Virtual Users + Domains With Postfix, Courier + MySQL (+SMTP-AUTH, SpamA, ClamAV)

Hi.

The tutorial was excellent! I am fully up and running/operational.

one question I have regards spamassassin. I understand that it works best if you train it with ham and spam.

I currently have been collecting from users various emails that have come into one or the other category (ham caught by SA, or spam that was not caught).

What is the best way after setting up amavis-spamassassin with the directions in the tutorial to set up a cron job to automatically train spamassassin?

Do I simply pipe the messages thru sa-learn --spam or sa-learn --ham, or is it more complicated?

When I have looked on the web, I see that people do things like --rebuild and so forth, but I am unsure what this all does.

Also, after I train spamassassin with the spam/ham, do I need to ever retain those messages or can they be disgarded?

Thanks in advance-- would be great if the sa-learn method was added to the tutorial since I got the impression this is such an important part of sa to have it being trained.

Sunil

 

Normally you do it like this:

Code:

/usr/bin/sa-learn --spam -p /var/amavisd/.spamassassin/user_prefs --mbox /var/mail/spam

for spam and

Code:

/usr/bin/sa-learn --ham -p /var/amavisd/.spamassassin/user_prefs --mbox /var/mail/notspam

for ham where /var/mail/spam and /var/mail/notspam are mbox mailboxes with spam/ham (you can have your users send spam/ham to these mailboxes for training purposes).

I recommend to run

Code:

man sa-learn

to find the correct options for your setup.

You can delete the messages afterwards.

 

How about reporting the same to Razor and Pyzor?

I noticed that in your description of the virtual setup, you never run razor2 to create a user account for reporting. Is there a reason you avoid this, or is it purely because you think it is a per user preference whether they report spam or not?

I also noticed after I created a user which I was logged into amavis that I had a new directly .razor under /var/lib/amavis. Is this .razor account taken over in preference over the /etc/razor account setup thru your tutorial? There is actually no conf file in /var/lib/amavis/.razor but there are the same server files that contain URLs.

Sunil

 

You don't need to report spam - I think most users will be satisfied if razor identifies spam for them.

What's in /var/lib/amavis/.razor and /etc/razor?

 

Actually, the two directories are very similar. I think I am fine now, but it was just interesting.

However, next question-- I have SPAM tagged and then forwarded to the users, with individual SPAM folders the SPAM filters into so they can check it. They then have the ability to indicate whether the email was not really spam and flip to the inbox and also alert me with the message so I can then use sa-learn to update the bayesian filters, or vice versa for something that slips thru tag it as spam which alerts me the alternative.

My question: You also have us use the amavisd quarantine -- what really is the use of this given what I am doing? That is, what added value do I have quarantining user spam if it is tagged at a certain level? I presume for my setup, I would just disregard this and set the quarantine for spam as undef?

Do many people do this? or is there something special about quarantining I am losing?

 

Quarantine makes emails over a defined threshold go to a quarantine folder which the recipient can check from time to time if it's spam or not.
Given what you're doing I don't think you have to use this feature.

 

Just as a follow up, I thought i'd inform you of my setup in case anyone else thinks it is useful:

(i) Since I run squirrelmail, I installed the spam buttons package and then set it up so if someone detects spam that was not caught they select it and press spam, which sends the email to my spam catching virtual email address. It comes to me and goes into a spam maildir folder.

(ii) For ham, it goes likewise when people select the ham button to a ham maildir folder.

These two folders are actually called "Check Ham" and "Check Spam". I then daily when i get on line take a look. If I decide what they sent me is really spam and ham, I flip the messages over to anohter folder that is monitored once a day with a script, called "Learn Ham" and "Learn Spam".

With a simple script in cron.daily, I copy all the data out to /var/lib/amavis/spamham/ where there are two directories, one to hold all spam emails and one to hold all ham emails. From this directory sa-learn is run for ham and spam, wtih the output piped to a file and emailed me to indicate the status of hte spam run.

The end of script simply deletes the emails that were reviewed/learned.

It all seems to be working beautifully! !

 

Well this looks like yet another easy to implement solution

One quick (and hopefully easy) question though: can I use it without any changes on Ubunty 5.10 (Breezy) as well? I'm specifically asking with regards to the quota patch, as I'm pretty sure that the rest will work like a charm.

