Installing Exim and Courier Installing and configuring Exim and Courier are very straightforward thanks to the quality of the packages that come with Debian. Chances are, if you have a new Debian system, it already has a version of Exim installed. However, you’ll want to use a specific version of Exim that contains features for content scanning. Here are the installation steps: 1. Start by installing this particular Exim package: # apt-get install exim4-daemon-heavy 2. You need to change a few of the configuration options from the defaults. Run the follow- ing command: # dpkg-reconfigure priority=medium exim4-config You are asked a number of questions. Here's how to answer them:  Split configuration into small files: Yes.  General type: Select “Mail sent by smarthost; received via SMTP or fetchmail” if you need to send all of your outgoing mail through a server at your Internet service provider. Otherwise, select “Internet site; mail is sent and received directly using SMTP.”  Mail name: Enter the name of your mail server here.  IP addresses: Clear this box (or leave it empty if it is already so) so that Exim will lis- ten on all local IP addresses.  Destinations to accept mail for: Enter any domains that your server will be accept- ing mail for. Be sure to separate them with colons, and not commas or spaces.  Domains to relay for: Enter the names of any domains that your machine will relay mail for, meaning that it can receive mail from them but then passes it on. In most cases, you will not want to enter anything here.  Machines to relay for: Enter the IP address ranges of any client machines that you want your server to accept mail from. Another (safer) option is to leave this empty and require clients to authenticate using SMTP authentication. SMTP authentication is best performed over an encrypted connection, so this process is described in the security section at the end of this chapter.  Keep DNS queries to a minimum: No. 3. This configuration uses Maildrop for local mail delivery. Maildrop can deliver messages to the Maildir-style folders that Courier is expecting, and can also handle basic sorting and filtering (as described in the “Configuring Mail Clients” section). This package is not installed by default, so install it as follows: # apt-get install maildrop 676 Running Servers Part V 30190c25.v6.5.qxd 12/18/07 9:47 AM Page 676 4. Create Maildir mail directories for every user already on the system. This step must be performed for every user that is already on the system, and must be run as the user because running this command as root will result in Maildrop being unable to write to the folders: $ maildirmake.maildrop $HOME/Maildir $ maildirmake.maildrop -f Trash $HOME/Maildir 5. Create mail directories under /etc/skel. The contents of /etc/skel will be copied to the home directories of any new accounts that you create after the setup is completed: # maildirmake.maildrop /etc/skel/Maildir # maildirmake.maildrop -f Trash /etc/skel/Maildir 6. Configure Maildrop to deliver to the Maildir folders instead of mbox files stored in /var/spool/mail. Use your favorite text editor to edit /etc/maildroprc and add this line at the end of the file: DEFAULT="$HOME/Maildir/" 7. Exim needs to be configured to deliver messages using Maildrop. Use your preferred text editor to open /etc/exim4/update-exim4.conf.conf and add the following line at the end of the file: dc_localdelivery='maildrop_pipe' 8. Tell Exim to load the most recent configuration change: # invoke-rc.d exim4 reload 9. Install Courier IMAP and Courier POP: # apt-get install courier-imap courier-pop Select “no” when asked whether or not the installer should create directories for Web- based administration. Your system should now be capable of receiving messages. You should also be able to connect to your server using a mail client such as Thunderbird or Evolution. This is a good time to test mail delivery, even if you’re planning to follow the directions in the next section to enable virus and spam filters later. More information about configuring a mail client to connect to your server can be found in the section “Configuring Mail Clients” later in this chapter. 677 Running a Mail Server 25 30190c25.v6.5.qxd 12/18/07 9:47 AM Page 677 Installing ClamAV and SpamAssassin Installing and configuring the virus and spam filtering mechanisms is more involved than installing Exim and Courier, but should still go smoothly as long as you follow the steps carefully. Keep in mind, however, that this will add a lot of complexity to the system, so it is a good idea to make sure the Exim mail server is working first so that you don’t have as many things to check if the system doesn’t work as expected. The version of ClamAV included with Debian starting with version 3.1 (aka “Sarge”) uses an older virus-scanning engine. Because the updated engine is not likely to make it into an update any time soon because of the Debian upgrade policies, a group of Debian developers has created special sets of the ClamAV packages that are designed for easy installation on Sarge. For more information about how to use these packages instead of the stock versions, see http://volatile .debian.net/. You may choose to do this from the start, or to add the appropriate URIs to your APT configuration later and do an upgrade. In either case, the configuration process detailed in this section will be about the same. You can also upgrade the database routinely using clamav-freshclam, clamav-getfiles to generate new clamav-data packages. Here’s how to install ClamAV and SpamAssassin, and then configure Exim to use them for scan- ning messages: 1. Install the ClamAV and SpamAssassin packages: # apt-get install clamav-daemon clamav-testfiles \ spamassassin spamc You’ll be asked a number of questions about how ClamAV should be configured. Here’s how to answer them:  Virus update method — This is the method that freshclam (part of ClamAV) will use to download updated virus databases. The recommended option is to run freshclam as a daemon.  