbox|2010-07-16 Alpine 2.0.0 Beta3 released|
This is the first announced beta release for v2.0 series. See [[Release Notes for Alpine 2.0.0_beta3]] for more details of the release.
|[[User:ncopa|ncopa]] 20:58, 16 July 2010 (GMT)
}}

</noinclude><onlyinclude>
<span class="editsection plainlinks" id="doc_editlinks">[[{{fullurl:News_talk:{{{1}}}|}} Discuss]]</span>
<h5>{{{1}}}</h5>
{{{2}}}
<div style="text-align: right;">{{{3}}}</div>
----
</onlyinclude>

Setting up Transparent Squid Proxy

2010-07-23T15:24:57Z

Djhughes: added some templates

This document covers how to set up squid as a transparent proxy server.

The following is assumed:
* You have already install a server running Alpine Linux as a base, with Alpine 1.10.6 or later.
* Your proxy server will reside in a DMZ zone, separated from the network segment your clients are in. Other implementations are covered [http://wiki.squid-cache.org/SquidFaq/InterceptionProxy here].
** In order to transparently redirect web traffic from your clients to the proxy server in the DMZ, you will need to configure your intercepting router to DNAT traffic.

=== Install Squid ===

{{Cmd|apk add acf-squid}}

Configure squid with at least the following configuration:

{{Note|substitute '''proxy.example.com''' and the '''mynet''' acl for your own desired hostname and network subnet respectively}}

<pre>
# This makes squid transparent
http_port 8080 transparent

visible_hostname proxy.example.com
cache_mem 8 MB
cache_dir aufs /var/cache/squid 900 16 256

# Even though we only use one proxy, this line is recommended
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html
hierarchy_stoplist cgi-bin ?

# Keep 7 days of logs
logfile_rotate 7

access_log /var/log/squid/access.log squid
cache_store_log none
pid_filename /var/run/squid.pid

# Web auditors want to see the full uri, even with the query terms
strip_query_terms off

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

coredump_dir /var/cache/squid

#
# Authentication
#

# Optional authentication methods (NTLM, etc) can go here

#
# Access Control Lists (ACL's)
#

# These settings are recommended by squid
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

# Standard ACL settings
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8004 9000
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT

# Require authentication
#acl userlist proxy_auth REQUIRED
acl userlist src 0.0.0.0/0.0.0.0

# Definition of network subnets
acl mynet src 192.168.0.0/24

#
# Access restrictions
#

cache deny QUERY

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Allow hosts in mynet subnet to access the entire Internet without being
# authenticated
http_access allow mynet

# Denying all access not explicitly allowed
http_access deny all

http_reply_access allow all
icp_access allow all
</pre>

Check squid with:
{{Cmd|squid -k reconfigure}}

Start squid:
{{Cmd|/etc/init.d/squid start}}

Add squid to boot-up sequence:
{{Cmd|rc-update add squid default}}

Remember to add port 8080 to the permitted ports clients can connect on to any firewalls on your proxy server or inbetween the proxy and the clients.

If you are running an Alpine Linux firewall on the firewall separating the Proxy from the clients, you will need to redirect all traffic from your client subnet on port 80 to the proxy server on port 8080 to allow web traffic to be proxied.

If you are running shorewall, add this to your /etc/shorewall/rules file:

{{Note|Substitute '''loc''' and '''dmz:172.16.1.2:8080''' for your client subnet zone and proxy server zone and IP as defined in /etc/shorewall/zones.}}

<pre>
## This forces all web traffic to be redirected to the proxy on port 8080
DNAT loc dmz:172.16.1.2:8080 tcp 80
</pre>

And restart shorewall with:

{{Cmd|shorewall check}}
{{Cmd|shorewall restart}}

Template:Cmd

2010-07-23T15:23:35Z

Djhughes: increased font size

<noinclude>{{Template}}
== Template Documentation ==
This template should be used for commands<br />
Example:
<nowiki>{{Cmd|apk add -U}}</nowiki>

Will produce:
{{Cmd|apk add -U}}

</noinclude><onlyinclude><div style="background-color:#eeeeee; color:#111111; padding:.05em .5em; margin:.5em; border:1px solid #dddddd; border-left:2px solid #dddddd; white-space:pre; font-family:monospace; font-size:10pt;">{{{1}}}</div></onlyinclude>

Obtaining user information via SNMP

2010-07-23T12:35:26Z

Djhughes: began work on squark-auth squid helper documentation

'''Draft''' - Work in progress

This documents how to use the squark-auth squid authentication helper to obtain a user-name or other information from via SNMP from a switch. The example uses an HP Procurve 5400zl switch.

It is possible to configure HP Procurve switches to do port-based web authentication. A network device initiates traffic on a port, and is assigned to a "guest" vlan with limited or no network access. A browser needs to be opened, and the user is given a user-name and password prompt. For more information on configuring web-based authentication on an HP switch, see [http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/AN-S1_Web-Authentication-final-080608.pdf this link].

The squark-auth squid authentication helper queries the HP switch via SNMP using standard MIBs to obtain the user-name associated with the IP address, which it injects into the squid access logs, which can help web-log auditors analyse . For more information see the squark-auth documentation [http://insert.reallink.com here].

=== Enable SNMP Lookups on HP Procurve Device ===

Create an SNMP read-only community on your HP Procurve Switch, or use one that already exists (the following example uses "public" as a community name - adjust as you like):

configure
snmp-server community "public" restricted
snmp-server response-source dst-ip-of-request
exit

The 2nd last command ensures that the SNMP replies are always returned from the switch's primary management interface. Run the above commands on all switches that the squark-auth plugin will run snmp queries against. Run them exactly as they appear.

=== Install Squark and Configure Squid ===

apk add squark

The squark-auth binary used by squid is copied into the /usr/local/bin directory. All further configuration is done in /etc/squid/squid.conf:

<pre>
#external ACL squid auth helper
insert code here
</pre>

Setting up Transparent Squid Proxy

2010-07-23T09:55:02Z

Djhughes:

This document covers how to set up squid as a transparent proxy server.

The following is assumed:
* You have already install a server running Alpine Linux as a base, with Alpine 1.10.6 or later.
* Your proxy server will reside in a DMZ zone, separated from the network segment your clients are in. Other implementations are covered here
** In order to transparently redirect web traffic from your clients to the proxy server in the DMZ, you will need to configure

=== Install Squid ===

apk add acf-squid

Configure squid with at least the following configuration:

'''Note:''' substitute '''proxy.example.com''' and the '''mynet''' acl for your own desired hostname and network subnet respectively):

<pre>
# This makes squid transparent
http_port 8080 transparent

visible_hostname proxy.example.com
cache_mem 8 MB
cache_dir aufs /var/cache/squid 900 16 256

# Even though we only use one proxy, this line is recommended
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html
hierarchy_stoplist cgi-bin ?

# Keep 7 days of logs
logfile_rotate 7

access_log /var/log/squid/access.log squid
cache_store_log none
pid_filename /var/run/squid.pid

# Web auditors want to see the full uri, even with the query terms
strip_query_terms off

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

coredump_dir /var/cache/squid

#
# Authentication
#

# Optional authentication methods (NTLM, etc) can go here

#
# Access Control Lists (ACL's)
#

# These settings are recommended by squid
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

# Standard ACL settings
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8004 9000
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT

# Require authentication
#acl userlist proxy_auth REQUIRED
acl userlist src 0.0.0.0/0.0.0.0

# Definition of network subnets
acl mynet src 192.168.0.0/24

#
# Access restrictions
#

cache deny QUERY

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Allow hosts in mynet subnet to access the entire Internet without being
# authenticated
http_access allow mynet

# Denying all access not explicitly allowed
http_access deny all

http_reply_access allow all
icp_access allow all
</pre>

Check squid with:
squid -k reconfigure

Start squid:
/etc/init.d/squid start

Add squid to boot-up sequence:
rc-update add squid default

Remember to add port 8080 to the permitted ports clients can connect on to any firewalls on your proxy server or inbetween the proxy and the clients.

If you are running an Alpine Linux firewall on the firewall separating the Proxy from the clients, you will need to redirect all traffic from your client subnet on port 80 to the proxy server on port 8080 to allow web traffic to be proxied.

If you are running shorewall, add this to your /etc/shorewall/rules file:

'''Note:''' substitute '''loc''' and '''dmz:172.16.1.2:8080''' for your client subnet zone and proxy server zone and IP as defined in /etc/shorewall/zones.

