Gerardo Zamudio

Slackware 15 -current Mail Server with MariaDB, Postfix, and Dovecot

2021-01-01T00:00:00-06:00

Introduction

Happy new year! The start of a new year is a perfect time for a fresh mail server, don’t you agree? :)

Slackware 15 has not been released yet but there is demand for an updated guide given Slackware has had many changes since its last stable release.

For the purposes of this guide, the most notable changes are Postfix and Dovecot now being the default MTA and IMAP/POP3 servers, respectively. This doesn’t affect this guide too much. In fact, most of the configuration remains the same as in my previous post for Slackware 14.2.

This post contains some suggestions for a mildly secure mail server running on a Slackware Linux host. The guide assumes a default, fresh installation of Slackware64 15 (post 14.2 -current) that includes at least the A/, AP/, D/, L/, and N/ package series. By the end of the tutorial, you will have:

Postfix for encrypted connections over SMTP
Dovecot for local mail directories and encrypted connections over POP and IMAP
MariaDB to store mailbox information
Postgrey which will require unknown senders to resend their mail, eliminating most spam
SpamAssassin for e-mail spam filtering based on content-matching rules
ClamAV to detect trojans, viruses, malware and other malicious threats in your email
amavisd-new to manage ClamAV and SpamAssasin
OpenDKIM a DomainKeys Identified Mail (DKIM) milter to sign and/or verify mail
nginx as a webserver
Postfix Admin to manage mailboxes and domains using a TLS secured web user interface
Roundcube with some plugins as a TLS secured webmail client
Pigeonhole to add support for email filter rules (forwarding, placing in folders, etc)

Preparation

Hostname

Set up an FQDN as your hostname. We’ll use mail.example.org.

echo "mail.example.org" > /etc/HOSTNAME
hostname -F /etc/HOSTNAME

PHP + nginx

PHP GD

In order to use GD with PHP we’ll need the following packages. You won’t have these if you only installed the recommended package series from above.

# slackpkg install libX11 libXpm libxcb libXau libXdmcp fontconfig libXext libXt libSM libICE

Install nginx

My last guide used nginx 1.14.2, but it’s now at version 1.18.0! I won’t go through all the changes here but I recommend you take a look at the CHANGELOG.

Create your user and use that to run the SlackBuild. If the version of nginx is newer than the one defined in the SlackBuild, simply update the version number in the nginx.SlackBuild file before running it.

useradd -r -M -U -c "User for nginx" -d /srv/httpd -s /bin/false nginx
NGINXUSER=nginx NGINXGROUP=nginx ./nginx.SlackBuild

Remember that if you want to enable syntax highlighlting for the nginx.conf file in vim, you can copy the contents of the contrib/vim directory from the extracted nginx source to ~/.vim.

tar -xvzf nginx-1.18.0.tar.gz 
mv nginx-1.18.0/contrib/vim ~/.vim

SSL Certificates

I’m using ECDSA certificates and the secp384r1 curve here. Remember to change the configuration below if you use something else.

Configure nginx

At minimum, your nginx.conf file will need an events section which can be left blank to activate the defaults or modified depending on the load you’re expecting on the server. Set worker_processes equal to the number of real CPU cores on the machine.

user nginx;
worker_processes 4;
pid /var/run/nginx.pid;

events {

  worker_connections 1024;
}

http {

  map $sent_http_content_type $expires {
    default off;
    application/x-javascript 1d;
    text/css 1d;
    ~image/ 1d;
  }

  expires $expires;
  client_max_body_size 12m;
  default_type application/octet-stream;
  gzip on;
  gzip_vary on;
  gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_min_length 10240;

  gzip_proxied expired no-cache no-store private auth;
  gzip_types text/plain text/css text/xml text/javascript text/json application/json application/x-javascript application/xml application/xml+rss;

  gzip_disable "MSIE [1-6]\.";
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;
  include /etc/nginx/mime.types;
  upstream php_workers {
    server unix:/var/run/php-fpm.sock;
  }
  sendfile on;
  # Hide Nginx version number
  server_tokens off;
  types_hash_max_size 2048;

  include /etc/nginx/conf.d/*.conf;
}

Create your /etc/nginx/conf.d/mailserver.conf

# HTTP
server {

  # Listen on ipv4
  listen 80;

  server_name _;
  return 301 https://$host$request_uri;
}

# HTTPS
server {
    listen 443 ssl http2;
    server_name _;
    root /var/www/html;
    index index.php index.html;
    location ~ ^/.well-known/ {
        allow all;
        access_log off;
        log_not_found off;
        autoindex off;
        #root /var/www/html;
    }

   location ~ /\. { deny all; }
   location = /favicon.ico { access_log off; log_not_found off; }
   location = /robots.txt { access_log off; log_not_found off; }
   
   ssl_protocols TLSv1.3 TLSv1.2;
   ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
   ssl_prefer_server_ciphers on;
   ssl_ecdh_curve secp384r1; 
   ssl_certificate /home/acme/.acme.sh/mail.example.org_ecc/fullchain.cer;
   ssl_certificate_key /home/acme/.acme.sh/mail.example.org_ecc/mail.example.org.key;
   
   # Roundcube
   location ~ ^/mail/(bin|config|installer|logs|SQL|temp|vendor)($|/.*) { deny all; }
   
   location ~ ^/mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }
   
   location ~ ^/mail/plugins/.*/config.inc.php.* { deny all; }
   
   location ~ ^/mail/plugins/enigma/home($|/.*) { deny all; }
   
   # Redirect URI `/mail` to `/mail/`.
   location = /mail {
        return 301 /mail/;
   }
   
   location ~ ^/mail/(.*\.php)$ {
        add_header Strict-Transport-Security "max-age=31536000";
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass php_workers;
        fastcgi_param HTTP_PROXY '';
        fastcgi_param SCRIPT_FILENAME /var/www/roundcubemail/$1;
   }
   
   location ~ ^/mail/(.*) {
        alias /var/www/roundcubemail/$1;
        index index.php;
   }
   
   # Postfixadmin
   location = /postfixadmin {
        return 301 /postfixadmin/;
   }
   
   location ~ ^/postfixadmin/(.*\.php)$ {
        add_header Strict-Transport-Security "max-age=31536000";
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass php_workers;
        fastcgi_param HTTP_PROXY '';
        fastcgi_param SCRIPT_FILENAME /var/www/postfixadmin/public/$1;
   }
   
   location ~ ^/postfixadmin/(.*) {
        alias /var/www/postfixadmin/public/$1;
        index index.php;
   }
   
