# Email System For The Home Network - Version 2.1

## beowulf

Email System For The Home Network

For Gentoo Linux

Beowulf <beowulf_agate AT imap DOT cc>

Version 2.1 - Fixed an error that resulted in sasl using sasldb, added link to AV solution.

Version 2.0 - Complete Rewrite to ease SSL, SASL, OE and general setup time.

Version 1.5 - Added Outlook Express 6, updated Apache/PHP setup to Apache2, small fixes.

Version 1.4 - software version updates, misc enhancements/clarifications. Added Troubleshooting section.

Version 1.3 - Typo corrections. Added Spam Solutions, thanks to puddpunk and proteus.

Version 1.2 - Fixed some errors, re-wrote some sentences for clarity. Added Squirrelmail.

Version 1.1 - Fixed a number of errors.  Added pam config for courier-imap

Version 1.0 - Initial guide.

Abstract:

This guide will help you create a fully functional email service within a home network.  You will run servers to allow you to both send and receive email from all over the world.  We will use free services to facilitate this such as DynDNS[1].

This guide can be used as full blown mail server provided you have an MX record pointing to your mail server.  No changes are necessary.

[1] DynDNS - A DNS service offering up to 5 hosts.

 Introduction

 Preparation

 Sending Email

 Filtering Email

 Providing IMAP Email Access

 Fetching Email From External Sources

 Email Client Setup

 Squirrelmail Webmail Setup

 Bogofilter Mail Filtering Solution

 Spam Assassin Mail Filtering Solution

 Troubleshooting

 Resources

1. Introduction:

There are already quite a number of email guides available on the net, on Gentoo's web site and even in this very forum.  Here's yet another one.  I created it because I could never find a middle ground for setting up email: the guides I found were either too simple or too elaborate for my needs.  If you find yourself in the same position, this guide may help.

We will create a fully functional email service within a home network.  We will become our very own SMTP, POP3/IMAP provider using free services, free software and a free operating system.  We use SMTP Auth through Cyrus-SASL so that we can force users to authenticate before using our service.

1.1 Sending:

Email Client->Cyrus-SASL[2]->Postfix[3]->Internet

This setup allows you to use this SMTP server from anywhere in the world, provided your ISP does not block incoming port 25.  That may not be what you want, so there is a second method of sending that takes a few extra steps and forwards (relays) your email to your ISP's SMTP server.  You would use this method if you don't want port 25 open to the Internet and only need to reach the server inside your LAN.  It is safer, since you can block all port 25 connections from the Internet using IPTables[4].  To recap: the method above is used if you want to become your own full-blown SMTP server; the method just below is used for an internal SMTP server that hands off to your ISP's SMTP server.

Email Client->Cyrus-SASL->Postfix->Cyrus-SASL->ISP SMTP Server->Internet

[2] Cyrus-SASL - Enables SMTP Auth

[3] Postfix - A robust Mail Transport Agent.

[4] IPTables - A stateful firewall.

1.2 Receiving:

ISP IMAP/POP3 Server->Fetchmail[5]->Procmail[6]->Courier-IMAP[7]->Email Client

This is a standard setup covered extensively on the forum, gentoo's site and on the Internet.  This is the setup you would choose if your ISP blocks port 25 (incoming) or you need to get email from external email services.

The second method makes your email service inside your lan function just like the big boys.  You'll be able to use your own domain name (or free service) and create your own cool email address.  For example, beowulf AT apparition DOT ath DOT cx is my custom email address.

Internet->Postfix->Procmail->Courier-IMAP->Email Client

[5] Fetchmail - a full-featured remote-mail retrieval utility

[6] Procmail - Mail delivery agent/filter

[7] Courier-IMAP - An IMAP daemon designed for maildirs

1.3 Software Versions Used:

Please note, this guide was written using these versions of the software.  If by the time you read this, a newer version of the software has been released, I encourage you to check the developer's web site and read the changelog or find changes in behaviour.

 net-mail/fetchmail-6.2.3

 net-mail/procmail-3.22-r6

 net-mail/courier-imap-2.1.2-r1

 net-mail/postfix-2.0.11

 dev-libs/cyrus-sasl-2.1.14 [8]

 net-mail/squirrelmail-1.4.2-r1 [9]

 net-mail/bogofilter-0.11.2 [10]

 dev-perl/Mail-SpamAssassin-2.55-r1 [11]

 dev-libs/openssl-0.9.7c-r1

[8] Cyrus-SASL - Cyrus Simple Authentication and Security Layer

[9] SquirrelMail - A PHP web mail for use with maildir

[10] BogoFilter - A Bayesian spam filter tuned for speed

[11] SpamAssassin - A program to filter spam.

1.4 What This Guide Doesn't Do Well:

This email system does not scale well.  I can't imagine managing more than 5 accounts with the current setup; in my opinion it would just become cumbersome.  When sending email using your own SMTP server, as in this setup, some receiving mail servers may regard your mail as spam and either block it entirely or filter it into a spam folder.  Yahoo! is one such email service (thanks to dteisser for the info).  I haven't encountered this problem myself, so it may be rare, but it is something you should be wary of.

2. Preparation:

Since we're dealing with 2 computers, we must designate one of them the server.  We'll refer to the two computers as the workstation and the server.  We will assume that you already have your hostname set up (this should have been done during your install process[12]), so all that is needed is to gather the information.

2.1 Local Servers:

Below is an ASCII chart of what is needed and the possible values that could be used.  Of course your network setup may differ, and I do encourage you to find out all the information needed before you continue.

```
Chart 2.1

.--------------------------------------------,
| Needed    ||     Server    |  Workstation  | Chart 2.1 - Server Info
|===========||===============================|
| Network   ||         192.168.2.0/24        |  - Copy paste this code
|-----------||-------------------------------|    block into a text
| IP        ||  192.168.2.2  |  192.168.2.3  |    editor for reference
|-----------||---------------|---------------|    later on.
| Hostname  ||    Chimera    |   Illusion    |
|-----------||-------------------------------|  - Substitute the values
| Domain    ||      apparition.ath.cx        |    here with your values
|-----------||-------------------------------|
| Username  ||   21s-beo     |      N/A      |
|-----------||---------------|---------------|
| Password  ||  21s-pass123  |      N/A      |
'--------------------------------------------'
```

Since we're home users, we probably don't have a DNS server running with an MX record pointing to our server.  To be able to reach this server from other places, I suggest a free dynamic IP service.  I have used "apparition.ath.cx" as the domain name provided by DynDNS[13]; No-IP.com[14] is another solution.  My server's FQDN is therefore Chimera.apparition.ath.cx.

In case you have skipped it, please enter your FQDN in /etc/hosts, substituting the values you recorded in chart 2.1 for the ones I have used.

```
root@server # echo 'Chimera' > /etc/hostname && echo 'apparition.ath.cx' > /etc/dnsdomainname
root@server # vi /etc/hosts
127.0.0.1       localhost
192.168.2.2     Chimera.apparition.ath.cx               Chimera
```

[13] DynDNS - A free IP redirection service offering 5 free entries

[14] No-IP - A free IP redirection service offering lots of free entries.

2.2 Remote Email Services:

You should obtain this information from your ISP/Email service provider.  We will use 3 different examples as designated in chart 2.2 (below).  Copy the chart to the same text file and label it accordingly.  We'll be referring to it later in the guide.

```
Chart 2.2

.----------------------------------------------------------------,
| Needed    ||      SMTP     |   IMAP / SSL      | POP3 / No SSL |
|===========||===============|===================|===============|
| Server    || smtp.isp.com  | imap.fastmail.com |  pop.huah.com |
|-----------||---------------|-------------------|---------------|
| User      ||    beo739     |    beo_agate      |  beowulf_999  |
|-----------||---------------|-------------------|---------------|
| Password  ||  rsmtp-pass   |   rimap-pass      |   rpop-pass   |
'----------------------------------------------------------------'
```

2.3 Installing The Software:

It's about time we did something.  Since we use portage and benefit from the Gentoo build system, this step is easy.  Don't worry about editing make.conf as we'll set the flags we need on the command line.  If you are installing this on a system without portage, you should run "./configure --help" to find the configure flags that match our USE flags.  Please SSH into your server now, or physically walk over there.

NOTE: If you already have a MTA such as Sendmail[15] or ssmtp[16], you may receive a block message from portage. Simply unmerge the package before continuing.

```
root@server # USE="ssl pam nls maildir sasl gdbm berkdb -mysql -ldap \
      -mbox -postgres -kerberos -java -static" emerge courier-imap \
      cyrus-sasl fetchmail postfix -pv
root@server # emerge procmail -pv
```

What we've done is set our USE flags on the command line to avoid editing /etc/make.conf.  Since we won't be using mysql or postgres with this email setup, we explicitly tell portage not to compile support for them.  With -pv, this command only pretends (installs nothing) and shows the USE flags associated with each package.  Once you accept it, simply remove the -pv switch.  Do not start any service or add anything to a runlevel yet, since we still need to set everything up.

[15] Sendmail - A popular MTA used everywhere

[16] SSMTP - An extremely simple MTA installed as a dependency of *cron when you installed.

3. Sending Email:

Let's set up Postfix to send email out.  This can be the hardest section of the guide.  Let's get it out of the way.

3.1 Postfix Main Configuration:

We'll start from a base configuration before we get into any further configuring.  Please make sure that your file matches mine so that we all start from the same base.  If you don't see an option in the following code block, it should be commented out.  Thanks to requiem for pointing out the mailbox_command variable to me.

```
root@server # vi /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, $mydomain
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks = 127.0.0.0/8 192.168.2.0/24
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.0.16-r1/sample
readme_directory = /usr/share/doc/postfix-2.0.16-r1/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/
```

The mynetworks variable needs to be changed to match your internal network.  If you experience hostname problems, please fill out the variables myhostname and mydomain with the appropriate information.  This however should not be needed since postfix tries to get the information automatically making any declaration on our part a bit redundant.

3.2 Adding SMTP-AUTH to Postfix:

We'll add SMTP-AUTH to Postfix by way of Cyrus-SASL.  Since everything is already installed, let's simply configure it.  New in v2.0 of this guide, we use saslauthd and authenticate against shadow.  This should cut down on some of the confusion generated by earlier versions of this guide.

The first thing to do is edit /etc/sasl2/smtpd.conf and tell SASL the method and mechanisms we intend to use for authentication.  Make sure your file matches this one exactly.

```
root@server # vi /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
```

NOTE: You may also be required to edit this file with the same information, I strongly urge you to do this.  Thanks to Woolong for pointing this out.

```
root@server # vi /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
```

What we have specified is that we will use saslauthd (a daemon) for authentication, thus no longer relying on sasldb and its quirky ways.  Next, we will have to edit the conf file for the daemon's startup.  Let's go and do that now.

```
root@server # vi /etc/conf.d/saslauthd
SASL_AUTHMECH=shadow
SASL_RIMAP_HOSTNAME=""
SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes
SASLAUTHD_OPTS="-a ${SASL_AUTHMECH}"
```

You'll notice I have removed the Gentoo-generated line.  The reason is that the version of SASL I have would not start with the default line.  I have commented out everything else and suggest you do the same so that your file matches mine exactly.  We've stated in this file that saslauthd should use shadow as the auth mechanism.

All we have to do now is to tell postfix that you want to use sasl.  Let's do that now:

```
root@server # vi /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject
```

This tells Postfix that we want to use SASL to provide SMTP-AUTH and that any user who can't authenticate against SASL should be rejected.

3.3 Postfix TLS Support:

A section that has caused more than its fair share of trouble, this has now become fairly easy since Postfix now provides some default keys for us.  No more editing the CA.pl file, no more -nodes.

Simply copy this code block exactly down in your /etc/postfix/main.cf file.

```
root@server # vi /etc/postfix/main.cf
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

We have told Postfix to offer SMTP-AUTH only once TLS has been established (smtpd_tls_auth_only), so any client that tries to authenticate in the clear is refused.  Since we've decided to send our passwords as plain text (the PLAIN and LOGIN mechanisms), we must rely on this encryption to ensure that a network sniffer doesn't capture them.
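One way to confirm that the two settings above actually took effect is to look at what the server advertises in its EHLO reply before and after STARTTLS.  The script below is an added example (not part of the guide, and not a Postfix tool): parse_ehlo_features() and evaluate_auth_policy() work on reply text alone so they can be exercised offline, and check_server() runs the same check against a live server; the host name is the one from chart 2.1 and is assumed, and certificate verification is switched off because the guide's server uses a self-signed certificate.

```python
import smtplib
import ssl

# Mechanisms the guide's smtpd.conf allows: "mech_list: plain login"
ALLOWED_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo_features(reply: str) -> dict:
    """Parse the text of an EHLO reply into {keyword: params} with lower-cased
    keys, the same shape smtplib keeps in SMTP.esmtp_features.  The first line
    is the server's hostname, not a feature.  Postfix with
    broken_sasl_auth_clients = yes also emits the legacy "AUTH=PLAIN LOGIN"
    line; it is folded into the "auth" entry so both spellings are checked."""
    features = {}
    for line in reply.splitlines()[1:]:
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        if keyword.lower().startswith("auth="):
            params = (keyword[5:] + " " + params).strip()
            keyword = "auth"
        keyword = keyword.lower()
        features[keyword] = (features.get(keyword, "") + " " + params).strip()
    return features


def evaluate_auth_policy(before_tls: dict, after_tls: dict) -> dict:
    """Judge two EHLO feature sets (before and after STARTTLS) against the
    guide's main.cf intent: STARTTLS is offered, AUTH is withheld until the
    session is encrypted (smtpd_tls_auth_only = yes), and only PLAIN and
    LOGIN are advertised over TLS."""
    # smtplib stores the legacy "AUTH=PLAIN" line as a "=PLAIN" token; strip it.
    mechs = {m.lstrip("=") for m in after_tls.get("auth", "").upper().split()}
    mechs.discard("")
    verdict = {
        "starttls_offered": "starttls" in before_tls,
        "auth_in_clear": "auth" in before_tls,
        "auth_after_tls": bool(mechs),
        "unexpected_mechs": sorted(mechs - ALLOWED_MECHS),
    }
    verdict["ok"] = (
        verdict["starttls_offered"]
        and not verdict["auth_in_clear"]
        and verdict["auth_after_tls"]
        and not verdict["unexpected_mechs"]
    )
    return verdict


def check_server(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a live server, capture the EHLO features before and after
    STARTTLS, and return evaluate_auth_policy()'s verdict.  Certificate
    verification is disabled only because the guide's Postfix presents a
    self-signed certificate; this is a local policy check, not a client."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        if "starttls" not in before:
            return evaluate_auth_policy(before, {})
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        smtp.starttls(context=ctx)
        smtp.ehlo()  # features must be re-read on the encrypted channel
        after = dict(smtp.esmtp_features)
    return evaluate_auth_policy(before, after)


if __name__ == "__main__":
    import sys

    # Assumed host from chart 2.1; pass your own server on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "Chimera.apparition.ath.cx"
    print(check_server(target))
```

A verdict with auth_in_clear set to True means smtpd_tls_auth_only did not take effect and passwords could be sent unencrypted.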

3.4 Making Postfix a Relay to our ISP:

As was mentioned in section 1.1, we can use Postfix to be an email relay and send any mail to our ISP's SMTP server before it hits the Internet.  Please keep in mind, that this step is NOT needed if you intend to use Postfix as a full-blown MTA.  This step is optional and should NOT be used if you have an MX record.

Email Client->Cyrus-SASL->Postfix->Cyrus-SASL->ISP SMTP Server->Internet

This is easily accomplished as well.  Although most people won't need it, it may be needed with some ISPs or some network setups, so I've included it for anyone who does.

First you must create a file that holds your ISP's SMTP server authentication information.  The format is rather simple: "[server] [user]:[pass]".  Here's what one could look like if we used the information in chart 2.2 under the SMTP heading:

```
root@server # vi /etc/postfix/saslpass
smtp.isp.com          beo739:rsmtp-pass
```

After you've completed that, let's protect the file and hash it so postfix can work with it.  We do this with the following commands:

```
root@server # /bin/chown root:root /etc/postfix/saslpass
root@server # /bin/chmod 600 /etc/postfix/saslpass
root@server # /usr/sbin/postmap hash:/etc/postfix/saslpass
```

Next, all we must do is tell Postfix that we want it to relay the email using SASL to our ISP's SMTP server.  Let's do that now.

```
root@server # vi /etc/postfix/main.cf
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous
```

3.5 Adding Anti-Virus Protection:

I have not done this myself (yet) but there is a detailed guide by john5211 on how he got clam-av working on his server.  If you are interested, I would recommend clicking here for more information.  axxackall also adds a few more comments in his post which is on the same page.

3.6 Automating and Finalizing:

The sending section is just about done.  We should add/edit our aliases that we want to use on our system.  Let's do that now:

```
root@server # vi /etc/mail/aliases
# Well-known aliases -- these should be filled in
# (no leading whitespace: an indented line continues the previous entry)
root:          2ls-beo
```

You'll notice I aliased root to my username on my server (information found in chart 2.1 under the "Server" column).  Let's create the alias db and check our Postfix configuration:

```
root@server # /usr/bin/newaliases
root@server # /usr/sbin/postfix check
```

If all went okay and no errors arose, we can continue.  If an error occurred during the "postfix check" procedure, double check your main.cf file for spelling and syntax errors.  One note to keep in mind: any option that is prefixed with a blank space will produce an error, because Postfix reads an indented line as a continuation of the previous one.  Thanks to paulfl for pointing this out.

Now let's automate the server's startup and start the actual server.  Your output should match mine exactly:

```
root@server # /etc/init.d/saslauthd start
 * Starting saslauthd...                                                  [ ok ]
root@server # /etc/init.d/postfix start
 * Starting postfix...                                                    [ ok ]
root@server # rc-update add saslauthd default
 * saslauthd added to runlevel default
 * Caching service dependencies...                                        [ ok ]
 * rc-update complete.
root@server # rc-update add postfix default
 * postfix added to runlevel default
 * Caching service dependencies...                                        [ ok ]
 * rc-update complete.
```

Remember, the username and password you use to authenticate to your SMTP server is the same pair that we listed in chart 2.1.  It is the same information that is found in /etc/passwd.

4. Filtering Email:

We mentioned Procmail in the Sending section, so it's only fitting that we set it up next.  Procmail is a powerful and very stable piece of software.  Procmail uses rules (or recipes) similar in idea to the rules used in email clients; the difference is that we sort everything on the server side and deliver the email to various mail directories.  Let's create our procmail file now.

First thing to do is drop out of root and go to our regular user.

```
user@server $ cd ~
user@server $ touch .procmailrc
user@server $ vi ~/.procmailrc
MAILDIR=$HOME/.maildir/
DEFAULT=$MAILDIR
#
## Begin recipes
#
# put cron job emails in my aptly named cron-jobs maildir
:0
* ^Subject:.*Cron
.cron-jobs/
# Deliver Gentoo Specific email to our special maildirs
:0
* ^List-Id:.*gentoo-announce\.gentoo\.org
.gentoo-announce/
:0
* ^List-Id:.*gentoo-gwn\.gentoo\.org
.gentoo-gwn/
# Catch email from Gentoo not related to the lists (IE: Forums,Bugs)
:0
* ^From:.*gentoo\.org
.gentoo/
# Catch all email directed to my business email address:
:0
* ^To:.*myrealname\@apparition\.ath\.cx
.business/
## All the rest of our email will be delivered to our default INBOX
## so no additional rule is needed
```

As you can see, I have a very simple procmailrc file.  You could do really special things with procmail, such as setting up autoresponders, automatically forwarding email, or parsing the email and calling external applications.  It's really a powerful piece of software, but for our needs this example file works nicely.  Make sure any maildir you wish to filter to is preceded by a dot (.) and followed by a forward slash (/).  This will deliver email in maildir format.
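To see how the recipes above evaluate, here is an added Python simulation (not part of the guide, and not procmail itself) that parses the ':0' recipes from a constructed copy of the file and delivers constructed sample header blocks using procmail's default matching rules: first matching recipe wins, '^' anchors at any header line, and matching is case-insensitive.  It also shows that the Subject condition, being an unanchored substring match, files a subject such as "Micron memory quote" into .cron-jobs/.

```python
import re

# Constructed copy of the recipes from the ~/.procmailrc above (variable
# assignments and comments included, so the parser has to skip them).
PROCMAILRC = r"""
MAILDIR=$HOME/.maildir/
DEFAULT=$MAILDIR
# put cron job emails in my aptly named cron-jobs maildir
:0
* ^Subject:.*Cron
.cron-jobs/
:0
* ^List-Id:.*gentoo-announce\.gentoo\.org
.gentoo-announce/
:0
* ^List-Id:.*gentoo-gwn\.gentoo\.org
.gentoo-gwn/
# Catch email from Gentoo not related to the lists
:0
* ^From:.*gentoo\.org
.gentoo/
:0
* ^To:.*myrealname\@apparition\.ath\.cx
.business/
"""


def parse_recipes(rc_text: str) -> list:
    """Return [(conditions, target), ...] for every ':0' recipe.  Only the
    subset of procmail syntax the guide uses is understood: a ':0' line,
    zero or more '* regex' condition lines and one target line."""
    recipes = []
    lines = [ln.strip() for ln in rc_text.splitlines()]
    i = 0
    while i < len(lines):
        if lines[i].startswith(":0"):
            i += 1
            conds = []
            while i < len(lines) and lines[i].startswith("*"):
                conds.append(lines[i][1:].strip())
                i += 1
            recipes.append((conds, lines[i]))
        i += 1
    return recipes


def deliver(headers: str, recipes: list, default: str = "INBOX") -> str:
    """Return the maildir the first matching recipe would deliver to.
    procmail semantics reproduced here: conditions are regexes tested against
    the header block, '^' anchors at the start of any header line, and
    matching is case-insensitive unless the recipe carries the D flag
    (none of the guide's recipes do)."""
    flags = re.MULTILINE | re.IGNORECASE
    for conds, target in recipes:
        if all(re.search(c, headers, flags) for c in conds):
            return target
    return default


# Constructed sample header blocks (not real mail).
SAMPLES = {
    "cron": "From: root@Chimera.apparition.ath.cx\nTo: 2ls-beo@Chimera\n"
            "Subject: Cron <2ls-beo@Chimera> ~/bin/getmyemailnow\n",
    "announce": "From: security@gentoo.org\nList-Id: <gentoo-announce.gentoo.org>\n"
                "Subject: [gentoo-announce] GLSA example\n",
    "bugzilla": "From: bugzilla-daemon@gentoo.org\nTo: 2ls-beo@apparition.ath.cx\n"
                "Subject: [Bug 1] example\n",
    "business": "From: client@example.com\nTo: myrealname@apparition.ath.cx\n"
                "Subject: Invoice\n",
    "micron": "From: sales@example.com\nTo: 2ls-beo@apparition.ath.cx\n"
              "Subject: Micron memory quote\n",
    "plain": "From: friend@example.com\nTo: 2ls-beo@apparition.ath.cx\n"
             "Subject: hello\n",
}


def sort_samples() -> dict:
    """Run every sample through the parsed recipes; returns {name: maildir}."""
    recipes = parse_recipes(PROCMAILRC)
    return {name: deliver(hdrs, recipes) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, target in sort_samples().items():
        print(f"{name:9} -> {target}")
```

The "announce" sample matches both the List-Id and the From recipes; it lands in .gentoo-announce/ because recipe order decides, which is why the list recipes sit above the catch-all From rule.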

We only need to make our base maildir, procmail will create any other directory structure you need.  Let's make our default maildir.

```
user@server $ maildirmake ~/.maildir/
```

5. Providing IMAP Email Access:

We use Courier-IMAP as the server to provide access to our email from anywhere on the Internet or in our LAN.  We chose this piece of software since it's designed to work with maildirs.  We've already emerged the software, so let's configure it.

5.1 Setting up Authentication:

First thing to do is change to root and check that authdaemon is running with the appropriate method:

```
user@server $ su -
Password:
root@server # vi /etc/courier-imap/authdaemond.conf
AUTHDAEMOND="authdaemond.plain"
```

We've told the authdaemond to use a plain method.  It simply means we aren't going to use some of the more robust solutions such as mysql or ldap.  After that variable has been set, we need to edit the conf file for authdaemond.  Let's make sure that the authmodulelist is using pam.  Again, as mentioned in the beginning of this guide, this setup is not for hundreds of users, so pam fits the bill nicely.

```
root@server # vi /etc/courier-imap/authdaemondrc
authmodulelist="authpam"
```

Since we're authing against pam, please make sure the imap pam file matches mine exactly.  Now these values should be there by default, but just in case, they are provided here.

```
root@server # vi /etc/pam.d/imap
# PAM setup for
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
```

5.2 Adding SSL Support:

As mentioned, we only want to use SSL to connect to our IMAP server.  Since we have chosen a safer method of authentication, it requires a bit more work.  Let's do it now while we're still root:

```
root@server # vi /etc/courier-imap/imapd.cnf
[ req_dn ]
C=CA
ST=ON
L=Toronto
O=Mail Server
OU=Automatically-generated IMAP SSL Key
CN=localhost
emailAddress=root@localhost
```

As you can see, I've changed the variables to match my network and location.  I recommend you do the same.  It doesn't really matter, but you should do it anyways.  You can find all the variables to change in the "[ req_dn ]" section of the file.  After you've done that, we can make our certificate file:

```
root@server # cd /etc/courier-imap && mkimapdcert
```

5.3 Automating and Finalizing:

We've created the base maildir in section 4; all that's left is adding the servers to our default runlevel and starting them.  Since we don't want IMAP to authenticate without SSL, we start only the SSL server.  Make sure that authdaemond.plain started as a dependency.

```
root@server # /etc/init.d/courier-imapd-ssl start
 * Starting authdaemond.plain...                                          [ ok ]
 * Starting courier-imapd-ssl...                                          [ ok ]
root@server # rc-update add courier-imapd-ssl default
 * courier-imapd-ssl added to runlevel default
 * Caching service dependencies...                                        [ ok ]
```

Please remember, the username and password combination that you use to authenticate here is the same pair found in chart 2.1.  It is the same username / password you use to login to the server.

6. Fetching Email From External Sources:

Fetchmail is a program that allows a user to fetch email from various external servers.  It's a great little program that can handle just about any protocol (IMAP, IMAP/S, POP3).  Fetchmail does not need to run as root, so let's not have any more programs running as the super user than needed.  First thing to do is drop out of root.

6.1 Setting up the Configuration File:

First we will go to our home directory, create the file and then add a configuration.  We'll discuss what goes where and how to customize this file to your unique setup after.  First let's look at the commands and template-like view of the fetchmail file.

```
user@server $ cd ~
user@server $ touch .fetchmailrc
user@server $ vi .fetchmailrc
set postmaster "[SERVER-USERNAME]"
poll [IMAP-SERVER] with proto IMAP user "[IMAP-USER]" there with password "[IMAP-PASSWORD]" is [SERVER-USERNAME] here options warnings 3600
```

As you can see, the options are surrounded with square brackets ([]). In chart 2.1 you have recorded your server's username.  Substitute [SERVER-USERNAME] with your username.  In chart 2.2 we gave two examples of servers which we could fetch email from.  They are under the headings "IMAP/SSL" and "POP3/No SSL".  Let's assume that this is my fetchmail file and the server I am fetching email from (polling) is under the "IMAP/SSL" heading.  Here's what my .fetchmailrc file would look like:

```
set postmaster "2ls-beo"
# ssl: talk to the IMAP server over SSL (port 993) instead of plain IMAP on 143
poll imap.fastmail.com with proto IMAP user "beo_agate" there with password "rimap-pass" is 2ls-beo here options ssl warnings 3600
```

Let's take a look at another example, this time a POP3 server without SSL support found in chart 2.2 under the "POP3/No SSL" heading:

```
set postmaster "2ls-beo"
poll pop.huah.com with proto POP3 auth password user "beowulf_999" there with password "rpop-pass" is 2ls-beo here options warnings 3600
```

As you can see, we added "auth password" to our poll line.  This tells fetchmail not to use SSL when trying to fetch the email.

Chances are some of you have more than one email account that you'd like to fetch.  Luckily, fetchmail handles this with ease.  Here are our two examples above combined into one file:

```
set postmaster "2ls-beo"
# ssl: the IMAP account is fetched over SSL, the POP3 account in the clear
poll imap.fastmail.com with proto IMAP user "beo_agate" there with password "rimap-pass" is 2ls-beo here options ssl warnings 3600
poll pop.huah.com with proto POP3 auth password user "beowulf_999" there with password "rpop-pass" is 2ls-beo here options warnings 3600
```

Now that we've configured fetchmail, let's change its permissions.  Fetchmail is picky about the permissions of this file, so to meet its requirements we must chmod it:

```
user@server $ chmod 710 ~/.fetchmailrc
```

If you are a HotMail user, you might also consider installing GotMail.  A simple solution to this problem, detailed by marienZ, can be found by clicking here.  I have not tested this as I do not have a HotMail account, but from what I've heard here and elsewhere, gotmail works fine, even as a replacement.

6.2 Automating and Finalizing:

Since we're using Fetchmail in non-daemon mode, we'll use cron to emulate it.  Here's the correct cron line; however, I have found vcron tends to choke on it.

```
*/10 * * * * /usr/bin/fetchmail -a -s -m "/usr/bin/procmail -d \%T"
```

The above code block adds a cron job that runs every 10 minutes, fetches email and passes it directly to procmail.  Thanks to requiem for the correct crontab line.  If you're like me though, you'll want a script that you can run whenever you want.  That way, if somebody tells you to check your email, you simply ssh into your server and run the script.  This script should also be used in your cron in case cron chokes on the line above.  As a normal user, enter this:

```
user@server $ mkdir ~/bin
user@server $ chmod 700 ~/bin
user@server $ echo -e "\043\041/bin/bash\n/usr/bin/fetchmail -a -s -m \"/usr/bin/procmail -d %T\"" > ~/bin/getmyemailnow
user@server $ chmod +x ~/bin/getmyemailnow
```

Now all you have to do is add a line to cron similar to this:

```
*/10 * * * * $HOME/bin/getmyemailnow
```

NOTE: If you're using an anti-virus system, you should instead have fetchmail redirect to port 25 (the default option).  You will need to edit /etc/postfix/main.cf and edit this line:

```
smtpd_recipient_restrictions = permit_sasl_authenticated, reject
```

... So that it reads like this:

```
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
```

This will allow fetchmail to send email through postfix so that it can be scanned.  Thanks to Advo for letting me know about this caveat.

7. Client Email Setup:

If you haven't already done so, close the SSH session to your server and let's set up your workstation.  The username and password you use to authenticate can be found in chart 2.1 under the Server heading.

7.1 Kmail

Kmail[17] is the default Email client that is emerged with KDE[18].  It is a fully functional email client with support for every protocol we'll use and many we don't.  In its latest incarnation (3.2) it is lightning fast and very stable.  It is the client I use and have the most experience with.  For this setup, we'll assume you have already set up your Identities section.

 Create a new network Configuration (Settings->Configure Kmail) and make sure you're viewing the "Sending" tab.

 Click on "Add..." button.  A new window will open offering you a choice of Sendmail or SMTP.  Select SMTP.

 Choose a name to enter in the Name field.  The host field should contain the [IP] of your server (in my example: 192.168.2.2).

 Check the box that says "Server requires authentication", then enter the username and password you  have recorded in chart 2.1.

 Click on the "Security" tab and click the button that reads: "Check What the Server Supports."  In my case it was TLS for encryption and PLAIN for authentication method.  Now click OK.

 Still in the Networking Options, click on the Receiving tab.  Now click "Add..." and when a new window opens up, choose "IMAP".

 Enter the exact same information you used before, same host, user and password.

 In the security tab, click on the button: "Check What the Server Supports" and wait until the options are changed.  In my case it was "Use SSL for secure mail download" and "Plain" as the authentication method.

Click on the OK button and you're all set.  Apply the changes and test the email by sending yourself an email and receiving it.

[17] Kmail - The default Email client

[18] KDE - A fully featured powerful desktop environment.

7.2 Sylpheed-Claws

Sylpheed-Claws[19] is a GTK+ application based on the Sylpheed[20] email client.  It can be referred to as the bleeding edge version.  Although it is bleeding edge, it is very stable.  This is also the client preferred by several anti-bloat people over Evolution[21].

 First thing we do is create a new account (Configuration->Create new account...).

 Fill out the Personal Information and set a name for the account.

 In the server information, change Protocol to IMAP4.

 Change the server for both receiving and sending to [IP], or in my example: 192.168.2.2.

 Fill in User ID and Password with the server user's username and password found in chart 2.1 under the "Server" heading.

 Under the "Send" tab, make sure to check off the SMTP Authentication (SMTP AUTH) option.  Next fill in the username and password found in chart 2.1 under the "Server" heading.

 Under the "SSL" tab, check off the "Use SSL for IMAP4 connection" option and below that, check off "Use STARTTLS command to start SSL session".

Apply the changes and test the email setup by sending yourself an email and then check to see that it was received correctly.

[19] Sylpheed-Claws - A solid lightweight GTK+ email client

[20] Sylpheed - The stable branch of the Sylpheed family

[21] Evolution - A GNOME groupware application

7.3 Outlook Express 6

Outlook Express is the default email client used on most Windows machines.  It comes pre-installed on every Windows version and is freely updated at Windows Update.  NOTE: I cannot test what happens with the million and one types of anti-virus programs out there and their outbound email scanning.  Since we've changed the authentication mechanism (from CRAM-MD5 to PLAIN), Outlook Express should have no problem authenticating now.  Here's what you need to do:

1. Start Outlook Express and go to the menu option Tools->Accounts.

2. When the new window opens, click on the "Mail" tab, then click on the "Add" button followed by "Mail".  You will be presented with a wizard; enter the data as you see fit until you reach the 3rd page, where you're asked for your Sending and Receiving servers.  Enter the IP address of your server (in my example it's 192.168.2.2) in both text fields and use the pull-down to select "IMAP".

3. Next you'll be asked for your IMAP server's username/password.  Enter the information you found in chart 6 under the "Local IMAP" heading.

4. The wizard will finish, but you must open up the properties of that connection again.  Under the "Mail" tab you should see your connection; highlight it with a single click and select the "Properties" button off to the right.  A new window will open.

5. Click on the "Advanced" tab and check the checkboxes so that you are enabling SSL for both sending and receiving.  You'll notice the port for your IMAP server has changed to 993.

6. Click on the "IMAP" tab and under the Root folder path option, enter the word "INBOX" and make sure that "Check for new messages in all folders" is enabled.

7. Click on the "Servers" tab and enable the box that says "My server requires authentication", then click on the "Settings..." button.

8. You'll be presented with a new window with radio buttons.  Click on the option that says "Log on using", thus enabling the text fields below, and enter your account information found in chart 6 under the "Local SMTP" heading.

Click the Apply/OK button and you're all set.  Check your email and send out a test email to yourself.

--

Grover reports that new in Gkrellm's mail checker there is support for SSL so you can monitor your inbox now without the stunnel workaround.

8. Squirrelmail Webmail Setup:

We're going to set up Squirrelmail Webmail.  Although this step is optional, it may be of use to some.  If you're a fan of webmail, this piece of software is a godsend. Let's continue.

I will assume you have a working Apache and PHP setup.  First thing to do is SSH into your server again and become root.

8.1 Emerge the Software:

Sounds simple right?  Well thanks to portage, this section is short and to the point:

```
root@server # emerge squirrelmail
```

8.2 Configuration:

This software is rather simple to set up.  It comes with its own text-based configuration utility, so let's run that now:

```
root@server # cd /var/www/localhost/htdocs/squirrelmail/config
root@server # perl conf.pl
```

You should be presented with a screen showing menu choices allowing you to enter a number.  Let's start with Organization Data by pressing 1.  As you can see, every option is prefixed with a number, so to edit the option you would type in the corresponding number and enter a new value.

Once you're finished, press "R" to return to the main menu.

Now press "2" to configure the server settings.

Here are what my options look like, and perhaps you are able to extrapolate what yours should be.

```
General
-------
1.  Domain                 : apparition.ath.cx
2.  Invert Time            : false
3.  Sendmail or SMTP       : Sendmail

IMAP Settings
--------------
4.  IMAP Server            : localhost
5.  IMAP Port              : 993
6.  Authentication type    : login
7.  Secure IMAP (TLS)      : true
8.  Server software        : courier
9.  Delimiter              : detect
```

As you can see, it's fairly straightforward.  I entered my domain name after pressing "1", and after pressing "3" I told Squirrelmail to use Sendmail as opposed to SMTP.  I then pressed "A" to get to the IMAP settings.  I changed the port, TLS and server software to match this setup.

But wait!  We never installed sendmail.  Here's the beauty of Postfix: it seamlessly replaces sendmail, even creating a link named sendmail in /usr/sbin/ for programs expecting that binary.  Pretty clever of Postfix, eh?  Nothing to worry about.

Once you're done, press "S" to save your settings and then press "Q" to quit the configuration utility.

8.3 Finalizing and Automating:

Point your browser to this address "https://192.168.2.2/squirrelmail" and login using the same data you have written down in chart 2.1.  Just remember to replace the IP in the URL that matches your Server.

Now, you must tell SquirrelMail that you wish to subscribe to various folders.  Click on the link "Folders" that runs along the top of the page.  Once the new page has loaded, simply highlight the folders listed in the select box, such as "INBOX.gentoo", and click on the Subscribe button.  Refresh your folder listing and you'll see how Procmail has sorted all your email.

Send an email to yourself and receive it... you should know the drill.

All that's left is to add apache to your default runtime:

```
root@server # rc-update add apache2 default
```

9. Bogofilter Mail Filtering Solution

By Chris Smith

This guide was written so that bogofilter[15] may be implemented in the "Email System for the Home Network" Guide. This guide proves that bogofilter can be used in client AND in server side filtering solutions, still leaving the user in total control.

The script contained in this guide depends on most of this guide being followed word for word. Feel free to edit and modify my guide and script for your own use, just post on this thread and let us know what you're doing with it. We're very interested to see where this goes  :Smile: 

All code contained in this documentation is released under the GPL Public Licence. Of course  :Smile:  Right... Here we go!

```
root@server # emerge bogofilter
```

9.1 Bogofilter Instructions

Make the spam maildirs:

```
$ cd ~/.maildir

$ mkdir .Spam{,.False-Positives,.False-Negatives}

$ mkdir .Spam{,.False-Positives,.False-Negatives}/{cur,tmp,new}
```

NOTE: If you change these, I hope you know python, as you will need to hack the script so it knows which maildirs to treat as spam.

Load your mail client and move ALL your spam mail out of your normal directories, and into the Spam directory.

OPTIONAL: If you have a LOT of mail (i.e. thousands of messages, and not just spam but all mail), you may choose to have a "Ham" directory, into which you put a selection of a few hundred messages.

You may choose to do this because the script currently walks through all your directories (that aren't spam!) and commits all that mail to bogofilter as "Good" mail. If you have a lot of messages, this will take quite a while (but not _that_ long  :Smile: ), but bogofilter will be more thoroughly trained. Do this only in special cases:

Create ham directory:

```
mkdir .Ham
mkdir .Ham/{cur,tmp,new}
```

Move a selection of a few hundred good messages into the new Ham directory.  The script will auto-detect the presence of a .Ham directory, so it won't walk all your maildirs.

Copy the following script, and name it as: 

```
~/Bin/bogotrainer
```

```
#! /usr/bin/python
from __future__ import print_function   # so the script runs under Python 2 and 3

import os, os.path

# Configuration entries. Not much ATM. More if needed.
bogodir = "~/.bogofilter/"
maildir = "~/.maildir/"

# Leave everything below here unless you want to do some hacking :)
needdbs = 0
bogodir = os.path.expanduser(bogodir)
maildir = os.path.expanduser(maildir)

def cleanhamdirs(dir):
   # Return 1 for maildirs whose messages should be registered as ham.
   # We don't want Spam in the hamdirs :)  (the prefix test also skips
   # .Spam.False-Positives and .Spam.False-Negatives)
   if dir[len(maildir):len(maildir) + 5] == ".Spam":
      return 0
   # The maildirs of the inbox must be handled especially
   if dir[len(maildir):len(maildir) + 3] == "cur":
      return 0
   if dir[len(maildir):len(maildir) + 3] == "tmp":
      return 0
   if dir[len(maildir):len(maildir) + 3] == "new":
      return 0
   # If you threw it away, you obviously don't want it :)
   if dir[len(maildir):len(maildir) + 6] == ".Trash":
      return 0
   return 1

if os.path.isdir(bogodir):
   print("Bogofilter directory found")
   # I'm just assuming if the spamlist.db exists, goodlist.db does too
   # Program will die if goodlist.db doesn't exist anyway.
   if os.path.isfile(os.path.join(bogodir, "spamlist.db")):
      print("Databases found")
   else:
      print("Databases NOT found. Generating...")
      needdbs = 1
else:
   print("Bogofilter directory NOT found. Generating...")
   needdbs = 1

if needdbs:
   print("Generating databases:")
   print("Registering spam messages from", os.path.join(maildir, ".Spam/cur"))
   spamlist = os.listdir(os.path.join(maildir, ".Spam/cur"))
   for spam in spamlist:
      spampath = os.path.join(maildir, ".Spam/cur/", spam)
      print("- ", spampath)
      os.system("bogofilter -s < " + spampath)      # -s: register as spam
   if os.path.isdir(os.path.join(maildir, ".Ham")):
      # If a specific .Ham dir exists, use that.
      print("Registering ham messages from", os.path.join(maildir, ".Ham/cur"))
      hamlist = os.listdir(os.path.join(maildir, ".Ham/cur"))
      for ham in hamlist:
         hampath = os.path.join(maildir, ".Ham/cur", ham)
         print("- ", hampath)
         os.system("bogofilter -n < " + hampath)   # -n: register as non-spam
   else:
      # Or else, use everything that isn't spam!  Start with the inbox...
      print("Registering ham messages from", os.path.join(maildir, "cur"))
      hamlist = os.listdir(os.path.join(maildir, "cur"))
      for ham in hamlist:
         hampath = os.path.join(maildir, "cur", ham)
         print("- ", hampath)
         os.system("bogofilter -n < " + hampath)
      # ...then every other maildir that cleanhamdirs() lets through.
      maildirs = [os.path.join(maildir, dir) for dir in os.listdir(maildir)]
      maildirs = filter(os.path.isdir, maildirs)
      maildirs = filter(cleanhamdirs, maildirs)
      for dir in maildirs:
         print("Registering ham messages from", dir)
         hamlist = os.listdir(os.path.join(dir, "cur"))
         for ham in hamlist:
            hampath = os.path.join(dir, "cur", ham)
            print("- ", hampath)
            os.system("bogofilter -n < " + hampath)

# So, everything exists, this must be an "updating run", easy!
# First, correct misdetected ham from the false-positives directory,
# and move it into the inbox.
print("Correcting ham messages from", os.path.join(maildir, ".Spam.False-Positives"))
hamlist = os.listdir(os.path.join(maildir, ".Spam.False-Positives/cur"))
for ham in hamlist:
   hampath = os.path.join(maildir, ".Spam.False-Positives/cur", ham)
   print("- ", hampath)
   os.system("bogofilter -Sn < " + hampath)   # -S: unregister as spam, -n: register as ham
   # Feed it back through procmail :)
   os.system("/usr/bin/procmail -d $USER < " + hampath)
   os.remove(hampath)

# Now, correct misdetected spam, and put it in the Spam maildir :)
print("Correcting spam messages from", os.path.join(maildir, ".Spam.False-Negatives"))
spamlist = os.listdir(os.path.join(maildir, ".Spam.False-Negatives/cur"))
for spam in spamlist:
   spampath = os.path.join(maildir, ".Spam.False-Negatives/cur", spam)
   print("- ", spampath)
   os.system("bogofilter -Ns < " + spampath)   # -N: unregister as ham, -s: register as spam
   # Don't bother procmailing it, put it in spam! :)
   os.rename(spampath, os.path.join(maildir, ".Spam/cur", spam))
```

Now, make the script executable:

```
chmod +x ~/Bin/bogotrainer
```

If you have a previous training of bogofilter, the script won't overwrite it (so it's cronjob-able), but it's a good idea to start afresh:

```
rm -rf ~/.bogofilter
```

Run the script and wait while it takes in all of your mail and builds its databases. Bogofilter is quite fast, so it shouldn't take too long, and you get to see its progress!

```
~/Bin/bogotrainer
```

Add these recipes to your .procmailrc before all your other recipes:

```
#Bogofilter filtering solution.
:0fw
| bogofilter -u -e -p

:0e
{ EXITCODE=75 HOST }

:0:
* ^X-Bogosity: Yes,
.Spam/
```

Add this line to your crontab:

```
user@server $ crontab -e

0 23 * * * ~/Bin/bogotrainer >/dev/null 2>&1
```

This sets it to run once a day at 11pm, you can change it. Once a day is about right.

Done! Now you have 2 sub spamdirs which you can use to train bogofilter as you see fit, right from your mail client.

When you receive a mail that bogofilter moves to your spam directory, but isn't actually spam, move it into the False-Positives dir in your email client. You can either run the script immediately, or wait until the cronjob triggers. It retrains bogofilter correctly, then feeds the mail back through procmail for proper classification. If it happens again, don't ignore it; put it back in the False-Positives dir and run the script again until bogofilter learns it correctly!

When you receive a spam in your inbox, move it into the False-Negatives directory. Next time the script is run, it will retrain bogofilter to recognise that mail as spam, then the mail is moved into your .Spam maildir.

When you feel that your bogofilter is 100% accurate (when it comes to false-positives, you don't want to lose any mail) you can edit your .procmailrc so that when bogofilter detects a mail as spam, it moves it to /dev/null (deleting it). Use with caution! But with that method, you don't even have to look at the filth!

9.2 Conclusion

Well, I think that's about it for this. If there is anything I've forgotten, don't hesitate to drop me a PM. I will give out my email over PM if needed. I may look at updating and streamlining the script soon, so check back here in a little while.

9.3 Thanks and References

Thanks a lot to beowulf for creating this awesome guide, and all the other active participants on this thread (Proteus in particular  :Smile: ). The community is what makes Gentoo thrive!

The sites I used researching this little project are as follows:

MairasWiki - Anti Spam System

Bayesian Filtering with Bogofilter and Sylpheed-Claws

Re: [Evolution] Built-in spam filtering?

Spam Filtering with Bogofilter

10. Spam Assassin Mail Filtering

By Proteus

I have managed to get SpamAssassin[16] 2.55-r1 working; this version has Bayesian filtering, too.

I implemented it in a very simple way (basically combining the .procmailrc file from this guide and the example file that comes with SA, setting up a .spam maildir and setting up cronjobs to let SA learn the difference between spam and other emails):

10.1 Emerge Spam Assassin

First thing we do is emerge the program.  It has a few perl dependencies, but shouldn't take that long.

```
root@server # emerge Mail-SpamAssassin
```

10.2 Edit Your .procmailrc File

Open up your .procmailrc file which is located in your user's home directory.  You will need to add the following:

```
#set up a Spam maildir where all the spam goes for teaching SA spam vs. non-spam
#and to be sure that no mail - even if detected as spam - gets lost (like when you pipe it to /dev/null)
SPAM_FOLDER=$MAILDIR/.spam/

#pipe mails through SA (this is basically from the example files
#but I use a higher limit, every mail up to 512 kB is filtered)
#spamc is the client program for the daemonized
#version of SA (designed to keep load and overhead down)
#If you don't run SA as a daemon change "spamc" to "/usr/bin/spamassassin"
#If you do use spamc here you must add spamd to your runlevel
#like this: rc-update add spamd default
:0fw: spamassassin.lock
* < 524288
| spamc

#All mail tagged as spam (e.g. with a score higher than the set threshold)
#is moved to ".spam".
:0:
* ^X-Spam-Status: Yes
$SPAM_FOLDER

#Work around procmail bug: any output on stderr will cause the "F" in
#"From" to be dropped.  This will re-add it.
#(This is taken directly from the SA example file)
:0
* ^^rom[ ]
{
  LOG="*** Dropped F off From_ header! Fixing up. "
  :0 fhw
  | sed -e '1s/^/F/'
}
```

Try your best to leave the rest of the file as it is described above.

10.3 Setup Spam Maildir

```
user@server $ maildirmake -f spam ~/.maildir
```

10.4 Configure Spam Assassin

This can be done automatically (almost) by using a script you can find here:

http://www.yrex.com/spam/spamconfig.php

Place the config file here: /etc/mail/spamassassin

If you set up SA with Bayesian scanning enabled, you must teach it to detect spam first.  This is done by putting all detected spam in the .spam maildir (when some spam gets through, put it there manually, so SA can adapt) and then letting SA learn from those mails and from the mails (considered good) in your inbox.  You can do this by hand or, as I did, use a cronjob to do it.  SA will only start to use the Bayesian scan after learning from at least 200 mails.

If you only use SA in standard mode, or just emerge the "stable" version (i.e. without using ACCEPT_KEYWORDS="~x86"), you do not need the next steps. The current stable version is 2.44 as of this writing and does not contain Bayesian filtering at all...

(As it seems you can add bogofilter for this task instead, but I have no clue about that, yet.)

10.5 Setup Cronjob for sa-learn (bayesian filter teaching program):

Please enter the following into your crontab.  In the code block below, make sure you substitute the home directory with one more appropriate to your server.  For instance, mine would read: /home/beowulf/.maildir/.spam - yours will be different.

```
user@server $ crontab -e

#This scans for spam and for good mails every half hour.
#Set the interval (30 minutes) appropriately for your convenience and the amount of mails you get.
*/30 * * * *    sa-learn --dir --spam /home/user/.maildir/.spam > /dev/null 2>&1
*/30 * * * *    sa-learn --dir --ham  /home/user/.maildir/ > /dev/null 2>&1
```

10.6 Conclusion and Testing

So, I hope I haven't left out anything but I think this is all needed to enable spam-filtering with SpamAssassin.

You can check whether or not an email has been scanned by looking at the mail headers, there should be some looking similar to those when it has been scanned:

```
X-Spam-Status: No, hits=2.1 required=5.0
   tests=HTML_00_10,HTML_MESSAGE,NO_REAL_NAME
   version=2.55
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
```
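As an added example for sections 9 and 10 (it is not part of this guide, of bogotrainer or of SpamAssassin), the Python script below audits a Maildir against the X-Bogosity and X-Spam-Status verdicts those procmail recipes act on: it reports spam-tagged mail that never reached the spam folder, mail sitting in the spam folder with a clean verdict, and mail carrying no verdict at all (delivered before the recipe existed, or over the 512 kB limit).  The Maildir layout and every message are constructed inline; the folder names .Spam/.spam and the False-Positives/False-Negatives queues come from sections 9 and 10.

```python
# Maildir spam-verdict audit.  Added example for sections 9 and 10 of this
# guide; not part of the original post, bogotrainer or SpamAssassin.
import os
import re
import tempfile
from email import message_from_bytes
from email.policy import default as EMAIL_POLICY

# Header shapes as the guide shows them: SA 2.55 "No, hits=2.1 required=5.0 ..."
# and bogofilter "Yes, tests=bogofilter, ...".
SPAM_STATUS_RE = re.compile(r"^(Yes|No),\s*hits=(-?[0-9.]+)\s+required=([0-9.]+)", re.I)
BOGOSITY_RE = re.compile(r"^(Yes|No|Unsure)\b", re.I)
SPAM_FOLDERS = (".Spam", ".spam")  # section 9 files into .Spam, section 10 into .spam
TRAINING_SUFFIXES = (".False-Positives", ".False-Negatives")  # section 9 queues


def verdict(raw):
    """Return (label, info) for one raw message; label is 'spam', 'ham',
    'unsure' or 'unscanned'.  X-Spam-Status wins, X-Bogosity is the fallback."""
    msg = message_from_bytes(raw, policy=EMAIL_POLICY)
    status = msg.get("X-Spam-Status")
    if status:
        m = SPAM_STATUS_RE.match(" ".join(status.split()))  # unfold, then match
        if m:
            label = "spam" if m.group(1).lower() == "yes" else "ham"
            return (label, {"hits": float(m.group(2)), "required": float(m.group(3))})
    bogo = msg.get("X-Bogosity")
    if bogo:
        m = BOGOSITY_RE.match(bogo.strip())
        if m:
            tag = m.group(1).lower()
            return ({"yes": "spam", "no": "ham"}.get(tag, "unsure"), {"bogosity": tag})
    return ("unscanned", {})


def iter_messages(root):
    """Yield (folder, path, raw) from root/{cur,new} (the INBOX) and from each
    dot-folder's cur/new; tmp/ holds half-written deliveries and is skipped."""
    folders = [("INBOX", root)]
    for name in sorted(os.listdir(root)):
        if name.startswith(".") and os.path.isdir(os.path.join(root, name)):
            folders.append((name, os.path.join(root, name)))
    for folder, base in folders:
        for state in ("cur", "new"):
            d = os.path.join(base, state)
            for fname in sorted(os.listdir(d)) if os.path.isdir(d) else ():
                path = os.path.join(d, fname)
                with open(path, "rb") as fh:
                    yield folder, path, fh.read()


def audit_maildir(root):
    """Compare each message's filter verdict with the folder it sits in."""
    report = {"scanned": 0, "unscanned": [], "spam_misfiled": [], "ham_in_spam": []}
    for folder, path, raw in iter_messages(root):
        if folder.endswith(TRAINING_SUFFIXES):
            continue  # the user's retraining queue, not filter output
        label, info = verdict(raw)
        if label == "unscanned":  # delivered before the recipe, or over the size cap
            report["unscanned"].append(path)
            continue
        report["scanned"] += 1
        in_spam = folder in SPAM_FOLDERS
        if label == "spam" and not in_spam:
            report["spam_misfiled"].append((folder, path))  # recipe did not file it
        elif label != "spam" and in_spam:
            report["ham_in_spam"].append((folder, path))  # moved by hand, or a miss
    return report


# Constructed samples (folder, cur|new, bytes); the first X-Spam-Status is the
# folded header shown in section 10.6.
SAMPLES = [
    ("INBOX", "cur", b"From: a@example.invalid\nSubject: newsletter\n"
     b"X-Spam-Status: No, hits=2.1 required=5.0\n"
     b"   tests=HTML_00_10,HTML_MESSAGE,NO_REAL_NAME\n   version=2.55\n"
     b"X-Spam-Level: **\n\nhello\n"),
    (".spam", "cur", b"From: b@example.invalid\nSubject: buy now\n"
     b"X-Spam-Status: Yes, hits=8.3 required=5.0 tests=NONE version=2.55\n\nspam\n"),
    ("INBOX", "new", b"From: c@example.invalid\nSubject: cheap meds\n"
     b"X-Bogosity: Yes, tests=bogofilter, spamicity=0.999000\n\nspam\n"),
    ("INBOX", "cur", b"From: d@example.invalid\nSubject: old mail\n\nnever scanned\n"),
    (".spam", "cur", b"From: e@example.invalid\nSubject: moved by hand\n"
     b"X-Spam-Status: No, hits=3.0 required=5.0 tests=NONE version=2.55\n\nham\n"),
]


def build_sample_maildir():
    """Write SAMPLES into a throw-away Maildir and return its path."""
    root = tempfile.mkdtemp(prefix="maildir-audit-")
    for i, (folder, state, raw) in enumerate(SAMPLES):
        base = root if folder == "INBOX" else os.path.join(root, folder)
        for sub in ("cur", "new", "tmp"):
            os.makedirs(os.path.join(base, sub), exist_ok=True)
        with open(os.path.join(base, state, "msg%d" % i), "wb") as fh:
            fh.write(raw)
    return root


if __name__ == "__main__":
    for key, value in audit_maildir(build_sample_maildir()).items():
        print(key, value)
```

Run it against a real account with `audit_maildir(os.path.expanduser("~/.maildir"))`; a growing "spam_misfiled" list after the recipes are in place usually means the bogofilter or spamc recipe is not the first one in .procmailrc.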

----------------------------------------

The rest of the guide is continued here: 

https://forums.gentoo.org/viewtopic.php?p=570280#570280

This post has reached the maximum size allowed and I cannot keep it all on one page anymore...

----------

## maj

running through it now cheers - couldn't get the official one to work myself, and i don't need all the virtual mail server stuff etc, hopefully this will work for me  :Very Happy: 

cheers again

EDIT: hrm, having same troubles as before - won't let me authenticate - kmail says server rejected the password, but was able to grab all the security certs and what not..

EDIT^2: and pine running on the server claims that .maildir is not a selectable folder! even though i can change into it and see mail in the new dir where fetchmail has just dumped mail from my uni mailserver!

----------

## beowulf

 *maj wrote:*   

> running through it now cheers - couldn't get the official one to work myself, and i don't need all the virtual mail server stuff etc, hopefully this will work for me 
> 
> cheers again
> 
> EDIT: hrm, having same troubles as before - won't let me authenticate - kmail says server rejected the password, but was able to grab all the security certs and what not..
> ...

 

Hey glad you gave it a shot... when using Kmail, you should be using the username/password that you use to SSH into the server.  Since it auths against PAM, it will need to match /etc/passwd.

I don't know much about pine... does it need something special to work with .maildir/ ?

In any case, let me know if the problems persist... i'll do my best to help out...

----------

## rogue

When I tried to run the emerge line, I got a problem with procmail trying to install ssmtp as its MTA.  This caused a conflict when postfix was trying to be emerged.  I resolved it by using emerge -O, but I haven't run through the rest of the install.   Hopefully it will work

----------

## maj

 *beowulf wrote:*   

>  *maj wrote:*   running through it now cheers - couldn't get the official one to work myself, and i don't need all the virtual mail server stuff etc, hopefully this will work for me 
> 
> cheers again
> 
> EDIT: hrm, having same troubles as before - won't let me authenticate - kmail says server rejected the password, but was able to grab all the security certs and what not..
> ...

 

Heh, I'm not that bad!! Using the correct username/password

would appear so with the pine issue - emerged pine-maildir and it works fine, just need remote access  :Very Happy: 

Last edited by maj on Wed May 28, 2003 8:22 am; edited 1 time in total

----------

## beowulf

rogue: 

you're correct... I'm going to have to change the emerge line to make it two so that procmail is emerged after postfix is finished.

maj:

I assume you mean for receiving email, when authenticating to Courier-IMAP....

Hmm, what methods of authentication does it currently say in Kmail when you go to:

1. Settings->Configure Kmail...->Network->Receiving

2. Modify (modify the connection you have made).

3. Click on the security tab..

What is listed for both Encryption and Authentication mode?

Is the port that Kmail is trying to connect to 993?

do these commands print out the following:

```
# cat /etc/courier-imap/authdaemonrc | grep -v ^# | grep authmodulelist=
authmodulelist="authpam"
# cat /etc/courier-imap/authdaemond.conf | grep -v ^# | grep AUTHDAEMOND=
AUTHDAEMOND="authdaemond.plain"
```

If it does, and i'm pretty sure it does, try changing DEBUG_LOGIN=0 to 1 in /etc/courier-imapd/imapd then watching the logs...

----------

## maj

 *beowulf wrote:*   

> rogue: 
> 
> you're correct... I'm going to have to change the emerge line to make it two so that procmail is emerged after postfix is finished.
> 
> maj:
> ...

 

```
gimli root # cat /etc/courier-imap/authdaemonrc | grep -v ^# | grep authmodulelist=
authmodulelist="authcustom authcram authuserdb authpgsql authpam"
gimli root # cat /etc/courier-imap/authdaemond.conf | grep -v ^# | grep AUTHDAEMOND=
AUTHDAEMOND="authdaemond.plain"
```

Use SSL and Clear Text are selected in KMail for Encryption/Authentication mode, and KMail is trying to connect on port 993

changed the debug_login line to 1, restarted courier-imapd-ssl, attempted to check mail with kmail again and it failed, but nothing has appeared in /var/log/mail/current, /var/log/pwdfail/current or /var/log/everything/current

----------

## beowulf

Okay, i think this is the problem...   Right now the authdaemon is using the wrong authmodulelist.  Try changing authmodulelist="authpam" in the authdaemonrc file... i made a typo in my guide... going to fix that right now...

```
root@server # vi /etc/courier-imap/authdaemonrc
authmodulelist="authpam"
```

Also, it appears there's an empty line... i'd recommend getting rid of the line that reads only... it may cause trouble... it may not...

authmodulelist=

do the same for /etc/courier-imap/authdaemond.conf in regards to the line that reads:

AUTHDAEMOND= 

Then, run the two cat | grep | grep commands again, and try to match the result that i have shown exactly...

----------

## maj

made the changes, results are exactly as yours, restarted the servers still wont let me in  :Sad: 

----------

## beowulf

Did you restart authdaemond?  Since that would be the daemon whose files we edited... I mention this only because authdaemond starts as a dependency of courier-imapd.... here's the output:

```
root@server # /etc/init.d/courier-imapd stop
 * Stopping courier-imapd...                                              [ ok ]
root@server # /etc/init.d/courier-imapd-ssl stop
 * Stopping courier-imapd over SSL...                                     [ ok ]
root@server # /etc/init.d/authdaemond stop
 * Stopping authdaemond.plain...                                          [ ok ]
root@server # /etc/init.d/courier-imapd start
 * Starting authdaemond.plain...                                          [ ok ]
 * Starting courier-imapd...                                              [ ok ]
root@server # /etc/init.d/courier-imapd-ssl start
 * Starting courier-imapd over SSL...                                     [ ok ]
```

If this doesn't work, i really don't know what went wrong... Check and see what happened in /var/log/mail.info or /var/log/mail.warn or /var/log/mail.err

Let me know what happens..

----------

## rogue

when i'm using kmail i'm getting a connection broken error.  I have it download mail fine on the server using fetchmail..if i use the wrong password in kmail it gives me a wrong password error so i know that's working right...but when it tries to get the mail it just dies.  this is what mail.info says:

```
May 30 02:00:54 hrothgar imapd-ssl: Connection, ip=[192.168.0.114]
May 30 02:00:54 hrothgar imapd-ssl: LOGIN: DEBUG: ip=[192.168.0.114], command=CAPABILITY
May 30 02:00:54 hrothgar imapd-ssl: LOGIN: DEBUG: ip=[192.168.0.114], command=LOGIN
May 30 02:00:54 hrothgar imapd-ssl: LOGIN: DEBUG: ip=[192.168.0.114], username=rbattle
May 30 02:00:55 hrothgar imapd-ssl: LOGIN, user=rbattle, ip=[192.168.0.114]
```

I'm not quite sure what's going on as the logs don't seem to show a disconnection error or anything..I believe I have it set up exactly as specified in the most recent edit of the original post.  

authdaemonrc:

```
authmodulelist="authpam"
```

authdaemond.conf:

```
AUTHDAEMOND="authdaemond.plain"
```

----------

## beowulf

I think i might have found the file that is the culprit...

```
# vi /etc/pam.d/imap

#%PAM-1.0
#
# $Id: system-auth.authpam,v 1.1 2001/02/02 05:42:57 mrsam Exp $
#
# Copyright 1998-2001 Double Precision, Inc.  See COPYING for
# distribution information.
#
# This is a sample authpam configuration file that uses pam_stack
# (circa linux-pam 0.72).

auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
```

This might be it, and if it is... i have missed a step in my guide... check for the existence of that file, and if different, or holds different information, create a file that looks exactly like that...

If this is the case, let me know so i can add it to the guide and fix it up... sorry for my errors...

----------

## maj

 *beowulf wrote:*   

> I think i might have found the file that is the culprit...
> 
> ```
> # vi /etc/pam.d/imap
> 
> ...

 

Sweet! that did it - had the file BUT the 4 bottom lines were commented out and what was in there from the virtual mailhosting guide was in there!, works fine now  :Very Happy: 

----------

## beowulf

Ahhh great to hear!  I've edited the guide to include the pam.d information.

My apologies to you guys... i missed such an integral part of the guide.  Everything should be a-okay now... again, sorry.

----------

## maj

 *beowulf wrote:*   

> Ahhh great to hear!  I've edited the guide to include the pam.d information.
> 
> My appologies to you guys... i missed such an integral part of the guide.  Everything should be a-okay now... again, sorry.

 

nothing to be sorry about - guide would have worked if i had not previously tried to do the virtual mailhosting guide

----------

## rogue

i found the answer to my problem..i had everything right, except i had no mail, so my .maildir was empty so it was having problems logging in.  i deleted the .maildir directory and just did "maildirmake .maildir" and it worked fine

----------

## dtessier

Cool! I will be trying this today or tomorrow. Now that I've upgraded Evolution to 1.4 rc1 it stopped being able to get mail from my (admittedly broken) ISP's POP server, so now's a good time to give it a shot. I'll report later on how it went.

----------

## dtessier

Well, I'm done with the install, and things are working, though not exactly as I'd expect. First, a few comments on the procedure:

 *Quote:*   

> root@server # vi /etc/ssl/openssl.cnf
> 
> countryName_default      = CA
> 
> stateOrProvinceName_default   = Ontario
> ...

 

When I generated my certificates, it complained that I was missing commonName. I continued anyway, but later on the SMTP connection failed. I regenerated the certificates with commonName_default set to "Postmaster", and restarted postfix. That fixed the problem.

 *Quote:*   

> root@server # cp deomCA/cacert.pem /etc/postfix 

 

It took me a second or two to realize that there was a typo, it's actually "demoCA"...

Finally, what does not quite work as I'd expected. I sent myself an e-mail from my Yahoo! account, which I got fine, and then replied to it, which also worked fine. However, in my Yahoo! account, the e-mail was flagged as SPAM! I checked out the headers, and I noticed this:

```
X-Apparently-To:    dtessier2@yahoo.com via 66.163.169.96; 31 May 2003 23:02:36 -0700 (PDT)
X-YahooFilteredBulk:   68.4.79.151
Return-Path:   <dan.tessier@cox.net>
Received:   from 68.4.79.151 (EHLO hobbes.oc.cox.net) (68.4.79.151) by mta150.mail.scd.yahoo.com with SMTP; 31 May 2003 23:02:35 -0700 (PDT)
Received:   from hobbes.oc.cox.net (hobbes.oc.cox.net [192.168.0.100]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by hobbes.oc.cox.net (Postfix) with ESMTP id 8C4B11B1EC2 for <dtessier2@yahoo.com>; Sat, 31 May 2003 23:02:44 -0700 (PDT)
Subject:   Re: test
From:   "Daniel Tessier" <dan.tessier@cox.net>
To:   "Daniel Tessier" <dtessier2@yahoo.com>
```

Yikes! 68.4.79.151 is my router's WAN IP address. It went straight to Yahoo!, and not to my ISP first. Is that how it's supposed to work? And later on, it says it's received from hobbes.oc.cox.net [192.168.0.100]!!! That's my internal LAN IP address on the server! That can't be right, can it? I double-checked my ISP's server name, as well as user name and password in /etc/postfix/saslpass, and they were correct. Any thoughts?

Well that's it for now. Thanks for all the help.
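The relay chain in the headers quoted above, walked by an added Python example (not part of dtessier's post, the guide or Postfix): it reads each Received header oldest-first and flags hops that record an RFC 1918 client address, which is exactly what the "(hobbes.oc.cox.net [192.168.0.100])" line does.  The sample message is constructed; 192.0.2.10, the hostnames ending in .example and the queue id EXAMPLEID are stand-ins.

```python
# Relay-hop audit for Received headers.  Added example; not part of the
# original post or of Postfix.  Lists the path a message took and flags
# hops whose recorded client address is an RFC 1918 (LAN) address.
import ipaddress
import re
from email import message_from_bytes
from email.policy import default as EMAIL_POLICY

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")  # "(1.2.3.4)" or "[1.2.3.4]"


def is_lan_address(ip):
    """True for an RFC 1918 address.  Checked against the three ranges
    explicitly so that documentation ranges such as 192.0.2.0/24 count as
    public here, unlike ipaddress.is_private."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def parse_received(raw):
    """Return the relay hops oldest-first as dicts with from/by/ip/lan keys.

    Each MTA prepends its own Received header, so the header list is
    newest-first and is reversed to follow the message's actual path."""
    msg = message_from_bytes(raw, policy=EMAIL_POLICY)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())              # unfold the header
        sender_part = text.split(" by ", 1)[0]      # everything before "by <host>"
        frm, by, ip = FROM_RE.match(text), BY_RE.search(text), IP_RE.search(sender_part)
        addr = ip.group(1) if ip else None
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None,
                     "ip": addr,
                     "lan": bool(addr) and is_lan_address(addr)})
    return hops


def lan_leaks(raw):
    """Hops that expose a LAN address: what a remote recipient (or its spam
    filter) learns about the sending network from this message."""
    return [h for h in parse_received(raw) if h["lan"]]


# Constructed message modelled on the headers quoted in this thread: hop 1 is
# the home Postfix stamping the submitting client's LAN address, hop 2 is the
# recipient's MX.  192.0.2.10 stands in for the router's WAN address and
# EXAMPLEID for Postfix's queue id.
SAMPLE = (
    b"Received: from 192.0.2.10 (EHLO mail.home.example) (192.0.2.10)\n"
    b"  by mx.provider.example with SMTP; 31 May 2003 23:02:35 -0700 (PDT)\n"
    b"Received: from mail.home.example (mail.home.example [192.168.0.100])\n"
    b"  (using TLSv1 with cipher RC4-MD5 (128/128 bits))\n"
    b"  (No client certificate requested)\n"
    b"  by mail.home.example (Postfix) with ESMTP id EXAMPLEID\n"
    b"  for <user@provider.example>; Sat, 31 May 2003 23:02:44 -0700 (PDT)\n"
    b"Subject: Re: test\n\nbody\n"
)

if __name__ == "__main__":
    for n, hop in enumerate(parse_received(SAMPLE), 1):
        print(n, hop)
```

Only two hops appear, Postfix and the recipient's MX, which is the direct delivery dtessier noticed; a relay through the ISP would show as a third "by" host in between.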

----------

## beowulf

Thanks for the feedback.  I will correct the typos and add the commonName_default flag which I forgot.

Regarding the email headers showing your internal ip.  I had always assumed that was expected, as postfix would write that info down no matter what.  The email should go directly to Yahoo! since it would appear you aren't using your ISP's smtp server.  So in that respect, it should be expected that your external IP be logged as well. However, what i did not know, nor plan on was Yahoo! treating it as spam. 

I have never seen the "X-YahooFilteredBulk:	68.4.79.xxx" header before.  With your permission, i would like to send you an email using the same system to determine if it's the local email system that is causing the  spam warning, or someone on your IP block is a known spammer.  Let me know either via pm or here and the address to use...

Thanks again for the corrections and the information regarding Yahoo!

----------

## dtessier

You can e-mail me at dtessier2@yahoo.com. I'll let you know what happens. I think I may also go back to using my ISP's SMTP server directly. I just figured out I don't really need the extra layer (I can always use the ISP's webmail to send e-mails while not on their network).

----------

## beowulf

Email's sent, let me know what happens... And yeah, the extra layer is somewhat unneeded.  However, in specific situations, it can be helpful hehe  Thanks again

[edit: thanks for the heads up.  I have edited the original post appropriately. /]

----------

## dtessier

I sent you a reply. The same thing happened. I wonder if it's because there's a 192.xxx.xxx.xxx IP address in the header?

Also, in the instructions you wrote  *Quote:*   

> Sending:
> 
> Email Client->Postfix[1]->ISP's SMTP Server 

  so I had assumed that Postfix would send e-mails to my ISP's SMTP server, not directly to the recipient's SMTP server.

----------

## Proteus

 *dtessier wrote:*   

> I sent you a reply. The same thing happened. I wonder if it's because there's a 192.xxx.xxx.xxx IP address in the header?
> 
> Also, in the instructions you wrote  *Quote:*   Sending:
> 
> Email Client->Postfix[1]->ISP's SMTP Server   so I had assumed that Postfix would send e-mails to my ISP's SMTP server, not directly to the recipient's SMTP server.

 

I thought the same as dtessier.

Is it possible to reconfigure the system to work as mentioned?

----------

## beowulf

To use your ISP's SMTP server, you would need to put that information in the file /etc/postfix/saslpass.

For example, since my ISP is Rogers.com I would enter Rogers as my SMTP server.  I will change that line to simply read SMTP Server instead of ISP....

Sorry for the confusion....

An example of my file:

```
smtp.xxx.xxx.net.cable.rogers.com             [isp-user]:[isp-pass]
```

An example of a file using Yahoo! as the SMTP server:

```
smtp.mail.yahoo.com                   [yahoo-user]:[yahoo-pass]
```

----------

## jordant

beowulf:

Thanks for the excellent tutorial.  I just set up a second server on my home network for this exact purpose.  After following through the tutorial, most of the stuff worked great (the SMTP server doesn't appear to be running at all though?).  IMAP is working awesome.

Right now I've set fetchmail up to grab from two separate e-mail accounts.  Do you know if I can set it up (either client side or on the server) to have it reply using that identity depending on what account I'm using?  Or do I have to set up two separate users on the box and have two IMAP connections with different logins in my e-mail client?

Once again, thanks for the great tutorial.

--jordant

----------

## beowulf

 *jordant wrote:*   

> beowulf:
> 
> Thanks for the excellent tutorial.  I just set up a second server on my home network for this exact purpose.  After following through the tutorial, most of the stuff worked great (the SMTP server doesn't appear to be running at all though?).  IMAP is working awesome.
> 
> Right now I've set fetchmail up to grab from two separate e-mail accounts.  Do you know if I can set it up (either client side or on the server) to have it reply using that identity depending on what account I'm using?  Or do I have to set up two separate users on the box and have two IMAP connections with different logins in my e-mail client?
> ...

 

Thanks for giving it a shot!  What do you mean by the SMTP server isn't running... does "/etc/init.d/postfix status" reveal anything?  If not, try restarting the server and checking your process list with "ps aux | grep postfix".

Regarding the fetchmail situation.  If I understand you correctly, you use 2 different email accounts.  You want to be able to reply to any email received through an email with the appropriate email... For instance, mail enters to "jordant@isp.com" so you wish to reply using the "jordant@isp.com" identity.  Likewise if another email came in for "jordant@ispisp.com" you would reply with that email.

There's a number of ways to do this.... off the top of my head, and the way I would do this.... I would use Procmail to sort the email into two separate maildirs.  Such as these recipe lines:

```
:0
* ^To:.jordant@isp\.com
.isp1/

:0
* ^To:.jordant@ispisp\.com
.ispisp/
```

Then in Kmail check your email, and once the new directories appear in Kmail, right click on one and select "Properties".  Under the "Identity: Sender" pulldown menu, choose the identity to match the directory.  So for mail folder ".ispisp" you would choose your "ISP ISP" identity.

In Sylpheed-Claws, it can be done the same way, right clicking on the .maildir and then choosing properties.  Later selecting the default identity to go with that folder.

If this isn't what you meant, let me know and i'll try to help you further.

Hope this helps, and thanks again for giving it a try  :Smile: 

----------

## jordant

 *beowulf wrote:*   

> 
> 
> Thanks for giving it a shot!  What do you mean by the SMTP server isn't running... does "/etc/init.d/postfix status" reveal anything?  If not, try restarting the server and checking in your process list "ps aux | grep postfix"
> 
> 

 

Postfix is running.  In evolution, when I try to send mail or do anything on that server it can't connect.  I've checked and port 25 isn't even open.  It's not a big deal since I could still send e-mail through my ISP's mail server.

 *beowulf wrote:*   

> 
> 
> Regarding the fetchmail situation.  If I understand you correctly, you use 2 different email accounts.  You want to be able to reply to any email received through an email with the appropriate email... For instance, mail enters to "jordant@isp.com" so you wish to reply using the "jordant@isp.com" identity.  Likewise if another email came in for "jordant@ispisp.com" you would reply with that email.
> 
> 

 

Yep, exactly.  I use one for personal, and one for work.  I don't want to reply to work e-mail with my personal e-mail address.

 *beowulf wrote:*   

> 
> 
> There's a number of ways to do this.... off the top of my head, and the way I would do this.... I would use Procmail to sort the email into two separate maildirs.  Such as these recipe lines:
> 
> ```
> ...

 

Okay, I could have them sorted that way.  Any idea how to do it in Ximian Evolution?  I don't use Kmail...  I think I said before, I could have two separate IMAP accounts but that's a little bit of a pain.

Thanks for the help.

--jordant

----------

## beowulf

Having never used Evolution.... I couldn't tell you.  Try to search for a way to set properties on a subfolder of INBOX.  Or, perhaps ask in the Desktop forums how you can accomplish this, given that you want to associate one email address with one IMAP folder.

Have you told Evolution to connect to your SMTP server using TLS or SSL?  Is there a firewall preventing you from accessing port 25?  Have you run nmap on your server?  Did you set the USE flag "ssl" when emerging evolution?

Here's a few links I found while searching on Google:


Hope this helps

----------

## puddpunk

Hey there beowulf. That's a great guide; it put a lot of questions that I had to rest.

Just one thing: I pull mail from a mailbox on my ISP (I'll have some examples later); the mailbox has 4 aliases pointing to it, so I want to split what I download from that mailbox into 4 different accounts (all have accounts on the Linux server).

i.e. I have 4 Linux users (with home dirs etc...): chris, russell, sue and steve. I have a main account, e.g. mainmail@isp.com. But my ISP has set it up so chris.rs@isp.com, russell.rs@isp.com, sue.rs@isp.com and steve.rs@isp.com get dumped into mainmail@isp.com, which I can download over POP3.

How can I configure procmail to split those 4 email addresses into 4 different mailboxes on the linux server?

Any help appreciated,

Cheers,

Chris.

----------

## beowulf

Hey puddpunk, thanks for trying it out.

To answer your question, the most immediate thought that comes to my mind is running fetchmail and procmail in daemon mode under root privileges.  Here's one untested example that may work, may not, but should give you an idea of how I'd start:

```
root@server # vi /etc/fetchmailrc

set postmaster "chris"    # [chris, I guess...]
set bouncemail
set properties ""

#Poll the server
poll pop.mail.isp.com with proto POP3
    auth password user "sue.rs" there with password "pass_isp" is sue here with options
        warnings 3600 mda "/usr/bin/procmail -d %s"
    auth password user "chris.rs" there with password "pass123_isp" is chris here with options
        warnings 3600 mda "/usr/bin/procmail -d %s"
    auth password user "russell.rs" there with password "pass_isp" is russell here with options
        warnings 3600 mda "/usr/bin/procmail -d %s"
    auth password user "steve.rs" there with password "pass_isp2rf" is steve here with options
        warnings 3600 mda "/usr/bin/procmail -d %s"
```

Assuming you don't use SSL to connect; if you do, remove the phrase "auth password" from the file completely.  Don't forget to protect the file...

```
 root@server # chmod 710 /etc/fetchmailrc
```

And then a procmailrc file that would need to be in the user's home directory (make sure you make the directory ".maildir/"):

```
root@server # vi /home/sue/.procmailrc

MAILDIR=$HOME/.maildir/
DEFAULT=$MAILDIR

:0
* ^Subject:.Cron*
.cron-jobs/
```

You might also want to copy it to /etc/skel so that if you do add another user, the file is there automagically.  You could also make the maildir directory there too...

Next, before you start the daemon, set the interval in seconds at which you want fetchmail to run...  Right now it's at 60, but I believe that's too much... perhaps 3600 or 7200..

```
vi /etc/conf.d/fetchmail
```

Finally, start it up and add it to the default runtime

```
root@server # /etc/init.d/fetchmail start
root@server # rc-update add fetchmail default
```

Theoretically this should work... no guarantees... but it's a place to start.  I've never needed to do this though, but from what i've learned about  fetchmail/procmail this should work.

Hope this helps

[edit: fixed up the code tags... can't figure out why it spans so wide... /]

[edit2: trying to fix the width of this post /]

----------

## puddpunk

Hey beowulf, thanks for the swift reply  :Smile: 

Just looking at that config file, I don't see exactly how that applies to my situation. There is only one POP3 box that I need to poll, xtr<something>@isp.com, but in that mailbox are emails that have "chris.rs@isp.com", "sue.rs@isp.com" etc... in the TO: field. I want it to pull all that email down, then sort that into each user's (chris, sue, steve etc...) home directory.

Thanks for all your help beowulf!

----------

## Proteus

Thank you very much for this tutorial. I got it working now but still have one more question:

 *Quote:*   

> 2 messages for username at pop3.isp.de (2979 octets).
> 
> reading message username@pop3.isp.de:1 of 2 (1493 octets) .procmail: Incomplete recipe flushed
> 
> reading message username@pop3.isp.de:2 of 2 (1486 octets) .procmail: Incomplete recipe flushed
> ...

 

What does "Incomplete recipe flushed" mean? The mails do seem to be received allright....

Also, it seems that the smtp server is usable only when not using SSL. Shouldn't that be the other way around?

----------

## beowulf

puddpunk:

Geeze, that's what i get for answering posts half asleep.  hehe I completely misread your post.  To answer your question "properly" now...

There are a few ways to do this, one is by setting up a file in /etc/

```
root@server # vi /etc/procmailrc

:0
* ^To:.chris\.rs*
/home/chris/.maildir/

:0
* ^To:.sue\.rs*
/home/sue/.maildir/

# ...the same for the other two accounts
```

Then, in /etc/fetchmailrc use this:

```
poll pop.mail.isp.com with proto POP3
    auth password user "xtr_asdf" there with password "pass_isp" with options
        warnings 3600 mda "/usr/bin/procmail /etc/procmailrc"
```

This will be run as root though...  There is another way around running it as root: one user will need write permission in all their home directories... and then in your $HOME/.procmailrc file, you could use the above example...  I have never tested this... but I believe it should work.

Another idea that came to mind... Running fetchmail/procmail as your user, you could forward the email.  Here's an example recipe line and hopefully you can take it from there:

```
:0
* ^To:.sue\.rs*
!sue@localhost

# Default action: leave it to yourself, and let all mail that doesn't match
# be delivered to your maildir... Remember the procmailrc is procedural
```

If all else fails, there's always the "network and security" forums, or the man pages.  My method may not be the best...

Proteus, thanks for going at the guide.  Do you think you could post your procmailrc file?  You can also check that each "recipe" contains 3 lines: a ":0", a regex line, as well as an action line.  Could be a typo?  Not sure, but procmail is choking on one of the recipes...

[Edit:

Also, could you post your /etc/postfix/main.cf file too?

```
grep -v "^#" /etc/postfix/main.cf | sed '/./,/^$/!d'
```

/]

Hope this helps both of you guys  :Smile: 

----------

## ghetto

wow this looks like a great guide, I've been fooling around with the virtmailhost guide for like a week now and I can't seem to get the entire thing to work.

What I really want to know is how hard would it be to throw a squirrelmail example into the guide? pleeeeaaaasssse?

I only have one domain, and I got that by using a dyndns redirect pointed at my box. All I want is to be able to receive mail directly to this box from the internet by using local usernames followed by the dyndns redirect name (so local user 'alex' would receive mail sent to alex@dyndns_redirect_name.com).

I also want local users to have the choice of accessing their email locally or through squirrelmail.

The first part is fine, I have that working already from the virtmailhost guide, but I can't seem to get the squirrelmail part to work. I can login using the aliases that I have set up through phpmyadmin just like it says to do in the virtmailhost guide, but after they login then all they can do is view mail, squirrelmail refuses to send any email.

So what I think I'll do is just completely trash my setup, and start all over using your guide. Then I'll try squirrelmail if everything else seems to be working alright. Hopefully by then you might have come up with a squirrelmail example for me.   :Very Happy: 

Thanks tons for the guide.

----------

## puddpunk

Cheers beowulf! What a sport!

I don't really mind running fetch/procmail as root. They are quite mature pieces of software, and my box is reasonably secure.

Thanks again beowulf,

Chris.

----------

## puddpunk

Lol! Back again beowulf!

Is there a way to get the procmail that runs off the /etc file to deliver to another procmail that reads each user's ~/.procmail file? So that you have the main sorting procmail that splits all the users up, then a "personal" procmail to filter mail per-user based on each individual user's ~/.procmail file?

If that's not possible, what about Sieve? How easy is that to implement? Does it work with MS Outlook 2000?

Thanks Beowulf,

Chris.

----------

## beowulf

 ghetto:

I have never used Squirrel Mail as I have never liked checking my email using a browser... Never liked webmail.  That said, I believe running this setup should allow a rather easy insertion of Squirrel Mail.  I *believe* one could simply "emerge squirrel-mail" (check the package name though) and then configure it.  Since Squirrel Mail is simply a front end to your IMAP server, the integration shouldn't be hard at all.  I would start with the desktop guide and see what they do.  http://www.gentoo.org/doc/en/desktop.xml#doc_chap8

I see no reason why this wouldn't work... since the backend stuff is transparent to Squirrel Mail.  Courier-IMAP has already been set up in accordance with the desktop guide, and I cannot foresee any problems.  However, it wouldn't be the first time I've been wrong...

Local access can be provided using an Email client, or even the web mail interface, so that shouldn't pose a problem.

I will attempt to insert Squirrel Mail into my setup though... As I believe it would make a nice addition to the guide.  If you'll give me a day or two to work it out... I should be able to add the new section.  It's kind of late right now, and I have prior arrangements for the better part of tomorrow... 

puddpunk:

I'm venturing into the unknown with this guess... but from what I know about procmail, you could theoretically pipe the result into itself?  Maybe, not quite sure.... 

How about this recipe line:

```
root@server # vi /etc/procmailrc

:0
* ^To:.chris\.rs*
| /usr/bin/procmail -d chris
```

Theoretically, that tells it to pipe the email to itself and deliver to "user" chris, who would then run their own $HOME/.procmailrc file... I have never tested this, don't know if it will work, or any side-effects that could arise... but theoretically it could work...

----------

## Proteus

Here is my main.cf:

```
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
inet_interfaces = 192.168.0.10, localhost
mydestination = cruncher.local.net, localhost.local.net
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
home_mailbox = .maildir/
relay_domains = $mydestination
mynetworks = 192.168.0.0/24,127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

This is .procmailrc:

```
MAILDIR=$HOME/.maildir/
DEFAULT=$MAILDIR

:0
* ^Subject:.Cron*
.cron-jobs/

:0
* ^List-Id:.*gentoo-dev\.gentoo\.org
.gentoo-user/

:0
* ^List-Id:.*gentoo-announce\.gentoo\.org
.gentoo-announce/

:0
* ^List-Id:.*gentoo-gwn\.gentoo\.org
.gentoo-gwn/

:0
* ^From:.*gentoo\.org
```

Since I don't really know what those recipes are or where to find them I cannot check them...

----------

## beowulf

Okay, for the postfix file.  You're missing a few lines...  I would recommend adding this:

```
root@server # vi /etc/postfix/main.cf

smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
```

Aside from that, it should work... What kind of errors are you getting when trying to login using TLS?

RE: Procmail recipe problem.

A procmail recipe is usually 3 lines inside of a .procmailrc file.  For example:

```
:0
* ^From:.*gentoo\.org
.gentoo/
```

As you can see there are 3 lines to a procmail "recipe".  I apologize for the error in the guide regarding the missing line.  I have since edited the guide to include the missed line.

Therefore, your whole .procmailrc file should look like this:

```
MAILDIR=$HOME/.maildir/
DEFAULT=$MAILDIR

:0
* ^Subject:.Cron*
.cron-jobs/

:0
* ^List-Id:.*gentoo-dev\.gentoo\.org
.gentoo-user/

:0
* ^List-Id:.*gentoo-announce\.gentoo\.org
.gentoo-announce/

:0
* ^List-Id:.*gentoo-gwn\.gentoo\.org
.gentoo-gwn/

:0
* ^From:.*gentoo\.org
.gentoo/
```

You should notice a ".gentoo/" line at the very end.  This is the line that i missed and was the cause of the error.  Sorry again,

Hope this helps.
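As an added illustration (not code from this thread or from procmail itself), here is a small Python model of the recipe format discussed in this post and in the earlier /etc/procmailrc answer for puddpunk: it flags a recipe that is missing its action line, the cause of the "Incomplete recipe flushed" message, and shows which maildir each constructed sample message would be routed to. The rc text, the header blocks and the regex matching through Python's re module are all assumptions standing in for procmail's own engine.

```python
"""Model of the procmail subset used in this thread: validate a procmailrc for
incomplete recipes and show which maildir each sample message would reach."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Recipe:
    line_no: int                         # line of the ":0" header, for error reports
    flags: str                           # text after ":0", e.g. "c" = deliver a copy
    conditions: List[str] = field(default_factory=list)
    action: Optional[str] = None         # folder, "!address" or "| command"

def parse_procmailrc(text: str) -> Tuple[List[Recipe], List[str]]:
    """Split a procmailrc into recipes; a recipe with no action line before the
    next ':0' or end of file is reported the way procmail reports it."""
    recipes: List[Recipe] = []
    problems: List[str] = []
    current: Optional[Recipe] = None

    def flush_if_incomplete() -> None:
        if current is not None and current.action is None:
            problems.append(f"line {current.line_no}: incomplete recipe flushed")

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                     # blank lines and comments are ignored
        if line.startswith(":0"):
            flush_if_incomplete()
            current = Recipe(line_no=n, flags=line[2:].strip())
            recipes.append(current)
        elif current is not None and current.action is None:
            if line.startswith("*"):
                current.conditions.append(line[1:].strip())
            else:
                current.action = line    # first non-condition line is the action
        # anything else (MAILDIR=..., DEFAULT=...) is an assignment; not modelled
    flush_if_incomplete()
    return recipes, problems

def condition_matches(cond: str, headers: str) -> bool:
    """A condition is a regex matched against the header block, case-insensitively
    (procmail's default); '^' anchors at a line start; a leading '!' negates."""
    negate = cond.startswith("!")
    pattern = cond[1:].strip() if negate else cond
    hit = re.search(pattern, headers, re.IGNORECASE | re.MULTILINE) is not None
    return hit != negate

def deliver(recipes: List[Recipe], headers: str, default: str) -> List[str]:
    """Walk the recipes in order (the rc file is procedural) and return every
    destination reached: a 'c' recipe delivers a copy and keeps going, any other
    matching recipe is final, and DEFAULT catches whatever matched nothing."""
    destinations: List[str] = []
    for r in recipes:
        if r.action is None:
            continue                     # flushed recipe: ignored, as procmail does
        if all(condition_matches(c, headers) for c in r.conditions):
            destinations.append(r.action)
            if "c" not in r.flags:
                return destinations
    destinations.append(default)
    return destinations

# Constructed sample rc: the thread's /etc/procmailrc idea for two of the four
# users, one mailing-list recipe, and a final recipe missing its action line.
SAMPLE_RC = r"""MAILDIR=$HOME/.maildir/
DEFAULT=$MAILDIR
:0
* ^To:.chris\.rs*
/home/chris/.maildir/
:0
* ^To:.sue\.rs*
/home/sue/.maildir/
:0
* ^List-Id:.*gentoo-announce\.gentoo\.org
.gentoo-announce/
:0
* ^From:.*gentoo\.org
"""

# Constructed header blocks, as fetchmail would hand the messages to procmail.
SAMPLE_MESSAGES: Dict[str, str] = {
    "chris": "From: boss@example.com\nTo: chris.rs@isp.com\nSubject: hi\n",
    "sue": "From: boss@example.com\nTo: Sue.RS@isp.com\nSubject: hi\n",
    "announce": ("From: gentoo-announce@gentoo.org\nTo: mainmail@isp.com\n"
                 "List-Id: <gentoo-announce.gentoo.org>\nSubject: GLSA\n"),
    "other": "From: nobody@example.net\nTo: mainmail@isp.com\nSubject: hi\n",
}

def route_samples() -> Tuple[List[str], Dict[str, List[str]]]:
    """Validate SAMPLE_RC and route every sample message through it."""
    recipes, problems = parse_procmailrc(SAMPLE_RC)
    routes = {name: deliver(recipes, hdrs, "$HOME/.maildir/")
              for name, hdrs in SAMPLE_MESSAGES.items()}
    return problems, routes

if __name__ == "__main__":
    print(*route_samples(), sep="\n")
```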

----------

## Proteus

Thanks a lot, now everything seems to work just perfectly  :Wink: 

My main.cf already included

```
smtp_sasl_auth_enable = yes
```

but it read

```
smtp_sasl_security_options = noanonymous
```

instead of

```
smtp_sasl_security_options = 
```


Your support here is just incredible. I think a lot of people owe you something, including me.

----------

## ghetto

 *Proteus wrote:*   

> Thanks alot, now everything seems to work just perfectly 
> 
> My main.cf already included
> 
> ```
> ...

 

Yes I noticed that in the virtmailhost guide it says "noanonymous", but with that setting I checked my logs and it showed a "fatal" message attached to "noanonymous", and after I deleted it I was able to telnet into 143 on localhost and got the proper replies from the server.

However I went back to following the virtmailhost guide from the beginning, gonna give it one more shot, but I just can't get the darn thing to authenticate when I try to run fetchmail to retrieve mail from the courier-imap.

This is the message fetchmail gives me:

```
fetchmail: 6.2.2 querying division22.merseine.nu (protocol IMAP) at Wed, 04 Jun 2003 12:52:55 -0700 (PDT): poll started
fetchmail: IMAP< * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc.  See COPYING for distribution information.
fetchmail: IMAP> A0001 CAPABILITY
fetchmail: IMAP< * CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE
fetchmail: IMAP< A0001 OK CAPABILITY completed
fetchmail: IMAP> A0002 LOGIN "root" ""
fetchmail: IMAP< A0002 NO Login failed.
fetchmail: IMAP> A0003 *
fetchmail: Authorization failure on root@division22.merseine.nu
fetchmail: IMAP> A0004 LOGOUT
fetchmail: IMAP< A0003 NO Error in IMAP command received by server.
fetchmail: IMAP< * BYE Courier-IMAP server shutting down
fetchmail: IMAP< A0004 OK LOGOUT completed
fetchmail: 6.2.2 querying division22.merseine.nu (protocol IMAP) at Wed, 04 Jun 2003 12:53:00 -0700 (PDT): poll completed
fetchmail: Query status=3 (AUTHFAIL)
fetchmail: normal termination, status 3
Done.
```

This is what my .fetchmailrc looks like

```
# cat .fetchmailrc
# Configuration created Wed Jun  4 12:45:38 2003 by fetchmailconf
set postmaster "postmaster"
set bouncemail
set no spambounce
set properties ""
poll division22.merseine.nu with proto IMAP
       user 'root' there with password '8l&)++wssZ..' is 'root' here
```

I don't know what you guys think but it looks like this should work, so my problem must be with either postfix or courier-imap.. or maybe cyrus-sasl, or perhaps mysql, heh.. the virt-mailhost doc sure is ambitious isn't it? 

Definitely no shortage of things that can go wrong.

Any help is definitely appreciated. Until I get this to work there is no point trying to use squirrelmail.

----------

## Proteus

I have never used the "virtual mailhost how-to", I read through it but found that it was far too complex for what I wanted. For example I don't need to use mysql, I don't have that many users, it's just me.

Therefore I unfortunately cannot help you with any problems regarding the how-to.

I merely waited for someone to post a tutorial for what I needed.

Well, beowulf did. But I think that he knows a lot about this stuff so maybe he can help you...

(Are you sure you need the "virtual mailhost how-to"? Maybe what beowulf described fits your needs as well? It just seems to work better and without too many hiccups.)

----------

## ghetto

I basically just need webmail for virtual users, but I don't need virtual domains, one domain is enough for all my users.

..and I also need email for me, I'm the only local user on this box.

The problem is that I want the web email to be very secure, I will have up to maybe 20-50 people using it when it's set up and I would hate for anything bad to happen to them if they put important data into their emails. That's why I'm trying to get the virtmail host document to work, because it seems more focused on virtual users, like webmail. 

Https, imaps, and authmysqld using squirrelmail for virtual users seems like exactly what I need. But maybe you're right.

But I'm beginning to think this might be the better guide simply because it works, the virtmailhost guide seems kind of broken. But in a way that's why I want to use it, so that I can iron out the bugs and submit an update to gentoo-doc with all the little quirks worked out. 

Here is a link to my postfix [main.cf](24.77.80.239/main.cf). I have put restricted access on my url.. but that's only to keep out the search engine spiders; the username is 'alex' and the password is 'password'

I'm open to suggestions still

----------

## beowulf

Proteus:

I'm happy to hear the guide was helpful for you and it works!

ghetto:

An exit code of "3" means authentication failed when polling as i'm sure you know.  This narrows the places where the problem could lie.  Since you're following the virtual mailhost guide, you are using MySQL.  Is there a mail user in the MySQL db for root?  

What does this output:

```
cat /usr/lib/sasl2/smtpd.conf
```

What does this output:

```
grep -v "^#" /etc/courier-imap/authdaemonrc | grep authmodulelist=
```

What does this output:

```
grep -v "^#" /etc/courier-imap/authdaemond.conf
```

And finally, how about this file:

```
grep -v "^#" /etc/pam.d/imap
```

Those are the places I would check first.  From what I can see, the fetchmailrc file is fine; I don't think it's a postfix issue since you're trying to receive email (or fetch in this case).  My money is on Courier-IMAP and MySQL being the reason you can't authenticate.

hope this helps

----------

## ghetto

 *beowulf wrote:*   

> An exit code of "3" means authentication failed when polling

I can't even begin to say how glad I am to get some help with this.

Thanks tons beowulf. :Very Happy: 

 *beowulf wrote:*   

> Is there a mail user in the MySQL db for root?

yes, here is a snip from the database:

```
> select * from alias;
| id | alias | destination
|  1 | root  | root@division22.mersine.nu
```

 *beowulf wrote:*   

> What does this output:
>
> ```
> cat /usr/lib/sasl2/smtpd.conf
> ```

```
pwcheck_method:saslauthd
mech_list: LOGIN PLAIN
```

 *beowulf wrote:*   

> What does this output:
>
> ```
> grep -v "^#" /etc/courier-imap/authdaemonrc | grep authmodulelist=
> ```

```
authmodulelist="authmysql authpam"
```

 *beowulf wrote:*   

> What does this output:
>
> ```
> grep -v "^#" /etc/courier-imap/authdaemond.conf
> ```

```
AUTHDAEMOND="authdaemond.mysql"
```

 *beowulf wrote:*   

> And finally, how about this file:
>
> ```
> grep -v "^#" /etc/pam.d/imap
> ```

```
auth     optional       pam_mysql.so server=localhost db=mailsql user=mailsql \
  passwd=Fh33dl2vbn^ table=users usercolumn=email passwdcolumn=clear crypt=0
account  required       pam_mysql.so server=localhost db=mailsql user=mailsql \
  passwd=Fh33dl2vbn^ table=users usercolumn=email passwdcolumn=clear crypt=0
```

so I guess the question is where in courier-imap and mysql the error is

However.. one more thing, I'm not sure if this makes a huge difference or not, but you'll notice in my fetchmailrc that I had it written that the user who was logging in is named 'root', but that is incorrect; the actual user who should have been logging in according to mysql is 'root@division22.merseine.nu' 

However you will notice in my fetchmail output that it says that user 'root@division22.merseine.nu' failed to authenticate.

So what I think is happening is that my postfix is appending my hostname onto the end of my user name when they try to log in.

I think I can prove this because when I set up fetchmail to use the proper username, which in this case is 'root@divisioin22.mersine.nu', then the output from fetchmail is that user 'root@division22.merseine.nu@division22.merseine.nu' failed to authenticate.

What do you make of that? 

 :Very Happy: 

----------

## beowulf

hehe... hmmm... well all the outputs look right... And assuming you've created the hundred /etc/postfix/mysql*.cnf files that are needed correctly... only a few more ideas have come to my mind...

Have you tried authenticating with a regular email client?  Maybe fetchmail is having problems... hehe grasping at straws kind of... 

Also, though not mentioned in the guide, I noticed that it uses the saslauthd service.  Now in /etc/conf.d/ there is a conf file for said service. Could this be where the problem lies?

```
root@server # saslauthd -v
saslauthd 2.1.10
authentication mechanisms: ???????????????

root@server # cat /etc/conf.d/saslauthd | grep SASL_AUTHMECH=
SASL_AUTHMECH=?????
```

Perhaps, and I know the probability is low... perhaps this is where the problem lies?  I *believe* it should say "pam" in there but I could be wrong... 

Aside from that, I really don't know what is going wrong... 

I would try with another  email client so as to determine whether fetchmail is the culprit... Other than that, I really don't know what's going on...

Hope this helps....

----------

## ghetto

No, regular clients don't work any better than fetchmail it seems, and that file you pointed me at for saslauthd does in fact say 'pam', so that's ok, and if I go like this:

```
saslauthd -v
saslauthd 2.1.12
authentication mechanisms: getpwent pam rimap shadow
```

So pam "should" be working.

I don't know what else to do.

However this morning I woke up and started all the servers and now I'm getting a Query status=2 error. So I guess I'll look that up and see what's broken now. 

Can I ask where you found the info on what query status errors numbers mean?

----------

## beowulf

Exit status of 2 means this:

```
2      An error was encountered when attempting to open a socket to
       retrieve mail.  If you don't know what a socket is, don't worry
       about it -- just treat this as an 'unrecoverable error'.  This
       error can also be because a protocol fetchmail wants to use is
       not listed in /etc/services.
```

I find this information in "man fetchmail"...  Have you edited your /etc/services to, say, remove IMAP over SSL etc...?

sorry man, I don't understand why it isn't working... it's far beyond my limited knowledge...  :Neutral: 

----------

## ghetto

hmm.. that was dumb, I forgot to take down my firewall before using fetchmail. I take it down completely when I'm working on this imap server problem, but I forgot to take it down so fetchmail couldn't access the port. That's why I got exit status 2.

Once I get everything working I'll adapt my tables to reflect my computer's new purpose; however, until then I like to keep rather paranoid iptables rules.

oh and thanks about the `man fetchmail`, I had already read it, or so I thought, but I guess I didn't finish reading all the way down to the bottom because I didn't see the EXIT CODES section at all.

oh yeah, and about /etc/services, that's not it either.

```
grep imap /etc/services
imap2           143/tcp                         # Interim Mail Access Proto v2
imap2           143/udp
imap3           220/tcp                         # Interactive Mail Access
imap3           220/udp                         # Protocol v3
imaps           993/tcp                         # IMAP over SSL
imaps           993/udp                         # IMAP over SSL
```

----------

## ghetto

Ok, I've given up _completely_ on the virtmailhost guide.

I've switched to this guide, and it certainly is simpler. Unfortunately it didn't quite work, but maybe somehow it can be fixed.. here is what I have so far.

Postfix seems to be working because I can send/receive email to/from local users, and I can receive email from remote users, i.e. Hotmail. But I can't seem to send any email except locally.

I'm still getting an auth failure with my imap server. The imap server seems to be working because I can actually log into it using a "local" user's name and password. 

However when I try to use any of the users that I have listed in the sasldb it gives me an auth failure.

So just to make it clear, if I do this:

```
mutt -f imaps://localhost
```

Then it asks me for the password for user_name@localhost and after I give it the password I am logged in.

However if I do this:

```
mutt -f imaps://division22.merseine.nu
```

Then it asks me for the password for user_name@division22.merseine.nu and no matter what password I give it ALWAYS fails to auth.

The imap server also works if I try to telnet to it like so:

```
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc.  See COPYING for distribution information.
1 LOGIN alex xxxxxxxxx (<- actual local Linux user's name and passwd)
1 OK LOGIN Ok.
```

However it doesn't work at all if I try to telnet to it using the dyndns host name like this:

```
telnet division22.merseine.nu 143
Trying 24.77.80.239...
Connected to division22.merseine.nu.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc.  See COPYING for distribution information.
1 LOGIN alex xxxxxx (<-name and passwd from the sasldb)
1 NO Login failed.
```

So it seems that sasldb is somehow wrong, doesn't it?

However this is how I set it up, tell me if you think I've missed anything.

```
# rm /etc/sasl2/sasldb
# saslpasswd2 -c -u division22.merseine.nu -a smtpauth alex
Password: xxxxxxx
Again (for verification): xxxxxxx

# /etc/init.d/authdaemond restart
 * Stopping courier-imapd...                      [ ok ]
 * Stopping courier-imapd over SSL...             [ ok ]
 * Stopping authdaemond.plain...                  [ ok ]
 * Starting authdaemond.plain...                  [ ok ]
 * Starting courier-imapd...                      [ ok ]
 * Starting courier-imapd over SSL...             [ ok ]

# mutt -f imaps://division22.merseine.nu
-- Mutt: SSL Certificate check
(r)eject, accept (o)nce
-- Mutt: SSL Certificate check
Username at division22.merseine.nu: alex
Password for alex@division22.merseine.nu: xxxxxx
Logging in...
Login failed.
```

Could this have anything to do with postfix since I am unable to send email to anywhere outside of my system?

Here is my postfix [main.cf](division22.merseine.nu/main.cf)

auth is still user:alex

                passwd: password

I'm going to keep trying; this is just so weird that I simply refuse to give up. Any help is greatly appreciated.

[EDIT]

Ok, I can send email to remote servers like Hotmail now. Stupid me, I forgot a step.. I had changed the saslpass file but forgot to do `postmap hash:/etc/postfix/saslpass`, which is why I couldn't send emails except locally..

I still can't get the imaps server to auth, unfortunately.

----------

## Proteus

Ok, as I said before this all seems to work as good as possible.

But: In step 3.3 of this tutorial you describe how to setup a user.

I did in fact setup a user but never seem to have to use it.

I am using this machine as a desktop system as well and have no users specified in /etc/passwd. Therefore I am running as root all the time. (Yeah, I know, it's bad... But I like it.)

Can anyone tell me for what reason step 3.3 exists??

It just puzzles me that it seems to be without effect at all.

----------

## ghetto

 *Proteus wrote:*   

> Ok, as I said before this all seems to work as good as possible.
> 
> But: In step 3.3 of this tutorial you describe how to setup a user.
> 
> I did in fact setup a user but never seem to have to use it.
> ...

 

Maybe I should let beowulf answer this, but what the heck, I'm online anyway; step 3.3 is the part that I'm having trouble with.

Step 3.3 is there because, basically, unless you want to use your REAL username and REAL password for the system, you need to set up an email username and email password.

I would say that this is highly recommended, especially since, as you tell us, "I run as root", so I'm going to assume that you've been using your root password to log into your email account.. phew.. scary stuff.. even though it's imaps I still wouldn't trust it for everyday use... I've done it once or twice myself but only for testing purposes.

----------

## Proteus

Thanks for your fast answer, ghetto.

I know that it would be more secure not to use the root account/password but hey, this is a "network" consisting of a whopping 3 computers...

All owned and used only by myself. The router I use is a NAT router with included switch, so as far as I know nobody should be able to catch my internal traffic. Correct me if I am wrong.

But it's nice to know what step 3.3 actually does  :Smile: 

EDIT: I just tried to log in and check email with the user and password supplied in step 3.3. That does not work   :Sad:  "login failed"

----------

## beowulf

ghetto:

From what I understand, you're trying to auth against courier-imap again?  If that's the case, step 3.3 holds no purpose for you; as explained below, it is for postfix and relaying from a LAN computer to the internet.

When logging in to Courier-IMAP, you must use the username/password that is contained within your /etc/passwd file.  The benefits are two-fold.  One, user management is rather easy; secondly, once a new user has been created (a la "adduser ....") they already have an IMAP login.  IMAP and SASL do not go together... They are independent of each other...

Login -> Pam (/etc/passwd) -> courier-imap -> Email Client

Login -> sasldb (3.3) -> postfix -> sasl (3.2) -> Internet

Proteus:

Step 3.3 is needed if you are using the SMTP services with postfix.  If you are setting yourself up a local SMTP server, the login that you enter is based on step 3.3.  We don't use PAM, we don't use mysql... we specifically tell postfix to allow authenticated users (against sasldb) to relay email out into the internet.  Hope this is a bit clearer...

Another note, although you ask for me not to say anything... allowing root to login to any daemon is a bad idea...  I believe I will amend this guide so that it explicitly denies any root login... hehe  :Smile: 

----

I will be making a few changes to the guide to better illustrate this, as after reading through it, I realize how vague I tend to write hehe... Thanks for all your help guys... we are improving this guide daily!

----------

## Proteus

Ok, I understand that in order to send mail with postfix (what I can do) I should have to use the password/username supplied in 3.3.

However, I don't have to. All I supply is root as user and the password.

I don't send any second username/password combination in order to be able to send mail.

Thanks for clearing up my confusion about IMAP authentication, I think I understood it, finally.

----------

## ghetto

oh man  :Embarassed:   ......haHAHahahAHAH.. (<- laughing at myself because I didnt understand the document even though now that I go back and read it it is quite clear.)

phew.. well, hmm.. I guess now that I understand how the system works, I can happily report that it seems to be working perfectly.

I had just gotten really, really confusing data just moments before reading your post, and now that I read your post everything seems to make perfect sense.

Thanks tons, dude! I'm going to emerge squirrelmail and procmail and finish things off and then go read a book or something.. this has really been driving me to near insanity.

[EDIT] 

squirrelmail works just fine. I make sure that I log in using https.. and since it is on my local box I don't have to worry about it sending data to imap over a network, so it doesn't really need any special authentication.

[EDIT]

If anyone is interested in squirrelmail or has some other php site that they are running then I strongly suggest this little beauty -> The PHP Accelerator

----------

## Proteus

Shall I assume that you are laughing at me?

Or maybe you can share your newly gained wisdom with us?

I am confused now...

----------

## ghetto

No, I was laughing at myself for not understanding the document; I've edited my last comment so it seems less confusing.

I have no wisdom to share, except that since this is a one box server I don't seem to need fetchmail at all; the mail comes in and somehow it is magically appearing in my .maildir. Perhaps it is the work of postfix  :Very Happy: 

I am going to try one more thing, then I'm going to go read that book (it's amazing how much fun things can suddenly become when they start to work for me and not against me.)

Now I just have to setup some wicked spam filters, and then adjust iptables, and then do my evil laughter thing.

muWahaha <- preview of evil laughter

----------

## Proteus

I am sorry for mis-interpreting your answer...

But I think that your knowledge was indeed worth sharing.

I also thought (and basically I am still thinking it) that despite the fact that this is a "one box server" one needs fetchmail to retrieve mail.

AFAIK, postfix just delivers mail and cannot retrieve it. But then again it works that way for you...

I will try to search and find out what the postfix and fetchmail programs do in effect.

If someone already has that knowledge... please share  :Wink: 

----------

## beowulf

Added a squirrelmail section.  Tested sending and receiving... both work nicely.

Postfix is your MTA.  In this guide, I simply use it as a relay to an SMTP server that has the rest of the necessary services (DNS MX records).  Fetchmail fetches email from a remote POP/IMAP server and hands it off to procmail.

I don't understand how mail magically lands in your maildir though hehe but hey... it works, that's all that matters!

----------

## ghetto

 *Proteus wrote:*   

> 
> 
> But I think that your knowledge was indeed wort to share.
> 
> I also thought (and basically I am still thinking it) that despite the fact that this is a "one box server" one needs fetchmail to retrieve mail.
> ...

 

Well what would you like to know, I thought you have this working?

As far as fetchmail, well I agree, I thought I needed fetchmail too; however, since I uninstalled fetchmail a couple minutes ago and I am still able to send and receive email, I am beginning to believe that I don't really need it.

I'll turn on the packet sniffer tomorrow and send a few emails, maybe I can figure this out.

[EDIT]

Cleaned up some spelling and grammar mistakes..

----------

## Rocker

 *beowulf wrote:*   

> 
> 
> ```
> 
> root@server # vi /etc/ssl/openssl.cnf
> ...

 

What a great guide! It's exactly what I need!

Before starting with implementing it I have a small question: Is it correct to fill in CN=localhost and emailAddress=root@localhost?

Why don't I have to set it to my FQDN or something like that? 

I don't know what those letters are used for, or what they mean. C=country, ST=state, L=city, but what do the others mean? (Well.... emailAddress I know....   :Laughing:  )

Okay... Stop talking! Let's start building a new mail system...

----------

## Proteus

@ghetto:

I have it working I just don't really know why it works. And it works only when auth'ing as root but not when using a special sasl/mail username.

Maybe we could take a look at your main.cf in order to find out how you made postfix do fetchmail's job?  :Smile: 

However it is good to work a bit with all this stuff, I have learned a lot already. For example the difference between the IMAP and postfix servers.

------------------------------------------------------------------------

Actually the case is that I was too confused to see that the guide works as expected.

The problems auth'ing as the mailuser were selfmade because I tried to auth to the IMAP server with it. Of course that does not work.

It works (as it should) when I try to use the mailuser to auth on the postfix server.

So at least that problem is solved for me - I hope I have not caused too much confusion, it was all my fault...

------------------------------------------------------------------------

After I read all this it seems that this guide works but creates a lot of questions regarding how and why this system works. Maybe we need more in-depth knowledge. I took a look on the homepages of fetchmail, courier-imap and postfix but I find the information provided there too complicated.   :Confused: 

------------------------------------------------------------------------

Also I have two suggestions:

1) I think we only need to add courier-imapd-ssl to the runlevel, courier-imapd seems unneeded because we only use the ssl'ed services.

2) There is a typo in step 5.2 of the guide:

 *Quote:*   

> user@server $ chmod +x ~bin/getmyemailnow 
> 
> user@server $ crontab -e 
> 
> */10 * * * * ~/bin/getmyemail >/dev/null 2>&1 
> ...

 

There we create a file named "getmyemailnow" but in the crontab we call it getmyemail. It seems obvious that the "now" part must be added. Despite that it seems obvious it took me several hours to actually find out what went wrong...   :Embarassed: 

----------

## ghetto

 *Proteus wrote:*   

> @ghetto:
> 
> Maybe we could take a look at your main.cf in order to find out how you made postfix do fetchmail's ´job? 
> 
> However it is good to work a bit with all this stuff, I have learned a lot already. For example the difference between the IMAP and postfix servers.
> ...

 

Ok first things first, here is main.cf

```
myhostname = division22.merseine.nu
mydomain = merseine.nu
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
inet_interfaces = division22.merseine.nu, localhost
mydestination = division22.merseine.nu, localhost.merseine.nu
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
home_mailbox = .maildir/
#relay_domains = $mydestination
mynetworks = x.x.x.x, 127.0.0.0/8
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = division22.merseine.nu
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 5
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
#content_filter = filter: <- I'm in the middle of applying some filtering, ignore these two rules.
#soft_bounce = yes
```

One interesting thing that I learned after firing up the packet sniffer is that incoming email comes to me through port 25, which is the SMTP port, so in other words it seems that my email goes directly to Postfix all by itself, since Postfix is responsible for monitoring the SMTP port. This explains why I get the mail put into my .maildir so magically. I've only been able to test this using Hotmail and Shaw email addresses; both of them send email to me by connecting to the SMTP port.

As an interesting consequence of this, I can now block any attempts to connect to my imap2 or imaps servers from any location except locally. This makes me sleep better at night, and it seems to work fine because SquirrelMail is running locally on the box. So to get email I either connect to squirrelmail or else I ssh to the box and run mutt locally. (I love iptables)

About your suggestion #1, that's a good idea for most people, except I am running squirrelmail, and squirrelmail connects to the imap2 port, NOT the imaps port. The reason I don't mind it connecting to the imap2 port is firstly because, since squirrelmail is running locally on my box, I don't actually send any info over the network, and secondly because I haven't figured out how to get squirrelmail to authenticate against imaps.

However, I strongly suggest only connecting to squirrelmail over https; that way any information you send to it (if you're not on your local computer) from the web browser to the localhost will be nice and safe.

IF someone knows how to get SquirrelMail to authenticate on an imaps server please post it.  :Very Happy: 

If I get some time to try to figure it out in the next couple days I will post it myself, because this would eliminate the only reason I have for keeping an imap2 server running.

----------

## beowulf

Rocker:

Yep, I guess you should use your FQDN, but the only people that are going to see this are you, and anyone else on your LAN.  This system is not designed for a large LAN... just for your home, so it doesn't really matter what you enter there.. hehe

Proteus:

I agree, after testing it, I should remove the standard imap start up.  Since, as you have said it is un-needed.  Thanks for the typo, I will be fixing it after i finish this reply.

ghetto:

To authenticate using IMAPS in squirrelmail, set it according to the values in 7.4 of this guide.  When I added squirrelmail, I set it up to use IMAPS.  As for postfix grabbing the email... I was under the unique impression it could not replace fetchmail.  It can however replace procmail, but I don't think postfix has fetching abilities.... that said, I don't understand how it's working on your end, and after looking at your conf file, I am still left wondering.  But email's coming in and that's all that really matters  :Smile: 

[edit: When fetchmail grabs email, it redirects it to port 25 and points it to procmail... could that be what is happening? /]

----------

## Proteus

@ghetto:

Thanks for posting your main.cf.

However, I have to agree with beowulf - I can't see a reason why postfix is suddenly able to fetch mail.

Maybe you can post in which config files you have entered your auth'ing info for your mail provider. We should be able to see then which programs know how to check your mail there.

----------

## ghetto

Ok, I could be wrong here, but I don't think it's a matter of postfix suddenly being able to fetch email. I think what's happening is that the email is being delivered directly TO postfix from the internet.

Allow me to explain what I think is going on:

I have set up my internal system hostname as blah.foo.com and I have also set up a dynamic domain name server redirector service with dyndns.org so that it matches my real system hostname. Now a mail server gets an email for alex@blah.foo.com, so it starts looking for a host named blah.foo.com and, after being redirected by dyndns, it finds my computer.

Now here is the trick.

Since postfix is running with an open SMTP port, the server which is trying to send the email to my host sees that the SMTP port is open and tries to send email to it. Postfix is listening and sees that the email is addressed to

alex@blah.foo.com and says "thank you", takes the email, and delivers it to the appropriate mailbox.

It's kind of strange but it works; like I said, fetchmail is not even installed.

@beowulf

Thanks for the tls tips for squirrelmail.. things are getting better everyday.

Now I just have to teach mutt a few tricks  :Wink: 
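What ghetto describes is the standard SMTP delivery rule: a sending MTA looks up MX records for the recipient's domain and, when there are none, falls back to the domain's own address record (the "implicit MX" of RFC 5321), which is why a dynamic-DNS A record alone is enough for remote servers to connect straight to port 25. The following Python is an added example, not code from this thread or from Postfix; the DNS records in it are constructed and the host names and addresses are made up.

```python
# Added example: how a sending MTA chooses the next hop for a recipient domain.
# Follows RFC 5321 section 5.1 (MX lookup, implicit MX fallback) and the
# RFC 7505 "null MX" convention. All DNS data below is constructed.
from typing import Dict, List, Optional, Tuple

# (preference, host) pairs as they would come back from an MX query
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "example.org": [(20, "mx2.example.org"), (10, "mx1.example.org")],
    "nullmx.example": [(0, ".")],   # null MX: the domain accepts no mail
}
# A records, including a home box published through dynamic DNS
A_RECORDS: Dict[str, str] = {
    "mx1.example.org": "192.0.2.10",
    "mx2.example.org": "192.0.2.11",
    "blah.foo.example": "198.51.100.7",
}


def delivery_candidates(domain: str) -> List[str]:
    """Target hosts in the order a sender should try them (empty = no delivery)."""
    mx = MX_RECORDS.get(domain)
    if mx is None:
        # No MX record at all: the A record acts as an implicit MX with
        # preference 0, so the sender connects straight to the host itself.
        return [domain] if domain in A_RECORDS else []
    if len(mx) == 1 and mx[0][1] == ".":
        return []  # null MX: stop here instead of trying an A record
    # Lowest preference first; ties are ordered by name here (the RFC says to
    # randomise among equal preferences, which does not matter for this demo)
    return [host for _, host in sorted(mx)]


def next_hop_address(domain: str) -> Optional[str]:
    """First candidate that resolves to an address, or None."""
    for host in delivery_candidates(domain):
        addr = A_RECORDS.get(host)
        if addr:
            return addr
    return None


if __name__ == "__main__":
    for d in ("example.org", "blah.foo.example", "nullmx.example", "nowhere.example"):
        print(f"{d:18} -> {delivery_candidates(d)} -> {next_hop_address(d)}")
```

The flip side of the implicit-MX rule is the point ghetto makes about iptables: because every MTA on the internet can reach port 25 on the box, the relay restrictions in main.cf are what stands between the server and being an open relay, while IMAP need not be exposed at all.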

----------

## Rocker

Well, i've finished the tutorial, but it isn't working correctly.

First of all, I can't send any email when I use authentication. When setting smtpd_tls_auth_only to no, and I send my email anonymously, then it works. But when I (force) use authentication, then it keeps prompting for my password (using Digest-MD5). It won't accept the password I created in section 3.3

Second, when I log in via a shell and start mutt, it says: ~/.maildir/ is not a mailbox.

Using KMail, it won't connect to it.

Note: I was running the mysql version of postfix before, so maybe I've accidentally left some garbage from that tutorial in one of my conf files???

----------

## beowulf

Thanks for going through the guide.  hmmm, what does /var/log/mail.info, /var/log/mail.err, /var/log/mail.warn say when you're trying to login to the SMTP server? Bad username? Bad Password?  Bad Authentication method?

When mutt says ~/.maildir/ is not a mailbox, have you set mutt to use maildir format?  Did you emerge mutt with the use flag "maildir" and with the use flag "-mbox"?

Do you have mutt/kmail connecting to an IMAP server?  If so, to authenticate to IMAP, you'll need to use your system password (or PAM password)... If Kmail still cannot connect, what do the logs say... is it an authentication error? Is it even being logged?

Hope to hear back from you.

[edit: Also, I've edited the guide to use the "maildirmake" command, as opposed to mkdir.  Please do this as a user "rmdir ~/.maildir && maildirmake ~/.maildir"  This might be the reason Mutt and Kmail cannot connect... /]

----------

## peterk0

Another happy user here !!! Thanks   :Very Happy: 

Btw is there a way how to set IMAP4 servers port?

----------

## beowulf

 *peterk0 wrote:*   

> Another happy user here !!! Thanks  
> 
> Btw is there a way how to set IMAP4 servers port?

 

Thanks for going through the guide.  To set the IMAP server's port, you'll need to do one of two things.  

If you're running the server in SSL (TLS), you'll need to edit the file "/etc/courier-imap/imapd-ssl" and change SSLPORT=993 to equal any port you like... Read the comments that are there to better understand what's going on...

If you're using the IMAP server in non-SSL (TLS), you'll need to edit /etc/courier-imap/imapd and change PORT=143 to be whatever you want.  Make sure you're not running two services on the same port... such as both SSL and regular imap...

Another thing that may be required (dependant on what else you have running and such)... do this:

```
cat /etc/services | grep imap
```

...Then change it to match your new ports... I'm not sure if you need to do this, I didn't... but depending on the network setup you're using, it may be necessary...  I would test to see if you can get away without doing this first...

Hope this helps

----------

## peterk0

Well, thanks for quick reply, that would do it !!!   :Very Happy: 

----------

## Rocker

Sorry for my late response, I wasn't able to reply earlier!

All works fine now!

Somehow, I forgot to change the ownership and permissions of /etc/sasl2/sasldb.

I've fixed this, and now I can send my mail.

The mutt problem is also over now I've created the .maildir with the maildirmake command!

So... thanks again for this good tutorial!!!

----------

## Rocker

I'm trying to put my 'getmyemailnow' in a user cronjob.

However, it keeps complaining about

```
-bash: /usr/bin/crontab: Permission denied

```

This is logical because the /usr/bin/cronjob permissions are set to rwxr-w---

A simple solution is to give world executable rights to it, but I won't find that a secure option. I already made a /etc/cron.allow file, but this doesn't help either.

How have you guys solved this??

----------

## beowulf

Hey Rocker, Great to hear it's working out.  As for crontab, make sure your user is in the group "cron".

Get a list of the current groups you're in, then add group "cron" to your groups.  Here's how I would do it if my user wasn't in group cron, and perhaps this will help you do it for your group.

```
beowulf@server$ id
uid=1001(beowulf) gid=100(users) groups=100(users),10(wheel),250(portage)
beowulf@server$ su -
Password:
root@server# usermod -g users -G users,wheel,portage,cron beowulf
```

Then, logout and then log back in and you'll be able to access your crontab.

Hope this helps

----------

## peterk0

Hey, successfully installed on a second server so far!

ONLY one thing...

Do you know how to set up a character set? I need central European; this should be just for fetchmail or procmail, because I'm using this server only to receive emails.   :Question: 

LMK, thx

----------

## Rocker

I'm already in the cron group, and have changed the ownership of /usr/bin/crontab to root.cron.

When I try to install an new cronjob with crontab -e I now get the message:

seteuid: Operation not permitted

Any idea???

----------

## peterk0

Heeey solved already, just need to setup a font in your favorite email program =)

For me Sylpheed-Claws just RULEZ!

Seeya   :Cool: 

----------

## beowulf

peterk0: Glad it worked!

Rocker: Hmm, is one of the partitions mounted with the setuid bit off?  When you changed the permissions, did you remove the setuid bit?

Other than that, I'd ask in the Other things Gentoo forum... I'm not really sure what's going on... and getting a broader audience for your question would receive better answers.

----------

## Rocker

AFAIK, I haven't mounted it in any special way, so I guess that everything is quite normal??

Anyhow, I posted a new message in another part of the Gentoo forums, because we are a bit off-topic now.

So far: thanks for your great howto and support!!!

----------

## mscriv

I had problems sending e-mails to the outside world. I think postfix uses MX records to find where to send e-mail unless a relay host is specified in square brackets in /etc/postfix/main.cf.

```
relayhost = [smtp.isp.com]
```

Some text from /etc/postfix/sample/sample-misc.cf:

```
# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
#
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
#
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
```
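The sample-misc.cf text quoted above lists six syntactic forms for relayhost, and the bracket form is the one that matters here: it makes Postfix connect to exactly that host instead of querying MX records for it. The following Python is an added example, not Postfix code, that parses those forms and reports whether MX lookups are off; the host names and addresses in the usage are made up.

```python
# Added example: parse the relayhost forms listed in Postfix's sample-misc.cf
# (domain, host, host:port, [host]:port, [address], [address]:port) and report
# whether the bracket form has switched MX lookups off. Not Postfix code.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RelayHost:
    host: str             # domain, host name or address literal
    port: Optional[str]   # None means Postfix's default, the smtp service (25)
    mx_lookup: bool       # False when written in [brackets]


_BRACKETED = re.compile(r"\[([^\[\]]+)\](?::(\S+))?")


def parse_relayhost(value: str) -> RelayHost:
    value = value.strip()
    if not value:
        raise ValueError("empty relayhost")
    m = _BRACKETED.fullmatch(value)
    if m:
        # [host] or [address]: connect to exactly this name/address, no MX query
        return RelayHost(m.group(1), m.group(2), mx_lookup=False)
    if "[" in value or "]" in value:
        raise ValueError(f"unbalanced brackets in relayhost: {value!r}")
    if value.count(":") > 1:
        # A bare IPv6 literal would be split wrongly; Postfix wants it bracketed
        raise ValueError(f"address literals must be written in brackets: {value!r}")
    host, sep, port = value.partition(":")
    return RelayHost(host, port if sep else None, mx_lookup=True)


def is_valid_relayhost(value: str) -> bool:
    """True when parse_relayhost accepts the value."""
    try:
        parse_relayhost(value)
        return True
    except ValueError:
        return False


def describe(value: str) -> str:
    """One-line summary of where mail will be handed off."""
    rh = parse_relayhost(value)
    how = "direct connection (MX lookup off)" if not rh.mx_lookup else "MX lookup of the name"
    return f"{rh.host} port {rh.port or '25 (smtp)'} via {how}"


if __name__ == "__main__":
    for v in ("[smtp.isp.com]", "smtp.isp.com:587", "[192.0.2.25]:587", "isp.com"):
        print(f"{v:20} -> {describe(v)}")
```

Port values stay strings because Postfix also accepts service names from /etc/services there, as beowulf notes for the IMAP ports earlier in this thread.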

----------

## puddpunk

 *Rocker wrote:*   

> I'm already in the cron group, and have changed the ownership of /usr/bin/crontab to root.cron.
> 
> When I try to install an new cronjob with crontab -e I now get the message:
> 
> seteuid: Operation not permitted
> ...

 

Yeah, Have a look in your /etc directory for cron.allow or something. If you are using fcron, you need to add your user into that list.

```
find /etc -name "cron.allow"
```

Or maybe it's fcron.allow. I can't remember :\

----------

## Rocker

No, as you can see in an earlier post (on page 3), I'm already in the cron group, and also listed in the cron.allow file.  :Wink: 

However, thanks for trying to help me; that's what forums are for, isn't it??  :Razz: 

BTW: the problem is solved already, I changed the permissions with chmod g+s crontab, and now it's working. I know that this solution has something to do with setting uid or something like that, but I don't know what it does exactly...   :Laughing:   I received the tip from anybody else on this forum, and it helped!

----------

## beowulf

mscriv: Thanks for trying it out!  Normally that is correct, however in this setup, we tell Postfix to use SASL and the SMTP server listed in the saslpass file.  We're doing this because, as you said, we don't have an MX record.  If you're still having trouble, please post your /etc/postfix/main.cf with this command:

```
grep -v "^#" /etc/postfix/main.cf | sed '/./,/^$/!d'
```

----------

## DefconAlpha

Two things...

First: you will probably have to emerge pine-maildir instead of pine if you want maildir support

Second: try emerging getmail. it's so freakin easy :)

----------

## dispatriot

I, too, have completed the guide. And I, too, am having issues.

Authentication is all set up and working great. I have absolutely no problems accessing my inbox on my postfix server or sending mail via smtp (using outlook as client.) The only problem is, there's no mail. If I send mail via Pine to, for instance, dispatriot@localhost... the email goes through and it will show up in my outlook client. (Interestingly, not in the Pine INBOX folder.) I'm fairly certain the server is receiving the email, because I did get one of these: 

```
This is the Postfix program at host victorygin.ccci.org.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

The Postfix program

<dispatriot@10.10.2.162>: mail for 10.10.2.162 loops back to myself
```

When I tried to send an email to dispatriot@myserver'sip from outlook.

It's kinda funny... I had a success like the one mentioned above with my redhat 9 server where everything "just worked." I was really counting on it for this project!

Any ideas?

----------

## beowulf

dispatriot - Thanks for trying the guide.  I'm glad it worked for you for the most part.

Could you post your postfix/main.cf file?

```
grep -v "^#" /etc/postfix/main.cf | sed '/./,/^$/!d'
```

Also, your aliases file which could be "/etc/mail/aliases"

I've never seen that error even when I have sent an email to myself.  That said, i'll wait to hear back from you before trying to figure out what's going on.

----------

## Enclavet

I am having problems with postfix. I can start postfix just fine and when I do /etc/init.d/postfix start it has the regular [ok]. However when I try to restart or stop, like /etc/init.d/postfix stop restart, I get [!!] meaning it didn't go through. Logs don't show any problems. I'm wondering what could be causing this? I can't even connect to Postfix either. When I try to use KMail to send email it says my ip is broken or can't connect. I can receive but not send.

Also I'm wondering how I would set something up so that other computers on the network, including Windows computers, could use the mail server? 

I would add all the emails to be downloaded in fetchmail and then try to distribute them to different inboxes for outlook to retrieve. I want a centralized spam filtering system. 

Thanks.

----------

## Proteus

Hi Enclavet!

I do not know what is wrong with your postfix server or kmail, I think others are far more qualified to help you with those things...

However, I can try to answer your other questions:

1) You can use this setup with any email-client that is imap enabled (therefore you can use outlook or outlook express, I speak from experience here  :Smile:  )

2) In Order to distribute your emails from different accounts into different inboxes see above in this discussion. It is explained there. And it's really easy. Only some new lines in your .procmailrc.

3) Centralized Spam filtering system:

I do want to use something like this as well. I know it is possible when you emerge spamassassin (there is also some anti-virus scanning daemon in portage if you want that functionality as well).

However, I am currently trying to find out how spamassassin is configured for myself and have no clue as of now...

Maybe someone can give us both a hint as to where some documentation can be found for that topic.

----------

## Enclavet

Yeah I got the multiple users working but not the SMTP stuff..

I was wondering, however, how I would be able to get Hotmail emails? Is there a way to place getmail > fetchmail into the process somewhere?

----------

## beowulf

Enclavet: Great to hear that receiving is working for you.  Do you think you could post the output from this command:

```
grep -v "^#" /etc/postfix/main.cf | sed '/./,/^$/!d'
```

Hotmail has its own system in place... There's probably a way to do it with getmail/fetchmail... but I do not know it... 

SpamAssassin should be placed in your procmailrc file.. but I've never configured it.... There was a guide a while back about SpamAssassin... and it should detail how to set it up.

----------

## taskara

HI, great work!!

I have a little problem.. it's probably something stupid I'm doing. I am trying to re-create the ssl certificates (under section 3.6) so that they don't need a password.

I have edited the openssl.cnf file with my info, and have added -nodes to the CA.pl file, as per instructions.

when I try and create the files via  ./CA.pl -newca it asks me to specify a password.

 *Quote:*   

> root@server misc # ./CA.pl -newca
> 
> CA certificate filename (or enter to create)
> 
> Making CA certificate ...
> ...

 

Am I supposed to put in a password here? And if so, make one up or use the root password? Also, what do I put as the filename? (I assume newcert.pem etc.)

sorry for my newbie questions! I've never had to re-create my ssl certs before!  :Confused: 

----------

## Enclavet

Heres the output:

```
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
inet_interfaces = $myhostname, localhost
mydestination = $myhostname, localhost.$mydomain
unknown_local_recipient_reject_code = 450
mynetworks = 192.168.1.0/24, 127.0.0.0/8
relay_domains = $mydestination
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
home_mailbox = Mail/
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /etc/postfix/sample
readme_directory = /usr/share/doc/postfix-2.0.9
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options =
smtpd_sasl_auth_enable = yes
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_local_domain = $myhostname
 broken_sasl_auth_clients = yes
 smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_relay_domains
```

seems that I deleted the tls portion but when I had it in still had the same problems  :Smile: 

Also, is there a way to create a folder in IMAP where my spam would be placed, so that the client would download, in addition to the inbox, the folder called Spam?

I can't create any subdirectories other than subfolders of Inbox. When I try to create a subfolder under my account, which I named "Enclavet's Mailbox", I get this error:

"The current command did not succeed." The mail server responded: Invalid mailbox name.

----------

## taskara

here's part of my /etc/ssl/misc/CA.pl file  *Quote:*   

> # create a certificate
> 
>             system ("$REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $
> 
>             $RET=$?;
> ...

 

before when I ran 

```
 ./CA.pl -newca
```

 it would ask for a username and password. so I got out of that. now when I run it again, it doesn't ask for anything  *Quote:*   

> server misc # ./CA.pl -newca
> 
> server misc #

  but it does NOT create the file newcert.pem

so I've stuffed something up somewhere.. could anyone point me in the right direction?

many thanks!

----------

## puddpunk

 *Proteus wrote:*   

> 3) Centralized Spam filtering system:
> 
> I do want to use something like this as well. I know it is possible when you emerge spamassassin (there is also some anti-virus scanning daemon in portage if you want that functionality as well).
> 
> However, I am currently tryin to find out how spamassassin is configured for myself and have no clue as of now...
> ...

 

HINT: .procmailrc

SPOILER:

```
# zcat /usr/share/doc/Mail-SpamAssassin-2.44/procmail.example.gz
```

```
# SpamAssassin sample procmailrc
#
# Pipe the mail through spamassassin (replace 'spamassassin' with 'spamc'
# if you use the spamc/spamd combination)
# The condition line ensures that only messages smaller than 250 kB
# (250 * 1024 = 256000 bytes) are processed by SpamAssassin. Most spam
# isn't bigger than a few k and working with big messages can bring
# SpamAssassin to its knees.
:0fw
* < 256000
| spamassassin

# Mails with a score of 15 or higher are almost certainly spam (with 0.05%
# false positives according to rules/STATISTICS.txt). Let's put them in a
# different mbox. (This one is optional.)
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
almost-certainly-spam

# All mail tagged as spam (eg. with a score higher than the set threshold)
# is moved to "probably-spam".
:0:
* ^X-Spam-Status: Yes
probably-spam

# Work around procmail bug: any output on stderr will cause the "F" in "From"
# to be dropped.  This will re-add it.
:0 H
* ! ^From[ ]
* ^rom[ ]
{
  LOG="*** Dropped F off From_ header! Fixing up. "
  :0 fhw
  | sed -e 's/^rom /From /'
}
```

I just left out the 2nd recipe (the one about a 15 or higher spam score) and just got procmail to filter everything with the spam flag into a directory called Spam  :Smile: 

HTH,

Cheers,

Chris.

P.S. beowulf, bogofilter can be easily integrated into this type of set up. You could set a cron job to train it, and let it read a Maildir in ~/.maildir called spam/ or something. So if you get spam, move it into spam/, and caught spam gets moved into spam/ too.

If you give me a little while, I could come up with something for this  :Wink: 

----------

## beowulf

taskara:

Great news... You fixed your own problem... almost... I believe you left out the word $DAYS on the new create a certificate stage.  Here's what that code block looks like in my file:

```
        # create a certificate
        system ("$REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS");
        $RET=$?;
        print "Certificate (and private key) is in newreq.pem\n"
    } elsif (/^-newreq$/) {
        # create a certificate request
        system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
        $RET=$?;
        print "Request (and private key) is in newreq.pem\n";
    } elsif (/^-newca$/) {
```

Hope this does it... 

Enclavet:

Everything looks okay in your postfix file... But since you can't connect and the daemon is having problems stopping... well, that leads me to believe it is a postfix configuration problem...

A few basic questions... Is there a firewall? Is your hostname working okay?  Did running `postfix check` spit out any errors?

Also, I wonder about this:

unknown_local_recipient_reject_code = 450

What if you changed it to 550?  I know 450 would be better... but I've read things about 450 giving people problems...

Are you using two computers?  Are you attempting to use Postfix to send localmail from one computer on your lan to the server, then out to another computer on the lan?

what does nmap tell you?  Is 25 open? /etc/hosts and hosts.[allow|deny] looking okay?

Do you have any other *.cf files in /etc/postfix/ that could be appending additional values (not including the sample dir).

Was Postfix compiled with the use flag "sasl" and did you create the necessary sasl files and edit /usr/lib/sasl2/smtpd.conf?

RE:  *Quote:*   

> I cant create any subdirectories other than any subfolders of Inbox. When I try to create an subfolder under my account like Enclavet's Mailbox as I named it I get this error: 

 

What about trying to name a subfolder "Enclavets.Mailbox" or something... maybe it's choking on the single quotes... Not sure...

puddpunk:

Thanks for chiming in on the spamassassin issue... I've never needed it since i do all my filtering on the IMAP server @ fastmail... 

If you came up with a bogofilter guide... I would, with your permission, add it to the front page of this guide as a new section....  Thanks again
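The reason `-nodes` goes into CA.pl is worth spelling out: without it, openssl encrypts the private key under a passphrase, and Postfix or Courier then cannot load the key at startup because nobody is at a terminal to type it. What follows is an added example, not part of beowulf's post or the guide: a small PEM inspector that splits a file into its blocks (CA.pl -newreq writes the key and the request into the same newreq.pem), tells you whether a private key would prompt for a passphrase, and can pull just the key blocks out for a separate `smtpd_tls_key_file`. The two sample files are constructed placeholders with fake base64 bodies, not real key material.

```python
import re

# OpenSSL's traditional (PEM-level) encryption puts this header inside the block
ENCRYPTED_HEADER = re.compile(r"^Proc-Type:\s*4,ENCRYPTED", re.M)

# One PEM block: its label and everything up to the matching END line
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----\r?\n?", re.S)


def pem_blocks(text):
    """(label, inner text) for every PEM block in a file, in order.
    CA.pl -newreq uses -keyout newreq.pem -out newreq.pem, so newreq.pem
    normally yields two blocks: the private key and the request."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(label, body):
    """Would loading this private key prompt for a passphrase?"""
    if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8 encrypted form
        return True
    if label.endswith("PRIVATE KEY") and ENCRYPTED_HEADER.search(body):
        return True                  # traditional form: Proc-Type/DEK-Info headers
    return False


def inspect(text):
    """Summarise a PEM file from the point of view of an unattended daemon."""
    report = {"labels": [], "private_key": False, "needs_passphrase": False}
    for label, body in pem_blocks(text):
        report["labels"].append(label)
        if label.endswith("PRIVATE KEY"):
            report["private_key"] = True
            if key_is_encrypted(label, body):
                report["needs_passphrase"] = True
    return report


def usable_by_daemon(text):
    """Postfix/Courier need a key that is present and has no passphrase."""
    r = inspect(text)
    return r["private_key"] and not r["needs_passphrase"]


def extract(text, suffix):
    """Only the PEM blocks whose label ends with `suffix`, e.g.
    extract(open('newreq.pem').read(), 'PRIVATE KEY') for a key-only file."""
    return "".join(m.group(0) for m in PEM_BLOCK.finditer(text)
                   if m.group(1).endswith(suffix))


# Constructed stand-ins for what CA.pl leaves in /etc/ssl/misc.
# The base64 bodies are placeholders, not real keys.
FAKE_B64 = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB\n"
ENCRYPTED_NEWREQ = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n" + FAKE_B64 +
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE REQUEST-----\n" + FAKE_B64 +
    "-----END CERTIFICATE REQUEST-----\n")
PLAIN_NEWREQ = (                                   # what -nodes produces
    "-----BEGIN RSA PRIVATE KEY-----\n" + FAKE_B64 +
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE REQUEST-----\n" + FAKE_B64 +
    "-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path) as f:
            print(path, inspect(f.read()))
```

Run it as `python3 peminspect.py /etc/ssl/misc/newreq.pem /etc/postfix/newcert.pem` (script name assumed): a `needs_passphrase: True` on the key file means the -nodes edit did not take and the daemon will fail to start or hang asking for the passphrase.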

----------

## taskara

thanks for the reply beowulf, I really appreciate it.

this is driving me a little batty.. I can't seem to get it to create my newcert.pem

I checked my CA.pl file, and I think I DO have DAYS here (I think the previous quote was wrapped, so you couldn't see it  :Wink: ) here it is unwrapped  *Quote:*   

>             # create a certificate
> 
>             system ("$REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS");
> 
>             $RET=$?;
> ...

 

I unmerged openssl, deleted the /etc/ssl dir and all files under it, re-emerged openssl, re-edited the files, and still have the same problem. Except now when I run 

```
 ./CA.pl -newca
```

 it asks for a name, so I type newcert.pem, and it finishes but creates nothing. if I go on to do the other steps, I get the following error, and I can't find newcert.pem ANYWHERE! lol  :Confused:   *Quote:*   

> root@server misc # ./CA.pl -newca
> 
> root@server misc #
> 
> root@server misc # ./CA.pl -newreq
> ...

 

sorry to hassle you... any thoughts ?

----------

## kram

taskara: I think you need to put stuff in all those fields it asks for. City = Canberra ? etc...

Anyway great guide  :Smile:  I set it up the same, except I used .forward files to forward mail from all my different accounts straight to my postfix server. No need for fetchmail anymore, and its only using bandwidth when necessary  :Smile: 

----------

## taskara

 *kram wrote:*   

> taskara: I think you need to put stuff in all those fields it asks for. City = Canberra ? etc... 

 

I think filling in the details is optional - and the -newca doesn't seem to ask for the info. I will try again anyway with all the info (the lack of details on my quote was from the -newreq section.)

 *kram wrote:*   

>  Anyway great guide  I set it up the same, except I used .forward files to forward mail from all my different accounts straight to my postfix server. No need for fetchmail anymore, and its only using bandwidth when necessary 

  that sounds very interesting.. if only I could get past this ssl problem I'd look into it... sigh

----------

## taskara

ok

I've re-emerged openssl and re run 

```
 ./CA.pl -newca
```

it asks me  *Quote:*   

> CA certificate filename (or enter to create)

  I just press enter.

then it continues asking  *Quote:*   

> Making CA certificate ...
> 
> Using configuration from /etc/ssl/openssl.cnf
> 
> Generating a 1024 bit RSA private key
> ...

 

if I just press "enter" it says  *Quote:*   

> Enter PEM pass phrase:
> 
> Verifying password - Enter PEM pass phrase:
> 
> phrase is too short, needs to be at least 4 chars
> ...

 

what do I put in for the PEM pass phrase ?

looks like I'm getting somewhere.. thanks!

----------

## puddpunk

Okay beowulf, I will look at doing that. Of course you have my permission to add it to the front page, it would be an honour  :Wink: 

Basically, I'll have a maildir called Spam, with maildirs underneath it. i.e.

```
Spam

|---Unverified

|---Undetected

|---Misdetected

`---Verified
```

Or something. I'm working full time at the moment (with part time study  :Sad: ) so it might be a week or two before I get this figured out fully. I'll write it in python, because I know it, and it's nice and easy to hack around with.

When it's done, I'll PM it to you beowulf  :Wink: 

Cheers,

Chris.

----------

## Proteus

I have managed to get SpamAssassin 2.55 (emerged with ~x86 but seems stable to me) - this version has bayesian filtering, too.

I implemented it in a very simple way (basically combining the .procmailrc file from this guide and the example file that comes with SA, setting up a .spam maildir and setting up cronjobs to let SA learn the difference between spam and other emails):

1)

Emerge SA:

 *Quote:*   

>  ACCEPT_KEYWORDS="~x86" emerge Mail-SpamAssassin

 

2)

Edit your .procmailrc file, add the following:

 *Quote:*   

> #set up a Spam maildir where all the spam goes for teaching SA spam vs. non-spam
> 
> #and to be sure that no mail - even if detected as spam - gets lost (like when you pipe it to /dev/null)
> 
> SPAM_FOLDER= $MAILDIR/.spam/
> ...

 

Leave the rest of the file as it is described at the beginning of this guide.

3)

Setup Spam maildir

```
maildirmake -f spam ~/.maildir/
```

4)

Configure SA

This can be done automatically (almost) by using a script you can find here:

http://www.yrex.com/spam/spamconfig.php

Place the config file here: /etc/mail/spamassassin

If you setup SA with bayesian scanning enabled you must teach it to detect spam first.

This is done by putting all detected spam in the .spam maildir

(when some spam gets through, put it there manually, so SA can adapt)

and then letting SA learn from those mails and from those mails (considered good) in your .inbox.

You can do this by hand or - as I did - use a cronjob to do it.

SA will only start to use the bayesian scan after learning from at least 200 mails.

If you only use SA in standard mode or just merge the "stable" version (i.e. without using ACCEPT_KEYWORDS="~x86") you do not need to do the next steps. The current stable version is 2.44 as of this writing and does not contain bayesian filtering at all...

(As it seems you can add bogofilter for this task instead, but I have no clue about that, yet.)

5) 

Setup Cronjob for sa-learn (bayesian filter teaching program):

 *Quote:*   

> #This scans for spam and for good mails every half hour.
> 
> #Set the interval (30 minutes) appropriately for your convenience and the amount of mails you get.
> 
> */30 * * * *    sa-learn --dir --spam /root/.maildir/.spam > /dev/null 2>&1
> ...

 

So, I hope I haven't left out anything but I think this is all needed to enable spam-filtering with SpamAssassin.

You can check whether or not an email has been scanned by looking at the mail headers, there should be some looking similar to those when it has been scanned:

 *Quote:*   

> X-Spam-Status: No, hits=2.1 required=5.0
> 
> 	tests=HTML_00_10,HTML_MESSAGE,NO_REAL_NAME
> 
> 	version=2.55
> ...

 

###########################################

@all: 

Maybe the system would even be safer if we combined bogofilter and SA?

Or is there a certain advantage to bogofilter?

----------

## beowulf

 *taskara wrote:*   

> ok
> 
> I've re-emerged openssl and re run 
> 
> ```
> ...

 

Taskara:

When you re-merged openssl did you delete the /etc/ssl dir? Or more importantly /etc/ssl/misc/*

I would try getting rid of any old cert's (if they aren't being used elsewhere)... so that when you retry it is fresh...  Other than that, I am at a loss for what is going wrong... I do not see what could be causing this error... Anybody else who's reading know?  Sorry i can't help further... perhaps a general post in the "networking and security" forums would get a good response?

puddpunk:

Thanks for allowing me to post it... As for when you can have it done... well that is up to you completely as it is your time that will be needed to write it... hehe just throw me a pm when it's ready... thanks

Proteus:

Nice work on SA!  With your permission i would like to basically cut & paste your work onto the main post (give you credit of course)... and add it under a heading "Spam Filter" and then perhaps at a later date add puddpunk's bogofilter...

Let me know if this is okay with you... either here or through a pm...

----------

## Proteus

beowulf:

I feel honored that you consider adding my mini-how-to to your great guide.

Basically that's why I posted it - to help people with this setup to easily integrate a spam-filter. 

This guide helped me massively and I thought I can at least try to give some help back - and maybe someone needs/wants this.

I am also looking forward to puddpunk's bogofilter "add-in" to the guide.

That will make the setup - hopefully - even more spam-free.

Currently I am looking for easy ways to integrate a mail scanner (maybe amavis) into this setup. 

Maybe if I can figure it out soon enough for myself I can post that as well.

This might take a bit longer, though, as I have to begin from zero here...

I'll let you know when I succeed - and when I run into trouble as well   :Wink:  !

----------

## taskara

sigh... thanks anyway..

I emerge -C openssl

then rm -fR /etc/ssl/

so yeah I deleted everything..

when I run ./CA.pl -newca is it supposed to ask for a filename and a PEM pass phrase? or should it do nothing?

as you can see in my post above, it asks for a few things when I run -newca and the guide doesn't show what to put in there. so I just put in a password, and it continued, completed "successfully" but there is no newcert.pem file for me to copy anywhere.

this is most distressing  :Sad: 

thanks anyway for your help

----------

## puddpunk

bogofilter is really fast, it is purely a bayes filter, it has no RBL filter (which is useless for me, I have some kind of hybrid spam :\), which is where most of the time goes, in RBL filtering (it has to contact a lot of RBL servers).

This can sometimes take up to 3 times as long as bogofilter  :Smile:  Also, it's faster because it's written in C, as opposed to SpamAssassin's perl base.

SpamAssassin is basically the KDE of mail filters  :Wink:  It does everything, it does it well, but it's a bit bloated and slow. bogofilter is the fluxbox of mailfilters. It does what it does cleanly, and quickly.

I'm writing my own python script as we speak to train bogofilter off certain maildirs, and the script can be easily embedded in a cron job.

Cheers,

Chris.

----------

## Proteus

I have edited my little guide.

The crontab is slightly changed:

 *Quote:*   

> */30 * * * * sa-learn --dir --ham /root/.maildir/ > /dev/null 2>&1

 

I changed the directory from ".maildir/cur" to just ".maildir", sa-learn seems to know its way around in maildirs. So there is no need to specify the "/cur".

Also I added a remark about using spamc+spamd or spamassassin in the .procmailrc file:

 *Quote:*   

> #spamc is the client program for the daemonized
> 
> #version of SA (designed to keep load and overhead down)
> 
> #If you don't run SA as a daemon change "spamc" to "/usr/bin/spamassassin"
> ...

 

----------

## Proteus

Just a question:

In my /etc/postfix/main.cf is this line

 *Quote:*   

> mailbox_command = /usr/bin/procmail

 

I am not sure if this is needed or not nor do I know what it changes.

Anyone got an idea?

----------

## puddpunk

yup, I think it's when postfix receives anything on its SMTP port (like from another computer on the internet, sending mail to the computer's host) it doesn't deliver it itself, it hands it to procmail, which is what you want  :Smile: 

----------

## Proteus

Ok, but I don't think this line is mentioned anywhere here in this guide and we work with procmail, too. 

So I assume it's not really needed because postfix passes mail to procmail anyway?

----------

## puddpunk

my main.cf doesn't have it set at all  :Neutral: 

Anyway, this guide was supposed to be for pulling mail off a server (via fetchmail) instead of the computer actually receiving mail via its SMTP port.

my bogofilter guide is almost finished. The script is written and working, just need to finalise the steps, then i'll post it!

Cheers,

Chris.

----------

## Proteus

Oh yes, I forgot about using fetchmail to receive mail...

Can't wait to see your bogofilter guide  :Smile: 

----------

## puddpunk

Bogofilter mail filtering solution

For use with beowulfs Home Email System Guide

By Chris Smith

Introduction

This guide was written so that bogofilter may be implemented in the "Email System for the Home Network" Guide. This guide proves that bogofilter can be used in client AND in server side filtering solutions, still leaving the user in total control.

The script contained in this guide depends on most of this guide being followed word for word. Feel free to edit and modify my guide and script for your own use, just post on this thread and let us know what you're doing with it. We're very interested to see where this goes  :Smile: 

All code contained in this documentation is released under the GPL Public Licence. Of course  :Smile:  Right... Here we go!

Instructions

Make the spam maildirs:

```
$ cd ~/.maildir
$ mkdir .Spam{,.False-Positives,.False-Negatives}
$ mkdir .Spam{,.False-Positives,.False-Negatives}/{cur,tmp,new}
```

NOTE: If you change these, I hope you know python, as you will need to hack the script so it knows which maildirs to treat as spam.

Load your mail client and move ALL your spam mail out of your normal directories, and into the Spam directory.

OPTIONAL: If you have a LOT of mail (i.e. thousands), and not just spam either, all mail, you may choose to have a "Ham" directory, which you can put a selection of a few hundred messages in.

You may choose to do this, because the script currently walks through all your directories (that aren't spam!) and commits all that mail to bogofilter as "Good" mail. If you have a lot of messages, this will take quite a while (but not _that_ long  :Smile: ), but bogofilter will be more thoroughly trained. Do this only in special cases:

 Create ham directory:

```
mkdir .Ham
mkdir .Ham/{cur,tmp,new}
```

Move a selection of a few hundred good messages into the new Ham directory. The script will auto-detect the presence of a .Ham directory, so it won't walk all your maildirs.

Copy the following script, and name it as: 

```
~/Bin/bogotrainer
```

```
#!/usr/bin/env python3
# bogotrainer: train bogofilter from Maildir folders and apply corrections.
import getpass
import os
import os.path
import subprocess

# Configuration entries. Not much ATM. More if needed.
bogodir = os.path.expanduser("~/.bogofilter/")
maildir = os.path.expanduser("~/.maildir/")

# Leave everything below here unless you want to do some hacking :)


def feed(args, path):
    """Pipe one message file into bogofilter (or procmail) on stdin.
    A file handle is used instead of a shell redirect, so odd characters
    in Maildir filenames never reach a shell."""
    with open(path, "rb") as msg:
        subprocess.run(args, stdin=msg, check=False)


def messages(folder):
    """Full paths of the messages in the cur/ part of a Maildir folder."""
    cur = os.path.join(folder, "cur")
    if not os.path.isdir(cur):
        return []
    return [os.path.join(cur, name) for name in os.listdir(cur)]


def cleanhamdirs(d):
    """Decide whether a directory under the Maildir may be treated as ham."""
    name = d[len(maildir):]
    # We don't want Spam in the hamdirs :)
    if name.startswith(".Spam"):
        return False
    # The maildirs of the inbox itself are handled separately below
    if name in ("cur", "tmp", "new"):
        return False
    # If you threw it away, you obviously don't want it :)
    if name.startswith(".Trash"):
        return False
    return True


needdbs = False
if os.path.isdir(bogodir):
    print("Bogofilter directory found")
    # Assuming that if spamlist.db exists, goodlist.db does too.
    # bogofilter itself will complain if goodlist.db is missing.
    if os.path.isfile(os.path.join(bogodir, "spamlist.db")):
        print("Databases found")
    else:
        print("Databases NOT found. Generating...")
        needdbs = True
else:
    print("Bogofilter directory NOT found. Generating...")
    needdbs = True

if needdbs:
    print("Generating databases:")
    spamdir = os.path.join(maildir, ".Spam")
    print("Registering spam messages from", spamdir)
    for spampath in messages(spamdir):
        print("- ", spampath)
        feed(["bogofilter", "-s"], spampath)

    hamdir = os.path.join(maildir, ".Ham")
    if os.path.isdir(hamdir):
        # If a specific .Ham dir exists, use only that.
        hamdirs = [hamdir]
    else:
        # Or else, use everything that isn't spam: the inbox itself plus
        # every other folder that passes cleanhamdirs().
        others = [os.path.join(maildir, d) for d in os.listdir(maildir)]
        others = filter(os.path.isdir, others)
        hamdirs = [maildir] + list(filter(cleanhamdirs, others))
    for d in hamdirs:
        print("Registering ham messages from", d)
        for hampath in messages(d):
            print("- ", hampath)
            feed(["bogofilter", "-n"], hampath)

# So, everything exists, this must be an "updating run", easy!
# First, correct misdetected ham from the false-positives directory,
# and feed it back through procmail so it lands where it belongs.
fpdir = os.path.join(maildir, ".Spam.False-Positives")
print("Correcting ham messages from", fpdir)
for hampath in messages(fpdir):
    print("- ", hampath)
    feed(["bogofilter", "-Sn"], hampath)        # unlearn as spam, learn as ham
    feed(["/usr/bin/procmail", "-d", getpass.getuser()], hampath)
    os.remove(hampath)

# Now, correct misdetected spam, and put it in the Spam maildir :)
fndir = os.path.join(maildir, ".Spam.False-Negatives")
print("Correcting spam messages from", fndir)
for spampath in messages(fndir):
    print("- ", spampath)
    feed(["bogofilter", "-Ns"], spampath)       # unlearn as ham, learn as spam
    # Don't bother procmailing it, put it straight in spam! :)
    os.rename(spampath, os.path.join(maildir, ".Spam", "cur",
                                     os.path.basename(spampath)))
```

Now, make the script executable:

```
chmod +x ~/Bin/bogotrainer
```

If you have a previous training of bogofilter, the script won't overwrite it (so it's cronjob-able), but it's a good idea to start afresh.

```
rm -rf ~/.bogofilter
```

 Run the script and wait while it takes in all of your mail and builds its databases. Bogofilter is quite fast, so it shouldn't take too long, and you get to see its progress!

```
~/Bin/bogotrainer
```

Add these recipes in your ~/.procmailrc before all your other recipes:

```
#Bogofilter filtering solution.
:0fw
| bogofilter -u -e -p

:0e
{ EXITCODE=75 HOST }

:0:
* ^X-Bogosity: Yes,
.Spam/
```

Add this line to your crontab:

```
crontab -e

# minute hour day month weekday: minute 0 of hour 23, i.e. once a day at 11pm
0 23 * * * ~/Bin/bogotrainer >/dev/null 2>&1
```

   This sets it to run once a day at 11pm, you can change it. Once a day is about right.

Done! Now you have 2 sub spamdirs which you can use to train bogofilter as you see fit, right from your mail client.

When you receive a mail that bogofilter moves to your spam directory, but isn't actually spam, move it into the False-Positives dir in your email client. You can either run the script immediately, or wait until the cronjob triggers. It retrains bogofilter correctly, then feeds the mail back through procmail for proper classification. If it happens again, don't ignore it, put it back in the False-Positives dir and run the script again until bogofilter learns it correctly!

When you receive a spam in your inbox, move it into the False-Negatives directory. Next time the script is run, it will retrain bogofilter to recognise that mail as spam, then the mail is moved into your .Spam maildir.

When you feel that your bogofilter is 100% accurate (when it comes to false-positives, you don't want to lose any mail) you can edit your .procmailrc so that when bogofilter detects a mail as spam, it moves it to /dev/null (deleting it). Use with caution! But with that method, you don't even have to look at the filth!

Conclusion

Well, I think that's about it for this. If there is anything I've forgotten, don't hesitate to drop me a PM. I will give out my email over PM if needed. I may look at updating and streamlining the script soon, so check back here in a little while.

Thanks and References

Thanks a lot to beowulf for creating this awesome guide, and all the other active participants on this thread (Proteus in particular  :Smile: ). The community is what makes Gentoo thrive!

The sites I used researching this little project are as follows:

MairasWiki - Anti Spam System

Bayesian Filtering with Bogofilter and Sylpheed-Claws

Re: [Evolution] Built-in spam filtering?

Spam Filtering with Bogofilter

Cheers,

Chris.
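The two recipe sets in this thread (the SpamAssassin sample .procmailrc quoted earlier, and the bogofilter recipes in the guide above) make the same decisions: skip the tagger for oversized mail, tempfail with EXITCODE=75 if the tagger cannot run so the MTA retries instead of losing the message, then pick a folder from the tagging headers. What follows is an added example that is not part of Chris's guide or the thread: a Python model of that routing, so you can see exactly which header wins when several are present. The sample messages are constructed, and `bogofilter_stub` / `broken_tagger` are stand-ins for `bogofilter -u -e -p` (or spamc/spamassassin), not the real classifiers.

```python
from email import policy
from email.parser import BytesParser

SIZE_LIMIT = 256000   # "* < 256000": larger messages skip the tagger entirely
STAR_LIMIT = 15       # "^X-Spam-Level: \*{15}" -> almost-certainly-spam
DEFER = "DEFER"       # ":0e { EXITCODE=75 HOST }": procmail exits EX_TEMPFAIL,
                      # so the MTA queues the message and retries later


def add_header(raw, name, value):
    """Prepend a header, the way the taggers add X-Spam-* / X-Bogosity."""
    return f"{name}: {value}\n".encode() + raw


def headers(raw):
    """Parse only the header block of a raw RFC 2822 message."""
    return BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)


def route(raw):
    """Folder choice from the tagging headers, in recipe order:
    X-Bogosity: Yes           -> .Spam/                (bogofilter recipe)
    X-Spam-Level: 15+ stars   -> almost-certainly-spam (SA optional recipe)
    X-Spam-Status: Yes        -> probably-spam         (SA main recipe)
    anything else             -> INBOX"""
    msg = headers(raw)
    if (msg.get("X-Bogosity") or "").startswith("Yes"):
        return ".Spam/"
    if (msg.get("X-Spam-Level") or "").count("*") >= STAR_LIMIT:
        return "almost-certainly-spam"
    if (msg.get("X-Spam-Status") or "").startswith("Yes"):
        return "probably-spam"
    return "INBOX"


def procmail_like(raw, tagger):
    """One pass through the recipes. `tagger` is any callable returning
    (exit_code, tagged_raw); it stands in for the filter in ":0fw | ..."."""
    if len(raw) < SIZE_LIMIT:            # the SA sample's size condition
        code, tagged = tagger(raw)
        if code != 0:                    # "w" flag + ":0e": tempfail and retry
            return DEFER, raw
        raw = tagged
    return route(raw), raw


def bogofilter_stub(raw):
    """Stand-in tagger: 'spam' in the Subject -> X-Bogosity: Yes, else No."""
    spam = "spam" in str(headers(raw).get("Subject", "")).lower()
    return 0, add_header(raw, "X-Bogosity", "Yes" if spam else "No")


def broken_tagger(raw):
    """Stand-in for a filter that cannot run (e.g. no wordlist trained yet)."""
    return 1, raw


# Constructed sample messages; not taken from the thread.
HAM = b"From: alice@example.org\nSubject: lunch\n\nsee you at noon\n"
SPAMMY = b"From: bob@example.net\nSubject: cheap SPAM pills\n\nbuy now\n"
SA_SPAM = add_header(HAM, "X-Spam-Status", "Yes, hits=6.0 required=5.0")
SA_SURE = add_header(SA_SPAM, "X-Spam-Level", "*" * 20)
BOGO_SPAM = add_header(HAM, "X-Bogosity", "Yes, tests=bogofilter, spamicity=0.999")
HUGE = HAM + b"x" * SIZE_LIMIT          # over the limit: the tagger never runs

if __name__ == "__main__":
    for name, raw in [("HAM", HAM), ("SPAMMY", SPAMMY), ("HUGE", HUGE)]:
        print(name, "->", procmail_like(raw, bogofilter_stub)[0])
    print("HAM with broken filter ->", procmail_like(HAM, broken_tagger)[0])
```

Two things the model makes visible: a message that is too big is never tagged and lands in INBOX whatever it contains, and a filter failure produces a deferral rather than a delivery, which is why the `:0e` / `EXITCODE=75` pair belongs in the recipe even though it looks optional.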

----------

## Proteus

@taskara:

You can make up a password when doing "./CA.pl -newca".

You just need it when you self-sign that certificate using "./CA.pl -sign".

At least that's how it works here   :Razz: 

----------

## beowulf

Taskara's problem has been fixed... he kept me updated through PM... he basically needed to unmerge openssl, reboot and try the guide again... He wonders if it's because the ssl libraries were in use at the time... i don't know... and i can't figure it out.. but it works now... so i'm happy for him  :Smile: 

----

Sorry for not updating the guide sooner... but I've been kind of busy from day to day... anyways, go and see the new additions to the guide  :Very Happy: 

Added Spam Assassin and Bogofilter... choice is good... and we've given them both choice... if any of you two want an update on the front page... let me know... I'll be more than happy to update it...

Enjoy

----------

## taskara

yeah thanks guys,

as beowulf said I did finally find a solution..

I was trying to make a new ssl certificate while I was logged in via ssh, and I did get an error about shared libraries at one stage.

I unmerged ssl, deleted /etc/ssl and rebooted.

upon reboot ssh could not start (cause there was no ssl)

I re-built ssl, created the new certificates, restarted ssh and it came back up.

not sure if this was the cause, but it seemed to get it working for me.. thanks for your patience and brain storming  :Very Happy:  much appreciated.

I got a little further along the guide... but got stuck somewhere else.. so I've kinda given up.

while I remember, there was one section that said "let's make our .fetchmailrc file executable", but I think the step is actually skipped, though changing the permissions of the file is included.. someone who knows what they're doing can prob verify / deny this.

----------

## beowulf

 *taskara wrote:*   

> yeah thanks guys,
> 
> as beowulf said I did finally find a solution..
> 
> I was trying to make a new ssl certificate while I was logged in via ssh, and I did get an error about shared libraries at one stage.
> ...

 

Ahh geeze, sorry to hear you've gotten stuck... i understand it must be trying on your patience... anyways, when i said to make the .fetchmailrc file executable, we did just that... by the command "chmod 710 ~/.fetchmailrc"

Since fetchmail is picky about what attributes the file has, it's not as simple as a chmod +x or anything... Anyways, if you ever feel like trying it again, I'm here to help you, as is the rest of the community...

----------

## taskara

hey all..

well I persisted on, and now I have fetchmail grabbing mail and putting it into my maildir.

I can connect to my IMAP server, but I have a few problems.

one, I can't send mail out - it gives me an error saying  *Quote:*   

> The connection to the server has failed. Account: 'Chris' IMAP Mail', Server: '192.168.0.10', Protocol: SMTP, Port: 25, Secure(SSL): No, Socket Error: 10061, Error Number: 0x800CCC0E

 

so for now I am sending straight through my isps mail server.

what I am stuck on are cron jobs. I don't fully understand how to add getmailnow to a job. I am using fcron. I followed the commands as per doco 

```
crontab -e
```

(which would only let me run as root, not as normal user for some reason) and it creates a file under /tmp. I copy the contents from the guide into it and save it. I'm sure this sounds absolutely ridiculous but I don't know where to go from here, or how to do it properly. I sent a test message through but it never arrived (so I assume fetchmail is not running properly in the cron job).

the other thing I would like to clarify, is how to get mail for all other users.

I have one mailbox which everyone's email goes to (chris@penguinitis.com, tim@penguinitis.com and etc) and I want fetchmail to grab them all and have them sorted into my maildir and tim's maildir.

how would I go about doing this? do I have to create separate procmailrc files for each user? once again my apologies for my ignorance.

thank you all very much,

Chris

----------

## BlueEar

I followed the section that explains how to set up postfix to use ISP's smtp server (3.2) but when I e-mail a friend at AOL postfix still attempts to connect directly to their mail servers. In particular, in my log file I see:

 *Quote:*   

> Jun 25 18:58:11 [postfix/smtp] connect to mailin-02.mx.aol.com[64.12.137.184]: server refused mail service (port 25)
> 
> Jun 25 18:58:12 [postfix/smtp] connect to mailin-03.mx.aol.com[64.12.138.57]: server refused mail service (port 25)
> 
> Jun 25 18:58:12 [postfix/smtp] connect to mailin-01.mx.aol.com[64.12.137.89]: server refused mail service (port 25)
> ...

 

Is there a trick to it? The relevant section of my main.cf reads as follows:

```
# cat /etc/postfix/main.cf | grep "smtp_sasl"
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options =
```

and I have set up saslpass file

```
# ls -l /etc/postfix/saslpass
-rw-------    1 root     root          175 Jun 25 10:40 /etc/postfix/saslpass
# cat /etc/postfix/saslpass
# $Header: /home/cvsroot/gentoo-x86/net-mail/postfix/files/saslpass,v 1.1 2002/07/13 20:17:14 raker Exp $
#
# remotehost user:password

foo.bar.net user:password
```

What else do I need to do to have postfix relay mail through my ISP's smtp server?

----------

## -leliel-

Hi there.

there's a questions and a problem:

q) how is the maildir organized? There's a new, a tmp and a cur folder currently in there ... where do I have to create my folders procmail should sort in?

p) I could only send mails plain, not with tls or ssl. What's wrong?

thanks for the great guide.  :Wink: 

----------

## Proteus

The maildir subdirs are for new (i.e. unread) mail in the new subfolder and normal mail (i.e. mail you read before) in the cur folder.

I guess the tmp is there for some specific reason, too. That is just something I don't know.

Just create any subfolders with the maildirmake command, it takes care of the specifics of maildirs.

Can you maybe show us your main.cf so we can guess why tls/ssl does not work. Is there some specific error message?

----------

## -leliel-

sure. these are my options in main.cf about tls and ssl:

```
smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_local_domain = $myhostname

broken_sasl_auth_clients = yes

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains

smtpd_use_tls=yes

smtpd_tls_auth_only = yes

smtpd_tls_key_file = /etc/postfix/newreq.pem

smtpd_tls_cert_file = /etc/postfix/newcert.pem

smtpd_tls_CAfile = /etc/postfix/cacert.pem

smtpd_tls_loglevel = 3

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom
```

thanks

----------

## beowulf

taskara:

Great to hear you tried it again!

Regarding the inability to send mail and the error... What client are you using?  Apparently the issue is with TLS... did you emerge the software with the use flags specified?  Can you connect without using SSL?  Can you do this for me:

```
# cat /etc/postfix/main.cf | grep tls
```

RE: the cron jobs.  Are you in the cron group?  Type this as your user 

```
$ id
```

 Does it tell you that you are in the cron group?  I've never used fcron... is it much different from vcron?  If you need to, put the script in /etc/cron.hourly or something and set it to run as your user.

RE: Multiple mail users: There were some posts back on pages 2 and 3 where i gave possibilities to grab email from multiple places and filter it... basically the software you'd use is Fetchmail, with multiple poll lines and procmail to filter using the To: email header... 

BlueEar

I'm glad you tried it out! Can you post this output: 

```
grep -v ^# /etc/postfix/main.cf | grep smtp
```

Did you set up the file in /etc/sasl2/sasldb2?

```
 # ls -l /etc/sasl2/sasldb2

-rw-r-----    1 postfix  root        xxxxxxxx /etc/sasl2/sasldb2

```

The reason I ask for this is that 3.3 shares a dependency on 3.2... without knowing what you have in one section, I cannot fully diagnose the problem... 

-leliel-

Good to hear you can send email!  Regarding your question, a maildir has 3 directories... "cur, tmp, new"  Cur and New were described by Proteus... so let me tell you what tmp is... the tmp directory is where mail lands first during a fetch... or when receiving... as its name suggests, it's a temporary place for the email to go... It is later moved to the "new" directory after the fetch/receiving has completed.

As for your problem... Does your output match this?

```

root@server # cat /etc/postfix/main.cf | grep smtp_sasl

smtp_sasl_auth_enable = yes

smtp_sasl_password_maps = hash:/etc/postfix/saslpass

smtp_sasl_security_options =

```

Did your ssl certificates generate okay?  Also, can you post any relevant information from your logs... one such log to check is /var/log/mail.err or /var/log/mail.warn... check the other /var/log/mail.* files for relevant information...

-- 

I'll wait to hear back from you guys... hope this helps

----------

## BlueEar

 *beowulf wrote:*   

> [...]Can you post this output: 
> 
> ```
> grep -v ^# /etc/postfix/main.cf | grep smtp
> ```
> ...

 

Amazing! A multi-support!   :Very Happy:  Beowulf, thanks for getting back. I did set up sasldb2, with my regular (bluear) user. The results of the two commands you asked about are:

```
# grep -v ^# /etc/postfix/main.cf | grep smtp

smtp_sasl_auth_enable = yes

smtp_sasl_password_maps = hash:/etc/postfix/saslpass

smtp_sasl_security_options =

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_local_domain = $myhostname

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains

# ls -l /etc/sasl2/sasldb2

-rw-------    1 postfix  root        12288 Jun 25 18:54 /etc/sasl2/sasldb2

```

In the meantime I got postfix to use my ISP's smtp server by adding relayhost=foo.bar.com to my /etc/postfix/main.cf, where foo.bar.com is my ISP's host and it is listed in /etc/postfix/saslpass file. I did not see anything about relayhost in your guide so I am wondering if this is a good way of dealing with my issue. Any advice is greatly appreciated!
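Added example, not from the guide or from anyone in this thread: a small check that a main.cf and its saslpass map agree. Without `relayhost`, Postfix looks up the recipient domain's MX and delivers directly (which is what the AOL log lines above show), and the saslpass map is never consulted. When `relayhost` is set, Postfix searches `smtp_sasl_password_maps` first for the next-hop destination exactly as written (brackets and port included) and then for the bare server name, so the saslpass key has to match one of those. The file contents are constructed; `smtp.isp.example` is a placeholder.

```python
"""Check that relayhost and /etc/postfix/saslpass line up (added example)."""
import re

# Constructed sample files; the relayhost is a placeholder, not a real ISP.
MAIN_CF = """
# comment lines and blanks are ignored by Postfix
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options =
relayhost = [smtp.isp.example]:587
"""

SASLPASS = """
# remotehost user:password
[smtp.isp.example]:587   isp_user:isp_secret
"""


def parse_main_cf(text):
    """Return main.cf parameters as a dict (comments and blank lines skipped)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_saslpass(text):
    """Return {lookup_key: 'user:password'} from a saslpass source file."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and ":" in parts[1]:
            table[parts[0]] = parts[1]
    return table


def relay_lookup_keys(relayhost):
    """Keys Postfix tries in smtp_sasl_password_maps, in order: the next-hop
    destination as written, then the server name without brackets and port."""
    keys = [relayhost]
    m = re.match(r"^\[([^\]]+)\](?::\d+)?$", relayhost)
    bare = m.group(1) if m else relayhost.split(":")[0]
    if bare != relayhost:
        keys.append(bare)
    return keys


def check_relay_config(main_cf, saslpass):
    """Return a list of findings; an empty list means the relay setup is consistent."""
    p = parse_main_cf(main_cf)
    findings = []
    relayhost = p.get("relayhost", "")
    if not relayhost:
        findings.append("relayhost not set: Postfix delivers directly via MX lookup "
                        "and never consults smtp_sasl_password_maps")
        return findings
    if p.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtp_sasl_auth_enable is not yes: no credentials are sent to the relayhost")
    creds = parse_saslpass(saslpass)
    keys = relay_lookup_keys(relayhost)
    if not any(k in creds for k in keys):
        findings.append(f"saslpass has no entry for {relayhost!r} (tried {keys})")
    return findings


if __name__ == "__main__":
    print(check_relay_config(MAIN_CF, SASLPASS) or "relay configuration consistent")
```

Keep the saslpass source file and its hashed `.db` readable by root only (the `-rw-------` shown above is right), and remember to rerun `postmap` after editing it, since Postfix reads the `.db`, not the text file.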

----------

## taskara

Hey Beowulf,

thanks for your reply.. I should have updated my posts.

I have fcron working, it's grabbing my mail, and I will look into single pop and multiple users  :Smile: 

I have fixed my outgoing mail server problem, however I do have a couple of problems atm:

1) I can send email, but ONLY to my internal network (ie *@taskara.dyndns.org) sending to my work address the smtp mail server rejects it

2) Sending email still works withOUT authentication, but I don't want to be used as a mail relay!  :Wink: 

3) SSL doesn't seem to be working with smtp

4) every time I connect to my IMAP server it says that my ssl certificate cannot be verified or something, and do I want to continue. I assume this is because it's not officially registered with some global ssl place or something. how can I get around this, so that it doesn't ask all the time? do I have to install my public key onto each desktop or something?

thanks heaps for your help, here is the output from what you requested:

 *Quote:*   

> root@server chris # cat /etc/postfix/main.cf | grep tls
> 
> smtpd_use_tls = yes
> 
> smtpd_tls_auth_only = yes
> ...

 

----------

## beowulf

First let me apologize for taking so long to get back to you... things are hectic lately for me... sorry...

BlueEar

RE relay host: i didn't include it in my conf file... since sasl should determine where to send the email...

RE grep output:  I gather you aren't using SSL (TLS)?  When you compiled Cyrus-SASL, did your use flags have SSL in it?  I'm not sure what side effects occur when sasl is compiled for SSL but not used...  If on the other hand you intended to use SSL, then your /etc/postfix/main.cf file is missing the appropriate lines...  Depending on which way you're going (IE: No ssl), you may wish to try SSL hehe and get it working as it should, then work on taking SSL out of the picture...

--

taskara

Great that fcron is working  :Smile: 

1 & 2: I believe the problems to be related...

Can you follow this code block, matching output with yours... except for username specific stuff..:

```
root@server # sasldblistusers2

beowulf@odin.beowulf.bounceme.net: cmusaslsecretOTP

beowulf@odin.beowulf.bounceme.net: userPassword

root@server # grep -v ^# /usr/lib/sasl2/smtpd.conf | grep pwcheck

pwcheck_method:sasldb

root@server # /etc/init.d/saslauthd status

 * status:  stopped

root@server # grep -v ^# /etc/postfix/saslpass

smtp.isp.some.server.com          isp_smtp_user:isp_smtp_pass

root@server # ls -l /etc/sasl2/sasldb2

-rw-------    1 postfix  root        12288 May 23 21:44 sasldb2

root@server # postfix check

root@server # grep -v ^# /etc/postfix/main.cf | grep smtp

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_local_domain = $myhostname

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains

smtpd_use_tls = yes

smtpd_tls_auth_only = yes

smtpd_tls_key_file = /etc/postfix/newreq.pem

smtpd_tls_cert_file = /etc/postfix/newcert.pem

smtpd_tls_CAfile = /etc/postfix/cacert.pem

smtpd_tls_loglevel = 3

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

smtp_sasl_auth_enable = yes

smtp_sasl_password_maps = hash:/etc/postfix/saslpass

smtp_sasl_security_options =

root@server # 

```

Also, what error do you get when you send to your work email address?

3: What's not working with SSL?  I apologize, as I know you're getting frustrated with this guide and me... but I need a bit more to go on... is authenticating with SSL not working?  If that's the case, did you compile the software with the USE flag ssl?  What errors are you getting? Still the same log error about socket not existing?  Is it when sending an email over SSL it is failing?  Are your ssl cert files in /etc/postfix world readable? Again, sorry... but just a touch more info would be most helpful in solving this recurring problem... 

4: Yep... you need your SSL key generated by someone like Thawte, Verisign or one of those other people that charge $100 for a year... It's a home network so who really cares if your SSL cert isn't verified... but if you do, http://www.verisign.com & http://www.thawte.com

--

hope this helps... if not, post back and try to give as much detail as you can... here's to hoping the problems will be solved soon  :Smile: 

----------

## jcummins

I had the same problem with CA.pl asking me for a passphrase as well.   For some reason, executing the CA.pl script, the -nodes switch wasn't being used.  Even after checking the CA.pl to make sure I added the switch in the correct places, it still didn't work.  I bet this is the same problem taskara was having.

I noticed that on the HOWTO, it said to run the command:

```
./CA.pl -newca
```

however, the HOWTO says to add the -nodes switch in the -newcert area.  So I ran `./CA.pl -newcert`, and it didn't prompt me for the passphrase.

----------

## jcummins

I am having a slight problem with my setup.  The setup and configuration went (semi) smoothly.  I am able to connect to the gentoo box and get my IMAP mail.  However, I am unable to send email.  When I try, my e-mail client (Outlook Express) fails with this error:

```
Unable to establish a SSL connection with the server. Account: '192.168.1.101', Server: '192.168.1.101', Protocol: SMTP, Server Response: '454 TLS not available due to temporary reason', Port: 25, Secure(SSL): Yes, Server Error: 454, Error Number: 0x800CCC7F
```

here is the output of /var/log/messages:

```
Jul  1 09:26:25 drunkenmonkey imapd-ssl: Connection, ip=[192.168.1.100]

Jul  1 09:26:25 drunkenmonkey imapd-ssl: LOGIN, user=jcummins, ip=[192.168.1.100]

Jul  1 09:26:25 drunkenmonkey imapd-ssl: couriertls: read: Connection reset by peer

Jul  1 09:26:25 drunkenmonkey imapd-ssl: DISCONNECTED, user=jcummins, ip=[192.168.1.100], headers=0, body=0

```

Any Ideas?

----------

## taskara

I had this same problem..

in your /etc/postfix/main.cf file what do you have for relay_domains?

 *Quote:*   

> 
> 
> relay_domains = $mydestination

 

P.S - did you get squirrelmail working ?

----------

## taskara

 *beowulf wrote:*   

> First let me apologize for taking so long to get back to you... things are hectic lately for me... sorry...
> 
> --
> 
> taskara
> ...

 

MATE, no problems! I have been making leaps and bounds since I posted last.

I have fetchmail working well through fcron as local user (not root), I have courier imap working with ssl, I have squirrelmail working, I have postfix working (and sending to any address I want - the problem was in my main.cf, where I had `relay_domains = $mydomain` instead of `relay_domains = $mydestination`)  :Embarassed: 

I think I have postfix working with ssl, here is the output of the port 

```
root@server / # telnet localhost 25

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

220 server.taskara.dyndns.org ESMTP Postfix

EHLO taskara.dyndns.org

250-server.taskara.dyndns.org

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-STARTTLS

250-XVERP

250 8BITMIME

```

u can see 250-STARTTLS there.. I think that should mean it's running tls, but you can see there is NO reference to AUTH  :Confused: 

I guess the question is - will it still transmit emails withOUT ssl? I assumed it wasn't working, because I could send an email withOUT ssl   :Embarassed: 

SO the only thing that I don't have working now is Authentication on my mail server. atm anyone can send out an email  :Confused: 

ahh here is the output of everything you requested

```
root@server chris # sasldblistusers2

chris@server.taskara.dyndns.org: cmusaslsecretOTP

chris@server.taskara.dyndns.org: userPassword

root@server chris # grep -v ^# /usr/lib/sasl2/smtpd.conf | grep pwcheck

pwcheck_method: sasldb

root@server chris # /etc/init.d/saslauthd status

 * status:  stopped

root@server chris # grep -v ^# /etc/postfix/saslpass

mail.internode.on.net :

root@server chris # ls -l /etc/sasl2/sasldb2

-rw-------    1 postfix  root        12288 Jun 25 22:32 /etc/sasl2/sasldb2

root@server chris # postfix check

root@server chris # grep -v ^# /etc/postfix/main.cf | grep smtp

smtp_sasl_auth_enable = yes

smtp_sasl_password_maps = hash:/etc/postfix/saslpass

smtp_sasl_security_options =

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_local_domain = $myhostname

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains

smtpd_use_tls = yes

smtpd_tls_auth_only = yes

smtpd_tls_key_file = /etc/postfix/newreq.pem

smtpd_tls_cert_file = /etc/postfix/newcert.pem

smtpd_tls_CAfile = /etc/postfix/cacert.pem

smtpd_tls_loglevel = 3

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

root@server chris #
```

I think everything is the same as yours, except that my isp does not require auth to send email

so I don't know why auth isn't working.. any other ideas?

cheers!

Chris
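Added example, not from the guide or from anyone in this thread: a parser for EHLO replies that audits what a server exposes before and after STARTTLS. With `smtpd_tls_auth_only = yes` Postfix does not announce AUTH on an unencrypted session, so an EHLO over plain telnet is expected to show `250-STARTTLS` and nothing about AUTH; the AUTH line only appears after the client has issued STARTTLS. The transcripts below are constructed (hostname `server.home.example` is a placeholder); the `AUTH=` duplicate line is the non-standard form Postfix adds when `broken_sasl_auth_clients = yes`.

```python
"""Audit AUTH exposure in EHLO replies before and after STARTTLS (added example)."""

# Constructed EHLO replies, not captured from a real server.
EHLO_BEFORE_STARTTLS = """\
250-server.home.example
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-XVERP
250 8BITMIME
"""

EHLO_AFTER_STARTTLS = """\
250-server.home.example
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH CRAM-MD5 DIGEST-MD5
250-AUTH=CRAM-MD5 DIGEST-MD5
250-XVERP
250 8BITMIME
"""

# The bad case: plaintext mechanisms announced on the unencrypted session.
EHLO_LEAKY = EHLO_BEFORE_STARTTLS.replace(
    "250-STARTTLS\n", "250-STARTTLS\n250-AUTH PLAIN LOGIN\n")

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Map each EHLO keyword to its parameters.
    The first 250 line is the server greeting and carries no keyword."""
    caps = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for ln in lines[1:]:
        if not ln.startswith("250"):
            raise ValueError("unexpected EHLO reply line: " + ln)
        body = ln[4:].strip()            # drop "250-" or "250 "
        if not body:
            continue
        # "AUTH=..." is the broken_sasl_auth_clients form; fold it into AUTH.
        if body.upper().startswith("AUTH="):
            body = "AUTH " + body[5:]
        keyword, *params = body.split()
        known = caps.setdefault(keyword.upper(), [])
        for p in params:
            if p not in known:
                known.append(p)
    return caps


def audit_auth_exposure(before_tls, after_tls):
    """Return findings; an empty list means the server behaves as
    smtpd_tls_auth_only = yes intends."""
    pre, post = parse_ehlo(before_tls), parse_ehlo(after_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not advertised; clients cannot upgrade to TLS")
    if "AUTH" in pre:
        leaked = PLAINTEXT_MECHS & {m.upper() for m in pre["AUTH"]}
        if leaked:
            findings.append("plaintext mechanisms offered before STARTTLS: "
                            + ", ".join(sorted(leaked)))
        else:
            findings.append("AUTH offered before STARTTLS; smtpd_tls_auth_only is not in effect")
    if "AUTH" not in post:
        findings.append("no AUTH after STARTTLS; clients cannot authenticate at all")
    return findings


if __name__ == "__main__":
    print(audit_auth_exposure(EHLO_BEFORE_STARTTLS, EHLO_AFTER_STARTTLS) or "as intended")
    print(audit_auth_exposure(EHLO_LEAKY, EHLO_AFTER_STARTTLS))
```

To capture the second transcript from a real server you need a TLS-capable client (for example `openssl s_client -starttls smtp`), since plain telnet cannot continue the session after STARTTLS.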

----------

## taskara

some developments:

I ran some tests and here are the results.

I CAN send email:

WITH auth only

withOUT auth

withOUT auth and with SSL

I could NOT send email:

with auth and with ssl

but I COULD send emails:

with auth and ssl with secure password.

so what I would like is to ONLY be able to send an email with auth ssl and secure password.

so that if ANYONE tries to send an email with out auth or without ssl, then it is rejected.

that's the plan  :Smile: 

thanks guys, any thoughts?

----------

## usingloser

sasl says that there isnt a secret in my database, any help?

----------

## Proteus

Did you delete the existing sasldb file before you tried to follow the steps in the guide?

----------

## usingloser

yes, i deleted the database before i created a new one by adding a new user

----------

## Proteus

Can you please retry that specific section of the guide and post any errors. Normally this should work flawlessly. We need more info to be able to help you.

----------

## tekM

Ok,

First off.....GREAT GUIDE.

I got everything going with one exception.  I'm using postfix, sasl, tls, imap-ssl, squirrelmail, kmail etc.  I'm not relaying to my isp and just want secure password required over tls smtp services.  Imap over SSL works flawlessly...squirrelmail is also flawless.

My problem is with Kmail sending to my new smtp service.  I tell it to use authentication and under security I tell it to use TLS and Digest-md5.....first time around the cert popped up and I accepted and said continue etc.  then delivery fails saying this:

Sending failed:

Authentication failed.

Most likely the password is wrong.

The server responded: "Error: authentication failed "

I've re-run through step 3.3 in the guide 4 times now....making sure to delete sasldb2 each time of course.  No matter what I do I keep getting that "Authentication failed" when I've got authentication and TLS selected. 

Here is what does work.  Authentication with None for encryption and no authentication with none for encryption.  Which is bad cause I only want smtp to work when it's authenticated to.  I've also telnetted into my server and did an EHLO example.com followed by a starttls......that worked and server responded tls ready or something to that effect.

Here is a copy of my main.cf.   Any help would be enormously appreciated:

```
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
inet_interfaces = $myhostname, localhost
mydestination = $myhostname, localhost.$mydomain, $mydomain
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
home_mailbox = .maildir/
relay_domains = $mydestination
mynetworks = 192.168.2.0/24,127.0.0.0/8
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/newreq.pem
smtpd_tls_cert_file = /etc/postfix/ssl/newcert.pem
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = 
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
```

----------

## taskara

 *tekM wrote:*   

> 
> 
> Sending failed:
> 
> Authentication failed.
> ...

 

hey.. I have the same problem, where by u can send withOUT auth  :Confused: 

the problem u have should be able to be resolved if you use secure password authentication... it did for me anyway.

as u can see from my post above, sending withOUT auth works (which I don't want it to) sending WITH auth works, sending WITH TLS and NO auth works, sending WITH TLS and WITH auth FAILS, but sending WITH TLS and WITH auth through secure password authentication WORKS.

bizarre..

----------

## tekM

Ok....I've got an update.  After clearing my head and thinking about it for a second, I'm realizing that I can send outgoing smtp from Kmail unauthenticated simply because I'm on $mynetworks...duh for me  :Razz: .  So that leaves the TLS issue + auth issue.  Here is where I'm at:

SMTP with NO auth and NO tls works because of $mynetworks

SMTP WITH auth and NO tls works

SMTP WITH auth and WITH tls does NOT work  ("Error: Authentication Failed")

The last one seems to be my only problem here.  In the main.cf the command "smtpd_tls_auth_only = yes" should force postfix to only allow smtp auth to occur once a good tls has been established.  TLS works.....SASL auth works....but they won't play together for some reason.  I'm not sure where it's failing.  :Sad: 

----------

## tekM

Ok, a little bit more info for anyone with any ideas.

SMTP with NO auth and NO tls works because of $mynetworks

SMTP WITH auth and NO tls works

SMTP with NO auth and WITH tls works

all good 

SMTP WITH auth and WITH tls set to PLAIN fails with "Server doesn't allow PLAIN"  (IS THIS THE PROBLEM??)

SMTP WITH auth and WITH tls set to LOGIN, CRAM-MD5, or DIGEST-MD5 all fail with "Authentication failed"

----------

## Proteus

 *Quote:*   

> smtp_sasl_password_maps = hash:/etc/postfix/saslpass

 

Maybe that's what is missing? Seems that postfix doesn't know where to lookup the saslpasses...

Also, this line:

 *Quote:*   

> smtp_use_tls = yes 

 

is not included in my conf. Seems that it is not required.

Maybe you just want to use `smtpd_use_tls=yes` (it's in your conf already)

----------

## taskara

hmm I have that there in my main.cf... any other ideas?

maybe some others can test this to see if their machines are working properly.

----------

## Proteus

It just seems to be the case that tekM does not have it included. Maybe it's helpful for him. 

Sorry that it does not apply to you, taskara.

(And apologies to tekM if this does not help him, too...)

----------

## taskara

gr00vy

----------

## Quint

I've followed the guide to a T, but I get this error when starting postfix

```
root@linux eric # /etc/init.d/postfix start
 * Could not get dependency info for "postfix"!
 * Could not get dependency info for "postfix"!
 * Starting postfix...                                                    [ ok 
```

I'm not sure what I did wrong, All help appreciated

thanks in advance

eric

----------

## BlueEar

Beowulf, you were right, I did not enable TLS. Mostly, because my /etc/ssl/openssl.cnf does not have the lines you mention (the one ending in _default). I see commonName, but no commonName_default. Here is the grep result:

```

# fgrep _default /etc/ssl/openssl.cnf

default_ca      = CA_default            # The default ca section

[ CA_default ]

countryName_default             = AU

stateOrProvinceName_default     = Some-State

0.organizationName_default      = Internet Widgits Pty Ltd

#1.organizationName_default     = World Wide Web Pty Ltd

#organizationalUnitName_default =

```

I am using openssl-0.9.6i-r2:

```
 # emerge -s openssl 

Searching...

[ Results for search key : openssl ]

[ Applications found : 5 ]

  

*  dev-libs/openssl

      Latest version available: 0.9.6i-r2

      Latest version installed: 0.9.6i-r2

```

I take it, something must have changed between different versions. So unless you have a quick fix, I need to wait with TLS support until I read through openssl documentation ...

----------

## beowulf

jcummins

Do you by chance have Norton Antivirus running on the box that has Outlook Express?  Or perhaps another antivirus that is scanning outgoing mail?  What happens if you disable scanning outgoing mail and try sending again?

taskara

Sending without auth works: Try changing this line in your main.cf and see if it solves it:

```
smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains
```

So what you did was get rid of the condition that allows any host in mynetworks to send email.... I should've mentioned this earlier... never even entered my head before tekM mentioned it...

Sending with TLS and no Auth: See above

Sending with tls and Auth fails: I assume you mean authenticating in a plain manner does not work?  IE: using PLAIN as the auth method?  It shouldn't work like that... Your email client should send the password as CRAM-MD5 I believe...

tekM

Proteus wrote what I would've... how'd it work out with that change?  

Thanks proteus  :Smile: 

Quint

Hmm... something may be wrong with your init file?  Here's what mine looks like, and perhaps you can check yours to see if ours differ:

```

depend() {

        need net

        use logger dns

        provide mta

}

PIDFILE=/var/spool/postfix/pid/master.pid

start() {

        ebegin "Starting postfix"

        /usr/sbin/postfix start &>/dev/null

        eend $?

}

stop() {

        ebegin "Stopping postfix"

        /usr/sbin/postfix stop &>/dev/null

        eend $?

}

```

Other than that, I'm not sure what would cause that issue... If the problem is not that file, it's one of the dependencies that aren't reporting correctly...

BlueEar

Hmm... things might have changed... Perhaps you could add the necessary lines?  Maybe that'll work?

```

default_ca      = CA_default            # The default ca section

[ CA_default ]

countryName_default             = CA 

stateOrProvinceName_default     = Province

localityName_default            = City

0.organizationName_default      = Beowulf Inc. 

#1.organizationName_default     = World Wide Web Pty Ltd

#organizationalUnitName_default =

commonName_default              = Beowulf

emailAddress_default            = root@localhost

```

I've updated my Openssl, but config_protect kept my older conf file... Maybe you could try adding those lines and then generating it? 

--

Hope all this helps... sorry for taking so long again... i will try to be more prompt in my responses...
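Added example, not from the guide or from anyone in this thread: a simulation of how Postfix walks `smtpd_recipient_restrictions` for a given client, so you can see what the change suggested to taskara above actually does. Postfix tries the restrictions left to right, the first one that permits or rejects decides, and a list that runs out permits. With `permit_mynetworks` in the list, any host inside `mynetworks` relays to anywhere without authenticating; with it removed, only SASL-authenticated clients relay, while mail addressed to your own domains is still accepted from anyone (that is what `check_relay_domains` is for, and it is modelled here only by its recipient-domain test; the real restriction also permits clients whose hostname lies in `relay_domains`). Networks and domains are constructed placeholders.

```python
"""Simulate smtpd_recipient_restrictions evaluation (added example)."""
import ipaddress

# Constructed values in the shape used throughout the thread.
MYNETWORKS = ["192.168.2.0/24", "127.0.0.0/8"]
RELAY_DOMAINS = ["home.example"]   # the guide sets relay_domains = $mydestination

# Before: any LAN host relays without authenticating.
RESTRICTIONS_BEFORE = ["permit_sasl_authenticated", "permit_mynetworks", "check_relay_domains"]
# After: only SASL-authenticated clients relay; mail for our own domain is still accepted.
RESTRICTIONS_AFTER = ["permit_sasl_authenticated", "check_relay_domains"]


def in_mynetworks(client_ip, mynetworks=MYNETWORKS):
    """True when the client address falls inside one of the mynetworks CIDRs."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in mynetworks)


def is_our_domain(recipient, relay_domains=RELAY_DOMAINS):
    """True when the recipient's domain (or a subdomain) is one we relay for."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in relay_domains)


def evaluate(restrictions, client_ip, sasl_authenticated, recipient):
    """Return (verdict, reason). Restrictions are tried in order; the first one
    that permits or rejects wins, and an exhausted list permits."""
    for r in restrictions:
        if r == "permit_sasl_authenticated" and sasl_authenticated:
            return ("permit", r)
        if r == "permit_mynetworks" and in_mynetworks(client_ip):
            return ("permit", r)
        if r in ("check_relay_domains", "reject_unauth_destination"):
            if is_our_domain(recipient):
                if r == "check_relay_domains":
                    return ("permit", r)
                continue        # reject_unauth_destination only declines to reject
            return ("reject", "Relay access denied")
        if r == "permit":
            return ("permit", r)
        if r == "reject":
            return ("reject", r)
    return ("permit", "end of list")


if __name__ == "__main__":
    cases = [("192.168.2.10", False, "friend@aol.example"),    # LAN box, no auth, external rcpt
             ("203.0.113.5", False, "friend@aol.example"),     # Internet host trying to relay
             ("203.0.113.5", False, "me@home.example"),        # inbound mail for us
             ("203.0.113.5", True, "friend@aol.example")]      # roaming user, authenticated
    for name, rules in (("before", RESTRICTIONS_BEFORE), ("after", RESTRICTIONS_AFTER)):
        for ip, auth, rcpt in cases:
            print(name, ip, "auth" if auth else "noauth", rcpt, "->", evaluate(rules, ip, auth, rcpt))
```

The evaluation order also explains why a relay test from the LAN is not meaningful while `permit_mynetworks` precedes `check_relay_domains`: the client is permitted before the recipient domain is ever looked at.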

----------

## tekM

> smtp_sasl_password_maps = hash:/etc/postfix/saslpass

I thought that was only for relaying to an external ISP etc.???  Is that hash etc required if you just want a standalone smtp server?  In the guide, when you created saslpass you put your isp domain, user, and pass.  If I'm doing a standalone setup, what should I put in there?

Also, I can't get external hosts to authenticate via sasl (using outlook express).  So, my guess is that I've definitely got a sasl issue.  The server is denying them the relay though thankfully.

Thanks  :Smile: 

----------

## beowulf

 *tekM wrote:*   

> smtp_sasl_password_maps = hash:/etc/postfix/saslpass
> 
> I thought that was only for relaying to an external ISP etc.???  Is that hash etc required if you just want a standalone smtp server?  In the guide, when you created saslpass you put your isp domain, user, and pass.  If I'm doing a standalone setup, what should I put in there?
> 
> Also, I can't get external hosts to authenticate via sasl (using outlook express).  So, my guess is that I've definitely got a sasl issue.  The server is denying them the relay though thankfully.
> ...

 

In section 3.3 of the postfix section, we created a file which holds the authentication information that a client would use to connect to the smtp server.  This information is used when you want to send email.... Here's how it works:

Outlook -> sasldb2 [3.3] -> Postfix -> saslpass[3.2] -> Internet SMTP server -> Internet

Now, if you're doing a standalone server... where you want to skip the Internet SMTP server... IE:

Outlook -> sasldb2 [3.3] -> Postfix -> Internet

...Then i don't really know... I don't have a name server running, don't have mx records, so i could never test this out...

----------

## taskara

 *beowulf wrote:*   

> 
> 
> taskara
> 
> Sending without auth works: Try changing this line in your main.cf and see if it solves it:
> ...

 

I changed that file in my main.cf but it made no difference.

I can still send emails through my mail server without auth (even from my machine at work). I can also still send an email with Auth (and NO TLS). I can send an email with TLS (and NO auth).

I basically want to make sure people NEED auth or it won't send. At the moment it is sort of the opposite!  :Wink: 

could you do me a favour, telnet to port 25 on your mail server and type 

```
EHLO [servername]
```

and post the results? I would like to compare them to mine.

Here is an example from my server:

 *Quote:*   

> root@server chris # telnet localhost 25
> 
> Trying 127.0.0.1...
> 
> Connected to localhost.
> ...

 

thanks!

----------

## tekM

I've been doing a bunch more research, and it seems that all I need to do is have sasl working in PLAIN auth mode.  Which should be ok since I'm using TLS.  This makes sense because if I tell KMail to use PLAIN + TLS for smtp auth it fails telling me that PLAIN is not supported on my smtp server.  So basically I have to figure out how to add/turn on PLAIN support.

Anyone have any ideas on this?

----------

## Proteus

Here is my output when I telnet into the server and EHLO it:

 *Quote:*   

> telnet 192.168.0.10 25
> 
> Trying 192.168.0.10...
> 
> Connected to 192.168.0.10.
> ...

 

I don't see a difference though...

----------

## tekM

Ok, here is where I'm at now.  I've disabled TLS altogether for the moment to work on my sasl problems.  From a remote site with Kmail config'd to use smtp auth, I've got encryption set to none and plain.   Here is what I get:

Sending failed:

One of the recipients was not accepted.

The server responded: "<my@email.com>: Recipient address rejected: Relay access denied "

Here is my current main.cf:

```
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
inet_interfaces = $myhostname, localhost
mydestination = $myhostname, localhost.$mydomain, $mydomain
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
home_mailbox = .maildir/
relay_domains = $mydestination
mynetworks = 192.168.2.0/24,127.0.0.0/8
#smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
#smtpd_tls_key_file = /etc/postfix/ssl/newreq.pem
#smtpd_tls_cert_file = /etc/postfix/ssl/newcert.pem
#smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
#smtpd_tls_loglevel = 3
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
```

----------

## Proteus

This is my main.cf: *Quote:*   

> 
> 
> queue_directory = /var/spool/postfix
> 
> command_directory = /usr/sbin
> ...

 

----------

## Bangz

edit.

----------

## Bangz

Is it possible to extend the current guide (or tell me how) to actually make the server a fully fledged mail server?

It's working awesome at the moment, the local server is d'l the messages without a problem, the workstations d'l the email from the local server and they also send through the local server, which then forwards it to my ISP.

How can I extend this to make my local server an actually mail server which can by itself accept emails for the local box?

----------

## Proteus

I would assume (someone has previously stated such behaviour in this thread) that the server is already capable of receiving mail by itself. All you need is a valid MX-DNS-record. Some dyn-ip services offer it, I believe.

I am not sure how one can change the server's behaviour to not use your isp's smtp server, however.


I, too, would like to know a lot more about postfix as a full-fledged mail server. But tutorials/docu for that stuff is either hard to find or hard to understand or both...

----------

## Bangz

I got it working as a "fully fledged Mail server".

Today I spent time configuring my DNS and getting it going.  Set up my MX record and everything in BIND, then I tried to send an email to myself (bangers@mail.home.threeten.com) and it was rejected.  "recipient is myself" error. 

So I added mail.home.threeten.com into mydestination variable in main.cf, and it has worked fine!

Cheers

----------

## Proteus

Great that you made it working!

----------

## DanWSB

This is almost working perfectly for me, bravo! My only problem comes when I try to access my IMAP server via Outlook Express. I get the following error:

"PLAIN authentication failed. None of the authentication methods supported by your IMAP server (if any) are supported on this computer." -- yet Thunderbird under Win works fine.

So I'm unsure as to where I'm going wrong. Could someone point me in the right direction?

----------

## glamdringlfo

Dudes,  excellent guides, one and all.

Beowulf:

The main guide was very helpful.  It took me several tries to get things goin, and I'm still trying to make sure that fetchmail and procmail are doing what I want.  But the squirrelmail part went up without a hitch, as did the courier-imap part, and the postfix (I had tried several times in the past to get postfix going, to no avail).

Chris:

I have high hopes for the bogomail thing...it looks like it works, I just haven't received any spam to check it with yet!

Proteus:

Same to you.  Everything appears to be working fine, it's just a matter of time before I train all the spamfilters (and I get tons of SPAM, so that shouldn't take too long).

-----

A few suggestions:

It might be worth while to spend some time constructing different examples for the main guide.  I found myself scratching my head several times to figure out which username I should use for which setting (since mine are all different, and yours are all the same), but eventually I think I got it figured out.

I had one or two more, but my brain is mush, so I'll post them later if I think of them.

Still, it is an excellent guide, and following it very carefully, works fine for me (like I said, I think I broke procmail and fetchmail, but I can't think too hard right now so I'll have at it again later, and post the results).

I'm still trying to get mail sending to work, but I'm in a somewhat different situation.

My workstation connects to the net through a router box running slackware (my goal is to replicate this setup on that box as soon as I can figure out how), so I naturally did everything on my gentoo box, but that made some things weird, what with the hostname config and all.  I think I've got that ironed out, once I made sure to forward the appropriate ports through the firewall to my box.  

The only flaw in my setup now is that I have to use Windows XP several times a week to work with high-powered (and high cost) audio apps for which I haven't found Linux equivalents.  I want to be careful that I don't get important mail stranded between OSes, so if I can get the imap thing w/ fetchmail going on the router box (so I can access it in either linux or windows, or from any outside host (eg at work)) I will be a *VERY* happy camper.  

But this guide will be indispensable in that venture, I think, because of the excellent configuration file walk-throughs.

Once again, thank you.

Skal!

Glamdringlfo

----------

## glamdringlfo

OK, so I feel pretty dumb.  

The reason that procmail/fetchmail wasn't working was that I had a typo in my .procmailrc.

Oh yeah, and I forgot to turn on cron.  

Anyway, the receiving seems to be going good now, and I'm training the filters, so they should start kicking in (they add their tags to the message headers, they just don't know about spam yet) soon.

Now it's just the outgoing mail (and hopefully, after that, receiving mail locally from outside).  Hopefully it'll be as simple and stupid as the above, but not likely.  We'll see.

Good luck.

Skal!

Glamdringlfo

----------

## puddpunk

Hey man,

Thanks for posting here, and those suggestions I'm sure won't have fallen on deaf ears *pokes beowulf*.

Personally, I've used this guide to install 4 actual mailservers (i.e. central servers) for households with 4 and greater people. Great work!

----------

## -leliel-

Hi,

everything works fine now, after a lot of time spent working on the mailserver ... instead of sending mails.  :Sad: 

Mails are sent fine, but not bounced through my internet smtp server.  :Sad: 

This is a spamassassin-header from my own mails sent to myself:

 *Quote:*   

> X-Spam-Status: No, hits=2.7 required=7.5
> 
> 	tests=AWL,RCVD_IN_NJABL,RCVD_IN_OSIRUSOFT_COM,
> 
> 	      USER_AGENT_ENTOURAGE,X_OSIRU_OPEN_RELAY
> ...

 

```
X_OSIRU_OPEN_RELAY (2.9 points)  RBL: DNSBL: sender is Confirmed Open Relay
RCVD_IN_NJABL      (0.9 points)  RBL: Received via a relay in dnsbl.njabl.org
                   [RBL check: found 14.203.224.217.dnsbl.njabl.org., type: 127.0.0.3]
RCVD_IN_OSIRUSOFT_COM (0.6 points)  RBL: Received via a relay in relays.osirusoft.com
                   [RBL check: found 102.168.160.217.relays.osirusoft.com.]
```

My internet smtp server is a trusted mailserver, not an open relay, so the open relay must be my own local mailserver. What's wrong??

This is very urgent, 'cause some companies don't accept my mails.  :Sad: 

thanks a lot

----------

## dr_strange

Help me please, all of a sudden my IMAP server does not recognize my system username and/or password. AFAIK I have not changed any conf files or anything. I have tried to restart courier-imap-ssl and authdaemond, to no avail. What can I do?

----------

## Weejoker

Hi,

I'm having a few problems with stage 3.3:

```
weejoker root # echo "pwcheck_method: sasldb" > /usr/lib/sasl2/smtpd.conf 

weejoker root # cat /usr/lib/sasl2/smtpd.conf 

pwcheck_method: sasldb

weejoker root # rm /etc/sasl2/sasldb2

weejoker root # saslpasswd2 -c -u localnet -a smtpauth weejoker

Password: 

Again (for verification): 

weejoker root # /usr/sbin/sasldblistusers2 

weejoker@localnet: userPassword
```

As you can see I'm missing the first line when compared to beowulf's guide:

```
root@server # /usr/sbin/sasldblistusers

beowulf@beowulf.bounceme.net: cmusaslsecretOTP

beowulf@beowulf.bounceme.net: userPassword
```

Can anyone point me in the correct direction as how to solve this problem?

Cheers,

John

----------

## peje

First, thanks for this howto. I can't get bogofilter to work.

When I want to run bogotrainer I just get:

```
bash-2.05b# su peje
bash-2.05b$ ~/bin/bogotrainer
  File "/home/peje/bin/bogotrainer", line 15
    if dir[len(maildir):len(maildir) + 5] == ".Spam":
     ^
IndentationError: expected an indented block
bash-2.05b$
```

Any hints?

----------

## jhboricua

Guys, I'm not perfectly clear on this after reading all the thread so I'll ask.

I have my own domain and I don't want to relay to my ISP's smtp server but to send it directly from my box.  I still want to be able to authenticate from outside my network.  How does that affect steps 3.2, 3.3 and 3.4?

----------

## EugeneTSWong

Thanks for the documentation. I must admit, that I haven't tried it yet, & I did find much of this very confusing, but we'll have to see how it works.

I suggest that some people go through the entire thread, & edit out any redundant material. I find that it is very difficult to read through 7 pages.

----------

## numerodix

Brilliant guide!!

I managed to get some basic functionality working, I can connect to imaps, I can send mail through postfix unencrypted. But I can't get the TLS to work. At first the logs indicated there was something wrong with my certificates, I made sure all the entries were present (country, location etc), now that message doesn't come up anymore. Instead I get this:

```
Sep 22 22:56:12 [postfix/smtpd] starting TLS engine

Sep 22 22:56:12 [postfix/smtpd] connect from unknown[10.0.0.9]

Sep 22 22:56:12 [postfix/smtpd] disconnect from unknown[10.0.0.9]

```

It's a home network and I'm doing this through the root account on the server. I've never tried ssl with smtp before so I assumed all I had to do was check for "use ssl" in Outlook Express and send. I also have Norton running, which I tried turning off, but I keep getting this message:

```
The connection to the server has failed. Account: 'account-name', Server: '10.x.x.x', Protocol: SMTP, Port: 25, Secure(SSL): Yes, Socket Error: 10061, Error Number: 0x800CCC0E
```

[EDIT: ] { Still no luck with Outlook Express and Evolution but I did get smtp with ssl working in Kmail. In the account prefs, I click for "check what server supports" and I get tls and digest-md5 checked in the box. With those settings I can send mail. Evidently something does work after all, I just wonder what I need to get it working in other mail clients. Incidentally, I don't like kmail..  :Smile: }

[EDIT 2: ] {Wohoo, using "check for supported types" in Evolution, I managed to get it working, with ssl and digest-md5, as above. The only problem is that sending a message takes half an hour, while in kmail it takes an instant.}

Another thing is that the mail sent never goes through my ISP, I assume it should show in the mail header and it's not there. I'm unsure if there's an MX entry on the domain, which is dyndns.org supplied. I did define an ISP smtp as instructed.

Q. How do I get mail sent to be stored in the sent folder? Here it just seems to disappear.

----------

## dagarath

 *puddpunk wrote:*   

> Just one thing, I pull mail from a mailbox on my ISP (I'll have some examples later), the mailbox has 4 alias's pointing to it, so I want to split what i download from that mailbox into 4 different accounts (all have accounts on the linux server).
> 
> i.e. I have 4 linux users (with home dirs etc...) chris, russell, sue and steve. I have a main account, e.g. mainmail@isp.com. But my ISP has set it up so chris.rs@isp.com, russell.rs@isp.com, sue.rs@isp.com, steve.rs@isp.com gets dumped into mainmail@isp.com which I can download over POP3.
> 
> How can I configure procmail to split those 4 email addresses into 4 different mailboxes on the linux server?
> ...

 

It's much easier to use fetchmail to split this multidrop box out to the separate users.  You should read the fetchmail man page on multidrop boxes. 

```
set postmaster chris
poll isp.com:
    user mainmail with pass 123456 to 'steve.rs'='steve' 'chris.rs'='chris' 'sue.rs'='sue' 'russell.rs'='russell' here
```

You should be cautious with this setup in general because some messages may not have the appropriate headers to determine the recipient address.  Read the fetchmail man, it explains the dangers.  Usually bcc: mail will be difficult to split.  These messages will default to the postmaster user you have defined... that user can then set up procmail rules to redirect email to the correct person:

```
:0
* ^Delivered to: steve.rs@isp.com
! steve
```
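To make the failure mode above concrete, here is a simplified model of how a multidrop split decides where a downloaded message goes (an added example, not fetchmail's code and not from the post): envelope-style headers are trusted first, visible To:/Cc: addresses next, and anything that names no mapped address, such as Bcc'd mail, lands on the postmaster. The alias map mirrors the post; the messages are constructed.

```python
"""Model of multidrop recipient splitting with postmaster fallback (added
example, not fetchmail's own code). Alias map follows the post; messages
below are constructed samples."""
from email import message_from_string
from email.utils import getaddresses

# ISP alias -> local account, as in the fetchmailrc above (constructed).
ALIAS_MAP = {
    "steve.rs@isp.com": "steve",
    "chris.rs@isp.com": "chris",
    "sue.rs@isp.com": "sue",
    "russell.rs@isp.com": "russell",
}
POSTMASTER = "chris"  # 'set postmaster chris'

# Envelope-style headers are trusted first; visible To:/Cc: only after.
ENVELOPE_HEADERS = ("Delivered-To", "X-Original-To", "Envelope-To")
VISIBLE_HEADERS = ("To", "Cc", "Resent-To", "Resent-Cc", "Apparently-To")


def _mapped(msg, headers, alias_map):
    """Local users for every mapped address found in the given headers."""
    users = []
    for hdr in headers:
        for _, addr in getaddresses(msg.get_all(hdr, [])):
            local = alias_map.get(addr.lower())
            if local and local not in users:
                users.append(local)
    return users


def resolve_recipients(raw_msg, alias_map=ALIAS_MAP, postmaster=POSTMASTER):
    """Return (local_users, how) for one downloaded message."""
    msg = message_from_string(raw_msg)
    users = _mapped(msg, ENVELOPE_HEADERS, alias_map)
    if users:
        return users[:1], "envelope"  # one envelope recipient per copy
    users = _mapped(msg, VISIBLE_HEADERS, alias_map)
    if users:
        return users, "visible"
    # Bcc'd or list mail names no mapped address: it falls to the
    # postmaster, whose procmail rules (as above) must re-route it.
    return [postmaster], "postmaster"


# Constructed sample messages.
MSG_ENVELOPE = ("Delivered-To: steve.rs@isp.com\nTo: mainmail@isp.com\n"
                "Subject: t\n\nbody\n")
MSG_VISIBLE = ("To: chris.rs@isp.com\nCc: Sue <sue.rs@isp.com>\n"
               "Subject: t\n\nbody\n")
MSG_BCC = "To: undisclosed-recipients:;\nSubject: t\n\nbody\n"

if __name__ == "__main__":
    for raw in (MSG_ENVELOPE, MSG_VISIBLE, MSG_BCC):
        print(resolve_recipients(raw))
```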

----------

## dagarath

The tip that seems to be missing from this configuration guide for a home email server is how to sync your local system names with the email address your isp provides.   There are many occasions where you may want to use a different account name on your local server than the email name your isp uses.   You can configure this in the email client settings... but that may require configuring several user applications.   There's a simple config change you can make to postfix.

http://www.postfix.org/rewrite.html

Reference the Canonical address mapping

an entry like 

```
localuser@localdomain  luser@isp.com
```

for each of your home users, will automatically rewrite the outgoing addresses.  Other MTA's like sendmail and exim also support this feature, although the setup is different.

----------

## dstutz97

I have the same problem as Weejoker:

in my postfix logs: 

```
Sep 26 18:20:08 erma postfix/smtpd[2706]: warning: SASL authentication failure: no secret in database
```

Here's me adding user to sasldb:

```
erma root # rm /etc/sasl2/sasldb2

erma root # saslpasswd2 -c -u dstutz.com -a smtpauth dstutz

Password:

Again (for verification):

erma root # /usr/sbin/sasldblistusers2

dstutz@dstutz.com: userPassword
```

Which...is missing the "secret" entry from Beowulf's example:

```
root@server # /usr/sbin/sasldblistusers

beowulf@beowulf.bounceme.net: cmusaslsecretOTP

beowulf@beowulf.bounceme.net: userPassword
```

How do I get a that cmusaslsecretOTP entry???

Thanks

Dave

----------

## daha

great doc, thanks

----------

## dstutz97

Well...it's been a long day.  I got sasl to work, but it was completely by accident.  The guide here wasn't getting me completely up and running so I went googling and found this more detailed guide http://postfix.state-of-mind.de/patrick.koetter/smtpauth/index.html.  I left all the stuff installed like beowulf instructed, but basically started following the instructions for configs from this other howto.  I stopped getting "no secret in database" errors and progressed on to getting 

```
Sep 27 00:49:21 erma postfix/smtpd[2519]: warning: SASL authentication problem: unknown password verifier

```

  I was getting the same message using saslauthd or sasldb.  I then kinda gave up and on a whim changed my sasl auth method to PAM: 

```
erma root # cat /etc/sasl2/smtpd.conf

pwcheck_method: PAM

```

Magically it started working for me.  (I knew it was working because I removed my local lan from the relay config).  I logged into the work vpn for the hell of it and tried it from there and it worked as well.  My other roommate uses outlook 2002 and I wouldn't mind getting it working for him (outlook doesn't support CRAM-MD5 auth method like mozilla does).  If anyone has any suggestions for fixing the "unknown password identifier" I would appreciate it.

Dave

----------

## Weejoker

Okay, I managed to solve the problem with the "missing secret" and numerous SSL errors in the /var/log/mail/*  :Smile: 

```
[postfix/smtpd] < titus.localnet[192.168.0.2]: AUTH CRAM-MD5

[postfix/smtpd] smtpd_sasl_authenticate: sasl_method CRAM-MD5

...

[postfix/smtpd] > titus.localnet[192.168.0.2]: 235 Authentication successful

```

Here's what I changed:

Set commonName_default in the openssl.cnf to the FQDN of the mailserver

```
commonName_default              = weejoker.localnet
```

Change the /etc/sasl2/smtpd.conf and /etc/sasl2/smtpd-2.0.conf to: 

```
pwcheck_method:auxprop
```

When entering using the saslpasswd2 command, I set the user domain to the FQDN of the mailserver:

```
saslpasswd2 -c -u weejoker.localnet -a smtpauth test
```

(NOTE: The 'sasldblistusers2' command does not return any values indicating if the secret is present... only 'sasldblistusers' does this - you have to check in /var/log/mail/* to see if postfix can find the secret. The pwcheck_method of 'auxprop' also supersedes 'sasldb' in Cyrus-SASL-2.*. )

I don't know which one caused it to work, but I'm not going back to find out as it's working perfectly!   :Twisted Evil: 

John

----------

## dstutz97

If anyone cares....I just found out tonight that Mozilla builds for windows <1.4 do not support CRAM-MD5 authentication.  I had a user that had 1.3 and he was just getting a straight reject message and nothing about sasl or smtp auth showed up in the logs.  I upgraded him to 1.5-rc2 and it works great now.  I also tried on another user's 1.4 and it works fine as well. 

Weejoker: commonName_default is for a person's name, not the hostname of a machine.  

I would assume in your case that  *Quote:*   

> When entering using the saslpasswd2 command, I set the user domain to the FQDN of the mailserver:

  helped you get it working.  But, since I am by no means the expert on this...I'll just leave it at an assumption.

----------

## Weejoker

 *Quote:*   

> Weejoker: commonName_default is for a person's name, not the hostname of a machine. 

 

In my own experience with SSL & Apache 1.x.x servers, I had to set the commonName to the FQDN due to technical issues. The UNIX gurus at my place of work and the Apache documentation said this too at the time (www.snakeoil.com was the example I think). I don't know if this is applicable to SMTP servers though, so I could be hopelessly wrong.  :Smile: 

I'll try to verify each of my three "fixes" later however. and see what one made the difference.  :Smile: 

John

----------

## Weejoker

I can confirm that setting the realm/domain in saslpasswd2 to the FQDN of the server was the solution to the "missing secret" and SSL problems. Thanks to dstutz97 for helping me clarify this.  :Very Happy: 

(I set the openssl.cnf commonName to a random word and regenerated the *pem's and then set /etc/sasl/smtp*.conf to "sasldb" for pwcheck_method, to ensure the above was the correct solution.)  

Could someone please add this to the guide (as an alternative)?

John
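The realm mismatch John confirmed is easy to check for mechanically. This added example (not from the thread) parses a sasldblistusers2 listing and flags entries stored under a realm other than the one Postfix will query: smtpd_sasl_local_domain if set, otherwise the server name Postfix hands to Cyrus SASL, myhostname, which defaults to the FQDN that 'hostname -f' prints. The listing below is constructed.

```python
"""Added example (not from the thread): spot sasldb2 entries whose realm
differs from the one Postfix/Cyrus SASL will look up, the usual cause of
'no secret in database'. Sample listing is constructed in the format
sasldblistusers2 prints."""
import re
import socket

ENTRY_RE = re.compile(
    r"^(?P<user>[^@\s]+)@(?P<realm>[^:\s]+):\s*(?P<prop>\S+)$")


def parse_listing(text):
    """Map (user, realm) -> set of property names, e.g. {'userPassword'}."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            key = (m.group("user"), m.group("realm"))
            entries.setdefault(key, set()).add(m.group("prop"))
    return entries


def lookup_realm(local_domain="", myhostname=None):
    """Realm searched: smtpd_sasl_local_domain if set, else myhostname
    (Postfix's default for it is the FQDN, hence socket.getfqdn())."""
    return local_domain or myhostname or socket.getfqdn()


def realm_mismatches(listing, realm):
    """Entries a login as plain 'user' (no user@realm) can never match."""
    return sorted(
        f"{user}@{r}" for (user, r) in parse_listing(listing)
        if r.lower() != realm.lower()
    )


# Constructed: the 'localnet' entry reproduces the failing case from the
# thread; the second one uses the server's FQDN as realm and is fine.
SAMPLE_LISTING = """\
weejoker@localnet: userPassword
test@weejoker.localnet: userPassword
"""

if __name__ == "__main__":
    realm = lookup_realm(myhostname="weejoker.localnet")
    print("looking up secrets under realm", realm)
    for entry in realm_mismatches(SAMPLE_LISTING, realm):
        print("unreachable entry:", entry)
```

On a live box, feed it `sasldblistusers2` output and the realm from `postconf -h smtpd_sasl_local_domain myhostname`; a client that sends `user@realm` explicitly can still reach a flagged entry, so only plain-username logins are affected.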

----------

## bernd

hi,

I have a problem connecting to my smtp server via tls. This is what /var/log/mail.info says:

```
TLS connection established from neo.bernd.bounceme.net[192.168.0.2]: TLSv1 wi$
Sep 28 23:39:31 morpheus postfix/smtpd[2192]: warning: SASL authentication failure: no secret in database
Sep 28 23:39:31 morpheus postfix/smtpd[2192]: warning: neo.bernd.bounceme.net[192.168.0.2]: SASL DIGEST-MD5 authentication $
Sep 28 23:39:32 morpheus postfix/smtpd[2192]: disconnect from neo.bernd.bounceme.net[192.168.0.2]
```

I set up the database as described in 3.2 of the howto (I followed it as it is described), but I can't connect via tls. 

There is one little difference. 

/usr/sbin/sasldblistusers2 shows in the guide:

```
root@server # /usr/sbin/sasldblistusers
beowulf@beowulf.bounceme.net: cmusaslsecretOTP
beowulf@beowulf.bounceme.net: userPassword 
```

In my case it is:

```
morpheus root # sasldblistusers2
bernd@bernd.bounceme.net: userPassword
```

so there is cmusaslsecretOTP missing.

Can anybody help me??

(!!Sorry for my bad English!!)

Bernd

----------

## dstutz97

You are having the same problem a lot of others and myself were having.  I worked around it by using PAM(CRAM-MD5) as the sasl authentication method and not sasldb(PLAIN).  Obviously you need to have PAM support compiled in.  I did so much trying to get it work I'm not sure if anything else would have to get modified but that setting, but the two guides I was working off of were both trying to accomplish the same thing, using sasldb.  I never found out why the secret wasn't getting generated and Beowulf hasn't been back to comment yet.

```
root@erma dstutz # cat /etc/sasl2/smtpd.conf

pwcheck_method: PAM

mech_list: CRAM-MD5 
```

pwcheck_method is just changed from sasldb to PAM and the mech_list limits the possible authentication methods to just PAM/CRAM-MD5.  You don't need the mech_list option, I just used it cause none of the other methods work for me so why even allow them.  Here's my EHLO output:

```
250-PIPELINING

250-SIZE 10240000

250-ETRN

250-AUTH CRAM-MD5

250-AUTH=CRAM-MD5

250 8BITMIME
```

NOTE: You'll notice the VRFY command is missing from what you'll probably see yourself.  I turned it off for security reasons.  If you want to it's easy, just put disable_vrfy_command = yes into your main.cf for postfix and run postfix reload.

As I said...at this point I'm not sure if all you need to try is just switching the pwcheck_method, but I wouldn't mind knowing if following Beowulf's directions except for this setting will work.  I worked on getting this functioning correctly so much I don't know how to do it from scratch and arrive where I am now cleanly.

Good Luck

Dave

----------

## huhny

Hi!

Great work!

When I start the courier-imapd-ssl daemon I get this error:

```

root@mrsaug / # /etc/init.d/courier-imapd-ssl start

 * Starting authdaemond.plain...

/usr/lib/courier-imap/authlib/authdaemond.plain: line 1: syntax error near unexpected token `entry,'

/usr/lib/courier-imap/authlib/authdaemond.plain: line 1: `fields_cmp(entry, dict_index_get_n_unique(index));'          [ !! ] 

 * ERROR:  Problem starting needed services.

 *         "courier-imapd-ssl" was not started.

```

What's wrong? I can't find my mistake?

Thx for help!

Bye,

Huhny

----------

## beowulf

Email System For The Home Network

For Gentoo Linux

Beowulf <beowulf_agate AT imap DOT cc>


-----------------------------------------------------------

I've hit the maximum allowed characters in the mysql database per post.  This is the continuation of the front page:

https://forums.gentoo.org/viewtopic.php?t=56633

-----------------------------------------------------------

11. Troubleshooting

So something went wrong.... Can't figure out what it is?  This section will increase as problems arise with the new version2 of this guide.

11.1 Version?

As I have learned from the beginning of this guide, software updates can make a guide worthless.  You'll notice in section 1.3 I list the software versions I have tested this set up on.  When software updates, it causes problems.  One such problem was SASL, which changed the way the CMUSecret worked.  In short, check and see if a different version of software is the reason why something isn't working.

11.2 Hostname Problems:

It seems different software reads the hostname from different places.  Please make sure that your /etc/hosts file is up to date and holds the appropriate lines.  Here's mine for comparison:

```
root@server # cat /etc/hosts
127.0.0.1       localhost
192.168.2.2     Chimera.apparition.ath.cx               Chimera
192.168.2.3     Illusion.apparition.ath.cx              Illusion
```

Another possibility is to check these files:

```
root@server # cat /etc/hostname && cat /etc/dnsdomainname && cat /etc/nisdomainname
root@server # rc-update add domainname default
root@server # /etc/init.d/domainname start
```

We've started a service that will set your domainname based on what is held in those three files.  You can test what your FQDN is by entering this command:

```
hostname -f
```

11.3 Checking Your Logs:

Most logging facilities offered by Gentoo log by default all mail error/info/warnings.  If not, read up on how to set it up so it does as the logging is priceless.  I recommend reading the Gentoo Security Guide found by clicking here

11.4 Restarting Servers:

Although it may seem obvious, occasionally people do forget to restart their servers after making changes.  Not only that, but occasionally a restart isn't enough and you must actually stop the server, then start it over again.  I ran into problems using the command "# postfix reload" where it would not re-read my config file changes.  I had to stop the server, then restart it.  Weird eh?

11.5 Re-checking Config Files:

Occasionally after looking at a very large page of text, your eyes jump lines, occasionally reading the same line more than once.... or is that just me?  In any case, I've tried to make the config file setups as detailed as possible.  If nothing is working, and you can't figure it out, double check your config files, see if they match mine, and where they differ, it should only be for personal reasons (IE: network, username/pass, etc).

11.6 Folders Not Showing Up In Email Client:

One problem that may exist is your subfolders which you have redirected email to using procmail are not showing up in your email client.  One option to look for is to subscribe to all folders.  Many email clients, even SquirrelMail require the user to specify which subfolders to subscribe to before they show the email there.  Also, keep in mind that the subfolders will be created by procmail when email arrives.  There's no need to maildirmake any directories aside from the main one (~/.maildir).

Another place to look is the file ~/.maildir/courierimapsubscribed.  If you open this file in a text editor you'll notice it has a list of your subscribed folders.  Simply add any folders you want in this file.  One such example:

```
user@server $ vi ~/.maildir/courierimapsubscribed
INBOX.gentoo
INBOX.gentoo-gwn
INBOX.gentoo-announce
```

Normally your email client will take care of this, but this is another place to look for errors.  Simply restart your courier-imapd-ssl server after editing this file and you're set.  Thanks to Fragbeestje for bringing this to our attention.

11.7 Can't Connect To Server:

There may be a number of reasons why your email client cannot connect to your server's SMTP or IMAP server.  Make sure you've opened the necessary ports in your firewall (25 for SMTP and 993 for IMAPS).  Also, check if you have an ALL:PARANOID in your /etc/hosts.deny.  Another place to look is if you're using (x)inetd.  If all this fails, netstat -a will show whether or not your server is listening on its ports.  If it isn't, you may have more serious problems than the server not listening, but rather a socket error.

11.8 Outlook Spitting Out Errors:

Outlook is fickle, for lack of a better word.  I have it working fine, and I'm confident that the setup I have described will work for you.  However, I have been proven wrong on more than one occasion.  One reason OE spits out errors is because of Norton Anti-Virus outbound email scanning.  If you are having problems sending email, either not connecting or errors in your logs, try disabling outbound scanning.  It's a known problem that can be researched on Google.

12. Resources

I used many resources found from all over the net in my attempts to create this system.  Hopefully I have left nothing out and perhaps these links can serve as a starting point for your email endeavours.

12.1 Acknowledgements

A special thanks to both Proteus and puddpunk for allowing me to present their work on the front page of this thread.  Their Spam solutions have helped flesh out this guide in becoming a single complete setup in a home email system.  I tip my hat to you guys  :Smile: 

My thanks to many people for their guides, as I have used their knowledge in assembling this one.  With help from the manual pages, the people replying in this thread (too many to list) and these resources:

 All who have replied in this thread with typos, requests for clarity, missing data and errors.

 Quick Start Guide to Mutt E-Mail

 Virtual Mailhosting System Guide

 Postfix SMTP Auth (and TLS) HOWTO

 Gentoo Linux Desktop Configuration Guide

 Gentoo Forums

Errors? Suggestions? Improvements? Additions?  Let me know about them!

Hope this helps!

----------

## beowulf

glamdringlfo: Thanks for the suggestions!  I hope the changes I made in this latest version has cut down on some of the confusion....

dagarath: I've been working through the guide and doing the rewrite stuff you suggested.  I agree, it is a great tip, thanks!  In the next version I'll have this added

Thanks Weejoker for the information regarding sasl's secret pass....

huhny: I guess the immediate question is have you tried re-compiling courier-imap?  I've never seen that error before....

---

About Outlook (and Express) - There is a problem it would seem, but I don't have a windows box to figure out why it isn't working.... MS and their MS-Standards is my guess.... I'll work on it and you can expect the next guide update to include the Outlook/Express setup guide... while I'm there I might also test Eudora... do window's users still use it? hehe

I'll be working on the guide some more, there's still the rewrite section that needs to be added, as well as outlook...

Again, any more suggestions, just send 'em to me... i'm all for them...  :Smile: 

Sorry for neglecting this post for so long....

----------

## Proteus

Ok... Suddenly problems appeared (I blame them on the new versions).

Imap access is fine but I cannot send mails (log into the smtp/postfix server).

This is from my /var/log/mail:

 *Quote:*   

> Oct 10 09:00:40 [postfix/smtpd] TLS connection established from unknown[192.168.0.2]: TLSv1 with cipher RC4-MD5 (128/128 bits)
> 
> Oct 10 09:00:41 [postfix/smtpd] warning: SASL authentication problem: unable to open Berkeley db /etc/sasl2/sasldb2: Permissi$
> 
> Oct 10 09:00:41 [postfix/smtpd] warning: SASL authentication failure: no secret in database
> ...

 

Does anyone know why this happens? I know I changed the sasldb2 permissions as described in the guide and created a user along with a password   :Sad: 

Also this is a problem with Kmail as well as with Outlook Express.

I also find the following error messages in /var/log/mail/current:

 *Quote:*   

> Oct 14 14:16:37 [postfix/smtp] warning: database /etc/postfix/saslpass.db is older than source file /etc/postfix/saslpass
> 
> Oct 14 14:16:37 [postfix/smtp] fatal: unknown service: smtp/tcp
> 
> Oct 14 12:16:38 [postfix/qmgr] warning: transport smtp failure -- see a previous warning/fatal/panic logfile record for the problem description
> ...

 

All these are new to me, too....

----------

## startaq

Works fine so far, but I get the following error when i try to send mail with Sylpheed-Claw:

```
ESMTP< 250-PIPELINING
ESMTP< 250-SIZE 10240000
ESMTP< 250-VRFY
ESMTP< 250-ETRN
ESMTP< 250-XVERP
ESMTP< 250-8BITMIME
** SMTP AUTH not available
SMTP> MAIL FROM: <someone@mail.com>
SMTP< 250 Ok
SMTP> RCPT TO: <someone@mail.com>
SMTP< 554 <localhost[127.0.0.1]>: Client host rejected: Access denied
** Error in SMTP session
```

Sending mail with SquirrelMail works without problems.

EDIT: Sending mail works when i add "permit_mynetwork" to the postfix main.cf, so it must be a problem related to sasl.

----------

## ba747heavy

Two things:

First, I have a question about bogomail.  After the bogomail script indexes all of the emails, and the spam dirs, is it ok to delete all of the .spam dir messages?

And, I was having a problem with the bogomail script fscking up on the courierimapkeywords directory, so I modified this portion of the code to fix it:

```
# Fragment of the bogotrainer script (Python 2); 'maildirs' is the list of
# Maildir++ folders built earlier in the script.
import os

try:
    for dir in maildirs:
        print "Registering ham messages from", dir
        hamlist = os.listdir(os.path.join(dir, "cur"))
        for ham in hamlist:
            hampath = os.path.join(dir, "cur", ham)
            print "- ", hampath
            os.system("bogofilter -n < " + hampath)
except (RuntimeError, TypeError, NameError, OSError):
    # os.listdir fails on non-folder entries such as courierimapkeywords
    print "Caught the booger"
```

I don't know if anyone else is having that problem(exits with an Error code 2, and OSError), so that fixes it  :Very Happy: 

----------

## at6

hey beowulf,

thanks a lot for this wonderful tutorial. now imap works perfectly together with postfix and squirrelmail. 

so keep on documenting   :Very Happy: 

bye marc

----------

## Proteus

@ba747heavy:

Yes, AFAIK the spam messages are no longer necessary when they have been indexed. They are only needed to build up a database with certain "spam-structures" and "spam-words". You can therefore delete them safely.

----------

## bruor

I've followed this guide to a T and it's great...   I can send mail locally and all works well... however,   I can only send mail to the outside world, I cannot receive it ...   here's where I think the problem exists 

in .fetchmailrc

```
set postmaster "bruor"

poll pop.cogeco.ca with proto pop3 auth password user "bruor" there with

password "password" is bruor here options warnings 3600
```

then when i try to run:

```
bruor@tivolinuxserver bruor $ /usr/bin/fetchmail -a -m "/usr/bin/procmail -d \%T"

1 message for bruor at pop.cogeco.ca (882 octets).

reading message bruor@pop.cogeco.ca:1 of 1 (882 octets) sh: -c: line 1: unexpected EOF while looking for matching `''

sh: -c: line 2: syntax error: unexpected end of file

fetchmail: SIGPIPE thrown from an MDA or a stream socket error

fetchmail: socket error while fetching from pop.cogeco.ca

fetchmail: Query status=2 (SOCKET)
```

Of course the password is my real email acct password, while bruor is a user on the box that I would like all my email to be pulled in under... 

That's only half of the problem...  I'm pretty sure the other half of it is because cogeco is blocking inbound smtp, but though I can send out from bruor@techgeeks.no-ip.org, if I reply to the address I get no errors and also no email...   could they be bit bucketing it? 

thanks in advance for any help

----------

## cripwalk

Thanks for the guide.  Before I attempt to tackle this I just had a quick question. 

In section 3.2 You said

```

root@server # vi /etc/postfix/saslpass

smtp.isp.com            beo739:rsmtp-pass 

```

My ISP's smtp server does not use authentication or ssl.  Since I have no username or pass would i want to do something like this?:

```

root@server # vi /etc/postfix/saslpass

smtp.isp.com            :

```

Or would I not want to use sasl at all for this step, and if not any ideas?

thanks in advance

----------

## beowulf

Proteus: I would check what you have set for your hostname and domain for that server, assuming you entered a fqdn in section 3.3 of the sasl user set up.  If however the problem is still there, let me know and I'll try to figure out what's going on...

startaq: Yes, it's definitely a sasl issue with authenticating against the sasldb.  Did section 3.3 of the guide insert a sasl secret?  Did the logs complain about the lack of such a secret or db error as seen in Proteus' log snippet?  In any case, with the permit_mynetworks flag set, you won't need to authenticate to your smtp server.  If you have mynetworks set to an internal IP range you'll be fine though.

ba747heavy: Hmm... to tell you the truth, i don't fully understand the bogofilter script myself.... i'd contact puddpunk for help on that one.....

bruor: Try running the command without the backslash.  The backslash was added in to help prevent cron from choking on the line.... It still does and I've offered an alternative in the guide.... 

Try this command:

```
/usr/bin/fetchmail -a -m "/usr/bin/procmail -d %T"
```

cripwalk: Hmm, unfortunately I can't test that setup.... i have no idea how sasl will react with such a setup.  That said, I do know postfix has a feature that will allow you to relay to another smtp server without authentication.  Sasl was brought in because postfix can't relay to a smtp server that requires authentication.  I would check the examples in /etc/postfix/examples/ for more information on relaying.  Again, I can't test this with you, so you'll have to forgive my answer lacking any useful help....

----------

## marienZ

 *cripwalk wrote:*   

> 
> 
> My ISP's smtp server does not use authentication or ssl.  
> 
> 

 

Same here. I just left out the sasl bits for sending mail, and it seems to work so far. I've also added

```
relayhost = mail.my-isp.com
```

Without this line postfix contacts the destination server directly, instead of relaying through my isp's mailserver. I hope relaying through my isp will cause my mails to not be considered spam.

Now I just have two more things to figure out: why I can't log in to squirrelmail (most likely a typo somewhere), and if it is possible to use an encrypted connection to my isp's smtp server even though I don't have to login (so my mails don't go from here to the isp in cleartext)

[edit: squirrelmail works. One thing to go.]

I've also found another little program which integrates nicely with this setup: gotmail. Gotmail is basically fetchmail for hotmail accounts. To use it, emerge gotmail, then edit as non-root:

~/.gotmailrc

```
# gotmailrc: settings for gotmail
username=myhotmailaccountname
password=mypassword
domain=hotmail.com
# only download mail labeled "new" on the hotmail server
only-new
# use procmail to deliver to the right mailbox
use-procmail
# max. number of retries when fetching a message fails
retry-limit=3
# don't output every action
silent
# delete messages after downloading them
# this only deletes messages downloaded by gotmail, not others
# that are on the server
delete
```

Then add a recipe like this to your ~/.gotmailrc if you like:

```
:0:
* ^X-gotmail-user: \/.*
.IN-hotmail-$MATCH/
```

This puts all mail sent to myaccount@hotmail.com in local mailbox IN-hotmail-myaccount. Might be useful if you use gotmail on more than one hotmail account.

To test if it all works, just run gotmail from the command line:

```
$ gotmail
```

Finally, automate it by putting something like this in your crontab:

```
*/5 * * * * gotmail
```

to run gotmail every 5 minutes.

Perhaps this is useful to someone  :Wink: 

----------

## Proteus

Ok beowulf, I tried it again from the first step on, including re-emerging. Now it still does not work. I have used the FQDN of this computer (helios.liquid.net). This is my log again:

 *Quote:*   

> Oct 30 20:13:39 [postfix/postfix-script] starting the Postfix mail system
> 
> Oct 30 20:13:39 [postfix/master] daemon started -- version 2.0.16
> 
> Oct 30 20:13:39 [postfix/qmgr] CC460201540: from=<>, size=2969, nrcpt=1 (queue active)
> ...

 

mail@adress.de is the masked address to which I wanted to send an email.

The bolded line is something I find very suspicious but don't know how to interpret or solve.

I am slowly getting desperate. Please help.   :Crying or Very sad: 

Here are the versions of the programs I am using, maybe you could compare yours with mine. Maybe we find a show-stopper:

 *Quote:*   

> USE="ssl pam nls maildir sasl gdbm berkdb -mysql -ldap -mbox -postgres -kerberos -java -static" emerge courier-imap cyrus-sasl fetchmail postfix procmail -pv
> 
> These are the packages that I would merge, in order:
> 
> Calculating dependencies ...done!
> ...

 

----------

## beowulf

marienZ:

Glad to hear most of it's working.... to use an encrypted connection to your ISP's SMTP server, assuming they support it, I think you need to edit /etc/postfix/master.cf and uncomment the smtps line so that it reads similar to this:

```
smtps    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
```

As far as I can see, this would be a good place to start.... however, I can't test it so this is just a guess.... take it for what it's worth...

Proteus:

Hey, you're running unstable I think?  My software appears to be a few revisions behind yours.... 

```
USE="ssl pam nls maildir sasl gdbm berkdb -mysql -ldap -mbox -postgres -kerberos -java -static" emerge courier-imap cyrus-sasl fetchmail postfix procmail -pv

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] net-mail/courier-imap-1.7.3-r1  -ipv6 +gdbm -ldap +berkdb -mysql +pam +nls -postgres
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.14  +gdbm +berkdb -ldap -mysql -kerberos -static +ssl -java +pam
[ebuild   R   ] net-mail/fetchmail-6.2.3  +ssl +nls -ipv6
[ebuild   R   ] net-mail/postfix-2.0.11  +ssl -mysql +sasl -ldap -ipv6 +maildir -mbox
[ebuild   R   ] net-mail/procmail-3.22-r6
```

I checked a few changelogs but couldn't see anything that may have caused the problems.....  

A few things that have come to mind:

```
# netstat -lp | grep :smtp
tcp        0      0 Chimera.beowulf.bounceme.net:smtp *:*                     LISTEN      11655/master
tcp        0      0 localhost:smtp          *:*                     LISTEN      11655/master
```

If you don't have two lines there (only the localhost:smtp line is there), something is wrong with your FQDN and it's not being recognized by postfix.  If this is the case, I'd try explicitly telling postfix what your fqdn is...

Another place to check would be /etc/postfix/master.cf as that controls the actual postfix daemon.

----------

## Proteus

Beowulf: Yes, I was running stable and when it didn't work I tried switching to unstable but with the same results. I am currently emerging back a stable system again. Will try again with setting the FQDN manually when that's done.

The other question is: Why should/could postfix have problems with my FQDN - I have set it as described in the Gentoo install docs and it is shown correctly everywhere as far as I can see....

----------

## beowulf

Not sure why.... But from what I understood (albeit very little) from your logs you have a network problem.  Postfix is having trouble with the sockets... so it was only the first thing that popped into my head....

Also, I just saw your mysql socket problem.... I wonder if these two things are related to a more serious matter than just daemons not working?

Hopefully everything works after you re-emerge your system....

----------

## Proteus

I thought about a connection between my mysql installation failing and postfix not being able to run, too. However, no one seems to know what the problem really is or how to fix it.

It seems I am always experiencing the problems no one else has...  :Sad: 

----------

## Proteus

!EDIT!

It is still not working. (I thought it was and posted it here.) I was tired last night and tested it from my notebook - but it is configured to send mail directly through my isp. When I try it using my own "mail server" it still gives the same errors as before. This is what I have done in the meantime:

I emerged back to stable and "hardcoded" my FQDN into main.cf.

There might be some error either in my gentoo system or in this guide:

In stage 2.1 is this:

 *Quote:*   

> root@server # vi /etc/dnsdomainname 
> 
> beowulf.bounceme.net 
> 
> root@server # vi /etc/hostname 
> ...

 

However when I repeat those steps (using cat instead of an editor to better show the results) I get this:

 *Quote:*   

> helios / # cat /etc/dnsdomainname
> 
> liquid.net
> 
> helios / # cat /etc/hostname
> ...

 

So actually my system seems to think its FQDN is just "helios" instead of "helios.liquid.net". This seems to have something to do with a change to baselayout that is long history now. Before that change (in 1.4rcx times) I think the FQDN was configured completely in /etc/hostname; today it is split into 2 files, /etc/dnsdomainname and /etc/hostname, each containing just a part of the FQDN.

Have I done something wrong while installing? (I checked the installation instructions but noticed nothing wrong.) Do I have to live with hardcoding the FQDN in main.cf? Is something wrong with the current baselayout? Any hints are greatly appreciated.

(I know that the example in this guide uses "hostname" to actually set the hostname rather than just show it. However, that change is not permanent this way. And I think that it is described a bit irritatingly; I think beowulf just wanted to show the output of "hostname", not set it. In that case there is a missing End-of-Line in that example.

As always, correct me if I am wrong.)

----------

## Proteus

Ok, I just keep posting what I am doing:

I completely cleaned my system from everything postfix related and started from scratch, then re-emerged postfix and configured it.

It seems to be able to run now (socket problem seems to be solved).

 *Quote:*   

> netstat -al
> 
> Active Internet connections (servers and established)
> 
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> ...

 

However I still cannot send mail via postfix, here is what the log tells me:

 *Quote:*   

> Nov  4 15:00:59 [postfix/smtpd] TLS connection established from unknown[192.168.0.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)
> 
> Nov  4 15:00:59 [postfix/smtpd] warning: SASL authentication problem: unable to open Berkeley db /etc/sasl2/sasldb2: Permission denied
> 
>                 - Last output repeated twice -
> ...

 

I have tried everything in this thread to solve this problem as it seems to be common somehow. Will repeat all that again but right now it still gives me that error.

----------

## paulfl

I'm at step 3.2 and can't get this to work

```
root@server # /usr/sbin/postmap hash:/etc/postfix/saslpass
```

I get this error

```
newaliases: fatal: file /etc/postfix/main.cf: parameter mail_owner: unknown user name value: postfix inet_interfaces = "my FQDN", localhost  mydestination = "my FQDN", localhost."my domain"

```

Any ideas?

thanks

----------

## beowulf

Proteus:

You are correct about the hostname command I used... That's a relic from a prior version of this guide (i.e. a prior version of baselayout.... I'll edit it after posting this...).

Okay... just a quick check through... as this problem is baffling to me as well...

```
#ls -l /etc/sasl2/sasldb2
-rw-------    1 postfix  mail        12288 DATE /etc/sasl2/sasldb2
# sasldblistusers2
proteus@helios.liquid.net: userPassword
```

Also, this may be of some consequence.... I always have this set and never thought that it may affect the mail setup? hehe anyways.... check this (with your IP of course).

```
# cat /etc/hosts | grep helios.liquid.net
192.168.0.1    helios.liquid.net   helios
```

This problem has me stumped... sorry I can't be of more assistance.... I don't understand where the problem could be....  :Neutral: 

paulfl:

Hmm... sounds like a conf file error..... does your output match mine?

```
root@server # /usr/sbin/postfix check
root@server # cat /etc/postfix/main.cf | grep mail_owner
# The mail_owner parameter specifies the owner of the Postfix queue
mail_owner = postfix
root@server # cat /etc/passwd | grep postfix
postfix:x:207:207:postfix:/var/spool/postfix:/bin/false
```

Also I assume that in that output you posted you substituted your FQDN with the string "my FQDN".....  :Smile: 

I think the missing user error can be resolved by checking those files.... but it wouldn't be the first time I've been wrong.....  Anyways.... let me know how it goes  :Smile: 

----------

## paulfl

Thanks for the reply.

Instead of:

```
#ls -l /etc/sasl2/sasldb2 

-rw-------    1 postfix  mail        12288 DATE /etc/sasl2/sasldb2 

# sasldblistusers2 

proteus@helios.liquid.net: userPassword
```

I get

```
#  ls -l /etc/sasl2/sasldb2
-rw-r-----    1 root     mail        12288 Nov  1 00:23 /etc/sasl2/sasldb2
```

I've fixed this using chown and chmod. 

But running

```
# sasldblistusers2 
```

Simply returns the root prompt.

I now get a similar error message but the user name postfix appears

```
postfix: fatal: file /etc/postfix/main.cf: parameter mail_owner: unknown user name value: postfix ...
```

----------

## paulfl

Sorry, forgot to add...

My output matches yours

```
root@server # cat /etc/postfix/main.cf | grep mail_owner 
# The mail_owner parameter specifies the owner of the Postfix queue 
mail_owner = postfix 
root@server # cat /etc/passwd | grep postfix 
postfix:x:207:207:postfix:/var/spool/postfix:/bin/false
```

But  

```
root@server # /usr/sbin/postfix check
```

is still giving the postfix: fatal file ... error

----------

## beowulf

Hey, well postfix check says you have an error in your conf..... so would you mind posting the output of this command here so I can look it over?

```
root@server # grep -v "^#" /etc/postfix/main.cf | sed '/./,/^$/!d'
```

Thanks and sorry for taking so long getting back to you...

----------

## paulfl

main.cf:

```
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
 inet_interfaces = $myhostname, localhost
  mydestination = $myhostname, localhost.$mydomain
unknown_local_recipient_reject_code = 450
 mynetworks = 192.168.7.0/24, 127.0.0.0/8
 relay_domains = $mydestination
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
home_mailbox = .maildir/
mailbox_command = /usr/bin/procmail -a $DOMAIN
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /etc/postfix/sample
readme_directory = /usr/share/doc/postfix-2.0.11
```

----------

## beowulf

The reason postfix is choking on your conf file is that there is some whitespace before certain options... there is one space before the inet_interfaces option, and two spaces before the mydestination option.

By removing those, running "postfix check" will be able to work and you'll be able to continue on with the guide.

Hope this helps
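Postfix reads any line that begins with whitespace as a continuation of the previous parameter, which is exactly why the error above shows `mail_owner` with a value of `postfix inet_interfaces = ...`. The following is an added example, not part of the guide or this thread, that joins lines the way Postfix does and flags indented lines that were clearly meant to be parameters of their own; the sample main.cf fragment is constructed to mirror the posted one.

```python
import re

# Constructed sample mirroring the shape of the main.cf posted above:
# two parameters are indented, so Postfix reads them as continuation
# lines of the parameter before them (here: mail_owner).
SAMPLE_MAIN_CF = """\
queue_directory = /var/spool/postfix
mail_owner = postfix
 inet_interfaces = $myhostname, localhost
  mydestination = $myhostname, localhost.$mydomain
unknown_local_recipient_reject_code = 450
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
"""

# A logical "name = value" line as Postfix parses it.
PARAM_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
# A continuation fragment that looks like a Postfix parameter (lowercase
# name followed by '='); legitimate continuations such as the
# 'PATH=...' line of debugger_command do not match this.
LOOKS_LIKE_PARAM_RE = re.compile(r"^[a-z][a-z0-9_]*\s*=")


def logical_lines(text):
    """Join physical lines the way Postfix does.

    Blank lines and '#' comment lines are skipped; a line that starts with
    whitespace is appended to the previous logical line.  Returns a list of
    (first_line_number, joined_text, continuation_fragments) where each
    fragment is (line_number, stripped_text).
    """
    result = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and result:
            first, joined, frags = result[-1]
            result[-1] = (first, joined + " " + raw.strip(),
                          frags + [(lineno, raw.strip())])
        else:
            result.append((lineno, raw.strip(), []))
    return result


def parse_main_cf(text):
    """Return (params, warnings).

    params maps each parameter name to the value Postfix would actually
    use; warnings lists indented lines that look like they were meant to
    be separate parameters but were swallowed by the line before them.
    """
    params = {}
    warnings = []
    for first, joined, frags in logical_lines(text):
        m = PARAM_RE.match(joined)
        if not m:
            warnings.append(
                f"line {first}: not a 'name = value' line: {joined!r}")
            continue
        name, value = m.group(1), m.group(2).strip()
        params[name] = value
        for lineno, frag in frags:
            fm = LOOKS_LIKE_PARAM_RE.match(frag)
            if fm:
                swallowed = frag.split("=", 1)[0].strip()
                warnings.append(
                    f"line {lineno}: indented '{swallowed} = ...' is read as "
                    f"part of '{name}' (remove the leading whitespace)")
    return params, warnings


if __name__ == "__main__":
    parsed, problems = parse_main_cf(SAMPLE_MAIN_CF)
    print("mail_owner as Postfix sees it:", parsed["mail_owner"])
    for p in problems:
        print("WARNING:", p)
```

Run it against a real main.cf with `parse_main_cf(open("/etc/postfix/main.cf").read())` to get the same kind of hint `postfix check` gives, but pointing at the indented line rather than at the parameter it was merged into.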

----------

## paulfl

You're right, it works!

I always thought white space was ignored, I've learnt a lesson.

thanks very much

----------

## Bangz

May I ask a question.

I've followed one of the earlier versions of this guide (before spam filtering and db of accepted users)

Anyways, it's all working perfectly fine for my LAN.  On my windows boxes I can send mail to user@server and it's fine.

However, how can I allow the public internet to send mail to me?

I have my internal LAN sitting behind a router/firewall which uses NAT and port forwarding.  At the moment, my gentoo server already has ssh, ftp and httpd forwarded to it, and it's working fine.  However when I forward port 25 to the box, if I send myself an email, from say hotmail... it doesn't work.  user@<myexternalip>

Anyone got an idea why?

----------

## beowulf

To be able to use your SMTP server from outside your lan, you'll need an MX record pointing to your domain.... no-ip.com offers such a service.... there are quite a number of other services that offer MX records as well.... however the name eludes me at the moment...

----------

## Bangz

I have a no-ip account.  I don't think it's an MX record though.

----------

## Bangz

I have a final question.  

Anyone using Microsoft Outlook with this Email System?  Every time I check email on it, I get an "Internet Security Warning" from outlook for the SSL certificate. 

How do I create a certificate from my gentoo box to install on my Machine so I don't get this warning?

----------

## daff

[EDIT]

Ok I am an idiot. I should NOT have uncommented the lines in /etc/pam.d/imap. Leaving them as they were would have been the way to go. I suck  :Smile:  Now at least imapd without ssl works.

I'll leave the post here, maybe someone who has the same problem stumbles across it and can fix it this way.

imapd-ssl still gives the same error as mentioned below though  :Evil or Very Mad: 

[/EDIT]

Ok, I've been at this for 2 days now, having found this guide just in time. Really, really, really, really great work! Thanks! This is supposed to save me a lot of trouble and time. Thanks!

I have a couple of problems though, nonetheless  :Smile: 

I believe the postfix/sasl part will work, haven't tried it out yet, but configuration seems to have been ok. 

Courier-IMAP. Brrrrr! I am doing this on a nice FreeBSD 5.1 machine, but it should not matter. I know where the differences are and how to work around them (for example, it seems that /etc/pam.d/imap should not be touched at all, or at least only have the 4 lines already in there uncommented).

Running imapd-ssl and trying to authenticate against PAM (or whichever method, tried them all):

Squirrelmail times out and tells me the "imap server has dropped the connection". The log files state something like: imapd-ssl: couriertls: accept: error:140760FC:SSL routines: SSL23_GET_CLIENT_HELLO: unknown protocol

Running plain imapd without SSL and trying to authenticate against PAM:

Squirrelmail tells me that either user or password are incorrect (I am sure they are both correct  :Smile: ) and the log files say 

```
imapd: Connection, ip=[::ffff:127.0.0.1]
imapd: LOGIN FAILED, ip=[blah]
imapd: DISCONNECTED, ip=[blah]
```

Now I have no idea why this could or should happen. I am very sure that I followed the guide in 4.3, 4.4 and 7 very thoroughly, although it is late and I might have screwed something up...don't think so though.

Can you help me find what I am not doing right? Maybe it's something obvious but I don't see it. Help is greatly appreciated!

And thanks again for this really good guide!

I hope someone still reads this  :Smile: 

----------

## daff

well, the solution to my problem was to recompile mod_php4 with support for SSL, IMAP and IMAP-SSL.

----------

## Advo

Thx to beowulf for the great guide. I finally could make the long planned change from sendmail/pop to postfix/imap.

I ran into some trouble integrating a virus scanner (AvMailgate) into the system. AvMailgate can be set up as a content filter through postfix. So I ended up adjusting the smtpd_recipient_restrictions to 

```
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,permit_auth_destination,reject
```

Oh, and using

```
/usr/bin/fetchmail -a -s -m "/usr/bin/procmail -d %T" >/dev/null 2>&1
```

is a really bad idea because this way the mail is not handed over to port 25 (where postfix is listening) and hence the mail will not be scanned. Took me a week to figure this out  :Very Happy: .

But now everything works like a charm :)

~Advo

----------

## beowulf

Sorry for taking so long to get back...

Bangz: I believe you'll get that message all the time until you tell Outlook to ignore the fact that you generated the SSL cert yourself.  I *think* outlook is just warning you that the cert was not signed by thawte or verisign.... If it's just you using it, it ain't worth the $150/year.... That said, I could be way off, and if you've read this whole thread, you'll notice it happens more times than I like...

daff: Hey, glad to hear it is all working for you.... I'll make a little note in the next version about using the USE flags or as in your case, recompiling mod_php with the proper configure line...

Advo: Yes, I didn't redirect to postfix since I wanted to use procmail, but since you're using that antivirus and filterer, I can see where the benefit of redirecting to port 25 would be.  I'll add a little note about it... Does this mean that procmail is unneeded in your setup?  Just curious, I have never touched an AV program on the serverside... Glad to hear you've taken this setup a step further than what I've written....  :Smile: 

----------

## Advo

beowulf: Yes, procmail is still needed. The av-scanner gives the mail back to port 25, and postfix invokes procmail via the mailbox_command as defined in its master.cf. This way sorting the mail through ~/.procmailrc still works :).

----------

## fizz

Would this be easy to use if my server was the primary mx record for my domain? What would I need to change, because I like this setup very much. Currently using sendmail, and well.. we all know it's not fun  :Smile: 

----------

## beowulf

hey fizz,

Yes, it should work just fine... this setup has worked for others when they have an mx record pointing to the server.... but I'm pretty sure this'll work fine....

however, you might not need SASL to send email.  What I mean is I used sasl to authenticate to a remote SMTP server to sort of relay the email to an SMTP server that requires AUTH.

If you run your own MX record, I doubt that step would be needed....

Hope this helps and sorry for being so late getting back here....

----------

## JHuizingh

I'm at the section of the guide where I edit /etc/postfix/saslpass to put my username and password in there.  I have a possible problem though.  My username for my isp's smtp server has a colon (:) in it.  Is this going to be a problem?

----------


## miha

It seems to work fine but.... what's up with this?

```
* Error occurred while sending the message.
* Connecting to SMTP server: 192.168.0.3 ...
[22:54:26] SMTP< 220 zheka.miha ESMTP Postfix
[22:54:26] SMTP> HELO localhost
[22:54:26] SMTP< 250 zheka.miha
[22:54:26] SMTP> MAIL FROM: <mgl@sdf.lonestar.org>
[22:54:26] SMTP< 250 Ok
[22:54:26] SMTP> RCPT TO: <mgl@sdf.lonestar.org>
[22:54:27] SMTP< 554 <unknown[192.168.0.3]>: Client host rejected: Access denied
** error occurred on SMTP session
** Error occurred while sending the message.
```

```
bash-2.05b$ fetchmail
3 messages for mgl at mail.freeshell.org. (2463 octets).
reading message mgl@mx.freeshell.org:1 of 3 (514 octets) fetchmail:  retained
reading message mgl@mx.freeshell.org:2 of 3 (1120 octets) .fetchmail: SMTP error: 554 <localhost[127.0.0.1]>: Client host rejected: Access denied
fetchmail: can't even send to mgl!
 flushed
reading message mgl@mx.freeshell.org:3 of 3 (829 octets) fetchmail: SMTP error: 554 <localhost[127.0.0.1]>: Client host rejected: Access denied
fetchmail: can't even send to mgl!
 flushed
bash-2.05b$ 
```

----------

## beowulf

JHuizingh - I'm not sure... hehe unfortunately I didn't even think about it, or know a colon was a valid character in an email address.... I really don't know....

miha - Are the servers running on your workstation?  More importantly what is your hostname.... Also, at what point in the guide did that output occur?  Did you telnet into the smtp server to get that response? You didn't authenticate, so no email will be allowed to send... it was setup this way....

Is fetchmail redirecting to postfix and not to procmail?  Any 5## error from an SMTP server is basically a message telling the server to stop what it was asked to do and report.... Postfix will not accept anything without first being authenticated to.... this is to keep you from becoming an open relay...

A little bit more information of what you did and at what point you received those errors are needed....
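Postfix evaluates a restriction list from left to right and stops at the first entry that says permit or reject, so with `smtpd_client_restrictions = permit_sasl_authenticated,reject` an unauthenticated client (whether Sylpheed on the LAN or fetchmail on localhost) is refused before any recipient is accepted. The following is an added example, not part of the guide or this thread, that mirrors that evaluation for the handful of restrictions used in this thread; the IP addresses and domains are constructed, and real Postfix supports many more restrictions and stages than shown here.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Client:
    """What the SMTP server knows about one session when restrictions run."""
    ip: str
    sasl_authenticated: bool = False
    recipient: str = ""   # only consulted by recipient-based restrictions


@dataclass
class Config:
    """The main.cf values the supported restrictions depend on."""
    mynetworks: list = field(default_factory=lambda: ["127.0.0.0/8"])
    mydestination: list = field(default_factory=list)
    relay_domains: list = field(default_factory=list)


def parse_restriction_list(value):
    """Split a main.cf value such as 'permit_mynetworks, reject' into names."""
    return [p for p in value.replace(",", " ").split() if p]


def _in_mynetworks(ip, cfg):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in cfg.mynetworks)


def _auth_destination(recipient, cfg):
    # permit_auth_destination: we are final destination or relay for the
    # recipient's domain, so accepting the mail cannot make us an open relay.
    if "@" not in recipient:
        return False
    domain = recipient.rsplit("@", 1)[1].lower()
    allowed = {d.lower() for d in cfg.mydestination + cfg.relay_domains}
    return domain in allowed


def evaluate(restrictions, client, cfg):
    """Walk the restriction list in order and return (decision, reason).

    Each entry either decides ('permit' or 'reject') or has no opinion and
    the next entry is consulted.  Postfix permits when the list runs out
    without a decision, which is why the guide ends every list with
    'reject'.
    """
    for r in restrictions:
        if r == "permit_mynetworks":
            if _in_mynetworks(client.ip, cfg):
                return "permit", r
        elif r == "permit_sasl_authenticated":
            if client.sasl_authenticated:
                return "permit", r
        elif r == "permit_auth_destination":
            if _auth_destination(client.recipient, cfg):
                return "permit", r
        elif r == "reject":
            return "reject", r
        elif r == "permit":
            return "permit", r
        else:
            raise ValueError(f"restriction not modelled in this example: {r}")
    return "permit", "end of list"


if __name__ == "__main__":
    # Constructed: a LAN of 192.168.0.0/24 and the hostname from the thread.
    cfg = Config(mynetworks=["192.168.0.0/24", "127.0.0.0/8"],
                 mydestination=["zheka.miha", "localhost.miha"])
    guide = parse_restriction_list("permit_sasl_authenticated,reject")
    for c in (Client("192.168.0.3"), Client("127.0.0.1"),
              Client("192.168.0.3", sasl_authenticated=True)):
        print(c.ip, "auth" if c.sasl_authenticated else "no auth",
              "->", evaluate(guide, c, cfg))
```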

----------

## miha

This happened at the very-very end, using Sylpheed (set up as described in the guide).

Hostname is zheka.miha

----------

## JHuizingh

I don't know if a colon is valid in an email address.  It's not part of my email address.  It is a part of my login for my pop3 server though.  I'll mess around with it more when I get some time.

----------

## beowulf

miha can you please post the output of this command:

```
root@server # grep -v "^#" /etc/postfix/main.cf | sed '/./,/^$/!d'
```

Also, what error does Sylpheed give?  the error message you posted, what is that from (not the one with fetchmail) and how did it trigger?

You said it works fine, but you asked what is up with the errors you outputted.  Is it that you cannot send email?  You cannot authenticate to send email? You cannot connect to the server?

A little bit more information of what you did and at what point you received those errors are needed.... I haven't seen those errors before so I can't just at a glance know what is going on...

JHuizingh - Ahh... well let me know how it turns out... It never even occurred to me that a colon would be used.... hehe... if it doesn't work, the only suggestion I have is to perhaps use a backslash "\" before it... but who knows... In any case, I hope you keep me/us posted....

----------

## wheelspin

First, I'd like to thank Beowulf and the rest who have contributed to this guide. It's awesome. 

I think I have most everything working properly, but I can't send email. It seems to send it but every thing comes back with things similar to this in the log file:

```
Dec 12 10:17:36 vette postfix/smtp[27726]: 0D4E53B6F: to=<me@mydomain.com>, relay=smtp.comcast.net[216.148.227.125], delay=1691, status=bounced (host smtp.comcast.net[216.148.227.125] said: 550 [PERMFAIL] mydomain.com requires valid sender (in reply to RCPT TO command))
Dec 12 10:17:36 vette postfix/cleanup[12815]: BF0C83B84: message-id=<20031212151736.BF0C83B84@vette.home.mydomain.com>
```

This happens when I send email to all the accounts I have. Obviously it's something to do with the receiving email system. My current main.cf has relayhost set to my ISP smtp server. I tried getting sasl to work but got this message:

```
Dec 12 09:49:25 vette postfix/smtp[4306]: warning: SASL authentication failure: No worthy mechs found
Dec 12 09:49:25 vette postfix/smtp[4306]: 0D4E53B6F: to=<bill@mydomain.com>, relay=mydomain.com[205.243.144.68], delay=0, status=deferred (Authentication failed: cannot SASL authenticate to server mydomain.com[205.243.144.68]: no mechanism available)
```

I would like to be able to send valid email to other sites and have them accept it. Is there something I can look at to figure out why this is happening? Any help is cool.

Thanks

Wheelspin

----------

## beowulf

Hey Wheelspin, glad it's almost working.... the first error is a result of the second error hehe

setting relayhost in main.cf will only work if your ISP's SMTP server requires NO authentication.... if you have a username/pass you must use SASL for this to work and unset the relayhost option by commenting it out.... Now the "no mech found" issue...

Please follow this code block and see if the output matches:

```
root@Chimera(/etc/) # ls -l /usr/lib/sasl2/smtpd.conf
lrwxrwxrwx    1 root     root           29 Oct  6 00:47 /usr/lib/sasl2/smtpd.conf -> ../../../etc/sasl2/smtpd.conf
root@Chimera(/etc) # cat /etc/sasl2/smtpd.conf
pwcheck_method: sasldb
root@Chimera(/etc) # /etc/init.d/saslauthd status
 * status:  stopped
root@Chimera(/etc) # ls -l /etc/postfix/saslpass
-rw-------    1 root     root          196 Oct  6 01:47 /etc/postfix/saslpass
root@Chimera(/etc) # sasldblistusers2
beowulf@FQDN: userPassword
root@Chimera(/etc/) # cat /etc/postfix/main.cf | grep sasl
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated,reject
```

Assuming your output matches mine for the most part.... Check the contents of the file /etc/postfix/saslpass and make sure your ISP's information is there with the correct settings in the proper format.

Another possibility, check the file /etc/sasl2/sasldb2 and make sure that it's only readable by user postfix, no group or world rights at all...

If after checking all that you're still experiencing problems, reply back with the output of this command, preferably wrapped in [code] tags...

```
root@server # grep -v "^#" /etc/postfix/main.cf | sed '/./,/^$/!d'
```

----------

## wheelspin

After all this time you are still answering questions about this guide. That is what I love about Gentoo and Linux. Coming from the Windows world and the larger Linux distros, it's a breath of fresh air. I really appreciate your help. 

On to the task at hand.

The output you asked for:

```
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
mydomain = home.billrucker.com
inet_interfaces = $myhostname, localhost
mydestination = $myhostname, localhost.$mydomain
unknown_local_recipient_reject_code = 450
mynetworks = 192.168.0.0/24, 127.0.0.0/8
relay_domains = $mydestination
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
home_mailbox = .maildir/
mailbox_command = /usr/bin/procmail -a $DOMAIN
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /etc/postfix/sample
readme_directory = /usr/share/doc/postfix-2.0.11
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenicated, reject
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_daemon_random_source = dev:/dev/urandom
tls_random_source = dev:/dev/urandom
```

Also, my regular ISP doesn't require authentication, but every email I send gets returned with the same message I posted before when I send through that system. I also have a web host that provides smtp services and that server is the one I'd like to use. But it's also the one that doesn't allow my authentication to work. I can authenticate to it and send fine using KMail. The settings I have configured for that are using TLS and Login. 

I checked all the other items you mention and they all match perfectly. I can log into the IMAP server from another workstation on my network and get all the emails that have been received with no problem. 

Thanks again,

Wheelspin

Keep your tires on the trail.

----------

## beowulf

Just to help me work out what we're doing in my head.

You have the option of 2 SMTP servers, one provided by your ISP, the other is a free web service.  Neither of these SMTP servers require you to use SSL/TLS.

The ISP SMTP server requires no authentication.  If you wish to attempt to use this, you must remove these from your main.cf, preferably by commenting them out.

```
smtp_sasl_auth_enable = yes 
smtp_sasl_password_maps = hash:/etc/postfix/saslpass 
smtp_sasl_security_options = noanonymous,noplaintext
```

Then uncomment the relay_host option you previously set.  The error produced (1st in your post) means your client is not sending a proper RCPT TO line, meaning the sender email address is not valid.... I'm curious what your client is?  Is the sender email address provided by your ISP?  For example, if my isp is isp.com but the email address I attempt to use is "beowulf@anotherisp.com", I will receive that error.  

The Web SMTP server requires authentication and does not use SSL/TLS.  When using this SMTP server, with the main.cf (as it is posted right now) produces this error:

```
Dec 12 09:49:25 vette postfix/smtp[4306]: warning: SASL authentication failure: No worthy mechs found 
Dec 12 09:49:25 vette postfix/smtp[4306]: 0D4E53B6F: to=<bill@mydomain.com>, relay=mydomain.com[205.243.144.68], delay=0, status=deferred (Authentication failed: cannot SASL authenticate to server mydomain.com[205.243.144.68]: no mechanism available)
```

Could you tell me what web service this is so that I may test it out and find out why SASL can't use their SMTP server?

Hopefully we can get this all sorted out soon as you're really close and your main.cf file looks correct....

----------

## wheelspin

 *Quote:*   

> Just to help me work out what we're doing in my head.
> 
> You have the option of 2 SMTP servers, one provided by your ISP, the other is a free web service.  Neither of these SMTP servers require you to use SSL/TLS.

 

That is correct. The one for my web host allows encryption and requires authentication.

 *Quote:*   

> The error produced (1st in your post) means your client is not sending a proper RCP TO line, meaning the sender email address is not valid.... I'm curious what your client is?  

 

I am using mutt. And I'm no expert at that either. It's perfectly possible that it is not configured correctly. I will work through that and report back. 

 *Quote:*   

> Could you tell me what web service this is so that I may test it out and find out why SASL can't use their SMTP server?

 

The server is running at billrucker.com. It's not really a free service; I do have to pay for it. 

 *Quote:*   

> Hopefully we can get this all sorted out soon as you're really close and your main.cf file looks correct....

 

That was my thought and I was just hoping somebody who knows more than I do about this stuff might be able to help. Not to say that that is a difficult request, cuz I don't know that much. 

In the meantime of anything you may be able to find, I'll try and get mutt set up right, if I can figure out how and see how that works.

Thanks

Wheelspin

----------

## wheelspin

The address that is being used as the "From" is bill@home.mydomain.com when it should be bill@mydomain.com. myhome.domain.com will not resolve to a valid email address because my server is set up as a subdomain of a valid domain for which I am not running the DNS. 

There must be a way to force the MAIL FROM to a valid email to get to Postfix and hence be sent to the remote domain. Maybe I'm wrong, but I can't find anything that helps on the web. I tried a couple of different things with Mutt that didn't make any difference.

I wonder if it would make any difference if I were using a completely invalid domain at home? It seems to me I'd have the same problem so I'm not inclined to move that direction right now.

Wheelspin

----------

## beowulf

I'm at a loss as to why SASL can't auth..... as for editing the From field in Mutt, I found this page that may help you:

http://www.mutt.org/doc/manual/manual-2.html#ss2.4

You can probably set a default From email address in your ~/.muttrc file.... Something along the lines of "set From = a@b.c".

This should fix the problem... hope this helps

----------

## Fragbeestje

Tnx for this great tutorial! 

Almost everything works great  :Laughing: 

I added some rules similar to the one below to my .procmailrc file : 

```
# filter fragbeestje mail to fragbeestje folder
:0
* ^To:.fragbeestje@myispmail\.com
.fragbeestje/
```

The .fragbeestje dir exists under my ~/.maildir/ folder but it doesn't show up in my IMAP account when I check it with my email client.

I looked into the specific subfolders and noticed that they did not contain the following files:

```
drwx------    2 cannibal users        4096 Dec  8 16:56 courierimapkeywords
-rw-r--r--    1 cannibal users         693 Dec  8 16:56 courierimapuiddb
```

Another inbox subfolder, which I created from my email client, does contain these courierimap files and this folder shows in my email client.

To see if it would lead to any changes, I removed the dirs, and recreated them with 

```
maildirmake -f fragbeestje ~/.maildir/
```

However the subfolders still don't contain the courierimap subfile and folder and do not show up in my IMAP account.

Am I forgetting something? I read through the thread a few times now and I can't figure out where I went wrong.

I probably overlooked something, as it seems to work for most people by just adding the rules to the .procmailrc file.

**** FIXED ****

Had to add these subfolders to the file 

"~/.maildir/courierimapsubscribed"

and restart the mailserver.
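Added example, not code from Fragbeestje's post: a shell script that creates a Maildir++ subfolder the way `maildirmake -f` lays it out (`cur`, `new`, `tmp` plus an empty `maildirfolder` marker, built with `mkdir` so it runs without Courier installed) and adds the matching `INBOX.<name>` line to `courierimapsubscribed` only when it is not already there. The folder name and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example: create and subscribe a Courier-IMAP Maildir++ subfolder.
# Assumption: the Maildir follows the Maildir++ layout Courier uses, where
# folders are dot-prefixed directories under the top-level Maildir.

# $1 = path to the Maildir (e.g. ~/.maildir), $2 = folder name without the dot.
make_subfolder() {
    maildir=$1
    folder=$2
    dir="$maildir/.$folder"
    for sub in cur new tmp; do
        mkdir -p "$dir/$sub"
    done
    # maildirmake -f drops an empty "maildirfolder" file in each subfolder
    : > "$dir/maildirfolder"
}

# Append INBOX.<folder> to courierimapsubscribed unless already listed (idempotent).
subscribe_folder() {
    maildir=$1
    folder=$2
    subs="$maildir/courierimapsubscribed"
    entry="INBOX.$folder"
    touch "$subs"
    if ! grep -qxF "$entry" "$subs"; then
        printf '%s\n' "$entry" >> "$subs"
    fi
}

# 0 if the folder exists and is subscribed (what the IMAP client will show), 1 otherwise.
folder_visible() {
    maildir=$1
    folder=$2
    [ -d "$maildir/.$folder/cur" ] &&
        grep -qxF "INBOX.$folder" "$maildir/courierimapsubscribed" 2>/dev/null
}

# Demonstration against a scratch Maildir (constructed, not your real one).
demo=$(mktemp -d)
make_subfolder "$demo" fragbeestje
subscribe_folder "$demo" fragbeestje
subscribe_folder "$demo" fragbeestje     # second call changes nothing
echo "subscriptions:"; cat "$demo/courierimapsubscribed"
rm -rf "$demo"
```

Run it against the real Maildir as the mail user (`make_subfolder ~/.maildir fragbeestje; subscribe_folder ~/.maildir fragbeestje`) and then restart courier-imap as the post did; the procmail recipe can deliver into the folder before it is subscribed, but the client only lists it once the subscription line exists.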

----------

## wheelspin

Well, it looks like I solved the issue with the rejected email because of domain name. It ended up being a Postfix config issue. Not what I would call a mistake, just the way Postfix works. The guide suggests setting up the $mydestination as the default for Postfix which is cool. This appears to be used as the default domain for all mail leaving the server. So the "RCPT TO" sent to the remote MTA is user@host.$mydomain in Postfix speak. If the domain resolves but the host (in my case it failed on the host) doesn't resolve, it is assumed to be spam and is rejected. 

The way to override this setting is to use the $myorigin setting in the main.cf for Postfix. I made this the real top level domain that does actually resolve to a real MX record in DNS and the problems disappeared. I can even send mail to Yahoo users. YaaHooo!!   :Laughing: 

Wheelspin

----------

## beowulf

Fragbeestje: Good to hear it's all working out for you  :Smile: 

 *wheelspin wrote:*   

> Well, it looks like I solved the issue with the rejected email because of domain name. It ended up being a Postfix config issue. Not what I would call a mistake, just the way Postfix works. The guide suggests setting up the $mydestination as the default for Postfix which is cool. This appears to be used as the default domain for all mail leaving the server. So the "RCPT TO" sent to the remote MTA is user@host.$mydomain in Postfix speak. If the domain resolves but the host (in my case it failed on the host) doesn't resolve, it is assumed to be spam and is rejected. 
> 
> The way to override this setting is to use the $myorigin setting in the main.cf for Postfix. I made this the real top level domain that does actually resolve to a real MX record in DNS and the problems disappeared. I can even send mail to Yahoo users. YaaHooo!!  
> 
> Wheelspin

 

Great news!  I'll add this to the next update.... it's been bugging me just a little, but not enough to look into it.... I assume however you have an MX record pointing to your server.... So perhaps I'll make a note about if you have an MX record, you should do this "...".  Thanks for sharing your fix with the rest of us  :Smile: 

----------

## grover

Great guide beowulf  :Very Happy:  I've had my mailserver running perfectly for a while now.

Gkrellm's mail checker now has support for SSL so it can monitor your inbox without having to setup stunnel.

http://web.wt.net/~billw/gkrellm/Changelog2

----------

## beowulf

Guide updated with the addition of a few troubleshooting options, misc fixes/clarifications and of course Outlook Express 6 configuration.  

Thanks to all who have replied in this thread, I've tried my best to include notes where your problems were found and what the solutions were.

----------

## GeoffOs

Great Document, managed to get myself up and running nicely now, except for getting mail into the .spam dir for SpamAssassin to learn from as known spam.

How would I do this?

I have a collection of about 3000 spam messages that exist in a mail folder visible in squirrelmail, but I am uncertain as to the mail dir structure.

Help please.

----------

## GeoffOs

ooops, duplicate posting, sry

----------

## Proteus

I am not using Squirrelmail but I suppose it uses the standard .maildir format for its email storage?

If so it should be easy to just point sa-learn to the dir where the spams are stored.

Like this:

```
sa-learn --dir --showdots --spam /.maildir/.spam/
```

This way sa-learn should automatically search the spam directory in the maildir and all its standard subdirectories (cur/tmp/new).

Tell me if this works. If it does not it may help to post the error message here.

----------

## numerodix

I've tried to follow the guide 100%, v1.5 and I'm having trouble sending mail. I'm using Outlook Express as a client and whether I turn off SSL (in which case there's no error but the mail never reaches the receiver) or keep it on ('454 TLS not available due to temporary reason', Port: 25, Secure(SSL): Yes, Server Error: 454, Error Number: 0x800CCC7F) it's no good.

```
# cat /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
#inet_interfaces = $myhostname, localhost
inet_interfaces = localhost
mydestination = $myhostname, localhost.$mydomain
unknown_local_recipient_reject_code = 450
mynetworks = 10.0.1.0/24, 127.0.0.0/8
relay_domains = $mydestination
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
home_mailbox = .maildir/
mailbox_command = /usr/bin/procmail -a $DOMAIN
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /etc/postfix/sample
readme_directory = /usr/share/doc/postfix-2.0.11
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_daemon_random_source = dev:/dev/urandom
tls_random_source = dev:/dev/urandom
```

Also, postfix will start but gives an error while stopping. The log prints:

```
Jan  5 21:46:42 [postfix/postfix-script] starting the Postfix mail system
Jan  5 21:46:42 [postfix/master] fatal: bind 127.0.0.1 port 25: Address already in use
```

Netstat shows port 25 locally is listening for connections. It's also available remotely according to nmap.

I would test the certs but I don't know how. They "look" correct.

What I want ultimately is a system to fetch mail from multiple accounts, sort it into folders, then send mail (i.e. replies) based on where the message is located, thus selecting the correct reply-to address, possibly relaying through the respective smtp servers but that's not as important. Is that even possible you think?

----------

## beowulf

Hey numerodix, your conf file looks good...

I'm also assuming you've setup OE correctly.... there is one problem that I've found when I googled your error string.  Are you running Norton Anti-Virus?  Apparently the outgoing email scan is interfering with SMTP over TLS and can be fixed by telling Norton not to scan outgoing email (but to keep scanning incoming)....

Here's the search link I used... Of course if that isn't the case, let me know and I'll look further into it.

As to your question, yes this is possible, but it's dependent on the client.  I use Kmail for email, and I have it set up so that any email that is delivered to the ".personal/" maildir is replied using my email address (or Identity) that is closer to my real name.  I'm pretty sure something like this can be set up, but I don't have access to my windows box anymore as it was re-wiped and back to serving an intranet site for my lan....

----------

## wilddev

Hey beowulf, inspired by your great example, I've posted my short guide to setting up cyrus-imapd with postfix and spamassassin here. Keep up the good work dude!

----------

## numerodix

Thanks, that did help get rid of the error. I now get this instead:

The connection to the server has failed. Account: 'kramer-alex', Server: 'kramer', Protocol: SMTP, Port: 25, Secure(SSL): Yes, Socket Error: 10061, Error Number: 0x800CCC0E

I was thinking maybe I could somehow get procmail to rewrite the headers to include a to: [the relevant account], for instance when it's from a mailing list. Then email clients would most likely try to use that address for outgoing mail, no?

EDIT: I know kmail usually works the best of all my email clients so I tried it with the setup. When sending a message, I get this:

```
Jan  6 19:15:28 [postfix/smtpd] TLS connection established from frasier.matusiak.lan[10.0.1.11]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jan  6 19:15:28 [postfix/smtpd] warning: SASL authentication problem: unable to open Berkeley db /etc/sasl2/sasldb2: Permission denied
                - Last output repeated twice -
Jan  6 19:15:28 [postfix/smtpd] warning: SASL authentication failure: no secret in database
Jan  6 19:15:28 [postfix/smtpd] warning: frasier.matusiak.lan[10.0.1.11]: SASL DIGEST-MD5 authentication failed
Jan  6 19:15:29 [postfix/smtpd] disconnect from frasier.matusiak.lan[10.0.1.11]
```

```
ls -l /etc/sasl2/sasldb2
-rw-r-----    1 root     root        12288 Jan  5 21:33 /etc/sasl2/sasldb2
```

EDIT: turned out to be a dns problem. I now have kmail working (yey!). I don't know what I'm going to do about that Windows error but at least it works at all.

EDIT: I learnt that the server wants to use digest-md5 for authentication. Both kmail and evolution are fine with it but Outlook Express doesn't have any options for authentication, so that's probably why it doesn't work.

----------

## puke

This thread is great!

 :Question:   Is there any way I can restrict the IP addresses of clients who connect via courier-imap-ssl, other than using iptables?

----------

## beowulf

wilddev - Nice guide!  :Smile: 

numerodix

The reason that error is showing up in your logs is because postfix can't read the sasldb2 file..... The fix is this:

```
root@server # /bin/chown postfix /etc/sasl2/sasldb2
root@server # /bin/chmod 600 /etc/sasl2/sasldb2
```

This should allow Outlook to authenticate since it was complaining that it couldn't read/open the file....

Outlook Express 6 supports MD5-Cram if you enable "Secure Password Authentication".... Is this option enabled in your client? or what version of OE are you using?

puke - Unfortunately I don't think you can restrict based on IP from the server.  iptables will allow you to easily do this however by dropping port 993.

hope this helps guys.
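Added example (not beowulf's code): a check for the condition behind the "Permission denied" warning quoted above, with the fix from this post wrapped as a function. It parses `ls -ld`, so it expects paths without spaces; the expected owner is a parameter, and `/etc/sasl2/sasldb2` and the `postfix` user are the values the guide uses.

```shell
#!/bin/sh
# Added example: verify that the SASL secrets database is owned by the
# daemon that must read it and is not readable by group or world.
# Assumption: paths contain no spaces (ls -ld output is split on whitespace).

# $1 = file, $2 = expected owner. Returns 0 when owner matches and the
# permission string is -rw------- (mode 600); otherwise prints each
# problem found and returns 1.
check_sasldb() {
    file=$1
    want_owner=$2
    if [ ! -e "$file" ]; then
        echo "$file: missing"
        return 1
    fi
    # ls -ld: field 1 is the permission string, field 3 the owner
    set -- $(ls -ld "$file")
    perm=$(printf '%s' "$1" | cut -c1-10)   # drop any trailing ACL/SELinux marker
    have_owner=$3
    status=0
    if [ "$have_owner" != "$want_owner" ]; then
        echo "$file: owned by $have_owner, expected $want_owner"
        status=1
    fi
    if [ "$perm" != "-rw-------" ]; then
        echo "$file: permissions $perm, expected -rw------- (mode 600)"
        status=1
    fi
    return $status
}

# The fix from the post: give the file to the daemon user and close it to others.
# $1 = file, $2 = daemon user (chown needs root unless $2 is yourself).
fix_sasldb() {
    chown "$2" "$1" && chmod 600 "$1"
}

# Demonstration against the path from the guide; harmless if it is absent.
check_sasldb /etc/sasl2/sasldb2 postfix ||
    echo "(fix with: chown postfix /etc/sasl2/sasldb2 && chmod 600 /etc/sasl2/sasldb2)"
```

Mode 600 is the point of the check: the `-rw-r-----` listing in the post above would pass a looser test but still leaves the password hashes readable by the owning group, so the script insists on owner-only access.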

----------

## numerodix

 *beowulf wrote:*   

> numerodix
> 
> The reason that error is showing up in your logs is because postfix can't read the sasldb2 file..... The fix is this:
> ...

 

I'm not sure that is what it was, I set the permissions the first time. But I think the hostname/dns name was set wrong and fixing it solved the problem.

My settings correspond exactly to those you published and to my great surprise today I was able to send mail   :Question:   I know that I didn't change anything from last night so this behavior I find quite puzzling. But satisfying all the same.  :Smile: 

Thanks so much for all your help, beowulf!!! I tried this guide once before and I didn't get anywhere, I gave it another try now and voilà, determination conquers.

----------

## beowulf

Great to hear you stuck with it!  :Smile: 

----------

## numerodix

The only oddity currently in existence is Outlook Express asking me to pass a username, password and domain (?) for every session, required to send mail. Obviously, the login info is stored in the settings so I don't know what this is about but once it gets the values, sending mail works fine. 

I also picked up a tip on the forum about adding "always_bcc = " to the postfix main.cf, thus enabling me to sort my sent mail in folders corresponding to the account it was sent from.  :Smile: 

When you mentioned virus scanning, you said one should direct the mail to the mta at port 25, any pointers on how to do that?  :Smile: 

----------

## beowulf

 *numerodix wrote:*   

> The only oddity currently in existence is Outlook Express asking me to pass a username, password and domain (?) for every session, required to send mail. Obviously, the login info is stored in the settings so I don't know what this is about but once it gets the values, sending mail works fine. 
> 
> I also picked up a tip on the forum about adding "always_bcc = " to the postfix main.cf, thus enabling me to sort my sent mail in folders corresponding to the account it was sent from. 
> 
> When you mentioned virus scanning, you said one should direct the mail to the mta at port 25, any pointers on how to do that? 

 

For outlook express, what version do you have and did you enable SPA?

The always_bcc thing sounds good, I assume you're using procmail to filter the email to a .sent-email/ maildir or something similar?  I think I'm going to add that to my system and also the guide.  Thanks.

As for the virus scanning on the server side, I have no idea really.... never added one just mentioned it because a previous poster brought up an issue where the email was not scanned because mail was not directed to port 25.... I have no tips for that... sorry...

----------

## numerodix

Outlook Express 6.

I've tried both on and off. If I turn it on, I get a message box with 3 input fields for user, pass and domain. If I turn it off, I get the same box only the user name is correctly filled in. I then type in the password and click ok and the message gets sent.

The idea was that if you want to use the same setup for multiple pop/imap accounts, you can use procmail to filter the mail accordingly. For instance using a few special filters and then dumping the rest into separate folders for the respective accounts so that you know where the mail was sent to. But when you send mail, you might want to know which account you sent it from, so that you avoid a huge pile of sent mail all mixed up.

Some clients (kmail) let you specify that mail sent from a certain profile goes into a certain sent dir. Others don't, the most elegant would be to have a server side mechanism for it. So I thought I would use the always_bcc directive to send a copy of each message back to the server (again filtered through procmail).

For example..

```
########################################################
######### default recipes outgoing
########################################################

# ---> john@free.com <---
:0
* ^From:.*john@free\.com
.john@free.sent/

# ---> sally@house.net <---
:0
* ^From:.*sally@house\.net
.sally@house.sent/

########################################################
######### default recipes incoming
########################################################

## default sorting when all else fails ##

# ---> john@free.com <---
:0
* ^TO_john@free\.com
.john@free/

# ---> sally@house.net <---
:0
* ^TO_sally@house\.net
.sally@house/
```

I will not vouch for those procmail rules, I'm sure they are quite lame since I've used procmail now for 2 days but I think you get the idea.

Note that if you do this, and you send mail from john to sally, you should either remove the duplicate filter rule (if you have it) or send it to another account not involved here, otherwise it will be marked as a duplicate (either the mail sent or the bcc returned, depending on which one gets there first).
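Added example, not numerodix's code: a small shell re-implementation of how those recipes route a message, run over constructed messages so the effect of the recipe order can be checked without procmail. It matches header lines only (procmail's default) and approximates `^TO_` with To, Cc and Bcc; the addresses are the ones from the post.

```shell
#!/bin/sh
# Added example: route messages the way the always_bcc/procmail recipes
# above do. Assumptions: headers end at the first empty line, matching is
# case-insensitive as in procmail, and ^TO_ is approximated by To/Cc/Bcc
# (procmail's real ^TO_ also covers Apparently-To, Resent-To and similar).

# Constructed messages (not real mail).
# Sent from john to sally: both the recipient copy and the always_bcc copy look like this.
MSG_SENT='From: John <john@free.com>
To: sally@house.net
Subject: lunch?

see you at noon'

# Incoming to sally; the body quotes john's address, which must not match.
MSG_IN_SALLY='From: alice@example.invalid
To: sally@house.net
Subject: re: lunch

From: john@free.com was in the original message'

# Incoming where john is only on Cc.
MSG_CC_JOHN='From: bob@example.invalid
To: carol@example.invalid
Cc: john@free.com
Subject: fyi

fyi'

# Matches nothing: falls through to the default mailbox.
MSG_OTHER='From: carol@example.invalid
To: someone@example.invalid
Subject: unrelated

hello'

# $1 = full message text; prints the Maildir folder the recipes would pick.
route_message() {
    hdr=$(printf '%s\n' "$1" | sed '/^$/q')     # header block only
    if   printf '%s\n' "$hdr" | grep -qi '^From:.*john@free\.com';              then echo '.john@free.sent/'
    elif printf '%s\n' "$hdr" | grep -qi '^From:.*sally@house\.net';            then echo '.sally@house.sent/'
    elif printf '%s\n' "$hdr" | grep -qiE '^(To|Cc|Bcc):.*john@free\.com';      then echo '.john@free/'
    elif printf '%s\n' "$hdr" | grep -qiE '^(To|Cc|Bcc):.*sally@house\.net';    then echo '.sally@house/'
    else echo 'INBOX/'                                # procmail default ($DEFAULT)
    fi
}

# Demonstration over the constructed messages.
for m in "$MSG_SENT" "$MSG_IN_SALLY" "$MSG_CC_JOHN" "$MSG_OTHER"; do
    printf '%-45s -> %s\n' "$(printf '%s\n' "$m" | sed -n 's/^Subject: //p')" "$(route_message "$m")"
done
```

The first message shows the situation the post warns about: a john to sally message arrives in this Maildir twice, once as sally's delivery and once as the always_bcc copy, and since the From: recipes come first both copies land in `.john@free.sent/`, so a duplicate filter will discard whichever arrives second and sally's folder never sees it.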

----------

## beowulf

Interesting... I think I'll set this up on my system as well.... thanks!

 *numerodix wrote:*   

> Outlook Express 6.
> 
> I've tried both on and off. If I turn it on, I get a message box with 3 input fields for user, pass and domain. If I turn it off, I get the same box only the user name is correctly filled in. I then type in the password and click ok and the message gets sent.

 

As to the Outlook Express issue.....  When you're asked for your domain what are you entering?  Have you tried the various domains such as:

1 - Windows machine Host name or "computer name"

2 - Server FQDN

3 - Server hostname

4 - Windows machine Computer name with Server domain name.

I think I missed a step in my email setup and I'll need to fix it...  I remember being asked for a domain and fiddling around with it until it sent without any errors.....

Thanks for showing me my error, I'll have it fixed in the next update....

----------

## numerodix

No, I tried all of those and that message box always pops up anyway. It's not an error per se, it does successfully send mail, only that extra authentication seems unnecessary.

----------

## puke

numerodix Outlook Express has extra authentication options that are likely proprietary M$ extensions.  They will probably need to be turned off to work with a system that uses an implementation of an open standard eg IMAP.

You may want to try using Mozilla Thunderbird instead of Outlook Express, if you are able to.  In my experience Outlook Express is less featured and more of a dog to get working.

Of course you may not consider this a helpful response to your problem..!   :Confused: 

----------

## puke

 *beowulf wrote:*   

> puke - Unfortunately I don't think you can restrict based on IP from the server.  IP tables will allow you to easily do this however by dropping port 993.

 

Not only can you not restrict client IPs, courier-IMAP also runs as root!  I guess a solution would be to use chrooted postfix for secure IMAP (instead of courier)?

----------

## cmassa

can anyone tell me why ./CA.pl -newca does nothing? the first time i ran it i got to the password input and i thought it took the input, but it just hung. i ctrl-c'd out and now if i run it again it does nothing.

if i continue with ./CA.pl -newreq it runs fine, but when i try to sign the cert i get this:

```
# ./CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
unable to load CA private key
17964:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:666:Expecting: ANY PRIVATE KEY
Signed certificate is in newcert.pem
```

any ideas???

----------

## numerodix

 *puke wrote:*   

> numerodix Outlook Express has extra authentication options that are likely proprietary M$ extensions.  They will probably need to be turned off to work with a system that uses an implementation of an open standard eg IMAP.
> 
> You may want to try using Mozilla Thunderbird instead of Outlook Express, if you are able to.  In my experience Outlook Express is less featured and more of a dog to get working.
> 
> Of course you may not consider this a helpful response to your problem..!  

 

I don't mean to be negative about it but I've been using Thunderbird for a couple of months and been forced to conclude that it's junk. The thing that ticks me off the most is how weird the polling is, Outlook Express always represents an up-to-date status of my mailbox, while Thunderbird sometimes doesn't know new mail has arrived, doesn't show the contents of some folders etc. I click to download mail, nothing happens, even though there is new mail to be found (talking about imap here btw). The account settings screen is also very cumbersome and if you want to change a default setting for one account, you have to do the exact same thing for them all.

But the number one most annoying Thunderbird problem is this.. it won't let me send mail. I haven't tried with my new postfix server but I have 2 pop accounts and one imap account that I use and with Thunderbird, I get errors from all of them when sending mail. Stuff like "recipient host not on accepted recipient list", whereas other email clients will just send the damn mail. I don't know what it is Thunderbird does, I certainly have tried jiggling with the settings but it's no good.

----------

## beowulf

puke - Yeah it really is the only feasible solution to the problem... and even then, the chroot needs to be able to work with non-chrooted software as well.... quite a configuration nightmare, but something I'd rather leave to another guide....

cmassa - After you've run and killed CA.pl, have you gone and cleaned up the mess?  Remove all the *.pem files as well as another file located further down.... Read the Troubleshooting section where I describe what files need to be removed....

If you have cleaned up the mess, could you please post the output of "ls -l /etc/ssl/misc" as well let me know if you added the nodes switch.

----------

## cmassa

i clobbered the pem files, but i had just looked at the perl. and apparently, not very closely-- didnt see that anything was created in another directory. 

just to clarify-- what pass phrase is required when running that first script?

thx--

----------

## cmassa

this post on another thread has me a little concerned...apparently there should be no request for a password:

 *Quote:*   

> as you can see up the top, I was running ./CA.pl -newca  
> 
> even so, they should screen out idiots like me from using gentoo :S 
> 
> anyway, this time when I en-emerged openssl I rebooted.. the other times I didn't.. 
> ...

 

could ssh running be the cause? i hope not because the machine im working on is console only, and I'm not anywhere near it...it's only administered remotely...via ssh

heres the complete thread:

https://forums.gentoo.org/viewtopic.php?t=61398&highlight=pem+pass+phrase

had to kill it again-- 

here's the error:

```
18422:error:0906406D:PEM routines:DEF_CALLBACK:problems getting password:pem_lib.c:114:
18422:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:367:
```

oh yeah-- i did add the nodes switch. in fact, i followed the guide to the letter up to this point. (quite a comprehensive guide too...nice work!)

----------

## puke

 *numerodix wrote:*   

> I don't mean to be negative about it but I've been using Thunderbird for a couple of months and been forced to conclude that it's junk. 

 

MUAs are always a personal preference thing so I try never to get religious about using one over another.  In my experience, Thunderbird has been easier to configure than OE with various imap daemons.  Just my 0.02! 

I've got both Thunderbird and OE working perfectly with Courier-IMAP.  Why don't you post some shots of your configs?  I recall the domain prompt is something that can be turned off easily, I'm sure it was SPA, I think someone has already suggested that.

----------

## numerodix

Here it is then:

http://www.juventuz.com/_temp/postfix.jpg

Note: that bottom radiobox in the right window is actually selected, I clicked the other one by mistake when taking the screenshot  :Smile: 

----------

## beowulf

cmassa

No, I doubt it has anything to do with SSH running... as I've ran through this guide in an SSH session.... The password you're asked to create can be anything you like.... just use the same one throughout the codeblock dealing with certificate creation.

The errors listed are due to openssh not being able to sign the key because the password is wrong... either it wasn't set properly, or the -newreq and -newca used different passwords.... at least that is what my experience tells me.... 

However, if this is not the case let me know and we'll continue to work on this...

----------

## puke

 *numerodix wrote:*   

> Note: that bottom radiobox in the right window is actually selected, I clicked the other one by mistake when taking the screenshot 

 

Well isn't that your problem then?  "Use Secure Password Authentication" is checked on the bottom radiobox in the right window.

Uncheck "Use Secure Password Authentication".

And I'd uncheck the "Remember my password" as well.  It's never a good idea on Windows clients IMHO.  (What's the point of authentication when you're bypassing it on the client anyway)

----------

## numerodix

 *puke wrote:*   

> Well isn't that your problem then?  "Use Secure Password Authentication" is checked on the bottom radiobox in the right window.
> 
> Uncheck "Use Secure Password Authentication".
> ...

 

As stated earlier, I've tried it on and off and it doesn't make a difference.

 *numerodix wrote:*   

> I've tried both on and off. If I turn it on, I get a message box with 3 input fields for user, pass and domain. If I turn it off, I get the same box only the user name is correctly filled in. I then type in the password and click ok and the message gets sent.

 

----------

## sourmash

Great guide however am I right in thinking that it is just aimed towards those that want to use their ISP to do smtp rather than do the smtp themselves?

I currently have an smtp server on one of my networks that I have friends connect in to and send email from ( using popbeforesmtp to authenticate them )  and would prefer to use sasl to authenticate them and to provide them with both pop and imap, would this guide work for me as it stands? 

sourmash

----------

## beowulf

 *sourmash wrote:*   

> Great guide however am I right in thinking that it is just aimed towards those that want to use their ISP to do smtp rather than do the smtp themselves?
> 
> I currently have an smtp server on one of my networks that I have friends connect in to and send email from ( using popbeforesmtp to authenticate them )  and would prefer to use sasl to authenticate them and to provide them with both pop and imap, would this guide work for me as it stands? 
> 
> sourmash

 

You are correct that we use the ISP's SMTP server to send since this guide was written for a home network without its own MX record.... However, if you have an MX record and an already working SMTP server, then this guide can be adapted.  I believe it's a matter of removing any config option starting with "smtp_sasl_*" in the /etc/postfix/main.cf file.  You'll still need to keep the "smtpd_sasl_*" options however.  Also, enter your FQDN in the mydestination variable in main.cf... That should do it, the guide is pretty much set up to act as a proper server but needs a few modifications.

A few people have adapted this guide to work with a real SMTP server (real in the sense of an MX record pointing to the server), and I believe it's a trivial procedure.  .....  The "receiving" section of this guide is pretty much independent of the sending section... so offering pop/imap to your friends shouldn't deviate from this guide too much....

All that said, this guide was not intended to offer services to a lot of people... As it stands now, it's tedious imo to maintain over 5 accounts.... just something to keep in mind... perhaps the virtual mailhosting guide would better suit you?

----------

## sourmash

Thanks for the advice, I only have at present 2 people relaying through my server and do not intend on going above 4 so this should be suitable to my needs.  On reading through the guide it appears that you only provide mail via IMAP and not via pop3s as well, I am not familiar with IMAP so can it run alongside pop3s in harmony or is it just best to stick with IMAP.  My main concern with IMAP is that the users have to stay connected to the internet to download the mail as and when they read it from my server whereas with pop3s they download it all to their workstations and can read it 'offline'.  

Thanks

sourmash

----------

## beowulf

It should work fine...

```
root@server # vi /etc/courier-imap/pop3d.cnf
root@server # cd /etc/courier-imap && mkpop3dcert
root@server # /etc/init.d/courier-pop3d-ssl start
 * Starting courier-pop3d over SSL...                                     [ ok ]
root@server # rc-update add courier-pop3d-ssl default
```

Then connect to the server using POP over SSL at port 995.

Hope this helps.

[edit: forgot to mention, they will co-exist fine together /]

----------

## sourmash

Thanks again for your help, I have updated the config as suggested however when I try to log in via pop3s using SSL not TLS I keep getting an error in my mail log showing:

```
[pop3d-ssl] Unexpected SSL connection shutdown.
```

If I use TLS I get no error messages which is good but I also get no email !!

Any ideas?

Thanks

sourmash

----------

## beowulf

 *sourmash wrote:*   

> Thanks again for your help, I have updated the config as suggested however when I try to log in via pop3s using SSL not TLS i keep getting an error in my mail log showing:
> 
> [pop3d-ssl] Unexpected SSL connection shutdown.
> 
> If I use TLS I get no error messages which is good but I also get no email !!
> ...

 

What client are you using?  Also keep in mind that you need to use your username/password that is stored in /etc/passwd when logging in... we used authpam for authdaemond...

Does this match?

```
cat /etc/courier-imap/pop3d | grep MAILDIR=
MAILDIR=.maildir
```

Is there mail in ".maildir/cur" or is it all stored in a subfolder of INBOX?

----------

## sourmash

I am using Kmail and the same username/passwords I use to log on normally.

Yes it does match!

It appears to store new mail that is not first filtered with a procmail recipe in .maildir/new

However there are some emails in .maildir/cur

I don't appear to have a folder called inbox, so I guess mail retrieved by IMAP and shown in the email client as being in the inbox is located in cur. I am surprised that it is not just in a folder called .inbox

Thanks

sourmash

----------

## sourmash

update:  Appears to be working fine now with pop3 and imap from within kmail, however in outlook express 6 (which my friends use) it just keeps asking for a username and password and does not appear to accept any connections, in my logs it shows this:

unknown password verifier

On searching it appears this is a common problem with OE6 and that cyrus-sasl needs to be compiled with the --enable-logon option which I am not sure if it is by default - do you? and that you have the following in your main.cf:

broken_sasl_auth_clients = yes

Which I have but still no joy, anyone else experiencing this as well? I followed the guide to the letter so I can't be the only one...can I...

thanks

sourmash

----------

## beowulf

 *sourmash wrote:*   

> update:  Appears to be working fine now with pop3 and imap from within kmail, however in outlook express 6 (which my friends use) it just keeps asking for a username and password and does not appear to accept any connections, in my logs it shows this:
> 
> unknown password verifier
> 
> On searching it appears this is a common problem with OE6 and that cyrus-sasl needs to be compiled with the --enable-logon option which I am not sure if it is by default - do you? and that you have the following in your main.cf:
> ...

 

Yeah, OE is fickle for lack of a better word... Cyrus-Sasl is compiled, or configured with --enable-logon... cat /usr/portage/dev-libs/cyrus-sasl/cyrus-sasl-2.1.14.ebuild | grep login

For some, OE works with SPA enabled, with others SPA must be disabled.... it really is an annoying thing from what I've found... In any case step 3.3 is where we setup sasl for auth, so that's where I would double check.. Unfortunately, OE has trouble with CRAM-MD5, so I think the whole guide would need to be changed to not require CRAM-MD5 to send.... I've never looked into it as I've never needed to use OE... If I get a chance, I'll see if I can change the setup for better OE integration.... Sorry couldn't be of more help...

----------

## sourmash

No probs, you've helped me a lot and I appreciate that.  I will see if I can persuade my friends to use a different email client on windows for the moment, any suggestions??

sourmash

----------

## bruzzler

Hi,

I have encountered this strange error following the tutorial:

linuxsrv root # /usr/sbin/postmap hash:/etc/postfix/saslpass

postmap: warning: valid_hostname: invalid character 44(decimal): linuxsrv.bruzzler.dyndns.org,

postmap: fatal: unable to use my own hostname

Anyone know where this damn "," comes from? It's not in /etc/dnsdomainname, but if I type in # dnsdomainname, it appears too.

Thanks for your Help

----------

## beowulf

Perhaps it's a typo in /etc/hosts ?

----------

## Bob Shroom

hi there, great tutorial, but i think, i got a similar problem like miha had before with the 'client host rejected'.

https://forums.gentoo.org/viewtopic.php?t=56633&postdays=0&postorder=asc&highlight=client+host+rejected+access+denied&start=221

imap works fine via ssl; i can login with thunderbird from a client in my lan or via squirrelmail and can browse my mail.

but when it comes to sending mail, i must have done something wrong.

doesn't matter, if i try to send mail from the mail-client (sylpheed-claws) installed on the server or from a client inside my lan (thunderbird or squirrelmail)... i always get this:

 *Quote:*   

> Jan 29 00:07:46 [postfix/master] daemon started -- version 2.0.16
> Jan 29 00:07:52 [postfix/smtpd] starting TLS engine
> ...

 

what am i doing wrong?   :Sad: 

maybe somebody can point me in the right direction. 

thanx in advance.

bob

maybe this helps:

```
doobistic root # grep -v "^#" /etc/postfix/main.cf | sed '/./,/^$/!d'
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myhostname = doobistic.no-ip.com
unknown_local_recipient_reject_code = 450
mynetworks = 192.168.4.0/24, 127.0.0.0/8
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.0.16-r1/sample
readme_directory = /usr/share/doc/postfix-2.0.16-r1/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_daemon_random_source = dev:/dev/urandom
tls_random_source = dev:/dev/urandom
```

----------

## beowulf

Hey Bob, Shrooms and Doob's eh?  :Shocked: 

Well, there's a few  things I can suggest:

1. Check your SSL generation steps.  It would appear there's a problem with the *.pem files you generated.  Did you add the -nodes switch?

2. is your FQDN listed in /etc/hosts ?  What does this code output: hostname -f

As a side note, I am in the process of re-writing the whole guide and plan to bump it to version 2 in a couple days....  I think I've found better ways to do the stuff that causes the most problems (IE: sasl, SSL and OE).  If you're willing to give me a few days, I'll have it updated and will bump the thread....

----------

## Bob Shroom

 *beowulf wrote:*   

> Hey Bob, Shrooms and Doob's eh? 

 

 :Laughing:   not in combination and not while i was setting up the server...that's for sure!   :Wink: 

 *beowulf wrote:*   

> Well, there's a few  things I can suggest:
> 
> 1. Check your SSL generation steps.  It would appear there's a problem with the *.pem files you generated.  Did you add the -nodes switch?
> ...

 

yes, i added -nodes matching your tutorial.

i also removed the old certificate and generated a new one...here is the output:

```
doobistic root # cd /etc/ssl/misc/
doobistic misc # ls -al
insgesamt 44
drwxr-xr-x    2 root     root         4096 29. Jan 09:52 .
drwxr-xr-x    7 root     root         4096 26. Jan 01:09 ..
-rwxr-xr-x    1 root     root         5220 26. Jan 22:42 CA.pl
-rwxr-xr-x    1 root     root         3505 25. Jan 13:06 CA.sh
-rwxr-xr-x    1 root     root          119 25. Jan 13:06 c_hash
-rwxr-xr-x    1 root     root          152 25. Jan 13:06 c_info
-rwxr-xr-x    1 root     root          113 25. Jan 13:06 c_issuer
-rwxr-xr-x    1 root     root          110 25. Jan 13:06 c_name
-rwxr-xr-x    1 root     root         6733 25. Jan 13:06 der_chop
doobistic misc # ./CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
...........++++++
.......................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bavaria]:
Locality Name (eg, city) [Nuremberg]:
Organization Name (eg, company) [doobistic.no-ip.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:chris
Email Address [chris@doobistic.no-ip.com]:
doobistic misc # ./CA.pl -newreq
Generating a 1024 bit RSA private key
...++++++
............................................................................................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bavaria]:
Locality Name (eg, city) [Nuremberg]:
Organization Name (eg, company) [doobistic.no-ip.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:chris
Email Address [chris@doobistic.no-ip.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
doobistic misc # ./CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 29 08:56:58 2004 GMT
            Not After : Jan 28 08:56:58 2005 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Bavaria
            localityName              = Nuremberg
            organizationName          = doobistic.no-ip.com
            commonName                = chris
            emailAddress              = chris@doobistic.no-ip.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6E:E3:FB:71:0E:B0:6E:8D:F2:6F:BF:E8:87:AF:59:F3:06:63:19:4C
            X509v3 Authority Key Identifier:
                keyid:C9:E2:BC:AE:7F:2F:70:07:20:F1:47:3F:F1:02:0C:86:4A:F2:FB:CE
                DirName:/C=DE/ST=Bavaria/L=Nuremberg/O=doobistic.no-ip.com/CN=chris/emailAddress=chris@doobistic.no-ip.com
                serial:00
Certificate is to be certified until Jan 28 08:56:58 2005 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
doobistic misc # rm /etc/postfix/new*.pem
doobistic misc # cp new*.pem /etc/postfix
doobistic misc # cp demoCA/cacert.pem /etc/postfix
doobistic misc # /etc/init.d/postfix stop
 * Stopping postfix...                                           [ ok ]
doobistic misc # /etc/init.d/postfix start
 * Starting postfix...                                           [ ok ]
```

the only difference from your output was that i was asked for a password when executing ./CA.pl -newreq (right after "writing new private key to 'newreq.pem'")

but somehow that didn't do the trick!

 *Quote:*   

> doobistic misc # tail -f /var/log/everything/current
> Jan 29 10:00:06 [postfix/smtpd] starting TLS engine
> ...

 

EDIT:

hold on...there is definitely something wrong with my ssl-cert.

when i connected to my imap @ home, i examined the certificate and found out that it uses the old cert i generated 2 days ago.

i must be missing something here....as you can see in the output above, i deleted the old certs in /etc/postfix. is there some cache, where the old certs are stored?

how can i make sure, that i definitely use only one (the right one) certificate?

 *beowulf wrote:*   

> 2. is your FQDN listed in /etc/hosts ?  What does this code output: hostname -f

 

```
doobistic root # cat /etc/hosts
# /etc/hosts:  This file describes a number of hostname-to-address
#              mappings for the TCP/IP subsystem.  It is mostly
#              used at boot time, when no name servers are running.
#              On small systems, this file can be used instead of a
#              "named" name server.  Just add the names, addresses
#              and any aliases to this file...
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/hosts,v 1.7 2002/11/18 19:39:22 azarah Exp $
#
127.0.0.1       localhost
-- deleted --
192.168.4.10    doobistic.no-ip.com     doobistic
-- deleted --
-- deleted --
```

```
doobistic root # hostname -f
doobistic.no-ip.com
```

well...quite frankly, this is where i got stuck a little bit.

the thing with the FQDN is something i find a little bit confusing...as the FQDN (according to your tutorial, my FQDN would be: doobistic.doobistic.no-ip.com...right?) doesn't resolve at all.

```
doobistic root # echo $(cat /etc/hostname).$(cat /etc/dnsdomainname)
doobistic.doobistic.no-ip.com
doobistic root #
```

i enabled NAT in my router/firewall to forward all relevant packets to the serverbox and when i nmap myself from the outside it just looks fine. but when i try to connect from the outside via thunderbird, the connection times out when connecting to 'doobistic.no-ip.com' and doesn't even try to connect when using 'doobistic.doobistic.no-ip.com'. (-> host does not exist)

this might be an entirely different problem, but i'd just like to know if i have to adjust my firewall settings (right now port 25 TCP and port 993 TCP get forwarded) or if it has something to do with restrictive imap/postfix/sasl settings?

EDIT:

ok...got the last problem solved! it wasn't my local firewall that needed to be adjusted, but the firewall of the outside lan was blocking my attempts to connect to imap @ home.

but i'm still not able to send mail!   :Rolling Eyes: 

 *beowulf wrote:*   

> As a side note, I am in the process of re-writing the whole guide and plan to bump it to version 2 in a couple days....  I think I've found better ways to do the stuff that causes the most problems (IE: sasl, SSL and OE).  If you're willing to give me a few days, I'll have it updated and will bump the thread....

 

sure, man...as far as i'm concerned, i got all the time in the world.  :Wink: 

keep up the good work.   :Smile: 

bob

----------

## bruzzler

Hi,

I corrected the error above by simply typing in my domain and hostname into /etc/postfix/main.cf

Now I have another problem with postfix: whenever I try to deliver local mail I get this error:

[postfix/postdrop] warning: unable to look up public/pickup: No such file or directory

Anyone who can help me ?

----------

## beowulf

Bob Shroom - Unfortunately I haven't been able to finish the guide... a few things came up that need my attention for the next week or so.... However, I may be able to help you with your SSL problem....

The new way I've been talking about regarding SSL is to use some pregenerated SSL certs I found in /etc/ssl/postfix.  They're pre-generated so no more editing -nodes and no more entering all sorts of stuff.... Anyways, here's a snippet from /etc/postfix/main.cf that shows which key files go with what option:

```
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
```

Your hosts issue should be resolved by enabling wild-cards with no-ip.org and changing /etc/hosts to read:

doobistic.doobistic.no-ip.com     doobistic

I believe your not being able to send is tied in with the SSL cert issue.... since you will be rejected if SSL fails... If after editing your main.cf you are still not able to send, please post back with another log entry....

bruzzler - Hmm... never seen the error before, but I searched Google and came up with this.  Unfortunately I haven't found a fix, but this post suggests that /var/spool/postfix/public is missing, and missing some files....

I would check there to see if there's anything wrong....

Here's my output for reference, though I don't know if this would be unique or not:

```
ls -l /var/spool/postfix/public/
total 8
drwx--x---    2 postfix  postdrop     4096 Jan 25 22:22 .
drwxr-xr-x   14 root     root         4096 Jan 25 22:04 ..
srw-rw-rw-    1 postfix  postfix         0 Jan 25 22:22 cleanup
srw-rw-rw-    1 postfix  postfix         0 Jan 25 22:22 flush
prw--w--w-    1 postfix  postfix         0 Jan 31 05:34 pickup
prw--w--w-    1 postfix  postfix         0 Jan 31 05:34 qmgr
srw-rw-rw-    1 postfix  postfix         0 Jan 25 22:22 showq
```

---------

Hope this helps guys

----------

## Bob Shroom

ok, i've edited main.conf so it uses the pre-generated ssl-certs:

```
doobistic root # cat /etc/postfix/main.cf | grep smtpd_tls
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
```

and i've modified /etc/hosts:

```
doobistic root # cat /etc/hosts | grep doobistic
192.168.4.10    doobistic.doobistic.no-ip.com   doobistic
```

enabled wildcard @ no-ip.com (now i can ping doobistic.doobistic.no-ip.com from the outside)

stopped and started postfix...

but unfortunately still no success in sending out some mail...   :Crying or Very sad: 

but at least the tls engine seems to start up correctly now:

 *Quote:*   

> Feb  1 17:26:50 [postfix/smtpd] starting TLS engine
> Feb  1 17:26:50 [postfix/smtpd] connect from localhost[127.0.0.1]
> ...

 

above is the output i am getting when i try to send via squirrelmail.

anyways...i'm not giving up on this...    :Wink: 

i will check _all_ my settings once again...maybe i'm lucky this time.

bob

EDIT:

after nuking my old one, i've edited a completely fresh main.cf and double checked, nothing is missing.

fasten your seatbelt....now i'm getting this output when i wanna send out some mail....this time i am using thunderbird: (using squirrelmail still gives the same output as stated above)

 *Quote:*   

> Feb  1 19:01:23 [imapd-ssl] Connection, ip=[192.168.4.20]
> Feb  1 19:01:26 [imapd-ssl] LOGIN, user=chris, ip=[192.168.4.20], protocol=IMAP
> Feb  1 19:01:48 [postfix/smtpd] starting TLS engine
> ...

 

----------

## beowulf

Bob,

If I understand it correctly, you want to become your own SMTP server, not using SASL to auth to your ISP's SMTP server...

In that case, here are a few more changes to /etc/postfix/main.cf that need to be made....

```
myorigin = $myhostname
.....
mydestination = $myhostname, localhost.$mydomain $mydomain
```

Also, you don't need any options that start with "smtp_sasl..." since you're going to become your own SMTP server.  This was the big error I made in the guide, not specifying what needed to be done...

This should enable your Server inside your lan to act as a true mail transport....

----------

## Bob Shroom

beowulf, i have the feeling, that my system is doomed for some reason.   :Sad: 

edited main.cf and enabled myorigin and mydestination and disabled all smtpd_sasl stuff.

mmmhhh....still no luck. postfix still bitches about a 'bad certificate' (see output in my last post)....looks like nothing has changed.

EDIT:

stopping and starting postfix should be enough for the changes to take effect, right? 'shutdown -r now ' is not necessary, right?

i hope, i'm not getting on your nerves...

before i started with your guide, i tried the gentoo virtual mailhosting guide, which worked fine, but for my small home lan, this setup was a little oversized in my opinion. so i was really happy, when i found your guide, as it is exactly what i want/need.

maybe i should just wait for your version 2.0 and try my luck again with this one then.

anyway....thanks for your help and time so far.   :Smile: 

----------

## pubecon

having trawled around looking for a howto on how to set up virtual users for postfix, I came across (of course) the gentoo howto but also...

http://annapolislinux.org/docs/plc/postfix-courier-howto.html

now, the gentoo howto is all well and good but I have my linux server running alongside a windows 2000 server and so would like to be getting some active directory integration/authentication going on

ANYWAY,

on the topic of virtual users there is very little said in either of these howtos

the gentoo howto has a throwaway  *Quote:*   

> So now when you're setting up vmail accounts, use the vmail uid, gid, and homedir. When you're setting up local accounts, use that users uid, gid, and homedir.

which I thought had been shed some light on by the second howto I mentioned, via

 *Quote:*   

> Step 7. Setup Filesystem for new users
> 
> a. as root run the following
> 
> ```
> ...

 

(aside: where did /home/1000 come from?!)

specifically the 

```
su -s
```

line to change to the virtual mail user, but when I run

```
id
```

all I get is root, which means I cannot continue with the remainder of the howto.

so, anyone know of a good howto or where I'm going wrong?

thanks for reading

----------

## IcedTerror

I have no problems with auth in imap.

but every time I try to send anything I get this error:

```
smtp < 220 mindseye.metalrooster.net ESMTP postfix
ESMTP > EHLO gen2.box.metalrooster.net
***connection closed by remote host.
```

I obviously missed something but can't seem to find it.

Any suggestions ??

IT

----------

## beowulf

Bob Shroom - I hope you made a typo in your post about the smtpd_sasl stuff... I hope you really meant you removed the smtp_sasl stuff  :Smile: 

The only time you have to reboot is when you change your kernel... 

I'm at a loss why SSL isn't working.... Bad certificate has me stumped since the pre-generated ones should've fixed it...

In any case, I'll be able to work on v2.0 some time this week, sorry if it's taking a while... and sorry to hear you dumped your working setup for this one which isn't.... I'll try to get the guide done quicker...

pubecon - Sorry man, I really don't have much knowledge in virtual mail users and all that jazz.... I think it would be best if you posted in the "Network And Security" forum as it will reach a much broader audience and your chances of getting a helpful reply will increase.

IcedTerror - I assume that's a telnet error and it disconnects you after EHLO?  Hmm... Not quite sure why.... one thing I might suggest is to make postfix's logging a bit more verbose by editing /etc/postfix/master.cf.  Find this line (about 65% in my file):

smtp      inet  n       -       n       -       -       smtpd

--- and append a -v switch to smtpd, like this ----

smtp      inet  n       -       n       -       -       smtpd -v

restart the server and see if it spits out any further errors....

----------

## bruzzler

Hi,

I have corrected the above error; it was caused by the init.d postfix script, which stated that postfix was started, but it wasn't really.

By now i have another problem:

Some of my local email is delivered by postfix and some not. I get email from cron, but whenever I try to send local email e.g. through kmail I don't receive it. I don't receive any from ddclient, either.

Regards,

Bruzzler

----------

## IcedTerror

Added the -v and received the same message.

This is a great tut but I just can't get it to work.

Thanks for the howto and maybe after I reread and redo the config things will work.

I may not have my networking setup correctly

thanks 

IT

----------

## Woolong

Hi,

Thanks to author about the great guide. I have the imap working already.   :Smile: 

However, when I tried to send a msg through postfix from a workstation on the same network, the authentication always fails. I'm sure postfix is alive because Kmail actually detected "TLS" for encryption and "DIGEST-MD5" for authentication.

So here is what I did:

```
rm /etc/sasl2/sasldb2
saslpasswd2 -c -u woolong.dyndns.org -a smtpauth mardiana
```

I've double checked the passwd several times, but postfix just keeps prompting for authentication.   :Crying or Very sad: 

I've even tried to change pwcheck_method to pam

```
root@server # vi /etc/sasl2/smtpd.conf
pwcheck_method:pam
```

and use the username and passwd on the gentoo system, but still fails.

Here is part of my /etc/postfix/main.cf

```
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_daemon_random_source = dev:/dev/urandom
tls_random_source = dev:/dev/urandom
```

----------

## Woolong

Sorry the prev post was unfinished.

Can anyone help me with the problem? I got prompts for username and passwd, and I'm pretty sure they are correct having reset the db over and over again.

Actually, is it possible to authenticate against pam instead of sasldb?

Thanx!

----------

## john5211

First let me say that this is a great guide, and this setup seems to be exactly what I am looking for ... kudos!

Unfortunately, I am having problems with the first part of the guide.  I am happily receiving mail and I have webmail setup, but I can't seem to get postfix to work correctly.  When I run the check command, here is what I get:

```
root@mailtux etc # /usr/sbin/postfix check
postfix: warning: My hostname localhost is not a fully qualified name - set myhostname or mydomain in /etc/postfix/main.cf
postsuper: warning: My hostname localhost is not a fully qualified name - set myhostname or mydomain in /etc/postfix/main.cf
```

I've followed all of the instructions, and even played around a little with setting the hostname directly in main.cf (to no avail).  Also, I own the domain name I am trying to use, and have no-ip.com happily pointing to my ip address.

For what it's worth, here is the my main.cf:

```
root@mailtux etc # grep -v "^#" /etc/postfix/main.cf | sed '/./,/^$/!d'
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
inet_interfaces = $myhostname, localhost
mydestination = $myhostname, localhost.$mydomain
unknown_local_recipient_reject_code = 450
mynetworks = 192.168.2.0/24, 127.0.0.0/8
relay_domains = $mydestination
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
home_mailbox = .maildir/
mailbox_command = /usr/bin/procmail -a $DOMAIN
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 20
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.0.16-r1/sample
readme_directory = /usr/share/doc/postfix-2.0.16-r1/readme
smtpd_sasl_auth_enable = yes
smtpd_sasl_password_maps = hash:/etc/postfix/saslpass
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_daemon_random_source = dev:/dev/urandom
tls_random_source = dev:/dev/urandom
```

and also my /etc/hosts:

```
mailtux postfix # grep -v "^#" /etc/hosts
127.0.0.1       localhost       mailtux
192.168.2.106   mailtux.johnsland.net   mailtux
```

Thanks for any insights you can offer, and let me know if you need any more info.

John

----------

## john5211

So I guess writing out my post made me look at everything a little harder and figure out what was wrong ... turns out that commenting out the localhost line in my /etc/hosts file and then restarting postfix did the trick.

Thanks again for the great guide!

John

----------

## pubecon

shouldn't you just have deleted the "mailtux" alias on the localhost line?
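
A small model of the /etc/hosts lookup behind john5211's "My hostname localhost is not a fully qualified name" warning and pubecon's fix, added here as an example and not taken from the thread. It assumes the resolver's files backend (the usual "files" entry in nsswitch.conf), which returns the first field of the first /etc/hosts line that lists the queried name as the canonical name; both hosts files are constructed from the posts above.

```python
"""Model how ``hostname -f`` derives a canonical name from /etc/hosts.

With the "files" backend, looking up the short hostname returns the
canonical name (first field) of the FIRST line that lists that name.
If that line is the loopback line with the host's name appended as an
alias, the canonical name is "localhost", which is what Postfix then
rejects as not fully qualified.
"""

# Constructed from john5211's post: "mailtux" is also an alias on the
# 127.0.0.1 line, so the first match for "mailtux" is the loopback line.
HOSTS_BROKEN = """\
127.0.0.1       localhost       mailtux
192.168.2.106   mailtux.johnsland.net   mailtux
"""

# Constructed: the same file with only the alias removed, as pubecon
# suggested (the localhost line itself stays).
HOSTS_FIXED = """\
127.0.0.1       localhost
192.168.2.106   mailtux.johnsland.net   mailtux
"""


def parse_hosts(text):
    """Return [(address, canonical_name, [aliases])] for each data line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # address with no names
        entries.append((fields[0], fields[1], fields[2:]))
    return entries


def canonical_name(hosts_text, short_name):
    """Canonical name of the first line listing short_name, or None."""
    for _addr, canon, aliases in parse_hosts(hosts_text):
        if short_name == canon or short_name in aliases:
            return canon
    return None


def is_fqdn(name):
    """Postfix's check here is simply whether the name contains a dot."""
    return name is not None and "." in name.strip(".")


def check_fqdn(hosts_text, short_name):
    """Return (what hostname -f would print, whether Postfix accepts it)."""
    canon = canonical_name(hosts_text, short_name)
    return canon, is_fqdn(canon)


if __name__ == "__main__":
    for label, text in (("broken", HOSTS_BROKEN), ("fixed", HOSTS_FIXED)):
        canon, ok = check_fqdn(text, "mailtux")
        print(f"{label}: hostname -f -> {canon!r}, fully qualified: {ok}")
```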

----------

## Bob Shroom

 *beowulf wrote:*   

> Bob Shroom - I hope you made a typo in your post about th smtpd_sasl stuff... I hope you really meant you removed the smtp_sasl stuff 

 

well, what i wanted to say was, that i commented out the lines starting with smtp_sasl...   :Smile: 

this is how it looks now:

```
...
#smtp_sasl_auth_enable = yes
#smtp_sasl_password_maps = hash:/etc/postfix/saslpass
#smtp_sasl_security_options = noanonymous,noplaintext 
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#smtpd_sasl_local_domain = $myhostname
#broken_sasl_auth_clients = yes
#smtpd_client_restrictions = permit_sasl_authenticated, reject 
...
```

 *beowulf wrote:*   

> In any case, I'll be able to work on v2.0 some time this week, sorry if it's taking a while... and sorry to hear you dumped your working setup for this one which isn't.... I'll try to get the guide done quicker...

 

no sweat...whenever you're finished, i'll be here to play the crash test dummy for you.   :Wink: 

----------

## beowulf

Woolong - One suggestion I have is setting this:

smtpd_sasl_local_domain = $myhostname

--to equal this:

smtpd_sasl_local_domain =

That should fix it... but I could be wrong.... Try that and let me know of any log output that seems important if it fails...  As for auth'ing against pam... that's what I'm working on in the new version... I've found sasldb causes more hassles than it's worth.... I think many in this thread would agree...

john5211 - Yeah, do what pubecon suggested.  Don't remove the alias to localhost... because I think that'll break something.  Not sure what it would break, but I think something will break.

Bob Shrooms - Your settings should be like this:

```
...
#smtp_sasl_auth_enable = yes
#smtp_sasl_password_maps = hash:/etc/postfix/saslpass
#smtp_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject
...
```

I've just about finished the guide... it'll probably be up tomorrow as I have to read over everything, scrap my current setup and restart it to make sure everything works properly....

-------------

Hope this helps guys...

----------

## beowulf

Bad taste I hear to reply after yourself... oh well

Version 2 is up, completely re-written and should have better support for Outlook Express.. We use shadow (pam) to authenticate to both servers so as to keep down on the unnecessary confusion that two separate user/pass combos created.  Also sasldb was more hassle than it's worth.

Hopefully this solves some of the major problems that existed before... If anything, let me know of any problems, errors or anything else at all

hope this helps

----------

## Bob Shroom

beowulf...you are the man!

I don't know what actually did the trick... but I can send email now!   :Very Happy: 

tried it via squirrelmail and via sylpheed-claws....works fine with both!

thanx again for your help and this great guide!

bob

----------

## Dolio

Hello,

I just got done following version 2.0 and IMAP works wonderfully.

However, like some previous people here, I'm having problems sending mail. I did the

KMail -> SASL -> Postfix -> SASL -> ISP

route to send things. However, I think the problem is in the first three, because messages never get sent as far as KMail is concerned.

I also tried using Thunderbird, and it complains about a bad or corrupted certificate (Error -8182, I believe).  KMail complained about bad certificates on both the SMTP and IMAP servers, but it said that was just because they were signed by themselves, or some such, so I didn't think much of it.

Do I need to do something to generate keys or certificates for SMTP authentication, or is something else wrong? The relevant (I think) parts of my postfix main.cf follow (I think I got them right, but many eyes are better than 2):

 *Quote:*   

> # sasl config stuff
> 
> smtpd_sasl_auth_enable = yes
> 
> smtpd_sasl_security_options = noanonymous
> ...

 

Any help would be appreciated. Great tutorial, by the way.

----------

## beowulf

Bob Shrooms - I'm glad everything worked and your email system is back up  :Smile: 

Dolio - There are two lines missing from the conf file... Try adding the following under your "mail relay" section so it looks like this:

```
# mail relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous
```

Regarding the Thunderbird error... Not quite sure about it, but every email client should complain about your certs because they are NOT generated by a trusted certificate agent.  That said, it should just be for your home network so nothing to worry about.  In KMail you can choose to accept the SSL cert forever.

Hope this helps.

----------

## Dolio

Thanks for the reply.

I did have those in there, but stupidly deleted them because I thought they were the same as the above ones (missing the difference between smtp and smtpd).

However, that doesn't solve the problem, unfortunately. I had it before I deleted them and still have it now.

I did a tail -f on the mail logs. When I try to send a mail in Thunderbird, and when I try to "check what the server supports" in kmail, I get things like the following:

*Quote:*

> Feb  6 04:26:38 [postfix/smtpd] SSL_accept:error in SSLv3 read certificate verify A


Along with lots of other SSL stuff.  I'll look back at past posts to see if anything like this was remedied earlier, but if anything jumps out at you, I'd be much obliged.

Thanks for all your help.

Edit:

Seems like I have the same problem as Bob, based on the errors in the log. I tried commenting out the mail relay stuff in main.cf, but that didn't seem to solve anything.  Anyhow, I guess this is a problem for another day. Maybe tomorrow I'll remerge OpenSSL and Postfix and see if that fixes anything.

----------

## beowulf

Curious what client you're currently using... and more importantly, what authentication method you're using with the client.  When you attempt to send email, what error does your client give you?

Those ssl errors:

```
Feb 6 04:26:38 [postfix/smtpd] SSL_accept:error in SSLv3 read certificate verify A
```

shouldn't prevent you from sending email... A lot of it is verifying various certificates...

If you could post a bit more from your logs, or what your client is saying, it would be helpful...

----------

## Dolio

For clients, both KMail and Thunderbird don't work. I haven't tried others. KMail doesn't generate any errors other than something like "failed to send some messages" in the status bar. Thunderbird gives 'Could not establish an connection because certificate presented is invalid or corrupted. Error Code: -8182' when trying to send.

In the KMail settings, Encryption is TLS, authentication is PLAIN, just like in the tutorial. That's what comes up by default when I click "Check What the Server Supports."  Thunderbird doesn't have a similar button, so I just chose similar settings to KMail.

Here's a complete tail while attempting to send mail from Thunderbird. KMail doesn't generate anything in the logs when attempting and failing to send.

 *Quote:*   

> Feb  6 13:48:59 [postfix/smtpd] 0460 74 c2 0b a3 12 88 da a9|33 4f 2f 3a aa 6b df fd  t....... 3O/:.k..
> 
> Feb  6 13:48:59 [postfix/smtpd] 0470 aa 17 54 ee 17 b8 f8 d8|1f 68 15 52 1e de 88 84  ..T..... .h.R....
> 
> Feb  6 13:48:59 [postfix/smtpd] 0480 ff 28 26 e9 b4 80 ba e0|dd 70 9e cf 21 64 bb a5  .(&..... .p..!d..
> ...

 

Does any of this help? It's not a big deal since I can send through my ISP's server, but this is more of an academic exercise than anything, and I'd like to be able to actually complete it.  :Smile: 

Thanks a bunch.

----------

## beowulf

Well, all that junk means that you're successfully starting a TLS session... the problem must be the client or authentication....

What does it say below the portion of the SSL log you posted?  For instance, my log holds what yours does, and directly below:

```
SSL_accept:SSLv3 flush data
Feb  7 02:00:28 Chimera postfix/smtpd[18375]: TLS connection established from Illusion.apparition.ath.cx[192.168.2.3]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Feb  7 02:00:28 Chimera postfix/smtpd[18375]: B82181BC2E: client=Illusion.apparition.ath.cx[192.168.2.3], sasl_method=PLAIN, sasl_username=beowulf
```

Kmail should generate a bit more verbose error on the client side... but if it doesn't, something should be recorded since it successfully started a TLS session.... /var/log/mail.err ? /var/log/mail.warn ?

----------

## Dolio

Okay, I don't know what happened but:

KMail now asks for a password when I try to send mail. It hadn't done that before, so that's good. However, it still fails.

But, I looked in /var/log/pwdfail/current, and it says things like:

*Quote:*

> Feb  7 02:38:14 [postfix/smtpd] warning: SASL authentication failure: no secret in database
> 
> Feb  7 02:38:14 [postfix/smtpd] warning: localhost[127.0.0.1]: SASL PLAIN authentication failed


And the /var/log/mail/current log now ends with:

 *Quote:*   

> Feb  7 02:42:02 [postfix/smtpd] SSL_accept:SSLv3 flush data
> 
> Feb  7 02:42:02 [postfix/smtpd] TLS connection established from localhost[127.0.0.1]: TLSv1 with cipher RC4-MD5 (128/128 bits)
> 
> Feb  7 02:42:02 [postfix/smtpd] warning: SASL authentication problem: unable to open Berkeley db /etc/sasl2/sasldb2: Permission denied
> ...

 

So I assume the permissions on /etc/sasl2/sasldb2 are set wrong. Currently they're:

 *Quote:*   

> -rw-r-----    1 root     mail        49152 Feb  5 19:25 sasldb2

 

Is this incorrect?

I don't know why KMail is connecting to postfix now and it didn't seem to be before, though. I guess I'll just chalk it up to random computer weirdness (like yesterday, when I was fooling around with apache2, and kept getting internal server errors on one file until I copied its contents, deleted the file, re-created the file and pasted the contents back in.  :Smile: ).  Sorry to trouble you so much.

----------

## beowulf

v2.0 of this guide stopped using sasldb since this error became all too common.  If you wish to continue using sasldb though, make sure you `chown postfix /etc/sasl2/sasldb2` ... since Postfix can't read the db as it stands now....

It's no trouble at all... Believe it or not, I've learned far more maintaining this guide than originally setting it up  :Smile: 

----------

## Dolio

Wait, 2.0 doesn't use that file? I used 2.0 though.

What setting causes it to check with sasldb2? Is it SASL_AUTHMECH=shadow?

I don't particularly want to use sasldb if there's an easier way (although I guess I don't care one way or the other).

I guess it's time for me to check my config files against the tutorial again.  :Smile: 

----------

## john5211

Hey Everyone,

Thanks for pointing out that I shouldn't have gotten rid of the whole localhost line in /etc/hosts (if you do then you have to reconfigure the IMAP server; I found that out the hard way  :Smile: ).

Anyway, once I was able to send mail without a problem using postfix, I went on to try to figure out how to receive mail directly using my new setup.  It took a while (at first I thought that my ISP might be blocking port 25, but that turned out to be wrong ...), but I finally found that I had to comment out a line in my main.cf, so that the relevant lines now look like:

```
#smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
```

I looked around in the docs for postfix some, but I'm still a little unclear ... is commenting out the smtpd_client_restrictions line a security risk?  If so does anyone have any suggestions for a good rule?

Dolio:  For me, at least, my permissions (and ownership) for  /etc/sasl2/sasldb2 are:

```
-rw-------    1 postfix  root        12288 Feb  4 20:32 sasldb2
```

So maybe that is your problem?

Also, in case anyone is interested in adding an antivirus component, configuring amavisd-new and clamav to work with this setup is very easy (at least it seemed to be so far ...  :Smile: ).  

Much of this is readily available in the README.postfix file that comes with the amavisd-new distribution.

Oh, and this assumes that you are running a version of postfix >= 2.0 (If you aren't, some of the config for master.cf will be different).

1) Preparation

First, emerge the software for amavisd-new and clamav:

```
emerge -pv amavisd-new clamav
```

2) Setting up amavisd-new

2.1) Initial configurations

Next, edit /etc/postfix/master.cf by adding the following lines (at the bottom of the file worked fine for me):

```
smtp-amavis unix -      -       n       -       2       lmtp
  -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o mynetworks_style=host
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
pre-cleanup  unix n     -       n       -       0       cleanup
    -o virtual_alias_maps=
    -o canonical_maps=
    -o sender_canonical_maps=
    -o recipient_canonical_maps=
    -o masquerade_domains=
cleanup unix    n       -       n       -       0       cleanup
    -o mime_header_checks=
    -o nested_header_checks=
    -o body_checks=
    -o header_checks=
smtp      inet  n       -       n       -       -       smtpd
    -o cleanup_service_name=pre-cleanup
pickup    fifo  n       -       n       60      1       pickup
    -o cleanup_service_name=pre-cleanup
```

Then edit your /etc/postfix/main.cf file to include support for amavis:

```
content_filter = smtp-amavis:[127.0.0.1]:10024
```

2.2) Optional Configurations

Now for some optional configurations.  The configuration file for amavisd-new is ~1500 lines long, so there are many options that can be controlled.  These are the ones that I found most useful for my small home setup (although amavisd should work just fine without changing any of these if you don't want to).

To modify the configuration settings for amavisd-new, open up the config file /etc/amavisd.conf .  From there you can:

1)  Tell amavisd what to do about sending return emails when you get a virus and/or spam (note: this has nothing to do with whether or not the virus/spam is saved in a quarantine).

By default, amavisd sends a bounce or a reject when it scans a spam or a virus.  To change that behavior so that it does nothing (i.e. just drops the email w/o a reply to the sender), go to ~ line 380 in the file and change $final_virus_destiny and $final_spam_destiny (and the other ones if you like) to D_DISCARD:

```
$final_virus_destiny      = D_DISCARD;  # (defaults to D_BOUNCE)
$final_banned_destiny     = D_BOUNCE;   # (defaults to D_BOUNCE)
$final_spam_destiny       = D_DISCARD;  # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS;     # (defaults to D_PASS), D_BOUNCE suggested.
```

If you prefer to bounce virus emails back to the senders except when the virus is known to spoof the return address, there are more detailed configurations at ~ line 430 that allow you (at least in principle) to do this.

2)   If you would like a notification sent to you or an admin when a virus (or spam) is detected, you can specify a default location at ~ line 450 in the conf file.  In this example, I am sending all the notifications to virusalert@mydomain.com.  In this case, I would either have to create a user named virusalert or specify an alias in /etc/aliases.

```
$virus_admin = "virusalert\@$mydomain";
# $virus_admin = undef;   # do not send virus admin notifications (default)
# $virus_admin = {'not.example.com' => '', '.' => 'virusalert@example.com'};
# $virus_admin = 'virus-admin@example.com';
```

The spam controls are virtually identical and are located directly below.

3)  If you want to quarantine virus and/or spam mail, go to ~ line 510, define the quarantine directory, and tell amavisd to put the mail there:

```
$QUARANTINEDIR = '/var/run/amavis/virusmails';
...
#use the new 'bsmtp:' method as an alternative to the default 'local:'
$virus_quarantine_method = "bsmtp:$QUARANTINEDIR/virus-%i-%n.bsmtp";
$spam_quarantine_method  = "bsmtp:$QUARANTINEDIR/spam-%b-%i-%n.bsmtp";
```

Also, make sure that the lines for virus and/or spam quarantines near line 580 are not commented out (alternately, if you don't want to quarantine anything, comment out the lines):

```
$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine
...
$spam_quarantine_to = 'spam-quarantine';
```

Finally, you need to make sure that whatever directory you chose as the quarantine directory exists and is owned by amavis:

```
# mkdir /var/run/amavis/virusmails
# chown amavis.amavis /var/run/amavis/virusmails
```

If you are like me and have tons of people sending you the latest viruses via email, you might want to set up a cron job in cron.daily or cron.weekly to delete the quarantined email on a regular basis.

4) If you want to use amavisd to filter out emails with suspicious file types as attachments, look at ~ line 660 and uncomment the following (and add your own types if you like):

```
   qr'.\.(exe|vbs|pif|scr|bat|com)$'i,               # banned extension - basic
```

3) Configuring ClamAV 

Luckily, nothing really needs to be done to clamav, as amavisd just calls the command line scanner (so we don't need to start the daemon).  We do, however, want to make sure that we are updating our virus definitions on a regular basis, so create a file in /etc/cron.daily (I called mine freshclam, but the name doesn't matter ...) with the following content:

```
#! /bin/sh
#This entry updates the virus defs daily
/usr/local/bin/freshclam --quiet -l /var/log/clam-update.log
```

Next, make sure the permissions are correct (it needs to be executable):

```
-rwxr-xr-x    1 root     root          116 Feb  6 23:55 freshclam
```

Finally, as mentioned in the guide, make sure that fetchmail is passing the mail directly to postfix (via port 25) rather than procmail.  Since I check mine via cron, I just changed my crontab to:

```
*/5  * * * * /usr/bin/fetchmail -K -s
```

(vary your options to taste, of course ... the important thing is to get rid of the '-m procmail ...' part of the line).

4) Testing and Automation

That's it for the config ... now all that's left is to start everything up!  For the first try, you can start amavisd in debug mode:

```
    # su - amavis
    $ /usr/local/sbin/amavisd debug
```

In another window, reload postfix (/etc/init.d/postfix reload).  If there are problems and you can't send/receive mail (or the virus scanner isn't doing its job), you should be able to see it in the debugging output and the mail logs (mine are in /var/log/mail.log).

Once you know everything is working, go ahead and set amavisd to start with the system:

```
amavis # rc-update add amavisd default
```

Anyway, this seems to be a little longer than I thought it was going to be!  Hope it helps anyone who wants to add virus scanning into their system.

Oh, one other tip, if you have SpamAssassin installed on your system, amavis is supposed to integrate with it almost seamlessly ... I don't have it installed so I don't know, so maybe someone who does could let me know if it works?

John

Last edited by john5211 on Sun Feb 08, 2004 7:13 am; edited 1 time in total
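As an added example that is not part of john5211's post, the guide, Postfix or amavisd-new: a small Python checker for the main.cf/master.cf wiring described above. It parses both files and flags the re-injection listener that forgets `-o content_filter=` (a mail loop back into amavisd), a recipient restriction list that never reaches reject_unauth_destination before an unconditional permit (an open relay, the concern behind the smtpd_client_restrictions question), and a client restriction list with a bare reject (the inbound-mail problem hit above). The sample config text is constructed for the example.

```python
"""Static checks for the Postfix <-> amavisd-new wiring shown in the post above.

Constructed example, not code from the guide, Postfix or amavisd-new. It parses
main.cf / master.cf text and flags a re-injection listener that does not clear
content_filter (mail loop), a recipient restriction list that never reaches
reject_unauth_destination (open relay), and a client restriction list that
rejects every unauthenticated MTA (the inbound-mail problem described above).
"""
import re

# Constructed sample files, modelled on the snippets in the post, not a real box.
MAIN_CF_OK = """\
myhostname = mail.example.home
content_filter = smtp-amavis:[127.0.0.1]:10024
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
"""
MASTER_CF_OK = """\
# service type private unpriv chroot wakeup maxproc command
smtp-amavis unix -      -       n       -       2       lmtp
  -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
smtp      inet  n       -       n       -       -       smtpd
    -o cleanup_service_name=pre-cleanup
"""
TERMINAL_REJECTS = {"reject", "reject_unauth_destination", "defer_unauth_destination"}
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}

def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params

def parse_master_cf(text):
    """Return {(service, type): {"command": str, "overrides": {param: value}}}."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():  # continuation line: "-o parameter=value"
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)$", raw)
            if m and current is not None:
                current["overrides"][m.group(1)] = m.group(2).strip()
            continue
        fields = raw.split()  # name type private unpriv chroot wakeup maxproc command
        if len(fields) >= 8:
            current = {"command": fields[7], "overrides": {}}
            services[(fields[0], fields[1])] = current
    return services

def split_restrictions(value):
    return [item for item in re.split(r"[\s,]+", value) if item]

def relay_safe(restrictions):
    """True if a terminal reject is reached before any permit other than the two safe ones."""
    for item in restrictions:
        if item in TERMINAL_REJECTS:
            return True
        if item.startswith("permit") and item not in SAFE_PERMITS:
            return False
    return False

def check_config(main_text, master_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    main, master = parse_main_cf(main_text), parse_master_cf(master_text)
    findings = []
    transport = main.get("content_filter", "").split(":")[0]
    if not transport:
        findings.append("content_filter is unset: mail is never handed to amavisd")
    elif (transport, "unix") not in master:
        findings.append(f"content_filter names '{transport}' but master.cf has no such unix service")
    reinject = master.get(("127.0.0.1:10025", "inet"))
    if reinject is None:
        findings.append("no 127.0.0.1:10025 re-injection listener in master.cf")
    else:
        ov = reinject["overrides"]
        if ov.get("content_filter") != "":
            findings.append("re-injection listener does not clear content_filter: mail loop")
        if ov.get("mynetworks") != "127.0.0.0/8":
            findings.append("re-injection listener should set mynetworks=127.0.0.0/8")
        if not relay_safe(split_restrictions(ov.get("smtpd_recipient_restrictions", ""))):
            findings.append("re-injection listener has no terminal reject: it relays for anyone")
    if not relay_safe(split_restrictions(main.get("smtpd_recipient_restrictions", ""))):
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination: open relay")
    if "reject" in split_restrictions(main.get("smtpd_client_restrictions", "")):
        findings.append("smtpd_client_restrictions contains a bare reject: inbound MTAs are refused")
    return findings
```

Feed it the real files with `check_config(open("/etc/postfix/main.cf").read(), open("/etc/postfix/master.cf").read())` after editing; an empty list means the three checks passed.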

----------

## beowulf

Dolio - It might be caching on your browser or ISP.... anyways, let me know how it goes  :Smile: 

john5211 - Excellent work on clamav!  The way your conf looks now is fine...  :Smile: 

----------

## Dolio

Well, I don't think my web browser was using a cached version, because I've reloaded the first page many times, and I don't think I ever visited this thread before version 2.0 anyway.

I've checked all my config files against the ones in the tutorial, and I can't see any discrepancies.  Is it possible that SASL is just ignoring its configuration or something? I see 5 saslauthd -a shadow processes running, but it seems that when postfix tries to authenticate, it just tries to use sasldb2.

I've googled for solutions, but found none. I found a tutorial similar to your own, but it seemed to talk about saslauthd and sasldb solutions without distinguishing between the two, so that was no help. I searched the forums here and found several people having problems with saslauthd, both with the pam and shadow auth methods. However, the threads just end without a solution, so they are no help (One ends with "Hey, it magically fixed itself!", but that's not a very satisfying solution  :Smile: ).

One other thing I've noticed is that when I click on the "Check what the server supports" and when I turn off TLS momentarily and telnet to postfix, it lists many more options than just PLAIN and LOGIN for logging in. Here's the line:

*Quote:*

> 250-AUTH GSSAPI CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
> 
> 250-AUTH=GSSAPI CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
> ...


I don't know if that sheds any light.

I guess I'm about to give up. Such is life.  :Smile: 

----------

## Woolong

Dolio and beowulf:

I encountered the same problem on authentication with postfix/sasl. I've followed the ver.2 guide in order for sasl to authenticate against shadow. However, sasl seems to ignore the setting and continue to authenticate against sasldb!   :Crying or Very sad: 

I think that explains why postfix/sasl always refuses my user/passwd.

The "Virtual Mailhosting System Guide" also mentions the problem: http://www.gentoo.org/doc/en/virt-mail-howto.xml

*Quote:*

> Note: Now for some reason, sasl will not play nicely with pam against the shadow file. I banged my head against this problem for, well, a long time. If anyone knows why sasl will not auth against the shadow file in its current gentoo incarnation, please email me as I'd love to hear a solution to this.

*Quote:*

> As I said before, as it stands now AUTH will not work. That's because sasl will try to auth against its sasldb, instead of the shadow file for some unknown reason, which we have not set up. So we're going to just plow through and set up mysql to hold all of our auth and virtual domain information.


beowulf, do you have any idea how to work around the problem? It'll be nice if I can get sasl working without using mysql.

Thanks for listening

----------

## axxackall

If you just emerged clamav and f-prot *AND* you don't have any other virus scanner then comment out all virus scanners in amavisd.conf leaving only two of them. I use clamav as a primary scanner and f-prot as a backup, but your mileage may vary:

```
@av_scanners = (
  ### http://clamav.elektrapro.com/
  ['Clam Antivirus - clamscan', 'clamscan',
    '--stdout --disable-summary -r {}', [0], [1],
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

@av_scanners_backup = (
  ### http://www.f-prot.com/
  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6],
    qr/Infection: (.+)/ ],
);
```

I haven't found a convenient way to run either clamav or f-prot as a daemon, so I've decided: if it's broken just to install as a daemon then most likely it will also fail to work as a daemon.

But as a command-line scanner both clamav and f-prot work fine. All infected messages are quarantined. 

I am so excited with clamav and f-prot that I am thinking if I could use them with squid or DansGuardian.

----------

## MooktaKiNG

When I try to send an email from Outlook, using SSL, I get this error:

```
Feb 10 23:22:52 [postfix/smtpd] starting TLS engine
Feb 10 23:22:52 [postfix/smtpd] connect from unknown[192.168.1.2]
Feb 10 23:22:52 [postfix/smtpd] disconnect from unknown[192.168.1.2]
```

Why wouldn't it recognise the 192.168.1.2 ip? weird.

Also I want to use a relay, authenticated, but without SSL. How can I do this?

----------

## Woolong

Another thought on cyrus-sasl & pam: is there any way to make sure that sasl is actually using /etc/sasl2/smtpd.conf?

Would it be possible that sasl checks on another file that doesn't exist, and defaults back to sasldb?

----------

## Woolong

In response to Dolio and my own question about why sasl won't authenticate against shadow:

```
nano -w /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: LOGIN PLAIN
```

I found this out after reading a hundred times the virtual mailhosting system guide. http://www.gentoo.org/doc/en/virt-mail-howto.xml

One question: how do I change the info to my own in these new certs?

```
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
```

----------

## Dolio

Ah! Wonderful. It works now.

I wonder what's wrong that it doesn't check the /etc/ version.

Must be a missing configure flag in the ebuild, or something, because the manpage for saslauthd doesn't mention that you can specify alternate config files (in which case you could just modify the init script, I guess).

Anyway, thanks so much for your help, and that goes for everyone who puzzled over my problems.  :Smile: 

----------

## beowulf

Sorry for taking so long to reply.... been kind of busy and unable to browse forums and such... in any case, it appears that most of the problems solved themselves so to speak.... Anyways....

*Woolong wrote:*

> In response to Dolio and my own question about why sasl won't authenticate against shadow:
> 
> ```
> nano -w /usr/lib/sasl2/smtpd.conf
> ...


woolong, dolio -  Excellent, I'll make the addition to the guide after this post is submitted about /usr/lib/sasl2/smtpd.conf -- I happened to have it set, but didn't think it was getting read so went with /etc/sasl..... I'll list both just to be safe as I can't determine which file is being read... (better to be safe than sorry I guess....)

Thanks for the correction and I'll add it to the guide!

Unfortunately, I'm not sure what you mean by your own certs.  Do you mean you wish to generate them yourself?  Or that you have your own from a "trusted certificate authority" such as Verisign and Thawte?  If it's the first (generate your own), I can post some steps if you'd like?  Let me know....

MooktaKiNG -- Postfix doesn't need to recognize your ip, however, it might be prudent to add a line in /etc/hosts describing your computer at 192.168.1.2...

If you wish to disable SSL, I believe you can simply comment out the SSL stuff in /etc/postfix/main.cf...

---------

Version 2.1 added, it just contains the fix mentioned above, as well as a link to this page for the AV info... Nothing major...

Again, sorry for taking so long to reply....

----------

## MooktaKiNG

Oh, I've solved this already. It was a spelling mistake when I was sending my email  :Very Happy:  :Very Happy:  :Very Happy: 

Anyway, this is a fantastic howto. Great help this is.

Maybe you can add samba and Ldap authentication  :Smile: 

Or better yet, maybe a new section on email encryption. 

I've been watching this thread grow since 1.0; it's great work, nicely laid out and a great step by step guide.

Thank you  :Smile: 

----------

## MooktaKiNG

Also it would be a great idea to integrate something like hotwayd or gotmail to add Hotmail compatibility.

Hotwayd can also support other websites, like Yahoo etc.

I love the way the bogofilter has been setup. Fantastic idea. Now there's no need to look for server side plugins for squirrelmail, and now also any web client can be used  :Smile: 

----------

## PloreOSU

*beowulf wrote:*

> woolong, dolio -  Excellent, I'll make the addition to the guide after this post is submitted about /usr/lib/sasl2/smtpd.conf -- I happened to have it set, but didn't think it was getting read so went with /etc/sasl..... I'll list both just to be safe as I can't determine which file is being read... (better to be safe than sorry I guess....)


beowulf - On my system /usr/lib/sasl2/smtpd.conf is a symlink to /etc/sasl2/smtpd.conf

I'm getting the Thunderbird SMTP problem with TLS enabled.

```
Could not establish an encrypted connection because certificate presented by 192.168.1.100 is invalid or corrupted.  Error Code: -8182
```

Setting "smtpd_tls_auth_only = no" and turning TLS off in Thunderbird lets me send okay (but my password is going out cleartext).  I can send with TLS on in Outlook Express 5.0 and Outlook 2000.  It looks like the certificates are bad, but Outlook Express uses them anyway.

Using Thunderbird:

```
Feb 12 18:24:43 [postfix/smtpd] SSL_accept:SSLv3 flush data
Feb 12 18:24:43 [postfix/smtpd] read from 08094FA8 [080A3408] (5 bytes => -1 (0xFFFFFFFF))
Feb 12 18:24:43 [postfix/smtpd] SSL_accept:error in SSLv3 read client certificate A
Feb 12 18:29:43 [postfix/smtpd] SSL_accept error from unknown[192.168.0.50]: -1
Feb 12 18:29:43 [postfix/smtpd] disconnect from unknown[192.168.0.50]
```

Using Outlook Express 5.0:

```
Feb 12 13:31:09 [postfix/smtpd] SSL_accept:SSLv3 flush data
Feb 12 13:31:09 [postfix/smtpd] read from 0809A1D0 [080A38A0] (5 bytes => -1 (0xFFFFFFFF))
Feb 12 13:31:09 [postfix/smtpd] SSL_accept:error in SSLv3 read client certificate A
Feb 12 13:31:10 [postfix/smtpd] read from 0809A1D0 [080A38A0] (5 bytes => 5 (0x5))
Feb 12 13:31:10 [postfix/smtpd] 0000 16 03 01 00 86     .....
Feb 12 13:31:10 [postfix/smtpd] read from 0809A1D0 [080A38A5] (134 bytes => -1 (0xFFFFFFFF))
Feb 12 13:31:10 [postfix/smtpd] SSL_accept:error in SSLv3 read client certificate A
Feb 12 13:31:10 [postfix/smtpd] read from 0809A1D0 [080A38A5] (134 bytes => 134 (0x86))
Feb 12 13:31:10 [postfix/smtpd] 0000 10 00 00 82 00 80 58 78|74 71 69 91 dc 28 4f 77  ......Xx tqi..(Ow
Feb 12 13:31:10 [postfix/smtpd] 0010 e5 79 62 ed 4c d7 fe be|3f 8c fc 46 63 0f d8 4e  .yb.L... ?..Fc..N
Feb 12 13:31:10 [postfix/smtpd] 0020 a7 e4 88 a8 64 1f 92 4c|ab 8d 9a 28 29 a8 89 31  ....d..L ...()..1
Feb 12 13:31:10 [postfix/smtpd] 0030 12 bf 52 50 87 3a 40 57|ae a2 41 2b 6a c2 b1 da  ..RP.:@W ..A+j...
Feb 12 13:31:10 [postfix/smtpd] 0040 0b 34 da 97 13 e0 2e 0d|b5 ce ad 34 5b ba fa 27  .4...... ...4[..'
Feb 12 13:31:10 [postfix/smtpd] 0050 15 0e d5 d3 2b 70 04 8c|5d b5 c3 2e 50 4f 24 a8  ....+p.. ]...PO$.
Feb 12 13:31:10 [postfix/smtpd] 0060 7d 65 e9 50 73 a5 81 b0|c9 8e a0 e8 fe bc 17 f4  }e.Ps... ........
Feb 12 13:31:10 [postfix/smtpd] 0070 bb 04 91 de 5d 0d f7 a3|01 80 a7 ab 5d 5c 2c d8  ....]... ....]\,.
Feb 12 13:31:10 [postfix/smtpd] 0080 28 85 be 3e 40 dc     (..>@.
Feb 12 13:31:10 [postfix/smtpd] SSL_accept:SSLv3 read client key exchange A
Feb 12 13:31:10 [postfix/smtpd] read from 0809A1D0 [080A38A0] (5 bytes => -1 (0xFFFFFFFF))
Feb 12 13:31:10 [postfix/smtpd] SSL_accept:error in SSLv3 read certificate verify A
Feb 12 13:31:10 [postfix/smtpd] read from 0809A1D0 [080A38A0] (5 bytes => 5 (0x5))
Feb 12 13:31:10 [postfix/smtpd] 0000 14 03 01 00 01     .....
Feb 12 13:31:10 [postfix/smtpd] read from 0809A1D0 [080A38A5] (1 bytes => -1 (0xFFFFFFFF))
Feb 12 13:31:10 [postfix/smtpd] SSL_accept:error in SSLv3 read certificate verify A
Feb 12 13:31:10 [postfix/smtpd] read from 0809A1D0 [080A38A5] (1 bytes => 1 (0x1))
Feb 12 13:31:10 [postfix/smtpd] 0000 01     .
Feb 12 13:31:10 [postfix/smtpd] read from 0809A1D0 [080A38A0] (5 bytes => -1 (0xFFFFFFFF))
Feb 12 13:31:10 [postfix/smtpd] SSL_accept:error in SSLv3 read certificate verify A
Feb 12 13:31:10 [postfix/smtpd] read from 0809A1D0 [080A38A0] (5 bytes => 5 (0x5))
Feb 12 13:31:10 [postfix/smtpd] 0000 16 03 01     ...
Feb 12 13:31:10 [postfix/smtpd] 0005 - <SPACES/NULS>?
Feb 12 13:31:10 [postfix/smtpd] read from 0809A1D0 [080A38A5] (32 bytes => -1 (0xFFFFFFFF))
Feb 12 13:31:10 [postfix/smtpd] SSL_accept:error in SSLv3 read certificate verify A
Feb 12 13:31:10 [postfix/smtpd] read from 0809A1D0 [080A38A5] (32 bytes => 32 (0x20))
Feb 12 13:31:10 [postfix/smtpd] 0000 71 8e ff 2a 2e 1b e9 94|83 0b e3 29 08 f3 c3 09  q..*.... ...)....
Feb 12 13:31:10 [postfix/smtpd] 0010 6c 73 bf 7a 1c 9e b2 e6|30 49 fe 23 1a a5 1a fb  ls.z.... 0I.#....
Feb 12 13:31:10 [postfix/smtpd] SSL_accept:SSLv3 read finished A
Feb 12 13:31:10 [postfix/smtpd] SSL_accept:SSLv3 write change cipher spec A
Feb 12 13:31:10 [postfix/smtpd] SSL_accept:SSLv3 write finished A
Feb 12 13:31:10 [postfix/smtpd] write to 0809A1D0 [080B19C8] (43 bytes => 43 (0x2B))
Feb 12 13:31:10 [postfix/smtpd] 0000 14 03 01 00 01 01 16 03|01 00 20 77 d0 f2 d8 0d  ........ .. w....
Feb 12 13:31:10 [postfix/smtpd] 0010 b4 bf c9 04 c8 f5 99 17|aa b7 d9 0c 7e d4 2f 54  ........ ....~./T
Feb 12 13:31:10 [postfix/smtpd] 0020 2c 15 d6 4e f7 23 fc d7|e0 c5 c6     ,..N.#.. ...
Feb 12 13:31:10 [postfix/smtpd] SSL_accept:SSLv3 flush data
Feb 12 13:31:10 [postfix/smtpd] TLS connection established from nat-wv.mentorg.com[192.94.38.34]: TLSv1 with cipher RC4-MD5 (128/128 bits)
```

----------

## beowulf

MooktaKiNG -- I think I'll sign up for a hotmail account just to test out gotmail and add it to the guide... I don't have an account so never bothered investigating the matter.... But quite a number of people use it... so I guess it wouldn't hurt  :Smile:  -- I don't think I'll be adding ldap or samba though... not for a very long time... I know nothing of ldap and I can't even get my printer working in samba... I haven't tried very hard since I only play games in Windows... It may go on a possible todo list, not sure yet... thanks for the suggestions.

PloreOSU -- Yeah, it used to be a symlink on my system before my HDD died and had to re-install.  I think one of the newer ebuilds determines if the file/symlink exists and if not copies a file to both places... *shrugs*  -- I believe Thunderbird won't allow you to connect when the SSL cert is not valid (not issued by a trusted source).  If I get some time over the weekend I'll try testing it out and see why only Thunderbird is choking on the certs...  Thanks for the confirmation.

----------

## Woolong

 *Quote:*   

> 
> 
> Unfortunately, I'm not sure what you mean by your own certs. Do you mean you wish to generate them yourself? Or that you have your own from a "trusted certificate authority" such as Verisign and Thawte? If it's the first (generate your own), I can post some steps if you'd like? Let me know.... 
> 
> 

 

What I meant was changing fields like countryName_default and stateOrProvinceName_default to what I want.

Since you've mentioned it, I'm also interested in getting a cert from a "trusted certificate authority". I'm curious about how much it costs, which one is the best provider, and the steps to get it done.

No need to be sorry. We are all grateful for what you've done for the guide!   :Very Happy: 

----------

## morlix

I still can't log in to my courier-imap-ssl!

IMAP works, but imap-ssl does not...

I read the whole thread, but I didn't find the solution for my problem(s)...

/var/log/messages

```

Feb 14 02:25:38 <hostname> imapd-ssl: Connection, ip=[<ip>]

Feb 14 02:25:39 <hostname> imapd-ssl: LOGIN: DEBUG: ip=[<ip>], command=AUTHENTICATE

Feb 14 02:25:44 <hostname> imapd-ssl: LOGIN FAILED, ip=[<ip>]

Feb 14 02:25:44 <hostname> imapd-ssl: LOGIN: DEBUG: ip=[<ip>], command=LOGIN

Feb 14 02:25:44 <hostname> imapd-ssl: LOGIN: DEBUG: ip=[<ip>], username=morlix

Feb 14 02:25:49 <hostname> imapd-ssl: LOGIN FAILED, ip=[<ip>]

```

/etc/courier-imap/authdaemond.conf

```

AUTHDAEMOND="authdaemond.plain"

```

/etc/courier-imap/authdaemonrc

```

authmodulelist="authpam"

```

/etc/courier-imap/imap-ssl

```

SSLPORT=993

SSLADDRESS=0

SSLPIDFILE=/var/run/imapd-ssl.pid

IMAPDSSLSTART=Yes

IMAPDSTARTTLS=YES

IMAP_TLS_REQUIRED=0

COURIERTLS=${bindir}/couriertls

TLS_PROTOCOL=SSL3

TLS_STARTTLS_PROTOCOL=TLS1

TLS_CERTFILE=/etc/courier-imap/imapd.pem

TLS_VERIFYPEER=NONE

TLS_CACHEFILE=/var/lib/courier-imap/couriersslcache

TLS_CACHESIZE=524288

```

/etc/pam.d/imap

```

auth       required     pam_nologin.so

auth       required     pam_stack.so service=system-auth

account    required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth

```

grZ morlix

----------

## tjh

I love this guide... but I have a strange problem...

I have three machines on my network... #1 is my email server, #2 is a gentoo linux client, and #3 is a WIndows XP client.

I can send email great from my linux client.  But from the windows client I always receive the TLS error #454: "TLS not available due to temporary reason"

Why can I access it fine from my linux machine but not from windows?  I have tried using telnet from both client hosts.   I use 'ehlo foo' and then 'starttls'.  this works from my linux client but not from my windows telnet client.

Any ideas????

Thanks...Last edited by tjh on Mon Feb 16, 2004 6:11 pm; edited 1 time in total

----------

## Dillinger

Alright, well after changing all the $myhostname $mydomain to just dillinger.homelinux.org and adding mydomain = dillinger.homelinux.org and myhostname = dillinger.homelinux.org I'm able to send and receive email on the server. Also had to change the net/mask to 192.168.0.0/24 instead of 192.168.0.1/24. Great guide man, it worked out great once I figured out a couple of my own mistakes!

----------

## anil_et

Hi

I have followed your howto until 3.4 to set up a mail server, just to enable my web server to email passwords to users.

I was unable to do it because my ISP is blocking port 25 with the previous setup.

Now even after I followed the guide I could send mails only to internal addresses; I could send mails to myname@myisp.com. When I try someone@hotmail.com I get the following error  *Quote:*   

> 
> 
> Feb 15 23:37:23 puppy postfix/smtp[12444]: connect to mx3.hotmail.com[65.54.253.99]: Connection timed out (port 25)
> 
> Feb 15 23:37:46 puppy postfix/smtp[12262]: connect to mx1.hotmail.com[65.54.166.99]: Connection timed out (port 25)
> ...

 

Here is my main.cf file

 *Quote:*   

> root@puppy anil # grep -v "^#" /etc/postfix/main.cf | sed '/./,/^$/!d'
> 
> queue_directory = /var/spool/postfix
> 
> command_directory = /usr/sbin
> ...

 

Any idea where I went wrong?

Anil

----------

## Woolong

beowulf:

After solving the problem with sasl, my postfix relays msg for "internal" clients perfectly. However, it refuses to relay for "external" clients. It will only work if I add the external client's IP to "mynetworks", but this approach doesn't work for me because some external clients don't have static IP.

Here is my /etc/postfix/main.cf

```

inet_interfaces = all

mydestination = $myhostname, localhost.$mydomain $mydomain

unknown_local_recipient_reject_code = 550

mynetworks = 127.0.0.0/8 10.0.9.0/24

smtpd_sasl_auth_enable = yes

smtpd_sasl2_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_local_domain =

broken_sasl_auth_clients = yes

smtpd_client_restrictions = permit_sasl_authenticated,reject

smtpd_use_tls=yes

smtpd_tls_auth_only = yes

smtpd_tls_key_file = /etc/ssl/postfix/server.key

smtpd_tls_cert_file = /etc/ssl/postfix/server.crt

smtpd_tls_CAfile = /etc/ssl/postfix/server.pem

smtpd_tls_loglevel = 3

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

```

Since sasl is doing authentication, is there a way to tell postfix to relay for "untrusted" clients?

----------

## Woolong

beowulf:

To relay to an ISP, I just found out that you also need this line in /etc/postfix/main.cf:

```

relayhost = [smtp.of.isp]

```

note:You need to include [] to avoid mx look up

In my case, it's relayhost = [smtp.mail.yahoo.com]

----------

## anil_et

Hi

 *Quote:*   

> To relay to an ISP, I just found out that you also need this line in /etc/postfix/main.cf: 
> 
> ```
> 
>  relayhost = [smtp.of.isp] 
> ...

 

That solved my problems

I have tried to set the 

```
relaydomain = smtp.of.isp
```

 before without success

Now everything works perfectly

Thank you for sharing your discovery!!!!  :Wink: 

----------

## axxackall

 *Woolong wrote:*   

> beowulf:
> 
> To relay to an ISP, I just found out that you also need this line in /etc/postfix/main.cf:
> 
> ```
> ...

 

Can it be a list of upstream servers? Let's say, if one of them is down it could be good to have another one for backup in the list.  Just like MX records serve downstream, but in the opposite direction. Is it possible?

----------

## Woolong

axxackall:

I don't know if you can specify multiple hosts. I guess in that case, just comment out "relayhost" to send directly.

You might want to check out transport. Do a "man transport".

----------

## axxackall

 *Woolong wrote:*   

> axxackall:
> 
> I don't know if you can specify multiple hosts. I guess in that case, just comment out "relayhost" to send directly.
> 
> You might want to check out transport. Do a "man transport".

 

Actually my question was about the host behind the firewall that cannot send directly, but only through one of gateway-smtp servers.

I am going to check docs for transport options.

----------

## Woolong

I just found this, dunno if it helps:

```

# The fallback_relay parameter specifies zero or more hosts or domains

# to hand off mail to if a message destination is not found, or if a

# destination is unreachable.

fallback_relay = [smtp.of.isp]

```

----------

## axxackall

 *Woolong wrote:*   

> I just found this, dunno if it helps:
> 
> ```
> 
> # The fallback_relay parameter specifies zero or more hosts or domains
> ...

 

Excellent! Thank you! The problem is solved.

----------

## Woolong

beowulf:

For postfix to relay mails from "untrusted" clients, meaning relaying mails from clients not on the local network.

```

smtpd_client_restrictions = permit_sasl_authenticated,permit_mynetworks, reject_unauth_destination

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks, reject_unauth_destination

```

Your guide needs to include "smtpd_recipient_restrictions"!   :Wink: 

----------

## john5211

 *Woolong wrote:*   

> beowulf:
> 
> For postfix to relay mails from "untrusted" clients, meaning relaying mails from clients not on the local network.
> 
> ```
> ...

 

I think you actually have to be careful which of these lines you include ... in my setup, I want to be able to relay from external clients (not "untrusted", I don't think ... then you would be an open relay, right?) AND receive mail directly to postfix (i.e. via an MX record).  To get that combination, I had to use:

```

#smtpd_client_restrictions = permit_sasl_authenticated,permit_mynetworks, reject_unauth_destination

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks, reject_unauth_destination

```

Leaving the client_restrictions in place actually restricts who is allowed to send mail *into* the network (at least as I understand it) ... so uncommenting that line effectively meant no one could send me mail at my domain unless they could authenticate against sasl (i.e. me).

John

----------

## Woolong

 *john5211 wrote:*   

> 
> 
> I think you actually have to be careful which of these lines you include ... in my setup, I want to be able to relay from external clients (not "untrusted", I don't think ... then you would be an open relay, right?)
> 
> 

 

I was being too brief. I used "untrusted" because the client's IP is not in "mynetworks". I also assumed sasl authentication is used, so it's not an open relay. This is how you have an open relay:

```

smtpd_client_restrictions = permit

smtpd_recipient_restrictions = permit

```

 *Quote:*   

> 
> 
> Leaving the client_restrictions in place actually restricts who is allowed to send mail *into* the network (at least as I understand it) ... so uncommenting that line effectively meant no one could send me mail at my domain unless they could authenticate against sasl (i.e. me).
> 
> 

 

You are right, "smtpd_client_restrictions" states who postfix relays mail from, and your setup works too. However, it works because the default behavior is permit, not reject. Here is an experiment you can run:

```
smtpd_client_restrictions = reject

```

And you'll see even as mail passes sasl authentication, postfix will still refuse relaying. I feel more comfortable to see my settings being explicit.

```

smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination

smtpd_client_restrictions = permit_sasl_authenticated,reject_unauth_destination

```

Last edited by Woolong on Thu Feb 19, 2004 11:30 am; edited 1 time in total

----------

## john5211

I apologize, it was I who was too brief   :Embarassed:  ... I certainly didn't mean to imply that your setup was facilitating an open relay.

Anyway, my main point was that the line:

```

smtpd_client_restrictions = permit_sasl_authenticated,permit_mynetworks, reject_unauth_destination

```

will prohibit any mail from a server who cannot authenticate against sasl from entering your network, so that if you are trying to receive mail 'directly from the internet' (i.e. not from an account at your ISP) for delivery to a local account, it will be rejected.  Of course, if that's not what you're trying to do then it doesn't matter whether or not you include it.  

John

----------

## Woolong

 *john5211 wrote:*   

> 
> 
> will prohibit any mail from a server who cannot authenticate against sasl from entering your network, so that if you are trying to recieve mail 'directly from the internet' (i.e. not from an account at your ISP) for delivery to a local account, it will be rejected. Of course, if that's not what you're trying to do then it doesn't matter whether or not you include it.
> 
> 

 

john5211:

To my understanding, "smtpd_client_restrictions" either permits or rejects clients that try to send mail *to* postfix. That's it.

```

smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination

smtpd_client_restrictions = permit_sasl_authenticated,reject_unauth_destination

```

You are right, it allows mail relaying for sasl authenticated clients. In reality, it doesn't make any difference if you comment it out because the default behavior is "permit". Hypothetically speaking, if the next version of postfix changes the default behavior to reject, without explicitly stating "permit_sasl_authenticated", *all* clients will get "access_deny".  Therefore, it's safer to tell postfix to always permit_sasl_authenticated clients.Last edited by Woolong on Thu Feb 19, 2004 11:28 am; edited 1 time in total

----------

## john5211

Well, maybe I have something else misconfigured, but I don't think so ... 

When I uncomment the smtpd_client_restrictions line, I can no longer send mail to myself from external addresses (trust me on this, it took me forever to figure out what was wrong).  An example to make sure we are talking about the same thing:

Let's say my domain name here at home is john.com, and that I am using an account at work to try to email myself. Also assume that the smtpd_client_restrictions flag is set as in any of your examples.   From my work account (or any other account not routed through my local network), if I try to send a mail to john@john.com, it bounces back with an 'access denied' error, presumably because it cannot authenticate against sasl.  Removing the smtpd_client_restrictions line fixes the problem, and <address>@john.com can receive mail from the outside world (as long as <address> is a valid email address, of course  :Smile: ).

This is a completely separate issue from trying to relay mail from a client that happens to be outside the network ...  In that case smtpd_client_restrictions does add an extra layer of security (although it's not really needed).   I only mentioned it because it took me a while to figure out why I couldn't receive mail using my FQDN.

Of course, I could be missing the boat completely, in which case anyone out there should feel free to set me straight  :Smile: .

John

----------

## dan2003

Thanks for the great howto.

Unfortunately I'm having some difficulties  :Sad: .. I seem to be cursed in this aspect!

I'm having a similar problem to john. I can send emails no problem. Even to yahoo (tho it comes in as bulk).

I cannot for the life of me make it receive.

I get a postmaster message from the account I try to send to my system with, as follows:

```
This report relates to your message:

Subject: test,

        Message-ID: <200402182225.10563.dwer@erwer.cef>,

        To: mdfg@sqs.dfgdfgs.org

of Wed, 18 Feb 2004 22:25:17 +0000

Your message was not delivered to:

        mdfg@sqs.dfgdfgs.org

for the following reason:

Diagnostic was Unable to transfer, -1

Information MTA 'mdfg@sqs.dfgdfgs.org' gives error message <mdfg@sqs.dfgdfgs.org>: Relay access denied

The Original Message follows:

 

Received: from tt.audi (actually host 296.997.9.90.in-addr.arpa) by d2333 with SMTP (XT-PP) with ESMTP; Wed, 18 Feb 2004 22:25:11 +0000

From: Daniel Squires <dwer@erwer.cef>

Reply-To: ddwer@erwer.cef

Organization: werwerwer

To: mdfg@sqs.dfgdfgs.org

Subject: test

Date: Wed, 18 Feb 2004 22:25:10 +0000

User-Agent: KMail/1.5.4

MIME-Version: 1.0

Content-Type: text/plain;

  charset="us-ascii"

Content-Transfer-Encoding: 7bit

Content-Disposition: inline

Message-Id: <200402182225.10563.dwer@erwer.cef>
```

The following errors is in the logs

```
Feb 18 22:25:17 [postfix/smtpd] starting TLS engine

Feb 18 22:25:17 [postfix/smtpd] connect from d2333.dfgdfgt.cfgm[193.134.789.99]

Feb 18 22:25:17 [postfix/smtpd] 8761511DA9F: client=d2333.dfgdfgt.cfgm[193.134.789.99]

Feb 18 22:25:17 [postfix/smtpd] 8761511DA9F: reject: RCPT from d2333.dfgdfgt.cfgm[193.134.789.99]: 554 <mdfg@sqs.dfgdfgs.org>: Relay access denied; from=<dwer@erwer.cef> to=<mdfg@sqs.dfgdfgs.org> proto=SMTP helo=<d2333.dfgdfgt.cfgm>

Feb 18 22:25:18 [postfix/smtpd] disconnect from d2333.dfgdfgt.cfgm[193.134.789.99]

Feb 18 22:30:00 [CRON] (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )_

```

This has me stumped!!

I have tried various combinations of the line:

```
smtpd_client_restrictions = permit_sasl_authenticated, reject
```

as mentioned above but have had no success with any  :Sad: 

Cheers

----------

## john5211

Hi Dan,

Could you post your entire main.cf? 

i.e. the results from 

```

grep -v '^#' /etc/postfix/main.cf

```

This is usually a good starting point for figuring out what is wrong.

John

----------

## dan2003

of course..

```
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myorigin = a3.woops.daisy.org
mydestination = smtp.woops.daisy.org, a3.woops.daisy.org
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks = 127.0.0.0/8 192.168.22.0/24
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.0.16-r1/sample
readme_directory = /usr/share/doc/postfix-2.0.16-r1/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/
smtpd_sasl_auth_enable = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
```

Cheers   :Wink: 

Edit: thinking about it now it was a bit pointless but i substituted my domain name for woops.daisy.org.

----------

## Woolong

john5211:

I'm sorry I misunderstood your question, and I verified the problem too.   :Embarassed:  The problem is caused by the keyword "reject"

dan2003:

Add these lines to your /etc/postfix/main.cf

```

mydestination = $myhostname, localhost.$mydomain $mydomain

smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination

smtpd_client_restrictions = permit_sasl_authenticated,reject_unauth_destination

```

----------
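Editor's note: the exchange above between john5211 and Woolong comes down to how Postfix walks a restriction list. The script below is an added example written for this page, not code from the guide or from any poster; it models the handful of restrictions used in the thread (`permit_mynetworks`, `permit_sasl_authenticated`, `reject_unauth_destination`, `reject`, `permit`) against constructed SMTP sessions, using the `mynetworks` and `mydestination` values from dan2003's main.cf. It assumes Postfix's default `smtpd_delay_reject = yes`, under which every list is evaluated at RCPT TO (so the recipient is known even to the client list), and it leaves out the helo and sender lists. The client addresses are documentation-range addresses, not real hosts.

```python
import ipaddress

# Values taken from the main.cf fragments posted in this thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.22.0/24")]
MYDESTINATION = {"smtp.woops.daisy.org", "a3.woops.daisy.org"}


# Each restriction returns "permit", a "reject: ..." string, or None
# (no opinion: fall through to the next entry in the list).
def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return "permit" if any(ip in net for net in MYNETWORKS) else None


def permit_sasl_authenticated(s):
    return "permit" if s.get("sasl_username") else None


def reject_unauth_destination(s):
    # Only refuses mail whose recipient domain we are not responsible for;
    # mail *to* our own domains falls through (this is what keeps MX delivery working).
    domain = s["rcpt"].rpartition("@")[2].lower()
    return None if domain in MYDESTINATION else "reject: Relay access denied"


def reject(s):
    return "reject: Access denied"


def permit(s):
    return "permit"


RESTRICTIONS = {f.__name__: f for f in (permit_mynetworks, permit_sasl_authenticated,
                                        reject_unauth_destination, reject, permit)}


def evaluate(restriction_list, session):
    """Walk a main.cf style list left to right; the first entry with an
    opinion wins, and an exhausted list means permit (Postfix's default)."""
    for name in restriction_list.replace(",", " ").split():
        verdict = RESTRICTIONS[name](session)
        if verdict is not None:
            return verdict
    return "permit"


def smtpd_decision(client_restrictions, recipient_restrictions, session):
    """Both lists must permit for the RCPT TO to be accepted (model assumes
    smtpd_delay_reject=yes, so the client list already sees the recipient)."""
    for lst in (client_restrictions, recipient_restrictions):
        verdict = evaluate(lst, session)
        if verdict != "permit":
            return verdict
    return "permit"


# Constructed sessions (documentation addresses, not real hosts).
INBOUND = {"client_ip": "198.51.100.7", "rcpt": "mdfg@a3.woops.daisy.org"}      # MX delivery from the internet
ROAMING = {"client_ip": "203.0.113.5", "sasl_username": "dan", "rcpt": "friend@example.net"}
PROBE = {"client_ip": "203.0.113.9", "rcpt": "victim@example.net"}               # relay attempt, no auth
LAN = {"client_ip": "192.168.22.10", "rcpt": "friend@example.net"}

BROKEN = "permit_sasl_authenticated, reject"
FIXED = "permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"

if __name__ == "__main__":
    configs = (("broken", BROKEN, FIXED), ("fixed", FIXED, FIXED), ("open relay", "permit", "permit"))
    for label, client_list, rcpt_list in configs:
        for name, s in (("inbound", INBOUND), ("roaming", ROAMING), ("probe", PROBE), ("lan", LAN)):
            print(f"{label:10} {name:8} {smtpd_decision(client_list, rcpt_list, s)}")
```

Running it reproduces the thread: with `permit_sasl_authenticated, reject` in `smtpd_client_restrictions`, unauthenticated MX delivery to your own domain is rejected with "Access denied" (john5211's symptom, and the same rejection hits unauthenticated LAN clients); with `reject_unauth_destination` as the terminal entry instead, inbound mail for `mydestination` and authenticated roaming clients get through while an unauthenticated relay attempt gets "Relay access denied"; and `permit` in both lists is an open relay.

----------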

## dan2003

Many thanks..

All workng now  :Smile: 

----------

## dj_goku

Hi,

Don't know if this is bad or what but I have some questions.

On 3.2 Adding SMTP-AUTH to Postfix: 

root@server # vi /etc/sasl2/smtpd.conf -- I don't have this config

root@server # vi /usr/lib/sasl2/smtpd.conf -- I don't have this config 

So I made the file anyways and I have emerged Cyrus-SASL.

3.6 Automating and Finalizing: 

```

root@server # vi /etc/mail/aliases

# Well-known aliases -- these should be filled in

 root:          2ls-beo 
```

what do I put for 2ls-beo, I tried putting the user I created for everyday use. And this is what error came up.

```
root@testserver2 tek# /usr/bin/newaliases 

newaliases: fatal: gethostbyname: No such file or directory
```

I'm not sure but this guide does say if you have to emerge things for or what...but other then that is good so far. 

JO

----------

## smok

Hi,

I finally made everything work, not without problems though. But after

a few hours of searching through all the messages I made everything workable.

But... when I started SASL auth, no mails can come in from the outside world.

Description:

I've got my mail server in my own domain behind a firewall. The firewall is 10.0.0.1 and the mail server 10.0.0.2. When I enabled SMTP SASL authentication, of course all mails which come from outside are rejected. 

How do I make it so that everybody who wants to send mails from domain computers uses authentication, and incoming mails to the domain don't?

thanks in advance

smok

----------

## malloc

I've used this guide for the 2nd time to successfully build my webmail server, however this time I found a big problem on the way. 

Apparently squirrelmail (or PHP, which is my guess) made some sort of modification and doesn't use DNS to translate addresses anymore. 

I couldn't get squirrelmail to log in to the IMAP server.

After much effort I finally found out that you must put THE EXACT IP address to which the IMAP server is bound. 

I tried to put localhost and 127.0.0.1 and neither worked!? This made me totally confused but a quick netstat -an gave the answer. imap was bound to 0.0.0.0 so that was the address I had to put in the squirrelmail config.

To change this just head to /etc/courier-imap/imapd and change the "ADDRESS=" to either 127.0.0.1 or leave it as 0 and change the squirrelmail conf to 0.0.0.0

I don't know if this problem is only mine or not, but I'll just leave this as a warning to anyone who needs it.

----------

## MooktaKiNG

I'm trying to install the Virus Scanner. I was wondering, is there any way I can turn the spam filter for amavis off, so that I can use bogofilter for spam filtering? I just want a virus scanner.

----------


## Mad_Moo_Cows

Ok so I tried to get mail up and running on my system by following this post....

The first few times around I did the whole thing without testing in between steps... and I could send email but could not be sent any email from the outside world... 

So I stepped through this again, testing as I went...

and Step 3.2 Adding SMTP-AUTH to Postfix is why I could not get any mail from other mail servers....

So now to get my IMAP up and working  :Very Happy: Last edited by Mad_Moo_Cows on Sat Feb 28, 2004 9:44 pm; edited 1 time in total

----------

## mterlouw

I had to add the following lines to the bogotrainer script keep it from choking on a Courier IMAP folder (in ~/.maildir/)...

```
   if dir[len(maildir):len(maildir) + 19] == "courierimapkeywords":

      return 0

```

```
def cleanhamdirs(dir):

   #We don't want Spam in the hamdirs :)

   if dir[len(maildir):len(maildir) + 5] == ".Spam":

      return 0

   #The maildirs of the inbox, must be handled especially

   if dir[len(maildir):len(maildir) + 3] == "cur":

      return 0

   if dir[len(maildir):len(maildir) + 3] == "tmp":

      return 0

   if dir[len(maildir):len(maildir) + 3] == "new":

      return 0

   if dir[len(maildir):len(maildir) + 19] == "courierimapkeywords":

      return 0

   #If you threw it away, you obviously don't want it :)

   if dir[len(maildir):len(maildir) + 6] == ".Trash":

      return 0

   return 1
```

----------

## malloc

I'm having a little problem with this. I have everything running by-the-book, including the amavisd/clamav thing. However I seem to be having a weird problem. Fetchmail won't work, or rather it will correctly connect to the pop3 servers in which I have accounts and it will poll them right, however whenever it tries to download any msg it spits out an error like "Unable to connect to localhost, smtp error 10" and it won't download anything. I've made the changes in smtpd_recipient_restrictions that are indicated in the guide, however I still have no luck. 

Does anyone have any idea?

----------

## mterlouw

 *mterlouw wrote:*   

> I had to add the following lines to the bogotrainer script keep it from choking on a Courier IMAP folder (in ~/.maildir/)...

 

Also, I had to modify the first-run check to look for wordlist.db, since Bogofilter was using a combined wordlist by default, and every time the script ran it would retrain (or actually, overtrain) Bogofilter.

----------

## Dolio

Howdy.

This isn't a request for aid (since I have an idea of what's going wrong) so much as a heads-up for people thinking of using this guide.

I went the:

Email Client->Cyrus-SASL->Postfix->Cyrus-SASL->ISP SMTP Server->Internet

route.  However, I've found that some of my outgoing mail is getting bounced by the recipient.  For example, sending mail to my father at work, and to the ruby-talk mailing list.

Am I correct in assuming that the re-mailing process makes my e-mails look like spam to certain filters, and they're bouncing them accordingly? That seems like it'd be the case (bounce all mail with spoofed headers and such).

Just a pitfall you might want to note in the appropriate section of the howto. Feel free to debunk me if I'm off base.  :Smile: 

Again, great tutorial.

----------

## Ataraxis

Hi, the bogofilter script didn't work for me and I wanted SpamAssassin and bogofilter to learn from each other in one script. So I started to look around and adapted a shell script I found on the net.

I tested it for the last two weeks and it worked really well.

What you need:

Calls to Bogofilter and SpamAssassin in your .procmailrc (see first page)

The following folders in your maildir:

-Spam

|-Bogofilter

|-False-Negatives

|-False-Positives

|-SpamAssassin

Call to spamtrainer.sh -vrsnbp in your crontab

for example use crontab -e and add

```
1 1 * * *       /path/to/spamtrainer.sh -vrsnbp
```

What it does:

With mails in Bogofilter

All mails marked as read (security measure) are given to SpamAssassin to train. Then they will be deleted.

With mails in SpamAssassin

All mails marked as read (security measure) are given to bogofilter to train. Then they will be deleted.

With mails in False-Positives

Both filters will learn that those mails are not spam. The mails will be procmailed again.

With mails in False-Negatives

Both filters will learn that those mails are spam. The mails will be deleted then.

How to use:

Check your spamfolders on a regular basis and mark your spam as read. By marking the mails as read the script is allowed to delete them. This way no False-Positive mail gets deleted by accident.

If there is a nonspam mail in your spamfolder, put it in the folder "False-Positive".

If you get a spam mail into your inbox put it in the folder "False-Negative".

```
#!/bin/bash
#
#  spamtrainer.sh, v1.0
#
## Small shell script to complement bogofilter
## and spamassassin in my .procmailrc file
## Kai Becker <info@kai-becker.com>, 2004-02-13
##    based on handle_bogofilter_misjudgements.sh by
##    Stig Sandbeck Mathisen <ssm@fnord.no>, 2003-06-02

## Program paths
spamassassin=/usr/bin/sa-learn
bogofilter=/usr/bin/bogofilter
procmail=/usr/bin/procmail
maildir=~/.maildir

## Get options
while getopts pnbsrv flag
do
        case $flag in
                # corrections are picked up from all three maildir subdirectories
                p)      false_positives=$(find ${maildir}/.Spam.False-Positives/{cur,new,tmp} -type f);;
                n)      false_negatives=$(find ${maildir}/.Spam.False-Negatives/{cur,new,tmp} -type f);;
                # only messages marked as read (maildir flag S at the end of the
                # file name) are taken from the spam folders; the pattern is
                # quoted so the shell cannot expand it before find sees it
                b)      bogo_spam=$(find ${maildir}/.Spam.Bogofilter/cur -type f -name '*S');;
                s)      sa_spam=$(find ${maildir}/.Spam.SpamAssassin/cur -type f -name '*S');;
                r)      rebuild=true;;
                v)      verbose=true;;
                ?)      echo "Usage: $0 -vpnbsr"; exit 2;;
        esac
done

# Handle false positives (mail misidentified as spam)
for mail_file in ${false_positives}
do
        ${spamassassin} --ham --no-rebuild "${mail_file}" &&
        ${bogofilter} -Sn < "${mail_file}" &&
                ${procmail} < "${mail_file}" &&
                        rm -f "${mail_file}" &&
                                if [ -n "${verbose}" ]
                                then
                                        echo "${mail_file} marked as good, and procmailed"
                                fi
done

# Mark spam: what bogofilter caught is taught to spamassassin, and vice versa
for mail_file in ${bogo_spam}
do
        ${spamassassin} --spam --no-rebuild "${mail_file}" &&
                rm -f "${mail_file}" &&
                        if [ -n "${verbose}" ]
                        then
                                echo "${mail_file} marked as spam, and deleted"
                        fi
done

for mail_file in ${sa_spam}
do
        ${bogofilter} -Ns < "${mail_file}" &&
                rm -f "${mail_file}" &&
                        if [ -n "${verbose}" ]
                        then
                                echo "${mail_file} marked as spam, and deleted"
                        fi
done

# Handle false negatives (spam misidentified as mail)
for mail_file in ${false_negatives}
do
        ${spamassassin} --spam --no-rebuild "${mail_file}" &&
        ${bogofilter} -Ns < "${mail_file}" &&
                ${procmail} < "${mail_file}" &&
                        rm -f "${mail_file}" &&
                                if [ -n "${verbose}" ]
                                then
                                        echo "${mail_file} marked as spam, and procmailed"
                                fi
done

if [ -n "${rebuild}" ]
then
        ${spamassassin} --rebuild
fi
```

What you need to do:

Use it  :Smile: Post your comments, questions, problems, praise, flame here

----------
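Editor's note: mterlouw's fix above (skip Courier's `courierimapkeywords` entry and the `cur`/`new`/`tmp` directories when choosing ham folders) and Ataraxis's "only mail marked as read" rule both hinge on Maildir layout and file-name flags. The script below is an added example written for this page, not code from the guide or from any poster; it walks a Courier-style `~/.maildir`, decodes the `:2,` flag suffix, and produces a dry-run plan of which files would go to which trainer under the rules the two posts describe, without deleting or training anything. The folder names (`.Spam.Bogofilter`, `.Spam.SpamAssassin`, `.Spam.False-Positives`, `.Spam.False-Negatives`) come from Ataraxis's post; the sample Maildir tree is constructed in a temporary directory and contains no real mail.

```python
import os
import tempfile

SPAM_TRAINING_FOLDERS = (".Spam.Bogofilter", ".Spam.SpamAssassin")
FALSE_POSITIVE_FOLDER = ".Spam.False-Positives"
FALSE_NEGATIVE_FOLDER = ".Spam.False-Negatives"
MAILDIR_SUBDIRS = ("cur", "new", "tmp")


def maildir_flags(filename):
    """Flags of a Maildir message filename ('...:2,ST' -> {'S', 'T'}).
    Courier appends ':2,' plus sorted flag letters when a message moves
    from new/ to cur/; S means seen/read.  Files in new/ carry no suffix."""
    _, sep, info = filename.rpartition(":2,")
    return set(info) if sep else set()


def mail_folders(maildir):
    """Yield (folder_name, path): the inbox itself plus every dot-folder.
    Courier's bookkeeping entries (courierimapkeywords/, courierimapuiddb,
    ...) and the inbox's own cur/new/tmp do not start with a dot, so they
    are never mistaken for folders (the case mterlouw's extra check guards)."""
    yield "INBOX", maildir
    for name in sorted(os.listdir(maildir)):
        path = os.path.join(maildir, name)
        if name.startswith(".") and os.path.isdir(path):
            yield name, path


def messages(folder, subdirs=("cur",), seen_only=False):
    """Message files under the given Maildir subdirectories of one folder."""
    found = []
    for sub in subdirs:
        d = os.path.join(folder, sub)
        if not os.path.isdir(d):
            continue
        for fn in sorted(os.listdir(d)):
            full = os.path.join(d, fn)
            if not os.path.isfile(full):
                continue
            if seen_only and "S" not in maildir_flags(fn):
                continue  # unread mail is left alone: nobody has vetted it yet
            found.append(full)
    return found


def plan_training(maildir):
    """Dry run of the selection rules: which files would be handed to which
    trainer.  Nothing is deleted or fed to sa-learn/bogofilter here."""
    plan = {"spam": [], "ham": [], "false_positives": [], "false_negatives": []}
    for name, path in mail_folders(maildir):
        if name in SPAM_TRAINING_FOLDERS:
            plan["spam"] += messages(path, seen_only=True)
        elif name == FALSE_POSITIVE_FOLDER:
            plan["false_positives"] += messages(path, MAILDIR_SUBDIRS)
        elif name == FALSE_NEGATIVE_FOLDER:
            plan["false_negatives"] += messages(path, MAILDIR_SUBDIRS)
        elif name.startswith(".Spam") or name == ".Trash":
            continue  # other spam folders and the trash are never ham
        else:
            plan["ham"] += messages(path)
    return plan


def build_sample_maildir():
    """Constructed fixture, not real mail: an empty-bodied Maildir tree."""
    root = tempfile.mkdtemp(prefix="maildir-")
    layout = {
        "": {"cur": ["1077140720.0.host:2,S"]},
        ".Lists": {"cur": ["1077140721.1.host:2,S", "1077140722.2.host:2,"]},
        ".Spam": {"cur": ["1077140723.3.host:2,S"]},
        ".Spam.Bogofilter": {"cur": ["1077140724.4.host:2,S", "1077140725.5.host:2,"]},
        ".Spam.SpamAssassin": {"cur": ["1077140726.6.host:2,S", "1077140727.7.host:2,ST"]},
        ".Spam.False-Positives": {"new": ["1077140728.8.host"]},
        ".Spam.False-Negatives": {},
        ".Trash": {"cur": ["1077140729.9.host:2,S"]},
    }
    for folder, subdirs in layout.items():
        base = os.path.join(root, folder)
        for sub in MAILDIR_SUBDIRS:
            os.makedirs(os.path.join(base, sub), exist_ok=True)
        for sub, names in subdirs.items():
            for fn in names:
                open(os.path.join(base, sub, fn), "w").close()
    # Courier-IMAP metadata that a naive walker would mistake for a folder
    os.makedirs(os.path.join(root, "courierimapkeywords"))
    open(os.path.join(root, "courierimapuiddb"), "w").close()
    return root


if __name__ == "__main__":
    for category, files in plan_training(build_sample_maildir()).items():
        print(category, len(files), [os.path.basename(f) for f in files])
```

On the constructed tree the plan picks the two read messages out of the spam folders and leaves the unread one alone, takes the false-positive from `new/` even though it has no flag suffix yet, and counts the inbox and `.Lists` as ham while ignoring `.Spam`, `.Trash` and the Courier metadata entries. Pointing `plan_training` at a real `~/.maildir` before wiring up the deletes is a cheap way to see exactly what a trainer script would touch.

----------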

## MooktaKiNG

SpamAssassin Trainer

OK, since everyone is sharing their own scripts for teaching both spam filters what spam and ham is, I thought I should share my own script.

I modified the bogofilter trainer for my SpamAssassin training. I found that the bogofiltertrainer had many limitations. For example, I have many folders. I want the filter to learn using ALL my folders. It's not gonna be a good filter if it only looks at spam and doesn't look at all the ham that I have. So I used the bogofiltertrainer script to understand how Python works (this is my very first Python script). Then I created this to scan through all folders that are available in my ~/.maildir folder and learn them as ham, EXCEPT the .Spam.Spam and .Spam folders.

There are 2 clearly named spam folders (.Spam and .Spam.Spam), and there's one folder for ham called .Spam.Ham . The filter will retrain from .Spam.Spam and .Spam.Ham. 

I hated the naming that was used in the original script (with the positive and negative). I kept on mixing it up  :Very Happy:  :Very Happy:  (yeh, i'm an idiot).

The script learns from all the folders starting with dot, except for the . and .. folders (or are they files?).

It learns from the cur folder inside each mail folders, i might expand it to include the new folder too, if its needed.

It does the same things as the original script, if it finds spam or ham.

This script is for SpamAssassin, however it can be very easily modified to work with bogofilter. 

I put SpamAssassin first, then bogofilter, in my .procmailrc. I found bogofilter to make a lot of mistakes. 

Save the file somewhere like /usr/bin/spamassassintrainer 

Here's the code:

```
#! /usr/bin/python
#########################################################
#  Md Mooktakim Ahmed   Mooktakim@hotmail.com           #
#  http://www.mooktakim.com                             #
#                                                       #
# This script was created to teach SpamAssassin         #
# using sa-learn about spam and ham (non-spam)          #
# The script is fairly dynamic, it only requires 3      #
# folders that are .Spam, Spam.Spam, Spam.Ham.          #
# Spam.Spam and Spam.Ham is there if the spam filter    #
# makes a mistake, the user should manually move the    #
# email to the correct folder, so that sa-learn can     #
# learn to correct the mistake. The ham then gets       #
# redirected to procmail, once it has corrected the ham #
# mail, so procmail can filter it to the correct folder #
# instead of the spam folder. The spam gets moved to    #
# the .Spam folder. The script is dynamic in a way that #
# it will learn ALL folders that are inside ~/.maildir  #
# and has . infront of the name as a ham folder.        #
# Warning, this includes the .Trash folder. So make     #
# sure you always put spam email to either the .Spam    #
# folder or .Spam.Spam folder. The emails inside        #
# .Spam.Spam folder will be re-learnt, so that this     #
# mistake does not happen again.                        #
#                                                       #
# As always, this script is GPL Licensed.               #
#                                                       #
#########################################################

import os
import subprocess

# Configuration entries. Not much ATM. More if needed.
home = os.path.expanduser("~/.maildir")
spamfolder = os.path.join(home, ".Spam")
# Folders that must never be fed to sa-learn as ham: the spam folders,
# the correction folders and Sent Items.
not_ham = (".Sent Items", ".Spam", ".Spam.Ham", ".Spam.Spam", ".Spam.Spam.Old")

for name in sorted(os.listdir(home)):
    folder = os.path.join(home, name)
    cur = os.path.join(folder, "cur")
    # Maildir++ folders are directories whose name starts with a dot.
    # os.listdir() never returns "." or "..", so they need no special case,
    # and stray files such as courierimapkeywords are skipped here.
    if not name.startswith(".") or not os.path.isdir(cur):
        continue
    if name == ".Spam.Spam.Old":
        print("NOT Registering spam folder", folder, "Too BIG")
        # subprocess.call(["sa-learn", "--dir", "--spam", cur])
    elif name == ".Spam.Spam":
        print("Correcting spam in", folder)
        subprocess.call(["sa-learn", "--dir", "--spam", cur])
        # Move the corrected spam into the regular .Spam folder.
        for f in os.listdir(cur):
            os.rename(os.path.join(cur, f), os.path.join(spamfolder, "cur", f))
    elif name == ".Spam.Ham":
        print("Correcting ham in", folder)
        subprocess.call(["sa-learn", "--dir", "--ham", cur])
        # Re-deliver each corrected message through procmail so it lands in
        # the right folder, then remove it from .Spam.Ham.
        for f in os.listdir(cur):
            path = os.path.join(cur, f)
            with open(path, "rb") as msg:
                subprocess.call(["/usr/bin/procmail", "-d", os.environ["USER"]],
                                stdin=msg)
            os.remove(path)
    elif name not in not_ham:
        print("Registering ham folder", folder)
        subprocess.call(["sa-learn", "--dir", "--ham", cur])

print("Registering ham folder Index")
subprocess.call(["sa-learn", "--dir", "--ham", os.path.join(home, "cur")])
```

I have cron run something like this:

```
0 0,2,4,6,8,10,12,14,16,18,20,22 * * * /usr/bin/spamassassintrainer >/dev/null 2>&1
```

It runs the script every 2 hours. 

I kept a page in my website, that i will most likely use for updates:

http://www.mooktakim.com/Code.php

Enjoy the script. It seems to be working at the moment, but if you find any errors, please let me know.

PS: as you can see my programming skills in Python are very limited. I used bash and the system command for most things. This was a learning experience for me.

----------

## mterlouw

 *MooktaKiNG wrote:*   

> I found that the bogofiltertrainer had many limitations. For example, I have many folders. I want the filter to learn using ALL my folders. It's not gonna be a good filter if it only looks at spam, and does not look at all the ham that I have.

 

The Bogofilter script actually does this. If you have a "Ham" folder, however, it will look in that folder exclusively for ham (we're talking about the first-run initial training here). This is in case you have a very large ham base to start off with, and thus don't want Bogofilter to scan it all.

 *Quote:*   

> Then I created this to scan through all folders that are available in my ~/.maildir folder and learn them as ham, EXCEPT the .Spam.Spam and .Spam folders.

 

This is what the original script does. It will scan any folder except those that start with ".Spam" (so, Spam and all of its subfolders), and Trash. It should IMO be further modified to only look in folders that begin with a ".". That would have solved my problem, which was the existence of a folder the author didn't anticipate, namely "courierimapkeywords". I think this would be the correct change, but I don't know enough about the maildir structures to be positive.

 *Quote:*   

> I hated the naming that was used in the original script (with the positive and negative). I kept on mixing it up  (yeah, I'm an idiot).

 

Heh, I renamed them too. I called them ".spam.is" and ".spam.not" to make them easier to type in Pine. I'd be willing to share my changes, but since I renamed the folders I think it's too different from the original.

 *Quote:*   

> The script learns from all the folders starting with dot, except for the . and .. folders (or are they files?).

 

Ok, that's what mine does so maybe we're doing the right thing. "." is just a notation for "current directory" and ".." is notation for "parent directory", so no, you don't want to be scanning those.

 *Quote:*   

> I have cron run something like this:
> 
> ```
> 0 0,2,4,6,8,10,12,14,16,18,20,22 * * * /usr/bin/spamassassintrainer >/dev/null 2>&1
> ```
> ...

 

That's a good idea, no sense letting useful email sit in the false-positives folder all day! Since we have our own mail servers, might as well make use of those cycles.  :Smile: 

Thanks for sharing!

----------

## MooktaKiNG

Also I should have mentioned this, but my script considers the .Trash folder to be Ham.

This is because I like to keep all my emails inside the .Trash as backup. I never delete them. So I don't keep any spam in that folder.

All spam either goes into .Spam or .Spam.Spam (the spam will move from the .Spam.Spam folder to the .Spam folder anyway  :Very Happy:  :Very Happy: ).

Also I recommend people don't delete any of their spam mail either.

That way, just in case you want to use a different server, or reinstall, then you won't have to wait for all that spam to arrive for teaching the filters  :Very Happy:  :Very Happy: 

```
if (dir[19:] == ".Spam.Spam.Old"):
    print "NOT Regestering spam folder ", dir, " Too BIG"
    #os.system("sa-learn --dir --spam " + dir + "/cur/")
```

The above lines seem a bit useless. But it all makes sense once I explain why it's there  :Very Happy: .

Basically I also keep another folder called Spam.Spam.Old  :Very Happy:  :Very Happy:  :Very Happy:  I know, I have weird folder naming issues  :Razz:  :Razz: 

I have like 2000 spams in that folder. They are old spam. I just put those lines there to make the spam filter train from them. Once I run it, I don't have to do it again. It seems a waste of time, because all the spam inside that folder will be old (already learnt) spam. Therefore I commented that line out.

----------

## dagol

Hello everyone, I've been working through this guide for a few days and I *think* I have things mostly right.

Now I may have misunderstood something somewhere along the way, but what I hope to get out of this endeavour is my own personal mail filtering solution. I currently have 2 pop3 accounts, which collectively receive about 300 spam messages per day. Originally, my solution was to add another filter to outlook express, such that mail from anyone I do not know (not in address book) is thrown into a 'Check Me!' folder. This works well enough, until someone I don't know contacts me, and then it falls apart, as I rarely catch the one legitimate e-mail among the hundreds of spam.

So I'm hoping that between bogofilter and spamassassin the number of spam I have to deal with will be drastically cut down.

So for my setup, there will be only one user (initially) - me.

I've followed the directions for amavisd-new, clamav, and (I *think* - f-prot..at least I emerged it, and amavisd only has clamav and fprot in its config, as posted elsewhere in this thread), also I went the 'mail is sent through local ISP' route.

So, my questions:

Procmail:

Now in the antivirus setup post, it is mentioned that for the antivirus software to function properly, it skips procmail. So at this stage I 

```
 kraken root # emerge --unmerge procmail 
```

and didn't think about it again, until I entered the script found on page 15 of this thread, to train bogofilter and spamassassin at the same time, which seems to make use of procmail.. so I re-emerged procmail, read its man page, and finally understood a little what it did.

Now I want to write a number of recipes to mimic my current outlook express filters, how do I set it up so that the AV and Spam filtering occurs, and then procmail sorts things by folder?

IMAP :

I'd like to be able to access and send messages from anywhere in the world, so long as my server is online. I use dyndns (legion.merseine.nu), so what changes need I make to client and server to accomplish this?

CRON : 

Not necessarily related, but as a user, I cannot run 

```
 ian@kraken ian $ fcrontab -e 
```

so if anyone has any answers, I'd greatly appreciate hearing from you, 

Thanx!

 ~ Ian

----------

## dromer

Hello, first of all, great howto!!!

and sorry for my bad english I'm Dutch...

I've been trying to get the virtual howto working, but I think the setup is outdated so I turned over to this one.

I can mail (send and receive) with squirrelmail and pine locally and from outside. The thing not working is Outlook. I keep receiving the 454 error. So reading this forum I shut down my Norton virus scanner..

But I still get the same error..

So I went to the holy log files!! (man I love them).. and I get this message:

```
Mar  4 13:17:13 TRUUS postfix/smtpd[1526]: starting TLS engine
Mar  4 13:17:13 TRUUS postfix/smtpd[1526]: TLS engine: cannot load CA data
Mar  4 13:17:13 TRUUS postfix/smtpd[1526]: 1526:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('/etc/ssl/postfix/server.pem','r'):
Mar  4 13:17:13 TRUUS postfix/smtpd[1526]: 1526:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:106:
Mar  4 13:17:13 TRUUS postfix/smtpd[1526]: 1526:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
Mar  4 13:17:13 TRUUS postfix/smtpd[1526]: watchdog_create: 0x80a1408 18000
```

OK I think I get it, I don't have the /etc/ssl/postfix dir... I think I deleted it when I was fed up with the virtual mail howto....

OK knowing this, my question is (sorry if it's a stupid one): how do I get this directory back?

Do I have to re-emerge a package or anything??

Thanks...!!!  :Question: 

----------

## Gwyd10n

Thank you for the wonderful guide. I finally got everything working, for the most part.

I have one issue still remaining.

If I enable

smtpd_client_restrictions = permit_sasl_authenticated, reject in my main.cf

it seems no mail can get delivered to my system from an outside source, ie hotmail or my isp's email system.

here is my main.cf

```
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 450
debug_peer_level = 2
debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.0.16-r1/sample
readme_directory = /usr/share/doc/postfix-2.0.16-r1/readme
default_destination_concurrency_limit = 10
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/
myhostname = shattertheillusion.net
mydomain = shattertheillusion.net
myorigin = $mydomain
inet_interfaces = all
mydestination = $mydomain
mynetworks = 192.168.1.0/24, 127.0.0.0/8
relayhost = smtp.west.cox.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
#smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_use_tls=yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile =  /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

Now my question is am I wide open to allowing other people to use me as a relay?

----------

## Dillinger

I'm not sure if this has been posted in this thread yet (haven't been through all 15 pages) but squirrelmail had me baffled for a couple of days until I found out after much searching the need to add the PHP4 like below to /etc/conf.d/apache2

```
APACHE2_OPTS="-D SSL -D PHP4"
```

Just thought I'd post what I needed to do to make it work, might be something to add to the guide.

----------

## MooktaKiNG

I feel like sharing one more handy script that i use:

I like to be subscribed to mailing lists, eg: gentoo mailing lists.

I also like to keep ALL my emails. But as we all know, mailing lists grow exponentially.

So I created this script to get rid of all the mailing list emails, which I don't need.

I have two folders, .Trash and .Trash.Old. I like to have .Trash hold all the latest emails that I deleted. I don't like to have the email client list all 3K emails for me to just access a few emails that I deleted. That's why I created .Trash.Old. This folder will eventually hold ALL my deleted mails. This will get BIG; it's a folder that I rarely go into.

This script deletes all the mailing list emails. Then it moves all the email from .Trash to .Trash.Old

```
#!/bin/bash
MAILDIR="$HOME/.maildir"
CLEANDIRS=".Trash .Trash.Old"
TRASH=".Trash"
OLDTRASH=".Trash.Old"

for CLEANDIR in $CLEANDIRS
do
        ## Remove all mailing list emails. Paths are quoted and globbed
        ## directly rather than parsed out of `ls`, so names with spaces
        ## survive; -q stops grep from printing the matched header.
        for file in "$MAILDIR/$CLEANDIR/cur"/*
        do
                [ -f "$file" ] || continue
                grep -q "List-Id: Gentoo Linux mail" "$file" && rm -vv "$file"
        done
done

## Move whatever is left in .Trash into .Trash.Old (nothing happens when
## the folder is empty, since the glob then matches no regular file)
for file in "$MAILDIR/$TRASH/cur"/*
do
        [ -f "$file" ] && mv -vv "$file" "$MAILDIR/$OLDTRASH/cur/"
done
```

It's crude, I know. But I like it  :Very Happy:  :Very Happy: 

I run this script once a day, late at night  :Very Happy: 

Simple, but effective.

----------

## john5211

Gwyd10n,

I had some of the same problems in my main.cf.  The problem is that smtpd_client_restrictions actually restricts who is allowed to send mail to postfix (including outside servers). Using

```
smtpd_client_restrictions = permit_sasl_authenticated, reject
```

causes postfix to reject mail that cannot authenticate via sasl (which is hopefully everyone outside!).  Leaving the line out isn't a security problem, and it won't make you an open relay.  Alternately, if you feel like you need to place restrictions on the mail that comes into your network, you can use something like:

```
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_destination
```

Oh, and just in case you ever want to test your configuration to see if you are an open relay, you can go to http://www.abuse.net/relay.html and use their test to check your mailserver.

John

Last edited by john5211 on Wed Mar 10, 2004 4:34 am; edited 1 time in total

----------

## northfuse

I followed these directions and I can access the IMAP server great from squirrelmail, thunderbird, etc.  But, it won't let me receive any mail.  Is there anything else that I haven't done?

----------

## avtryck

I followed the guide but I've run into some problems. One that is a bit strange is that if I delete a mail and then want to compress my folder, I receive the following error message: "Server XXX has disconnected. The server may have gone down or there may be a network problem". This message appears several times but it still compresses my folder. I don't have any particular network problems and it still does what I want it to do.

My client is Thunderbird 0.5. Could the client be responsible for the error messages?

My other problem is about sending mail. Since I just followed the guide instead of learning all the tools, is there a simple way to remove the TLS support in order to see if it works without it?

Thanks for a great guide and some thanks in advance for some aid with my current troubles  :Smile: 

-Jimmy

----------

## DozePih

 *Dolio wrote:*   

> For clients, both KMail and Thunderbird don't work. I haven't tried others. KMail doesn't generate any errors other than something like "failed to send some messages" in the status bar. Thunderbird gives 'Could not establish an connection because certificate presented is invalid or corrupted. Error Code: -8182' when trying to send.
> 
> 

 

I'm having the same problem with Thunderbird 0.8. I've spent all day trying to figure this one out. I can connect fine and all my mails are visible. But as soon as I press the send button, Postfix gets to

```
Mar 14 22:16:58 localhost postfix/smtpd[31284]: setting up TLS connection from xxx[213.xx.xx.xx]
```

Thunderbird pops up the "Could not ... Error Code: -8182". I press OK and Postfix continues with

```
Mar 14 22:17:01 localhost postfix/smtpd[31284]:  SSL_accept error from ...
Mar 14 22:17:01 localhost postfix/smtpd[31284]:  31284:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42:
```

This problem seems to be in the imapd.pem certificate. According to one post I read, he said:

 *Quote:*   

> OK, riddle solved. Mozilla does not accept a certificate if CN of CA is equal 
> to CN of the subject. The sad thing is that the quality of Mozilla's error
> ...

 

This problem basically means I cannot use my Postfix for sending mails from a TLS/IMAP connected client outside my LAN (eg. when connected from work). Or what options do I have here?

----------

## carpman

Hello, think this howto may be what i need but not sure?

I need to setup a small business email/file sharing/groupware server. 

The business is connected via ADSL with a permanent IP and has its web site on a shared server, which is also its mail server.

I have set up a hardware based firewall but there still remains the problem of viruses via email, as the current email server, on the shared server, has no virus checker and one cannot be added.

The email setup will need to collect email from the external mail server, check it for viruses and make it available to the end user via IMAP using Outlook as client (working on changing Outlook) or a web browser; sent email will need to go via the external SMTP server but will also need to be checked for viruses.

I also need to set up groupware and file sharing at the same time, so I need whatever email setup I go with to work with or be part of the groupware.

Any ideas?

cheers

----------

## MarkG

I'm just in the fine tuning stage of setting up an email system based on this guide and I've noticed an anomaly with the bogofilter scripts on the first page.

When my cron job runs, it always starts off with

```
Databases NOT found. Generating...
```

Investigating this I notice that the database in ~/.bogofilter is called "wordlist.db" not "spamlist.db" 

The original code:

```
#I'm just assuming if the spamlist.db exists, goodlist.db does too
#Program will die if goodlist.db doesn't exist anyway. 
if os.path.isfile(os.path.join(bogodir, "spamlist.db")):
      print "Databases found"
else:
```

The "goodlist.db" doesn't exist at all, so I can only assume this is caused by a change to bogofilter. Fortunately the code change is obvious; don't forget to update the comments to preserve future sanity  :Smile: 

MarkG

----------

## ufoq

Well, after installing all of the things in proper order, I couldn't connect to the server. I double checked everything aaaand guess what --

during initial emerging of applications beowulf says to enter USE="blablabla"

well, in my case USE didn't work, I had to write 'export USE', then emerge took these options into consideration.

Well, I am a gent(n)oo(b)  :Smile: 

P.S. I have installed the latest 2004.0 dist.

----------

## ufoq

About the TLS certs:

In fact I think you have to do all the things that are said in the Virtual mail howto (point 5), because the standard certs that come bundled (server.pem etc.) are referring to localhost, thus are useless.

Following this point you have to replace /etc/postfix with /etc/ssl/postfix because that's the directory beowulf mentioned in the howto.

Then, launch this command:

```
cd /etc/ssl/postfix
openssl x509 -in cacert.pem -out cacert.crt
```

Next, copy cacert.crt to your client PC, and launch it. It should ask if you want to install the certificate etc...

After that, you should be able to receive mail from the newly made server in e.g. Thunderbird.

Well, to be honest I can't force MS Outlook 2003 to work correctly with this setup, but the mentioned Thunderbird works flawlessly.

BTW.

I was unable to get any mail to the server from the internet. I had to hash out the line beginning with "smtpd_client_restrictions=". I think smtpd_recipient_restrictions is enough to not have an open relay.

----------

## jewps

First off I've gotta thank beowolf for this comprehensive guide, but while trying to setup the servers, I'm encountering a problem that I cannot resolve.

Every time I try to send email to and from the server, I get a 554 access denied problem, however if I try to send from the server ( echo 'lalal' | sendmail "email@email.com" ), it works. I don't have any problem logging in via Outlook 03 and can receive whatever email I send from the server to the email via Outlook.

Attached is the log and main.cf config. help!!

```
myhostname = mobile.yingerdesign.com
mydomain = mobile.yingerdesign.com
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain $mydomain
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks = 127.0.0.0/8 192.168.0.0/24
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.0.16-r1/sample
readme_directory = /usr/share/doc/postfix-2.0.16-r1/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#smtpd_sasl_password_maps = hash:/etc/postfix/saslpass
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject
#smtpd_recipient_restrictions = check_relay_domains, permit_mynetworks, reject_unauth_destination
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_auth_destination, permit_mynetworks, check_relay_domains, reject_unauth_destination
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

Log:

```
Mar 28 10:30:02 pukka postfix/master[12791]: daemon started -- version 2.0.19
Mar 28 10:30:12 pukka postfix/smtpd[12795]: starting TLS engine
Mar 28 10:30:12 pukka postfix/smtpd[12795]: connect from web60606.mail.yahoo.com[216.109.118.244]
Mar 28 10:30:12 pukka postfix/smtpd[12795]: A4FF6364069: client=web60606.mail.yahoo.com[216.109.118.244]
Mar 28 10:30:12 pukka postfix/smtpd[12795]: A4FF6364069: reject: RCPT from web60606.mail.yahoo.com[216.109.118.244]: 554 <web60606.mail.yahoo.com[216.109.118.244]>: Client host rejected: Access denied; from=<jewpsie@yahoo.com> to=<lith@mobile.yingerdesign.com> proto=SMTP helo=<web60606.mail.yahoo.com>
Mar 28 10:30:13 pukka postfix/smtpd[12795]: disconnect from web60606.mail.yahoo.com[216.109.118.244]
```

Also, I'm not using my ISP's SMTP servers because I have an MX record pointing to my IP, therefore I've commented out a few lines.

thanks  :Smile: 

----------

## ufoq

Comment this :

 *Quote:*   

> smtpd_client_restrictions = permit_sasl_authenticated, reject 

 

and uncomment this:

 *Quote:*   

> #smtpd_recipient_restrictions = permit_sasl_authenticated, permit_auth_destination, permit_mynetworks, check_relay_domains, reject_unauth_destination 

 

in your /etc/postfix/main.cf
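To make john5211's explanation and the comment/uncomment fix above concrete, here is an added model of how smtpd walks its restriction lists; it is not Postfix code and not from the guide. The Postfix 2.0 built-in defaults stand in for any list main.cf leaves out, and the domain, networks, client addresses and sessions are constructed (the inbound one mirrors the Yahoo delivery rejected in jewps's log).

```python
from dataclasses import dataclass

# Constructed site values, modelled on the main.cf files posted in this thread.
MYDESTINATION = {"mobile.yingerdesign.com", "localhost.mobile.yingerdesign.com"}
MYNETWORKS = ("127.", "192.168.0.")

# Postfix 2.0 built-in defaults for the two lists discussed above (assumed
# here; an explicit main.cf entry overrides them).
DEFAULTS = {
    "smtpd_client_restrictions": [],
    "smtpd_recipient_restrictions": ["permit_mynetworks", "reject_unauth_destination"],
}


@dataclass
class Session:
    """What smtpd knows about one client by the time it checks RCPT TO."""
    client_ip: str
    recipient: str
    sasl_authenticated: bool = False

    def in_mynetworks(self):
        return self.client_ip.startswith(MYNETWORKS)

    def to_local_domain(self):
        return self.recipient.rsplit("@", 1)[1] in MYDESTINATION


# permit_* entries answer PERMIT when their condition holds, reject_* entries
# answer REJECT when theirs holds; otherwise the next entry is consulted.
PERMIT_IF = {
    "permit_sasl_authenticated": lambda s: s.sasl_authenticated,
    "permit_mynetworks": lambda s: s.in_mynetworks(),
    "permit_auth_destination": lambda s: s.to_local_domain(),
    "permit": lambda s: True,
}
REJECT_IF = {
    "reject_unauth_destination": lambda s: not s.to_local_domain(),
    "check_relay_domains": lambda s: not s.to_local_domain(),  # obsolete 2.0 form
    "reject": lambda s: True,
}


def evaluate(restrictions, session):
    """Walk one list in order; running off the end means PERMIT."""
    for r in restrictions:
        if r in PERMIT_IF:
            if PERMIT_IF[r](session):
                return "PERMIT"
        elif r in REJECT_IF:
            if REJECT_IF[r](session):
                return "REJECT"
        else:
            raise ValueError("restriction not modelled: " + r)
    return "PERMIT"


def decide(config, session):
    """Client-stage list first, then recipient-stage list. A PERMIT from one
    list does not skip the next one, so both have to accept the RCPT TO."""
    for key in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        if evaluate(config.get(key, DEFAULTS[key]), session) == "REJECT":
            return "REJECT"
    return "PERMIT"


# Gwyd10n's line: every unauthenticated client, including every MX on the
# internet, is rejected before the recipient is even looked at.
CLIENT_REJECT = {"smtpd_client_restrictions": ["permit_sasl_authenticated", "reject"]}
# The line ufoq tells jewps to uncomment instead.
RECIPIENT_POLICY = {"smtpd_recipient_restrictions": [
    "permit_sasl_authenticated", "permit_auth_destination", "permit_mynetworks",
    "check_relay_domains", "reject_unauth_destination"]}
# Both lines left out: only the built-in defaults apply.
DEFAULT_ONLY = {}
# A recipient list with no reject_unauth_destination is what an open relay
# looks like: every outside client runs off the end of the list and is permitted.
OPEN_RELAY = {"smtpd_recipient_restrictions": ["permit_mynetworks"]}

# Constructed sessions (documentation-range addresses, apart from the Yahoo
# MX that jewps's log shows being rejected).
INBOUND = Session("216.109.118.244", "lith@mobile.yingerdesign.com")
ROAMING_USER = Session("198.51.100.7", "friend@example.org", sasl_authenticated=True)
RELAY_ATTEMPT = Session("203.0.113.9", "victim@example.net")


def relay_matrix(config):
    """Verdict for each kind of session under one main.cf snippet."""
    return {
        "inbound": decide(config, INBOUND),
        "roaming_user": decide(config, ROAMING_USER),
        "relay_attempt": decide(config, RELAY_ATTEMPT),
    }


if __name__ == "__main__":
    for name, cfg in [("client reject", CLIENT_REJECT), ("recipient policy", RECIPIENT_POLICY),
                      ("defaults only", DEFAULT_ONLY), ("open relay", OPEN_RELAY)]:
        print(name, relay_matrix(cfg))
```

Note that the roaming SASL user is rejected under the bare defaults as well: the permission to relay for authenticated clients has to sit in smtpd_recipient_restrictions, which is why the uncommented line starts with permit_sasl_authenticated.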

----------

## pontifikas

Forgive me for probably presenting an already discussed issue but 16 pages is way too much.  :Confused: 

I've followed the instructions exactly. Everything seems to run smoothly (no errors at start up). But I cannot get mail  :Sad: 

I'm behind a router (actually a DSL modem: Alcatel Speedtouch Home->Pro).

I want actually to make my system a mailserver so as to be able to send and receive mail from my machine.

-My local IP is set to 10.0.0.1

-default gateway(the router's ip) is 10.0.0.138

-My connection's IP is updated via Dyndns

-Dyndns domain: something.dyndns.org

-My hostname: something(same as dyndns).

I have also added in /etc/hosts

```
127.0.0.1 localhost
10.0.0.1 something something.10.0.0.138 something.dyndns.org
```

-In /etc/postfix/main.cf I have uncommented the line 

myhostname = something.dyndns.org

-I've redirected port:25 of the router to my port:25

-I have set up kmail according to the instructions.

-I send a mail to username@something.dyndns.org and it cannot be delivered.

What am I doing wrong?

Another question: What about internal mailing? Supposing the above is solved, is the system able to send messages to root?

I thank you in advance  :Smile: 

----------

## ufoq

Follow my instructions above, if it doesn't help, post some logs, without them we are walking in the dark

----------

## dsegel

Does your router have a logging function? Check that first to make sure that  mail is actually getting delivered to port 25 on the router. If it is, then start looking at the postfix logs.

Also, what's this line in your hosts file for:

10.0.0.1 something something.10.0.0.138 something.dyndns.org 

Is that really what it looks like (and I'm not talking about the 'something')?

Let me be more clear: are you defining 'something.dyndns.org' in your hosts file and pointing it towards your internal network?

----------

## Cybergod091281

first thx for this great howto, I ran through it today and everything works. I've got only one small problem: when acting as normaluser@server how do I get permissions to crontab -e to activate the mentioned crontab entry for fetchmail?

EDIT: solved (crontab -u user -e)

but now I've got another problem:

```
Kerberos postfix/smtpd[23652]: sql_select option missing

Kerberos postfix/smtpd[23652]: auxpropfunc error no mechanism available

Kerberos postfix/smtpd[23652]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql

Kerberos postfix/smtpd[23658]: sql_select option missing

Kerberos postfix/smtpd[23658]: auxpropfunc error no mechanism available

Kerberos postfix/smtpd[23658]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
```

I've installed mysql for my LAMP, and I searched for some solution to this error but didn't find anything helping me. hope u guys can help me.

greetz cg

----------

## MarkG

Try this to fix the "sql_select option missing" problem

```

USE="-mysql" emerge cyrus-sasl

```

It should get rid of the warning but I'd like a better fix

It's also mentioned here

You should be able to edit a user's crontab without specifying the -u option if you are logged in as the user. I slipped up on this one because I hadn't added my user to the cron group.

MarkG

----------

## Cybergod091281

thx for the tip, now it works perfectly  :Smile: 

I tried to add my user to the cron group, but nothing happened.

greetz cg

----------

## Obfuscated

Hi everyone. First of all I'm a total Gentoo noob so it may be something obvious. I'm trying to install this but I'm getting some errors when I try to emerge procmail. Here's what I get after it unpacks:

```
patching file src/authenticate.c
/bin/sh ./initmake /bin/sh "/bin/sh" "/bin/rm -f" "mv -f" "ln" \
 "-lm -ldir -lx -lsocket -lnet -linet -lnsl_s -lnsl_i -lnsl -lsun -lgen -lsockdns -ldl" \
 "/lib /usr/lib /usr/local/lib" \
 /dev/null "make" o \
 "gcc" "-O3 -march=pentium4 -fomit-frame-pointer -pipe -fno-inline-functions  " "-s  " "procmail lockfile formail mailstat" \
 "procmail formail lockfile" \
 "procmailrc procmailsc procmailex" "src man" \
 "/usr/bin" \
 "strip"
gcc seems to work fine, using that as the C-compiler
        ...scanning for 13 libraries...
        ...scanning for 12 libraries...
        ...scanning for 11 libraries...
        ...scanning for 10 libraries...
        ...scanning for 9 libraries...
        ...scanning for 8 libraries...
        ...scanning for 7 libraries...
        ...scanning for 6 libraries...
        ...scanning for 5 libraries...
        ...scanning for 4 libraries...
Added LDFLAGS= -lm -lnsl -ldl -lc
cd src; make ../autoconf.h
echo Housekeeping file >config.check
make[1]: Entering directory `/var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src'
/bin/sh ./autoconf /bin/sh "/bin/rm -f" "mv -f" /dev/null \
 "grep -F" "make" o "/tmp .     " \
 "/usr/bin" ../autoconf.h
Using the following directories for the LOCKINGTESTs:
  /tmp .
Initiating fcntl()/kernel-locking-support tests
Proceeding with kernel-locking-support tests in the background
Testing for const
./autoconf: line 743: 19650 Segmentation fault      grepfor const '#define NO_const'
Testing for volatile
Testing for prototypes
Testing for enum
Checking for POSIX and ANSI/ISO system include files
Checking for network/comsat/biff support
Testing for void*, size_t, off_t, pid_t, time_t, mode_t, uid_t & gid_t
Checking realloc implementation
Testing for WIFEXITED(), WIFSTOPPED(), WEXITSTATUS() & WSIGTERM()
./autoconf: line 1011: 19725 Segmentation fault      grepfor struct '#define WMACROS_NON_POSIX'
./autoconf: line 1011: 19726 Segmentation fault      grepfor union '#define WMACROS_NON_POSIX'
Testing for various struct passwd members
./autoconf: line 1024: 19733 Segmentation fault      grepfor pw_passwd '#define NOpw_passwd'
./autoconf: line 1025: 19734 Segmentation fault      grepfor pw_class '#define NOpw_class'
./autoconf: line 1026: 19735 Segmentation fault      grepfor pw_gecos '#define NOpw_gecos'
Testing for memmove, strchr, strpbrk, strcspn, strtol, strstr,
        rename, setrgid, setegid, pow, opendir, mkdir, waitpid, fsync,
        ftruncate, strtod, strncasecmp, strerror, strlcat,
        memset, bzero, and _exit
Sandbox error : the SANDBOX_READ environmental variable should be defined.
ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor
./grepfor: ./grepfor: Permission denied
Sandbox error : the SANDBOX_READ environmental variable should be defined.
ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor
./grepfor: ./grepfor: Permission denied
./autoconf: line 1081: 19758 Segmentation fault      grepfor $func "#define NO$func"
Sandbox error : the SANDBOX_READ environmental variable should be defined.
ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor
./grepfor: ./grepfor: Permission denied
Sandbox error : the SANDBOX_READ environmental variable should be defined.
ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor
./grepfor: ./grepfor: Permission denied
Sandbox error : the SANDBOX_READ environmental variable should be defined.
ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor
./grepfor: ./grepfor: Permission denied
Sandbox error : the SANDBOX_READ environmental variable should be defined.
ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor
./grepfor: ./grepfor: Permission denied
Sandbox error : the SANDBOX_READ environmental variable should be defined.
ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor
./grepfor: ./grepfor: Permission denied
./autoconf: line 1081: 19764 Segmentation fault      grepfor $func "#define NO$func"
Sandbox error : the SANDBOX_READ environmental variable should be defined.
ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor
./grepfor: ./grepfor: Permission denied
Sandbox error : the SANDBOX_READ environmental variable should be defined.
ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor
./grepfor: ./grepfor: Permission denied
Sandbox error : the SANDBOX_READ environmental variable should be defined.
ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor
./grepfor: ./grepfor: Permission denied
Sandbox error : the SANDBOX_READ environmental variable should be defined.
ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor
./grepfor: ./grepfor: Permission denied
Sandbox error : the SANDBOX_READ environmental variable should be defined.
ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor
./grepfor: ./grepfor: Permission denied
./autoconf: line 1081: 19770 Segmentation fault      grepfor $func "#define NO$func"
Sandbox error : the SANDBOX_READ environmental variable should be defined.
ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor
./grepfor: ./grepfor: Permission denied
Sandbox error : the SANDBOX_READ environmental variable should be defined.

ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor

./grepfor: ./grepfor: Permission denied

Sandbox error : the SANDBOX_READ environmental variable should be defined.

ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor

./grepfor: ./grepfor: Permission denied

./autoconf: line 1090: 19774 Segmentation fault      grepfor opendir "

#define NOopendir       /* the readdir library does not seem to be available

                           this will slightly affect the way a filenumber is

                           selected in MH-folders by procmail */

"

./autoconf: line 1092: 19775 Segmentation fault      grepfor setrgid '#define NOsetrgid'

Sandbox error : the SANDBOX_READ environmental variable should be defined.

ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor

./grepfor: ./grepfor: Permission denied

Sandbox error : the SANDBOX_READ environmental variable should be defined.

ACCESS DENIED  open_rd:   /var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src/grepfor

./grepfor: ./grepfor: Permission denied

./autoconf: line 1101: 19778 Segmentation fault      grepfor uname "#define NOuname               /* <sys/utsname.h> defines it, the libraries don't */"

./autoconf: line 1102: 19779 Segmentation fault      grepfor endpwent '#define endpwent()'

./autoconf: line 1103: 19780 Segmentation fault      grepfor endgrent '#define endgrent()'

./autoconf: line 1112: 19781 Segmentation fault      grepfor gethostbyname '#define NO_COMSAT'

./autoconf: line 1112: 19782 Segmentation fault      grepfor getprotobyname '#define UDP_protocolno 17'

./autoconf: line 1112: 19783 Segmentation fault      grepfor endhostent '#define endhostent()'

./autoconf: line 1112: 19784 Segmentation fault      grepfor endservent '#define endservent()'

./autoconf: line 1112: 19785 Segmentation fault      grepfor endprotoent '#define endprotoent()'

./autoconf: line 1114: 19786 Segmentation fault      grepfor strstr '#define SLOWstrstr'

./autoconf: line 1114: 19787 Segmentation fault      grepfor clock '#define SLOWstrstr'

./autoconf: line 1179: 19788 Segmentation fault      grepfor memmove '#define NOmemmove'

Determining the maximum number of 16 byte arguments execv() takes

Whoeaaa!  This actually can't happen.

You have a look and see if you detect anything uncanny:

*******************************************************

_autotst.o(.text+0x5d4): In function `main':

: undefined reference to `setrgid'

_autotst.o(.text+0x681): In function `main':

: undefined reference to `setrgid'

collect2: ld returned 1 exit status

make[2]: *** [_autotst] Error 1

*******************************************************

I suggest you take a look at the definition of LDFLAGS*

in the Makefile before you try make again.

make[1]: *** [../autoconf.h] Error 1

make[1]: Leaving directory `/var/tmp/portage/procmail-3.22-r6/work/procmail-3.22/src'

make: *** [autoconf.h] Error 2

 

!!! ERROR: net-mail/procmail-3.22-r6 failed.

!!! Function src_compile, Line 41, Exitcode 2

!!! (no error message)

```

Here's my emerge settings:

```
Portage 2.0.50-r3 (default-x86-2004.0, gcc-3.3.2, glibc-2.3.2-r9, 2.4.25-gentoo)=================================================================

System uname: 2.4.25-gentoo i686 Intel(R) Pentium(R) 4 CPU 2.40GHz

Gentoo Base System version 1.4.3.13

Autoconf: sys-devel/autoconf-2.58-r1

Automake: sys-devel/automake-1.8.3

ACCEPT_KEYWORDS="x86"

AUTOCLEAN="yes"

CFLAGS="-O3 -march=pentium4 -fomit-frame-pointer -pipe"

CHOST="i686-pc-linux-gnu"

COMPILER="gcc3"

CONFIG_PROTECT="/etc /etc/tomcat /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control"

CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"

CXXFLAGS="-O3 -march=pentium4 -fomit-frame-pointer -pipe"

DISTDIR="/usr/portage/distfiles"

FEATURES="autoaddcvs ccache sandbox"

GENTOO_MIRRORS="http://mirror.tucdemonic.org/gentoo/ http://gentoo.seren.com/gentoo ftp://gentoo.agsn.ca/"

MAKEOPTS="-j2"

PKGDIR="/usr/portage/packages"

PORTAGE_TMPDIR="/var/tmp"

PORTDIR="/usr/portage"

PORTDIR_OVERLAY=""

SYNC="rsync://rsync.gentoo.org/gentoo-portage"

USE="X alsa apm arts avi berkdb crypt cups encode esd foomaticdb gdbm gif gnome gpm gtk gtk2 imlib java jpeg libg++ libwww mad mikmod motif mozilla mpeg ncurses nls oggvorbis opengl oss pam pdflib perl png python quicktime readline sdl slang spell ssl svga tcltk tcpd truetype x86 xml2 xmms xv zlib"

```

If anyone has some suggestions, I'd appreciate it.

----------

## Obfuscated

Doh, looked around some more and found the solution:

```

FEATURES=-sandbox emerge procmail

```

So the next question is, what exactly is sandbox and why does it need to be disabled?

----------

## Negated Void

Set it up as mentioned.

I can send mail fine, but i cannot receive mail.

My address i hope to receive at is murph@murph.strobe.org

This is the returned mail i get when sending there...

```

The original message was received at Mon, 12 Apr 2004 21:34:42 -0400 (EDT)

from roc-66-66-187-237.rochester.rr.com [66.66.187.237]

   ----- The following addresses had permanent fatal errors -----

<murph@murph.strobe.org>

    (reason: 554 <ms-smtp-01.nyroc.rr.com[24.24.2.55]>: Client host rejected: Access denied)

   ----- Transcript of session follows -----

... while talking to murph.strobe.org.:

>>>>>> DATA

<<< 554 <ms-smtp-01.nyroc.rr.com[24.24.2.55]>: Client host rejected: Access denied

554 5.0.0 Service unavailable

<<< 554 Error: no valid recipients

Reporting-MTA: dns; ms-smtp-01.nyroc.rr.com

Received-From-MTA: DNS; roc-66-66-187-237.rochester.rr.com

Arrival-Date: Mon, 12 Apr 2004 21:34:42 -0400 (EDT)

Final-Recipient: RFC822; murph@murph.strobe.org

Action: failed

Status: 5.0.0

Remote-MTA: DNS; murph.strobe.org

Diagnostic-Code: SMTP; 554 <ms-smtp-01.nyroc.rr.com[24.24.2.55]>: Client host rejected: Access denied

Last-Attempt-Date: Mon, 12 Apr 2004 21:34:44 -0400 (EDT)

Received: from flashmail.com (roc-66-66-187-237.rochester.rr.com [66.66.187.237])

   by ms-smtp-01.nyroc.rr.com (8.12.10/8.12.10) with ESMTP id i3D1Yfdd024402

   for <murph@murph.strobe.org>; Mon, 12 Apr 2004 21:34:42 -0400 (EDT)

Message-ID: <407B43B4.3060402@flashmail.com>

Date: Mon, 12 Apr 2004 20:34:44 -0500

From: Matt <CrazyKid@flashmail.com>

User-Agent: Mozilla Thunderbird 0.5+ (X11/20040215)

X-Accept-Language: en-us, en

MIME-Version: 1.0

To: murph@murph.strobe.org

Subject: Re: You are a nut

References: <36169.192.168.0.9.1081819896.squirrel@murph.strobe.org>

In-Reply-To: <36169.192.168.0.9.1081819896.squirrel@murph.strobe.org>

Content-Type: text/plain; charset=us-ascii; format=flowed

Content-Transfer-Encoding: 7bit

X-Virus-Scanned: Symantec AntiVirus Scan Engine

```

----------

## Dr_Stein

"For clients, both KMail and Thunderbird don't work. I haven't tried others. KMail doesn't generate any errors other than something like "failed to send some messages" in the status bar. Thunderbird gives 'Could not establish an connection because certificate presented is invalid or corrupted. Error Code: -8182' when trying to send. "

Mozilla 1.7b (Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7b) Gecko/20040413) gives that -8182 error - so does the Released Mozilla 1.6 for Windows.

If I turn off TLS, everything works great. But I'd like to be able to use TLS.  :Smile: 

How to solve this? Hm..

SOLVED: I paid very close attention to the errors that whizzed by.  :Smile:  Also, I removed the CA, and the *.pem certs and re-created it...very...carefully. Adding defaults for all of the sections seems to have made it a bit easier to deal with, too. Bottom line is that it works.  :Smile: 

Last edited by Dr_Stein on Sun Apr 18, 2004 5:09 pm; edited 1 time in total

----------

## numerodix

beowulf, I noticed this a long time ago but I forgot to post it. In section 10 for spamassassin, you mention this for spam training:

```
*/30 * * * *    sa-learn --dir --spam /home/user/.maildir/.spam > /dev/null 2>&1

*/30 * * * *    sa-learn --dir --ham  /home/user/.maildir/ > /dev/null 2>&1 
```

I believe that it should actually be:

```
*/30 * * * *    sa-learn --dir --spam /home/user/.maildir/.spam/cur > /dev/null 2>&1

*/30 * * * *    sa-learn --dir --ham  /home/user/.maildir/cur > /dev/null 2>&1 
```

otherwise sa-learn can't find the messages. This of course assumes that they are marked read, otherwise you could substitute "cur" for "new".

----------

## dsd

thanks for the helpful guide

a few comments, i haven't read much of the thread so sorry if they have been mentioned already:

typo in section 5.1, you mention to edit "/etc/courier-imap/authdaemondrc" i dont think that D should be there.

secondly, i had to change MAXPERIP in /etc/courier-imap/imapd to stop mozilla thunderbird saying "server has disconnected, there may be a network problem" now and then (quite irritating). I changed it from 4 to 10 and the problem has gone.

finally, to avoid messages like this in syslog:

```
Failed to create cache file: maildirwatch

Error: Input/output error

Check for proper operation and configuration

of the File Access Monitor daemon (famd).
```

i had to rc-update famd default and then start it. i haven't looked into what FAM actually does yet.

----------

## Kyrra

 *dsd wrote:*   

> finally, to avoid messages like this in syslog:
> 
> ```
> Failed to create cache file: maildirwatch
> 
> ...

 

I think this came with a newer build of courier-imapd.

http://www.courier-mta.org/FAQ.html#fam

I'm guessing the newest ebuilds decided to start building fam in with Courier-Imap?

----------

## dixi

running

```
[sp@yafa - ~ ]sudo netstat -lp | grep :smtp
```

gets me:

```
tcp        0      0 *:smtp     *:*      LISTEN      1403/master
```

From what I've gleaned in the forums it might be because I have a bad master.cf

Would somebody be able to post a working one based on beowulf's HOWTO?

Thanks in advance

----------

## veggie2u

I have half the functionality. I can connect to IMAP folders, using SSL, but I can't send. When I use Mutt on zeus (my mail server) I can send an email to anywhere, but when I use Outlook on a laptop on my network, I can't send an email. I get this from outlook.

```

The connection to the server has failed. Account: 'cyberward.net', Server: 'zeus.cyberward.net', Protocol: SMTP, Port: 465, Secure(SSL): Yes, Socket Error: 10061, Error Number: 0x800CCC0E

```

Then this is what my email server says.

```

Apr 25 21:30:51 zeus imapd-ssl: Connection, ip=[10.0.0.103]

Apr 25 21:30:51 zeus imapd-ssl: LOGIN, user=veggie2u, ip=[10.0.0.103], protocol=IMAP

Apr 25 21:30:51 zeus imapd-ssl: LOGOUT, user=veggie2u, ip=[10.0.0.103], headers=0, body=0

Apr 25 21:30:51 zeus imapd-ssl: Connection, ip=[10.0.0.103]

Apr 25 21:30:51 zeus imapd-ssl: LOGIN, user=veggie2u, ip=[10.0.0.103], protocol=IMAP

Apr 25 21:30:51 zeus imapd-ssl: Unexpected SSL connection shutdown.

Apr 25 21:30:51 zeus imapd-ssl: DISCONNECTED, user=veggie2u, ip=[10.0.0.103], headers=0, body=0

```

What am I not doing that is doing this?

veggie2u

----------

## bruor

beowulf:   wanted to thank you again for this guide,  i didn't get my issues resolved previously but i followed setup again from scratch with the redirect you put up.   here's what's going on. 

as i understand it i am using ssl to login to my mail server on the lan.  my isp blocks ports so i have a bit of a workaround.   contrary to the last time,  receiving is working great,  it was the fix that you posted that got me up and running the whole thing.   (it's really late and i'm rambling)   anyway  ok  so i use ssl to connect to the server here with imap and it has popped down all the mail and all looks good.   

if i am sending out,  my email client auths using ssl to my server here,  and then my email server does what?  connect with ssl outbound?  

i'm using outlook.  if i set up the email account to send using ssl with the server i just set up as the outbound,  the sending times out.  if i take away ssl i get this in an email in my inbox

```
Your message did not reach some or all of the intended recipients.

      Subject:   test

      Sent:   4/30/2004 1:46 AM

The following recipient(s) could not be reached:

      'bruor@cogeco.ca' on 4/30/2004 1:46 AM

            554 <unknown[192.168.0.6]>: Client host rejected: Access denied

```

192.168.0.6 is the IP of the machine i am using outlook on.  i have tried using  relayhost = xxxxx   but that doesn't seem to do anything for me at all,  i have also tried killing the smtpd_sasl*  lines in main.cf  as well as setting the domainname and hostname for it statically,  although i don't think those have anything to do with it.  

if you need my config files please post a quick grep line that i can use to strip out commented code and i'll reply a lot faster than i would without it  :Wink:     thanks once again for your help

----------

## MooktaKiNG

I have now reinstalled my server, and did everything that was said up there.

There is one problem though. The how to does not say how to make your email server receive email, without being an open relay.

I had to remove the following line:

```
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
```

And replace it with this line:

```
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
```

beowulf: I think you should add that to the how to. This has been mentioned before in this thread, except it's 15+ pages big  :Very Happy: 

----------

## bruor

oh,  i think i forgot to mention that when i am connecting to send through this system i have to have the UN:PW in the outbound fields selected or it will time out as well.

----------

## krunk

I skimmed over the ~400 posts, so forgive me if this has been answered before, but:

My .fetchmailrc:

```

set postmaster "localName"

poll mail.myschool.edu with proto IMAP user "user_name" there with password "user_pass" is localName here options warnings 3600

poll pop.my_dept.edu with proto POP3 auth password user "user_name" there with password "user_pass" is localName here options warnings 3600

poll pop.forum.account with proto POP3 auth password user "user_name" there with password "user_pass" is localName here options warnings 3600

poll mail.isp.account with proto POP3 auth password user "user_name" there with password "user_pass" is localName here options warnings 3600 
```

I run the fetchmail script provided in howto:

```

fetchmail: couldn't find canonical DNS name of mail.school.edu (mail.school.edu)

fetchmail: Query status=11 (DNS)

fetchmail: couldn't find canonical DNS name of pop.eecs.school.edu (pop.eecs.school.edu)

fetchmail: Query status=11 (DNS)

fetchmail: couldn't find canonical DNS name of pop.forum.com (pop.forum.com)

fetchmail: Query status=11 (DNS)

fetchmail: couldn't find canonical DNS name of mail.bellsouth.net (mail.bellsouth.net)

fetchmail: Query status=11 (DNS)

```

What am I missing, please?

----------

## bruor

looks to me like you are having problems with dns resolution. 

can you ping these addresses etc... 

can you use your fav linux mail client with these addresses standalone? 

if it doesn't work for you try using the ip addresses of these locations rather than host names and see if it works for you that way,  if it does then you will know it's a DNS issue that you need to TS

----------

## krunk

 *bruor wrote:*   

> looks to me like you are having problems with dns  resolution. 
> 
> can you ping these addresses etc... 
> 
> can you use your fav linux mail client with these addresses standalone? 
> ...

 

I tracked it down, ran an strace and found that some of my perms for /etc/ were off. 

Thanks though.  :Smile: 

----------

## krunk

Ok, now I'm to the part with setting up Kmail. When I click on "detect what the server supports" in sending or receiving set-up, it errors out:

Unknown error code 0

I've checked to ensure that all the daemons are running, I can download using fetchmail, and have confirmed that my firewall is letting port 25 through from clients. I'm not sure how to troubleshoot from here.

On a side, how do I make an OR rule in .procmailrc? I tried this (as suggested in Timo's HOWTO):

```
# Personal/Friends

:0

* ^From:.*addyone

  ^From:.*addytwo

  ^From:.*addythree

  ^From:.*addyfour

  ^From:.*addyfive

  ^From:.*addysix

  ^From:.*addyseven

  ^From:.*addyeight

  ^From:.*addynine

.Personal/

```

But this just writes tons of emails to a file named "addytwo".

I've pretty much given up and am installing spamassassin client side. I'm just going to set it as a filter in evolution. But I'd still like to know how to do this since I'd like to set up my own email server over the summer.
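The OR rule above fails for a structural reason, and the following added example (mine, not from the guide, from procmail, or from any poster) models the recipe layout procmailrc(5) describes in Python: a recipe is `:0` plus flags, then zero or more condition lines that each begin with `*`, then exactly one action line. Only the first `^From:` line in the post carries the `*`, so the second one is read as the action, which is why mail piled up in a file named after that pattern. The fix is one condition line using regex alternation. The sender names are the placeholders from the post, the header lines are constructed, and matching each header line separately with Python's `re` is a simplification of procmail's egrep-style matching over the whole header.

```python
"""Added example: a minimal model of how procmail reads one recipe, enough to
show why several bare regex lines do not form an OR.  Not procmail's code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Recipe:
    flags: str
    conditions: List[str]
    action: str                         # mailbox/folder (or a program for '|')
    leftover: List[str] = field(default_factory=list)   # lines after the action


def parse_recipe(text: str) -> Recipe:
    """':0' line, then condition lines starting with '*', then ONE action line."""
    lines = [ln.rstrip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if not lines or not lines[0].lstrip().startswith(":0"):
        raise ValueError("recipe must start with ':0'")
    flags = lines[0].strip()[2:].strip()
    conditions: List[str] = []
    i = 1
    while i < len(lines) and lines[i].lstrip().startswith("*"):
        conditions.append(lines[i].lstrip()[1:].strip())
        i += 1
    if i == len(lines):
        raise ValueError("recipe has no action line")
    # The first line without a leading '*' is the action, whatever it says.
    return Recipe(flags, conditions, lines[i].strip(), lines[i + 1:])


def matches(recipe: Recipe, header_lines: List[str]) -> bool:
    """procmail ANDs all conditions; each is an egrep-style regex.  Modelled
    here as: every condition must match at least one header line."""
    return all(any(re.search(cond, line) for line in header_lines)
               for cond in recipe.conditions)


def deliver(recipe: Recipe, header_lines: List[str]) -> Optional[str]:
    """Folder the message would be delivered to, or None if the recipe passes."""
    return recipe.action if matches(recipe, header_lines) else None


SENDERS = ["addyone", "addytwo", "addythree", "addyfour", "addyfive",
           "addysix", "addyseven", "addyeight", "addynine"]

# Layout from the post: only the first pattern line carries the leading '*'.
BROKEN = ":0\n* ^From:.*addyone\n" + "".join(
    f"  ^From:.*{s}\n" for s in SENDERS[1:]) + ".Personal/\n"

# Correct OR: a single condition line with regex alternation.
FIXED = ":0\n* ^From:.*(" + "|".join(SENDERS) + ")\n.Personal/\n"

# Constructed sample headers.
FROM_FRIEND = ["From: Friend <addyfour@example.net>", "Subject: lunch?"]
FROM_OTHER = ["From: someone@example.org", "Subject: newsletter"]

if __name__ == "__main__":
    broken, fixed = parse_recipe(BROKEN), parse_recipe(FIXED)
    print("broken recipe action line:", broken.action)
    print("fixed recipe delivers friend mail to:", deliver(fixed, FROM_FRIEND))
```

Parsing `BROKEN` yields one condition and the action `^From:.*addytwo`, with the remaining pattern lines and `.Personal/` left over outside the recipe; parsing `FIXED` yields one alternation condition and the intended `.Personal/` action.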

----------

## bruor

i'm not sure on the or rule for procmail...  

just curious,  did you set up your smtp server to send mail directly?  or did you set it up to use your ISP's smtp server for outgoing mail? 

i'd like to get sending for this whole shebang working but it isn't looking good.. 

i can deal with only having incoming email if i can set squirrelmail up to use my ISP's smtp server instead of a local one...   at least that way all aspects of this will still *seem* to work

----------

## krunk

 *bruor wrote:*   

> i'm not sure on the or rule for procmail...  
> 
> just curious,  did you set up your smtp server to send mail directly?  or did you set it up to use your ISP's smtp server for outgoing mail? 
> 
> i'd like to get sending for this whole shebang working but it isn't looking good.. 
> ...

 

Set up to redirect to ISP's smtp server. I figured I should take it in baby steps.  :Smile: 

----------

## bruor

when setting everything up did you have any problems sending at all?   i.e.  authing against your server  etc....    

would you mind pm'ing me a copy of your procmail config? 

i'm having a heck of a time getting it to work outbound...

----------

## krunk

From my client I cannot even detect that my server exists, so my config file might not be what you want.....

----------

## MooktaKiNG

Does anyone know how to get the emails that i send using "mutt -x mma" to seem like they're coming from domain.com, instead of hostname.domain.com?

i can't seem to figure this out.

----------

## omné

Hello, great HOWTO, but I still have the same problem. I didn't read all this thread, since, as you can read, I'm not a native English speaker, but all searches or tests I made failed.

OK, here is my problem :

It seems like everything works great, except one point: I can't use IMAP.

I've created my maildir with 

```

maildirmake ~/.maildir/

```

I tried Thunderbird and balsa.

[EDIT] Same with kmail.

I can connect to the local IMAP server via SSH, but afterwards still the same message (here in Thunderbird):

 *Quote:*   

> 
> 
> The current command did not succeed. The mail server responded: Unable to open this mailbox.
> 
> 

 

For me it's like imap doesn't know that $HOME/.maildir is my mailbox, or doesn't know where to search, or that it's a maildir directory.

Looking in my imapd, I found two variables that may be the reason, but every change I tried caused the same error:

```

vi /etc/courier-imap/imapd

##NAME: MAILDIRPATH:0

#

# MAILDIRPATH - directory name of the maildir directory.

#

#MAILDIRPATH=Maildir

MAILDIRPATH=Maildir

#Hardwire a value for ${MAILDIR}

#MAILDIR=Mail

MAILDIR=Mail

#Put any program for ${PRERUN} here

PRERUN=

```

Since it's the only place where IMAP seems to look for the mailbox path, I tried other things here, but no result.

Other things...

 - Putting a "." in front of directories in $HOME/procmailrc causes them to be cached directories, is it normal?

- I tried to open my $HOME/.maildir as a local directory with Thunderbird; it doesn't "see" the cached directories and shows me an INBOX.new which contains 6 other directories which are in fact the 6 mails (so files and not directories) I see with a 

```

ls ~/.maildir/INBOX.new

```

Can anyone help me? I've spent long hours on it now, it would be great if it worked  :Smile: 

Thanks

Némo. 

PS : I'm not at all a net master, and it's possible that I made an error between my fixed IP / localhost / 127.0.0.1 / hostname / domainname in the main.cf, but everything seems OK, and it's not a reason for imap not finding my maildir, is it?

[EDIT 09/05/2004]

Solved

I had to say, via /etc/courier-imap/imapd, where my maildir is:

```
MAILDIRPATH=Maildir

MAILDIR=.maildir

```

I got two new problems:

imap disconnects me when changing from a folder to another (created by procmail)

How do I tell cron not to send me mail each time it checks my boxes?

Némo.

Last edited by omné on Sun May 09, 2004 11:36 am; edited 1 time in total

----------

## thekk

In reply to the tip to create an extra /usr/lib/sasl2/smtpd.conf file with the same contents as /etc/sasl2/smtpd.conf (Suggestion by Woolong), I had the same problem, but found a different solution. Create a symlink (which was suggested by Souperman).

You'd have to type:

```
# ln -s /etc/sasl2/smtpd.conf /usr/lib/sasl2/smtpd.conf 
```

If you want to change some options for the authentication, you only have to edit one file.

Thanks for making my life a little easier with this guide!

Thekk

----------

## Gwyd10n

I seem to be having trouble with amavis working correctly. I see this error in the log over and over again.

```

May 6 10:32:06 athame /postfix/qmgr [17418]: warning: connect to transport smtp-amavis: Connection refused

```

When I try to enable the transport mail gets stuck in no-where land.

Any ideas as to what's going on?

Thanks

----------

## slestak

Following version 2.1 of the howto.

I have a script getmymail2 (2nd attempt) which returns the following output:

```

steve@webserver bin $ ./getmymailnow2

Enter password for steve@/usr/bin/procmail -d %T:

fetchmail: couldn't find canonical DNS name of /usr/bin/procmail -d %T (/usr/bin

/procmail -d %T)

fetchmail: Query status=11 (DNS)

steve@webserver bin $ fetchmail: Query status=11 (DNS)

```

~/bin/getmymail2 contains

```

#!/bin/bash

/usr/bin/fetchmail -a -s -m -k "/usr/bin/procmail -d %T"

```

Any hints on where I can look next?

When I execute the same line in bash, not in the script, it works correctly.  I think %T is not resolving correctly.

Edit - SOLVED

I added the -k switch for testing and interrupted the -m with its arg

Edit2 - spelling

Last edited by slestak on Tue May 11, 2004 3:53 pm; edited 1 time in total

----------

## bruor

ok i'm giving sending another shot now,   when i try to send out stuff with ssl enabled outlook tells me that my server does not support ssl. 

so i disable it.   and when i send i get a mail immediately that says this 

```

Your message did not reach some or all of the intended recipients.

      Subject:   testing one more time 

      Sent:   5/10/2004 9:16 AM

The following recipient(s) could not be reached:

      '[i]outbound@mail.address[/i]' on 5/10/2004 9:16 AM

            554 <unknown[192.168.0.6]>: Client host rejected: Access denied

```

192.168.0.6  is the IP of the computer i am connecting to the server from. 

can someone at least help me know where to look?   as far as i can tell everything is  as it needs to be in the howto....   

should ssl be enabled for the smtp  connection?  

thanks in advance for any help!

----------

## slestak

when I include the getmymail script in my cron, how will I handle the password prompt?  I have my pop3 password in my fetchmailrc, and it is chmod 700 for the non-privileged owner.

I would think with the password in the fetchmailrc, getmymail wouldn't prompt.

[Solved] Don't know how, it's working now.

----------

## schmeggahead

I have the squirrelmail setup with this how to and the fetchmail setup for each of the users to run daily. I would like to be able to run fetchmail from within squirrelmail to get new mail when anyone is actually needing it but not logged on to the mail system, just using squirrelmail. PHP is probably capable of doing this. 

Could someone point me in the direction of a similar PHP item that can access a shell script?

There has to be one in the squirrelmail system.

----------

## Benzman

First, thank you for this guide!

But I've got a problem:

My e-mail program doesn't show the folders that I created with procmail. So I wrote them to ~/.maildir/courierimapsubscribed. Now I can see the folders in my e-mail client, but they are all empty. I've checked the dirs over the cmdline and there are messages in them. I'm also confused that the maildirs made by procmail aren't in ~/.maildir/. They are directly in ~/. Is this correct or did I / procmail make a mistake? My .procmailrc has the same syntax as the .procmailrc written by beowulf in this guide.

Edit: solved

I forgot to type the first two lines in ~/.procmailrc

----------

## blake121666

Hi, thanks for this guide   :Razz: 

You have pwcheck_method:saslauthd in /etc/sasl2/smtpd.conf but you neglect to add sasl users with saslpasswd2.  I couldn't send mail from my Outlook Express client until I did this.

```
echo "$passwd" | saslpasswd2 -p -c $username
```

And I had to specify $username@$host as the username in Outlook Express where $host = the smtp server (short name - not fully-qualified).

I also had to "chown postfix:mail" the /etc/sasl2/sasldb2 file.

----------

## blatch

Ok. Let's say my server is jth.ath.cx. I want to be able to send mail to jth@jth.ath.cx. I don't want fetchmail to read anything from any OTHER e-mail accounts, I want to setup my OWN PERSONAL e-mail account based on this address. How would I do that? I've done EVERYTHING in this tutorial, but I can't receive mail to that address.

----------

## hammerhai

I found a mistake in the "Spam Assassin"-Part of this Howto:

```
server root # sa-learn --dir --spam /home/niklas/.maildir/.spam
```

This just gives you

```
Learned from 1 message(s) (3 message(s) examined).

```

But if you do

```
server root # sa-learn --dir --spam /home/niklas/.maildir/.spam/cur/
```

you will get the expected result

```
Learned from 65 message(s) (66 message(s) examined).

```

So this

```
user@server $ crontab -e 

 

 #This scans for spam and for good mails every half hour. 

 #Set the interval (30 minutes) appropriatly for your convenience and the amount of mails you get. 

 

 */30 * * * *    sa-learn --dir --spam /home/user/.maildir/.spam > /dev/null 2>&1 

 */30 * * * *    sa-learn --dir --ham  /home/user/.maildir/ > /dev/null 2>&1 
```

 should be changed to

```
user@server $ crontab -e 

 

 #This scans for spam and for good mails every half hour. 

 #Set the interval (30 minutes) appropriatly for your convenience and the amount of mails you get. 

 

 */30 * * * *    sa-learn --dir --spam /home/user/.maildir/.spam/cur > /dev/null 2>&1 

 */30 * * * *    sa-learn --dir --ham  /home/user/.maildir/cur > /dev/null 2>&1 
```

edit:

 *Quote:*   

> 10.4 Configure Spam Assassin 
> 
>  This can be done automatically (almost) by using a script you can find here: 
> 
> http://www.yrex.com/spam/spamconfig.php
> ...

 

The config file has to be /etc/mail/spamassassin/local.cf.

I just saw that there is an init script for Spam Assassin (/etc/init.d/spamd). Isn't it necessary to start the service by using this script?

Last edited by hammerhai on Tue May 18, 2004 4:58 pm; edited 1 time in total
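numerodix and hammerhai hit the same thing: `sa-learn --dir` pointed at the top of a maildir folder examines only the few files sitting directly there, because in a maildir the messages live in the `cur/` (seen) and `new/` (unseen) subdirectories. The added Python below (mine, not from the guide or SpamAssassin) builds a throw-away Courier-style folder and shows what a per-file directory scan sees at the top level versus inside `cur/`, and how to enumerate a folder's messages properly. Filenames and message contents are constructed; `maildirfolder` and `courierimapuiddb` are two of the bookkeeping files Courier IMAP keeps in a folder.

```python
"""Added example: maildir layout versus a flat 'every file is a message'
directory scan.  Not the guide's or SpamAssassin's code."""
import os
import tempfile
from typing import Dict, List


def build_sample_maildir(root: str, seen: int = 5, unseen: int = 3) -> str:
    """Constructed Courier-style folder: root/{tmp,new,cur} plus metadata."""
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(root, sub))
    for meta in ("maildirfolder", "courierimapuiddb"):     # Courier bookkeeping
        open(os.path.join(root, meta), "w").close()
    body = "From: spammer@example.org\nSubject: buy now\n\nbody\n"
    for i in range(unseen):                                 # unread mail: new/
        with open(os.path.join(root, "new", f"108400000{i}.M1P{i}.host"), "w") as f:
            f.write(body)
    for i in range(seen):                                   # read mail: cur/, ':2,S'
        with open(os.path.join(root, "cur", f"108300000{i}.M1P{i}.host:2,S"), "w") as f:
            f.write(body)
    return root


def files_seen_by_dir_mode(path: str) -> List[str]:
    """What a 'treat each file in this directory as a message' mode examines:
    regular files directly inside path; subdirectories are not entered."""
    return sorted(e.name for e in os.scandir(path)
                  if e.is_file(follow_symlinks=False))


def maildir_messages(maildir: str, include_new: bool = True) -> List[str]:
    """Message files of one maildir folder, as 'sub/name' paths."""
    subdirs = ["cur"] + (["new"] if include_new else [])
    found: List[str] = []
    for sub in subdirs:
        for e in os.scandir(os.path.join(maildir, sub)):
            if e.is_file(follow_symlinks=False):
                found.append(f"{sub}/{e.name}")
    return sorted(found)


def demo() -> Dict[str, List[str]]:
    """Build a temporary .spam folder and compare the three views."""
    with tempfile.TemporaryDirectory() as tmp:
        spam = build_sample_maildir(os.path.join(tmp, ".spam"))
        return {
            "root": files_seen_by_dir_mode(spam),            # metadata only
            "cur": files_seen_by_dir_mode(os.path.join(spam, "cur")),
            "all": maildir_messages(spam),                   # cur/ and new/
        }


if __name__ == "__main__":
    for view, names in demo().items():
        print(f"{view:5s}: {len(names)} file(s)")
```

At the top level the scan finds only the two metadata files, which is the kind of "N message(s) examined" count the posts saw; `cur/` holds the read messages and `new/` the unread ones, so a training job that should cover both has to point at each subdirectory (or enumerate them as `maildir_messages` does).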

----------

## BlinkEye

if i use the suggested crontab entry for a specific user i get

```
May 18 17:52:00 computername CRON[12046]: (username) CMD (/usr/bin/fetchmail -a -s -m "/usr/bin/procmail -d \%T" )

May 18 17:52:21 computername CRON[12045]: (username) MAIL (mailed 696 bytes of output but got status 0xffffffff )
```

and don't get the mails - instead i receive an email from crontab with the following header:

```
Subject: Cron <username@domain> /usr/bin/fetchmail -a -s -m "/usr/bin/procmail -d \%T"

X-Cron-Env:  <SHELL=/bin/sh>

X-Cron-Env:  <HOME=/home/username>

X-Cron-Env:  <PATH=/usr/bin:/bin>

X-Cron-Env:  <LOGNAME=username>
```

and the following message:

```
sh: -c: line 1: unexpected EOF while looking for matching `''

sh: -c: line 2: syntax error: unexpected end of file

fetchmail: SIGPIPE thrown from an MDA or a stream socket error

fetchmail: socket error while fetching from pop.bluewin.ch

fetchmail: Query status=2 (SOCKET)

sh: -c: line 1: unexpected EOF while looking for matching `''

sh: -c: line 2: syntax error: unexpected end of file

fetchmail: MDA returned nonzero status 2

sh: -c: line 1: unexpected EOF while looking for matching `''

sh: -c: line 2: syntax error: unexpected end of file

fetchmail: SIGPIPE thrown from an MDA or a stream socket error

fetchmail: socket error while fetching from pop.gmx.ch

fetchmail: Query status=2 (SOCKET)
```

if i use

```
*/2 * * * * /usr/bin/fetchmail -a -s
```

i get no cron mail and receive my mails. i use procmail and set up some filter rules too - they don't get ignored, so why should i use the more complicated line mentioned above? i'm confused because i had my mailserver running yesterday without any problem. i had to reboot my server and changed ONLY some iptables settings (from built in to modules) and it stopped working. either way it works now and i'm pretty sure someone can explain to me the crontab entry and why it doesn't work for me any more.

i don't have a /etc/fetchmailrc file and didn't set the daemon mode in /etc/conf.d/fetchmail. i use userbased ~/.fetchmailrc (no daemon mode)

any ideas?
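The crontab line under discussion contains a `%`, which crontab(5) treats specially: an unescaped `%` ends the command, everything after it is fed to the command on standard input, further unescaped `%` become newlines, and `\%` is passed through as a literal `%`. BlinkEye's log already shows the escaped `\%T`, so this does not pin down that particular failure, but the added example below (mine, not from the guide or cron) models the rule and shows what the shell receives with and without the backslash, using `shlex` as a stand-in for sh's quote parsing.

```python
"""Added example: crontab(5)'s percent rule applied to the guide's fetchmail
command line.  A model of the documented behaviour, not cron's own code."""
import shlex
from typing import Optional, Tuple


def split_cron_command(command: str) -> Tuple[str, Optional[str]]:
    """Return (text handed to sh -c, text fed on stdin or None)."""
    cmd, stdin = [], []
    in_stdin = False
    i, n = 0, len(command)
    while i < n:
        ch = command[i]
        if ch == "\\" and i + 1 < n and command[i + 1] == "%":
            (stdin if in_stdin else cmd).append("%")      # escaped: literal %
            i += 2
        elif ch == "%":
            if in_stdin:
                stdin.append("\n")                           # later % = newline
            else:
                in_stdin = True                              # first % = cut here
            i += 1
        else:
            (stdin if in_stdin else cmd).append(ch)
            i += 1
    return "".join(cmd), ("".join(stdin) if in_stdin else None)


def shell_can_parse(cmd: str) -> bool:
    """Would sh accept the quoting?  shlex follows the same quote rules
    closely enough to flag an unterminated string."""
    try:
        shlex.split(cmd)
        return True
    except ValueError:
        return False


# The guide's crontab command, without and with the backslash before %.
UNESCAPED = '/usr/bin/fetchmail -a -s -m "/usr/bin/procmail -d %T"'
ESCAPED = '/usr/bin/fetchmail -a -s -m "/usr/bin/procmail -d \\%T"'

if __name__ == "__main__":
    for line in (UNESCAPED, ESCAPED):
        cmd, stdin = split_cron_command(line)
        print(f"sh -c {cmd!r}  stdin={stdin!r}  parses={shell_can_parse(cmd)}")
```

Without the backslash, sh is handed `/usr/bin/fetchmail -a -s -m "/usr/bin/procmail -d ` (an unterminated double quote) and the rest, `T"`, arrives on stdin; with `\%T` the whole line reaches the shell intact.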

----------

## BlinkEye

 *blatch wrote:*   

> Ok. Let's say my server is jth.ath.cx. I want to be able to send mail to jth@jth.ath.cx. I don't want fetchmail to read anything from any OTHER e-mail accounts, I want to setup my OWN PERSONAL e-mail account based on this address. How would I do that? I've done EVERYTHING in this tutorial, but I can't receive mail to that address.

 

do it like i did: don't use a /etc/fetchmailrc file with every account written in it, but use a similar but user-specific ~/.fetchmailrc file. remember to set the postmaster in ~/.fetchmailrc to the username for which you want the mails to be downloaded (same goes for every user option in the file too). if you have several mail accounts for one user you may want to use procmail to filter the mails into different mail folders

----------

## barrct

I've been trying to authenticate for 3 days now and after going through pages of forums, I thought to add the -v in master. While I was in there I added an option as well. This has finally gotten me up and running to auth to send, and to happily receive.

```
/etc/postfix/master.cf
```

and add

```
-o smtpd_sasl_auth_enable=yes
```

onto the smtpd line (first one), then kill the client restrictions so that any network can deliver to me, but still use

```
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
```

Anyone want to tell me that that will make me an open relay and give me a slight mod to fix it?

----------

## blatch

 *BlinkEye wrote:*   

>  *blatch wrote:*   Ok. Let's say my server is jth.ath.cx. I want to be able to send mail to jth@jth.ath.cx. I don't want fetchmail to read anything from any OTHER e-mail accounts, I want to setup my OWN PERSONAL e-mail account based on this address. How would I do that? I've done EVERYTHING in this tutorial, but I can't receive mail to that address. 
> 
> do it like i did: don't use a /etc/fetchmailrc file with every account written in it, but use a similar but user-specific ~/.fetchmailrc file. remember to set the postmaster in ~/.fetchmailrc to the username for which you want the mails to be downloaded (same goes for every user option in the file too). if you have several mail accounts for one user you may want to use procmail to filter the mails into different mail folders

 

No. Forget fetchmail. I want OTHER e-mail systems to be able to send to my OWN PERSONAL e-mail address ON MY SERVER and RECEIVE it.

----------

## BlinkEye

i guess i misunderstood you. you have a domain and want to receive the mail delivered to youruser@yourdomain? i can't help you with virtual users as i haven't figured that out yet either (so every user who has an email account on my domain has a home folder where the mails are saved). to read the mail sent to youruser@yourdomain you don't need fetchmail or procmail if you don't want to filter your mail. but if postfix works for accounts fetched with fetchmail i don't think something's wrong. you have to specify the mynetworks settings if you want to check your mail from another box:

```
mynetworks =127.0.0.0/8, 10.10.10.0/24
```

if you're on a 10.10.10.0 home network. i also had to set the

```
inet_interface
```

to 

```
inet_interface = all
```

to read your mail just specify your server's ip, your user name and your password on the server to connect to your mailbox (which are the same data as if you'd login to your server). simple as that

----------

## Benzman

I have the same problem as bruor. I also get that error mail from Outlook when I try to send mails over postfix:

```
Ihre Nachricht hat einige oder alle Empfänger nicht erreicht.
      Betreff:   test
      Gesendet am:   20.05.2004 15:30
Folgende Empfänger konnten nicht erreicht werden:
      'outbound@email.adress' am 20.05.2004 15:30
            554 <stefan.benzman.ath.cx[192.168.0.3]>: Client host rejected: Access denied
```

I've told postfix to debug and here's my logfile:

```
match_string: mynetworks ~? debug_peer_list
match_string: mynetworks ~? fast_flush_domains
match_string: mynetworks ~? mynetworks
match_string: relay_domains ~? debug_peer_list
match_string: relay_domains ~? fast_flush_domains
match_string: relay_domains ~? mynetworks
match_string: relay_domains ~? permit_mx_backup_networks
match_string: relay_domains ~? qmqpd_authorized_clients
match_string: relay_domains ~? relay_domains
match_string: permit_mx_backup_networks ~? debug_peer_list
match_string: permit_mx_backup_networks ~? fast_flush_domains
match_string: permit_mx_backup_networks ~? mynetworks
match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
maps_append: proxy:unix:passwd.byname
connect to subsystem private/proxymap
send attr request = open
send attr table = unix:passwd.byname
send attr flags = 64
private/proxymap socket: wanted attribute: status
input attribute name: status
input attribute value: 0
private/proxymap socket: wanted attribute: flags
input attribute name: flags
input attribute value: 80
private/proxymap socket: wanted attribute: (list terminator)
input attribute name: (end)
dict_proxy_open: connect to map=unix:passwd.byname status=0 server_flags=0120
dict_open: proxy:unix:passwd.byname
maps_append: hash:/etc/mail/aliases
dict_open: hash:/etc/mail/aliases
match_string: smtpd_access_maps ~? debug_peer_list
match_string: smtpd_access_maps ~? fast_flush_domains
match_string: smtpd_access_maps ~? mynetworks
match_string: smtpd_access_maps ~? permit_mx_backup_networks
match_string: smtpd_access_maps ~? qmqpd_authorized_clients
match_string: smtpd_access_maps ~? relay_domains
match_string: smtpd_access_maps ~? smtpd_access_maps
starting TLS engine
watchdog_create: 0x80a7400 18000
watchdog_stop: 0x80a7400
watchdog_start: 0x80a7400
connection established
master_notify: status 0
name_mask: resource
name_mask: software
name_mask: noanonymous
connect from stefan.benzman.ath.cx[192.168.0.3]
> stefan.benzman.ath.cx[192.168.0.3]: 220 server.benzman.ath.cx ESMTP Postfix
watchdog_pat: 0x80a7400
< stefan.benzman.ath.cx[192.168.0.3]: EHLO stefan
> stefan.benzman.ath.cx[192.168.0.3]: 250-server.benzman.ath.cx
> stefan.benzman.ath.cx[192.168.0.3]: 250-PIPELINING
> stefan.benzman.ath.cx[192.168.0.3]: 250-SIZE 10240000
> stefan.benzman.ath.cx[192.168.0.3]: 250-VRFY
> stefan.benzman.ath.cx[192.168.0.3]: 250-ETRN
> stefan.benzman.ath.cx[192.168.0.3]: 250-STARTTLS
match_hostname: stefan.benzman.ath.cx ~? 127.0.0.0/8
match_hostaddr: 192.168.0.3 ~? 127.0.0.0/8
match_hostname: stefan.benzman.ath.cx ~? 192.168.0.0/24
match_hostaddr: 192.168.0.3 ~? 192.168.0.0/24
> stefan.benzman.ath.cx[192.168.0.3]: 250-XVERP
> stefan.benzman.ath.cx[192.168.0.3]: 250 8BITMIME
watchdog_pat: 0x80a7400
< stefan.benzman.ath.cx[192.168.0.3]: MAIL FROM: <benzman@benzman.ath.cx>
extract_addr: input: <benzman@benzman.ath.cx>
extract_addr: result: benzman@benzman.ath.cx
fsspace: .: block size 4096, blocks free 1537772
smtpd_check_size: blocks 4096 avail 1537772 min_free 0 size 0
connect to subsystem public/cleanup
public/cleanup socket: wanted attribute: queue_id
input attribute name: queue_id
input attribute value: C3C6F1EA23
public/cleanup socket: wanted attribute: (list terminator)
input attribute name: (end)
send attr flags = 2
C3C6F1EA23: client=stefan.benzman.ath.cx[192.168.0.3]
> stefan.benzman.ath.cx[192.168.0.3]: 250 Ok
watchdog_pat: 0x80a7400
< stefan.benzman.ath.cx[192.168.0.3]: RCPT TO: <outbound@email.adress>
extract_addr: input: <outbound@email.adress>
extract_addr: result: outbound@email.adress
generic_checks: START
generic_checks: name=permit_sasl_authenticated
generic_checks: name=permit_sasl_authenticated status=0
generic_checks: name=reject
C3C6F1EA23: reject: RCPT from stefan.benzman.ath.cx[192.168.0.3]: 554 <stefan.benzman.ath.cx[192.168.0.3]>: Client host rejected: Access denied; from=<benzman@benzman.ath.cx> to=<outbound@email.adress> proto=ESMTP helo=<stefan>
generic_checks: name=reject status=2
> stefan.benzman.ath.cx[192.168.0.3]: 554 <stefan.benzman.ath.cx[192.168.0.3]>: Client host rejected: Access denied
watchdog_pat: 0x80a7400
< stefan.benzman.ath.cx[192.168.0.3]: QUIT
> stefan.benzman.ath.cx[192.168.0.3]: 221 Bye
disconnect from stefan.benzman.ath.cx[192.168.0.3]
master_notify: status 1
connection closed
watchdog_stop: 0x80a7400
watchdog_start: 0x80a7400
```

I think it's something with the authentication, but I set Outlook to auth with the server when sending mail, so it has to be something on the server.

Hope anyone can help...

----------

## BlinkEye

i mentioned above two important settings - did you verify them?

----------

## Benzman

Yes, I uncommented the line

```
inet_interfaces = all
```

and set

```
mynetworks = 127.0.0.0/8 192.168.0.0/24
```

but it still doesn't work...

----------

## BlinkEye

so we need some further info. if you haven't modified your logger all messages go to /var/log/messages (at least for syslog-ng) - so, send a mail from another computer and check the output of /var/log/messages and/or post it here (preferably with

```
tail -n 100 /var/log/messages
```

to get only the last 100 messages)

----------

## lorano

I'm having issues getting this thing to connect, period. When I run ./getmymailnow I receive:

```
IMAP connection to succubus.gotdns.org failed: No route to host
fetchmail: Query status=2 (SOCKET)
```

Any help would be greatly appreciated

----------

## bruor

ok i've gotten this all set up and working but i have a question or two...

using kmail from my laptop i can send no problem, i am using the server's hostname as the mail server location in the settings.

if i do the same from a machine running terminal server, on the machine that is also hosting the mail server, i cannot send email out, kmail just gives an error that says some messages failed to send.

using squirrelmail from the server does work however.

also, more importantly, i am getting nag screens on my windows email clients, both outlook and outlook express say

```
the certificate's CN name does not match the passed value
```

the certificate i am using was made by running

```
openssl x509 -in imapd.pem -out emailserver.crt
```

do i need to make it imapd.crt instead? i have checked the properties of the certificate and it's not saying localhost etc....

----------

## ViceClown

I followed the latest version of this guide last week w/ great success! The only thing I changed was the smtp_client restrictions so I could receive mail to my domain. I'm still working out the LAN SSL warning (localhost) but once I get that fixed I'll be all set. Thanks very much to Beowulf for putting this guide together. It's exactly what I've been looking for. I think that with a little more fleshing out in a few areas this post could / should be converted into a guide under the Gentoo docs for setting up an email server solution.

Great job, Beowulf!!

----------

## brown

ok just a note but postfix-2.0.19-r2 seems to remove the "newaliases" command

----------

## Benzman

If I try to send mail over an other pc I get the same mail from outlook. And here's the output in /var/log/messages:

```
postfix/postfix-script: starting the Postfix mail system
postfix/master[12314]: daemon started -- version 2.0.19
postfix/smtpd[12323]: match_string: mynetworks ~? debug_peer_list
postfix/smtpd[12323]: match_string: mynetworks ~? fast_flush_domains
postfix/smtpd[12323]: match_string: mynetworks ~? mynetworks
postfix/smtpd[12323]: match_string: relay_domains ~? debug_peer_list
postfix/smtpd[12323]: match_string: relay_domains ~? fast_flush_domains
postfix/smtpd[12323]: match_string: relay_domains ~? mynetworks
postfix/smtpd[12323]: match_string: relay_domains ~? permit_mx_backup_networks
postfix/smtpd[12323]: match_string: relay_domains ~? qmqpd_authorized_clients
postfix/smtpd[12323]: match_string: relay_domains ~? relay_domains
postfix/smtpd[12323]: match_string: permit_mx_backup_networks ~? debug_peer_list
postfix/smtpd[12323]: match_string: permit_mx_backup_networks ~? fast_flush_domains
postfix/smtpd[12323]: match_string: permit_mx_backup_networks ~? mynetworks
postfix/smtpd[12323]: match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
postfix/smtpd[12323]: maps_append: proxy:unix:passwd.byname
postfix/smtpd[12323]: connect to subsystem private/proxymap
postfix/smtpd[12323]: send attr request = open
postfix/smtpd[12323]: send attr table = unix:passwd.byname
postfix/smtpd[12323]: send attr flags = 64
postfix/smtpd[12323]: private/proxymap socket: wanted attribute: status
postfix/smtpd[12323]: input attribute name: status
postfix/smtpd[12323]: input attribute value: 0
postfix/smtpd[12323]: private/proxymap socket: wanted attribute: flags
postfix/smtpd[12323]: input attribute name: flags
postfix/smtpd[12323]: input attribute value: 80
postfix/smtpd[12323]: private/proxymap socket: wanted attribute: (list terminator)
postfix/smtpd[12323]: input attribute name: (end)
postfix/smtpd[12323]: dict_proxy_open: connect to map=unix:passwd.byname status=0 server_flags=0120
postfix/smtpd[12323]: dict_open: proxy:unix:passwd.byname
postfix/smtpd[12323]: maps_append: hash:/etc/mail/aliases
postfix/smtpd[12323]: dict_open: hash:/etc/mail/aliases
postfix/smtpd[12323]: match_string: smtpd_access_maps ~? debug_peer_list
postfix/smtpd[12323]: match_string: smtpd_access_maps ~? fast_flush_domains
postfix/smtpd[12323]: match_string: smtpd_access_maps ~? mynetworks
postfix/smtpd[12323]: match_string: smtpd_access_maps ~? permit_mx_backup_networks
postfix/smtpd[12323]: match_string: smtpd_access_maps ~? qmqpd_authorized_clients
postfix/smtpd[12323]: match_string: smtpd_access_maps ~? relay_domains
postfix/smtpd[12323]: match_string: smtpd_access_maps ~? smtpd_access_maps
postfix/smtpd[12323]: starting TLS engine
postfix/smtpd[12323]: watchdog_create: 0x80a73f8 18000
postfix/smtpd[12323]: watchdog_stop: 0x80a73f8
postfix/smtpd[12323]: watchdog_start: 0x80a73f8
postfix/smtpd[12323]: connection established
postfix/smtpd[12323]: master_notify: status 0
postfix/smtpd[12323]: name_mask: resource
postfix/smtpd[12323]: name_mask: software
postfix/smtpd[12323]: name_mask: noanonymous
postfix/smtpd[12323]: connect from unknown[192.168.0.103]
postfix/smtpd[12323]: > unknown[192.168.0.103]: 220 server.benzman.ath.cx ESMTP Postfix
postfix/smtpd[12323]: watchdog_pat: 0x80a73f8
postfix/smtpd[12323]: < unknown[192.168.0.103]: EHLO Schlepptop
postfix/smtpd[12323]: > unknown[192.168.0.103]: 250-server.benzman.ath.cx
postfix/smtpd[12323]: > unknown[192.168.0.103]: 250-PIPELINING
postfix/smtpd[12323]: > unknown[192.168.0.103]: 250-SIZE 10240000
postfix/smtpd[12323]: > unknown[192.168.0.103]: 250-VRFY
postfix/smtpd[12323]: > unknown[192.168.0.103]: 250-ETRN
postfix/smtpd[12323]: > unknown[192.168.0.103]: 250-STARTTLS
postfix/smtpd[12323]: match_hostname: unknown ~? 127.0.0.0/8
postfix/smtpd[12323]: match_hostaddr: 192.168.0.103 ~? 127.0.0.0/8
postfix/smtpd[12323]: match_hostname: unknown ~? 192.168.0.0/24
postfix/smtpd[12323]: match_hostaddr: 192.168.0.103 ~? 192.168.0.0/24
postfix/smtpd[12323]: > unknown[192.168.0.103]: 250-XVERP
postfix/smtpd[12323]: > unknown[192.168.0.103]: 250 8BITMIME
postfix/smtpd[12323]: watchdog_pat: 0x80a73f8
postfix/smtpd[12323]: < unknown[192.168.0.103]: MAIL FROM: <benzman@benzman.ath.cx>
postfix/smtpd[12323]: extract_addr: input: <benzman@benzman.ath.cx>
postfix/smtpd[12323]: extract_addr: result: benzman@benzman.ath.cx
postfix/smtpd[12323]: fsspace: .: block size 4096, blocks free 1530071
postfix/smtpd[12323]: smtpd_check_size: blocks 4096 avail 1530071 min_free 0 size 0
postfix/smtpd[12323]: connect to subsystem public/cleanup
postfix/smtpd[12323]: public/cleanup socket: wanted attribute: queue_id
postfix/smtpd[12323]: input attribute name: queue_id
postfix/smtpd[12323]: input attribute value: 9D42A207FD
postfix/smtpd[12323]: public/cleanup socket: wanted attribute: (list terminator)
postfix/smtpd[12323]: input attribute name: (end)
postfix/smtpd[12323]: send attr flags = 2
postfix/smtpd[12323]: 9D42A207FD: client=unknown[192.168.0.103]
postfix/smtpd[12323]: > unknown[192.168.0.103]: 250 Ok
postfix/smtpd[12323]: watchdog_pat: 0x80a73f8
postfix/smtpd[12323]: < unknown[192.168.0.103]: RCPT TO: <outbound@email.adress>
postfix/smtpd[12323]: extract_addr: input: <outbound@email.adress>
postfix/smtpd[12323]: extract_addr: result: outbound@email.adress
postfix/smtpd[12323]: generic_checks: START
postfix/smtpd[12323]: generic_checks: name=permit_sasl_authenticated
postfix/smtpd[12323]: generic_checks: name=permit_sasl_authenticated status=0
postfix/smtpd[12323]: generic_checks: name=reject
postfix/smtpd[12323]: 9D42A207FD: reject: RCPT from unknown[192.168.0.103]: 554 <unknown[192.168.0.103]>: Client host rejected: Access denied; from=<benzman@benzman.ath.cx> to=<outbound@email.adress> proto=ESMTP helo=<Schlepptop>
postfix/smtpd[12323]: generic_checks: name=reject status=2
postfix/smtpd[12323]: > unknown[192.168.0.103]: 554 <unknown[192.168.0.103]>: Client host rejected: Access denied
postfix/smtpd[12323]: watchdog_pat: 0x80a73f8
postfix/smtpd[12323]: < unknown[192.168.0.103]: QUIT
postfix/smtpd[12323]: > unknown[192.168.0.103]: 221 Bye
postfix/smtpd[12323]: disconnect from unknown[192.168.0.103]
postfix/smtpd[12323]: master_notify: status 1
postfix/smtpd[12323]: connection closed
postfix/smtpd[12323]: watchdog_stop: 0x80a73f8
postfix/smtpd[12323]: watchdog_start: 0x80a73f8
```

----------

## BlinkEye

to help you further i suggest you diff again your /etc/postfix/main.cf with others or you post yours here

----------

## davidl

This is a fantastic guide and is just what I need - few people will really need a full blown MTA infrastructure.

However, the only thing I don't want to use is IMAP. I would like a POP3 server instead of this. In the context of your guide what would you recommend and how would you go about setting it up? Perhaps this could be an optional chapter?

Cheers.

----------

## davidl

 *davidl wrote:*   

> However, the only thing I don't want to use is IMAP. I would like a POP3 server instead of this. In the context of your guide what would you recommend and how would you go about setting it up? Perhaps this could be an optional chapter?
> 
> Cheers.

 

Arrghhh - courier-pop3d. I'm tying myself in knots with some of these tools. Perhaps an addition of pop3 to the guide would make it pretty complete.

----------

## Benzman

I've now changed the line

```
smtpd_client_restrictions = permit_sasl_authenticated, reject
```

to

```
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_destination
```

like said in the "virtual/mailhost postfix howto"

As a result I no longer get the error "Client host rejected: Access denied", I now get "Relay access denied".

I also made the test mentioned under point 6 of the virtual/mailhost postfix howto (telnet to the mailserver and send a "EHLO benzman.ath.cx" to it). Here's the output:

```
Connected to 192.168.0.2.
Escape character is '^]'.
220 server.benzman.ath.cx ESMTP Postfix
EHLO benzman.ath.cx
250-server.benzman.ath.cx
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-XVERP
250 8BITMIME
```

But the virtual/mailhost postfix howto says that the output should be that:

```
220 mail.domain.com ESMTP Postfix
EHLO domain.com
250-mail.domain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-XVERP
250 8BITMIME
```

Especially the 2 lines "250-AUTH LOGIN PLAIN" and "250-AUTH=LOGIN PLAIN" irritate me. I'm not an email expert, but I think the smtpauth doesn't work for me...

edit: sorry, I forgot....

Here's my complete /etc/postfix/main.cf file:

```
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myhostname = server.benzman.ath.cx
mydomain = benzman.ath.cx
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain $mydomain
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks = 127.0.0.0/8 192.168.0.0/24
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.0.19/sample
readme_directory = /usr/share/doc/postfix-2.0.19/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

----------

## BlinkEye

this is exactly the info needed to help you out. my problem: sasl authentication doesn't work for me either. i'm sorry but i can't help you - i've tried to get ssl working for many days but finally gave up.

----------

## BlinkEye

either way, i'm just giving it another try. i added the sasl and ssl lines according to the virt-mail-howto and if i telnet on port 25 i get:

```
#telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 blinkeye.dyndns.org ESMTP Postfix (2.0.19)
EHLO blinkeye.dyndns.org
250-blinkeye.dyndns.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-XVERP
250 8BITMIME
```

may you have forgotten this step?:

 *virt-mail-howto wrote:*   

> # nano -w /etc/sasl2/smtpd.conf
> 
> pwcheck_method: saslauthd
> 
> mech_list: LOGIN PLAIN

 

----------

## slestak

I have root aliased to my local user on this machine in /etc/mail/aliases.  Do I need to have a fetchmail entry in fetchmailrc to get local mail?  I cant tell if postfix is not sending local mail, or if fetchmail is not being told to get it.

----------

## BlinkEye

 *slestak wrote:*   

> I have root aliased to my local user on this machine in /etc/mail/aliases.  Do I need to have a fetchmail entry in fetchmailrc to get local mail?

 

nope, you don't. to check what happens with your mail do a

```
tail -f /var/log/messages
```

or wherever you store your mail messages (for my part  this would be /var/log/mail.* (log,warn,err,info)) and send a message and post the messages that show up in your log.

----------

## slestak

i did see postfix output in /var/log/messages.  I tried something that i need to undo.  i aliased the root to my pop3 email address at my isp.  that still didn't send.  I will map it back to localuser and post messages output.

When I had it mapped to my external email address, it did eventually get delivered.

----------

## slestak

tried using mutt to mail root@localhost with root aliased to steve@localhost

```
May 25 15:45:05 webserver postfix/pickup[18728]: 1815044426: uid=0 from=<root>
May 25 15:45:05 webserver postfix/cleanup[18769]: 1815044426: message-id=<20040525194504.GA18734@webserver.slestak.homelinux.org>
May 25 15:45:05 webserver postfix/qmgr[18729]: 1815044426: from=<root@webserver.slestak.homelinux.org>, size=507, nrcpt=1 (queue active)
May 25 15:45:05 webserver local[18772]: fatal: execvp /some/where/procmail: No such file or directory
May 25 15:45:06 webserver postfix/local[18771]: 1815044426: to=<steve@localhost.slestak.homelinux.org>, orig_to=<root@localhost>, relay=local, delay=2, status=bounced (Command died with status 1: "/some/where/procmail")
May 25 15:45:06 webserver postfix/cleanup[18769]: 5EB5744427: message-id=<20040525194506.5EB5744427@webserver.slestak.homelinux.org>
May 25 15:45:06 webserver postfix/qmgr[18729]: 5EB5744427: from=<>, size=2323, nrcpt=1 (queue active)
May 25 15:45:06 webserver local[18775]: fatal: execvp /some/where/procmail: No such file or directory
May 25 15:45:07 webserver postfix/local[18771]: 5EB5744427: to=<steve@localhost.slestak.homelinux.org>, orig_to=<root@webserver.slestak.homelinux.org>, relay=local, delay=1, status=bounced (Command died with status 1: "/some/where/procmail")
webserver mail #
```

changed alias to just steve

```
May 25 15:47:04 webserver postfix/master[18917]: daemon started -- version 2.0.19
May 25 15:47:41 webserver postfix/pickup[18920]: 5CC2244426: uid=0 from=<root>
May 25 15:47:41 webserver postfix/cleanup[18934]: 5CC2244426: message-id=<20040525194741.GA18925@webserver.slestak.homelinux.org>
May 25 15:47:41 webserver postfix/qmgr[18921]: 5CC2244426: from=<root@webserver.slestak.homelinux.org>, size=504, nrcpt=1 (queue active)
May 25 15:47:41 webserver local[18938]: fatal: execvp /some/where/procmail: No such file or directory
May 25 15:47:42 webserver postfix/local[18936]: 5CC2244426: to=<steve@webserver.slestak.homelinux.org>, orig_to=<root@webserver.slestak.homelinux.org>, relay=local, delay=1, status=bounced (Command died with status 1: "/some/where/procmail")
May 25 15:47:42 webserver postfix/cleanup[18934]: 87FA744427: message-id=<20040525194742.87FA744427@webserver.slestak.homelinux.org>
May 25 15:47:42 webserver postfix/qmgr[18921]: 87FA744427: from=<>, size=2320, nrcpt=1 (queue active)
May 25 15:47:42 webserver local[18941]: fatal: execvp /some/where/procmail: No such file or directory
May 25 15:47:43 webserver postfix/local[18936]: 87FA744427: to=<steve@webserver.slestak.homelinux.org>, orig_to=<root@webserver.slestak.homelinux.org>, relay=local, delay=1, status=bounced (Command died with status 1: "/some/where/procmail")
```

pertinent parts of /etc/hosts

```
127.0.0.1       localhost
192.168.1.1     linksysrouter
192.168.1.2     webserver.slestak.homelinux.org webserver webserver-backup
192.168.1.4     toshiba
192.168.1.5     weezy
192.168.1.8     lol2
192.168.1.50    printserver
```

I think the current setup of the aliases is correct.  steve@webserver.slestak.homelinux.org should stay internal based on my hosts file.

edit - clarify

I do not have an mx record.  am not trying to run a full fledged mail server.

----------

## BlinkEye

well, i see the bug: you set the path to procmail wrong - and i guess it's in /etc/postfix/main.cf. you need to set the line accordingly to your path to procmail, i.e.

```
mailbox_command = /usr/bin/procmail
```

instead of 

```
/some/where/procmail
```

i remember i set that wrong too the first time   :Wink: 

----------

## BlinkEye

i hope you still know how you changed the configs that 

```
to=<steve@localhost.slestak.homelinux.org>
```

changed to

```
to=<steve@webserver.slestak.homelinux.org>
```

i messed up my configs myself and don't know how i get rid of the localhost. i don't have subdomains as you do but in the header of an email i get 

```
for <**username**@localhost.dyndns.org>
```

instead of

```
for <**username**@blinkeye.dyndns.org>
```

----------

## slestak

the main.cf problem took care of it.  thanks.

----------

## dan2003

I followed the guide a few months ago and with a bit of help got it working. I recently did an emerge -u world and found that my configs got borked  :Sad: . Anyway after putting them all back to how i had them i can receive mail again but cannot send. I get in my mail client a message saying "authentication failed - probably incorrect password" and in /var/log/mail/current the message saying authentication failed.

I noticed a comment above

 *Quote:*   

> Hi, thanks for this guide
> 
> You have pwcheck_method:saslauthd in /etc/sasl2/smtpd.conf but you neglect to add sasl users with saslpasswd2. I couldn't send mail from my Outlook Express client until I did this.
> 
> echo "$passwd" | saslpasswd2 -p -c $username
> ...

 

I never had to do this before to make it all work? 

I will give this a go and see if it fixes things.

----------

## dan2003

Still cannot send mail  :Sad: . I'm using kmail 1.6.2 on 3 machines and since the update world none of them will authenticate for sending mail from my local lan or outside (one is a laptop). I'm confused as receiving mail works fine and the username and password are the same for both.

----------

## jjasghar

i know this has probably answered before but i'm stuck ---> 

```
ERROR
Error connecting to IMAP server: tito.homelinux.org.
111 : Connection refused
```

everything is running but for some odd reason i can't connect....any ideas?

```
Warning: fsockopen(): unable to connect to tito.homelinux.org:143 in /var/www/localhost/htdocs/squirrelmail/functions/imap_general.php on line 445
```

too...

----------

## vlack

If you want to be able to send mail to external hosts, and receive mail from external hosts, do the following:

Change smtpd_recipient_restrictions in main.cf to:

```
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination 
```

Comment out smtpd_client_restrictions in main.cf:

```
#smtpd_client_restrictions = permit_sasl_authenticated, reject
```

Could this information be put in the guide? Obviously, it's unnecessary if you are using your ISP's SMTP server + fetchmail, however, it's good for the rest of us  :Very Happy:

Last edited by vlack on Thu May 27, 2004 8:57 pm; edited 5 times in total
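barrct asked earlier in the thread whether `permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination` leaves the server an open relay, and the settings in this post drop `smtpd_client_restrictions` altogether. The following is an added example, not code from the guide, from any of the posts, or from Postfix. It models how Postfix walks these restriction lists at RCPT TO time: each restriction answers PERMIT, REJECT, or DUNNO (no opinion); the first PERMIT or REJECT ends the list it is in; exhausting a list means PERMIT; and a PERMIT in `smtpd_client_restrictions` does not skip `smtpd_recipient_restrictions`. Only the five restrictions that appear in this thread are modelled. The "guide" configuration is Benzman's posted main.cf (client list set, recipient list left at the Postfix 2.0 default); the IP addresses, domains and the "stranger" test address are constructed sample values.

```python
"""Simulate how Postfix walks its smtpd_*_restrictions lists at RCPT TO time.

Added example for the relay question in this thread; not code from the guide,
the posts, or Postfix. Only the five restrictions used in these posts are
modelled. Client IPs, domains and the "stranger" address are constructed.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"


@dataclass
class Config:
    mynetworks: list[str]                 # CIDR blocks, as written in main.cf
    local_domains: set[str]               # mydestination (+ relay_domains)
    client_restrictions: list[str] = field(default_factory=list)
    # Postfix 2.0 default for smtpd_recipient_restrictions
    recipient_restrictions: list[str] = field(
        default_factory=lambda: ["permit_mynetworks", "reject_unauth_destination"])


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    recipient: str                        # user@domain


def in_mynetworks(cfg: Config, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in cfg.mynetworks)


def evaluate_one(name: str, cfg: Config, sess: Session) -> str:
    """Verdict of a single restriction: PERMIT, REJECT, or DUNNO (no opinion)."""
    if name == "permit_sasl_authenticated":
        return PERMIT if sess.sasl_authenticated else DUNNO
    if name == "permit_mynetworks":
        return PERMIT if in_mynetworks(cfg, sess.client_ip) else DUNNO
    if name == "reject_unauth_destination":
        domain = sess.recipient.rsplit("@", 1)[-1].lower()
        return DUNNO if domain in cfg.local_domains else REJECT
    if name == "reject":
        return REJECT
    if name == "permit":
        return PERMIT
    raise ValueError(f"restriction not modelled here: {name}")


def evaluate_list(restrictions: list[str], cfg: Config, sess: Session) -> tuple[str, str]:
    """First PERMIT or REJECT ends the list; exhausting it means PERMIT."""
    for name in restrictions:
        verdict = evaluate_one(name, cfg, sess)
        if verdict != DUNNO:
            return verdict, name
    return PERMIT, "end-of-list"


def rcpt_decision(cfg: Config, sess: Session) -> tuple[str, str]:
    """Client list, then recipient list; a PERMIT only ends its own list, a REJECT ends the RCPT."""
    for stage in (cfg.client_restrictions, cfg.recipient_restrictions):
        verdict, why = evaluate_list(stage, cfg, sess)
        if verdict == REJECT:
            return REJECT, why
    return PERMIT, "accepted"


def is_open_relay(cfg: Config) -> bool:
    """Open relay: an unknown, unauthenticated client may send to a foreign domain."""
    stranger = Session("203.0.113.7", False, "someone@example.net")   # constructed values
    return rcpt_decision(cfg, stranger)[0] == PERMIT


def thread_configs() -> dict[str, Config]:
    nets = ["127.0.0.0/8", "192.168.0.0/24"]
    mine = {"benzman.ath.cx", "server.benzman.ath.cx"}
    return {
        # Benzman's main.cf: client list set, recipient list left at the default
        "guide": Config(nets, mine, client_restrictions=["permit_sasl_authenticated", "reject"]),
        # vlack: client list commented out, recipient list rewritten
        "vlack": Config(nets, mine, recipient_restrictions=[
            "permit_sasl_authenticated", "reject_unauth_destination"]),
        # barrct: LAN hosts may relay without authenticating, strangers may not
        "barrct": Config(nets, mine, recipient_restrictions=[
            "permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination"]),
        # what an open relay looks like: nothing ever rejects a foreign destination
        "open_relay": Config(nets, mine, recipient_restrictions=["permit_mynetworks", "permit"]),
    }


if __name__ == "__main__":
    cases = {
        "external MTA -> local user": Session("203.0.113.7", False, "benzman@benzman.ath.cx"),
        "LAN client, no AUTH -> outside": Session("192.168.0.3", False, "outbound@email.adress"),
        "stranger, no AUTH -> outside": Session("203.0.113.7", False, "someone@example.net"),
        "roaming user, AUTH -> outside": Session("203.0.113.7", True, "someone@example.net"),
    }
    for name, cfg in thread_configs().items():
        print(f"[{name}] open relay: {is_open_relay(cfg)}")
        for label, sess in cases.items():
            print(f"  {label:32s} {rcpt_decision(cfg, sess)}")
```

Running it shows the three behaviours argued about in this thread. The "guide" configuration rejects every unauthenticated RCPT through the bare `reject` (the `generic_checks: name=reject status=2` line in Benzman's debug log), which also means no other mail server can ever deliver to the domain. vlack's list accepts mail addressed to the local domains from anyone and refuses relaying for everyone who is neither authenticated nor local, and barrct's list additionally lets LAN hosts relay without a password; neither is an open relay. Only the last configuration, with no `reject_unauth_destination` at all, relays for strangers. Real Postfix 2.x adds a safety net this model lacks: it refuses to run with a recipient list that can permit without a following `reject_unauth_destination`, logging a fatal "specify at least one working instance of: ... reject_unauth_destination ..." error.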

----------

## Benzman

I've found out something new:

When I disable TLS support for postfix (comment the tls specific lines in the main.cf file), I get this when I telnet to the mailserver:

```
220 server.benzman.ath.cx ESMTP Postfix
EHLO benzman.ath.cx
250-server.benzman.ath.cx
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-XVERP
250 8BITMIME
```

I'm also able to send mail.

So I think there's no problem with sasl, it's a problem with tls...
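This is what `smtpd_tls_auth_only = yes` (present in the main.cf posted earlier in the thread) does: with that setting Postfix neither announces nor accepts AUTH on an unencrypted connection, so a plain telnet session shows STARTTLS but no AUTH line, while the same server advertises AUTH as soon as TLS is switched off. A mail client therefore has to be configured to issue STARTTLS before it authenticates. The following is an added example, not code from the thread, the guide, or Postfix: it parses captured EHLO replies and classifies what they say about SMTP AUTH. The two embedded transcripts are reconstructed from Benzman's telnet sessions, and the classification rules are this example's own heuristics.

```python
"""Parse EHLO replies and report how (and whether) SMTP AUTH is offered.

Added example, not code from the guide, the posts, or Postfix. With
``smtpd_tls_auth_only = yes`` Postfix advertises AUTH only after a successful
STARTTLS, so a plain ``telnet host 25`` shows STARTTLS but no AUTH line; the
same server shows AUTH again once TLS is switched off. The transcripts below
are reconstructed from the telnet sessions quoted in this thread.
"""
from __future__ import annotations
import re

WITH_TLS_AUTH_ONLY = """\
220 server.benzman.ath.cx ESMTP Postfix
EHLO benzman.ath.cx
250-server.benzman.ath.cx
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-XVERP
250 8BITMIME
"""

TLS_DISABLED = """\
220 server.benzman.ath.cx ESMTP Postfix
EHLO benzman.ath.cx
250-server.benzman.ath.cx
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-XVERP
250 8BITMIME
"""

AUTH_AFTER_TLS_ONLY = "AUTH_AFTER_TLS_ONLY"            # STARTTLS offered, AUTH hidden until encrypted
NO_AUTH = "NO_AUTH"                                    # neither AUTH nor STARTTLS: SASL not working
PLAINTEXT_AUTH_IN_CLEAR = "PLAINTEXT_AUTH_IN_CLEAR"    # PLAIN/LOGIN offered on an unencrypted session
AUTH_OK = "AUTH_OK"

_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(transcript: str) -> dict:
    """Collect EHLO keywords from a captured session.

    Returns {"server": banner, "caps": {KEYWORD: [params]}, "auth": [mechs]}.
    The legacy "AUTH=..." line (emitted for broken_sasl_auth_clients = yes) is
    folded into the mechanism list; lines that are not reply codes (the EHLO we
    typed, telnet chatter) are ignored.
    """
    caps: dict[str, list[str]] = {}
    auth: list[str] = []
    server = ""
    first_250 = True
    for raw in transcript.splitlines():
        m = _REPLY.match(raw.strip())
        if not m:
            continue
        code, _sep, text = m.groups()
        if code == "220":
            server = text
            continue
        if code != "250":
            continue
        if first_250:              # the first 250 line carries the server name, not a capability
            first_250 = False
            continue
        parts = text.split()
        if not parts:
            continue
        keyword, params = parts[0].upper(), parts[1:]
        if keyword.startswith("AUTH="):
            params = [keyword[len("AUTH="):]] + params
            keyword = "AUTH"
        if keyword == "AUTH":
            for mech in params:
                if mech.upper() not in auth:
                    auth.append(mech.upper())
        caps.setdefault(keyword, []).extend(params)
    return {"server": server, "caps": caps, "auth": auth}


def assess(transcript: str, tls_established: bool = False) -> tuple[str, list[str]]:
    """Classify the AUTH situation (this example's own heuristic).

    tls_established: True when the transcript was taken after STARTTLS succeeded
    (e.g. inside ``openssl s_client -starttls smtp``), False for a plain telnet.
    """
    info = parse_ehlo(transcript)
    mechs = info["auth"]
    if not mechs:
        if "STARTTLS" in info["caps"] and not tls_established:
            return AUTH_AFTER_TLS_ONLY, mechs
        return NO_AUTH, mechs
    if not tls_established and {"PLAIN", "LOGIN"} & set(mechs):
        return PLAINTEXT_AUTH_IN_CLEAR, mechs
    return AUTH_OK, mechs


if __name__ == "__main__":
    for label, text in (("TLS on, auth_only", WITH_TLS_AUTH_ONLY), ("TLS off", TLS_DISABLED)):
        print(label, assess(text))
```

To see the capabilities a client gets after STARTTLS without involving Outlook, run `openssl s_client -starttls smtp -connect server:25`, type `EHLO test`, and feed that transcript to `assess(text, tls_established=True)`; with `smtpd_tls_auth_only = yes` the AUTH line appears there and nowhere else. The TLS-disabled transcript is the case to avoid rather than the cure: PLAIN and LOGIN offered on a cleartext session send the user's password across the network unprotected.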

----------

## Kope

[edit] ignore this -- re-emerged everything, re-did the rc-update stuff and it all worked .../shrug [/edit]

Well.. I'm befuddled. 

I followed the guide exactly.. and I'm stuck:

```
Porgy new # cat /etc/postfix/main.cf
myhostname = porgy
mydomainname = dyndomain.dyn #it's actually something else, of course
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomainname $myhostname.$mydomainname
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks = 127.0.0.0/8 192.168.1.0/24
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
                  xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.0.16-r1/sample
readme_directory = /usr/share/doc/postfix-2.0.16-r1/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/
mtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

Here's the SASL stuff

```

Porgy new # cat /usr/lib/sasl2/smtpd.conf && cat /etc/sasl2/smtpd.conf

pwcheck_method:saslauthd

mech_list: plain login 

# $Header: /home/cvsroot/gentoo-x86/net-mail/postfix/files/smtp.sasl,v 1.1 2003/09/24 05:08:51 max Exp $

#pwcheck_method:pam

pwcheck_method:saslauthd

mech_list: plain login

Porgy new # cat /etc/conf.d/saslauthd

# $Header: /home/cvsroot/gentoo-x86/dev-libs/cyrus-sasl/files/saslauthd2.conf,v 1.2 2004/01/28 14:57:45 max Exp $

# Config file for /etc/init.d/saslauthd

# Initial (empty) options.

#SASLAUTHD_OPTS=""

# Specify the authentications mechanism.

# *NOTE* For list see: saslauthd -v

#SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam"

#SASLAUTHD_OPTS="-a ${SASL_AUTHMECH}"

# Specify the hostname for remote IMAP server.

# *NOTE* Only needed if rimap auth mech is used.

#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"

# Specify the number of worker processes to create.

#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -n 5"

# Enable credential cache, cache size, and timeout.

# *NOTE* Size is measured in kilobytes

#        Timeout is measured in seconds

#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -c -s 128 -t 30"

#SASL_AUTHMECH=shadow

#SASL_RIMAP_HOSTNAME=""

#SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes

#

#

SASL_AUTHMECH=shadow

#

SASL_RIMAP_HOSTNAME=""

SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes

#

SASLAUTHD_OPTS="-a ${SASL_AUTHMECH}"

```

And the imap stuff

```

Porgy new # cat /etc/courier-imap/authdaemond.conf

AUTHDAEMOND="authdaemond.plain"

Porgy new # cat /etc/courier-imap/authdaemondrc

authmodulelist="authpam"

```

The pam 

```

Porgy new # cat /etc/pam.d/imap

#%PAM-1.0

#

# $Id: system-auth.authpam,v 1.1 2001/02/02 05:42:57 mrsam Exp $

#

# Copyright 1998-2001 Double Precision, Inc.  See COPYING for

# distribution information.

#

# This is a sample authpam configuration file that uses pam_stack

# (circa linux-pam 0.72).

auth       required     pam_nologin.so

auth       required     pam_stack.so service=system-auth

account    required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth

```

and the SSL 

```

Porgy new # cat /etc/courier-imap/imapd.cnf

RANDFILE = /usr/share/imapd.rand

[ req ]

default_bits = 1024

encrypt_key = yes

distinguished_name = req_dn

x509_extensions = cert_type

prompt = no

[ req_dn ]

C=US

ST=MN

L=Minneapolis

O=Mail Server

OU=Automatically-generated IMAP SSL key

CN=localhost

emailAddress=root@localhost

[ cert_type ]

nsCertType = server

```

I did do the mkimapdcert and it worked

All the daemons are running

When I try to send mail, or check mail, I get something along the lines of:

```

Unable to authenticate via PLAIN.

The server replied:

Login failed.

```

in a dialog box from kmail.

Sending mail from an outside source has it bounce with a "reason: 554 Client host rejected: Access denied" error.

Telnetting to the box on port 25 (from inside or outside the subnet) results in an established connection but no text or prompt of any sort.

Any idea where I've gone wrong?

----------

## ruth

hi @all...

first of all: great guide...

helped me a lot in learning, configuring and trying my first postfix installations....  :Wink: 

now to my problem, just a little one, i hope...

i just pulled postfix-2.1.1.ebuild off bugs.gentoo.org and emerged...

no problem so far - but:

after editing /etc/mail/aliases

i tried to run 

```
/usr/bin/newaliases
```

NOPE, its' gone...

someone already wrote that, as of version 2.0.19-r2, this program is not installed anymore...

why?

i looked around, and found the postalias command.

is this the current program to create  /etc/mail/aliases.db ?

i already did a

```
postalias -c /etc/postfix/ hash:/etc/mail/aliases
```

and all seemed ok, so i just wanted to know, where, why has newaliases been kicked?

is my above command ok?

cheers

rootshell

[EDIT]

ok, the following command seems to work:

```

postalias hash:/etc/mail/aliases

```

just in case, someone's missing the newaliases command...  :Wink: 

[/EDIT]

----------

## geforce

OK, I can't Emerge Procmail !!!

I tried:

 *Quote:*   

> emerge procmail

 

 *Quote:*   

> USE="-X -qt -pdflib -gtk -gnome php mysql apache2 proftpd sendmail xml2 mbox sasl distcc" emerge procmail
> 
> 

 

Even  *Quote:*   

> USE="-X -qt -pdflib -gtk -gnome php mysql apache2 proftpd sendmail xml2 mbox sasl distcc" emerge -O procmail

 

It didn't work, look at this:

 *Quote:*   

> 
> 
> GentooServ root # emerge procmail
> 
> Calculating dependencies ...done!
> ...

 

It says to look at the LDFLAGS ?????

What are the LDFLAGS ???   :Rolling Eyes:   :Twisted Evil: 

I don't really understand how to modify my make.conf, however, here is mine:

 *Quote:*   

> 
> 
> GentooServ root # cat /etc/make.conf
> 
> # Copyright 2000-2002 Daniel Robbins, Gentoo Technologies, Inc.
> ...

 

Thanks !!!!  :Laughing: 

----------

## robfish

I have tried this how-to twice (once a few months ago prior to some changes).

My server and workstation are the same box (is that a problem?).

I can send and receive email using Squirrelmail but I cannot send using either Kmail or Evolution; receiving is fine.

The error messages I get refer to an authentication problem.

----------

## davidl

Well it's official. Ths guide is absolutely fantastic!

I set this up with very little effort at all. The only problem I had was getting saslauthd to start because I had to comment the last four lines of /etc/conf.d/saslauthd, but it is all there and working now. For looking at the various options for procmail, I looked at this guide:

http://www.spambouncer.org/proctut.shtml

Editing of .myemail etc. is very useful for filtering.

Cyrus-sasl wouldn't compile without kerberos support, but since I'm using kerberos for various things and everything works regardless I don't care.

If you just want pop3 support as I did, basically do everything in the guide for courier-imapd-ssl, but replace imapd with pop3d. That easy! Generate your certificates, start the server, everything the same, except replace imapd with pop3d.

Couldn't really believe how easy this was.

----------

## geforce

There is something I don't understand:

1) I can't connect with other users than ROOT: if I connect , with squirrelmail, with user geforce I get:

 *Quote:*   

> 
> 
> ERROR:
> 
> ERROR : Connection dropped by imap-server.

 

2) I can't send E-mails:

 *Quote:*   

> 
> 
> Warning: fsockopen(): unable to connect to localhost:25 in /var/www/localhost/htdocs/squirrelmail/class/deliver/Deliver_SMTP.class.php on line 59
> 
> ERROR:
> ...

 

----------

## vlack

ignore me.

----------

## geforce

I do as you said, but i get:

 *Quote:*   

> Transaction failed
> 
> Server replied: 554 <root@geforce.no-ip.org>: Relay access denied

 

----------

## Hagar

I'm a little confused about what %T is replaced with in the crontab.

I have the same problem BlinkEye has, but I also receive delivery errors when I remove the -m flag from the crontab.

```
/usr/bin/fetchmail -a -v -m "/usr/bin/procmail -d \%T"
```

```
...

#*sh: -c: line 1: unexpected EOF while looking for matching `''

sh: -c: line 2: syntax error: unexpected end of file

fetchmail: SIGPIPE thrown from an MDA or a stream socket error

fetchmail: socket error while fetching from mail.home.nl

fetchmail: 6.2.5 querying mail.home.nl (protocol POP3) at Sun Jun  6 19:40:03 2004: poll completed

fetchmail: Query status=2 (SOCKET)

...
```

In the console /usr/bin/fetchmail -a -v -m "/usr/bin/procmail -d %T" works fine (without the slash)

With the slash I get the same error as with the crontab.

I'm using vixie-cron and /bin/sh as cron shell, is a different escape method needed ?

```
/usr/bin/fetchmail -a -v
```

```
...

fetchmail: SMTP< 250 Ok

fetchmail: SMTP> RCPT TO:<harm@localhost>

fetchmail: SMTP< 554 <localhost[127.0.0.1]>: Client host rejected: Access denied

fetchmail: SMTP error: 554 <localhost[127.0.0.1]>: Client host rejected: Access denied

fetchmail: SMTP listener doesn't like recipient address `harm@localhost'

...
```

That last one is even more confusing as I am able to send mail locally from the console with "mailx -s Subject harm" without any problems.

----------

## oopstu

Hi,

Great guide.  Things are mostly working.  I'm having the same 'bad certificate' Thunderbird problem that many other folks are having or had.  I read through all 19 pages of the topic looking for a succinct answer or explanation of the problem and a resolution but couldn't find one.

Could someone explain to me how to generate a new certificate for the server such that Thunderbird and the server can negotiate the TLS transaction and send mail?  

thanks, stu

----------

## Tuinslak

```
Kryptonite courier-imap # /etc/init.d/courier-imapd-ssl start 

 * Starting authdaemond.plain...                                                                                                  [ ok ]

 * Starting courier-imapd over SSL...

bind: Address already in use

ll_daemon_start: Resource temporarily unavailable                                                                                 [ !! ]
```

any idea what's wrong ?

```
Kryptonite courier-imap # grep imaps /etc/services

imaps           993/tcp                         # IMAP over SSL

imaps           993/udp                         # IMAP over SSL

Kryptonite courier-imap # ps ax | grep imap

32363 pts/85   S      0:00 grep imap

Kryptonite courier-imap # netstat -A inet -lp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   

tcp        0      0 *:imaps                 *:*                     LISTEN      10494/stunnel   

```

----------

## BlinkEye

gnah. i had that too and forgot how i solved it. i've googled for it and probably found an answer. i'll do an updatedb on my memory and hopefully i remember what the cause was  :Wink: .

----------

## Tuinslak

hehe, ok, i'm searching google... but ..

----------

## BlinkEye

you could post your configs and i'll compare them to mine or you could pm me and i'd send mine to you or ...

----------

## Tuinslak

this should be the configs:

http://tuinslak.oom-killer.org/config/authdaemonrc

http://tuinslak.oom-killer.org/config/authdaemond.conf

(only imap stuff?!)

and it's possible in this howto, not to enable all authentication for smtp and so on (don't need it at home)?

----------

## BlinkEye

looks good to me. i think i remember what the problem was: the certificates - have you created and placed them in /etc/postfix/ ?

here's a really good guide to postfix and smtp authentication. it takes some time but if you do it the way they suggest it works afterwards:

http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_configuration.html

----------

## Tuinslak

ok, thanks, i'll try that

----------

## Magnetron

 *Quote:*   

> 
> 
> 6.2 Automating and Finalizing: 
> 
> Since we're using Fetchmail in non-daemon mode, we'll use cron to emulate it. Here's the correct cron line, however I have found vcron tends to choke on it. 
> ...

 

Where do I put this code line?!  :Embarassed:   :Embarassed:   :Embarassed: 

----------

## BlinkEye

in your user's crontab file which you open with

```
crontab -e 
```

this probably won't work, which means your user isn't in the cron group. So, do the following (as root): 

```
vi /etc/group
```

or

```
nano /etc/group
```

and add your user to the cron line so the cron line looks like this:

```
cron:x:16:cron,*your_user_name*
```

after that you may add user specific crontab entries with the above mentioned command

----------

## Magnetron

Thanks, but I have another problem.

```

 /usr/bin/fetchmail -a -s -m "/usr/bin/procmail -d \%T"

sh: -c: line 1: unexpected EOF while looking for matching `''

sh: -c: line 2: syntax error: unexpected end of file

fetchmail: SIGPIPE thrown from an MDA or a stream socket error

fetchmail: socket error while fetching from *nameofmypopmailserver*

fetchmail: Query status=2 (SOCKET)

```

Any ideas?

----------

## BlinkEye

```
 /usr/bin/fetchmail -a -s -m "/usr/bin/procmail -d \%T" 

sh: -c: line 1: unexpected EOF while looking for matching `'' 

sh: -c: line 2: syntax error: unexpected end of file 
```

i get the same errors with your crontab entry. i just use 

```
*/2 * * * * /usr/bin/fetchmail -s
```

which works fine (my setup: fetchmail, procmail, amavisd-new, postfix and spamassassin).

about 

```
fetchmail: SIGPIPE thrown from an MDA or a stream socket error 

fetchmail: socket error while fetching from *nameofmypopmailserver* 

fetchmail: Query status=2 (SOCKET)
```

could it be that you're already logged in - some accounts won't let you login twice so check if that's the problem

----------

## Magnetron

Your code

```

*/2 * * * * /usr/bin/fetchmail -s

```

works for me.

Thanks.

----------

## massimo

I followed the HowTo and now I'm not sure about the IMAP thing because I've never used it before but I like the idea of it. So I want to make sure, that I didn't miss something: I fetch my emails with fetchmail and procmail passes them on in my maildir directory in the /new subfolder or whatever I specified in .procmailrc? I use KMail, so I grab the new emails and filter them into the created IMAP directories?

Where are the emails in my IMAP folder stored physically on the server? So I could make a backup of them? I noticed that there is one fixed folder "Incoming" and I can only create subfolders in this one on the IMAP server, right?

Thanks in advance for all your help.

----------

## massimo

Sorry for the previous message, I already found the solutions for my questions. I didn't have the default folder ~/.maildir for my emails, and since IMAP looks there... So I moved all my Mails to ~/.maildir and now it's working.

Thanks for the excellent tutorial.

----------

## Tazok

I followed this guide to build an home email system, but now I'm stuck.

If I try to login with mutt or thunderbird, I am getting this error: 

```
Unable to open this mailbox.
```

If I try to login in with squirrelmail, I am getting this: 

```
Error connecting to IMAP server: localhost.

111 : Connection refused
```

This is my main.cf : [...]

Any Ideas?

EDIT: I took another attempt to follow the guide, copied and pasted all settings, but I'm still having the same problem ...

What else can I try?

----------

## lurid

I hate MTAs.  I really do.  The people who came up with this concept should be dragged out into the street and shot.  Yes, I understand the UNIX philosophy is to have one program do one thing and have it do it well, but good god, how many programs do you need just to get your frickin email?!

After *hours* of editing text file after text file, I've given up.  I'm way too burnt out to even try this guide, though maybe the next time I feel like stabbing myself in the eye I'll try to set up an MTA instead, and use this guide.  I almost, *almost*, at this point, understand what Windows users mean when they say UNIX/Linux is needlessly complex.

I just wanted SpamAssassin.  Instead I got a migraine.  Sometimes UNIX is teh sux.    :Crying or Very sad: 

----------

## iljohnson

Hi,

not having much luck here, doc seems very good though.

I have a single server at this stage and a dialup connection with a fixed IP; in the future I want to use NAT to extend my network behind the server. 

My internal eth0 address is 172.0.0.2, external ppp0 203.102.191.24 and localhost 127.0.0.1

Host name tux, domain name thejohnsonsplace.org

I am just trying to send mail at the moment from the server (127.0.0.1) but I keep getting the following SSL error.

```
: 0020 85 08 84 01 cf bf a9 2a|3b a2 37     .......* ;.7
Jul  6 20:51:39 tux postfix/smtpd[11631]: SSL_accept:SSLv3 flush data
Jul  6 20:51:39 tux postfix/smtpd[11631]: TLS connection established from localhost[127.0.0.1]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jul  6 20:51:39 tux postfix/smtpd[11631]: disconnect from localhost[127.0.0.1]
Jul  6 20:52:00 tux CRON[11635]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Jul  6 20:52:14 tux imapd-ssl: Connection, ip=[127.0.0.1]
Jul  6 20:52:14 tux imapd-ssl: Unexpected SSL connection shutdown.
Jul  6 20:52:35 tux imapd-ssl: Connection, ip=[127.0.0.1]
Jul  6 20:52:35 tux imapd-ssl: LOGIN, user=iljohnson, ip=[127.0.0.1], protocol=IMAP
Jul  6 20:52:39 tux imapd-ssl: Unexpected SSL connection shutdown.
Jul  6 20:52:39 tux imapd-ssl: DISCONNECTED, user=iljohnson, ip=[127.0.0.1], headers=0, body=0
Jul  6 20:52:46 tux imapd-ssl: Connection, ip=[127.0.0.1]
Jul  6 20:52:46 tux imapd-ssl: LOGIN, user=iljohnson, ip=[127.0.0.1], protocol=IMAP
Jul  6 20:52:49 tux imapd-ssl: Unexpected SSL connection shutdown.
Jul  6 20:52:49 tux imapd-ssl: DISCONNECTED, user=iljohnson, ip=[127.0.0.1], headers=0, body=0
Jul  6 20:52:55 tux imapd-ssl: Connection, ip=[127.0.0.1]
Jul  6 20:52:55 tux imapd-ssl: LOGIN, user=iljohnson, ip=[127.0.0.1], protoc
```

I have been looking for an answer, checked my config twice and found a few problems but nothing to fix this.

I have a second problem in relation to the setup with Kmail in that it fails to open the inbox of the IMAP box, I get a server error.

any help appreciated

Ian

----------

## robertnn

I like the guide, though there is one problem left.

Procmail does not seem to even get started, when using via postfix.

It works fine with

```
/usr/bin/fetchmail -v -m /usr/bin/procmail
```

all mail gets sorted into the correct folder.

But the local delivery, when I send an email to myname@localhost doesn't seem to have any contact with procmail at all.

Shouldn't 

```
mailbox_command = /usr/bin/procmail
```

do exactly that?

tips appreciated

btw,

needed to switch to suse at work, but it should be the same, or not?

----------

## robertnn

Just if anyone is interested: I finally got it.

The config contains a lot of commented stuff at the beginning. That's where i just uncommented the mailbox command.

Then, at the end of the file there are all of the config options again, not commented, so this always overwrote my settings.

Took me some hours, but next time I will know ...

----------

## bdemore

Great Guide, one problem. I tried to configure my server as a full blown mta but I guess Cox Communications blocks port 25 so my mail wouldn't send. I then implemented the alternative method of trying to send mail through their smtp server but I have a problem with the configuration of /etc/postfix/saslpass. I configured it per the guide as noted below with no success. Apparently cox uses no authentication for their outgoing (smtp) servers. 

```
smtp.isp.com beo739:rsmtp-pass
```

I also tried the following configurations with no success: 

```
smtp.isp.com beo739
smtp.isp.com
```

Has anyone encountered this before? Is there a way to circumvent the port 25 blocking so that I can run an mta? Thanks in advance.

----------

## jhboricua

After having difficulties with qmail's handling of unauthorized incoming connections and obscure logs I decided to go back to postfix, especially now that the guide was using smtp-auth against shadow and also was adjusted for fully fledged email server setups.

I got pretty much all of the problems described here one way or another on my initial attempt.  SSL certificate errors, not able to authenticate, etc, etc, etc.  After several hours I got it to work flawlessly.  My solution?  I wiped EVERYTHING POSTFIX, COURIER, SASL and OPENSSL related off my hard drive.  That means I unmerged the programs, then went to /etc and other related directories and deleted every single file/dir that ever had config settings for these programs.

Once I did that I remerged OpenSSL and everything else according to this guide.  I also made my own Postfix certificates using the instructions on the Gentoo Postfix/Virtual Mailserver document on Gentoo's Document section.  Setup everything and was finally able to see smtp-auth work over TLS.  The only problem I got was that when I tried to email myself from work the msg was getting bounced!!!.  Indeed, as pointed out on this thread, the setting on postfix's main.cf file shown on the first page that reads,

```

smtpd_client_restrictions = permit_sasl_authenticated, reject

```

will result in all incoming mail to your box being rejected, because the outside mail server trying to relay the message to your box's user account cannot authenticate through SASL.  I'm surprised that has not been updated on the first page yet.  After figuring that out and making the appropriate changes, I now have a fully working mail setup.

Here's my Postfix main.cf file:

```

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/lib/postfix

mail_owner = postfix

myorigin = $myhostname

mydestination = $myhostname, localhost.$mydomain $mydomain

unknown_local_recipient_reject_code = 450

mynetworks_style = subnet

mynetworks = 192.168.4.0/24 127.0.0.0/8

mailbox_command = /usr/bin/procmail

debug_peer_level = 2

debugger_command =

         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail

newaliases_path = /usr/bin/newaliases

mailq_path = /usr/bin/mailq

setgid_group = postdrop

manpage_directory = /usr/share/man

readme_directory = /usr/share/doc/postfix-2.1.3/readme

default_destination_concurrency_limit = 2

alias_database = hash:/etc/mail/aliases

local_destination_concurrency_limit = 2

alias_maps = hash:/etc/mail/aliases

home_mailbox = .maildir/

smtpd_sasl_auth_enable = yes

smtpd_sasl2_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_local_domain =

broken_sasl_auth_clients = yes

#smtpd_client_restrictions = permit_sasl_authenticated, reject (causes valid incoming mail to be rejected)

smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination

smtpd_client_restrictions = permit_sasl_authenticated,reject_unauth_destination

smtpd_use_tls=yes

smtpd_tls_auth_only = yes

# New custom self-signed certificate with the server's FQDN instead of localhost.
# Comments moved onto their own lines: Postfix main.cf has no inline comments,
# so text after the value would have become part of the file name.
smtpd_tls_key_file = /etc/ssl/postfix/newreq.pem

smtpd_tls_cert_file = /etc/ssl/postfix/newcert.pem

smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem

smtpd_tls_loglevel = 3

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

```

Now that I got that out of the way I'm ready to implement virus scanning and spam-filtering capabilities.  Thx for the guide.

----------

## iljohnson

Hi,

going through the same problems; it's about time I started with a clean sheet of paper now that I have learned a lot about this setup.

In your main.cf you have 

 *Quote:*   

> 
> 
> smtpd_sasl_auth_enable = yes 
> 
> smtpd_sasl2_auth_enable = yes 
> ...

 

Why the two entries, is smtpd_sasl for early version of postfix and sasl2 for versions 2.XX and above?

I would like to see some testing stages added so you can check each area to confirm function before going forward. 

Anyway, it's an interesting experience.   :Rolling Eyes: 

Ian

 *Quote:*   

> 
> 
> Up and working now after a complete fresh start. Kmail still failed to send mail until it had received one email. Don't know what this is about. After sending an email via Mutt up she came.
> 
> 

 Last edited by iljohnson on Mon Jul 12, 2004 10:36 pm; edited 1 time in total

----------

## CiscoSid

Hello,

Hopefully a few gurus are still reading this   :Razz:   I have a few questions/issues I hope you can help with.

A few points about my setup (and what works):

I'm not using SSL/IMAP - just standard IMAP - port 143.

I want to send mail via my ISPs SMTP server (most of the time). This server doesn't require authentication, though I *assume* it only allows mail from users within the IP ranges which it owns.

What doesn't work:

No TLS authentication - any ideas?

I couldn't send mail unless I commented out this:

```

#smtpd_client_restrictions = permit_sasl_authenticated, reject
```

I want to make sure all sent mail is sent to my ISP. I commented out this from main.cf:

```

#smtp_sasl_auth_enable = yes

#smtp_sasl_password_maps = hash:/etc/postfix/saslpass

#smtp_sasl_security_options = noanonymous

```

However, when my ISP SMTP server is down (it happens quite a bit) I'd like to revert to sending my own mail. Any thoughts on the best way to do this?

What was I doing wrong? I've decided not to use SSL IMAP as I'm happy with standard IMAP, but I'd like to force authentication for my SMTP server.

When sending from mutt (on server) to user@localhost, mail arrives fine. When trying to send to user@192.168.1.2 from a client, the mail gets sent to my ISPs SMTP and obviously doesn't get delivered, I just get the failure message. How can I set it up so that any mail for outside my local subnet is routed to the ISP SMTP but local mail is delivered direct - is this even possible?

Here is my full main.cf for completeness:

```

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/lib/postfix

mail_owner = postfix

myorigin = $myhostname

mydestination = $myhostname, localhost.$mydomain $mydomain

unknown_local_recipient_reject_code = 450

mynetworks_style = subnet

mynetworks = 127.0.0.0/8 192.168.1.0/24

mailbox_command = /usr/bin/procmail

debug_peer_level = 2

debugger_command =

        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:

        xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail

newaliases_path = /usr/bin/newaliases

mailq_path = /usr/bin/mailq

setgid_group = postdrop

manpage_directory = /usr/share/man

sample_directory = /usr/share/doc/postfix-2.0.16-r1/sample

readme_directory = /usr/share/doc/postfix-2.0.16-r1/readme

default_destination_concurrency_limit = 2

alias_database = hash:/etc/mail/aliases

local_destination_concurrency_limit = 2

alias_maps = hash:/etc/mail/aliases

home_mailbox = .maildir/

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_local_domain =

broken_sasl_auth_clients = yes

#smtpd_client_restrictions = permit_sasl_authenticated, reject

smtpd_use_tls=yes

smtpd_tls_auth_only = yes

smtpd_tls_key_file = /etc/ssl/postfix/server.key

smtpd_tls_cert_file = /etc/ssl/postfix/server.crt

smtpd_tls_CAfile = /etc/ssl/postfix/server.pem

smtpd_tls_loglevel = 3

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

#smtp_sasl_auth_enable = yes

#smtp_sasl_password_maps = hash:/etc/postfix/saslpass

#smtp_sasl_security_options = noanonymous

```
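The "554 Client host rejected: Access denied" bounces reported above (Kope, Hagar, jhboricua) and the line CiscoSid had to comment out all come from the same cause: `smtpd_client_restrictions = permit_sasl_authenticated, reject` gives a remote MTA that is delivering mail *to* you no way to be permitted, so it is rejected along with the relay attempts. What you want is to reject relaying, not unauthenticated clients, which is what `reject_unauth_destination` does. The following is an added example, not code from the guide or from Postfix: it models Postfix's documented evaluation of a restriction list (left to right, first PERMIT or REJECT wins, implicit permit at the end) and runs the guide's list and the corrected list against four constructed sessions. The `mydestination`/`mynetworks` values, the addresses and the session labels are assumptions for the demonstration.

```python
"""How Postfix decides whether to accept a RCPT TO.

Added example, not code from the guide or from Postfix itself. It models the
documented rule for smtpd_*_restrictions: the list is walked left to right,
the first restriction that answers PERMIT or REJECT decides, and a list that
reaches its end permits. mydestination, mynetworks and the sessions below are
constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

# Assumed site settings (stand-ins for the reader's own main.cf values).
MYDESTINATION = {"porgy", "localhost.home.example", "home.example"}
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.168.1.0/24")]


@dataclass
class Session:
    client_ip: str
    sasl_user: Optional[str]   # None when the client did not AUTH
    rcpt_domain: str           # domain part of the RCPT TO address


# Each restriction returns PERMIT, REJECT or DUNNO ("no opinion, try the next").
def permit_sasl_authenticated(s: Session) -> str:
    return "PERMIT" if s.sasl_user else "DUNNO"


def permit_mynetworks(s: Session) -> str:
    ip = ip_address(s.client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def reject_unauth_destination(s: Session) -> str:
    # Mail addressed to one of our own domains is delivery, not relaying.
    return "DUNNO" if s.rcpt_domain in MYDESTINATION else "REJECT"


def reject(s: Session) -> str:
    return "REJECT"


RESTRICTIONS: Dict[str, Callable[[Session], str]] = {
    f.__name__: f
    for f in (permit_sasl_authenticated, permit_mynetworks,
              reject_unauth_destination, reject)
}


def evaluate(restriction_list: str, s: Session) -> str:
    """Return PERMIT or REJECT for one session under a main.cf-style list."""
    for name in restriction_list.replace(",", " ").split():
        verdict = RESTRICTIONS[name](s)
        if verdict != "DUNNO":
            return verdict
    return "PERMIT"   # Postfix's implicit permit at the end of the list


# The list from the guide's first page, and the usual replacement.
GUIDE_LIST = "permit_sasl_authenticated, reject"
FIXED_LIST = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"

# Constructed sessions (documentation addresses, not captured traffic).
SESSIONS = {
    "inbound from remote MTA": Session("203.0.113.7", None, "home.example"),
    "relay attempt, no auth":  Session("203.0.113.7", None, "victim.example"),
    "roaming user, SASL auth": Session("198.51.100.5", "beowulf", "victim.example"),
    "LAN client, no auth":     Session("192.168.1.20", None, "victim.example"),
}


def compare() -> Dict[str, List[str]]:
    """Verdict of each list per session: {label: [guide_verdict, fixed_verdict]}."""
    return {label: [evaluate(GUIDE_LIST, s), evaluate(FIXED_LIST, s)]
            for label, s in SESSIONS.items()}


if __name__ == "__main__":
    for label, (guide, fixed) in compare().items():
        print(f"{label:28} guide={guide:6} fixed={fixed}")
```

The corrected list is what belongs in `smtpd_recipient_restrictions`: inbound mail for your own domains is accepted without authentication, a relay attempt from an arbitrary host is refused, and a client that has authenticated (or sits in `mynetworks`) may relay anywhere. Leaving `permit_mynetworks` out, as CiscoSid's config effectively does once the restriction line is commented away, only matters if you want unauthenticated LAN clients to relay.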

----------

## snowpatch

CiscoSid:

To use a smart host you need to add the following parameter to main.cf

```
relayhost = smtp.isp.com
```

When you tried to send mail from another machine on your LAN, did you try telnet or just use a MUA such as Evolution? Try 

```
telnet <servername> 25
```

.

http://postfix.state-of-mind.de/patrick.koetter/smtpauth/index.html helped me a lot.

----------

## snowpatch

This guide has been great. One thing about TLS has come up though. I noticed in my logs recently that the 'TLS connection established from' lines have changed slightly:

The messages that I have sent using Mozilla-mail a few weeks ago mention TLSv1

 *Quote:*   

> Jul  7 12:57:52 marmolata postfix/smtpd[25994]: SSL_accept:SSLv3 flush data
> 
> Jul  7 12:57:52 marmolata postfix/smtpd[25994]: TLS connection established from
> 
> unknown[10.0.1.125]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> ...

 

and now with the same MUA it has changed to SSLv3

 *Quote:*   

> Jul 19 21:12:46 marmolata postfix/smtpd[15793]: SSL_accept:SSLv3 flush data
> 
> Jul 19 21:12:46 marmolata postfix/smtpd[15793]: TLS connection established from
> 
> unknown[10.0.1.125]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)

 

I gather from reading the ssl and postfix newsgroups that TLSv1 and SSLv3 are basically the same thing.  I am using openssl-0.9.7d-r1 and postfix-2.0.19. Any one know why this would change?
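The "TLS connection established" line is the one place Postfix tells you which protocol version and cipher each client actually negotiated, so it is worth watching: TLSv1 is the successor of SSLv3 rather than the same protocol, a client that suddenly negotiates SSLv3 has stepped down a version, and SSLv3 was later shown to be exploitable (POODLE). The RC4-MD5 suite in iljohnson's log earlier in the thread is another case you would want surfaced. The following is an added example, not code from the guide or from Postfix: it parses constructed log lines in the format quoted above and reports sessions that fall below a policy. The weak-protocol set, cipher tokens and 128-bit floor are the editor's choices, not Postfix defaults.

```python
"""Triage TLS handshakes recorded by Postfix smtpd.

Added example, not code from the guide. It parses the "TLS connection
established" lines Postfix writes (smtpd_tls_loglevel >= 1) and flags
sessions that negotiated SSLv2/SSLv3 or an RC4, MD5, DES, export or NULL
cipher. The log lines are constructed after the ones quoted in the thread;
the thresholds are the editor's policy choice, not a Postfix default.
"""
import re
from typing import Dict, List, Optional, Tuple

TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: TLS connection established from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Tokens of OpenSSL cipher-suite names worth flagging; "DES" also catches DES-CBC3 (3DES).
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "DES", "EXP", "NULL")


def parse_tls_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a TLS-established line, or None for any other line."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = dict(m.groupdict())
    rec["bits"] = int(m.group("bits"))        # bits actually used by the cipher
    rec["algbits"] = int(m.group("algbits"))  # bits the algorithm could use
    return rec


def weaknesses(rec: Dict[str, object], min_bits: int = 128) -> List[str]:
    """List the reasons a session falls below the policy (empty when it passes)."""
    problems = []
    if rec["proto"] in WEAK_PROTOCOLS:
        problems.append(f"protocol {rec['proto']}")
    parts = str(rec["cipher"]).split("-")
    for tok in WEAK_CIPHER_TOKENS:
        if tok in parts:
            problems.append(f"cipher uses {tok}")
    if int(rec["bits"]) < min_bits:
        problems.append(f"only {rec['bits']}-bit key")
    return problems


def audit(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """(ip, protocol, cipher, problems) for every TLS session that fails policy."""
    findings = []
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:          # not a handshake line (disconnects, SSL_accept chatter, ...)
            continue
        probs = weaknesses(rec)
        if probs:
            findings.append((str(rec["ip"]), str(rec["proto"]), str(rec["cipher"]), probs))
    return findings


# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE_LOG = [
    "Jul  7 12:57:52 marmolata postfix/smtpd[25994]: TLS connection established from "
    "unknown[10.0.1.125]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "Jul 19 21:12:46 marmolata postfix/smtpd[15793]: TLS connection established from "
    "unknown[10.0.1.125]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "Jul  6 20:51:39 tux postfix/smtpd[11631]: TLS connection established from "
    "localhost[127.0.0.1]: TLSv1 with cipher RC4-MD5 (128/128 bits)",
    "Jul  6 20:51:39 tux postfix/smtpd[11631]: disconnect from localhost[127.0.0.1]",
]

if __name__ == "__main__":
    for ip, proto, cipher, probs in audit(SAMPLE_LOG):
        print(f"{ip:15} {proto:6} {cipher:24} {', '.join(probs)}")
```

Run it against `/var/log/mail.log` (or wherever syslog puts the `mail` facility on your box) by reading the file into `audit()`; the same cipher that passed as TLSv1 is flagged once it shows up under SSLv3, which is exactly the change snowpatch noticed.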

----------

## simon pants

sorry if this is a basic question. i scanned the forum and couldn't find a straight answer:

i get the following error when Postfix attempts to relay mail to my ISP SMTP: 

 *Quote:*   

> 
> 
> Name service error for name=purpleant.net type=MX: Host not found, try again
> 
> 

 

i have tried setting relayhost in /etc/postfix/main.cf. this only changes the error message to include the www in front of the domain name  :Crying or Very sad: 

there is no chrooting in master.cf either.

i have also tried removing authentication for smtp. still fails.

my main.cf is as follows:

```

# Global Postfix configuration file. This file lists only a subset

# of all 300+ parameters. See the sample-xxx.cf files for a full list.

#

# The general format is lines with parameter = value pairs. Lines

# that begin with whitespace continue the previous line. A value can

# contain references to other $names or ${name}s.

#

# NOTE - CHANGE NO MORE THAN 2-3 PARAMETERS AT A TIME, AND TEST IF

# POSTFIX STILL WORKS AFTER EVERY CHANGE.

# SOFT BOUNCE

#

# The soft_bounce parameter provides a limited safety net for

# testing.  When soft_bounce is enabled, mail will remain queued that

# would otherwise bounce. This parameter disables locally-generated

# bounces, and prevents the SMTP server from rejecting mail permanently

# (by changing 5xx replies into 4xx replies). However, soft_bounce

# is no cure for address rewriting mistakes or mail routing mistakes.

#

#soft_bounce = no

# LOCAL PATHNAME INFORMATION

#

# The queue_directory specifies the location of the Postfix queue.

# This is also the root directory of Postfix daemons that run chrooted.

# See the files in examples/chroot-setup for setting up Postfix chroot

# environments on different UNIX systems.

#

queue_directory = /var/spool/postfix

# The command_directory parameter specifies the location of all

# postXXX commands.

#

command_directory = /usr/sbin

# The daemon_directory parameter specifies the location of all Postfix

# daemon programs (i.e. programs listed in the master.cf file). This

# directory must be owned by root.

#

daemon_directory = /usr/lib/postfix

# QUEUE AND PROCESS OWNERSHIP

#

# The mail_owner parameter specifies the owner of the Postfix queue

# and of most Postfix daemon processes.  Specify the name of a user

# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS

# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.  In

# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED

# USER.

#

mail_owner = postfix

# The default_privs parameter specifies the default rights used by

# the local delivery agent for delivery to external file or command.

# These rights are used in the absence of a recipient user context.

# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.

#

#default_privs = nobody

# INTERNET HOST AND DOMAIN NAMES

#

# The myhostname parameter specifies the internet hostname of this

# mail system. The default is to use the fully-qualified domain name

# from gethostname(). $myhostname is used as a default value for many

# other configuration parameters.

#

#myhostname = host.domain.tld

#myhostname = virtual.domain.tld

# The mydomain parameter specifies the local internet domain name.

# The default is to use $myhostname minus the first component.

# $mydomain is used as a default value for many other configuration

# parameters.

#

#mydomain = domain.tld

# SENDING MAIL

#

# The myorigin parameter specifies the domain that locally-posted

# mail appears to come from. The default is to append $myhostname,

# which is fine for small sites.  If you run a domain with multiple

# machines, you should (1) change this to $mydomain and (2) set up

# a domain-wide alias database that aliases each user to

# user@that.users.mailhost.

#

# For the sake of consistency between sender and recipient addresses,

# myorigin also specifies the default domain name that is appended

# to recipient addresses that have no @domain part.

#

myorigin = $myhostname

#myorigin = $mydomain

# RECEIVING MAIL

# The inet_interfaces parameter specifies the network interface

# addresses that this mail system receives mail on.  By default,

# the software claims all active interfaces on the machine. The

# parameter also controls delivery of mail to user@[ip.address].

#

# See also the proxy_interfaces parameter, for network addresses that

# are forwarded to us via a proxy or network address translator.

#

# Note: you need to stop/start Postfix when this parameter changes.

#

#inet_interfaces = all

#inet_interfaces = $myhostname

#inet_interfaces = $myhostname, localhost

# The proxy_interfaces parameter specifies the network interface

# addresses that this mail system receives mail on by way of a

# proxy or network address translation unit. This setting extends

# the address list specified with the inet_interfaces parameter.

#

# You must specify your proxy/NAT addresses when your system is a

# backup MX host for other domains, otherwise mail delivery loops

# will happen when the primary MX host is down.

#

#proxy_interfaces =

#proxy_interfaces = 1.2.3.4

# The mydestination parameter specifies the list of domains that this

# machine considers itself the final destination for.

#

# These domains are routed to the delivery agent specified with the

# local_transport parameter setting. By default, that is the UNIX

# compatible delivery agent that lookups all recipients in /etc/passwd

# and /etc/aliases or their equivalent.

#

# The default is $myhostname + localhost.$mydomain.  On a mail domain

# gateway, you should also include $mydomain.

#

# Do not specify the names of virtual domains - those domains are

# specified elsewhere (see sample-virtual.cf).

#

# Do not specify the names of domains that this machine is backup MX

# host for. Specify those names via the relay_domains settings for

# the SMTP server, or use permit_mx_backup if you are lazy (see

# sample-smtpd.cf).

#

# The local machine is always the final destination for mail addressed

# to user@[the.net.work.address] of an interface that the mail system

# receives mail on (see the inet_interfaces parameter).

#

# Specify a list of host or domain names, /file/name or type:table

# patterns, separated by commas and/or whitespace. A /file/name

# pattern is replaced by its contents; a type:table is matched when

# a name matches a lookup key (the right-hand side is ignored).

# Continue long lines by starting the next line with whitespace.

#

# DO NOT LIST RELAY DESTINATIONS IN MYDESTINATION.

# SPECIFY RELAY DESTINATIONS IN RELAY_DOMAINS.

#

# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".

#

#mydestination = $myhostname, localhost.$mydomain

mydestination = $myhostname, localhost.$mydomain $mydomain

#mydestination = $myhostname, localhost.$mydomain, $mydomain,

#       mail.$mydomain, www.$mydomain, ftp.$mydomain

# REJECTING MAIL FOR UNKNOWN LOCAL USERS

#

# The local_recipient_maps parameter specifies optional lookup tables

# with all names or addresses of users that are local with respect

# to $mydestination and $inet_interfaces.

#

# If this parameter is defined, then the SMTP server will reject

# mail for unknown local users. This parameter is defined by default.

#

# To turn off local recipient checking in the SMTP server, specify

# local_recipient_maps = (i.e. empty).

#

# The default setting assumes that you use the default Postfix local

# delivery agent for local delivery. You need to update the

# local_recipient_maps setting if:

#

# - You define $mydestination domain recipients in files other than

#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.

#   For example, you define $mydestination domain recipients in

#   the $virtual_mailbox_maps files.

#

# - You redefine the local delivery agent in master.cf.

#

# - You redefine the "local_transport" setting in main.cf.

#

# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"

#   feature of the Postfix local delivery agent (see sample-local.cf).

#

# Details are described in the LOCAL_RECIPIENT_README file.

#

# Beware: if the Postfix SMTP server runs chrooted, you probably have

# to access the passwd file via the proxymap service, in order to

# overcome chroot restrictions. The alternative, having a copy of

# the system passwd file in the chroot jail is just not practical.

#

# The right-hand side of the lookup tables is conveniently ignored.

# In the left-hand side, specify a bare username, an @domain.tld

# wild-card, or specify a user@domain.tld address.

#

#local_recipient_maps = unix:passwd.byname $alias_maps

#local_recipient_maps = proxy:unix:passwd.byname $alias_maps

#local_recipient_maps =

# The unknown_local_recipient_reject_code specifies the SMTP server

# response code when a recipient domain matches $mydestination or

# $inet_interfaces, while $local_recipient_maps is non-empty and the

# recipient address or address local-part is not found.

#

# The default setting is 550 (reject mail) but it is safer to start

# with 450 (try again later) until you are certain that your

# local_recipient_maps settings are OK.

#

#unknown_local_recipient_reject_code = 550

unknown_local_recipient_reject_code = 450

# TRUST AND RELAY CONTROL

# The mynetworks parameter specifies the list of "trusted" SMTP

# clients that have more privileges than "strangers".

#

# In particular, "trusted" SMTP clients are allowed to relay mail

# through Postfix.  See the smtpd_recipient_restrictions parameter

# in file sample-smtpd.cf.

#

# You can specify the list of "trusted" network addresses by hand

# or you can let Postfix do it for you (which is the default).

#

# By default (mynetworks_style = subnet), Postfix "trusts" SMTP

# clients in the same IP subnetworks as the local machine.

# On Linux, this does works correctly only with interfaces specified

# with the "ifconfig" command.

#

# Specify "mynetworks_style = class" when Postfix should "trust" SMTP

# clients in the same IP class A/B/C networks as the local machine.

# Don't do this with a dialup site - it would cause Postfix to "trust"

# your entire provider's network.  Instead, specify an explicit

# mynetworks list by hand, as described below.

#

# Specify "mynetworks_style = host" when Postfix should "trust"

# only the local machine.

#

#mynetworks_style = class

mynetworks_style = subnet

#mynetworks_style = host

# Alternatively, you can specify the mynetworks list by hand, in

# which case Postfix ignores the mynetworks_style setting.

#

# Specify an explicit list of network/netmask patterns, where the

# mask specifies the number of bits in the network part of a host

# address.

#

# You can also specify the absolute pathname of a pattern file instead

# of listing the patterns here. Specify type:table for table-based lookups

# (the value on the table right-hand side is not used).

#

#mynetworks = 168.100.189.0/28, 127.0.0.0/8

#mynetworks = $config_directory/mynetworks

#mynetworks = hash:/etc/postfix/network_table

mynetworks = 198.168.0.1/254, 127.0.0.0/8

# The relay_domains parameter restricts what destinations this system will

# relay mail to.  See the smtpd_recipient_restrictions restriction in the

# file sample-smtpd.cf for detailed information.

#

# By default, Postfix relays mail

# - from "trusted" clients (IP address matches $mynetworks) to any destination,

# - from "untrusted" clients to destinations that match $relay_domains or

#   subdomains thereof, except addresses with sender-specified routing.

# The default relay_domains value is $mydestination.

#

# In addition to the above, the Postfix SMTP server by default accepts mail

# that Postfix is final destination for:

# - destinations that match $inet_interfaces,

# - destinations that match $mydestination

# - destinations that match $virtual_alias_domains,

# - destinations that match $virtual_mailbox_domains.

# These destinations do not need to be listed in $relay_domains.

#

# Specify a list of hosts or domains, /file/name patterns or type:name

# lookup tables, separated by commas and/or whitespace.  Continue

# long lines by starting the next line with whitespace. A file name

# is replaced by its contents; a type:name table is matched when a

# (parent) domain appears as lookup key.

#

# NOTE: Postfix will not automatically forward mail for domains that

# list this system as their primary or backup MX host. See the

# permit_mx_backup restriction in the file sample-smtpd.cf.

#

#relay_domains = $mydestination

# INTERNET OR INTRANET

# The relayhost parameter specifies the default host to send mail to

# when no entry is matched in the optional transport(5) table. When

# no relayhost is given, mail is routed directly to the destination.

#

# On an intranet, specify the organizational domain name. If your

# internal DNS uses no MX records, specify the name of the intranet

# gateway host instead.

#

# In the case of SMTP, specify a domain, host, host:port, [host]:port,

# [address] or [address]:port; the form [host] turns off MX lookups.

#

# If you're connected via UUCP, see also the default_transport parameter.

#

#relayhost = $mydomain

#relayhost = gateway.my.domain

#relayhost = uucphost

#relayhost = [an.ip.add.ress]

#relayhost=www.purpleant.net

# REJECTING UNKNOWN RELAY USERS

#

# The relay_recipient_maps parameter specifies optional lookup tables

# with all addresses in the domains that match $relay_domains.

#

# If this parameter is defined, then the SMTP server will reject

# mail for unknown relay users. This feature is off by default.

#

# The right-hand side of the lookup tables is conveniently ignored.

# In the left-hand side, specify an @domain.tld wild-card, or specify

# a user@domain.tld address.

#

#relay_recipient_maps = hash:/etc/postfix/relay_recipients

# INPUT RATE CONTROL

#

# The in_flow_delay configuration parameter implements mail input

# flow control. This feature is turned on by default, although it

# still needs further development (it's disabled on SCO UNIX due

# to an SCO bug).

#

# A Postfix process will pause for $in_flow_delay seconds before

# accepting a new message, when the message arrival rate exceeds the

# message delivery rate. With the default 100 SMTP server process

# limit, this limits the mail inflow to 100 messages a second more

# than the number of messages delivered per second.

#

# Specify 0 to disable the feature. Valid delays are 0..10.

#

#in_flow_delay = 1s

# ADDRESS REWRITING

#

# Insert text from sample-rewrite.cf if you need to do address

# masquerading.

#

# Insert text from sample-canonical.cf if you need to do address

# rewriting, or if you need username->Firstname.Lastname mapping.

# ADDRESS REDIRECTION (VIRTUAL DOMAIN)

#

# Insert text from sample-virtual.cf if you need virtual domain support.

# "USER HAS MOVED" BOUNCE MESSAGES

#

# Insert text from sample-relocated.cf if you need "user has moved"

# style bounce messages. Alternatively, you can bounce recipients

# with an SMTP server access table. See sample-smtpd.cf.

# TRANSPORT MAP

#

# Insert text from sample-transport.cf if you need explicit routing.

# ALIAS DATABASE

#

# The alias_maps parameter specifies the list of alias databases used

# by the local delivery agent. The default list is system dependent.

#

# On systems with NIS, the default is to search the local alias

# database, then the NIS alias database. See aliases(5) for syntax

# details.

#

# If you change the alias database, run "postalias /etc/aliases" (or

# wherever your system stores the mail alias file), or simply run

# "newaliases" to build the necessary DBM or DB file.

#

# It will take a minute or so before changes become visible.  Use

# "postfix reload" to eliminate the delay.

#

#alias_maps = dbm:/etc/aliases

#alias_maps = hash:/etc/aliases

#alias_maps = hash:/etc/aliases, nis:mail.aliases

#alias_maps = netinfo:/aliases

# The alias_database parameter specifies the alias database(s) that

# are built with "newaliases" or "sendmail -bi".  This is a separate

# configuration parameter, because alias_maps (see above) may specify

# tables that are not necessarily all under control by Postfix.

#

#alias_database = dbm:/etc/aliases

#alias_database = dbm:/etc/mail/aliases

#alias_database = hash:/etc/aliases

#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases

# ADDRESS EXTENSIONS (e.g., user+foo)

#

# The recipient_delimiter parameter specifies the separator between

# user names and address extensions (user+foo). See canonical(5),

# local(8), relocated(5) and virtual(5) for the effects this has on

# aliases, canonical, virtual, relocated and .forward file lookups.

# Basically, the software tries user+foo and .forward+foo before

# trying user and .forward.

#

#recipient_delimiter = +

# DELIVERY TO MAILBOX

#

# The home_mailbox parameter specifies the optional pathname of a

# mailbox file relative to a user's home directory. The default

# mailbox file is /var/spool/mail/user or /var/mail/user.  Specify

# "Maildir/" for qmail-style delivery (the / is required).

#

#home_mailbox = Mailbox

#home_mailbox = Maildir/

# The mail_spool_directory parameter specifies the directory where

# UNIX-style mailboxes are kept. The default setting depends on the

# system type.

#

#mail_spool_directory = /var/mail

#mail_spool_directory = /var/spool/mail

# The mailbox_command parameter specifies the optional external

# command to use instead of mailbox delivery. The command is run as

# the recipient with proper HOME, SHELL and LOGNAME environment settings.

# Exception:  delivery for root is done as $default_user.

#

# Other environment variables of interest: USER (recipient username),

# EXTENSION (address extension), DOMAIN (domain part of address),

# and LOCAL (the address localpart).

#

# Unlike other Postfix configuration parameters, the mailbox_command

# parameter is not subjected to $parameter substitutions. This is to

# make it easier to specify shell syntax (see example below).

#

# Avoid shell meta characters because they will force Postfix to run

# an expensive shell process. Procmail alone is expensive enough.

#

# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN

# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.

#

mailbox_command = /some/where/procmail

#mailbox_command = /some/where/procmail -a "$EXTENSION"

# The mailbox_transport specifies the optional transport in master.cf

# to use after processing aliases and .forward files. This parameter

# has precedence over the mailbox_command, fallback_transport and

# luser_relay parameters.

#

# Specify a string of the form transport:nexthop, where transport is

# the name of a mail delivery transport defined in master.cf.  The

# :nexthop part is optional. For more details see the sample transport

# configuration file.

#

# NOTE: if you use this feature for accounts not in the UNIX password

# file, then you must update the "local_recipient_maps" setting in

# the main.cf file, otherwise the SMTP server will reject mail for

# non-UNIX accounts with "User unknown in local recipient table".

#

#mailbox_transport = lmtp:unix:/file/name

#mailbox_transport = cyrus

# The fallback_transport specifies the optional transport in master.cf

# to use for recipients that are not found in the UNIX passwd database.

# This parameter has precedence over the luser_relay parameter.

#

# Specify a string of the form transport:nexthop, where transport is

# the name of a mail delivery transport defined in master.cf.  The

# :nexthop part is optional. For more details see the sample transport

# configuration file.

#

# NOTE: if you use this feature for accounts not in the UNIX password

# file, then you must update the "local_recipient_maps" setting in

# the main.cf file, otherwise the SMTP server will reject mail for

# non-UNIX accounts with "User unknown in local recipient table".

#

#fallback_transport = lmtp:unix:/file/name

#fallback_transport = cyrus

#fallback_transport =

# The luser_relay parameter specifies an optional destination address

# for unknown recipients.  By default, mail for unknown@$mydestination

# and unknown@[$inet_interfaces] is returned as undeliverable.

#

# The following expansions are done on luser_relay: $user (recipient

# username), $shell (recipient shell), $home (recipient home directory),

# $recipient (full recipient address), $extension (recipient address

# extension), $domain (recipient domain), $local (entire recipient

# localpart), $recipient_delimiter. Specify ${name?value} or

# ${name:value} to expand value only when $name does (does not) exist.

#

# luser_relay works only for the default Postfix local delivery agent.

#

# NOTE: if you use this feature for accounts not in the UNIX password

# file, then you must specify "local_recipient_maps =" (i.e. empty) in

# the main.cf file, otherwise the SMTP server will reject mail for

# non-UNIX accounts with "User unknown in local recipient table".

#

#luser_relay = $user@other.host

#luser_relay = $local@other.host

#luser_relay = admin+$local

# JUNK MAIL CONTROLS

#

# The controls listed here are only a very small subset. See the file

# sample-smtpd.cf for an elaborate list of anti-UCE controls.

# The header_checks parameter specifies an optional table with patterns

# that each logical message header is matched against, including

# headers that span multiple physical lines.

#

# By default, these patterns also apply to MIME headers and to the

# headers of attached messages. With older Postfix versions, MIME and

# attached message headers were treated as body text.

#

# For details, see the sample-filter.cf file.

#

#header_checks = regexp:/etc/postfix/header_checks

# FAST ETRN SERVICE

#

# Postfix maintains per-destination logfiles with information about

# deferred mail, so that mail can be flushed quickly with the SMTP

# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".

#

# By default, Postfix maintains deferred mail logfile information

# only for destinations that Postfix is willing to relay to (as

# specified in the relay_domains parameter). For other destinations,

# Postfix attempts to deliver ALL queued mail after receiving the

# SMTP "ETRN domain.tld" command, or after execution of "sendmail

# -qRdomain.tld". This can be slow when a lot of mail is queued.

#

# The fast_flush_domains parameter controls what destinations are

# eligible for this "fast ETRN/sendmail -qR" service.

#

#fast_flush_domains = $relay_domains

#fast_flush_domains =

# SHOW SOFTWARE VERSION OR NOT

#

# The smtpd_banner parameter specifies the text that follows the 220

# code in the SMTP server's greeting banner. Some people like to see

# the mail version advertised. By default, Postfix shows no version.

#

# You MUST specify $myhostname at the start of the text. That is an

# RFC requirement. Postfix itself does not care.

#

#smtpd_banner = $myhostname ESMTP $mail_name

#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

# PARALLEL DELIVERY TO THE SAME DESTINATION

#

# How many parallel deliveries to the same user or domain? With local

# delivery, it does not make sense to do massively parallel delivery

# to the same user, because mailbox updates must happen sequentially,

# and expensive pipelines in .forward files can cause disasters when

# too many are run at the same time. With SMTP deliveries, 10

# simultaneous connections to the same domain could be sufficient to

# raise eyebrows.

#

# Each message delivery transport has its XXX_destination_concurrency_limit

# parameter.  The default is $default_destination_concurrency_limit for

# most delivery transports. For the local delivery agent the default is 2.

#local_destination_concurrency_limit = 2

#default_destination_concurrency_limit = 20

# DEBUGGING CONTROL

#

# The debug_peer_level parameter specifies the increment in verbose

# logging level when an SMTP client or server host name or address

# matches a pattern in the debug_peer_list parameter.

#

debug_peer_level = 2

# The debug_peer_list parameter specifies an optional list of domain

# or network patterns, /file/name patterns or type:name tables. When

# an SMTP client or server host name or address matches a pattern,

# increase the verbose logging level by the amount specified in the

# debug_peer_level parameter.

#

#debug_peer_list = 127.0.0.1

#debug_peer_list = some.domain

# The debugger_command specifies the external command that is executed

# when a Postfix daemon program is run with the -D option.

#

# Use "command .. & sleep 5" so that the debugger can attach before

# the process marches on. If you use an X-based debugger, be sure to

# set up your XAUTHORITY environment variable before starting Postfix.

#

debugger_command =

         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

         xxgdb $daemon_directory/$process_name $process_id & sleep 5

# If you don't have X installed on the Postfix machine, try:

# debugger_command =

#       PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;

#       echo where) | gdb $daemon_directory/$process_name $process_id 2>&1

#       >$config_directory/$process_name.$process_id.log & sleep 5

# INSTALL-TIME CONFIGURATION INFORMATION

#

# The following parameters are used when installing a new Postfix version.

#

# sendmail_path: The full pathname of the Postfix sendmail command.

# This is the Sendmail-compatible mail posting interface.

#

sendmail_path = /usr/sbin/sendmail

# newaliases_path: The full pathname of the Postfix newaliases command.

# This is the Sendmail-compatible command to build alias databases.

#

newaliases_path = /usr/bin/newaliases

# mailq_path: The full pathname of the Postfix mailq command.  This

# is the Sendmail-compatible mail queue listing command.

#

mailq_path = /usr/bin/mailq

# setgid_group: The group for mail submission and queue management

# commands.  This must be a group name with a numerical group ID that

# is not shared with other accounts, not even with the Postfix account.

#

setgid_group = postdrop

# manpage_directory: The location of the Postfix on-line manual pages.

#

manpage_directory = /usr/share/man

# sample_directory: The location of the Postfix sample configuration files.

#

sample_directory = /usr/share/doc/postfix-2.0.19/sample

# readme_directory: The location of the Postfix README files.

#

readme_directory = /usr/share/doc/postfix-2.0.19/readme

default_destination_concurrency_limit = 2

alias_database = hash:/etc/mail/aliases

local_destination_concurrency_limit = 2

alias_maps = hash:/etc/mail/aliases

home_mailbox = .maildir/

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_local_domain =

broken_sasl_auth_clients = yes

smtpd_client_restrictions = permit_sasl_authenticated, reject_uauth_destination

smtpd_use_tls=yes

smtpd_tls_auth_only = yes

smtpd_tls_key_file = /etc/ssl/postfix/server.key

smtpd_tls_cert_file = /etc/ssl/postfix/server.crt

smtpd_tls_CAfile = /etc/ssl/postfix/server.pem

smtpd_tls_loglevel = 3

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

smtp_sasl_auth_enable = yes

smtp_sasl_password_maps = hash:/etc/postfix/saslpass

smtp_sasl_security_options = noanonymous

```

any ideas  :Question:   :Sad:   :Sad: 

----------

## McManus

Thanks for the guide!  It works almost flawlessly!

The one thing that I can't get to work (and it's pretty trivial) is that I can't get sasl to pass mail to my ISP's smtp server.  I did everything you said but it just doesn't work (I think...  my only way of testing is viewing the headers, so I'm not 100% sure).  Is anyone else having this problem, or are there any steps that might be missing?  It just sends directly from postfix every time, bypassing my ISP's SMTP server.  :-/

----------

## Laetos

Recheck from :

3.4 Making Postfix a Relay to our ISP:

----------

## wmartino

Hello all. I finally made the jump and put Gentoo on my server. I have now completed the email tutorial (great job Beowulf). But I am having just a few issues. Here is the code:

```
Aug  8 06:25:11 server postfix/qmgr[26718]: warning: connect to transport smtpd-amavis: No such file or directory

Aug  8 06:25:12 server postfix/smtpd[26859]: 5A65937A4E6: client=mtiwmhc11.worldnet.att.net[204.127.131.115]

Aug  8 06:25:12 server postfix/smtpd[26859]: 5A65937A4E6: reject: RCPT from mtiwmhc11.worldnet.att.net[204.127.131.115]: 450 <suestrl@jebus.dyndns.org>: User unknown in local recipient table; from=<dizzydevil282@att.net> to=<suestrl@jebus.dyndns.org> proto=ESMTP helo=<mtiwmhc11.worldnet.att.net>

Aug  8 06:25:14 server postfix/smtpd[26859]: disconnect from mtiwmhc11.worldnet.att.net[204.127.131.115]

```

I first had amavis installed, but my mail server was not working. I plan on putting it back on, so the first line might not be anything to worry about. I would like to know why this message won't get delivered. I am stumped on this one; any help would be great.

William

----------

## sushyad

Great guide! I set up my home email system using this guide about a year ago and it has been great. I am having a problem with retrieving Yahoo emails with Latin characters (ÁéíóúÁÉÍÓÚ). My setup is:

Courier IMAP

Fetchmail

Postfix

Squirrelmail

MrPostman (mail retriever)

In SquirrelMail, Yahoo emails with Latin characters end up with ??? even though Hotmail emails are fine. Both use MrPostman to fetch the emails. If I connect to MrPostman using an email client like Thunderbird, the Yahoo emails appear fine. So the problem is somewhere in the way Yahoo emails are being delivered by Postfix, Courier, Fetchmail. Hotmail works fine.

Has anyone faced this problem?

Thanks.

----------

## Boworr

Hi, this is a great guide and I've got most of it working pretty well. However, I have a problem with fetchmail and postfix. When I run fetchmail manually I can see it connecting to my various pop3 mail accounts and downloading mail, so that part works OK. When fetchmail gives the mail to postfix for delivery, I see these messages in the log file:

```
Aug 20 11:57:59 [postfix/smtpd] connect from localhost[127.0.0.1]

Aug 20 11:57:59 [postfix/smtpd] NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 <localhost[127.0.0.1]>: Client host rejected: Access denied; from=<dave@myhostname.com> to=<dave@localhost> proto=ESMTP helo=<localhost>

Aug 20 11:57:59 [postfix/smtpd] starting TLS engine

Aug 20 11:57:59 [postfix/smtpd] connect from localhost[127.0.0.1]

Aug 20 11:57:59 [postfix/smtpd] NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 <localhost[127.0.0.1]>: Client host rejected: Access denied; from=<FETCHMAIL-DAEMON@localhost> to=<dave@myhostname.com> proto=SMTP helo=<localhost>

Aug 20 11:57:59 [postfix/smtpd] NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 <localhost[127.0.0.1]>: Client host rejected: Access denied; from=<dave@myhostname.com> to=<dave@localhost> proto=ESMTP helo=<localhost>

Aug 20 11:57:59 [postfix/smtpd] disconnect from localhost[127.0.0.1]
```

NB: I changed myhostname.com in the above text.

----------

## Boworr

I had two problems it seems. The first was easy: I wasn't passing the -m parameter to fetchmail during my tests, so it was defaulting to use smtp instead of procmail.

After that I found that I was missing a trailing / on my MAILDIR in my .procmailrc, e.g. MAILDIR=$HOME/.maildir/. If you don't add that, all the mail ends up in ~/.maildir instead of ~/.maildir/new  :Very Happy:

----------

## mrjackson2k

I'm having a problem getting bogofilter to work properly

```
OSError: [Errno 2] No such file or directory: '/home/xxx/.maildir/courierimapkeywords/cur'
```

If I create that dir it works fine, but it deletes the dir when finished. Creating the dir each time does work but is a pita.

Is there something I have done wrong? Or has something changed in a new version?

----------

## banjomark78

Hi all - fantastic guide, first off.  This is the first time I've attempted to set up a home email system, and I'd never have gotten this far without the gentoo way of things.

Anyway, here's my system.  I have a dyndns record that I want to be my email address for all folks in the outside world to write to.  At the moment I'm leaving squirrelmail out of the mix and just trying to get a basic sasl/imap/postfix combo going.

So, the list of problems I've got is:

1) The default keys from postfix give clients bad SSL errors.  I'm still working on issuing my own cert, but I'll peg at that a bit more before I post for help. 

2) Outside mail can't write me.  For example,  if I send myself mail from hotmail, I get the following:

```

Sep  5 21:43:43 [postfix/smtpd] connect from bay24-f38.bay24.hotmail.com[64.4.18.88]

Sep  5 21:43:43 [postfix/smtpd] CB180AC0CD: client=bay24-f38.bay24.hotmail.com[64.4.18.88]

Sep  5 21:43:43 [postfix/smtpd] CB180AC0CD: reject: RCPT from bay24-f38.bay24.hotmail.com[64.4.18.88]: 554 <bay24-f38.bay24.hotmail.com[64.4.18.88]>: Client host rejected: Access denied; from=<NOSPAM@hotmail.com> to=<NOSPAM@NOSPAM.homeip.net> proto=ESMTP helo=<hotmail.com>

Sep  5 21:43:45 [postfix/smtpd] disconnect from bay24-f38.bay24.hotmail.com[64.4.18.88]

```

Note that I can send myself messages as long as I authenticate to the smtp server.

Anyhow, here's my main.cf:

```

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_local_domain =

broken_sasl_ath_clients = yes

smtpd_client_restrictions = permit_sasl_authenticated, reject

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/lib/postfix

mail_owner = postfix

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

myhostname = nittany.tahoka.homeip.net

mydomain = tahoka.homeip.net

myorigin = $myhostname

mydestination = $myhostname, localhost.$mydomain $mydomain

unknown_local_recipient_reject_code = 450

mynetworks_style = subnet

mynetworks = 127.0.0.0/8 192.168.1.0/24

mailbox_command = /usr/bin/procmail

debug_peer_level = 2

debugger_command =

         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail

newaliases_path = /usr/bin/newaliases

mailq_path = /usr/bin/mailq

setgid_group = postdrop

manpage_directory = /usr/share/man

sample_directory = /usr/share/doc/postfix-2.0.19/sample

readme_directory = /usr/share/doc/postfix-2.0.19/readme

default_destination_concurrency_limit = 2

alias_database = hash:/etc/mail/aliases

local_destination_concurrency_limit = 2

alias_maps = hash:/etc/mail/aliases

home_mailbox = .maildir/

```

Before I head to sleep tonight I'm going to kick off an emerge sync and emerge -u world to bring all of this up to current, hopefully that will help.

Any thoughts on the external mails getting rejected?
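The two main.cf files posted in this thread carry defects that explain the logs beside them: a misspelt restriction name (`reject_uauth_destination`), an unconditional `reject` in smtpd_client_restrictions, which turns away every client that no earlier permit matched and produces the `554 ... Client host rejected: Access denied` seen for the Hotmail sender above, and a `mynetworks` entry with the impossible prefix `/254`. The linter below is an added example, not code from the guide, the posters or the Postfix project; it assumes only the main.cf syntax, its list of known restriction names is a hand-picked subset, and the sample fragments are constructed rather than copied from any post.

```python
"""Lint the relay-control settings of a Postfix main.cf.
Added example for this thread, not code from the guide, the posters or Postfix.
It flags what the posted configs and logs show: a misspelt restriction such as
"reject_uauth_destination", an unconditional "reject" in smtpd_client_restrictions
(remote MTAs then get "Client host rejected: Access denied") and a mynetworks
prefix such as "/254". KNOWN_RESTRICTIONS is a hand-picked subset for this example.
"""
import ipaddress
import re

KNOWN_RESTRICTIONS = {
    "permit", "reject", "defer", "defer_if_permit", "warn_if_reject", "permit_mynetworks",
    "permit_sasl_authenticated", "permit_auth_destination", "permit_mx_backup",
    "reject_unauth_destination", "reject_unknown_client", "reject_unknown_sender_domain",
    "reject_unknown_recipient_domain", "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
    "reject_invalid_hostname", "reject_rbl_client", "check_client_access", "check_helo_access",
    "check_sender_access", "check_recipient_access",
}
# Restrictions that consume the next token (a lookup table or RBL zone) as their argument.
TAKES_ARGUMENT = {"check_client_access", "check_helo_access", "check_sender_access",
                  "check_recipient_access", "reject_rbl_client"}
# Without one of these in smtpd_recipient_restrictions the server relays for anyone.
RELAY_STOPPERS = {"reject_unauth_destination", "check_relay_domains", "reject", "defer", "defer_if_permit"}

def parse_main_cf(text):
    """Return {parameter: value}: '#' lines skipped, indented lines continue the value, later wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]

def lint_restrictions(params, name):
    findings, expect_arg = [], False
    for token in split_list(params.get(name, "")):
        if expect_arg:            # e.g. the hash:/path after check_client_access
            expect_arg = False
            continue
        if token not in KNOWN_RESTRICTIONS:
            findings.append(f"{name}: unknown restriction '{token}' (typo?)")
            continue
        expect_arg = token in TAKES_ARGUMENT
        if token == "reject" and name == "smtpd_client_restrictions":
            findings.append(f"{name}: unconditional 'reject' blocks every client that no "
                            "earlier permit_* matched, so no remote MTA can deliver inbound "
                            "mail; use reject_unauth_destination in smtpd_recipient_restrictions")
    return findings

def lint_mynetworks(params):
    findings = []
    for token in split_list(params.get("mynetworks", "")):
        if token.startswith("/") or (":" in token and not token.startswith("[")):
            continue              # /file/name pattern or type:table lookup, not an address
        try:
            ipaddress.ip_network(token.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            findings.append(f"mynetworks: '{token}' is not a valid network/prefix")
    return findings

def lint_main_cf(text):
    params = parse_main_cf(text)
    findings = lint_restrictions(params, "smtpd_client_restrictions")
    findings += lint_restrictions(params, "smtpd_recipient_restrictions")
    rcpt = params.get("smtpd_recipient_restrictions")
    if rcpt is not None and not set(split_list(rcpt)) & RELAY_STOPPERS:
        findings.append("smtpd_recipient_restrictions: nothing stops relaying for "
                        "strangers (no reject_unauth_destination): open relay")
    findings += lint_mynetworks(params)
    return findings

# Constructed fragments modelled on the two main.cf files posted in this thread, plus a fix.
SAMPLE_TYPO = """\
smtpd_client_restrictions = permit_sasl_authenticated, reject_uauth_destination
mynetworks = 198.168.0.1/254, 127.0.0.0/8
"""
SAMPLE_REJECT_ALL = """\
smtpd_client_restrictions = permit_sasl_authenticated, reject
"""
SAMPLE_FIXED = """\
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
        reject_unauth_destination
mynetworks = 192.168.1.0/24, 127.0.0.0/8
"""

if __name__ == "__main__":   # usage: python3 lint_main_cf.py < /etc/postfix/main.cf
    import sys
    print("\n".join(lint_main_cf(sys.stdin.read()) or ["no findings"]))
```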

----------

## Solution_9

Do you need to use fetchmail if you use an email client? Like, is fetchmail just used for a console-based mail retriever?

----------

## Solution_9

This should be a simple question. Do I need to start courier-imapd for courier-imapd-ssl to work? I'm using Evolution, and I cannot connect to IMAP unless courier-imapd is running. Should this be happening? I have tried using domainname.com:993 for host also, but this does not work. When I telnet into localhost under port 143, I can see a bunch of information on IMAP. Now when I telnet into localhost under port 993, I get in, but I do not see any info on IMAP.

Also, I cannot *successfully* send or receive any email. When I try to send something, it shows it going through, but never actually reaches its destination.

Leave the second problem to be fixed at a later time. hehe.

----------

## Wilhelm

Maybe this is already known but here is a small tip:

When using sasl in combination with courier-imap you can do the following to store the passwords in the database in encrypted form.

Change MYSQL_CLEAR_PWFIELD to MYSQL_CRYPT_PWFIELD in /etc/courier-imap/authmysqlrc

You can now use ENCRYPT('(yourpasswordgoeshere)') in your mysql database to keep passwords in encrypted state. e.g.

```
UPDATE user SET clear=ENCRYPT('mypassword') WHERE clear='mypassword';
```

BTW I don't see what PAM is doing in the virtual mail system on the IMAP, POP3 and SMTP connections when SASL is authenticating it already.
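
A caveat and an added example, not from Wilhelm's post or the guide. With no salt argument, MySQL's `ENCRYPT()` is crypt(3) with a random two-character salt, which on Linux means the traditional DES scheme: only the first 8 bytes of the password count and there are just 4096 possible salts, so a leaked table falls to a dictionary attack quickly (and `ENCRYPT()` itself was removed in MySQL 8.0). Courier's `MYSQL_CRYPT_PWFIELD` only needs a string the system crypt() can verify, so you can generate a SHA-512-crypt (`$6$`) hash outside the database with `openssl passwd` and store that instead. The shell functions below do that. The `user` table and `clear` column are the ones from the post; the `name` column used to select the row is an assumption, and `-6` needs OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# Added example (not from the thread): SHA-512-crypt hashes for a Courier
# MYSQL_CRYPT_PWFIELD column, generated with openssl instead of MySQL ENCRYPT().

# 16 characters from the crypt salt alphabet [./0-9A-Za-z].
new_salt() {
    openssl rand -base64 18 | tr -d '\n' | tr '+/=' '..0' | cut -c1-16
}

# Print the $6$<salt>$<digest> string for password $1.  An explicit salt may be
# passed as $2 (used by the verifier below); otherwise a fresh one is drawn.
# The password is fed on stdin so it never appears in openssl's argv.
crypt_sha512() {
    pw=$1
    salt=${2:-$(new_salt)}
    printf '%s\n' "$pw" | openssl passwd -6 -salt "$salt" -stdin
}

# Verify the way crypt() does: hash the candidate with the salt embedded in the
# stored string and compare.  Returns 0 on match, 1 otherwise.
crypt_verify() {
    pw=$1
    stored=$2
    salt=$(printf '%s\n' "$stored" | cut -d '$' -f 3)
    [ "$(crypt_sha512 "$pw" "$salt")" = "$stored" ]
}

# Emit the UPDATE for Wilhelm's table (assumed: rows are selected by a `name`
# column).  The hash alphabet contains no quote characters, so it can be
# embedded as a literal; the user name is an admin-supplied value, not input
# from the network.
sql_set_password() {
    hash=$(crypt_sha512 "$2")
    printf "UPDATE user SET clear='%s' WHERE name='%s';\n" "$hash" "$1"
}

# Example run with a constructed password.
sql_set_password alice 'correct horse battery staple'
```

Run the printed statement with the mysql client; the clear-text password never reaches the database server or the process list.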

----------

## Adamal

 *Solution_9 wrote:*   

> This should be a simple question. Do I need to start courier-imapd for courier-imapd-ssl to work? I'm using Evolution, and I cannot connect to IMAP unless courier-imapd is running. Should this be happening? I have tried using domainname.com:993 for host also, but this does not work. When I telnet into localhost under port 143, I can see a bunch of information on IMAP. Now when I telnet into localhost under port 993, I get in, but I do not see any info on IMAP.
> 
> Also, I cannot *successfully* send or receive any email. When I try to send something, it shows it going through, but never actually reaches its destination.
> 
> Leave the second problem to be fixed at a later time. hehe.

For your first question, yes, you need to have courier-imapd running; it's the imap server. For the second one you'll need to play with your postfix configuration. I haven't given enough info to know what might be causing it.

----------

## Adamal

 *Solution_9 wrote:*   

> Do you need to use fetchmail if you use an email client? Like is fetchmail just used for a console based mail retriever?

 

Fetchmail downloads mail from other pop3 servers into your local mail account. You then use imap to host those files. If that is correct then yes, you will need fetchmail. Now if you're using your mail client to talk directly to the pop3 servers then no, and then what is the point of running imapd.

----------

## Solution_9

Well there is more reason to run IMAP than what you said. But I'm not using it for saving pop3 email. I'm using it so my email isn't stored locally.

----------

## tms

How can you use IMAP to store emails from pop3 in a SQL database? I would prefer if the users were virtual too

----------

## Solution_9

From my knowledge

You can set up fetchmail to receive the pop3 emails, and put them in the maildir folder. So everything is on the server. Every email message is accessible from anywhere, providing you have a method for logging into your account.

----------

## tms

Solution_9: My previous setup was local accounts storing mail in each user's home directory, providing IMAP access.

To be honest, this is a very clumsy setup when the user shouldn't have shell access :P hence why I wish to create virtual users and preferably store the emails in a database. 

Too bad there are no howtos on the subject (virtual mailhosting guide is pretty close though)

----------

## newbie_gentoo

Just finished your HowTo, and got it to work! Thanks for this great document!

----------

## VinnieNZ

Hi,

I've gone through this guide and I think that all is working ok (apart from sending email via Thunderbird: I'm having invalid certificate issues, and because I regenerated my cert for the mailserver I now also have issues with the cert having the same number and getting an invalid cert in Thunderbird)

But my main problem is using fetchmail. This is the error I get whenever I try to run the script:

```
bin/getmyemailnow
Enter password for vinnienz@/usr/bin/procmail -d %T:
fetchmail: couldn't find canonical DNS name of /usr/bin/procmail -d %T (/usr/bin/procmail -d %T)
fetchmail: Query status=11 (DNS)
```

I've had a hunt around and can't find a solution to it, and also can't work out whats going wrong.  Any help would be greatly appreciated.

Cheers

----------

## Sanjiyan

This works great. I use the IMAP option so I can use the webmail for when I am away from the computer, and because I prefer POP3 I also use the courier-pop3-ssl option so I can pick up my email from the pop3 server it provides; all in all this was a hassle-free install and setup.

I have only installed the Spam Assassin spam filter at the moment; do I really need the other one, or is Spam Assassin good enough? I use Spam Inspector on my email client (OE), which is a spam remover anyway, but this is to see how good a job Spam Assassin does while it's sitting there.

----------

## MarkH

Sigh,

This was all going swimmingly until I tried to set up TLS according to beowulf's guide.  I can send / receive email but as soon as I try and use TLS for my SMTP send (from Thunderbird on the same machine)  postfix complains

```
Sep 29 21:51:05 [postfix/smtpd] setting up TLS connection from zeus.howellsfamily.org[127.0.0.1]
Sep 29 21:51:06 [postfix/smtpd] SSL_accept error from zeus.howellsfamily.org[127.0.0.1]: 0
Sep 29 21:51:06 [postfix/smtpd] 6692:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42:
Sep 29 21:51:06 [postfix/smtpd] disconnect from zeus.howellsfamily.org[127.0.0.1
```

My server hostname is 'zeus'.  Here's the content of /etc/hosts

```
127.0.0.1       zeus.howellsfamily.org localhost
192.168.0.2     athena
```

my /etc/courier-imap/imapd.cnf is

```
RANDFILE = /usr/share/imapd.rand

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = yes

[ req_dn ]
C=UK
ST=CB
L=Cambridge
O=Courier Mail Server
OU=Automatically-generated IMAP SSL key
CN=zeus.howellsfamily.org
emailAddress=root@localhost

[ cert_type ]
nsCertType = server
```

I have tried CN=localhost and CN=zeus all give the same error.

I'm not particularly familiar with openssl but I can't help but think the certificate is invalid in some way. Surely beowulf's guide would mention if the default CA were invalid in some way?

I've been googling and searching here and haven't yet found a solution that works for me. If anyone can help, I'd appreciate some advice. More config files available upon request ...

TIA

Mark

----------

## tapted

Yup. Great howto.

It might be worthwhile adding famd to the list of services to start.

I don't know why it wasn't in my runlevel already, but before I started/rc-updated it I was getting these errors in /var/log/messages:

```
Oct  2 17:45:24 giant imapd-ssl: Failed to create cache file: maildirwatch (tapted)
Oct  2 17:45:24 giant imapd-ssl: Error: Input/output error
Oct  2 17:45:24 giant imapd-ssl: Check for proper operation and configuration
Oct  2 17:45:24 giant imapd-ssl: of the File Access Monitor daemon (famd).
```

So I did this:

```
root@giant:/home/tapted (bash)
$ /etc/init.d/famd status
 * status:  stopped
root@giant:/home/tapted (bash)
$ rc-update add famd default
 * famd added to runlevel default
 * Caching service dependencies...
 * rc-update complete.
root@giant:/home/tapted (bash)
$ /etc/init.d/famd start
 * Starting famd...                                                       [ ok ]
```

and now all is peachy.

Moo.

----------

## Torstello

Hi @ all,

I followed this great howto until 7.2 sylpheed-claws.

Receiving my emails works fine, but if I try to send an email I get:

 *Quote:*   

> could not queue message for sending

I have no idea why this message appears.

I can't find an error in my /var/log/messages on my server.

And another important question:

Where are the postfix logs? I simply can't find them.

Torsten

----------

## TheHermit

Great guide, I got everything but SMTP working. Thunderbird doesn't report an error, just that sending failed. Looking at the logs myself I thought that maybe I needed to add my ip to the mynetworks options, but that did not work. I also tried to disable TLS as that seemed to help someone else, but that didn't work either.

```
Oct 22 23:43:16 [postfix/master] daemon started -- version 2.1.5
Oct 22 23:43:19 [postfix/smtpd] match_string: mynetworks ~? debug_peer_list
Oct 22 23:43:19 [postfix/smtpd] match_string: mynetworks ~? fast_flush_domains
Oct 22 23:43:19 [postfix/smtpd] match_string: mynetworks ~? mynetworks
Oct 22 23:43:19 [postfix/smtpd] match_string: relay_domains ~? debug_peer_list
Oct 22 23:43:19 [postfix/smtpd] match_string: relay_domains ~? fast_flush_domains
Oct 22 23:43:19 [postfix/smtpd] match_string: relay_domains ~? mynetworks
Oct 22 23:43:19 [postfix/smtpd] match_string: relay_domains ~? permit_mx_backup_networks
Oct 22 23:43:19 [postfix/smtpd] match_string: relay_domains ~? qmqpd_authorized_clients
Oct 22 23:43:19 [postfix/smtpd] match_string: relay_domains ~? relay_domains
Oct 22 23:43:19 [postfix/smtpd] match_string: permit_mx_backup_networks ~? debug_peer_list
Oct 22 23:43:19 [postfix/smtpd] match_string: permit_mx_backup_networks ~? fast_flush_domains
Oct 22 23:43:19 [postfix/smtpd] match_string: permit_mx_backup_networks ~? mynetworks
Oct 22 23:43:19 [postfix/smtpd] match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
Oct 22 23:43:19 [postfix/smtpd] dict_open: unix:passwd.byname
Oct 22 23:43:19 [postfix/smtpd] dict_open: hash:/etc/mail/aliases
Oct 22 23:43:19 [postfix/smtpd] match_string: smtpd_access_maps ~? debug_peer_list
Oct 22 23:43:19 [postfix/smtpd] match_string: smtpd_access_maps ~? fast_flush_domains
Oct 22 23:43:19 [postfix/smtpd] match_string: smtpd_access_maps ~? mynetworks
Oct 22 23:43:19 [postfix/smtpd] match_string: smtpd_access_maps ~? permit_mx_backup_networks
Oct 22 23:43:19 [postfix/smtpd] match_string: smtpd_access_maps ~? qmqpd_authorized_clients
Oct 22 23:43:19 [postfix/smtpd] match_string: smtpd_access_maps ~? relay_domains
Oct 22 23:43:19 [postfix/smtpd] match_string: smtpd_access_maps ~? smtpd_access_maps
Oct 22 23:43:19 [postfix/smtpd] smtpd_sasl_initialize: SASL config file is smtpd.conf
Oct 22 23:43:20 [postfix/smtpd] starting TLS engine
Oct 22 23:43:20 [postfix/smtpd] match_string: fast_flush_domains ~? debug_peer_list
Oct 22 23:43:20 [postfix/smtpd] match_string: fast_flush_domains ~? fast_flush_domains
Oct 22 23:43:20 [postfix/smtpd] watchdog_create: 0x80ab9b8 18000
Oct 22 23:43:20 [postfix/smtpd] watchdog_stop: 0x80ab9b8
Oct 22 23:43:20 [postfix/smtpd] watchdog_start: 0x80ab9b8
Oct 22 23:43:20 [postfix/smtpd] connection established
Oct 22 23:43:20 [postfix/smtpd] master_notify: status 0
Oct 22 23:43:20 [postfix/smtpd] name_mask: resource
Oct 22 23:43:20 [postfix/smtpd] name_mask: software
Oct 22 23:43:20 [postfix/smtpd] name_mask: noanonymous
Oct 22 23:43:21 [postfix/smtpd] connect from h00045a57fec4.ne.client2.attbi.com[24.62.29.24]
Oct 22 23:43:21 [postfix/smtpd] match_list_match: h00045a57fec4.ne.client2.attbi.com: no match
Oct 22 23:43:21 [postfix/smtpd] match_list_match: 24.62.29.24: no match
Oct 22 23:43:21 [postfix/smtpd] match_list_match: h00045a57fec4.ne.client2.attbi.com: no match
Oct 22 23:43:21 [postfix/smtpd] match_list_match: 24.62.29.24: no match
Oct 22 23:43:21 [postfix/smtpd] > h00045a57fec4.ne.client2.attbi.com[24.62.29.24]: 220 tux.bbck.net ESMTP Postfix
Oct 22 23:43:21 [postfix/smtpd] watchdog_pat: 0x80ab9b8
Oct 22 23:43:21 [postfix/smtpd] < h00045a57fec4.ne.client2.attbi.com[24.62.29.24]: EHLO [127.0.0.1]
Oct 22 23:43:21 [postfix/smtpd] > h00045a57fec4.ne.client2.attbi.com[24.62.29.24]: 250-tux.bbck.net
Oct 22 23:43:21 [postfix/smtpd] > h00045a57fec4.ne.client2.attbi.com[24.62.29.24]: 250-PIPELINING
Oct 22 23:43:21 [postfix/smtpd] > h00045a57fec4.ne.client2.attbi.com[24.62.29.24]: 250-SIZE 10240000
Oct 22 23:43:21 [postfix/smtpd] > h00045a57fec4.ne.client2.attbi.com[24.62.29.24]: 250-VRFY
Oct 22 23:43:21 [postfix/smtpd] > h00045a57fec4.ne.client2.attbi.com[24.62.29.24]: 250-ETRN
Oct 22 23:43:21 [postfix/smtpd] > h00045a57fec4.ne.client2.attbi.com[24.62.29.24]: 250-STARTTLS
Oct 22 23:43:21 [postfix/smtpd] match_list_match: h00045a57fec4.ne.client2.attbi.com: no match
Oct 22 23:43:21 [postfix/smtpd] match_list_match: 24.62.29.24: no match
Oct 22 23:43:21 [postfix/smtpd] > h00045a57fec4.ne.client2.attbi.com[24.62.29.24]: 250 8BITMIME
Oct 22 23:43:21 [postfix/smtpd] watchdog_pat: 0x80ab9b8
Oct 22 23:43:22 [postfix/smtpd] < h00045a57fec4.ne.client2.attbi.com[24.62.29.24]: QUIT
Oct 22 23:43:22 [postfix/smtpd] > h00045a57fec4.ne.client2.attbi.com[24.62.29.24]: 221 Bye
Oct 22 23:43:22 [postfix/smtpd] disconnect from h00045a57fec4.ne.client2.attbi.com[24.62.29.24]
Oct 22 23:43:22 [postfix/smtpd] master_notify: status 1
Oct 22 23:43:22 [postfix/smtpd] connection closed
Oct 22 23:43:22 [postfix/smtpd] watchdog_stop: 0x80ab9b8
Oct 22 23:43:22 [postfix/smtpd] watchdog_start: 0x80ab9b8
Oct 22 23:45:02 [postfix/smtpd] idle timeout -- exiting
Oct 22 23:47:55 [imapd-ssl] DISCONNECTED, user=chris, ip=[24.62.29.24], headers=0, body=0
```

----------

## LiamRoutt

I found this guide quite useful (I located it on gentoo-wiki, but it seems to be the same). I have a few tips and pointers to add:

1. The Thunderbird problem is fixed by creating your own certificates, and using those. I will try to post the exact steps to do that in the next day or two (I am pressed for time right now), but suffice it to say that I managed to locate the right general process (as suggested by another poster here) in The Virtual Mail How-To: http://www.gentoo.org/doc/en/virt-mail-howto.xml#doc_chap5 you have to change some filenames, and stuff, but it works pretty easily.

2. In order to relay to your ISP there is an additional postfix config line you need to add (unless I missed it somewhere here) to main.cf:

```
relayhost = [mailhost.isp.com]
```

Where mailhost.isp.com is your ISP's mail server you wish to use (which matches the hostname in the saslpass file). The square brackets are important: they mean "do not look for the MX record for this host". If you don't put them, and your ISP has an MX record for their mailserver (mine did), you can end up with your mail trying to be routed through an entirely different system (which doesn't want to know about you).

Without this line, the system will use the smtp_sasl_auth info if it has to send mail to your ISP, but will try to send each piece of mail directly to the host for the addressee, which is not relaying through your ISP, is it?

----------

## TheHermit

Tried making my own cert and that didn't work.

----------

## LiamRoutt

The Hermit: I noticed that you are getting messages which are different from the ones that most people (and I) were getting, so I'm sure your problem is of a different nature. One thing you might want to check is that you have compiled postfix and the auth packages with the correct USE flags. I found that I had inadvertently left off a few on my installation. I also chose to use -gdbm to force the use of Berkeley over gdbm (which seemed as though it was going to be a problem). The other thing I notice from your output is that your failure seems to be related to a match-string failure. You probably want to go line by line through the match string lines, checking the relevant portions of the postfix/main.cf to see whether you've made a typo or defined something that doesn't match your situation (different ip addresses for your subnet, for example)... Perhaps someone else has some more insight?

Anyway, here's my promised step-by-step on making the certs. Thunderbird would not connect (with an auth failure) before these steps, and was fine afterwards:

```
# cd /etc/ssl/
# nano -w openssl.cnf
```

In here you want to set your defaults, if only because it will save you entering them again and again when you make other certs in the future. The defaults are part-way down in the file, after a lot of stuff you should leave alone. You can search for "countryName_default" and that should get you to the start of the section. Make sure you edit or add the *_default values, and not the others.

I used something like this:

```
countryName_default = AU
stateOrProvinceName_default = Victoria
localityName_default = Balwyn
0.organizationName_default = MyServer
organizationalUnitName_default = Mailserver
commonName_default = my.mailserver.address.com
emailAddress_default = postmaster@my.mailserver.address.com
```

I had to add one or two of those lines, but most were present and could be edited. Obviously you need to insert your own information. I don't know whether there is a list of country codes out there somewhere... I read that the commonName needs to match the name of your mailserver (from the client's point of view), and Thunderbird did complain when I set it incorrectly.

Next up is potentially the most confusing step (for me):

```
# cd misc
# nano -w CA.pl
```

Here we need to change the script that generates the certificates for us, so that we add the -nodes flag to each of the two relevant commands. This means that the server can start up without requiring your password each time, I believe.

In order to locate the lines to check you might want to search for the comments, below:

```
# create a certificate
system ("$REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS");

# create a certificate request
system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
```

For each command (and only these, as far as I know) you want to add the "-nodes" flag to the list of flags, making sure to leave the rest of the line intact. Once this is done, you are ready to generate your certificates. Note that you only need to do these first two steps (this and the openssl.cnf edit) the first time you are doing this; later certificates will not need these edits.

```
# ./CA.pl -newca
# ./CA.pl -newreq
# ./CA.pl -sign
```

These three commands create your certificates. You will be asked questions along the way, most of which you will already have set the defaults for, with the above editing. I think you can leave most everything as it is. For the last step you are asked for a pass phrase, which I think is the only thing I entered. It may be that the passphrase there must match the challenge password requested in the -newreq run.

Next we copy the resulting files to our postfix setup:

```
# cp newcert.pem /etc/ssl/postfix
# cp newreq.pem /etc/ssl/postfix
# cp demoCA/cacert.pem /etc/ssl/postfix
```

They will not overwrite the defaults, luckily (although the defaults seem to be useless).

Finally, we need to change the main.cf to point to these new files, and restart postfix.

```
# cd /etc/postfix
# nano -w main.cf
```

Here we need to edit the following lines, putting in the names of our new files, as shown:

```
smtpd_tls_key_file = /etc/ssl/postfix/newreq.pem
smtpd_tls_cert_file = /etc/ssl/postfix/newcert.pem
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
```

I note that the extensions are different from the default config, and that led to my making several replacement mistakes, until I simply re-entered the information from scratch. At this point you have told postfix to use the new files.

```
# postfix check
```

It is always worth checking your update.

```
# /etc/init.d/postfix restart
```

That should restart the service, and use the new certificates as a result.

I then sent a message from Thunderbird on another machine in my LAN. I was asked to okay a certificate that matched the info I had created. From that point on the client has been able to connect fine, and that problem has vanished.

The info to do this was presented in this thread before, or at least referred to, but it was perhaps not so simply presented. I hope this helps someone else (not The Hermit, it would seem!).
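
The same procedure in non-interactive form, as an added example that is not LiamRoutt's or the guide's code: one shell function that builds a private CA and a server certificate with plain openssl(1) commands and prints the three `main.cf` lines. Beyond the steps above it adds a `subjectAltName` entry, which current Thunderbird and other TLS clients require (a matching commonName alone is no longer accepted, and the stock CA.pl -sign run does not add one), keeps the CA key passphrase-protected while leaving the server key unencrypted (`-nodes`) as the post does, and creates every file mode 0600 so the unencrypted key is readable by root only, which is what Postfix expects since smtpd opens it before dropping privileges. The host name, output directory, subject strings, key sizes, lifetimes and the `CA_PASS` environment variable are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): private CA plus server certificate for
# Postfix/Courier with plain openssl commands, replacing the interactive CA.pl run.
# Usage: CA_PASS=... make_mail_certs <fqdn> <outdir>   (needs OpenSSL 1.1.1+)
make_mail_certs() {
    fqdn=$1
    out=$2
    umask 077            # everything below is created 0600/0700: root-only keys
    mkdir -p "$out"

    # 1. CA key (kept encrypted; only needed when signing) and self-signed CA cert.
    openssl genrsa -aes256 -passout env:CA_PASS -out "$out/cakey.pem" 4096 2>/dev/null
    openssl req -x509 -new -key "$out/cakey.pem" -passin env:CA_PASS \
        -subj "/O=Home mail/CN=Home mail CA" -days 3650 -out "$out/cacert.pem"

    # 2. Server key WITHOUT a passphrase (-nodes): smtpd and imapd must open it
    #    at boot with nobody at the console.  Plus the signing request.
    openssl req -new -nodes -newkey rsa:2048 -keyout "$out/server.key" \
        -subj "/O=Home mail/CN=$fqdn" -out "$out/server.csr" 2>/dev/null

    # 3. Sign the request, adding the host name as a subjectAltName (clients no
    #    longer accept a bare CN) and a statement that this is a server
    #    certificate, not another CA.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$fqdn" > "$out/server.ext"
    openssl x509 -req -in "$out/server.csr" -CA "$out/cacert.pem" -CAkey "$out/cakey.pem" \
        -passin env:CA_PASS -CAcreateserial -days 825 -extfile "$out/server.ext" \
        -out "$out/server.crt" 2>/dev/null
    rm -f "$out/server.csr" "$out/server.ext"

    # 4. Verify the chain before pointing the MTA at it, then print main.cf lines.
    openssl verify -CAfile "$out/cacert.pem" "$out/server.crt" >/dev/null || return 1
    printf 'smtpd_tls_key_file = %s/server.key\n'  "$out"
    printf 'smtpd_tls_cert_file = %s/server.crt\n' "$out"
    printf 'smtpd_tls_CAfile = %s/cacert.pem\n'    "$out"
}
```

Courier can use the same pair by concatenating `server.key` and `server.crt` into the `TLS_CERTFILE` it expects; clients still have to import `cacert.pem` once, as the post describes for Thunderbird.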

----------

## lisnalinchy

Excellent work Beowulf and co. 

I am not sure if this has been mentioned before, but about the only thing I could suggest adding to the guide would be integrating some basic antivirus software like clamav or f-prot for incoming mail.

Just a thought

Cheers


----------

## Torstello

Hi @all,

I'm able to send and receive emails after installing postfix-bogofilter.

But I have a strange output in my /var/log/messages when I send an email.

Can someone give me a hint what's going on here? Or is this quite normal?

 *Quote:*   

> Oct 27 22:23:23 fileserver postfix/smtpd[795]: starting TLS engine
> Oct 27 22:23:23 fileserver postfix/smtpd[795]: connect from myserver.org[192.168.1.112]
> ...

and a lot more lines like the last one ...

 *Quote:*   

> Oct 27 22:23:24 fileserver postfix/smtpd[795]: 04d1 - <SPACES/NULS>?
> Oct 27 22:23:24 fileserver postfix/smtpd[795]: SSL_accept:SSLv3 flush data
> ...

----------

## LiamRoutt

This happens to me as well, and seems to be the standard debug output from the TLS or SASL connection layer. There might be a way to limit it, however, by changing settings... But I haven't looked into that yet...

----------

## Holly

 *beowulf wrote:*   

> 3.4 Making Postfix a Relay to our ISP:
> 
> Email Client->Cyrus-SASL->Postfix->Cyrus-SASL->ISP SMTP Server->Internet
> ...

I've setup my email system after this guide, but i used qmail instead of postfix. How do I setup qmail to relay my mail to my ISP with smtp-auth?

edit: well, sometimes you should really look at the docs which are installed with the software.

/usr/share/doc/qmail-1.03-r15/README.remote-auth.gz told me everything i needed to know.

----------

## Torstello

Hi @all,

after the setup of my mail-system everything worked fine (thanks beowulf) and I tried to add amavisd-new and clamav support as written in this howto:

https://forums.gentoo.org/viewtopic.php?p=842754#842754

i have a problem connecting to my localhost:10025 to get my amavisd-new scanned emails back to qmgr.

error:

```
Nov  8 21:27:26 fileserver postfix/lmtp[31240]: 774CF71B31DA: to=<ts@fileserver.buddhital.org>, orig_to=<ts>, relay=127.0.0.1[127.0.0.1],delay=197842, status =deferred (host 127.0.0.1[127.0.0.1] said: 450 4.4.1 Can't connect to 127.0.0.1 port 10025, Bad file descriptor at /usr/sbin/amavisd line 2862, <GEN3> line 3294., id=29823-02-10 (in reply to end of DATA command))
```

the mentioned line in /usr/sbin/amavisd is the one with defined($smtp_handle):

```
       Hello => $localhost_name, ExactAddresses => 1,
       Timeout => max(60, min(5*60,$remaining_time)), # for each operation
     # Debug => debug_oneshot(),
     # LocalAddr => 10.11.12.13,   # (bind) source IP address
     );
   defined($smtp_handle)
       or die "Can't connect to $relayhost port $relayhost_port, $!";
```

I re-emerged amavisd-new but this didn't help.

What can be wrong here?

master.cf

```
smtp-amavis     unix    -       -       n       -       2       lmtp
        -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet    n       -       n       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o mynetworks_style=subnet
        -o strict_rfc821_envelopes=yes
        -o smtpd_error_sleep_time=0 #
pre-cleanup     unix    n       -       n       -       0       cleanup
        -o virtual_alias_maps=
        -o canonical_maps=
        -o canonical_maps=
        -o sender_canonical_maps=
        -o recipient_canonical_maps=
        -o masquerade_domains=
cleanup unix    n       -       n       -       0       cleanup
        -o mime_header_checks=
        -o nested_header_checks=
        -o body_checks=
        -o header_checks=
smtp    inet    n       -       n       -       -       smtpd
        -o cleanup_service_name=pre-cleanup
pickup  fifo    n       -       n       60      1       pickup
        -o cleanup_service_name=pre-cleanup
```

main.cf

 *Quote:*   

> content_filter = smtp-amavis:[127.0.0.1]:10024

----------

## soulwarrior

Thanks for this great howto, works without a problem.

I have a question concerning the other computers in my network:

Is it possible to transfer all the local mails on every computer in the local network (like cron emails) to the one mail server, so one has only to look in one place for this sort of emails?

----------

## altstadt

As far as I can tell, the only thing missing from your mini howto is what I am trying to get working.

You are missing any instructions on how to set up the workstation illusion to forward mail on to the server chimera. What must be configured on illusion (assuming postfix and cyrus-sasl have been emerged there as well) to get email from cron jobs, and other non-client software, sent to the mailbox on chimera? Does anything need to change in the chimera config?

Sorry if this is already explained somewhere in the 21 pages, but I searched for both illusion and its IP on every page.

----------

## altstadt

 *altstadt wrote:*   

> Sorry if this is already explained somewhere in the 21 pages, but I searched for both illusion and its IP on every page.

 

But apparently I didn't look at the very last message to see if someone had already asked the same question.  :Smile: 

----------

## lodder_

hello,

I'm having a problem, well actually a few.

If I send a mail to an external or internal address it appears as lodder@lodder.bounceme.net at any location, external or internal, but if people want to reply to it, internal or external, I don't get a thing, I don't even receive them. Please help me on that. And I use this method of sending: Email Client->Cyrus-SASL->Postfix->Cyrus-SASL->ISP SMTP Server->Internet 

My second question is I have 1 email address at my ISP but there are a few aliases, but now I need to filter them; for example me@isp.com should go to me, dad@isp.com should go to dad's account, but they all start from the same account. Please help me to filter it and deliver it in the correct mailbox.

Thanks in advance folks, hope I get an answer soon

----------

## soulwarrior

 *altstadt wrote:*   

> You are missing any instructions on how to set up the workstation illusion to forward mail on to the server chimera. What must be configured on illusion (assuming postfix and cyrus-sasl have been emerged there as well) to get email from cron jobs, and other non-client software, sent to the mailbox on chimera? Does anything need to change in the chimera config?

Hey, someone else is trying to do the same thing  :Wink: 

I wonder if it would be necessary to install a dns service to resolve internally to the right mailserver?

----------

## lodder_

first thing is sloved now

but I still can't figure out this: my second question is I have 1 email account at my ISP but there are a few aliases, but now I need to filter them; for example me@isp.com should go to me, dad@isp.com should go to dad's account, but they all start from the same account. Please help me to filter it and deliver it in the correct mailbox.

----------

## altstadt

 *///lodder\\\ wrote:*   

> for example me@isp.com should go to me , dad@isp.com should go to dad it's account but they all start from the same account

 

Check out fetchmail, and more specifically, the man page entry on multidrop mailboxes.

I haven't used this feature, but it looks like it was designed for the situation you are asking about. Note the caveats about the envelope address.

----------

## strider2003

NOTE: I have posted this message also in the network and security forum.

I'm following the tutorial, and I'm having a lot of problems. These are some of them. I hope you can help me.

1) I can't receive emails.

```
$ fetchmail -a -k
reading message my_pop_user@pop3.ono.com:1 of 18 (3588 octets) fetchmail: SMTP error: 554 <localhost[127.0.0.1]>: Client host rejected: Access denied
fetchmail: can't even send to my_local_user!
 not flushed
```

2) I can't use sylpheed

I have configured sylpheed as the example in the tutorial (for sylpheed-claws), and I can't do anything since my password seems to be wrong.

3) I can't send email

I have sent an email with this command:

```
$ mailto test
Subject: Test from localhost
Test #1
~.
```

Then I see in webmin, that this email is in the queue, and then it seems sent, but I can't find where this email has gone.

Thank you all.

----------

## strider2003

This is my output for 'postconf -n'. Do you see anything wrong?

```
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 2
home_mailbox = .maildir/
html_directory = no
local_destination_concurrency_limit = 2
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain $mydomain
mydomain = [hidden for privacy]
myhostname = frodo
mynetworks = 127.0.0.0/8 192.168.0.0/24
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.1.1/readme
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
```
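
An added model of what the `postconf -n` above does with a connection, not code from the thread or the guide. Postfix consults `smtpd_client_restrictions` first and `smtpd_recipient_restrictions` later (all at RCPT TO, since `smtpd_delay_reject` defaults to yes); within each list the first restriction that answers permit or reject ends that list, an exhausted list permits, and a permit in the client list does not skip the recipient list. The posted client list `permit_sasl_authenticated, reject` therefore rejects every unauthenticated client before `permit_mynetworks` in the recipient list is ever consulted, which is what fetchmail's delivery from 127.0.0.1 sees as `554 Client host rejected: Access denied`. Relay protection lives in the recipient list: `reject` at its end refuses all mail from non-LAN, unauthenticated clients (fine for a host fed only by fetchmail), and `reject_unauth_destination` is the form to use if the host ever receives mail by MX. The shell functions below implement just the restrictions in the thread; the mynetworks test is a prefix match on the two posted prefixes, and the local domain names stand in for the hidden `mydomain`.

```sh
#!/bin/sh
# Added example (not from the thread): a reduced model of smtpd restriction-list
# evaluation, covering only the restrictions that appear in the posted config.

# Assumed stand-ins for the poster's (hidden) mydestination, plus the two
# restriction lists exactly as posted.
MYDESTINATION="frodo frodo.example localhost.frodo.example"
POSTED_CLIENT="permit_sasl_authenticated, reject"
POSTED_RECIPIENT="permit_mynetworks, permit_sasl_authenticated, reject"

# Prefix match standing in for 127.0.0.0/8 and 192.168.0.0/24 (no CIDR maths).
in_mynetworks() {
    case "$1" in
        127.*|192.168.0.*) return 0 ;;
        *)                 return 1 ;;
    esac
}

is_local_domain() {
    for d in $MYDESTINATION; do
        if [ "$1" = "$d" ]; then return 0; fi
    done
    return 1
}

# eval_list <client ip> <sasl|nosasl> <recipient domain> "<restriction list>"
# Prints permit or reject for that one list: the first restriction with an
# opinion wins, one that has none ("dunno") falls through, and running off the
# end of the list is an implicit permit, as in Postfix.
eval_list() {
    ip=$1 auth=$2 rcpt=$3 list=$4
    for item in $(printf '%s' "$list" | tr ',' ' '); do
        case "$item" in
            permit_mynetworks)
                if in_mynetworks "$ip"; then echo permit; return 0; fi ;;
            permit_sasl_authenticated)
                if [ "$auth" = sasl ]; then echo permit; return 0; fi ;;
            reject_unauth_destination)
                if ! is_local_domain "$rcpt"; then echo reject; return 0; fi ;;
            reject) echo reject; return 0 ;;
            permit) echo permit; return 0 ;;
            *)      echo "unmodelled restriction: $item" >&2; return 1 ;;
        esac
    done
    echo permit
}

# smtpd_decision <client ip> <sasl|nosasl> <recipient domain> "<client list>" "<recipient list>"
# Prints permit, reject:client or reject:recipient.  The client list is walked
# first; a permit there only ends that list, the recipient list still runs.
smtpd_decision() {
    if [ "$(eval_list "$1" "$2" "$3" "$4")" = reject ]; then
        echo reject:client
    elif [ "$(eval_list "$1" "$2" "$3" "$5")" = reject ]; then
        echo reject:recipient
    else
        echo permit
    fi
}

# Walk four constructed clients through the posted lists and through the same
# lists with smtpd_client_restrictions left at its (empty) default.
for who in "127.0.0.1 nosasl frodo.example" "192.168.0.10 nosasl frodo.example" \
           "203.0.113.5 nosasl frodo.example" "203.0.113.5 sasl elsewhere.example"; do
    set -- $who
    printf '%-36s posted: %-18s client list removed: %s\n' "$who" \
        "$(smtpd_decision "$1" "$2" "$3" "$POSTED_CLIENT" "$POSTED_RECIPIENT")" \
        "$(smtpd_decision "$1" "$2" "$3" "" "$POSTED_RECIPIENT")"
done
```

The table it prints shows the two local clients going from reject:client to permit once the client list is dropped, the unauthenticated Internet client still refused by the recipient list, and the SASL-authenticated Internet client permitted either way, which is the behaviour the guide's "Email Client->Cyrus-SASL->Postfix" design intends.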

----------

## thompsonmike

I am getting a error on line 46 when trying to run the script.

Here is the error:

```
  File "/home/mike/Bin/bogotrainer", line 46
    spamlist = os.listdir(os.path.join(maildir,".Spam/cur")))
    ^
SyntaxError: invalid syntax
```

Any ideas??

----------

## TriKster_Abacus

Beowulf and all of you who have had the patience to stick it out with some of us mail noobs.

The directions were pretty clear, but I am stuck big time.

I use bellsouth.net as my dsl provider, my outgoing email has to go through bellsouth.net.

I am not concerned about recieving email, I just need to send so that username/passwords can be sent for my personal webpage.

This is my /etc/procmail/main.cf:

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/lib/postfix

mail_owner = postfix

inet_interfaces = all

myhostname = trikster.homelinux.org

mydomain = trikster.homelinux.org

myorigin = $myhostname

mydestination = $myhostname, localhost.$mydomain $mydomain

unknown_local_recipient_reject_code = 450

mynetworks_style = subnet

mynetworks = 127.0.0.0/8 192.168.1.0/24

mailbox_command = /usr/bin/procmail

debug_peer_level = 2

debugger_command =

         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail

newaliases_path = /usr/bin/newaliases

mailq_path = /usr/bin/mailq

setgid_group = postdrop

manpage_directory = /usr/share/man

sample_directory = /usr/share/doc/postfix-2.0.16-r1/sample

readme_directory = /usr/share/doc/postfix-2.0.16-r1/readme

default_destination_concurrency_limit = 2

alias_database = hash:/etc/mail/aliases

local_destination_concurrency_limit = 2

alias_maps = hash:/etc/mail/aliases

home_mailbox = .maildir/ 

I can send email to myself within my server, I.E. from root to user, but it will not go out from the network.

I did:

```
telnet trikster.homelinux.org 25
Trying 192.168.1.4...
Connected to trikster.homelinux.org.
Escape character is '^]'.
220 trikster.homelinux.org ESMTP Postfix
mail from: [my_username]@trikster.homelinux.org
250 Ok
rcpt to: [my_username]@linux-militia.net
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
This is a test
.
250 Ok: queued as F181441622
```

Then I watch my /var/log/messages and see these messages:

```
Dec 13 13:15:24 trikster postfix/smtp[25079]: connect to mail.linux-militia.net[206.225.84.44]: Connection timed out (port 25)
Dec 13 13:15:24 trikster postfix/smtp[25079]: F181441622: to=<[my_username]@linux-militia.net>, relay=none, delay=76, status=deferred (connect to mail.linux-militia.net[206.225.84.44]: Connection timed out)
```

Then I do another test message to [a_username]@bellsouth.net to see if I am actually being blocked (which I am not) and receive this:

```
Dec 13 13:17:38 trikster postfix/smtp[25079]: 73B5741634: to=<[my_username]@bellsouth.net>, relay=mx01.mail.bellsouth.net[205.152.59.33], delay=16, status=bounced (host mx01.mail.bellsouth.net[205.152.59.33] said: 550 Invalid recipient: <[my_username]@bellsouth.net> (in reply to RCPT TO command))
```

So dns is working, everything seems to be working except that all the messages end up with (the bounce above was because I did in fact use a bad email address, but it shows that it is trying to connect to bellsouth.net):

(connect to mail.linux-militia.net[206.225.84.44]: Connection timed out) and such.

What could I be missing?

I also am going through a linksys dsl/cable router and I forwarded port 25 to port 25 on 192.168.1.4 with no luck either.

Thank you

Sincerely,

TriKster Abacus

----------

## chiwi

hey the guide is great!, 

smtp works fine and fetchmail works fine too. I'm having problems with (i think) imap.

I've configured kmail correctly, but it seems that it never receives any email. They are received, though, because I can see them with another email client such as pine. I don't know if I'm missing something here.

Please, I've searched everywhere, gone through almost all posts and found nothing. I don't know what to do. I need some help here; let me know if you need some configuration files.

thanks guys.

c.

----------

## menetto

I have made an adjustment in the section for installing SpamAssassin. The emerge command is 

```
emerge spamassassin
```

 instead of 

```
emerge Mail-SpamAssassin
```

I have also added information on spamassassin-ruledujour.

Sorry I didn't post it here, but I was waiting to log in, when it suddenly was saved. And I overlooked the section for changes   :Confused:  .

Hope you like it though. Great tutorial btw. Maybe add a message about clamassassin? That's for virus scanning.

----------

## greatguru

I'd like to thank beowulf for the EXCELLENT guide on this.  I was just wondering if perhaps you could add the info given by LiamRoutt into the guide about creating your own certs.  I followed the guide to the T earlier today and was frustrated b/c of the Thunderbird errors.  Thunderbird doesn't like unsigned certs. or at least the default ones provided by postfix, so I was stumped for a couple hours until I found that posting on page 20.  Adding it to the guide would be of great benefit to many who use Thunderbird....

also, another small note, but you (in several places) mentioned /etc/courier-imap/authdaemondrc when in fact it's /etc/courier-imap/authdaemonrc.  I don't point this out to be a jerk, only because it stumped me for a little while when tab-completion wasn't getting the file and I was confused as to what file we were looking for...

EXCELLENT guide!!! Thanks a bunch beowulf!!!!!

-GreatGuru

----------

## bubbas

  SCRIPT OUTDATED, newest information in the Bogotrainer-Thread

Hi,

thank you very much for this excellent Howto, beowulf!

I had a little time these days and I was willing to learn Python. So I decided to fine-tune the nice script from Chris Smith, because it is a little outdated and has some problems due to changes in bogofilter and courier-imap. In fact it was already mentioned here in this thread that one needs to add "courierimapkeywords" to the ignored folders. Also the name of the wordlist has changed, so that the script ran the database generation every time instead of only once.

So I wrote the script based on the old one, but with some fancier output and adapted to the current situation; it is also more configurable now. 

If someone wonders why I put so much work into the output, it is because I wanted to practice Gentoo-like console output with Python. All I can say is that I have found my favorite scripting language. Python is great for such small scripts!

Ok now to the script:

It is now in three parts. One is the real bogotrainer script (bogotrainer2.py) with some modifications and some more configuration options, the second a module which contains all the output functions (md_output.py) and the third another module (md_dirtest.py) which contains some tests whether all necessary folders exist. All three parts have to be in the same folder but only bogotrainer2.py needs to be executable (chmod +x bogotrainer2.py). You can find the scripts at the end of my posting in a tar.gz archive which also contains a readme I recommend reading before use, especially for the configuration options! The scripts were too large to post here in the thread and I'm not sure if all the indentation would be OK, so I think it's better to download it:

bogotrainer-2.1.0.tar.gz

For using it just follow section 9. Bogofilter Mail Filtering Solution of this Email System For The Home Network thread until point 9.1.4. Then follow my instructions here.

9.1.4

Copy all three files bogotrainer2.py, md_output.py and md_dirtest.py to a directory. 

for example:

```
~/bin/bogotrainer2.py
~/bin/md_output.py
~/bin/md_dirtest.py
```

9.1.5

Adapt bogotrainer2.py to your needs by changing the configuration options. If you have doubts about how to do that, read the included readme.txt.

Change your maildir if you use something different than ~/.maildir/

Also make sure your bogofilter directory exists and is set correctly in the script.

for example:

```
~/.bogofilter/
```

If you created your ".Spam", ".Spam.False-Positives" and ".Spam.False-Negatives" folders like described in part 9.1.1, you're done; otherwise change the configuration in the script. If you use a Ham folder other than ".Ham" then also configure it.

9.1.6

Make the script executable

```
chmod +x ~/bin/bogotrainer2.py
```

9.1.7

Run it for generating the database with your messages

```
~/bin/bogotrainer2.py
```

9.1.8

In your ~/.procmailrc add these recipes before all your other recipes:

```
# filter mail through bogofilter, tagging it as spam and
# updating the wordlist
:0fw
| bogofilter -d ~/.bogofilter/ -u -e -p

# if bogofilter failed, return the mail to the queue, the MTA will
# retry to deliver it later
# 75 is the value for EX_TEMPFAIL in /usr/include/sysexits.h
:0e
{ EXITCODE=75 HOST }

# file the mail to spam-bogofilter if it's spam.
:0:
* ^X-Bogosity: Yes, tests=bogofilter
.Spam/
```

This was taken from the bogofilter manpage!

where "~/.bogofilter/" has to be the same as you used in the script configuration above and ".Spam/" has to be your spam folder.

9.1.9

Add this line to your crontab:

```
user@server $ crontab -e
01 23 * * * ~/bin/bogotrainer2.py >/dev/null 2>&1
```

This sets it to run once a day at 23:01; you can change it. Once a day is about right. 

This was wrong in the howto on the first page of this thread, because as it is written there it will run every minute from 23:00 to 23:59!

From here you can go on with the original thread again.

Thanks:

I want to thank beowulf for this guide, without it I wouldn't have a running mail system *g*

Thx to Chris Smith for the original bogotrainer script, I learned much from it!

Thx to Merlin-TC for pointing out that IMAP folders containing whitespace weren't working. Fixed now!

Thx to MarkG for pointing out problems with IMAP folders containing some special characters. Fixed now!

I have to say no warranty for what this script does to you or your mail. I have tested it as well as I could, but there can always be situations where a script doesn't do what one expects. You are free to use and modify it, but please let us all know about it so we can make it better or correct errors!

Sorry for bad English!

If you want to contact me, don't hesitate to write me a PM; I will answer as early as I can. I would like to hear your suggestions and also if you find any error!

salu2

vale

ChangeLog:

06-01-2005 

Initial public release 2.0

06-03-2005 

Version 2.1 released

* moved md_bgt.py to md_output.py

* added more tests for checking if all needed directories exists

* moved directory tests to md_dirtest.py, for more clarity

* added support for imap directories containing whitespaces

* fixed broken specific Hamfolder (.Ham) support

* fixed missing import sys in md_output.py

22-03-2005 

Version 2.1.1 

* fix for special characters in imap folder names

Download Script:

Bogotrainer Thread

----------

## stalinski

Real nice guide, especially the one with bogotrainer2 pleases me...

OK, now I will do a little bit of helper work.

Found by looking around in the portage tree and getting a little bit of help from a tutorial in the French forum. ((Which was very annoying, because I don't speak a single word of French...))

The guide can be found under: https://forums.gentoo.org/viewtopic.php?t=246082 written by chipsterjulien.

Thanks to him although I haven't understood his French descriptions  :Wink: 

Virusprotection with Clamassassin and Clamav

what we need:

```
#emerge -a clamassassin clamav
```

Next we have to do some editing of clamav's config files:

/etc/freshclam.conf

comment:

```
9: #example
```

this is everything we have to do there ;)

Next, get /etc/clamd.conf

comment:

```
8: #example
```

uncomment the following lines:

```
76: FixStaleSocket
133: User clamav
190: ScanMail
214: ScanArchive
```

I also activated support for rar archives

```
222: ScanRAR
```

Now we are finished with the configuration.

lets fire up freshclam:

```
/etc/init.d/clamd start
```

And you should get:

```
/etc/init.d/clamd start

 * Starting freshclam...                            [ ok ]
```

Add clamd to the default runlevel:

```
rc-update add clamd default
```

Next we should create a virus folder:

```
maildirmake ~/.maildir/.virus
```

And adjust our .procmailrc:

```
#clamassassin Antivirus...

:0fw: clamassassin.lock

| /usr/bin/clamassassin

:0:

* ^X-Virus-Status: Yes

.Virus/
```

Or use:

```
#clamassassin Antivirus...

:0fw: clamassassin.lock

| /usr/bin/clamassassin

:0e

{ EXITCODE=75 HOST }

:0:

* ^X-Virus-Status: Yes

.Virus/
```

Now we should have finished everything.

Send yourself an email and you should see in its Headers:

```
X-Virus-Status: No
```

if there was a virus inside you should get:

```
X-Virus-Status: Yes
```

and an additional line showing which one was found.

I hope I could have helped a little bit  :Wink: 

----------

## digby_ttf

I'd just like to say thanks for the great guide.

I have just one adjustment I'd make to clarify something.

6.2 Automating and Finalizing

 *Quote:*   

> */10 * * * * /usr/bin/fetchmail -a -s -m "/usr/bin/procmail -d \%T"

 

The command above, most specifically the -a option, caused me some trouble.

I'd worked out how to set one of my accounts to leave messages on the server. 

 *Quote:*   

> set postmaster "2ls-beo"
> 
> poll pop.huah.com with proto POP3 uidl auth password user "beowulf_999" there with password "rpop-pass" is 2ls-beo here options keep warnings 3600 
> ...

 

However I just could not work out why it kept fetching ones it had read already.

It turned out to be the -a option on fetchmail.  This option tells it to collect everything regardless of status.

Whilst this is useful if you check a primary account on another machine,  this is not so useful if you have a work account you need to check with the mail server we have just setup.

Looking into the fetchmail man page reveals the -f option which allows you to specify an alternate path.

Two cron jobs could then be set, one to run fetchmail with the -a reading an rc file that contains the accounts that are to be permanently downloaded, then another without -a that contains accounts that are to be left as found on the server.

I don't think I've explained this too well but I hope you get the idea.

Would it be possible to update the guide to mention the significance of the -a option in certain situations. 

Once again, thanks for the guide.

----------

## aronparsons

For those wanting to use 465 for SSL communications, if Postfix keeps complaining, change the entry in 'master.cf' for 'smtps' to 'ssmtp'.  'smtps' is not defined in /etc/services, thus, Postfix won't start with it enabled.  Just thought I'd add my 2 cents after spending a couple of hours hacking at it.

Sorry if this has been covered, I haven't read through all 22 pages of posts.  :Smile: 

----------

## orionrobots

Having played with this to tighten up security on the orionrobots.co.uk mailserver - I spotted a few things. First I made a fix in the bogo script - so it ignored the courierimapkeywords and courierimaphieracl directories. This was before I noticed the V2.

The other thing is that the clamassassin system is easier to set up than the amavis one initially linked to by the guide. I had a lot of problems with amavis. 

If you find postfix log messages still referring to amavis when you have removed it - try this:

```
 postsuper -r 
```

This will requeue all messages.

I am still playing with this set-up, but at the moment it is catching most spam and viruses, where before I was relying on client filters.

Orion

----------

## lysergicacid

[edit] deleted this post as fixed problem, gone back to gentoo vmail setup [/edit]

----------

## webnoelle

hello  :Smile:  first off i'd like to say that this is a great guide. I struggled through putting together my own email system, before finding this guide. I found some things I very much liked in here, so I went back and fine tuned my own system.

My question is, once SpamAssasin is up and running, and Spam is detected for someone, where does that message go? I remember running the 

```
maildirmake -f spam ~/maildir
```

command. but I didn't see any directory or anything new actually created by that command. I am using squirrelmail, is there a way for that spam to be re-directed to say a squirrelmail folder or something?

Thanks to any help someone can provide!!!

[edit]

I found the .spam directory, but I'm not sure how to tell if the filter is processing correctly. The X-Spam-Level tag in the headers does not have a value next to it. Any ideas? Thanks!

My headers looks like:

```
X-Spam-Checker-Version: SpamAssassin 3.0.2-gr0 (2004-11-16) on
     romeo.webnoelle.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=unavailable
     version=3.0.2-gr0
```

----------

## tkhobbes

Hi there

Please, could someone desperately help me! I did an emerge --world today and now the whole system does not work any more.

It seems to have something to do with new / different authentication mechanisms (or, more precise, with new configuration settings), but since I am not really an expert on these things (yet), I would appreciate if someone could tell me what to alter in order to get my system up and running again.

Neither Squirrelmail ("connection dropped by imap-server") nor my outlook-client (something about "temporary error") do work...

thanks a lot in advance

thomas

----------

## j-m

 *tkhobbes wrote:*   

> Hi there
> 
> It seems to have something to do with new / different authentication mechanisms (or, more precise, with new configuration settings), but since I am not really an expert on these things (yet), I would appreciate if someone could tell me what to alter in order to get my system up and running again.

 

Many threads in this forum: https://forums.gentoo.org/viewforum.php?f=18

Some hints: 

configs moved to /etc/courier/authlib

/etc/init.d/courier-authlib start

----------

## cheeby

Nice hints!

My system was back up and running in under five minutes.  I had to edit authdaemonrc so as to remove authmysql from the authmodulelist:

```
authmodulelist="authshadow authpam"
```

since I noticed in the mail logs:

```
Feb  5 17:13:04 [authdaemond] failed to connect to mysql server (server=mysql.example.com, userid=admin): Unknown MySQL Server Host 'mysql.example.com' (1)
```

that authdaemon was attempting to use a mysql db for authentication, which I don't bother with on this system.

Thanks again!

cheeby

----------

## tkhobbes

Hi all

Thanks a lot - I searched through the forum yesterday already, but somehow nothing did work.

However, after re-booting the server today, everything is up and running again - so probably, I messed up with some init-scripts and lost the overview on which were restarted and which not...  :Smile: 

thomas

----------

## carpman

Hello, having  a little trouble getting this to work and am confused over couple of lines.

In section 3.2 you have line

```
smtpd_client_restrictions = permit_sasl_authenticated, reject
```

With this set, email was not being accepted and the client host was rejected; removing 'reject', it is no longer rejected but I get an error about connection to 127.0.0.0 refused. Went over the guide again and found that I needed to edit this line:

```
smtpd_recipient_restrictions = permit_sasl_authenticated, reject
```

to this

```
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
```

Problem is this line does not exist in the guide! 

Wondering if you mean the first line:

```
smtpd_client_restrictions = permit_sasl_authenticated, reject
```

----------

## carpman

Hello, not sure if this is related to my previous post but will list more details on my problems:

When receiving external email logs show:

```
Feb 18 15:34:47 smartmail postfix/smtpd[26610]: starting TLS engine
Feb 18 15:34:47 smartmail postfix/smtpd[26610]: connect from localhost[127.0.0.1]
Feb 18 15:34:47 smartmail postfix/smtpd[26610]: BB34D658B: client=localhost[127.0.0.1]
Feb 18 15:34:47 smartmail postfix/cleanup[26613]: BB34D658B: message-id=<20050218153412.6FC1CEDFDC@ws6-1.us4.outblaze.com>
Feb 18 15:34:47 smartmail postfix/qmgr[27960]: BB34D658B: from=<michael@mydomain.com>, size=1331, nrcpt=1 (queue active)
Feb 18 15:34:47 smartmail postfix/lmtp[26614]: BB34D658B: to=<sysadmin@localhost.home.com>, orig_to=<sysadmin@localhost>, relay=none, delay=0, status=deferred (connect to 127.0.0.1[127.0.0.1]: Connection refused)
Feb 18 15:34:47 smartmail postfix/smtpd[26610]: disconnect from localhost[127.0.0.1]
```

The sysadmin account does receive error message mail from mailer-daemon ok

The other issue is connecting from kmail, this is for checking mail and trying to subscribe to folders which gives error 'connection to host 192.168.1.3 lost' with messages logs showing:

```
Feb 18 15:34:47 smartmail postfix/smtpd[26610]: disconnect from localhost[127.0.0.1]
Feb 18 15:35:57 smartmail imapd-ssl: Connection, ip=[::ffff:192.168.1.189]
Feb 18 15:35:57 smartmail authdaemond: ldap_simple_bind_s failed: Can't contact LDAP server
Feb 18 15:35:57 smartmail imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:192.168.1.189]
Feb 18 15:35:57 smartmail imapd-ssl: authentication error: Input/output error
Feb 18 15:35:59 smartmail postfix/qmgr[27960]: 12F1F6588: from=<michael@innes.com>, size=1331, nrcpt=1 (queue active)
Feb 18 15:35:59 smartmail postfix/qmgr[27960]: 22DEB4EC0: from=<michael@innes.com>, size=1331, nrcpt=1 (queue active)
Feb 18 15:35:59 smartmail postfix/lmtp[26614]: 12F1F6588: to=<sysadmin@localhost.getsmaart.com>, orig_to=<sysadmin@localhost>, relay=none, delay=1085, status=deferred (connect to 127.0.0.1[127.0.0.1]: Connection refused)
Feb 18 15:36:00 smartmail postfix/lmtp[26619]: 22DEB4EC0: to=<sysadmin@localhost.getsmaart.com>, orig_to=<sysadmin@localhost>, relay=none, delay=1276, status=deferred (connect to 127.0.0.1[127.0.0.1]: Connection refused)
```

any ideas?

cheers

----------

## carpman

sorted  :Smile: 

----------

## tkhobbes

Hi all

It's me again.  :Smile: 

Now, after I have set up a Gentoo client with Evolution, I want to be able to connect to my IMAP server, of course.

However, the connection does not work; Evolution (2.0.2) is either complaining about "connection refused" (when using SSL and authentication method=password) or about "authentication method digest-md5 not supported" when using SSL and authentication method digest-md5.

What do I need to do? I mean, it worked in Outlook, so it can't be...  :Wink: 

----------

## carpman

Hello, OK, I'm setting this up behind a firewall, Smoothwall Corp, and was wondering if I can set it so local users do not need all the security settings and can log on without them, just keeping the security side of things for remote logins?

Or is this not possible?

cheers

----------

## carpman

Have few points need clearing up:

when starting courier-imap-ssl the service starts ok but there is nothing about authdaemon.plain starting which is what is shown happening in this guide.

I can start the authdaemon.plain manually ok.

I have tried connecting to the server via Thunderbird; it seems to connect OK but I cannot subscribe to any folders?

Also I want to run fetchmail as a daemon; how do I set it so that with anti-virus it is forwarded to port 25 as suggested in the guide?

also couple questions about config file:

/etc/conf.d/saslauthd

in the line

```
sasl_rimap-hostname""
```

should there be something between the "" ?

There is also an uncommented line

```
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam"
```

should this be uncommented?

cheers

----------

## rpmohn

 *tkhobbes wrote:*   

> Hi all
> 
> It's me again. 
> 
> Now, after I have set up a Gentoo client with Evolution, I want to be able to connect to my IMAP server, of course.
> ...

 

I'm having this exact same problem with Evolution  :Sad:   ! If you have resolved this, please tell me how!

Thanks! -RPM

----------

## bubbas

I think you have made a non-standard SSL certificate

----------

## rpmohn

 *bubbas wrote:*   

> I think you have made a non-standard SSL certificate

 

Sounds reasonable. I'll try making a new one...

----------

## rpmohn

 *rpmohn wrote:*   

>  *bubbas wrote:*   I think you have made a non-standard SSL certificate 
> 
> Sounds reasonable. I'll try making a new one...

 

No luck on that. Interesting piece of information -- I was able to set up mutt to use IMAP-SSL and connect successfully, so it seems to definitely be a problem with my emerge of Evolution  :Sad:  . I'm about to emerge thunderbird and give that a try as well...

Any thoughts? -RPM

----------

## rpmohn

 *rpmohn wrote:*   

> Interesting piece of information -- I was able to set up mutt to use IMAP-SSL and connect successfully, so it seems to definitely be a problem with my emerge of Evolution  . I'm about to emerge thunderbird and give that a try as well...

 

Deleting the email accounts, closing evolution, then creating the email accounts all over again solved the problem. I'll never hear the end of this from my wife.  :Sad:   :Mad:   :Sad: 

-RPM

----------

## tkhobbes

Hi all

 *rpmohn wrote:*   

> 
> 
> Deleting the email accounts, closing evolution, then creating the email accounts all over again solved the problem. I'll never hear the end of this from my wife.   
> 
> -RPM

 

OK - could you give me the exact steps you performed?

I mean: You created a new certificate - how did you do that (I mean, basically I know how to do this, but apparently, it did not work...)

And: what settings do you use with Evolution now?

Thanks a lot!

----------

## rpmohn

 *tkhobbes wrote:*   

> OK - could you give me the exact steps you performed?
> 
> I mean: You created a new certificate - how did you do that (I mean, basically I know how to do this, but apparently, it did not work...)
> 
> And: what settings do you use with Evolution now?

 

Sure thing. I did several things that did not solve the problem, but you may want to try them as necessary. First was to unmerge / emerge evolution. Then I tried creating a new certificate by verifying my entries in the [req_dn] section of /etc/courier-imap/imapd.cnf and then running mkimapdcert while in the /etc/courier-imap directory. Neither of those fixed the problem.

What fixed the problem was to

1. Startup evolution and go to Tools/Settings...

2. From there, you highlight your email account and press Remove

3. Then you close evolution down

4. When you start it up again, enter your email account settings exactly as before

5. The key points are to choose the IMAP Server type for receiving mail, and to use SSL

Let me know if it works! -RPM

----------

## tkhobbes

Funny - I re-created the account, it works now...  :Smile: 

Well, don't bother WHY - main thing is, it DOES work...  :Smile: 

thanks

----------

## bubbas

Updated the bogotrainer2 script to Version 2.1.0

06-03-2005 

Version 2.1 released 

* moved md_bgt.py to md_output.py 

* added more tests for checking if all needed directories exists 

* moved directory tests to md_dirtest.py, for more clarity 

* added support for imap directories containing whitespaces 

* fixed broken specific Hamfolder (.Ham) support 

* fixed missing import sys in md_output.py

Read my posting here

Thx to Merlin-TC for pointing out the problem with whitespaces!

bye

vale

----------

## slestak

for anyone having troubles with the courier-authlib conversion, just try rebooting.  I spent most of the afternoon trying this, looking at that, rebooted and it worked fine.

----------

## MarkG

 *bubbas wrote:*   

> Updated the bogotrainer2 script to Version 2.1.0
> 
> 06-03-2005 
> 
> Version 2.1 released 
> ...

 

Single quotes in imap directory names cause problems  :Sad: 

MarkG

PS I like the scripts output  :Smile: 

----------

## bubbas

hi MarkG,

can you post an example of such an foldername please?

thank you for contributing

bye

vale

----------

## MarkG

 *bubbas wrote:*   

> hi MarkG,
> 
> can you post an example of such an foldername please?
> 
> 

 

```
Sarah's Notes
```

I've just discovered '&' characters are a problem, as in:

```
Sue & Dean
```

the actual directory name in .maildir for this one turns out to be

```
.Sue &- Deean
```

MarkG

----------

## bubbas

thank you!

You are right this doesnt work. I will look at it after tuesday!

cu

bubbas

----------

## bubbas

Updated the bogotrainer2 script to Version 2.1.1 

22-03-2005

Version 2.1.1

* fix for special characters in imap folder names

Read my posting here

Thx to MarkG for pointing out this problem!

bye 

vale

----------

## MarkG

Ok, the fix for special characters in folder names seems to work.

I'm not using the script at the moment for a few reasons:

i) For historic reasons I have multiple spam folders; the script only allows for one spam folder. I guess I need to throw out some spam. 

ii) The script doesn't seem to like running as a cron job. I think it's something to do with the TERM environment variable. I have a hacked version of the original script that has no output when there is nothing to do, so I only get a cron email when something happens. It would be nice if the script had a quiet option to turn off that lovely output when used in a cron job.

iii) The script is very slow to generate the initial wordlist.db. I have a year's worth of spam, ~20,000 emails, and a similar amount of ham mails, which I used to rebuild the wordlist.db. As yet I have not had the patience to let the script run to completion (I run it on a 1.2GHz VIA C3 Mini-ITX board). To rebuild my wordlist.db I used bogofilter -B (bulk mode), which is a lot quicker than classifying mails individually. The script should probably be updated to use this technique.

I hope these suggestions are useful

MarkG
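
A training script in the spirit of the 9.1.4 to 9.1.9 procedure above and of MarkG's three points (several spam folders, a quiet mode for cron, bogofilter's bulk mode instead of one process per message). This is an added example written for this thread, not bubbas' bogotrainer2.py or Chris Smith's original; the folder list, the flag table and the sample Maildir it builds are constructed for the example.

```python
#!/usr/bin/env python3
"""Train bogofilter from courier-imap Maildir folders (added example).
Folder names never pass through a shell: bogofilter's streaming bulk mode
(-b) reads file names from stdin, so "Sarah's Notes" or a courier folder
such as ".Sue &- Dean" need no quoting and argv stays short however many
messages there are.  Missing or empty folders are skipped silently."""
import argparse
import os
import subprocess
import sys
import tempfile

# Folder -> bogofilter registration flags (see bogofilter(1)):
#   -s learn as spam, -n learn as ham,
#   -Sn forget spam and learn ham (false positive), -Ns the reverse.
# Several spam folders are simply several entries with "-s" (constructed list).
DEFAULT_PLAN = [
    (".Spam", "-s"),
    (".Spam.Old", "-s"),
    (".Ham", "-n"),
    (".Spam.False-Positives", "-Sn"),
    (".Spam.False-Negatives", "-Ns"),
]
# Messages of a correction folder are moved here once trained, so the next
# cron run does not apply the same correction a second time.
CORRECTION_TARGET = {".Spam.False-Positives": ".Ham",
                     ".Spam.False-Negatives": ".Spam"}


def maildir_messages(folder):
    """Message files of one Maildir folder (cur/ and new/), sorted."""
    found = []
    for sub in ("cur", "new"):
        d = os.path.join(folder, sub)
        if os.path.isdir(d):
            found.extend(os.path.join(d, f) for f in os.listdir(d)
                         if not f.startswith("."))
    return sorted(found)


def plan_training(maildir, plan=DEFAULT_PLAN, bogodir="~/.bogofilter"):
    """Return (folder, argv, messages) jobs for existing, non-empty folders."""
    bogodir = os.path.expanduser(bogodir)
    jobs = []
    for name, flags in plan:
        msgs = maildir_messages(os.path.join(maildir, name))
        if msgs:
            jobs.append((name, ["bogofilter", "-d", bogodir, "-b", flags], msgs))
    return jobs


def run_training(maildir, jobs, dry_run=False, quiet=False):
    """Run the jobs and return how many succeeded."""
    done = 0
    for name, argv, msgs in jobs:
        if not quiet:
            print(f"{name}: {len(msgs)} message(s) -> {' '.join(argv)}")
        if not dry_run:
            # One bogofilter process per folder; file names go in on stdin.
            proc = subprocess.run(argv, input="\n".join(msgs) + "\n", text=True)
            if proc.returncode != 0:
                print(f"{name}: bogofilter exited {proc.returncode}", file=sys.stderr)
                continue
            target = CORRECTION_TARGET.get(name)
            if target and os.path.isdir(os.path.join(maildir, target, "cur")):
                for m in msgs:
                    os.rename(m, os.path.join(maildir, target, "cur",
                                              os.path.basename(m)))
        done += 1
    return done


def make_sample_maildir():
    """Constructed sample Maildir (temporary directory) for an offline dry run."""
    root = tempfile.mkdtemp(prefix="maildir-")
    layout = [(".Spam", "cur", ["1.S", "2.S"]),
              (".Spam.False-Positives", "new", ["3"]),
              (".Sue &- Dean", "cur", ["4.S"])]    # user folder, not in the plan
    for folder, sub, names in layout:
        d = os.path.join(root, folder, sub)
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "w") as f:
                f.write("Subject: sample\n\nconstructed message\n")
    return root


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--maildir", default="~/.maildir")
    ap.add_argument("--bogodir", default="~/.bogofilter")
    ap.add_argument("--dry-run", action="store_true", help="only show the jobs")
    ap.add_argument("--quiet", action="store_true", help="for cron: no output")
    args = ap.parse_args()
    md = os.path.expanduser(args.maildir)
    run_training(md, plan_training(md, bogodir=args.bogodir),
                 dry_run=args.dry_run, quiet=args.quiet)
```

With `--quiet` in the crontab line from 9.1.9 the job only ever mails you bogofilter's own error output.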

----------

## rpmohn

I've been using this setup for over a year now and it's great! But I still have one problem. I can't seem to get a simple perl script using either Net::SMTP or Net::SMTP_auth to relay email outside my network! I've tried many things, but I always get the same error:

```
Mar 22 23:04:08 porcupine postfix/smtpd[3760]: NOQUEUE: reject: RCPT from porcupine.adelphia.net[192.168.1.2]: 554 <porcupine.adelphia.net[192.168.1.2]>: Client host rejected: Access denied; from=<tenshi> to=<rpmohn> proto=ESMTP helo=<localhost.localdomain>
```

Here is the Net::SMTP code I'm testing:

```
#!/usr/bin/perl -w
use strict;
use Net::SMTP;

# The host must be a quoted string: an unquoted 192.168.1.2 is a Perl v-string.
my $smtp = Net::SMTP->new('192.168.1.2') or die "connect failed: $@";

# auth() needs the Authen::SASL module; without it auth() returns false.
if (!$smtp->auth('rpmohn', 'passwd')) {print "auth failed";}

$smtp->mail('tenshi');
$smtp->to('rpmohn@external.com');
$smtp->data();
$smtp->datasend("To: Me\n");
$smtp->datasend("\n");
$smtp->datasend("A simple test message\n");
$smtp->dataend();
$smtp->quit;
```

And here's the Net::SMTP_auth code I'm testing:

```
#!/usr/bin/perl -w
use strict;
use Net::SMTP_auth;

#my $method="LOGIN";
my $method="PLAIN";
#my $method="CRAM-MD5";

# The host must be a quoted string: an unquoted 192.168.1.2 is a Perl v-string.
my $smtp = Net::SMTP_auth->new('192.168.1.2') or die "connect failed: $@";

# auth(METHOD, USER, PASSWORD); the SASL mechanism must be one the server offers.
if (!$smtp->auth($method, 'rpmohn', 'passwd')) {print "auth failed";}

$smtp->mail('tenshi');
$smtp->to('rpmohn@external.com');
$smtp->data();
$smtp->datasend("To: Me\n");
$smtp->datasend("\n");
$smtp->datasend("A simple test message\n");
$smtp->dataend();
$smtp->quit;
```

No matter what I try, I get auth failed printed out and the above error in messages. Note that the scripts DO work if it is an internal email address even though auth failed still prints out.

Any advise appreciated!

Thanks! -RPM

----------

## MarkG

 *rpmohn wrote:*   

> I've tried many things, but I always get the same error: 
> 
> ```
> Mar 22 23:04:08 porcupine postfix/smtpd[3760]: NOQUEUE: reject: RCPT from porcupine.adelphia.net[192.168.1.2]: 554 <porcupine.adelphia.net[192.168.1.2]>: Client host rejected: Access denied; from=<tenshi> to=<rpmohn> proto=ESMTP helo=<localhost.localdomain>
> ```
> ...

 

What are your  smtpd_client_restrictions settings in the postfix/main.cf

MarkG

----------

## DrWilken

I've had a few problems with the smtpd_client_restrictions line in postfix main.cf (/etc/postfix/main.cf).

When I comment it out it all works, but then I guess it's not authenticated through SASL??

If I leave as the guide suggests:

```
smtpd_client_restrictions = permit_sasl_authenticated, reject
```

I can't receive mails from outside. I get "... Client host rejected: Access denied ..."

If I edit it to:

```
smtpd_client_restrictions  = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
```

it works perfectly fine.... BUT:

What have I actually done? In the guide You use reject NOT reject_unauth_destination.

BTW my smtpd_recipient_restrictions line is the same as the smtpd_client_restrictions above...

----------

## rpmohn

 *MarkG wrote:*   

>  *rpmohn wrote:*   I've tried many things, but I always get the same error: 
> 
> ```
> Mar 22 23:04:08 porcupine postfix/smtpd[3760]: NOQUEUE: reject: RCPT from porcupine.adelphia.net[192.168.1.2]: 554 <porcupine.adelphia.net[192.168.1.2]>: Client host rejected: Access denied; from=<tenshi> to=<rpmohn> proto=ESMTP helo=<localhost.localdomain>
> ```
> ...

 

Just as in the guide:

```
smtpd_client_restrictions = permit_sasl_authenticated, reject
```

But I must admit that I don't fully understand this line...

Any insight? -RPM

----------

## bubbas

@MarkG,

thx for the suggestions. Here it works with a cron job, just like I wrote in the howto. But sure, it's a nice idea to disable output. I will try to implement some of your suggestions, but this will take some time because I am a little busy at the moment.

But I really appreciate that you post your experience and all these suggestions!

cu

vale

----------

## rpmohn

 *DrWilken wrote:*   

> If I edit it to:
> 
> ```
> 
> smtpd_client_restrictions  = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
> ...

 

This sounds promising. I'll give it a try, but I would have the same question: What have I actually done?

EDIT: This seems to have worked. I made the change to my smtpd_client_restrictions only and now I can send out emails from the command line to external sites. Why is this change necessary?

Thanks! -RPM

----------

## MarkG

 *DrWilken wrote:*   

> 
> 
> If I edit it to:
> 
> ```
> ...

 

I would have thought 

```
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
```

would have been correct; I don't see reject_unauth_destination documented in the smtpd_client_restrictions documentation.

This doesn't answer why rpmohn's Perl scripts require the permit_mynetworks setting. I guess that the Perl script is failing to authenticate via SASL correctly and is being allowed as it passes the mynetworks check. Anyone understand the Perl script?

MarkG

----------

## rpmohn

 *MarkG wrote:*   

> I would have thought 
> 
> ```
> 
> smtpd_client_restrictions  = permit_sasl_authenticated, permit_mynetworks, reject
> ...

 

You are correct! The reject_unauth_destination restriction is only documented for smtpd_recipient_restrictions, which, BTW, I don't have set at all.

 *Quote:*   

> This doesn't answer why rpmohn's Perl scripts require the permit_mynetworks setting. I guess that the Perl script is failing to authenticate via SASL correctly and is being allowed as it passes the mynetworks check. Anyone understand the Perl script?

 

I understand the Perl script well enough, but don't know why Postfix is rejecting my authorization attempts. Is there a debug mode for Postfix that would show more info?

-RPM
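The question "what have I actually done?" comes down to how Postfix walks a restriction list: each entry answers permit, reject or no opinion, the first permit/reject wins, and a list that runs out permits. Because Postfix evaluates these lists at RCPT TO time by default (smtpd_delay_reject = yes), a recipient-based entry such as reject_unauth_destination does take effect inside smtpd_client_restrictions even though the manual documents it under smtpd_recipient_restrictions. The small evaluator below is an added example, not code from the guide or from anyone in this thread; the server (LAN 192.168.1.0/24, local domain "homedomain") and the client addresses are constructed. It shows that "permit_sasl_authenticated, reject" turns away every unauthenticated client, including an outside MTA delivering mail for your own domain (DrWilken's symptom); that DrWilken's list lets such mail in and lets an unauthenticated LAN script send out via permit_mynetworks (MarkG's reading of why rpmohn's script started working); and that none of the three lists is an open relay, whereas a list with neither a terminal reject nor reject_unauth_destination is one.

```python
"""Toy evaluator for Postfix smtpd_*_restrictions lists.

Added example, not code from the guide or from anyone in this thread. It
models only the five restrictions discussed above, on a constructed home
server, to show what each of the three lists actually decides.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

# The three lists under discussion (real Postfix restriction names).
GUIDE = "permit_sasl_authenticated, reject"
DRWILKEN = "permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"
MARKG = "permit_sasl_authenticated, permit_auth_destination, reject"


@dataclass
class ServerConfig:
    mynetworks: list                    # CIDR strings, as written in main.cf
    mydestination: set                  # domains delivered locally
    relay_domains: set = field(default_factory=set)

    def is_mynetwork(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        # strict=False also accepts host-style prefixes such as 192.168.1.1/24
        return any(addr in ipaddress.ip_network(n, strict=False)
                   for n in self.mynetworks)

    def is_auth_destination(self, recipient: str) -> bool:
        domain = recipient.rpartition("@")[2].lower()
        return domain in self.mydestination or domain in self.relay_domains


@dataclass
class Session:
    client_ip: str
    recipient: str
    sasl_username: Optional[str] = None  # None: client did not authenticate


def evaluate(restrictions: str, cfg: ServerConfig, s: Session) -> Tuple[str, Optional[str]]:
    """Walk the comma-separated list left to right.

    Each restriction answers PERMIT, REJECT or "no opinion"; the first
    PERMIT/REJECT wins. As in Postfix, running off the end means PERMIT.
    Returns (decision, name of the restriction that decided, or None).
    """
    for name in (r.strip() for r in restrictions.split(",") if r.strip()):
        if name == "permit_sasl_authenticated" and s.sasl_username is not None:
            return "PERMIT", name
        if name == "permit_mynetworks" and cfg.is_mynetwork(s.client_ip):
            return "PERMIT", name
        if name == "permit_auth_destination" and cfg.is_auth_destination(s.recipient):
            return "PERMIT", name
        if name == "reject_unauth_destination" and not cfg.is_auth_destination(s.recipient):
            return "REJECT", name
        if name == "reject":
            return "REJECT", name
        # no opinion: fall through to the next restriction
    return "PERMIT", None


def is_open_relay(restrictions: str, cfg: ServerConfig) -> bool:
    """Defender's check: may an unauthenticated stranger relay through us
    to a domain we are not responsible for?"""
    probe = Session(client_ip="203.0.113.10",          # TEST-NET-3, constructed
                    recipient="someone@example.org")   # not one of our domains
    return evaluate(restrictions, cfg, probe)[0] == "PERMIT"


# Constructed home server: LAN 192.168.1.0/24, local domain "homedomain".
HOME = ServerConfig(mynetworks=["127.0.0.0/8", "192.168.1.0/24"],
                    mydestination={"homedomain"})


def thread_scenarios(cfg: ServerConfig = HOME) -> dict:
    """Each list against: an outside MTA delivering to us, an authenticated
    LAN client sending out, and an unauthenticated LAN script sending out
    (the situation rpmohn's Perl script was in)."""
    inbound = Session("198.51.100.7", "markg@homedomain")
    lan_auth = Session("192.168.1.2", "friend@example.org", sasl_username="markg")
    lan_noauth = Session("192.168.1.2", "friend@example.org")
    out = {}
    for label, rules in (("guide", GUIDE), ("drwilken", DRWILKEN), ("markg", MARKG)):
        out[(label, "inbound")] = evaluate(rules, cfg, inbound)
        out[(label, "lan_auth")] = evaluate(rules, cfg, lan_auth)
        out[(label, "lan_noauth")] = evaluate(rules, cfg, lan_noauth)
        out[(label, "open_relay")] = is_open_relay(rules, cfg)
    return out


if __name__ == "__main__":
    for key, value in sorted(thread_scenarios().items()):
        print(f"{key[0]:<9} {key[1]:<11} {value}")
```

The practical reading: if the box only ever receives mail through fetchmail and relays outbound through the ISP, the guide's "permit_sasl_authenticated, reject" is the tightest choice; as soon as an MX record points at it, the list must let unauthenticated clients deliver to your own domains, and reject_unauth_destination (or permit_auth_destination followed by reject) is what keeps that from becoming an open relay.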

----------

## MarkG

 *rpmohn wrote:*   

> 
> 
> ```
> #!/usr/bin/perl -w
> 
> ...

 

Is Net::SMTP_auth in an ebuild? If it is I cant find it.

I've got a quiet couple of days so I thought I'd brush up on my Perl...

MarkG

Last edited by MarkG on Thu Mar 24, 2005 10:45 am; edited 1 time in total

----------

## rpmohn

 *MarkG wrote:*   

>  *rpmohn wrote:*   
> 
> ```
> #!/usr/bin/perl -w
> 
> ...

 

Nope. Run the cpan command and then from the cpan prompt type in install Net::SMTP_auth. Let me know if you find anything. I won't have a chance to play with this again until after this weekend.

Thanks! -RPM

----------

## MarkG

 *rpmohn wrote:*   

> I always get the same error:
> 
> ```
> Mar 22 23:04:08 porcupine postfix/smtpd[3760]: NOQUEUE: reject: RCPT from porcupine.adelphia.net[192.168.1.2]: 554 <porcupine.adelphia.net[192.168.1.2]>: Client host rejected: Access denied; from=<tenshi> to=<rpmohn> proto=ESMTP helo=<localhost.localdomain>
> ```
> ...

 

I've had a play with the Perl scripts and it all seems to work for me. I had to modify them as there was a missing quote on the user name as originally posted (that's not the problem, I hope!). I have tried running the scripts both locally on the mail server and on another client machine on my network. Both give the same results except for the 'connect from unknown[192.168.99.4]' problem, see below.

My smtpd_client_restrictions are 

```
smtpd_client_restrictions = permit_sasl_authenticated, permit_auth_destination, reject
```

which should give the same result as the default setting in this guide, as I'm not sending to an authorised destination.

The plain Net::SMTP script:

```
#!/usr/bin/perl -w
use strict;
use Net::SMTP;

# Plain SMTP session with no authentication at all
my $smtp = Net::SMTP->new("mail.homedomain")
    or die "Cannot connect to mail.homedomain: $!";

$smtp->mail("markg\@porthos.homedomain");
$smtp->to("markg\@someware.co.uk");
$smtp->data();
$smtp->datasend("To: Me\n");
$smtp->datasend("\n");
$smtp->datasend("A simple test message\n");
$smtp->datasend("With no auth\n");
$smtp->dataend();
$smtp->quit;
```

I get the expected Access denied, as there is no authorisation:

```
Mar 25 13:09:44 porthos postfix/smtpd[29117]: connect from unknown[192.168.99.4]
Mar 25 13:09:44 porthos postfix/smtpd[29117]: NOQUEUE: reject: RCPT from unknown[192.168.99.4]: 554 <unknown[192.168.99.4]>: Client host rejected: Access denied; from=<markg@porthos.homedomain> to=<markg@someware.co.uk> proto=ESMTP helo=<localhost.localdomain>
Mar 25 13:09:44 porthos postfix/smtpd[29117]: disconnect from unknown[192.168.99.4]
```

The Net::SMTP_auth script:

```
#!/usr/bin/perl -w
use strict;
use Net::SMTP_auth;

# SASL mechanism to use; the server must advertise it (see auth_types below)
my $method = "PLAIN";

my $smtp = Net::SMTP_auth->new("mail.homedomain")
    or die "Cannot connect to mail.homedomain: $!";

#print ($smtp->auth_types());

# Authenticate before MAIL FROM, otherwise permit_sasl_authenticated never matches
if (!$smtp->auth($method, 'markg', 'passwd')) { print "auth failed\n"; }

$smtp->mail("markg\@porthos.homedomain");
$smtp->to("markg\@someware.co.uk");
$smtp->data();
$smtp->datasend("To: Me\n");
$smtp->datasend("\n");
$smtp->datasend("A simple test message\n");
$smtp->datasend("With Auth PLAIN\n");
$smtp->dataend();
$smtp->quit;
```

Works with no errors:

```
Mar 25 13:16:56 porthos postfix/smtpd[29158]: connect from unknown[192.168.99.4]
Mar 25 13:16:56 porthos postfix/smtpd[29158]: 204E57E7: client=unknown[192.168.99.4], sasl_method=PLAIN, sasl_username=markg
Mar 25 13:16:56 porthos postfix/cleanup[29159]: 204E57E7: message-id=<20050325131656.204E57E7@porthos.homedomain>
Mar 25 13:16:56 porthos postfix/qmgr[29027]: 204E57E7: from=<markg@porthos.homedomain>, size=394, nrcpt=1 (queue active)
Mar 25 13:16:56 porthos postfix/smtpd[29158]: disconnect from unknown[192.168.99.4]
```

The only strange thing is this:

```
Mar 25 13:16:56 porthos postfix/smtpd[29158]: warning: smtpd_peer_init: 192.168.99.4: address not listed for hostname porthos.homedomain
Mar 25 13:16:56 porthos postfix/smtpd[29158]: connect from unknown[192.168.99.4]
```

as I'm running the script on porthos [192.168.99.4], which is the mail server running postfix and dns, which normally has no problem resolving its own name! I think this is unrelated though.

I guess this doesn't help, as it all points to a problem with your server configuration, but you know that.

MarkG

----------

## Strowi

hi,

This guide is really great! After struggling with qmail for a long time, this worked fine after about 1 hour.

But I have a question left: Is it somehow possible to make fetchmail/sa-learn run globally? I would like to make fetchmail run for every user, without the need for user interaction (well, users only specify .fetchmailrc, but not the cronjob).

Another question that came to my mind: Is there a mail-client who can manage server-side filtering rules (i suppose no, but please correct me;))?

----------

## jack_mort

Hi,

I followed this guide to install a mail server and everything is OK, except pop access !

With IMAP, I get my mails in thunderbird without any problem, but with pop3, I don't get anything... I verified the courier-pop daemon is up and running, and everything seems OK. Anyone with an idea ?

----------

## MasterC

Port related?

Any logs you can post with ANY error message?

COol

----------

## jack_mort

Well, I don't have ANY error, in ANY log. Everything seems OK...

Edit: it works! Strange... I just stopped the daemon, regenerated a new SSL key, and now it's OK!

----------

## jack_mort

Just another couple of questions: is there a way to make the Sent/Trash/etc folders not show as Inbox subfolders (within Thunderbird) when using IMAP? And is using pop3 access with spamassassin useful, or does it only make sense with IMAP?

----------

## bubbas

So there it is, an all new bogotrainer version. Many new features and better than ever.

Support-Thread

Please for questions and suggestions use the new Thread!

cu

bubbas

----------

## odborg

i wish to relay some domains how do i go about this?

example

I and a friend both have a user with the same name on our servers (two separate domains).

I wish to be able to work as a relay for his server (sort of an MX backup) so that if his machine is not online people can still send mail to him.

If I receive a mail to user@mydomain.com it will be delivered to the inbox of 'user' on my machine.

If I receive a mail to user@hisdomain.com it will be delivered to the inbox of 'user' on his machine.

It would be perfect if I could also relay user@thirddomain.com to someothername@yahoo.com.

I would like to have general solution, not through procmail for each user. 

Any ideas where I should go looking?

----------

## Sanjiyan

I seem to have found a problem with sending email via this HOWTO:

I can send emails from my email clients just fine, but when I try to send email via the SquirrelMail webmail software, my ISP bounces back with the following error message:

(Attached is the entire message, including headers)

```
Received: from pop3.blueyonder.co.uk [195.188.53.61]
     by localhost with POP3 (fetchmail-6.2.5)
     for xxxx@localhost (single-drop); Sun, 29 May 2005 14:50:15 +0100 (BST)
Received: from smtp-in2.blueyonder.co.uk ([172.23.146.13]) by cluster3 with Microsoft SMTPSVC(5.0.2195.6713); Sun, 29 May 2005 14:48:34 +0100
MIME-Version: 1.0
Content-Type: multipart/report;
     report-type=delivery-status;
     boundary="----_=_NextPart_001_01C56455.1B9A87FE"
X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0
Received: from eback03.blueyonder.co.uk ([195.188.53.214]) by smtp-in2.blueyonder.co.uk with Microsoft SMTPSVC(5.0.2195.6713); Sun, 29 May 2005 14:48:34 +0100
Received: from [172.23.164.205] (helo=anti-virus02-08) by eback03.blueyonder.co.uk with smtp (Exim 4.32) id 1DcO8r-0005Yf-2S for xxxxx@blueyonder.co.uk; Sun, 29 May 2005 14:47:49 +0100
Received: from [195.188.213.7] (helo=smtp-out4.blueyonder.co.uk) by exim8.blueyonder.co.uk with esmtp (Exim 4.41) id 1DcO84-0006Y8-Jg for xxxx@blueyonder.co.uk; Sun, 29 May 2005 14:47:00 +0100
X-DSNContext: 7ce717b1 - 1184 - 00000002 - 00000000
X-Envelope-To: xxxx@blueyonder.co.uk
Return-Path:
X-OriginalArrivalTime: 29 May 2005 13:48:34.0670 (UTC) FILETIME=[1B8620E0:01C56455]
content-class: urn:content-classes:dsn
Subject: Undeliverable:sdfsf
Date: Sun, 29 May 2005 14:48:34 +0100
Message-ID: <YQtv4dXwu000c954e@smtp-out4.blueyonder.co.uk>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: sdfsf
Thread-Index: AcVkVRuYI2H4MFWzSFynf3iarJHmzwAAAAB8
From: "System Administrator" <postmaster@blueyonder.co.uk>
To: <xxx@blueyonder.co.uk>

Your message

  To:      xxxx@blueyonder.co.uk
  Subject: sdfsf
  Sent:    Sun, 29 May 2005 14:50:07 +0100

did not reach the following recipient(s):

xxxxx@blueyonder.co.uk on Sun, 29 May 2005 14:48:33 +0100
    The message contains a content type that is not supported
    <smtp-out4.blueyonder.co.uk #5.6.1 smtp;554 5.6.1 Body type not
supported by Remote Host>
```

Any ideas?

----------

## linux_girl

I'd like to see a printable version of this howto.

[EDIT:] Being French, I am wondering: is False-Negatives the folder where I should move spam that wasn't caught by bogo?[/EDIT]

[EDIT 2]

I've set gotmail to retrieve all of Hotmail's email, not only new, and I set it to delete, but it didn't delete already read mails. So every 10 minutes it was adding duplicates to the mailbox.

Workaround: move all of ~/.maildir/IN-hotmail/cur/* to /tmp/mails, then add these rules at the top of ~/.procmailrc:

```
:0 Whc:msgid.lock
|formail -D 8192 msgid.cache

:0 a:
.duplicates/
```

then 

```
cd /tmp/mails
for i in * ;do procmail <$i && rm $i;done
```

This will put all duplicate mails in ~/.maildir/.duplicates; you could also move them to /dev/null if you want.
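What the two recipes above do, as an added example in Python rather than code from linux_girl's post: formail -D keeps a cache of Message-IDs and exits successfully when the current message's ID is already in it, which the following `:0 a:` recipe then files under .duplicates/. The class below keeps the same kind of bounded cache (bounded by entry count here, where formail -D's argument is a byte size) and classifies a constructed list of raw messages; messages without a Message-ID are treated as new, which is an assumption of this example.

```python
"""Added example (not from the post): a Message-ID duplicate filter in the
spirit of `formail -D <size> msgid.cache`, used to divert re-fetched
Hotmail messages before procmail delivers them a second time."""
from collections import OrderedDict
from email import message_from_string
from typing import List, Optional


class MessageIdCache:
    """Bounded, insertion-ordered set of Message-IDs (oldest evicted first).
    The bound counts entries, whereas formail -D's argument is a byte size."""

    def __init__(self, capacity: int = 8192) -> None:
        self.capacity = capacity
        self._seen = OrderedDict()

    def is_duplicate(self, msgid: Optional[str]) -> bool:
        """True if this ID was seen before; records it otherwise.
        Messages without a Message-ID are treated as new (assumption)."""
        if msgid is None:
            return False
        if msgid in self._seen:
            self._seen.move_to_end(msgid)   # refresh as most recently seen
            return True
        self._seen[msgid] = None
        while len(self._seen) > self.capacity:
            self._seen.popitem(last=False)  # evict the oldest ID
        return False


def message_id(raw: str) -> Optional[str]:
    """Extract the Message-ID header from a raw RFC 822 message, or None."""
    value = message_from_string(raw).get("Message-ID")
    return value.strip() if value else None


def classify(raw_messages: List[str], capacity: int = 8192) -> List[str]:
    """Run messages through the cache in order; 'duplicate' is what the
    `:0 a:` recipe would file under .duplicates/."""
    cache = MessageIdCache(capacity)
    return ["duplicate" if cache.is_duplicate(message_id(raw)) else "new"
            for raw in raw_messages]


# Constructed sample: two distinct messages, a re-fetched copy of the first,
# and two messages that carry no Message-ID at all.
MSG_A = "From: a@example.org\nMessage-ID: <a1@example.org>\nSubject: one\n\nbody one\n"
MSG_B = "From: b@example.org\nMessage-ID: <b2@example.org>\nSubject: two\n\nbody two\n"
MSG_NOID = "From: c@example.org\nSubject: no id\n\nbody three\n"
SAMPLE_MESSAGES = [MSG_A, MSG_B, MSG_A, MSG_NOID, MSG_NOID]

if __name__ == "__main__":
    for verdict, raw in zip(classify(SAMPLE_MESSAGES), SAMPLE_MESSAGES):
        print(verdict, message_id(raw))
```

The cache size matters the same way it does for formail -D: once it is smaller than the number of messages re-fetched in one run, old IDs are evicted and the same message is accepted as new again, which is why the recipe uses a file-backed cache with a generous size rather than relying on what is still in memory.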

----------

## LLSLIM

I have a quick edit to the guide's section 3.4 on relaying messages through our ISP's SMTP server, which is important to ensure against messages being classified as spam. This was a head scratcher for a couple of days for me, but like the whole Gentoo experience it made me become familiar with certain packages like postfix. I feel the section needs to take into account that the MX records for the ISP may not be set as intended to guard against spam, and other things unbeknownst to the home user using the SMTP server to relay messages. Here are just my suggestions on what to add to the section.

Disclaimer: Didn't know much about the postfix, cyrus sasl, courier imap mail setup until last Sunday (6 days prior to this message) when I discovered this guide. So this may be known to seasoned vets, but I feel it should be touched upon in the guide for noobs like myself. So any corrections are very much welcome.

To demonstrate the problems of the current message relay configuration section of this guide, I will use a real-world and active SMTP server for a common ISP. The example ISP is the SBC GLOBAL DSL service provider in the United States, whose web services are managed by the well-known YAHOO!. This is followed by a simple how-to on using Postfix as an SMTP authorization client to relay messages through a YAHOO! server.

The example server address: smtp.sbcglobal.yahoo.com (SBC SMTP)

Again in the  original section with the example server added... 

 *beowulf wrote:*   

> 
> 
> 3.4 Making Postfix a Relay to our ISP:
> 
> As was mentioned in section 1.1, we can use Postfix to be an email relay and send any mail to our ISP's SMTP server before it hits the Internet.  Please keep in mind, that this step is NOT needed if you intend to use Postfix as a full-blown MTA.  This step is optional and should NOT be used if you have an MX record.
> ...

 

The original /etc/postfix/main.cf looks like this:

```
root@server # vi /etc/postfix/main.cf

# the name of our SMTP server of our ISP for relaying messages in original guide format
#relayhost = smtp.isp.com

# sbcglobal server in original guide format
relayhost=smtp.sbcglobal.yahoo.com
```

I ran into trouble when trying to send mail to my ISP due to a feature of postfix as described in the documentation of the relayhost option: postfix automatically tries to look up and connect to the machine in the DNS MX record of the supplied "smtp.isp.com" address, and NOT directly to the "smtp.isp.com" machine, unless it is enclosed in square brackets in both our /etc/postfix/main.cf and our /etc/postfix/saslpass files, which disables the MX record lookup by postfix.

Like the original version of the section said, if you run a local Domain Name server and have your domain MX record set to "smtp.isp.com", then you should skip this section. Most likely, if the home network is small, a name server with an MX record would be overkill; instead, local domain name resolution is a carefully crafted array of hosts files. That's what my home network resolution is at the moment.

Also, if the ISP SMTP server's DNS MX record points to the same machine as the supplied relayhost variable (i.e. both are "smtp.isp.com"), then putting square brackets around "smtp.isp.com" is optional and unnecessary, but they won't break the postfix configuration either way. Some major mail service providers like YAHOO! have a dummy server called "nomail" as the MX record for their SMTP servers that collects anything not legal. SMTP authorization to the "nomail" server just times out. To check an SMTP server's DNS MX record use the 'dig' command line tool from the bind-tools ebuild package (emerge bind-tools).

An example dig for the MX record of the SBC SMTP server looks like the following:

```
root@server # dig smtp.sbcglobal.yahoo.com mx

; <<>> DiG 9.2.5 <<>> smtp.sbcglobal.yahoo.com mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29362
;; flags: qr rd; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6

;; QUESTION SECTION:
;smtp.sbcglobal.yahoo.com.      IN      MX

;; ANSWER SECTION:
smtp.sbcglobal.yahoo.com. 653   IN      CNAME   smtp-sbc.mail.yahoo.com.
smtp-sbc.mail.yahoo.com. 108    IN      CNAME   smtp-sbc-v1.mail.vip.sc5.yahoo.com.
smtp-sbc-v1.mail.vip.sc5.yahoo.com. 1800 IN MX  1 nomail.yahoo.com.
```

For those not familiar with DNS terminology and/or the lookup scheme, here is a quick synopsis of the above ANSWER SECTION resulting from the 'dig' command. You see smtp.sbcglobal.yahoo.com is just a CNAME or alias for the real name of the SMTP server, which is smtp-sbc-v1.mail.vip.sc5.yahoo.com (ports vary). The SMTP server has an MX record that points to nomail.yahoo.com. Therefore the "nomail" server address gets passed to postfix and not the actual SMTP server address such as smtp.sbcglobal.yahoo.com that is needed as the relay host.

This results in the message being put in the postfix delayed message queue and the following log messages:

```
Jun 15 12:46:37 [postfix/qmgr] 7EF221057F1: from=<local_user@intra.net>, size=3556, nrcpt=1 (queue active)
Jun 15 12:47:07 [postfix/smtp] connect to nomail.yahoo.com[216.145.48.35]: Connection timed out (port 25)
Jun 15 12:47:07 [postfix/smtp] 7EF221057F1: to=<outside_user@gmail.com>, relay=none, delay=30, status=deferred (connect to nomail.yahoo.com[216.145.48.35]: Connection timed out)
```

To correct the problem we'll put square brackets around the name of the server that we want to relay messages through. The solution works for server CNAMEs or aliases as well.

Relevant changes to the files using the guide's terminology, and the real life SBC example. They should look like the following segments:

```
root@server # vi /etc/postfix/main.cf

# the name of our SMTP server of our ISP for relaying messages.
#relayhost = [smtp.isp.com]

# sbcglobal server
relayhost=[smtp.sbcglobal.yahoo.com]
```

```
root@server # vi /etc/postfix/saslpass

# the name of our SMTP server of our ISP for relaying messages.
#[smtp.isp.com]     beo739:rstmp-pass

#sbcglobal server
[smtp.sbcglobal.yahoo.com]       our_sbcglobal_username@sbcglobal.net:our-sbc-password
```

Then from here on, follow the guide as normal, starting from this point...

 *beowulf wrote:*   

> 
> 
> After you've completed that, let's protect the file and hash it so postfix can work with it.  We do this with the following commands:
> 
> ```
> ...

 

Hope this helps and is clear. To reiterate, the addition of brackets can't hurt existing working installs, but their absence does cause a few headaches. Just my 2 cents.

peace and regards,

-Slim.

----------

## VoiDeR

I have almost everything working here except I can't relay my mail to my ISP. If I send an email to, say, fubar@hotmail.com it tries to connect to hotmail directly. I can send to local users and receive mail just fine. I can log in to the IMAP server and view my mail that way. I just can't send out. Here are all the config files that I had to edit in the send section of the guide:

```
#/etc/postfix/main.cf
myhostname = localhost
mydomain = localdomain
inet_interfaces = $myhostname, localhost
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks = 127.0.0.0/8 192.168.1.1/24
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.0.16-r1/sample
readme_directory = /usr/share/doc/postfix-2.0.16-r1/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject
#smtpd_use_tls=yes
#smtpd_tls_auth_only = yes
#smtpd_tls_key_file = /etc/ssl/postfix/server.key
#smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
#smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
#smtpd_tls_loglevel = 3
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous
```

```
#/etc/sasl2/smtpd.conf
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
pwcheck_method:saslauthd
mech_list: plain login

#/usr/lib/sasl2/smtpd.conf
pwcheck_method:saslauthd
mech_list: plain login

# /etc/conf.d/saslauthd
# $Header: /var/cvsroot/gentoo-x86/dev-libs/cyrus-sasl/files/saslauthd-2.1.20.conf,v 1.1 2004/10/31 06:13:48 langthang Exp $
SASL_AUTHMECH=shadow
SASL_RIMAP_HOSTNAME=""
SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes
SASLAUTHD_OPTS="-a ${SASL_AUTHMECH}"

#/etc/postfix/saslpass
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.pass,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
#
# remotehost user:password
smtp.suscom.net xxxxxxxxx:xxxxxxxxx
```

I'm not sure what to do from here. I've searched but still haven't come up with a solution.

VoiDeR
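LLSLIM's point above (an unbracketed relayhost is resolved through its MX record, so smtp.sbcglobal.yahoo.com ends up at nomail.yahoo.com, while [smtp.sbcglobal.yahoo.com] connects to that host directly) and VoiDeR's symptom (a main.cf with no relayhost line at all, so Postfix resolves the recipient domain's own MX and connects there) are two sides of the same next-hop logic. The script below is an added example, not code from the guide, LLSLIM or VoiDeR; it uses the CNAME and MX records from LLSLIM's dig output as an in-memory zone (any other name is assumed to have just an address record), adds a minimal main.cf reader, and reports where outbound mail would go, plus a configuration warning for the unbracketed case.

```python
"""Added example (not from the guide or the posts): how Postfix picks the
next-hop host for a relayhost value, and what an absent relayhost means.
The zone data below is copied from LLSLIM's dig output; everything else
is constructed."""
from typing import Dict, Optional, Tuple

# CNAME chain and MX from the dig answer above. Names not listed here are
# assumed to have only an address record (modelled as "A" -> the name itself).
DNS: Dict[str, Tuple[str, str]] = {
    "smtp.sbcglobal.yahoo.com": ("CNAME", "smtp-sbc.mail.yahoo.com"),
    "smtp-sbc.mail.yahoo.com": ("CNAME", "smtp-sbc-v1.mail.vip.sc5.yahoo.com"),
    "smtp-sbc-v1.mail.vip.sc5.yahoo.com": ("MX", "nomail.yahoo.com"),
}


def parse_relayhost(value: str) -> Tuple[str, int, bool]:
    """Split a relayhost value into (host, port, mx_lookup).
    Square brackets mean "connect to this host, skip the MX lookup";
    an optional :port suffix is accepted, e.g. [smtp.isp.com]:587."""
    v = value.strip()
    port = 25
    if ":" in v and not v.endswith("]"):        # trailing :port
        v, _, p = v.rpartition(":")
        port = int(p)
    if v.startswith("[") and v.endswith("]"):
        return v[1:-1].rstrip("."), port, False
    if "[" in v or "]" in v:
        raise ValueError(f"unbalanced brackets in relayhost: {value!r}")
    return v.rstrip("."), port, True


def canonical_name(name: str) -> str:
    """Follow CNAME records the way a resolver does (bounded against loops)."""
    for _ in range(8):
        rtype, target = DNS.get(name, ("A", name))
        if rtype != "CNAME":
            return name
        name = target
    raise ValueError("CNAME chain too long")


def next_hop(value: str) -> Tuple[str, int]:
    """Host and port Postfix would connect to for this relayhost value."""
    host, port, mx_lookup = parse_relayhost(value)
    if not mx_lookup:
        return host, port
    cname = canonical_name(host)
    rtype, target = DNS.get(cname, ("A", cname))
    # With an MX record present, its target replaces the name we wrote.
    return (target if rtype == "MX" else cname), port


def relayhost_warning(value: str) -> Optional[str]:
    """Config check: flag a relayhost whose MX lookup lands somewhere other
    than the name in main.cf, which is exactly the nomail.yahoo.com trap."""
    host, _, mx_lookup = parse_relayhost(value)
    if not mx_lookup:
        return None
    hop, _ = next_hop(value)
    if hop not in (host, canonical_name(host)):
        return f"relayhost {value}: MX lookup leads to {hop}; write [{host}] to connect directly"
    return None


def parse_main_cf(text: str) -> Dict[str, str]:
    """Minimal main.cf reader: 'name = value', '#' comments, and
    continuation lines that start with whitespace (as Postfix allows)."""
    params: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current:
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def delivery_plan(main_cf: str):
    """('direct', None) when relayhost is unset: Postfix resolves each
    recipient domain's MX itself (VoiDeR's 'connects to hotmail directly');
    otherwise ('relayhost', (host, port)) from next_hop()."""
    relayhost = parse_main_cf(main_cf).get("relayhost", "")
    if not relayhost:
        return "direct", None
    return "relayhost", next_hop(relayhost)


# Constructed excerpts standing in for the two posts' configurations.
NO_RELAY_CF = "myhostname = localhost\nmynetworks = 127.0.0.0/8 192.168.1.1/24\n"
UNBRACKETED_CF = "relayhost=smtp.sbcglobal.yahoo.com\n"
BRACKETED_CF = "relayhost=[smtp.sbcglobal.yahoo.com]\n"

if __name__ == "__main__":
    for cf in (NO_RELAY_CF, UNBRACKETED_CF, BRACKETED_CF):
        print(delivery_plan(cf), relayhost_warning(parse_main_cf(cf).get("relayhost", "x")))
```

The same bracketed string is what the saslpass table must be keyed on, as LLSLIM's second file shows; a warning from relayhost_warning() on a live main.cf is the quick way to tell the "deferred, connect to nomail timed out" case from a plain authentication failure.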

----------

## c_riis

Hi, first I'd like to say thanks for this howto!!!

I have just been through it and I ran into a problem and a few things I don't understand.

When, on my laptop, I'm trying to get the mail from the server, which looks like it gets mail from my ISP, Kmail says "the connection to SERVER is broken..." and in my server's logfiles the imapd thinks it needs SQL... How do I make this work?

Kmail can get the info when I press "Check what the servers support" in the Security tab. So some sort of connection is working..

```
pbk1111@kosmo ~/bin $ /usr/bin/fetchmail -vvv -a -m "/usr/bin/procmail -d %T"
fetchmail: 6.2.5.2 querying gmail (protocol POP3) at Sat Jul 30 16:01:43 2005: poll started
fetchmail: Issuer Organization: Thawte Consulting cc
fetchmail: Issuer CommonName: Thawte Server CA
fetchmail: Server CommonName: pop.gmail.com
fetchmail: gmail key fingerprint: F2:BE:86:E4:E2:51:76:AA:B6:00:91:7B:97:A4:E6:F3
fetchmail: Warning: server certificate verification: unable to get local issuer certificate
fetchmail: Issuer Organization: Thawte Consulting cc
fetchmail: Issuer CommonName: Thawte Server CA
fetchmail: Server CommonName: pop.gmail.com
fetchmail: Warning: server certificate verification: certificate not trusted
fetchmail: Issuer Organization: Thawte Consulting cc
fetchmail: Issuer CommonName: Thawte Server CA
fetchmail: Server CommonName: pop.gmail.com
fetchmail: Warning: server certificate verification: unable to verify the first certificate
fetchmail: POP3< +OK Gpop 35pf2846136wra ready.
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows
fetchmail: POP3< USER
fetchmail: POP3< RESP-CODES
fetchmail: POP3< EXPIRE 0
fetchmail: POP3< LOGIN-DELAY 300
fetchmail: POP3< X-GOOGLE-VERHOEVEN
fetchmail: POP3< .
fetchmail: POP3> USER TEST@gmail.com
fetchmail: POP3< +OK send PASS
fetchmail: POP3> PASS *
fetchmail: POP3< +OK Welcome.
fetchmail: POP3> STAT
fetchmail: POP3< +OK 1 463
1 message for TEST@gmail.com at gmail (463 octets).
fetchmail: POP3> LIST 1
fetchmail: POP3< +OK 1 463
fetchmail: POP3> RETR 1
fetchmail: POP3< +OK message follows
reading message TEST@gmail.com@gmail-pop.l.google.com:1 of 1 (463 octets)
#* flushed
fetchmail: POP3> DELE 1
fetchmail: POP3< +OK marked for deletion
fetchmail: POP3> QUIT
fetchmail: POP3< +OK Farewell.
fetchmail: 6.2.5.2 querying gmail (protocol POP3) at Sat Jul 30 16:01:48 2005: poll completed
fetchmail: normal termination, status 0
```

```
kosmo ~ # tail -f  /var/log/messages
Jul 30 16:24:22 kosmo imapd: authentication error: Input/output error
Jul 30 16:25:49 kosmo imapd: Connection, ip=[::ffff:192.168.1.2]
Jul 30 16:26:30 kosmo authdaemond: failed to connect to mysql server (server=mysql.example.com, userid=admin): Unknown MySQL Server Host 'mysql.example.com' (1)
Jul 30 16:26:30 kosmo imapd: LOGIN FAILED, user=pbk1111, ip=[::ffff:192.168.1.2]
Jul 30 16:26:30 kosmo imapd: authentication error: Input/output error
Jul 30 16:27:47 kosmo imapd: Connection, ip=[::ffff:192.168.1.2]
Jul 30 16:27:47 kosmo imapd: Disconnected, ip=[::ffff:192.168.1.2], time=0
Jul 30 16:27:47 kosmo imapd-ssl: Connection, ip=[::ffff:192.168.1.2]
Jul 30 16:27:47 kosmo imapd-ssl: Unexpected SSL connection shutdown.
Jul 30 16:27:47 kosmo imapd-ssl: Disconnected, ip=[::ffff:192.168.1.2], time=0, starttls=1
```

As I read from this howto, on my laptop I need to supply the login and password for the user on my server, [postmaster], in one of the config files, right? I'm a bit confused, I must say...

Must the sending and receiving part of the Kmail configuration include the same login/password?

Another thing I don't understand is what "/etc/mail/aliases" does. Why alias root to some other user (or is it the other way around?)? I can't see the purpose.

Would it be possible to leave out the procmail part?

The part about PAM: how do I check that I have PAM running? As I understand it's for authenticating users... and I suppose I got it, and it works... but how to check it?

Any idea would be appreciated!!

- Christian from Denmark

----------

## robfish

I used the guide about a year ago to successfully set up a mail server on a Gentoo server.

I can use Kontact (Kmail) successfully on my desktop Gentoo machine but I am having trouble sending from a Windows XP machine.

With Outlook and Outlook Express I can read mail fine but when trying to send I get a message...

"The server you are connecting to is using a security certificate that could not be verified.

The signature of the certificate could not be verified"

With Thunderbird I get.....

"Could not establish an encrypted connection because certificate presented by 192.168.10.11 is invalid or corrupted. Error Code -8182"

What do I do to sort out this problem?

----------

## al

First I would like to say thanks for this fantastic tutorial!

I have been following the wiki here: http://gentoo-wiki.com/HOWTO_Email_System_for_the_Home_Network

Everything appears to be working fine on my server end.

If i ssh into my server and load Mutt i can send and receive mail from the internet.

If I load Sylpheed on my workstation (inside the same LAN) I can receive mail from the server, but when I try to send I get an error 554 Relay Access Denied.

```
[11:35:53] ESMTP> AUTH LOGIN
[11:35:53] ESMTP< 334 VXNlcm5hbWU6
[11:35:53] ESMTP> [USERID]
[11:35:53] ESMTP< 334 UGFzc3dvcmQ6
[11:35:53] ESMTP> [PASSWORD]
[11:35:53] ESMTP< 235 Authentication successful
[11:35:53] ESMTP> MAIL FROM:<alunt2003@alunt2003@homelinux.org> SIZE=347
[11:35:53] SMTP< 250 Ok
[11:35:53] SMTP> RCPT TO:<alunt2003@yahoo.com>
[11:35:53] SMTP< 554 <alunt2003@yahoo.com>: Relay access denied
** error occurred on SMTP session
** Error occurred while sending the message.
```

On the server i get a long tail of woe in my /var/log/message.

My log file snippet is here: http://thomson.podzone.org/files/messages

Can anyone help?

Thanks

EDIT: I should probably mention that I have set it up as a full blown SMTP server. I am not routing through my existing Yahoo email.

Last edited by al on Wed Sep 14, 2005 8:32 pm; edited 1 time in total

----------

## al

Okay been messing around with it again.

I changed the following line in my /etc/postfix/main.cf

```
mynetworks = 192.168.0.1/255, 127.0.0.1

to

mynetworks = 192.168.0.1/24, 127.0.0.0/8
```

and now i can send from my client box but in my log on my server i see this:

```
Aug 28 16:45:41 alunt2003 postfix/smtp[23460]: 1C55D208F8E: to=<edited@btinternet.com>, relay=mx1.bt.mail.yahoo.com[195.50.106.135], delay=0, status=sent (250 ok dirdel)
```

I thought i was the email provider so why does it say bt.mail.yahoo.com? Is that because my broadband is with bt/yahoo?

I do have a Yahoo mail account but i'm pretty sure i didn't use it in the config.

I'm horribly confused.

----------

## appetitus

 *LLSLIM wrote:*   

> I ran into trouble when trying to send mail to my ISP due to a feature of postfix as described in the documentation of the relayhost option. Where postfix automatically tries to look up and connect to the machine in the domain name  MX record (DNS MX)  of the supplied "smtp.isp.com" address, and NOT directly to the "smtp.isp.com" machine  unless it is enclosed by square brackets in both our /etc/postfix/main.cf  and our /etc/postfix/saslpass files to disable MX record lookup by postfix.  
> 
> 

 

THANKS! That problem was driving me crazy.

----------

## sander2

hi!

i read almost the whole thread but couldn't get the thunderbird -> sasl -> postfix thing working.

can someone please help me/us?

please see this thread: https://forums.gentoo.org/viewtopic-t-331546.html

thank you!

----------

## carpman

Hello, I need a bit of advice on webapp-config.

I have a home server behind a smoothwall box, have set up LAMP with the vhost flag, and have got the main Apache server in /var/www/localhost, but have set up a virtual server using an IP alias which points to /home/user/public_html, which I use as the public server.

This user is also the one used for this guide. The thing is, how and where do I install squirrelmail?

Following this guide the squirrelmail section does not work as squirrelmail is now a webapp-config ebuild.

cheers

----------

## bdemore

The excellent guide states in regard to setting up Squirrelmail "I will assume you have a working Apache and PHP setup".  Unfortunately, I don't.  I used to have an excellent guide and I think it was a how-to document under Desktop Configuration.  I can't find it anymore.  Anyway, if someone could point me in the right direction with regard to the Apache config. files that need to be modified in order to get Squirrelmail working on this setup I'd be very grateful, thanks.

----------

## jbiggs77

Been working on getting this system working for a week or so now.  At first, retrieving emails with fetchmail was working great and I could view them with mutt locally but I couldn't get courier-imap working.  Came to find out it was an issue with DNS.

Now imap is working and I can view all the emails fetchmail had placed in my maildir but I can not fetch any more emails.  Fetchmail seems to be working but I am receiving "Returned to sender" emails in my inbox.  How can I check to make sure fetchmail is working correctly?  How can I see if it is handing off the emails to Postfix, etc., all the way down the line?

Edit:  It seems that when fetchmail hands the emails off to Postfix, Postfix then tries to deliver the mails to me by relaying them through my ISP's smtp server to address mylogin@localhost.mydomain.  Why is it doing this and why is it sending them to that address?

Edit 2: OK, so the problem was that I was just calling fetchmail and not telling it implicitly to deliver to procmail, which I have done.  I am still having problems with procmail not creating my folders though.  It did create one of the folders about a week ago when I started on this but it is not listed inside the courierimapsubscribed file.

----------

## ChojinDSL

I originally had a perfect working email server. But the mobo got fried, so I reinstalled on a new pc with a different cpu.

Anyway, I just hooked up my server's original hard drive to the new machine and just recompiled everything for the new CPU. So there might be some legacy configs lying around. It's not a sparkly clean new install from scratch.

I've followed the guide, but for some reason I can't connect to my server via IMAP.

My log file spits this out whenever I try to connect. And sylpheed-claws gives me an error of course as well.

```
Oct 20 16:49:10 [imapd] Connection, ip=[::ffff:192.168.2.100]
Oct 20 16:49:10 [imapd] LOGIN FAILED, user=chojin, ip=[::ffff:192.168.2.100]
Oct 20 16:49:10 [imapd] authentication error: Input/output error
Oct 20 16:49:10 [authdaemond] failed to connect to mysql server (server=mysql.example.com, userid=admin): Unknown MySQL Server Host 'mysql.example.com' (1)
```

Now Im a little confused. While I do use mysql for my mythtv setup. I made sure to emerge all the mentioned programs with a USE="-mysql". So that they were built without the need for mysql.

Furthermore, I noticed that when I emerged courier-imap, at the end there was a message warning me that authdaemond was no longer provided and that courier-authlib or something like that was used. Do I still need authdaemond? Which packages provides that?

*****EDIT***********

I managed to fix it. I just went into all of the relevant configs for courier-imap and courier in /etc/ and made sure that there were no references to mysql. I had also forgotten to restart courier-authlib. So it was probably still using an unedited config file.

Anyways, now it works again.

----------

## mxa055

Hi there,

I am getting this error when trying to start courier-imap-ssl

```
/etc/init.d/courier-imapd-ssl start
 * Starting courier-authlib: authdaemond ...                              [ ok ]
 * Starting courier-imapd over SSL ...
bind: Address already in use
ll_daemon_start: Resource temporarily unavailable                         [ !! ]
```

Some people already mentioned that they have solved this issue but don't point to the solution. 

Any help?

Regards,

Michael

----------

## mxa055

 *mxa055 wrote:*   

> Hi there,
> 
> I am getting this error when trying to start courier-imap-ssl
> 
> ```
> ...

 

A restart fixed the problem!   :Rolling Eyes: 

----------

## AMSch

I get the following error when I try to fetch mail from my 2 pop accounts:

```
procmail: Missing recipient
sh: line 1: andreas: command not found
fetchmail: MDA returned nonzero status 127
```

```
#!/bin/bash
/usr/bin/fetchmail -a -s -m "/usr/bin/procmail -d
%T"
```

"andreas" is the mail user - can anybody help please?

----------

## AMSch

Messages are received from my pop servers, but they aren't deleted and are received again the next time the script runs -> I had over 1000 mails in my inbox but only 5 different mails  :Sad: 

----------

## AMSch

Solved it - error was in script - had newline after "-d"

----------

## miscdebris

Fetchmail is working perfectly; however, it returns status 1 whenever it can't find any email, and that causes fcron to send an email to my root account.  Anything we can do to stop this?

One of my subfolders keeps deleting the email contained within it.

I have kmail set to use imap to store the groupware information, but, and while it's not losing the information, it fails to process it.  My contacts won't display, my schedule is blank, though it should be full, no tasks even though I have many, etc.

Anyone have any ideas on these?
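Two of the fetchmail problems in this thread share one fix, so here is an added example (not code from the guide or from the posters): a wrapper for the checkmail script that cron calls. AMSch's "andreas: command not found" came from a newline inside the -m string, which makes fetchmail hand "%T" to the shell as a command line of its own, and miscdebris's cron mail to root comes from fetchmail exiting 1 when no mail is waiting (fetchmail's manual documents exit status 0 as "messages retrieved" and 1 as "no mail"). The FETCHMAIL variable, the "run" argument and the script path in the cron line are this example's own assumptions.

```bash
#!/bin/bash
# checkmail: cron wrapper around fetchmail (added example, not from the guide).
# Guards against two things seen in this thread:
#  - an MDA string broken across two lines: fetchmail passes "%T" to the
#    shell on its own line, so the recipient name runs as a command;
#  - fetchmail exiting 1 when no mail is waiting, which cron reports as a
#    failure and mails to root on every run.

FETCHMAIL="${FETCHMAIL:-/usr/bin/fetchmail}"   # assumed path; override for testing
MDA='/usr/bin/procmail -d %T'                   # keep this on ONE line

# Return 1 if the MDA string contains a newline, 0 otherwise.
mda_ok() {
    nl='
'
    case "$1" in
        *"$nl"*) return 1 ;;
    esac
    return 0
}

# Run fetchmail. Return 0 for "mail fetched" (0) and "no mail" (1),
# 64 for a bad MDA string, and fetchmail's own status for real errors
# (socket, authentication, ...), which cron will still mail about.
fetch_quietly() {
    if ! mda_ok "$MDA"; then
        echo "checkmail: MDA string contains a newline, refusing to run" >&2
        return 64
    fi
    rc=0
    "$FETCHMAIL" -a -s -m "$MDA" || rc=$?
    case "$rc" in
        0|1) return 0 ;;
        *)   echo "checkmail: fetchmail exited with status $rc" >&2
             return "$rc" ;;
    esac
}

# Cron entry (assumed location of this script):
#   */5 * * * * $HOME/bin/checkmail run
case "${1:-}" in
    run) fetch_quietly ;;
esac
```

Only status 1 is mapped to success; an authentication failure or a socket error still returns non-zero, so cron keeps reporting the problems that deserve a mail.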

----------

## Rwilson

I'm in the process of using this Howto to setup my own little email server and have come upon a hitch. I have two email accounts, one with gmail and one with yahoo. I use each one for different things, so I need to be able to send emails through each host based on which account the email is from. Do I need to do any special configuration to handle this?

----------

## luctor

 *mxa055 wrote:*   

>  *mxa055 wrote:*   Hi there,
> 
> I am getting this error when trying to start courier-imap-ssl
> 
> ```
> ...

 

A restart didn't fix my problem.

This however did ...

```
tux rob # /etc/init.d/famd stop
 * Stopping famd ...                                                      [ ok ]
tux rob # /etc/init.d/courier-imapd-ssl start
 * Starting famd ...                                                      [ ok ]
 * Starting courier-imapd over SSL ...                                    [ ok ]
```

When I tried to start famd again ..

```
tux rob # /etc/init.d/famd start
 * WARNING:  "famd" has already been started.
```

So I removed it from the default run-level

```
tux rob # rc-update -d famd
 * famd removed from the following runlevels: default
 * rc-update complete.
```

----------

## feld

I've been following this guide, too, and I hope that I can reach my goals.

I have my ISP email and Gmail that I want on my server and I want access to that email via IMAP so I can dual boot and have access to my emails.

Gmail/ISP -> check/store on my server -> access from Windows/Linux

Windows/Linux -> send mail to my server -> forward to correct smtp for gmail or ISP, or just use one.

I hope that made sense.

Now I have just about finished the core of the guide but I have a problem. My check email script bombs. Here is my .fetchmailrc

```
set postmaster "feld"
poll pop.charter.net with proto POP3 auth password user "feld@charter.net" there with password "$PASSWORD" is feld here
options warnings 3600
poll "pop.gmail.com" with proto POP3 user "felderado@gmail.com" there with password "$PASSWORD" is feld here
options warnings 3600
```

My username on the server is feld. Both email providers require I login with the full email address. Gmail actually wants SSL, my ISP does not. When I run the checkmail script (which is referenced by the cronjob I set up according to the guide) it just hangs... doesn't seem to do anything.

Any tips, suggestions? I'd really like to get this going, it would be very handy! Thanks!

edit: found out gmail needs an ssl cert that someone provided perfect info to -- was missing procmail, think I might have fixed this... need to setup clients / cron for spamassassin and hope sending emails works and I might be configured! YAY!

Note: I had some odd error pop up about failing to send an email to feld@localhost? 

-Feld

Gmail cert info:

http://download.gna.org/hpr/fetchmail/FAQ/gmail-pop-howto.html

----------

## feld

hrm okay I'm very much confused...

I can't send any emails... smtp just isn't working. I'm showing that it's listening, but starttls isn't working. My logs show:

```
Mar 17 22:00:04 mythtv postfix/postfix-script: starting the Postfix mail system
Mar 17 22:00:04 mythtv postfix/master[6937]: daemon started -- version 2.2.9, configuration /etc/postfix
Mar 17 22:00:06 mythtv postfix/smtpd[6989]: initializing the server-side TLS engine
Mar 17 22:00:06 mythtv postfix/smtpd[6989]: connect from skeletor.universe[192.168.1.110]
Mar 17 22:00:08 mythtv postfix/smtpd[6989]: lost connection after EHLO from skeletor.universe[192.168.1.110]
Mar 17 22:00:08 mythtv postfix/smtpd[6989]: disconnect from skeletor.universe[192.168.1.110]
```

what the heck is going on?

and telnet localhost 25 shows:

```
mythtv etc # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mythtv.universe ESMTP Postfix
```

so what is happening and why can't I send emails?  :Sad: 

Thanks

edit: relayhost = [mailhost.isp.com] was needed so I could properly forward SMTP, and also I redid all my configs anyway just for clarification. It is now functioning. Sylpheed works great, but Outlook and Thunderbird in Windows don't like this for some reason so I'll just use the win32 build of Sylpheed.

Thanks for the great guide! This is a really great experience and it is extremely handy!!!!

edit #2: Oh my, what a discovery! Sylpheed for Windows actually gave me a USEFUL error message! "Avast does not accept TLS connections". If only Outlook and Thunderbird could have told me that my antivirus was the issue as plainly as Sylpheed did.... Anyway, Thunderbird gained progress but is now barking about a corrupt certificate even after I cleared them out and tried again. I guess native Windows email clients suck. Sylpheed is kickin ass, that's all I gotta say  :Wink: 

Thanks again for the guide!!!

-Feld

----------

## feld

Last question:

https://forums.gentoo.org/viewtopic-t-412468.html

The previous link shows how sSMTP can use your Gmail SMTP server... It requires StartTLS and your username and password to auth before sending your gmail. Is the previous obtainable through the tools used in your guide?

It appears to me that our setup will not work this way. In fact, I am quite confused as to why we configured /etc/postfix/saslpass to include an smtp server + username/password when it refuses to use this information until we set our /etc/postfix/main.cf to use the relayhost setting and list our SMTP server. It just seems odd, but obviously it IS using that username/password or else I know I couldn't send emails. ANYWAY, I am unable to locate information showing that there are settings in either configuration file that will allow me to enable StartTLS.

Prove me wrong please, as I'd like to be able to have Gmail as a backup SMTP server if something was to happen.

(my ISP isn't the most stable thing in this world.... )

-Feld
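What feld asks for here is possible with Postfix's SMTP client TLS and SASL settings. The script below is an added example (not the guide's configuration): it writes the client-side parameters and the saslpass map and then checks them before you run postmap and reload Postfix. It assumes Postfix 2.2-era parameter names (smtp_use_tls and smtp_enforce_tls; Postfix 2.3 and later replace both with smtp_tls_security_level = encrypt), a CA bundle at /etc/ssl/certs/ca-certificates.crt, the POSTFIX_DIR variable, and the Gmail host and port that feld and fuzz mention; the credentials are placeholders.

```bash
#!/bin/bash
# Outbound relay through an authenticated, TLS-protected provider SMTP port
# (added example, not from the guide). Credentials below are PLACEHOLDERS.

POSTFIX_DIR="${POSTFIX_DIR:-/etc/postfix}"   # assumed; override for testing

# Append the SMTP client settings to main.cf and write the password map.
# Postfix looks the password up with the relayhost value as key, so the map
# key must match relayhost exactly, brackets and port included.
write_relay_config() {
    dir="$1"; relay="$2"; login="$3"; pass="$4"
    cat >> "$dir/main.cf" <<EOF
relayhost = $relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$dir/saslpass
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_enforce_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
EOF
    rm -f "$dir/saslpass"
    # The map holds a plaintext password: create it readable by root only.
    ( umask 077; printf '%s %s:%s\n' "$relay" "$login" "$pass" > "$dir/saslpass" )
}

# Checks to run before `postmap saslpass` and `postfix reload`:
#   1. saslpass is mode 600 (returns 1 otherwise),
#   2. the map key equals relayhost (returns 2 otherwise),
#   3. TLS is enforced so the password never crosses plaintext SMTP (returns 3).
check_relay_config() {
    dir="$1"
    relay=$(sed -n 's/^relayhost[[:space:]]*=[[:space:]]*//p' "$dir/main.cf" | tail -n 1)
    key=$(awk 'NF { print $1; exit }' "$dir/saslpass")
    perms=$(stat -c %a "$dir/saslpass")
    [ "$perms" = "600" ] || { echo "saslpass is mode $perms, want 600" >&2; return 1; }
    [ "$key" = "$relay" ] || { echo "saslpass key '$key' != relayhost '$relay'" >&2; return 2; }
    grep -Eq '^(smtp_enforce_tls[[:space:]]*=[[:space:]]*yes|smtp_tls_security_level[[:space:]]*=[[:space:]]*encrypt)' "$dir/main.cf" \
        || { echo "TLS is not enforced for the relay" >&2; return 3; }
    return 0
}

# Usage (as root): ./relay-setup.sh '[smtp.gmail.com]:587' you@gmail.com 'PLACEHOLDER'
if [ $# -eq 3 ]; then
    write_relay_config "$POSTFIX_DIR" "$1" "$2" "$3"
    check_relay_config "$POSTFIX_DIR" \
        && echo "now run: postmap $POSTFIX_DIR/saslpass && postfix reload"
fi
```

The password map is the sensitive part: postmap creates saslpass.db from it, and both files should stay root-only. With smtp_enforce_tls = yes Postfix refuses to send at all if the relay does not offer STARTTLS, which is the behaviour you want for a credential-bearing session.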

----------

## fuzz

I'm getting 

```
ERROR: Connection dropped by IMAP server.
```

my configs are

postfix/main.cf

```
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain $mydomain
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks = 127.0.0.0/8 192.168.1.100/124
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.0.16-r1/sample
readme_directory = /usr/share/doc/postfix-2.0.16-r1/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous
relayhost = [smtp.gmail.com]:587
```

courier-imap/authdaemond.conf

```
AUTHDAEMOND="authdaemond.plain"
```

courier-imap/authdaemond.conf

```
authmodulelist="authpam"
```

etc/sasl2/smtpd.conf  (had to create file. was not there)

```
pwcheck_method:saslauthd
mech_list: plain login
```

etc/conf.d/saslauthd

```
SASLSASL_AUTHMECH=shadow
_RIMAP_HOSTNAME=""
SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes
SASLAUTHD_OPTS="-a ${SASL_AUTHMECH}"hd
```

etc/mail/aliases

```
# Basic system aliases -- these MUST be present.
MAILER-DAEMON:      postmaster
postmaster:         root

# General redirections for pseudo accounts.
adm:                root
bin:                root
daemon:             root
exim:               root
lp:                 root
mail:               root
named:              root
nobody:             root
postfix:            root

# Well-known aliases -- these should be filled in!
root:           linux user name
# operator:

# Standard RFC2142 aliases
abuse:              postmaster
ftp:                root
hostmaster:         root
news:               usenet
noc:                root
security:           root
usenet:             root
uucp:               root
webmaster:          root
www:                webmaster

# trap decode to catch security attacks
# decode:           /dev/null
```

squirrelmail/config

```
General
-------
1.  Domain                 : chargednetworks.com
2.  Invert Time            : false
3.  Sendmail or SMTP       : Sendmail

IMAP Settings
--------------
4.  IMAP Server            : localhost
5.  IMAP Port              : 993
6.  Authentication type    : login
7.  Secure IMAP (TLS)      : true
8.  Server software        : courier
9.  Delimiter              : detect
```

var/log/messages

```
Mar 25 02:05:12 fuzzserv imapd-ssl: Connection, ip=[::ffff:127.0.0.1]
Mar 25 02:05:13 fuzzserv imapd-ssl: LOGIN FAILED, user=******, ip=[::ffff:127.0.0.1]
Mar 25 02:05:13 fuzzserv imapd-ssl: authentication error: Input/output error
Mar 25 02:05:13 fuzzserv authdaemond: failed to connect to mysql server (server=mysql.example.com, userid=admin): Unknown MySQL server host 'mysql.example.com' (1)
```

please help 

*hopefully I posted all the info needed

thanks 

~fuzz

----------

## kernelcowboy

The HOWTO states to edit the file 

```
authdaemond.conf
```

which may be in

```
/etc/courier/authlib/ or
/etc/courier-imap/
```

and put in this line

```
AUTHDAEMOND="authdaemond.plain"
```

I couldn't find the file.  So, I ignored it, and everything seems to be working fine.  I didn't create it.

I did notice this in

```
/etc/init/courier-authlib
```

```
setauth() {
        source /etc/courier/authlib/authdaemonrc
        AUTHLIB="/usr/lib/courier/courier-authlib"
        AUTHDAEMOND="authdaemond"
        pidfile="/var/run/authdaemon.pid"
        logger="/usr/sbin/courierlogger"
        export DEBUG_LOGIN DEFAULTOPTIONS LOGGEROPTS
}

start() {
        checkconfig || return 1
        setauth
```

I didn't change it.

I'm sort of posting to help others, and to double check I'm not doing something wrong.

----------

## aaronamd

I just ran through this guide and can say that I'm definitely impressed with the time that has been put into it. Unfortunately I still have not gotten this to work. For some reason evolution rejects my password and says unknown error. I have read through some of this thread and not yet found anything that works, any ideas?

----------

## Grilo

Hi, I have followed this entire guide and it works great. I have only one problem I just noticed. Root does not get any mail. I have logwatch installed and ddclient and both mail root when needed. Using root and squirrelmail I can email my user and the user can email out to anyone, but root cannot get mail from the user or from the system. 

Any ideas? And I found an error in the messages log, here it is:

```
May 30 11:59:34 Sloop imapd-ssl: Connection, ip=[::ffff:127.0.0.1]
May 30 11:59:35 Sloop imapd-ssl: LOGIN, user=pat, ip=[::ffff:127.0.0.1], protoc$
May 30 11:59:35 Sloop imapd-ssl: Error reading ACLs for INBOX..cmeta: Invalid a$
May 30 11:59:35 Sloop imapd-ssl: Error reading ACLs for INBOX..ibex.index.data:$
May 30 11:59:35 Sloop imapd-ssl: Error reading ACLs for INBOX..ibex.index: Inva$
May 30 12:00:01 Sloop cron[11058]: (root) CMD (test -x /usr/sbin/run-crons && /$
May 30 12:00:01 Sloop cron[11059]: (root) CMD (rm -f /var/spool/cron/lastrun/cr$
```

Thanks for your help

Grilo

----------

## rpcyan

Anybody have success with storing maildirs outside of one's homedir? I'd like to use my raid array for mail storage, but symlinks are rejected by procmail as being "BOGUS" and the procmailrc files are ignored completely since maildirs aren't real-time delivery or some such nonsense.  I've seen recommendations on changing the src/authenticate.c file and changing the MAILSPOOLDIR, which is set to /var/spool/mail.  Thing is I doubt changing that will do any good since there are no spools present there other than for root, which was last modified a very long time ago.

Suggestions appreciated.

----------

## matbintang

Has anyone implemented a reliable back-up regime for their home e-mail system on the server side?

----------

## bludger

 *matbintang wrote:*   

> Has anyone implemented a reliable back-up regime for their home e-mail system on the server side?

 I use rdiff-backup to backup all of my maildirs to a remote computer.

----------

## echto

/etc/courier/authlib/authdaemonrc needs to be like this:

```
authmodulelist="authshadow authpam"
```

 :Cool: 

 *fuzz wrote:*   

> i'm getting 
> 
> ```
> ERROR: Connection dropped by IMAP server.
> ```
> ...

 

----------

## rosschilen

I have set up everything in the guide successfully except imap.  From what I can tell my server is not listening for imap connections.  "netstat -a" produces the following output:

```
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:imaps                 *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    7235   @/org/kernel/udev/udevd
unix  2      [ ACC ]     STREAM     LISTENING     459076 /var/lib/courier/authdaemon/socket.tmp
unix  2      [ ACC ]     STREAM     LISTENING     13462  /var/run/cgisock
unix  3      [ ]         STREAM     CONNECTED     458740
unix  3      [ ]         STREAM     CONNECTED     458739
```

I have checked that courier-imap-ssl and courier-imap-authlib have started.  I have rebooted.  I have triple checked my config files according to this guide.  I have the following /etc/courier/authlib/authdaemond.conf

```
AUTHDAEMOND="authdaemond.plain"
```

In /etc/courier/authlib/authdaemonrc 

```
#blah blah comments
authmodulelist="authpam authshadow"
authmodulelistorig="authpam authshadow"
daemons=5
authdaemonvar=/var/lib/courier/authdaemon
DEBUG_LOGIN=0
DEFAULTOPTIONS=""
LOGGEROPTS=""
```

The following /etc/pam.d/imap I'm unsure of:

```
# PAM setup for
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
```

I am unsure of how to debug courier-imap, any suggestions?  Also, btw I have squirrelmail up and running.

----------

## bluni

I apologize if this has been asked before, but what is the password that is used to encrypt /etc/ssl/postfix/server.crt ?

Thunderbird is asking for it when I try to import the cert and I've given it all the passwords that could be it. Any ideas? The setup is verbatim from the howto, everything else is working perfectly.

Thanks for your help,

Brian

----------

## tkhobbes

Hello

I am desperately seeking help, I have no idea what's wrong. A world update (emerge -uD world) switched the baselayout - and since then, courier-imapd-ssl won't start anymore.

Unfortunately, I have no log-files (how the heck do I have courier-imapd-ssl to log what's wrong?) - all I can say is that on starting up the service /etc/init.d/courier-imapd-ssl, I get a [!!] instead of an [ok] - no further error-messages...

Any idea what I could do?

I already skipped through many conf-files, and also re-emerged both courier-authlib and courier-imap - did nothing...  :Sad: 

thomas

----------

## robfish

I had the same problem but then found...

https://forums.gentoo.org/viewtopic-t-488476-highlight-courierimapd.html

(I went back to the previous version of baselayout)

----------

## tkhobbes

Wow, thanks man!  :Smile: 

The post says you can update to the latest courier-imap (~x86) which is what I did - and it works again!

 :Very Happy: 

so long

thomas

----------

## fank

Hello ALL !!!

I hope these suggestions can help anyone who gets "Input/output error!" with courier-imap, or another error.

If you get this stupid non-informative message try this:

1. DOUBLE check your conf for typos. For example, all paths to the mysql socket (I lost _hours_ before I found my "typo", because after I got a non-working conf from the official gentoo howto I tried to use other "useful" links and there was a wrong path to the mysql socket).

2. Use the strace utility to attach to the process and save the log to a file (-o option). Then grep these logs for the "Access denied" or "No such file" keywords and you will solve wrong permissions and paths.

3. I found TONS of references for "Input/output error!" without a solution and after wasting a few (!!!) days, I probably found a bug in "make install" of courier-imap - wrong permissions on the /var/lib/courier/authdaemon/ dir. This could help you:

```
cd /var/lib/courier/authdaemon/
chmod 777 ..
chmod 777 .
```

Sorry for my really bad English, I hope this will help to make a working mail server!

GOOD LUCK !!!

Last edited by fank on Fri Feb 23, 2007 12:54 pm; edited 1 time in total

----------

## RS2

Hello Beowulf, hello Chris Smith 

thanks a lot for the great work.

Because of a change in Bogofilter in release 0.16 I searched for a problem that doesn't really exist. 

It just cost me some time to realize that it isn't an ownership problem or anything else.

The problem:

Every time the cron job runs bogotrainer, I saw the message

 *Quote:*   

> bin/bogotrainer
> 
> Bogofilter directory found
> 
> Databases NOT found. Generating...
> ...

 

It seemed that it creates and creates ....

In Chapter 9, Bogofilter Mail Filtering Solution, subchapter 9.1 Bogofilter Instructions, step 4 is the script ~/Bin/bogotrainer. The lines

```
   if os.path.isfile(os.path.join(bogodir, "spamlist.db")):
       print "Databases found"
```

aren't correct anymore. The goodlist and spamlist are now the wordlist.db

So I would suggest to alter the script in 

```
#! /usr/bin/python 

 import os, os.path 

 

 #Configuration entries. Not much ATM. More if needed. 

 bogodir = "~/.bogofilter/" 

 maildir = "~/.maildir/" 

 

 #Leave everything below here unless you want to do some hacking :) 

 needdbs = 0 

 bogodir = os.path.expanduser(bogodir) 

 maildir = os.path.expanduser(maildir) 

 

 def cleanhamdirs(dir): 

    #We don't want Spam in the hamdirs :) 

    if dir[len(maildir):len(maildir) + 5] == ".Spam": 

       return 0 

    #The maildirs of the inbox, must be handled especially 

    if dir[len(maildir):len(maildir) + 3] == "cur": 

       return 0 

    if dir[len(maildir):len(maildir) + 3] == "tmp": 

       return 0 

    if dir[len(maildir):len(maildir) + 3] == "new": 

       return 0 

    #If you threw it away, you obviously don't want it :) 

    if dir[len(maildir):len(maildir) + 6] == ".Trash": 

       return 0 

    return 1 

 

 if os.path.isdir(bogodir): 

    print "Bogofilter directory found" 

    if os.path.isfile(os.path.join(bogodir, "wordlist.db")): 

       print "Databases found" 

    else: 

       print "Databases NOT found. Generating..." 

       needdbs = 1 

 else: 

    print "Bogofilter directory NOT found. Generating..." 

    needdbs = 1 

 

 if needdbs: 

    print "Generating databases:" 

    print "Regestering spam messages from", os.path.join(maildir,".Spam/cur") 

    spamlist = os.listdir(os.path.join(maildir,".Spam/cur")) 

    for spam in spamlist: 

       spampath = os.path.join(maildir,".Spam/cur/",spam) 

       print "- ", spampath 

       os.system("bogofilter -s < " + spampath) 

    if os.path.isdir(os.path.join(maildir, ".Ham")): 

       #If a specific .Ham dir exists, use that. 

       print "Regestering ham messages from", os.path.join(maildir,".Ham/cur") 

       hamlist = os.listdir(os.path.join(maildir,".Ham/cur")) 

       for ham in hamlist: 

          hampath = os.path.join(maildir,".Ham/cur",ham) 

          print "- ", hampath 

          os.system("bogofilter -n < " + hampath) 

    else: 

       #Or else, use everything that isn't spam! 

       print "Registering ham messages from", os.path.join(maildir,"cur") 

       hamlist = os.listdir(os.path.join(maildir,"cur")) 

       for ham in hamlist: 

          hampath = os.path.join(maildir,"cur",ham) 

          print "- ", hampath 

          os.system("bogofilter -n < " + hampath) 

       maildirs = [os.path.join(maildir,dir) for dir in os.listdir(maildir)] 

       maildirs = filter(os.path.isdir, maildirs) 

       maildirs = filter(cleanhamdirs, maildirs) 

       for dir in maildirs: 

          print "Regestering ham messages from", dir 

          hamlist = os.listdir(os.path.join(dir,"cur")) 

          for ham in hamlist: 

             hampath = os.path.join(dir,"cur",ham) 

             print "- ", hampath 

             os.system("bogofilter -n < " + hampath) 

 

 # So, everything exists, this must be an "updating run", easy! 

 # First, correct misdetected ham from the false-positives directory, 

 # and move it into the inbox. 

 print "Correcting ham messages from", os.path.join(maildir,".Spam.False-Positives") 

 hamlist = os.listdir(os.path.join(maildir,".Spam.False-Positives/cur")) 

 for ham in hamlist: 

    hampath = os.path.join(maildir,".Spam.False-Positives/cur",ham) 

    print "- ", hampath 

    os.system("bogofilter -Sn < " + hampath) 

    #Feed it back through procmail :) 

    os.system("/usr/bin/procmail -d $USER < " + hampath) 

    os.remove(hampath) 

 

 # Now, correct misdetected spam, and put it in the Spam maildir :) 

 print "Correcting spam messages from", os.path.join(maildir,".Spam.False-Negatives") 

 spamlist = os.listdir(os.path.join(maildir,".Spam.False-Negatives/cur")) 

 for spam in spamlist: 

    spampath = os.path.join(maildir,".Spam.False-Negatives/cur",spam) 

    print "- ", spampath 

    os.system("bogofilter -Ns < " + spampath) 

    #Don't bother procmailing it, put it in spam! :) 

    os.rename(spampath, os.path.join(maildir,".Spam/cur",spam))
```

So thanks again to all for the great "Email System For The Home Network " - Documentation.

----------

## bubbas

@RS2

perhaps the new Bogotrainer does the job for you  :Wink: 

https://forums.gentoo.org/viewtopic.php?p=1957681#1957681

https://forums.gentoo.org/viewtopic-t-334239.html

----------

## erik258

I followed this post.  Beowulf, if you still read this, you did a good job.  Thank you, and to they who contributed to the spamassassin section, that program is pretty nifty if I do say so myself, which I do. 

I found that it was necessary to edit the main.cf file to allow my server to accept mail from the outside world... 

```
smtpd_client_restrictions = permit_sasl_authenticated, permit
```

I changed that so I could receive mail from my online mail account that I had sent to my home email account.  I could not get the mail to go through.  And this line...

```
#smtpd_recipient_restrictions = permit_mynetworks, rejec
```

I put in to avoid relaying but commented out because it didn't work.  Besides, as I learned from reading up on this online, the default options for relaying and the smtpd_recipient_restrictions are quite sane, allowing only those in mynetworks, anyway.  

Is this not a good idea and in fact a necessary step of the setup?  Or is nobody trying to run this open to the outside world?
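On the relay question: smtpd_client_restrictions only decides who may open an SMTP session, and letting everyone connect is normal for a server that receives mail from the outside. Whether the server relays for strangers is decided by smtpd_recipient_restrictions, and in the Postfix versions of this thread its built-in default is permit_mynetworks, reject_unauth_destination, which is why a commented-out line leaves the server closed. The script below is an added example (not from the guide) that reads that parameter from a main.cf and reports whether relaying is closed; it assumes single-line parameter values (no continuation lines) and relies on Postfix evaluating the restriction list left to right, stopping at the first permit or reject. The sample main.cf contents in the usage block are constructed.

```bash
#!/bin/bash
# Is this Postfix an open relay by configuration? (added example, not the
# guide's own code). Assumes single-line values in main.cf.

# Print the value of one main.cf parameter; the last assignment wins,
# as in Postfix itself. Commented-out lines are ignored by the ^ anchor.
pf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 if smtpd_recipient_restrictions stops unauthorised relaying
# before any blanket permit, 1 otherwise. Postfix walks the list left to
# right and stops at the first permit/reject it reaches, so order matters.
relay_closed() {
    rr=$(pf_get "$1" smtpd_recipient_restrictions | tr ',' ' ')
    for item in $rr; do
        case "$item" in
            permit_mynetworks|permit_sasl_authenticated) continue ;;  # trusted senders
            reject_unauth_destination|reject) return 0 ;;            # relaying stopped here
            permit) return 1 ;;                                      # blanket permit too early
        esac
    done
    # Unset or empty: Postfix's default (permit_mynetworks,
    # reject_unauth_destination) applies and relaying is closed.
    [ -z "$rr" ] && return 0
    # A non-empty list that never rejects unauthorised destinations.
    return 1
}

# Usage: ./relaycheck.sh /etc/postfix/main.cf
if [ $# -eq 1 ]; then
    if relay_closed "$1"; then
        echo "$1: relaying closed to unauthenticated outside senders"
    else
        echo "$1: OPEN RELAY risk - add reject_unauth_destination before any permit"
    fi
fi
```

A sane line for this guide's setup is smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination: local hosts and SASL-authenticated users may relay, everyone else may only deliver to your own domains.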

----------

## tkhobbes

Hi all

First, thanks beowulf for the wonderful work - I have recently reinstalled my e-mail system, and the how-to is just wonderful!

Now, what puzzles me: It seems that bogotrainer does not learn anything: I have tons of spam, but they are in the inbox, and I move them to Spam/false-negatives. After a while, they are moved to Spam, as designed, but none of my e-mails will go to the Spam folder directly... as if they were not recognized...

At first, I thought that this is because I reinstalled the whole system and thus bogotrainer being dumb and with no idea about what is spam and what not - but I have done this some weeks ago, and still, the situation has not changed...

so long

thomas

----------

## erik258

First of all, to tkhobbes let me suggest spamassassin.  I never tried bogofilter, but spam assassin now supports bayesian filtering and, for the few days my network was up, it worked really well for me.  

Now on to my problem...

arghhh!  Help!  

I have set up a great home email network as directed by this guide.  After it finally got all up and working, it only took me a few days to break it. 

My home directory on the mail server is a nfs mounted partition on my fileserver.  When my fileserver crashed it took my maildir with it, and now when I try to fetch my mail from an online account I get...

 *Quote:*   

> procmail: Couldn't create or rename temp file "/home/dan/.maildir/tmp/1163264403.31958_1.davey"
> 
> fetchmail: MDA returned nonzero status 73
> 
> procmail: Couldn't create or rename temp file "/home/dan/.maildir/tmp/1163264408.31963_1.davey"
> ...

 

My theory was that it was a file locking problem or something, but I am not certain where the lock file would be stored or how to fix the problem.  I was also interested to get this message: 

```
davey tmp # touch 1163264455.32019_1.davey
touch: cannot touch `1163264455.32019_1.davey': Input/output error
```

What's going on?  Any suggestions?  Please help, this has now baffled me for a fortnight!

----------

## carpman

Hello, just set this up on a local box but get the following error when receiving mail:

```
Dec 13 11:29:06 smaartmail postfix/qmgr[4700]: 83D436B62D: to=<root@smaartmail.smaart.co.uk>, orig_to=<root>, relay=none, delay=29880, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]: Connection refused)
```

any ideas?

cheers

----------

## erik258

 *Quote:*   

> (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]: Connection refused) 

 

now why would that be?  Are you running smtp of some kind on localhost?  Are you running a firewall of some kind?  Do you have a 'lo' network device?

----------

## carpman

 *erik258 wrote:*   

>  *Quote:*   (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]: Connection refused)  
> 
> now why would that be?  Are you running smtp of some kind on localhost?  Are you running a firewall of some kind?  Do you have a 'lo' network device?

 

Not that I know of?

I have followed the guide and sent a test mail which was retrieved via fetchmail; it was in the queue for a while then bounced back to me.

The box is on my local network which is behind a firewall but there is no firewall on the box?

I decided to start with simple and then increase functions so have commented out the line:

```
/etc/postfix/main.cf

## AV
#content_filter = smtp-amavis:[127.0.0.1]:10024
```

Now I can receive mail ok but it insists on putting it in .maildir and not Maildir in /home/user !

I grepped all files in /etc for .maildir and changed them but it still puts them in .maildir?

There is also .procmailrc in the user dir which is set to Maildir

any ideas?

----------

## ivanova

everything was working fine, but I updated courier-imap and now I keep getting timeouts when trying to use thunderbird.

----------

## erik258

carpman, 

isn't .maildir a better place for mail?  I think so, personally.  Of course, to each his own.  An easy solution is ln -s ~/.maildir ~/Maildir, effectively making them the same place.  

ivanova,

 *Quote:*   

> I keep getting timeouts when trying to use thunderbird.

 

Doesn't the howto talk about thunderbird specifically?  I never got it working, and much prefer sylpheed-claws as its memory footprint is minimal, and I like that about it.

----------

## ivanova

Thunderbird works, I used it for a while now without problems. But something is broken now. I can view messages, but when I try to delete them I get an error:

```
COPY Failed - no write permission or out of disk space.
```

Disk space is ok and I tried all sorts of permissions on my maildir (although it worked fine before).

I have problems with sylpheed too, so I think the problem lies with courier-imap or courier-authlib

----------

## ivanova

Solved my problems. First I had problems with authentication. Solved it by editing /etc/courier/authlib/authdaemonrc from:

```
authmodulelist="authldap authpam authshadow"
```

to

```
authmodulelist="authpam authshadow authldap"
```

Finally, there was a problem with the Trash folder which caused the errors above. Solved it by removing the folder in .maildir and Thunderbird.

----------

## figueroa

I have a well running mailserver installation that filters mail through spamassassin (calling spamc from procmail) but wanted to call clamav from procmail as well before submitting mail to spamassassin.  What I came up with is posted at: https://forums.gentoo.org/viewtopic-p-3842834.html#3842834

----------

## imanassypov

Hi all,

does anyone know how to forward the identified spam mail to a different MTA? 

I know there are options to file it locally, send it to a specific ip address etc... 

Thanks!

-ig

----------

## moesasji

First of all: Thanks for the great howto.   :Very Happy: 

Based on this I have an IMAP server running without major hiccups so far.

It was a big puzzle however.....

However I stumbled on one question that I can't find a solution for. 

If I look at my log-files for the mail I see the following output

```

Feb 13 17:51:07 [imapd-ssl] couriertls: /var/lib/courier-imap/couriersslcache: No such file or directory

Feb 13 17:51:07 [imapd-ssl] Connection, ip=[127.0.0.1]

Feb 13 17:51:07 [imapd-ssl] LOGIN, user=hge, ip=[127.0.0.1], protocol=IMAP

Feb 13 17:51:10 [imapd-ssl] LOGOUT, user=hge, ip=[127.0.0.1], headers=218092, body=0, time=3, starttls=1

Feb 13 17:53:33 [imapd-ssl] couriertls: /var/lib/courier-imap/couriersslcache: No such file or directory

Feb 13 17:53:33 [imapd-ssl] Connection, ip=[127.0.0.1]

Feb 13 17:53:33 [imapd-ssl] LOGIN, user=hge, ip=[127.0.0.1], protocol=IMAP

Feb 13 17:53:33 [imapd-ssl] LOGOUT, user=hge, ip=[127.0.0.1], headers=0, body=0, time=0, starttls=1

```

As you can see, it contains lines that say couriersslcache: no such file or directory.

These errors are generated by Squirrelmail... but for some reason I can't get rid of them, and Google doesn't give an answer.

If I look through the config-files this couriersslcache is defined in the file /etc/courier-imap/imapd-ssl.

However if I understand it correctly from the comments in that file this cache should be created automatically. 

Clearly it is not.... as there is no file named couriersslcache on my system.

Does anybody know how to get rid of this error message?? (Or am I making a stupid mistake here?)

----------

## benkong2

Well, it should work; however, my KMail gets a connection refused error. I can, however, telnet 10.0.0.1 25 and get the proper response. What should I check?

Great tutorial

----------

## Bigun

I'm having issues receiving mail:

```
Mar  1 18:57:15 cybergrunge postfix/smtpd[22042]: NOQUEUE: reject: RCPT from nn6.excitenetwork.com[207.159.120.60]: 554 5.7.1

 <nn6.excitenetwork.com[207.159.120.60]>: Client host rejected: Access denied; from=<-deleted-@excite.com> to=<-deleted-@cybergrunge.com> proto=ESMTP helo=<excite.com>
```

My main.cf

----------

## Mr.C.

 *bigun89 wrote:*   

> I'm having issues receiving mail:
> 
> ```
> Mar  1 18:57:15 cybergrunge postfix/smtpd[22042]: NOQUEUE: reject: RCPT from nn6.excitenetwork.com[207.159.120.60]: 554 5.7.1
> 
> ...

 

What IP(s) do you think $mynetworks is ?

Are you behind a NAT'd firewall?

Also, while you are debugging, set:

unknown_local_recipient_reject_code = 450

instead of 550, so that bounces will retry until you get your config worked out.

It's better to post the output of postconf -n rather than your entire file - too much to look through.

----------

## Bigun

Sorry, here it is:

```
broken_sasl_auth_clients = yes  

command_directory = /usr/sbin   

config_directory = /etc/postfix 

daemon_directory = /usr/lib/postfix

debug_peer_level = 2            

home_mailbox = .maildir/        

html_directory = /usr/share/doc/postfix-2.3.6/html

inet_interfaces = all           

mail_owner = postfix            

mailq_path = /usr/bin/mailq     

manpage_directory = /usr/share/man

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

mydomain = cybergrunge.com      

myhostname = cybergrunge.com    

mynetworks_style = subnet       

myorigin = $mydomain            

newaliases_path = /usr/bin/newaliases

queue_directory = /var/spool/postfix

readme_directory = /usr/share/doc/postfix-2.3.6/readme

relay_domains = $mydestination  

sample_directory = /etc/postfix 

sendmail_path = /usr/sbin/sendmail

setgid_group = postdrop         

smtpd_client_restrictions = permit_sasl_authenticated, reject

smtpd_sasl_auth_enable = yes    

smtpd_sasl_local_domain = 

smtpd_sasl_security_options = noanonymous

unknown_local_recipient_reject_code = 450

```

I'm not firewalled.  I have a full and open connection.

I'm not sure what you mean by $mynetworks.... I have nothing set for it in main.cf.

Also noticed these:

```
Mar  1 18:57:14 cybergrunge postfix/smtpd[22042]: sql_select option missing

Mar  1 18:57:14 cybergrunge postfix/smtpd[22042]: auxpropfunc error no mechanism available

Mar  1 18:57:14 cybergrunge postfix/smtpd[22042]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql

Mar  1 18:57:14 cybergrunge postfix/smtpd[22042]: auxpropfunc error invalid parameter supplied

Mar  1 18:57:14 cybergrunge postfix/smtpd[22042]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb

Mar  1 18:57:15 cybergrunge postfix/smtpd[22042]: connect from nn6.excitenetwork.com[207.159.120.60]

Mar  1 18:57:15 cybergrunge postfix/smtpd[22042]: NOQUEUE: reject: RCPT from nn6.excitenetwork.com[207.159.120.60]: 554 5.7.1 <nn6.excitenetwork.com[207.159.120.60]>: Client host rejected: Access denied; from=<-deleted-@excite.com> to=<-deleted-@cybergrunge.com> proto=ESMTP helo=<excite.com>

Mar  1 18:57:15 cybergrunge postfix/smtpd[22042]: disconnect from nn6.excitenetwork.com[207.159.120.60]

Mar  1 19:00:35 cybergrunge postfix/anvil[22044]: statistics: max connection rate 1/60s for (smtp:207.159.120.60) at Mar  1 18:57:15

Mar  1 19:00:35 cybergrunge postfix/anvil[22044]: statistics: max connection count 1 for (smtp:207.159.120.60) at Mar  1 18:57:15

Mar  1 19:00:35 cybergrunge postfix/anvil[22044]: statistics: max cache size 1 at Mar  1 18:57:15

```

----------

## Mr.C.

bigun89,

smtpd_client_restrictions = permit_sasl_authenticated, reject

The default is to allow all connections requests.

You are only allowing SASL-authenticated *clients* to connect and relay mail to your system.   That means I cannot send you email, unless I authenticate myself with your system.

```
# telnet cybergrunge.com 25
Trying 69.18.117.210...
Connected to cybergrunge.com.
Escape character is '^]'.
220 cybergrunge.com ESMTP Postfix
EHLO gomer.com
250-cybergrunge.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:<test@example.com>
250 2.1.0 Ok
RCPT TO:<root@cybergrunge.com>
554 5.7.1 <example.com[10.0.0.1]>: Client host rejected: Access denied
RCPT TO:<root>
554 5.7.1 <example.com[10.0.0.1]>: Client host rejected: Access denied
quit
221 2.0.0 Bye
Connection closed by foreign host.
```

You have a number of other SASL problems (sql_select error, auxpropfunc no mechanism, failure to load the sql plugin for sasl, etc.)

It is generally advised to learn to configure postfix w/out authentication first, and then setup TLS and SASL after you have a working installation.

Get a firewall.

----------
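The two rejection messages in this exchange ("Client host rejected: Access denied" and, in the next posts, "Relay access denied") point at different restriction lists, and on a busy server they are easiest to tell apart by grouping the log. The script below is an added example, not code from any post in this thread: it reads a Postfix mail log, groups the smtpd rejections by cause and client, and names the main.cf parameter behind each cause. The sample log is constructed for the demo from the shape of the lines bigun89 posted, with the masked addresses replaced by example.com/example.net/example.org ones; the SASL plugin lines are the same ones he saw.

```shell
#!/bin/sh
# Added example (not from any post in the thread): group Postfix smtpd
# rejections by cause and client and say which main.cf parameter to look at.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Read a mail log on stdin; print "count TAB cause TAB client TAB where-to-look",
# most frequent first.  Only NOQUEUE rejections at RCPT time are counted.
triage_rejects() {
    awk '
    /postfix\/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from / {
        # client is the "host[ip]" that follows "RCPT from "
        split($0, a, "RCPT from "); split(a[2], b, ": "); client = b[1]
        cause = "other"; look = "smtpd_*_restrictions"
        if ($0 ~ /Client host rejected: Access denied/) {
            cause = "client-rejected"
            look = "smtpd_client_restrictions (every unauthenticated MTA hits the final reject)"
        } else if ($0 ~ /Relay access denied/) {
            cause = "relay-denied"
            look = "smtpd_recipient_restrictions + mynetworks (client neither in mynetworks nor SASL-authenticated)"
        } else if ($0 ~ /Recipient address rejected: User unknown/) {
            cause = "user-unknown"; look = "local_recipient_maps / mydestination"
        } else if ($0 ~ /Helo command rejected/) {
            cause = "helo-rejected"; look = "smtpd_helo_restrictions"
        }
        key = cause "\t" client; n[key]++; hint[cause] = look
    }
    # libsasl tries every installed auxprop plugin; unconfigured sql/ldapdb
    # plugins log a failure at smtpd start.  Noise, but it hides real errors.
    /_sasl_plugin_load failed on sasl_auxprop_plug_init/ { plugins++ }
    END {
        for (k in n) {
            split(k, p, "\t")
            printf "%d\t%s\t%s\t%s\n", n[k], p[1], p[2], hint[p[1]]
        }
        if (plugins)
            printf "%d\tsasl-plugin-noise\t-\tunconfigured Cyrus SASL auxprop plugins (sql, ldapdb); unrelated to the rejections\n", plugins
    }' | sort -rn
}

# Total rejections for one cause in a log file, e.g. cause_count relay-denied mail.log
cause_count() {
    triage_rejects <"$2" | awk -v c="$1" 'BEGIN { FS = "\t" } $2 == c { s += $1 } END { print s + 0 }'
}

# Constructed sample log (addresses invented; the line shapes are Postfix 2.x's).
cat >"$WORK/mail.log" <<'EOF'
Mar  1 18:57:14 cybergrunge postfix/smtpd[22042]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar  1 18:57:14 cybergrunge postfix/smtpd[22042]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Mar  1 18:57:15 cybergrunge postfix/smtpd[22042]: connect from nn6.excitenetwork.com[207.159.120.60]
Mar  1 18:57:15 cybergrunge postfix/smtpd[22042]: NOQUEUE: reject: RCPT from nn6.excitenetwork.com[207.159.120.60]: 554 5.7.1 <nn6.excitenetwork.com[207.159.120.60]>: Client host rejected: Access denied; from=<sender@example.com> to=<user@cybergrunge.com> proto=ESMTP helo=<excite.com>
Mar  1 18:57:15 cybergrunge postfix/smtpd[22042]: disconnect from nn6.excitenetwork.com[207.159.120.60]
Mar  1 19:12:02 cybergrunge postfix/smtpd[22101]: NOQUEUE: reject: RCPT from mx.example.net[192.0.2.10]: 554 5.7.1 <mx.example.net[192.0.2.10]>: Client host rejected: Access denied; from=<other@example.net> to=<user@cybergrunge.com> proto=ESMTP helo=<mx.example.net>
Mar  2 08:31:46 cybergrunge postfix/smtpd[24406]: NOQUEUE: reject: RCPT from home.example.org[198.51.100.7]: 554 5.7.1 <friend@example.com>: Relay access denied; from=<user@cybergrunge.com> to=<friend@example.com> proto=ESMTP helo=<[192.168.3.100]>
EOF

triage_rejects <"$WORK/mail.log"
```

Run it as `triage_rejects < /var/log/mail.log` on a real server. A tall "client-rejected" count spread over many different MX hosts means the client restriction list is turning away the Internet, as here; "relay-denied" from your own home IP means the recipient restrictions never saw a SASL login.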

## Bigun

Ok, that is fixed... thank you.

Now I'm having issues sending mail without using squirrelmail (ie - sending something from localhost).  

```
Mar  2 08:31:46 cybergrunge postfix/smtpd[24406]: connect from uslec-***-***-***-***.cust.uslec.net[***.***.***.***]

Mar  2 08:31:46 cybergrunge postfix/smtpd[24406]: NOQUEUE: reject: RCPT from uslec-***.***.***.***.cust.uslec.net[***.***.***.***]: 554 5.7.1 <-deleted-@-deleted-.com>: Relay access denied; from=<-deleted-@cybergrunge.com> to=<-deleted-@-deleted-.com> proto=ESMTP helo=<[192.168.3.100]>

Mar  2 08:31:48 cybergrunge postfix/smtpd[24406]: lost connection after RCPT from uslec-***.***.***.***.cust.uslec.net[***.***.***.***]

Mar  2 08:31:48 cybergrunge postfix/smtpd[24406]: disconnect from uslec-***.***.***.***.cust.uslec.net[***.***.***.***]

```

I did some research and I found that it probably has something to do with my relay_domains setting.  Right now it is set to $mydestination (which seems default).  And $mydestination is set to:

```
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
```

Am I on the right track here?

----------

## Mr.C.

 *bigun89 wrote:*   

> Ok, that is fixed... thank you.
> 
> Now I'm having issues sending mail without using squirrelmail (ie - sending something from localhost).  
> 
> ```
> ...

 

Postfix is now seeing your connection *as an outsider*, and thus it will not relay mail for outsiders (nor do you want that).  You can send email via squirrelmail because it connects locally (via the loopback interface, i.e. 127.0.0.1, localhost).  You will also find it succeeds using a simple SMTP conversation via telnet localhost 25, as I showed earlier.

I see that your HELO is IP address 192.168.3.100.  But cybergrunge.com has a different IP (a routable, not private, IP).   So, as I asked earlier, what IP do you think postfix is considering as its own?  What IPs are you connecting from when it fails?  I'd guess from the data above and what you said earlier, your server is directly connected with your public IP.  Postfix will accept email for all hosts on that subnet (mynetworks_style=subnet).  That probably is NOT what you want (open relay for all others on the subnet).  And the system from which you are trying to send email to your server is on a private 192.168.3.0/24 net.  Postfix will consider this a foreign address, and will not relay email from a foreign address.

You need to get clear in your mind your network topology.  It would be more helpful if you described this (you said no firewall or NATing, but something doesn't fit).

MrC

----------
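Mr.C.'s diagnosis above comes down to three lines of main.cf, plus one more he only hints at with his EHLO transcript (AUTH LOGIN PLAIN offered before any STARTTLS). The script below is an added example, not code from any post in this thread: it audits a `postconf -n` dump for those four problems and prints a corrected fragment. The sample dump is reconstructed from bigun89's post; the checks, the 192.168.3.0/24 LAN (taken from his HELO) and the /etc/ssl/postfix/ key paths in the fix are my assumptions. Newer Postfix (2.10 and later) also has smtpd_relay_restrictions, which takes over the relay decision from the recipient list; the same permit_sasl_authenticated rule belongs there too.

```shell
#!/bin/sh
# Added example (not from any post in the thread): audit a "postconf -n" dump
# for the restriction/mynetworks/SASL mistakes discussed above.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Value of one main.cf parameter from a "key = value" dump (empty if unset).
pf_get() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Print one "FINDING ..." line per problem found; always exits 0.
audit_postconf() {
    cfg=$1
    cr=$(pf_get smtpd_client_restrictions "$cfg")
    rr=$(pf_get smtpd_recipient_restrictions "$cfg")
    nets=$(pf_get mynetworks "$cfg")
    style=$(pf_get mynetworks_style "$cfg")
    sasl=$(pf_get smtpd_sasl_auth_enable "$cfg")
    tlsonly=$(pf_get smtpd_tls_auth_only "$cfg")

    # 1. A client list ending in a bare "reject" with no permit_mynetworks turns
    #    away every MTA on the Internet: "Client host rejected: Access denied".
    case "$cr" in
        *reject) case "$cr" in
            *permit_mynetworks*) ;;
            *) echo "FINDING smtpd_client_restrictions='$cr' rejects every unauthenticated MTA: no inbound mail can arrive" ;;
        esac ;;
    esac

    # 2. With mynetworks unset, mynetworks_style=subnet (the default) trusts the
    #    whole subnet the server's interface sits on; in a colo rack that is the ISP's.
    if [ -z "$nets" ] && [ "${style:-subnet}" != host ]; then
        echo "FINDING mynetworks is unset and mynetworks_style=${style:-subnet}: every host on the server's subnet may relay through you"
    fi

    # 3. The default recipient list (permit_mynetworks, reject_unauth_destination)
    #    never consults SASL, so an authenticated client outside mynetworks still
    #    gets "Relay access denied".  A list without reject_unauth_destination is an open relay.
    if [ "$sasl" = yes ]; then
        case "$rr" in
            *permit_sasl_authenticated*) ;;
            *) echo "FINDING smtpd_recipient_restrictions lacks permit_sasl_authenticated: SASL users outside mynetworks cannot relay" ;;
        esac
    fi
    if [ -n "$rr" ]; then
        case "$rr" in
            *reject_unauth_destination*|*defer_unauth_destination*) ;;
            *) echo "FINDING smtpd_recipient_restrictions='$rr' never rejects unauthorised destinations: open relay" ;;
        esac
    fi

    # 4. SASL without smtpd_tls_auth_only=yes advertises AUTH LOGIN PLAIN on a
    #    plaintext session: passwords cross the wire in the clear.
    if [ "$sasl" = yes ] && [ "$tlsonly" != yes ]; then
        echo "FINDING smtpd_sasl_auth_enable=yes but smtpd_tls_auth_only is not yes: AUTH LOGIN/PLAIN accepted without TLS"
    fi
}

# Number of findings for a dump (0 = clean).
count_findings() { audit_postconf "$1" | grep -c '^FINDING' || true; }

# Suggested replacement (my assumptions: LAN 192.168.3.0/24, cert/key paths).
# smtpd_client_restrictions is dropped: relay control belongs in the recipient list.
print_fix() {
    cat <<'EOF'
mynetworks = 127.0.0.0/8, 192.168.3.0/24
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/postfix/server.pem
smtpd_tls_key_file = /etc/ssl/postfix/server.key
EOF
}

# Constructed input: the relevant parameters bigun89 posted, in "postconf -n" form.
cat >"$WORK/bigun.conf" <<'EOF'
inet_interfaces = all
mydomain = cybergrunge.com
myhostname = cybergrunge.com
mynetworks_style = subnet
smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 450
EOF
print_fix >"$WORK/fixed.conf"

echo "== as posted: $(count_findings "$WORK/bigun.conf") finding(s)"
audit_postconf "$WORK/bigun.conf"
echo "== after fix: $(count_findings "$WORK/fixed.conf") finding(s)"
```

On a live box, `postconf -n > /tmp/pc.txt; audit_postconf /tmp/pc.txt` is enough; the fixed fragment audits clean because the relay decision is now made per recipient, SASL is honoured wherever the client connects from, and AUTH is only offered once the session is encrypted.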

## Bigun

The only actual NAT'ing is on the client side.  My machine is going through a router.  Most homes and businesses go through one, mine being no exception.  However, the actual mail server is sitting in a rack at an ISP.

I have SMTP authentication turned on anyway, can I just tell postfix to accept everyone?

----------

## Mr.C.

 *bigun89 wrote:*   

> The only actual NAT'ing is on the client side.  My machine is going through a router.  Most homes and businesses go through one, mine being no exception.  However, the actual mail server is sitting in a rack in a ISP.
> 
> I have SMTP authentication turned on, anyway I can just tell postfix to accept everyone?

 

Don't make assumptions about other people's networks.  Most homes do not use routers, they use "network appliances" which offer a variety of functions including routing, firewall, NAT, PAT, DHCP, etc.

I specifically asked if you were NATd in my first response.  You declined to state, and implied "no".

I specifically asked what you thought your $mynetworks value is.  You declined to determine this and state.

I specifically asked you to describe what *you* believe postfix thinks its IP address is, and what your sending IP address is.

I don't ask these questions because I'm curious - they are asked to get *you* to understand what's going on.

If you just want the answers to "how do I make it work",  I'm not the one to help you.

----------

## Bigun

 *Mr.C. wrote:*   

> I specifically asked if you were NATd in my first response.  You declined to state, and implied "no".

 

I would assume since the machine in question is the server, I didn't think you were asking about my machine.

 *Mr.C. wrote:*   

> I specifically asked what you thought your $mynetworks value is.  You declined to determine this and state.

 

Maybe because I didn't know?

 *Mr.C. wrote:*   

> I specifically asked you to describe what *you* believe postfix thinks its IP address is, and what your sending IP address is.
> 
> I don't ask these questions because I'm curious - they are asked to get *you* to understand what's going on.
> 
> If you just want the answers to "how do I make it work",  I'm not the one to help you.

 

Asking me questions will not help me understand what is going on.  Not everyone learns the same way.  I myself learn by getting something to work first, then tinkering from that point forward.

I'm not sure if this was your intention, but I felt "talked down" to by your reply, and do not wish for that kind of help.  Maybe it would be best to leave this as is.

----------

## carpman

Hello, OK, I have it working, I think. I have set up TLS in Postfix, but when trying to connect from clients using TLS it does not work; I can only do it if I select SSL. If I try 'see what server supports', again I only get SSL and not TLS!

Is this correct?

cheers

----------

## Mr.C.

You're going to have to give more details than that.

Some clients such as Outlook 2000 will only work via SSL port 465.

MrC

----------

## carpman

 *Mr.C. wrote:*   

> You're going to have to give more details than that.
> 
> Some clients such as Outlook 2000 will only work via SSL port 465.
> 
> MrC

 

The clients are KMail and Thunderbird, what other info do you require?

----------

## Mr.C.

Well, have you verified that port 25 (or your submission port 587) is offering TLS ?

Have you verified that the TLS connection succeeds with "openssl s_client -starttls smtp ..." ?

MrC

----------

## carpman

 *Mr.C. wrote:*   

> Well, have you verified that port 25 (or your submission port 587) is offering TLS ?
> 
> Have you verified that the TLS connection succeeds with "openssl s_client -starttls smtp ..." ?
> 
> MrC

 

Umm, no, but if I knew how I would?

----------

## Mr.C.

This should get you started down that path:

http://tinyurl.com/2akj4y

MrC

----------

## carpman

 *Mr.C. wrote:*   

> This should get you started down that path:
> 
> http://tinyurl.com/2akj4y
> 
> MrC

 

Cheers, will try that.

----------

## carpman

 *carpman wrote:*   

>  *Mr.C. wrote:*   This should get you started down that path:
> 
> http://tinyurl.com/2akj4y
> 
> MrC 
> ...

 

OK, tried that command and get a lot of output concerning certs:

Some entries edited for security indicated by 'snip'

```

openssl s_client -connect localhost:25 -starttls smtp

CONNECTED(00000003)

depth=0 /C=US/ST=California/L=Santa Barbara/O=Postfix SMTP Server/OU=For Testing Purposes Only/CN=localhost/emailAddress=root@localhost

verify error:num=18:self signed certificate

verify return:1

depth=0 /C=US/ST=California/L=Santa Barbara/O=Postfix SMTP Server/OU=For Testing Purposes Only/CN=localhost/emailAddress=root@localhost

verify error:num=7:certificate signature failure

verify return:1

depth=0 /C=US/ST=California/L=Santa Barbara/O=Postfix SMTP Server/OU=For Testing Purposes Only/CN=localhost/emailAddress=root@localhost

verify return:1

---

Certificate chain

 0 s:/C=US/ST=California/L=Santa Barbara/O=Postfix SMTP Server/OU=For Testing Purposes Only/CN=localhost/emailAddress=root@localhost

   i:/C=US/ST=California/L=Santa Barbara/O=Postfix SMTP Server/OU=For Testing Purposes Only/CN=localhost/emailAddress=root@localhost

---

Server certificate

-----BEGIN CERTIFICATE-----

snip

-----END CERTIFICATE-----

subject=/C=US/ST=California/L=Santa Barbara/O=Postfix SMTP Server/OU=For Testing Purposes Only/CN=localhost/emailAddress=root@localhost

issuer=/C=US/ST=California/L=Santa Barbara/O=Postfix SMTP Server/OU=For Testing Purposes Only/CN=localhost/emailAddress=root@localhost

---

No client certificate CA names sent

---

SSL handshake has read 1375 bytes and written 332 bytes

---

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA

Server public key is 1024 bit

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1

    Cipher    : DHE-RSA-AES256-SHA

    Session-ID: 2C199F14BCA071DAB8DF0D4B902D726D5C9BCABBCC4E56AB1BC26CE7C1D460A2

    Session-ID-ctx:

    Master-Key: snip

    Key-Arg   : None

    Start Time: 1173957358

    Timeout   : 300 (sec)

    Verify return code: 7 (certificate signature failure)

---

220 mail.publishing.co.uk ESMTP Postfix

DONE

```

Seem to be problems with the certs, with these lines:

```

verify error:num=7:certificate signature failure

No client certificate CA names sent

```

That said the logs show:

```

postfix/smtpd[23999]: TLS connection established from localhost[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

```

Not sure if related, but I also see this error in the logs:

```

imapd-ssl: /etc/courier-imap/shared/index: No such file or directory

```

The dir /etc/courier-imap/shared/ is there, but no index?

cheers

----------

## Mr.C.

It appears you do not have your root CA installed.  Your certificate cannot be verified without the self-signed root CA available.

mrC

----------

## carpman

 *Mr.C. wrote:*   

> It appears you do not have your root CA installed.  Your certificate cannot be verified without the self-signed root CA available.
> 
> mrC

 

Umm, I did follow the guide and created a cert; is there another one I have to create?

----------

## Mr.C.

"A cert", or both your self-signed CA *and* server certificate?

----------

## carpman

 *Mr.C. wrote:*   

> "A cert", or both your self-signed CA *and* server certificate?

 

I did section:

```

5.2 Adding SSL Support:

As mentioned, we want to only use SSL to connect to our IMAP server. Since we have chosen a safer method of authentication, it requires a bit more work. Let's do it now while we're still as root:

Code:

root@server # vi /etc/courier-imap/imapd.cnf

[ req_dn ]

C=CA

ST=ON

L=Toronto

O=Mail Server

OU=Automatically-generated IMAP SSL Key

CN=localhost

emailAddress=root@localhost

As you can see, I've changed the variables to match my network and location. I recommend you do the same. It doesn't really matter, but you should do it anyways. You can find all the variables to change in the "[ req_dn ]" section of the file. After you've done that, we can make our certificate file:

Code:

root@server # cd /etc/courier-imap && mkimapdcert

```

Looking at it now, it looks like it is only for IMAP, so I need to do one for TLS, but I'm not sure how?

PS many thanks for the help.

----------

## Mr.C.

Are we trying to solve clients connecting to POSTFIX via TLS or,

are we trying to solve clients connecting to your IMAP server?

I would suggest that it is important to learn about the steps you are taking, and not blindly type them in.   You are trying to configure a *secure* email system, but have no idea how, or why, or *if* it is secure.

MrC

----------
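The s_client output carpman posted and Mr.C.'s replies turn on one distinction: a certificate can only verify if the CA that signed it (for a self-signed certificate, the certificate itself) is in the trust store the verifier is given. The script below is an added example, not code from any post in this thread or from the guide: it builds throw-away keys with openssl and shows the four outcomes offline, so the "self signed certificate" line and the cure (pass the CA with -CAfile, or install it in the client) can be seen side by side. The names (Home CA, mail.example.test, localhost) and the temporary paths are invented for the demo; check_starttls is the live variant and is not run here.

```shell
#!/bin/sh
# Added example (not from any post in the thread): reproduce the openssl
# verify outcomes discussed above with throw-away keys.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A private root CA, a server cert signed by it, and (like the cert in carpman's
# s_client output, subject == issuer) a server cert that signs itself.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Home CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=localhost' \
        -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# Outcome of "openssl verify" as one word.  $1 = certificate, $2 = optional CA file.
# Old openssl exits 0 even on failure, so the decision is made on the text.
verify_result() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1 || true)
    else
        out=$(openssl verify "$1" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*)                           echo OK ;;           # chain built to a trusted root
        *"self signed"*|*"self-signed"*)    echo SELF_SIGNED ;;  # error 18: leaf is its own issuer, not trusted
        *"local issuer"*)                   echo NO_ISSUER ;;    # error 20: signer not in the store given
        *)                                  echo "OTHER: $out" ;;
    esac
}

# Live check against a running Postfix (not run here): with the right -CAfile
# s_client ends in "Verify return code: 0 (ok)" instead of 18 or 7.
check_starttls() {   # $1 = host, $2 = 25 or 587, $3 = CA file
    openssl s_client -connect "$1:$2" -starttls smtp -CAfile "$3" </dev/null 2>&1 \
        | grep 'Verify return code'
}

make_certs
echo "CA-signed cert, no CA given:    $(verify_result "$WORK/server.pem")"
echo "CA-signed cert, CA given:       $(verify_result "$WORK/server.pem" "$WORK/ca.pem")"
echo "self-signed cert, no CA given:  $(verify_result "$WORK/self.pem")"
echo "self-signed cert, trusted:      $(verify_result "$WORK/self.pem" "$WORK/self.pem")"
```

The last two lines are carpman's case: a certificate made with mkimapdcert or a lone `openssl req -x509` is its own issuer, so every client reports it as self-signed until that same PEM is imported as a trusted authority (or the server is given a certificate signed by a CA the clients already trust). Note that the verify error 7 ("certificate signature failure") in his output is not what a merely untrusted certificate produces; it means the signature on the certificate does not check out against the issuer key, which is worth regenerating the certificate over.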

## carpman

 *Mr.C. wrote:*   

> Are we trying to solve clients connecting to POSTFIX via TLS or,
> 
> are we trying to solve clients connecting to your IMAP server?
> 
> I would suggest that it is important to learn about the steps you are taking, and not blindly type them in.   You are trying to configure a *secure* email system, but have no idea how, or why, or *if* it is secure.
> ...

 

I am only following the guide. I am connecting via IMAP using KMail and Thunderbird; if there is something that is not in the guide that I should be doing, then yes, I do not know what I am doing. If I did, I would not need the guide?

----------

## tkhobbes

 *john5211 wrote:*   

> Finally, as mentioned in the guide, make sure that fetchmail is passing the mail directly to postfix (via port 25) rather than procmail.  Since I check mine via cron, I just changed my crontab to:
> 
> ```
> 
> */5  * * * * /usr/bin/fetchmail -K -s
> ...

 

Hi, maybe this has been answered before, but: If I don't use procmail, how do I sort e-mails into different folders, then?

so long

thomas

----------

## mariourk

Could someone take a look at this thread?

It describes the same problem as Benzman and bruor are having.

I hope someone knows how to fix this.   :Confused: 

----------

## rpmohn

I've been going crazy for the past week! I've been using this thread's tutorial/method with great success for several years now, but last Sunday (Nov18) I upgraded postfix to v2.4.5 and ever since then I can't get local delivery to work! I tried downgrading back to v2.3.6, but no luck. I tried reinstalling everything from this tutorial, but still no luck!  :Mad: 

This is the only information I get:

```
(temporary failure. Command output: procmail: [6503] Mon Nov 26 10:56:12 2007 procmail: Assigning "LOGFILE=/home/rpmohn/.procmail/procmail.log" procmail: Opening "/home/ross/.procmail/procmail.log")
```

If I could get some more Command Output, I might be able to figure this out, but I haven't been able to! Procmail is still delivering just fine through fetchmail. It's just the internal stuff. Aaaaargh!   :Mad: 

Please help! -Ross

----------

## rpmohn

 *rpmohn wrote:*   

> I've been going crazy for the past week! I've been using this thread's tutorial/method with great success for several years now, but last Sunday (Nov18) I upgraded postfix to v2.4.5 and ever since then I can't get local delivery to work! I tried downgrading back to v2.3.6, but no luck. I tried reinstalling everything from this tutorial, but still no luck! 
> 
> This is the only information I get:
> 
> ```
> ...

 

OK, I finally solved it. The problem was that Postfix didn't like the size of my bogofilter wordlist.db file. Fetchmail didn't have a problem with it, but Postfix did. Here is the relevant FAQ entry on the bogofilter website (though I never saw DB_PAGE_NOTFOUND as an error message!)

http://bogofilter.sourceforge.net/faq.shtml#page-notfound

Cheers! -Ross

----------

## carpman

Hello would like to increase the rate at which email is processed using this setup.

How best would this be achieved?

I believe I need to increase the Postfix processes plus increase the amavisd-new processes, ensuring there are more amavis processes than Postfix processes; is this correct?

Are there any other settings that would need changing, such as spamd?

many thanks

----------

## nhe

I have followed this guide to setup my mailserver and it is working fine but I see the following errors in the logs when an imap client attaches to the server:

```
Jan 17 11:47:51 mythtv authdaemond: PAM unable to resolve symbol: pam_sm_open_session
Jan 17 11:47:51 mythtv authdaemond: PAM unable to resolve symbol: pam_sm_close_session
```

Anyone an idea?

Thanks,

Nick

----------

## carpman

 *nhe wrote:*   

> I have followed this guide to setup my mailserver and it is working fine but I see the following errors in the logs when an imap client attaches to the server:
> 
> Jan 17 11:47:51 mythtv authdaemond: PAM unable to resolve symbol: pam_sm_open_session
> 
> Jan 17 11:47:51 mythtv authdaemond: PAM unable to resolve symbol: pam_sm_close_session
> ...

 

This guide is out of date in regard to PAM: the guide still uses pam_stack, but current PAM does not use this anymore. Check the PAM update page, as you will need to alter the PAM config files to the new syntax:

http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml

----------

## figueroa

 *Quote:*   

> 
> 
> Not sure if related, but I also see this error in the logs:
> 
> ```
> ...

 

Me too, and I couldn't just let it be.

There are some references to "shared" in the file /etc/courier-imap/imapd and in /usr/share/doc/courier-imap-*/maildir/README.sharedfolders.txt.bz2

This last read, in part:

 *Quote:*   

> 
> 
> NOTE:
> 
> If the "shared" directory doesn't exist, just create it.
> ...

 

So, on one server I did have a "shared" directory, so as root I just did "touch index" from within that directory.

On the 2nd server, I did not have a "shared" directory, so I created one, and then did "touch index"

The error messages went away and I'm happy.

----------

## Bigun

 *beowulf wrote:*   

> cmassa - After you've ran and killed CA.pl, have you gone and cleaned up the mess?  Remove all the *.pem files as well as another file located further down.... Read the Troubleshooting section where I describe what files need to be removed....

 

I've removed the *.pem files.... what other file needs to be deleted, I do not see this mentioned in the troubleshooting section.

----------

## pmatos

Does anyone have a problem emerging courier-authlib 0.62.2 on amd64?

----------