## This forces all web traffic to be redirected to the proxy on port 8080
DNAT loc dmz:172.16.1.2:8080 tcp 80

And restart shorewall with:

shorewall check
shorewall restart

Setting up Transparent Squid Proxy

2010-07-23T09:54:21Z

Djhughes: created page

== Squid Transparent Proxy Server ==

This document covers how to set up squid as a transparent proxy server.

The following is assumed:
* You have already install a server running Alpine Linux as a base, with Alpine 1.10.6 or later.
* Your proxy server will reside in a DMZ zone, separated from the network segment your clients are in. Other implementations are covered here
** In order to transparently redirect web traffic from your clients to the proxy server in the DMZ, you will need to configure

=== Install Squid ===

apk add acf-squid

Configure squid with at least the following configuration:

'''Note:''' substitute '''proxy.example.com''' and the '''mynet''' acl for your own desired hostname and network subnet respectively):

<pre>
# This makes squid transparent
http_port 8080 transparent

visible_hostname proxy.example.com
cache_mem 8 MB
cache_dir aufs /var/cache/squid 900 16 256

# Even though we only use one proxy, this line is recommended
# More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html
hierarchy_stoplist cgi-bin ?

# Keep 7 days of logs
logfile_rotate 7

access_log /var/log/squid/access.log squid
cache_store_log none
pid_filename /var/run/squid.pid

# Web auditors want to see the full uri, even with the query terms
strip_query_terms off

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

coredump_dir /var/cache/squid

#
# Authentication
#

# Optional authentication methods (NTLM, etc) can go here

#
# Access Control Lists (ACL's)
#

# These settings are recommended by squid
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

# Standard ACL settings
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8004 9000
acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT

# Require authentication
#acl userlist proxy_auth REQUIRED
acl userlist src 0.0.0.0/0.0.0.0

# Definition of network subnets
acl mynet src 192.168.0.0/24

#
# Access restrictions
#

cache deny QUERY

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Allow hosts in mynet subnet to access the entire Internet without being
# authenticated
http_access allow mynet

# Denying all access not explicitly allowed
http_access deny all

http_reply_access allow all
icp_access allow all
</pre>

Check squid with:
squid -k reconfigure

Start squid:
/etc/init.d/squid start

Add squid to boot-up sequence:
rc-update add squid default

Remember to add port 8080 to the permitted ports clients can connect on to any firewalls on your proxy server or inbetween the proxy and the clients.

If you are running an Alpine Linux firewall on the firewall separating the Proxy from the clients, you will need to redirect all traffic from your client subnet on port 80 to the proxy server on port 8080 to allow web traffic to be proxied.

If you are running shorewall, add this to your /etc/shorewall/rules file:

'''Note:''' substitute '''loc''' and '''dmz:172.16.1.2:8080''' for your client subnet zone and proxy server zone and IP as defined in /etc/shorewall/zones.

## This forces all web traffic to be redirected to the proxy on port 8080
DNAT loc dmz:172.16.1.2:8080 tcp 80

And restart shorewall with:

shorewall check
shorewall restart

Tutorials and Howtos

2010-07-23T09:29:00Z

Djhughes:

Tutorials and Howtos

2010-07-23T09:25:11Z

Djhughes:

[[Image:package_edutainment.svg|left|link=]]
{{TOC right}}'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''
The tutorials are hands-on and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good examples. The output in one step is the starting point for the following step.<br/>
Howtos are smaller articles explaining how to perform a particular task with Alpine Linux. We encourage people to send in both complete articles as well as requesting topics to be covered. If you think you have the skills and knowledge to write an Alpine Linux related article please do so on this Wiki. If you want to request a topic, please add your request in this page [[Talk:Tutorials_and_Howtos|Discussion]].

== Installation ==
* [[Bootstrapping Alpine on Soekris net4xxx]]
* [[Bootstrapping Alpine on PC Engines ALIX.3]]
* [[Setting up a software raid1 array]]
* [[Setting up Logical Volumes with LVM]]
* [[Setting up a /var partition on software IDE raid1]]
* [[Replacing non-Alpine Linux with Alpine remotely]]
* [[Booting Alpine on an HP ML350 G6]]
* [[Installing XFCE as a VirtualBox guest]]
* [[Enable Serial Console on Boot]]
* [[How to enable APK caching]]
* [[Install Alpine on VirtualBox]]
* [[Upgrading to Edge]]

== Networking ==
* [[Howto Configure a Network Bridge]]
* [[Setting up a OpenVPN-server with Alpine]]
* [[Setting up traffic monitoring using rrdtool (and snmp)]]
* [[Setting up Zaptel/Asterisk on Alpine]]
* [[Using HSDPA modem]]
* [[Using Alpine on Windows domain with IPSEC isolation]]
* [[Using Racoon for Remote Sites]]
* [[High Performance and Fault Tolerant Routing with Alpine Linux]]

== Misc ==
* [[Setting up lm_sensors]]
* [[Setting up Satellite Internet Connection]]
* [[Setting up Streaming an Asterisk Channel]]
* [[Formatting HD/Floppy/Other]]
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]
* [[Hosting services on Alpine]] ''(This applies to hosting mail, webservices and other services)''
** [[Setting up postfix with virtual domains]]
** [[Protecting your email server with Alpine]]
** [[Hosting Web/Email services on Alpine]]
* [[Running Alpine Linux As a QEMU networked Guest ]]
* [[Screen on console]]
* [[Using espeak on Alpine Linux]]
* [[Generating SSL certs with ACF]]
* [[Setting up a ssh-server]]
* [[Changing passwords]]
* [[Multiple Instances of Services]]
* [[Setting up NRPE daemon]]
* [[IPTV How To]]
* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-serivce ISP mail server)''
* [[XFCE Setup]]
* [[Freepbx on Alpine Linux]]
* [[Setting up Transparent Squid Proxy]] ''(Covers Squid proxy and URL Filtering system)''

== iSCSI ==
* [[iSCSI Target and Initiator Configuration]]
* [[iSCSI Raid and Clustered File Systems]]

== Vserver ==
* [[Setting up a basic vserver]]

== Obsolete Docs ==
Those are candidates for rewriting/removal.
* [[Native Harddisk Install]]
* [[Installing XUbuntu using Alpine boot floppy]]
* [[Setting up trac wiki]]

How to use xdelta and download only differential update files

2010-06-10T05:06:54Z

Djhughes:

For those having a slow connection, it is possible to download a smaller differential file that contains only the new Alpine Linux version changes. If you have an ISO file of the version immediately prior to the latest version, you can then use the downloaded xdelta file to update to the latest ISO. You will still need to download the new ISO checksum file and test the integrity of the newly built ISO file. For xdelta to work you should have the three files on the same directory level, i.e.: alpine-1.10.3-1.10.4.xdelta, alpine-1.10.3-x86.iso (previous release) and the alpine-1.10.4-x86.iso.sha1

wget -c http://www.alpinelinux.org/cgi-bin/dl.cgi/v1.10/releases/alpine-1.10.3-1.10.4.xdelta
wget http://www.alpinelinux.org/cgi-bin/dl.cgi/v1.10/releases/alpine-1.10.4-x86.iso.sha1

Make sure you have xdelta3 installed and build the new ISO:

apk add xdelta3
xdelta3 -d alpine-1.10.3-1.10.4.xdelta

Check the integrity of the file:

sha1sum -c alpine-1.10.4-x86.iso.sha1

If checking the integrity of the file shows: alpine-1.10.4-x86.iso: OK then you are ready to continue.

How to use xdelta and download only differential update files

2010-06-10T05:06:05Z

Djhughes: check integrity and minor clarification

For those having a slow connection, it is possible to download a smaller differential file that contains only the new Alpine Linux version changes. If you have an ISO file of the version immediately prior to the latest version, you can then use the downloaded xdelta file to update to the latest ISO. You will still need to download the new ISO checksum file and test the integrity of the newly built ISO file. For xdelta to work you should have the three files on the same directory level, i.e.: alpine-1.10.3-1.10.4.xdelta, alpine-1.10.3-x86.iso (previous release) and the alpine-1.10.4-x86.iso.sha1

wget –c http://www.alpinelinux.org/cgi-bin/dl.cgi/v1.10/releases/alpine-1.10.3-1.10.4.xdelta
wget http://www.alpinelinux.org/cgi-bin/dl.cgi/v1.10/releases/alpine-1.10.4-x86.iso.sha1

Make sure you have xdelta3 installed and build the new ISO:

apk add xdelta3
xdelta3 -d alpine-1.10.3-1.10.4.xdelta

Check the integrity of the file:

sha1sum -c alpine-1.10.4-x86.iso.sha1

If checking the integrity of the file shows: alpine-1.10.4-x86.iso: OK then you are ready to continue.

