Welcome to Part 4 of the Mailserver setup guide. In this part we are going to be installing and configuring ViMbAdmin (vim-be-admin) to manage users and mailboxes, as well as the domains our mailserver will service. You can find more information about ViMbAdmin on their website here. If you missed the previous parts you can find them here: Part 1 – Server Configuration, Part 2 – Postfix Configuration, Part 3 – PostgreSQL Configuration.
Before installing ViMbAdmin we need to install some PHP packages. I’m going to be using PHP version 7: since we are using the latest version of CentOS and Postfix, we might as well go with the latest PHP. I have written a guide here for installing PHP 7 on your server. Make sure you install the php70w-pgsql package. You will also need mcrypt, composer and git:
yum install httpd mod_ssl php70w-mcrypt composer git
Then set the install path:
export INSTALL_PATH=/usr/share/vimbadmin
Use Git to clone the installation and composer to install:
git clone https://github.com/opensolutions/ViMbAdmin.git $INSTALL_PATH
cd $INSTALL_PATH
composer install --dev
Set permissions so Apache can serve the web interface:
chown -R apache:apache var/
ViMbAdmin comes with a default configuration file that can be copied for a basic configuration. We will copy that file to the appropriate name now, keeping the original as a backup:
cp $INSTALL_PATH/application/configs/application.ini.dist $INSTALL_PATH/application/configs/application.ini
Then edit the new file:
nano $INSTALL_PATH/application/configs/application.ini
We need to change the Database connection properties so that ViMbAdmin will use our PostgreSQL database instead of MySQL. Make the settings in your file look like the ones below, substituting yourpasswordhere for the password you created in the previous section:
resources.doctrine2.connection.options.driver = 'pdo_pgsql'
resources.doctrine2.connection.options.dbname = 'vimbadmin'
resources.doctrine2.connection.options.user = 'vimbadmin'
resources.doctrine2.connection.options.password = 'yourpasswordhere'
resources.doctrine2.connection.options.host = 'localhost'
resources.doctrine2.connection.options.charset = 'utf8'
Now find the Mailboxes section and modify it to match the following example:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Default values for creating mailboxes
; This sets the uid and gid columns in the mailbox table to the below values
defaults.mailbox.uid = 200
defaults.mailbox.gid = 12
Finally, just below that section, find the following settings and modify them to match this example:
defaults.mailbox.maildir = "%d/%u/"
defaults.mailbox.homedir = "/home/mail/"
The next thing we have to do is put the default .htaccess file in place:
cp $INSTALL_PATH/public/.htaccess.dist $INSTALL_PATH/public/.htaccess
The first thing we have to do is allow the administrator user we created in the previous section to connect to the database. We do that by editing “/var/lib/pgsql/data/pg_hba.conf”:
nano /var/lib/pgsql/data/pg_hba.conf
Scroll to the bottom and add the following line under “# IPv4 local connections:”
host vimbadmin vimbadmin 127.0.0.1/32 md5
It should look like this:
After making these changes, restart PostgreSQL:
systemctl restart postgresql
Now change back to your install directory if you’re not already there:
cd $INSTALL_PATH
Run this command to create the database:
./bin/doctrine2-cli.php orm:schema-tool:create
If it was successful it should look like this:
ViMbAdmin is installed; now we need to tell Apache to serve the files. For security reasons, I like to move the management page off the standard HTTP and HTTPS ports. We are still going to be using HTTPS to host the page, but let’s put it on port 7025. Earlier I had you install Apache and mod_ssl (for serving HTTPS pages), so let’s configure those.
All the Apache configuration files are stored in “/etc/httpd/”. The HTTPS configuration is stored at “/etc/httpd/conf.d/ssl.conf”, but we are going to be working with port 7025, so let’s make a new configuration file:
nano /etc/httpd/conf.d/vimbadmin.conf
Configure Apache to listen on our new port and set up the new Virtual Host. Copy and paste the following into the new file you just opened. Be sure to modify the ServerName and the certificate names. Notice we are re-using the same certificates we used for Postfix; if you need to look up these names you can find them in “/etc/postfix/certs”.
Listen 7025
NameVirtualHost *:7025
<VirtualHost *:7025>
    ServerName mailserv.domain.com:7025
    DocumentRoot /usr/share/vimbadmin/public
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
    SSLCertificateFile /etc/postfix/certs/mail.domain.com.crt
    SSLCertificateKeyFile /etc/postfix/certs/mail.domain.com.key
    SSLCertificateChainFile /etc/postfix/certs/mail.domain.com.crt
    SSLCACertificateFile /etc/postfix/certs/mail.domain.com.ca.crt
    Alias /vimbadmin /usr/share/vimbadmin/public
    <Directory /usr/share/vimbadmin/public>
        Options FollowSymLinks
        AllowOverride FileInfo
        # For Apache >= 2.4
        Require all granted
    </Directory>
</VirtualHost>
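Before restarting, it is worth checking which protocol versions and ciphers this virtual host will offer: “SSLProtocol all -SSLv2” leaves SSLv3, TLS 1.0 and TLS 1.1 enabled where the build supports them, and the cipher string admits RC4. The following is an added example, not part of the original guide: a shell function (the name audit_vhost_tls is an assumption) that reads an Apache config file and lists the legacy protocols and weak cipher keywords it enables. It assumes “all” expands to SSLv3 through TLSv1.2.

```shell
# Added example, not from the original guide.
# Lists legacy protocols and weak cipher keywords enabled in an Apache config.
# Assumption: "all" expands to SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
audit_vhost_tls() (
    awk '
    tolower($1) == "sslprotocol" {
        split("", on)                       # reset state for this directive
        for (i = 2; i <= NF; i++) {
            t = $i; sign = "+"
            if (t ~ /^[+-]/) { sign = substr(t, 1, 1); t = substr(t, 2) }
            if (tolower(t) == "all") {
                n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2", p, " ")
                for (j = 1; j <= n; j++) on[p[j]] = (sign == "+")
            } else on[t] = (sign == "+")
        }
        n = split("SSLv2 SSLv3 TLSv1 TLSv1.1", legacy, " ")
        for (j = 1; j <= n; j++)
            if (on[legacy[j]]) print "protocol " legacy[j]
    }
    tolower($1) == "sslciphersuite" {
        n = split($NF, c, ":")
        # Only tokens that add ciphers count: skip "!", "-" and "+" entries.
        for (j = 1; j <= n; j++)
            if (c[j] !~ /^[!+-]/ && c[j] ~ /^ALL$|RC4|MEDIUM|LOW|EXP|NULL|MD5|DES/)
                print "cipher " c[j]
    }' "$1"
)

# Demo on the two directives from the virtual host above, in a temp file.
demo=$(mktemp)
printf '%s\n' 'SSLProtocol all -SSLv2' \
    'SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM' > "$demo"
audit_vhost_tls "$demo"
rm -f "$demo"
```

A protocol line such as “SSLProtocol -all +TLSv1.2” together with an explicit list of AES-GCM cipher suites produces no findings.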
Now we can restart Apache, configure it to start on boot, and it should be serving ViMbAdmin. (You won’t be able to access it yet without opening the port in your firewall.)
systemctl restart httpd
systemctl enable httpd
The firewall portion of this guide might differ a bit from your server. I always replace the new firewalld service in CentOS 7 with standard iptables so the firewall behaves in the same way as CentOS 6 because that is what I’m used to. Here is a quick run-down on how to do that before I give you the rule you need to add to open port 7025:
I’m much more comfortable with iptables than with the new firewalld service. So here is a quick HowTo for replacing firewalld with iptables:
yum remove firewalld
yum install iptables-services
systemctl restart iptables
systemctl restart ip6tables
systemctl enable iptables
systemctl enable ip6tables
Now you can modify “/etc/sysconfig/iptables” and “/etc/sysconfig/ip6tables” appropriately for your server configuration. (I will eventually do a more detailed post about iptables.)
I like to restrict access to port 7025 to specific IP spaces that I will be managing the mailserver from, to harden security a bit more. Use the following rule to allow access from a specific IP. You can add one of these lines for each IP that you might be managing the server from. Replace x.x.x.x with your IP address.
-A INPUT -m state --state NEW -m tcp -p tcp -s x.x.x.x --dport 7025 -j ACCEPT
Or if you’re not that worried about security, you can simply allow connections from anywhere to 7025:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7025 -j ACCEPT
Don’t forget to restart iptables:
systemctl restart iptables
Your ViMbAdmin interface should be visible now. To test, you can access it at: https://mail.domain.com:7025/. It should look like the following page. If you don’t like your “Security Salts” just refresh the page and they get re-generated:
You need to update these keys in your “application.ini” file to continue:
nano $INSTALL_PATH/application/configs/application.ini
Find the following section:
Update your keys accordingly, then move on to creating a Super Administrator user. The email address you use doesn’t necessarily have to be an active email address yet; just don’t lose the password you use to create the account. After creating the account you can log in, and you should see an empty list of domains configured on your server. You can click the “+” I circled in red on the image below to add a domain. Using ViMbAdmin shouldn’t be too hard to figure out after playing with it for a while. One thing to remember: if you want to forward email, you need to use an Alias.
While we have a way to manage the database now, it doesn’t do us much good if Postfix doesn’t look to the database for the mailbox configuration information. We need to configure Postfix to use PostgreSQL. To do that we are going to create some files telling Postfix how to read from the database.
First of all, Postfix only needs to READ from the database, not WRITE, so to keep our mailserver secure, let’s create a new PostgreSQL user for Postfix with READ-ONLY privileges. Go ahead and connect to PostgreSQL; don’t forget “sudo” because we’re doing this as another user: (You will need the secure password you created for the postgres user in the previous part)
sudo -u postgres psql
Connect to the vimbadmin database (we don’t want this to be a system-wide user)
\c vimbadmin
Finally create a user for Postfix, and assign it the required roles:
CREATE USER mailreader WITH PASSWORD 'yourpasswordhere';
GRANT CONNECT ON DATABASE vimbadmin TO mailreader;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO mailreader;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO mailreader;
REVOKE CREATE ON SCHEMA public FROM mailreader;
Remember all these commands happened after “\c vimbadmin”, so “public” is actually only changing the “vimbadmin” database. Now we need to adjust “pg_hba.conf” again to allow logon for the new user:
nano /var/lib/pgsql/data/pg_hba.conf
Add the following line just below the one we added earlier:
host vimbadmin mailreader 127.0.0.1/32 md5
Then restart PostgreSQL:
systemctl restart postgresql
Create a directory to hold the new mappings:
mkdir /etc/postfix/pgsql
For all of the next files we create, remember to replace “password” with your password for the mailreader user we just created.
Create the file:
nano /etc/postfix/pgsql/virtual_alias_maps.cf
Paste in the following:
user = mailreader
password = password
hosts = localhost
dbname = vimbadmin
query = SELECT goto FROM alias WHERE address = '%s' AND active = true
Create the file:
nano /etc/postfix/pgsql/virtual_domains_maps.cf
Paste in the following:
user = mailreader
password = password
hosts = localhost
dbname = vimbadmin
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = false and active = true
Create the file:
nano /etc/postfix/pgsql/virtual_mailbox_maps.cf
Paste in the following:
user = mailreader
password = password
hosts = localhost
dbname = vimbadmin
table = mailbox
select_field = maildir
where_field = username
Create the file:
nano /etc/postfix/pgsql/relay_domains.cf
Paste in the following:
user = mailreader
password = password
hosts = localhost
dbname = vimbadmin
table = domain
select_field = domain
where_field = domain
Create the file:
nano /etc/postfix/pgsql/transport_maps.cf
Paste in the following:
user=mailreader
password=password
dbname=vimbadmin
table=domain
select_field=transport
where_field=domain
hosts=localhost
Create the file:
nano /etc/postfix/pgsql/virtual_mailbox_limits.cf
Paste in the following:
user = mailreader
password = password
hosts = localhost
dbname = vimbadmin
table = mailbox
select_field = quota
where_field = username
You should have 6 files in your “pgsql” directory if you run “ls -alh /etc/postfix/pgsql/” now:
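The same listing shows each file's mode, which matters because all six files hold the mailreader password in clear text, and a file created with nano under a umask of 022 is readable by every local account. The following is an added example, not part of the original guide: two shell functions that list map files still accessible to “other” users and then restrict them to root plus one group. The function names and the default group postfix are assumptions; Postfix must still be able to read the files afterwards.

```shell
# Added example, not from the original guide.
# The default directory is the one created in this guide; the default group
# "postfix" is an assumption about which group the Postfix daemons run under.

# Print "<file> <mode>" for every *.cf file that grants any access to "other".
# Exit status is 0 when nothing is found and 1 otherwise.
audit_map_perms() (
    dir=${1:-/etc/postfix/pgsql}
    found=0
    for f in "$dir"/*.cf; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")        # octal mode, e.g. 644 (GNU stat)
        case $mode in
            *0) ;;                       # last digit 0: no access for "other"
            *)  echo "$f $mode"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
)

# Hand the files to the given group and drop all access for "other".
tighten_map_perms() (
    dir=${1:-/etc/postfix/pgsql}
    grp=${2:-postfix}
    chgrp "$grp" "$dir"/*.cf && chmod 640 "$dir"/*.cf
)

# Usage on the mail server, as root:
#   audit_map_perms || tighten_map_perms
```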
Now we have created files telling Postfix how to get information out of the database we created with ViMbAdmin, we just need to tell Postfix to use them. To tell Postfix where the files are, we need to edit “main.cf” again.
nano /etc/postfix/main.cf
Add the following lines which tell Postfix what Unix user account to create mailboxes with to the end of main.cf:
# Set local user and permissions:
local_recipient_maps =
virtual_uid_maps = static:200
virtual_gid_maps = static:12
Finally, these lines tell Postfix where the files are that teach it how to use the database we just made using ViMbAdmin.
Add them to the end of main.cf as well:
# Postgresql Config information
virtual_alias_maps = pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_mailbox_base = /home/mail
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 8
virtual_transport = virtual
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
transport_maps = pgsql:/etc/postfix/pgsql/transport_maps.cf
To apply these changes, we need to restart Postfix:
systemctl restart postfix
We covered a lot of configuration in this section, but now Postfix should be using the PostgreSQL database for virtual domain and user mappings. We also configured a Web Interface (ViMbAdmin) to manage the database Postfix reads from. In the next section we will install Spam and Virus filters using SpamAssassin and ClamAV.
If you missed any of the previous parts, you can check them out using the links below:
Part 1: Preparing the Server and Certificates
Part 2: Installing Postfix
Part 3: Installing PostgreSQL
Or you can Continue to Part 5 where we configure mail filters.