   # Everything else
   location ~ \.php$ {
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass php_workers;
        fastcgi_param HTTP_PROXY '';
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   }
}

Change the permissions of /var/lib/php since we’re using nginx instead of httpd to run PHP:

chown root:nginx /var/lib/php/

PHP-FPM with FastCGI in nginx

We will start by creating a custom /etc/php-fpm.d/mailserver.conf with the following content:

[mailserver]
user = nginx
group = nginx
listen = /var/run/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.max_requests = 5
request_terminate_timeout = 10s
request_slowlog_timeout = 10s
access.log = /var/log/php-fpm_access.log
slowlog = /var/log/php-fpm_slow.log
security.limit_extensions = .php .php3 .php4 .php5 .html .htm

Make sure the startup script is executable then start php-fpm at least once to make sure everything is fine:

chmod +x /etc/rc.d/rc.php-fpm
/etc/rc.d/rc.php-fpm start
/etc/rc.d/rc.php-fpm stop

Install php-imagick as well since Roundcube will need it later.

Dovecot

Slackware has chosen Dovecot as the new IMAP/POP3 server as of November 2017. Instead of creating a Unix account for each mailbox, we use Postfix Admin to store user information. In the filesystem, the email will be stored in /var/vmail organized by domain and user, so the email for admin@example.org would be stored in /var/vmail/example.org/admin. Since Dovecot is now part of Slackware, the dovenull and dovecot users already exist so there is no need to create them. You will only need to create the vmail user

useradd -r -d /var/vmail -s /bin/false -u 150 -g 12 vmail
mkdir /var/vmail
chmod 770 /var/vmail
chown vmail:mail /var/vmail

Fill in the database information in /etc/dovecot/dovecot-sql.conf.ext

driver = mysql
connect = host=/var/run/mysql/mysql.sock dbname=mail user=mail password=password-here
default_pass_scheme = SHA512-CRYPT

These are the same credentials Postfix Admin will use, so keep that in mind. We’re not creating the database or user yet. That will come later. Now let’s add the password_query and user_query to /etc/dovecot/dovecot-sql.conf.ext:

password_query = \
  SELECT username as user, password, '/var/vmail/%d/%n' as \
  userdb_home, 'maildir:/var/vmail/%d/%n' as userdb_mail, \
  150 as userdb_uid, 12 as userdb_gid \
  FROM mailbox WHERE username = '%u' AND active = '1'

user_query = \
  SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' \
  as mail, 150 AS uid, 12 AS gid, \
  concat('dirsize:storage=', quota) AS quota \
  FROM mailbox WHERE username = '%u' AND active = '1'

In the file /etc/dovecot/conf.d/10-auth.conf we will enable the SQL configuration file we just modified, disable plaintext authentication, and comment out the auth-system.conf.ext file that’s loaded by default.

disable_plaintext_auth = yes
auth_mechanisms = plain login
#!include auth-system.conf.ext
!include auth-sql.conf.ext

Since we are using TLS, it’s OK to use plain as the auth mechanism.

Next file to edit is /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:/var/vmail/%d/%n
mail_uid = vmail
mail_gid = mail
first_valid_uid = 150
last_valid_uid = 150

The SSL configuration is in /etc/dovecot/conf.d/10-ssl.conf as follows:

ssl_cert = </home/acme/.acme.sh/mail.example.org_ecc/fullchain.cer
ssl_key = </home/acme/.acme.sh/mail.example.org_ecc/mail.example.org.key
ssl_min_protocol = TLSv1.1
ssl_cipher_list =  ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA
ssl_curve_list = P-384
ssl_prefer_server_ciphers = yes

Let’s set up the file /etc/dovecot/conf.d/10-master.conf now. We need to uncomment the user, group, and mode lines in the unix_listener auth-userdb section of the service auth block in order to have Dovecot authenticate. Postfix will also need a unix_listener in the postfix spool directory so uncomment that section, and a unix_listener auth-master section too. Make sure to add postfix as the user and group. Don’t worry about creating them now, we’ll do that later. Set up the stats-writer as well. In the end the file should look somewhat like this

service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = mail
  }

  unix_listener auth-master {
    mode = 0660
    user = vmail
    group = mail
  }
  
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

}

service stats {
    unix_listener stats-reader {
        user = vmail
        group = mail
        mode = 0660
    }
    unix_listener stats-writer {
        user = vmail
        group = mail
        mode = 0660
    }
}

Dovecot Pigeonhole

A new addition to this guide is Dovecot Pigeonhole. This adds support for the Sieve language (RFC 5228) and the ManageSieve protocol (RFC 5804) to Dovecot. Coupled with a Roundcube plugin, this will allow us to filter email based on any number of factors. For example, you can create an rule in Roundcube that will automatically place email coming from @bank.com to a Bank Notifications folder.

After you install the SlackBuild, copy the following example configuration files into the /etc/dovecot/conf.d directory:

/usr/doc/dovecot-2.3.11.3/example-config/conf.d/90-sieve.conf
/usr/doc/dovecot-2.3.11.3/example-config/conf.d/90-sieve-extprograms.conf
/usr/doc/dovecot-2.3.11.3/example-config/conf.d/20-managesieve.conf

We will need to edit the following Dovecot configuration files now:

First, edit /etc/dovecot/conf.d/20-lmtp.conf, and add

protocol lmtp {
  postmaster_address = postmaster@example.org
  mail_plugins = $mail_plugins sieve quota
  log_path = /var/log/dovecot-lmtp-errors.log
  info_log_path = /var/log/dovecot-lmtp.log
}

For /etc/dovecot/conf.d/15-lda.conf, add

protocol lda {
  postmaster_address = postmaster@example.org
  mail_plugins = $mail_plugins sieve quota
  auth_socket_path = /var/run/dovecot/auth-master
  log_path = /var/log/dovecot-lda-errors.log
  info_log_path = /var/log/dovecot-lda.log
}