ISP Mail Server HowTo

2010-05-21T04:45:07Z

Djhughes: corrected directory

== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Get a web certificate, and install it. You have two options: 1. If you want to use a self-signed cert, you can use the instructions found at [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]] to generate it. 2. Use the certificate created with the '''setup-acf''' command.

'''Option 1:'''
If you create your own self-signed certificate, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certificate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

'''Option 2:'''
If you prefer to just use the default certificate created with the '''setup-acf''' command, then you will need to do the following:

setup-acf

During the above process, mini_httpd will be started, if it isn't already, and a certificate will be created. Once you have completed the setup-acf steps, do the following to move the certificate files to the correct location for lighttpd to use.

mv /etc/ssl/mini_httpd/server.pem /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
}
</pre>

If you went with Option 1 above, then add an additional line underneath the ssl.pemfile line, so that the section appears as follows:

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to http://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to http://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add teh following inside the ''auth default'' stanza:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.11
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select '/var/mail/domains/' || maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Again, change the password above to your postfix user password, and protect the file from prying eyes:
chown root:root /etc/dovecot/dovecot-dict-quota.conf
chmod 600 /etc/dovecot/dovecot-dict-quota.conf

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

Change permissions on the /var/log/dovecot* log files, so that the vmail user can write to them:

chown vmail:vmail /var/log/dovecot*

Restart Postfix and Dovecot:

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

==== Enable Plug-ins ====

RoundCube has various useful plug-ins, which could be found in ''/usr/share/webapps/roundcube/plugins'' directory. For example you may want to enable ''password'' plug-in to let users change their passwords directly from RoundCube using an extra Password Tab added to User Settings.

* Grant limited permissions for ''roundcube'' database role
psql -U postgres postfix
postfix=# GRANT UPDATE (password,modified) ON mailbox TO roundcube;
postfix=# GRANT SELECT (username) ON mailbox TO roundcube;
postfix=# GRANT INSERT ON log TO roundcube;
postfix=# \q

* Setup ''password'' plug-in parameters in ''/usr/share/webapps/roundcube/plugins/password/config.inc.php''
mv /usr/share/webapps/roundcube/plugins/password/config.inc.php.dist /usr/share/webapps/roundcube/plugins/password/config.inc.php
vi /usr/share/webapps/roundcube/plugins/password/config.inc.php

<pre>
$rcmail_config['password_minimum_length'] = 7;
$rcmail_config['password_require_nonalpha'] = true;
...
$rcmail_config['password_db_dsn'] = 'pgsql://roundcube:<roundcube_password>@localhost/postfix';
...
$rcmail_config['password_query'] = "UPDATE mailbox set password = %c, modified = NOW() where username = %u; INSERT INTO log (timestamp,username,domain,action,data) VALUES (NOW(),%u || ' (' || %h || ')',%d,'edit_password',%u)";
</pre>

* Enable ''password'' plug-in
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['plugins'] = array('password');
</pre>

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': The psqlodbc package is currently unavailable

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

Put the following into a new file called '''script''':

<pre>
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL
);

ALTER TABLE ldap_oc_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_oc_mappings ADD PRIMARY KEY (id);

CREATE TABLE ldap_attr_mappings (
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL
);

ALTER TABLE ldap_attr_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_attr_mappings ADD PRIMARY KEY (id);

CREATE VIEW ldap_dcs AS
((SELECT (domain.id + 100000) AS id,
('dc='::text || replace((domain.domain)::text, '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL')
UNION
(SELECT 100000 AS id,
('dc=' || regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
(regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS domain
FROM domain
WHERE domain.domain <> 'ALL'
LIMIT 1));

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
replace(regexp_replace((mailbox.username)::text, '.*@', ''::text), '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

Put the following into a new file called '''script''':

<pre>
COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Check that "ldap_dcs" view looks something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view looks something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
# by peername.ip=<IP>%<netmask> read
# by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

In order to enable php-ldap support you need to restart lighttpd server

/etc/init.d/lighttpd restart

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'sql';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('sql','example.com');
</pre>

* Fix PostfixAdmin to work with the new table definition

Edit /var/www/domains/example.com/www/postfixadmin/list-domain.php. Replace the line:
<pre>
SELECT domain.* , COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>
With the lines:
<pre>
SELECT domain.domain, domain.description, domain.aliases, domain.mailboxes,
domain.maxquota, domain.quota, domain.transport, domain.backupmx, domain.created,
domain.modified, domain.active, COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''in addition to'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

'''Note:''' If you provide SSL access for multiple domain site you may need to follow http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL#SSL-on-multiple-domains in order to provide multi-domain certificates. If you would like to redirect hosts to their secure equivalents use the following instructions http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

ISP Mail Server HowTo

2010-05-20T07:29:19Z

Djhughes: perms on log files, and restart services

== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Get a web certificate, and install it. You have two options: 1. If you want to use a self-signed cert, you can use the instructions found at [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]] to generate it. 2. Use the certificate created with the '''setup-acf''' command.

'''Option 1:'''
If you create your own self-signed certificate, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certificate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

'''Option 2:'''
If you prefer to just use the default certificate created with the '''setup-acf''' command, then you will need to do the following:

setup-acf

During the above process, mini_httpd will be started, if it isn't already, and a certificate will be created. Once you have completed the setup-acf steps, do the following to move the certificate files to the correct location for lighttpd to use.

mv /etc/ssl/mini_httpd/server.pem /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
}
</pre>

If you went with Option 1 above, then add an additional line underneath the ssl.pemfile line, so that the section appears as follows:

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to http://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to http://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add teh following inside the ''auth default'' stanza:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.11
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select '/var/mail/domains/' || maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Again, change the password above to your postfix user password, and protect the file from prying eyes:
chown root:root /etc/dovecot/dovecot-dict-quota.conf
chmod 600 /etc/dovecot/dovecot-dict-quota.conf

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

Change permissions on the /var/log/dovecot* log files, so that the vmail user can write to them:

chown vmail:vmail /var/log/dovecot*

Restart Postfix and Dovecot:

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

==== Enable Plug-ins ====

RoundCube has various useful plug-ins, which could be found in ''/usr/share/webapps/roundcube/plugins'' directory. For example you may want to enable ''password'' plug-in to let users change their passwords directly from RoundCube using an extra Password Tab added to User Settings.

* Grant limited permissions for ''roundcube'' database role
psql -U postgres postfix
postfix=# GRANT UPDATE (password,modified) ON mailbox TO roundcube;
postfix=# GRANT SELECT (username) ON mailbox TO roundcube;
postfix=# GRANT INSERT ON log TO roundcube;
postfix=# \q

* Setup ''password'' plug-in parameters in ''/usr/share/webapps/roundcube/plugins/password/config.inc.php''
mv /usr/share/webapps/roundcube/plugins/password/config.inc.php.dist /usr/share/webapps/roundcube/plugins/password/config.inc.php
vi /usr/share/webapps/roundcube/plugins/password/config.inc.php

<pre>
$rcmail_config['password_minimum_length'] = 7;
$rcmail_config['password_require_nonalpha'] = true;
...
$rcmail_config['password_db_dsn'] = 'pgsql://roundcube:<roundcube_password>@localhost/postfix';
...
$rcmail_config['password_query'] = "UPDATE mailbox set password = %c, modified = NOW() where username = %u; INSERT INTO log (timestamp,username,domain,action,data) VALUES (NOW(),%u || ' (' || %h || ')',%d,'edit_password',%u)";
</pre>

* Enable ''password'' plug-in
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['plugins'] = array('password');
</pre>

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': The psqlodbc package is currently unavailable

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

Put the following into a new file called '''script''':

<pre>
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL
);

ALTER TABLE ldap_oc_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_oc_mappings ADD PRIMARY KEY (id);

CREATE TABLE ldap_attr_mappings (
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL
);

ALTER TABLE ldap_attr_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_attr_mappings ADD PRIMARY KEY (id);

CREATE VIEW ldap_dcs AS
((SELECT (domain.id + 100000) AS id,
('dc='::text || replace((domain.domain)::text, '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL')
UNION
(SELECT 100000 AS id,
('dc=' || regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
(regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS domain
FROM domain
WHERE domain.domain <> 'ALL'
LIMIT 1));

