Build a Mail Server with Commodity Hardware and FreeBSD, Part 2 (the Extras)

Part 1

The system we built in Part 1 of this Recipe used only free, open-source software. Same with Part 2. All the programs you'll need are free, open-source software. They are all included in the FreeBSD ports and packages system, as discussed in Part 1.

Today, any mail server that lacks protection against spam and viruses is considered incomplete. To provide these functions, I recommend the following freeware:

In this Recipe, I will instruct you to install both the ClamAV and amavisd-new packages from the FreeBSD packages system, so you won't need to download them manually. Also, since SpamAssassin is part of amavisd-new, you won't need to download that separately, either.

Most mail servers now let users send and receive e-mail by using a Webmail interface through a browser, not just by using a client like Outlook or Eudora. One of the best Webmail packages available is SquirrelMail, a standards-based package written in PHP4. It renders pages in pure HTML 4.0 with no requirement for JavaScript.

As I did in Part 1 of this Recipe, I'll use Courier font for highlighting commands or filenames, and a percentage sign (%) to represent the command prompt. I'll also continue installing applications using the pre-compiled packages system.

You may remember from Part 1 that we installed our base system from a CD. Assuming your system has Internet access, changing your installation source to one of the FreeBSD FTP mirror servers will let you add packages without needing to swap CD discs. This is extremely handy when working remotely.

Installing and Configuring amavisd-new and ClamAV

First, you will need to install amavisd-new, which will act as the interface between Postfix, ClamAV, and SpamAssassin. To do so, install the FreeBSD package:

% /usr/sbin/pkg_add -r amavisd-new

This will install the amavisd-new package along with any required dependencies. Next, open /usr/local/etc/postfix/master.cf in your text editor. Scroll down to the bottom and add the following code (which you can simply copy and paste from this Recipe):

# This section contains the configuration
# necessary for Postfix to use amavisd-new
# as a message content filter.
smtp-amavis unix - - y - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Note: This configuration is from the amavisd-new README file for Postfix. Next, tell Postfix to use amavisd-new as a content filter. Do this by adding the following line to the end of /usr/local/etc/postfix/main.cf:

content_filter=smtp-amavis:[127.0.0.1]:10024
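The listener on 127.0.0.1:10025 is where amavisd-new hands scanned mail back to Postfix, so it has to stay loopback-only and must not apply content_filter a second time. The shell check below is an added example, not part of this Recipe or the amavisd-new README; the function names service_entry and audit_reinject and the sample file are made up for illustration, and it assumes the four overrides it tests should appear exactly as written in the master.cf block above.

```shell
#!/bin/sh
# Added example: audit the reinjection listener that master.cf defines on
# 127.0.0.1:10025. Function names and the sample file are illustrative.

# Print the service entry for port $2 in master.cf file $1 as one logical
# line; continuation lines in master.cf begin with whitespace.
service_entry() {
    awk -v port="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        /^[ \t]/ { if (hit) entry = entry " " $0; next }  # continuation
        { if (hit) exit                               # next service starts
          if ($1 == port || $1 ~ (":" port "$")) { hit = 1; entry = $0 } }
        END { if (hit) { gsub(/[ \t]+/, " ", entry); print entry } }
    ' "$1"
}

# Return 0 if the listener is loopback-only and cannot re-enter the filter;
# otherwise print one FAIL line per problem and return 1.
audit_reinject() {
    entry=$(service_entry "$1" "${2:-10025}")
    [ -n "$entry" ] || { echo "FAIL: no listener on port ${2:-10025}"; return 1; }
    rc=0
    case "$entry" in
        127.0.0.1:*) ;;
        *) echo "FAIL: listener is not bound to 127.0.0.1"; rc=1 ;;
    esac
    # "-o name=value " must match exactly, so content_filter= must be empty.
    for want in content_filter= mynetworks=127.0.0.0/8 \
        smtpd_client_restrictions=permit_mynetworks,reject \
        smtpd_recipient_restrictions=permit_mynetworks,reject; do
        case "$entry " in
            *" -o $want "*) ;;
            *) echo "FAIL: missing -o $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the listener is on all interfaces and the empty
# content_filter= override is missing, so reinjected mail would be filtered again.
sample=$(mktemp /tmp/master.cf.XXXXXX)
cat > "$sample" <<'EOF'
10025 inet n - n - - smtpd
  -o mynetworks=127.0.0.0/8
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
EOF
audit_reinject "$sample" || echo "reinjection listener needs fixing"
rm -f "$sample"
```

To check the live configuration, call audit_reinject /usr/local/etc/postfix/master.cf after editing the file and before reloading Postfix.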

Next, you will need to do some minor customization of amavisd.conf. First, find the line that reads:

$mydomain = 'example.com' ;

Then replace example.com with your domain. In my case, this was davemarkowitz.net. This is important, because amavisd-new adds information to e-mail message headers, and we want that to be accurate. Amavisd-new can use several different anti-virus scanners, including commercial products from F-Prot, Sophos, and McAfee. But we'll configure amavisd-new to route messages through the freely available, open-source ClamAV. Open /usr/local/etc/amavisd.conf, and find the following block of text:

# ### http://www.clamav.net/
# ['ClamAV-clamd',
#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
#   qr/\bOK$/, qr/\bFOUND$/,
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

Uncomment all but the first line by removing the initial hash mark (#). Installing amavisd-new from the FreeBSD package automatically adds a line to /etc/rc.conf so that it starts on boot. Now that amavisd-new is installed, the next piece of the puzzle to add is ClamAV for virus scanning. In the command line, type this:

% /usr/sbin/pkg_add -r clamav

ClamAV's executable is /usr/local/sbin/clamd and its configuration is stored in /usr/local/etc/clamd.conf. As with the other packages we're using, reading through the config file will help you gain a better understanding of what options are available. To avoid permissions problems, we're going to add the clamav user to the group vscan, the group of which amavisd-new is a member. Type this in the command line:

% pw groupmod vscan -M clamav

You want ClamAV to automatically start on boot, and you also want it to automatically update its virus database daily. To set this up, add the following lines to the end of /etc/rc.conf:

# Automatically start ClamAV on boot.
clamav_clamd_enable="YES"

As you would with any commercial anti-virus scanner, you'll need to keep ClamAV's virus database updated so it can fight any new malware. This is handled with freshclam. You'll need to update the config file /usr/local/etc/freshclam.conf, so that freshclam downloads virus definitions from the appropriate FTP mirror. Open it in your editor and find the line that reads:

#DatabaseMirror db.XY.clamav.net

Uncomment the line by deleting the hash mark. Then replace XY with your country's top-level domain code. If you're in the United States it's "us." For other countries, the top-level domain country codes are listed on this Internet Assigned Numbers Authority (IANA) page. Next, add the following three lines to the end of /etc/rc.conf so that the freshclam daemon starts each time the server boots:

# Automatically start the freshclam daemon for virus
# signature updates.
clamav_freshclam_enable="YES"

You can tell the mail is going through the anti-virus and anti-spam scanners by looking at the header of a message. It should include something like this:

X-Virus-Scanned: amavisd-new at davemarkowitz.net

If you've followed the steps so far, you should have a mail server that provides SMTP, POP and IMAP services along with virus and spam filtering. While FreeBSD is an exceptionally stable operating system, Murphy's Law dictates that at some point the box will have to be rebooted, if for no other reason than a power failure. Going in and restarting everything manually would be inconvenient, so now is a good time to test how your configuration will survive a reboot. To reboot a FreeBSD system from the command line, issue the following command as root:

% shutdown -r now

After the machine is back up, run the top command, which gives output like this:

  PID USERNAME THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
  459 root       1  96    0  2496K  1544K select   0:26  0.00% dovecot
  433 clamav     3  20    0 18256K 17116K kserel   0:05  0.00% clamd
  405 vscan      1   8    0 40344K 36832K nanslp   0:02  0.00% perl5.8.7
  515 dovecot    1  96    0  2476K  1588K select   0:02  0.00% imap-login
  431 vscan      1  20    0 41376K 37228K lockf    0:02  0.00% perl5.8.7
  519 dovecot    1  96    0  2468K  1580K select   0:01  0.00% pop3-login
  432 vscan      1   4    0 41368K 37192K accept   0:01  0.00% perl5.8.7
  516 dovecot    1  96    0  2476K  1588K select   0:01  0.00% imap-login
  517 dovecot    1  96    0  2476K  1588K select   0:01  0.00% imap-login
  520 dovecot    1  96    0  2468K  1580K select   0:01  0.00% pop3-login
  514 root       1  96    0  2552K  1492K select   0:01  0.00% dovecot-auth
  508 root       1  96    0  1496K  1252K select   0:00  0.00% master
  286 root       1  96    0  1292K   868K select   0:00  0.00% syslogd
 1006 root       1  96    0  2360K  1644K select   0:00  0.00% top
  736 dave       1  96    0  6076K  3140K select   0:00  0.00% sshd
  518 dovecot    1  96    0  2468K  1580K select   0:00  0.00% pop3-login
  422 root       1   8    0  1312K  1032K nanslp   0:00  0.00% cron
  733 root       1   4    0  6100K  3124K sbwait   0:00  0.00% sshd
  359 root       1  96    0  1208K   772K select   0:00  0.00% usbd
  739 root       1  20    0  4248K  3108K pause    0:00  0.00% csh
  986 root       1  20    0  3604K  2584K pause    0:00  0.00% csh
  522 postfix    1  96    0  1580K  1308K select   0:00  0.00% qmgr
  804 root       1   8    0  1592K  1296K wait     0:00  0.00% login
  737 dave       1   8    0  3156K  2000K wait     0:00  0.00% bash
 1008 root       1  96    0  2308K  1592K RUN      0:00  0.00% top
  928 postfix    1  96    0  1516K  1244K select   0:00  0.00% pickup

Note the usernames and associated commands. The references above to perl5.8.7, imap-login, pop3-login, master, and dovecot-auth show us that all the programs we've installed and configured are running.

Type q to quit top and drop back to a command prompt.

Installing and Configuring SquirrelMail

You are almost finished. Adding SquirrelMail to provide Webmail services will top off your server. Install SquirrelMail using the following command:

% /usr/sbin/pkg_add -r squirrelmail

If you watch the messages that FreeBSD shows onscreen, you'll notice that it installs several packages that SquirrelMail depends on, including PHP and the Apache Web server. Read the screen that appears after the SquirrelMail package is installed. It describes configuration actions you will need to take before SquirrelMail will work. To allow access to SquirrelMail in a browser, add an alias in /usr/local/etc/apache/httpd.conf pointing to /usr/local/www/squirrelmail. If the server isn't going to be a Web server per se, you can do this by changing the variable DocumentRoot to /usr/local/www/squirrelmail. One dependency that will be installed with SquirrelMail is the scripting language PHP4. This adds several configuration files to /usr/local/etc, including two sample php.ini files. From /usr/local/etc, create a php.ini file for the system as follows:

% cp php.ini-recommended php.ini

Look in your new /usr/local/etc/php.ini and make sure that the following option is set:

file_uploads = On

SquirrelMail has a menu-driven configuration program, accessed by issuing this command:

% cd /usr/local/www/squirrelmail && ./configure

Go through the menu items to configure SquirrelMail's options for your server—for example, the domain name. The menu items are self-explanatory and include examples. Now is a good time to start up Apache and see if your SquirrelMail configuration is any good. First, start Apache:

% /usr/local/sbin/apachectl start

Next, open a Web browser on a second machine on your network and point it to http:///src/configtest.php . Assuming you've done everything right, you should get a screen that looks like this:


/etc/rc.conf:

# Automatically start apache on system boot.
apache_enable="YES"

Congratulations, you now have an e-mail server that provides SMTP, POP, and IMAP services, plus anti-virus and spam filtering, and that is accessible by popular e-mail clients such as Outlook, Mozilla Thunderbird, and Webmail.

That said, we've barely scratched the surface of the functionality offered by each of these programs. I encourage you to delve into their configuration files and the available literature to gain a better understanding of the systems, as well as to learn how to tweak them to best serve your customers' needs.

This is Part 2 of a two-part TechBuilder Recipe. Part 1 shows how to create a secure, basic e-mail server for SMBs by using three open-source programs: FreeBSD, Postfix, and Dovecot.

DAVID S. MARKOWITZ is a computer network and integration consultant who serves SMBs and home users in the Philadelphia area.