ISPConfig, Dovecot, Postfix and LetsEncrypt SSL

Please see: https://www.howtoforge.com/community/threads/lets-encrypt-working-with-ispconfig-interface-postfix-dovecot-tls-pure-ftpd-monit.75546/

ARCHIVED
I successfully configured Dovecot and Postfix to use my LetsEncrypt SSL certificate for my mail domain.

Generate SSL Certificate

When I installed ISPConfig 3.1b, I followed instructions on setting up LetsEncrypt which placed it in /opt/letsencrypt; If you have LetsEncrypt installed elsewhere, substitute the path below with the correct path.
I run in standalone mode so I need to stop Apache2.

service apache2 stop

Create the certificate.
Update (12/2016): install the certbot tool by following this guide for Debian 8 (Jessie): https://certbot.eff.org/all-instructions/#debian-8-jessie-apache

certbot certonly --standalone -d mail.techish.net

The certificate now lives in /etc/letsencrypt/live/mail.techish.net/

Configure Dovecot

I modified /etc/dovecot/conf.d/10-ssl.conf and added the following lines:

ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.techish.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.techish.net/privkey.pem

Then I restarted Dovecot

service dovecot restart

That didn’t seem to work; it was still presenting an invalid certificate, so I had a look around at more configuration files.
I then modified /etc/dovecot/dovecot.conf. In this file I saw the ssl_cert and ssl_key variables and also noted the protocols line. What I changed/added is the pair of ssl_cert/ssl_key lines I commented out and the two new ssl_cert/ssl_key lines that follow them.

protocols = imap pop3 imaps pop3s
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
#ssl_cert = </etc/postfix/smtpd.cert
#ssl_key = </etc/postfix/smtpd.key
ssl_cert = </etc/letsencrypt/live/mail.techish.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.techish.net/privkey.pem

I then restarted Dovecot

service dovecot restart

Configure Postfix

I looked at /etc/postfix/main.cf and noted that the certificate paths pointed into the /etc/postfix/ directory. I decided to back up the existing certificate files and replace them with symlinks.

smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key

Backup and create symlinks.

cd /etc/postfix
mkdir ssl-backup
mv smtpd.* ssl-backup/
ln -s /etc/letsencrypt/live/mail.techish.net/fullchain.pem smtpd.cert
ln -s /etc/letsencrypt/live/mail.techish.net/privkey.pem smtpd.key

Restart Postfix

service postfix restart
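As an added check (not from the original post; the helper names, the RUN_MAIL_TLS_CHECK variable and the port list are my assumptions), the script below confirms that the certificate Dovecot and Postfix are configured with, and the one they actually present on the wire, match the Let's Encrypt fullchain.pem. It reads the effective Dovecot value with doveconf, which merges dovecot.conf and the conf.d includes and so shows which ssl_cert line won (the reason the 10-ssl.conf edit alone changed nothing). It also reports disable_plaintext_auth, which the dovecot.conf above sets to no and which therefore allows logins over unencrypted connections.

```shell
#!/bin/sh
# Added verification helpers; not part of the original post. They assume the
# paths used above (/etc/letsencrypt/live/<domain>/fullchain.pem and
# privkey.pem) and that openssl, doveconf and postconf are installed.

# Strip a Dovecot setting to its bare value. Dovecot prefixes file-backed
# values with "<" (ssl_cert = </path means "read the file"), so that prefix
# is removed. stdin: output of `doveconf <name>`, $1: the setting name.
dovecot_value() {
    awk -v key="$1" '$1 == key && $2 == "=" { v = $3; sub(/^</, "", v); print v; exit }'
}

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate a live service presents.
# $1 host, $2 port, $3 STARTTLS protocol (smtp/imap/pop3) or empty for
# implicit TLS (ports 465/993/995).
served_fingerprint() {
    host=$1; port=$2; proto=${3:-}
    set -- -connect "$host:$port" -servername "$host"
    if [ -n "$proto" ]; then set -- "$@" -starttls "$proto"; fi
    openssl s_client "$@" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# $1 label, $2 observed fingerprint (empty if none), $3 expected fingerprint
report() {
    if [ -z "$2" ]; then echo "$1: no certificate obtained"
    elif [ "$2" = "$3" ]; then echo "$1: OK"
    else echo "$1: MISMATCH ($2)"; fi
}

# Compare the configured and the actually served certificates against the
# Let's Encrypt fullchain.pem for a mail domain.
check_mail_tls() {
    domain=$1
    expected=$(cert_fingerprint "/etc/letsencrypt/live/$domain/fullchain.pem")
    echo "expected (fullchain.pem): $expected"

    # Effective Dovecot settings: doveconf merges dovecot.conf and the
    # conf.d/*.conf includes, so it shows which ssl_cert line won.
    dcert=$(doveconf ssl_cert | dovecot_value ssl_cert)
    report "dovecot ssl_cert ($dcert)" "$(cert_fingerprint "$dcert")" "$expected"
    # disable_plaintext_auth = no lets clients log in without TLS; "yes" is
    # the safe value once the certificate works.
    echo "dovecot disable_plaintext_auth: $(doveconf disable_plaintext_auth | dovecot_value disable_plaintext_auth)"

    # Postfix: postconf -h prints just the value; the symlink created above
    # is followed when the file is read.
    pcert=$(postconf -h smtpd_tls_cert_file)
    report "postfix smtpd_tls_cert_file ($pcert)" "$(cert_fingerprint "$pcert")" "$expected"

    # What the running daemons present: a stale value here means the
    # restart after the change was missed.
    while read -r port proto; do
        report "port $port" "$(served_fingerprint "$domain" "$port" "$proto")" "$expected"
    done <<EOF
25 smtp
143 imap
993
110 pop3
995
EOF
}

# Runs only when explicitly asked, e.g. RUN_MAIL_TLS_CHECK=1 sh check-mail-tls.sh mail.techish.net
if [ "${RUN_MAIL_TLS_CHECK:-0}" = 1 ]; then check_mail_tls "$1"; fi
```

Run it as RUN_MAIL_TLS_CHECK=1 sh check-mail-tls.sh mail.techish.net after the restarts. One caveat the symlink approach leaves open: certbot renewals replace the files under /etc/letsencrypt/live/, which both symlinks in /etc/postfix follow, but the daemons only read the new files when they are restarted or reloaded, so run `service postfix reload` and `service dovecot reload` from a certbot renewal hook (the --deploy-hook option in current releases) and re-run the check afterwards.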

DNS Caching for Spamassassin RBLs

So I’m tweaking the mail filter server, which is a Debian Linux server running Postfix, MailScanner and SpamAssassin.

I just wanted to share some of the performance improvements after installing pdns-recursor for local caching.

Install PowerDNS

root@mxfilter:~# apt-get install pdns-recursor

Obtain a sample spam email

root@mxfilter:~# wget http://people.apache.org/~wtogami/sample-spam.eml

First Test

root@mxfilter:~# cat sample-spam.eml | spamassassin -D 2>&1 | grep 'async: timing' | sed 's/^.*dbg: async: //'
timing: 0.740 . dns:A:45.135.176.118.iadb.isipp.com.
timing: 0.741 . dns:A:45.135.176.118.dnsbl.sorbs.net.
timing: 0.749 . dns:TXT:45.135.176.118.sa-accredit.habeas.com.
timing: 0.749 . dns:A:45.135.176.118.bb.barracudacentral.org.
timing: 0.750 . dns:TXT:45.135.176.118.bl.spamcop.net.
timing: 0.752 . dns:A:45.135.176.118.psbl.surriel.com.
timing: 0.753 . dns:A:45.135.176.118.list.dnswl.org.
timing: 0.756 . dns:A:45.135.176.118.zen.spamhaus.org.
timing: 0.758 . dns:A:45.135.176.118.bl.score.senderscore.com.
timing: 1.790 . dns:TXT:45.135.176.118.sa-trusted.bondedsender.org.

Second Test

timing: 0.002 . dns:A:45.135.176.118.iadb.isipp.com.
timing: 0.006 . dns:TXT:45.135.176.118.sa-accredit.habeas.com.
timing: 0.012 . dns:A:45.135.176.118.list.dnswl.org.
timing: 0.016 . dns:A:45.135.176.118.bl.score.senderscore.com.
timing: 0.206 . dns:A:45.135.176.118.psbl.surriel.com.
timing: 0.996 . dns:A:45.135.176.118.dnsbl.sorbs.net.
timing: 1.001 . dns:TXT:45.135.176.118.bl.spamcop.net.
timing: 1.003 . dns:A:45.135.176.118.bb.barracudacentral.org.
timing: 1.003 . dns:TXT:45.135.176.118.sa-trusted.bondedsender.org.
timing: 1.009 . dns:A:45.135.176.118.zen.spamhaus.org.

After running pdns-recursor for about 5 minutes, here are some statistics.

root@mxfilter:~# rec_control get-all
all-outqueries  116
dlg-only-drops  0
dont-outqueries 0
outgoing-timeouts       0
tcp-outqueries  4
throttled-out   0
throttled-outqueries    0
unreachables    0
answers-slow    0
answers0-1      0
answers1-10     0
answers10-100   1
answers100-1000 24
case-mismatches 0
chain-resends   0
client-parse-errors     0
edns-ping-matches       0
edns-ping-mismatches    0
ipv6-outqueries 0
no-packet-error 0
noedns-outqueries       120
noerror-answers 15
noping-outqueries       0
nsset-invalidations     0
nxdomain-answers        18
over-capacity-drops     0
qa-latency      893
questions       33
resource-limits 0
server-parse-errors     0
servfail-answers        0
spoof-prevents  0
tcp-client-overflow     0
tcp-questions   0
unauthorized-tcp        0
unauthorized-udp        0
unexpected-packets      0
cache-entries   496
cache-hits      0
cache-misses    25
concurrent-queries      0
negcache-entries        10
nsspeeds-entries        369
packetcache-entries     24
packetcache-hits        8
packetcache-misses      25
sys-msec        36
tcp-clients     0
throttle-entries        0
uptime  462
user-msec       48
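To turn the two test runs above into a comparable number, and to read the recursor counters without scanning the whole list, here are added shell helpers (mine, not from the original post; the function names, the RUN_SA_DNS_REPORT variable and the 0.5 s threshold are my choices). They summarise the "async: timing" lines that `spamassassin -D` prints per DNS lookup, compute the hit ratios from `rec_control get-all`, and check that the box actually sends its queries to the local recursor.

```shell
#!/bin/sh
# Added helpers, not from the original post: they summarise the
# "async: timing" lines that `spamassassin -D` prints for each DNS lookup,
# so a before/after comparison is one line rather than two screens of
# output, and they read the cache counters of `rec_control get-all`.

# Reduce raw debug output (stderr merged, as in the command above) to
# "<seconds> <lookup>" pairs. Also accepts lines already trimmed by sed.
sa_dns_timings() {
    sed -n 's/^.*timing: \([0-9.]*\) \. \(dns:[^ ]*\).*$/\1 \2/p'
}

# Summarise those pairs: count, mean and slowest lookup, and how many took
# longer than a threshold in seconds ($1, default 0.5). A message scan
# waits for the slowest answer, so the max matters more than the mean.
sa_dns_summary() {
    awk -v thr="${1:-0.5}" '
        { n++; sum += $1
          if ($1 > max) { max = $1; slowest = $2 }
          if ($1 > thr) slow++ }
        END { printf "lookups=%d mean=%.3fs max=%.3fs slowest=%s over_%ss=%d\n",
                     n, (n ? sum / n : 0), max, slowest, thr, slow }'
}

# Hit ratios from `rec_control get-all` on stdin. The record cache and the
# packet cache are counted separately; a recursor that has been up for a
# few minutes shows few hits, so re-run this after a day before judging it.
recursor_cache_ratio() {
    awk '$1 == "cache-hits"         { h  = $2 }
         $1 == "cache-misses"       { m  = $2 }
         $1 == "packetcache-hits"   { ph = $2 }
         $1 == "packetcache-misses" { pm = $2 }
         END { printf "record-cache=%d/%d packet-cache=%d/%d\n", h, h + m, ph, ph + pm }'
}

# Confirm the machine actually queries the local recursor: the first
# nameserver in resolv.conf ($1, default /etc/resolv.conf; "-" reads stdin)
# must be loopback, otherwise the cache is never consulted. SpamAssassin 3.3
# can also be pointed at it directly with dns_server in local.cf.
uses_local_resolver() {
    awk '$1 == "nameserver" { seen = 1
                              r = ($2 == "127.0.0.1" || $2 == "::1") ? "yes" : "no"
                              print r; exit }
         END { if (!seen) print "no" }' "${1:-/etc/resolv.conf}"
}

# Example: RUN_SA_DNS_REPORT=1 sh sa-dns.sh before.log after.log
if [ "${RUN_SA_DNS_REPORT:-0}" = 1 ]; then
    for f in "$@"; do printf '%s: ' "$f"; sa_dns_timings <"$f" | sa_dns_summary; done
    rec_control get-all | recursor_cache_ratio
    echo "local resolver in use: $(uses_local_resolver)"
fi
```

Capture each run with `spamassassin -D < sample-spam.eml 2>before.log` (and again into after.log once pdns-recursor is serving), then run the report. On the two runs above the first summary reports every lookup over 0.5 s with a 1.790 s worst case, while the second still has five lookups at about 1 s, so the cache warmed only part of the list in that short window; the counters (cache-hits 0, packetcache-hits 8 after 462 s of uptime) say the same thing.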

Check for configuration errors with FAM/Gamin Library

Popup in Outlook and webmail:

Your IMAP server wants to alert you to the following: filesystem notification initialization error — contact your mail administrator (check for configuration errors with the FAM/Gamin library)

I have a Courier IMAP+SASL+Maildrop+Postfix+MySQL setup.
I don’t know what the root problem is; I just know things had been working until I recently updated the system (which inevitably broke something).

root@node1:# apt-cache search fam gamin
gamin - File and directory monitoring system
libgamin-dev - Development files for the gamin client library
libgamin0 - Client library for the gamin file and directory monitoring system
python-gamin - Python binding for the gamin client library
kdelibs4c2a - core libraries and binaries for all KDE applications
root@node1:# apt-get install gamin
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  sensible-mda tnef sendmail-cf sendmail-base daemon libnet-cidr-lite-perl
  clamav-daemon
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
  libgamin0 libglib2.0-0 libglib2.0-data shared-mime-info
The following packages will be REMOVED:
  libfam0
The following NEW packages will be installed:
  gamin libgamin0 libglib2.0-0 libglib2.0-data shared-mime-info
0 upgraded, 5 newly installed, 1 to remove and 32 not upgraded.
Need to get 3072 kB of archives.
After this operation, 10.5 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://ftp.us.debian.org/debian/ squeeze/main libglib2.0-0 amd64 2.24.2-1 [1122 kB]
Get:2 http://ftp.us.debian.org/debian/ squeeze/main libgamin0 amd64 0.1.10-2+b1 [42.3 kB]
Get:3 http://ftp.us.debian.org/debian/ squeeze/main gamin amd64 0.1.10-2+b1 [72.9 kB]
Get:4 http://ftp.us.debian.org/debian/ squeeze/main libglib2.0-data all 2.24.2-1 [994 kB]
Get:5 http://ftp.us.debian.org/debian/ squeeze/main shared-mime-info amd64 0.71-4 [841 kB]
Fetched 3072 kB in 2s (1085 kB/s)
dpkg: libfam0: dependency problems, but removing anyway as you requested:
 courier-base depends on libfam0.
 courier-imap depends on libfam0.
(Reading database ... 31853 files and directories currently installed.)
Removing libfam0 ...
Selecting previously deselected package libglib2.0-0.
(Reading database ... 31845 files and directories currently installed.)
Unpacking libglib2.0-0 (from .../libglib2.0-0_2.24.2-1_amd64.deb) ...
Selecting previously deselected package libgamin0.
Unpacking libgamin0 (from .../libgamin0_0.1.10-2+b1_amd64.deb) ...
Selecting previously deselected package gamin.
Unpacking gamin (from .../gamin_0.1.10-2+b1_amd64.deb) ...
Selecting previously deselected package libglib2.0-data.
Unpacking libglib2.0-data (from .../libglib2.0-data_2.24.2-1_all.deb) ...
Selecting previously deselected package shared-mime-info.
Unpacking shared-mime-info (from .../shared-mime-info_0.71-4_amd64.deb) ...
Processing triggers for man-db ...
Setting up libglib2.0-0 (2.24.2-1) ...
Setting up libglib2.0-data (2.24.2-1) ...
Setting up shared-mime-info (0.71-4) ...
Setting up gamin (0.1.10-2+b1) ...
Setting up libgamin0 (0.1.10-2+b1) ...
root@node1:# /etc/init.d/courier-imap restart
Stopping Courier IMAP server: imapd.
Starting Courier IMAP server: imapd.
root@node1:# /etc/init.d/courier-imap
courier-imap      courier-imap-ssl
root@node1:# /etc/init.d/courier-imap-ssl restart
Stopping Courier IMAP-SSL server: imapd-ssl.
Starting Courier IMAP-SSL server: imapd-ssl.
root@node1:# dpkg -l |grep -i libfam|gamin
ii  gamin                               0.1.10-2+b1                  File and directory monitoring system
rc  libfam0                             2.7.0-17                     Client library to control the FAM daemon
ii  libgamin0                           0.1.10-2+b1                  Client library for the gamin file and directory monitoring system

libfam0:

Description: Client library to control the FAM daemon
FAM monitors files and directories, notifying interested applications
of changes.
.
This package provides a shared library to allow programs to connect to
the FAM daemon and ask for files to be monitored.
Homepage: http://oss.sgi.com/projects/fam/

gamin:

Description: File and directory monitoring system
Gamin is a file and directory monitoring system which allows
applications to detect when a file or a directory has been added,
removed or modified by somebody else.
.
It can be used by desktops like KDE, GNOME or Xfce to have their
virtual file systems keep track of changes to files and directories.
For example, if a file manager displays a directory to the user, and
the user removes one of the files via the command-line, gamin will
notify the file manager of this change so that it can update the
directory display.
.
Gamin has been designed as a drop-in replacement for FAM with security
and maintainability in mind and can use Linux’s advanced inotify
service when available.

All I know is things work again. I’ll dig into this some other day. In with the new, out with the old.

Postfix, MailScanner, SpamAssassin, ClamAV and Baruwa — Oh My!

I spent the better part of Thursday doing a fresh install of Debian GNU/Linux along with MailScanner, SpamAssassin, ClamAV and the Baruwa web interface for MailScanner. I also have MailWatch 1.0.5 set up and installed side by side with Baruwa.
Below is the web interface to MailScanner (http://www.baruwa.org/) which allows for adding Users and Domains.

Postfix version 2.7.1-1+squeeze1
MailScanner version 4.83.5
Baruwa version 1.1.0
ClamAV 0.97.1/13296/Thu Jul  7 22:28:42 2011
SpamAssassin version 3.3.1
I used quite a bit of information from http://www.spamtips.org/ to help with configuration/update/architecture of the antispam server.