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
replace(regexp_replace((mailbox.username)::text, '.*@', ''::text), '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

Put the following into a new file called '''script''':

<pre>
COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Check that "ldap_dcs" view looks something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view looks something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
# by peername.ip=<IP>%<netmask> read
# by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

In order to enable php-ldap support you need to restart lighttpd server

/etc/init.d/lighttpd restart

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'sql';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('sql','example.com');
</pre>

* Fix PostfixAdmin to work with the new table definition

Edit /var/www/domains/example.com/www/list-domain.php. Replace the line:
<pre>
SELECT domain.* , COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>
With the lines:
<pre>
SELECT domain.domain, domain.description, domain.aliases, domain.mailboxes,
domain.maxquota, domain.quota, domain.transport, domain.backupmx, domain.created,
domain.modified, domain.active, COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''in addition to'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

'''Note:''' If you provide SSL access for multiple domain site you may need to follow http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL#SSL-on-multiple-domains in order to provide multi-domain certificates. If you would like to redirect hosts to their secure equivalents use the following instructions http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

ISP Mail Server HowTo

2010-05-13T08:10:11Z

Djhughes: minor

== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Get a web certificate, and install it. You have two options: 1. If you want to use a self-signed cert, you can use the instructions found at [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]] to generate it. 2. Use the certificate created with the '''setup-acf''' command.

'''Option 1:'''
If you create your own self-signed certificate, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certificate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

'''Option 2:'''
If you prefer to just use the default certificate created with the '''setup-acf''' command, then you will need to do the following:

setup-acf

During the above process, mini_httpd will be started, if it isn't already, and a certificate will be created. Once you have completed the setup-acf steps, do the following to move the certificate files to the correct location for lighttpd to use.

mv /etc/ssl/mini_httpd/server.pem /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
}
</pre>

If you went with Option 1 above, then add an additional line underneath the ssl.pemfile line, so that the section appears as follows:

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to http://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to http://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add teh following inside the ''auth default'' stanza:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.11
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select '/var/mail/domains/' || maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Again, change the password above to your postfix user password, and protect the file from prying eyes:
chown root:root /etc/dovecot/dovecot-dict-quota.conf
chmod 600 /etc/dovecot/dovecot-dict-quota.conf

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

==== Enable Plug-ins ====

RoundCube has various useful plug-ins, which could be found in ''/usr/share/webapps/roundcube/plugins'' directory. For example you may want to enable ''password'' plug-in to let users change their passwords directly from RoundCube using an extra Password Tab added to User Settings.

* Grant limited permissions for ''roundcube'' database role
psql -U postgres postfix
postfix=# GRANT UPDATE (password,modified) ON mailbox TO roundcube;
postfix=# GRANT SELECT (username) ON mailbox TO roundcube;
postfix=# GRANT INSERT ON log TO roundcube;
postfix=# \q

* Setup ''password'' plug-in parameters in ''/usr/share/webapps/roundcube/plugins/password/config.inc.php''
mv /usr/share/webapps/roundcube/plugins/password/config.inc.php.dist /usr/share/webapps/roundcube/plugins/password/config.inc.php
vi /usr/share/webapps/roundcube/plugins/password/config.inc.php

<pre>
$rcmail_config['password_minimum_length'] = 7;
$rcmail_config['password_require_nonalpha'] = true;
...
$rcmail_config['password_db_dsn'] = 'pgsql://roundcube:<roundcube_password>@localhost/postfix';
...
$rcmail_config['password_query'] = "UPDATE mailbox set password = %c, modified = NOW() where username = %u; INSERT INTO log (timestamp,username,domain,action,data) VALUES (NOW(),%u || ' (' || %h || ')',%d,'edit_password',%u)";
</pre>

* Enable ''password'' plug-in
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['plugins'] = array('password');
</pre>

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': The psqlodbc package is currently unavailable

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

Put the following into a new file called '''script''':

<pre>
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL
);

ALTER TABLE ldap_oc_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_oc_mappings ADD PRIMARY KEY (id);

CREATE TABLE ldap_attr_mappings (
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL
);

ALTER TABLE ldap_attr_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_attr_mappings ADD PRIMARY KEY (id);

CREATE VIEW ldap_dcs AS
((SELECT (domain.id + 100000) AS id,
('dc='::text || replace((domain.domain)::text, '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL')
UNION
(SELECT 100000 AS id,
('dc=' || regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
(regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS domain
FROM domain
WHERE domain.domain <> 'ALL'
LIMIT 1));

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
replace(regexp_replace((mailbox.username)::text, '.*@', ''::text), '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

Put the following into a new file called '''script''':

<pre>
COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Check that "ldap_dcs" view looks something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view looks something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
# by peername.ip=<IP>%<netmask> read
# by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

In order to enable php-ldap support you need to restart lighttpd server

/etc/init.d/lighttpd restart

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'sql';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('sql','example.com');
</pre>

* Fix PostfixAdmin to work with the new table definition

Edit /var/www/domains/example.com/www/list-domain.php. Replace the line:
<pre>
SELECT domain.* , COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>
With the lines:
<pre>
SELECT domain.domain, domain.description, domain.aliases, domain.mailboxes,
domain.maxquota, domain.quota, domain.transport, domain.backupmx, domain.created,
domain.modified, domain.active, COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''in addition to'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

'''Note:''' If you provide SSL access for multiple domain site you may need to follow http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL#SSL-on-multiple-domains in order to provide multi-domain certificates. If you would like to redirect hosts to their secure equivalents use the following instructions http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

ISP Mail Server HowTo

2010-05-13T03:23:25Z

Djhughes: reorganized a bit

== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Get a web certificate, and install it. You have two options: 1. If you want to use a self-signed cert, you can use the instructions found at [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]] to generate it. 2. Use the certificate created with the '''setup-acf''' command.

'''Option 1:'''
If you create your own self-signed certificate, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certificate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

'''Option 2:'''
If you prefer to just use the default certificate created with the '''setup-acf''' command, then you will need to do the following:

setup-acf

During the above process, mini_httpd will be started, if it isn't already, and a certificate will be created. Once you have completed the setup-acf steps, do the following to move the certificate files to the correct location for lighttpd to use.

mv /etc/ssl/mini_httpd/server.pem /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
}
</pre>

If you went with Option 1 above, then add an additional line underneath the ssl.pemfile line, so that the section appears as follows:

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to http://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to http://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add teh following inside the ''auth default'' stanza:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.11
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select '/var/mail/domains/' || maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Again, change the password above to your postfix user password, and protect the file from prying eyes:
chown root:root /etc/dovecot/dovecot-dict-quota.conf
chmod 600 /etc/dovecot/dovecot-dict-quota.conf

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

==== Enable Plug-ins ====

RoundCube has various useful plug-ins, which could be found in ''/usr/share/webapps/roundcube/plugins'' directory. For example you may want to enable ''password'' plug-in to let users change their passwords directly from RoundCube using an extra Password Tab added to User Settings.

* Grant limited permissions for ''roundcube'' database role
psql -U postgres postfix
postfix=# GRANT UPDATE (password,modified) ON mailbox TO roundcube;
postfix=# GRANT SELECT (username) ON mailbox TO roundcube;
postfix=# GRANT INSERT ON log TO roundcube;
postfix=# \q

* Setup ''password'' plug-in parameters in ''/usr/share/webapps/roundcube/plugins/password/config.inc.php''
mv /usr/share/webapps/roundcube/plugins/password/config.inc.php.dist /usr/share/webapps/roundcube/plugins/password/config.inc.php
vi /usr/share/webapps/roundcube/plugins/password/config.inc.php

<pre>
$rcmail_config['password_minimum_length'] = 7;
$rcmail_config['password_require_nonalpha'] = true;
...
$rcmail_config['password_db_dsn'] = 'pgsql://roundcube:<roundcube_password>@localhost/postfix';
...
$rcmail_config['password_query'] = "UPDATE mailbox set password = %c, modified = NOW() where username = %u; INSERT INTO log (timestamp,username,domain,action,data) VALUES (NOW(),%u || ' (' || %h || ')',%d,'edit_password',%u)";
</pre>

* Enable ''password'' plug-in
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['plugins'] = array('password');
</pre>

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': The psqlodbc package is currently unavailable

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

Put the following into a new file called '''script''':

<pre>
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL
);

ALTER TABLE ldap_oc_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_oc_mappings ADD PRIMARY KEY (id);

