Mail servers don't generally have to be all that big if you aren't in the business of email; a micro instance has served me just fine for a fairly well trafficked web site with a mailing list of thousands - a sudden blizzard of unexpected web traffic would probably cause issues.
Fire up an Ubuntu 12.04 AWS Instance with a Suitable Security Group
Start up an Elastic Block Store (EBS) server instance - at the time of writing, Ubuntu 12.04 is one of the options right there in the quick start menu for launching a new instance. Mail servers don't generally have to be all that big if you aren't in the business of email; a micro instance has served me just fine for a fairly well trafficked web site with a mailing list of thousands, for example. That said, the server produced by following this guide runs at close to 80% memory utilization for a micro instance when operating unloaded - a sudden blizzard of unexpected web traffic would probably cause issues. So adjust your expectations accordingly.

Firewall settings in AWS are managed through assignment of Security Groups. You'll probably want to create one before starting the server. The Security Group should allow inbound TCP traffic from any IP address to these ports: 25 (SMTP), 80 (HTTP), 110 (POP3), 143 (IMAP), 443 (HTTPS), 465 (SMTPS), 993 (IMAPS), and 995 (POP3S). That is in addition to whatever rules you might have for SSH access over port 22 - it is not a good idea to leave that open to the world, so lock it down to the IP address ranges you use. In fact it is a good idea to restrict all inbound traffic to the server to your IP address ranges while you are building it. You can adjust the rules to allow traffic from the rest of the world after you're certain that everything is secure and shipshape.

For details, follow the link below, which contains the mail server configuration for building a mail server from scratch:
https://www.exratione.com/2012/05/a-mailserver-on-ubuntu-1204-postfix-dovecot-mysql/

STEPS TO FOLLOW

REQUIRED APPLICATIONS TO INSTALL:

- Postfix: sends and receives mail via the SMTP protocol. It will only relay mail on to other mailservers if the mail is sent by an authenticated user, but anyone can send mail to this server for local delivery.
- Dovecot: a POP and IMAP server that manages local mail directories and allows users to log in and download their mail. It also handles user authentication.
- Postgrey: greylists incoming mail, requiring unfamiliar deliverers to wait for a while and then resend. This is one of the better tools for cutting down on spam.
- amavisd-new: a manager for organizing various antivirus and spam checking content filters.
- Clam AntiVirus: a virus detection suite.
- SpamAssassin: for sniffing out spam in emails.
- Postfix Admin: a web front end for administering mail users and domains.
- Webmail: the choice depends on the user. Several webmail applications are available, such as Roundcube, Horde, and SquirrelMail; any one of these can be used as webmail for users to send and receive mail.
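The Security Group rules described in the first section (mail ports open to any address, SSH locked down, everything restricted while building) can be checked mechanically. The following Python sketch is an added example, not part of the original guide; it assumes the rules are in the IpPermissions shape printed by `aws ec2 describe-security-groups`, and the sample rule sets and the 203.0.113.0/24 admin range are constructed for illustration.

```python
"""Audit Security Group ingress rules against the port plan in this guide."""

# TCP ports the guide opens to any IP address once the build is finished.
MAIL_PORTS = {25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP",
              443: "HTTPS", 465: "SMTPS", 993: "IMAPS", 995: "POP3S"}
SSH_PORT = 22                      # must stay restricted to your own ranges
WORLD = {"0.0.0.0/0", "::/0"}      # "any IP address", IPv4 and IPv6


def _sources(perm):
    """All source CIDRs (IPv4 and IPv6) of one IpPermissions entry."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def world_open_ports(permissions):
    """TCP ports reachable from any address. UDP and ICMP rules are ignored
    because the guide's port plan only covers TCP."""
    found = set()
    for perm in permissions:
        if not WORLD.intersection(_sources(perm)):
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":          # "all traffic" rule: no FromPort/ToPort keys
            found.update(range(0, 65536))
        elif proto == "tcp":
            found.update(range(perm["FromPort"], perm["ToPort"] + 1))
    return found


def _ranges(ports):
    """Compress port numbers into 'a-b' strings so wide rules stay readable."""
    out, start, prev = [], None, None
    for p in sorted(ports):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            out.append(str(start) if start == prev else f"{start}-{prev}")
            start = prev = p
    if start is not None:
        out.append(str(start) if start == prev else f"{start}-{prev}")
    return out


def audit(permissions, phase):
    """phase 'build': nothing should be world-open yet.
    phase 'live': exactly the eight mail/web ports should be world-open.
    SSH open to the world is reported in both phases."""
    if phase not in ("build", "live"):
        raise ValueError("phase must be 'build' or 'live'")
    open_now = world_open_ports(permissions)
    expected = set(MAIL_PORTS) if phase == "live" else set()
    return {
        "ssh_world_open": SSH_PORT in open_now,
        "missing": sorted(expected - open_now),
        "unexpected": _ranges(open_now - expected - {SSH_PORT}),
    }


def _tcp(lo, hi, cidr):
    """Build one constructed IpPermissions entry for a TCP port range."""
    return {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": cidr}]}


# Constructed sample: build phase, all traffic limited to an admin range.
SAMPLE_LOCKED_DOWN = [_tcp(0, 65535, "203.0.113.0/24")]

# Constructed sample: go-live rules with three typical mistakes
# (SSH left world-open, sloppy port ranges, port 465 forgotten).
SAMPLE_LIVE = [
    _tcp(22, 22, "0.0.0.0/0"),
    _tcp(25, 25, "0.0.0.0/0"),
    _tcp(80, 80, "0.0.0.0/0"),
    _tcp(110, 143, "0.0.0.0/0"),
    _tcp(443, 443, "0.0.0.0/0"),
    _tcp(993, 995, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, rules, phase in (("locked down", SAMPLE_LOCKED_DOWN, "build"),
                               ("go-live", SAMPLE_LIVE, "live")):
        print(name, phase, audit(rules, phase))
```

To audit a real group, pass the IpPermissions list of that group from the describe-security-groups JSON output to audit().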
Configuration process:

STEP 1: Configure the Host Name

Use the following command to change the host name:

    hostname mail.example.com

After setting the host name, it should also be set in the hosts file. Using a text editor, add your hostname to the first line of /etc/hosts so that it looks like this:

    127.0.0.1 mail.example.com localhost

STEP 2:

Now you'll want to regenerate the server's default self-signed SSL certificate so that it matches the domain name. You may have purchased an SSL certificate for your mail server, but it is perfectly possible and completely secure to run a mail server using a self-signed certificate. The only consequences will be warning screens when using webmail hosted on the server and warnings from Microsoft Outlook when connecting via POP, IMAP, or SMTP. Use the following commands for installing SSL certs:

    apt-get install ssl-cert
    make-ssl-cert generate-default-snakeoil --force-overwrite

STEP 3: Now Build a LAMP Web Server

You will need the mailserver to also be a LAMP (Linux, Apache, MySQL, PHP) web server, since you will want webmail and a web-based administrative interface for managing users. So turning your Ubuntu instance into a web server is a good place to start. There is a shortcut to install the basic LAMP packages, so start by updating the repository data and installing the packages. Notice the "^" at the end of the command there - it is necessary. Use the following commands for installing the LAMP server:

    apt-get update
    apt-get upgrade
    apt-get install lamp-server^

During this install you will be asked to choose a root password for MySQL. Choose something sensible, and then move on to adding an array of basic additional packages for PHP - such as APC bytecode caching, memcache support, cURL, an XML parser, and GD image processing. Add more to suit your own taste and the applications you want to support on this server. Use the following command to install the modules and applications:
    apt-get install php-apc php5-memcache php5-curl php5-gd php-xml-parser

STEP 4: Configure PHP

The default configuration for PHP and the additional packages mentioned above is sufficient for most casual usage. So unless you have something complicated or high-powered in mind, you should probably only change the expose_php setting in /etc/php5/apache2/php.ini. Set it to "Off":

    ; Decides whether PHP may expose the fact that it is installed on the server
    ; (e.g. by adding its signature to the Web server header). It is no security
    ; threat in any way, but it makes it possible to determine whether you use PHP
    ; on your server or not.
    ; http://php.net/expose-php
    expose_php = Off

STEP 5: Configure Apache

The expected end result for Apache is that it will serve a single site with a couple of running web applications: webmail and Postfix Admin hidden away in a subdirectory. All traffic will be directed to HTTPS - there is no good reason to allow non-secure access to any of what will be on the web server. Firstly configure the following lines in /etc/apache2/conf.d/security to minimize the information that Apache gives out in its response headers:

    #
    # ServerTokens
    # This directive configures what you return as the Server HTTP response
    # Header. The default is 'Full' which sends information about the OS-Type
    # and compiled in modules.
    # Set to one of: Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    #
    ServerTokens Prod
    #
    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (internal error documents, FTP directory
    # listings, mod_status and mod_info output etc., but not CGI generated
    # documents or custom error documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of: On | Off | EMail
    #
    ServerSignature Off

Make sure that mod_rewrite, mod_ssl, and the default SSL virtual host are enabled - you'll need these line items to be able to force visitors to use HTTPS:

    a2enmod rewrite ssl
    a2ensite default-ssl

The default site configuration in /etc/apache2/sites-available/default can be edited to look something like this for the sake of simplicity:

    <VirtualHost *:80>
      ServerAdmin webmaster@localhost
      DocumentRoot /var/www
      <Directory "/">
        Options FollowSymLinks
        AllowOverride All
      </Directory>
      CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

But of course your taste and needs may vary. Keeping the same simple approach, the upper portion of the SSL configuration in /etc/apache2/sites-available/default-ssl can be set up as follows:

    <IfModule mod_ssl.c>
    <VirtualHost _default_:443>
      ServerAdmin webmaster@localhost
      DocumentRoot /var/www
      <Directory "/">
        Options FollowSymLinks
        AllowOverride All
      </Directory>

      # SSL Engine Switch:
      # Enable/Disable SSL for this virtual host.
      SSLEngine on
      #

      # ... more default SSL configuration ...

      # You will probably need to change this next Directory directive as well
      # in order to match the earlier one.
      <Directory "/">
        SSLOptions +StdEnvVars
      </Directory>
      # ... yet more default SSL configuration ...

If you are using a purchased rather than self-signed SSL certificate, and you probably have a CA certificate bundle from the issuer, then you'll want to further change these lines in /etc/apache2/sites-enabled/default-ssl:

    # A self-signed (snakeoil) certificate can be created by installing
    # the ssl-cert package. See
    # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
    # If both key and certificate are stored in the same file, only the
    # SSLCertificateFile directive is needed.
    SSLCertificateFile /path/to/my/cert.crt
    SSLCertificateKeyFile /path/to/my/key.key
    # Server Certificate Chain:
    # Point SSLCertificateChainFile at a file containing the
    # concatenation of PEM encoded CA certificates which form the
    # certificate chain for the server certificate. Alternatively
    # the referenced file can be the same as SSLCertificateFile
    # when the CA certificates are directly appended to the server
    # certificate for convenience.
    SSLCertificateChainFile /path/to/my/ca-bundle.crt

To push visitors to HTTPS, put something similar to the following snippet into /var/www/.htaccess:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*) https://mail.example.com/$1 [L]

STEP 6: Install and Configure Memcached

You will need to install Memcached to support the webmail applications intended to run on this server:

    apt-get install memcached

The default configuration file at /etc/memcached.conf is good enough for a small server: it locks down access to localhost and provides generally sensible configuration parameter values. If you are building a larger machine for heavy usage, you will probably want to bump the memory allocation to be higher than the default of 64M:

    # Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
    # Note that the daemon will grow to this size, but does not start out holding this much
    # memory
    -m 64

STEP 7: Install the Mailserver Packages

Now we're ready to start in on the harder stuff. As for the LAMP server, there is a shortcut for installing the basic packages for a mail server. Again, note the "^" at the end of the command:

    apt-get install mail-server^

When Postfix installs, you will be asked to choose a general type of mail configuration - select "Internet site". You will be asked for the system mail name, which is the hostname of your mailserver - e.g. mail.example.com. What this gives you is pretty much just bare bones, aimed at a mailserver that manages its users as straightforward Unix users, and which doesn't use a SQL database to store data.
So we need the rest of the cast - such as MySQL support for Postfix and Dovecot, and the coterie of spam-mashing packages. You might also have to install IMAP support for Dovecot, as it may or may not be included in the mail-server packages:

    apt-get install postfix-mysql dovecot-mysql dovecot-imapd postgrey
    apt-get install amavis clamav clamav-daemon spamassassin
    apt-get install php5-imap

The php5-imap package actually supports POP3 as well as the IMAP protocol, and will be needed by Postfix Admin and many of the possible options for PHP webmail applications. Restart Apache to have that running and ready:
    service apache2 restart

Next you'll want some optional packages that extend the abilities of the spam and virus detection packages, such as by allowing greater inspection of attached files:

    apt-get install libnet-dns-perl pyzor razor
    apt-get install arj bzip2 cabextract cpio file gzip nomarch pax unzip zip

You probably also want a package for dealing with RAR-format archives - but I've found unrar-free to be somewhat buggy and unstable, while unrar is not free. So you may just choose to skip that and shrug.

STEP 8: Create a Mail Database and User in MySQL

Log in to MySQL as the root user, entering the password you set earlier:

    mysql -uroot -p

Now set up a database and user for the mail software. This database will store information on user accounts and mail domains, using schema set up by the Postfix Admin package:

    create database mail;
    grant all on mail.* to 'mail'@'localhost' identified by 'mailpassword';

STEP 9: Install Postfix Admin and the MySQL Schema

Postfix Admin is installed as follows. To start things off, download the package from Sourceforge, unpack it, and move it into a subdirectory of your webroot. You will probably also need to change ownership to the www-data user:

    wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.3.6/postfixadmin-2.3.6.tar.gz
    gunzip postfixadmin-2.3.6.tar.gz
    tar -xf postfixadmin-2.3.6.tar
    mv postfixadmin-2.3.6 /var/www/postfixadmin
    chown -R www-data:www-data /var/www/postfixadmin

Next is an interesting sort of a two-phase setup process. Firstly alter the following lines in /var/www/postfixadmin/config.inc.php:

    /*****************************************************************
     * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
     * You have to set $CONF['configured'] = true; before the
     * application will run!
     * Doing this implies you have changed this file as required.
     * i.e. configuring database etc; specifying setup.php password etc.
     */
    $CONF['configured'] = true;

    // Postfix Admin Path
    // Set the location of your Postfix Admin installation here.
    // YOU MUST ENTER THE COMPLETE URL e.g. http://domain.tld/postfixadmin
    $CONF['postfix_admin_url'] = 'https://mail.example.com/postfixadmin';

    // Database Config
    // mysql = MySQL 3.23 and 4.0, 4.1 or 5
    // mysqli = MySQL 4.1+
    // pgsql = PostgreSQL
    $CONF['database_type'] = 'mysql';
    $CONF['database_host'] = 'localhost';
    $CONF['database_user'] = 'mail';
    $CONF['database_password'] = 'mailpassword';
    $CONF['database_name'] = 'mail';

    // Site Admin
    // Define the Site Admins email address below.
    // This will be used to send emails from to create mailboxes.
    $CONF['admin_email'] = 'me@example.com';
    // Mail Server
    // Hostname (FQDN) of your mail server.
    // This is used to send email to Postfix in order to create mailboxes.
    //
    // Set this to localhost for now, but change it later.
    $CONF['smtp_server'] = 'localhost';
    $CONF['smtp_port'] = '25';

    // Encrypt
    // In what way do you want the passwords to be crypted?
    // md5crypt = internal postfix admin md5
    // md5 = md5 sum of the password
    // system = whatever you have set as your PHP system default
    // cleartext = clear text passwords (ouch!)
    // mysql_encrypt = useful for PAM integration
    // authlib = support for courier-authlib style passwords
    // dovecot:CRYPT-METHOD = use dovecotpw -s 'CRYPT-METHOD'. Example: dovecot:CRAM-MD5
    $CONF['encrypt'] = 'md5crypt';

    // Mailboxes
    // If you want to store the mailboxes per domain set this to 'YES'.
    // Examples:
    // YES: /usr/local/virtual/domain.tld/username@domain.tld
    // NO: /usr/local/virtual/username@domain.tld
    $CONF['domain_path'] = 'NO';
    // If you don't want to have the domain in your mailbox set this to 'NO'.
    // Examples:
    // YES: /usr/local/virtual/domain.tld/username@domain.tld
    // NO: /usr/local/virtual/domain.tld/username
    // Note: If $CONF['domain_path'] is set to NO, this setting will be forced to YES.
    $CONF['domain_in_mailbox'] = 'YES';

Note that the last items above are only for the purposes of defining how Postfix Admin stores its data - they don't set system paths for mailboxes. The actual system paths to virtual mailbox directories are defined in the Dovecot configuration outlined in a later section of this post.

Next open up a web browser and visit your mail server at:

    https://mail.example.com/postfixadmin/setup.php

Follow the instructions on that page to choose a setup password, and generate a hash of that password. Add that hash to the configuration file and save it:

    // In order to setup Postfixadmin, you MUST specify a hashed password here.
    // To create the hash, visit setup.php in a browser and type a password into the field,
    // on submission it will be echoed out to you as a hashed value.
    $CONF['setup_password'] = '...a long hash string...';

Then return to the setup page. You can now use the password you selected in order to create an initial administrator account. Postfix Admin will also automatically create its database schema at this point.

It is probably wise to restrict access to /var/www/postfixadmin/setup.php after having used it. Create a file /var/www/postfixadmin/.htaccess and put the following instructions into it:

    <Files "setup.php">
    deny from all
    </Files>

STEP 10: Create the Domain and Accounts in Postfix Admin

Now navigate to the main Postfix Admin login page:

    https://mail.example.com/postfixadmin/

Log in as the newly created administrator account, and then choose the "New domain" option under "Domain List" in order to create the example.com domain. You can then add mail users ("Add mailbox") and aliases ("Add alias") while viewing your domain. This will populate the schema, but it won't do anything else yet as none of the other mailserver components are configured to look at the database at this point.

Postfix Admin does have another useful function during this long setup process - it allows you to send mail to local users through the web interface, which is helpful when testing your configuration and chasing down errors.

STEP 11: Create a User to Handle Virtual Mail Directories

Virtual mail users are those that do not exist as Unix system users. They thus don't use the standard Unix methods of authentication or mail delivery and don't have home directories. That is how we are managing things here: mail users are defined in the database created by Postfix Admin rather than existing as system users. Mail will be kept in subfolders per domain and account under /var/vmail - e.g. me@example.com will have a mail directory of /var/vmail/example.com/me. All of these mail directories will be owned by a single user called vmail, and Dovecot will use the vmail user in order to create and update mail files.

    useradd -r -u 150 -g mail -d /var/vmail -s /sbin/nologin -c "Virtual maildir handler" vmail
    mkdir /var/vmail
    chmod 770 /var/vmail
    chown vmail:mail /var/vmail

Note that the user and virtual mail directory folder are using the "mail" group, and allowing other users in that group to modify the contents.

STEP 12: Configure Dovecot

Dovecot will manage IMAP and POP3 connections, local mail directories, and receive incoming mail handed off from Postfix. It will also manage authentication for SMTP connections - no point in having two separate authentication systems when Dovecot can handle both cases. Configuration is spread across a number of files in /etc/dovecot and subfolders thereof, and might seem a little intimidating, but it's all laid out fairly logically.

The first thing to do is to ensure that Dovecot is looking for user data in the database created by Postfix Admin, so edit or create the file /etc/dovecot/conf.d/auth-sql.conf.ext to have the following contents:

    # Look up user passwords from a SQL database as
    # defined in /etc/dovecot/dovecot-sql.conf.ext
    passdb {
      driver = sql
      args = /etc/dovecot/dovecot-sql.conf.ext
    }
    # Look up user information from a SQL database as
    # defined in /etc/dovecot/dovecot-sql.conf.ext
    userdb {
      driver = sql
      args = /etc/dovecot/dovecot-sql.conf.ext
    }

Now edit these lines in /etc/dovecot/dovecot-sql.conf.ext such that it uses the MySQL database created by Postfix Admin:

    # Database driver: mysql, pgsql, sqlite
    driver = mysql

    # Examples:
    # connect = host=192.168.1.1 dbname=users
    # connect = host=sql.example.com dbname=virtual user=virtual password=blarg
    # connect = /etc/dovecot/authdb.sqlite
    #
    connect = host=localhost dbname=mail user=mail password=mailpassword

    # Default password scheme.
    #
    # List of supported schemes is in
    # http://wiki2.dovecot.org/Authentication/PasswordSchemes
    #
    default_pass_scheme = MD5-CRYPT

    # Define the query to obtain a user password.
    password_query = \
      SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, \
      'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid \
      FROM mailbox WHERE username = '%u' AND active = '1'

    # Define the query to obtain user information.
    user_query = \
      SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, \
      150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota \
      FROM mailbox WHERE username = '%u' AND active = '1'

Then change the controlling definitions in /etc/dovecot/conf.d/10-auth.conf such that Dovecot will read the SQL configuration files. While you are there, you should also make sure that plaintext authentication is disabled unless the connection is encrypted or local:

    # Disable LOGIN command and all other plaintext authentications unless
    # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
    # matches the local IP (ie. you're connecting from the same computer), the
    # connection is considered secure and plaintext authentication is allowed.
    disable_plaintext_auth = yes

    # Space separated list of wanted authentication mechanisms:
    # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
    # gss-spnego
    # NOTE: See also disable_plaintext_auth setting.
    auth_mechanisms = plain login

    ##
    ## Password and user databases
    ##
    #
    # Password database is used to verify user's password (and nothing more).
    # You can have multiple passdbs and userdbs. This is useful if you want to
    # allow both system users (/etc/passwd) and virtual users to login without
    # duplicating the system users into virtual database.
    #
    # <doc/wiki/PasswordDatabase.txt>
    #
    # User database specifies where mails are located and what user/group IDs
    # own them. For single-UID configuration use "static" userdb.
    #
    # <doc/wiki/UserDatabase.txt>

    #!include auth-system.conf.ext
    # Use the SQL database configuration rather than any of these others.
    !include auth-sql.conf.ext
    #!include auth-ldap.conf.ext
    #!include auth-passwdfile.conf.ext
    #!include auth-checkpassword.conf.ext
    #!include auth-vpopmail.conf.ext
    #!include auth-static.conf.ext

Next up, tell Dovecot where to put the virtual user mail directories. That requires the following changes in /etc/dovecot/conf.d/10-mail.conf:

    # Location for users' mailboxes. The default is empty, which means that Dovecot
    # tries to find the mailboxes automatically. This won't work if the user
    # doesn't yet have any mail, so you should explicitly tell Dovecot the full
    # location.
    #
    # If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
    # isn't enough. You'll also need to tell Dovecot where the other mailboxes are
    # kept. This is called the "root mail directory", and it must be the first
    # path given in the mail_location setting.
    #
    # There are a few special variables you can use, eg.:
    #
    # %u - username
    # %n - user part in user@domain, same as %u if there's no domain
    # %d - domain part in user@domain, empty if there's no domain
    # %h - home directory
    #
    # See doc/wiki/Variables.txt for full list. Some examples:
    #
    # mail_location = maildir:~/Maildir
    # mail_location = mbox:~/mail:INBOX=/var/mail/%u
    # mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
    #
    # <doc/wiki/MailLocation.txt>
    #
    mail_location = maildir:/var/vmail/%d/%n

    # System user and group used to access mails. If you use multiple, userdb
    # can override these by returning uid or gid fields. You can use either numbers
    # or names. <doc/wiki/UserIds.txt>
    mail_uid = vmail
    mail_gid = mail

    # Valid UID range for users, defaults to 500 and above. This is mostly
    # to make sure that users can't log in as daemons or other system users.
    # Note that denying root logins is hardcoded to dovecot binary and can't
    # be done even if first_valid_uid is set to 0.
    #
    # Use the vmail user uid here.
    first_valid_uid = 150
    last_valid_uid = 150

If you are bringing your own SSL certificate to the party, you have to let Dovecot know about it by editing these lines in /etc/dovecot/conf.d/10-ssl.conf. Remember to include your CA certificate bundle if provided with one by the certificate issuer:

    # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
    ssl = yes
    # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
    # dropping root privileges, so keep the key file unreadable by anyone but
    # root. Included doc/mkcert.sh can be used to easily generate self-signed
    # certificate, just make sure to update the domains in dovecot-openssl.cnf
    ssl_cert = </path/to/my/cert.pem
    ssl_key = </path/to/my/key.pem

    # If key file is password protected, give the password here. Alternatively
    # give it when starting dovecot with -p parameter. Since this file is often
    # world-readable, you may want to place this setting instead to a different
    # root owned 0600 file by using ssl_key_password = <path.
    #ssl_key_password =

    # PEM encoded trusted certificate authority. Set this only if you intend to use
    # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
    # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
    #ssl_ca = </path/to/ca.pem

Next, edit these lines in /etc/dovecot/conf.d/10-master.conf to add the Postfix option:

    service auth {
      # auth_socket_path points to this userdb socket by default. It's typically
      # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
      # permissions make it readable only by root, but you may need to relax these
      # permissions. Users that have access to this socket are able to get a list
      # of all usernames and get results of everyone's userdb lookups.
      unix_listener auth-userdb {
        mode = 0600
        user = vmail
        group = mail
      }
      unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        # Assuming the default Postfix user and group
        user = postfix
        group = postfix
      }

You may have to explicitly set a postmaster address in /etc/dovecot/conf.d/15-lda.conf; if you see "Invalid settings: postmaster_address setting not given" showing up in the mail log, then this is the fix for that. Make sure that a suitable alias or mailbox exists for your chosen postmaster address:

    # Address to use when sending rejection mails.
    # Default is postmaster@<your domain>.
    postmaster_address = postmaster@example.com

You'll want to change the Dovecot configuration to be accessible to both dovecot and vmail users:

    chown -R vmail:dovecot /etc/dovecot
    chmod -R o-rwx /etc/dovecot

A final note on Dovecot: it only creates a user's mail directory when mail is first delivered to that virtual user. So creating a user in Postfix Admin will not result in the immediate creation of a mail directory under /var/vmail, and that's just fine.

STEP 13: Configure Amavis, ClamAV, and SpamAssassin

Before configuring Postfix, we may as well take a short detour into configuring the spam and virus tools. Their default configuration is close to what most people will need, and tools like SpamAssassin auto-detect many of the optional additional packages you may have installed. If you have specialist needs or greater knowledge, you can of course spend a fair amount of time here crafting intricate rules. For the casual user, this is a quick and straightforward process, however. Note that here we are putting off the portions relating to integration with Postfix - e.g. additions to the master.cf file - into the Postfix section of this post.

First add Amavis and ClamAV users to one another's groups to enable them to collaborate:

    adduser clamav amavis
    adduser amavis clamav

Then turn on Amavis by editing /etc/amavis/conf.d/15-content_filter_mode - the software is disabled by default, so uncomment the @bypass lines:
    use strict;

    # You can modify this file to re-enable SPAM checking through spamassassin
    # and to re-enable antivirus checking.

    #
    # Default antivirus checking mode
    # Please note, that anti-virus checking is DISABLED by
    # default.
    # If You wish to enable it, please uncomment the following lines:
    1;  # ensure a defined return

Now enable SpamAssassin by editing these lines in /etc/default/spamassassin:

    # Change to one to enable spamd
    ENABLED=1

    # Cronjob
    # Set to anything but 0 to enable the cron job to automatically update
    # spamassassin's rules on a nightly basis
    CRON=1

SpamAssassin under Amavis will only check mail that's determined to be arriving for local delivery. There are a couple of ways to tell Amavis which mails are for local delivery, but here we'll set it up to check the database set up by Postfix Admin. Edit /etc/amavis/conf.d/50-user to look like this:

    use strict;
    #
    # Place your configuration directives here. They will override those in
    # earlier files.
    #
    # See /usr/share/doc/amavisd-new/ for documentation and examples of
    # the directives you can use in this file
    #

    # Three concurrent processes. This should fit into the RAM available on an
    # AWS micro instance. This has to match the number of processes specified
    # for Amavis in /etc/postfix/master.cf.
    $max_servers = 3;

    # Add spam info headers if at or above that level - this ensures they
    # are always added.
    $sa_tag_level_deflt = -9999;

    # Check the database to see if mail is for local delivery, and thus
    # should be spam checked.
    @lookup_sql_dsn = (
        ['DBI:mysql:database=mail;host=127.0.0.1;port=3306',
         'mail',
         'mailpassword']);
    $sql_select_policy = 'SELECT domain from domain WHERE CONCAT("@",domain) IN (%k)';

    # Uncomment to bump up the log level when testing.
    # $log_level = 2;
    #------------ Do not modify anything below this line -------------
    1;  # ensure a defined return

You will have to restart these processes to pick up the new configuration:

    service amavis restart
    service spamassassin restart

STEP 14: Configure Postfix

Postfix handles incoming mail via the SMTP protocol, and its configuration files have to be set up to allow it to integrate with the various other packages we have installed so far. At a high level, we want Postfix to hand off incoming mail to the spam and virus checkers before passing it on to Dovecot for delivery, and to authenticate virtual users who are connecting over SMTP in order to send mail.

Firstly create files describing for Postfix where to find information on users and domains. Note that the "hosts" directive in these files must be exactly the same as the "bind-address" in /etc/mysql/my.cnf. If one side says "localhost" and the other side says "127.0.0.1" then you may find that Postfix cannot connect to MySQL - strange but true. Here are the needed Postfix files:

/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf

    user = mail
    password = mailpassword
    hosts = 127.0.0.1
    dbname = mail
    query = SELECT goto FROM alias,alias_domain
      WHERE alias_domain.alias_domain = '%d'
      AND alias.address=concat('%u', '@', alias_domain.target_domain)
      AND alias.active = 1

/etc/postfix/mysql_virtual_alias_maps.cf

    user = mail
    password = mailpassword
    hosts = 127.0.0.1
    dbname = mail
    table = alias
    select_field = goto
    where_field = address
    additional_conditions = and active = '1'

/etc/postfix/mysql_virtual_domains_maps.cf

    user = mail
    password = mailpassword
    hosts = 127.0.0.1
    dbname = mail
    table = domain
    select_field = domain
    where_field = domain
    additional_conditions = and backupmx = '0' and active = '1'

/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf

    user = mail
    password = mailpassword
    hosts = 127.0.0.1
    dbname = mail
    query = SELECT maildir FROM mailbox, alias_domain
      WHERE alias_domain.alias_domain = '%d'
      AND mailbox.username=concat('%u', '@', alias_domain.target_domain )
      AND mailbox.active = 1

/etc/postfix/mysql_virtual_mailbox_maps.cf

    user = mail
    password = mailpassword
    hosts = 127.0.0.1
    dbname = mail
    table = mailbox
    select_field = CONCAT(domain, '/', local_part)
    where_field = username
    additional_conditions = and active = '1'

Now create the file /etc/postfix/header_checks, which will contain some directives to remove certain headers when relaying mail. This improves privacy for the sending users by such things as stripping the original IP address and mail software identifiers, for example. This file will be referenced in the main Postfix configuration:

    /^Received:/ IGNORE
    /^User-Agent:/ IGNORE
    /^X-Mailer:/ IGNORE
    /^X-Originating-IP:/ IGNORE
    /^x-cr-[a-z]*:/ IGNORE
    /^Thread-Index:/ IGNORE

The following is the complete main Postfix configuration file at /etc/postfix/main.cf, which contains a fair number of complex choices and options on how mail is relayed and how SMTP behaves. It is far beyond the scope of this post to explain each and every choice of best practice or configuration parameter in detail. I strongly suggest that you spend some time reading up on Postfix configuration, as this is where it is easy to fall down and produce a suboptimal or faulty mailserver.

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version

    # The first text sent to a connecting process.
    smtpd_banner = $myhostname ESMTP $mail_name
    biff = no
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    readme_directory = no

    # Replace this with your SSL certificate path if you are using one.
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    # The snakeoil self-signed certificate has no need for a CA file. But
    # if you are using your own SSL certificate, then you probably have
    # a CA certificate bundle from your provider. The path to that goes
    # here.
    #smtpd_tls_CAfile=/path/to/ca/file

    # Note that forcing use of TLS is going to cause breakage - most mail servers
    # don't offer it and so delivery will fail, both incoming and outgoing. This is
    # unfortunate given what various governmental agencies are up to these days.

    # These are Postfix 2.2 only.
    #
    # Enable (but don't force) use of TLS on incoming smtp connections.
    smtpd_use_tls = yes
    smtpd_enforce_tls = no
    # Enable (but don't force) use of TLS on outgoing smtp connections.
    smtp_use_tls = yes
    smtp_enforce_tls = no

    # These are Postfix 2.3 and later.
    #
    # Enable (but don't force) all incoming smtp connections to use TLS.
    smtpd_tls_security_level = may
    # Enable (but don't force) all outgoing smtp connections to use TLS.
    smtp_tls_security_level = may

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    # will it be a permanent error or temporary
    unknown_local_recipient_reject_code = 450
    # how long to keep message on queue before return as failed.
    # some have 3 days, I have 16 days as I am backup server for some people
    # whom go on holiday with their server switched off.
    maximal_queue_lifetime = 7d
    # max and min time in seconds between retries if connection failed
    minimal_backoff_time = 1000s
    maximal_backoff_time = 8000s
    # how long to wait when servers connect before receiving rest of data
    smtp_helo_timeout = 60s
    # how many address can be used in one message.
    # effective stopper to mass spammers, accidental copy in whole address list
    # but may restrict intentional mail shots.
    smtpd_recipient_limit = 16
    # how many error before back off.
    smtpd_soft_error_limit = 3
    # how many max errors before blocking it.
    smtpd_hard_error_limit = 12

    # This next set are important for determining who can send mail and relay mail
    # to other servers. It is very important to get this right - accidentally producing
    # an open relay that allows unauthenticated sending of mail is a Very Bad Thing.
    #
    # You are encouraged to read up on what exactly each of these options accomplish.

    # Requirements for the HELO statement
    smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
    # Requirements for the sender details
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
    # Requirements for the connecting server
    smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
    # Requirement for the recipient address. Note that the entry for
    # "check_policy_service inet:127.0.0.1:10023" enables Postgrey.
    smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
    smtpd_data_restrictions = reject_unauth_pipelining

    # require proper helo at connections
    smtpd_helo_required = yes
    # waste spammers time before rejecting them
    smtpd_delay_reject = yes
    disable_vrfy_command = yes

    # General host and delivery info
    # ----------------------------------
    myhostname = mail.example.com
    myorigin = /etc/hostname

To be clear, if you are using a purchased SSL certificate - and have a CA certificate bundle from the issuer - then you will have to alter these lines in /etc/postfix/main.cf:

    # Replace this with your SSL certificate path if you are using one.
    smtpd_tls_cert_file=/path/to/my/cert.pem
    smtpd_tls_key_file=/path/to/my/key.key
    # The snakeoil self-signed certificate has no need for a CA file. But
    # if you are using your own SSL certificate, then you probably have
    # a CA certificate bundle from your provider. The path to that goes
    # here.
    #smtpd_tls_CAfile=/path/to/ca/file

Further, if you are running Postfix version 2.10 or later, which might be the case if you are reading this recipe for pointers on an installation on a later version of Ubuntu, then you will need to add the following lines:

    # This is a new option as of Postfix 2.10, and is required in addition to
    # smtpd_recipient_restrictions for things to work properly in this setup.
    smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit

You must also add some material to /etc/postfix/master.cf, and here is the entire file for clarity, including much of the default material from the package install - such as commented options:

    #
    # Postfix master process configuration file. For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master").
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================

    # SMTP over SSL on port 465.
    smtps     inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_auth_only=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
      -o smtpd_sasl_security_options=noanonymous,noplaintext
      -o smtpd_sasl_tls_security_options=noanonymous

    #628       inet  n       -       -       -       -       qmqpd
    pickup    fifo  n       -       -       60      1       pickup
      -o content_filter=
      -o receive_override_options=no_header_body_checks
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    #qmgr     fifo  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq

Note that Amavis is restricted to three processes, which should be fine for most casual to moderate use. The processes are memory-heavy, so start low and add more only if you need to due to volume of mail - see the notes in this guide for pointers on how to do that.

Restart Everything, and Test the Server

Restart all the necessary processes to pick up configuration changes:

    service postfix restart
    service spamassassin restart
    service clamav-daemon restart
    service amavis restart
    service dovecot restart

Now start testing! Keep an eye on /var/log/mail.err and /var/log/mail.log for error messages and try logging in to POP and IMAP, sending mail to an account created on the server, and sending mail from the server. If you find issues, then Google is your friend when it comes to searching on specific error messages in order to identify where the configuration is wrong, or when something unexpected crops up.

That's the end of the mail server configuration.

Setup Webmail:

For an easy-to-use webmail with a simple installation process, use Roundcube.

This post is a brief addendum to the long Ubuntu 12.04 mail server recipe I assembled last year. That uses Horde for webmail and I have become somewhat disenchanted with that package. If you need calendaring and other broad feature packages offered by Horde then it is probably worth wading through the Swamp of Infinite Configuration to get it working. If not, then there are simpler options. Roundcube is a straightforward PHP webmail package, so it's easy enough to substitute Roundcube in place of Horde when building a mail server. The instructions you'll find online on how to install Roundcube are, shall we say, somewhat confused however. They will largely lead you down the wrong path if working from a package install on Ubuntu. Here instead is the quick and easy way to manage things, assuming that your mail server was built according to my guide, and thus has Apache and MySQL available.

Installation

Start by installing the necessary packages. The plugin packages aren't essential, but it doesn't hurt to look them over to see what is available:

    apt-get install roundcube roundcube-plugins roundcube-plugins-extra

In the package installation process you should choose to have the package set up the database for you. Pick MySQL as the database type. You'll be asked for the MySQL root user password, and to choose a password for the roundcube user that will be created.

Configuration

Set the following line in /var/lib/roundcube/config/main.inc.php:

    // the mail host chosen to perform the log-in
    // leave blank to show a textbox at login, give a list of hosts
    // to display a pulldown menu or set one host as string.
    // To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
    // Supported replacement variables:
    // %n - http hostname ($_SERVER['SERVER_NAME'])
    // %d - domain (http hostname without the first part)
    // %s - domain name after the '@' from e-mail address provided at login screen
    // For example %n = mail.domain.tld, %d = domain.tld
    $rcmail_config['default_host'] = 'localhost';

At this point Roundcube is now installed and minimally configured, but it isn't accessible from the server webroot. The Roundcube webroot containing PHP files and various symlinks is sitting in /var/lib/roundcube, and the next step is to make that available to visitors.

Option 1: Roundcube in a Subfolder

If you have a busy webroot with other applications running, you may want to stick Roundcube into a subfolder, to be accessed via https://mail.example.com/roundcube or similar. This is easily accomplished by creating a symlink in the webroot:

    ln -s /var/lib/roundcube /var/www/roundcube

If you have nothing in the upper directory of your webroot and want to redirect arrivals to the webmail login you might set up a redirect in /var/www/.htaccess:

    RewriteRule ^/?$ /roundcube [L]

This has the advantage of leaving other subdirectories under /var/www accessible for whatever you might want to use them for, such as a Postfix Admin installation.

Option 2: Roundcube is the Webroot

An alternate approach is to switch the whole webroot over to /var/lib/roundcube, such that http://mail.example.com is the webmail login. In your site definition files under /etc/apache2/sites-enabled you'll want to change the DocumentRoot directive:

    # Replace the standard webroot with the Roundcube directory.
    # DocumentRoot /var/www/
    DocumentRoot /var/lib/roundcube

This means that everything in /var/www/.htaccess, such as rewrite rules to redirect all incoming traffic to SSL, must be copied and inserted into the existing Roundcube htaccess file at /var/lib/roundcube/.htaccess. Don't just overwrite it as Roundcube needs its rules in order to function.

Any files and folders under /var/www must now be symlinked from /var/lib/roundcube, or they will now be inaccessible. For example if you are using Postfix Admin and have it set up at /var/www/postfixadmin then you would need to create this symlink:

    ln -s /var/www/postfixadmin /var/lib/roundcube/postfixadmin

That's the end of the webmail configuration.

Generally, webmail does not come with most of the settings that we see in Yahoo or Gmail etc.; we have to enable them in Roundcube in the form of plugins. Different plugins are used for different settings. Most of the plugins are available for download and have to be enabled manually.
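
An added example (not from the original guide) for the open-relay warning in the main.cf comments: a small Python check that walks smtpd_relay_restrictions and smtpd_recipient_restrictions in evaluation order and reports whether reject_unauth_destination, or another relay guard, is reached before anything that could accept an untrusted client. The function names, verdict strings and the misordered BAD_CF sample are constructed for illustration.

```python
import re

# Permits that only accept clients this setup already trusts.
TRUSTED_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}
# Restrictions that stop relaying to domains the server does not handle.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer"}

def parse_main_cf(text):
    """{parameter: value}; a line starting with whitespace continues the last one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                    # blank or comment line
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
        elif "=" in raw:
            current, value = (part.strip() for part in raw.split("=", 1))
            params[current] = value
    return params

def relay_verdict(value):
    """Walk the list in evaluation order; is a relay guard reached first?"""
    skip = False
    for tok in filter(None, re.split(r"[,\s]+", value)):
        if skip:                        # restriction demoted by warn_if_reject
            skip = False
        elif tok == "warn_if_reject":
            skip = True
        elif tok in RELAY_GUARDS:
            return "guarded"
        elif tok == "permit" or (tok.startswith("permit_")
                                 and tok not in TRUSTED_PERMITS):
            return "open: %s is evaluated before any relay guard" % tok
        elif tok.startswith("check_"):
            return "review: %s can return OK before any relay guard" % tok
    return "open: list ends without a relay guard"

def audit(main_cf_text):
    """Verdict for each relay-relevant restriction list present in main.cf."""
    params = parse_main_cf(main_cf_text)
    names = ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")
    return {n: relay_verdict(params[n]) for n in names if n in params}

# The recipient list from this page, then a constructed misordered variant.
PAGE_CF = """smtpd_recipient_restrictions = reject_unauth_pipelining,
    permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023, permit"""
BAD_CF = "smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination"
```

Calling audit() on the contents of /etc/postfix/main.cf gives one verdict per list; the list from this page comes back "guarded", while the constructed variant is flagged because a bare permit precedes reject_unauth_destination.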