Centos 7 Setup

Read Dovecot Migration - Good background info.

Look at Quick Install Postfix

Postfix

• Merge the old einstein main.cf into the new one.
• Merge the old einstein master.cf into the new one.
• copy bottom part of /etc/aliasses into new one.
• copy nis-peers domains recipients-bcc from old einstein
• RUN:

 postmap /etc/postfix/virtual
 postmap /etc/postfix/domains
 postmap /etc/postfix/nis-peers
 postmap /etc/postfix/recipients-bcc

Start postfix and see if there are errors:

 systemctl start postfix.service
 journalctl -u postfix.service

Test. Note to not send the email to a NPG email address!

 echo "Test 2" | mail -s "Test 2" holtrop@jlab.org
 journalctl -u postfix --since "4 minutes ago"

Spamassassin

• Merge /etc/mail/spamassassin/local.cf

Dovecot

Read QuickConfiguration

doveconf -n -c old_einstein/dovecot.conf > test_new_dovecot.conf

This gives the following warnings:

doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:20: 'imaps' protocol is no longer necessary, remove it
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:20: 'pop3s' protocol is no longer necessary, remove it
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:93: ssl_cert_file has been replaced by ssl_cert = <file
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:94: ssl_key_file has been replaced by ssl_key = <file
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:131: login_dir has been removed
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:135: login_chroot has been replaced by service { chroot }
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:141: login_user has been replaced by service { user }
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:145: login_process_size has been replaced by service { vsz_limit }
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:151: login_process_per_connection has been replaced by service { service_count }
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:154: login_processes_count has been replaced by service { process_min_avail }
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:162: login_max_processes_count has been replaced by service { process_limit }
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:169: login_max_connections has been replaced by service { client_limit }
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:288: mail_log_max_lines_per_sec has been removed
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:306: fsync_disable has been renamed to mail_fsync
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:340: max_mail_processes has been replaced by service { process_limit }
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:435: maildir_copy_preserve_filename has been removed
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:708: add auth_ prefix to all settings inside auth {} and remove the auth {} section completely
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:745: passdb pam {} has been replaced by passdb { driver=pam }
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:846: userdb passwd {} has been replaced by userdb { driver=passwd }
doveconf: Warning: Obsolete setting in old_einstein/dovecot.conf:909: auth_user has been replaced by service auth { user }

The new file now has hints on what to change in dovecot.conf and conf.d/xxx files.

Convert crt to pem

Dovecot now only wants a pem certificate: from Stackoverflow

  openssl x509 -in mail.physics.unh.edu.crt  -outform PEM -out mail.physics.unh.edu.pem
  openssl rsa -in mail.physics.unh.edu.key  -outform PEM -out mail.physics.unh.edu.private.pem

dovecot.conf

conf.d/10-auth.conf

 disable_plaintext_auth = yes
 auth_mechanisms = plain login

conf.d/10-mail.conf

 protocols = imap pop3
 dotlock_use_excl = yes
 maildir_copy_with_hardlinks = no
 mail_location = maildir:/var/spool/mail/%u
 #                                                                                                                                                                                                      
 # Sieve Plugin                                                                                                                                                                                         
 #                                                                                                                                                                                                      
 plugin {
   sieve = %h/.sieve
 }

conf.d/10-master.conf

 # Postfix smtp-auth                                                                                                                                                                                  
 unix_listener /var/spool/postfix/private/auth {
   group = postfix
   mode = 0660
   user = postfix
  }
 unix_listener auth-master {
   group = dovecot
   mode = 0600
   user = dovecot
  }
  user = root                                                                                                                                                                                                   
 }

service imap-login {
  chroot = login
  client_limit = 256
  process_limit = 128
  process_min_avail = 3
  service_count = 1
  user = dovecot
  vsz_limit = 64 M
 
  inet_listener imap {
     #port = 143                                                                                                                                                                                        
  }
  inet_listener imaps {
   #port = 993                                                                                                                                                                                        
   #ssl = yes                                                                                                                                                                                         
  }

 service imap {
   process_limit = 1024
 }

service pop3-login {
   chroot = login
   client_limit = 256
   process_limit = 128
   process_min_avail = 3
   service_count = 1
   user = dovecot
   vsz_limit = 64 M
}

service pop3 {
   process_limit = 1024
}

conf.d/10-ssl.conf

Make sure the certs are copied!

 ssl_cert = </usr/share/ssl/certs/mail.physics.unh.edu.crt
 ssl_key = </usr/share/ssl/certs/mail.physics.unh.edu.key

conf.d/15-lda.conf

protocol lda {
   mail_plugins = $mail_plugins sieve
}

conf.d/20-lmtp.conf

protocol lmtp {
  mail_plugins = $mail_plugins sieve 
}

conf.d/10-logging.conf

 mail_debug = yes
 mail_log_prefix = "%Us(%u): "
 login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
 verbose_ssl = yes

conf.d/auth-system.conf.ext

in passed{ section

  args = dovecot

OLD CENTOS5

Master documentation for RedHat Enterprise 5

This is the set of programs that service NPG e-mail.