Local database mirror site —This is the site that freshclam will retrieve the virus information updates from. The second part of the site is the two-letter country code. Select your country code or that of a nearby country if yours isn’t available.  HTTP proxy information — Do not enter anything here unless you are required to use a proxy server to access Web servers. If your connection is suitable for running a mail server, then you probably don’t need to use a proxy server.  Notify clamd after updates — Select “yes” here. 2. Add the clamav user to the Debian-exim group and restart the ClamAV daemon. This allows the ClamAV daemon access to read the files in Exim’s mail queue: # gpasswd -a clamav Debian-exim # invoke-rc.d clamav-daemon restart NOTE NOTE 678 Running Servers Part V 30190c25.v6.5.qxd 12/18/07 9:47 AM Page 678 3. Replace the report template used by SpamAssassin with one that will fit more easily in a message header. Use a text editor to add these lines to the end of /etc/spamassassin/ local.cf : clear_report_template report _YESNO_, score=_SCORE_, required=_REQD_, summary= report _SUMMARY_ 4. Configure the SpamAssassin background daemon to run automatically and to not attempt to create preference files for users. Change the following options in /etc/default/ spamassassin : ENABLED=1 OPTIONS=" max-children 5" 5. Start the SpamAssassin daemon: # invoke-rc.d spamassassin start 6. Create the entries that will be included in Exim’s ACL (Access Control List) for scan- ning message data. Use a text editor to create a file named /etc/exim4/acl_check_ data_local that contains the following: deny message = $malware_name detected in message demime = * malware = * warn message = X-Spam-Score: $spam_score ($spam_bar) condition = ${if <{$message_size}{80k}{1}{0}} spam = nobody:true/defer_ok warn message = X-Spam-Status: $spam_report condition = ${if <{$message_size}{80k}{1}{0}} spam = nobody:true/defer_ok deny message = Spam score too high ($spam_score) condition = ${if <{$message_size}{80k}{1}{0}} spam = nobody:true/defer_ok condition = ${if >{$spam_score_int}{120}{1}{0}} The first block rejects messages that contain viruses or other malware, and the second and third add headers to messages indicating whether or not SpamAssassin considers them spam. The final block checks $spam_score_int (the spam score multiplied by 10) and rejects the message if it is greater than 120. The /defer_ok in the last three blocks tells Exim that it is okay to continue processing in the event that the SpamAssassin daemon could not be contacted. You can remove it if you would prefer to have the server return a temporary failure code in such cases. You can also add /defer_ok to the end of the malware = * line if you want processing to continue in the event that a message cannot be scanned by ClamAV. 679 Running a Mail Server 25 30190c25.v6.5.qxd 12/18/07 9:47 AM Page 679 7. Tell Exim which virus scanner to use and how to connect to SpamAssassin. Use a text editor to create a file named /etc/exim4/conf.d/main/10_exim4- exiscan_acl_options that contains the following: av_scanner = clamd:/var/run/clamav/clamd.ctl spamd_address = 127.0.0.1 783 CHECK_DATA_LOCAL_ACL_FILE = CONFDIR/acl_check_data_local 8. Tell Exim to load the new configuration: # invoke-rc.d exim4 reload All messages transmitted through your server should now be checked for viruses using ClamAV. Additionally, messages less than 80 kilobytes will also be checked using SpamAssassin. This is a good time to test the configuration again. Fixes for the problems that you are most likely to encounter can be found in the next section. Testing and Troubleshooting This section contains some generic troubleshooting tips, plus specific information about some common errors and how to fix them. Checking Logs All logging information for Exim is written to three log files that can be found in /var/log/exim4. The first of these, mainlog, contains log entries for all events, including normal events such as message deliveries. The second, rejectlog, contains entries for rejected messages. The third, paniclog, contains information about configuration or other errors, and is usually empty unless a serious problem has occurred. Every entry in these files generally starts with a timestamp. Entries in the mainlog will often include a string of 15 characters, such as 1E9PTu-0003jN-QY. This is the message identifier for the message that the log entry is related to. Immediately after the message identifier there will generally be a two-character string. Table 25-1 details what those strings mean. Entries associated with a message that has not been accepted into the queue will not have the mes- sage identifier or two-character flags. Some samples of these types of entries are included in the next section. Logging information for the Courier IMAP and POP daemons is saved to /var/log/mail.log. Normal entries include LOGIN and LOGOUT messages. DISCONNECTED messages generally indicate that a connection was broken before a normal logout was performed. 