CREATE TABLE ldap_attr_mappings (
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL
);

ALTER TABLE ldap_attr_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_attr_mappings ADD PRIMARY KEY (id);

CREATE VIEW ldap_dcs AS
((SELECT (domain.id + 100000) AS id,
('dc='::text || replace((domain.domain)::text, '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL')
UNION
(SELECT 100000 AS id,
('dc=' || regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
(regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS domain
FROM domain
WHERE domain.domain <> 'ALL'
LIMIT 1));

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
replace(regexp_replace((mailbox.username)::text, '.*@', ''::text), '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

Put the following into a new file called '''script''':

<pre>
COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Check that "ldap_dcs" view looks something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view looks something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
# by peername.ip=<IP>%<netmask> read
# by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

In order to enable php-ldap support you need to restart lighttpd server

/etc/init.d/lighttpd restart

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'sql';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('sql','example.com');
</pre>

* Fix PostfixAdmin to work with the new table definition

Edit /var/www/domains/example.com/www/list-domain.php. Replace the line:
<pre>
SELECT domain.* , COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>
With the lines:
<pre>
SELECT domain.domain, domain.description, domain.aliases, domain.mailboxes,
domain.maxquota, domain.quota, domain.transport, domain.backupmx, domain.created,
domain.modified, domain.active, COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''in addition to'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

'''Note:''' If you provide SSL access for multiple domain site you may need to follow http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL#SSL-on-multiple-domains in order to provide multi-domain certificates. If you would like to redirect hosts to their secure equivalents use the following instructions http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

ISP Mail Server HowTo

2010-05-13T03:00:54Z

Djhughes: no ca cert with setup-acf

== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}
</pre>

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Get a web certificate, and install it. You have two options: 1. If you want to use a self-signed cert, you can use the instructions found at [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]] to generate it. 2. Use the certificate created with the '''setup-acf''' command.

If you create your own self-signed certificate, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certificate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

If you prefer to just use the default certificate created with the '''setup-acf''' command, then you will need to do the following:

setup-acf

During the above process, mini_httpd will be started, if it isn't already, and a certificate will be created. Once you have completed the setup-acf steps, do the following to move the certificate files to the correct location for lighttpd to use.

mv /etc/ssl/mini_httpd/server.pem /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to http://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to http://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add teh following inside the ''auth default'' stanza:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.11
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select '/var/mail/domains/' || maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Again, change the password above to your postfix user password, and protect the file from prying eyes:
chown root:root /etc/dovecot/dovecot-dict-quota.conf
chmod 600 /etc/dovecot/dovecot-dict-quota.conf

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

==== Enable Plug-ins ====

RoundCube has various useful plug-ins, which could be found in ''/usr/share/webapps/roundcube/plugins'' directory. For example you may want to enable ''password'' plug-in to let users change their passwords directly from RoundCube using an extra Password Tab added to User Settings.

* Grant limited permissions for ''roundcube'' database role
psql -U postgres postfix
postfix=# GRANT UPDATE (password,modified) ON mailbox TO roundcube;
postfix=# GRANT SELECT (username) ON mailbox TO roundcube;
postfix=# GRANT INSERT ON log TO roundcube;
postfix=# \q

* Setup ''password'' plug-in parameters in ''/usr/share/webapps/roundcube/plugins/password/config.inc.php''
mv /usr/share/webapps/roundcube/plugins/password/config.inc.php.dist /usr/share/webapps/roundcube/plugins/password/config.inc.php
vi /usr/share/webapps/roundcube/plugins/password/config.inc.php

<pre>
$rcmail_config['password_minimum_length'] = 7;
$rcmail_config['password_require_nonalpha'] = true;
...
$rcmail_config['password_db_dsn'] = 'pgsql://roundcube:<roundcube_password>@localhost/postfix';
...
$rcmail_config['password_query'] = "UPDATE mailbox set password = %c, modified = NOW() where username = %u; INSERT INTO log (timestamp,username,domain,action,data) VALUES (NOW(),%u || ' (' || %h || ')',%d,'edit_password',%u)";
</pre>

* Enable ''password'' plug-in
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['plugins'] = array('password');
</pre>

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': The psqlodbc package is currently unavailable

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

Put the following into a new file called '''script''':

<pre>
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL
);

ALTER TABLE ldap_oc_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_oc_mappings ADD PRIMARY KEY (id);

CREATE TABLE ldap_attr_mappings (
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL
);

ALTER TABLE ldap_attr_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_attr_mappings ADD PRIMARY KEY (id);

CREATE VIEW ldap_dcs AS
((SELECT (domain.id + 100000) AS id,
('dc='::text || replace((domain.domain)::text, '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL')
UNION
(SELECT 100000 AS id,
('dc=' || regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
(regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS domain
FROM domain
WHERE domain.domain <> 'ALL'
LIMIT 1));

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
replace(regexp_replace((mailbox.username)::text, '.*@', ''::text), '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

Put the following into a new file called '''script''':

<pre>
COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Check that "ldap_dcs" view looks something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view looks something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
# by peername.ip=<IP>%<netmask> read
# by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

In order to enable php-ldap support you need to restart lighttpd server

/etc/init.d/lighttpd restart

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'sql';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('sql','example.com');
</pre>

* Fix PostfixAdmin to work with the new table definition

Edit /var/www/domains/example.com/www/list-domain.php. Replace the line:
<pre>
SELECT domain.* , COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>
With the lines:
<pre>
SELECT domain.domain, domain.description, domain.aliases, domain.mailboxes,
domain.maxquota, domain.quota, domain.transport, domain.backupmx, domain.created,
domain.modified, domain.active, COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''in addition to'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

'''Note:''' If you provide SSL access for multiple domain site you may need to follow http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL#SSL-on-multiple-domains in order to provide multi-domain certificates. If you would like to redirect hosts to their secure equivalents use the following instructions http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

ISP Mail Server HowTo

2010-05-10T08:28:59Z

Djhughes: added steps for optionally using the setup-acf generated cert

== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}
</pre>

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Get a web certificate, and install it. You have two options: 1. If you want to use a self-signed cert, you can use the instructions found at [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]] to generate it. 2. Use the certificate created with the '''setup-acf''' command.

If you create your own self-signed certificate, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certificate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

If you prefer to just use the default certificate created with the '''setup-acf''' command, then you will need to do the following:

setup-acf

During the above process, mini_httpd will be started, if it isn't already, and a certificate will be created. Once you have completed the setup-acf steps, do the following to move the certificate files to the correct location for lighttpd to use.

mv /etc/ssl/mini_httpd/server.pem /etc/lighttpd/server-bundle.pem
cp /etc/ssl/cacert.pem /etc/lighttpd/ca-crt.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to http://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to http://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add teh following inside the ''auth default'' stanza:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.11
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select '/var/mail/domains/' || maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Again, change the password above to your postfix user password, and protect the file from prying eyes:
chown root:root /etc/dovecot/dovecot-dict-quota.conf
chmod 600 /etc/dovecot/dovecot-dict-quota.conf

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

==== Enable Plug-ins ====

RoundCube has various useful plug-ins, which could be found in ''/usr/share/webapps/roundcube/plugins'' directory. For example you may want to enable ''password'' plug-in to let users change their passwords directly from RoundCube using an extra Password Tab added to User Settings.

