(This is a test mail server setup)
We need two servers for mails.
1. Live server.
2. Backup server for emergency.
LIVE SERVER DETAILS.
HDD Partition Details
Root Partition : 3GB.
Home : 5GB
Swap : 2GB
/var/spool/mail : 27GB (Mail file location).
Hostname : - server1.corp.example.com
IP Address : - 10.203.121.100
HARDWARE DETAILS.
Processor : Intel(R) Pentium(R) 4 CPU 1.80GHz
Memory : 1 GB RAM
Hard Disk : 40 GB IDE HDD.
Model : Wipro Super Genius.
OS DETAILS.
OS : RedHat Linux 7.2
Kernel version : 2.4.9-e.24
APPLICATIONS.
SMTP : Postfix 1.1
Postfix rpm : postfix-1.1.11-5
POP3/IMAP : UW-imap
Uw-IMAP rpm : imap-2001a-10.0as
BACKUP SERVER DETAILS.
HDD Partition Details
Root Partition : 8GB.
Home : 8GB
Swap : 2GB
/var/spool/mail : 20GB (Mail file location).
We selected custom package installation so that only the required packages were installed with RHEL. We removed the sendmail package at installation time, because we are using Postfix as the SMTP server. Webmail is included here as well, so we added Apache Tomcat and SquirrelMail. For IMAP, we selected Dovecot.
Hostname : - server2.corp.example.com
IP Address : - 10.203.121.101
HARDWARE DETAILS.
Processor : Intel Pentium-4 2.3 GHz.
Memory : 1 GB DDR 266MHz
Hard Disk : 40 GB IDE HDD.
Model : Wipro Super Genius.
OS DETAILS.
OS : RedHat Enterprise Linux 5.3
Kernel version : 2.6.18-128.el5
APPLICATIONS.
SMTP : Postfix 2.3
Postfix rpm : postfix-2.3.3-2.1.el5_2.i386.rpm
POP3/IMAP : Dovecot 1.0
Dovecot rpm : dovecot-1.0.7-7.el5.i386.rpm
Squirrelmail : squirrelmail-1.4.8-4.0.1.el5
Apache : Tomcat Apache (httpd-2.2.3-22.el5)
CONFIGURATION DETAILS OF POP3/SMTP.
SMTP
The lines below are modified or added in the Postfix main.cf configuration file.
Configuration file : /etc/postfix/main.cf
---------------------------------------------------------------------------------------------------------------
myhostname = live.example.com
mydomain = example.com
inet_interfaces = all
virtual_alias_maps = hash:/etc/postfix/virtual
relayhost = [smtp.corp.example.com]
--------------------------------------------------------------------
virtual_alias_maps : This is where we tell Postfix to deliver all incoming mail from the MS Exchange server (currently runner.corp.example.com) to our local server (server2.example.com).
Configuration file : /etc/postfix/virtual
After adding virtual_alias_maps you need to run the postmap command to generate the virtual.db file in /etc/postfix/. Otherwise Postfix will log an error that "virtual.db" was not found, and the SMTP service will not function.
$sudo postmap /etc/postfix/virtual
(This automatically creates the /etc/postfix/virtual.db file.)
$file /etc/postfix/virtual.db
/etc/postfix/virtual.db: Berkeley DB (Hash, version 8, native byte-order)
Contents of /etc/postfix/virtual:
-x-x-x-x-x--x-x-x-x-x-x-x-x-x-x--x-x-x-x-x-x-x-x-x-x--x-x-x-x-x
drop.corp.example.com accept
@drop.corp.example.com @server2.corp.example.com
-x-x-x-x-x--x-x-x-x-x-x-x-x-x-x--x-x-x-x-x-x-x-x-x-x--x-x-x-x-x
Useful commands : $sudo service postfix (stop|start|restart|reload)
$sudo postmap /etc/postfix/virtual (for creating virtual.db file for adding virtual domains)
$sudo postconf message_size_limit
$sudo postconf mailbox_size_limit
POP3/IMAP.
On the live server we are using uw-imap as the POP3 server; on the backup server we moved to Dovecot, since no proper rpm is available for uw-imap and RedHat has removed this package from their package list.
Dovecot supports both the traditional mbox format and maildir, so we should not face any problem now or in the future.
Since we are NOT planning for IMAP, this configuration covers POP3 only. The same configuration also serves IMAP if port 143 is opened in iptables.
There is only one line modified for configuring POP3 server.
Configuration file : /etc/dovecot.conf
-------------------------------------------------------------------------------
mail_location = mbox:~/mail:INBOX=/var/mail/%u
-------------------------------------------------------------------------------
INBOX location : /var/spool/mail (this location can be changed in /etc/dovecot.conf)
Authentication : PAM (as default, dovecot uses PAM)
Log file : /var/log/maillog
Useful Commands : $dovecot -n (reads the configuration from /etc/dovecot.conf and displays it)
$sudo service dovecot (start|stop|restart)
$telnet server2.example.com 110 (expect the banner: +OK Dovecot ready.)
SQUIRRELMAIL
We can configure SquirrelMail with the $sudo /usr/share/squirrelmail/config/conf.pl script.
From the conf.pl console, the options below were modified:
1. Organization Preferences
   1. Organization Name : Example
   2. Organization Logo : ../images/sm_logo.png
   3. Provider link : http://www.example.com/
   4. Provider name : Example
4. Server Settings
   1. Domain : corp.example.com
   2. Sendmail or SMTP : SMTP
D. Set pre-defined settings for specific IMAP servers
   1. dovecot = Dovecot Secure IMAP server
Test your configuration at http://server2/webmail/src/configtest.php
Some modifications were made to the /usr/share/squirrelmail/src/login.php file:
[root@server2 src]# diff -u login.php.org login.php
--- login.php.org 2010-09-01 19:55:43.000000000 +0530
+++ login.php 2010-09-01 20:07:43.000000000 +0530
@@ -143,8 +143,7 @@
' />
' . "\n"
: '' ).
( (isset($hide_sm_attributions) && $hide_sm_attributions) ? '' :
- '' . sprintf (_("SquirrelMail version %s"), $version) . '
' ."\n".
- ' ' . _("By the SquirrelMail Project Team") . '
' . "\n" ) .
+ ' ' . _(" Webmail") . '
' . "\n" ) .
html_tag( 'table',
html_tag( 'tr',
html_tag( 'td',
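Review bot: This hunk patches a file owned by the squirrelmail rpm (/usr/share/squirrelmail/src/login.php), so the next package update will silently restore the version string and project attribution on the login page; the unchanged context line `( (isset($hide_sm_attributions) && $hide_sm_attributions) ? '' :` shows the block is already guarded by the $hide_sm_attributions setting, so enabling that option in the SquirrelMail configuration hides the version from the login page (the fingerprinting reduction this edit achieves) without touching the source. If the custom label is still wanted, keep the patch next to login.php.org and re-apply it after updates, and confirm the intended text of `_(" Webmail")`, whose leading space reads like a word lost in extraction.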
[root@server2 src]#
PLUGINS (Available in /root/plugin)
SquirrelMail uses plugins for additional options and to make SM more attractive. We have used the plugins below. Read each plugin's README and INSTALL files for more details.
change_passwd v3.1 : Change password.
user_logo v1.1 : Shows the Example logo after login.
compatibility v1.3 : For plugin compatibility.
msg_flags v1.4 : Message icons and flags.
MIGRATING UNIX USERS AND MAILS.
We do this step so that the system users on the backup server are never overwritten. The steps below add only the users with UID > 500.
User Migration
There are a few simple steps to follow for user migration. They do not disturb the existing system users.
(The location of the files used for migration may differ, depending on the backup location used by rsync.)
$export UGIDLIMIT=500
$awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/backup/passwd > /etc/backup/passwd.mig
$awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/backup/group > /etc/backup/group.mig
$awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534) {print "^" $1 ":"}' /etc/backup/passwd | grep -f - /etc/backup/shadow > /etc/backup/shadow.mig
(The ^ and : anchors make each user name match only its own shadow line, so a short name such as "bob" does not also pull in "bobby". 65534 is nfsnobody, which every RHEL install already has.)
$cat /etc/backup/passwd.mig >> /etc/passwd
$cat /etc/backup/group.mig >> /etc/group
$cat /etc/backup/shadow.mig >> /etc/shadow
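The same migration as one script, added here as an example rather than the page's own commands: it applies the UID limit to passwd and group, selects shadow lines by anchored user name, and skips accounts already present in the target so the append step can be repeated safely. The directory layout and the sample accounts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the page's own script): migrate ordinary accounts from the
# rsync copy of the live server's /etc into the backup server's /etc, like the
# awk/cat steps above, but anchored on the user name for shadow and skipping
# names already present so a repeated run never appends duplicates.
UGIDLIMIT=${UGIDLIMIT:-500}   # page's limit; 65534 (nfsnobody) is always excluded

# migrate_accounts SRCDIR DSTDIR
#   SRCDIR: backed-up passwd, group and shadow; DSTDIR: files to append to (/etc)
migrate_accounts() {
    src=$1; dst=$2
    for f in passwd group shadow; do
        [ -f "$src/$f" ] && [ -f "$dst/$f" ] || { echo "missing $f" >&2; return 1; }
    done
    # UID/GID (field 3) at or above the limit, nfsnobody excluded
    awk -v LIMIT="$UGIDLIMIT" -F: '($3>=LIMIT) && ($3!=65534)' "$src/passwd" > "$src/passwd.mig"
    awk -v LIMIT="$UGIDLIMIT" -F: '($3>=LIMIT) && ($3!=65534)' "$src/group" > "$src/group.mig"
    # shadow has no UID column: select by name, anchored as ^name: so that
    # "bob" cannot also match "bobby"
    awk -F: '{print "^" $1 ":"}' "$src/passwd.mig" | grep -f - "$src/shadow" > "$src/shadow.mig" || :
    # append only entries whose name does not already exist in the target file
    for f in passwd group shadow; do
        awk -F: -v dstfile="$dst/$f" \
            'FILENAME == dstfile { seen[$1] = 1; next } !($1 in seen)' \
            "$dst/$f" "$src/$f.mig" > "$src/$f.new"
        cat "$src/$f.new" >> "$dst/$f"
    done
}

# make_sample: constructed passwd/group/shadow files in a scratch directory
# (fake accounts and hashes, for demonstration only); prints the directory.
make_sample() {
    d=$(mktemp -d); mkdir -p "$d/backup" "$d/target"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin' \
        'bobby:x:499:499:service account:/var/lib/bobby:/sbin/nologin' \
        'bob:x:500:500::/home/bob:/bin/bash' \
        'alice:x:501:501::/home/alice:/bin/bash' > "$d/backup/passwd"
    printf '%s\n' 'root:x:0:' 'bobby:x:499:' 'bob:x:500:' 'alice:x:501:' > "$d/backup/group"
    printf '%s\n' 'root:$1$fake:14000:0:99999:7:::' 'bobby:$1$fake:14000:0:99999:7:::' \
        'bob:$1$fake:14000:0:99999:7:::' 'alice:$1$fake:14000:0:99999:7:::' > "$d/backup/shadow"
    # the target already holds root and bob (bob was migrated on an earlier run)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'bob:x:500:500::/home/bob:/bin/bash' > "$d/target/passwd"
    printf '%s\n' 'root:x:0:' 'bob:x:500:' > "$d/target/group"
    printf '%s\n' 'root:$1$fake:14000:0:99999:7:::' 'bob:$1$fake:14000:0:99999:7:::' > "$d/target/shadow"
    echo "$d"
}
```

Run it as `D=$(make_sample); migrate_accounts "$D/backup" "$D/target"` and inspect the target files: only alice is appended, bobby's shadow line is not picked up, and a second run appends nothing.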
MAIL BACKUP.
We have an rsync job with the existing live server, so the backup server always has up-to-date mail files in /var/spool/mail.
rsync backup job (cron entry and script):
30 * * * * /usr/local/sbin/server2-backup.sh > /dev/null 2>&1
-----------------------------
#!/bin/sh
#set -x
>/tmp/errortext
RSYNC=/usr/bin/rsync
# This backs up the mail files and the user ids (/etc) from live to live-mail2
MAIL=/var/spool/mail/
BACKUP=10.203.121.101
STATUS=0
# /etc (passwd, shadow, group, ...) for the user migration step; rsync errors go to /tmp/errortext
$RSYNC -av -e "ssh -l root" /etc/ $BACKUP:$MAIL/migrate/backup 2>>/tmp/errortext || STATUS=1
# The mail spool itself
$RSYNC -av -e "ssh -l root" $MAIL $BACKUP:$MAIL 2>>/tmp/errortext || STATUS=1
# Send mail to Ops Wipro if either rsync failed
if [ $STATUS -ne 0 ]; then
    /bin/mail -s "FAILED: backup" user@example.com < /tmp/errortext
fi
The steps below are additional, for when you need a manual backup.
(Making a tar bundle keeps the user permissions intact, and it can be untarred on the backup server after copying it there with scp.)
Backup mails : $sudo tar -zcvpf /var/spool/mail/mailbkp.tar.gz /var/spool/mail
Untar on server2 : $sudo tar -zxvpf mailbkp.tar.gz
IPTABLES
Rules : Reject All
Accept : ports 25, 110 and 80 on the mail server VIP.
: Port 22 open on the server2 server IP.
: $sudo service iptables (start|stop|restart|save|restore)
[root@server2 ~]# ls -l /root/iptables
-rwxr-xr-x 1 root root 510 Sep 4 13:58 /root/iptables
[charihar@server2 postfix]$ sudo cat /root/iptables
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 0/0 -i eth0 -d 10.203.121.100 -p TCP --sport 1024:65535 --dport 22
/sbin/iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 0/0 -i eth0 -d 10.203.121.101 -p TCP --sport 1024:65535 -m multiport --dports 25,110,80
/sbin/iptables -A INPUT -j ACCEPT -p udp -i eth0 --sport 53 --dport 1024:65535
/sbin/iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp
/sbin/iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --sport 1024:65535
/sbin/iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p udp --sport 1024:65535
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
[charihar@server2 postfix]$
If you stop iptables for any reason, run $sudo /root/iptables to re-enable the rules.
EMERGENCY FAILOVER
Here we need to take care of two things.
1. Update the passwd, shadow, group and gshadow files from the latest backup.
2. The mail files in /var/spool/mail will already be the latest. (This is in place because we rsync the mail files from the current live server.)
Adding VIP to backup server.
$sudo mv /etc/sysconfig/network-scripts/backup /etc/sysconfig/network-scripts/ifcfg-eth0:1
Then restart the network service to bring up the eth0:1 interface:
$sudo service network restart
and check that the eth0:1 interface is up:
$sudo ifconfig eth0:1
eth0:1 Link encap:Ethernet HWaddr 08:00:27:0D:88:E6
inet addr:10.203.121.100 Bcast:10.203.121.255 Mask:255.255.255.128
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Base address:0xd010 Memory:f0000000-f0020000
Check POP3, SMTP and HTTP services are running and accessible from outside.
Tuesday, September 14, 2010
Mail Server Setup