# How to set up an email server with postfix/cyrus

## audiodef

I'm leaving my shared hosting account with Godaddy and rolling my own with a VPS from vr.org. I have my site set up. Now I need to set up my mail server. I'm going with postfix based on a recommendation. How do I get started? I'm a total n00b to mail servers.

EDIT: 

Can I use postfix to handle email from two different domains hosted under Apache vhosts?

----------

## audiodef

Another thing I want to do is have postfix do a catch-all, so that when unknown_user@domain comes in, it routes it to a default address for that domain. I currently do this with my Godaddy account, and I find it useful for things I don't actually want to create a real email account for (like using Redbox or Facebook - you know, things that really only want an identifier of some kind and never actually send you useful email messages).

----------

## Ant P.

Install postfix and set "myhostname"/"mydomain"/"mydestination" in main.cf; the latter is where you set which hostnames to accept mail for.

I'm not sure about catch-all stuff but you might want to look at the comments for "recipient_delimiter" in there.

----------

## cach0rr0

 *audiodef wrote:*   

> Another thing I want to do is have postfix do a catch-all, so that when unknown_user@domain comes in, it routes it to a default address for that domain.

 

normally handled by the luser_relay setting in main.cf 

Can also do something like this if you have multiple domains

```
# cat /etc/mail/virtual
@blueball.me meat@whitehathouston.com
@blueballed.me meat@whitehathouston.com
@whitehathouston.com meat@whitehathouston.com
@renee.whitehathouston.com meat@whitehathouston.com
```

```
# grep virtual /etc/postfix/main.cf 
virtual_alias_maps = hash:/etc/mail/virtual
```

HOWEVER...what that virtual_alias_maps is supposed to do, normally, is define a one-to-one aliasing. 

What I've done above takes e-mail for *all four* of those domains, regardless of the recipient, and sends it to 'meat@whitehathouston.com'

what you probably want is luser_relay for unknown recipients, and not the above suggestion

now, actually defining your "known recipients" list is another matter entirely.

----------

## cach0rr0

 *audiodef wrote:*   

> I'm leaving my shared hosting account with Godaddy and rolling my own with a VPS from vr.org. I have my site set up. Now I need to set up my mail server. I'm going with postfix based on a recommendation. How do I get started? I'm a total n00b to mail servers.
> 
> 

 

Start by planning honestly. Once you have it planned out how you're going to handle mailboxes on the backend (for example, you can backend to your regular old /etc/passwd users, so that mail to 'user1@domain1.com' and mail to 'user1@domain2.com' both go to the same place, /home/user1/.maildir, the homedir for a user you've added to the system as per usual with 'useradd', or, you can do the "virtual hosting" nonsense, where user1@domain1 is viewed as different from user1@domain2)

Once you have it planned out, plain old emerge postfix, then dive through main.cf and master.cf

master.cf basically controls the way Postfix listens for e-mail (e.g. do i listen on tcp 25? do i just listen on a unix socket? which)

main.cf controls acceptance/delivery/routing, that sort of thing. It's your "policy engine" for lack of a better term

 *audiodef wrote:*   

> 
> 
> Can I use postfix to handle email from two different domains hosted under Apache vhosts?

 

absolutely.  Mind you, postfix doesn't actually use any of apache's configuration info, there's no direct tie like that, but yes, it can. The postfix side of *accepting* mail for multiple domains is easy. Where it requires more thought is deciding on *delivery*, as in, where mailboxes are stored, and how.

----------

## cach0rr0

If an example is helpful, I've tweaked my main.cf slightly to reflect your main domain

this would:

-accept mail for audiodef.com

-accept mail for my domains too actually (since i was lazy and left them in that file)

-deliver them to cyrus-imap via lmtp

example main.cf

example master.cf

some of the other miscellaneous files you see referenced - all of which must be postmapped

For the scenario where user1@anydomain should go to /home/user1/.maildir/ ? 

example main.cf - this is something I might use with, for example, Dovecot. Very straightforward setup, but not as flexible. 

You can also get a bit more tricky, and go with something like this:

http://www.gentoo.org/doc/en/virt-mail-howto.xml

Now, in my case, I don't do any recipient validation, since I route everything to myself.

Before I did that, though, I used cyrus-imap, with the "autocreate" patch, which basically just meant, any username at my domains would be considered valid, and cyrus would automatically create a mailbox for any new email address it sees (which, would be any address that makes it past postfix). Cyrus has its own little storage backend, rather than storing mail directly on disk.

EDIT: I should really write up a new guide for this. The existing one is fine I guess, but I don't much care for Courier. Rather write something for cyrus, or dovecot.

----------

## audiodef

How about this guide?

http://www.gentoo.org/doc/en/virt-mail-howto.xml#doc_chap1

----------

## audiodef

I may have missed something about changing my MX entry in my Godaddy account. Currently, it's set to 

mailstore1.secureserver.net

smtp.secureserver.net

Do I simply change that to audiodef.com (since audiodef.com now points to my VPS where I'm setting up postfix)?

----------

## cach0rr0

 *audiodef wrote:*   

> How about this guide?
> 
> http://www.gentoo.org/doc/en/virt-mail-howto.xml#doc_chap1

 

the guide works, just not personally a fan of courier, nor backending things to a database - but that's a personal preference. 

For any of these setups, the postfix side is fairly trivial insofar as making the mail go where your IMAP/POP daemon wants it to be. Most of the difficulty is in planning out how you want your imap/pop client to store the mail. The above guide works perfectly well if you don't mind backending to mysql.

----------

## cach0rr0

 *audiodef wrote:*   

> I may have missed something about changing my MX entry in my Godaddy account. Currently, it's set to 
> 
> mailstore1.secureserver.net
> 
> smtp.secureserver.net

 

aye, those are the defaults, for folks who host their mail with godaddy

 *audiodef wrote:*   

> 
> 
> Do I simply change that to audiodef.com (since audiodef.com now points to my VPS where I'm setting up postfix)?

 

That will work, yes. Set up only one MX record, for the domain 'audiodef.com', with the MX pointed at 'audiodef.com' with a priority of zero if you can, or 5 if not.

Can also add a new A record, that still points at the same host, but named, say, 'smtp.audiodef.com', and then set your MX to be 'smtp.audiodef.com' - this gives you no functional advantage, just easier on the eyes (for me personally) to see an MX that's host.domain.tld and not domain.tld - even though strictly speaking domain.tld is fine.

----------

## audiodef

 *cach0rr0 wrote:*   

> The above guide works perfectly well if you don't mind backending to mysql.

 

Actually, I don't mind that at all. I do other things with MySQL, so while I can't think of WHAT exactly I could do off the top of my head, I could possibly play around with database-stored mail and my other projects.

----------

## audiodef

 *cach0rr0 wrote:*   

>  *audiodef wrote:*   I may have missed something about changing my MX entry in my Godaddy account. Currently, it's set to 
> 
> mailstore1.secureserver.net
> 
> smtp.secureserver.net 
> ...

 

Hm. I can't seem to change the default settings in my Godaddy account. It just won't let me do it, with a "the settings that could be saved have been saved" message. I could add another record, but the defaults are still there. Is this going to cause problems?

----------

## cach0rr0

 *audiodef wrote:*   

> 
> 
> Actually, I don't mind that at all. I do other things with MySQL, so while I can't think of WHAT exactly I could do off the top of my head, I could possibly play around with database-stored mail and my other projects.

 

that guide doesn't actually store message contents in the database

what it does is use the database to lookup where a mail should be stored for a particular user 

(I may have misspoke or been a touch confusing above)

basically something like 'select mailbox from blah', save result as $foo, mail goes to /home/vmail/$foo

that's not exactly how it works, but you get the idea.

----------

## cach0rr0

 *audiodef wrote:*   

> 
> 
> Hm. I can't seem to change the default settings in my Godaddy account. It just won't let me do it, with a "the settings that could be saved have been saved" message. I could add another record, but the defaults are still there. Is this going to cause problems?

 

should be able to go here:

https://dns.godaddy.com/ZoneFile.aspx?zone=AUDIODEF.COM&zoneType=0&refer=dcc

below the MX section, should be a 'quick add'

add your new MX

then as you hover over your other/old MX records, should be a red X button over on the far right that lets you delete. 

If you're stuck, screencap the page you're on (editing out any personal data obviously), and post 'er up. Curious if you're looking at the same thing.

----------

## audiodef

OK, deleting the old MX records worked. Now to see if I've at least set up the very basics or if mail gets sent to la-la land.

----------

## audiodef

Part 8 of this tutorial has an error in the genericmailsql.sql file. There's a line of dashes. A double-dash is a comment, but continuous dashes throw a mysql error.

----------

## audiodef

In this guide, code listing 9.2 is somewhat ambiguous. I did have a default ssl conf, but...

Do I add a NameVirtualHost host.domain.name:443 and at what point in the file, if so?

host.domain.name = ? On my hosting account, I named my server serverdef, so does host.domain.name = audiodef.com or does it = serverdef.audiodef.com?

----------

## cach0rr0

 *audiodef wrote:*   

> In this guide, code listing 9.2 is somewhat ambiguous. I did have a default ssl conf, but...
> 
> Do I add a NameVirtualHost host.domain.name:443 and at what point in the file, if so?
> 
> 

 

None of that is strictly necessary unless you want phpmyadmin. I tend to avoid it, if nothing else because it has a relatively long and seedy history of nasty vulns. Not that there are better packages out there for such a thing, but an unnecessary risk as the tool itself is unnecessary (IMHO - I just do all my mysql stuff on the command line, and actually find it a bit easier)

However, even for using phpmyadmin via SSL, the default setting for NameVirtualHost at the top of 00_default_ssl_vhost should be fine. 

The format of this file is basically the same as 00_default_vhost.conf, except a few params added to turn on SSL, and paths to the keys/certs provided:

(mine)

```
# Outer <IfDefine SSL> restored: the paste began one level in but closed both levels.
<IfDefine SSL>
  <IfDefine SSL_DEFAULT_VHOST>
    <IfModule ssl_module>
      Listen 443
      NameVirtualHost *:443

      # Three name-based HTTPS vhosts sharing one certificate/key pair.
      <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/ssl/apache2/bauer.crt
        SSLCertificateKeyFile /etc/ssl/apache2/bauer.key
        ServerName whitehathouston.com
        ServerAlias www.whitehathouston.com
        SSLOptions StrictRequire
        # Apache 2.2-era setting; current deployments also disable SSLv3 and early TLS.
        SSLProtocol all -SSLv2
        DocumentRoot /www/whitehathouston.com/htdocs
        <Directory /www/whitehathouston.com/htdocs/>
          SSLRequireSSL
          Order Deny,Allow
          Allow from All
        </Directory>
      </VirtualHost>

      <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/ssl/apache2/bauer.crt
        SSLCertificateKeyFile /etc/ssl/apache2/bauer.key
        ServerName mail.whitehathouston.com
        SSLOptions StrictRequire
        SSLProtocol all -SSLv2
        DocumentRoot /www/mail.whitehathouston.com/htdocs
        <Directory /www/mail.whitehathouston.com/htdocs/>
          SSLRequireSSL
          Order Deny,Allow
          Allow from All
        </Directory>
      </VirtualHost>

      <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/ssl/apache2/bauer.crt
        SSLCertificateKeyFile /etc/ssl/apache2/bauer.key
        ServerName sysmon.whitehathouston.com
        SSLOptions StrictRequire
        SSLProtocol all -SSLv2
        DocumentRoot /usr/share/nagios/htdocs
        <Directory /usr/share/nagios/htdocs/>
          SSLRequireSSL
          Order Deny,Allow
          Allow from All
        </Directory>
      </VirtualHost>
    </IfModule>
  </IfDefine>
</IfDefine>
```

Now, there are a handful of ways to access phpmyadmin

You can either just do:

```
cd /path/to/audiodef.com/htdocs
mkdir phpmyadmin
```

and access phpmyadmin by just going to http://audiodef.com/phpmyadmin

OR 

if you want to have a different dedicated URL for this, you'd need to add a new CNAME in godaddy called, for example, 'dbadmin' that points at '@', which would mean you could browse to dbadmin.audiodef.com and hit this server

Now, how do you tell apache to serve different files for 'dbadmin.audiodef.com' than you do for just 'audiodef.com' ?

A new virtualhost. HTTP (or HTTPS) requests to any hostnames that match the ServerName or ServerAlias directives inside a <VirtualHost> block, will have that block's files served. So in this case, you'd add a new VirtualHost block, set the ServerName value to dbadmin.audiodef.com, and make its DocumentRoot point to /path/to/phpmyadmin/installation/htdocs

 *Quote:*   

> 
> 
> host.domain.name = ? On my hosting account, I named my server serverdef, so does host.domain.name = audiodef.com or does it = serverdef.audiodef.com?

 

If you want people to be able to browse to 'serverdef.audiodef.com' (just as an aside, I realize that's not what you're asking) you'd need a new DNS entry at GoDaddy, probably another CNAME pointed at @, and then add 'serverdef.audiodef.com' to the ServerAlias value for whichever VirtualHost you want such requests to be routed to (or, if you want serverdef.audiodef.com to serve completely different content, add a new VirtualHost block specifically for that purpose, point it at whichever path in the DocumentRoot that'll have the files you want to serve, and that's done and done)

----------

## cach0rr0

actually

I'm going to see if I can get a howto written faster than you can finish up that piece of doc, because I really really don't like that doc.

that, and, I was just poking around inside cyrus' configuration files, it looks to be much easier to do the 'virtualdomains' nonsense with cyrus

----------

## audiodef

Aha, a race. You're on! On your mark... get set... hey! I dinnae say go!

----------

## audiodef

I ran into a couple of things:

1. Putting SSLRequireSSL in my audiodef.conf file results in a permission denied error in a browser. 

2. Setting up my ssl-vhost.conf results in 

```
(98)Address already in use: make_sock: could not bind to address [::]:443
```

when I restart apache. 

I wonder if vr.org has set things up so that you have to buy SSL certs rather than generate your own. I'm hoping I've just done something wrong, though, that I can fix.

----------

## cach0rr0

 *audiodef wrote:*   

> 
> 
> ```
> 
> (98)Address already in use: make_sock: could not bind to address [::]:443
> ...

 

```
grep -r Listen /etc/apache2/*
```

if you have a Listen line somewhere earlier that's binding an apache process to 443, then later within your vhost config set another Listen line, the second one will fail

You might just flat out shut apache down instead of restarting it when you make these changes, just in case it's being slow to give up that port, or finicky for some other reason. 

And of course all of this is assuming that netstat -anp doesn't show any other non-Apache process bound to 443
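
The grep above lists every Listen directive; what it does not do is say which pairs actually collide. The check below is an added example (not from the thread or from Apache) that normalizes Listen arguments and reports overlaps: a bare `Listen 443` claims every address, so it overlaps both `Listen [::]:443` and `Listen 192.0.2.1:443`, while two different specific addresses on the same port do not. The config files are constructed stand-ins for what sits under /etc/apache2/; the error quoted above is exactly what the overlapping pair produces at start-up.

```python
"""Find Apache Listen directives that would claim the same socket.

Added example with constructed config files, not from the thread and not
Apache's own logic. A second Listen on a socket an earlier Listen already
binds fails at start-up with "(98)Address already in use: make_sock".
"""
import re

# Constructed stand-in for the files `grep -r Listen /etc/apache2/*` would search.
CONFIG_FILES = {
    "/etc/apache2/httpd.conf": "Listen 80\n",
    "/etc/apache2/vhosts.d/00_default_ssl_vhost.conf":
        "<IfDefine SSL>\n  Listen 443\n  NameVirtualHost *:443\n</IfDefine>\n",
    "/etc/apache2/vhosts.d/ssl-vhost.conf":
        "Listen [::]:443\nNameVirtualHost *:443\n",
}

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_listen(arg):
    """Return (address, port) for a Listen argument; '*' means every address."""
    if arg.startswith("["):                        # [::]:443 or [::1]:8443
        addr, _, port = arg[1:].partition("]:")
        return (addr or "*", int(port))
    if ":" in arg:                                 # 192.0.2.1:443
        addr, port = arg.rsplit(":", 1)
        return (addr, int(port))
    return ("*", int(arg))                         # bare port: all addresses, v4 and v6


def collect_listens(files):
    """Every Listen directive as (path, (address, port)), in file order."""
    return [(path, parse_listen(m.group(1)))
            for path, text in files.items()
            for m in LISTEN_RE.finditer(text)]


def overlapping(a, b):
    """Two specs collide when the port matches and either side covers the other's address."""
    return a[1] == b[1] and (a[0] == "*" or b[0] == "*" or a[0] == b[0])


def listen_conflicts(files):
    """Pairs (earlier_file, earlier_spec, later_file, later_spec) that would collide."""
    seen, conflicts = [], []
    for path, spec in collect_listens(files):
        for prev_path, prev in seen:
            if overlapping(prev, spec):
                conflicts.append((prev_path, prev, path, spec))
        seen.append((path, spec))
    return conflicts


if __name__ == "__main__":
    for prev_path, prev, path, spec in listen_conflicts(CONFIG_FILES):
        print(f"{path}: Listen {spec} collides with Listen {prev} from {prev_path}")
```

For the constructed tree the only hit is the pair 00_default_ssl_vhost.conf (`Listen 443`) and ssl-vhost.conf (`Listen [::]:443`), which is the situation behind the quoted error: the stock SSL vhost already binds 443 on all addresses, so the hand-written one should drop its own Listen line rather than repeat it.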

----------

## cach0rr0

 *audiodef wrote:*   

> Aha, a race. You're on! On your mark... get set... hey! I dinnae say go!

 


I'm about a third of the way finished. The last "plain english" doc I did, I took my time, drew up an outline, and it was all fairly organized. Trying to wing it on this one, brain is all over the place.

----------

## cach0rr0

So, a disclaimer here. 

I haven't slept in a while, just finished this, and I'll be damned if it isn't an all nighter that ends with me hitting the final :wq at noon the next day! 

What that means is, this isn't thoroughly tested. 

But here ya go - if you get completely stuck on the doc you're using, have a gander at this - http://whitehathouston.com/documentation/gentoo/postfix_cyrus_vhost_howto.htm

Like I said, some of it was done on zero sleep, so I can't promise I've completely tested everything. But well, at least the page validates as HTML 4.01 Transitional.

It should be solid, though. If you get to where you try it out, or if anyone else reading this fancies trying it out, feedback appreciated. I think it may still be a useful read even for people reading the existing docs, because it goes into greater detail breaking things down, explaining how things piece together, WHY you do something instead of just "copy and paste this, ok now copy and paste this". But that's a matter of opinion I suppose. 

~1000 lines of HTML in vi and I'm pretty sure my ass is broken, but the lil fucker is done. I'll probably go through it after a nap and a weekend boozer to see if I've missed anything obvious.

----------

## audiodef

I'm all in favour of documentation that goes into why, or anything more than "hey, just do this, OK? Thanks". 

Beginning read... now.

----------

## audiodef

So far, so good. Well written! 

Here's a suggestion: "However, as this database isn't going to be particularly large nor resource-intensive, MySQL is realistically overkill, and SQLite should be perfectly suitable unless you have thousands upon thousands of users, and you have multiple people updating the database at the same time."

You could add "or if you already have MySQL and it's therefore convenient to just use that".

----------

## cach0rr0

doc tweaked accordingly.

----------

## audiodef

I'm a little slow because it's been busy the past few days. 

You write very well!

I was wondering if there was any reason for suggesting /root/overlays as PORTDIR_OVERLAY instead of the usual /usr/local/portage. Also, and I've done this on my own server for Cyrus, I make sure the necessary category dir exists, and then do cp -rv /usr/portage/category/package /usr/local/portage/category, and then download or modify ebuilds. I'm sure it's just a matter of personal preference.

----------

## audiodef

I'm debating whether to enable pop3 in cyrus.conf. Why don't you like it?

----------

## cach0rr0

 *audiodef wrote:*   

> 
> 
> You write very well!

 

Thank ya! When I finally get motivated enough to write, it comes out fairly well. Though towards the end it will be a bit more obvious I was falling asleep at my keyboard and just trying to finish up.

 *audiodef wrote:*   

> 
> 
> I was wondering if there was any reason for suggesting /root/overlays as PORTDIR_OVERLAY instead of the usual /usr/local/portage. Also, and I've done this on my own server for Cyrus, I make sure the necessary category dir exists, and then do cp -rv /usr/portage/category/package /usr/local/portage/category, and then download or modify ebuilds. I'm sure it's just a matter of personal preference.

 

Yeah, all personal preference. No real good reason, other than ~/overlays being easier for me to remember.

----------

## cach0rr0

 *audiodef wrote:*   

> I'm debating whether to enable pop3 in cyrus.conf. Why don't you like it?

 

whoops, noticed this one a bit late 

If I were to enable pop3 at all, it'd be pop3s.

I don't generally like POP3, because I access my e-mail from multiple places. I want the messages to stay on the server so I can just as easily access them from home as I can from my phone or anywhere else. 

http://www1.umn.edu/adcs/guides/email/imapvspop.html

As far as data-security goes, it *is* possible for clients to be configured to keep a local copy of e-mail with IMAP (this is the default with POP), but if I have control of a machine and am setting it up, I disallow this (moreso a concern for commercial type environments), because there may well be a case that someone loses their laptop or phone, and someone can easily hop on (e.g. boot sysrescuecd, ntfs-3g mount) and read all of those cached copies of the e-mail. Of course, if the user's disk is encrypted, that's not really a concern, but that's not always practical, AND if we're talking about Windows users, I'm quite certain "authorities" can get around BitLocker.

If your mail volume is such that storage is at a premium, you may well want to enable pop3s. Then again, you can just as easily keep watch over your disk usage, and if it gets to an unacceptably high level, enable pop temporarily, download the mail, dump in a backup somewhere locally, disable pop now that you've freed up space, and go on about your business. Of course, enforcing mailbox quotas gets you around the issue entirely.

----------

## audiodef

That all sounds good. 

OK, I've gotten through the tutorial, and it's a nice one. But mail just doesn't seem to be working, and I rather suspect I haven't configured stuff right on Godaddy. I set up a webmaster at audiodef dot com email in postfix/cyrus/mysql and then went to Godaddy to change things there. 

I think we went over this earlier in this thread, but I'm just not sure I've done everything right on the Godaddy end. 

I went to DNS manager, edit zone, scroll down to MX, quick add, points to = audiodef.com, host = @, priority = 0. Do I leave the mailstore1.secureserver.net and smtp.secureserver.net lines there (I removed them earlier, I have since put them back to avoid bouncing emails from anyone trying to reach me)? How do I actually test the webmaster email I set up? I tried testing it with mail2web.com as a quick and dirty test, but got a no such email address error.

----------

## cach0rr0

I get this when I try to connect to audiodef.com on port 25:

```
ricker ~ # telnet audiodef.com 25
Trying 209.177.157.239...
Connected to audiodef.com.
Escape character is '^]'.
Connection closed by foreign host.
```

if an SMTP server sending to you gets this, it will fall back over to 'smtp.secureserver.net'

```
ricker ~ # host audiodef.com
audiodef.com has address 209.177.157.239
audiodef.com mail is handled by 0 audiodef.com.
audiodef.com mail is handled by 0 smtp.secureserver.net.
audiodef.com mail is handled by 10 mailstore1.secureserver.net.
```

Do you get a banner at all if you telnet localhost 25 on that server? 

Grep through all of /var/log/* for my IP here (75.148.243.90). Also any logging output you can pastebin from Postfix would be useful. 

I remember seeing this same behavior before you started on this (the setup in my doc i mean), and had just assumed you were working on getting the setup started.

Once we can sort out this connection issue, you should remove both of the secureserver lines from your DNS setup (e.g. your only MX should be 'audiodef.com')
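
Two things in that `host` output are worth making mechanical. First, a sending MTA does not "fall back" only on failure: RFC 5321 section 5.1 has it try the lowest preference first and randomize among hosts of equal preference, so with both audiodef.com and smtp.secureserver.net at preference 0 a share of all mail goes to the old provider even once the new server answers, and everything does while it closes the connection. Second, the symptom "Connected ... Connection closed by foreign host" with no 220 line is distinct from a refused connection and from a non-220 greeting, and a probe should report which one it saw. The block below is an added example (not from the thread, not Postfix or any DNS library): it parses `host`-style MX lines, lists the order a sender would use, flags every MX host you do not run, and probes a host for its banner. The sample output uses example.org and made-up provider names; the fake listener exists only so both probe outcomes can be seen offline.

```python
"""Read MX records the way a sending MTA does and probe each host for an SMTP banner.

Added example with constructed data; the `host` output below is made up and the
fake listener stands in for a real MTA so the probe can be exercised offline.
"""
import random
import re
import socket
import threading
from collections import defaultdict

# Constructed sample in the format `host DOMAIN` prints; names are not real.
SAMPLE_HOST_OUTPUT = """\
example.org has address 192.0.2.10
example.org mail is handled by 0 example.org.
example.org mail is handled by 0 smtp.old-provider.example.
example.org mail is handled by 10 mailstore1.old-provider.example.
"""

MX_RE = re.compile(r"mail is handled by (\d+) (\S+?)\.?$")


def parse_host_output(text):
    """[(preference, host), ...] from the MX lines in `host` output."""
    records = []
    for line in text.splitlines():
        m = MX_RE.search(line)
        if m:
            records.append((int(m.group(1)), m.group(2)))
    return records


def delivery_order(records, rng=random):
    """RFC 5321 5.1: lowest preference first; equal preferences in random order."""
    by_pref = defaultdict(list)
    for pref, host in records:
        by_pref[pref].append(host)
    order = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        order.extend(group)
    return order


def foreign_mx(records, our_hosts):
    """MX hosts you do not run, with what their listing means for your mail."""
    lowest = min(pref for pref, _ in records)
    result = {}
    for pref, host in records:
        if host not in our_hosts:
            result[host] = ("shares delivery with yours" if pref == lowest
                            else "takes over when lower-preference hosts fail")
    return result


def smtp_banner(host, port=25, timeout=5.0):
    """Return the 220 greeting, or a short description of why none arrived."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            line = sock.makefile("rb").readline()
            if not line:                               # the thread's symptom
                return "connected, then closed without a banner"
            greeting = line.decode("ascii", "replace").rstrip()
            if not greeting.startswith("220"):
                return "unexpected greeting: " + greeting
            sock.sendall(b"QUIT\r\n")
            return greeting
    except OSError as exc:
        return "connect failed: %s" % exc


def fake_smtp_listener(greeting):
    """Constructed peer on 127.0.0.1: serves one connection, sends `greeting`
    (possibly nothing), then closes. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if greeting:
            conn.sendall(greeting)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    recs = parse_host_output(SAMPLE_HOST_OUTPUT)
    print("sender order:", delivery_order(recs))
    print("foreign MX:", foreign_mx(recs, {"example.org"}))
    print(smtp_banner("127.0.0.1", fake_smtp_listener(b"220 mail.example.org ESMTP Postfix\r\n")))
    print(smtp_banner("127.0.0.1", fake_smtp_listener(b"")))
```

Against the real zone, `foreign_mx(parse_host_output(output), {"audiodef.com"})` would list both secureserver hosts, one as sharing delivery and one as the failure fallback, which is why the thread's advice to end up with a single MX is the right target once the banner problem is fixed.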

----------

## cach0rr0

 *audiodef wrote:*   

>  I tried testing it with mail2web.com as a quick and dirty test, but got a no such email address error.

 

also, regarding this, I just had a look - their freebie service doesn't support IMAPS on 993. 

I'd snag a fat client you don't have to compile, set it up. Something like thunderbird-bin (whereupon you can happily remove it)

Ideal way of testing, hop on gmail, tail -f /var/log/mail.log (or wherever postfix logs to), send yourself an email, watch it process in the logs. If it never even seems to get to Postfix, I'd be inclined to blame something like denyhosts (I don't think it's iptables, since it allows the initial connection but *then* kicks me out)

Personally not a fan of webmail in general (and can't echo the statements here strongly enough - https://bugs.gentoo.org/show_bug.cgi?id=101270#c30)

If you at some point decide to toss up a webmail app, be darn sure you put it in a password-protected directory, for that very reason. 

You can even have Apache authenticate against an IMAP server if need be, instead of having the user remember two passwords (I did that in the past - can post info if needed)

----------

## audiodef

 *cach0rr0 wrote:*   

> 
> 
> Do you get a banner at all if you telnet localhost 25 on that server? 
> 
> 

 

Nope, no banner. 

 *cach0rr0 wrote:*   

> 
> 
> Grep through all of /var/log/* for my IP here (75.148.243.90). Also any logging output you can pastebin from Postfix would be useful. 
> 
> 

 

I found this:

```
/var/log/messages:Apr 13 09:48:59 serverdef postfix/smtpd[1517]: connect from gw.whitehathouston.com[75.148.243.90]
```

I'm certain I changed everything in the examples over to my information. Does this log entry mean I should fix something?

I need to hit the hay. I'll follow up some more in the morning. Otherwise, I'll permanently look like this:   :Shocked: 

----------

## cach0rr0

 *audiodef wrote:*   

> 
> 
> I'm certain I changed everything in the examples over to my information. Does this log entry mean I should fix something?
> 
> 

 

The log entry itself just shows that I successfully connected to the Postfix daemon. 

I'd be more keen to look a few entries before and after that line to see if you're seeing any errors thrown. 

I'd even check dmesg to see if Postfix is segfaulting for some reason. 

If you're not getting a banner, something is amiss, and it *should* be getting logged. 

 *audiodef wrote:*   

> 
> 
> I need to hit the hay. I'll follow up some more in the morning. Otherwise, I'll permanently look like this:  

 

no worries. If I missed something in the doc, now is as good a time to find it as any - but there shouldn't realistically be anything missing, I used my live main.cf as an example in there. 

If there's stuff you don't want to make public (e.g. invasive logging info, or full main.cf) just PM it to me and I'll have a look

----------

## audiodef

OK, finally got another chance to sit down and look at this. 

There aren't separate log files for postfix and cyrus, and since the messages file was 134MB, with too-numerous-to-count entries for postfix, I moved it to a backup file and restarted my server. Now I see a bunch of TLS errors in /var/log/messages:

```
Apr 17 22:55:50 serverdef syslog-ng[2292]: syslog-ng starting up; version='3.1.4'
Apr 17 22:55:50 serverdef kernel: [    0.000000] Initializing cgroup subsys cpuset
Apr 17 22:55:50 serverdef kernel: [    0.000000] Initializing cgroup subsys cpu
Apr 17 22:55:50 serverdef kernel: [    0.000000] Linux version 2.6.34-xen-vr.org (root@gentoo64) (gcc version 4.3.4 (Gentoo 4.3.4 p1.0, pie-10.1.5) ) #2 SMP Mon Jul 5 20:54:35 PDT 2010
Apr 17 22:55:50 serverdef kernel: [    0.000000] Command line: root=/dev/hda3
Apr 17 22:55:50 serverdef kernel: [    0.000000] Xen-provided physical RAM map:
Apr 17 22:55:50 serverdef kernel: [    0.000000]  Xen: 0000000000000000 - 0000000020800000 (usable)
Apr 17 22:55:50 serverdef kernel: [    0.000000] NX (Execute Disable) protection: active
Apr 17 22:55:50 serverdef kernel: [    0.000000] last_pfn = 0x20800 max_arch_pfn = 0x80000000
Apr 17 22:55:50 serverdef kernel: [    0.000000] initial memory mapped : 0 - 00000000
Apr 17 22:55:50 serverdef kernel: [    0.000000] init_memory_mapping: 0000000000000000-0000000020800000
Apr 17 22:55:50 serverdef kernel: [    0.000000]  0000000000 - 0020800000 page 4k
Apr 17 22:55:50 serverdef kernel: [    0.000000] kernel direct mapping tables up to 20800000 @ 1990000-1a96000
Apr 17 22:55:50 serverdef kernel: [    0.000000] Zone PFN ranges:
Apr 17 22:55:50 serverdef kernel: [    0.000000]   DMA      0x00000000 -> 0x00001000
Apr 17 22:55:50 serverdef kernel: [    0.000000]   DMA32    0x00001000 -> 0x00100000
Apr 17 22:55:50 serverdef kernel: [    0.000000]   Normal   empty
Apr 17 22:55:50 serverdef kernel: [    0.000000] Movable zone start PFN for each node
Apr 17 22:55:50 serverdef kernel: [    0.000000] early_node_map[2] active PFN ranges
Apr 17 22:55:50 serverdef kernel: [    0.000000]     0: 0x00000000 -> 0x00020000
Apr 17 22:55:50 serverdef kernel: [    0.000000]     0: 0x00020800 -> 0x00020800
Apr 17 22:55:50 serverdef kernel: [    0.000000] On node 0 totalpages: 131072
Apr 17 22:55:50 serverdef kernel: [    0.000000] free_area_init_node: node 0, pgdat ffffffff81740ac0, node_mem_map ffff880001a96000
Apr 17 22:55:50 serverdef kernel: [    0.000000]   DMA zone: 56 pages used for memmap
Apr 17 22:55:50 serverdef kernel: [    0.000000]   DMA zone: 0 pages reserved
Apr 17 22:55:50 serverdef kernel: [    0.000000]   DMA zone: 4040 pages, LIFO batch:0
Apr 17 22:55:50 serverdef kernel: [    0.000000]   DMA32 zone: 1764 pages used for memmap
Apr 17 22:55:50 serverdef kernel: [    0.000000]   DMA32 zone: 125212 pages, LIFO batch:31
Apr 17 22:55:50 serverdef kernel: [    0.000000] setup_percpu: NR_CPUS:8 nr_cpumask_bits:8 nr_cpu_ids:2 nr_node_ids:1
Apr 17 22:55:50 serverdef kernel: [    0.000000] PERCPU: Embedded 19 pages/cpu @ffff880001876000 s45480 r8192 d24152 u77824
Apr 17 22:55:50 serverdef kernel: [    0.000000] pcpu-alloc: s45480 r8192 d24152 u77824 alloc=19*4096
Apr 17 22:55:50 serverdef kernel: [    0.000000] pcpu-alloc: [0] 0 [0] 1 
Apr 17 22:55:50 serverdef kernel: [    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 129252
Apr 17 22:55:50 serverdef kernel: [    0.000000] Kernel command line: root=/dev/hda3
Apr 17 22:55:50 serverdef kernel: [    0.000000] PID hash table entries: 2048 (order: 2, 16384 bytes)
Apr 17 22:55:50 serverdef kernel: [    0.000000] Dentry cache hash table entries: 65536 (order: 7, 524288 bytes)
Apr 17 22:55:50 serverdef kernel: [    0.000000] early_res array is doubled to 64 at [0 - 7ff]
Apr 17 22:55:50 serverdef kernel: [    0.000000] Inode-cache hash table entries: 32768 (order: 6, 262144 bytes)
Apr 17 22:55:50 serverdef kernel: [    0.000000] Software IO TLB disabled
Apr 17 22:55:50 serverdef kernel: [    0.000000] Subtract (30 early reservations)
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #1 [000197c000 - 0001990000]    Xen provided
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #2 [0001000000 - 000186b3c4]   TEXT DATA BSS
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #3 [0001990000 - 0001a96000]         PGTABLE
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #4 [0020000000 - 0020800000]         BALLOON
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #5 [0001a96000 - 00021b2000]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #6 [000186b400 - 000186b408]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #7 [000186b440 - 000186b5c0]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #8 [000186b5c0 - 000186b5f0]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #9 [000186b600 - 000186e600]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #10 [000186f000 - 0001870000]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #11 [0001870000 - 0001871000]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #12 [0001871000 - 0001872000]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #13 [00021b2000 - 00022b6000]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #14 [0001872000 - 0001872010]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #15 [000186e600 - 000186e608]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #16 [0001873000 - 0001874000]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #17 [000186e640 - 000186e64f]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #18 [000186e680 - 000186e68f]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #19 [0001876000 - 000189c000]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #20 [000186e6c0 - 000186e6c8]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #21 [000186e700 - 000186e708]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #22 [000186e740 - 000186e748]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #23 [000186e780 - 000186e790]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #24 [000186e7c0 - 000186e8c0]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #25 [000186e8c0 - 000186e908]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #26 [000186e940 - 000186e988]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #27 [000189c000 - 00018a0000]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #28 [00018a0000 - 0001920000]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000]   #29 [0001920000 - 0001960000]         BOOTMEM
Apr 17 22:55:50 serverdef kernel: [    0.000000] Memory: 505248k/532480k available (4801k kernel code, 8192k absent, 19040k reserved, 2698k data, 288k init)
Apr 17 22:55:50 serverdef kernel: [    0.000000] SLUB: Genslabs=13, HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
Apr 17 22:55:50 serverdef kernel: [    0.000000] Hierarchical RCU implementation.
Apr 17 22:55:50 serverdef kernel: [    0.000000] NR_IRQS:848 nr_irqs:848
Apr 17 22:55:50 serverdef kernel: [    0.000000] Xen reported: 2133.332 MHz processor.
Apr 17 22:55:50 serverdef kernel: [    0.000000] Console: colour dummy device 80x25
Apr 17 22:55:50 serverdef kernel: [    0.000000] console [tty0] enabled
Apr 17 22:55:50 serverdef kernel: [    0.000000] console [xvc-1] enabled
Apr 17 22:55:50 serverdef kernel: [    0.000000]   alloc irq_desc for 768 on node 0

Apr 17 22:55:50 serverdef kernel: [    0.000000]   alloc kstat_irqs on node 0

Apr 17 22:55:50 serverdef kernel: [    0.060004] Calibrating delay using timer specific routine.. 4300.52 BogoMIPS (lpj=2150260)

Apr 17 22:55:50 serverdef kernel: [    0.060037] Security Framework initialized

Apr 17 22:55:50 serverdef kernel: [    0.060043] SELinux:  Initializing.

Apr 17 22:55:50 serverdef kernel: [    0.060053] SELinux:  Starting in permissive mode

Apr 17 22:55:50 serverdef kernel: [    0.060060] Mount-cache hash table entries: 256

Apr 17 22:55:50 serverdef kernel: [    0.060160] Initializing cgroup subsys ns

Apr 17 22:55:50 serverdef kernel: [    0.060167] Initializing cgroup subsys cpuacct

Apr 17 22:55:50 serverdef kernel: [    0.060173] Initializing cgroup subsys freezer

Apr 17 22:55:50 serverdef kernel: [    0.060237] SMP alternatives: switching to UP code

Apr 17 22:55:50 serverdef kernel: [    0.089276]   alloc irq_desc for 769 on node 0

Apr 17 22:55:50 serverdef kernel: [    0.089278]   alloc kstat_irqs on node 0

Apr 17 22:55:50 serverdef kernel: [    0.089285]   alloc irq_desc for 770 on node 0

Apr 17 22:55:50 serverdef kernel: [    0.089286]   alloc kstat_irqs on node 0

Apr 17 22:55:50 serverdef kernel: [    0.089289]   alloc irq_desc for 771 on node 0

Apr 17 22:55:50 serverdef kernel: [    0.089290]   alloc kstat_irqs on node 0

Apr 17 22:55:50 serverdef kernel: [    0.089362] Brought up 1 CPUs

Apr 17 22:55:50 serverdef kernel: [    0.089491] khelper used greatest stack depth: 6344 bytes left

Apr 17 22:55:50 serverdef kernel: [    0.090034] NET: Registered protocol family 16

Apr 17 22:55:50 serverdef kernel: [    0.090312] khelper used greatest stack depth: 6248 bytes left

Apr 17 22:55:50 serverdef kernel: [    0.090328]   alloc irq_desc for 772 on node 0

Apr 17 22:55:50 serverdef kernel: [    0.090329]   alloc kstat_irqs on node 0

Apr 17 22:55:50 serverdef kernel: [    0.091079] SMP alternatives: switching to SMP code

Apr 17 22:55:50 serverdef kernel: [    0.126018] Brought up 2 CPUs

Apr 17 22:55:50 serverdef kernel: [    0.126517] PCI: Fatal: No config space access function found

Apr 17 22:55:50 serverdef kernel: [    0.126522] PCI: setting up Xen PCI frontend stub

Apr 17 22:55:50 serverdef kernel: [    0.127035] khelper used greatest stack depth: 6208 bytes left

Apr 17 22:55:50 serverdef kernel: [    0.133033] bio: create slab <bio-0> at 0

Apr 17 22:55:50 serverdef kernel: [    0.133050] vgaarb: loaded

Apr 17 22:55:50 serverdef kernel: [    0.133050]   alloc irq_desc for 773 on node 0

Apr 17 22:55:50 serverdef kernel: [    0.133050]   alloc kstat_irqs on node 0

Apr 17 22:55:50 serverdef kernel: [    0.133050] suspend: event channel 11

Apr 17 22:55:50 serverdef kernel: [    0.135061] xen_mem: Initialising balloon driver.

Apr 17 22:55:50 serverdef kernel: [    0.136066] SCSI subsystem initialized

Apr 17 22:55:50 serverdef kernel: [    0.136066] libata version 3.00 loaded.

Apr 17 22:55:50 serverdef kernel: [    0.136066] usbcore: registered new interface driver usbfs

Apr 17 22:55:50 serverdef kernel: [    0.136066] usbcore: registered new interface driver hub

Apr 17 22:55:50 serverdef kernel: [    0.136066] usbcore: registered new device driver usb

Apr 17 22:55:50 serverdef kernel: [    0.137026] PCI: System does not support PCI

Apr 17 22:55:50 serverdef kernel: [    0.137026] PCI: System does not support PCI

Apr 17 22:55:50 serverdef kernel: [    0.137056] cfg80211: Calling CRDA to update world regulatory domain

Apr 17 22:55:50 serverdef kernel: [    0.137056] NetLabel: Initializing

Apr 17 22:55:50 serverdef kernel: [    0.137056] NetLabel:  domain hash size = 128

Apr 17 22:55:50 serverdef kernel: [    0.137056] NetLabel:  protocols = UNLABELED CIPSOv4

Apr 17 22:55:50 serverdef kernel: [    0.137056] NetLabel:  unlabeled traffic allowed by default

Apr 17 22:55:50 serverdef kernel: [    0.137056] Switching to clocksource xen

Apr 17 22:55:50 serverdef kernel: [    0.138813] NET: Registered protocol family 2

Apr 17 22:55:50 serverdef kernel: [    0.138858] IP route cache hash table entries: 16384 (order: 5, 131072 bytes)

Apr 17 22:55:50 serverdef kernel: [    0.139010] TCP established hash table entries: 65536 (order: 8, 1048576 bytes)

Apr 17 22:55:50 serverdef kernel: [    0.139208] TCP bind hash table entries: 65536 (order: 8, 1048576 bytes)

Apr 17 22:55:50 serverdef kernel: [    0.139409] TCP: Hash tables configured (established 65536 bind 65536)

Apr 17 22:55:50 serverdef kernel: [    0.139415] TCP reno registered

Apr 17 22:55:50 serverdef kernel: [    0.139420] UDP hash table entries: 256 (order: 1, 8192 bytes)

Apr 17 22:55:50 serverdef kernel: [    0.139426] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)

Apr 17 22:55:50 serverdef kernel: [    0.139488] NET: Registered protocol family 1

Apr 17 22:55:50 serverdef kernel: [    0.139593] RPC: Registered udp transport module.

Apr 17 22:55:50 serverdef kernel: [    0.139598] RPC: Registered tcp transport module.

Apr 17 22:55:50 serverdef kernel: [    0.139601] RPC: Registered tcp NFSv4.1 backchannel transport module.

Apr 17 22:55:50 serverdef kernel: [    0.139607] PCI: CLS 32 bytes

Apr 17 22:55:50 serverdef kernel: [    0.139810] platform rtc_cmos: registered platform RTC device (no PNP device found)

Apr 17 22:55:50 serverdef kernel: [    0.140657] audit: initializing netlink socket (disabled)

Apr 17 22:55:50 serverdef kernel: [    0.140671] type=2000 audit(1303106145.487:1): initialized

Apr 17 22:55:50 serverdef kernel: [    0.180093] khelper used greatest stack depth: 6048 bytes left

Apr 17 22:55:50 serverdef kernel: [    0.181126] VFS: Disk quotas dquot_6.5.2

Apr 17 22:55:50 serverdef kernel: [    0.181217] Dquot-cache hash table entries: 512 (order 0, 4096 bytes)

Apr 17 22:55:50 serverdef kernel: [    0.182088] msgmni has been set to 1024

Apr 17 22:55:50 serverdef kernel: [    0.182198] SELinux:  Registering netfilter hooks

Apr 17 22:55:50 serverdef kernel: [    0.182627] alg: No test for stdrng (krng)

Apr 17 22:55:50 serverdef kernel: [    0.182755] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)

Apr 17 22:55:50 serverdef kernel: [    0.182762] io scheduler noop registered

Apr 17 22:55:50 serverdef kernel: [    0.182766] io scheduler deadline registered

Apr 17 22:55:50 serverdef kernel: [    0.182883] io scheduler cfq registered (default)

Apr 17 22:55:50 serverdef kernel: [    0.183008] pci_hotplug: PCI Hot Plug PCI Core version: 0.5

Apr 17 22:55:50 serverdef kernel: [    0.186374] Non-volatile memory driver v1.3

Apr 17 22:55:50 serverdef kernel: [    0.186384] Linux agpgart interface v0.103

Apr 17 22:55:50 serverdef kernel: [    0.186550] [drm] Initialized drm 1.1.0 20060810

Apr 17 22:55:50 serverdef kernel: [    0.186556] [drm:i915_init] *ERROR* drm/i915 can't work without intel_agp module!

Apr 17 22:55:50 serverdef kernel: [    0.188451] brd: module loaded

Apr 17 22:55:50 serverdef kernel: [    0.189469] loop: module loaded

Apr 17 22:55:50 serverdef kernel: [    0.189484]   alloc irq_desc for 774 on node 0

Apr 17 22:55:50 serverdef kernel: [    0.189486]   alloc kstat_irqs on node 0

Apr 17 22:55:50 serverdef kernel: [    0.189559] Xen virtual console successfully installed as xvc0

Apr 17 22:55:50 serverdef kernel: [    0.189924]   alloc irq_desc for 775 on node 0

Apr 17 22:55:50 serverdef kernel: [    0.189925]   alloc kstat_irqs on node 0

Apr 17 22:55:50 serverdef kernel: [    0.192175] netfront: Initialising virtual ethernet driver.

Apr 17 22:55:50 serverdef kernel: [    0.196611] Console: switching to colour frame buffer device 100x37

Apr 17 22:55:50 serverdef kernel: [    0.197848]   alloc irq_desc for 776 on node 0

Apr 17 22:55:50 serverdef kernel: [    0.197850]   alloc kstat_irqs on node 0

Apr 17 22:55:50 serverdef kernel: [    0.202402] console [tty0] enabled

Apr 17 22:55:50 serverdef kernel: [    0.203036] input: Xen Virtual Keyboard as /devices/virtual/input/input0

Apr 17 22:55:50 serverdef kernel: [    0.203156] input: Xen Virtual Pointer as /devices/virtual/input/input1

Apr 17 22:55:50 serverdef kernel: [    0.203196]   alloc irq_desc for 777 on node 0

Apr 17 22:55:50 serverdef kernel: [    0.203197]   alloc kstat_irqs on node 0

Apr 17 22:55:50 serverdef kernel: [    0.210795]   alloc irq_desc for 778 on node 0

Apr 17 22:55:50 serverdef kernel: [    0.210797]   alloc kstat_irqs on node 0

Apr 17 22:55:50 serverdef kernel: [    0.224195] xen-vbd: registered block device major 3

Apr 17 22:55:50 serverdef kernel: [    0.224656]  hda: hda1 hda2 hda3

Apr 17 22:55:50 serverdef kernel: [    0.236515] Intel(R) PRO/1000 Network Driver - version 7.3.21-k5-NAPI

Apr 17 22:55:50 serverdef kernel: [    0.236555] Copyright (c) 1999-2006 Intel Corporation.

Apr 17 22:55:50 serverdef kernel: [    0.236842] e1000e: Intel(R) PRO/1000 Network Driver - 1.0.2-k2

Apr 17 22:55:50 serverdef kernel: [    0.237095] e1000e: Copyright (c) 1999 - 2009 Intel Corporation.

Apr 17 22:55:50 serverdef kernel: [    0.237468] e100: Intel(R) PRO/100 Network Driver, 3.5.24-k2-NAPI

Apr 17 22:55:50 serverdef kernel: [    0.237759] e100: Copyright(c) 1999-2006 Intel Corporation

Apr 17 22:55:50 serverdef kernel: [    0.238206] sky2: driver version 1.27

Apr 17 22:55:50 serverdef kernel: [    0.238705] console [netcon0] enabled

Apr 17 22:55:50 serverdef kernel: [    0.239027] netconsole: network logging started

Apr 17 22:55:50 serverdef kernel: [    0.239558] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver

Apr 17 22:55:50 serverdef kernel: [    0.239927] ehci_hcd: block sizes: qh 104 qtd 96 itd 192 sitd 96

Apr 17 22:55:50 serverdef kernel: [    0.239987] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver

Apr 17 22:55:50 serverdef kernel: [    0.240382] ohci_hcd: block sizes: ed 80 td 96

Apr 17 22:55:50 serverdef kernel: [    0.240440] uhci_hcd: USB Universal Host Controller Interface driver

Apr 17 22:55:50 serverdef kernel: [    0.241017] usbcore: registered new interface driver usblp

Apr 17 22:55:50 serverdef kernel: [    0.241445] Initializing USB Mass Storage driver...

Apr 17 22:55:50 serverdef kernel: [    0.241935] usbcore: registered new interface driver usb-storage

Apr 17 22:55:50 serverdef kernel: [    0.242400] USB Mass Storage support registered.

Apr 17 22:55:50 serverdef kernel: [    0.242927] usbcore: registered new interface driver libusual

Apr 17 22:55:50 serverdef kernel: [    0.244261] i8042.c: No controller found.

Apr 17 22:55:50 serverdef kernel: [    0.244882] mice: PS/2 mouse device common for all mice

Apr 17 22:55:50 serverdef kernel: [    0.245733] rtc_cmos rtc_cmos: rtc core: registered rtc_cmos as rtc0

Apr 17 22:55:50 serverdef kernel: [    0.246690] device-mapper: ioctl: 4.17.0-ioctl (2010-03-05) initialised: dm-devel@redhat.com

Apr 17 22:55:50 serverdef kernel: [    0.248658] usbcore: registered new interface driver hiddev

Apr 17 22:55:50 serverdef kernel: [    0.249344] usbcore: registered new interface driver usbhid

Apr 17 22:55:50 serverdef kernel: [    0.249960] usbhid: USB HID core driver

Apr 17 22:55:50 serverdef kernel: [    0.250635] Netfilter messages via NETLINK v0.30.

Apr 17 22:55:50 serverdef kernel: [    0.251297] nf_conntrack version 0.5.0 (4096 buckets, 16384 max)

Apr 17 22:55:50 serverdef kernel: [    0.252073] ctnetlink v0.93: registering with nfnetlink.

Apr 17 22:55:50 serverdef kernel: [    0.253062] ip_tables: (C) 2000-2006 Netfilter Core Team

Apr 17 22:55:50 serverdef kernel: [    0.253711] TCP cubic registered

Apr 17 22:55:50 serverdef kernel: [    0.254323] Initializing XFRM netlink socket

Apr 17 22:55:50 serverdef kernel: [    0.255399] NET: Registered protocol family 10

Apr 17 22:55:50 serverdef kernel: [    0.256816] ip6_tables: (C) 2000-2006 Netfilter Core Team

Apr 17 22:55:50 serverdef kernel: [    0.257535] IPv6 over IPv4 tunneling driver

Apr 17 22:55:50 serverdef kernel: [    0.258703] NET: Registered protocol family 17

Apr 17 22:55:50 serverdef kernel: [    0.259731] registered taskstats version 1

Apr 17 22:55:50 serverdef kernel: [    0.260448] md: Waiting for all devices to be available before autodetect

Apr 17 22:55:50 serverdef kernel: [    0.261087] md: If you don't use raid, use raid=noautodetect

Apr 17 22:55:50 serverdef kernel: [    0.261967] md: Autodetecting RAID arrays.

Apr 17 22:55:50 serverdef kernel: [    0.262619] md: Scanned 0 and added 0 devices.

Apr 17 22:55:50 serverdef kernel: [    0.263354] md: autorun ...

Apr 17 22:55:50 serverdef kernel: [    0.263982] md: ... autorun DONE.

Apr 17 22:55:50 serverdef kernel: [    0.271152] kjournald starting.  Commit interval 5 seconds

Apr 17 22:55:50 serverdef kernel: [    0.271163] EXT3-fs (hda3): mounted filesystem with writeback data mode

Apr 17 22:55:50 serverdef kernel: [    0.271176] VFS: Mounted root (ext3 filesystem) readonly on device 3:3.

Apr 17 22:55:50 serverdef kernel: [    0.271275] Freeing unused kernel memory: 288k freed

Apr 17 22:55:50 serverdef kernel: [    0.271369] Write protecting the kernel read-only data: 7036k

Apr 17 22:55:50 serverdef kernel: [    0.565022] consoletype used greatest stack depth: 5680 bytes left

Apr 17 22:55:50 serverdef kernel: [    0.575360] stty used greatest stack depth: 4312 bytes left

Apr 17 22:55:50 serverdef kernel: [    1.140102] udev: starting version 151

Apr 17 22:55:50 serverdef kernel: [    1.565660] EXT3-fs (hda3): using internal journal

Apr 17 22:55:50 serverdef kernel: [    1.846174] Adding 530140k swap on /dev/hda2.  Priority:-1 extents:1 across:530140k SS

Apr 17 22:55:55 serverdef sshd[2920]: Server listening on 0.0.0.0 port 22.

Apr 17 22:55:55 serverdef sshd[2920]: Server listening on :: port 22.

Apr 17 22:56:04 serverdef master[3118]: setrlimit: Unable to set file descriptors limit to -1: Operation not permitted

Apr 17 22:56:04 serverdef master[3118]: retrying with 1024 (current max)

Apr 17 22:56:04 serverdef master[3118]: process started

Apr 17 22:56:04 serverdef master[3122]: about to exec /usr/lib64/cyrus/ctl_cyrusdb

Apr 17 22:56:05 serverdef ctl_cyrusdb[3122]: recovering cyrus databases

Apr 17 22:56:05 serverdef ctl_cyrusdb[3122]: skiplist: checkpointed /var/imap/mailboxes.db (1 record, 220 bytes) in 0 seconds

Apr 17 22:56:05 serverdef ctl_cyrusdb[3122]: skiplist: checkpointed /var/imap/annotations.db (0 records, 144 bytes) in 0 seconds

Apr 17 22:56:05 serverdef ctl_cyrusdb[3122]: done recovering cyrus databases

Apr 17 22:56:05 serverdef master[3118]: ready for work

Apr 17 22:56:05 serverdef master[3182]: about to exec /usr/lib64/cyrus/ctl_cyrusdb

Apr 17 22:56:05 serverdef master[3180]: about to exec /usr/lib64/cyrus/tls_prune

Apr 17 22:56:05 serverdef master[3181]: about to exec /usr/lib64/cyrus/ctl_deliver

Apr 17 22:56:05 serverdef ctl_cyrusdb[3182]: checkpointing cyrus databases

Apr 17 22:56:05 serverdef tls_prune[3180]: DBERROR: opening /var/imap/tls_sessions.db: No such file or directory

Apr 17 22:56:05 serverdef tls_prune[3180]: DBERROR: opening /var/imap/tls_sessions.db: cyrusdb error

Apr 17 22:56:05 serverdef master[3118]: process 3180 exited, status 1

Apr 17 22:56:05 serverdef ctl_cyrusdb[3182]: archiving log file: /var/imap/db/log.0000000001

Apr 17 22:56:05 serverdef ctl_cyrusdb[3182]: archiving log file: /var/imap/db/log.0000000001

Apr 17 22:56:05 serverdef ctl_cyrusdb[3182]: archiving log file: /var/imap/db/log.0000000001

Apr 17 22:56:05 serverdef cyr_expire[3181]: Expunged 0 out of 0 messages from 0 mailboxes

Apr 17 22:56:05 serverdef cyr_expire[3181]: duplicate_prune: pruning back 3 days

Apr 17 22:56:05 serverdef cyr_expire[3181]: duplicate_prune: purged 0 out of 0 entries

Apr 17 22:56:05 serverdef master[3118]: process 3181 exited, status 0

Apr 17 22:56:05 serverdef ctl_cyrusdb[3182]: archiving database file: /var/imap/annotations.db

Apr 17 22:56:05 serverdef ctl_cyrusdb[3182]: archiving database file: /var/imap/mailboxes.db

Apr 17 22:56:05 serverdef ctl_cyrusdb[3182]: archiving log file: /var/imap/db/log.0000000001

Apr 17 22:56:05 serverdef ctl_cyrusdb[3182]: done checkpointing cyrus databases

Apr 17 22:56:05 serverdef master[3118]: process 3182 exited, status 0

Apr 17 22:56:06 serverdef postfix/postfix-script[3250]: starting the Postfix mail system

Apr 17 22:56:06 serverdef postfix/master[3251]: daemon started -- version 2.7.3, configuration /etc/postfix

Apr 17 22:56:06 serverdef cron[3368]: (CRON) STARTUP (V5.0)

Apr 17 22:56:16 serverdef sshd[3508]: SSH: Server;Ltype: Version;Remote: 108.48.127.48-36103;Protocol: 2.0;Client: OpenSSH_5.8p1-hpn13v10

Apr 17 22:56:20 serverdef sshd[3508]: Accepted keyboard-interactive/pam for root from 108.48.127.48 port 36103 ssh2

Apr 17 22:56:20 serverdef sshd[3508]: pam_unix(sshd:session): session opened for user root by (uid=0)

Apr 17 22:57:06 serverdef postfix/smtpd[3535]: sql auxprop plugin using mysql engine

Apr 17 22:57:06 serverdef postfix/smtpd[3535]: cannot load Certificate Authority data: disabling TLS support

Apr 17 22:57:06 serverdef postfix/smtpd[3535]: warning: TLS library problem: 3535:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('/etc/ssl/postfix/root.crt','r'):

Apr 17 22:57:06 serverdef postfix/smtpd[3535]: warning: TLS library problem: 3535:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:

Apr 17 22:57:06 serverdef postfix/smtpd[3535]: warning: TLS library problem: 3535:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:

Apr 17 22:57:06 serverdef postfix/smtpd[3535]: warning: queue_minfree(150000000) should be at least 1.5*message_size_limit(102400000)

Apr 17 22:57:06 serverdef postfix/smtpd[3535]: connect from host-static-93-116-183-40.moldtelecom.md[93.116.183.40]

Apr 17 22:57:06 serverdef postfix/smtpd[3535]: fatal: non-null host address bits in "209.177.157.239/29", perhaps you should use "209.177.157.232/29" instead

Apr 17 22:57:07 serverdef postfix/master[3251]: warning: process /usr/lib64/postfix/smtpd pid 3535 exit status 1

Apr 17 22:57:07 serverdef postfix/master[3251]: warning: /usr/lib64/postfix/smtpd: bad command startup -- throttling

Apr 17 22:58:04 serverdef sshd[3508]: Received disconnect from 108.48.127.48: 11: disconnected by user

Apr 17 22:58:04 serverdef sshd[3508]: pam_unix(sshd:session): session closed for user root

Apr 17 22:59:01 serverdef cron[3538]: (root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)

Apr 17 22:59:12 serverdef sshd[3539]: SSH: Server;Ltype: Version;Remote: 108.48.127.48-40476;Protocol: 2.0;Client: OpenSSH_5.8p1-hpn13v10

Apr 17 22:59:16 serverdef sshd[3539]: Accepted keyboard-interactive/pam for root from 108.48.127.48 port 40476 ssh2

Apr 17 22:59:16 serverdef sshd[3539]: pam_unix(sshd:session): session opened for user root by (uid=0)

```

----------

## audiodef

OK, good, that all fit between code tags. 

So what does this mean I missed?

----------

## cach0rr0

ok, so the first one:

```

Apr 17 22:57:06 serverdef postfix/smtpd[3535]: warning: TLS library problem: 3535:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('/etc/ssl/postfix/root.crt','r'): 

```

I doubt you have a 'root.crt' in that directory. For me, that was the root certificate from CACert.org.

You won't have this unless of course you went through CACert for your SSL cert. 

If you used a self-signed cert, you don't need 'smtpd_tls_CAfile' at all, and can remove this from main.cf.

While you're at it, check smtpd_tls_key_file and smtpd_tls_cert_file, and make sure they both point at existent files. The former should point at your private key, the latter should point at the certificate. If you're stumped, post output of ls /etc/ssl/postfix

You should do those same checks for these settings in /etc/imapd.conf:

```

tls_cert_file:          /etc/ssl/cyrus/server.crt

tls_key_file:           /etc/ssl/cyrus/server.key

```

server.crt is my cert, server.key is my private key.

(you can leave 'tls_ca_path' as-is, since /etc/ssl/certs is the correct path by default)

There's also this:

```

Apr 17 22:57:06 serverdef postfix/smtpd[3535]: fatal: non-null host address bits in "209.177.157.239/29", perhaps you should use "209.177.157.232/29" instead 

```

you'd probably want simply '209.177.157.239', or if that gives you grief, '209.177.157.239/32'.

I used /29 because I have 5 IP addresses from my ISP, and this is correct for my IP range (75.148.243.88/29 covers 75.148.243.89-75.148.243.93). As you only have one IP, the /29 is not appropriate. 

Both of these will be show-stoppers that keep postfix from functioning. Give that a go, let's see if things don't fare a bit better. 

NB: a handy tip, even though you aren't on a hardened profile/build, if you emerge syslog-ng with the 'hardened' USE flag enabled, it'll keep things nicely tucked away in separate files. In the case of mail, you'll have a nice tidy /var/log/mail.log and /var/log/mail.(info|err). Without the 'hardened' use flag enabled, damn near everything goes into /var/log/messages.
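The two show-stoppers above (a TLS file setting pointing at a file that isn't there, and a mynetworks CIDR with host bits set), plus the queue_minfree warning visible in the log, can all be caught before restarting Postfix. The linter below is an added example, not cach0rr0's code and not part of Postfix; the embedded main.cf is a constructed sample modeled on the thread's settings, and it assumes plain 'key = value' lines with integer sizes.

```python
#!/usr/bin/env python3
"""Lint a Postfix main.cf for the three problems seen in this thread:
missing TLS files, mynetworks CIDRs with host bits set, and queue_minfree
below 1.5 * message_size_limit. Added example, not the posters' code or
Postfix's; assumes 'key = value' lines (indented continuations allowed)
and sizes written as plain integers, as in this thread's log."""
import ipaddress
import os
import re

# Constructed sample modeled on the settings discussed in the thread.
SAMPLE_MAIN_CF = """\
myhostname = audiodef.com
mydestination = $myhostname, localhost
mynetworks = 127.0.0.0/8,
    209.177.157.239/29
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_CAfile = /etc/ssl/postfix/root.crt
message_size_limit = 102400000
queue_minfree = 150000000
"""

TLS_FILE_KEYS = ("smtpd_tls_cert_file", "smtpd_tls_key_file", "smtpd_tls_CAfile")


def parse_main_cf(text):
    """Return {key: value}; comments and blank lines are skipped and
    indented lines are joined onto the preceding setting (Postfix syntax)."""
    conf, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            conf[last] += " " + raw.strip()
            continue
        match = re.match(r"^([\w.]+)\s*=\s*(.*?)\s*$", raw)
        if match:
            last = match.group(1)
            conf[last] = match.group(2)
    return conf


def check_tls_files(conf, exists=os.path.exists):
    """Return [(key, path)] for TLS file settings whose file is missing."""
    return [(key, conf[key]) for key in TLS_FILE_KEYS
            if conf.get(key) and not exists(conf[key])]


def check_mynetworks(conf):
    """Return [(entry, suggestion)] for CIDR entries whose host bits are
    not zero (the network Postfix would suggest); for a single host the
    fix is the bare address or a /32. suggestion is None if unparseable."""
    findings = []
    for entry in re.split(r"[\s,]+", conf.get("mynetworks", "")):
        # skip table lookups (hash:, cidr:, ...) and entries without a mask
        if "/" not in entry or re.match(r"^[a-z]+:", entry):
            continue
        addr = entry.replace("[", "").replace("]", "")  # [::1]/128 form
        try:
            ipaddress.ip_network(addr, strict=True)
        except ValueError:
            try:
                findings.append((entry, str(ipaddress.ip_network(addr, strict=False))))
            except ValueError:
                findings.append((entry, None))
    return findings


def check_queue_minfree(conf):
    """Return (queue_minfree, required) when Postfix would log the
    'queue_minfree should be at least 1.5*message_size_limit' warning."""
    size_limit = int(conf.get("message_size_limit", "10240000"))
    minfree = int(conf.get("queue_minfree", "0"))
    required = int(1.5 * size_limit)
    if minfree and size_limit and minfree < required:
        return minfree, required
    return None


def lint(text, exists=os.path.exists):
    """Run every check; an empty list or None means that check passed."""
    conf = parse_main_cf(text)
    return {
        "missing_tls_files": check_tls_files(conf, exists),
        "bad_mynetworks": check_mynetworks(conf),
        "queue_minfree": check_queue_minfree(conf),
    }


if __name__ == "__main__":
    for name, finding in lint(SAMPLE_MAIN_CF).items():
        print(f"{name}: {finding if finding else 'ok'}")
```

Run against the real file by passing its contents to lint(); the exists parameter is there so the file checks can be exercised without the certificates present.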

----------

## audiodef

Alright! Now we're getting somewhere!

I removed the CAcert line and removed the "29", restarted things, and I can now telnet localhost 25 and get a banner. 

I'm re-emerging syslog-ng with the hardened use flag. Thanks for that tip. 

OK, so now I need to test things. What's the best way to do that?

----------

## cach0rr0

 *audiodef wrote:*   

> OK, so now I need to test things. What's the best way to do that?


first and foremost, at this stage I assume you added a handful of users (or at least one) to the database, yeah?

If so, you should be able to fire up an IMAP client, connect on port 993 (using SSL), with a username of exactly what's in the database. (e.g. it has to be 'user@domain.com' and not simply 'user')

For the smtp side of things, the quickest way to test is via telnet actually.

```

$ telnet audiodef.com 25

Trying 209.177.157.239...

Connected to audiodef.com.

Escape character is '^]'.

220 audiodef.com ESMTP Postfix (2.7.3)

EHLO vpn.whitehathouston.com

250-audiodef.com

250-PIPELINING

250-SIZE 102400000

250-VRFY

250-ETRN

250-STARTTLS

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

MAIL FROM:<test@whitehathouston.com>

250 2.1.0 Ok

RCPT TO:<invalid@audiodef.com>

550 5.1.1 <invalid@audiodef.com>: Recipient address rejected: User unknown in local recipient table

quit

221 2.0.0 Bye

Connection closed by foreign host.

```

if I were to do RCPT TO with an address you've added to the mysql database, it should accept it and not 550 it.

----------

## audiodef

I'm using Thunderbird. Looks like the latest T-bird has a nifty auto-find server settings feature. I keep getting login failed errors with a dialog to enter a new password, but the username and password I've set up are correct. My settings in T-bird are:

IMAP mail server (will want pop3s later, but I'll deal with it later)

server name: imap.audiodef.com (t-bird "discovered" this, but the result is the same if I switch it to "audiodef.com")

port: 143

connection security: STARTTLS

auth method: encrypted password

Other settings I've tried have resulted in either timeouts or more of the same with "incorrect password" errors.

I manually checked maildb and the user/pass are in there.

----------

## cach0rr0

 *audiodef wrote:*   

> port: 143
> 
> connection security: STARTTLS
> ...


so for those:

port - 993

connection security: SSL/TLS (starttls is something different)

auth method: normal password

----------

## cach0rr0

993 using SSL/TLS does let me connect

```

# openssl s_client -connect audiodef.com:993

CONNECTED(00000003)

depth=0 /C=US/ST=California/L=Santa Barbara/O=SSL Server/OU=For Testing Purposes Only/CN=localhost/emailAddress=root@localhost

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 /C=US/ST=California/L=Santa Barbara/O=SSL Server/OU=For Testing Purposes Only/CN=localhost/emailAddress=root@localhost

verify error:num=27:certificate not trusted

verify return:1

depth=0 /C=US/ST=California/L=Santa Barbara/O=SSL Server/OU=For Testing Purposes Only/CN=localhost/emailAddress=root@localhost

verify error:num=21:unable to verify the first certificate

verify return:1

---

Certificate chain

 0 s:/C=US/ST=California/L=Santa Barbara/O=SSL Server/OU=For Testing Purposes Only/CN=localhost/emailAddress=root@localhost

   i:/C=US/ST=California/L=Santa Barbara/O=SSL Server/OU=For Testing Purposes Only/CN=localhost CA/emailAddress=root@localhost

---

Server certificate

-----BEGIN CERTIFICATE-----

<snip>

-----END CERTIFICATE-----

subject=/C=US/ST=California/L=Santa Barbara/O=SSL Server/OU=For Testing Purposes Only/CN=localhost/emailAddress=root@localhost

issuer=/C=US/ST=California/L=Santa Barbara/O=SSL Server/OU=For Testing Purposes Only/CN=localhost CA/emailAddress=root@localhost

---

No client certificate CA names sent

---

SSL handshake has read 1284 bytes and written 343 bytes

---

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA

Server public key is 1024 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1

<snip>

    Timeout   : 300 (sec)

    Verify return code: 21 (unable to verify the first certificate)

---

* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5 SASL-IR COMPRESS=DEFLATE] serverdef Cyrus IMAP v2.3.16 server ready

```

all connected, all looks fine, I get that 'OK' at which point I should be able to, theoretically, send the LOGIN command along with a password. 

If you're unable to log in with that, the variable would be the database methinks. Maybe there's something I overlooked?

NB: if you tell me a valid email address, I'll test out the smtp side here (don't need a pass, I just want to see if postfix 550's a RCPT to a valid address, or 250's it like it should)

----------

## audiodef

Changed the settings, still not getting through. 

I set up a webmaster at audiodef dot com account, you could try that.

----------

## cach0rr0

well, the postfix side of things is working at least.

```

meat@houacer01 ~ $ telnet audiodef.com 25

Trying 209.177.157.239...

Connected to audiodef.com.

Escape character is '^]'.

220 audiodef.com ESMTP Postfix (2.7.3)

EHLO vpn.whitehathouston.com

250-audiodef.com

250-PIPELINING

250-SIZE 102400000

250-VRFY

250-ETRN

250-STARTTLS

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

MAIL FROM:<test@whitehathouston.com>

250 2.1.0 Ok

RCPT TO:<webmaster@audiodef.com>

250 2.1.5 Ok

DATA

354 End data with <CR><LF>.<CR><LF>

Subject: Test from cach0rr0

From: "me" <meat@whitehathouston.com>

To: "you" <webmaster@audiodef.com>

Sending this message via telnet. As such it will be devoid of most useful cosmetic formatting!

Thankfully, it would seem the Postfix side of this is working fine. 

-Chris

.

250 2.0.0 Ok: queued as B5D5915A71

quit

221 2.0.0 Bye

Connection closed by foreign host.

```

```

meat@houacer01 ~ $ telnet audiodef.com 25

Trying 209.177.157.239...

Connected to audiodef.com.

Escape character is '^]'.

220 audiodef.com ESMTP Postfix (2.7.3)

ehlo vpn.whitehathouston.com

250-audiodef.com

250-PIPELINING

250-SIZE 102400000

250-VRFY

250-ETRN

250-STARTTLS

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

MAIL FROM:<test@whitehathouston.com>

250 2.1.0 Ok

rcpt to:<notvalid@audiodef.com>

550 5.1.1 <notvalid@audiodef.com>: Recipient address rejected: User unknown in local recipient table

quit

221 2.0.0 Bye

Connection closed by foreign host.

```

Assuming no errors, you should be able to trace through mail.log and see that message being sent via the lmtp socket to Cyrus.

One thing I suppose you might try - in imapd.conf, change the mech list so that it's just:

```

sasl_mech_list: LOGIN PLAIN

```

then restart cyrus. I seem to recall the others giving me fits. Since you are forcing SSL (or well, you should be!), using plaintext login mechanisms is perfectly safe.
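Tracing a queue ID through mail.log, as suggested above, is easy to script. The block below is an added example, not code from the thread or from Postfix: its log lines are constructed (modeled on this thread's mail.log, reusing the queue ID B5D5915A71 from the telnet test and documentation IPs from 203.0.113.0/24), it assumes syslog line format with Postfix's default short hex queue IDs, and it follows a message from smtpd to the Cyrus lmtp socket and counts 550 RCPT rejects per client IP.

```python
#!/usr/bin/env python3
"""Follow one Postfix queue ID through mail.log and summarise RCPT rejects.
Added example, not the posters' code; the sample log is constructed."""
import re
from collections import Counter

# Constructed sample modeled on this thread's mail.log; client addresses
# are documentation IPs, the queue ID is the one from the telnet test.
SAMPLE_LOG = """\
Apr 18 11:37:15 serverdef postfix/smtpd[6511]: B5D5915A71: client=vpn.whitehathouston.com[203.0.113.10]
Apr 18 11:37:15 serverdef postfix/cleanup[6520]: B5D5915A71: message-id=<constructed-0001@whitehathouston.com>
Apr 18 11:37:15 serverdef postfix/qmgr[3241]: B5D5915A71: from=<test@whitehathouston.com>, size=487, nrcpt=1 (queue active)
Apr 18 11:37:15 serverdef postfix/trivial-rewrite[3252]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains
Apr 18 11:40:48 serverdef postfix/smtpd[17689]: NOQUEUE: reject: RCPT from unknown[203.0.113.55]: 550 5.1.1 <singer@audiodef.com>: Recipient address rejected: User unknown in local recipient table; from=<nobody@example.net> to=<singer@audiodef.com> proto=ESMTP helo=<203.0.113.55>
Apr 18 11:40:49 serverdef postfix/smtpd[17689]: NOQUEUE: reject: RCPT from unknown[203.0.113.55]: 550 5.1.1 <sales@audiodef.com>: Recipient address rejected: User unknown in local recipient table; from=<nobody@example.net> to=<sales@audiodef.com> proto=ESMTP helo=<203.0.113.55>
Apr 18 11:41:02 serverdef postfix/smtpd[17689]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.77]: 550 5.1.1 <info@audiodef.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<info@audiodef.com> proto=ESMTP helo=<mail.example.org>
Apr 18 11:42:15 serverdef postfix/lmtp[3263]: B5D5915A71: to=<webmaster@audiodef.com>, relay=audiodef.com[/var/imap/socket/lmtp], delay=567, delays=267/0.01/300/0, dsn=4.4.2, status=deferred (conversation with audiodef.com[/var/imap/socket/lmtp] timed out while receiving the initial server greeting)
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>postfix/[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Default Postfix queue IDs are upper-case hex; NOQUEUE marks rejects.
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}|NOQUEUE): (?P<rest>.*)$")
REJECT_RE = re.compile(r"reject: RCPT from (?P<name>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3})")


def parse_line(line):
    """Split a syslog line into fields; returns None for non-Postfix lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    q = QID_RE.match(ev["msg"])
    ev["queue_id"] = q.group("qid") if q else None
    ev["msg"] = q.group("rest") if q else ev["msg"]
    return ev


def trace_queue_id(lines, qid):
    """All events for one queue ID in log order (smtpd, cleanup, qmgr, lmtp...)."""
    return [ev for ev in map(parse_line, lines) if ev and ev["queue_id"] == qid]


def delivery_report(lines, qid):
    """Where did the message get to: the programs it passed through and the
    last from/to/relay/dsn/status fields logged for it. A dsn=4.x with
    status=deferred on the lmtp hop means Postfix handed off but Cyrus
    never answered, which is exactly the timeout case in this thread."""
    events = trace_queue_id(lines, qid)
    report = {"queue_id": qid, "hops": [ev["prog"] for ev in events]}
    for ev in events:
        for key in ("from", "to", "relay", "dsn", "status"):
            m = re.search(r"\b%s=(<[^>]*>|[^,\s]+)" % key, ev["msg"])
            if m:
                report[key] = m.group(1).strip("<>")
    return report


def reject_summary(lines):
    """Count 'NOQUEUE: reject' RCPT rejections per client IP; a client that
    walks through many unknown recipients stands out immediately."""
    counts = Counter()
    for ev in filter(None, map(parse_line, lines)):
        if ev["queue_id"] == "NOQUEUE":
            m = REJECT_RE.search(ev["msg"])
            if m:
                counts[m.group("ip")] += 1
    return dict(counts)


if __name__ == "__main__":
    print(delivery_report(SAMPLE_LOG, "B5D5915A71"))
    print(reject_summary(SAMPLE_LOG))
```

On a live box, feed it the lines of /var/log/mail.log instead of SAMPLE_LOG.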

----------

## audiodef

Tried that, no difference, but here's /var/log/mail.log (syslog-ng with hardened works well, thanks again!):

```

Apr 18 11:37:15 serverdef postfix/postfix-script[3229]: starting the Postfix mail system

Apr 18 11:37:15 serverdef postfix/master[3230]: daemon started -- version 2.7.3, configuration /etc/postfix

Apr 18 11:37:15 serverdef postfix/qmgr[3241]: B5D5915A71: from=<test@whitehathouston.com>, size=487, nrcpt=1 (queue active)

Apr 18 11:37:15 serverdef postfix/trivial-rewrite[3252]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains

Apr 18 11:37:44 serverdef postfix/smtpd[6511]: warning: queue_minfree(150000000) should be at least 1.5*message_size_limit(102400000)

Apr 18 11:37:44 serverdef postfix/smtpd[6511]: connect from smtpout06-01.prod.mesa1.secureserver.net[64.202.165.224]

Apr 18 11:37:44 serverdef postfix/trivial-rewrite[3252]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains

Apr 18 11:37:44 serverdef postfix/smtpd[6511]: NOQUEUE: reject: RCPT from smtpout06-01.prod.mesa1.secureserver.net[64.202.165.224]: 550 5.1.1 <damien@audiodef.com>: Recipient address rejected: User unknown in local recipient table; from=<damien@audiodef.com> to=<damien@audiodef.com> proto=SMTP helo=<smtpout06.prod.mesa1.secureserver.net>

Apr 18 11:37:44 serverdef postfix/smtpd[6511]: disconnect from smtpout06-01.prod.mesa1.secureserver.net[64.202.165.224]

Apr 18 11:39:30 serverdef postfix/smtpd[17689]: warning: queue_minfree(150000000) should be at least 1.5*message_size_limit(102400000)

Apr 18 11:39:30 serverdef postfix/smtpd[17689]: connect from smtpauth17.prod.mesa1.secureserver.net[64.202.165.29]

Apr 18 11:39:31 serverdef postfix/trivial-rewrite[17721]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains

Apr 18 11:39:31 serverdef postfix/smtpd[17689]: 28D9315A79: client=smtpauth17.prod.mesa1.secureserver.net[64.202.165.29]

Apr 18 11:39:31 serverdef postfix/cleanup[17731]: 28D9315A79: message-id=<4DACE7D1.4030405@audiodef.com>

Apr 18 11:39:31 serverdef postfix/qmgr[3241]: 28D9315A79: from=<damien@audiodef.com>, size=906, nrcpt=1 (queue active)

Apr 18 11:39:31 serverdef postfix/trivial-rewrite[17721]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains

Apr 18 11:39:31 serverdef postfix/smtpd[17689]: disconnect from smtpauth17.prod.mesa1.secureserver.net[64.202.165.29]

Apr 18 11:39:31 serverdef postfix/trivial-rewrite[17721]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains

Apr 18 11:39:31 serverdef postfix/smtpd[17689]: 28D9315A79: client=smtpauth17.prod.mesa1.secureserver.net[64.202.165.29]

Apr 18 11:39:31 serverdef postfix/cleanup[17731]: 28D9315A79: message-id=<4DACE7D1.4030405@audiodef.com>

Apr 18 11:39:31 serverdef postfix/qmgr[3241]: 28D9315A79: from=<damien@audiodef.com>, size=906, nrcpt=1 (queue active)

Apr 18 11:39:31 serverdef postfix/trivial-rewrite[17721]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains

Apr 18 11:39:31 serverdef postfix/smtpd[17689]: disconnect from smtpauth17.prod.mesa1.secureserver.net[64.202.165.29]

Apr 18 11:40:44 serverdef postfix/smtpd[17689]: connect from unknown[222.127.68.229]

Apr 18 11:40:48 serverdef postfix/trivial-rewrite[17721]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains

Apr 18 11:40:48 serverdef postfix/smtpd[17689]: NOQUEUE: reject: RCPT from unknown[222.127.68.229]: 550 5.1.1 <singer@audiodef.com>: Recipient address rejected: User unknown in local recipient table; from=<vlnluiio@activeaging.org> to=<singer@audiodef.com> proto=ESMTP helo=<222.127.68.229>

Apr 18 11:40:49 serverdef postfix/smtpd[17689]: lost connection after RCPT from unknown[222.127.68.229]

Apr 18 11:40:49 serverdef postfix/smtpd[17689]: disconnect from unknown[222.127.68.229]

Apr 18 11:42:15 serverdef postfix/lmtp[3263]: B5D5915A71: to=<webmaster@audiodef.com>, relay=audiodef.com[/var/imap/socket/lmtp], delay=567, delays=267/0.01/300/0, dsn=4.4.2, status=deferred (conversation with audiodef.com[/var/imap/socket/lmtp] timed out while receiving the initial server greeting)

Apr 18 11:42:53 serverdef postfix/lmtp[17749]: 28D9315A79: to=<damien@audiodef.com>, relay=audiodef.com[/var/imap/socket/lmtp], delay=202, delays=0.2/0.01/202/0, dsn=4.4.2, status=deferred (lost connection with audiodef.com[/var/imap/socket/lmtp] while receiving the initial server greeting)

Apr 18 11:44:09 serverdef postfix/anvil[6538]: statistics: max connection rate 1/60s for (smtp:64.202.165.224) at Apr 18 11:37:44

Apr 18 11:44:09 serverdef postfix/anvil[6538]: statistics: max connection count 1 for (smtp:64.202.165.224) at Apr 18 11:37:44

Apr 18 11:44:09 serverdef postfix/anvil[6538]: statistics: max cache size 1 at Apr 18 11:37:44

```

I can see you sending a test, but it doesn't look like it's totally smooth sailing to me.

----------
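As an added example (not part of the thread), a small Python parser for the mail.log shape pasted above: it tallies NOQUEUE rejects per client, deferred LMTP deliveries per queue id and the configuration warnings, then maps each DSN seen to a likely cause. The sample lines are constructed to mirror the posted log (example.test domain, TEST-NET addresses) and the hint text is mine, not Postfix output.

```python
import re
from collections import Counter

# Record shapes taken from the mail.log posted in the thread.
_REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) <(?P<rcpt>[^>]+)>: (?P<reason>[^;]+);"
)
_DEFERRED = re.compile(
    r"postfix/lmtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, .*?"
    r"dsn=(?P<dsn>\d\.\d\.\d), status=deferred \((?P<reason>.*)\)$"
)
_WARNING = re.compile(r"postfix/\S+\[\d+\]: warning: (?P<text>.*)$")

# Constructed sample, modelled on the posted log; not a real server's output.
SAMPLE_LOG = """\
Apr 18 11:37:44 serverdef postfix/smtpd[6511]: warning: queue_minfree(150000000) should be at least 1.5*message_size_limit(102400000)
Apr 18 11:37:44 serverdef postfix/trivial-rewrite[3252]: warning: do not list domain example.test in BOTH mydestination and virtual_mailbox_domains
Apr 18 11:40:48 serverdef postfix/smtpd[17689]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <singer@example.test>: Recipient address rejected: User unknown in local recipient table; from=<nobody@example.org> to=<singer@example.test> proto=ESMTP helo=<192.0.2.10>
Apr 18 11:40:49 serverdef postfix/smtpd[17689]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <jmoore@example.test>: Recipient address rejected: User unknown in local recipient table; from=<nobody@example.org> to=<jmoore@example.test> proto=ESMTP helo=<192.0.2.10>
Apr 18 11:42:15 serverdef postfix/lmtp[3263]: B5D5915A71: to=<webmaster@example.test>, relay=example.test[/var/imap/socket/lmtp], delay=567, delays=267/0.01/300/0, dsn=4.4.2, status=deferred (conversation with example.test[/var/imap/socket/lmtp] timed out while receiving the initial server greeting)
Apr 19 06:43:01 serverdef postfix/lmtp[24036]: DAA9C50CDC: to=<damien@example.test>, relay=example.test[/var/imap/socket/lmtp], delay=2225, delays=2225/0.01/0.02/0.01, dsn=4.2.2, status=deferred (host example.test[/var/imap/socket/lmtp] said: 452 4.2.2 Over quota (in reply to RCPT TO command))
"""

# Hints are this example's own wording for the DSNs that show up in the thread.
DSN_HINTS = {
    "5.1.1": "recipient not in local_recipient_maps/virtual_mailbox_maps; many hits "
             "from one unknown[] client are address probing, not lost mail",
    "4.4.2": "LMTP socket not answering: check Cyrus is running and "
             "/var/imap/socket/lmtp exists",
    "4.2.2": "Cyrus quota exceeded for that mailbox; mail stays queued and retries",
}


def parse_mail_log(text):
    """Summarise rejects, LMTP deferrals and warnings from syslog-style lines."""
    summary = {
        "rejects": Counter(),   # (client ip, dsn) -> count
        "deferred": {},         # queue id -> (recipient, dsn, reason); last entry wins
        "warnings": Counter(),  # distinct warning text -> count
    }
    for line in text.splitlines():
        if m := _REJECT.search(line):
            summary["rejects"][(m["ip"], m["dsn"])] += 1
        elif m := _DEFERRED.search(line):
            summary["deferred"][m["qid"]] = (m["rcpt"], m["dsn"], m["reason"])
        elif m := _WARNING.search(line):
            summary["warnings"][m["text"]] += 1
    return summary


def diagnose(summary):
    """Return {dsn: hint} for every DSN that appeared in rejects or deferrals."""
    seen = {dsn for _, dsn in summary["rejects"]}
    seen |= {dsn for _, dsn, _ in summary["deferred"].values()}
    return {dsn: DSN_HINTS.get(dsn, "no hint for this DSN") for dsn in sorted(seen)}


if __name__ == "__main__":
    s = parse_mail_log(SAMPLE_LOG)
    for (ip, dsn), n in s["rejects"].most_common():
        print(f"{n:3d} rejects from {ip} with {dsn}")
    for qid, (rcpt, dsn, reason) in s["deferred"].items():
        print(f"deferred {qid} to {rcpt}: {dsn} {reason}")
    for dsn, hint in diagnose(s).items():
        print(f"{dsn}: {hint}")
```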

## cach0rr0

hmm...no, not smooth sailing 

before i forget:

```
Apr 18 11:37:15 serverdef postfix/trivial-rewrite[3252]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains 
```

for 'mydestination', you probably only want to have localhost and $myhostname (which i assume is set to serverdef.audiodef.com), since virtual_mailbox_domains will handle audiodef.com

Might change that, do a 'postfix reload', and pray. I need to see if i can sort out what might cause the 'timed out while receiving the initial server greeting' nonsense on lmtp. Shouldn't have anything to do with that one setting.

----------

## audiodef

Made that change and reloaded... still can't get my login info through. 

I'll go frag some demons or something, maybe close my eyes for several hours   :Razz:  and check back to see if you've found anything. 

It's really nice of you to do this. I can only hope I can pay it forward in equal amounts.   :Very Happy: 

----------

## cach0rr0

no worries, you're helping me debug doc  :Laughing: 

only other thing i can think of, be curious to see your /etc/cyrus.conf, as well this:

```
 # ls -alh /var/imap/socket/
```

if cyrus is running, should see a socket there named 'lmtp' 

might also try:

```
/etc/init.d/cyrus stop
rm /var/imap/db/__db.*
/etc/init.d/cyrus start
```

and see if that doesn't fix things up. 

beyond that, I'll have to have a think and google

----------

## audiodef

The lmtp socket is there. 

Interesting... couldn't stop cyrus and all I got was the red !!, no further explanation. 

The files you suggested I rm didn't exist to begin with.

EDIT: Yes, they do. I moved the db dir earlier while poking around at stuff and didn't move it back. I moved it back, but before and after rm'ing those files, it continued not to let me in. 

I did reboot my server with cyrus out of the default runlevel as a way of getting it to stop. Now it stops and starts when I tell it to.

----------

## cach0rr0

ok, with those db files out of the way, once you restart cyrus, they should be recreated 

the login issue - a concern, but less of an immediate concern

first and foremost i want to get rid of the 'timed out waiting for server greeting' issue on the lmtp connection

you can force a retry with 'postfix flush', then check out the logs to see if lmtp is still giving us grief 

if it is, time for thinking cap. 

if not, it narrows the issue down to simply the login failure

this just stinks of something somewhere being corrupted. The good news, once everything is set up with cyrus and operational, you just rarely if ever have to touch it. Normal operation, the db files and whatnot just don't get corrupted (I'm at ~2 years on my current install without having to touch it). 

Just the headache getting things going at the beginning.

----------

## audiodef

OK, did a flush, moved mail.log and mail.warn to backup files (to make it easier to see new entries), reloaded and restarted postfix, even restarted the server, but now all I can see is postfix starting normally. Nothing at all appears in the logs about my login failure. 

I think what I'll do when I'm properly awake is re-do the postfix/cyrus install from scratch, reading both the how-to and this thread carefully. Somewhere between my doing that and your sporting a stylish thinkin' cap, we'll figure it out. 

Are you sure the password in MySQL should be plain text? Nothing gets hashed somewhere?

----------

## cach0rr0

 *audiodef wrote:*   

> I think what I'll do when I'm properly awake is re-do the postfix/cyrus install from scratch, reading both the how-to and this thread carefully. Somewhere between my doing that and your sporting a stylish thinkin' cap, we'll figure it out. 

 

Shouldn't need to do that. If anything, uninstalling cyrus, nuking any leftover files (except for config files), reinstalling cyrus, should do the trick. 

Whatever you do, im convinced now your main.cf is fine, so don't lose that - that's where you do most of your work anyway. But hopefully it won't come to that. 

Your logs should in fact be fairly empty, unless you're doing a good bit of inbound SMTP traffic. I Just sent a test message through to webmaster from 'apr19test', if that ended up where it's supposed to end up, then all that's left is the login issue for the imap side. 

 *audiodef wrote:*   

> Are you sure the password in MySQL should be plain text? Nothing gets hashed somewhere?

 

yessir. Unfortunately not every piece of this puzzle can work with encrypted entries in a DB, so we either have to maintain multiple DB's or just shuck crypto.

----------

## audiodef

I'm already getting spam! Jeebus. And maybe something else might be wrong, too. I'm reading "over quota" in the log:

```
Apr 19 06:43:01 serverdef postfix/trivial-rewrite[24033]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains
Apr 19 06:43:01 serverdef postfix/lmtp[24036]: DAA9C50CDC: to=<damien@audiodef.com>, relay=audiodef.com[/var/imap/socket/lmtp], delay=2225, delays=2225/0.01/0.02/0.01, dsn=4.2.2, status=deferred (host audiodef.com[/var/imap/socket/lmtp] said: 452 4.2.2 Over quota (in reply to RCPT TO command))
Apr 19 06:46:18 serverdef postfix/smtpd[24199]: warning: queue_minfree(150000000) should be at least 1.5*message_size_limit(102400000)
Apr 19 06:46:19 serverdef postfix/smtpd[24199]: warning: 190.25.27.105: hostname adsl190-2527105.dyn.etb.net.co verification failed: Name or service not known
Apr 19 06:46:19 serverdef postfix/smtpd[24199]: connect from unknown[190.25.27.105]
Apr 19 06:46:20 serverdef postfix/trivial-rewrite[24201]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains
Apr 19 06:46:20 serverdef postfix/smtpd[24199]: NOQUEUE: reject: RCPT from unknown[190.25.27.105]: 550 5.1.1 <jmoore@audiodef.com>: Recipient address rejected: User unknown in local recipient table; from=<hshbly@abraca.org> to=<jmoore@audiodef.com> proto=ESMTP helo=<adsl190-2527105.dyn.etb.net.co>
Apr 19 06:46:20 serverdef postfix/smtpd[24199]: lost connection after RCPT from unknown[190.25.27.105]
Apr 19 06:46:20 serverdef postfix/smtpd[24199]: disconnect from unknown[190.25.27.105]
Apr 19 06:49:40 serverdef postfix/anvil[24200]: statistics: max connection rate 1/60s for (smtp:190.25.27.105) at Apr 19 06:46:19
Apr 19 06:49:40 serverdef postfix/anvil[24200]: statistics: max connection count 1 for (smtp:190.25.27.105) at Apr 19 06:46:19
Apr 19 06:49:40 serverdef postfix/anvil[24200]: statistics: max cache size 1 at Apr 19 06:46:19
Apr 19 06:58:01 serverdef postfix/qmgr[4694]: 48AC915A15: from=<Patty_@dentygret.info>, size=14808, nrcpt=1 (queue active)
Apr 19 06:58:01 serverdef postfix/trivial-rewrite[24784]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains
Apr 19 06:58:01 serverdef postfix/lmtp[24787]: 48AC915A15: to=<damien@audiodef.com>, relay=audiodef.com[/var/imap/socket/lmtp], delay=21499, delays=21499/0.01/0.02/0.01, dsn=4.2.2, status=deferred (host audiodef.com[/var/imap/socket/lmtp] said: 452 4.2.2 Over quota (in reply to RCPT TO command))
Apr 19 07:03:01 serverdef postfix/qmgr[4694]: DBDB950C81: from=<JewelMint-DesignerJewelrywvf@beautifulowner.info>, size=7965, nrcpt=1 (queue active)
Apr 19 07:03:01 serverdef postfix/trivial-rewrite[25050]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains
Apr 19 07:03:01 serverdef postfix/qmgr[4694]: D5D87159E2: from=<better2011_@iterstabic.info>, size=25748, nrcpt=1 (queue active)
Apr 19 07:03:01 serverdef postfix/trivial-rewrite[25050]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains
Apr 19 07:03:01 serverdef postfix/qmgr[4694]: 09EF150CDA: from=<Customer.Care@Apps.JobServe.com>, size=6603, nrcpt=1 (queue active)
Apr 19 07:03:01 serverdef postfix/trivial-rewrite[25050]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains
Apr 19 07:03:01 serverdef postfix/qmgr[4694]: A85E150CDB: from=<work_at_home@bautacraye.info>, size=12388, nrcpt=1 (queue active)
Apr 19 07:03:01 serverdef postfix/trivial-rewrite[25050]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains
Apr 19 07:03:01 serverdef postfix/lmtp[25054]: DBDB950C81: to=<damien@audiodef.com>, relay=audiodef.com[/var/imap/socket/lmtp], delay=17277, delays=17277/0.01/0.02/0.01, dsn=4.2.2, status=deferred (host audiodef.com[/var/imap/socket/lmtp] said: 452 4.2.2 Over quota (in reply to RCPT TO command))
Apr 19 07:03:01 serverdef postfix/lmtp[25056]: D5D87159E2: to=<damien@audiodef.com>, relay=audiodef.com[/var/imap/socket/lmtp], delay=21421, delays=21421/0.01/0.02/0, dsn=4.2.2, status=deferred (host audiodef.com[/var/imap/socket/lmtp] said: 452 4.2.2 Over quota (in reply to RCPT TO command))
Apr 19 07:03:01 serverdef postfix/lmtp[25056]: A85E150CDB: to=<damien@audiodef.com>, relay=audiodef.com[/var/imap/socket/lmtp], delay=8728, delays=8728/0.04/0.01/0, dsn=4.2.2, status=deferred (host audiodef.com[/var/imap/socket/lmtp] said: 452 4.2.2 Over quota (in reply to RCPT TO command))
Apr 19 07:03:01 serverdef postfix/lmtp[25054]: 09EF150CDA: to=<damien@audiodef.com>, relay=audiodef.com[/var/imap/socket/lmtp], delay=8866, delays=8866/0.04/0.01/0, dsn=4.2.2, status=deferred (host audiodef.com[/var/imap/socket/lmtp] said: 452 4.2.2 Over quota (in reply to RCPT TO command))
Apr 19 07:06:21 serverdef postfix/scache[25063]: statistics: start interval Apr 19 07:03:01
Apr 19 07:06:21 serverdef postfix/scache[25063]: statistics: address lookup hits=0 miss=2 success=0%
Apr 19 07:06:21 serverdef postfix/scache[25063]: statistics: max simultaneous domains=0 addresses=1 connection=2
Apr 19 07:08:01 serverdef postfix/qmgr[4694]: F1DA615A7B: from=<lowrates_@wuffloket.info>, size=33926, nrcpt=1 (queue active)
Apr 19 07:08:01 serverdef postfix/trivial-rewrite[1664]: warning: do not list domain audiodef.com in BOTH mydestination and virtual_mailbox_domains
```

Login still fails after re-installing cyrus.

----------

## cach0rr0

out of curiosity:

```
ls /var/imap/domain
```

far as the spam goes, adding those RBL's to the mix should take care of the bulk of it. One thing at a time i suppose

----------

## audiodef

 *cach0rr0 wrote:*   

> out of curiosity:
> 
> ```
> 
> ls /var/imap/domain
> ...

 

No such file or dir... should there be?

----------

## cach0rr0

no that's fine. that means no mailboxes have been autocreated yet, that's what i was looking to check. 

so let's do this:

```
/etc/init.d/cyrus stop
/etc/init.d/postfix stop
emerge -C cyrus-imapd
rm -rf /var/imap
rm -rf /var/spool/imap
emerge cyrus-imapd #with autocreate patch enabled via USE of course
/etc/init.d/cyrus start
/etc/init.d/postfix start
```

also, just in case this is throwing anything off and corrupting our mailbox databases somehow, in main.cf, that setting for mydestination, double check and make sure $mydomain is not in the list (it should only be $myhostname and localhost, assuming $myhostname is set to something other than 'audiodef.com' - I'd figured it was set to 'serverdef.audiodef.com')

give that a go, im going to try and break my setup and shed some light right quick.

----------

## audiodef

 *cach0rr0 wrote:*   

> no that's fine. that means no mailboxes have been autocreated yet, that's what i was looking to check. 

 

Gotcha.

 *cach0rr0 wrote:*   

> so let's do this:
> 
> ```
> ...

 

Check. Still not. 

 *cach0rr0 wrote:*   

> also, just in case this is throwing anything off and corrupting our mailbox databases somehow, in main.cf, that setting for mydestination, double check and make sure $mydomain is not in the list (it should only be $myhostname and localhost, assuming $myhostname is set to something other than 'audiodef.com' - I'd figured it was set to 'serverdef.audiodef.com')

 

Check. It was set to audiodef.com, but I tried serverdef.audiodef.com - no difference. Still can't login to check email on webmaster. 

 *cach0rr0 wrote:*   

> give that a go, im going to try and break my setup and shed some light right quick.

 

I'm going to grab some chow and check back in a bit. 

I've also asked Mark at vr.org if there was anything that could be stopping things in a new server's default set up. He said no, but he offered to take a look, which is nice because they state in their FAQ that it's not what they do. I'm taking him up on that.

----------

## cach0rr0

 *audiodef wrote:*   

> Check. Still not. 

 

are you still getting the quota error? Different error in the logs? 

The 'unable to login' is a separate, final piece to this. 

One which we'll cover off as soon as Postfix is routing things to Cyrus successfully via lmtp, mailboxes are being autocreated, etc. 

The login piece may be as simple as updating the SQL query to adjust to some change in the cyrus auxprop mechanism - but until we have mail flowing/routing/etc no point in covering off the login. 

Soon as the guys from work stop bothering me I'm going to go through the entire install on a spare box and see what i can find.

----------

## cach0rr0

ok, i can repro the login failure error

However, on a brand new virgin install, the lmtp routing is fine. 

I'm going to keep digging, there are some changes we're going to have to make and I'm sorting out exactly which ones. 

stay tuned

EDIT: bingo

cyrus-sasl for me was built without mysql support

and upon login, i was getting these errors in auth.log

```
_sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
```

I set up my package.use like so, and re-emerged cyrus-sasl:

```
# cat /etc/portage/package.use/sasl 
dev-libs/cyrus-sasl berkdb crypt gdbm pam ssl mysql
```

Restarted postfix, restarted cyrus. 

```
ricker log # telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=LOGIN AUTH=PLAIN SASL-IR COMPRESS=DEFLATE] ricker.whitehathouston.com Cyrus IMAP v2.3.16 server ready
01 login webmaster@audiodef.com password
01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH] User logged in
02 logout
* BYE LOGOUT received
02 OK Completed
Connection closed by foreign host.
```

I'll update the doc for this.

----------

## cach0rr0

also, FYI, this is the main.cf I'm using:

```
queue_directory = /var/spool/postfix
message_size_limit = 102400000
mailbox_size_limit = 1024000000
command_directory = /usr/sbin
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
default_privs = nobody
myhostname = serverdef.audiodef.com
mydomain = audiodef.com
virtual_mailbox_domains = audiodef.com
myorigin = $myhostname
alias_maps = mysql:/etc/postfix/validate.cf
virtual_mailbox_maps = mysql:/etc/postfix/validate.cf
mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
virtual_transport = lmtp:unix:/var/imap/socket/lmtp
inet_interfaces = all
mydestination = $myhostname, localhost
local_recipient_maps = $alias_maps, $virtual_mailbox_maps
unknown_local_recipient_reject_code = 550
mynetworks = 75.148.243.88/29, 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = yes
mail_spool_directory = /var/spool/mail
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 20
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_ask_ccert = no
smtpd_tls_loglevel = 1
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination
biff = no
empty_address_recipient = MAILER-DAEMON
tls_random_source = dev:/dev/urandom
smtp_tls_note_starttls_offer = yes
readme_directory = no
sample_directory = /etc/postfix
html_directory = no
manpage_directory = /usr/local/man
```

I guess the only other thing worth noting, which is completely unrelated to this, I omitted queue_minfree, since Postfix has a sensible default for that set already if you leave it out. Doc updating accordingly.

----------

## cach0rr0

Spotted another error that will cause authenticated SMTP relay to fail 

/etc/sasl2/smtpd.conf

remove the extra quotes around the '@' sign

e.g. change

```
sql_select: SELECT plainpass FROM aliases WHERE email = '%u'@'%r'
```

to

```
sql_select: SELECT plainpass FROM aliases WHERE email = '%u@%r'
```

the rest of the guide is devoid of this mistake

So at the moment I've tested:

- lmtp communication between postfix and cyrus is successful
- autocreate is working fine as a result of the above
- login to IMAP is no longer failing now that I've built cyrus-sasl with 'mysql' USE enabled 
- authenticated SMTP relay ("ESMTP auth") is now working, after correcting the typo in /etc/sasl2/smtpd.conf

----------

## audiodef

I think I found the problem:

```
Apr 19 12:11:49 serverdef imaps[3517]: sql auxprop plugin using mysql engine
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin Parse the username webmaster
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin try and connect to a host
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin trying to open db 'maildb' on host 'localhost'
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin Parse the username webmaster
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin try and connect to a host
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin trying to open db 'maildb' on host 'localhost'
Apr 19 12:11:49 serverdef imaps[3517]: begin transaction
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin create statement from userPassword webmaster serverdef
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin doing query SELECT plainpass FROM aliases WHERE email = 'webmaster@serverdef';
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin: no result found
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin create statement from cmusaslsecretPLAIN webmaster serverdef
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin doing query SELECT plainpass FROM aliases WHERE email = 'webmaster@serverdef';
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin: no result found
Apr 19 12:11:49 serverdef imaps[3517]: commit transaction
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin Parse the username webmaster
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin try and connect to a host
Apr 19 12:11:49 serverdef imaps[3517]: sql plugin trying to open db 'maildb' on host 'localhost'
Apr 19 12:11:52 serverdef imaps[3517]: sql plugin Parse the username webmaster
Apr 19 12:11:52 serverdef imaps[3517]: sql plugin try and connect to a host
Apr 19 12:11:52 serverdef imaps[3517]: sql plugin trying to open db 'maildb' on host 'localhost'
Apr 19 12:11:52 serverdef imaps[3517]: sql plugin Parse the username webmaster
Apr 19 12:11:52 serverdef imaps[3517]: sql plugin try and connect to a host
```

I'm sure "webmaster@serverdef" leapt out at you as it did at me. 

So this means I have to change something somewhere so that it's looking for "webmaster@audiodef.com" instead.

/etc/conf.d/hostname = serverdef. Should I change that to audiodef.com?

----------

## audiodef

/var/imap/domain still doesn't exist, but!

It doesn't look like I'm getting the quota errors any longer. 

I already had cyrus built with the correct use flags, but I copied over the latest main.cf you posted (changed the IP address and removed the 29), changed serverdef.audiodef.com to just audiodef.com, changed the mail@localhost password to access maildb and the corresponding conf files that password shows up in (not necessary in hindsight, I was just poking around and troubleshooting in case I made a simple typo somewhere), updated smtpd.conf to remove the extra quotes, restarted everything, and now I do not get a login error. 

I just had my gf, who was sitting next to me at her computer while I was typing this, send me a test email from her account and it went through! 

Break out the beer, bro. 

Now I need to create mailboxes for my accounts to replace what I'd been doing with Godaddy. Sending a test email from my regular @audiodef.com account didn't go through and I'm guessing it's because my MX record is expecting to do something from my VPS instead of through Godaddy now.

----------

## audiodef

Hm. I'm getting an over quota error in a different way. 

I set up a tbird account for my regular email address (I'll PM it to you if it will help for you to know it) and it promptly downloaded the spam I'd gotten. I think I'd been having Godaddy do some filtering for me, which I can address in a bit. When I tried to delete a message, tbird said nope, can't do it because you're over quota. That struck me as odd...

----------

## audiodef

Can't seem to connect to send mail. In tbird, I set as an outgoing mail server:

server name: audiodef.com

port 465

SSL/TLS

normal pass

user webmaster@audiodef.com

Did I do this wrong?

----------

## cach0rr0

 *audiodef wrote:*   

> I'm sure "webmaster@serverdef" leapt out at you as it did at me. 

 

If you try and login with simply 'webmaster', cyrus will append a default realm to the login string (in this case serverdef)

if you try to login with the full 'webmaster@audiodef.com', it should take it exactly as you type it 

I just tested with the guinea pig account i had you create me earlier, and that seemed to take ok far as inbound mail goes. 

I sent myuser@audiodef an email from my other account, and it's there in Thunderbird

Sent a message *from* myuser@ to my other account, still waiting on it, but it may be caught in my company's filters  :Smile: 

----------

## cach0rr0

 *audiodef wrote:*   

> Can't seem to connect to send mail. In tbird, I set as an outgoing mail server:
> 
> server name: audiodef.com
> 
> port 465
> ...

 

Should be on port 25 still (SMTPS is something entirely different) using STARTTLS

Whereas IMAP should be on port 993, using SSL/TLS (though, as you have it set up now, port 143 without any SSL of any sort works)

----------

## audiodef

Thus far, Thunderbird just times out while trying to connect to audiodef.com to send mail, even with STARTTLS on port 25.

----------

## audiodef

Another thing that's bugging me is before I set up postfix, I was using 27% of my server's storage allotment. Now it's 46%. I don't think this should be taking up that much room.   :Shocked: 

I'm also getting the over quota message in mail.log again.

Went to /var/imap/db and noticed that du -h db shows 45M. I shouldn't have 45M worth of mail!   :Shocked:  The db.backup files are each 11M.

----------

## audiodef

Alright... I've enabled pop3s because I don't need to be able to access my email from anywhere and I do need to be conservative about server storage. With that, I've gotten my regular mailboxes in Thunderbird working, plus the new webmaster@. But that's only for receiving. I'm still not able to send despite playing with a variety of settings for the outgoing mail server. 

Once I can solve that and figure out what's eating several GB of space, I'd be all set.

----------

## audiodef

Really helpful folks at vr.org.   :Cool: 

Mark added

```
smtps inet n - n - - smtpd
```

To /etc/postfix/master.cf. I can now send mail to myself, but send fails when I try to send mail to other domains. I get a 5.7.1 relay access denied error.

----------

## audiodef

I wonder if this is something I need to pay attention to.

----------

## cach0rr0

 *audiodef wrote:*   

> I wonder if this is something I need to pay attention to.

 

only in the sense that authentication in general is the crux of the relaying denied issue 

you were getting relay denied because no auth was provided, and the recipient domain was non-local. 

One thing to remember when setting up authentication on your mail client, just like with the imap login, it has to be the full 'user@domain' and not just 'user'

'course, soon as you're happy with the new setup, need to kill off the other two MX records, and leave just 'audiodef.com' - i actually added a transport table to my postfix install here so that mail to your domain would have a hard-coded path, otherwise it might have ended up at smtp.secureserver.net  :Smile: 

----------
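The relay decision cach0rr0 describes, as an added example that is not part of the thread: a simplified Python model of how smtpd walks the smtpd_recipient_restrictions from the main.cf posted above (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination) and then applies the local recipient check. The mynetworks, mydestination and virtual_mailbox_domains values are the posted ones; the recipient table and client addresses are constructed, and real Postfix evaluates more than this (other restriction lists, DNS and HELO checks are ignored here).

```python
import ipaddress

# Values from the main.cf posted in the thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("75.148.243.88/29", "127.0.0.0/8")]
LOCAL_DOMAINS = {"serverdef.audiodef.com", "localhost"}   # mydestination
VIRTUAL_DOMAINS = {"audiodef.com"}                         # virtual_mailbox_domains
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]

# Constructed stand-in for the MySQL lookup behind local_recipient_maps.
KNOWN_RECIPIENTS = {"webmaster@audiodef.com", "damien@audiodef.com"}


def check_rcpt(client_ip, sasl_user, recipient, restrictions=RESTRICTIONS):
    """Return (accepted, smtp_reply) for one RCPT TO, mimicking smtpd's order.

    Restrictions run left to right and the first permit/reject decides. A permit
    only settles the relay question: mail for a domain this server hosts is still
    checked against the local recipient table (unknown_local_recipient_reject_code = 550).
    """
    domain = recipient.rpartition("@")[2].lower()
    is_local = domain in LOCAL_DOMAINS or domain in VIRTUAL_DOMAINS
    ip = ipaddress.ip_address(client_ip)

    decision = None
    for rule in restrictions:
        if rule == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            decision = "permit"
        elif rule == "permit_sasl_authenticated" and sasl_user:
            decision = "permit"
        elif rule == "reject_unauth_destination" and not is_local:
            decision = "reject"
        elif rule == "permit":           # unconditional permit: see the open-relay case below
            decision = "permit"
        if decision:
            break

    if decision == "reject":
        return False, f"554 5.7.1 <{recipient}>: Relay access denied"
    if is_local and recipient.lower() not in KNOWN_RECIPIENTS:
        return False, (f"550 5.1.1 <{recipient}>: Recipient address rejected: "
                       "User unknown in local recipient table")
    return True, "250 2.1.5 Ok"


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", None, "webmaster@audiodef.com"),   # inbound to a hosted mailbox
        ("192.0.2.10", None, "singer@audiodef.com"),      # address probe, like the log above
        ("192.0.2.10", None, "friend@example.org"),       # unauthenticated relay attempt
        ("192.0.2.10", "webmaster@audiodef.com", "friend@example.org"),  # authed client
        ("127.0.0.1", None, "friend@example.org"),        # local submission via mynetworks
    ]
    for ip, user, rcpt in cases:
        print(ip, user or "-", rcpt, "->", check_rcpt(ip, user, rcpt)[1])
    # Leaving out reject_unauth_destination in favour of a bare permit makes the
    # host an open relay: anyone can send to any domain through it.
    print("open relay:", check_rcpt("192.0.2.10", None, "friend@example.org", ["permit"]))
```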

## audiodef

I'm a little confused. I thought I did provide appropriate authentication by entering "webmaster@audiodef.com" and not just "webmaster". I listed my entry for my Thunderbird outgoing mail settings above. Is there something else I need to do?

----------

## audiodef

*plays bugle*

Everything works now. I just had to use smtp.audiodef.com instead of audiodef.com. 

Let me shake your hand vigorously and buy you a virtual beer.   :Very Happy: 

----------

## audiodef

I still want to know what's taking up so much space, especially when I do not store mail on the server.   :Question: 

----------

## audiodef

Oh, and I've taken Gosmackyerdaddy out of my MX records. This is awesome. Now watch me fuck it up.   :Razz:   :Razz:   :Razz: 

----------

## cach0rr0

 *audiodef wrote:*   

> I'm a little confused. 

 

this is what happens when I try to reply before I've had my daily dose of nicotine - I reply with confusing limericks! Awful habit (the nicotine, not the limericks), but cripes am I incoherent without it.

 *audiodef wrote:*   

> I thought I did provide appropriate authentication by entering "webmaster@audiodef.com" and not just "webmaster". I listed my entry for my Thunderbird outgoing mail settings above. Is there something else I need to do?

 

you were. are? were/are?

Just that there's two places to authenticate:

- send 'webmaster@audiodef.com' auth data to IMAP (or POP) for reading mail
- send 'webmaster@audiodef.com' auth data to Postfix, so that you can use the Postfix daemon to send mail to external domains

 *audiodef wrote:*   

> Everything works now. I just had to use smtp.audiodef.com instead of audiodef.com

 

hrm. strange. the test account setup i have on thunderbird, for both incoming and outgoing mail server, i specify simply 'audiodef.com', and as the username I use 'theunmentionedtestaccount@audiodef.com' - meaning, i don't use smtp.audiodef.com anywhere. As far as the username you send to Cyrus or Postfix for authentication, so long as that username exists in the 'aliases' table, it shouldn't matter. 

 *audiodef wrote:*   

> I still want to know what's taking up so much space, especially when I do not store mail on the server.

 

If you want to not store mail on the server, you need to use POP rather than IMAP (that's actually a fairly easy change to make, if you want to go that route - just a quick change to cyrus.conf). The downside with POP of course being, the pitfalls I mentioned earlier - if you don't store mail on the server, if you read mail on one machine, you can't turn around later and try reading those same messages from another machine, or phone, or what have you, unless you specifically tick "leave a copy of messages on server". The main difference between this and courier, is that with the courier HOWTO you have a /home/vmail directory underneath which are 80 zillion subfolders, one for each email address, and inside each subfolder are your messages, one file per message. IMHO this is not only inefficient and slow, never mind not being particularly scalable nor flexible, but it adds a requirement of an additional SQL lookup to determine which subdirectory to store the mail in under /home/vmail. 

Nonetheless, tried the usual method of du / -h --max-depth=1 then walking up and up and up from there? 

 *audiodef wrote:*   

> Oh, and I've taken Gosmackyerdaddy out of my MX records. This is awesome. Now watch me fuck it up

 

Should be safe enough to do at this stage. Give it a day or two of testing, but now that the screwy LMTP issues are sorted out, it should "just work" for a good long while.

----------

## audiodef

I would think that even with imap enabled, if I use pop, it would get the messages off the server. So why would db.0005 or whatever it's called weigh 40M? 

Hm... some hefty log files. I need to look up how to configure syslog-ng to limit log file sizes. Removing some files (I'm assuming they'll just be recreated anew, hence the need to look up config options for syslog-ng) drastically reduced disk usage. It's still high, though. 

I need to ask Mark if my server options are correctly configured. / is 3.9G and df says I'm using 44% but I'm supposed to have a 16G disk size. That does not add up...

----------

## cach0rr0

 *audiodef wrote:*   

> I would think that even with imap enabled, if I use pop, it would get the messages off the server. So why would db.0005 or whatever it's called weigh 40M? 

If you use POP, the messages will indeed be removed from the server, unless you tell your mail client not to. 

As far as the db files, I wouldn't wager yours will get much bigger than they already are. Mine's been in production for a couple years now, biggest file is 41MB. 

 *audiodef wrote:*   

> Hm... some hefty log files. I need to look up how to configure syslog-ng to limit log file sizes. Removing some files (I'm assuming they'll just be recreated anew, hence the need to look up config options for syslog-ng) drastically reduced disk usage. It's still high, though. 

emerge logrotate, then set it to rotate the logs daily (it will set up the cron job automatically, assuming you've already merged a cron daemon)

 *audiodef wrote:*   

> I need to ask Mark if my server options are correctly configured. / is 3.9G and df says I'm using 44% but I'm supposed to have a 16G disk size. That does not add up...

Could be inode usage at 44%. Already cleaned out /usr/portage/distfiles and /var/tmp/portage? 

I'd also get a bit of spam filtering set up sooner rather than later, for relatively old domains spam is going to make up the vast majority of your mail traffic. 

The more spam you drop rather than quarantine, all the better; this is why I have multiple RBL's running.

----------

## audiodef

I just ran into a fresh problem:

```
Apr 20 10:50:03 serverdef sshd[2890]: Server listening on 0.0.0.0 port 22.
Apr 20 10:50:03 serverdef sshd[2890]: Server listening on :: port 22.
Apr 20 10:50:09 serverdef sshd[3022]: SSH: Server;Ltype: Version;Remote: 71.191.169.85-36819;Protocol: 2.0;Client: OpenSSH_5.8p1-hpn13v10
Apr 20 10:50:09 serverdef saslauthd[3092]: detach_tty      : master pid is: 3092
Apr 20 10:50:09 serverdef saslauthd[3092]: ipc_init        : listening on socket: /var/lib/sasl2/mux
Apr 20 10:50:12 serverdef sshd[3022]: Accepted keyboard-interactive/pam for root from 71.191.169.85 port 36819 ssh2
Apr 20 10:50:12 serverdef sshd[3022]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 20 10:51:02 serverdef pop3s[3494]: sql auxprop plugin using mysql engine
Apr 20 10:51:02 serverdef pop3s[3495]: sql auxprop plugin using mysql engine
Apr 20 10:51:02 serverdef pop3s[3496]: sql auxprop plugin using mysql engine
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin Parse the username webmaster
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin try and connect to a host
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin trying to open db 'maildb' on host 'localhost'
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin Parse the username webmaster
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin try and connect to a host
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin trying to open db 'maildb' on host 'localhost'
Apr 20 10:51:02 serverdef pop3s[3494]: begin transaction
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin create statement from userPassword webmaster serverdef
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin doing query SELECT plainpass FROM aliases WHERE email = 'webmaster@serverdef';
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin: no result found
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin create statement from cmusaslsecretPLAIN webmaster serverdef
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin doing query SELECT plainpass FROM aliases WHERE email = 'webmaster@serverdef';
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin: no result found
Apr 20 10:51:02 serverdef pop3s[3494]: commit transaction
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin Parse the username webmaster
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin try and connect to a host
Apr 20 10:51:02 serverdef pop3s[3494]: sql plugin trying to open db 'maildb' on host 'localhost'
Apr 20 10:51:02 serverdef pop3s[3495]: sql plugin Parse the username damien
```

This happened after I rebooted the server to see if that would clear up df incorrectly reporting disk usage - it worked, but now mail is bjorked somehow. I'm now getting auth failure for all of my mailboxes. I've changed nothing - merely rebooted the server.   :Crying or Very sad: 

It seems like it's going back to checking for "serverdef" instead of "audiodef.com"... but I haven't changed anything since it was finally working.

----------

## audiodef

Seems like I have to have /etc/conf.d/hostname set to "audiodef.com", not "serverdef". We are now back in action!

----------

## audiodef

Just looking ahead here... I'll be hosting my gf's web site and her email on my setup. She has her own domain. Is there anything special I need to do in light of discovering that hostname needed to be set to audiodef.com to get her email working with her domain, which is not audiodef.com?

----------

## cach0rr0

 *audiodef wrote:*   

> Seems like I have to have /etc/conf.d/hostname set to "audiodef.com", not "serverdef". We are now back in action!


Shouldn't matter. That's what I was getting at - you have to pay special attention to what you put in your 'username' settings inside e.g. thunderbird

If you just put, for example, 'cach0rr0', then it is going to try and append a default domain/realm. 

If I put 'cach0rr0@audiodef.com', then it will NOT try to append a default domain/realm

Having said that, you can add this to imapd.conf:

```
defaultdomain: audiodef.com
```

What this does - if a user merely provides 'cach0rr0' as their IMAP username, it will automatically append '@audiodef.com'

Postfix has a similar setting, for people who try to do authenticated mail relay but only provide 'username' instead of 'username@domain.com': http://www.postfix.org/postconf.5.html#smtpd_sasl_local_domain

I omitted this in the guide, largely because this is contrary to the idea of 'virtual hosting' with email. The idea is supposedly that you have more than one domain you host mail for, and as such the *user* needs to specify the domain, instead of your IMAP/SMTP systems just assuming which domain the user is wanting. If you're only going to host mail for 'audiodef.com' and subdomains (e.g. '*.audiodef.com'), you don't even need to do the 'virtual hosting' nonsense. In fact, you don't even need a database (though it does make some things easier). If you host multiple domains, you need some semblance of virtual domains, and you need the user to provide the domain name rather than having one as a default - for example, I have company A, company B, both have a user name 'chris'. In such a case, since they're two different people, mail for 'chris@companya.com' needs to go to a different mailbox from 'chris@companyb.com'. To that same end, those two different people will have different passwords for checking email - enter 'virtual hosting' (I hate this term, but I suppose it seems to fit)

Basically, if I only handle mail for one domain (in my example, whitehathouston.com), I can set a default domain inside both Postfix and Cyrus, and provide only the username 'meat' like so:

http://ompldr.org/vOGN1cQ/imapwhh.png

Because Postfix/Cyrus will append the @whitehathouston.com to that (as dictated by smtpd_sasl_local_domain in main.cf, and defaultdomain in imapd.conf)

Whereas if I handle multiple domains, where 'meat' at one domain is a different person/mailbox from 'meat' at another domain, it has to be like so:

http://ompldr.org/vOGN1cw/imapvirtual.png

Hope that makes sense somewhat?

----------

## cach0rr0

 *audiodef wrote:*   

> Just looking ahead here... I'll be hosting my gf's web site and her email on my setup. She has her own domain. Is there anything special I need to do in light of discovering that hostname needed to be set to audiodef.com to get her email working with her domain, which is not audiodef.com?


ha! I posted my last reply before I saw this post. 

Though, my last reply does explain it. I'm actually glad you're going to be doing another domain, so I didn't have you go through an unnecessary level of complexity this whole time  :Laughing: 

----------

## audiodef

Heh... you must be psychic! 

OK, here's the problem. I've been specifying user@domain.com all along in Thunderbird, and yet, mail will not work until I've set hostname="audiodef.com". 

So I've missed something somewhere. I did read your latest post carefully, but I'm not seeing what I'm missing...

Also, I don't have an imapd.conf anywhere. Should I?

----------

## cach0rr0

 *audiodef wrote:*   

> Heh... you must be psychic! 
>
> OK, here's the problem. I've been specifying user@domain.com all along in Thunderbird, and yet, mail will not work until I've set hostname="audiodef.com". 

Thunderbird has a neat habit of truncating things; revisit Server Settings, as well edit the settings under Outbound Servers. Even if you specify 'user@domain' on the initial setup as your email address, Thunderbird assumes you just use 'user' for auth, so it saves it as such. 

You can do the same tests via telnet actually

```
telnet localhost 143
01 login someuser@audiodef.com theirpassword
#this should log you in successfully
02 logout
```

I know the server portion is functional, because I can do the tests via both telnet and with a thunderbird instance here on that test account, and it lets me in  :Smile: 

To that same end, check your logs and you'll see my logins. Obv my logins aren't successful because of anything I'm doing differently on the server, as I'm not *on* the server  :Smile: 

 *audiodef wrote:*   

> Also, I don't have an imapd.conf anywhere. Should I?

you should have an /etc/imapd.conf on the server yeah

----------

## audiodef

OK, I see imapd.conf. I must not have had my morning coffee when I checked earlier. Of course it's there - I put it there. 

I may have to consider using something other than Thunderbird if I'm already adding the correct entries and Thunderbird is doing something I did not tell it to do. My server settings are correct. If Thunderbird is sending out something other than what I put in - time to kiss that buggy program good-bye.

----------

## cach0rr0

I'd test with telnet just to be certain

But testing here via telnet all is well, testing here with thunderbird-bin 3.1.9 seems well

might PM me a screencap of your Server Settings (Edit=>Account Settings)

As well a screencap of 'Outgoing Server (SMTP)'

If that all looks kosher, toss my hands up, let's try another client.

----------

## audiodef

I tried another client anyway - claws-mail. 

Exactly the same thing happened. Despite using user@audiodef.com instead of just user, I got an auth failure if I did not set the hostname to audiodef.com. 

I've changed it to serverdef and left it there. Are you able to use the test account I created for you? It's still in there.

----------

## audiodef

I just noticed that I can't telnet audiodef.com 25. On the server, I can telnet localhost 25. 

I also just noticed that pinging audiodef.com elicits a response from serverdef.audiodef.com regardless of what hostname is set to. I have both audiodef.com and serverdef associated with my IP address in /etc/hosts, but I don't think that's it, as there is no serverdef.audiodef.com in that file.

----------

## Anarcho

 *audiodef wrote:*   

> I just noticed that I can't telnet audiodef.com 25. On the server, I can telnet localhost 25. 
> 
> I also just noticed that pinging audiodef.com elicits a response from serverdef.audiodef.com regardless of what hostname is set to. I have both audiodef.com and serverdef associated with my IP address in /etc/hosts, but I don't think that's it, as there is no serverdef.audiodef.com in that file.


The hostname comes from the reverse DNS lookup, see:

```
T410 ~ $ nslookup 209.177.157.239
Server:      192.168.2.1
Address:   192.168.2.1#53

Non-authoritative answer:
239.157.177.209.in-addr.arpa   name = serverdef.audiodef.com.
```

----------

## audiodef

What's also interesting is that I just noticed I cannot log in to get mail if hostname != audiodef.com AND my IP address in /etc/hosts != serverdef.audiodef.com. 

Actually, I have to leave hostname = audiodef.com for now because I need to stay on top of mail to make plans with friends for this weekend, but I would like to set aside a time for you (cach0rr0) to be able to try to login with hostname set to something other than audiodef.com so we can make sure this is working correctly.

----------

## cach0rr0

 *audiodef wrote:*   

> Actually, I have to leave hostname = audiodef.com for now because I need to stay on top of mail to make plans with friends for this weekend, but I would like to set aside a time for you (cach0rr0) to be able to try to login with hostname set to something other than audiodef.com so we can make sure this is working correctly.

soon as you're ready to set it to something seemingly non-functional, give me a shout. 

Cyrus will, flat-out, not change the login string you give it, unless you provide it a login string that does not contain a realm (rather, a 'domain', but in auth nomenclature called a realm). 

If you give it a realm, it doesn't care what your hostname is set to,what you have in /etc/hosts, it will use the realm/domain you've provided. The hierarchy goes like so:

-if the user provides a domain name in the login string, no further lookups are done, it uses the user-provided domain name 

(ex: user@domain => unmodified)

-if the user provides no domain name, it will append the domain name specified in 'defaultdomain' (setting in imapd.conf) 

(ex: user => user + @ + $defaultdomain)

-if the user provides no domain name, and 'defaultdomain' is not set, it will append the server's hostname value 

(ex: user => user + @ + `hostname`)

If your IMAP client is providing a domain on the login string, those external lookups will not be done at all, full stop. 

Postfix has a similar hierarchy:

-if the user provides a domain name, the domain name will be used

ex:

```
openssl s_client -connect audiodef.com:25 -starttls smtp
EHLO somehost.somedomain.tld
AUTH LOGIN
base64_encode(user@domain.com) => unmodified
base64_encode(password)
```

-if the user provides only a username, and no realm, if smtpd_sasl_local_domain is set in main.cf, it will append smtpd_sasl_local_domain

ex:

```
openssl s_client -connect audiodef.com:25 -starttls smtp
EHLO somehost.somedomain.tld
AUTH LOGIN
base64_encode(user) => base64_encode(user + @ + $smtpd_sasl_local_domain)
base64_encode(password)
```

-if the user provides only a username, and smtpd_sasl_local_domain is not set in main.cf, it will append your system's hostname

ex:

```
openssl s_client -connect audiodef.com:25 -starttls smtp
EHLO somehost.somedomain.tld
AUTH LOGIN
base64_encode(user) => base64_encode(user + @ + `hostname`)
base64_encode(password)
```

If you're doing a "virtual hosting" type scenario, you don't ever want the lookups to external settings to be done (e.g. you don't want it to look up main.cf/imapd.conf settings, you don't want it to look up `hostname`). And it won't, if your IMAP/SMTP client is providing a domain as part of the login string.
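The realm hierarchy laid out above, modelled in Python as an added example (not code from this thread, nor from Cyrus or Postfix): a realm the client supplies wins, otherwise the configured default ('defaultdomain' / 'smtpd_sasl_local_domain'), otherwise `hostname`. The `aliases_lookup_key` helper reproduces the aliases-table query text seen in audiodef's pop3s log, and `audit_logins` is a hypothetical check that flags logins which would fall through to an external lookup; the thread later finds the real 'defaultdomain' setting misbehaves, so this models the documented order, not what audiodef's install actually did.

```python
"""Realm resolution for SASL login strings (added example, not from the thread
or from Cyrus/Postfix source). Models the three-step order described above."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Resolution:
    login: str   # realm-qualified login the daemon will actually authenticate
    source: str  # which rule supplied the realm: "client", "config" or "hostname"


def resolve_realm(login: str, config_default: Optional[str],
                  system_hostname: str) -> Resolution:
    """Apply the hierarchy to one login string."""
    user, sep, domain = login.partition("@")
    if sep and domain:
        # Rule 1: the client supplied a realm; no external lookup is done at all.
        return Resolution(login, "client")
    if config_default:
        # Rule 2: bare username, append the configured default.
        return Resolution(f"{user}@{config_default}", "config")
    # Rule 3: no configured default either, fall back to `hostname`.
    return Resolution(f"{user}@{system_hostname}", "hostname")


def cyrus_login(login: str, imapd_conf: Dict[str, str],
                system_hostname: str) -> Resolution:
    """IMAP/POP side: imapd.conf 'defaultdomain' is the configured default."""
    return resolve_realm(login, imapd_conf.get("defaultdomain"), system_hostname)


def postfix_login(login: str, main_cf: Dict[str, str],
                  system_hostname: str) -> Resolution:
    """SMTP AUTH side: main.cf 'smtpd_sasl_local_domain' is the configured default."""
    return resolve_realm(login, main_cf.get("smtpd_sasl_local_domain"),
                         system_hostname)


def aliases_lookup_key(resolution: Resolution) -> str:
    """The query the SQL auxprop plugin logs for this login (text only, nothing
    here talks to a database). With hostname=serverdef and a bare 'webmaster'
    login this yields the 'webmaster@serverdef' lookup from audiodef's log."""
    return f"SELECT plainpass FROM aliases WHERE email = '{resolution.login}';"


def audit_logins(logins: Sequence[str], hosted_domains: Sequence[str],
                 config_default: Optional[str], system_hostname: str) -> List[str]:
    """Hypothetical virtual-hosting check: report every login whose realm had to
    come from somewhere other than the client, and every resolved realm that is
    not a domain this server hosts (which is what the failed logins looked like)."""
    hosted = {d.lower() for d in hosted_domains}
    problems: List[str] = []
    for login in logins:
        r = resolve_realm(login, config_default, system_hostname)
        if r.source != "client":
            problems.append(f"{login!r}: realm came from {r.source} -> {r.login}")
        realm = r.login.rpartition("@")[2].lower()
        if realm not in hosted:
            problems.append(f"{login!r}: resolved realm {realm!r} is not a hosted domain")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the two cases from the thread side by side.
    for login in ("webmaster", "damien@audiodef.com"):
        r = cyrus_login(login, {}, "serverdef")
        print(f"{login:25} -> {r.login:30} (realm from {r.source})")
        print("   ", aliases_lookup_key(r))
    for problem in audit_logins(["webmaster"], ["audiodef.com"], None, "serverdef"):
        print("audit:", problem)
```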

----------

## audiodef

That's a really good explanation, thanks.   :Cool: 

I'll try to remember to switch hostname before going to bed tonight - usually around 0300 GMT at the latest. I'll reset it Saturday around 1300-1400 GMT to check my mail. 

Saturday I'm going to be out for a while starting at 2200 GMT. I'll not be needing mail until Sunday 1300 or 1400 GMT. I'll try to remember to have hostname set to something other than "audiodef.com" before I go out. 

Hopefully, you can poke around somewhere in there. 

*All times in GMT for ease of translating across time zones, daylight savings, wormholes, temporal anomalies, and (insert demographic category) time.*

----------

## audiodef

OK, I'm done with mail for the night. I just changed hostname to serverdef and checked - nope, can't login from Thunderbird or claws-mail with user@domain.com. 

Let me know if you're able to use your test account to send and receive.

----------

## cach0rr0

ok, it's Fri Apr 22 18:38:43 CDT 2011 right now, just got back from epic steak dinner

tried a handful of logins:

-SMTP authentication is working fine

-IMAP authentication is not

can you ship me your logs (auth.log and mail.log ) and the contents of imapd.conf (with password and username for SQL nuked obv)?

----------

## cach0rr0

actually...

I don't know why it's working this way, but I'm testing here, and I can reproduce the behavior you describe if I have 'defaultdomain' set in imapd.conf

If I remove this setting completely, everything works fine. 

See the following: 

http://ompldr.org/vOGR1ZQ/nodefaultdom.png

http://ompldr.org/vOGR1Zg/defaultdom.png

EDIT:

Looks like we're not alone. 

http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg37017.html

That seems very broken. Easy to work around, but very broken. 

Remove 'defaultdomain', and set:

```
servername: serverdef.audiodef.com
```

in /etc/imapd.conf

----------

## audiodef

So that was the culprit. I just knew it was going to be a small thing. 

I'm now ready to tackle throwing spamassassin and clam into the mix!   :Very Happy: 

Thanks once again, dude. You rock!

----------

## audiodef

 *cach0rr0 wrote:*   

> EDIT:
>
> Looks like we're not alone. 
> ...

Is adding servername necessary? It seems to be working without it.

----------

## cach0rr0

 *audiodef wrote:*   

> Is adding servername necessary? It seems to be working without it.

I've come to that same conclusion from reading more (and testing)

One thing it does do, according to that thread, is disable hostname lookups entirely. I don't know that this would be relevant at all, aside from a marginal performance improvement should someone mistakenly type in 'user' instead of 'user@domain' (which of course would be a failed login anyway). 

servername seems to do what defaultdomain was *supposed* to do. 

However, defaultdomain just breaks things entirely, regardless of any other settings. 

Either way, safe to leave servername out from what I can gather. Just need to ensure 'defaultdomain' is not set, that seems to be all that matters. 

I'm just really annoyed defaultdomain is not functioning as it's supposed to function per the doc. 

Oh well - long as it works! I've just flat-out removed all reference to that in the doc, which should be sufficient since people following that guide won't even know that setting exists.

I'd say kick the tires for a day or two, but now that IMAP logins are working (and well, POP logins should work as well), it should be good to go.

At some point I would also recommend you disable the non-ssl protocols in cyrus.conf, so that you only have IMAPS and POP3S. 

We've already set Postfix to only allow auth over an encryption session, so that's fine, but obv you don't want your users sending plaintext passwords over an unencrypted channel. 

They should only be connecting to 993 or 995 (IMAPS/POP3S respectively), using 'SSL/TLS' and not 'STARTTLS'

For SMTP, they'll connect to plain old port 25, using STARTTLS

----------

## audiodef

Adding domains and users sure is easy. Add an entry in maildb, make sure the domain is listed in main.cf, go to registrar, point MX to audiodef.com - voila! 

I can survive without web mail, but my gf would like it so she can check email while out on short trips where she doesn't bring her laptop. Any suggestions on setting up a web mail interface?

----------

## cach0rr0

 *audiodef wrote:*   

> I can survive without web mail, but my gf would like it so she can check email while out on short trips where she doesn't bring her laptop. Any suggestions on setting up a web mail interface?

A few cursory suggestions:

-you're primarily deciding on which interface is going to be "pretty". I've tried horde, atmail, roundcube, squirrelmail, and a handful of others. 

atmail: pretty, but sometimes buggy rendering

roundcube: pretty, but clunky

squirrelmail: very plain looking, but rock solid

horde: decent looking, pretty damn solid

If you think she'll be finicky about aesthetics, I'd probably lean towards Horde. Most of the clients that are AJAX heavy seem to have issues from what I've seen. 

-webmail clients typically have a horrid security record. To alleviate that risk, you should password-protect the directory where you store all of the php nonsense for your webmail client (typically done with an .htaccess file if using apache, but I recommend using mod_auth_imap - more on that in a sec). Now, instead of you having to maintain two different sets of usernames and passwords, there's actually an Apache IMAP authentication module - user browses to site, is prompted for username and password, they enter their login, and only if THAT is successful, can they ever even so much as touch the webmail app (at which point they'll have to provide the user/pass again - the first time they provide it to Apache to get access to the webmail software, the second they provide it to the webmail software itself). Basically, you want an attacker to have to get past a username/password prompt before they can attempt to exploit some known vuln in your webmail client software. 

the IMAP auth module is not included in apache by default; you'll need to merge www-apache/mod_auth_imap2, edit /etc/conf.d/apache2 and add -D AUTH_IMAP, then set up something like this in /etc/apache2/modules.d/10_mod_auth_imap.conf

```
<IfDefine AUTH_IMAP>
LoadModule auth_imap_module modules/mod_auth_imap.so
<Directory /www/mail.whitehathouston.com/htdocs>
        AuthBasicAuthoritative Off
        Auth_IMAP_Enabled on
        AuthName "mail.whitehathouston.com"
        AuthType Basic
        Require valid-user
        Auth_IMAP_Authoritative on
        Auth_IMAP_Server renee.whitehathouston.com
        Auth_IMAP_Port 143
        Auth_IMAP_Log on
</Directory>
</IfDefine>
```

I've set /www/mail.whitehathouston.com/htdocs as the DocumentRoot for 'mail.whitehathouston.com' in my Apache vhost settings, and the settings above say that anyone wishing to access that directory must first provide apache with a username/pass, which it will check against the IMAP server located at renee.whitehathouston.com on port 143 (I block all but SSL connections at the firewall, however I leave a non-SSL instance of cyrus listening on 143 so that servers inside my firewall - including my web server - can connect plaintext to Cyrus. This should be fine for you too, since it's not an external user connecting on 143, but rather Apache, which is located on the server itself)

-just as a general rule, not simply for webmail clients, but for the web in general, any of your sites that accept user input at all, should ideally be hidden behind such a password protection scheme, whether the password backends to IMAP, or a standard htpasswd file. Doing otherwise opens you up for exploitation, and means you have to be damn vigilant about keeping whichever webapp updated. When I have the option, I disable file uploads in PHP (breaks webmail clients if you want to attach files to emails), I build sites in pure HTML/CSS, and don't build them to accept user input. For any sites that say, backend to a database, or that have dynamically generated content (basically, if they generate content conditionally based upon the URL the user provides), I make sure anyone browsing to such a site must first provide apache with a username/password in order to get to the actual site content. For many commercial sites this isn't feasible, but for most personal/informational sites that are a bit smaller in nature, this is definitely workable, and a small price to pay for peace of mind. 

-in general, I steer away from installing webapps through portage. It just ends up being easier to manually download the source, untar it to whichever directory, and go from there. 

-you'll want to set up a CNAME record in godaddy's DNS, something like 'mail.herdomain.com', and have it point to audiodef.com. 

-I only have this site served via SSL. This is done by setting up a virtualhost entry for her domain ONLY in 00_default_ssl_vhost.conf, and not in 00_default_vhost.conf. Anyone browsing to http://mail.herdomain.com would just end up at the default vhost - audiodef.com - whereas anyone browsing to https://mail.herdomain.com, would be routed to that vhost, at which point they'd have to give apache their login details, then provide the webmail software their login details. 

And on that note, I have only one working light bulb left in the entire house. Just bought a new stash, time to replace them and clean this pig sty

----------

## cach0rr0

good lord, I didn't think I'd be typing that much when I started that post. 

whoops! probably didn't come out as particularly organized thought, but hopefully you can decrypt that (this is why for long docs, I *still* go through and do an outline first!)

----------

## audiodef

Well, it was a very well organised and lucid thought!   :Smile: 

Yeah, I manually install webapps, too. I got tired of looking for where portage put them, and then they're not even the latest. Anything that goes in htdocs I just DIY. 

I'm going to go over your explanation above some time next week. Gf's domains on Godaddy expire soon, so I'm going to get her site on my vhost and find a new registrar. I hear Godaddy bites like a bulldog, so she may have to extend service with them and then switch so there's no gap in her service/business. Hopefully, I'll find a good registrar that doesn't bullshit their customers. 

Hm, maybe you need a supply of candles, for next time you run out of light bulbs.   :Razz: 

That reminds me, I need to dig up that info on building a small solar battery. Thought of it last year and am hoping to build it this year to provide partial power to my studio. Should be fun.

----------

## audiodef

One thing I've noticed is much faster performance, and I assume this is at least in part because I'm running mail for only two people, instead of thousands.   :Cool: 

----------

## cach0rr0

 *audiodef wrote:*   

> One thing I've noticed is much faster performance, and I assume this is at least in part because I'm running mail for only two people, instead of thousands.  


Even though I haven't the slightest need for scalability with my little home setup, part of the reason I've opted for the combination of Cyrus and Postfix, is because of the exceptional scalability. 

It will certainly be speedy and snappy with a small number of users. But because of the way, especially Cyrus, indexes mailboxes, stores metadata, etc, the speed sticks around even when your needs grow. What you have is truly an "enterprise class" mail setup. 

We've really only scratched the surface of what these two are capable of, but both are flexible and scalable enough I'd doubt any need to look elsewhere in the near future. 

Just waiting to see if they decide to include the autocreate functionality in Cyrus 2.5, which is where it is on the current roadmap (2.4 is already out, so it won't make it in there)

----------

## AaronPPC

I love to recognize excellent threads and this is definitely one that riveted me.  I think it will help many people.  I feel motivated to get off my ass and build that email server I want to build.    :Smile: 

----------

## audiodef

 *AaronPPC wrote:*   

> I love to recognize excellent threads and this is definitely one that riveted me.  I think it will help many people.  I feel motivated to get off my ass and build that email server I want to build.   


All the credit goes to cach0rr0, but I'm glad I could be a part of shaping an excellent mail server guide.   :Cool: 

----------

## audiodef

I first looked up Horde. It looked like overkill, so I checked out Squirrelmail and decided on that one. My gf is a pragmatist when it comes to tech: she just wants it to work well, so she'll have no trouble with a simple interface like this. 

I just did a basic setup. Tomorrow, I'll go through your mini guide on configuring security.   :Cool: 

----------

## audiodef

OK, set up with auth_imap. It was insanely easy. Makes me wonder why it's not standard to have at least this level of security. Then again, I wonder about a lot of things.   :Razz: 

----------

## audiodef

 *cach0rr0 wrote:*   

> -I only have this site served via SSL. This is done by setting up a virtualhost entry for her domain ONLY in 00_default_ssl_vhost.conf, and not in 00_default_vhost.conf. Anyone browsing to http://mail.herdomain.com would just end up at the default vhost - audiodef.com - whereas anyone browsing to https://mail.herdomain.com, would be routed to that vhost, at which point theyd have to give apache their login details, then provide the webmail software their login details. 

If I have the mail interface on audiodef.com/squirrelmail (I don't, but thought it safer to use a fake example in a public venue), how would I make that url (just that subdir, not the TLD) only accessible via SSL?

EDIT: Come to think of it, is there really any reason why I should not just make audiodef.com an SSL site? I don't sell anything and there's no sensitive information, but it is dynamically generated.

----------

## audiodef

I finally got around to following the Content Filtering section. My gf asked how she would know whether the RBL's (which she doesn't know about, I just told her I set some filtering config options) are picking up email she wants to get by mistake, and I realised I don't know the answer to that. 

I used the config you specified for RBL's, verbatim.

----------

## darkphader

 *audiodef wrote:*   

> I finally got around to following the Content Filtering section. My gf asked how she would know whether the RBL's (which she doesn't know about, I just told her I set some filtering config options) are picking up email she wants to get by mistake, and I realised I don't know the answer to that.


By examining the logs to see what is getting rejected.

I must admit that my life is so much simpler now that I've moved myself and my clients to Google Apps. Keeping up with anti-spam tweaks can get to be a full-time job. One could spend hours for weeks (maybe months) on end and still not come close to what Google/Postini provides out-of-the-box (unbelievably low false positives or false negatives). Google Apps also provides DKIM support, even for the free version.

My Postfix/Cyrus installation is basically used for archives now.

----------

## cach0rr0

 *audiodef wrote:*   

> If I have the mail interface on audiodef.com/squirrelmail (I don't, but thought it safer to use a fake example in a public venue), how would I make that url (just that subdir, not the TLD) only accessible via SSL?

you can forcibly redirect to https via mod_rewrite, but this is among the reasons I think it's easier to just have a secondary vhost with its own alias (e.g. mail.domain.com)

 *audiodef wrote:*   

> EDIT: Come to think of it, is there really any reason why I should not just make audiodef.com an SSL site? I don't sell anything and there's no sensitive information, but it is dynamically generated.

Certificate errors. Your users may not feel like dealing with certificate errors, as well it's a small increase in resource usage doing SSL. Avoiding cert errors means paying for a cert realistically (I mean yeah, people can just accept your cert as trusted, but that only works with regular users of the site). 

You may prune out a fraction of the blind "spray and pray" type attacks out there by shifting to SSL, but it's a nominal gain in terms of protecting input. What you're more likely to stop, is the handful of bots that can be used for one attack or another, as it's not always the case an author will want to account for the extra bloat/overhead of including the necessary SSL libs in their bot. 

 *audiodef wrote:*   

> My gf asked how she would know whether the RBL's (which she doesn't know about, I just told her I set some filtering config options) are picking up email she wants to get by mistake, and I realised I don't know the answer to that. 

 

Basically, what darkphader said. Rejections will be very visibly logged in mail.log - and among the things I do like about postfix, when troubleshooting mail, dear god how important good logging is. 

If you emerge logwatch, included in its summary email will be a list of hosts that get rejected by the RBL. 

Of course, I don't like having to review that, so I've chosen conservative but effective RBL's. I could, for example, go with zen.spamhaus.org - Spamhaus Zen includes blacklist data from many sources, including the CBL list that I use, and many others. It's a very acceptably accurate list on the whole, but it isn't one I trust to reject my e-mail at the perimeter (for example, it includes the 'PBL', which is a list of dynamic/residential IP addresses - a lot of ADSL hosts in South Africa end up stuck on the PBL for some reason, and they do a poor job of keeping those .za hosts from being wrongly blacklisted)

CBL on the other hand, check out its listing policy - you basically have to be identified for absolute certain as an infected host, and one that's generating spam. It also has a no-nonsense delisting policy, so it's quick and easy for any false positives to get themselves delisted. 

More's the point, since you're rejecting these messages rather than accepting and quarantining, the sender *knows* their message didn't get through, whereas quarantine leaves them in silence. 

Now, giving the user the ability to *see* any of their incoming email that's been quarantined would be great, but to date I haven't found any decent freebie anti-spam system that actually has a decent and functional quarantine management interface. Quarantine is fine if you have it, but somewhat of a quiet black hole if you don't. And unless your quarantine management system includes something like quarantine summary digest e-mails, you'll have a difficult time training your users to actually make use of their ability to retrieve messages from quarantine. 

If you do at some point go the route of adding extra functionality (e.g. amavis/spamassassin/clamd), instead of doing quarantine for spam (viruses obv you want to delete, flat-out), even though this is something I'd never recommend in the "commercial" filtering world, I'd say you'd be better off simply tagging messages identified as spam, instead of quarantine, then showing your users how to set up rules on their mail client to automatically move messages tagged as spam to a junk folder. 

The risk there, is that the lines between spam and malware are pretty damn grey nowadays. Pretty much everything you see is a so-called "blended threat". 

Anyway, I'm already off on a tangent. I guess some of the point, is that there's a different strategy when doing "best practices" for freebie solutions, VS commercial solutions.

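Both darkphader's answer (look at the logs) and the logwatch summary mentioned above come down to the same thing: Postfix's smtpd writes one NOQUEUE reject line per RBL hit, and that line names the list that matched, the connecting client and the envelope sender and recipient. The script below is an added example, not code from the thread or from the guide; it parses a few constructed log lines in the format Postfix uses for reject_rbl_client rejections, tallies them by list and by client, and prints the sender/recipient pairs so that a correspondent you actually wanted mail from stands out. The hostnames, addresses and IPs in the sample are constructed documentation values.

```python
"""Tally Postfix RBL rejections from a mail log.

Added illustration for the thread above; the log lines below are constructed
samples in the format postfix/smtpd uses for reject_rbl_client hits.
"""
import re
import sys
from collections import Counter

# Constructed sample of a Postfix mail log. Only the NOQUEUE lines that contain
# "blocked using <list>" are RBL rejections; the other lines are ordinary traffic.
SAMPLE_LOG = """\
May  3 10:12:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using cbl.abuseat.org; Blocked - see http://www.abuseat.org/lookup.cgi?ip=192.0.2.10; from=<bulk@example.net> to=<alice@example.com> proto=ESMTP helo=<mx.example.net>
May  3 10:12:05 mx postfix/smtpd[1234]: connect from mail.example.org[198.51.100.5]
May  3 10:12:06 mx postfix/smtpd[1234]: 3A2B1C0F: client=mail.example.org[198.51.100.5]
May  3 10:13:40 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from dsl-77.example.net[203.0.113.77]: 554 5.7.1 Service unavailable; Client host [203.0.113.77] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/203.0.113.77; from=<friend@example.net> to=<alice@example.com> proto=ESMTP helo=<dsl-77.example.net>
May  3 10:15:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using cbl.abuseat.org; Blocked - see http://www.abuseat.org/lookup.cgi?ip=192.0.2.10; from=<bulk@example.net> to=<bob@example.com> proto=ESMTP helo=<mx.example.net>
"""

# syslog timestamp, host, smtpd pid, then the reject text; the RBL name follows
# "blocked using" and the envelope addresses come at the end of the line.
RBL_REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<client>\S+): 5\d\d .*?"
    r"blocked using (?P<rbl>[\w.-]+);.*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_rbl_rejects(log_text):
    """Return one dict per RBL rejection: ts, client, rbl, sender, rcpt."""
    rejects = []
    for line in log_text.splitlines():
        m = RBL_REJECT.search(line)
        if m:
            rejects.append(m.groupdict())
    return rejects


def summarize(rejects):
    """Counts per list and per client, plus the distinct sender/recipient pairs."""
    return {
        "by_rbl": Counter(r["rbl"] for r in rejects),
        "by_client": Counter(r["client"] for r in rejects),
        "sender_pairs": sorted({(r["sender"], r["rcpt"]) for r in rejects}),
    }


def report(log_text):
    """Human-readable summary; the sender list is the part worth reading daily."""
    s = summarize(parse_rbl_rejects(log_text))
    out = ["Rejections per RBL:"]
    out += [f"  {rbl:24} {n}" for rbl, n in s["by_rbl"].most_common()]
    out.append("Rejections per client:")
    out += [f"  {client:40} {n}" for client, n in s["by_client"].most_common()]
    out.append("Sender -> recipient pairs rejected (look for anyone you expected mail from):")
    out += [f"  {sender} -> {rcpt}" for sender, rcpt in s["sender_pairs"]]
    return "\n".join(out)


if __name__ == "__main__":
    # Feed a real log on stdin, e.g.
    #   grep 'blocked using' /var/log/mail.log | python3 rbl_report.py
    # With no pipe attached the constructed sample is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(text))
```

The regex is deliberately anchored on the `NOQUEUE: reject: RCPT from` prefix and the `blocked using` phrase, so it ignores rejections that came from other restrictions (unknown recipient, HELO checks and so on); if you want those counted too, drop the `blocked using` clause and report on the 5xx text instead.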
----------

## cach0rr0

 *darkphader wrote:*   

> 
> 
> I must admit that my life is so much simpler now that I've moved myself and my clients to Google Apps. 
> 
> 

 

It's a solid enough service, but it has some fundamental problems that IMHO make it completely impractical for commercial use (something a handful of my clients have found out the hard way)

-support: you have pretty well zero chance of getting ahold of a live body. This simply does not fly with a paid service

-routing: every single message is treated by Google's mail systems as an outbound message. So even if you're sending something intra-office, it goes out, then comes back in. 

 *darkphader wrote:*   

> 
> 
> Keeping up with anti-spam tweaks can get to be a full-time job. One could spend hours for weeks (maybe months) on end and still not come close to what Google/Postini provides out-of-the-box (unbelievably low false positives or false negatives).

 

Depends. That actually *was* part of my full-time job for a commercial vendor for a good while, and because SpamAssassin had a nice large chunk of the same functionality available to me in terms of rules that could be written and checks that could be done, I could pretty closely mirror rules between the two (though, obviously, I couldn't really share the custom SA rules I'd written). Header tokenization - surprisingly effective, and I shall say no more. 

If you have the resources to do the research, and have a large volume of spam from which to craft your rules, you can certainly get the same rate of accuracy with a freebie filter. Where the commercial vendors win out, more than anything, is the management tools, and the amount that's just flat turnkey. 

If I ever get rich, I plan on writing heaps of shit, and contracting out some of the guys I've worked with to help writing heaps of shit, to just flat hand over to the open source community. Of course, first I have to get rich.

----------

## audiodef

 *cach0rr0 wrote:*   

> 
> 
> you can forcibly redirect to https via mod_rewrite, but this is among the reasons i think it's easier to just have a secondary vhost with its own alias (e.g. mail.domain.com)
> 
> 

 

OK. I'll work on setting it up that way. 

Here's to hoping you get rich!   :Cool: 

----------

## darkphader

 *cach0rr0 wrote:*   

> It's a solid enough service, but it has some fundamental problems that IMHO make it completely impractical for commercial use (something a handful of my clients have found out the hard way)
> 
> -support: you have pretty well zero chance of getting ahold of a live body. This simply does not fly with a paid service
> 
> -routing: every single message is treated by Google's mail systems as an outbound message. So even if you're sending something intra-office, it goes out, then comes back in. 
> ...

 

Don't know about the "live body" issue, so far email support has been fine, haven't needed to get to the phone support level.

As for the routing, not seen as an issue by any one of my clients, even those still using Exchange for an in house app, the benefit of having all messages (outbound and inbound) available from any place far outweighs the issue. Even in this case here, are we not looking at a non-locally hosted IMAP store? Not so different from "the cloud". Except we're missing the calendaring, the Google Docs equivalent, and all of the other Google services.

 *cach0rr0 wrote:*   

> If you have the resources to do the research, and have a large volume of spam from which to craft your rules, you can certainly get the same rate of accuracy with a freebie filter. Where the commercial vendors win out, more than anything, is the management tools, and the amount that's just flat turnkey.

 

Oh yes, the "resources", my point exactly. It is, at the least, a time consuming job trying to find the balance, tune the whitelist, tune the blacklist, etc. Not to mention that many screw up the basics: making sure the smtp helo name matches the A record and the PTR is in agreement, a proper SPF record and then adding DKIM to help ensure delivery.

As to the commercial vendors it's a bit more than that, it's the economies of scale. When x% of a gazillion gmail/postini/google apps users flag messages as spam you get the benefit when you're part of the system. Sometimes size does matter.

My summation is:

Running email servers is quite an experience, if you do it proper you will learn a lot but spend a lot of time doing so. When you're ready to get a life let the big boys take over and move on to learning something new.

Chris

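The "basics" darkphader lists are things you can verify for your own outbound server rather than guess at. The following script is an added example, not code from the thread or from the guide: it checks that the name your server announces in HELO resolves to the IP it sends from, that the IP's PTR record names the same host, and that the PTR name resolves back to the IP (forward-confirmed reverse DNS). The lookups are injected, so the check runs offline against constructed records; the `real_lookup_*` helpers use the system resolver and need network access.

```python
"""Check that a mail server's HELO name, its A record and its PTR record agree.

Added illustration for the thread above, not part of the guide. The lookup
functions are injected so the check runs offline against constructed records;
real_lookup_a / real_lookup_ptr use the system resolver and need network access.
"""
import socket

# Constructed forward (A) and reverse (PTR) records standing in for real DNS.
# 192.0.2.25 is set up correctly; 192.0.2.26 looks like a dynamic-pool host whose
# reverse name does not resolve back to it.
FAKE_A = {
    "mail.example.com": "192.0.2.25",
    "www.example.com": "192.0.2.25",
}
FAKE_PTR = {
    "192.0.2.25": "mail.example.com",
    "192.0.2.26": "dsl-26.example.net",
}


def real_lookup_a(name):
    """Forward lookup via the system resolver; None if the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def real_lookup_ptr(ip):
    """Reverse lookup via the system resolver; None if there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_helo_consistency(helo_name, ip, lookup_a=real_lookup_a, lookup_ptr=real_lookup_ptr):
    """Return a list of problems; an empty list means HELO, A and PTR all agree.

    Three things are checked: the HELO name must resolve to the sending IP, the
    IP's PTR must name the same host, and that PTR name must resolve back to the
    IP (forward-confirmed reverse DNS).
    """
    problems = []

    a = lookup_a(helo_name)
    if a is None:
        problems.append(f"HELO name {helo_name} has no A record")
    elif a != ip:
        problems.append(f"A record of {helo_name} is {a}, but the server sends from {ip}")

    ptr = lookup_ptr(ip)
    if ptr is None:
        problems.append(f"{ip} has no PTR record")
    else:
        if ptr.lower() != helo_name.lower():
            problems.append(f"PTR of {ip} is {ptr}, HELO name is {helo_name}")
        if lookup_a(ptr) != ip:
            problems.append(f"PTR name {ptr} does not resolve back to {ip} (not forward-confirmed)")

    return problems


if __name__ == "__main__":
    # Run against the constructed records; swap in real_lookup_a / real_lookup_ptr
    # (the defaults) and your own HELO name and IP to check a live server.
    cases = [
        ("mail.example.com", "192.0.2.25"),
        ("www.example.com", "192.0.2.25"),
        ("mail.example.com", "192.0.2.26"),
    ]
    for helo, ip in cases:
        problems = check_helo_consistency(helo, ip, FAKE_A.get, FAKE_PTR.get)
        print(f"{helo} from {ip}: {'OK' if not problems else '; '.join(problems)}")
```

The HELO name to test is whatever `myhostname` (or `smtp_helo_name`) is set to in main.cf, and the IP is the one the VPS actually sends from; for an outbound-only check that is all you need to feed in.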
----------

## cach0rr0

 *darkphader wrote:*   

> 
> 
> As for the routing, not seen as an issue by any one of my clients, even those still using Exchange for an in house app, the benefit of having all messages (outbound and inbound) available from any place far outweighs the issue. 

 

Hosted Exchange gives that same benefit. And as far as the routing goes, we helped a ~3000 user shop migrate over to Google Apps. The migration was painless and easy once we plucked the data we needed out of their directory server. All looked great. Until 3 or 4 days go by, and users start getting 30+ minute delays for internal e-mail - major problem for your average joe who's just sending an e-mail 10 feet away to someone, "hey, let's grab lunch". Ended up being a major PITA, and worse still, while this was going on there was no live body at google to get in touch with. Nevermind for a moment, when you're having e-mail delivery issues, it's not particularly great to have your sole means of communication with support be, well, e-mail. 

That much worse if you're using a different SaaS provider, and not Postini. Now, in order to e-mail someone who's 10 feet away, it goes out through ~3 google systems, hits your SaaS provider - who realistically, because of the very real danger of routing loops shouldn't ever be handling internal e-mail - loops back to google, goes through 3 more different servers, and finally makes it to its destination. 

We had to pull a German client off of Google Apps for that very reason - they were using a German data security company, and had special compliance requirements as many operations in Germany and elsewhere in Europe do, this just became an untenable compliance/DLP nightmare. 

 *darkphader wrote:*   

> 
> 
> Oh yes, the "resources", my point exactly. It is, at the least, a time consuming job trying to find the balance, tune the whitelist, tune the blacklist, etc. 

 

Interactive whitelisting/blacklisting is realistically a waste of time. A good commercial content filter is going to have some permutation of what we called "adaptive whitelisting", and well, blacklisting in and of itself has zero merit. 

 *darkphader wrote:*   

> 
> 
> Not to mention that many screw up the basics: making sure the smtp helo name matches the A record and the PTR is in agreement, a proper SPF record and then adding DKIM to help ensure delivery.
> 
> 

 

Never considered improper A/PTR/HELO a particularly good spam indicator for that very reason. I don't know of many vendors that do, most filters (both commercial ones *and* the likes of SpamAssassin actually) use that at most as a contributor to overall spam evaluation, and score it in the 5-10% range (of $triggerlevel)

 *darkphader wrote:*   

> 
> 
> As to the commercial vendors it's a bit more than that, it's the economies of scale. When x% of a gazillion gmail/postini/google apps users flag messages as spam you get the benefit when you're part of the system. Sometimes size does matter.
> 
> 

 

True enough having a larger sample set is useful, but what you'll find is:

-users often consider opt-in marketing emails to be spam, when they aren't. Users can't really be trusted to be able to identify genuine spam from solicited junk

-reporting a message that's genuine spam is meaningless if the information a vendor extracts from the message isn't up to snuff

-very few commercial vendors still use a classical bayesian system. We spent more time than anything reverse-engineering spam bots/trojans, watching their templates get downloaded realtime, and updating signatures accordingly. After a while we were able to create processes that would extract tokens from a message header in an existing/known piece of spam, look for those same tokens in an inbound mail system, and automagically update filters on the fly. You find more of this, and behavioural analysis (works beautifully for blended threats), in filters nowadays. Any other magic they purport to use is marketing tripe - makes me laugh seeing some of the shit vendors use as selling points, I'm thinking to myself "all you did was this and this and this, you coded it in a day, and it's something that's been around since the last century"

Is it useful? yes. absolutely. but the utility shouldn't be overstated. Volume itself critical? Heavens yes. But not so much on user submissions. I'd say easily 85% of the user submissions I've seen between the last company and this one, are ones we simply discard.

At any rate, like I said, not to discount the importance of scale, but pretty well every major filter out there - free or otherwise - has the same physical tools available, and pretty well any modern content filter out there is going to fetch you a 95-99% hit rate. 

What sells, normally, is an intuitive policy engine, intuitive management interface, then whatever other miscellaneous IT buzzword the manager buys into, or where someone resides in the damn Gartner "magic quadrant". 

 *darkphader wrote:*   

> 
> 
> Running email servers is quite an experience, if you do it proper you will learn a lot but spend a lot of time doing so. When you're ready to get a life let the big boys take over and move on to learning something new.
> 
> 

 

There are other big boys besides Google, and frankly their development on Postini by Google has been horribly lackluster since the acquisition. It was sad to see really - though, granted, if you're using Google Apps, it pretty much makes using anyone BUT Postini horribly impractical. 

Postini is fine as a relatively basic spam filter. As a content filter on the whole, though, that's about all it does. 

No real attachment type detection (extensions are meaningless), no recursive unpacking of attachments, no enforcement of S/MIME or PGP, no real DLP scanning, no configurable certificate validation on TLS-enabled connections, no ability to require TLSv1 Method, no ability to require TLS for specific domains, no ability to differentiate between outbound/inbound/internal scanning policy, no ability to do custom policy-based routing. All of which are hugely significant problems in compliance audits, depending on the locale. Functionality available from pretty much any major non-SaaS vendor, available from a handful of other SaaS vendors, but not Postini. Google has pretty much acquired Postini, and not bothered advancing it any further beyond a "spam filter", leaving it pretty well stuck back in ~2004. Its sole real benefit? "It's in the cloud!"

...and of course, in my case, I've been one of those other "big boys" (vendors) for the last decade and change. Not that this little Postfix/Cyrus setup is "big boy" material, but with the problems I've seen from Postini I'm not quite ready to concede victory to Google as anything at all resembling a de facto standard. They let Postini die a slow painful death, couldn't even be bothered buying up a web filtering company (they have an OEM deal with..zscaler is it?), but people will still buy it up in droves because of the promised availability (at the expense of control and security), and because it has the Google name on it. It has its own Applesque cult following.

Having said that, I'm generally a fan of Google. But they did to Postini what the product black hole Symantec seems to do with every company *it* acquires, just shoving it onto a shelf somewhere.

----------

## audiodef

It's a real shame that capitalistic behaviour kills off techno-intellectual advancement that way. I'm not saying here that "capitalism sucks" (although that's my personal opinion) - I'm actually looking at this objectively and thinking that if more of these companies were more interested in effectiveness and pragmatism and cared more about quality than quantity (not to mention obsession with The Almighty Dollar At All Costs), I might actually be a Google fan myself. They have some good ideas, but they keep doing things here and there that make me say "uh... no, thanks". 

In other words, I just wish that quality rather than making money by whatever - sometimes apparently arbitrary/random/qualitatively meaningless - means were more important to more people. It's a good business approach. If your shit works well and your products are well-liked by people who truly understand the technology, the money will follow (if you want it to). I also mean to say that I would prefer to have the general population a little more educated about computers so that companies like Microsoft don't need to try to make "all things for all people" software in order to make a buck. Goodness, Windows fails so hard and fast sometimes that I'm frequently reminded of why my Windows partition is 1. not used for anything serious (just games) and 2. not allowed to connect to the internet. In fact, I haven't even installed the driver for my NIC. 

Well, I figured I'd join the conversational melee.   :Razz: 

----------

## audiodef

 *cach0rr0 wrote:*   

> it's easier to just have a secondary vhost with its own alias (e.g. mail.domain.com)
> 
> 

 

I thought I knew how to do this, but I'm afraid I need to swallow my pride and ask. 

What I've done so far:

Put squirrelmail in /var/www/mail/htdocs (htdocs is the main squirrelmail dir; there's no subdir in htdocs except for squirrelmail's various subdirs). 

Played with settings in /etc/apache2/vhosts.d/00_default_vhost.conf. 

Created mail.conf in /etc/apache2/vhosts.d like so:

```
<VirtualHost server_name:80>
ServerAdmin my_email
DocumentRoot "/where/it/is"
<Directory "/where/it/is">
    SSLRequireSSL
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
</VirtualHost>
```

Went to godaddy and set up forwarding for mail.audiodef.com to https://audiodef.com/(subdir). 

I'm really not working from knowledge, clearly. What should I do?

----------

## audiodef

I figured it out. 

mail.conf:

```
<VirtualHost full_server_name:443>
ServerAdmin myemail
DocumentRoot "/where/it/is"
ServerName myservername
SSLEngine on
SSLCertificateFile /etc/ssl/apache2/server.crt
SSLCertificateKeyFile /etc/ssl/apache2/server.key
<Directory "/where/it/is">
    SSLRequireSSL
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
</VirtualHost>
```

I just needed to add

```
ServerName myservername
SSLEngine on
SSLCertificateFile /etc/ssl/apache2/server.crt
SSLCertificateKeyFile /etc/ssl/apache2/server.key
```

----------

## audiodef

Now I have a problem trying to set up a second virtual host with SSL. Copying my first virtual host file and changing the params, I get:

```
[Tue Apr 26 18:30:39 2011] [warn] VirtualHost (subdomain2).audiodef.com:443 overlaps with VirtualHost (subdomain1).audiodef.com:443, the first has precedence, perhaps you need a NameVirtualHost directive 
```

What do I need to do?

----------

## cach0rr0

Reckon my example might help. 

This is /etc/apache2/vhosts.d/00_default_ssl_vhost.conf

```
<IfDefine SSL>
  <IfDefine SSL_DEFAULT_VHOST>
    <IfModule ssl_module>
      Listen 443
      NameVirtualHost *:443

      <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/ssl/apache2/bauer.crt
        SSLCertificateKeyFile /etc/ssl/apache2/bauer.key
        ServerName whitehathouston.com
        ServerAlias www.whitehathouston.com
        SSLOptions StrictRequire
        SSLProtocol all -SSLv2
        DocumentRoot /www/whitehathouston.com/htdocs
        <Directory /www/whitehathouston.com/htdocs/>
          SSLRequireSSL
          Order Deny,Allow
          Allow from All
        </Directory>
      </VirtualHost>

      <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/ssl/apache2/bauer.crt
        SSLCertificateKeyFile /etc/ssl/apache2/bauer.key
        ServerName mail.whitehathouston.com
        SSLOptions StrictRequire
        SSLProtocol all -SSLv2
        DocumentRoot /www/mail.whitehathouston.com/htdocs
        <Directory /www/mail.whitehathouston.com/htdocs/>
          SSLRequireSSL
          Order Deny,Allow
          Allow from All
        </Directory>
      </VirtualHost>
    </IfModule>
  </IfDefine>
</IfDefine>
```

This is the only file in which I have anything SSL-related defined

It may well be possible one/some of your other SSL-related .conf files, if you have any, are conflicting.

----------

## audiodef

Thanks, that helped a lot.   :Smile: 

The only thing now is that my second SSL virtual host is getting a "you don't have permission to access / on this server" message.

EDIT: Which I solved with a chmod -R +x (second virtual host dir).

EDIT++: And now I see:

```
Fatal error: Unknown: Failed opening required '/var/www/db/htdocs/setup/index.php' (include_path='.:/usr/share/php5:/usr/share/php') in Unknown on line 0
```

The path to index.php is correct.   :Shocked: 

EDIT: Solved with a chown to apache.

----------

## cach0rr0

honestly, I'd cd to one level below your htdocs directory and do:

```
chown -R apache:apache htdocs/
```

First thing I do immediately after untarring a webapp and getting files where they need to be

if you still find yourself getting issues you think are related to permissions, cd to the htdocs directory and:

```
find . -type d -print0 |xargs -0 chmod 755
find . -type f -print0 |xargs -0 chmod 644
```

----------

## audiodef

Thanks for the tip. 

I've got my site up, mail, webmail, db web app behind SSL (I know you don't recommend it. Actually, I would like to have MySQL Workbench access it but not sure how to configure MySQL to allow it) and mod_auth_imap2 (hey, it's good for more than just mail!), and I'll soon do the same for my private little chat server. 

This is a real nice setup. I take my hat off to you, sir.   :Very Happy: 

----------

## cach0rr0

 *audiodef wrote:*   

> Thanks for the tip. 
> 
> I've got my site up, mail, webmail, db web app behind SSL (I know you don't recommend it. Actually, I would like to have MySQL Workbench access it but not sure how to configure MySQL to allow it) and mod_auth_imap2 (hey, it's good for more than just mail!), and I'll soon do the same for my private little chat server. 
> 
> This is a real nice setup. I take my hat off to you, sir.  

 

if your db webapp is password-protected, I wouldn't worry about it. For some people having to give login info to Apache is too annoying, so they do without it, and it's this I have a bigger problem with. If someone has to first get past a username/pass prompt before they can attack your webapp, that's fine. 

As far as giving mysql access to anything, done with a 'grant' statement followed by a 'flush privileges', e.g. "grant all privileges on *.* to 'username'@'whateverhostorIP' identified by 'whateverpass'; flush privileges;"

not sure about a chat server. I ran an ircd (inspircd + anope if i recall correctly) here a while back, but nobody used it so I killed the box. It's a bit tenuous to set up *correctly*. Don't have any particularly recent knowledge there.

----------

## audiodef

 *cach0rr0 wrote:*   

> 
> 
> not sure about a chat server. I ran an ircd (inspircd + anope if i recall correctly) here a while back, but nobody used it so I killed the box. It's a bit tenuous to set up *correctly*. Don't have any particularly recent knowledge there.

 

I'm actually all set there. I've been using a nice little program called Moha Chat. What I like is that it uses TLS - hard-coded. So it may not be necessary to put it behind SSL, but I'm going to do that anyway, plus slap a new coat of mod_auth_imap2 on it because it's just for me and my gf to use while she's at work, since I can't use a phone if I need to get a hold of her. With mod_auth_imap2, no one else will be able to wander by and sign up for shits and giggles.

----------

## audiodef

I thought I needed cname entries to set up subdomains with my setup, but apparently not!

----------

## audiodef

I noticed that in squirrelmail, the configure script is accessible in a browser (e.g. https://mail.domain.com/configure). It doesn't actually do anything, but assuming a cracker gets past mod_auth_imap2 on SSL, I would think he could do some damage with that. 

Or not? What do you think?

----------

## cach0rr0

 *audiodef wrote:*   

> I thought I needed cname entries to set up subdomains with my setup, but apparently not!

 

well, there are two ways you can do it from a DNS perspective

-add a new A record for sub.domain.com, which will point to an IP

-add a CNAME for sub.domain.com that points to a hostname, domain.com

I normally choose the latter, but, that was a habit I picked up mainly from the days I had a dynamic IP - when my IP changed, I didn't have to make but one single DNS change (even though my "dynamic DNS updater client" supposedly would have done it automagically, I'd rather not rely on that to be running 24/7)

It is, technically, fractionally quicker for non-cached lookups to do it the first way, as the DNS client only has to do a single lookup as opposed to looking up a hostname, getting a hostname as a reply, then having to look up the reply hostname's IP.

----------

## cach0rr0

 *audiodef wrote:*   

> It doesn't actually do anything, but assuming a cracker gets past mod_auth_imap2 on SSL, I would think he could do some damage with that. 
> 
> Or not? What do you think?

 

since apache doesn't know what to do with that script, it can't be executed from the web. 

now, if someone can upload their own arbitrary file, they could upload a file that executes that configure script - but then again, if they can upload an arbitrary file, they can do far more damage than that. 

So just as I wouldn't worry about it, there's no harm in removing it either.

----------

## audiodef

 *cach0rr0 wrote:*   

> 
> 
> So just as I wouldn't worry about it, there's no harm in removing it either.

 

Cool, thanks. 

I'm not going to worry about CNAME's either, except for subdomains that are publicly accessible. At the moment, I have none. 

Hey, is "cover off" Texas slang? Just curious.

----------

## cach0rr0

 *audiodef wrote:*   

> 
> 
> Hey, is "cover off" Texas slang? Just curious.

 

I have no idea. At this stage my accent, colloquialisms, slang, everything, is completely shot to hell. Some weird mix of things that've rubbed off on me between living abroad for a few years for work and having predominately foreign colleagues even while I was in the US. 

Even now that I've been back for ~2 years, just as things were starting to normalize, I ended up in a job where I spend the first half of my day speaking best I can in Spanish, or speaking intentionally choppy English that I know plugs well into a translator - by the time I start talking to regular old English speakers again in the late afternoon I have to gradually work my way up from "caveman English" to normal English  :Laughing: 

Not that it's a significant hurdle, but you'll notice it - before about 2PM, unless I pay special attention you get caveman English, couple hours later it goes back to normal.

NB: talking someone else through that guide at the moment. He exported it to PDF, the damn thing is 34 pages! 

Might as well have just written a damn book

----------

## CurtE

We can always change the font and make it 17 pages.   LOL

----------

## cach0rr0

 *CurtE wrote:*   

> We can always change the font and make it 17 pages.   LOL

 

well, to make matters worse, the whole thing was written just with vi

no fancy GUI text editor, no html editor. Just plain old vi

----------

## audiodef

 *cach0rr0 wrote:*   

> 
> 
> Even now that I've been back for ~2 years, just as things were starting to normalize, I ended up in a job where I spend the first half of my day speaking best I can in Spanish, or speaking intentionally choppy English that I know plugs well into a translator - by the time I start talking to regular old English speakers again in the late afternoon I have to gradually work my way up from "caveman English" to normal English 
> 
> 

 

 :Laughing: 

I tend to allow linguistic influence into my speech patterns, too, having had friends from all over. You'll notice it in my spelling (colour, favour, etc.) and sometimes in my choice of words (diggy instead of trunk). 

Good day for it, mate. Cheers.

----------

## costel78

I am not very confident about storing users' email passwords as plain text in the database. From the postfix SASL Howto:

 *Quote:*   

> Cyrus SASL plugin infrastructure - auxprop .... send credentials encrypted but their verification process requires the password to be available in plaintext. Consequently passwords cannot (!) be stored in encrypted form.

 

So, passwords are not sent unencrypted over the network, right?

I see several scenarios:

1. The user types the password in the mail client app, the client encrypts it and sends it to the server. The server reads the password from the database via sasl, encrypts it too, and then compares the passwords in encrypted form.

2. The user types the password in the mail client app, the password is sent unencrypted over the network, but with tls enforced it won't travel over the net in pure plain text.

3. The password is sent over the network in plain text - WORST case scenario.

Of course, there are situations when the password is sent over the network in plain text, a web app for example, where you can enforce the https protocol.

Bottom line, except for the database being exposed and passwords stolen, are there any other security flaws?

The second question:

For a little more structured setup, what about a second table for the domain list?

```
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_domains.conf
```

 and 

```
user = maildb
password = vwwP0q2I5UmM6
hosts = localhost
dbname = maildb
query = SELECT domain FROM domains WHERE domain='%s'
```

structure

```
CREATE TABLE domains (domain VARCHAR(255) CHARACTER SET utf8 COLLATE utf8_bin PRIMARY KEY);
```

----------

## cach0rr0

 *costel78 wrote:*   

> I am not very confident about storing users' email passwords as plain text in the database. Consequently passwords cannot (!) be stored in encrypted form.
> 
> <snip>
> 
> So, passwords are not sent unencrypted over the network, right?
> ...

 

Consider the attack vectors. 

-allowing unencrypted IMAP/POP connections, while strongly NOT recommended, risks compromise of ONLY that one single user's password. 

-what access does someone need in order to even be able to read the database? They need to know either the root pass, or the password for the user you've set up for DB access. 

-someone should NOT be allowing external connections to their mysql daemon. If at all possible, it should listen exclusively on localhost (skip networking). If it has to listen on the interface/real IP, iptables should be configured such that only specific hosts have access to connect. 

The real risk in storing passwords plaintext in the database is this: if your system becomes otherwise compromised, and someone gains control of your box, they can now go in and retrieve your users' passwords. If your system doesn't become compromised, though, you're just not really anywhere you need to worry about it. And even then, if it's unsalted MD5 (which it'd need to be given the limitations of postfix/cyrus-imap), chances are on a compromised system you'd be able to recover passwords from the hash. 

 *costel78 wrote:*   

> 
> 
> The second question:
> 
> For a little more structured setup, what about a second table for domain list ?
> ...

 

You absolutely can do this. I specifically wanted to avoid doing this, though, in the interest of both simplicity, and minimizing lookups to mysql (though, isn't the "proxy:" nomenclature deprecated, or is it still around?)

For running a personal mail system, this is an unnecessary layer of complexity. 

Since I'm still inclined to avoid database lookups, even if needs grow, I'd probably do something like regexp:/etc/postfix/domain_regex

For my own system, I don't use a database of any sort. 

If I needed some external tool (e.g. some webapp) to be able to add/delete/update domains, I might opt for mysql for storage. 

Then again, if we're talking about an enterprise environment, I'd be more inclined to tie all of this into LDAP

At any rate, you could easily move this, and many other portions of configuration, into a database. Part of the goal of the documentation was to show simplistic, functional examples, and along the way show the user not only how to do this exact setup, but how to deviate from this type of setup if they need to do so. One other thing to keep in mind here, this database is one that can be used by both Postfix AND Cyrus-IMAP. Instead of going a more complex route, here we have one database, with only one table, that serves only one purpose. I want people with no real prior knowledge of databases to be able to understand how to do this, and how everything ties together, just as easily as a seasoned DBA. Therefore, I want the user's interaction with the database to be as infrequent as possible, and when they DO need to do so, they only have to run one type of query.

Not sure if that makes sense. Still not quite awake.
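The post above argues that, once the box itself is compromised, an unsalted MD5 column is not much better than a plaintext one. The following is an added example (mine, not code from the guide or from Cyrus/Postfix) that puts numbers on that: a constructed user table and wordlist, a dictionary attack on unsalted MD5 that costs one hash per candidate word regardless of how many users there are, and the same attack against per-user salted, iterated PBKDF2, where nothing can be precomputed and every (user, word) pair costs a full run. It says nothing about which hash formats Cyrus or Postfix can consume; that point stands as the post states it.

```python
"""Why an exfiltrated table of unsalted MD5 hashes is close to plaintext.

Added example, not part of cach0rr0's guide. The usernames, passwords and
wordlist below are constructed for the demonstration.
"""
import hashlib
import hmac
import os

# Constructed user table: two users share a weak password, one has a strong one.
USERS = {
    "alice": "summer2011",
    "bob": "summer2011",
    "carol": "correct horse battery staple",
}

# Constructed mini wordlist; a real attacker has millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "summer2011", "monkey"]

PBKDF2_ROUNDS = 2000  # kept low so the example runs fast; use far more in production


def md5_unsalted(password):
    """Unsalted MD5, as in an MD5(password) column: same password -> same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def build_md5_table(users):
    return {user: md5_unsalted(pw) for user, pw in users.items()}


def crack_unsalted_md5(table, wordlist):
    """Hash each candidate once, then look every user up in the result.

    Returns (recovered passwords by user, number of hash computations).
    The cost is len(wordlist), independent of how many users are in the table.
    """
    lookup = {md5_unsalted(word): word for word in wordlist}
    found = {user: lookup[h] for user, h in table.items() if h in lookup}
    return found, len(wordlist)


def make_salted(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Per-user random salt + iterated PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + digest.hex()


def verify_salted(stored, password, rounds=PBKDF2_ROUNDS):
    """Constant-time comparison of a candidate against a stored salted hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_salted_table(users):
    return {user: make_salted(pw) for user, pw in users.items()}


def crack_salted(table, wordlist):
    """With a salt per user nothing can be precomputed: every (user, word) pair
    costs a full PBKDF2 run. Weak passwords still fall, but at
    len(users) * len(wordlist) iterated hashes instead of len(wordlist) MD5s."""
    found = {}
    computed = 0
    for user, stored in table.items():
        for word in wordlist:
            computed += 1
            if verify_salted(stored, word):
                found[user] = word
    return found, computed
```

Run it against a real dump and the difference is not that the salted table is uncrackable (alice and bob still fall, their password is in the list) but that the attacker pays per user and per iteration, and can no longer spot shared passwords by looking for identical hashes.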

----------

## audiodef

Hey, it makes sense to me. You even avoided Caveman English!   :Very Happy: 

----------

## costel78

It makes perfect sense. Thank you very much for your help!

I don't enable/use POP3, so allowing only encrypted IMAP connections, and HTTPS for webmail, should be enough.

And yes, the mysql daemon listens only on localhost.

```
# my.cnf, [mysqld] section
# skip-networking removes the TCP listener entirely; only the unix socket remains
skip-networking

# bind-address only matters if networking is enabled; keep it on loopback then
bind-address = 127.0.0.1
```

Regarding the database, you are perfectly right. MySQL is more than sufficient. But I plan to migrate from an existing configuration to yours (great tutorial, by the way). The facts are:

1. I am not a sysadmin, I am a hobbyist. I just help two friends to keep their servers alive, in good condition. It's not the best approach, but there are not plenty of funds, so it's about friendship until they start to make more money   :Smile: 

2. They plan to use a single server for both of them (5 domains in total).

3. They need a free SyncML implementation - I chose egroupware with funambol clients for smartphones; it's working, but I'm still running tests to avoid surprises.

4. The persons in charge of mail accounts are used to postfixadmin, so I need to provide them a similar interface. Of course, I could store the data in plain text files, but there are a few reports to generate monthly, so I stick to mysql to reuse the code. As you can guess, LDAP is out of the question, since the number of accounts is under 40.

I'm still running tests, thinking of scenarios and trying to improve the whole setup. I plan to leave the setup in beta state for one month and, if there are no problems, give it the green light for daily production use.

Thank you very much for your support.

----------

## cach0rr0

 *costel78 wrote:*   

> 
> 
> 4. The persons in charge of mail accounts are used to postfixadmin, so I need to provide them a similar interface. 

 

This is the only one I don't know about. I haven't looked at postfixadmin in ages. 

The little example PHP script I provided on this doc was made mainly just as an example, but if you need to have multiple administrators that have access to edit settings *only* for their own domains, it will not work. I would have to do much more coding in PHP than I'm really comfortable with in order to make a workable solution  :Smile:  (maybe one day, but my job keeps me too busy to spend much time on a big project)

Postfixadmin might work, but I don't know how well it will play with this database schema. I avoided it actually, for this reason: as helpful as it is to have tools like postfixadmin, what very often happens is that there ends up being a layer of obfuscation between what you're doing in the interface, and *exactly* what happens in Postfix configuration. So people reading would basically have to "hope and pray" it works, because if it doesn't, they will not know how to troubleshoot. I want people reading the guide to understand not just "how do I make it work?", but "what effect does the change I just made have on my system?", because they may want to change their installation slightly, and with a "magic" tool that makes it "just work", they don't learn that. And if something isn't working quite right? They know where to look. (Plus, I don't want Apache to be a requirement in order to have a functional, easily-maintained mail system - but that's another matter)

If you get stuck on this project, give a shout - I will help as much as my time/knowledge permits. 

Postfix especially, is a very powerful MTA. With any luck one day I'll have the time to write a different HOWTO that's targeted more towards multi-company or multi-administrator environments. It's a shame it's not already well enough documented for people to be able to roll out "free filtering" on a large scale, because the product itself is perfectly capable (and it even has an easy interface for commercial vendors to plug their filtering system into Postfix). Like I said, one day when I am rich, I will write it myself  :Laughing: 

----------

## costel78

I won't use postfixadmin anymore. The main disadvantage of it is that it autocreates mailboxes - this feature is no longer required. 

Its development is somewhat slow, and, above all, I need to implement some basic reports in the admin web interface.

I'll post the app here when it is ready. I'm still waiting for the full specifications to finish the server configuration.

It seems that the forum doesn't like very long posts, so I removed the autocreate and autosieve patches.

There is a new possible problem that concerns me.

The latest version of cyrus-imapd is 2.4.8 - http://www.cyrusimap.org/ - and the latest official autocreate patch is for 2.3.16, launched at the end of 2009 - http://email.uoa.gr/projects/cyrus/autocreate/

My first thought was that autocreate had been integrated into the main project, but it's not yet. Anyway, cyrus bugzilla mentions it and postponed it to the 2.5 branch - http://bugzilla.cyrusimap.org/bugzilla3/show_bug.cgi?id=355

If the autocreate feature won't be supported in the future, I will have a problem  :Very Happy: 

So, what I did:

I started a new ebuild for the 2.4.8 version.

Found ported patches for the 2.4.4 version here: http://blog.vx.sk/archives/13-Autocreate-and-autosieve-patches-for-Cyrus-IMAP-Server-24.html By replacing 2.4.4 with 2.4.8, the patches apply cleanly on the 2.4.8 version.

I also included the autosieve patch, just in case it is required to sort mail into multiple folders.

The main ebuild modifications: the xversion problem present in 2.3.x was solved, as was the parallel build problem (at least I didn't encounter it); listext is not supported by configure anymore; and the db-5.0 patch didn't apply cleanly, but it's still required.

Well, the ebuild compiles fine and it's working, but I'm not sure I covered all aspects. Perhaps someone with more experience than me will take a look at it and make the required corrections.

The first obvious mistake is the SRC_URI for the patches, as they are not available anywhere for the 2.4.8 version. As applying a patch to a patch doesn't sound right, maybe they should be included in the files dir?

cyrus-imapd-2.4.8.ebuild

```
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-mail/cyrus-imapd/cyrus-imapd-2.3.16.ebuild,v 1.3 2011/03/19 17:00:38 eras Exp $

EAPI=1

inherit autotools db-use eutils flag-o-matic ssl-cert fixheadtails pam multilib

MY_P=${P/_/}

DESCRIPTION="The Cyrus IMAP Server."
HOMEPAGE="http://asg.web.cmu.edu/cyrus/imapd/"

AUTOCREATE_VER="0.10-0"
AUTOCREATE_PATCH="${P}-autocreate-${AUTOCREATE_VER}.diff"
AUTOSIEVE_VER="0.6.0"
AUTOSIEVE_PATCH="${P}-autosieve-${AUTOSIEVE_VER}.diff"

SRC_URI="ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/${MY_P}.tar.gz
   autocreate? ( http://email.uoa.gr/download/cyrus/${P}/${AUTOCREATE_PATCH} )
   autosieve? ( http://email.uoa.gr/download/cyrus/${P}/${AUTOSIEVE_PATCH} )"

LIBWRAP_PATCH_VER="2.2"

LICENSE="as-is"
SLOT="0"
KEYWORDS="~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"
IUSE="autocreate autosieve idled kerberos nntp pam replication +sieve snmp ssl tcpd"

RDEPEND=">=sys-libs/db-3.2
   >=dev-libs/cyrus-sasl-2.1.13
   pam? (
      virtual/pam
      >=net-mail/mailbase-1
   )
   kerberos? ( virtual/krb5 )
   snmp? ( >=net-analyzer/net-snmp-5.2.2-r1 )
   ssl? ( >=dev-libs/openssl-0.9.6 )
   tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
   nntp? ( !net-nntp/leafnode )"
DEPEND="$RDEPEND
   sys-devel/libtool
   >=sys-devel/autoconf-2.58
   sys-devel/automake"

# get rid of old style virtual - bug 350792
# all blockers really needed?
RDEPEND="${RDEPEND}
   !net-mail/dovecot
   !mail-mta/courier
   !net-mail/bincimap
   !net-mail/courier-imap
   !net-mail/uw-imap"

new_net-snmp_check() {
   # tcpd USE flag check. Bug #68254.
   if use tcpd ; then
      if has_version net-analyzer/net-snmp && ! built_with_use net-analyzer/net-snmp tcpd ; then
         eerror "You are emerging this package with USE=\"tcpd\""
         eerror "but \"net-analyzer/net-snmp\" has been emerged with USE=\"-tcpd\""
         fail_msg
      fi
   else
      if has_version net-analyzer/net-snmp && built_with_use net-analyzer/net-snmp tcpd ; then
         eerror "You are emerging this package with USE=\"-tcpd\""
         eerror "but \"net-analyzer/net-snmp\" has been emerged with USE=\"tcpd\""
         fail_msg
      fi
   fi

   # DynaLoader check. Bug #67411
   if [ -x "$(type -p net-snmp-config)" ]; then
      einfo "$(type -p net-snmp-config) is found and executable."
      NSC_AGENTLIBS="$(net-snmp-config --agent-libs)"
      einfo "NSC_AGENTLIBS=\""${NSC_AGENTLIBS}"\""
      if [ -z "$NSC_AGENTLIBS" ]; then
         eerror "NSC_AGENTLIBS is null"
         einfo "please report this to bugs.gentoo.org"
      fi
      for i in ${NSC_AGENTLIBS}; do
         # check for the DynaLoader path.
         if [ "$(expr "$i" : '.*\(DynaLoader\)')" == "DynaLoader" ] ; then
            DYNALOADER_PATH="$i"
            einfo "DYNALOADER_PATH=\""${DYNALOADER_PATH}"\""
            if [[ ! -f "${DYNALOADER_PATH}" ]]; then
               eerror "\""${DYNALOADER_PATH}"\" is not found."
               einfo "Have you upgraded \"perl\" after"
               einfo "you emerged \"net-snmp\". Please re-emerge"
               einfo "\"net-snmp\" then try again. Bug #67411."
               die "\""${DYNALOADER_PATH}"\" is not found."
            fi
         fi
      done
   else
      eerror "\"net-snmp-config\" not found or not executable!"
      die "You have \"net-snmp\" installed but \"net-snmp-config\" is not found or not executable. Please re-emerge \"net-snmp\" and try again!"
   fi
}

fail_msg() {
   # inner quotes must be escaped, otherwise they terminate the string
   eerror "enabling the \"snmp\" USE flag for this package requires"
   eerror "that net-analyzer/net-snmp and this package both build with"
   eerror "\"tcpd\" or \"-tcpd\". Bug #68254"
   die "sanity check failed."
}

pkg_setup() {
   use snmp && new_net-snmp_check
   enewuser cyrus -1 -1 /usr/cyrus mail
}

S=${WORKDIR}/${MY_P}

src_unpack() {
   unpack ${A} && cd "${S}"

   # ht_fix_file "${S}"/imap/xversion.sh

   # Fix prestripped binaries
   epatch "${FILESDIR}/${PN}-strip.patch"
   epatch "${FILESDIR}/${P}+db-5.0.patch"

   # Add libwrap defines as we don't have a dynamicly linked library.
   use tcpd && epatch "${FILESDIR}/${PN}-${LIBWRAP_PATCH_VER}-libwrap.patch"

   # Apply autocreate patch if USE enabled
   if use autocreate ; then
      epatch "${DISTDIR}/${AUTOCREATE_PATCH}" || die "epatch failed"
   fi

   # Apply autosieve patch if USE enabled
   if use autosieve ; then
      epatch "${DISTDIR}/${AUTOSIEVE_PATCH}" || die "epatch failed"
   fi

   # Fix master(8)->cyrusmaster(8) manpage.
   for i in `grep -rl -e 'master\.8' -e 'master(8)' "${S}"` ; do
      sed -i -e 's:master\.8:cyrusmaster.8:g' \
         -e 's:master(8):cyrusmaster(8):g' \
         "${i}" || die "sed failed"
   done
   mv man/master.8 man/cyrusmaster.8 || die "mv failed"
   sed -i -e "s:MASTER:CYRUSMASTER:g" \
      -e "s:Master:Cyrusmaster:g" \
      -e "s:master:cyrusmaster:g" \
      man/cyrusmaster.8 || die "sed failed"

   # Remove unwanted m4 files
   rm "cmulocal/ax_path_bdb.m4" || die "Failed to remove cmulocal/ax_path_bdb.m4"

   # Recreate configure.
   WANT_AUTOCONF="2.5"
   AT_M4DIR="cmulocal" eautoreconf

   # When linking with rpm, you need to link with more libraries.
   sed -i -e "s:lrpm:lrpm -lrpmio -lrpmdb:" configure || die "sed failed"
}

src_compile() {
   local myconf
   myconf="${myconf} $(use_with ssl openssl)"
   myconf="${myconf} $(use_with snmp ucdsnmp)"
   myconf="${myconf} $(use_with tcpd libwrap)"
   myconf="${myconf} $(use_enable kerberos gssapi) $(use_enable kerberos krb5afspts)"
   myconf="${myconf} $(use_enable idled)"
   myconf="${myconf} $(use_enable nntp)"
   myconf="${myconf} $(use_enable replication)"
   if use kerberos; then
      myconf="${myconf} --with-krb=$(krb5-config --prefix) --with-krbdes=no"
   else
      myconf="${myconf} --with-krb=no"
   fi

   # --enable-listext is no longer supported
   econf \
      --enable-murder \
      --enable-netscapehack \
      --with-service-path=/usr/$(get_libdir)/cyrus \
      --with-cyrus-user=cyrus \
      --with-cyrus-group=mail \
      --with-com_err=yes \
      --without-perl \
      --with-bdb=$(db_libname) \
      ${myconf} || die "econf failed"

   # the 2.3.x ebuild forced -j1 for #222529; parallel build seems fine on 2.4.8
   cd "${S}"
   emake ${MAKEOPTS} || die "compile problem"
}

src_install() {
   local SUBDIRS
   if use sieve; then
      SUBDIRS="master imap imtest timsieved notifyd sieve"
   else
      SUBDIRS="master imap imtest"
   fi
   dodir /usr/bin /usr/lib
   for subdir in ${SUBDIRS}; do
      make -C "${subdir}" DESTDIR="${D}" install || die "make install failed"
   done

   # Link master to cyrusmaster (postfix has a master too)
   dosym /usr/lib/cyrus/master /usr/lib/cyrus/cyrusmaster

   if ! use nntp ; then
      rm man/fetchnews.8 man/syncnews.8 man/nntpd.8 man/nntptest.1
      rm "${D}"/usr/bin/nntptest
   fi

   doman man/*.[0-8]
   dodoc COPYRIGHT README*
   dohtml doc/*.html doc/murder.png
   cp doc/cyrusv2.mc "${D}/usr/share/doc/${PF}/html"
   cp -r contrib tools "${D}/usr/share/doc/${PF}"
   find "${D}/usr/share/doc" -name CVS -print0 | xargs -0 rm -rf

   insinto /etc
   doins "${FILESDIR}/cyrus.conf" "${FILESDIR}/imapd.conf"
   newinitd "${FILESDIR}/cyrus.rc6" cyrus
   newconfd "${FILESDIR}/cyrus.confd" cyrus
   newpamd "${FILESDIR}/cyrus.pam-include" sieve

   for subdir in imap/{,db,log,msg,proc,socket,sieve} spool/imap/{,stage.} ; do
      keepdir "/var/${subdir}"
      fowners cyrus:mail "/var/${subdir}"
      fperms 0750 "/var/${subdir}"
   done
   for subdir in imap/{user,quota,sieve} spool/imap ; do
      for i in a b c d e f g h i j k l m n o p q r s t v u w x y z ; do
         keepdir "/var/${subdir}/${i}"
         fowners cyrus:mail "/var/${subdir}/${i}"
         fperms 0750 "/var/${subdir}/${i}"
      done
   done
}

pkg_postinst() {
   # do not install server.{key,pem} if they already exist.
   use ssl && {
      if [ ! -f "${ROOT}"etc/ssl/cyrus/server.key ]; then
         install_cert /etc/ssl/cyrus/server
         chown cyrus:mail "${ROOT}"etc/ssl/cyrus/server.{key,pem}
      fi
   }

   if df -T /var/imap | grep -q ' ext2 ' ; then
      ebegin "Making /var/imap/user/* and /var/imap/quota/* synchronous."
      chattr +S /var/imap/{user,quota}{,/*}
      eend $?
   fi
   if df -T /var/spool/imap | grep -q ' ext2 ' ; then
      ebegin "Making /var/spool/imap/* synchronous."
      chattr +S /var/spool/imap{,/*}
      eend $?
   fi

   ewarn "If the queue directory of the mail daemon resides on an ext2"
   ewarn "filesystem you need to set it manually to update"
   ewarn "synchronously. E.g. 'chattr +S /var/spool/mqueue'."
   echo
   elog "For correct logging add the following to /etc/syslog.conf:"
   elog "    local6.*         /var/log/imapd.log"
   elog "    auth.debug       /var/log/auth.log"
   echo
   elog "You have to add user cyrus to the sasldb2. Do this with:"
   elog "    saslpasswd2 cyrus"
}
```

cyrus-imapd-2.4.8+db-5.0.patch

```
--- cmulocal/cyrus.m4.orig   2011-04-29 18:50:00.689998576 +0300

+++ cmulocal/cyrus.m4   2011-04-29 18:50:06.680998575 +0300

@@ -11,35 +11,12 @@

 dnl (so the runpath for shared libraries is set).

 AC_DEFUN([CMU_ADD_LIBPATH], [

   # this is CMU ADD LIBPATH

-  if test "$andrew_cv_runpath_switch" = "none" ; then

-   LDFLAGS="-L$1 ${LDFLAGS}"

-  else

-   LDFLAGS="-L$1 $andrew_cv_runpath_switch$1 ${LDFLAGS}"

-  fi

+LDFLAGS="-L$1 ${LDFLAGS}"

 ])

 

 dnl add -L(1st arg), and possibly (runpath switch)(1st arg), to (2nd arg)

 dnl (so the runpath for shared libraries is set).

 AC_DEFUN([CMU_ADD_LIBPATH_TO], [

   # this is CMU ADD LIBPATH TO

-  if test "$andrew_cv_runpath_switch" = "none" ; then

-   $2="-L$1 ${$2}"

-  else

-   $2="-L$1 ${$2} $andrew_cv_runpath_switch$1"

-  fi

+$2="-L$1 ${$2}"

 ])

-

-dnl runpath initialization

-AC_DEFUN([CMU_GUESS_RUNPATH_SWITCH], [

-   # CMU GUESS RUNPATH SWITCH

-  AC_CACHE_CHECK(for runpath switch, andrew_cv_runpath_switch, [

-    # first, try -R

-    SAVE_LDFLAGS="${LDFLAGS}"

-    LDFLAGS="-R /usr/lib"

-    AC_TRY_LINK([],[],[andrew_cv_runpath_switch="-R"], [

-     LDFLAGS="-Wl,-rpath,/usr/lib"

-    AC_TRY_LINK([],[],[andrew_cv_runpath_switch="-Wl,-rpath,"],

-    [andrew_cv_runpath_switch="none"])

-    ])

-  LDFLAGS="${SAVE_LDFLAGS}"

-  ])])
```
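Review bot: the hunk deletes CMU_GUESS_RUNPATH_SWITCH outright (the block after the second AC_DEFUN) while CMU_ADD_LIBPATH and CMU_ADD_LIBPATH_TO are reduced to a plain `-L$1`; anything else under cmulocal/ or in configure.in that still invokes CMU_GUESS_RUNPATH_SWITCH will make eautoreconf fail on an undefined macro, so grep the tree for it before relying on the patch. Nothing in the hunk is specific to Berkeley DB 5.0 either; it only stops embedding an rpath for every library directory passed through these two macros, so the file name and the "still required" remark should state what actually breaks without it, or the next version bump will carry the patch along without anyone knowing why.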

Relevant bugzilla entries: #308941 and #350013

Cyrus changelog: http://www.cyrusimap.org/docs/cyrus-imapd/2.4.8/changes.php

As the list of changes includes numerous new features, I have to repeat:

I am not sure I covered all aspects. I am NOT an expert. So precautions are required. Feel free to take a look and improve the ebuild.

----------

## cach0rr0

yep. that's why I went with the 2.3.16 version  :Smile: 

Cyrus is looking to incorporate this ability into 2.5 - 2.5 is not out yet 

There are no 2.4 ebuilds in portage, and no "official" autocreate patches for 2.4 anywhere (rather, they aren't on the University of Athens website)

There is an autocreate patch for 2.3.14, and 2.3.16, but not for 2.3.15

So I decided to just document a specific version of Cyrus, and have people add the ebuild to a local overlay

I was going to file a bug @ gentoo bugzilla with updated ebuilds for 2.3.x so that we could get autocreate officially into portage (they stopped including this patch after 2.3.12)

But I think without a 2.3.15 patch, they will probably not include it in official portage update - so I just host the ebuild myself. 

There is a patch out there for 2.3.15, but it is not provided by the same people - so this is another concern, having to maintain an ebuild where the AUTOCREATE_URI is different for every single version. 

Actually I am happy to host these files for 2.4 on my server. It will be alive unless my hardware dies, my connection dies, or we get hit with another hurricane that takes out our electricity for 3 weeks!

However this ebuild should not work for 2.4.4, because:

```
autocreate? ( http://email.uoa.gr/download/cyrus/${P}/${AUTOCREATE_PATCH} )
autosieve? ( http://email.uoa.gr/download/cyrus/${P}/${AUTOSIEVE_PATCH} )
```

email.uoa.gr does not host these patches for 2.4.4, so the above two URLs will be a "404 - Not Found"

so it should be a failed fetch for these patches

When I have some more time I will look at this in more detail, see if I can fix a few things, and put the files up on my server. 

NB: for files that are too large for a post, you can just go to pastebin(.com) and paste them there, then share the link.

----------

## cach0rr0

http://whitehathouston.com/downloads/gentoo/ebuilds/cyrus/net-mail/cyrus-imapd/

Only remaining problem, aside from some small cosmetic/style things, is that db patch. 

The ebuild is useless unless you can find a way to get that patch to apply, or find an updated patch.

----------

## cach0rr0

ok

config.m4 doesn't even exist

so why are we trying to patch it? 

I removed that from the ebuild, and it unpacks/patches fine for both autosieve and autocreate (on 2.4.8, havent tested 2.4.4 yet)

The source also compiles perfectly fine (I'm not going to install it - 2.3.16 is stable, so I'm sticking with that)

So there ya go. The ebuild I put up, based on your modification, seems to work fine. Haven't yet run repoman on it to see if it's "proper syntax", but it's workable.

EDIT: updated from EAPI=1 to EAPI=2, removed 'built_with_use' in favor of 'has_version ${somevar}[flagname]', and things put in their proper functions (e.g. src_prepare, src_configure added and things moved accordingly). Passes repoman with flying colors, compiles successfully, patches fine, etc

----------

## costel78

Hello,

Regarding the autocreate and autosieve patches, you are perfectly right. Maybe by including them in $FILESDIR the problem will be solved.

I am confused about cyrus-imapd-2.4.8+db-5.0.patch. The patch I posted applies cleanly via the ebuild. It's a slightly modified version of the one from portage. Without it, the ebuild fails to install. But, I think here is the catch, I don't use db-5.0. My version is 4.8.30. cyrus.m4 is present in ftp://ftp.cyrusimap.org/cyrus-imapd/cyrus-imapd-2.4.8.tar.gz in cyrus-imapd-2.4.8/cmulocal.

Perhaps you are saying that with >=sys-libs/db-5.* things don't go well? I think there is something I didn't catch   :Smile: 

Anyway, in fact it doesn't matter at all, since you did great work and ported the ebuild to EAPI 2. I'll try it today (they promise to give me the full specifications in a few hours) and I will start to code the web app for database administration.

I don't have enough words to thank you. I learned a lot from your 34-page PDF  :Smile:  The previous setup I had used for a few years (courier-imap and postfixadmin) proved to have glitches until old things left over in the tutorial were fixed. Yours works perfectly on the first try, and the setup is more secure and clean. Thank you!

----------

## cach0rr0

very cool. I am quite happy to update the doc, the ebuild, any of it, if we find something newer or better that works. 

I just wish the autocreate patches were consistent; meaning, I wish we had them for every version - 2.3.14, 2.3.15, 2.3.16, every build of 2.4, and so forth. 

Because if we had that, I would post a new bug on bugzilla and just get the ebuild incorporated into portage. 

Regarding the DB patch, it was my own typo; I was searching for 'config.m4' and not 'cyrus.m4'

I am doing a 3AM session on the grill after the pub, so I have to go flip a burger, but I will play with that patch some more once I have my burger  :Laughing: 

----------

## audiodef

I think this is the longest thread I'm responsible for - ever.   :Cool: 

Yeah, I know, who cares. I'm just that much of a dork.   :Razz: 

----------

## costel78

Something unexpected showed up in the specifications regarding egroupware, so it will take a little more time. Probably I will be able to finish on Monday.

----------

## costel78

Well, there is still work to do, but here is the first beta version. 

It's no big deal, but it can be extended. Also the design can be changed (more columns, menus etc.) via generateHeader() and generateFooter(). I don't know if it's worth it; there are only a few tables, so I didn't use any template system or MVC model. The overhead isn't worth it. I focused on security and functionality rather than design. Anyway, I'm not good at design  :Smile: .

The initial user is admin with password admin. Also the htaccess password (if you want to use it, rename htaccess.txt and htpassword.txt) is admin.

Configuration is done in config.inc.php and the database structure is in structure.sql

Unfortunately my PC is not always on, so you can download the files from:

http://www.filehost.ro/1930122/emailadmin_tar_bz2/ - file hosting service

or my own PC (when it's on): http://cweb.ro/emailadmin.tar.bz2

Todo list:

```
ToDo:
1. lock/check for concurrent modifications: NOT DONE YET
2. selectbox/checkbox on filter where applicable: IN PROGRESS
3. check html code to validate on validator.w3.org: NOT DONE YET
4. leave only email part in code, remove other system integrations: DONE
5. Better translations: NEED HELP
6. Almost free design: DONE - possible via generateHeader() and generateFooter()
7. Better translation system, number index is ambiguous: NOT DONE YET
8. Password might be blank during update, if so, password won't be changed: NOT DONE YET
9. Export in csv format: IN PROGRESS
```

It's not related to this topic, but if you are running out of time you may use this for apache vhosting administration.

Basically you supply it a file with a domain list and they will be created or deleted. 

I haven't had time to translate them yet, but it's on the ToDo list.

http://cweb.ro/srvadmin.tar.bz2

I am waiting for suggestions, translation fixes and bugs, especially security ones.

----------

## audiodef

My girlfriend just noticed something odd. She hadn't downloaded her mail locally for a few days, but is good at deleting unwanted email on webmail. Today she noticed that trying to send mail resulted in over-quota errors in Squirrelmail. I downloaded her inbox into Thunderbird and things worked again, but I noticed that her new messages were 1, 36, 2, 502, 3, and 36 - all KB. She had a couple of messages in her sent folder in Squirrel, but these were small. Nothing in drafts or trash. 

Yet, when I downloaded what few messages she had on the server, Squirrel worked again. Any idea what happened?

----------

## audiodef

This is a pointless bump to make it show up in my ego search so I can find this #@$%ing thread when I need it!   :Razz:   :Twisted Evil: 

----------

## kaszynek

I have a dynamic IP and a domain (assume mydomain.com).

I'm sending emails which are classified as spam by mail servers like gmail (it doesn't even deliver my emails to the spam folder).

My IP is on a blacklist because the whole subnet with mask 15 is on that blacklist.

Is there any way to improve that?

I have read something about relay hosts. How do I use one?

What is the idea of using it?

If I used yahoo (I don't even know whether it is possible to use yahoo) as a relay host, I would have to send emails from myaddres@yahoo.com. But I want to send emails from mail.mydomain.com

----------

## cach0rr0

 *kaszynek wrote:*   

> 
> 
> Is there any way to improve that?
> 
> 

 

nope. if you're on a residential netblock, you will be blacklisted by most RBL providers. 

no way around it, you will need to send your outbound e-mail through a relayhost

 *kaszynek wrote:*   

> 
> 
> I have read something about relay host. How to use it?
> 
> Whats is an idea of using it?
> ...

 

http://www.postfix.org/postconf.5.html#relayhost

You would want to set this to be your ISP's smtp server (for example, comcast users would set:

```
relayhost = [smtp.comcast.net:25]
```

inclusive of the square brackets. If you add the square brackets, it says "deliver directly to the host named 'smtp.comcast.net'". If you omit the square brackets, it says "do an MX lookup for the domain 'smtp.comcast.net', and send to whatever MX record is returned". 

This annoyed me enough that I finally ponied up the extra cash for a "business class" connection whose IP would not be on a blacklist.
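The bracket rule explained above, as an added example that is not part of the thread: a small Python parser that reads a relayhost value the way the post describes it, reporting the host, the port and whether Postfix would do an MX lookup (no brackets) or connect to the named host directly (brackets). The `[host:port]` spelling from the post is accepted alongside the `[host]:port` form documented in postconf(5); which spellings a given Postfix version accepts is for postconf(5) to say, not this parser.

```python
"""Parse a Postfix relayhost value according to the bracket rule.

Added example, not from the thread or from Postfix. Without brackets Postfix
treats the name as a domain and looks up its MX records; with brackets it
connects to that host (or IP literal) directly.
"""

DEFAULT_PORT = 25  # Postfix falls back to the "smtp" service when no port is given


def _port(text):
    """Validate a numeric port; Postfix also accepts service names, this example does not."""
    if not text.isdigit() or not 0 < int(text) < 65536:
        raise ValueError("bad port in relayhost: %r" % text)
    return int(text)


def parse_relayhost(value):
    """Return {'host': str, 'port': int, 'mx_lookup': bool} for one relayhost value."""
    value = value.strip()
    if not value:
        raise ValueError("empty relayhost")

    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated '[' in relayhost")
        inside, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after ']' in relayhost")
        port = _port(rest[1:]) if rest else None
        host = inside
        # "[host:port]" as written in the post: exactly one colon inside the
        # brackets. An IPv6 literal such as [2001:db8::1] has several and is
        # kept whole.
        if port is None and inside.count(":") == 1:
            host, port_text = inside.split(":")
            port = _port(port_text)
        if not host:
            raise ValueError("empty host in relayhost")
        return {"host": host, "port": port or DEFAULT_PORT, "mx_lookup": False}

    # No brackets: "domain" or "domain:port"; Postfix will do an MX lookup on it.
    host, sep, port_text = value.rpartition(":")
    if not sep:
        return {"host": value, "port": DEFAULT_PORT, "mx_lookup": True}
    if not host:
        raise ValueError("empty host in relayhost")
    return {"host": host, "port": _port(port_text), "mx_lookup": True}
```

The practical check this encodes: if `mx_lookup` comes back True for a hostname like smtp.comcast.net, the configuration will query MX records for that name instead of connecting to it, which is the mistake the square brackets exist to prevent.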

----------

## audiodef

I considered a "business class" connection too some time ago, but I think my VPS hosting plan with Host Virtual is cheaper, not to mention not as prone to power outages as my working-class neighbourhood served by the dubious and not well-liked PEPCO. 

Of course, I can't truly test my test virtual server at home, but as long as the logs show it's trying to make the right connections, I can live with that and proceed to do to my production server whatever I just did to my test server.

----------

## kaszynek

 *Quote:*   

> 
> 
> You would want to set this to be your ISP's smtp server (for example, comcast users would set:
> 
> 

 

Ok, but I still don't understand what's the deal with the ISP's SMTP server. Is it normal that ISPs provide that kind of service? 

What's the influence on the final mail received via the ISP's SMTP server (I mean any annotation in the headers of the email or something like that)?

----------

## cach0rr0

 *kaszynek wrote:*   

> 
> 
> Ok, but I still don't understand what's the deal with the ISP's SMTP server. Is it normal that ISPs provide that kind of service? 
> 
> 

 

Over here in the US, and at least when I was living in the UK, yes. Usually your broadband provider will have an SMTP server that they allow you to use for outbound e-mail, that accepts *all* outbound e-mail from their customers' IP addresses regardless of who it is to/from. For example, tpnet.pl users will have an SMTP server provided to them to use for outgoing e-mail from their @tpnet.pl e-mail address; however, usually this SMTP server does not care about the e-mail address, it only cares that the sender comes from a tpnet IP address. So, you can route outbound mail through this server even if it is from @yourdomain.com

Maybe not every ISP does this - I do not know if this is common in Poland or not, I would guess it depends on the provider. 

 *kaszynek wrote:*   

> 
> 
> What's the influence on the final mail received via the ISP's SMTP server (I mean any annotation in the headers of the email or something like that)?

 

every SMTP system that receives the message will add a "Received" header at the very least, and maybe even a 'Received-SPF' header. Typically, none of the message formatting or contents should be changed - if it's "Content-Type: multipart/mixed", this should not be changed by *any* server, as this is something the client defines, not the server. The server should only add those tracking headers (e.g. Received, Received-SPF)

There is also one other effect here; since you are sending from Postfix to your ISP's SMTP server, any TLS configuration you do in Postfix for sending of outbound e-mail will take place only between your server and your ISP's server - so this connection is encrypted. However, there is no guarantee your ISP is going to use TLS for the connection they make to the recipient's SMTP system - most will, SMTP over TLS has been around for ages and nearly everyone supports it, but as I said there is no guarantee. You can only guarantee an encrypted connection between your mail server and the next one, and even then only if the next server supports it.
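The two points above, that every hop adds a Received header and that you can only vouch for encryption to the next hop, can be checked on a delivered message. The following is an added example (mine, not from the thread): it walks the Received chain of a constructed message, oldest hop first, and reports which network hops used TLS. The detection relies on the RFC 3848 protocol names Postfix writes in the `with` clause (ESMTPS for TLS, ESMTPSA for TLS plus authentication); the hostnames, addresses and queue IDs in SAMPLE are made up.

```python
"""Trace the Received: chain of a message and report which hops used TLS.

Added example, not part of the thread. SAMPLE is a constructed message: the
hostnames, addresses and queue IDs are invented, but the header layout follows
what Postfix writes. Received headers are prepended by each hop, so the first
one in the message is the most recent.
"""
import email
import re

SAMPLE = """\
Received: from smtp.isp.example (smtp.isp.example [203.0.113.5])
\tby mx.gmail.example (Postfix) with ESMTP id 7F2E1A9C3B
\tfor <bob@gmail.example>; Tue,  3 May 2011 10:15:22 +0000 (UTC)
Received: from mail.mydomain.example (unknown [198.51.100.7])
\tby smtp.isp.example (Postfix) with ESMTPS id 4AB12C3D4E
\tfor <bob@gmail.example>; Tue,  3 May 2011 10:15:20 +0000 (UTC)
Received: by mail.mydomain.example (Postfix, from userid 1000)
\tid 1C2D3E4F5; Tue,  3 May 2011 10:15:19 +0000 (UTC)
From: alice@mydomain.example
To: bob@gmail.example
Subject: test

hello
"""

# "from <src> ... by <dst> ... with <proto>"; "from" and "with" are absent on the
# local-submission hop. RFC 3848 protocol names end in S when TLS was used
# (ESMTPS) and in A when the sender authenticated (ESMTPA, ESMTPSA).
HOP_RE = re.compile(
    r"^(?:from\s+(?P<src>\S+)\s)?.*?\bby\s+(?P<dst>\S+)"
    r"(?:.*?\bwith\s+(?P<proto>[A-Za-z0-9]+))?"
)


def audit_received(raw):
    """Return hops oldest-first as dicts: src, dst, proto, tls (None for a local hop)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        unfolded = " ".join(value.split())  # join the continuation lines
        m = HOP_RE.search(unfolded)
        if not m:
            continue
        proto = m.group("proto")
        # strip a trailing A (authenticated) and test for the S (TLS) suffix
        tls = None if proto is None else proto.upper().rstrip("A").endswith("S")
        hops.append({"src": m.group("src"), "dst": m.group("dst"),
                     "proto": proto, "tls": tls})
    return hops


def first_plaintext_hop(raw):
    """(src, dst) of the first network hop that was not TLS-protected, or None."""
    for hop in audit_received(raw):
        if hop["tls"] is False:
            return hop["src"], hop["dst"]
    return None
```

On the sample, the hop from your Postfix to the ISP relay shows ESMTPS, and the ISP's onward hop shows plain ESMTP: exactly the situation the post describes, visible in the headers of the delivered copy. Only Received headers added by hosts you trust are evidence; anything upstream of your own server can be forged by the sender.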

----------

## kaszynek

Thanks for explanation :]

I will find out whether my ISP provides an SMTP server for me.

----------

## trigggl

Houston, we have a problem.

I tried following your guide and got the following problem/error message.

I don't know at what point I'm supposed to get the patch, but it's not making it to the 'files' folder.

 *Quote:*   

>  * Messages for package net-mail/cyrus-imapd-2.4.8:
> 
>  * Cannot find $EPATCH_SOURCE!  Value for $EPATCH_SOURCE is:
> 
>  *
> ...

 

I'll post the logs if you need them, but I'm thinking this is enough info for now.  I followed line by line (the second time).  Do I need to delete and start over?  Is it possible to just download it myself?

----------

## cach0rr0

weird. looks like that patch has been removed. 

part of the instructions say to copy over the ./files directory from the standard /usr/portage/net-mail/cyrus-imapd/

but that does us no good i suppose, if patches get removed, but the ebuild doesnt get updated to reflect that. 

No bother, the old patch contained:

```

--- imtest/Makefile.in.orig     2007-09-07 21:45:46.000000000 +0200

+++ imtest/Makefile.in  2007-09-07 21:45:52.000000000 +0200

@@ -72,7 +72,7 @@

 all: imtest

 

 install:

-       $(INSTALL) -s -m 755 imtest $(DESTDIR)$(exec_prefix)/bin

+       $(INSTALL) -m 755 imtest $(DESTDIR)$(exec_prefix)/bin

        ln -f $(DESTDIR)$(exec_prefix)/bin/imtest $(DESTDIR)$(exec_prefix)/bin/pop3test

        ln -f $(DESTDIR)$(exec_prefix)/bin/imtest $(DESTDIR)$(exec_prefix)/bin/nntptest

        ln -f $(DESTDIR)$(exec_prefix)/bin/imtest $(DESTDIR)$(exec_prefix)/bin/lmtptest

```
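
Review bot: the only change in the hunk is dropping `-s` from `$(INSTALL) -s -m 755 imtest $(DESTDIR)$(exec_prefix)/bin`, so imtest is installed unstripped and stripping is left to the package manager; the three `ln -f` lines after it are unchanged context. The diff carries no header comment saying why, so add one (`install -s` runs the host's strip at install time, which Portage wants to control itself through its own strip/splitdebug handling), otherwise a later maintainer will read the missing `-s` as a typo. The file timestamps are from 2007, so the `@@ -72,7 +72,7 @@` offsets should be re-checked against the 2.4.8 imtest/Makefile.in before the patch is reused with that version.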

you could add that to your files/ directory in your local overlay, digest the ebuild, and carry on

http://whitehathouston.com/downloads/gentoo/ebuilds/cyrus/net-mail/cyrus-imapd/files/cyrus-imapd-strip.patch

Or, I'm quite happy to edit the ebuild to download the patch from my server instead of distfiles. If you're uncomfortable dumping that patch into files/ yourself and redigesting, let me know and I'll change the ebuild. 

EDIT: ...actually, since I'd imagine others will hit this in the future, I'll just change the bloody ebuild!

done and done. Cursory testing, it builds, everything seems to patch ok, etc. 

You may need to mask versions of cyrus greater than 2.4.8

you can do this via:

```

mkdir -p /etc/portage/package.mask

echo ">net-mail/cyrus-imapd-2.4.8" >> /etc/portage/package.mask/cyrus

```

I think one other thing I may do on that page is add a link to this thread so people can see what's going on, what's changed, etc.

----------

## trigggl

 *cach0rr0 wrote:*   

> weird. looks like that patch has been removed. 
> 
> part of the instructions say to copy over the ./files directory from the standard /usr/portage/net-mail/cyrus-imapd/
> 
> but that does us no good i suppose, if patches get removed, but the ebuild doesnt get updated to reflect that. 
> ...

 

I actually had to download the file below.  Not sure why.  

```
http://whitehathouston.com/downloads/gentoo/ebuilds/cyrus/net-mail/cyrus-imapd/files/cyrus-imapd-2.2-libwrap.patch
```

After going through the document and starting everything up, I tried to send an email from root to a user.  Here's a short sample of the error I'm getting in mail.log.

 *Quote:*   

> Sep  2 16:17:04 stephie postfix/trivial-rewrite[11571]: warning: connect to mysql server 127.0.0.1: Access denied for user 'maildb'@'localhost' (using password: YES)
> 
> Sep  2 16:17:04 stephie postfix/trivial-rewrite[11571]: fatal: mysql:/etc/postfix/validate.cf(0,lock|fold_fix): table lookup problem
> 
> Sep  2 16:17:05 stephie postfix/qmgr[11427]: warning: problem talking to service rewrite: Success
> ...

 

I'm assuming there's a typo I made somewhere.  The question is what was the typo and where did I do it?  I think it has something to do with --> 'maildb'@'localhost'.

----------

## cach0rr0

```

127.0.0.1: Access denied for user 'maildb'@'localhost' (using password: YES)

```

that's key. something in your mysql lookup files is incorrect for logging on to your mysql server, either the username or password

you likely need to login to mysql and:

```

grant all privileges on maildb.* to 'maildb'@'localhost' identified by 'whateverpassword';

flush privileges;

```

could it be that you forgot to flush privileges after doing the grant?

----------

## trigggl

 *cach0rr0 wrote:*   

> 
> 
> ```
> 
> 127.0.0.1: Access denied for user 'maildb'@'localhost' (using password: YES)
> ...

 

It was a typo.  I used --> 'maildb@localhost'.

I managed to send an email from root to a user.  Now I just have to get it sending and receiving over the network/internet.

----------

## audiodef

Using the guide, I set up a new dev machine. I think everything is working, but since I don't have a domain to apply to it, I'm working off localhost and the machine's hostname, Bach. No .com, .org, .net. 

So when sending a test message from telnet from/to the same testuser in maildb, I get this:

```

Oct  4 13:06:06 Bach postfix/smtpd[15314]: 1AEEB1A616D5: client=localhost[127.0.0.1]

Oct  4 13:06:56 Bach postfix/cleanup[15316]: 1AEEB1A616D5: message-id=<20111004130606.1AEEB1A616D5@Bach>

Oct  4 13:06:56 Bach postfix/qmgr[15018]: 1AEEB1A616D5: from=<testuser@bach.Bach>, size=357, nrcpt=1 (queue active)

Oct  4 13:06:56 Bach postfix/smtp[15330]: 1AEEB1A616D5: to=<testuser@bach.Bach>, orig_to=<testuser@bach>, relay=none, delay=62, delays=62/0.01/0.06/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=bach.Bach type=A: Host not found)

Oct  4 13:06:56 Bach postfix/cleanup[15316]: 6EF9C1A616D8: message-id=<20111004130656.6EF9C1A616D8@Bach>

Oct  4 13:06:56 Bach postfix/qmgr[15018]: 6EF9C1A616D8: from=<>, size=2199, nrcpt=1 (queue active)

Oct  4 13:06:56 Bach postfix/bounce[15331]: 1AEEB1A616D5: sender non-delivery notification: 6EF9C1A616D8

Oct  4 13:06:56 Bach postfix/qmgr[15018]: 1AEEB1A616D5: removed

Oct  4 13:06:56 Bach postfix/smtp[15330]: 6EF9C1A616D8: to=<testuser@bach.Bach>, relay=none, delay=0.12, delays=0.06/0/0.06/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=bach.Bach type=A: Host not found)

Oct  4 13:06:56 Bach postfix/qmgr[15018]: 6EF9C1A616D8: removed

Oct  4 13:07:00 Bach postfix/smtpd[15314]: disconnect from localhost[127.0.0.1]

```

How can I get around this or have postfix/cyrus (or whatever program is responsible) not append .Bach to addresses and just send test messages to and from my local test user, testuser@bach?

----------

## cach0rr0

don't know offhand, but I'd say easiest to test:

-override a bunch of domains via /etc/hosts (e.g. set your 127.0.0.1 entry to "bach.audiodef.com bach localhost")

-set mydomain to bach.audiodef.com, set mydestination to be $mydomain

-send your telnet messages to user@bach.audiodef.com

otherwise I'd have to look (which I have to do a bit later)

----------

## audiodef

Maybe part of identifying the problem is with this:

```

audiodef@Bach ~/savonet $ telnet localhost 25

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

220 bach ESMTP Postfix (2.8.4)

EHLO bach

250-bach

250-PIPELINING

250-SIZE 102400000

250-VRFY

250-ETRN

250-STARTTLS

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

MAIL FROM:<testuser@bach>

250 2.1.0 Ok

RCPT TO:<who@bach>

250 2.1.5 Ok

```

There is no "who@bach" in my maildb - only a "testuser@bach". Shouldn't this have said "no such user"?

(On this machine, btw, there is no "audiodef.com" or any kind of TLD at all.)

----------

## cach0rr0

since you're coming from 127.0.0.1, if you have "permit_mynetworks" within "smtpd_recipient_restrictions", it doesn't matter who it's to or from, it will be accepted outright, and never get to the validation lookup. 

That is, assuming you have 127.0.0.1 as part of mynetworks 

It'll never get to any of your virtual alias mapping stuff that way. 

having said that, I'm still a bit in the dark as to why '.Bach' would get appended to the tail end. 

and of course since 'bach.Bach' is not configured to be handled as an inbound domain, and since 127.0.0.1 gets blindly accepted regardless of sender/recipient, it *will* be queued for delivery regardless, and the type of delivery will be a standard SMTP delivery as though it's an outbound message, rather than internally via the LMTP socket to Cyrus
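
The first-match behaviour described above, as an added example that is not part of the original post: a small model of how Postfix walks smtpd_recipient_restrictions. CONFIG is a constructed stand-in for the dev box's main.cf (its mynetworks, mydestination, virtual_mailbox_domains and virtual_mailbox_maps values are assumptions), only four restriction names are implemented, and Postfix's implicit smtpd_reject_unlisted_recipient check is left out.

```python
"""Model how Postfix walks smtpd_recipient_restrictions: entries are tried in
order and the first PERMIT or REJECT ends the evaluation, so a recipient check
placed after permit_mynetworks never sees clients from mynetworks.  Added
example, not from the original thread; CONFIG is a constructed stand-in for
main.cf, only four restriction names are modelled, and Postfix's implicit
smtpd_reject_unlisted_recipient check is left out."""
import ipaddress

# Constructed stand-in for the dev box's main.cf.
CONFIG = {
    "mynetworks": ["127.0.0.0/8", "[::1]/128"],
    "mydestination": ["localhost"],
    "virtual_mailbox_domains": ["bach"],
    "virtual_mailbox_maps": ["testuser@bach"],
}


def in_mynetworks(client_ip, cfg):
    addr = ipaddress.ip_address(client_ip)
    for net in cfg["mynetworks"]:
        # Postfix writes IPv6 networks as [::1]/128; ipaddress wants ::1/128.
        network = ipaddress.ip_network(net.replace("[", "").replace("]", ""), strict=False)
        if addr.version == network.version and addr in network:
            return True
    return False


def evaluate(restrictions, client_ip, recipient, cfg):
    """Return (verdict, name of the entry that decided) for one RCPT TO."""
    recipient = recipient.lower()
    domain = recipient.rpartition("@")[2]
    hosted_here = domain in cfg["mydestination"] or domain in cfg["virtual_mailbox_domains"]
    for entry in restrictions:
        if entry == "permit_mynetworks":
            if in_mynetworks(client_ip, cfg):
                return "PERMIT", entry
        elif entry == "reject_unauth_destination":
            if not hosted_here:                 # 554 5.7.1 Relay access denied
                return "REJECT", entry
        elif entry == "reject_unlisted_recipient":
            # Only the virtual side is modelled; local_recipient_maps plays the
            # same role for mydestination domains.
            if domain in cfg["virtual_mailbox_domains"] and recipient not in cfg["virtual_mailbox_maps"]:
                return "REJECT", entry          # 550 5.1.1 User unknown in virtual mailbox table
        elif entry == "permit":
            return "PERMIT", entry
        else:
            raise ValueError(f"restriction not modelled: {entry}")
    return "PERMIT", "end of list"              # no entry decided: Postfix permits


if __name__ == "__main__":
    usual = ["permit_mynetworks", "reject_unauth_destination", "reject_unlisted_recipient"]
    for ip, rcpt in [("127.0.0.1", "who@bach"), ("203.0.113.5", "who@bach"), ("203.0.113.5", "testuser@bach")]:
        print(ip, rcpt, evaluate(usual, ip, rcpt, CONFIG))
```

The way to find out what your recipient validation really does is to test it from an address that is not in mynetworks: the same RCPT TO that is accepted from 127.0.0.1 is rejected from 203.0.113.5. If you want 127.0.0.1 validated as well, put reject_unlisted_recipient in front of permit_mynetworks.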

----------

## audiodef

I haven't had a chance to get back to this issue yet, but I have to say this:

Dude, I am TOTALLY digging your way of running a mail server. It's so super-simple to add new domains and users. I've had to add several special-purpose email addresses to my production machine (on which everything works. My above issue is for a new dev machine), and I'm smarfed - nay, FLARGED that all I have to do is drop the address and password into maildb. 

Rock on, bro.   :Very Happy: 

----------

## trigggl

Ok, I've come back to this.  I'm trying to receive mail (from outside the network) on port 587.  What do I have to do for the system to accept that?  Is that a postmap setting?  I don't have port 25 open and would prefer to keep it closed, but I guess I could open it if I had to.  How do I even test port 587, or should telnet work (it doesn't)?

Should this setup just send if it weren't blocked by the ISP or is there something else I need to do?  Am I confined to pop mail with my email provider?  I'm using a dynamic DNS with Comcast as my ISP.

----------

## cach0rr0

 *trigggl wrote:*   

> Ok, I've come back to this.  I'm trying to receive mail (from outside the network) on port 587.  What do I have to do for the system to accept that?  Is that a postmap setting?  I don't have port 25 open and would prefer to keep it closed, but I guess I could open it if I had to.  How do I even test port 587, or should telnet work (it doesn't)?
> 
> Should this setup just send if it weren't blocked by the ISP or is there something else I need to do?  Am I confined to pop mail with my email provider?  I'm using a dynamic DNS with Comcast as my ISP.

 

trouble is, external mail systems aren't going to know to connect to your mail server on a port other than 25 

you can configure your postfix system to send to alternate ports much as you like, but as far as receiving mail goes, if you're not able to be connected to on 25 (as in, inbound to your port 25), you may send mail fine, but you won't be receiving much if any. Some external hosts may automatically try 587, many will not. They should, but they don't. 

having said that, if you want to try it, all you need is this in master.cf

```

submission inet n       -       n       -       -       smtpd

```

that will enable the listener on port 587. Add that, restart postfix. 

And yes, this setup should just flat-out send. If you want to see if any ports are blocked, telnet to my server on port 25 (renee.whitehathouston.com)

If it connects (you'll get a 554 error, but that's expected on a dynamic IP) then your connections to other hosts on port 25 aren't blocked. If it doesn't, then Comcast is blocking you (unless, of course, you have some other firewall that you control that might be blocking you)

Now, as far as sending to others whose systems are listening on 587, you'd want to set up transport_maps, meaning you'd have to do it on a per-domain basis. Which is annoying, but there's no other way around it. 

Ultimately if you can't accept inbound connections on 25, you're not going to receive much mail, and if you're unable to make outbound connections to remote hosts on 25, you aren't going to be sending much mail either. 

Best of luck either way, hope that's somewhat helpful!
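
How to test a listener (the question above), as an added example that is not part of the original post: probe() does what "telnet host 25" does but parses the answer (greeting, EHLO extensions, whether STARTTLS is offered), and a constructed one-shot fake server lets the script run offline. The fake server's banner and EHLO lines mirror those quoted earlier in the thread, and probe.example is a placeholder HELO name.

```python
"""Check whether an SMTP listener is reachable and what it offers, i.e. what
'telnet host 25' shows but parsed: banner, EHLO extensions, STARTTLS.  Added
example, not from the original thread.  probe() is meant for real hosts on 25
or 587; the fake server below is a constructed stand-in so the script runs
offline (its banner mirrors the one quoted earlier in the thread)."""
import socket
import threading


def _read_reply(rfile):
    """Read one SMTP reply, multi-line ('250-...') or not; return (code, lines)."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("peer closed the connection")
        line = line.rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def probe(host, port, timeout=5.0, helo="probe.example"):
    """Connect, read the greeting, send EHLO, then QUIT; never sends mail."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            rfile = s.makefile("r", encoding="latin-1")
            code, banner = _read_reply(rfile)
            if code != 220:
                return {"reachable": True, "banner": banner[0], "error": f"greeting {code}"}
            s.sendall(f"EHLO {helo}\r\n".encode("ascii"))
            code, ehlo = _read_reply(rfile)
            s.sendall(b"QUIT\r\n")
            exts = [l.split()[0].upper() for l in ehlo[1:] if l]   # first line is the server name
            return {"reachable": True, "banner": banner[0], "ehlo_code": code,
                    "extensions": exts, "starttls": "STARTTLS" in exts}
    except OSError as exc:                      # refused, timed out, filtered
        return {"reachable": False, "error": str(exc)}


FAKE_EHLO = ["bach", "PIPELINING", "SIZE 102400000", "STARTTLS", "8BITMIME"]


def start_fake_server(ehlo_lines=FAKE_EHLO):
    """Serve one client on 127.0.0.1 with Postfix-like replies; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        try:
            with conn:
                conn.sendall(b"220 bach ESMTP Postfix (2.8.4)\r\n")
                rfile = conn.makefile("r", encoding="latin-1")
                for cmd in rfile:
                    verb = cmd.split(None, 1)[0].upper() if cmd.strip() else ""
                    if verb == "EHLO":
                        reply = "".join(f"250-{l}\r\n" for l in ehlo_lines[:-1]) + f"250 {ehlo_lines[-1]}\r\n"
                        conn.sendall(reply.encode("ascii"))
                    elif verb == "QUIT":
                        conn.sendall(b"221 2.0.0 Bye\r\n")
                        break
                    else:
                        conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")
        except OSError:
            pass                                # client went away first; fine

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe_fake_listener():
    return probe("127.0.0.1", start_fake_server(), timeout=3.0)


def probe_closed_port():
    """Grab a free port, release it, probe it: what an unlistened port looks like."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return probe("127.0.0.1", port, timeout=3.0)


if __name__ == "__main__":
    print(probe_fake_listener())
    print(probe_closed_port())
```

Run probe() against your own public address on 25 and 587 from outside your network: "reachable": False with a timeout on 25 but a banner on 587 is the pattern of an ISP that filters port 25, and a missing STARTTLS in the extension list means smtpd_tls_security_level is not set on that listener.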

----------

## trigggl

 *cach0rr0 wrote:*   

> trouble is, external mail systems aren't going to know to connect to your mail server on a port other than 25 
> 
> you can configure your postfix system to send to alternate ports much as you like, but far as receiving mail goes, if you're not able to be connected to on 25 (as in, inbound to your port 25),  you may send mail fine, but you wont be receiving much if any. Some external hosts may automatically try 587, many will not. They should, but they don't. 
> 
> having said that, if you want to try it, all you need is this in master.cf
> ...

 

That was easy. (press little red button)  I was even able to telnet from the AIX system at work.  Thanks for that.

 *cach0rr0 wrote:*   

> And yes, this setup should just flat-out send. If you want to see if any ports are blocked, telnet to my server on port 25 (renee.whitehathouston.com)  
> 
> If it connects (you'll get a 554 error, but that's expected on a dynamic IP) then your connections to other hosts on port 25 aren't blocked. If it doesn't, then Comcast is blocking you (unless, of course, you have some other firewall that you control that might be blocking you)

 

..and no I couldn't get there.  It sat at "Trying..." and never made it.  Do you think that 587 would be blocked?  Do you know of anyone that would be using it that I could test it at?

 *cach0rr0 wrote:*   

> Now, as far as sending to others whose systems are listening on 587, you'd want to set up transport_maps, meaning, you'd have to do it on a per-domain basis. Which is annoying, but no other way around it. 

 

I don't suppose that's an easy thing to set up for one domain?  Would it be a problem to post an example?

 *cach0rr0 wrote:*   

> Ultimately if you cant accept inbound connections on 25, you're not going to receive much mail, and if you're unable to make outbound connections to remote hosts on 25, you aren't going to be sending much mail either. 
> 
> Best of luck either way, hope that's somewhat helpful!

 

You've been a great help.  Maybe some day I'll be able to find a way to get around the service provider issue.  I suspect it will cost me, though.  I guess I should open port 25 to see if I can telnet home, if that's blocked as well.  Anyways, I have a working system now and if I were able to use it on an open network of a friends or something, I'll be able to set up mail for them.  More specifically on BOINC (seti@home, milkyway@home, etc...) I'm on a team (SETI.USA) that's trying to get an email blast setup to send mail to a team email list.

----------

## cach0rr0

I hate conference calls. But I have one in 15, so I have to be brief. Man, weekend needs to come fast, this week has been insane. 

 *trigggl wrote:*   

> 
> 
> You may want to fix the com0 for those who find this by way of a search or google.  

 

done. 

 *trigggl wrote:*   

> 
> 
> ..and no I couldn't get there.  It sat at "Trying..." and never made it.  Do you think that 587 would be blocked?  Do you know of anyone that would be using it that I could test it at?
> 
> 

 

Offhand no, I could probably set mine up to do that in a little bit

 *trigggl wrote:*   

> 
> 
> I don't suppose that's an easy thing to set up for one domain?  Would it be a problem to post an example?
> 
> 

 

actually very easy

set 

```

transport_maps = hash:/etc/postfix/transport

```

in main.cf

then edit /etc/postfix/transport to have e.g.

```

destination.com smtp:[mxhost.destination.com]:587

```

note the square brackets are important. Too long to explain, but you DO need them (having them bypasses any DNS lookup for that domain). The above says "do not look up an MX in DNS, send direct to 'mxhost.destination.com', do not pass go, etc. Of course, if you omitted them, you would want to do something like

```

destination.com smtp:destination.com:587

```

which says "look up the MX for destination.com, and connect to it on port 587".

 *trigggl wrote:*   

> 
> 
> You've been a great help.  Maybe some day I'll be able to find a way to get around the service provider issue.  I suspect it will cost me, though.  I guess I should open port 25 to see if I can telnet home, if that's blocked as well.  Anyways, I have a working system now and if I were able to use it on an open network of a friends or something, I'll be able to set up mail for them.  More specifically on BOINC (seti@home, milkyway@home, etc...) I'm on a team (SETI.USA) that's trying to get an email blast setup to send mail to a team email list.

 

short answer: I'm paying $120/mo to Comcast for guaranteed 16/2 (though I normally get 40/5.5), and 5 static IPs (I can set PTR records, too). I look at it this way: to run the VPSes I'd need for what I do, plus maintaining a residential connection at home, it would cost at least that, probably more. Much better running VPSes at home, with the caveat being that if power at my house goes down, or my connection temporarily drops out, mail/web/vpn/other stuff drops off, whereas on a VPS it would stay up. I'll take that risk in exchange for the control I have (plus, none of that Comcast 200GB/mo quota nonsense)
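
The transport entries above, as an added example that is not part of the original post: a parser for transport(5) results that records whether the next-hop is bracketed (no MX lookup; the A/AAAA lookup still happens), plus the lookup order Postfix applies to a recipient (full address, then domain, then each parent domain with a leading dot, then "*"). The table is constructed: destination.com is the post's placeholder, the other names are made up, and IPv6 literals are not handled.

```python
"""Parse transport(5) entries and resolve a recipient the way Postfix does:
the full address first, then the domain, then each parent domain with a
leading dot, then '*'.  Added example, not from the original thread: the
table below is constructed, only smtp/lmtp/relay next-hops are broken into
host/port, and IPv6 literals ([ipv6:...]) are not handled."""

NETWORK_TRANSPORTS = {"smtp", "lmtp", "relay"}

# Constructed transport map in transport(5) syntax (destination.com is the
# placeholder name used in the post above).
TRANSPORT_MAP = """
# per-domain overrides
destination.com     smtp:[mxhost.destination.com]:587
.destination.com    smtp:[mxhost.destination.com]:587
other.example       smtp:other.example:587
bounce.example      error:mail for bounce.example is not deliverable here
# everything else goes to the ISP's submission port
*                   smtp:[smtp.isp.example]:587
"""


def parse_result(rhs):
    """Split 'transport:nexthop' into its parts and record whether an MX lookup
    will happen (brackets suppress it; the A/AAAA lookup still happens)."""
    transport, colon, rest = rhs.partition(":")
    if not colon:
        raise ValueError(f"missing ':' in {rhs!r}")
    entry = {"transport": transport or None, "nexthop": None, "port": None,
             "mx_lookup": None, "text": None}
    if transport not in NETWORK_TRANSPORTS:
        entry["text"] = rest              # error:, discard:, local: ... carry free text
        return entry
    if rest.startswith("["):
        host, closed, tail = rest[1:].partition("]")
        if not closed:
            raise ValueError(f"unterminated '[' in {rhs!r}")
        entry["mx_lookup"] = False
    else:
        host, sep, port = rest.partition(":")
        tail = sep + port
        entry["mx_lookup"] = True
    if tail and not tail.startswith(":"):
        raise ValueError(f"unexpected text after host in {rhs!r}")
    entry["nexthop"] = host or None       # empty host: Postfix uses the recipient domain
    if tail:
        port = tail[1:]
        entry["port"] = int(port) if port.isdigit() else port   # number or service name
    return entry


def parse_transport_map(text):
    """Lines are 'pattern  result'; '#' lines and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, rhs = line.split(None, 1)
        table[key.lower()] = parse_result(rhs.strip())
    return table


def route(table, recipient):
    """Return (matched key, parsed result) or (None, None)."""
    domain = recipient.rpartition("@")[2].lower()
    labels = domain.split(".")
    candidates = [recipient.lower(), domain]
    candidates += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    candidates.append("*")
    for key in candidates:
        if key in table:
            return key, table[key]
    return None, None


if __name__ == "__main__":
    table = parse_transport_map(TRANSPORT_MAP)
    for rcpt in ["bob@destination.com", "bob@mail.destination.com", "bob@other.example", "x@elsewhere.example"]:
        print(rcpt, "->", route(table, rcpt))
```

A "*" entry pointed at the ISP's submission port is the per-port equivalent of relayhost = [smtp.isp.example]:587 (transport_maps takes precedence over relayhost), and that host will almost always want authentication, so pair it with smtp_sasl_auth_enable = yes and an smtp_sasl_password_maps entry for the same bracketed host:port.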

----------

## cach0rr0

now that I'm off that bloody call, a few more points

-587 is very likely NOT blocked

-the other advantage to a "business class" line is that your IP won't be listed on any DNS blacklists/RBLs, whereas dynamic, residential Comcast IPs are all listed on, for example, Spamhaus PBL (which is used in the Spamhaus ZEN list... which is a very, very, very widely used list; if you're on the PBL, few corporate mail servers are going to accept mail from your home IP, and any servers that use zen.spamhaus.org are going to block mail from your IP). Also, for the business customers, they're rolling out DOCSIS 3, which I plan on moving to sooner rather than later (I think it's free?).

no, I don't work for Comcast  :Laughing: 

I made this move because I was pissed at being blacklisted, and although they don't block 25 in my area, I was worried they might at some point. I'd have moved to another provider if there was one available that fit my needs, but there isn't, and this ultimately ended up being the most cost-effective path for me

----------

## trigggl

I'm getting the following message in my imapd.conf

 *Quote:*   

> Oct 21 10:18:26 stephie lmtpunix[26273]: IOERROR: fstating sieve script /var/imap/sieve/domain/s/setiusa.webhop.org/s/setiusa-join/defaultbc: No such file or directory

 

Is this something I should be concerned about?  Should I just create the /var/imap/sieve/domain directory?

----------

## cach0rr0

unless you plan on setting up sieve scripts, I wouldn't worry about it

I don't use them. Maybe I should, but sieve is one "language" I just can't be bothered learning.

----------

## cach0rr0

Hi guys - Just a quick heads up!

I've updated the ebuild for cyrus-imapd-2.4.12 since there was the GLSA/vuln published for prior versions

http://www.gentoo.org/security/en/glsa/glsa-201110-16.xml

I have not tested it other than "it patches and compiles without issue" (see note, it's actually not "without issue"). I upgraded my production box for this maybe 5 minutes ago, and will holler if anything catches fire. I don't expect anyone else to be an "early adopter"; I am guinea-pigging it, and at least this way with me going first I will know if "issues" that pop up are related to these patches, or just related to new cyrus without patches, or unrelated at all. 

NOTE: in order for this to build cleanly, you have to have 'sieve' enabled in your USE, otherwise there are files missing, and although things patch correctly, the build fails with:

```

x86_64-pc-linux-gnu-gcc -c -I.. -I./../lib -I../com_err/et  -I/usr/include/mysql -I/usr/include/db4.8   -DHAVE_CONFIG_H  -march=native -O2 -pipe \

autosieve.c

<irrelevant stuff snipped>

autosieve.c:27:29: fatal error: sieve_interface.h: No such file or directory

```

So, even if you don't use sieve, for now, USE="${USE} sieve" anyway  :Smile:  I will spend more time figuring out a "correct" way of handling this at some point, but right now I am full of mucus, and feel like resting. 

Ebuild snagged here:

http://whitehathouston.com/downloads/gentoo/ebuilds/cyrus/net-mail/cyrus-imapd/cyrus-imapd-2.4.12.ebuild

and pasted text in case for some reason I die or my server goes down:

```

# Copyright 1999-2011 Gentoo Foundation

# Distributed under the terms of the GNU General Public License v2

# $Header: /var/cvsroot/gentoo-x86/net-mail/cyrus-imapd/cyrus-imapd-2.4.12.ebuild,v 1.6 2011/10/11 19:04:16 jer Exp $

EAPI=4

inherit db-use eutils flag-o-matic ssl-cert pam multilib

MY_P=${P/_/}

DESCRIPTION="The Cyrus IMAP Server."

HOMEPAGE="http://www.cyrusimap.org/"

AUTOCREATE_VER="0.10-0"

AUTOSIEVE_VER="0.6.0"

AUTOCREATE_PATCH="${PN}-2.4.4-autocreate-${AUTOCREATE_VER}.patch"

AUTOSIEVE_PATCH="${P}-autosieve-${AUTOSIEVE_VER}.patch"

SRC_URI="ftp://ftp.cyrusimap.org/cyrus-imapd/${MY_P}.tar.gz

        autocreate? ( http://www.vx.sk/download/patches/cyrus-imapd/${AUTOCREATE_PATCH} )

        autosieve? ( http://www.vx.sk/download/patches/cyrus-imapd/${AUTOSIEVE_PATCH} )"

LICENSE="as-is"

SLOT="0"

KEYWORDS="amd64 ~arm hppa ~ia64 ppc ppc64 sparc x86"

IUSE="autocreate autosieve afs berkdb kerberos mysql nntp pam postgres replication sieve snmp sqlite ssl tcpd"

RDEPEND="sys-libs/zlib

        >=dev-libs/cyrus-sasl-2.1.13

        afs? ( net-fs/openafs )

        berkdb? ( >=sys-libs/db-3.2 )

        kerberos? ( virtual/krb5 )

        mysql? ( virtual/mysql )

        nntp? ( !net-nntp/leafnode )

        pam? (

                        virtual/pam

                        >=net-mail/mailbase-1

                )

        postgres? ( dev-db/postgresql-base )

        snmp? ( >=net-analyzer/net-snmp-5.2.2-r1 )

        sqlite? ( dev-db/sqlite )

        ssl? ( >=dev-libs/openssl-0.9.6 )

        tcpd? ( >=sys-apps/tcp-wrappers-7.6 snmp? ( net-analyzer/net-snmp[tcpd=] ) )"

DEPEND="$RDEPEND"

# get rid of old style virtual - bug 350792

# all blockers really needed?

RDEPEND="${RDEPEND}

        !mail-mta/courier

        !net-mail/bincimap

        !net-mail/courier-imap

        !net-mail/uw-imap"

REQUIRED_USE="afs? ( kerberos )"

S=${WORKDIR}/${MY_P}

pkg_setup() {

        enewuser cyrus -1 -1 /usr/cyrus mail

}

src_prepare() {

        # Apply autocreate and autosieve patches if USE enabled

        if use autocreate ; then

                epatch "${DISTDIR}/${AUTOCREATE_PATCH}" || die "epatch failed"

        fi

        #build failure without both 'sieve' AND 'autosieve' in USE. Latter depends on former

        if use sieve ; then

                if use autosieve ; then

                        epatch "${DISTDIR}/${AUTOSIEVE_PATCH}" || die "epatch failed"

                fi

        fi

        # Fix master(8)->cyrusmaster(8) manpage.

        for i in `grep -rl -e 'master\.8' -e 'master(8)' "${S}"` ; do

                sed -i -e 's:master\.8:cyrusmaster.8:g' \

                        -e 's:master(8):cyrusmaster(8):g' \

                        "${i}" || die "sed failed"

        done

        mv man/master.8 man/cyrusmaster.8 || die "mv failed"

        sed -i -e "s:MASTER:CYRUSMASTER:g" \

                -e "s:Master:Cyrusmaster:g" \

                -e "s:master:cyrusmaster:g" \

                man/cyrusmaster.8 || die "sed failed"

        # do not strip

        sed -i -e '/(INSTALL/s/-s //' "${S}"/imtest/Makefile.in

        # correct afs include and liblwp.a directory

        sed -i -e '/I${with_afs_incdir/s/\/include//' \

                -e '/liblwp/s/liblwp/afs\/liblwp/' \

                "${S}"/configure{,.in} || die

        # same with lock.h

        sed -i -e '/lock.h/s:lock.h:afs/lock.h:' \

                ptclient/afskrb.c || die

        # libcom_err.a to libafscom_err.a

        sed -i -e '/afs\/libcom_err.a/s:libcom_err.a:libafscom_err.a:' \

                configure{,.in} || die

}

src_configure() {

        local myconf

        if use mysql ; then

                myconf=$(mysql_config --include)

                myconf="--with-mysql-incdir=${myconf#-I}"

        fi

        if use afs ; then

                myconf+=" --with-afs-libdir=/usr/$(get_libdir)"

                myconf+=" --with-afs-incdir=/usr/include/afs"

        fi

        if use berkdb ; then

                myconf+=" --with-bdb-incdir=$(db_includedir)"

        fi

        econf \

                --enable-murder \

                --enable-netscapehack \

                --enable-idled \

                --with-service-path=/usr/$(get_libdir)/cyrus \

                --with-cyrus-user=cyrus \

                --with-cyrus-group=mail \

                --with-com_err=yes \

                --with-sasl \

                --without-perl \

                --without-krb \

                --without-krbdes \

                --with-zlib \

                $(use_enable afs) \

                $(use_enable afs krb5afspts) \

                $(use_with berkdb bdb) \

                $(use_enable nntp) \

                $(use_enable replication) \

                $(use_enable kerberos gssapi) \

                $(use_with mysql) \

                $(use_with postgres pgsql) \

                $(use_with sqlite) \

                $(use_with ssl openssl) \

                $(use_enable sieve) \

                $(use_with snmp) \

                $(use_with tcpd libwrap) \

                ${myconf}

}

src_install() {

        emake DESTDIR="${D}" install

        # file collision - bug #368245

        if ! use nntp ; then

                rm "${D}"/usr/share/man/man8/fetchnews.8*

        fi

        dodoc README*

        dohtml doc/*.html doc/murder.png

        docinto text

        dodoc doc/text/*

        cp doc/cyrusv2.mc "${D}/usr/share/doc/${PF}/html"

        cp -r contrib tools "${D}/usr/share/doc/${PF}"

        rm -f doc/text/Makefile*

        insinto /etc

        doins "${FILESDIR}/cyrus.conf" "${FILESDIR}/imapd.conf"

        # turn off sieve if not installed

        if ! use sieve; then

                sed -i -e "/sieve/s/^/#/" "${D}/etc/cyrus.conf" || die

        fi

        newinitd "${FILESDIR}/cyrus.rc6" cyrus

        newconfd "${FILESDIR}/cyrus.confd" cyrus

        newpamd "${FILESDIR}/cyrus.pam-include" sieve

        for subdir in imap/{,db,log,msg,proc,socket,sieve} spool/imap/{,stage.} ; do

                keepdir "/var/${subdir}"

                fowners cyrus:mail "/var/${subdir}"

                fperms 0750 "/var/${subdir}"

        done

        for subdir in imap/{user,quota,sieve} spool/imap ; do

                for i in a b c d e f g h i j k l m n o p q r s t v u w x y z ; do

                        keepdir "/var/${subdir}/${i}"

                        fowners cyrus:mail "/var/${subdir}/${i}"

                        fperms 0750 "/var/${subdir}/${i}"

                done

        done

}

pkg_postinst() {

        # do not install server.{key,pem} if they exist.

        if use ssl ; then

                if [ ! -f "${ROOT}"etc/ssl/cyrus/server.key ]; then

                        install_cert /etc/ssl/cyrus/server

                        chown cyrus:mail "${ROOT}"etc/ssl/cyrus/server.{key,pem}

                fi

        fi

        elog "For correct logging add the following to /etc/syslog.conf:"

        elog "    local6.*         /var/log/imapd.log"

        elog "    auth.debug       /var/log/auth.log"

        echo

        elog "You have to add user cyrus to the sasldb2. Do this with:"

        elog "    saslpasswd2 cyrus"

}

```

ALSO: for anyone that cares, I'm writing something I will never use, for shits and giggles - a crudely done "pretty-ish" UI for handling all of the user/domain creation stuff. Work in progress, going to add support for routing overrides in the near future, and update the doc to reflect as much. http://whitehathouston.com/testcode is downloadable stuff (doc explains which is which), but not the latest, http://whitehathouston.com/yapmi is the latest, but not downloadable.

----------

## audiodef

 *cach0rr0 wrote:*   

> 
> 
>  in case for some reason I die 
> 
> 

 

No! Forbidden! You can not!   :Laughing: 

 *cach0rr0 wrote:*   

> 
> 
> ALSO: for anyone that cares, I'm writing something I will never use, for shits and giggles - a crudely done "pretty-ish" UI for handling all of the user/domain creation stuff. Work in progress, going to add support for routing overrides in the near future, and update the doc to reflect as much. http://whitehathouston.com/testcode is downloadable stuff (doc explains which is which), but not the latest, http://whitehathouston.com/yapmi is the latest, but not downloadable.

 

That sounds cool, actually. I'll try to give it a whirl at some point.

----------

## audiodef

Came across this today: http://thewalter.net/stef/software/clamsmtp/postfix.html

Might be useful to integrate it into the howto.

----------

## cach0rr0

basically the same steps there that one would use for integrating amavisd-new

Might add a link for it, dunno that I'd include any piece of that actual HOWTO. 

First I need to get a new laptop, one that has its O key intact. I'm currently hitting the little rubber nipple directly.

----------

## audiodef

I have a phpbb board for which I want to enable new user self-validation via email. I'm having trouble getting this to work and I'm not sure why. I've set the email settings like so:

SMTP settings

Use SMTP server for e-mail: yes

SMTP server address: audiodef.com (which is what I use in my mail client and this works)

SMTP server port: I've tried both 587 and 995

Authentication method for SMTP: Tried both plain and login (other options are cram and md5, which I don't use in my mail clients, so I figure they don't apply here, either)

SMTP username/pass: I enter a webmaster account for this, no typos

I thought I'd post this here first to make sure it's not just me using incorrect mail server settings. I have not gotten phpbb to send out a validation email yet.

----------

## cach0rr0

a few quick things - sorry so late, very busy times 'round these parts !

-do the connection attempts from your web server even show up in mail.log ? debug_peer might be useful. 

-smtpd_tls_auth_only means that you cannot do AUTH, nor will the extension even be advertised, unless the connecting host first establishes a TLS-enabled session (i.e. via STARTTLS). 

-if your web server, where you have this phpbb instance, is included in $mynetworks, you shouldn't need to auth. I would of course avoid doing such a thing if you had your site on some kind of shared hosting environment where the unwashed masses were hosted on your same IP, but for your own server that shouldn't be an issue. 

I'll tick the 'notify me' box on this one, otherwise I'll never notice a new post has been made  :Smile: 

My world isn't going to be calm for at least another few months. In the good sense, all work stuff, big great things happening for me there, but those big great things mean a time vortex.

----------

## audiodef

Thanks for your as-usual in-depth and helpful advice.   :Smile: 

How do I get postfix to have its own mail log? Right now, it gets dumped into /var/log/messages, which can be a pain to grep through. 

I finally grokked what you said about not needing auth if it's all on the same server, so I disabled phpBB's "use smtp for mail" and replaced "mail" with "sendmail" in the local mail function box. This is what succeeded.   :Very Happy: 

So what great, big things are happening? Good stuff, I hope.

----------

## cach0rr0

 *audiodef wrote:*   

> 
> 
> How do I get postfix to have it's own mail log? Right now, it gets dumped into /var/log/messages, which can be a pain to grep through. 
> 
> 

 

that's a function of syslog, so you could either edit syslog's configuration to put the mail target into a different file, OR, if you're using syslog-ng, just re-merge it with USE="hardened", and when it's restarted everything - not just mail - should start going to a nicely organized individual log file, in the case of postfix/cyrus, to /var/log/mail.(log|err)

 *audiodef wrote:*   

> 
> 
> So what great, big things are happening? Good stuff, I hope.

 

all very good stuff! But the sort that has me running around at a fever pitch doing those 4-hour-sleep nights regularly. Glad I live next door to a coffee shop. About 2 weeks away from my little startup finalizing a really big deal for us - then comes an entirely new kind of chaos.

----------

## audiodef

I thought I had syslog-ng on hardened, since I knew about that, but it wasn't. Well, that's fixed now.   :Embarassed: 

Nice. I wish you all the best with the good stuff, busy coffee-laced schedule notwithstanding.   :Smile: 

----------

## whatalotta

Hi cach0rr0,

Thanks for a great HowTo!  I tried the official Gentoo Virtual Mail Server and even with a lot of googling and searching in the forums, I couldn't get past the "Relay Access Denied" errors when trying to receive on my virtual domains (although the domain in mydestination worked fine).

The only difficulty I had with your instructions was in the adding domains section.  I created the table in mysql, created virtual_domain_lookup.cf, added the virtual domains to the new table and changed virtual_mailbox_domains = drumm1.ath.cx, like.webhop.org  to read virtual_mailbox_domains = mysql:/etc/postfix/virtual_domain_lookup.cf.  Unfortunately, my virtual domains started giving me the "Relay Access Denied" error upon testing receive functionality.  I think it might have worked if I had understood what you meant by "(adjust your SQL lookups accordingly!)".  I went back to virtual_mailbox_domains = drumm1.ath.cx, like.webhop.org and bingo -- everything worked!

Thanks, and good luck with the start-up!

-w

----------

## cach0rr0

 *whatalotta wrote:*   

> Hi cach0rr0,
> 
> Thanks for a great HowTo!  I tried the official Gentoo Virtual Mail Server and even with a lot of googling and searching in the forums, I couldn't get past the "Relay Access Denied" errors when trying to receive on my virtual domains (although the domain in mydestination worked fine).
> 
> The only difficulty I had with your instructions was in the adding domains section. I created the table in mysql, created virtual_domain_lookup.cf, added the virtual domains to the new table and changed virtual_mailbox_domains = drumm1.ath.cx, like.webhop.org to read virtual_mailbox_domains = mysql:/etc/postfix/virtual_domain_lookup.cf. Unfortunately, my virtual domains started giving me the "Relay Access Denied" error upon testing receive functionality. I think it might have worked if I had understood what you meant by "(adjust your SQL lookups accordingly!)". I went back to virtual_mailbox_domains = drumm1.ath.cx, like.webhop.org and bingo -- everything worked!
> ...

 

Sorry for so late a reply, been on the road.

"Adjust your SQL lookups accordingly": I just meant to make sure that whatever you put in /etc/postfix/virtual_domain_lookup.cf for your query matches, e.g., the table names, column names, etc., you'd created in the step above.

Which goes to the next point: apparently I provided an example virtual_domain_lookup.cf that will not work with the example table I provided.

Where I have:

```
query = SELECT email from domainlist where domain='%d'
```

I should have:

```
query = SELECT domain from domainlist where domain='%d'
```

I've updated the doc to reflect this. The relay error was likely because the mysql lookup was looking for the domain in a column named 'email', when no such column exists in the 'domainlist' table. Since nothing was returned by the query, postfix assumed the domain was not found, ergo it was seen as an illegal relay attempt.

If it finds the domain (represented by '%d') in the 'domain' column of the 'domainlist' table, it allows the relay.

NB: unless you want multiple domains served by this, you don't need to go the mysql route for your virtual domains.
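As an added example, not code from the how-to or from anyone in this thread, here is a Python model of the lookup described above: the broken and fixed query templates from the post are run against a constructed SQLite stand-in for the domainlist table (its layout is an assumption), and the result decides between accept and "Relay access denied". It goes beyond the post in modelling the %s/%u/%d expansion rules of mysql_table(5), including that %d is expanded only when the lookup key has the form user@domain.

```python
import sqlite3

# Constructed stand-in for the how-to's MySQL 'domainlist' table: a 'domain'
# column and, deliberately, no 'email' column (the layout is an assumption).
VIRTUAL_DOMAINS = ["drumm1.ath.cx", "like.webhop.org"]

# The two query templates from the post, plus a %s variant for bare-domain keys.
BROKEN_QUERY = "SELECT email from domainlist where domain='%d'"
FIXED_QUERY = "SELECT domain from domainlist where domain='%d'"
BARE_KEY_QUERY = "SELECT domain from domainlist where domain='%s'"


def make_db():
    """Build the in-memory table Postfix would be querying."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domainlist (domain TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO domainlist VALUES (?)",
                     [(d,) for d in VIRTUAL_DOMAINS])
    return conn


def sql_quote(value):
    """Postfix SQL-quotes every expansion; doubling the quote suffices here."""
    return value.replace("'", "''")


def expand(template, key):
    """Expand a mysql_table(5) query template for one lookup key.
    %s is the whole key; %u/%d are the local/domain part of a user@domain key.
    For a key without '@', %u is the whole key and a template containing %d
    is suppressed (None, i.e. 'not found'), as mysql_table(5) documents."""
    local, at, domain = key.partition("@")
    if "%d" in template and not at:
        return None
    return (template.replace("%s", sql_quote(key))
            .replace("%u", sql_quote(local if at else key))
            .replace("%d", sql_quote(domain)))


def classify(conn, template, key):
    """virtual_mailbox_domains decision: rows -> 'accept', none ->
    'relay-denied', failing query -> 'lookup-error' (Postfix logs it)."""
    sql = expand(template, key)
    if sql is None:
        return "relay-denied"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError:  # e.g. 'no such column: email'
        return "lookup-error"
    return "accept" if rows else "relay-denied"
```

Because virtual_mailbox_domains looks up the bare domain, a template using %d is suppressed for that table and %s is the expansion that matches; %d applies to tables keyed by a full address, such as virtual_mailbox_maps.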

----------

## audiodef

I've been using Claws Mail. I like it a lot, except for one thing: it appears not to do anything when I select Options -> Request Return Receipt before sending a message. 

Does Claws Mail use DSN or MDN for return receipts? How can I make either of these work? I'm posting this here because I'm wondering if this has to do with my postfix setup, which was done according to the how-to in this thread. 

Since I run my own mail server, this would be a very useful function for me, as opposed to checking the server logs every time I want to verify a message was successfully delivered. 

I'm also open to other ways of receiving DSNs or MDNs, if anyone has such suggestions.

----------

## ChrisJumper

A little off-topic:

Before I follow your How-To...

- Could I use/integrate Roundcube as a web frontend?

- Is this a solution for collecting all/many emails for multiple accounts from different mail hosters?

 (This of course could be done with IMAP and e-mail forwarding, but I would prefer a single point of interaction and collection.)

- Or does Postfix/Cyrus just handle my domain and act as MTA?

EDIT: OK, the Cyrus and Postfix services are really easy to use with a Roundcube web frontend. So now I am really lucky to have got that working. Just one thing in that guide did not work for me as expected: the magic autocreation of the new INBOX and co. The USE flags have changed and I think that you have to add "sieve" to them. Even with it, the autocreation fails. I activated in Roundcube that, for first-time logged-in users, Roundcube will autocreate INBOX, Sent, Trash and Junk.

Since I just checked this with Roundcube, it could work with other IMAP mail clients. After creating these folders, the service works as expected.

Since I am new to Cyrus, I don't know how to use or configure net-mail/cyrus-imap-admin. It would be nice if your great howto could add some aspects there. Since you add an admin in your /etc/imap.conf, I never could connect as admin to my Cyrus... even if I add this user with a password in the MySQL database. I suppose that the Cyrus user has to exist on the system as a user and should be able to log in as a user. Both logins with cyradm, as root or as cyrus, did not work. :/

Things I'll do are to spend some time hashing, salting and peppering the passwords in the IMAP database, or to find a good way to allow connections via SSL from outside. And Roundcube would love to use an imap-proxy inside to speed up the connections..?

 *Quote:*   

> - Is this a solution for collecting all/many emails for multiple accounts from different mail hosters? 

 

I need some time to understand and find better words to describe my conception. As a user, I wish for a solution to collect all my mail from different hosts, so that I could connect to one service, like a multi-messenger service that collects all the different services like Jabber, ICQ... just for mail. Now I know that if I want this, I have to forward all emails from the different mail services to one service, or to the one email address that my Postfix server handles.

As administrator, the virtual domain setup for using one mail server to handle multiple (virtual) domains works very well! 

Roundcube itself did not allow configuring one user for more than just one email account. So I expected that Roundcube is like Evolution, just as a web frontend. That's not true. To use more than one mail service I have to relay all the mails to that one email address.

----------

