Category: BSD

2007-11-22 02:09:02

OpenBSD 3.4, Postfix, Procmail, Courier-Imap, Mutt, Pop/Imap before SMTP authentication

Introduction

    This document is written for configuring an OpenBSD 3.4-based mailserver; however, there is no reason it should not apply to versions as old as OpenBSD 3.0 or to something newer.

    Install src

      Untar src.tar.gz from the CD into /usr/src if you have an OpenBSD CD. If you're grabbing the sources from the ftp site then you want both src.tar.gz and srcsys.tar.gz.

    Upgrade to -stable

      Even OpenBSD can have security updates so be sure to update to the -stable branch of the release you're working with. To update OpenBSD 3.1 change the _3_4 to _3_1.
        # export CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
        # cd /usr
        # cvs -q up -rOPENBSD_3_4 -P src

      To update this tree later simply cd /usr/src; cvs -q up -rOPENBSD_3_4 -Pd

    Rebuild system from stable source

      Rebuild Kernel
        # cd /usr/src/sys/arch/i386/conf
        # /usr/sbin/config GENERIC
        # cd /usr/src/sys/arch/i386/compile/GENERIC
        # make clean && make depend && make
        # cd /usr/src/sys/arch/i386/compile/GENERIC
        # cp /bsd /bsd.old (Save an old copy of your kernel)
        # cp bsd /bsd (Copy the new kernel into place)
        # reboot

      Rebuild userland programs
        # cd /usr/src
        # rm -r /usr/obj/*
        # make obj && make build

    Reboot the machine. At this point it's safe to connect it to the internet.

    Install ports tree, upgrade to stable

      # export CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
      # cd /usr
      # tar -xvzf /path/to/ports.tar.gz
      # cvs -q up -rOPENBSD_3_4 ports

Postfix Install

      # cd /usr/ports/mail/postfix

    Optionally, edit Makefile and comment out all the SUBDIR+= lines except for: SUBDIR+= stable,pcre,tls

      # make install

    edit /etc/rc.conf

      Comment out line:
        #sendmail_flags="-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"

      and add:

        sendmail_flags="-bd -q30m"

    edit root crontab (# crontab -e )

      Comment out line:
        #*/30  *   *   *   *   /usr/sbin/sendmail -L sm-msp-queue -Ac -q

    edit /etc/postfix/main.cf

      Set the following fields:
        mydomain = your domain here
        myorigin = $mydomain
        mydestination = $myhostname, localhost.$mydomain, $mydomain
        # NOTE: the trailing / is important (it selects Maildir delivery).
        # Keep comments on their own line; main.cf does not support comments after a value.
        home_mailbox = .maildir/
        # mailbox_command = /usr/local/bin/procmail

      Leave mailbox_command commented out for now. After procmail is configured it will be uncommented.

    Run postfix

      # postfix check
      # postfix start

    At this point, send a test message to a local user. The user's mail directory should be created at $HOME/.maildir, along with the subdirectories new, cur and tmp, with the new mail in new.

Mutt Install

    This makes it easier for us to test the mail system while setting up the server.
        # cd /usr/ports/mail/mutt

    edit Makefile

      comment out:
        #     SUBDIR += snapshot

      then build and install:
        # make install
        # cd /etc/Mutt

    edit Muttrc

      Set the following settings:
        set mbox_type=Maildir
        set folder=~/.maildir
        set spoolfile=~/.maildir/

      This allows Mutt to read Maildir format mailboxes

Procmail Install

    A small change needs to be made to the authenticate.c source file to make procmail work with Maildir type mailboxes by default.
        # cd /usr/ports/mail/procmail
        # make fetch extract
        # cd /usr/ports/mail/procmail/w-procmail-3.22/procmail-3.22/src

    edit authenticate.c

      change line:
        #define MAILSPOOLDIR   "/var/spool/mail/"

      to:

        #define MAILSPOOLDIR   ""

      change line:

        #define MAILSPOOLHOME "/.mail"

      to:

        #define MAILSPOOLHOME "/.maildir"

    Compile and install procmail:

      # make install

    edit /etc/procmailrc

    add line at top of file:

      DEFAULT=$HOME/.maildir/

    edit /etc/postfix/main.cf

      Uncomment the line:
        mailbox_command = /usr/local/bin/procmail  

    reload postfix

      # postfix reload

    Again, send another test message at this point to make sure that procmail is now delivering the mail correctly to the user's .maildir mailbox.

Courier-Imap Install

      # cd /usr/ports/mail/courier-imap
      # make install
      # cd /etc; mkdir courier-imap
      # cd courier-imap; cp /usr/local/share/examples/courier-imap/* .

    Edit imapd.cnf

    Configure the file for your server

      # mkimapdcert

    This reads imapd.cnf and creates an imap ssl certificate in /etc/ssl/private/imapd.pem

    Edit authdaemond.conf

    Set:

      AUTHDAEMOND="authdaemond.plain"

    Edit imapd

    Set at the end of the file:

      MAILDIR=.maildir
      IMAPDSTART=YES

    Startup Courier-IMAP:

      # /usr/local/libexec/authlib/authdaemond start
      # /usr/local/libexec/imapd.rc start
      # /usr/local/libexec/imapd-ssl.rc start

    You might want to put the above into a shell script you can call from /etc/rc.local for startup

    At this point you should be able to test out imap access with your favorite mail client.

Pop-before-smtp

    If this machine is going to allow remote users to connect and use the mail system, we don't want to have an open relay, so we'll set up pop/imap before smtp authentication so that only valid users who have an account and have checked their email are able to send mail.

    Grab pop-before-smtp from its website and untar it into a temp directory like /usr/local/src/pop-before-smtp

    edit pop-before-smtp-conf.pl

      uncomment the line under "# Override the DB hash file we will create/update (".db" gets appended).":
        $dbfile = '/etc/postfix/pop-before-smtp';

      uncomment:
        $logto = '/var/log/pop-before-smtp';

      change the line under "# Set the log file we will watch for pop3d/imapd records." to read:
        $file_tail{'name'} = '/var/log/maillog';

      uncomment the line under "# For Courier-POP3 and Courier-IMAP:":
        $pat = '^(... .. ..:..:..) \S+ (?:courier)?(?:pop3|imap)(?:login|d|d-ssl): ' .
            'LOGIN, user=\S+, ip=\[[:f]*(\d+\.\d+\.\d+\.\d+)\]$';

      comment out the lines to tell it to use NDBM database:
        #=pod #------------------------ Postfix NDBM_File ---------------------START-
        #=cut #------------------------ Postfix NDBM_File -----------------------END-

    Copy the files into place:

      # cp pop-before-smtp-conf.pl /etc
      # cp pop-before-smtp.init /etc
      # cp pop-before-smtp /usr/sbin

    Start pop-before-smtp

      # /etc/pop-before-smtp.init start

    You should see a list of ip addresses etc in /var/log/pop-before-smtp from your imap tests. You should also have a database file in /etc/postfix/pop-before-smtp.db

    Setup Postfix for pop-before-smtp authentication

      edit /etc/postfix/main.cf

      Add the following line:

        smtpd_recipient_restrictions = permit_mynetworks,reject_non_fqdn_recipient,check_client_access hash:/etc/postfix/pop-before-smtp,check_relay_domains

      Reload postfix settings:

        # postfix reload

    You should be able to verify that postfix will now refuse to accept mail from remote (non local network) connections without logging in via imap or pop3 first.
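
    How the setup above turns maillog lines into relay permission, as an added example that is not pop-before-smtp's own code and not part of the original post. The log lines are constructed; the 30-minute window (GRACE), YEAR and the function names are assumptions; the regular expression is the Courier pattern quoted above.

```python
import re
from datetime import datetime, timedelta

# Courier pattern as quoted from pop-before-smtp-conf.pl (Perl syntax, also valid in Python).
PAT = re.compile(
    r'^(... .. ..:..:..) \S+ (?:courier)?(?:pop3|imap)(?:login|d|d-ssl): '
    r'LOGIN, user=\S+, ip=\[[:f]*(\d+\.\d+\.\d+\.\d+)\]$'
)
GRACE = timedelta(minutes=30)  # assumed relay window; the real value comes from the daemon's config
YEAR = 2007                    # assumed: syslog timestamps carry no year

# Constructed maillog lines using documentation addresses, not real logs.
SAMPLE_LOG = """\
Nov 22 02:00:00 mail imapd: LOGIN, user=alice, ip=[::ffff:192.0.2.10]
Nov 22 02:05:00 mail pop3d: LOGIN, user=bob, ip=[198.51.100.7]
Nov 22 02:06:00 mail imapd: LOGIN FAILED, ip=[::ffff:203.0.113.9]
Nov 22 02:07:00 mail postfix/smtpd[123]: connect from unknown[203.0.113.9]
Nov 22 02:20:00 mail imapd-ssl: LOGIN, user=alice, ip=[::ffff:192.0.2.10]
"""

def parse_logins(text):
    """Return {ip: time of the most recent successful POP/IMAP login}."""
    seen = {}
    for line in text.splitlines():
        m = PAT.match(line)
        if m:  # failed logins and non-Courier lines never match
            ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            seen[m.group(2)] = max(ts, seen.get(m.group(2), ts))
    return seen

def relay_table(seen, now):
    """IPs whose last login lies within GRACE of `now` (a model of the .db contents)."""
    return sorted(ip for ip, ts in seen.items() if timedelta(0) <= now - ts <= GRACE)

def may_relay(ip, seen, now):
    """Model of the check_client_access lookup: the key is the client IP, never the user."""
    return ip in relay_table(seen, now)

if __name__ == "__main__":
    seen = parse_logins(SAMPLE_LOG)
    for now in (datetime(2007, 11, 22, 2, 30), datetime(2007, 11, 22, 2, 40),
                datetime(2007, 11, 22, 3, 0)):
        print(now.time(), relay_table(seen, now))
```

    Because the lookup key is only the client IP, every host that shares that address (for example behind NAT) can relay until the entry expires, so keep the window short and watch /var/log/pop-before-smtp for unexpected addresses.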

Spamassassin

    Another great tool for configuring email is spamassassin, which is a perl script that can be used to identify and control incoming spam.
    Spamassassin website can be found at:

    Spamassassin requires the HTML-Parser Perl module as a prerequisite, so we'll start there.

      # cd /usr/ports/www/p5-HTML-Parser
      # make install

    Now on to the spamassassin install

      # mkdir -p /usr/local/src
      # cd /usr/local/src
      # tar -xvzf /path/to/downloaded/Mail-SpamAssassin-2.41.tar.gz
      # cd Mail-SpamAssassin-2.41
      # perl Makefile.PL
      # make
      # make install

    Let's test the install:

      # spamassassin -t < sample-nonspam.txt > nonspam.out
      # spamassassin -t < sample-spam.txt > spam.out

    This runs spamassassin in test mode. By reading the spam.out and nonspam.out files you can see what it does to each mail message.

    At this point spamassassin is ready to be set up in procmail. You can set it up either system-wide or, as in my case, on a user-by-user basis.

    Setup spamassassin for your mail account:

      # cd ~

    create directory to store spam in

        # maildirmake -f Spam .maildir

      This creates a maildir folder inside your ~/.maildir called .Spam

    edit .procmailrc

      Add the following lines:
        :0fw
        | spamassassin -P

        :0:
        * ^X-Spam-Status: Yes
        $HOME/.maildir/.Spam/

    Now simply kick back and watch most if not all of your incoming spam get tagged and redirected into your new imap folder Spam.
