

A Mailserver on Ubuntu 12.04: Postfix, Dovecot, MySQL


By Reason, May 15, 2012

This long post contains a recipe for building a reasonably secure Ubuntu 12.04 mailserver in Amazon Web Services, using Postfix 2.9.1, Dovecot 2.0.19, and MySQL 5.5.22, with anti-spam packages in the form of amavisd-new 2.6.5, Clam AntiVirus 0.97.3, SpamAssassin 3.3.2, and Postgrey 1.3.4. Local users are virtual rather than system users. Administration of users and domains is achieved through the Postfix Admin 2.3.5 web interface. Webmail is provided by Horde Groupware Webmail Edition 4.0.7. A number of people have assisted in correcting errors and suggesting additional sections since this recipe was first posted. If you find a blocking issue, let me know.

1) Introduction

Building a Linux mailserver from scratch to your own liking is a painful process unless you happen to be one of the few folk who do that day in and day out; there is no way around that fact. A mailserver generally consists of a range of different packages that separately handle SMTP, POP/IMAP, local storage of mail, and spam-related tasks. They must all talk to one another correctly, they all have small novels in place of configuration documentation, and there is no one obvious best practice for how users are managed, how user data is stored, or how the various components are glued together. There are any number of viable setups for moving mail between Postfix and Dovecot, for example. Further, the whole assembly tends to be unforgiving on matters such as permissions, the choice of users for specific processes, and tiny errors in esoteric configuration files. Unless you know what you are doing, the end result will likely be insecure, non-functional, or otherwise misconfigured.

There are a number of fairly up to date recipes for creating mailservers out there; one of the better ones is an Ubuntu recipe by Ivar Abrahamsen, which gives you Postfix for SMTP, Courier for IMAP/POP, MySQL to store account information, virtual user mail directories, and an array of anti-spam tools that are highly effective when working in concert. It is a good set of documents, as the author places an emphasis on producing a secure mailserver as the end result. There are also a great many partial recipes and out of date guides that are frankly more of a hindrance than a help, especially when it comes to Dovecot, which changed greatly between its 1.x and 2.x versions: the configuration is completely different, and so are many of the administrative and tool binaries. I've used Abrahamsen's guide as a basis for my mail servers running on AWS for a few years now. Upgrade time always rolls around eventually, however, and this time I decided to move to a new setup to mark the release of Ubuntu 12.04: swap out Courier for Dovecot and try out a web front-end for managing mail users. Finding a good all-in-one-place guide was a challenge, hence this document.

2) Outlining the Goal

The end result of following this guide will be a secure mail server for your domain equipped with the following software packages:

Postfix: sends and receives mail via the SMTP protocol. It will only relay mail on to other mailservers if the mail is sent by an authenticated user, but anyone can send mail to this server for local delivery.
Dovecot: a POP and IMAP server that manages local mail directories and allows users to log in and download their mail. It also handles user authentication, including for SMTP.
Postgrey: greylists incoming mail, requiring unfamiliar deliverers to wait for a while and then resend. This is one of the better tools for cutting down on spam.
amavisd-new: a manager for organizing various antivirus and spam checking content filters.
Clam AntiVirus: a virus detection suite.
SpamAssassin: for sniffing out spam in emails.
Postfix Admin: a web front end for administering mail users and domains.
Horde Groupware Webmail Edition: a webmail interface for users.

The server will accept plain text or encrypted SMTP and POP/IMAP connections on the standard ports, but will not allow user authentication without encryption. It will pass through a minimal set of mail headers for mail sent by local users, removing identifying information about the original sender's mail software.

3) Fire up an Ubuntu 12.04 AWS Instance

Start up an Elastic Block Store (EBS) backed server instance; at the time of writing, Ubuntu 12.04 is one of the options right there in the quick start menu for launching a new instance. Mail servers don't generally have to be all that big if you aren't in the business of email; a micro instance has served me just fine for a fairly well trafficked web site with a mailing list of thousands, for example. That said, the server produced by following this guide runs at close to 80% memory utilization on a micro instance when unloaded, so a sudden blizzard of unexpected web traffic would probably cause issues. Adjust your expectations accordingly.

4) Some Basic Configuration

The baseline Ubuntu instance lacks nearly every package you might need, so you are building from fairly close to scratch. You'll log in as the "ubuntu" user and then switch to root, since most of what you need to do requires root access:
sudo su

You must also set up an Elastic IP so that the server keeps a permanent public address, and point your DNS A and MX records at it. A mail server additionally needs a reverse DNS (PTR) record that matches its hostname, which for an Elastic IP has to be requested from Amazon; many receiving servers treat mail from hosts without matching reverse DNS as spam. By default, an AWS instance has its own strange-looking hostname, so changing it to the name the server will use is the first item on the list:
hostname mail.example.com


Now set the contents of /etc/hostname to be the hostname:


mail.example.com

And add your hostname to the first line of /etc/hosts:


127.0.0.1 mail.example.com localhost

# Usually some IPv6 configuration follows the first line; leave that alone.


Now regenerate the server's default self-signed SSL certificate so that it matches the domain name. You may have purchased a certificate for your mail server, but it is perfectly possible to run a mail server with a self-signed certificate. Connections are still encrypted, but clients cannot verify the server's identity, so users will see warning screens in webmail hosted on the server and warnings from mail clients such as Microsoft Outlook when connecting via POP, IMAP, or SMTP. Users who simply click through such warnings gain nothing against an attacker sitting in the path, so if you go this route, distribute the certificate fingerprint and tell them to check it:
apt-get install ssl-cert
make-ssl-cert generate-default-snakeoil --force-overwrite

5) Now Build a LAMP Web Server

You will need the mailserver to also be a LAMP (Linux, Apache, MySQL, PHP) web server, since you will want webmail and a web-based administrative interface for managing users. So turning your Ubuntu instance into a web server is a good place to start. There is a shortcut to install the basic LAMP packages, so start by updating the repository data and installing the packages. Notice the "^" at the end of the command; it is necessary, as it selects the lamp-server task rather than a package:
apt-get update
apt-get upgrade
apt-get install lamp-server^


During this install you will be asked to choose a root password for MySQL. Choose something strong, and then move on to adding an array of basic additional packages for PHP such as APC bytecode caching, memcache support, cURL, an XML parser, and GD image processing. Add more to suit your own taste and the applications you want to support on this server.


apt-get install php-apc php5-memcache php5-curl php5-gd php-xml-parser

6) Configure PHP

The default configuration for PHP and the additional packages mentioned above is sufficient for most casual usage. So unless you have something complicated or high-powered in mind, you should probably only change the expose_php setting in /etc/php5/apache2/php.ini. Set it to "Off":
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://php.net/expose-php
expose_php = Off


7) Configure Apache

The expected end result for Apache is that it will serve a single site with a couple of running web applications: webmail and Postfix Admin hidden away in a subdirectory. All traffic will be directed to HTTPS; there is no good reason to allow non-secure access to any of what will be on the web server. Firstly configure the following lines in /etc/apache2/conf.d/security to minimize the information that Apache gives out in its response headers:
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature Off


Make sure that mod_rewrite, mod_ssl, and the default SSL virtual host are enabled; you'll need all three to be able to force visitors onto HTTPS:
a2enmod rewrite ssl
a2ensite default-ssl


The default site configuration in /etc/apache2/sites-available/default can be edited to look something like this for the sake of simplicity:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

But of course your taste and needs may vary. Keeping the same simple approach, the upper portion of the SSL configuration in /etc/apache2/sites-available/default-ssl can be set up as follows:


<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    # ...more default SSL configuration...

    # You will probably need to change this next Directory directive as well
    # in order to match the earlier one.
    <Directory />
        SSLOptions +StdEnvVars
    </Directory>

    # ...yet more default SSL configuration, unchanged, down to the closing
    # </VirtualHost> and </IfModule>...


If you are using a purchased rather than self-signed certificate, you probably also have a CA certificate bundle (the intermediate chain) from the issuer. In that case you'll want to further change these lines in /etc/apache2/sites-enabled/default-ssl (a symlink to the file in sites-available), pointing them at files readable by root only:
#   A self-signed (snakeoil) certificate can be created by installing
#   the ssl-cert package. See
#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
#   If both key and certificate are stored in the same file, only the
#   SSLCertificateFile directive is needed.
SSLCertificateFile    /path/to/mycert.crt
SSLCertificateKeyFile /path/to/mykey.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
SSLCertificateChainFile /path/to/my-ca-bundle.crt


To push visitors to HTTPS, put something similar to the following snippet into /var/www/.htaccess. The R=301 flag makes this an explicit permanent redirect rather than relying on mod_rewrite's implicit external redirect for a full URL:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://mail.example.com/$1 [R=301,L]


8) Install and Configure Memcached

You will need to install Memcached to support the webmail applications intended to run on this server:
apt-get install memcached

The default configuration file at /etc/memcached.conf is good enough for a small server: it locks down access to localhost and provides generally sensible configuration parameter values. If you are building a larger machine for heavy usage, you will probably want to bump the memory allocation to be higher than the default of 64M:
# Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
# Note that the daemon will grow to this size, but does not start out holding this much
# memory
-m 64


9) Install the Mailserver Packages

Now we're ready to start in on the harder stuff. As for the LAMP server, there is a shortcut for installing the basic packages for a mail server. Again, note the "^" at the end of the command:
apt-get install mail-server^


When Postfix installs, you will be asked to choose a general type of mail configuration - select "Internet site". You will be asked for the system mail name, which is the hostname of your mailserver - e.g. mail.example.com. What this gives you is pretty much just bare bones, aimed at a mailserver that manages its users as straightforward Unix users, and which doesn't use a SQL database to store data. So we need the rest of the cast - such as MySQL support for Postfix and Dovecot, and the coterie of spam-mashing packages. You might also have to install IMAP support for Dovecot, as it may or may not be included in the mail-server packages:
apt-get install postfix-mysql dovecot-mysql dovecot-imapd postgrey
# The Ubuntu package for amavisd-new is named amavisd-new
apt-get install amavisd-new clamav clamav-daemon spamassassin
apt-get install php5-imap



The php5-imap package actually supports POP3 as well as the IMAP protocol, and will be needed by Postfix Admin and many of the possible options for PHP webmail applications. Restart Apache to have that running and ready:
service apache2 restart


Next you'll want some optional packages that extend the abilities of the spam and virus detection packages, such as by allowing greater inspection of attached files:
apt-get install libnet-dns-perl pyzor razor
apt-get install arj bzip2 cabextract cpio file gzip nomarch pax unzip zip

You probably also want a package for dealing with RAR-format archives, but I've found unrar-free to be somewhat buggy and unstable, while unrar is non-free. So you may just choose to skip that and shrug.

10) Create a Mail Database and User in MySQL

Log in to MySQL as the root user, entering the password you set earlier:
mysql -u root -p

Now set up a database and user for the mail software. This database will store information on user accounts and mail domains, using the schema set up by the Postfix Admin package. Replace 'mailpassword' with a long random password; it will end up in several configuration files. Note that only Postfix Admin ever writes to this database, while Postfix and Dovecot only read from it, so if you want to limit what a leaked Postfix or Dovecot configuration file gives away, create a second account granted SELECT only and use that in their configurations:
create database mail;
grant all on mail.* to 'mail'@'localhost' identified by 'mailpassword';

11) Install Postfix Admin and the MySQL Schema

Postfix Admin is installed as follows. To start things off, download the package from Sourceforge, unpack it, and move it into a subdirectory of your webroot. As with anything pulled straight from a download mirror, check the tarball against the checksum or signature the project publishes before unpacking it. You will probably also need to change ownership to the www-data user:
wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.3.5/postfixadmin-2.3.5.tar.gz
gunzip postfixadmin-2.3.5.tar.gz
tar -xf postfixadmin-2.3.5.tar
mv postfixadmin-2.3.5 /var/www/postfixadmin
chown -R www-data:www-data /var/www/postfixadmin

Next is an interesting sort of a two-phase setup process. Firstly alter the following lines in /var/www/postfixadmin/config.inc.php:
/*****************************************************************
*  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
*  You have to set $CONF['configured'] = true; before the
*  application will run!
*  Doing this implies you have changed this file as required.
*  i.e. configuring database etc; specifying setup.php password etc.
*/
$CONF['configured'] = true;

// Postfix Admin Path
// Set the location of your Postfix Admin installation here.
// YOU MUST ENTER THE COMPLETE URL e.g. http://domain.tld/postfixadmin
$CONF['postfix_admin_url'] = 'https://mail.example.com/postfixadmin';

// Database Config
// mysql = MySQL 3.23 and 4.0, 4.1 or 5
// mysqli = MySQL 4.1+
// pgsql = PostgreSQL
// These must match the account created in MySQL above.
$CONF['database_type'] = 'mysql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'mail';
$CONF['database_password'] = 'mailpassword';
$CONF['database_name'] = 'mail';

// Site Admin
// Define the Site Admins email address below.
// This will be used to send emails from to create mailboxes.
$CONF['admin_email'] = 'me@example.com';

// Mail Server
// Hostname (FQDN) of your mail server.
// This is used to send email to Postfix in order to create mailboxes.
//
// Set this to localhost for now, but change it later.
$CONF['smtp_server'] = 'localhost';
$CONF['smtp_port'] = '25';

// Encrypt
// In what way do you want the passwords to be crypted?
// md5crypt = internal postfix admin md5
// md5 = md5 sum of the password
// system = whatever you have set as your PHP system default
// cleartext = clear text passwords (ouch!)
// mysql_encrypt = useful for PAM integration
// authlib = support for courier-authlib style passwords
// dovecot:CRYPT-METHOD = use dovecotpw -s 'CRYPT-METHOD'. Example: dovecot:CRAM-MD5
// Whatever is chosen here has to agree with default_pass_scheme in
// /etc/dovecot/dovecot-sql.conf.ext: md5crypt produces $1$ hashes, which
// Dovecot reads as MD5-CRYPT. A dovecot:SCHEME value delegates hashing to
// Dovecot and is the route to a stronger scheme such as SHA512-CRYPT.
$CONF['encrypt'] = 'md5crypt';

// Mailboxes
// If you want to store the mailboxes per domain set this to 'YES'.
// Examples:
//   YES: /usr/local/virtual/domain.tld/username@domain.tld
//   NO:  /usr/local/virtual/username@domain.tld
$CONF['domain_path'] = 'NO';
// If you don't want to have the domain in your mailbox set this to 'NO'.
// Examples:
//   YES: /usr/local/virtual/domain.tld/username@domain.tld
//   NO:  /usr/local/virtual/domain.tld/username
// Note: If $CONF['domain_path'] is set to NO, this setting will be forced to YES.
// The Dovecot queries in this guide derive the path from the username as
// /var/vmail/%d/%n and ignore the maildir column these two settings control.
$CONF['domain_in_mailbox'] = 'YES';

Next open up a web browser and visit your mail server at:
https://mail.example.com/postfixadmin/setup.php

Follow the instructions on that page to choose a setup password, and generate a hash of that password. Add that hash to the configuration file and save it:
// In order to setup Postfixadmin, you MUST specify a hashed password here.
// To create the hash, visit setup.php in a browser and type a password into the field,
// on submission it will be echoed out to you as a hashed value.
$CONF['setup_password'] = '...a long hash string...';

Then return to the setup page. You can now use the password you selected in order to create an initial administrator account. Postfix Admin will also automatically create its database schema at this point. It is probably wise to restrict access to /var/www/postfixadmin/setup.php after having used it. Create a file /var/www/postfixadmin/.htaccess and put the following instructions into it:
<Files "setup.php">
    deny from all
</Files>

Note that there is an annoying little issue involving the incorrect display of non-ASCII characters in Postfix Admin 2.3.5. It's easy to patch, however, so you may as well do that while you are here. Make the following small changes: /var/www/postfixadmin/templates/list-virtual.php:
// Replacing this line:
// print "<td>" . htmlentities($tMailbox[$i]['name']) . "</td>\n";
print "<td>" . htmlentities($tMailbox[$i]['name'], ENT_QUOTES, 'UTF-8') . "</td>\n";

/var/www/postfixadmin/templates/admin_list-domain.php:
// Replacing this line:
// print "<td>" . htmlentities($domain_properties[$i]['description']) . "</td>";
print "<td>" . htmlentities($domain_properties[$i]['description'], ENT_QUOTES, 'UTF-8') . "</td>";

12) Create the Domain and Accounts in Postfix Admin

Now navigate to the main Postfix Admin login page:
https://mail.example.com/postfixadmin/

Log in as the newly created administrator account, and then choose the "New domain" option under "Domain List" in order to create the example.com domain. You can then add mail users ("Add mailbox") and aliases ("Add alias") while viewing your domain. This will populate the schema, but it won't do anything else yet, as none of the other mailserver components are configured to look at the database at this point. Postfix Admin does have another useful function during this long setup process: it allows you to send mail to local users through the web interface, which is helpful when testing your configuration and chasing down errors.

13) Create a User to Handle Virtual Mail Directories

Virtual mail users are those that do not exist as Unix system users. They thus don't use the standard Unix methods of authentication or mail delivery and don't have home directories. That is how we are managing things here: mail users are defined in the database created by Postfix Admin rather than existing as system users. Mail will be kept in subfolders per domain and account under /var/vmail; e.g. me@example.com will have a mail directory of /var/vmail/example.com/me. All of these mail directories will be owned by a single user called vmail, and Dovecot will use the vmail user in order to create and update mail files. The account gets no shell and no password, so nobody can log in as it:
# Ubuntu ships nologin as /usr/sbin/nologin (there is no /sbin/nologin)
useradd -r -u 150 -g mail -d /var/vmail -s /usr/sbin/nologin -c "Virtual maildir handler" vmail
mkdir /var/vmail
chmod 770 /var/vmail
chown vmail:mail /var/vmail

Note that the vmail user and the virtual mail directory use the "mail" group (gid 8, the value the Dovecot SQL queries return as the group id), and the 770 mode allows other users in that group to modify the contents while denying everyone else any access.

14) Configure Dovecot

Dovecot will manage IMAP and POP3 connections, local mail directories, and receive incoming mail handed off from Postfix. It will also manage authentication for SMTP connections; there is no point in having two separate authentication systems when Dovecot can handle both cases. Configuration is spread across a number of files in /etc/dovecot and subfolders thereof, and might seem a little intimidating, but it's all laid out fairly logically. The first thing to do is to ensure that Dovecot is looking for user data in the database created by Postfix Admin, so edit or create the file /etc/dovecot/conf.d/auth-sql.conf.ext to have the following contents:
# Look up user passwords from a SQL database as
# defined in /etc/dovecot/dovecot-sql.conf.ext
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# Look up user information from a SQL database as
# defined in /etc/dovecot/dovecot-sql.conf.ext
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

Now edit these lines in /etc/dovecot/dovecot-sql.conf.ext such that it uses the MySQL database created by Postfix Admin:
# Database driver: mysql, pgsql, sqlite
driver = mysql

# Examples:
#   connect = host=192.168.1.1 dbname=users
#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
#   connect = /etc/dovecot/authdb.sqlite
#
# host=localhost means the MySQL Unix socket; user and password are the
# account granted in MySQL and configured in Postfix Admin.
connect = host=localhost dbname=mail user=mail password=mailpassword

# Default password scheme.
#
# List of supported schemes is in
# http://wiki2.dovecot.org/Authentication/PasswordSchemes
#
# Must agree with $CONF['encrypt'] in Postfix Admin: md5crypt there is
# MD5-CRYPT here.
default_pass_scheme = MD5-CRYPT

# Define the query to obtain a user password. The userdb_* fields let the
# LDA skip a separate user lookup; 150 and 8 are the vmail uid and mail gid.
password_query = \
  SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, \
  'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid \
  FROM mailbox WHERE username = '%u' AND active = '1'

# Define the query to obtain user information. quota_rule is the Dovecot 2
# form (the 1.x 'dirsize:storage=' form is ignored by Dovecot 2) and only
# takes effect if the quota plugin is enabled.
user_query = \
  SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, \
  150 AS uid, 8 AS gid, CONCAT('*:bytes=', quota) AS quota_rule \
  FROM mailbox WHERE username = '%u' AND active = '1'

Then change the controlling definitions in /etc/dovecot/conf.d/10-auth.conf such that Dovecot will read the SQL configuration files. While you are there, you should also make sure that plaintext authentication is disabled unless the connection is encrypted or local:
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
disable_plaintext_auth = yes

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login

##
## Password and user databases
##

#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
# Use the SQL database configuration rather than any of these others.
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

Next up, tell Dovecot where to put the virtual user mail directories. That requires the following changes in /etc/dovecot/conf.d/10-mail.conf:
# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
mail_location = maildir:/var/vmail/%d/%n

# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
mail_uid = vmail
mail_gid = mail

# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#
# Use the vmail user uid here.
first_valid_uid = 150
last_valid_uid = 150

If you are bringing your own SSL certificate to the party, you have to let Dovecot know about it by editing these lines in /etc/dovecot/conf.d/10-ssl.conf. If the issuer provided a CA certificate bundle, append it to the certificate file that ssl_cert points at, since Dovecot has no separate chain directive; ssl_ca is only for verifying client certificates and stays commented out here. The key file is read before Dovecot drops root, so keep it readable by root only:
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </path/to/mycert.pem
ssl_key = </path/to/mykey.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca = </path/to/ca.pem

Next, edit the service auth block in /etc/dovecot/conf.d/10-master.conf to add a listener inside the Postfix chroot, which Postfix will use for SMTP authentication:


service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = mail
  }

  # Listener for Postfix SMTP AUTH, placed inside the Postfix chroot so the
  # chrooted smtpd can reach it.
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    # Assuming the default Postfix user and group
    user = postfix
    group = postfix
  }

  # ...the rest of the service auth block is left as shipped...
}

You may have to explicitly set a postmaster address in /etc/dovecot/conf.d/15-lda.conf; if you see "Invalid settings: postmaster_address setting not given" showing up in the mail log, then this is the fix for that. Make sure that a suitable alias or mailbox exists for your chosen postmaster address:
# Address to use when sending rejection mails.
# Default is postmaster@<your domain>.
postmaster_address = postmaster@example.com

You'll want to change the ownership and permissions of the Dovecot configuration so that it is accessible to the dovecot and vmail users but to nobody else, since dovecot-sql.conf.ext now holds the database password:
chown -R vmail:dovecot /etc/dovecot
chmod -R o-rwx /etc/dovecot

A final note on Dovecot: it only creates a user's mail directory when mail is first delivered to that virtual user. So creating a user in Postfix Admin will not result in the immediate creation of a mail directory under /var/vmail, and that's just fine.

15) Configure Amavis, ClamAV, and SpamAssassin

Before configuring Postfix, we may as well take a short detour into configuring the spam and virus tools. Their default configuration is close to what most people will need, and tools like SpamAssassin auto-detect many of the optional additional packages you may have installed. If you have specialist needs or greater knowledge, you can of course spend a fair amount of time here crafting intricate rules. For the casual user, this is a quick and straightforward process, however. Note that here we are putting off the portions relating to integration with Postfix, e.g. additions to the master.cf file, until the Postfix section of this post. First add the Amavis and ClamAV users to one another's groups so that each can read the other's files:
adduser clamav amavis
adduser amavis clamav

Then turn on Amavis by editing /etc/amavis/conf.d/15-content_filter_mode - the software is disabled by default, so uncomment the @bypass... lines:
use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Please note, that anti-virus checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

#
# Default SPAM checking mode
# Please note, that anti-spam checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # ensure a defined return

Now enable SpamAssassin by editing these lines in /etc/default/spamassassin:


# Change to one to enable spamd
ENABLED=1

# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=1

You will have to restart these processes to pick up the new configuration:
service amavis restart
service spamassassin restart

16) Configure Postfix

Postfix handles incoming mail via the SMTP protocol, and its configuration files have to be set up to allow it to integrate with the various other packages we have installed so far. At a high level, we want Postfix to hand off incoming mail to the spam and virus checkers before passing it on to Dovecot for delivery, and to authenticate virtual users who are connecting over SMTP in order to send mail. Firstly create files describing for Postfix where to find information on users and domains. Note that the "hosts" directive in these files must be exactly the same as the "bind-address" in /etc/mysql/my.cnf. If one side says "localhost" and the other side says "127.0.0.1" then you may find that Postfix cannot connect to MySQL - strange but true. Here are the needed Postfix files: /etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
query = SELECT goto FROM alias,alias_domain
  WHERE alias_domain.alias_domain = '%d'
  AND alias.address=concat('%u', '@', alias_domain.target_domain)
  AND alias.active = 1

/etc/postfix/mysql_virtual_alias_maps.cf
user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'

/etc/postfix/mysql_virtual_domains_maps.cf
user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'

/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
query = SELECT maildir FROM mailbox, alias_domain
  WHERE alias_domain.alias_domain = '%d'
  AND mailbox.username=concat('%u', '@', alias_domain.target_domain )
  AND mailbox.active = 1

/etc/postfix/mysql_virtual_mailbox_maps.cf
user = mail
password = mailpassword
hosts = 127.0.0.1
dbname = mail
table = mailbox
select_field = CONCAT(domain, '/', local_part)
where_field = username
additional_conditions = and active = '1'
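The two map-file styles above (table/select_field/where_field versus an explicit query) both end up as a SELECT in which Postfix substitutes the looked-up address: %s is the whole address, %u the local part and %d the domain. The following added example (my code, not from the original post or from Postfix) parses both styles, performs that substitution, and runs the resulting SQL against a constructed in-memory SQLite copy of the Postfix Admin tables, so you can see exactly what a lookup for a domain alias or a mailbox returns before pointing Postfix at the real MySQL database. The schema and rows are a minimal constructed sample; real Postfix escapes values with the MySQL client library, which this approximates by doubling single quotes.

```python
import re
import sqlite3

# Constructed copies of two of the map files above (credentials omitted).
MAILBOX_MAPS_CF = """\
table = mailbox
select_field = CONCAT(domain, '/', local_part)
where_field = username
additional_conditions = and active = '1'
"""

DOMAINS_MAPS_CF = """\
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
"""

ALIAS_DOMAINALIASES_CF = """\
query = SELECT goto FROM alias,alias_domain
  WHERE alias_domain.alias_domain = '%d'
  AND alias.address=concat('%u', '@', alias_domain.target_domain)
  AND alias.active = 1
"""


def parse_cf(text):
    """Parse a mysql_table(5) file into a dict; indented lines continue the
    previous value, the same convention main.cf uses."""
    cf, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:
            cf[key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        cf[key] = value.strip()
    return cf


def query_template(cf):
    """Return the SQL Postfix builds before substituting the lookup key."""
    if "query" in cf:
        return cf["query"]
    return "SELECT {sel} FROM {tbl} WHERE {where} = '%s' {extra}".format(
        sel=cf["select_field"], tbl=cf["table"], where=cf["where_field"],
        extra=cf.get("additional_conditions", "")).strip()


def expand(template, key):
    """Substitute %s/%u/%d/%% as mysql_table(5) describes; %d with no domain
    part means Postfix skips the query, modelled here as LookupError."""
    local, at, domain = key.rpartition("@")
    if not at:
        local, domain = key, None

    def repl(m):
        c = m.group(1)
        if c == "%":
            return "%"
        if c == "s":
            val = key
        elif c == "u":
            val = local
        else:
            if domain is None:
                raise LookupError("key has no domain part")
            val = domain
        return val.replace("'", "''")  # assumption: quote-doubling as escaping
    return re.sub(r"%([sud%])", repl, template)


def lookup(conn, cf, key):
    """Run the expanded query and return the first column of each row."""
    try:
        sql = expand(query_template(cf), key)
    except LookupError:
        return []
    return [row[0] for row in conn.execute(sql)]


def sample_db():
    """Constructed subset of the Postfix Admin schema with a few rows."""
    conn = sqlite3.connect(":memory:")
    # SQLite lacks CONCAT(); register one so the page's queries run unchanged.
    conn.create_function("concat", -1, lambda *a: "".join(str(x) for x in a))
    conn.executescript("""
      CREATE TABLE domain(domain TEXT, backupmx INTEGER, active INTEGER);
      CREATE TABLE mailbox(username TEXT, domain TEXT, local_part TEXT,
                           maildir TEXT, active INTEGER);
      CREATE TABLE alias(address TEXT, goto TEXT, active INTEGER);
      CREATE TABLE alias_domain(alias_domain TEXT, target_domain TEXT, active INTEGER);
      INSERT INTO domain VALUES ('example.com', 0, 1), ('old.example', 0, 0);
      INSERT INTO mailbox VALUES ('bob@example.com', 'example.com', 'bob',
                                  'example.com/bob/', 1);
      INSERT INTO alias VALUES ('bob@example.com', 'bob@example.com', 1),
                              ('postmaster@example.com', 'bob@example.com', 1);
      INSERT INTO alias_domain VALUES ('example.net', 'example.com', 1);
    """)
    return conn


if __name__ == "__main__":
    db = sample_db()
    for cf, key in ((MAILBOX_MAPS_CF, "bob@example.com"),
                    (DOMAINS_MAPS_CF, "old.example"),
                    (ALIAS_DOMAINALIASES_CF, "postmaster@example.net")):
        print(expand(query_template(parse_cf(cf)), key), "->",
              lookup(db, parse_cf(cf), key))
```

The inactive domain returns nothing because additional_conditions carries the active flag into the WHERE clause; a domain-alias lookup for postmaster@example.net resolves through alias_domain to the real alias on example.com. The same substitution rules apply when you test a real map with `postmap -q address mysql:/etc/postfix/file.cf`.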

Now create the file /etc/postfix/header_checks, which will contain some directives to remove certain headers when relaying mail. This improves privacy for the sending users by such things as stripping the original IP address and mail software identifiers, for example. This file will be referenced in the main Postfix configuration:
/^Received:/            IGNORE
/^User-Agent:/          IGNORE
/^X-Mailer:/            IGNORE
/^X-Originating-IP:/    IGNORE
/^x-cr-[a-z]*:/         IGNORE
/^Thread-Index:/        IGNORE
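To see which headers that table actually removes from a message, here is an added example (my code, not part of the original post or of Postfix) that parses the header_checks lines above and applies them to a constructed set of message headers. It models the two rules that matter here: Postfix regexp tables match case-insensitively unless a pattern carries the i flag, and the first matching rule for a header decides its fate.

```python
import re

# Constructed copy of the header_checks table above.
HEADER_CHECKS = """\
/^Received:/            IGNORE
/^User-Agent:/          IGNORE
/^X-Mailer:/            IGNORE
/^X-Originating-IP:/    IGNORE
/^x-cr-[a-z]*:/         IGNORE
/^Thread-Index:/        IGNORE
"""

# Constructed sample headers of an outbound message as a mail client submits it.
SAMPLE_HEADERS = [
    "Received: from [192.0.2.10] (client.example.net [192.0.2.10]) by mail.example.com",
    "X-Originating-IP: [192.0.2.10]",
    "User-Agent: Thunderbird/12.0",
    "From: alice@example.com",
    "To: bob@example.net",
    "Subject: hello",
    "Date: Tue, 15 May 2012 10:00:00 +0000",
    "Message-ID: <constructed-1@example.com>",
    "X-CR-HashedPuzzle: constructed",
]

# /pattern/flags ACTION, as regexp_table(5) describes it.
RULE_RE = re.compile(r"^/(?P<pattern>(?:\\/|[^/])*)/(?P<flags>[A-Za-z!]*)\s+(?P<action>\S+)")


def parse_rules(text):
    """Return [(compiled_regex, action)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable header_checks line: " + line)
        # The i flag toggles case sensitivity; the default is insensitive.
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        pattern = m.group("pattern").replace(r"\/", "/")
        rules.append((re.compile(pattern, flags), m.group("action")))
    return rules


def filter_headers(rules, headers):
    """Apply the table to a list of 'Name: value' lines; returns (kept, removed).
    Only IGNORE is modelled; any other action leaves the header in place."""
    kept, removed = [], []
    for h in headers:
        for regex, action in rules:
            if regex.search(h):
                (removed if action == "IGNORE" else kept).append(h)
                break
        else:
            kept.append(h)
    return kept, removed


def removed_header_names(rules_text=HEADER_CHECKS, headers=SAMPLE_HEADERS):
    """Convenience wrapper: names of the headers the table would strip."""
    _, removed = filter_headers(parse_rules(rules_text), headers)
    return [h.split(":", 1)[0] for h in removed]


if __name__ == "__main__":
    kept, removed = filter_headers(parse_rules(HEADER_CHECKS), SAMPLE_HEADERS)
    print("removed:", [h.split(":", 1)[0] for h in removed])
    print("kept:   ", [h.split(":", 1)[0] for h in kept])
```

Note that X-CR-HashedPuzzle is caught by the lower-case pattern /^x-cr-[a-z]*:/ only because matching is case-insensitive by default; a pattern written with the i flag would let it through. Postfix's own check is `postmap -q "User-Agent: test" regexp:/etc/postfix/header_checks`, which prints IGNORE for a hit.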

The following is the complete main Postfix configuration file at /etc/postfix/main.cf, which contains a fair number of complex choices and options on how mail is relayed and how SMTP behaves. It is far beyond the scope of this post to explain each and every choice of best practice or configuration parameter in detail. I strongly suggest that you spend some time reading up on Postfix configuration, as this is where it is easy to fall down and produce a suboptimal or faulty mailserver.
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# The first text sent to a connecting process.
smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no

# SASL parameters
# -------------------------------

# Use Dovecot to authenticate.
smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes

# TLS parameters
# --------------------------------

# Replace this with your SSL certificate path if you are using one.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
# The snakeoil self-signed certificate has no need for a CA file. But
# if you are using your own SSL certificate, then you probably have
# a CA certificate bundle from your provider. The path to that goes
# here.
#smtpd_tls_CAfile=/path/to/ca/file

smtp_use_tls=yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
#smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

# SMTPD parameters
# -------------------------------

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# will it be a permanent error or temporary
unknown_local_recipient_reject_code = 450

# how long to keep message on queue before return as failed.
# some have 3 days, I have 16 days as I am backup server for some people
# whom go on holiday with their server switched off.
maximal_queue_lifetime = 7d

# max and min time in seconds between retries if connection failed
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s

# how long to wait when servers connect before receiving rest of data
smtp_helo_timeout = 60s

# how many address can be used in one message.
# effective stopper to mass spammers, accidental copy in whole address list
# but may restrict intentional mail shots.
smtpd_recipient_limit = 16

# how many error before back off.
smtpd_soft_error_limit = 3

# how many max errors before blocking it.
smtpd_hard_error_limit = 12

# This next set are important for determining who can send mail and relay mail
# to other servers. It is very important to get this right - accidentally producing
# an open relay that allows unauthenticated sending of mail is a Very Bad Thing.
#
# You are encouraged to read up on what exactly each of these options accomplish.

# Requirements for the HELO statement
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit

# Requirements for the sender details
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit

# Requirements for the connecting server
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org

# Requirement for the recipient address. Note that the entry for
# "check_policy_service inet:127.0.0.1:10023" enables Postgrey.
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
smtpd_data_restrictions = reject_unauth_pipelining

# require proper helo at connections
smtpd_helo_required = yes

# waste spammers time before rejecting them
smtpd_delay_reject = yes
disable_vrfy_command = yes

# General host and delivery info
# --------------------------------

myhostname = mail.example.com
myorigin = /etc/hostname

# Some people see issues when setting mydestination explicitly to the server
# subdomain, while leaving it empty generally doesn't hurt. So it is left empty here.
#mydestination = mail.example.com, localhost
mydestination =

# If you have a separate web server that sends outgoing mail through this
# mailserver, you may want to add its IP address to the space-delimited list in
# mynetworks, e.g. as 111.222.333.444/32
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mynetworks_style = host

# This specifies where the virtual mailbox folders will be located.
virtual_mailbox_base = /var/vmail

# This is for the mailbox location for each user. The domainaliases
# map allows us to make use of Postfix Admin's domain alias feature.
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf

# and their user id
virtual_uid_maps = static:150

# and group id
virtual_gid_maps = static:8

# This is for aliases. The domainaliases map allows us to make
# use of Postfix Admin's domain alias feature.
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf

# This is for domain lookups.
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf

# Integration with other packages
# -------------------------------------

# Tell postfix to hand off mail to the definition for dovecot in master.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

# Use amavis for virus and spam scanning
content_filter = amavis:[127.0.0.1]:10024

# Header manipulation
# ------------------------------------

# Getting rid of unwanted headers. See: https://posluns.com/guides/header-removal/
header_checks = regexp:/etc/postfix/header_checks

# getting rid of x-original-to
enable_original_recipient = no
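The smtpd_recipient_restrictions list is the line that decides whether this server is an open relay, and its behaviour depends on order: Postfix evaluates the restrictions left to right and the first one with an opinion wins. The added example below (my code, not from the original post or from Postfix) is a small model of that evaluation for the list in main.cf above, with constructed stand-ins for the local domain list, DNS, and a Postgrey-style greylist, plus a self-check that confirms an unauthenticated outside client cannot relay to a foreign domain. Dropping reject_unauth_destination from the list makes the self-check fail, which is exactly the misconfiguration the comments in main.cf warn about.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for what Postfix would learn from its maps and DNS.
LOCAL_DOMAINS = {"example.com"}                                 # virtual_mailbox_domains
KNOWN_DOMAINS = {"example.com", "example.net", "example.org"}   # resolvable in DNS

# The smtpd_recipient_restrictions list from main.cf above, in order.
PAGE_RESTRICTIONS = [
    "reject_unauth_pipelining",
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_non_fqdn_recipient",
    "reject_unknown_recipient_domain",
    "reject_unauth_destination",
    "check_policy_service inet:127.0.0.1:10023",
    "permit",
]


@dataclass
class Session:
    """What smtpd knows about one RCPT TO command."""
    client_ip: str
    sender: str
    recipient: str
    sasl_authenticated: bool = False
    pipelining: bool = False


@dataclass
class RecipientPolicy:
    restrictions: list
    mynetworks: set = field(default_factory=lambda: {"127.0.0.1"})
    greylist: set = field(default_factory=set)  # seen (client, sender, recipient)

    def evaluate(self, s):
        """First restriction with an opinion wins; an exhausted list permits."""
        domain = s.recipient.rpartition("@")[2]
        for r in self.restrictions:
            if r == "reject_unauth_pipelining":
                if s.pipelining:
                    return "REJECT 503 improper command pipelining"
            elif r == "permit_mynetworks":
                if s.client_ip in self.mynetworks:
                    return "OK"
            elif r == "permit_sasl_authenticated":
                if s.sasl_authenticated:
                    return "OK"
            elif r == "reject_non_fqdn_recipient":
                if "." not in domain:
                    return "REJECT 504 recipient address not fully qualified"
            elif r == "reject_unknown_recipient_domain":
                if domain not in KNOWN_DOMAINS:
                    return "REJECT 450 recipient domain not found"
            elif r == "reject_unauth_destination":
                if domain not in LOCAL_DOMAINS:
                    return "REJECT 554 relay access denied"
            elif r.startswith("check_policy_service"):
                # Simplified greylist: defer the first delivery attempt for a
                # new (client, sender, recipient) triplet, accept the retry.
                triplet = (s.client_ip, s.sender, s.recipient)
                if triplet not in self.greylist:
                    self.greylist.add(triplet)
                    return "DEFER 450 greylisted, try again later"
            elif r == "permit":
                return "OK"
            else:
                raise ValueError("restriction not modelled: " + r)
        return "OK"


def allows_open_relay(policy):
    """Self-check: an unauthenticated client outside mynetworks sending to a
    foreign domain must be rejected, even after it retries past greylisting."""
    s = Session("203.0.113.5", "someone@example.net", "someone@example.org")
    verdict = policy.evaluate(s)
    if verdict.startswith("DEFER"):
        verdict = policy.evaluate(s)
    return verdict == "OK"


if __name__ == "__main__":
    policy = RecipientPolicy(list(PAGE_RESTRICTIONS))
    inbound = Session("192.0.2.8", "a@example.net", "bob@example.com")
    print("inbound, first try :", policy.evaluate(inbound))
    print("inbound, retry     :", policy.evaluate(inbound))
    print("relay attempt      :", policy.evaluate(
        Session("203.0.113.5", "a@example.net", "c@example.org")))
    print("authenticated user :", policy.evaluate(
        Session("203.0.113.5", "bob@example.com", "c@example.org", sasl_authenticated=True)))
    print("page list open relay?", allows_open_relay(RecipientPolicy(list(PAGE_RESTRICTIONS))))
    weak = [r for r in PAGE_RESTRICTIONS if r != "reject_unauth_destination"]
    print("without reject_unauth_destination:", allows_open_relay(RecipientPolicy(weak)))
```

The model shows why permit_sasl_authenticated must come before reject_unauth_destination (authenticated users may send anywhere) and why reject_unauth_destination must come before the greylisting policy service and the final permit. Against a live server the equivalent check is to watch for "554 5.7.1 Relay access denied" in /var/log/mail.log when an outside host tries to send to a non-local recipient.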

To be clear, if you are using a purchased SSL certificate - and have a CA certificate bundle from the issuer - then you will have to alter these lines in /etc/postfix/main.cf:
# Replace this with your SSL certificate path if you are using one.
smtpd_tls_cert_file=/path/to/mycert.pem
smtpd_tls_key_file=/path/to/mykey.key
# The snakeoil self-signed certificate has no need for a CA file. But
# if you are using your own SSL certificate, then you probably have
# a CA certificate bundle from your provider. The path to that goes
# here.
#smtpd_tls_CAfile=/path/to/ca/file

You must also add some material to /etc/postfix/master.cf, and here is the entire file for clarity, including much of the default material from the package install - such as commented options:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
#
# The next two entries integrate with Amavis for anti-virus/spam checks.
#
amavis      unix  -       -       -       -       2  smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet  n  -       -       -       -  smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
#
# Integration with Dovecot - hand mail over to it for local delivery, and
# run the process under the vmail user and mail group.
#
dovecot      unix   -        n      n       -       -   pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/dovecot-lda -d $(recipient)

Note that Amavis is restricted to two processes, which should be fine for most casual to moderate use. The processes are memory-heavy, so start low and add more only if you need to due to volume of mail - see the notes in this guide for pointers on how to do that.

17) Restart Everything, and Test the Server

Restart all the necessary processes to pick up configuration changes:
service postfix restart
service spamassassin restart
service clamav-daemon restart
service amavis restart
service dovecot restart
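While testing, /var/log/mail.log is where the interplay of Postfix, Postgrey, Amavis and Dovecot becomes visible. The added example below (my code, not from the original post or from any of those packages) summarises a set of constructed sample lines in the formats Postfix 2.9, amavisd-new and Dovecot 2.0 write on Ubuntu 12.04: rejections by SMTP code and reason (relay denials and greylisting among them), Amavis verdicts, successful IMAP logins, and failed SMTP-AUTH and IMAP authentications by client address. The log lines are constructed samples, and the exact wording of real entries varies with version and settings, so treat the patterns as a starting point to adjust against your own log.

```python
import re
from collections import Counter

# Constructed sample of /var/log/mail.log; not a real log.
SAMPLE_LOG = """\
May 15 10:01:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <someone@example.org>: Relay access denied; from=<a@example.net> to=<someone@example.org> proto=ESMTP helo=<mx>
May 15 10:01:05 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from mx.example.net[192.0.2.8]: 450 4.2.0 <bob@example.com>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.com.html; from=<a@example.net> to=<bob@example.com> proto=ESMTP helo=<mx.example.net>
May 15 10:02:10 mail postfix/smtpd[1240]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 15 10:02:12 mail postfix/smtpd[1240]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 15 10:03:00 mail amavis[2222]: (02222-01) Passed CLEAN {RelayedInbound}, [192.0.2.8]:41234 [192.0.2.8] <a@example.net> -> <bob@example.com>, Message-ID: <1@example.net>, mail_id: abcd1234, Hits: -0.1, size: 1234, queued_as: 0ABCD, 2345 ms
May 15 10:03:30 mail amavis[2223]: (02223-01) Blocked SPAM {DiscardedInbound}, [198.51.100.22]:5555 [198.51.100.22] <x@example.net> -> <bob@example.com>, Message-ID: <2@example.net>, mail_id: efgh5678, Hits: 12.3, size: 4321, 1200 ms
May 15 10:04:00 mail dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.4, lip=10.0.0.5, TLS
May 15 10:04:10 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<bob@example.com>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.5, TLS
May 15 10:05:00 mail dovecot: lda(bob@example.com): msgid=<1@example.net>: saved mail to INBOX
"""

SMTPD_REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ <[^>]*>: (?P<reason>[^;,]+)")
SASL_FAILURE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed")
AMAVIS_VERDICT = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) (?P<kind>\S+) ")
DOVECOT_LOGIN = re.compile(
    r"dovecot: (?:imap|pop3)-login: Login: user=<(?P<user>[^>]*)>.*rip=(?P<ip>[^,]+),")
DOVECOT_AUTH_FAIL = re.compile(
    r"dovecot: (?:imap|pop3)-login: Disconnected \(auth failed, (?P<n>\d+) attempts\): "
    r"user=<(?P<user>[^>]*)>.*rip=(?P<ip>[^,]+),")


def summarize(lines):
    """Tally the events of interest from an iterable of mail.log lines."""
    s = {
        "smtpd_rejects": Counter(),          # "<code> <reason>" -> count
        "amavis": Counter(),                 # "Passed CLEAN", "Blocked SPAM", ...
        "logins": Counter(),                 # user -> successful IMAP/POP logins
        "smtp_auth_failures_by_ip": Counter(),
        "imap_auth_failures_by_ip": Counter(),
    }
    for line in lines:
        if m := SMTPD_REJECT.search(line):
            s["smtpd_rejects"][m["code"] + " " + m["reason"].strip()] += 1
        elif m := SASL_FAILURE.search(line):
            s["smtp_auth_failures_by_ip"][m["ip"]] += 1
        elif m := AMAVIS_VERDICT.search(line):
            s["amavis"][m["verdict"] + " " + m["kind"]] += 1
        elif m := DOVECOT_LOGIN.search(line):
            s["logins"][m["user"]] += 1
        elif m := DOVECOT_AUTH_FAIL.search(line):
            s["imap_auth_failures_by_ip"][m["ip"]] += int(m["n"])
    return s


def noisy_clients(summary, threshold=3):
    """Client addresses whose combined SMTP-AUTH and IMAP failures reach the
    threshold: the first thing to look at after an open-to-the-world restart."""
    combined = summary["smtp_auth_failures_by_ip"] + summary["imap_auth_failures_by_ip"]
    return sorted(ip for ip, n in combined.items() if n >= threshold)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for key, counter in result.items():
        print(key, dict(counter))
    print("noisy clients:", noisy_clients(result))
```

On a real server, run it over `tail -n 1000 /var/log/mail.log` rather than the sample: a count of "554 Relay access denied" is healthy (the server refused to relay), while a sudden rise in authentication failures from one address is the signal the section above tells you to watch for.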

Now start testing! Keep an eye on /var/log/mail.err and /var/log/mail.log for error messages and try logging in to POP and IMAP, sending mail to an account created on the server, and sending mail from the server. If you find issues, then Google is your friend when it comes to searching on specific error messages in order to identify where the configuration is wrong, or when something unexpected crops up.

18) AWS Mail Restrictions and Reverse DNS Lookup

Once configured, with IP address set and DNS records set up, you'll need to have a reverse DNS lookup put in place for your server, and the AWS outgoing mail restrictions lifted. You do that through the standard customer service form. This doesn't take long, and it can actually happen earlier in the process if necessary, prior to the server completion.

19) Install Horde 4 for Webmail

Horde 4 is a groupware framework that includes applications focused on webmail. Putting it in place is a mix of apt-get and PECL / Pear package installations, much of which I lifted from the Ubuntu guide and then adapted to this server setup. The first step is to install as many of the needed packages as possible through apt-get:
apt-get install php5-dev php5-sasl php-pear php5-tidy php5-imagick
apt-get install php5-geoip libgeoip1 geoip-bin geoip-database
apt-get install php-xml-serializer php5-memcache php-soap php5-intl
apt-get install libidn11-dev libmagickwand-dev libmagick++4 imagemagick
apt-get install libsasl2-dev libssh2-php libphp-jpgraph php-http-webdav-server

Next update the PECL and Pear package managers and install the remaining required packages:
pecl channel-update pecl.php.net
pear channel-update pear.php.net
pecl install lzf
pear install -alldeps channel://pear.php.net/Date_Holidays-0.21.5
pear install -alldeps channel://pear.php.net/Date_Holidays_UNO-0.1.3
pear install -alldeps channel://pear.php.net/Date_Holidays_USA-0.1.1
pear install -al

ldeps channel://pear.php.net/Numbers_Words-0.16.2
pear install -alldeps channel://pear.php.net/Text_CAPTCHA-0.4.3

Next up is installing the Horde components, which might take a while. Before starting in on the long series of Pear channel installs, this step will prompt for the "Filesystem location for the base Horde application" - enter the full path to your webroot without a trailing slash, i.e. /var/www:
pear channel-discover pear.horde.org
pear install horde/Horde_Role
pear run-scripts horde/Horde_Role
pear install -a -B horde/webmail

At this point it is a good idea to make sure that all of your PHP extensions are in fact enabled. Some may not be; the following commands ensure that the configuration files that were missing in my installation trial run are created, and then restart Apache to pick them up:
echo "extension=memcache.so" > /etc/php5/conf.d/memcache.ini
echo "extension=lzf.so" > /etc/php5/conf.d/lzf.ini
service apache2 restart

The Horde application will now be sitting in your webroot, but owned by root. So change the ownership to the Apache user:
chown -R www-data:www-data /var/www

The installation will have overwritten /var/www/.htaccess, so edit that file to reinstate your mod_rewrite rule that redirects all traffic to HTTPS. It will look much like this:
allow from all

RewriteEngine on
# Add the redirect to HTTPS rule.
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*) https://mail.example.com/$1 [L]
# This is the default Horde rule.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ rampage.php [QSA,L]

Once Horde is running it is completely open to the world in order to allow initial configuration. So first lock it down to be accessible from your IP address only - at least until you have an administrator and authentication set up. Do that by making this change to the /var/www/.htaccess file - in the example below replace 10.10.10.10 with the IP address you are using:
#allow from all
# Remove this block when done
Order deny,allow
deny from all
allow from 10.10.10.10
allow from 127.0.0.1

You can check to see that all of the required and/or desired PHP extensions are installed and working by visiting http://mail.example.com/test.php in your browser. It will provide a list of what is and is not presently installed. This guide leaves out LDAP and PAM support in PHP, for example, as they are not needed here. Now log in to MySQL as root:
mysql -uroot -p

You will need to create a MySQL database for Horde:


create database horde;
grant all on horde.* to 'horde'@'localhost' identified by 'hordepassword';

20) Initial Configuration for Horde Webmail

Horde 4 is complex, and an exploration of all of the configuration possibilities and the rationale behind them is somewhat beyond the scope of this guide. What follows is the bare minimum needed to get up, running, and secure. Bear in mind that many more options exist, as there are a lot of configuration pages to wade through in the administration interface. There are also other components of the Horde framework that can add in yet more capabilities to your webmail application when installed. But first things first: if you want admins specified in the Horde configuration to receive alarm mails, you must add the following crontab entry - once every five minutes is a fair setting. See the Ubuntu crontab help document for instructions on how to add crontab entries.
# Horde Alarms
*/5 * * * * /usr/bin/horde-alarms

An important note: configuration in Horde works by creating or updating PHP configuration files whenever an administrator changes configuration options in the web interface. You can take a shortcut by putting prefilled configuration files in place, as is shown below. This is a fragile shortcut, however, as software changes - this may be broken for later versions of Horde than that used for this post. If this fails for you, remove the configuration files, and go back to the manual setup process described in the Horde documentation. Now create a configuration file at /var/www/config/conf.php and fill it with the contents below. This will achieve the following goals: Disable the http://mail.example.com/test.php page. Set the database connection information. Use the local IMAP server for user authentication. Establish admin@example.com as the administrator. You should of course replace this with your chosen administrator virtual mail account. Make Horde cache CSS and Javascript in the filesystem and use Memcached for general caching. Put in some common sense settings for some of the other needed odds and ends - too many to note here individually.
<?php
$conf['vhosts'] = false;
$conf['debug_level'] = E_ALL & ~E_NOTICE;
$conf['max_exec_time'] = 0;
$conf['compress_pages'] = true;
$conf['umask'] = 077;
// Disable the test page.
$conf['testdisable'] = true;
$conf['use_ssl'] = 2;
$conf['server']['name'] = $_SERVER['SERVER_NAME'];
$conf['urls']['token_lifetime'] = 30;
$conf['urls']['hmac_lifetime'] = 30;
$conf['urls']['pretty'] = false;
$conf['safe_ips'] = array();
$conf['session']['name'] = 'Horde';
$conf['session']['use_only_cookies'] = true;
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['timeout'] = 0;
$conf['cookie']['domain'] = $_SERVER['SERVER_NAME'];
$conf['cookie']['path'] = '/';
$conf['sql']['persistent'] = true;
// Make sure that these match your Horde database user information.
$conf['sql']['username'] = 'horde';
$conf['sql']['password'] = 'hordepassword';
$conf['sql']['protocol'] = 'unix';
$conf['sql']['database'] = 'horde';
$conf['sql']['charset'] = 'utf-8';
$conf['sql']['ssl'] = false;
$conf['sql']['splitread'] = false;
$conf['sql']['phptype'] = 'mysql';
$conf['ldap']['useldap'] = false;
// This is the virtual mail user that will be the Horde administrator.
$conf['auth']['admins'] = array('admin@example.com');
// Authentication for Horde login runs through the local IMAP server,
// and that process is controlled by the imp component.
$conf['auth']['checkip'] = true;
$conf['auth']['checkbrowser'] = true;
$conf['auth']['resetpassword'] = true;
$conf['auth']['alternate_login'] = false;
$conf['auth']['redirect_on_logout'] = false;
$conf['auth']['list_users'] = 'input';
$conf['auth']['params']['app'] = 'imp';
$conf['auth']['driver'] = 'application';
$conf['auth']['params']['count_bad_logins'] = false;
$conf['auth']['params']['login_block'] = false;
$conf['auth']['params']['login_block_count'] = 5;
$conf['auth']['params']['login_block_time'] = 5;
$conf['signup']['allow'] = false;
$conf['log']['priority'] = 'INFO';
$conf['log']['ident'] = 'HORDE';
$conf['log']['name'] = LOG_USER;
$conf['log']['type'] = 'syslog';
$conf['log']['enabled'] = true;
$conf['log_accesskeys'] = false;
$conf['prefs']['params']['driverconfig'] = 'horde';
$conf['prefs']['driver'] = 'Sql';
$conf['alarms']['params']['driverconfig'] = 'horde';
$conf['alarms']['params']['ttl'] = 300;
$conf['alarms']['driver'] = 'Sql';
$conf['datatree']['driver'] = 'null';
$conf['group']['driverconfig'] = 'horde';
$conf['group']['driver'] = 'Sql';
$conf['perms']['driverconfig'] = 'horde';
$conf['perms']['driver'] = 'Sql';
$conf['share']['no_sharing'] = false;
$conf['share']['auto_create'] = true;
$conf['share']['world'] = true;
$conf['share']['any_group'] = false;
$conf['share']['hidden'] = false;
$conf['share']['cache'] = false;
$conf['share']['driver'] = 'Sqlng';
// Caching configuration.
$conf['cache']['default_lifetime'] = 86400;
$conf['cache']['params']['prefix'] = 'horde_';
$conf['cache']['driver'] = 'Apc';
$conf['cache']['compress'] = true;
$conf['cache']['use_memorycache'] = '';
$conf['cachecssparams']['driver'] = 'filesystem';
$conf['cachecssparams']['lifetime'] = 86400;
$conf['cachecssparams']['compress'] = 'php';
$conf['cachecss'] = true;
$conf['cachejsparams']['driver'] = 'filesystem';
$conf['cachejsparams']['compress'] = 'php';
$conf['cachejsparams']['lifetime'] = 86400;
$conf['cachejs'] = true;
$conf['cachethemesparams']['check'] = 'appversion';
$conf['cachethemesparams']['lifetime'] = 604800;
$conf['cachethemes'] = true;
$conf['lock']['params']['driverconfig'] = 'horde';
$conf['lock']['driver'] = 'Sql';
$conf['token']['params']['driverconfig'] = 'horde';
$conf['token']['driver'] = 'Sql';
// Send Horde notification mails out through local SMTP, unauthorized.
$conf['mailer']['params']['auth'] = false;
$conf['mailer']['type'] = 'smtp';
$conf['mailformat']['brokenrfc2231'] = false;
$conf['vfs']['params']['driverconfig'] = 'horde';
$conf['vfs']['type'] = 'Sql';
// Use memcache for session handling.
$conf['sessionhandler']['params']['track'] = false;
$conf['sessionhandler']['type'] = 'Memcache';
$conf['sessionhandler']['memcache'] = true;
$conf['spell']['driver'] = '';
$conf['gnupg']['keyserver'] = array('pool.sks-keyservers.net');
$conf['gnupg']['timeout'] = 10;
$conf['nobase64_img'] = false;
$conf['image']['driver'] = 'Imagick';
$conf['exif']['driver'] = 'Bundled';
$conf['mime']['magic_db'] = '/usr/share/misc/magic';
// Replace these with your domain and email address for solver of user problems.
$conf['problems']['email'] = 'webmaster@example.com';
$conf['problems']['maildomain'] = 'example.com';
$conf['problems']['tickets'] = false;
$conf['problems']['attachments'] = true;
$conf['menu']['apps'] = array();
$conf['menu']['always'] = false;
$conf['menu']['links']['help'] = 'all';
$conf['menu']['links']['prefs'] = 'authenticated';
$conf['menu']['links']['problem'] = 'all';
$conf['menu']['links']['login'] = 'all';
$conf['menu']['links']['logout'] = 'authenticated';
$conf['portal']['fixed_blocks'] = array();
$conf['accounts']['driver'] = 'null';
$conf['user']['verify_from_addr'] = false;
$conf['user']['select_view'] = true;
$conf['facebook']['enabled'] = false;
$conf['twitter']['enabled'] = false;
$conf['urlshortener'] = false;
$conf['weather']['provider'] = false;
$conf['imsp']['enabled'] = false;
$conf['kolab']['enabled'] = false;
// Use memcache.
$conf['memcache']['hostspec'] = array('localhost');
$conf['memcache']['port'] = array('11211');
$conf['memcache']['weight'] = array();
$conf['memcache']['persistent'] = true;
$conf['memcache']['c_threshold'] = 0;
$conf['memcache']['compression'] = true;
$conf['memcache']['prefix'] = 'horde_';
$conf['memcache']['large_items'] = true;
$conf['memcache']['enabled'] = true;
$conf['activesync']['state']['params']['devicetable'] = 'horde_activesync_device';
$conf['activesync']['state']['params']['statetable'] = 'horde_activesync_state';
$conf['activesync']['state']['params']['maptable'] = 'horde_activesync_map';
$conf['activesync']['state']['params']['userstable'] = 'horde_activesync_device_users';
$conf['activesync']['logging']['type'] = 'horde';
$conf['activesync']['ping']['heartbeatmin'] = 60;
$conf['activesync']['ping']['heartbeatmax'] = 2700;
$conf['activesync']['ping']['heartbeatdefault'] = 480;
$conf['activesync']['ping']['deviceping'] = true;
$conf['activesync']['ping']['waitinterval'] = 5;
$conf['activesync']['securitypolicies']['provisioning'] = false;
$conf['activesync']['enabled'] = true;
// The end. No need for a PHP close tag.

Make sure that the file is owned by the web user:


chown www-data:www-data /var/www/config/conf.php

Now fire up your web browser and navigate to your server at http://mail.example.com/ to verify that you can log in as the configured administrative mail user. Once logged in you will probably see error notices complaining about missing database tables - this is fine. Before dealing with that, you must first regenerate the configuration file; follow the warning notices at Administration->Configuration to visit the main Horde configuration form pages and click on one of the "Generate Horde Configuration" buttons. This will rebuild the configuration file with the keys and comments that Horde likes to have in there. Next you will set up the database schema: return to Administration->Configuration and click the "Update DB Schemas" button at the top of the page. This may or may not correctly create schema for all of the installed components. Any that are missed due to errors or wrong ordering can be created individually by clicking on the "missing schema" warning notices for each component, or by clicking the "Update DB Schemas" button again. Now you can create the Mail (imp) component configuration file in much the same way as was done for the general Horde configuration file. Create the file /var/www/imp/config/conf.php and populate it with the PHP code below. This specifies a fairly limited user experience - inbox only, and sending and receiving mail with few frills.
<?php
$conf['user']['allow_folders'] = false;
$conf['user']['allow_view_source'] = true;
$conf['server']['server_list'] = 'none';
$conf['server']['fixed_folders'] = array();
$conf['msgsettings']['filtering']['words'] = './config/filter.txt';
$conf['msgsettings']['filtering']['replacement'] = '****';
$conf['spam']['reporting'] = false;
$conf['notspam']['reporting'] = false;
$conf['print']['add_printedby'] = false;
$conf['compose']['use_vfs'] = false;
$conf['compose']['link_attachments'] = false;
$conf['compose']['attach_size_limit'] = 0;
$conf['compose']['attach_count_limit'] = 0;
$conf['compose']['convert_to_related'] = true;
$conf['compose']['reply_limit'] = 200000;
$conf['compose']['ac_browser'] = 50;
$conf['compose']['ac_threshold'] = 3;
$conf['maillog']['use_maillog'] = true;
$conf['sentmail']['params']['threshold'] = 60;
$conf['sentmail']['params']['limit_period'] = 24;
$conf['sentmail']['params']['table'] = 'imp_sentmail';
$conf['sentmail']['params']['driverconfig'] = 'horde';
$conf['sentmail']['driver'] = 'Sql';
$conf['tasklist']['use_tasklist'] = true;
$conf['notepad']['use_notepad'] = true;
$conf['dimp']['viewport']['buffer_pages'] = 10;
$conf['dimp']['viewport']['viewport_wait'] = 10;
$conf['menu']['apps'] = array('ingo', 'mnemo', 'turba');
$conf['menu']['apps_iframe'] = false;
// The end. No need for a PHP close tag.

Next up is the Calendar (kronolith) configuration file. Create the file /var/www/kronolith/config/conf.php and populate it with the PHP code below. This is again a fairly limited configuration:
<?php
$conf['calendar']['params']['table'] = 'kronolith_events';
$conf['calendar']['params']['driverconfig'] = 'horde';
$conf['calendar']['params']['utc'] = true;
$conf['calendar']['driver'] = 'sql';
$conf['storage']['params']['table'] = 'kronolith_storage';
$conf['storage']['params']['driverconfig'] = 'horde';
$conf['storage']['driver'] = 'sql';
$conf['autoshare']['shareperms'] = 'none';
$conf['share']['notify'] = false;
$conf['holidays']['enable'] = true;
$conf['menu']['import_export'] = true;
$conf['menu']['apps'] = array('horde', 'imp', 'ingo', 'mnemo', 'turba');
$conf['menu']['apps_iframe'] = false;
$conf['maps']['driver'] = false;
// The end.  No need for a PHP close tag.

Make sure that these files are owned by the web user:
chown www-data:www-data /var/www/imp/config/conf.php
chown www-data:www-data /var/www/kronolith/config/conf.php

As before, you will have to regenerate these edited configuration files - do that in the same way as for the main Horde configuration file, by navigating to the configuration form pages for the Mail (imp) and Calendar (kronolith) components and saving the configuration in each. The other component configuration files can be auto-created for now. Navigate to Administration->Configuration and click the "Update All Configurations" button at the top of the page. That will create the remaining configuration files and populate them with default values. Now that Horde is configured to allow login through IMAP, you can remove the temporary IP address restrictions in /var/www/.htaccess and restore this line:
allow from all

21) Further Configuration for Horde 4 Webmail

The more usual setup methodology for Horde (as opposed to directly manipulating configuration files) is to walk through the administrative settings pages to set the various values interactively. Directly manipulating the configuration files is a somewhat faster process, however. But now you should wander the administrative interface and tinker with the settings to produce the desired user experience. I should note that unless you know exactly where you are going with that, it might take a while: there is a great deal to explore.

22) Install and Set up Monit for Monitoring

Monit is a very useful monitoring tool that helps rescue your server from failed processes. Install it through apt-get:
apt-get install monit

The following are a set of fairly trivial instructions that set monit to watch over the important server processes - but without issuing notifications or doing much more than restarting on failure. Create the following files in the Monit configuration directory. In /etc/monit/conf.d/amavis:
check process amavisd with pidfile /var/run/amavis/amavisd.pid
  group mail
  start program = "/etc/init.d/amavis start"
  stop program = "/etc/init.d/amavis stop"
  if failed port 10024 protocol smtp then restart
  if 5 restarts within 5 cycles then timeout

In /etc/monit/conf.d/apache2:
check process apache2 with pidfile /var/run/apache2.pid
  group www
  start program = "/etc/init.d/apache2 start"
  stop program = "/etc/init.d/apache2 stop"
  if failed host localhost port 80 protocol http
    with timeout 10 seconds
    then restart
  if 5 restarts within 5 cycles then timeout

In /etc/monit/conf.d/dovecot:
check process dovecot with pidfile /var/run/dovecot/master.pid
  group mail
  start program = "/etc/init.d/dovecot start"
  stop program = "/etc/init.d/dovecot stop"
  if failed port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
  if 3 restarts within 5 cycles then timeout

In /etc/monit/conf.d/mysql:
check process mysqld with pidfile /var/run/mysqld/mysqld.pid
  group database
  start program = "/etc/init.d/mysql start"
  stop program = "/etc/init.d/mysql stop"
  if failed host localhost port 3306 protocol mysql then restart
  if 5 restarts within 5 cycles then timeout

In /etc/monit/conf.d/memcached:
check process memcached with pidfile /var/run/memcached.pid
  group www
  start program = "/etc/init.d/memcached start"
  stop program = "/etc/init.d/memcached stop"
  if failed host localhost port 11211 then restart
  if 5 restarts within 5 cycles then timeout

In /etc/monit/conf.d/postfix:
check process postfix with pidfile /var/spool/postfix/pid/master.pid
  group mail
  start program = "/etc/init.d/postfix start"
  stop program = "/etc/init.d/postfix stop"
  if failed port 25 protocol smtp then restart
  if 5 restarts within 5 cycles then timeout

In /etc/monit/conf.d/spamassassin:
check process spamassassin with pidfile /var/run/spamd.pid
  group mail
  start program = "/etc/init.d/spamassassin start"
  stop program = "/etc/init.d/spamassassin stop"
  if 5 restarts within 5 cycles then timeout

In /etc/monit/conf.d/sshd:
check process sshd with pidfile /var/run/sshd.pid
  start program "/etc/init.d/ssh start"
  stop program "/etc/init.d/ssh stop"
  if failed host 127.0.0.1 port 22 protocol ssh then restart
  if 5 restarts within 5 cycles then timeout

Then restart Monit to pick up the new orders:


service monit restart

Monit offers options for notifications, a web console, restarting on high load, logging activity, and many other amenities, so you may want to add more to this very basic configuration.

Notes on Serving Multiple Domains

You can create multiple domains in Postfix Admin if so desired, under Domain List -> New Domain. If you want to use this mail server for more than one domain, you must (a) add the domains in Postfix Admin, and (b) consider whether or not to create domain-specific configuration files for Horde. Additional domains added in Postfix Admin can be aliased to existing domains (under Virtual List -> Add Alias Domain), such that address@example1.com is always forwarded to address@example2.com, or they can stand as distinct domains with their own accounts, forwards, and so forth. Depending on your use case, you might also want to adjust some of the .htaccess rules to support users accessing the site at mail.example1.com, mail.example2.com, and so forth, such as expanding the redirect to SSL to recognize all of the domains used. Horde should work for multiple domains with just the one configuration file, but this may not be optimal for your usage. Try it and see. If not, then you will have to create parallel Horde configuration files for each domain you are using. See the Horde documentation for more on this, as well as the notes for $conf[vhosts] in the Horde configuration web interface.

Notes on Managing Quotas

If you've been following carefully, you'll note that nothing has been said so far on the matter of user disk space quotas - it was not an important goal for the work that prompted the creation of these instructions. As things stand the necessary fields for quota management exist in the MySQL database but are not used, as (a) the quota module isn't enabled by default in Dovecot, and (b) Postfix Admin is set not to use quotas by default.
So if you want to enable disk quotas, first alter the Postfix Admin quota configuration in /var/www/postfixadmin/config.inc.php:
// Quota
// When you want to enforce quota for your mailbox users set this to 'YES'.
$CONF['quota'] = 'YES';

// You can either use '1024000' or '1048576'
$CONF['quota_multiplier'] = '1024000';

// Optional:
// Show used quotas from Dovecot dictionary backend in virtual
// mailbox listing.
// See: DOCUMENTATION/DOVECOT.txt
//      http://wiki2.dovecot.org/Quota/Dict
//
$CONF['used_quotas'] = 'YES';

// if you use dovecot >= 1.2, set this to yes.
// Note about dovecot config: table "quota" is for 1.0 & 1.1,
// table "quota2" is for dovecot 1.2 and newer
$CONF['new_quota_table'] = 'YES';

Next, you will want to enable and configure the quota and imap_quota modules in Dovecot. The former manages quotas while the latter enables reporting on quotas via IMAP. You will want to look through the following documentation for instructions on how to do this:

Quota (Dovecot 2.*)
Quota Configuration (Dovecot 2.*)

These configuration changes will be made in 10-mail.conf and 90-quota.conf in the /etc/dovecot/conf.d folder.

Bypassing Spam and Virus Checks for Local Mail

If you're in the business of sending out newsletters or frequent updates from local software where you completely control the content in those emails, then you probably don't want to run spam and virus checks for those items. It's a pointless use of server processing cycles, and a newsletter run can hammer the server if you are making it process the full range of checks on each and every one of those mails. To have amavisd-new skip the checks for mail originating from a known set of IP addresses (e.g. locally, from a web application on another server, etc), edit /etc/amavis/conf.d/50-user as follows:
use strict;

#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#
# Replace 111.111.111.111/32 with your desired list of client IP address
# ranges which will bypass checks.
@mynetworks = qw( 127.0.0.0/8 [::1] 111.111.111.111/32 );

# Rules for clients defined in @mynetworks
$policy_bank{'MYNETS'} = {
  bypass_spam_checks_maps   => [1],  # don't spam-check internal mail
  bypass_banned_checks_maps => [1],  # don't banned-check internal mail
  bypass_header_checks_maps => [1],  # don't header-check internal mail
};

#------------ Do not modify anything below this line -------------
1;  # ensure a defined return
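
Because every address in @mynetworks skips spam, banned-file and header checks, the list is worth auditing before a restart. The following Python script is an added example, not part of the original post: it parses the @mynetworks line from a constructed sample of 50-user (using the same 111.111.111.111/32 placeholder), reports whether a given client address would land in the MYNETS policy bank, and flags any entry that is public address space covering more than a single host. Function names are the example's own; only the qw( ... ) form shown above is handled.

```python
import ipaddress
import re

# Constructed sample of the relevant lines from /etc/amavis/conf.d/50-user
# (same 111.111.111.111/32 placeholder as in the configuration above).
SAMPLE_50_USER = """
use strict;
@mynetworks = qw( 127.0.0.0/8 [::1] 111.111.111.111/32 );
$policy_bank{'MYNETS'} = { bypass_spam_checks_maps => [1] };
1;
"""

MYNETWORKS_RE = re.compile(r'@mynetworks\s*=\s*qw\(\s*(.*?)\s*\)', re.S)


def parse_mynetworks(text):
    """Return the networks listed in the @mynetworks = qw( ... ) statement."""
    match = MYNETWORKS_RE.search(text)
    if not match:
        return []
    nets = []
    for token in match.group(1).split():
        # amavisd-new writes IPv6 entries in brackets, e.g. [::1]
        nets.append(ipaddress.ip_network(token.strip('[]'), strict=False))
    return nets


def bypasses_checks(client_ip, nets):
    """True if mail from client_ip matches @mynetworks (and so gets MYNETS)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)  # version mismatch is simply False


def overly_broad(nets):
    """Entries that are public address space covering more than one host.

    Loopback and private ranges are expected here; a public range wider
    than one host means mail from machines you do not control is unfiltered.
    """
    return [net for net in nets
            if not (net.is_private or net.is_loopback) and net.num_addresses > 1]


if __name__ == "__main__":
    nets = parse_mynetworks(SAMPLE_50_USER)
    for client in ("127.0.0.1", "::1", "111.111.111.111", "111.111.111.112"):
        verdict = "bypasses checks" if bypasses_checks(client, nets) else "is filtered"
        print(client, verdict)
    print("overly broad entries:", overly_broad(nets))
```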

Replace 111.111.111.111/32 with whatever set of IP address ranges you want to bypass amavisd-new checks. All mail arriving from those sources will fall into the MYNETS policy bank in amavisd-new and therefore bypass checking. If bypassing by IP address doesn't fit your needs, you can find ways to skip checks for some users, destinations, or sources in a helpful, if dated, guide to amavisd-new and Postfix integration.

Some Final Notes on Security

You'll note that there are a fair number of configuration files that contain database passwords for the mail and Horde data in this server, and that includes PHP files sitting in the webroot. This is not really the dominant security concern: the mail users are virtual and only the server administrator should be logging in as a system user. On AWS the default setup is for SSH login to use keys rather than passwords, and only the ubuntu user has a key set up to allow login. You can also easily lock down the SSH port to selected IP addresses via the security group applied to the server. Further, you can set .htaccess directives to ensure that no web visitor can directly view configuration files - and thus they are only used as includes, which covers the rare case where some error causes PHP files to be served by Apache as plain text. MySQL access is from localhost only, in any case. All in all the lowest bar from a security perspective is probably that the mail server built here runs a couple of complicated PHP web applications with database access. A serious breach there would involve a way to upload and execute an arbitrary PHP script or shell command with the www-data user's permissions, or various other XSS attacks allowing for session hijacking of administrators - either way, or just by getting into the mail and Horde databases, compromise of the webroot is compromise of all of the important functions of the server. Horde has had multiple vulnerabilities in past years, but at some point you have to pick your software.
On the whole, given the choice, I'd rather go with the output of established development communities whose members have a demonstrated track record of vulnerabilities found and fixed, and where there are a large number of eyes directed at the codebase. These are all good reasons for setting up your webmail on a different server from the one running Postfix and Dovecot - something to bear in mind. Of course being on AWS - or indeed pretty much any sort of easily available hosting in the US wherein the server is not in your front room - means that the US government has free access to your data any time they particularly feel up to the task, and you may never know a copy was taken. One of the welcome forthcoming evolutions in virtual hosting services will be some form of turn-key encrypted server operations such that you can have the convenience of an AWS-style service but without the transparency it affords the present day panopticon-in-the-making.