For /etc/dovecot/conf.d/10-mail.conf, add

mail_home = /var/vmail/%d/%n/sieve
mail_location = maildir:/var/vmail/%d/%n

In /etc/dovecot/conf.d/20-managesieve.conf, add

protocols = $protocols sieve
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
service managesieve {
  process_limit = 1024
}
protocol sieve {
  log_path = /var/log/dovecot-sieve-errors.log
  info_log_path = /var/log/dovecot-sieve.log
  managesieve_max_line_length = 65536
  managesieve_implementation_string = Dovecot Pigeonhole
}

Lastly, edit /etc/dovecot/conf.d/90-sieve.conf, and add

plugin {
    sieve = file:/var/vmail/%d/%n/sieve;active=/var/vmail/%d/%n/sieve/.dovecot.sieve
    sieve_default = /etc/dovecot/sieve/default.sieve
    sieve_global = /etc/dovecot/sieve/global/
}
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes

Now we need to create some files that are needed for our configuration to work:

mkdir -p /etc/dovecot/sieve/global
chown -R vmail:mail /etc/dovecot/sieve/
touch /var/log/{dovecot-lda-errors.log,dovecot-lda.log}
touch /var/log/{dovecot-sieve-errors.log,dovecot-sieve.log}
touch /var/log/{dovecot-lmtp-errors.log,dovecot-lmtp.log}
chown vmail:dovecot /var/log/dovecot-*

Add postfix to the dovecot group. This is needed by amavisd-new later.

usermod -G dovecot -a postfix

Postfix

Postfix is now the default MTA in Slackware as of November 2017. We no longer have to create users or compile anything so let’s just get to adding our database configuration.

Create a directory to hold these files

mkdir -p /etc/postfix/mysql

Now let’s create our MySQL map files

/etc/postfix/mysql/mysql_virtual_alias_domainaliases_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
query = SELECT goto FROM alias,alias_domain
  WHERE alias_domain.alias_domain = '%d'
  AND alias.address=concat('%u', '@', alias_domain.target_domain)
  AND alias.active = 1

/etc/postfix/mysql/mysql_virtual_alias_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'

/etc/postfix/mysql/mysql_virtual_domains_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'

/etc/postfix/mysql/mysql_virtual_mailbox_domainaliases_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
query = SELECT maildir FROM mailbox, alias_domain
  WHERE alias_domain.alias_domain = '%d'
  AND mailbox.username=concat('%u', '@', alias_domain.target_domain )
  AND mailbox.active = 1

/etc/postfix/mysql/mysql_virtual_mailbox_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
table = mailbox
select_field = CONCAT(domain, '/', local_part)
where_field = username
additional_conditions = and active = '1'

Postfix Main Configuration

The only change between here and the past guide is that the append_dot_mydomain directive now defaults to no so we don’t need to include it. Here’s what should be in /etc/postfix/main.cf:

myhostname = mail.example.org
myorigin = $myhostname
inet_interfaces = all
mynetworks = 127.0.0.0/24 [::ffff:127.0.0.0]/104 [::1]/128
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/header_checks
smtpd_banner = $myhostname ESMTP $mail_name
biff = no

Dovecot authentication section is still the same

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes

With newer versions of Postfix, you can now include both ECDSA and RSA certificates in your configuration. I’m disabling SSLv2, SSLv3, and TLSv1.0 in the configuration below. We’re excluding known insecure ciphers and setting the encryption level to may. You can set this to encrypt, if you want, but the Postfix documentation strongly advises against this for a public facing server.

lmtp_tls_ciphers = high
lmtp_tls_mandatory_ciphers = high
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, 3DES, DES+MD5, LOW, DSS, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, 3DES, DES+MD5, LOW, DSS, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtp_tls_security_level = may
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file= /home/acme/.acme.sh/mail.example.org/fullchain.cer
smtpd_tls_eccert_file = /home/acme/.acme.sh/mail.example.org_ecc/fullchain.cer
smtpd_tls_eckey_file = /home/acme/.acme.sh/mail.example.org_ecc/mail.example.org.key
smtpd_tls_eecdh_grade = ultra
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, 3DES, DES+MD5, LOW, DSS, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_key_file= /home/acme/.acme.sh/mail.example.org/mail.example.org.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, 3DES, DES+MD5, LOW, DSS, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom

Feel free to set these parameters to whatever fits your needs

delay_warning_time = 4h
maximal_queue_lifetime = 5d
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
message_size_limit = 20480000
smtp_helo_timeout = 60s
smtpd_recipient_limit = 16
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12

Now we set up milters along with the Postgrey and OpenDKIM sockets

smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client b.barracudacentral.org
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service unix:/var/run/postgrey/postgrey.sock, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service unix:/var/run/postgrey/postgrey.sock, permit
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
mailbox_size_limit = 0
recipient_delimiter = +
non_smtpd_milters=unix:/var/run/opendkim/opendkim.sock
smtpd_milters=unix:/var/run/opendkim/opendkim.sock

We need to point Postfix to our database map files. Use the same UID and GID that was used for vmail user and the existing mail group from /etc/group

virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = mysql:/etc/postfix/mysql/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql/mysql_virtual_mailbox_domainaliases_maps.cf
virtual_uid_maps = static:150
virtual_gid_maps = static:12
virtual_alias_maps = mysql:/etc/postfix/mysql/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql/mysql_virtual_alias_domainaliases_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql/mysql_virtual_domains_maps.cf

The final part of the file will set up Dovecot and Amavis

virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
content_filter = amavis-forward:unix:amavis/amavisd.sock

Postfix Master Configuration

In the file /etc/postfix/master.cf, we’ll set up SMTP with TLS on port 587. Most options can just be enabled by uncommenting them. Make sure you comment out the -o syslog_name=postfix/$service_name option right under relay.

smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_tls_security_options=noanonymous
  -o cleanup_service_name=subcleanup
  -o tls_preempt_cipherlist=yes

subcleanup unix n       -       -       -       0       cleanup
  -o header_checks=regexp:/etc/postfix/submission_header_checks

relay     unix  -       -       n       -       -       smtp
#       -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5

maildrop  unix  -       n       n       -       -       pipe
  flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}

dovecot      unix   -        n      n       -       -   pipe
  flags=DRXhu user=vmail:mail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d $(recipient)

For Amavis, just make sure you set the max number of processes it’s allowed to run. In this example, it’s 4 (the same as the nginx configuration).