* Grant limited permissions for ''roundcube'' database role
psql -U postgres postfix
postfix=# GRANT UPDATE (password,modified) ON mailbox TO roundcube;
postfix=# GRANT SELECT (username) ON mailbox TO roundcube;
postfix=# GRANT INSERT ON log TO roundcube;
postfix=# \q

* Setup ''password'' plug-in parameters in ''/usr/share/webapps/roundcube/plugins/password/config.inc.php''
mv /usr/share/webapps/roundcube/plugins/password/config.inc.php.dist /usr/share/webapps/roundcube/plugins/password/config.inc.php
vi /usr/share/webapps/roundcube/plugins/password/config.inc.php

<pre>
$rcmail_config['password_minimum_length'] = 7;
$rcmail_config['password_require_nonalpha'] = true;
...
$rcmail_config['password_db_dsn'] = 'pgsql://roundcube:<roundcube_password>@localhost/postfix';
...
$rcmail_config['password_query'] = "UPDATE mailbox set password = %c, modified = NOW() where username = %u; INSERT INTO log (timestamp,username,domain,action,data) VALUES (NOW(),%u || ' (' || %h || ')',%d,'edit_password',%u)";
</pre>

* Enable ''password'' plug-in
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['plugins'] = array('password');
</pre>

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': The psqlodbc package is currently unavailable

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

Put the following into a new file called '''script''':

<pre>
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL
);

ALTER TABLE ldap_oc_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_oc_mappings ADD PRIMARY KEY (id);

CREATE TABLE ldap_attr_mappings (
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL
);

ALTER TABLE ldap_attr_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_attr_mappings ADD PRIMARY KEY (id);

CREATE VIEW ldap_dcs AS
((SELECT (domain.id + 100000) AS id,
('dc='::text || replace((domain.domain)::text, '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL')
UNION
(SELECT 100000 AS id,
('dc=' || regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
(regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS domain
FROM domain
WHERE domain.domain <> 'ALL'
LIMIT 1));

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
replace(regexp_replace((mailbox.username)::text, '.*@', ''::text), '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

Put the following into a new file called '''script''':

<pre>
COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Check that "ldap_dcs" view looks something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view looks something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
# by peername.ip=<IP>%<netmask> read
# by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

In order to enable php-ldap support you need to restart lighttpd server

/etc/init.d/lighttpd restart

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'sql';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('sql','example.com');
</pre>

* Fix PostfixAdmin to work with the new table definition

Edit /var/www/domains/example.com/www/list-domain.php. Replace the line:
<pre>
SELECT domain.* , COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>
With the lines:
<pre>
SELECT domain.domain, domain.description, domain.aliases, domain.mailboxes,
domain.maxquota, domain.quota, domain.transport, domain.backupmx, domain.created,
domain.modified, domain.active, COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''in addition to'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

'''Note:''' If you provide SSL access for multiple domain site you may need to follow http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL#SSL-on-multiple-domains in order to provide multi-domain certificates. If you would like to redirect hosts to their secure equivalents use the following instructions http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

ISP Mail Server HowTo

2010-03-30T09:16:10Z

Djhughes: minor

== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}
</pre>

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Get a web certificate, and install it. If you want to use a self-signed cert, you can use [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]]. If you create a certificate with ACF, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certifcate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

Editme: We should probably only serve ACF to restricted hosts

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to http://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to http://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add teh following inside the ''auth default'' stanza:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.11
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select '/var/mail/domains/' as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

==== Enable Plug-ins ====

RoundCube has various useful plug-ins, which could be found in ''/usr/share/webapps/roundcube/plugins'' directory. For example you may want to enable ''password'' plug-in to let users change their passwords directly from RoundCube using an extra Password Tab added to User Settings.

* Grant limited permissions for ''roundcube'' database role
psql -U postgres postfix
postfix=# GRANT UPDATE (password) ON mailbox TO roundcube;
postfix=# GRANT SELECT (username) ON mailbox TO roundcube;
postfix=# \q

* Setup ''password'' plug-in parameters in ''/usr/share/webapps/roundcube/plugins/password/config.inc.php''
mv /usr/share/webapps/roundcube/plugins/password/config.inc.php.dist /usr/share/webapps/roundcube/plugins/password/config.inc.php
vi /usr/share/webapps/roundcube/plugins/password/config.inc.php

<pre>
$rcmail_config['password_db_dsn'] = 'pgsql://roundcube:<roundcube_password>@localhost/postfix';
...
$rcmail_config['password_query'] = "UPDATE mailbox set password = %c where username = %u";
</pre>

* Enable ''password'' plug-in
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['plugins'] = array('password');
</pre>

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': Perhaps some packages should be installed from "edge" repository

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

Put the following into a new file called '''script''':

<pre>
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL,
);

ALTER TABLE ldap_oc_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_oc_mappings ADD PRIMARY KEY (id);

CREATE TABLE ldap_attr_mappings_test (
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL,
);

ALTER TABLE ldap_attr_mappings_test ADD COLUMN id SERIAL;
ALTER TABLE ldap_attr_mappings_test ADD PRIMARY KEY (id);

CREATE VIEW ldap_dcs AS
(SELECT (domain.id + 100000) AS id,
((('dc='::text || split_part((domain.domain)::text, '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part((domain.domain)::text, '.'::text, 2) = 'com'::text) THEN split_part((domain.domain)::text, '.'::text, 2)
ELSE ((split_part((domain.domain)::text, '.'::text, 2) || ',dc='::text) || split_part((domain.domain)::text, '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL'
UNION
SELECT 100000 AS id,
'dc=com' AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
'com' AS domain);

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) = 'com'::text)
THEN split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2)
ELSE ((split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

<pre>
cat - <<EOF | psql -U postgres postfix
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.

COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
EOF
</pre>

* Check that "ldap_dcs" view presens something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view presens something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {MD5}<Hashed password for root dn>

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
### by peername.ip=<IP>%<netmask> read
### by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
echo rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'ldap';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('example.com');
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''in addition to'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

'''Note:''' If you provide SSL access for multiple domain site you may need to follow http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL#SSL-on-multiple-domains in order to provide multi-domain certificates. If you would like to redirect hosts to their secure equivalents use the following instructions http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

ISP Mail Server HowTo

2010-03-30T09:15:08Z

Djhughes: some fixes for database script

== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}
</pre>

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Get a web certificate, and install it. If you want to use a self-signed cert, you can use [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]]. If you create a certificate with ACF, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certifcate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

Editme: We should probably only serve ACF to restricted hosts

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to http://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to http://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add teh following inside the ''auth default'' stanza:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.11
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select '/var/mail/domains/' as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

==== Enable Plug-ins ====

RoundCube has various useful plug-ins, which could be found in ''/usr/share/webapps/roundcube/plugins'' directory. For example you may want to enable ''password'' plug-in to let users change their passwords directly from RoundCube using an extra Password Tab added to User Settings.

* Grant limited permissions for ''roundcube'' database role
psql -U postgres postfix
postfix=# GRANT UPDATE (password) ON mailbox TO roundcube;
postfix=# GRANT SELECT (username) ON mailbox TO roundcube;
postfix=# \q

* Setup ''password'' plug-in parameters in ''/usr/share/webapps/roundcube/plugins/password/config.inc.php''
mv /usr/share/webapps/roundcube/plugins/password/config.inc.php.dist /usr/share/webapps/roundcube/plugins/password/config.inc.php
vi /usr/share/webapps/roundcube/plugins/password/config.inc.php

<pre>
$rcmail_config['password_db_dsn'] = 'pgsql://roundcube:<roundcube_password>@localhost/postfix';
...
$rcmail_config['password_query'] = "UPDATE mailbox set password = %c where username = %u";
</pre>

* Enable ''password'' plug-in
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['plugins'] = array('password');
</pre>

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': Perhaps some packages should be installed from "edge" repository

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

Put the following into a new file:

<pre>
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL,
);

ALTER TABLE ldap_oc_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_oc_mappings ADD PRIMARY KEY (id);

CREATE TABLE ldap_attr_mappings_test (
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL,
);

ALTER TABLE ldap_attr_mappings_test ADD COLUMN id SERIAL;
ALTER TABLE ldap_attr_mappings_test ADD PRIMARY KEY (id);

CREATE VIEW ldap_dcs AS
(SELECT (domain.id + 100000) AS id,
((('dc='::text || split_part((domain.domain)::text, '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part((domain.domain)::text, '.'::text, 2) = 'com'::text) THEN split_part((domain.domain)::text, '.'::text, 2)
ELSE ((split_part((domain.domain)::text, '.'::text, 2) || ',dc='::text) || split_part((domain.domain)::text, '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL'
UNION
SELECT 100000 AS id,
'dc=com' AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
'com' AS domain);

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) = 'com'::text)
THEN split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2)
ELSE ((split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

<pre>
cat - <<EOF | psql -U postgres postfix
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.

COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
EOF
</pre>

* Check that "ldap_dcs" view presens something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view presens something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {MD5}<Hashed password for root dn>

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
### by peername.ip=<IP>%<netmask> read
### by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
echo rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'ldap';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('example.com');
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''in addition to'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

'''Note:''' If you provide SSL access for multiple domain site you may need to follow http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL#SSL-on-multiple-domains in order to provide multi-domain certificates. If you would like to redirect hosts to their secure equivalents use the following instructions http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

ISP Mail Server HowTo

2010-03-19T09:22:25Z

Djhughes: update for dovecot 1.2.11

== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}
</pre>

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Get a web certificate, and install it. If you want to use a self-signed cert, you can use [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]]. If you create a certificate with ACF, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certifcate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

Editme: We should probably only serve ACF to restricted hosts

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to http://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to http://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.11
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select '/var/mail/domains/' as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': Perhaps some packages should be installed from "edge" repository

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

<pre>
cat - <<EOF | psql -U postgres postfix
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
id integer SERIAL,
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL,
PRIMARY KEY(id)
);

CREATE TABLE ldap_attr_mappings_test (
id integer SERIAL,
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL,
PRIMARY KEY(id)
);

CREATE VIEW ldap_dcs AS
(SELECT (domain.id + 100000) AS id,
((('dc='::text || split_part((domain.domain)::text, '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part((domain.domain)::text, '.'::text, 2) = 'com'::text) THEN split_part((domain.domain)::text, '.'::text, 2)
ELSE ((split_part((domain.domain)::text, '.'::text, 2) || ',dc='::text) || split_part((domain.domain)::text, '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL'
UNION
SELECT 100000 AS id,
'dc=com' AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
'com' AS domain);

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) = 'com'::text)
THEN split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2)
ELSE ((split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
EOF
</pre>

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

<pre>
cat - <<EOF | psql -U postgres postfix
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.

COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
EOF
</pre>

* Check that "ldap_dcs" view presens something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view presens something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {MD5}<Hashed password for root dn>

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
### by peername.ip=<IP>%<netmask> read
### by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
echo rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'ldap';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('example.com');
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''instead of'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

ISP Mail Server HowTo

2010-03-18T13:59:26Z

Djhughes: clarified optional DNS configuration

== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}
</pre>

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Get a web certificate, and install it. If you want to use a self-signed cert, you can use [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]]. If you create a certificate with ACF, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certifcate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

Editme: We should probably only serve ACF to restricted hosts

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to http://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to http://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.10
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': Perhaps some packages should be installed from "edge" repository

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

<pre>
cat - <<EOF | psql -U postgres postfix
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
id integer SERIAL,
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL,
PRIMARY KEY(id)
);

CREATE TABLE ldap_attr_mappings_test (
id integer SERIAL,
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL,
PRIMARY KEY(id)
);

CREATE VIEW ldap_dcs AS
(SELECT (domain.id + 100000) AS id,
((('dc='::text || split_part((domain.domain)::text, '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part((domain.domain)::text, '.'::text, 2) = 'com'::text) THEN split_part((domain.domain)::text, '.'::text, 2)
ELSE ((split_part((domain.domain)::text, '.'::text, 2) || ',dc='::text) || split_part((domain.domain)::text, '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL'
UNION
SELECT 100000 AS id,
'dc=com' AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
'com' AS domain);

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) = 'com'::text)
THEN split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2)
ELSE ((split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
EOF
</pre>

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

<pre>
cat - <<EOF | psql -U postgres postfix
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.

COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
EOF
</pre>

* Check that "ldap_dcs" view presens something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view presens something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {MD5}<Hashed password for root dn>

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
### by peername.ip=<IP>%<netmask> read
### by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
echo rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'ldap';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('example.com');
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''instead of'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

ISP Mail Server HowTo

2010-03-18T09:41:00Z

Djhughes: corrected path

== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}
</pre>

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Get a web certificate, and install it. If you want to use a self-signed cert, you can use [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]]. If you create a certificate with ACF, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certifcate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

Editme: We should probably only serve ACF to restricted hosts

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to http://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to http://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.10
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': Perhaps some packages should be installed from "edge" repository

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

<pre>
cat - <<EOF | psql -U postgres postfix
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
id integer SERIAL,
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL,
PRIMARY KEY(id)
);

CREATE TABLE ldap_attr_mappings_test (
id integer SERIAL,
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL,
PRIMARY KEY(id)
);

CREATE VIEW ldap_dcs AS
(SELECT (domain.id + 100000) AS id,
((('dc='::text || split_part((domain.domain)::text, '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part((domain.domain)::text, '.'::text, 2) = 'com'::text) THEN split_part((domain.domain)::text, '.'::text, 2)
ELSE ((split_part((domain.domain)::text, '.'::text, 2) || ',dc='::text) || split_part((domain.domain)::text, '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL'
UNION
SELECT 100000 AS id,
'dc=com' AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
'com' AS domain);

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) = 'com'::text)
THEN split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2)
ELSE ((split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
EOF
</pre>

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

<pre>
cat - <<EOF | psql -U postgres postfix
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.

COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
EOF
</pre>

* Check that "ldap_dcs" view presens something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view presens something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {MD5}<Hashed password for root dn>

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
### by peername.ip=<IP>%<netmask> read
### by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
echo rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'ldap';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('example.com');
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Configure DNS ==

This server hosts three separate web applications, and these can be handled as three different virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS A records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

ISP Mail Server HowTo

2010-03-18T09:35:29Z

Djhughes: typo, removed freshclam, as clamd depends on freshclam which starts when clam starts up

== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}
</pre>

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Get a web certificate, and install it. If you want to use a self-signed cert, you can use [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]]. If you create a certificate with ACF, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certifcate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

Editme: We should probably only serve ACF to restricted hosts

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to http://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to http://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.10
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': Perhaps some packages should be installed from "edge" repository

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

<pre>
cat - <<EOF | psql -U postgres postfix
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
id integer SERIAL,
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL,
PRIMARY KEY(id)
);

CREATE TABLE ldap_attr_mappings_test (
id integer SERIAL,
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL,
PRIMARY KEY(id)
);

CREATE VIEW ldap_dcs AS
(SELECT (domain.id + 100000) AS id,
((('dc='::text || split_part((domain.domain)::text, '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part((domain.domain)::text, '.'::text, 2) = 'com'::text) THEN split_part((domain.domain)::text, '.'::text, 2)
ELSE ((split_part((domain.domain)::text, '.'::text, 2) || ',dc='::text) || split_part((domain.domain)::text, '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL'
UNION
SELECT 100000 AS id,
'dc=com' AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
'com' AS domain);

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) = 'com'::text)
THEN split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2)
ELSE ((split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
EOF
</pre>

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

<pre>
cat - <<EOF | psql -U postgres postfix
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.

COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
EOF
</pre>

* Check that "ldap_dcs" view presens something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view presens something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {MD5}<Hashed password for root dn>

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
### by peername.ip=<IP>%<netmask> read
### by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
echo rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'ldap';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('example.com');
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Configure DNS ==

This server hosts three separate web applications, and these can be handled as three different virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS A records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

ISP Mail Server HowTo

2010-03-18T07:29:46Z

Djhughes: sed command to replace text

== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}
</pre>

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Get a web certificate, and install it. If you want to use a self-signed cert, you can use [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]]. If you create a certificate with ACF, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certifcate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

Editme: We should probably only serve ACF to restricted hosts

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to http://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to http://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add freshclam
rc-update add clamsmtp
/etc/init.d/clamd start
/etc/init.d/freshclam start
/etc/init.d/clamsmtp start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.10
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': Perhaps some packages should be installed from "edge" repository

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

<pre>
cat - <<EOF | psql -U postgres postfix
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
id integer SERIAL,
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL,
PRIMARY KEY(id)
);

CREATE TABLE ldap_attr_mappings_test (
id integer SERIAL,
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL,
PRIMARY KEY(id)
);

CREATE VIEW ldap_dcs AS
(SELECT (domain.id + 100000) AS id,
((('dc='::text || split_part((domain.domain)::text, '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part((domain.domain)::text, '.'::text, 2) = 'com'::text) THEN split_part((domain.domain)::text, '.'::text, 2)
ELSE ((split_part((domain.domain)::text, '.'::text, 2) || ',dc='::text) || split_part((domain.domain)::text, '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL'
UNION
SELECT 100000 AS id,
'dc=com' AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
'com' AS domain);

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) = 'com'::text)
THEN split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2)
ELSE ((split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
EOF
</pre>

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

<pre>
cat - <<EOF | psql -U postgres postfix
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.

COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
EOF
</pre>

* Check that "ldap_dcs" view presens something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view presens something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {MD5}<Hashed password for root dn>

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
### by peername.ip=<IP>%<netmask> read
### by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
echo rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'ldap';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('example.com');
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Configure DNS ==

This server hosts three separate web applications, and these can be handled as three different virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS A records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

ISP Mail Server HowTo

2010-03-18T06:41:53Z

Djhughes: formatting

== A Full Service Mail Server ==

The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server.

