So now to repair my mistake I am adding the following features to my already existing mail server. To find out how to setup the  mail server itself read my earlier article.

• Use spamassassin to mark spam in the header
• Change the mail delivery to dovecot LDA, this is needed for step 3
• Automatically move marked e-mails to the spam folder of the user

Sounds easy right. Well it should be .

Install spamassassin and set it up in postfix

The first step we will take is installing and setting up the spamassassin tool. First lets install it with the default options from Debian by running:


apt-get install spamassassin
useradd -g spamd -s /bin/false -m -d /home/spamassassin spamd

Next we setup the basics of spamassassin configuration, the file called /etc/spamassassin/local.cf

report_safe        0
required_score     2.0
use_bayes          1
bayes_auto_learn   1
use_bayes_rules    1

# Some basic configuration
score DCC_CHECK 4.000
score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000
score RAZOR2_CHECK 2.500
score BAYES_99 4.300
score BAYES_95 3.500
score BAYES_80 3.000

# Headers to be added for all scanned messages
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_

So what we’ve done so far is set spamassassin up to automatically learn from mail it receives and to mark anything with a bayes score over 2 as spam. But we still need to integrate it into postfix to get it to work. Add the following to the postfix configuration (/etc/postfix/master.cf):

spamassassin unix -     n       n       -       -       pipe
 user=spamd argv=/usr/bin/spamc -f -e
 /usr/sbin/sendmail -oi -f ${sender} ${recipient}

You will also need to change the smtp line in the same file to the following, this will set up spamassassin as a pre delivery filter:

smtp      inet  n     -     -     -     -     smtpd -o content_filter=spamassassin

This will add the spamassassin service as a unix service through a pipe connection. Sounds complicated but it’s really easy it basically uses a binary file to comunicate between postfix and spamassassin. Make sure the user spamd exists and create the folder /usr/bin/spamc with full access to the spamd user. Also edit the file spamassassin to the following:

# /etc/default/spamassassin
# Change to one to enable spamd
ENABLED=1

# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.
SAHOME="/var/lib/spamassassin/"
OPTIONS="--create-prefs --max-children 5 --username spamd --helper-home-dir ${SAHOME} -s ${SAHOME}spamd.log"
PIDFILE="${SAHOME}spamd.pid"
CRON=0

Make sure to create the directory /var/lib/spamassassin and give spamd full access right to it, otherwise the service might not run properly. Spamassassin is now setup and will start scanning your e-mail. So if all you are interested in is the header being changed to indicate if a message is spam then you are done. If you also wish yo move it to a different folder then continue reading.

Settup Dovecot as LDA (Local Delivery Agent)

Next step is setting up dovecot as the default LDA for postfix. This is needed to let dovecot filter messages into the proper locations. First setup the connection to the between postfix and dovecot by adding the following to the /etc/postfix/master.cf:

dovecot   unix  -       n       n       -       -       pipe
 flags=DRhu user=dovecot:dovecot
 argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

Please note that we now need to keep track of the fact that dovecot will be the user that is running this part of the mail server. So every file needed, log or configuration and mailboxes related, need to be owned by dovecot:dovecot. I have had issues with files having the wrong owner so it is important! Before activating the postfix connection lets configure dovecot for LDA by editing the /etc/dovecot/dovecot.conf file. Add the following piece of code in the group auth default >> socket listen:

        master {
          path = /var/run/dovecot/auth-master
          user = dovecot
          group= ssl-cert
          mode = 0600
        }


This will setup the authentication service that dovecot will use for delivering the e-mail to the correct user and authenticating users. Also add the following at the bottom of the file to configure the LDA of dovecot:

protocol lda {
  mail_plugins = cmusieve
  sieve_global_path = /etc/dovecot/globalsieverc/global.sieve
  log_path = /var/log/dovecot-delivery_log
  postmaster_address = noreply@domain.com
}

plugin {
 sieve = /etc/dovecot/globalsieverc/global.sieve
}

Again make sure that the user dovecot has full access to both the logfile and the global sieve directory (which you will need to make) . The plugin group is just for safety. I don’t know if it is needed but it doesn’t break anything. Also check the dovecot-mysql.conf that you made earlier to make sure that the uid and gid are those of the dovecot user. You can find this out by running:

:> id dovecot

If this is all setup in dovecot restart it by running:

:>/etc/init.d/dovecot force-reload

Now it is time to wrap things up and activate dovecot as the LDA for postfix, edit the file /etc/postfix/main.cf and change the virtual_transport from virtual to dovecot. Last but not least is creating the globe.sieve file.

:> vi /etc/dovecot/globalsieverc/global.sieve

require ["fileinto"];
if anyof (
    header :contains ["X-Spam-Flag"] "Yes"
) {
    fileinto "Spam"; stop;
}

Now restart postfix and send yourself a test mail. If everything is setup correctly it should be delivered to your mailbox. If not then first check ‘/var/log/mail.info’ to gather some information as to what is going on. If this indicates a delivery was attempted but it failed then check ‘/var/log/dovecot-delivery_log’ to find out more.

I hope you have fun using your spam free mail server. If you have any issues let me know, but please include snippets from the log as this will help me help you

My setup is as follows:

• Postfix as a SMTP service
• Dovecot as the IMAPS service and authentication service
• MySQL as a storage location indicating the virtual email boxes and domains
• PostfixAdmin as a package to manage the virtual domains and boxes

Installing the whole thing

The first thing you might wanna do is install the needed services and applications on your Debian machine. You can install everything using:

apt-get install dovecot-common dovecot-imaps postfix postfix-mysql

At this point I am asuming you already have MySQL installed and configured. If not then you should do so, but I won’t include that in this tutorial. The PostfixAdmin needs to be downloaded from http://sourceforge.net/projects/postfixadmin/. You will need to setup this somewhere on the webserver site, either in an already configured apache directory or by configuring a new one.