amavis-forward      unix    -       -       -       -       4       lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
amavis/amavis-accept unix    n       -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o cleanup_service_name=cleanup
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

Run the newaliases command to generate the aliases database file

cd /etc/postfix/
newaliases

Amavis with ClamAV and SpamAssassin

We are going to be using amavsid-new as the interface bewtween Postfix, ClamAV and SpamAssassin. We need a ton of things for Amavis and SpamAssassin. You can go the SlackBuilds route or just use CPAN. I’m going to just go with CPAN this time around. First, install the zeromq, pyzor, unrar, arj, cabextract, lzop, nomarch, p7zip, libmspack, and GeoIP dependencies. This allows SpamAssassin and ClamAV to handle different compressed files as well.

cpan install CPAN
cpan install App::cpanminus
cpanm -f -v Log::Log4perl
cpanm -f -v Test::Deep Test::Base Test::YAML YAML Module::Signature Module::Build Test::Pod Test::Pod::Coverage Test::Perl::Critic inc::latest Encode::Detect Image::Info TimeDate Net::LibIDN Net::SSLeay Socket6 IO::Socket::IP IO::Socket::SSL IO::Socket::INET6 Crypt::OpenSSL::Bignum Crypt::OpenSSL::Random Crypt::OpenSSL::RSA Geography::Countries IP::Country Digest::SHA Digest::SHA1 Digest::HMAC HTML::Tagset HTML::Parser Test::LeakTrace Authen::NTLM Data::Dump LWP Net::CIDR::Lite PAR::Dist ExtUtils::MakeMaker ExtUtils::Install Net::HTTP WWW::RobotRules HTTP::Date File::Listing IO::HTML Encode::Locale LWP::Protocol::https LWP::MediaTypes HTTP::Message HTTP::Negotiate HTTP::Cookies HTTP::Daemon Bundle::LWP NetAddr::IP Net::Server Net::Ident MailTools Net::IP Net::DNS Net::DNS::Resolver::Programmable Mail::SPF Mail::DKIM Geo::IP Net::Patricia Convert::TNEF Convert::UUlib Convert::BinHex Archive::Zip IO::Stringy MIME::Tools Unix::Syslog BerkeleyDB IO::Multiplex Net::LibIDN File::LibMagic

SpamAssassin

Get the SpamAssassin SlackBuild and build it.

After SpamAssassin is installed, edit the /etc/spamassassin.conf file and set the following options. You only really need ENABLED but the rest are a good idea.

ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
CRON=1

The SpamAssassin source no longer includes rules, so you’ll have to download them. Run sa-update to do this.

ClamAV

You’ll need a user and group created first.

groupadd -g 210 clamav
useradd -u 210 -d /dev/null -s /bin/false -g clamav clamav

Now go ahead and grab the SlackBuild. After you install, make sure DatabaseMirror is set to the new database.clamav.net mirror in /etc/freshclam.conf. Next, edit the /etc/clamd.conf file and change theLocalSocket and LocalSocketGroup options

LocalSocket /var/run/clamav/clamd.sock
LocalSocketGroup amavis

Let’s install amavisd-new before we update the ClamAV virus definitions.

amavisd-new

Create a user and group before you run the script.

groupadd -g 225 amavis
useradd -m -d /var/lib/amavis -s /bin/bash -u 225 -g 225 amavis

While we’re at it, go ahead and add the amavis user to the clamav group and vice versa.

usermod -G clamav -a amavis
usermod -G amavis -a clamav

Run the SlackBuild to install the package. Afer you install, uncomment the lines @bypass_virus_checks_maps and @bypass_spam_checks_maps at the top of /etc/amavisd.conf and add the following

@bypass_virus_checks_maps = (
   %bypass_virus_checks, @bypass_virus_checks_acl, $bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   %bypass_spam_checks, @bypass_spam_checks_acl, $bypass_spam_checks_re);

Next, uncomment @lookup_sql_dsn and modify it to connect to your database using the Unix socket and the proper credentials. Amavis uses the DBD::mysql Perl module. The documentation states setting the host value to localhost will use the socket. This configuration will enable spam checking for the domains you’ve added to your database either manually or through Postfix Admin

@lookup_sql_dsn = (
    ['DBI:mysql:database=mail;host=localhost',
     'mail',
     'mailpassword']);
$sql_select_policy = 'SELECT domain from domain WHERE CONCAT("@",domain) IN (%k)';

There are a number of configuration options we can change in /etc/amavisd.conf. The only really important one is the unix socket configuration. My recommendations are:

Set $max_servers to the same number of processes we allowed Amavis to use in /etc/postfix/master.cf, which in my case is 4
Set the $sa_tag_level_deflt opton to a large negative number. This will ensure that spam headers are added to every single email
Change the user and group to amavis that we created earlier
Configure the home directory for configuraiton files and quarantine emails
Set the domain name (not the same as your hostname).
Uncomment the amavis section in @av_scanners. Leave the rest of this section as is.
Comment out the $inet_socket_port line
Set the Unix socket for Amavis in $unix_socketname
Comment out forward_method for DKIM signing since we’ll use OpenDKIM for that
Set the pid_file to /var/run/amavis/amavisd.pid

The end result should look something like:

$max_servers  = 4;
$sa_tag_level_deflt  = -9999;
$daemon_user  = 'amavis';
$daemon_group = 'amavis';
$mydomain = 'example.org';
$myhostname = 'mail.example.org';
$MYHOME = '/var/lib/amavis';
$QUARANTINEDIR = "$MYHOME/virusmails";
$unix_socketname = "/var/spool/postfix/amavis/amavisd.sock";
$unix_socket_mode = 0660;
$pid_file  = "/var/run/amavis/amavisd.pid";
$interface_policy{'SOCK'} = 'mysock';
$policy_bank{'mysock'} = {
   protocol => 'LMTP',
   auth_required_release => 0,
}
@av_scanners = (
 ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
);

Since we are putting the Amavis socket in the Postfix queue directory, we’ll need to create it and set the permissions

mkdir /var/spool/postfix/amavis/
chmod 770 /var/spool/postfix/amavis/
chown amavis:postfix /var/spool/postfix/amavis/
usermod -G amavis -a postfix

Use the following commands to let Postfix create the amavis-accept PID:

cd /var/spool/postfix/public
ln -s ../amavis amavis
cd /var/spool/postfix/pid
mkdir unix.amavis
chown root:root unix.amavis
chmod 700 unix.amavis

In order for the above to work, we need to set a $forward_method in /etc/amavisd.conf

$forward_method = 'smtp:/var/spool/postfix/amavis/amavis-accept';

If for any reason this is not working, you can edit the /usr/sbin/amavisd Perl script directly. Look around line 926 or search for 10025. Comment out the existing $forward_method and replace it with this:

$forward_method = $have_inet6 && !$have_inet4 ? 'smtp:[::1]:10025' : 'smtp:/var/spool/postfix/amavis/amavis-accept';

Go through the rest of /etc/amavisd.conf file and modify any settings you might want changed.