680 Running Servers Part V 30190c25.v6.5.qxd 12/18/07 9:47 AM Page 680 TABLE 25-1 Exim Log File Messages Symbol Description Explanation <= Message arrival These entries show messages coming into Exim, generally through SMTP or local IPC. => Message delivery These entries show message deliveries, whether they are to a local mailbox or to a remote host using SMTP or some other transport. -> These entries show delivery to additional addresses for messages that have already been delivered to another recipient (and logged with an => entry). ** Delivery failure These entries show permanent delivery errors. Errors such as these indicate that the message has been removed from the mail queue and in most cases a DSN (Delivery Status Notification) has been generated and sent to the original message sender. == Delivery deferral These entries show temporary delivery problems. The system will continue to retry sending these until delivery succeeds, or a permanent failure occurs as a result of a retry timeout. The tail utility is useful for watching for new entries to a log. Use the -f switch to instruct tail to watch for new entries and display them to the screen as they are written to the log. For example: tail -f /var/log/exim4/mainlog. Common Errors (and How to Fix Them) There are two common types of problems that you will encounter with your server: messages being rejected or not delivered by Exim and login failures when connecting to Courier. Messages Rejected by Exim The first places to check when messages are rejected by Exim are the mainlog and rejectlog files. Here are examples of some common errors and tips for fixing them:  Relaying Denied — The following error indicates that the client sending the message is not recognized as a client by Exim and that the recipient domain is not in the list of local or relay domains: H=sample.client [10.0.12.16] F=<sender@example.org> rejected RCPT <rcpt@remotesite.example.org>: relay not permitted NOTE NOTE Additional addresses in message delivery 681 Running a Mail Server 25 30190c25.v6.5.qxd 12/18/07 9:47 AM Page 681 If the client IP address will not change frequently or is in part of a trusted range of IP addresses, you can add them by running the following: # dpkg-reconfigure priority=medium exim4-config The same command can also be used to add the recipient domain as a local or relay domain. Do not add client IP ranges unless you trust all of the users that can connect from those addresses. Likewise, do not add a domain as a relay domain unless you know the owner of the domain and have made arrangements to relay mail for them. Doing either of these incorrectly could open your server up as a relay that can be used by spammers to attack other sites. If the client IP address is likely to change frequently and is not part of a trusted range, you should either configure the client to use a mail server that is local to it or configure SMTP authentication in Exim. More information about enabling SMTP authentication can be found on your server in /usr/share/doc/exim4-base/README.SMTP-AUTH and /etc/exim4/conf.d/auth/30_exim4-config_examples. The Courier authdaemon examples in 30_exim4-config_examples can be enabled, allowing Exim to use that facility for authentication and negating the need to set up a different mechanism. In order for it to work, however, you will need to add the Debian-exim user to the daemon group (gpasswd -a Debian-exim daemon) and restart Exim.  ClamAV Misconfiguration — The following error indicates that the ClamAV daemon could not read the temporary message file: 1E9PDq-0003Lo-BY malware acl condition: clamd: ClamAV returned /var/spool/exim4/scan/1E9PDq-0003Lo-BY: Access denied. ERROR Make sure you added clamav to the Debian-exim group and restarted ClamAV, as shown in the installation section.  ClamAV Unavailable — This error usually indicates that the ClamAV daemon is not running: 1E9PGL-0003MX-38 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd.ctl (No such file or directory) Start it using invoke-rc.d clamav-daemon start. You can also use the clamdscan program to test the daemon, as follows: NOTE NOTE CAUTION CAUTION 682 Running Servers Part V 30190c25.v6.5.qxd 12/18/07 9:47 AM Page 682 # clamdscan /usr/share/clamav-testfiles/clam.exe /usr/share/clamav-testfiles/clam.exe: ClamAV-Test-File FOUND SCAN SUMMARY Infected files: 1 Time: 0.001 sec (0 m 0 s) Messages Not Delivered by Exim In some cases, messages will be accepted by the server but will not be deliverable. Some of these errors are considered temporary failures and will not generate a bounced message until the retry timer runs out. The error that you are most likely to see will look something like this in the mainlog file: 1E9PTu-0003jN-QY == user@example.org