 

I haven't tested this on Ubuntu, but one problem I can think of is the Postfix version. Debian Sarge uses Postfix 2.1.5, and I guess Ubuntu uses a Postfix 2.2.x. Therefore you should have a look here: http://www.howtoforge.com/forums/showpost.php?p=11463&postcount=2

 

I set this up on Ubuntu 5.10 and it works real nice. I left out the quota bit as it'll be small group of people who will have mail accounts on the server, and that's also where I think the version incompatibility could start and create issues.

One question then though; when I set up users they also are assigned a quota. What if I do not want a user to have a quota. Do I set the number to 0?

Additionally, how do I change a user's password? Would this be something I'd install PostfixAdmin for?

Thanks in advance.

 

Yes, use 0.

You can use phpMyAdmin for this task.

 

I let users change their password using Squirrelmail with teh change_sqlpass plugin. There are multiple ways you could do this...

 

Excellent, thanks!

Well, I can...But I want to enable my users to do this themselves (as I tend to be a bit lazy ) SO I tried the change_sqlpasswd plugin for squirrelmail but as I needed to install the compatibility plugin that blew up something in the PHP code. So that's a no go.

My PostfixAdmin looks interesting as it is a frontend that allws me to easily add new users, aliases etc. without having to log in to phpMyAdmin. And it allows users to change their password and forwarding as well.

 

I should've known better than to mess around with integrating two HOWTOs about this subject. So I used the one that works, this one My compliments, your HOWTOs are of great quality and work really well.

Few questions though:
- On Ubuntu 5.10, when I do an apt-get upgrade it tells me it wants to upgrade postfix. Is my assumption correct that this would overwrite the installed version which has the quota patch? And if so, is there a way in which I can exclude postfix from the updates/upgrades?
- Changing a user's encrypted password using phpMyAdmin. As I cannot just go in and plug another password in there, how do I do this for an encrypted password?

Thanks in advance.

 

Yes.

You can do that with apt-pinning:
http://www.debian.org/doc/manuals/apt-howto/ch-apt-get.en.html
http://jaqque.sbih.org/kplug/apt-pinning.html
http://www.argon.org/~roderick/apt-pinning.html

It's explained here: http://www.howtoforge.com/virtual_postfix_mysql_quota_courier_p5

 

Well I finally have a working mail server Excellent HOWTO! And thanks for your help.

I do have a question though, when trying to send e-mail to an external domain it works when I use Squirrelmail. Next I have set up the exact same account on Thunderbird.

When sending an e-mail to the same external address I get the error message that Relay Access is denied. The mail is not sent.

/var/log/mail.log shows the following:
Mar 3 00:04:10 blabla postfix/smtpd[30093]: connect from bla.bla.net[10.0.0.150]
Mar 3 00:04:10 blabla postfix/smtpd[30093]: NOQUEUE: reject: RCPT from bla.bla.net[10.0.0.150]: 554 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[10.0.0.150]>
Mar 3 00:04:19 blabla postfix/smtpd[30093]: lost connection after RCPT from
bla.bla.net[10.0.0.150]
Mar 3 00:04:19 blabla postfix/smtpd[30093]: disconnect from bla.bla.net[10.0.0.150]

This is what's in my /etc/postfix/main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP ready
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = bla.bla.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = bla.bla.net, localhost, localhost.localdomain
relayhost = mailrelay.direct-adsl.nl
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email
.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtu
al_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relo
cated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

I've seen the suggestion to edit the /etc/postfix/local-host-names file and that may solve the issue, but what about POP3 access from outside my network? That wouldn't work then would it?

Another piece of information that might be useful is that my router does not support loopback. So on my LAN I have to define the IMAP server name as 10.0.0.x

Any suggestions? Your help is much appreciated.

 

You must enable something like "Server requires authentication." in your email client.

 

I tried that in Thunderbird (Tools -> Account Settings -> Server Settings -> Security Settings -> Use secure authentication) but then it completely refuses access.

So, here's where I am at now: I can read and write e-mail, but I cannot save copies to Sent etc. when using Thunderbird from outside my LAN. Outside my LAN I use a different SMTP server by the way.

From inside my LAN I cannot send e-mails due to the error mentioned earlier. It seems that my SMTP server is refusing connections from other machines than localhost.

Could it be that it has something to do with this line:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

 

If your clients are within the mynetworks value in /etc/postfix/main.cf, then they are allowed to send without authentication. OTherwise you must enable "Server requires authentication." in your email client. In Outlook you do it like this: http://mail.cs.uiuc.edu/relay/outlook-config.html There must be a similar setting in Thunderbird.

Then your sending problem has to do with the different SMTP server.

 

Bingo! That must be it! The howto specifies 127.0.0.0/8. So now it makes sense why it was a bit wonky

Thanks again!