We also need to fix some permissions to get all three of these to play nicely.

chmod 775 /var/lib/spamassassin/
chown amavis:amavis /var/lib/spamassassin/
chown -R amavis:amavis /var/lib/spamassassin/
chown -R amavis:amavis /var/lib/amavis
chown -R clamav:amavis /var/lib/clamav

Now go ahead and update your virus database by running freshclam as root. Don’t worry if you get a message from freshclam saying clamd was not updated. This is because we have not started clamd yet.

Postgrey

Set up the user and group first, then run the SlackBuild to install Postgrey.

groupadd -g 301 postgrey
useradd -u 301 -d /var/lib/postgrey -s /bin/false -g postgrey postgrey

Go and edit the SlackBuild to set the values of POSTGREYUSR, POSTGREYGRP, POSTGREYUID and POSTGREYGID to the values you set earlier when you created them. After you install, you may want to get an updated version of postgrey_whitelist_clients from the Postgrey site and place it in /etc/postfix, replacing the one included with the SlackBuild.

We need to edit the /etc/postgrey.conf file and replace the PORT line with the path to the Unix socket we are going to set up. Set the correct HOST and make sure USER and GROUP are also correct.

SOCKET=/var/run/postgrey/postgrey.sock
PIDFILE=/var/run/postgrey/postgrey.pid
USER=postgrey
GROUP=postgrey
HOST=mail.example.org

In the /etc/rc.d/rc.postgrey script we are going to find the postgrey_start() function and edit the postgrey flags to make sure it uses a socket instead of TCP. We are basically changing --inet=$PORT to --unix=$SOCKET

postgrey_start() {
  echo "Starting postgrey milter:  /usr/bin/postgrey -d --inet=$PORT --pidfile=$PIDFILE --user=$USER --group=$GROUP --dbdir=/var/lib/postgrey --hostname=$HOST"
  mkdir -p $(dirname $PIDFILE)
  chown ${USER}:${GROUP} $(dirname $PIDFILE)

  /usr/bin/postgrey -d \
                    --inet=$PORT \
                    --pidfile=$PIDFILE \
                    --user=$USER --group=$GROUP \
                    --dbdir=/var/lib/postgrey \
                    --hostname=$HOST
}

The extracted source includes an init script, too. It’s in contrib/postgrey.init if you want to use it.

OpenDKIM, DNS and Building Trust

The setup up to this point should be pretty much complete and meet most people’s needs. Some mail servers are quite picky when it comes to receiving email. Gmail particularly doesn’t like when an email is not signed. The next section will walk you through signing your email with DomainKeys Identified Mail and setting up Sender Policy Framework. If you are using a hosting provider for your server, you will need to contact them and have them set up a PTR record for your IP address. This is also known as rDNS. Some mail servers will reject your email if the IP you are sending from does not point back to your domain name. In general, it should look something like this:

34.216.184.93.in-addr.arpa PTR 600 example.org

If you’re hosting at home, you can try asking your ISP to set this up for you but it is unlikely they’ll want to. They may be willing if you purchase a static IP. You’ll also need to add MX records to your domain’s DNS records. You can add something like this

example.org MX 600 10 mail.example.org

That’s assuming mail.example.org points to your mail sever’s IP and you want a priority of 10. You can ask your DNS provider to add these for you. Check that the record has propagated with host:

$ host -t MX example.org
example.org mail is handled by 10 mail.example.org.

OpenDKIM

Install (libbsd), (opendbx), then grab my SlackBuild and install OpenDKIM. Set up the user and group first:

groupadd -g 305 opendkim
useradd -r -u 305 -g opendkim -d /var/run/opendkim/ -s /sbin/nologin -c "OpenDKIM Milter" opendkim

We’ll need to create the run directory as well:

mkdir -p /var/run/opendkim
chown opendkim:opendkim /var/run/opendkim

Add this to the /etc/rc.d/rc.opendkim script to have it created automatically

mkdir -p $(dirname $PID_FILE)
chown ${USER}:${GROUP} $(dirname $PID_FILE)

We are using MariaDB here so set the USE_MYSQL variable to yes and run the SlackBuild. I used a modified version of CentOS’s init script for rc.opendkim, but feel free to grab the one included in the source in the contrib/init/generic/ directory.

Once it’s installed, we’ll need to set up a basic configuration file. You can copy the sample one from opendkim/opendkim.conf.simple in the extracted source to /etc/opendkim and add the user and group we created earlier. Note that the SlackBuild already does this for you:

UserID opendkim:opendkim
KeyFile /etc/opendkim/keys/default.private

The KeyFile is default.private since this is what’s set in /etc/rc.d/rc.opendkim. The string default is called the selector. Feel free to use any selector you want. The selector is used to differentiate between multiple DKIM records for your domain.