R=local_user T=maildrop_pipe defer (0): Child process of maildrop_pipe transport returned 75 (could mean temporary error) from command: /usr/bin/maildrop This error indicates that Exim attempted to pass the message to Maildrop, but Maildrop returned an error code. The most likely cause is a missing Maildir directory, or a Maildir directory that is owned by the wrong user. The next section shows how to detect and fix these problems. Login Failures When Connecting to Courier Aside from genuine password errors (which can be remedied by entering the correct password in the mail client), there are also a few other conditions that can result in login failures. Some of these conditions will also result in temporary delivery problems. A normal login failure will result in a log entry that looks similar to this: courierpop3login: LOGIN FAILED, ip=[::ffff:1.2.3.4] In this case, a user from IP 1.2.3.4 entered the wrong username or password. Several of the other errors that may occur will not be logged to the mail log, which means that you may have to test them by connecting manually to the POP3 service (from the mail server, or from a remote machine) and sending a valid username and password. This example shows how to con- nect to the POP3 service from a shell prompt on the mail server: $ telnet localhost 110 Trying 127.0.0.1 Connected to localhost.localdomain. Escape character is '^]'. +OK Hello there. USER username +OK Password required. PASS password The response you receive from the server should be similar to one of the following:  +OK logged in — This is a normal response and should mean that there are no problems with the service. 683 Running a Mail Server 25 30190c25.v6.5.qxd 12/18/07 9:47 AM Page 683  -ERR Maildir: No such file or directory — This error indicates that the user’s account does not have a Maildir directory. Use the maildirmake command to create it, as shown in the section “Installing Exim and Courier.”  -ERR Maildir: Permission denied — This error indicates that the user’s Maildir directory cannot be read or belongs to the wrong user. To remedy this, run this command as root: # chown -R username:groupname ~username/Maildir Be sure to replace username and groupname with the login name and primary group of the user. In a stock Debian system, the primary group name will be the same as the username.  -ERR Login failed — If you’re certain that you are using the correct username and pass- word, it could be that the Courier authdaemon service is not running. Try to start (or restart) it using this command: # invoke-rc.d courier-authdaemon restart Configuring Mail Clients Any mail client with support for POP3 or IMAP should be able to access mail from your server. Just use the name of your server in the mail server settings, and follow the troubleshooting steps in the previous section if something doesn’t work. You can find more information about mail clients for Linux in Chapter 22. Configuring Fetchmail Fetchmail is an MRA (mail retrieval agent) that you can use to pull mail from a remote account to your new server. It is configured in the $HOME/.fetchmailrc file and is very easy to set up. To pull mail to your server, log in as the user that the mail should go to, and then configure and run it from there. Run Fetchmail as the user for whom the mail is being retrieved. You should never run it as root. If you’re doing a complex setup in which you retrieve mail from a single mail- box that needs to be sorted for multiple users, see the fetchmail man page for information about multidrop mailboxes. A .fetchmailrc file can be as simple as this: poll mailserver.yourisp.example protocol pop3 username "foo" If you have more than one mail server, you can add it as an additional line. If the server from which you are pulling mail supports IMAP, you can use imap instead of pop3. Other options that you can have are password=your password and ssl. Storing the password in the file enables you to NOTE NOTE CROSS-REF CROSS-REF 684 Running Servers Part V 30190c25.v6.5.qxd 12/18/07 9:47 AM Page 684 run Fetchmail without entering a password, and the ssl option tells Fetchmail to use an SSL/TLS connection to the server. Your .fetchmailrc file should not be readable by others, and Fetchmail will generally complain if it is. To set the permissions so that only you can read it, run chmod 0600 $HOME/.fetchmailrc/. Running Fetchmail is as simple as typing $ fetchmail If you want to have Fetchmail run in the background, you can use the daemon (or -d) flag with a parameter telling it how often (in seconds) to poll the servers: $ fetchmail daemon 300 To have Fetchmail automatically start when the system boots, add this to your crontab file: @reboot /usr/bin/fetchmail daemon 300 Fetchmail cannot prompt for passwords when run in this manner, which means that you must store the passwords in .fetchmailrc for this to work. If you haven’t configured a crontab file before, setting it up can be as easy as entering the follow- ing three commands: $ cat > mycron @reboot /usr/bin/fetchmail daemon 300 <Ctrl+D> $ crontab mycron Configuring Web-Based Mail If you’re running an IMAP server, you can offer Web-based access by installing SquirrelMail ( http://squirrelmail.org/, also found in the squirrelmail package). Start by configuring your system as a LAMP server (see Chapter 24), and then install and configure the appropriate package. Securing Communications with SSL/TLS Because communication between mail clients and the server often contains sensitive information such as passwords, it is usually desirable to enable SSL/TLS encryption. Here’s how to enable SSL/TLS in Exim and Courier: 1. Install the Courier daemons with SSL/TLS support: # apt-get install courier-imap-ssl courier-pop-ssl NOTE NOTE NOTE NOTE 685 Running a Mail Server 25 30190c25.v6.5.qxd 12/18/07 9:47 AM Page 685 [...]