Welcome to Part 4 of the Mailserver setup guide. In this part we are going to be installing and configuring ViMbAdmin (vim-be-admin) to manage users and mailboxes, as well as the domains our mailserver will service. You can find more information about ViMbAdmin on their website here. If you missed the previous parts you can find them here: Part 1 – Server Configuration, Part 2 – Postfix Configuration, Part 3 – PostgreSQL Configuration.
Preparation
Before installing ViMbAdmin we need to install some PHP packages. I’m going to be using PHP version 7: we are using the latest version of CentOS and Postfix, so we might as well go with the latest PHP. I have written a guide here for installing PHP 7 on your server. Make sure you install the php70w-pgsql package. You will also need mcrypt, composer and git:
yum install httpd mod_ssl php70w-mcrypt composer git
Then set the install path:
export INSTALL_PATH=/usr/share/vimbadmin
ViMbAdmin Installation
Use Git to clone the installation and composer to install:
git clone https://github.com/opensolutions/ViMbAdmin.git $INSTALL_PATH
cd $INSTALL_PATH
composer install --dev
Set permissions so Apache can serve the web interface:
chown -R apache:apache var/
Database Configuration
ViMbAdmin comes with a default configuration file that can be copied for a basic configuration. We will copy that file to the appropriate name now, keeping the original as a backup:
cp $INSTALL_PATH/application/configs/application.ini.dist $INSTALL_PATH/application/configs/application.ini
Then edit the new file:
nano $INSTALL_PATH/application/configs/application.ini
We need to change the Database connection properties so that ViMbAdmin will use our PostgreSQL database instead of MySQL. Make the settings in your file look like the ones below, substituting yourpasswordhere for the password you created in the previous section:
resources.doctrine2.connection.options.driver = 'pdo_pgsql'
resources.doctrine2.connection.options.dbname = 'vimbadmin'
resources.doctrine2.connection.options.user = 'vimbadmin'
resources.doctrine2.connection.options.password = 'yourpasswordhere'
resources.doctrine2.connection.options.host = 'localhost'
resources.doctrine2.connection.options.charset = 'utf8'
Now find the Mailboxes section and modify it to match the following example:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Default values for creating mailboxes
; This sets the uid and gid columns in the mailbox table to the below values
defaults.mailbox.uid = 200
defaults.mailbox.gid = 12
Finally, just below that section, find the following settings and modify them to match this example:
defaults.mailbox.maildir = "%d/%u/"
defaults.mailbox.homedir = "/home/mail/"
The next thing we have to do is put the .htaccess file in place by copying the supplied template:
cp $INSTALL_PATH/public/.htaccess.dist $INSTALL_PATH/public/.htaccess
Create the Database
The first thing we have to do is allow the administrator user we created in the previous section to connect to the database. We do that by editing “/var/lib/pgsql/data/pg_hba.conf”:
nano /var/lib/pgsql/data/pg_hba.conf
Scroll to the bottom and add the following line under “# IPv4 local connections:”
host vimbadmin vimbadmin 127.0.0.1/32 md5
It should look like this:
After making these changes, restart PostgreSQL:
systemctl restart postgresql
Now change back to your install directory if you’re not already there:
cd $INSTALL_PATH
Run this command to create the database:
./bin/doctrine2-cli.php orm:schema-tool:create
If it was successful it should look like this:
Webserver Configuration
ViMbAdmin is installed; now we need to tell Apache to serve the files. For security reasons, I like to move the management page off the standard HTTP and HTTPS ports. We are still going to be using HTTPS to host the page, but let’s put it on port 7025. Earlier I had you install Apache and mod_ssl (for serving HTTPS pages), so let’s configure those.
Configuring Apache
All the Apache configuration files are stored in “/etc/httpd/”. The HTTPS configuration is stored at “/etc/httpd/conf.d/ssl.conf”, but we are going to be working with port 7025, so let’s make a new configuration file:
nano /etc/httpd/conf.d/vimbadmin.conf
Configure Apache to listen on our new port and set up the new Virtual Host. Copy and paste the following into the new file you just opened, and be sure to modify the ServerName and the certificate names. Notice we are re-using the same certificates we used for Postfix; if you need to look up these names you can find them in “/etc/postfix/certs”.
Listen 7025
NameVirtualHost *:7025
<VirtualHost *:7025>
ServerName mailserv.domain.com:7025
DocumentRoot /usr/share/vimbadmin/public
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/postfix/certs/mail.domain.com.crt
SSLCertificateKeyFile /etc/postfix/certs/mail.domain.com.key
SSLCertificateChainFile /etc/postfix/certs/mail.domain.com.crt
SSLCACertificateFile /etc/postfix/certs/mail.domain.com.ca.crt
Alias /vimbadmin /usr/share/vimbadmin/public
<Directory /usr/share/vimbadmin/public>
Options FollowSymLinks
AllowOverride FileInfo
# For Apache >= 2.4
Require all granted
</Directory>
</VirtualHost>
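The SSLProtocol and SSLCipherSuite lines in this virtual host leave SSLv3, TLS 1.0/1.1 and RC4 suites enabled. The check below is an added example, not part of the original guide: lint_vhost_tls is a hypothetical helper that replays those two directives and reports what they still allow, run here on a constructed copy of the lines above.

```sh
# Added example (not from the original guide): lint the TLS directives of an
# Apache vhost file. lint_vhost_tls is a hypothetical helper name.
# Prints one finding per line; exit status 1 if anything was flagged.
lint_vhost_tls() (
  conf=$1; rc=0
  # The last uncommented directive wins, so keep only the final value.
  proto=$(awk 'tolower($1)=="sslprotocol"{$1=""; v=$0} END{print v}' "$conf")
  suite=$(awk 'tolower($1)=="sslciphersuite"{v=$2} END{print v}' "$conf")

  # Replay the +/- tokens. "all" is modelled as SSLv3 plus TLSv1.0-1.2,
  # which is what mod_ssl documents for OpenSSL builds that include SSLv3.
  on=" "
  for tok in $proto; do
    case $tok in
      all|+all) on=" SSLv3 TLSv1 TLSv1.1 TLSv1.2 " ;;
      -all)     on=" " ;;
      -*)       on=$(printf '%s' "$on" | sed "s/ ${tok#-} / /") ;;
      *)        on="$on${tok#+} " ;;
    esac
  done
  for p in SSLv3 TLSv1 TLSv1.1; do
    case $on in
      *" $p "*) echo "weak-protocol: $p enabled by SSLProtocol$proto"; rc=1 ;;
    esac
  done

  # Cipher tokens: "!x" and "-x" remove, "+x" only reorders; the rest add.
  IFS=:
  for c in $suite; do
    case $c in
      '!'*|-*|+*) ;;
      ALL|*RC4*|*MEDIUM*|*LOW*|*EXP*|*3DES*|*MD5*|*NULL*)
        echo "weak-cipher: $c adds legacy suites"; rc=1 ;;
    esac
  done
  exit "$rc"
)

# Constructed sample: the two TLS lines from the virtual host above.
sample=$(mktemp)
printf '%s\n' 'SSLProtocol all -SSLv2' \
  'SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM' > "$sample"
lint_vhost_tls "$sample" || true
rm -f "$sample"
```

A pair such as "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1" with "SSLCipherSuite HIGH:!aNULL:!MD5:!3DES" passes the check without findings.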
Now we can restart Apache, configure it to start on boot, and it should be serving ViMbAdmin. (You won’t be able to access it yet without opening the port in your firewall.)
systemctl restart httpd
systemctl enable httpd
The firewall portion of this guide might differ a bit from your server. I always replace the new firewalld service in CentOS 7 with standard iptables so the firewall behaves in the same way as CentOS 6 because that is what I’m used to. Here is a quick run-down on how to do that before I give you the rule you need to add to open port 7025:
Side-Note: Replace CentOS 7 “firewalld” with “iptables”
I’m much more comfortable with iptables than with the new firewalld service. So here is a quick HowTo for replacing firewalld with iptables:
yum remove firewalld
yum install iptables-services
systemctl restart iptables
systemctl restart ip6tables
systemctl enable iptables
systemctl enable ip6tables
Now you can modify “/etc/sysconfig/iptables” and “/etc/sysconfig/ip6tables” appropriately for your server configuration. (I will eventually do a more detailed post about iptables.)
Firewall Rules
I like to restrict access to port 7025 to the specific IP addresses I will be managing the mailserver from, to harden security a bit more. Use the following rule to allow access from a specific IP. You can add one of these lines for each IP that you might be managing the server from. Replace x.x.x.x with your IP address.
-A INPUT -m state --state NEW -m tcp -p tcp -s x.x.x.x --dport 7025 -j ACCEPT
Or if you’re not that worried about security, you can simply allow connections from anywhere to 7025:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7025 -j ACCEPT
Don’t forget to restart iptables:
systemctl restart iptables
Web Interface
Your ViMbAdmin interface should be visible now. To test, you can access it at: https://mail.domain.com:7025/. It should look like the following page. If you don’t like your “Security Salts”, just refresh the page and they get re-generated:
You need to update these keys in your “application.ini” file to continue:
nano $INSTALL_PATH/application/configs/application.ini
Find the following section:
Update your keys accordingly, then move on to creating a Super Administrator user. The email address you use doesn’t necessarily have to be an active email address yet; just don’t lose the password you use to create the account. After creating the account you can log in, and should see an empty list of domains configured on your server. You can click the “+” I circled in red on the image below to add a domain. Using ViMbAdmin shouldn’t be too hard to figure out after playing with it for a while. One thing to remember is that if you want to forward email, you need to use an Alias.
Postfix and PostgreSQL
While we have a way to manage the database now, it doesn’t do us much good if Postfix doesn’t look to the database for the mailbox configuration information. We need to configure Postfix to use PostgreSQL. To do that we are going to create some files telling Postfix how to read from the database.
PostgreSQL user for Postfix
First of all, Postfix only needs to READ from the database, not WRITE, so to keep our mailserver secure, let’s create a new PostgreSQL user for Postfix with READ-ONLY privileges. Go ahead and connect to PostgreSQL; don’t forget “sudo” because we’re doing this as another user. (You will need the secure password you created for the postgres user in the previous part.)
sudo -u postgres psql
Connect to the vimbadmin database (we don’t want this to be a system-wide user)
\c vimbadmin
Finally create a user for Postfix, and assign it the required roles:
CREATE USER mailreader WITH PASSWORD 'yourpasswordhere';
GRANT CONNECT ON DATABASE vimbadmin TO mailreader;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO mailreader;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO mailreader;
REVOKE CREATE ON SCHEMA public FROM mailreader;
Remember all these commands happened after “\c vimbadmin”, so “public” is actually only changing the “vimbadmin” database. Now we need to adjust “pg_hba.conf” again to allow logon for the new user:
nano /var/lib/pgsql/data/pg_hba.conf
Add the following line just below the one we added earlier:
host vimbadmin mailreader 127.0.0.1/32 md5
Then restart PostgreSQL:
systemctl restart postgresql
Postfix Mappings
Create a directory to hold the new mappings:
mkdir /etc/postfix/pgsql
For all of the next files we create, remember to replace “password” with your password for the mailreader user we just created.
Virtual Alias Mapping
Create the file:
nano /etc/postfix/pgsql/virtual_alias_maps.cf
Paste in the following:
user = mailreader
password = password
hosts = localhost
dbname = vimbadmin
query = SELECT goto FROM alias WHERE address = '%s' AND active = true
Virtual Domain Mapping
Create the file:
nano /etc/postfix/pgsql/virtual_domains_maps.cf
Paste in the following:
user = mailreader
password = password
hosts = localhost
dbname = vimbadmin
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = false and active = true
Virtual Mailbox (user) Mapping
Create the file:
nano /etc/postfix/pgsql/virtual_mailbox_maps.cf
Paste in the following:
user = mailreader
password = password
hosts = localhost
dbname = vimbadmin
table = mailbox
select_field = maildir
where_field = username
Relay Domains
Create the file:
nano /etc/postfix/pgsql/relay_domains.cf
Paste in the following:
user = mailreader
password = password
hosts = localhost
dbname = vimbadmin
table = domain
select_field = domain
where_field = domain
Transport Maps
Create the file:
nano /etc/postfix/pgsql/transport_maps.cf
Paste in the following:
user=mailreader
password=password
dbname=vimbadmin
table=domain
select_field=transport
where_field=domain
hosts=localhost
Virtual Mailbox Limits
Create the file:
nano /etc/postfix/pgsql/virtual_mailbox_limits.cf
Paste in the following:
user = mailreader
password = password
hosts = localhost
dbname = vimbadmin
table = mailbox
select_field = quota
where_field = username
You should have 6 files in your “pgsql” directory if you run “ls -alh /etc/postfix/pgsql/” now:
Using the new files
Now that we have created files telling Postfix how to get information out of the database we created with ViMbAdmin, we just need to tell Postfix to use them. To tell Postfix where the files are, we need to edit “main.cf” again.
nano /etc/postfix/main.cf
Add the following lines to the end of main.cf. They tell Postfix which Unix user account to create mailboxes with:
# Set local user and permissions:
local_recipient_maps =
virtual_uid_maps = static:200
virtual_gid_maps = static:12
Finally, these lines tell Postfix where the files are that teach it how to use the database we just made using ViMbAdmin. Add them to the end of main.cf as well:
# Postgresql Config information
virtual_alias_maps = pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_mailbox_base = /home/mail
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 8
virtual_transport = virtual
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
transport_maps = pgsql:/etc/postfix/pgsql/transport_maps.cf
To apply these changes, we need to restart Postfix:
systemctl restart postfix
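Every map file created above stores the mailreader password in clear text, and main.cf points at only some of them. The audit below is an added example, not part of the original guide: audit_pgsql_maps is a hypothetical helper, and the demo runs it on constructed files in a scratch directory standing in for /etc/postfix/pgsql.

```sh
# Added example (not from the original guide): audit the Postfix pgsql map
# files. audit_pgsql_maps is a hypothetical helper name.
# Usage: audit_pgsql_maps DIR MAIN_CF   (prints findings, status 1 if any)
audit_pgsql_maps() (
  dir=$1; main_cf=$2; rc=0
  for f in "$dir"/*.cf; do
    [ -f "$f" ] || continue
    # Only files that carry a credential are of interest.
    pw=$(sed -n 's/^[[:space:]]*password[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
    [ -n "$pw" ] || continue
    mode=$(stat -c '%a' "$f")   # GNU stat, as shipped with CentOS
    case $mode in
      *[1-7]) echo "world-accessible: $f (mode $mode)"; rc=1 ;;
    esac
    # The guide's literal placeholders must not survive into production.
    case $pw in
      password|yourpasswordhere) echo "placeholder-password: $f"; rc=1 ;;
    esac
    # A credential file that main.cf never points at can simply be removed.
    grep -Fq "pgsql:$f" "$main_cf" || { echo "unreferenced: $f"; rc=1; }
  done
  exit "$rc"
)

# Constructed demo files; the password values are made up.
demo=$(mktemp -d); main=$(mktemp)
printf 'user = mailreader\npassword = password\n' > "$demo/virtual_alias_maps.cf"
printf 'user = mailreader\npassword = Constructed-1\n' > "$demo/relay_domains.cf"
chmod 644 "$demo/virtual_alias_maps.cf"
chmod 640 "$demo/relay_domains.cf"
echo "virtual_alias_maps = pgsql:$demo/virtual_alias_maps.cf" > "$main"
audit_pgsql_maps "$demo" "$main" || true
rm -rf "$demo" "$main"
```

A world-accessible finding is usually cleared with "chown root:postfix" and "chmod 640" on the map files.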
Conclusion
We covered a lot of configuration in this section, but now Postfix should be using the PostgreSQL database for virtual domain and user mappings. We also configured a Web Interface (ViMbAdmin) to manage the database Postfix reads from. In the next section we will install Spam and Virus filters using SpamAssassin and ClamAV.
If you missed any of the previous parts, you can check them out using the links below:
Part 1: Preparing the Server and Certificates
Part 2: Installing Postfix
Part 3: Installing PostgreSQL
Or you can Continue to Part 5 where we configure mail filters.