Setting up everything in MySQL

After everything is installed you will need to prepare everything in MySQL. Connect to your machine and run the following code to generate a database and tables in that database:

create database postfix;
grant all on postfix.* to postfix identified by 'postfix';
grant all on postfix.* to postfixadmin identified by 'postfixadmin';
set password for postfixadmin = old_password('postfixadmin');

This will setup the basic stuff for postfix and postfix admin to work. Next step is setting up the data for postfix. First configure the postfixAdmin plugin by setting some of the settings in ‘config.inc.php’.

Setup Postfix configuration

The next step is configuring Postfix to enable it to sent mails, use the MySQL database and login using the Dovecot application. The latter you will setup in a later stage. First open the ‘/etc/postfix/main.cf’ file and change the entire content to something like:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix## Host name given by ISP
myhostname = <isp hostname>
mydomain   = <domainname>
unknown_local_recipient_reject_code = 550
debug_peer_level = 1

# Virtual domain administration MySQL
virtual_alias_maps      = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps        = static:104
virtual_mailbox_base    = /usr/postfix/
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit   = 51200000
virtual_mailbox_maps    = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid     = 104
virtual_transport       = virtual
virtual_uid_maps        = static:104

# The settings for the SASQL authentication using the autdaemon.
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   reject_unauth_pipelining,
   reject_invalid_hostname,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sasl_auth_enable           = yes
broken_sasl_auth_clients         = yes

# Setup authentication using Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

In the above configuration you need to manually change the domain name to your primary domain and the ISP domain to the name given by your ISP. Another thing you must change is the number 104 this should be the UID of the postfix user on your system. You can find out what the UID is by running: 

 id postfix

Setting up the Postfix SQL files

The last step in the postfix configuration is setting up the SQL files that instruct postfix on how to load the data from the MySQL database. Run the commands as instructed below.

:> vi /etc/postfix/mysql_virtual_mailbox_maps.cf

user     = postfix
password = <password>
hosts    = <ipaddress>
dbname   = postfix
query    = SELECT maildir FROM mailbox WHERE username='%s' AND active = 1

:> vi /etc/postfix/mysql_virtual_domains_maps.cf

user     = postfix
password = <password>
hosts    = <ipaddress>
dbname   = postfix
query    = SELECT domain FROM domain WHERE domain='%s'

:> vi /etc/postfix/mysql_virtual_alias_maps.cf

user     = postfix
password = <password>
hosts  = <ipaddress>
dbname = postfix
query  = SELECT goto FROM alias WHERE address='%s' AND active = 1 

Change the password and the host name to the ones as configured in your MySQL server. If everything went correct your postfix should be up and running by now. Please note that the logon when sending mail does not work yet as dovecot has not yet been configured.

Configuring Dovecot

Your last step should be easy. Edit the dovecot.conf file into the following.

protocols = imaps
log_path  = /var/log/dovecot_log
log_timestamp = "%Y-%m-%d %H:%M:%S "

default_mail_env      = maildir:/usr/postfix/%d/%n
mail_privileged_group = mail
first_valid_uid       = 100

protocol imap {
  imap_client_workarounds = outlook-idle
}

##
## Authentication processes
##
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth default {
  mechanisms = plain login
  userdb sql {
    args=/etc/dovecot/dovecot-mysql.conf
  }
  passdb sql {
    args=/etc/dovecot/dovecot-mysql.conf
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}


This simple configuration will enable dovecot to use IMAPS (you could also add POP or IMAP). The auth default group defines how to authenticate the user. In our case this is using the MySQL database to locate passwords and the directory of the user. We also define a socket in this group that indicates a location where Dovecot should offer the authentication service for other application, being Postfix in our case.

The last step for the dovecot setup is creating the query to find the data. Run the following command and then paste the code below:

:> vi /etc/dovecot/dovecot-mysql.conf

driver = mysql
connect = host=<host> dbname=postfix user=postfix password=<password>
default_pass_scheme = CRYPT
password_query = SELECT password FROM mailbox WHERE username = '%u'
user_query = SELECT maildir, <uid> AS uid, <uid> AS gid FROM mailbox WHERE username = '%u'

You should change the host, password and UID. The UID is the one you previously obtained for postfix.

If everything is done correctly you can start adding domains, mailboxes and aliasses using PostfixAdmin. As well as starting the Postfix and dovecot service. You can do this by running:

:> /etc/init.d/dovecot start
:> postfix start

And you’re all done. Congratulations you now have a mail service running on you Debian machine. If you have any difficulties please let me know and please post a snippet of the ‘/var/log/mail.info’ to help me understand what’s going on. Trust me that I’ve probably seen most of the errors that you can encounter come by.

Setting up certificate authentication is really simple. Just login to the machine as you would normally. Change to the user you are setting-up a certificate for and enter:

ssh-keygen -t rsa

You will be prompted for a password twice. After this is completed two files will be generated. One being the public file and one being the prive file. You need to download the private file from the server and store it somewhere safe. The public key needs to be copied to:

 ~/.ssh/authorized_keys

After this you will be able to login to the server using your username and the private certificate. Please note that for Putty you will need to import the generated private key into puttygen and export it into a new private key. This is because Putty does not support the SSH generated private key.

Update: fixed the name of the keyfile to actually make it work, thanks for that neosam.