You’ll notice my init script will automatically create some default keys for you in /etc/opendkim/keys and it also creates the directory if it doesn’t exist. We’re using Unix sockets in this guide, so let’s change a line in /etc/opendkim.conf:

Socket local:/var/run/opendkim/opendkim.sock
Domain example.org
UMask 0002

We’ll generate a 2048 bit key with the opendkim-genkey command. You can try something stronger like 4096 bits, but RFC 6376 suggests it might not fit in a 512 byte DNS UDP response. See section 3.3.3 Key Sizes for more information.

opendkim-genkey -b 2048 -D /etc/opendkim/keys -s default -d example.org

The selector is set with the -s parameter. You’ll end up with two files inside /etc/opendkim/keys/, default.private, which is your key, and default.txt which has a nicely formatted record you’ll need to add to your DNS zone. If you don’t manage your own DNS or have access to your zone file, simply copy the text starting with v=DKIM1 as a TXT record in whatever control panel your DNS provider uses. For the example above, this is what I got (truncated for demonstration):

"v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m8F6p1AD"

You’ll need to wait a while before the DNS record propagates but once it does you can check it with dig

dig default._domainkey.example.org TXT

Sender Policy Framework

This basically consists of adding another TXT record to your DNS zone. There used to be an SPF type record but this was removed in RFC 7208. You’ll want to add something like this:

v=spf1 a mx ~all

MariaDB

We’ll set up MariaDB first (the scripts are still named rc.mysqld):

chmod +x /etc/rc.d/rc.mysqld
/usr/bin/mysql_install_db --user=mysql
/etc/rc.d/rc.mysqld start
/usr/bin/mysql_secure_installation

Now create the user and database we’ll be using for Roundcube, Postfix Admin, and all other components.

CREATE DATABASE mail;
GRANT ALL PRIVILEGES ON mail.* TO "mail"@"localhost" \
IDENTIFIED BY "password-here";
FLUSH PRIVILEGES;

Roundcube and Postfix Admin

The same advice from my previous post regarding web based interfaces applies.

Postfix Admin

Not many updates to Postfix Admin this time. We still set public/ as the root directory in our nginx configuration above so just proceed with the installation as normal:

cd /var/www/
wget https://github.com/postfixadmin/postfixadmin/archive/postfixadmin-3.2.4.tar.gz
tar -xzf postfixadmin-3.2.4.tar.gz
ln -s postfixadmin-postfixadmin-3.2.4 postfixadmin
cd postfixadmin
mkdir templates_c
chown nginx:root templates_c

Make a copy of config.inc.php as config.local.php and make your changes there. The ones we need for this guide are

<?php
$CONF['configured'] = true;
$CONF['database_type'] = 'mysqli';
$CONF['database_user'] = 'mail';
$CONF['database_password'] = "password-here";
$CONF['database_name'] = 'mail';
$CONF['database_socket'] = '/var/run/mysql/mysql.sock';
$CONF['admin_email'] = 'admin@example.org';
$CONF['encrypt'] = 'dovecot:SHA512-CRYPT';
$CONF['dovecotpw'] = "/usr/bin/doveadm pw";
$CONF['default_aliases'] = array (
    'abuse' => 'admin@example.org',
    'hostmaster' => 'admin@example.org',
    'postmaster' => 'admin@example.org',
    'webmaster' => 'admin@example.org',
    'virusalert' => 'admin@example.org'
 );
$CONF['domain_path'] = 'NO';
$CONF['domain_in_mailbox'] = 'YES';
$CONF['footer_text'] = 'Return to example.org';
$CONF['footer_link'] = 'https://example.org;'
$CONF['emailcheck_resolve_domain']='NO';
$CONF['password_expiration'] = 'NO';
?>

Comment out the $CONF['database_host'] = 'localhost'; line because we are using sockets here.

This tells Postfix Admin to use Dovecot’s crypt() scheme for passwords and to connect to MariaDB using Unix sockets. Next, visit https://mail.example.org/postfixadmin/setup.php and complete the setup. Make sure you add your $CONF['setup_password'] obtained from setup.php to config.local.php. Do this before clicking on Add Admin.

Add Email Domains and Mailboxes

Log in to https://mail.example.org/postfixadmin and head over to Domain List > New Domain. Fill in whatever works for you here to add a new domain, then head to Virtual List > Add Mailbox and create your first user. I set up example.org as an email domain and admin@example.org as my first user. Doing this will generate the needed database schema that Postfix will use. Go ahead and play around with this and make sure your aliases are set up

Roundcube

The latest version of Roundcube is now 1.4.10. There is a cool new mobile friendly theme now, too. We’ve already set up the nginx configuration for Postfix Admin and Roundcube so now we just have to download their files and run the installers.

cd /var/www/
wget https://github.com/roundcube/roundcubemail/releases/download/1.4.10/roundcubemail-1.4.10-complete.tar.gz
tar -xvzf roundcubemail-1.4.10-complete.tar.gz
ln -s roundcubemail-1.4.10 roundcubemail
cd roundcubemail
chown nginx:root logs/ temp/

We’ll need to create a database for Roundcube to use. Log in to *8MariaDB** with mysql and create it. Make sure you use a strong password.

CREATE DATABASE roundcubemail CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL PRIVILEGES ON roundcubemail.* TO "roundcube"@"localhost" \
IDENTIFIED BY "password-here";
FLUSH PRIVILEGES;

Roundcube includes an SQL file that can create the necessary database structure for you

mysql -u roundcube roundcubemail -p < SQL/mysql.initial.sql

I recommend you check out the INSTALL file included in the source for a more complete guide on the installation. Now head over to https://mail.example.org/installer and make sure everything is OK in the Check environment section. You will probably need to temporarily comment out the location blocks in /etc/nginx/conf.d/mail.example.org.conf that block access to Roundcube URLs such as /installer.

My installation complained about the date.timezone setting in php.ini so I had to set that. Get a list of supported time zones from here. You may need to restart nginx and php-fpm for the changes to take effect.

Click Next when you’re done to move on to the Create config section. You can leave most of these settings alone. If you want to know what a specific setting does, check out Roundcube’s wiki. Fill in the Database setup section with the user and database you created earlier.

IMAP and SMTP Settings

Fill in your database information in the Database Setup section. Make sure you do not enable spellchecking support. If you do, Roundcube will connect to external services to check your spelling. Why would we go through all this trouble to have a third party see every word we type?

We’re going to set default_host to tls://localhost in the IMAP Settings section and leave the default port. In the SMTP Settings section, set smtp_server to tls://localhost , smtp_port to 587 and check the Use the current IMAP username and password for SMTP authentication option. In the Plugins section, enable managesieve.

Click on Create config.

After it’s done generating your configuraiton file, go through config/config.inc.php and see if you’d like to change anything. I recommend disabling SSL peer verification for IMAP and SMTP since we are using localhost and the SSL certificates likely won’t match the hostname. This is needed in PHP 5.6 or later and Slackware is on PHP 7.4 as of this writing.