The order of operations for starting mail by hand is as follows:

Dovecot, Spamassassin, Postfix, Mailman.

And to safely stop the mail system, stop the services in this order:

Mailman, Postfix, Spamassassin, Dovecot.

The reason for this order is we stop recieving mail from other servers once postfix is down, stop processing incoming/outgoing mail with spamassassin because there's no more incoming/outgoing mail, and then we stop users from being able to get their mail and change things with dovecot. This allows us to take the mail system down and not bounce or lose any, since the servers trying to send us mail simply wait until we're receiving again.

Postfix

Centralized set of programs to send/recieve mail, as well as put recieved mail through spam/virus filters. The RPM is pretty good in that it automatically puts entries for some of the below programs in the appropriate configuration files. Sometimes it's necessary to un-comment them, though.

Configuration is: /etc/postfix/main.cf

Noteworthy Variations on standard setup

main.cfg

# LIMITS
#
# The maximal size in bytes of a message, including envelope information.
# Default is 10 MiB.
message_size_limit = 51200000

For authentication, the previous (before 11/4/2014) setup used the Cyrus SASL module, which was not configured correctly. It would look for a database that did not exist, and it would request authentication methods (AUTH CRAM-MD5 DIGEST-MD5 PLAIN LOGIN GSSAP) most of which would not work. This messed up mail from Apple Yosemite systems, causing fail2ban to ban the ip. We switched to Dovecot SASL module on 11/4/2014, which seems to behave correctly. Lines in mail.cfg that were changed:

# Enabling cyrus sasl
############################# Switch to Dovecot 11/4/2014 - Maurik
#smtpd_sasl_path = smtpd

# Enabling dovecot sasl
smtpd_sasl_type = dovecot
########################### Switch 11/4/2014 - Maurik -- make sure Dovecot is setup to put auth in /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth

Note that this also required a change in the /etc/dovecot.conf file.

mynetworks = 10.0.0.0/24, 127.0.0.0/8, 10.8.16.0/24, 132.177.88.0/22 hash:/etc/postfix/nis-peers

master.cfg

spamassassin unix -	n	n	-	-	pipe
  user=spamd	argv=/usr/bin/spamc -u ${user} -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Note: The -u ${user} flag will allow spamc to run as that user (the recipient of the mail) and to then parse the ~user/.spamassassin/user_prefs files. If that file does not exist, spamc will create it. This is an important aspect of the spam system. Without it, the user has no control over the spam settings and can thus not run a personal, more strict (or loose) policy.

THIS USED TO READ:

#

spamassassin unix -     n       n       -       -       pipe
  user=spamd    argv=/usr/local/bin/postfixfilter -f ${sender} ${recipient}

These customizations did nothing, but prevented proper running of spamc.

Dovecot

We run dovecot as our mail server. We're using a pretty much default setup, for ease of administration. The dovecot website has all necessary documention, and most of the system is fairly self-explanatory. The only thing that's weird is we have the sieve plugin, so that we can have and process sieve scripts for filtering.

SpamAssassin

Postfix uses SpamAssassin to filter e-mail. Needs an entry in /etc/postfix/master.cf and Procmail configuration

• Start Using SpamAssassin links
• Already Using SA tips

Presently, we only mark spam with some header flags, and by prepending "[SPAM] " to the subject of spammy messages. This allows the user's "sieve" script to figure out what to do with the email marked as spam. It can be discarded or stored in a junk mail folder, depending on the user's setup.

More information is at the SpamAssassin page

GNU Mailman

Manages mailing lists. Currently, we have three mailing lists. "Mailman" is a list used internally by the service. "Npg-admins" goes to us, the admins. "Npg-users" should go to all the users who have an account on our systems, if it's kept up to date.

In the event of strange errors with mailman (say, from rebuilding einstein), you should set STEALTH_MODE = 0 in /usr/lib/mailman/scripts/driver so that you can see errors in the web interface. This allows you to find strange errors like writing to /var/log/mailman/error, or any traceback information.

If you're having any permissions errors, you should (as true root, not sudo) run /usr/lib/mailman/bin/check_perms. If it gives any errors, run it with the -f flag to fix permissions automatically. This should take care of everything for you.

Web interface on einstein
More info