Category Archives: System Admin

Sysadmin notes for carrying out common basic admin tasks.

Setting up Postfix and Mutt. 01

Install and configure Postfix

This is a basic setup of Postfix. The mail users have system accounts on the mail server, so in this instance they will log into the server to read and send mail. The example client is Mutt, shown at the end.

I’ve included the configuration for the SASL (Simple Authentication and Security Layer) daemon here. We do not need it now but for sending mail from remote systems we will. I wanted to keep the blog posts short so the next will follow on, adding to this config.

At time of writing, I'm using Postfix 2.10.0 on Ubuntu Server 13.04 in a virtual machine in VMware Workstation 10, on Windows 7 Professional.

Instructions below assume you’re running as root.

Install the application and documentation:

apt-get install postfix postfix-doc

The initial configuration screen is somewhat tricky to use with a screenreader. If possible choose "No configuration". We'll edit main.cf by hand.

There are two main configuration files in Postfix: /etc/postfix/main.cf and /etc/postfix/master.cf.

We will only be making changes in main.cf at this time.

If you have an admin account on the system, edit /etc/aliases accordingly, so that account receives mail for postmaster via root.

# see man 5 aliases for format
postmaster: root
root: admin

Run the newaliases command to rebuild the alias database:

newaliases

Edit main.cf with basic server details. Spaces around the “=” are optional.

myhostname=mail.example.com
mydomain=example.com
myorigin=$mydomain
mydestination=$myhostname, localhost.$mydomain, $mydomain, localhost

Authenticating SMTP with SASL

For clients to authenticate we will use the Cyrus SASL libraries.

With the setup below, SASL will authenticate email users against the system password file, i.e. the email users have system accounts on the machine running Postfix.

apt-get install sasl2-bin

We want the saslauthd authentication daemon to start at boot.

Edit /etc/default/saslauthd

START=yes

On Debian and Ubuntu, smtpd runs chrooted under /var/spool/postfix, so it cannot see a socket in /var/run. In the same file, set the -m path in the OPTIONS line to /var/spool/postfix/var/run/saslauthd (the file carries a commented example). If you skip this, every login fails with "cannot connect to saslauthd server" in mail.log.

Create /etc/postfix/sasl/smtpd.conf and add:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

If we wanted libsasl to check passwords itself rather than ask saslauthd, we'd change the first line to:

pwcheck_method: auxprop

With an auxprop_plugin of sasldb, for example, it reads the SASL password database directly, which lives at:
/etc/sasldb2

The other way to use sasldb2, say where users do not have system accounts, is to keep pwcheck_method: saslauthd and have saslauthd consult that database instead of the system password file. Choose the sasldb mechanism in /etc/default/saslauthd:
MECHANISMS="sasldb"

If using the sasldb2 file, you add users with the saslpasswd2 command.

Example:
saslpasswd2 -c -u example.com newuser
Password:
Again (for verification):

-c = create the entry.
-u = realm. Match it to the domain clients will log in with, since the lookup key is user@realm.

Back to our example using the system password file, i.e. we're assuming our email users also have system accounts.

Add the user postfix to the sasl group so that smtpd can reach the saslauthd socket. On Debian and Ubuntu the socket directory is accessible only to that group; elsewhere this isn't always necessary.

adduser postfix sasl

Edit main.cf

The parameters for working with SASL start with smtpd_sasl for the Postfix server and smtp_sasl for Postfix acting as a client, i.e. when sending mail to a relay that requires a login.

Switch on smtpd authentication:
smtpd_sasl_auth_enable = yes

For some older clients that didn't implement the SMTP AUTH extension correctly you can add the following line, although it may no longer be necessary:
broken_sasl_auth_clients = yes

To stop authenticated users spoofing their sender address, map each address to the login that owns it. Create /etc/postfix/sasl_senders with one "address login" pair per line, then run postmap against it so Postfix can read it as a hash table:
newuser@example.com newuser

postmap /etc/postfix/sasl_senders

And add the line below to main.cf. The login name is whatever the user authenticates as, so with saslauthd and system accounts it is the plain username:
smtpd_sender_login_maps = hash:/etc/postfix/sasl_senders

The next lines for main.cf say who may relay. Postfix evaluates each restriction list left to right and stops at the first permit or reject, so reject_sender_login_mismatch must run before permit_sasl_authenticated or it never fires for a logged-in user. The cleanest place for it is smtpd_sender_restrictions, which is evaluated before the recipient checks:

smtpd_sender_restrictions = reject_sender_login_mismatch
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

smtpd_relay_restrictions is new in Postfix 2.10. On older versions it is the reject_unauth_destination in smtpd_recipient_restrictions that stops you relaying for strangers, so never remove it.

By default Postfix refuses anonymous SASL logins: smtpd_sasl_security_options defaults to noanonymous. If you set the parameter yourself you replace that default, so keep noanonymous in the list. The valid options are noplaintext, noactive, nodictionary, noanonymous, forward_secrecy and mutual_auth ("plaintext" on its own is not one). PLAIN and LOGIN send the password in the clear, so on a server where STARTTLS is only optional, forbid them on unencrypted sessions while still allowing them once TLS is up:

smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

The one-line alternative is smtpd_tls_auth_only = yes, which only advertises AUTH after STARTTLS.

Below is my main.cf file. I have moved some of the lines around simply for layout purposes; it doesn't matter which order they're in as far as Postfix is concerned, except that a continuation line must start with whitespace.

cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
myhostname=mail.example.com
mydomain=example.com
myorigin=$mydomain
mydestination=$myhostname, localhost.$mydomain, $mydomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

smtpd_sasl_auth_enable=yes
smtpd_sender_login_maps = hash:/etc/postfix/sasl_senders
smtpd_sender_restrictions = reject_sender_login_mismatch
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
home_mailbox=Maildir/
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA’s job.
append_dot_mydomain = no

# Uncomment the next line to generate “delayed mail” warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost =

mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html

Reload Postfix so that main.cf is reread:

postfix reload

Restart the saslauthd daemon so it picks up /etc/default/saslauthd:

service saslauthd restart

Remember we're using system accounts at this point. To test a login against saslauthd use:

testsaslauthd -u username -p password

If you moved the socket into the Postfix chroot, point testsaslauthd at it with -f /var/spool/postfix/var/run/saslauthd/mux. Note that the password is passed on the command line, so it lands in your shell history and is visible in the process list while the command runs; test with a throwaway account or clear the history afterwards.

Also at this point, the only host that can send mail without authenticating is the server itself. This is the default. You can add your local private subnet to the mynetworks parameter if desired. Assuming your subnet is 192.168.0.0/24, add it to the end:
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24

Be careful, if you change the default, which networks you add to this parameter: anything listed here relays without a password. You *do not* want to make your mailserver an open relay.
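The relay and SASL settings above are easy to get subtly wrong, and a mistake only shows up when someone abuses the server. The script below is an added example, not part of the original post and not a Postfix tool: a POSIX sh and awk audit of a main.cf that checks the four points made above (an unauth_destination reject in the relay restrictions, nothing overbroad in mynetworks, reject_sender_login_mismatch evaluated before permit_sasl_authenticated, and plaintext mechanisms not offered without TLS). It never calls postfix, so it can be run on a copy of the file anywhere. The two sample configs it writes are constructed for the demonstration: weak.cf uses the restriction ordering this post originally had plus a deliberately open mynetworks, hardened.cf is the corrected form.

```shell
#!/bin/sh
# Audit a Postfix main.cf for the relay and SASL settings discussed above. Pure
# POSIX sh plus awk and it never calls postfix, so it runs against a copy of the
# file on any machine. File names and the two sample configs are constructed.

cf_get() {  # cf_get <main.cf> <parameter> -> value; continuation lines joined, last setting wins
    awk -v key="$2" '
        /^[ \t]/ { if (inval) val = val " " $0; next }          # continuation line
        { if (inval) last = val; inval = 0 }
        $0 ~ ("^" key "[ \t]*=") { sub("^" key "[ \t]*=[ \t]*", ""); val = $0; inval = 1 }
        END { if (inval) last = val
              gsub(/[ \t,]+/, " ", last); sub(/^ /, "", last); sub(/ $/, "", last); print last }' "$1"
}
pos() {  # pos "<list>" <item> -> 1-based position of item in a space-separated list, 0 if absent
    echo "$1" | awk -v item="$2" '{ for (i = 1; i <= NF; i++) if ($i == item) { print i; ok = 1; exit } }
                                  END { if (!ok) print 0 }'
}
has() { [ "$(pos "$1" "$2")" -gt 0 ]; }

audit_main_cf() {  # audit_main_cf <main.cf> -> prints OK:/WARN: lines; exit status 1 if anything warned
    f=$1; warns=0
    warn() { echo "WARN: $*"; warns=$((warns + 1)); }
    # 1. Something must stop relaying to arbitrary destinations (pre-2.10: recipient restrictions).
    relay=$(cf_get "$f" smtpd_relay_restrictions)
    [ -n "$relay" ] || relay=$(cf_get "$f" smtpd_recipient_restrictions)
    if has "$relay" reject_unauth_destination || has "$relay" defer_unauth_destination; then
        echo "OK: relay restrictions reject unauthorised destinations"
    else
        warn "no reject/defer_unauth_destination in relay restrictions: open relay"
    fi
    # 2. Every address in mynetworks relays without a password.
    for net in $(cf_get "$f" mynetworks); do
        case "$net" in
            */0) warn "mynetworks contains $net, so anyone may relay" ;;
            127.*|"[::1]"*|"[::ffff:127."*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
            *) warn "mynetworks contains non-private range $net" ;;
        esac
    done
    # 3. reject_sender_login_mismatch only protects if it runs before clients are permitted.
    if [ -n "$(cf_get "$f" smtpd_sender_login_maps)" ]; then
        rcpt=$(cf_get "$f" smtpd_recipient_restrictions)
        mm=$(pos "$rcpt" reject_sender_login_mismatch); auth=$(pos "$rcpt" permit_sasl_authenticated)
        if has "$(cf_get "$f" smtpd_sender_restrictions)" reject_sender_login_mismatch; then
            echo "OK: sender/login mismatch checked in smtpd_sender_restrictions"
        elif [ "$mm" -eq 0 ]; then
            warn "smtpd_sender_login_maps set but reject_sender_login_mismatch is never evaluated"
        elif [ "$auth" -gt 0 ] && [ "$mm" -gt "$auth" ]; then
            warn "reject_sender_login_mismatch comes after permit_sasl_authenticated, so it never fires for logged-in users"
        else
            echo "OK: sender/login mismatch checked before clients are permitted"
        fi
    fi
    # 4. PLAIN and LOGIN send the password in clear unless AUTH is only offered after STARTTLS.
    if [ "$(cf_get "$f" smtpd_sasl_auth_enable)" = yes ]; then
        if [ "$(cf_get "$f" smtpd_tls_auth_only)" = yes ] ||
           has "$(cf_get "$f" smtpd_sasl_security_options)" noplaintext; then
            echo "OK: plaintext SASL mechanisms are not offered on unencrypted sessions"
        else
            warn "PLAIN/LOGIN accepted without TLS: set smtpd_tls_auth_only = yes or add noplaintext"
        fi
    fi
    [ "$warns" -eq 0 ]
}

write_sample_configs() {  # write_sample_configs <dir> -> constructed weak.cf (post's ordering, plus a /0) and hardened.cf
    cat > "$1/weak.cf" <<'EOF'
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 0.0.0.0/0
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = hash:/etc/postfix/sasl_senders
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination, reject_sender_login_mismatch
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
EOF
    cat > "$1/hardened.cf" <<'EOF'
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sender_login_maps = hash:/etc/postfix/sasl_senders
smtpd_sender_restrictions = reject_sender_login_mismatch
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
EOF
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
for cf in weak hardened; do echo "== $cf.cf"; audit_main_cf "$tmp/$cf.cf" || true; done
rm -rf "$tmp"
```

Run it as sh audit.sh against a copy of your own file by calling audit_main_cf /path/to/main.cf; weak.cf produces three warnings and hardened.cf none. The parser deliberately takes the last occurrence of a parameter, as Postfix does, so a duplicated line further down the file is what gets checked.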

The home_mailbox=Maildir/ parameter selects the Maildir format as an alternative to the Unix-style mbox format. We need Maildir for later, when it comes to adding an IMAP server to our setup. Other IMAP servers are available, Dovecot and Cyrus for example, but I'll be using Courier.

Install and configure the Mutt mail client

Mutt is a text based mail client that the users can access from the terminal

apt-get install mutt

Alas I can’t recall where, otherwise I’d link to them. But I found the following configuration for the Mutt mail client online and it’s worked for me. Just add the following lines at the end of the /etc/Muttrc configuration file. Note: Muttrc starts with a capital M.

set mbox_type=Maildir
set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.sent"
set postponed="+.postponed"
set spoolfile="~/Maildir"
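Postfix's local delivery agent creates ~/Maildir the first time it delivers to a user, but an account that has not received anything yet has no Maildir at all, and Mutt then complains that its spoolfile does not exist. The folders the configuration above writes to, +.sent and +.postponed, are Courier-style dot-folders under ~/Maildir. The script below is an added example, not part of the original post or of Mutt, Postfix or Courier: it builds that layout by hand for a home directory (a constructed temporary one in the demo), with the private permissions mail should have, and counts unread messages the Maildir way.

```shell
#!/bin/sh
# Create the Maildir tree the Muttrc above refers to: ~/Maildir with cur/new/tmp,
# plus Courier-style dot-folders (".sent" -> ~/Maildir/.sent), each carrying the
# empty "maildirfolder" marker that Courier's maildirmake -f writes in subfolders.
# Paths and the sample message are constructed for the demonstration.

make_maildir() {  # make_maildir <home> [folder ...]
    home=$1; shift
    umask 077                                      # mail is private: 0700 dirs, 0600 files
    for folder in "" "$@"; do
        dir="$home/Maildir${folder:+/$folder}"
        mkdir -p "$dir/cur" "$dir/new" "$dir/tmp"
        [ -z "$folder" ] || : > "$dir/maildirfolder"   # marker only in subfolders
    done
}

new_mail_count() {  # new_mail_count <home> -> number of unread messages (files in Maildir/new)
    find "$1/Maildir/new" -type f | wc -l | tr -d ' '
}

demo=$(mktemp -d)
make_maildir "$demo" .sent .postponed
echo "constructed message" > "$demo/Maildir/new/1700000000.M1P1.mail.example.com"   # one "delivery"
echo "$(new_mail_count "$demo") new message(s) in $demo/Maildir"
ls -la "$demo/Maildir"
rm -rf "$demo"
```

For new accounts the same tree can be placed in /etc/skel/Maildir so useradd -m copies it into every home directory, which saves creating it per user.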

Notes

You can view and edit parameters in main.cf with the postconf command.

postconf (parameter name) Display the value in effect.
postconf -d (parameter name) Display the built-in default, which is not necessarily what main.cf says.
postconf -n List every parameter you have changed from its default.
postconf -e (parameter name=value) Edit, i.e. write the setting into main.cf.

Always reload Postfix after making changes so the main configuration file is reread:

postfix reload

When editing the /etc/aliases file, use the newaliases command to rebuild the database. You can move this file where you want, but if you do so you need to point alias_maps and alias_database at the new location and rebuild it with the postalias command:

postalias (path-to-aliases)

When troubleshooting, view the log, which by default is at /var/log/mail.log.

To check the syntax of your configuration try the command:

postfix check

There are various other commands for administration in Postfix. Consult the documentation.

Although published a while ago, a useful book is Postfix: The Definitive Guide by Kyle D. Dent, published by O'Reilly.

Setting up a mailserver: Intro

Following will be a few step by step posts on setting up a mailserver on Linux.

I make no guarantees and you’d obviously be wise to do this on a test machine in a private network before setting up a live system.

I’m using a Ubuntu Server for the examples. The MTA (Mail Transport Agent) I’ll be using is Postfix, certainly initially. Later I may look at Exim. I’ll not be touching Qmail or Sendmail because frankly life’s too short.

Postfix's home page is:

www.postfix.org

vi. Quick notes.

Unless you've been a long time *nix user, you may not be part of the Emacs vs vi school. Perhaps like me, you prefer using something like Nano to edit text files in the terminal.

Problem is, on many systems, such as those running embedded Linux and using something like BusyBox, these more user friendly editors simply aren't available. Even if the system has a package manager and your favourite editor exists in a package repository, you may not have the permissions to install it. But you still need to edit a text file. Granted, if you're not root or listed in sudoers, you're not going to be able to edit anything in /etc anyway, but maybe you just need to write a note in /home.

Thankfully the text editor vi should always be included in a POSIX compatible environment, like those running BusyBox. But you load it up and realise you can't use your mouse and you don't have time to read the manual. Fear not, see below.

Vi operates in two modes: command and insert. Insert is where you actually enter text; commands operate upon the text.

Press i to enter insert mode and esc to back out to command mode.

If you’re not sure you’re in command or insert mode. Press escape a couple of times. You may hear a ping indicating you’re already in command mode.

These days the cursor keys should work for moving around in command mode, otherwise:

Left: h. Down: j. Up: k. Right: l.

Enter insert mode
i

Some common commands (note that capitals matter):

Exit without saving, discarding changes even if the file is write protected.
:q!

Quit.
:q

Save / write
:w

Save, overriding write protection.
:w!

Save and exit
:x, :wq or ZZ

Save buffered file as:
:w newfile

Discard changes and reload the file as last saved.
:e!

Edit another file without leaving vi:
:e file2

Some editing commands.

Prefix a command with a number to repeat it that many times, e.g. 3dd deletes three lines.

Delete from cursor to end of word:
dw

Delete from cursor to end of line.
D

Delete the current line.
dd

Delete from current line to end of file.
:.,$d

Delete character under cursor:
x

Yank (copy) word from cursor
yw

Yank (copy) line.
yy

Paste after cursor.
p

Paste before cursor.
P

Undo
u

Repeat
.

There are many more of course. Have a look at:
http://www.unix-manuals.com/refs/vi-ref/vi-ref.htm

Simple automated backup with Robocopy

Linux / Unix systems have rsync, a very useful tool that does what it sounds like it does: remotely sync directories and files. It has a number of options and can be used in conjunction with SSH for secure syncing. Whilst there's a version available for Windows called cwRsync, which operates in the Cygwin environment, it didn't quite work in my situation.

Since Windows Vista, Microsoft have included a command line tool called Robocopy. There are GUIs available too, see the Wiki entry. Robocopy, like rsync, has a number of options and defaults to only copying the source files to the destination if they're newer or of a different size.

With something like the simple batch script below, you can automate backups. You could assign this to a schedule in Windows but strangely I prefer to run it manually. I’ll only mention the options I’ve used as there are quite a few.

Syntax is: Robocopy source destination [options]

Robocopy "c:\users\me\My Documents\source" \\server\home\me /s /xo /FFT /Z /log+:"c:\users\me\My Documents\scripts\backup.log"
echo

/s. Copy all non-empty subdirectories. /e will copy all, including empty ones.
/xo. Exclude older files, i.e. don't overwrite a destination file that is newer than the source.
/Z. Restartable mode, in case of network problems.
/fft. FAT file times, 2 second granularity. I read of some people having problems with source dates not being compared correctly and the source being copied in its entirety each time. Using this switch was given as a possible resolution.

Note the quotes in the source path. Needed if you have any spaces in file / folder names.

The last line, echo, makes the internal speaker beep when done. There's actually a character after the echo, the bell character (ASCII 7), which has not been displayed here. To obtain it for a script, open a command prompt (Windows key + R, type cmd), type echo and a space, press Ctrl+G, which cmd shows as ^G, then redirect the output to a file:
echo ^G > beep.txt

Then copy and paste the contents of beep.txt after your echo statement.

Robocopy on Wikipedia

Users on Linux

Quick notes on adding users in Linux. As they say, check the man pages or get a good book on the subject for more detail. One such book is The Linux Cookbook by Carla Schroder, published by O'Reilly.

Adding new user.

To add a new user and have the system automatically generate them a home directory. Example for Sarah (login names are conventionally lower case):
useradd -m sarah

To include the GECOS data, use the comment option -c. There are up to five comma-separated fields (full name, room, work phone, home phone, other). If you just want their full name listed, leave the other fields blank by adding commas, and quote the string because of the space:
useradd -m -c "Sarah Johnson,,," sarah

Note, her login name will just be sarah. This must be unique on the system. Once you've run this command, you need to set her password with:

passwd Sarah

You're then prompted to enter and confirm the new password. There are other options with passwd. For example, -e expires the password immediately, forcing the user to choose a new one at first login; -x specifies how long the password will be valid for, in days; -w specifies how many days before expiry the user should get a warning.

Preventing a user having shell access.

For example, if they have an account on the system just to retrieve email with a client. You set their login shell to:
/usr/sbin/nologin

As opposed to:
/bin/bash

That is the path on Debian and Ubuntu; Red Hat style systems have it at /sbin/nologin, and /bin/false does the same job more tersely. The shell only matters for interactive logins, so saslauthd and the IMAP server still authenticate such users and mail keeps working.

or whatever shell you’re generally using.

You can use the usermod command to set this if the user already exists. Example, no shell access for Derek:
usermod -s /usr/sbin/nologin derek

If you're adding a new user called jerry (with -m so there is a home directory for the mail to land in):
useradd -m -s /usr/sbin/nologin jerry

You can also edit passwd directly if you really want, preferably with vipw, which locks the file while you work and checks the result. Either way, back up files such as that before manually editing. For example:
cp /etc/passwd /etc/bk.passwd

To suspend a user's account, let's call them Dan, the simplest way is to lock the password:
passwd -l dan

To re-enable their account:
passwd -u dan

Be aware that this only disables password logins. SSH keys, and anything else that authenticates without the password, still work. To close the account to every login method, also expire it with chage -E 0 dan, and remove the expiry again with chage -E -1 dan when restoring it.

Locking can also be done by manually editing /etc/shadow (not /etc/passwd, which only holds an "x" once shadow passwords are in use): passwd -l puts a "!" at the beginning of the password hash. Replacing the hash with "*" disables the password permanently, with no way to unlock it short of setting a new one.
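Because passwd -l only touches the hash, an account that looks suspended can still be reachable. The script below is an added example, not part of the original post: it reads passwd and shadow format files given as arguments, so it can be tried on the constructed copies it writes itself without root, and reports ordinary accounts whose password is locked but which have no expiry date, the subset of those that also hold an SSH authorized_keys file, and the state of any named account. The sample entries, hashes and key are placeholders.

```shell
#!/bin/sh
# Find accounts that look suspended but can still be used. Works on copies of
# passwd and shadow passed as arguments, so the constructed samples below can be
# tried without root. Shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:
# passwd -l only prefixes the hash with "!", which stops password logins and
# nothing else; chage -E 0 puts 0 (1 Jan 1970) in the expire field and closes the
# account for every login method.

# lock_without_expiry <passwd> <shadow>: ordinary users (uid >= 1000) whose
# password is locked ("!" or "*") but whose account has no expiry date
lock_without_expiry() {
    awk -F: 'NR == FNR { if ($3 >= 1000 && $3 != 65534) user[$1] = 1; next }
             ($1 in user) && $2 ~ /^[!*]/ && $8 == "" { print $1 }' "$1" "$2"
}

# lock_with_ssh_keys <passwd> <shadow>: the subset of those who also have an
# authorized_keys file, i.e. can still log in over SSH despite passwd -l
lock_with_ssh_keys() {
    for u in $(lock_without_expiry "$1" "$2"); do
        home=$(awk -F: -v u="$u" '$1 == u { print $6 }' "$1")
        [ -s "$home/.ssh/authorized_keys" ] && echo "$u"
    done
    return 0
}

# account_state <shadow> <user> [today-as-days-since-epoch]: expired, locked or active
account_state() {
    today=${3:-$(( $(date +%s) / 86400 ))}
    awk -F: -v u="$2" -v today="$today" '$1 == u {
        if ($8 != "" && $8 + 0 <= today) print "expired";
        else if ($2 ~ /^[!*]/) print "locked";
        else print "active";
        exit }' "$1"
}

# write_samples <dir>: constructed passwd/shadow entries (hashes and key are placeholders)
write_samples() {
    mkdir -p "$1/home/dan/.ssh" "$1/home/sarah"
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY dan@laptop" > "$1/home/dan/.ssh/authorized_keys"
    cat > "$1/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
dan:x:1001:1001:Dan,,,:$1/home/dan:/bin/bash
sarah:x:1002:1002:Sarah Johnson,,,:$1/home/sarah:/bin/bash
jerry:x:1003:1003:Jerry,,,:$1/home/jerry:/usr/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
root:!:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
dan:!$6$saltsalt$placeholderhash:16000:0:99999:7:::
sarah:$6$saltsalt$placeholderhash:16000:0:99999:7:::
jerry:!$6$saltsalt$placeholderhash:16000:0:99999:7::0:
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "locked but not expired: $(lock_without_expiry "$tmp/passwd" "$tmp/shadow")"
echo "of those, with SSH keys: $(lock_with_ssh_keys "$tmp/passwd" "$tmp/shadow")"
for u in dan sarah jerry; do echo "$u: $(account_state "$tmp/shadow" "$u")"; done
rm -rf "$tmp"
```

On a real system run the functions as root against /etc/passwd and /etc/shadow; dan is the case to watch for, locked with passwd -l but still able to log in with his key, whereas jerry, expired with chage -E 0, is closed for everything.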