... the CUPS Server For Linux systems that use SystemV-style startup scripts (such as Fedora, RHEL, and SUSE), starting and shutting down the CUPS print service is pretty easy Use the chkconfig command to turn on CUPS so it starts at each reboot Run the cups startup script to have the CUPS service start immediately Type the following as root user: # chkconfig cupsd on # /etc/init.d/cups start If the CUPS... dealing with very large documents UNIX print commands — To integrate into Linux and other UNIX environments, CUPS offers versions of standard commands for printing and managing printers that have been traditionally offered with UNIX systems Many Linux distributions come with simplified methods of configuring CUPS printers Here are a few examples: In Fedora and other Red Hat Linux systems, the Printer... many Linux systems simply rely on the tools that come with the CUPS software package This section explores how to use CUPS Web-based administration tools that come with every Linux distribution and then examines the printer configuration tool system-config-printer, which comes with Fedora and Red Hat Enterprise Linux systems to enable you to set up printers Using Web-Based CUPS Administration CUPS offers... 26 30 190 c26.qxd:Layout 1 Part V 12/18/07 1:01 AM Page 704 Running Servers In Gentoo Linux, you use the add option of the rc-update command to have the CUPS service start at each reboot and run the cupsd runlevel script to start it immediately For example, type the following as root user: # rc-update add cupsd default # /etc/init.d/cupsd start Most Linux systems have similar ways of starting the CUPS... the queue), and lpc (for controlling printers) Printing with lpr You can use the lpr command to print documents to both local and remote printers Document files can be either added to the end of the lpr command line or directed to the lpr command using a pipe (|) Here’s an example of a simple lpr command: $ lpr doc1 .ps When you specify just a document file with lpr, output is directed to the default... 30 190 c26.qxd:Layout 1 Part V 12/18/07 1:01 AM Page 690 Running Servers Common UNIX Printing Service CUPS has become the standard for printing from Linux and other UNIX-like operating systems It was designed to meet today’s needs for standardized printer definitions and sharing on IP-based networks (as most computer networks are today) Nearly every Linux distribution today comes with CUPS as its printing service Here... application/octet-stream application/vnd.cups-raw 0 After that, you can print files as raw data to your printers without using the -oraw option to print commands Using Printing Commands To remain backward-compatible with older UNIX and Linux printing facilities, CUPS supports many of the old commands for working with printing Most command-line printing with CUPS can be performed with the lpr command Word-processing applications... by default If CUPS was not added when you first installed your Linux distribution, check your original installation medium (DVD or CD) to see if it is there for you to install now Fedora, Slackware, Ubuntu, SUSE, and many other Linux distributions have CUPS on the first CD or DVD of their installation sets Setting Up Printers While it is usually best to use the printer administration tools specifically... administrative tool for adding, deleting, and modifying printer configurations on your computer The CUPS print service (using the cupsd daemon) listens on port 631 to provide access to the CUPS Web-based administrative interface If CUPS is already running on your computer, you can immediately use CUPS Web-based administration from your Web browser To see if CUPS is running and start setting up your printers,... Configuration window adds access information to the cupsd.conf file For other Linux systems, you may need to configure the cupsd.conf file manually You can step through the cupsd.conf file to further tune your CUPS server Let’s take a look at some of the settings in the cupsd.conf file No classification is set by default With the classification set to topsecret, you can have Top Secret displayed on all pages . is dealing with very large documents.  UNIX print commands — To integrate into Linux and other UNIX environments, CUPS offers versions of standard commands for printing and managing printers that. by ClamAV. 6 79 Running a Mail Server 25 30 190 c25.v6.5.qxd 12/18/07 9: 47 AM Page 6 79 7. Tell Exim which virus scanner to use and how to connect to SpamAssassin. Use a text editor to create a file. printing port. To use CUPS, you need to have it installed. Most Linux distributions let you choose to add CUPS during the initial system install or will simply add CUPS by default. If CUPS was not