Email Server using IMAP and SMTP

Why

I wanted to have an email server so that we would have access to our email from any host on our network and so that I could filter my children's email until they are old enough to handle SPAM.

What

For this email server, I needed an IMAP server and an SMTP server. There are several choices. Even CentOS provides choices for both. Because I have experience running a CMU Cyrus IMAP server and a Sendmail SMTP server, I decided to use them. One can easily argue that the CMU Cyrus IMAP server and the Sendmail SMTP server are overkill for home use. However, since I know how to configure them, they were the natural choice for me. CentOS comes with packages for both.

Authentication

Both the CMU Cyrus IMAP server and the Sendmail SMTP server support the use of SASL for authentication. Therefore, I decided to authenticate using saslauthd with an LDAP backend. On GNU/Linux in general and CentOS in particular, the SASL library of choice is CMU Cyrus SASL library. Therefore, I used the CMU Cyrus SASL library.

CMU Cyrus SASL

Installation

Since the cyrus-sasl and cyrus-sasl-plain packages were already installed, there was nothing additional to install. Since I store LDAP passwords in SSHA hashed format, only plaintext authentication mechanisms (PLAIN and LOGIN, which hand the password to saslauthd for verification) can be supported. Therefore, I did not need any of the other authentication mechanisms provided by the other Cyrus SASL packages.

Configuration

I have configured saslauthd to use LDAP. Our configuration files (/etc/saslauthd.conf and /etc/sysconfig/saslauthd) are simple and should be self-explanatory.

Sendmail

Installation

I installed the sendmail and sendmail-cf packages. I installed the sendmail-cf package because I needed the ability to compile /etc/mail/sendmail.mc into /etc/mail/sendmail.cf.

Configuration

Our configuration files (/etc/mail/sendmail.mc, /etc/mail/access and /usr/lib64/sasl2/Sendmail.conf) are simple.

We have a dynamic IP address from our ISP. In an attempt to reduce spam, some ISPs have been blocking email from SMTP servers that use a dynamic IP address. In order to avoid email being blocked for this reason, I have configured Sendmail to forward all non-local mail to our ISP's mail server (smtp-server.san.rr.com).

Sendmail uses SASL for SMTP AUTH. The SASL configuration information for Sendmail is in /usr/lib64/sasl2/Sendmail.conf. I have configured Sendmail to use the saslauthd, which in turn uses LDAP.

CMU Cyrus IMAP

Installation

I installed the cyrus-imapd and cyrus-imapd-utils packages. I installed the cyrus-imapd-utils package because I needed the 'sieveshell' utility.

Configuration

Our configuration files (/etc/cyrus.conf and /etc/imapd.conf) are relatively simple.

Sieve

The CMU Cyrus IMAP server has Sieve filter support. I use the Sieve filtering capability to filter messages based on mail headers added by MIMEDefang. Currently, I have configured every user's account to use the Sieve script: default.script.

The CMU Cyrus IMAP server provides access to the Sieve filters through the timsieved daemon. Since timsieved does not support SSL, I have configured it to listen only on localhost. Since users are not allowed access to their Sieve filters, the only user I added to the 'users-sieve' group is the CMU Cyrus IMAP server administrator (root-imap).

Originally, I used the 'sieveshell' utility to upload and activate the Sieve scripts. Later, I configured the server to install default.script whenever it creates a new IMAP user account.
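The following is an added example of what a default.script of the kind described above can look like; it is not the author's actual script. It relies on the 'X-Spam-Flag' and 'X-Spam-Whitelist' headers that MIMEDefang adds (described in the MIMEDefang section below), and the folder names INBOX.Spam and INBOX.Unknown are assumptions that must match existing mailboxes (or ones the server auto-creates).

```sieve
# default.script (added example, not the author's own).
# Folder names INBOX.Spam and INBOX.Unknown are assumed.
require ["fileinto"];

# Anything SpamAssassin flagged (header set by MIMEDefang) goes to the spam folder.
if header :is "X-Spam-Flag" "YES" {
    fileinto "INBOX.Spam";
    stop;
}

# Mail from senders who are not in our LDAP directory is held in a separate
# folder instead of being delivered to the INBOX.
if header :is "X-Spam-Whitelist" "No" {
    fileinto "INBOX.Unknown";
    stop;
}

# Everything else reaches the INBOX through Sieve's implicit keep.
```

These rules are only as trustworthy as the headers they test: they work because the milter sets both headers on every inbound message. If the milter ever passed a pre-existing 'X-Spam-Whitelist' header through unchanged, a remote sender could add one and land in the INBOX, so the filter side should delete any incoming copies before adding its own.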

MIMEDefang, ClamAV and SpamAssassin

Sendmail supports processing mail using mail filters (milters). One powerful milter is MIMEDefang. In addition to checking for potentially harmful MIME parts on its own, it checks for viruses using ClamAV and for spam using SpamAssassin. Also, MIMEDefang can easily be extended to do other checks by adding the appropriate Perl code to MIMEDefang's configuration file.

Installation

Extra Packages for Enterprise Linux includes a MIMEDefang package. So, I installed it.

Extra Packages for Enterprise Linux includes a ClamAV package. So, I installed it.

CentOS includes a SpamAssassin package. So, I installed it.

Configuration

I am using MIMEDefang to reduce the chance that unwanted (and harmful) inbound mail will enter my network and to reduce the chance that unwanted (and harmful) outbound mail will leave my network. I am using MIMEDefang as the milter for ClamAV and SpamAssassin, because MIMEDefang allows me to configure the behaviors that I want using Perl code that I add to MIMEDefang's configuration file (/etc/mail/mimedefang-filter).

I have configured MIMEDefang to apply a SPAM rating using SpamAssassin. The SPAM rating is placed in the mail headers 'X-Spam-Flag' and 'X-Spam-Status'. The 'X-Spam-Flag' indicates whether or not SpamAssassin thought that the mail was spam, and the 'X-Spam-Status' header indicates how SpamAssassin decided whether or not the mail was spam. The 'X-Spam-Flag' header is used by the CMU Cyrus IMAP server's Sieve filter to filter the mail.

I have configured MIMEDefang to check for viruses using ClamAV. If a virus is found in outbound mail, then the server logs the event and does not accept the mail from the client. If a virus is found in inbound mail, then the server logs the event and deletes the mail.

I have configured MIMEDefang to check the sender address for outbound mail. If the sender address is not in the 'mail' attribute of the user's LDAP entry, then the server does not accept the mail. This prevents a virus from forging the from address.

I have configured MIMEDefang to check the recipient addresses for outbound mail. If the recipient address is not in the LDAP directory, then the server does not accept the mail. This prevents my children from sending mail to people that we do not know.

I have configured MIMEDefang to check the sender for inbound mail. If the sender address is in the LDAP directory, then the server adds the mail header 'X-Spam-Whitelist: Yes'. Otherwise, the server adds the mail header 'X-Spam-Whitelist: No'. This header is used by the CMU Cyrus IMAP server's Sieve filter to filter the mail. This reduces the chance that my children will receive mail from people that we do not know.
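As an added example (not the author's actual filter), here is a trimmed /etc/mail/mimedefang-filter that implements the five checks described above: the ClamAV scan, the SpamAssassin headers, the outbound sender check against the authenticated user's 'mail' attribute, the outbound recipient check, and the inbound 'X-Spam-Whitelist' header. The LDAP URI, search base and local network list are assumptions; mimedefang must be started with -s and -t for filter_sender and filter_recipient to run, and the sender check relies on the {auth_authen} macro, which Sendmail exports to milters at MAIL FROM by default.

```perl
# Added example /etc/mail/mimedefang-filter; not the author's file.
# LDAP_URI, LDAP_BASE and LOCAL_NETS are assumptions; adjust them for your site.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Globals that mimedefang.pl provides to the filter.
our ($Sender, $RelayAddr, $VirusName, %SendmailMacros);

my $LDAP_URI   = 'ldap://localhost/';             # assumed
my $LDAP_BASE  = 'ou=People,dc=example,dc=com';   # assumed
my @LOCAL_NETS = ('127.0.0.1', '192.168.1.');     # assumed: clients here send "outbound" mail

# Outbound mail is mail relayed from a client on our own network.
sub is_outbound {
    my ($ip) = @_;
    return scalar grep { index($ip, $_) == 0 } @LOCAL_NETS;
}

# Strip the <> that MIMEDefang keeps around envelope addresses.
sub bare_address {
    my ($addr) = @_;
    $addr =~ s/^<//;
    $addr =~ s/>$//;
    return lc $addr;
}

# Return every 'mail' value of the entries matching an LDAP filter (empty list on error).
sub ldap_mail_values {
    my ($filter) = @_;
    my $ldap = Net::LDAP->new($LDAP_URI, timeout => 5) or return ();
    return () if $ldap->bind->code;    # anonymous bind; the directory must allow reading 'mail'
    my $res = $ldap->search(base => $LDAP_BASE, scope => 'sub',
                            filter => $filter, attrs => ['mail']);
    my @addrs = $res->code ? () : map { lc $_ } map { $_->get_value('mail') } $res->entries;
    $ldap->unbind;
    return @addrs;
}

# MAIL FROM check: outbound senders must use an address listed in the 'mail'
# attribute of their own (SMTP AUTH) LDAP entry, so a virus cannot forge the from address.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    return ('CONTINUE', 'ok') unless is_outbound($ip);
    read_commands_file();    # makes %SendmailMacros available in this callback
    my $user = $SendmailMacros{'auth_authen'};
    return ('REJECT', 'Authentication required for outbound mail')
        unless defined $user && length $user;
    my $addr = bare_address($sender);
    my @own  = ldap_mail_values('(uid=' . escape_filter_value($user) . ')');
    return ('CONTINUE', 'ok') if grep { $_ eq $addr } @own;
    md_syslog('warning', "rejected outbound sender $addr for authenticated user $user");
    return ('REJECT', 'Sender address does not belong to the authenticated user');
}

# RCPT TO check: outbound recipients must exist in the directory.
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
    return ('CONTINUE', 'ok') unless is_outbound($ip);
    my @known = ldap_mail_values('(mail=' . escape_filter_value(bare_address($recipient)) . ')');
    return ('CONTINUE', 'ok') if @known;
    return ('REJECT', 'Recipient is not in our address book');
}

# Whole-message checks after DATA: virus scan, spam rating, whitelist header.
sub filter_begin {
    my ($entity) = @_;
    my $outbound = is_outbound($RelayAddr);

    if (message_contains_virus_clamd()) {
        md_syslog('warning', "virus $VirusName in mail from $Sender (relay $RelayAddr)");
        if ($outbound) { action_bounce("Message rejected: contains virus $VirusName"); }
        else           { action_discard(); }
        return;
    }

    # Drop any copies of our marker headers that arrived with the message, so a
    # remote sender cannot pre-set "X-Spam-Whitelist: Yes" and bypass the Sieve rules.
    action_delete_all_headers($_) for qw(X-Spam-Flag X-Spam-Status X-Spam-Whitelist);

    my ($hits, $req, $names, $report) = spam_assassin_check();
    my $flag = ($hits >= $req) ? 'YES' : 'NO';
    action_add_header('X-Spam-Flag', $flag);
    action_add_header('X-Spam-Status',
        sprintf('%s, score=%.1f required=%.1f tests=%s', $flag, $hits, $req, $names));

    unless ($outbound) {
        my @known = ldap_mail_values('(mail=' . escape_filter_value(bare_address($Sender)) . ')');
        action_add_header('X-Spam-Whitelist', @known ? 'Yes' : 'No');
    }
}

sub filter     { return; }    # no per-part handling in this example
sub filter_end { return; }

1;
```

Two design points worth noting: every value that ends up in an LDAP search filter (the authenticated username and the envelope addresses) is passed through escape_filter_value so that a crafted address cannot change the meaning of the query, and the marker headers are deleted before being re-added so that the Sieve script downstream only ever sees values this filter set.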

RoundCube Webmail

Under some situations, being able to access email from a web browser is useful. For example, it is much easier to use webmail when using a public computer.

There are many webmail packages. In the past, I have used SquirrelMail and Horde IMP. However, my current favorite is RoundCube Webmail, because its use of AJAX provides a more dynamic user interface than the other webmail clients that I have used. Therefore, I am using RoundCube Webmail.

Installation

I installed roundcubemail-0.1.1 from the source tarball by extracting it into the directory /usr/share and linking the resulting directory to /var/www/html/mail. I have not upgraded to roundcubemail-0.2 because it requires a minimum PHP version that is newer than the PHP version included in CentOS 5.2.

I applied the patches preview_pane, ldap_wildcard_fix and ldap_bind_session_identity in order to enable features useful in our configuration. The first patch adds the preview pane configuration option. The second patch fixes a bug in wildcarded LDAP searching when the search pattern is empty. The third patch adds the ability to automatically bind to an LDAP server using the user's RoundCube Webmail login username and password.

Configuration

I configured it according to the instructions in the INSTALL file. I set the file ownership to root:apache. I set the permissions such that the owner has read-write access, the group has read-only access and others have read-only access, except for the logs and temp directories, where the group has read-write access, and the files in the config directory, where others have no access.

My RoundCube Webmail configuration files are db.inc.php and main.inc.php.