OpenBSD Email support
Posted on July 29th, 2004 in Unfiled by stickyc
So begins a long series of posts/logs of my attempts to get a complete email solution up and running on an OpenBSD box.
Alas, I should have started blogging this from the beginning, but I didn’t really think of it until now. I’ll try and fill in the gaps and clean this all up as I go. The intent is to document my hurdles and gotchas and provide some “this is what works/doesn’t work” guidance for others who are attempting the same thing.
The goal - A one-stop e-mail solution that:
- Funnels in all of the emails from my various accounts (Yahoo!, a few scattered POP accounts, HotMail, .Mac, etc.)
- Stores them on a central server, rather than a mailbox on one of my clients.
- Supports IMAP, and secure communications (so I can read mail from anywhere without fear of someone sniffing my packets).
- Gives me constant feedback on what’s going on with the server.
- Has some sort of backup/mirror/raid solution so if the server does crash, I’m not FUBAR.
The plan looks like this: Fetchmail accesses my accounts on other servers and forwards emails from them to Postfix. Postfix also handles email coming directly to my home server. Postfix then hands off the emails to Amavis. Amavis washes the mails through SpamAssassin (checks for Spam using a variety of statistical comparisons), DCC, and Razor (which both check the emails against known spam emails), and then ClamAV (an Open Source virus scanner). Depending on the results of the scanners, Amavis passes the emails through, tags them as spam, or cleans/trashes the infected ones. Passed/tagged emails are then filed by Procmail into their correct IMAP Mailbox folders (Inbox, Junk, etc.). Using an IMAP mail client, I connect to the mailserver using SSL (encryption) and Dovecot handles the IMAP interface between the client and my Mailbox folders. Alternatively, I can make a secure connection via a web browser to the webmail application (IMP or Squirrelmail) which can access my Mailbox folders through Dovecot. A clone of the entire server is backed up on a regular basis to an external machine/drive so even if the power supply detonates and takes out the whole system, the other drive won’t get eaten.
At this point, I’ve got the email side of things more or less working. I followed the excellent tutorial by Scott Vintinner, “Fairly-Secure Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC”, and the follow-up tutorial, “Adding ClamAV Anti-Virus to an Anti-SPAM Gateway”. Spam is filtered, I can read email with an IMAP client (using Thunderbird for now), reports are generated. No viruses have been trapped as of yet. I also set up some basic Procmail rules to automagically file some of my mailing list emails.
Using the docs here: Generating a Whitelist from Maildir for A-S-K, I pumped all of my good email boxes through Andy Blyler’s Perl script to create a whitelist (you’d be surprised how often my friends send me mis-categorized emails about mortgages and viagra).
I can’t find the URL for it, but I found a good page that documents how to install Dovecot, a fast, secure, open source IMAP server on OpenBSD, so I did that.
More or less following the instructions here: Automatic Backups with rsync and Anacron, I set up another OpenBSD box with a spare HD that the email box rsyncs to. At this point, I’m firing off the rsync manually as I’m trying to minimize the number of computers left on 24/7 in this place.
So, I have an IMAP server that’s only accessible via SSL. I’ve run it past the ORBS Open Relay tests with no insecurities found, and I have fetchmail grabbing mails from my other POP/IMAP accounts and dumping them onto the home server. There are plugins out there for HotMail; I’ll research them later.
Bugs: Several recipient-based rules in Amavis are failing. I’m thinking this has something to do with Fetchmail’s grab-and-SMTP-Forward system. I have a feeling it’s Postfix’s issue, not Fetchmail’s. If so, the only solution is to tweak the rulesets in Amavis. An example of one of the rules that fails is the one attached to local_domains_acl, which specifies which hosts Amavis should scan incoming mail for. Typically, this would just be $mydomain, but after Fetchmail passes the emails to Postfix, they’re all for “recipient@localhost” instead of the real $mydomain.
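The failing local-domains check described above, reduced to its mechanism in an added Python example (not the author's configuration and not amavisd-new's own code). It is a simplified first-match domain list in which a leading dot matches a domain and its subdomains and a leading "!" negates; example.org and every address below are constructed sample values.

```python
# Added illustration: a simplified first-match "local domains" list.
# example.org and all addresses are constructed; this is a model of the
# lookup, not the filter's real implementation.

def domain_of(address):
    """Return the lower-cased domain of an envelope address ('' if none)."""
    addr = address.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def is_local(address, acl):
    """First matching entry decides; no match means 'not local'."""
    domain = domain_of(address)
    for entry in acl:
        negate = entry.startswith("!")
        pattern = (entry[1:] if negate else entry).lower()
        if pattern.startswith("."):
            # ".example.org" matches example.org and any subdomain,
            # but not a look-alike such as badexample.org.
            hit = domain == pattern[1:] or domain.endswith(pattern)
        else:
            hit = domain == pattern
        if hit:
            return not negate
    return False

def classify(recipients, acl):
    """Map each envelope recipient to whether recipient rules would apply."""
    return {rcpt: is_local(rcpt, acl) for rcpt in recipients}

# Constructed envelope recipients: one delivered directly to the server,
# one re-injected over local SMTP after being fetched from a remote account.
SAMPLE_RECIPIENTS = ["alice@example.org", "alice@localhost"]

ORIGINAL_ACL = [".example.org"]              # only the real domain
TWEAKED_ACL = [".example.org", "localhost"]  # list adjusted for re-injected mail

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("tweaked", TWEAKED_ACL)):
        for rcpt, local in classify(SAMPLE_RECIPIENTS, acl).items():
            print(f"{name:8} {rcpt:20} local={local}")
```

With the original list the re-injected recipient is treated as non-local, so any rule keyed on a local recipient is skipped for fetched mail while directly delivered mail is handled normally.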
Dovecot has some bug in it that’s chewing up the mailbox index headers. Despite how bad it sounds, it doesn’t appear to be fatal. It just gives the mail clients fits sometimes. It’s apparently a known issue and is already fixed in the latest snapshot. There are other bugs in the current snapshot, so I think I’ll wait for stable to upgrade.
My SSL certificate is expired/unofficial. I need to read up on how to get a “real” or at least unexpiring certificate.
Rsync won’t copy a few files. Even with --archive. There’s probably some kind of exception files that rsync can never touch. As long as the major configuration files are backed up, it’s a back-burner issue for me.
To do:
- Get firewire working in the OpenBSD kernel so I can plug in an external drive for backups, rather than using a whole other box.
- Install a webmail solution - this is a big effort as most require MySQL, PHP, and a half-dozen other bits and pieces and OpenBSD is pretty bare-bones out of the box. The two big candidates are Squirrelmail and IMP/HORDE. IMP looks awesome but looks to be a pretty involved install. The Squirrelmail site is down, so I’ve no idea what that’s like.
- Install some Dynamic DNS agent to update DynDNS.org when my IP changes. You’d think Linksys would have this feature working in their firewalls or remove it altogether, but it’s still there and it’s still broken.