
An own, completely secured, mail server with Zarafa

I have already written a German tutorial about this topic. Now it is time to write an English one, which is also my first English blog post here. In this tutorial I explain how to install a Zarafa mail server so that it runs with a completely secured configuration. For this, we will install a Zarafa server with Postfix as the mail-handling base. We also install Amavis as virus scanner and SpamAssassin as spam protection, and use SSL/TLS to encrypt the communication. The complete tutorial is based on Ubuntu 14.04 LTS and Zarafa 7.1.11, but it should also work on other versions and on Debian. If you need support or the entire installation, please contact CVA GmbH (CET / CEST 08:00 am to 06:00 pm). So let's start with the installation process: first we need to take care of the requirements.


Requirements

First, I change the current directory to my personal home directory using the „cd ~“ command. In the next step, we need to find the correct software version for our operating system. We browse the Zarafa web archive at http://download.zarafa.com/community/final/ to find it. I will use Zarafa version 7.1.11 for Ubuntu 14.04 LTS. We may also need to download the Microsoft Outlook integration from the windows folder of the web archive. For the final SSL/TLS integration we also need to create certificates, on StartSSL for example. But this step requires a working, not yet secured mail server installation first, because we need to confirm our domain.

To download the correct Zarafa software we can use the following shell command:

wget http://download.zarafa.com/community/final/7.1/7.1.11-46050/zcp-7.1.11-46050-ubuntu-14.04-x86_64-free.tar.gz

After the download is completed, we need to extract all files into a new folder.

tar xvfz zcp-7.1.11-46050-ubuntu-14.04-x86_64-free.tar.gz

We also need to install MySQL on our server, and maybe Apache2 or Nginx too. One way to do this is to install a LAMP server; you can follow this guide: Install LAMP-Server on Ubuntu. Installing MySQL, or having access to a MySQL server, is absolutely required in this guide. Apache2 and/or Nginx is only required for web access to our mail server.

For the next step, we need to configure our domain correctly for the server. We need to create the subdomains „secure“, „mail“ and „www“ and an MX record with priority 10 for the mail subdomain. After this, we need to wait until the domain points to the correct server. This can take up to an hour or more. When this is completed, let's get started with the installation process.

 

Installation

Postfix

First of all, we need to install Postfix on the server, because it is the foundation of the Zarafa setup we configure later. To start the installation, use this command:

apt-get install postfix

After that, a few configuration questions will appear. For most of them we can use the defaults, because we change them later anyway. But it is recommended to answer the domain question correctly.

 

Zarafa

Let's go on with Zarafa. First of all we need to change into the unpacked archive folder. From there, we can start the installation script.

./install.sh

Again we can use the default configuration. During the installation we are asked for a valid Zarafa serial number. We can buy a license from http://www.zarafa.com/, or leave the serial empty and run the free version (you can enter a valid serial number later). It is important to configure the MySQL information correctly, because the tables for Zarafa are created during the install process.

If everything is correct, we should already be able to open the Zarafa web interface. For this, enter http://SERVER_IP/webapp/ in your web browser. If this does not work, we need to check the log files for errors, missing modules and the like (it only works if Apache2 or Nginx is installed and running). For Apache2, the ssl, rewrite and php5 modules have to be loaded.

 

SASL Authentication

In the next part of this tutorial, we install SASL to protect our SMTP gateway. Once SASL is installed and running, SMTP will require valid authentication. To install it, use this command:

apt-get install sasl2-bin

That's all for now. Let's go on with fail2ban.

 

fail2ban

Like SASL, fail2ban is a great addition for our server. It will protect the server from brute-force and DDoS attacks. For the installation, we only need this command:

apt-get install fail2ban iptables-persistent

 

Amavis

Amavis will work as a virus scanner for us.

apt-get install amavisd-new clamav-daemon spamassassin razor pyzor

Now the installation process is nearly complete. In the next step we need to configure the services we installed.

 

Configuration

Let's start with the configuration of our services. We don't have any certificates yet, so we need to complete this part without any kind of certificate. The certificate configuration comes later in this post.

 

Basic config

As a basis, we start by configuring SASL authentication on the server. To do this, we need to edit this file:

nano /etc/postfix/sasl/smtpd.conf

And add this content

pwcheck_method: saslauthd
mech_list: plain login

If this is done, we need to add the postfix user to the sasl group. For this we need to execute this command:

gpasswd -a postfix sasl

Now we can start with the main postfix configuration:

nano /etc/postfix/main.cf

First we need to disable (comment out) the „relayhost“ line. After this, we add the following to the end of the configuration file:

# SASL Auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,check_relay_domains,reject_unauth_destination 

# Amavis
content_filter=smtp-amavis:[127.0.0.1]:10024 

# Zarafa Mailbox mapping
virtual_mailbox_domains = example.de
virtual_alias_maps = hash:/etc/aliases
mailbox_command = /usr/bin/zarafa-dagent "$USER"
virtual_transport = zarafa:
zarafa_destination_recipient_limit = 1

Save and exit the file. Now we need to change the SASL configuration again here:

nano /etc/default/saslauthd

The easiest way is to delete everything in this file and add this:

START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="rimap"
MECH_OPTIONS="127.0.0.1"
THREADS=0
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Now we need to add a virtual mail user.

adduser --system --no-create-home vmail
adduser clamav amavis

Let's add the virtual mail user to our Zarafa configuration here:

nano /etc/zarafa/server.cfg

Search for „local_admin_users“ and edit the line as shown in the comment above it. Now let's connect Amavis to our mail chain by editing this file:

nano /etc/amavis/conf.d/15-content_filter_mode

Make sure the file looks similar to this one:

use strict;

@bypass_virus_checks_maps = (
 \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
 \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

 1;

Go on with SpamAssassin and enable it by editing this file:

nano /etc/default/spamassassin

Switch the ENABLED variable from 0 to 1. Now let's activate fail2ban for our services by setting the enabled flag to true for postfix, sasl, apache / nginx and ssh in this file:

nano /etc/fail2ban/jail.conf

Finally we need to configure our Postfix master configuration. Under the line „pickup    unix  n       -       -       60      1       pickup“ add this:

# Amavis
 -o content_filter=
 -o receive_override_options=no_header_body_checks
# Amavis end

And under the line „smtp      unix  -       -       -       -       -       smtp“ add this:

smtps inet n - n - - smtpd
 -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

Next we need to replace the submission block, including its -o parameters, with this:

# SASL via Cyrus saslauthd, as configured above (this guide does not install Dovecot)
submission inet n       -       -       -       -       smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_type=cyrus
  -o smtpd_sasl_path=smtpd
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

And at the end this:

zarafa unix - n n - 10 pipe
 flags=DRhu user=vmail argv=/usr/bin/zarafa-dagent -R ${recipient}
# Amavis
smtp-amavis unix - - - - 2 smtp
 -o smtp_data_done_timeout=1200
 -o smtp_send_xforward_command=yes
 -o disable_dns_lookups=yes
 -o max_use=20

127.0.0.1:10025 inet n - - - - smtpd
 -o content_filter=
 -o local_recipient_maps=
 -o relay_recipient_maps=
 -o smtpd_restriction_classes=
 -o smtpd_delay_reject=no
 -o smtpd_client_restrictions=permit_mynetworks,reject
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o smtpd_data_restrictions=reject_unauth_pipelining
 -o smtpd_end_of_data_restrictions=
 -o mynetworks=127.0.0.0/8
 -o smtpd_error_sleep_time=0
 -o smtpd_soft_error_limit=1001
 -o smtpd_hard_error_limit=1000
 -o smtpd_client_connection_count_limit=0
 -o smtpd_client_connection_rate_limit=0
 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

So the basic configuration is complete. Now let's add a user to our mail server, to receive and check the mail for the SSL domain registration.

adduser mailuser --no-create-home
zarafa-admin -c mailuser -p mailpassword -f "Mailuser Example" -e "mailuser@example.de" 
zarafa-admin -u mailuser --enable-feature imap 
zarafa-admin --create-store mailuser

Let's change the aliases next, to make mail forwarding work.

nano /etc/aliases

For a simple solution, add this line (change mailuser to the mailuser you just created):

root: mailuser

Now execute this:

newaliases

Now all mails will be forwarded to the mailuser. So that Amavis can use Razor and Pyzor, the following is additionally required:

su - amavis -s /bin/bash
razor-admin -create
razor-admin -register
pyzor discover
exit

I also recommend changing the following settings in the file „/etc/amavis/conf.d/20-debian_defaults“:

$sa_tag_level_deflt  = undef;
$sa_tag2_level_deflt = 5;
$sa_kill_level_deflt = 20;

Finally we need to restart all services with this little „script“:

service saslauthd restart
service spamassassin restart
service clamav-daemon restart
service amavis restart
service postfix restart
service zarafa-dagent restart
service zarafa-server restart
service apache2 restart
service fail2ban restart

Now you should have web access (if you installed Apache or Nginx) to these web services:

WebApp: http://SERVER_IP/webapp/
Webaccess: http://SERVER_IP/webaccess/

 

Educating the Spam-Filters

You should download some spam mails for the learning process from here: http://untroubled.org/spam/. I will unpack the archive to „/var/mail/spam/“ and run the learning routine of SpamAssassin.

sa-learn --no-sync --spam /var/mail/spam/

It is recommended to download at least the latest 3 archives from the page above before you execute the learn command. You can also use the auto-learn function by editing this file:

nano /etc/spamassassin/local.cf

And uncomment these two lines:

use_bayes 1
bayes_auto_learn 1

Note: Automatic learning uses a lot of system resources, and it will not learn correctly without any help (such as learning from spam archives).

 

SSL Configuration

Now let's start with the SSL configuration to encrypt the communication between the server and the desktop clients. You can get certificates from https://www.startssl.com/, for example (note: these certificates need to be renewed each year). We need a certificate of the „Web Server SSL/TLS Certificate“ kind for our secure subdomain. First let's store the private key in a file:

nano /etc/keys/mail.ssl.key

Then run openssl to decrypt this private key for our server.

openssl rsa -in /etc/keys/mail.ssl.key -out /etc/keys/mail.ssl.key

Next up we need to store the domain certificate here for example:

nano /etc/keys/mail.ssl.crt

And last but not least we need the CA certificate and the Class 1 CA certificate. If you use StartSSL you can use this:

nano /etc/keys/sub.class1.server.ca.pem

And enter this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Next the CA-Certificate:

nano /etc/keys/ca.pem

With this content:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Now we need to combine our certificates with this command:

cd /etc/keys/ && cat mail.ssl.crt mail.ssl.key sub.class1.server.ca.pem ca.pem > example.de-ssl.pem

Now we can edit our postfix main configuration again

nano /etc/postfix/main.cf

Replace the part between „# TLS parameters“ and „# See /usr/share/doc…“ with this (don't forget to change the domain to your own):

smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes

smtpd_tls_cert_file = /etc/keys/example.de-ssl.pem
maildrop_destination_recipient_limit = 1

smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
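
With smtpd_sasl_auth_enable = yes, „mech_list: plain login“ and smtpd_tls_auth_only = no, port 25 offers AUTH before STARTTLS, so passwords can cross the network unencrypted. The following check is an added example, not part of the original post; the function names and the sample file are constructed, and it only reads a main.cf file:

```shell
#!/bin/sh
# Added example (not from the original post): flag main.cf settings that
# expose SMTP AUTH. Function names and the sample file are constructed.

# Print "name = value" per parameter: skips comments, joins continuation
# lines (leading whitespace), and lets the last assignment win.
effective_params() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { sub(/^[ \t]+/, ""); val[cur] = val[cur] " " $0; next }
        {
            i = index($0, "="); if (i == 0) next
            cur = substr($0, 1, i - 1); gsub(/[ \t]/, "", cur)
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            val[cur] = v
        }
        END { for (k in val) print k " = " val[k] }
    ' "$1"
}

# Value of one parameter ($2) in the main.cf file ($1).
get_param() { effective_params "$1" | sed -n "s/^$2 = //p"; }

audit_main_cf() {
    if [ "$(get_param "$1" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(get_param "$1" smtpd_tls_auth_only)" != yes ]; then
        echo "WEAK smtpd_tls_auth_only: AUTH is offered before STARTTLS"
    fi
    case "$(get_param "$1" smtpd_recipient_restrictions)" in
        *check_relay_domains*)
            echo "DEPRECATED check_relay_domains: use reject_unauth_destination" ;;
    esac
}

# Constructed sample holding the values this guide puts into main.cf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,check_relay_domains,
    reject_unauth_destination
smtpd_tls_auth_only = no
smtpd_tls_security_level = may
EOF
audit_main_cf "$sample"
```

Setting smtpd_tls_auth_only = yes makes Postfix announce and accept AUTH only after STARTTLS; on a live host, pass the real /etc/postfix/main.cf to audit_main_cf.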

Last but not least we need to change the Zarafa gateway configuration here

nano /etc/zarafa/gateway.cfg

and switch these options to yes:

pop3s_enable    =       yes
imaps_enable    =       yes

Finally, restart everything again.

service saslauthd restart
service spamassassin restart
service clamav-daemon restart
service amavis restart
service postfix restart
service zarafa-dagent restart
service zarafa-server restart
service apache2 restart
service fail2ban restart

Now it should be possible to connect to our server via SSL/TLS. If not, check your firewall and that the services are running. Also check the log files.

 

Additional

Greylisting

Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will „temporarily reject“ any email from an origin it does not recognize. If the mail is legitimate the originating server will try to send it again after a delay, and if sufficient time has elapsed the email will be accepted.

To install greylisting use the following command:

apt-get install postgrey

Now you need to add „check_policy_service inet:127.0.0.1:10023“ to the „smtpd_recipient_restrictions“ parameter in the file „/etc/postfix/main.cf“ (Warning: the port could be different! If the port is wrong you will see a connection error in the mail log). The configuration should now look like this:

smtpd_recipient_restrictions =  permit_mynetworks,
				permit_sasl_authenticated,
				reject_unauth_destination,
				check_policy_service inet:127.0.0.1:10023

Restart (or reload) Postfix to activate the configuration: „service postfix restart“.
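
What a greylisting policy service decides for each request Postfix sends it through check_policy_service, as an added shell example (not from the original post and not postgrey's code). The function name, the client/sender/recipient key, the flat-file database and the 300-second delay are assumptions:

```shell
#!/bin/sh
# Added example (not from the original post, not postgrey's code): the
# greylisting decision for one Postfix policy-delegation request.
# Function names, database format and delay are assumptions.

# greylist_decide DB NOW DELAY   (request attributes on stdin)
# DB holds "client|sender|recipient<TAB>first_seen_epoch" per line.
greylist_decide() {
    gl_db=$1 gl_now=$2 gl_delay=$3
    client='' sender='' rcpt=''
    while IFS='=' read -r key value; do
        case $key in
            client_address) client=$value ;;
            sender)         sender=$value ;;
            recipient)      rcpt=$value ;;
            '')             break ;;   # empty line terminates the request
        esac
    done
    triplet="$client|$sender|$rcpt"
    touch "$gl_db"
    first=$(TRIPLET=$triplet awk -F '\t' \
        '$1 == ENVIRON["TRIPLET"] { print $2; exit }' "$gl_db")
    if [ -z "$first" ]; then
        # Unknown origin: remember when it was first seen, reject temporarily.
        printf '%s\t%s\n' "$triplet" "$gl_now" >> "$gl_db"
        echo "action=defer_if_permit Greylisted, please retry later"
    elif [ $((gl_now - first)) -lt "$gl_delay" ]; then
        echo "action=defer_if_permit Greylisted, please retry later"
    else
        echo "action=dunno"   # delay elapsed: later restrictions decide
    fi
}

# Constructed request, in the name=value form Postfix sends to a policy service.
request() {
    printf '%s\n' 'request=smtpd_access_policy' 'client_address=192.0.2.10' \
        'sender=alice@example.org' 'recipient=mailuser@example.de' ''
}

db=$(mktemp)
request | greylist_decide "$db" 1000 300    # first attempt: deferred
request | greylist_decide "$db" 1060 300    # retry after 60 s: still deferred
request | greylist_decide "$db" 1400 300    # retry after 400 s: passed on
```

A real policy service terminates each reply with an empty line and keeps the connection open for further requests.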

 

Zarafa Bayesian Learning

To learn spam mails directly from Zarafa you can use this quick tutorial:
Zarafa Bayesian Learning (to install the Perl IMAP plugin on Debian / Ubuntu you need this command: „apt-get install libmail-imapclient-perl“)

 

Adding a Zarafa license

To add a Zarafa license, edit this file:

nano /etc/zarafa/license/base

Enter the license as plain text into this file. Now restart the Zarafa services.

service zarafa-dagent restart
service zarafa-gateway restart
service zarafa-ical restart
service zarafa-licensed restart
service zarafa-monitor restart
service zarafa-search restart
service zarafa-server restart
service zarafa-spooler restart

 

Zarafa-Mailserver administration

For documentation of the Zarafa administration options, see this:
http://doc.zarafa.com/7.1/Administrator_Manual/en-US/html/_UserManagement.html (DB plugin)

 

Changing the MySQL Password

If you change the MySQL password, change it here as well and restart Zarafa:

nano /etc/zarafa/server.cfg

 

Further information on how a mail server works

MTA: http://en.wikipedia.org/wiki/Message_transfer_agent
MDA: http://en.wikipedia.org/wiki/Mail_delivery_agent
Zarafa: http://www.zarafa.com/wiki/index.php/Main_Page
Anti-Spam (spamassassin): http://en.wikipedia.org/wiki/SpamAssassin
Anti-Virus (Amavis): http://en.wikipedia.org/wiki/Amavis

 

Finally

I hope this small tutorial could help someone. 🙂

 


One thought on “An own, completely secured, mail server with Zarafa”

  1. Thank you for this, I used it to install zarafa 7.2 almost without a hitch. There were a couple of changes – 7.2 no longer uses an install script, and the one that had me confused for a few hours was in /etc/postfix/main.cf: zarafa-dagent has moved to sbin, so that line should read 'mailbox_command = /usr/sbin/zarafa-dagent "$USER"'