$config['default_host'] = 'tls://localhost';
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer'  => false,
        'verify_peer_name' => false,
    ),
);
$config['smtp_server'] = 'tls://localhost';
$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ),
);
$config['log_dir'] = '/var/www/roundcubemail/logs/';
$config['temp_dir'] = '/var/www/roundcubemail/temp/';
$config['plugins'] = array('managesieve');
$config['enable_spellcheck'] = false;
$config['prefer_html'] = false;
$config['mime_param_folding'] = 0;

Start Up Email Services

Let’s start up the services we have so far in order to get all necessary files created properly. We’ll need the services running in order to set up Roundcube and Postfix Admin correctly. You can place your startup commands in /etc/rc.d/rc.local and the stop commands in /etc/rc.d/rc.local_shutdown.

Since now Dovecot and Postfix are part of Slackware, their start up scripts are run before /etc/rc.d/rc.local. My workaround here is just to issue restarts since Postfix depends on OpenDKIM to be running before starting. I didn’t think too much about how to solve this problem.

Make sure both scripts are executable and add this content

/etc/rc.d/rc.local

if [ -x /etc/rc.d/rc.php-fpm ]; then
        /etc/rc.d/rc.php-fpm start
fi

if [ -x /etc/rc.d/rc.nginx ]; then
        /etc/rc.d/rc.nginx start
fi

if [ -x /etc/rc.d/rc.postgrey ]; then
        /etc/rc.d/rc.postgrey start
fi

if [ -x /etc/rc.d/rc.clamav ]; then
        /etc/rc.d/rc.clamav start
fi

if [ -x /etc/rc.d/rc.spamd ]; then
        /etc/rc.d/rc.spamd start
fi

if [ -x /etc/rc.d/rc.amavisd-new ]; then
        /etc/rc.d/rc.amavisd-new start
fi

if [ -x /etc/rc.d/rc.opendkim ]; then
        /etc/rc.d/rc.opendkim start
fi

if [ -x /etc/rc.d/rc.postfix ]; then
        /etc/rc.d/rc.postfix restart
fi

if [ -x /etc/rc.d/rc.dovecot ]; then
        /etc/rc.d/rc.dovecot restart
fi

/etc/rc.d/rc.local_shutdown

if [ -x /etc/rc.d/rc.nginx ]; then
        /etc/rc.d/rc.nginx stop
fi

if [ -x /etc/rc.d/rc.php-fpm ]; then
        /etc/rc.d/rc.php-fpm stop
fi

if [ -x /etc/rc.d/rc.postgrey ]; then
        /etc/rc.d/rc.postgrey stop
fi

if [ -x /etc/rc.d/rc.amavisd-new ]; then
        /etc/rc.d/rc.amavisd-new stop
fi

if [ -x /etc/rc.d/rc.clamav ]; then
        /etc/rc.d/rc.clamav stop
fi

if [ -x /etc/rc.d/rc.spamd ]; then
        /etc/rc.d/rc.spamd stop
fi

if [ -x /etc/rc.d/rc.opendkim ]; then
        /etc/rc.d/rc.opendkim stop
fi

Finishing Up

Go ahead and create some filters in Roundcube and make sure emails are going to the right folders. Test sending email to and from your own domain as well as to external domains. Connect your email clients. They should automatically detect your sever’s open ports but you can use the following settings to set it up manually. You can substitute the hostname for example.org if that points to your server’s IP as well.

Username: testuser@example.org
Incoming (IMAP) server: mail.example.org
Port: 143
STARTTLS Enabled
Authentication: Plain (Normal Password)

Username: testuser@example.org
Outgoing (SMTP) server: mail.example.org
Port: 587
STARTTLS Enabled
Authentication: Plain (Normal Password)
Requires authentication

The first time you receive an email, it’ll be greylisted thanks to Postgrey. Check /var/log/maillog:

Apr 24 22:38:56 mail postgrey[945]: action=greylist, reason=new, client_name=mail.example.net, client_address=61.4.1.30, sender=testuser@example.net, recipient=testuser@example.org
Apr 24 22:38:56 mail postfix/smtpd[19527]: NOQUEUE: reject: RCPT from mail.example.net[63.4.1.30]: 450 4.2.0 <testuser@example.org>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.org.html; from=<testuser@example.net> to=<testuser@example.org> proto=ESMTP helo=<mail.example.net>

Most mail servers will try once more after some time and will be allowed the second time they send. Spammers generally only try once so this should stop some most of the common spam you could receive. Once the mail passes through, Amavis will check for viruses and other malware.

Apr 24 22:48:23 mail amavis[1078]: (01078-02) Passed CLEAN {RelayedInbound}, [63.4.1.30]:43126 [63.4.1.30] <testuser@example.net> -> <testuser@example.org>

You can also test your anti-virus using the EICAR test file. Send yourself an email from another mail server with only the following string in the body:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

It will be detected as a virus and you’ll see this in the log as well:

Apr 24 23:05:25 mail postfix/qmgr[1060]: BF9D558771: from=<virusalert@example.org>, size=2092, nrcpt=1 (queue active)
Apr 24 23:05:25 mail amavis[21120]: (21120-01) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [63.4.1.30]:36539 [63.4.1.30] <testuser@example.net> -> <testuser@example.org>, quarantine: /var/lib/amavis/virusmails

In a similar fashion, you can test your spam filter using the GTUBE. Send a message from another mail server to yourself with only the following string in the body:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

It will be detected as spam and you’ll see this in the log as well:

Apr 24 23:13:44 mail amavis[21119]: (21119-01) Passed SPAM {RelayedTaggedInternal,Quarantined}, [63.4.1.30]:36539 [63.4.1.30] <testuser@example.net> -> <testuser@example.org>, quarantine: /var/lib/amavis/virusmails

Other Considerations

You’ll notice in your /var/log/maillog file that there will be a ton of bots and compromised third party servers trying to relay using your server, trying to log in using common usernames (admin, support, test, etc) and generally just trying to wreak havoc on your mail server. The setup suggestions I described in this article should prevent most of those attacks. You may consider trying something like fail2ban to automatically ban these IPs. Get yourself a nice firewall using AlienBob’s Easy Firewall Generator and block anything you don’t need.

I tested this set up by following it step by step on a fresh server and it worked for me. I may have missed some things. Contact me if you have any comments. Encrypted email is strongly encouraged and preferred.