The server must provide:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* Quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* Standard filters (virus/spam/rbl/etc)
* Web mail client
* Value Add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-pgsql php-imap

Stop and remove mini_httpd, and move ACF to lighttpd; We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):

mkdir -p /var/www/domains/host.example.com/www
ln -s /usr/share/acf/www /var/www/domains/host.example.com/www/acf

Edit /var/www/domains/host.example.com/index.html to put a simple redirection page:

<pre>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/acf">ACF</a></li>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
</pre>

Edit /etc/lighttpd/mod_cgi.conf to serve haserl files by adding a "" => "" cgi handler and to treat /acf/cgi-bin as a CGI directory (remove the '^')

$HTTP["url"] =~ "/cgi-bin/" {
# disable directory listings
dir-listing.activate = "disable"
# only allow cgi's in this directory
cgi.assign = (
".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
"" => ""
)
}

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}
</pre>

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_cgi.conf"

include "mod_fastcgi.conf"

Get a web certificate, and install it. If you want to use a self-signed cert, you can use [[Generating SSL certs with ACF]] or [[Generating SSL certs with ACF 1.9]]. If you create a certificate with ACF, you can create the "server-bundle.pem" and the "ca-crt.pem" file with these commands:

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certifcate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

Editme: We should probably only serve ACF to restricted hosts

Stop and remove mini_httpd; start lighttpd, test

/etc/init.d/mini_httpd stop
rc-update del mini_httpd
apk del mini_httpd
rc-update add lighttpd
/etc/init.d/lighttpd start

At this point you should be able to see ACF being served with lighttpd (Note: this will work well with alpine 1.10. With earlier versions there will be problems.) https://host.example.com/acf/

== Install Postgresql ==

Add and configure postgresql

apk add acf-postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/8.4/data/pg_hba.conf

Editme: What should we recommend?

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\c postfix
create language plpgsql;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.3 was the current release, so (replace host.example.com with the actual domain):
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin_2.3.tar.gz
tar zxvf postfixadmin_2.3.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'md5crypt';
$CONF['authlib_default_flavor'] = 'md5raw';
$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain.

Go to http://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to http://host.example.com/postfixadmin/setup.php

Create superadmin account.

== Install Postfix ==

Create a user for the virtual mail delivery, and get its uid/gid (you'll need the numeric uid/gid for postfix)

adduser vmail -H -D -s /bin/false
grep vmail /etc/passwd

(In examples below, we use 1006/1006 for the uid/gid)

Create the mail directory, and assign vmail as the owner
mkdir -p /var/mail/domains
chown -R vmail:vmail /var/mail/domains

Install postfix

apk add acf-postfix postfix-pgsql

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:1006
virtual_uid_maps = static:1006
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 10240000
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database.

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

As before, we install dovecot:

apk add acf-dovecot dovecot-pgsql

edit /etc/dovecot/dovecot.conf

<pre>
# Select only the protocols you wish to support - all are listed in the next line
protocols = imap imaps pop pop3s
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
disable_plaintext_auth = no

# Authenticated IMAP
ssl = yes
ssl_cert_file = /etc/lighttpd/server-bundle.pem
ssl_key_file = /etc/lighttpd/server-bundle.pem
auth_verbose = yes
auth_debug = no
mail_location = maildir:/var/mail/domains/%d/%n
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb static {
args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
}
}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add freshclam
rc-update add clamsmtp
/etc/init.d/clamd start
/etc/init.d/freshclam start
/etc/init.d/clamsmtp start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add:
# this is for postfix SASL (authenticated users can relay through us)
socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
}
}
* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki.dovecot.org/LDA deliver] lda for local delivery.

Note: As of Jan 2010, the documention is confusing, with multiple versions of dovecot, PostfixAdmin, and Mysql referenced. These instructions apply to:
* Postgresql 8.4.2
* PostfixAdmin 2.3
* Dovecot 1.2.10
* Postfix 2.6.5

Presumably later versions will work the same, but if not, please update the documentation and versions above.

* Update /etc/dovecot.conf (old lines shown commented out):

<pre>
# old postfix
# userdb static {
# args = uid=1006 gid=1006 home=/var/mail/domains/%d/%n
# }

# new quota support:
userdb prefetch {
}

userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

socket listen {
client {
path = /var/spool/postfix/private/dovecot-auth.sock
mode = 0660
user = postfix
group = postfix
}
# These lines below are for the deliver lda
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
}
}

protocol imap {
mail_plugins = quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

plugin {
quota = dict:user::proxy::quotadict
}

protocol lda {
postmaster_address = postmaster@host.example.com
mail_plugins = quota
auth_socket_path = /var/run/dovecot/auth-master
sendmail_path = /usr/sbin/sendmail
}
</pre>

You should already have a <tt>socket-> listen-> client</tt> section, but it is listed above to show where it goes in relationship to the <tt>socket -> listen -> master</tt> section

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Side note: [http://wiki.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 1.10 repository

* Add the package and related php modules:
apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv

* link the roundcube application back into the docroot
ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd temp logs

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* restart lighttpd to verify the new php libraries are used
/etc/init.d/lighttpd restart

* Point your browser to http://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 3 of the install to copy the files to the server
* You should now be able to get to roundcube at http://host.example.com/roundcube

After its working, the INSTALL file recommends removing the install directory. If you want to keep the installer around later, you can simply change the ownership and permissions. So do '''one''' of the following:
cd /usr/share/webapps/roundcube
rm -rf LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
or
cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG SQL installer
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG SQL
chmod 700 SQL installer

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even
replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP
applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

'''Note''': Perhaps some packages should be installed from "edge" repository

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

<pre>
cat - <<EOF | psql -U postgres postfix
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
id integer SERIAL,
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL,
PRIMARY KEY(id)
);

CREATE TABLE ldap_attr_mappings_test (
id integer SERIAL,
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL,
PRIMARY KEY(id)
);

CREATE VIEW ldap_dcs AS
(SELECT (domain.id + 100000) AS id,
((('dc='::text || split_part((domain.domain)::text, '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part((domain.domain)::text, '.'::text, 2) = 'com'::text) THEN split_part((domain.domain)::text, '.'::text, 2)
ELSE ((split_part((domain.domain)::text, '.'::text, 2) || ',dc='::text) || split_part((domain.domain)::text, '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL'
UNION
SELECT 100000 AS id,
'dc=com' AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
'com' AS domain);

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 1)) || ',dc='::text) ||
CASE WHEN (split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) = 'com'::text)
THEN split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2)
ELSE ((split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 2) || ',dc='::text) ||
split_part(split_part((mailbox.username)::text, '@'::text, 2), '.'::text, 3))
END) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
EOF
</pre>

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

<pre>
cat - <<EOF | psql -U postgres postfix
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.

COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
EOF
</pre>

* Check that "ldap_dcs" view presens something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view presens something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH
TLSCACertificateFile /etc/lighttpd/ca-crt.pem
TLSCertificateFile /etc/lighttpd/server-bundle.pem
TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {MD5}<Hashed password for root dn>

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
### by peername.ip=<IP>%<netmask> read
### by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL

Edit /etc/conf.d/slapd:

<pre>
echo rc_need="postgresql"
OPTS="-h 'ldaps:// ldap://127.0.0.1'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldaps://host.example.com

TLS_CACERT /etc/lighttpd/ca-crt.pem
TLS_CERT /etc/lighttpd/server-bundle.pem
TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

Edit /usr/share/webapps/roundcube/config/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'ldap';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('example.com');
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Configure DNS ==

This server hosts three separate web applications, and these can be handled as three different virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS A records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

Template:Latest 1.9 alpine iso-filename

2010-03-12T07:17:11Z

Djhughes: Updated to 1.9.3

alpine-1.9.3-x86.iso

ISP Mail Server HowTo

2010-02-19T09:55:36Z

Djhughes: corrected typo

ISP Mail Server HowTo

2010-02-17T13:41:30Z

Djhughes: Added some steps for logrotation.

ISP Mail Server HowTo

2010-02-16T14:16:17Z

Djhughes: added missing "}"

ISP Mail Server HowTo

2010-02-16T09:36:52Z

Djhughes: tidied up code

ISP Mail Server HowTo

2010-02-16T09:09:07Z

Djhughes: Undo revision 3348 by Djhughes (Talk) - removed incorrect domain name

ISP Mail Server HowTo

2010-02-16T09:06:12Z

Djhughes: changed config according to what actually worked for me

ISP Mail Server HowTo

2010-02-16T08:42:25Z

Djhughes: specify dns A records

ISP Mail Server HowTo

2010-02-15T19:14:17Z

Djhughes: config file typo