# Courier-MTA semi-virtual domains - there and back again

## btg308

I just thought I'd share my trials and tribulations of the last few days. I'm in the process of migrating my main server (mail, ftp, fido, samba, mysql and www-hosting for ~20 domains and about 30 users) from Red Hat 7.1 to Gentoo. It ran sendmail with the UW imap and pop3 servers and I wanted to shift to something neater with the same or more functionality. I was looking at scanning for viruses and spam and the rpm system just wouldn't let me update sendmail to a milter-capable version.

Since this is a production server, I started off with a 1.2 CD since I have experienced some problems emerging packages with gcc 3.x before. Also, no ~x86 hanky-panky for this one, I save that for my workstations. :-) 

After the emerge rsync, portage breaks so I had to do a rescue as outlined in /usr/portage/sys-apps/portage/files/README.RESCUE. No sweat, that's old hat for me now. :-) After emerging all the stuff I wanted (first try for mailserver was with postfix and cyrus-imap) I started configuring but I never got it just the way I wanted. One of the problems that would haunt me until just a few minutes ago was that I had regular system users log in and get their mail, all of them had at least two e-mail addresses in several domains linked to their accounts by virtue of sendmail's virtusertable. A wonderfully simple feature. They are also mostly external users, using SMTP-AUTH to relay mail via my server. 

Both of these features had become so natural to me that I never imagined there would be any problems, I predicted disasters when migrating the MySQL databases (two phpBB forums and a dynamic website) but that was a breeze using Webmin's MySQL database backup feature.

After being disappointed with postfix/cyrus/amavis/f-prot/spamassassin (cyrus was one of the packages that refused to build with gcc 3.2 earlier, haven't tried it again in a while) I looked at exim, looked away and fixed my gaze upon the wonder of wonders known as qmail with courier-imap. Qmail-scanner looked promising since the amavis ebuild flatly refused to find either f-prot or vlnx (it finds the oav scanner, though) ( https://bugs.gentoo.org/show_bug.cgi?id=13117 ). 

A day later, I finally figured out that neither the -r8 nor -r9 qmail ebuilds actually included the required SMTP-AUTH patch and my attempts to patch it manually were in vain ( https://forums.gentoo.org/viewtopic.php?t=24525 ) so I gave up and after actually typing emerge sendmail in a console and looking at it for a long time with my finger hovering above the Enter key, I backspaced and put courier in there instead. Even in my darkest moments with qmail, courier-imap still worked, so I figured I'd give Sam's creation a chance. 

Now, a lot of people are running the courier-imap, but very few Gentoo'ers seem to have taken a liking to Courier-MTA. After today, I can not really understand why. It's easy to install, has a webadmin interface (I just wish it was a webmin module), built-in everything-and-then-some and is still a fairly small package that's possible to learn reasonably well in a day.  You don't have five different packages to sync, five different logfiles to check or five different ways of naming the same features... One MTA to send them all, and on the server mail them.

After a few ups and downs (hint, only sendmail has sendmail's virtusertable), it's now operational. I found a tidbit in the courier mailing list that I will share with anyone wanting to use courier in the same way I did: http://sourceforge.net/mailarchive/message.php?msg_id=2205316

Sam says the webadmin module does the same thing, but I couldn't quite get it right in there.  The problem is the aliases file. It seems Courier strips all addresses of the locals domains BEFORE parsing aliases. In sendmail, you could mix

```
root:    richie
```

and

```
info@domain.com:   gunther
```

freely. Not so in Courier. And the nifty feature of adding

```
@domain.com:    default-user
```

to send all mail to non-existing addresses in a domain to a single real mailbox? "Forget about it! Set up a MySQL backend and full-fledged virtual hosting!" But thanks to Zenon Panoussis, the COS' worst enemy and herald of free speech, I don't have to do that. :-) Why I would want that feature? Simple. Every time a website asks me for an e-mail address, I give them website.com@mydomain.se - that way I can immediately see if they have sold my address to spammers and I can easily add a filter if that should happen. This way, I won't have to manually add that address in my mailserver. Nifty, eh? ;-)

Now, I'm tired, I'm cold (the heating in the office doesn't seem to work properly when it's below -30 C outside) and I still have spam and virus filtering to figure out plus getting Gentoo's new EVMS kernel to grok my two old LVM volumes (one ~450Gb over 5 disks, one 80GB in one disk, both with ReiserFS) so I think I'll call it a night. But tonight I'll sleep like a baby, knowing my mail works. :-)

----------

## btg308

Hohoho. At the time, I thought that was a clear and concise how-to on how to make virtual domains work in Courier. Today, after my / partition went belly-up, I learned otherwise. Also: The backup didn't include the /etc directory, I only had /home on tape.

Two lessons for the price of one!

Anyway; to get Courier running like I wanted to, I needed to have the following things in place (with kopparhuset.net as my local domain and the others as virtuals):

/etc/courier/aliases/system

```
# Richie
rickard:   richie
webmaster:   richie
@webhackande.se:   richie
@gpz1100.com:   richie
@kopparhuset.net:   richie
```

/etc/courier/locals

```
kopparhuset.net
```

/etc/courier/hosteddomains

```
webhackande.se
gpz1100.com
```

/etc/courier/esmtpacceptmailfor.dir/esmtpacceptmailfor

```
webhackande.se
kopparhuset.net
gpz1100.com
```

The files /etc/courier/me and /etc/courier/defaultdomain must not exist.

Run:

```
makehosteddomains
makeacceptmailfor
makesmtpaccess
makealiases -dump
```

The last one should give you something like:

```
rickard@kopparhuset.net:   richie@kopparhuset.net
webmaster@kopparhuset.net:   richie@kopparhuset.net
@webhackande.se:   richie
@gpz1100.com:   richie
@kopparhuset.net:   richie
```

In this configuration, the aliases work as one would expect them to, if one has only been exposed to sendmail aliases before (all email sent to any user in the webhackande.se domain gets routed to local user richie). No need to tinker with .courier files, creating foo-domain accounts or any of that mumbo-jumbo. 

This Claimer: This is hardcore Courier configuration, I'm not 110% sure why it works and it'll probably break the next time Sam updates the program.
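
Added example, not part of btg308's post or of Courier itself: a small shell check that the files listed above agree with each other before the `make*` commands are run. The function names and the rule set are assumptions of this example; they mirror the layout in the post, where every domain accepted over ESMTP is either local or hosted and every catch-all alias belongs to one of those domains.

```shell
#!/bin/sh
# Added example: consistency check for the semi-virtual layout in the post.
# File names come from the post; function names and rules are assumptions.

# First field of every non-blank, non-comment line, lower-cased and unique.
domains() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]].*//' -e '/^$/d' "$f"
        fi
    done | tr 'A-Z' 'a-z' | sort -u
}

# Domains that have a catch-all entry ("@domain: user") in an aliases file.
catchall_domains() {
    [ -f "$1" ] || return 0
    sed -n 's/^@\([^:[:space:]]*\)[[:space:]]*:.*/\1/p' "$1" | tr 'A-Z' 'a-z' | sort -u
}

# Succeeds if $1 is listed (one per line) in $2.
listed() { printf '%s\n' "$2" | grep -qxF -- "$1"; }

check_courier_semivirtual() {
    dir=$1; bad=0
    for f in me defaultdomain; do
        if [ -e "$dir/$f" ]; then
            echo "FAIL: $dir/$f exists, the post requires it to be absent"; bad=1
        fi
    done
    routed=$(domains "$dir/locals" "$dir/hosteddomains")
    accepted=$(domains "$dir"/esmtpacceptmailfor.dir/*)
    for d in $routed; do
        listed "$d" "$accepted" ||
            { echo "FAIL: $d is local/hosted but missing from esmtpacceptmailfor"; bad=1; }
    done
    for d in $accepted; do
        listed "$d" "$routed" ||
            { echo "FAIL: $d is accepted over ESMTP but is neither local nor hosted"; bad=1; }
    done
    for d in $(catchall_domains "$dir/aliases/system"); do
        listed "$d" "$routed" ||
            { echo "FAIL: catch-all @$d has no locals or hosteddomains entry"; bad=1; }
    done
    return "$bad"
}

# Run against a directory given on the command line, e.g. /etc/courier.
if [ "$#" -gt 0 ]; then check_courier_semivirtual "$1"; fi
```

A machine that deliberately accepts mail for a domain it only forwards (a backup MX, for instance) will trip the second rule; that rule only fits the all-domains-delivered-here setup described in the post.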

----------

## btg308

One more: "makealiases -dump" does NOT update the aliases database file. It just displays what it should do if run as "makealiases". It's probably well documented, but as an old tech writer, I know that no one ever reads the docs, so why should I? :-/

Oh, and this one: 

The unofficial late night recipe for adding Amavis, F-prot and SpamAssassin support to Courier:

F-prot:

```
emerge f-prot
```

was no fun for me. It wanted to install 3.1.2 which, while there's probably nothing wrong with it, is waaay old. The current version is 4.2.1, but as of writing this, the 4.1.2 and 4.2.0 ebuilds are masked as ~x86 and ~sparc, there is no 4.2.1 ebuild. The way around that is to 

```
cp /usr/portage/net-mail/f-prot/f-prot-4.2.0.ebuild /usr/portage/net-mail/f-prot/f-prot-4.2.1.ebuild
```

, change the version number and KEYWORDS in the file:

```
# $Header: /home/cvsroot/gentoo-x86/net-mail/f-prot/f-prot-4.2.1.ebuild,v 1.2 2003/08/27 23:01:04 weeve Exp $

KEYWORDS="x86"
```

, and either manually download the file to the /usr/portage/distfiles directory or 

```
emerge f-prot
```

 and then run 

```
ebuild /usr/portage/net-mail/f-prot/f-prot-4.2.1.ebuild digest
```

 and 

```
emerge -k f-prot
```

 That should install f-prot 4.2.1 in /opt/f-prot. 

```
cp /opt/f-prot/check-updates.pl /etc/cron.daily
```

 will run an update script every night that checks for new virus definitions at updates.f-prot.com, downloads and installs them. Hooray!

Now for the rest of the fun:

Amavis:

```
emerge amavis
```

Edit /usr/sbin/amavis:

Set the options for warning sender/recipient/admin and translate/customize the warning messages if you like. Then look for the virus scan paths and check that the F-prot entry reads:

```
# FRISK F-Prot
$fprot = "/opt/f-prot/f-prot";
```

because that's where it should have been installed.

Now, replace whatever MTA section got installed as default (mine seems to alternate between postfix and sendmail depending on what I have had installed before) with this little snippet:

```
#
# MTA init section
# Error codes - defined below
use vars qw ( $VIRUSERR $REGERR );

#
# postfix
# error codes
$VIRUSERR = 0;
$REGERR = 75;   # EX_TEMPFAIL from sendmail sysexits.h

# don't run suid
# set path explicitly
$ENV{PATH} = "/bin:/usr/bin:/usr/local/bin";
# End postfix

#
# End MTA init section
#

use vars qw($BUFSIZE $buf);
use vars qw($recipline);

# MIME entity, av scanner output and return status
use vars qw($entity $output $errval);

# not really a loop ...
sub main_loop() {
    my($which_section) = "initialization";
    my($sts);

    eval {
        # Already set by milter
        make_tempdir() if (!$TEMPDIR);
        mkdir("$TEMPDIR/parts", oct('700'))
            or die "Can't create directory $TEMPDIR/parts: $!";
        chdir($TEMPBASE) or die "Can't chdir to $TEMPDIR: $!";

        # Read in mail message and save to file; this file is moved
        # to a quarantine area if a virus was found
        # Note: to get the qmail config working again, we now read the
        # actual message (STDIN) before the envelope information (STDOUT)
        # Save original email, or open file if already exists (milter)
        if (-r "$TEMPDIR/email.txt") {
            # already created by milter, just open it
            $fh = IO::File->new("$TEMPDIR/email.txt")
                or die "Can't open file $TEMPDIR/email.txt: $!";
        } else {
            $fh = IO::File->new("+>$TEMPDIR/email.txt")
                or die "Can't create file $TEMPDIR/email.txt: $!";
            $BUFSIZE = 8192;
            $buf = ' ' x $BUFSIZE;
            # TODO: safeguard against write errors
            while (read(\*STDIN, $buf, $BUFSIZE)) {
                print $fh $buf;
            }
            # The same file also serves as input to the parser
            $fh->flush() or die "Can't flush file $TEMPDIR/email.txt: $!";
            $fh->seek(0,0) or die "Can't rewind file $TEMPDIR/email.txt: $!";
        }
    };
    if ($@ ne '') {
        chomp($@);
        do_log(0,"tmpdir creation failed, retry: $@");
        do_exit($REGERR, __LINE__);
    }

    # Determine sender and recipient(s)
    # For sendmail, also get the "real" local delivery agent
    # Note: for qmail, this must be done after reading the mail message,
    # see http://www.qmail.org/man/man8/qmail-queue.html

# command line parsing, postfix version
# we won't need any of this once amavis
# receives input from SMTP; but then,
# $SENDER and @RECIPS must be initialised
# from the SMTP dialogue

# need two args in any case
if ($#ARGV < 1) {
    do_log(0,"Missing arguments to postfix");
    do_exit($REGERR, __LINE__);
}

# optionally, we allow to use amavis with a -f <sender> flag
# to make invocation similar to sendmail
if ($ARGV[0] eq "-f") {
    # in this case, we need at least three args
    do_exit($REGERR, __LINE__) if ($#ARGV < 2);
    shift @ARGV;
}

$SENDER = shift @ARGV;
@RECIPS = @ARGV;
# End postfix cmd line parsing
```

There is some more useful info on this at http://www.fremerx.com/open-source/mail/courier.html , that's where I got started with this.

SpamAssassin:

```
emerge Mail-SpamAssassin
rc-update add spamd default
```

Edit the /etc/mail/spamassassin/local.cf config file to your liking and then run the daemon with 

```
/etc/init.d/spamd start
```

Edit the /etc/courier/maildroprc file to read

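```
import SENDER
import RECIPIENT
import HOME

if ($SENDER ne "")
{
FROM=$SENDER
}
else
{
FROM="unknown"
}

xfilter "/usr/bin/spamc -x"
xfilter "/usr/sbin/amavis $FROM $RECIPIENT"

# Backticks run the command and capture its output; an empty result
# means the user has no ~/.mailfilter, so deliver to the default maildir.
LS=`ls ${HOME}/.mailfilter`
if ($LS eq "" )
{
to "./.maildir/."
}
```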

Now it's time to check some settings in your /etc/courier/courierd file that's maildrop related - if you're already using maildrop, this is old hat to you:

```
DYNAMICDELIVERIES=1
DEFAULTDELIVERY="| /usr/bin/maildrop"
MAILDROPDEFAULT=./.maildir
```

If you change any of that, restart courier:

```
/etc/init.d/courier restart
```

Now send yourself a test message. 

If it doesn't work, comment out (#) both the spamc and amavis xfilter lines and try again. If it still doesn't work, check that you have in fact got a .maildir in your home directory, use maildirmake otherwise, and check Courier's mail routing. 

Check the log files (/var/log/everything/current, /var/log/mail/current). If you're running metalog, disable its buffering with 

```
killall -USR1 metalog
```

 and re-send the mail. See if it's stuck in Courier's mail queue with 

```
mailq
```

Make sure amavis has proper access to the /var/amavis directory. 

Re-enable one of the xfilter lines and test. Now disable that one and enable the other one. Which one works? Fine, focus on the other one.

Use the EICAR.COM test signature for testing.  ( http://www.eicar.org/anti_virus_test_file.htm )

Check the mail headers for both Amavis and SpamAssassin header lines:

```
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-Virus-Scanned: by AMaViS 0.3.12
```

Now, what did I forget... Oh, right, This Claimer: Don't blame me if your root filesystem takes a one-way trip into never-neverland. ;-) I do welcome tips, tricks and suggestions to enhance the recipe, though.

----------

## DumbAss

Maybe a silly question, but why don't you use amavisd-new? Everyone uses it and your setup is a bit err.. different.

----------

## btg308

IIRC, Amavis-new didn't have an ebuild at the time and this route seemed easier. The Amavis install I wound up doing was actually fairly straightforward, compared to the Courier virtual domains. It's more or less just telling Amavis you have Postfix as the MTA.

I'll probably switch over to -new when I get the time.

----------

## CarlUman

Just wanted to say thanks for the great info.  Well, I hope it's great info (and still relevant)!

I also plan to use courier-MTA.  Installed just need to setup... along with Postgres, spam and virus scanning  :Shocked:  Also looking to try my hand at virtual domains.

----------