Slackware Mail Server with MariaDB, Postfix, and Dovecot

2019-01-21T00:00:00-06:00

Introduction

Nearly two years after the release of Slackware Linux 14.2 and three years after my original blog post, I’m glad to finally provide an update. Sorry for the delay. The core packages that make up the mail server have received lots of updates. Besides the version and configuration updates I’ve also added some information for setting up Dovecot Pigeonhole and configuring email filtering.

This post contains some suggestions for a mildly secure mail server running on a Slackware Linux host. The guide assumes a default, fresh installation of Slackware64 14.2 that includes at least the A/, AP/, D/, L/, and N/ package series. By the end of the tutorial, you will have:

Postfix for encrypted connections over SMTP
Dovecot for local mail directories and encrypted connections over POP and IMAP
MariaDB to store mailbox information
Postgrey which will require unknown senders to resend their mail, eliminating most spam
SpamAssassin for e-mail spam filtering based on content-matching rules
ClamAV to detect trojans, viruses, malware and other malicious threats in your email
amavisd-new to manage ClamAV and SpamAssasin
OpenDKIM a DomainKeys Identified Mail (DKIM) milter to sign and/or verify mail
nginx as a webserver (optional)
Postfix Admin to manage mailboxes and domains using a TLS secured web user interface (optional)
Roundcube with some plugins as a TLS secured webmail client (optional)
Pigeonhole to add support for email filter rules (forwarding, placing in folders, etc)

Self-hosting Email

My previous post goes into more detail about why you would or wouldn’t want to host your own mail server. It also gives some advice about hosting providers and things to look out for.

Preparation

Hostname

Set up an FQDN as your hostname. We’ll use mail.example.org:

echo "mail.example.org" > /etc/HOSTNAME
hostname -F /etc/HOSTNAME

PHP + nginx

Install nginx

The nginx webserver is at version 1.14.2 as of this writing, up from 1.8.0 used in my previous guide. HTTP/2 is now natively supported instead of being provided by the SPDY module. You can still hide the server headers in the source using the patches from the previous post. This is in addition to the server_tokens configuration option. You can also compile nginx with the ngx_headers_more module. Keep in mind there are still many ways to detect which web server you’re running and tools like nmap are particularly good at doing it. It’s up to you to decide how much effort you want to put into this.

Create your user and use that to run the SlackBuild. For newer nginx versions, simply updating the version number in the nginx.SlackBuild file before running it usually does the trick.

useradd -r -M -U -c "User for nginx" -d /srv/httpd -s /bin/false nginx
NGINXUSER=nginx NGINXGROUP=nginx ./nginx.SlackBuild

Once again, if you want to enable syntax highlighlting for the nginx.conf file in vim, copy the contents of the contrib/vim directory from the extracted nginx source to ~/.vim.

SSL Certificates

In the previous post I talked about some SSL certificate providers and curves. We use ECDSA certificates and the secp384r1 curve here.

Configure nginx

user nginx;
worker_processes 4;
pid /var/run/nginx.pid;

events {

  worker_connections 1024;
}

http {

  map $sent_http_content_type $expires {

    default off;
    application/x-javascript 1d;
    text/css 1d;
    ~image/ 1d;
  }

  expires $expires;
  client_max_body_size 12m;
  default_type application/octet-stream;
  gzip on;
  gzip_vary on;
  gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_min_length 10240;

  gzip_proxied expired no-cache no-store private auth;
  gzip_types text/plain text/css text/xml text/javascript text/json application/json application/x-javascript application/xml application/xml+rss;

  gzip_disable "MSIE [1-6]\.";
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;
  include /etc/nginx/mime.types;
  upstream php_workers {

    server unix:/var/run/php-fpm.sock;
  }
  sendfile on;
  # Hide Nginx version number
  server_tokens off;
  types_hash_max_size 2048;

  include /etc/nginx/conf.d/*.conf;
}

Create your /etc/nginx/conf.d/site.conf

# HTTP
server {

  # Listen on ipv4
  listen 80;

  server_name _;
  return 301 https://$host$request_uri;
}
# HTTPS
server {

  listen 443;
  server_name _;

  root /var/www/html;
  index index.php index.html;

  # Allow access to '^/.well-known/'
  location ~ ^/.well-known/ {

    allow all;
    access_log off;
    log_not_found off;
    autoindex off;
  }

  # Deny all attempts to access hidden files such as .htaccess.
  location ~ /\. {

    deny all;
  }

  # too many of these
  location = /favicon.ico {

    access_log off; log_not_found off;
  }
  location = /robots.txt {

    access_log off; log_not_found off;
  }

  # global SSL options with Perfect Forward Secrecy (PFS) high strength ciphers
  # first. PFS ciphers are those which start with ECDHE which means (EC)DHE
  # which stands for (Elliptic Curve) Diffie-Hellman Ephemeral.
  ssl on;
  ssl_protocols TLSv1.2;

  # RSA ciphers
  # ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA;

  # ECDSA ssl ciphers; google chrome prefered order, 128bit most prefered
  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA;
  ssl_ecdh_curve secp384r1; # 384 bit prime modulus curve efficiently supports ECDHE ssl_ciphers up to a SHA384 hash

  ssl_prefer_server_ciphers on;

  ssl_certificate /home/acme/.acme.sh/mail.example.org_ecc/fullchain.cer;
  ssl_certificate_key /home/acme/.acme.sh/mail.example.org_ecc/mail.example.org.key;


  #
  # Running Roundcube as a subfolder on an existing virtual host
  #
  # Block access to default directories and files under these directories
  location ~ /mail/(bin|config|installer|logs|SQL|temp|vendor)($|/.*) {

    deny all;
  }

  # Block access to default files under top-directory and files start with same name.
  location ~ /mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) {

    deny all;
  }

  # Block plugin config files and sample config files.
  location ~ /mail/plugins/.*/config.inc.php.* {

    deny all;
  }

  # Block access to plugin data
  location ~ /mail/plugins/enigma/home($|/.*) {

    deny all;
  }

  # Redirect URI `/mail` to `/mail/`.
  location = /mail {

    return 301 /mail/;
  }

  location ~ ^/mail/(.*\.php)$ {

    # Use HTTP Strict Transport Security to force client to use secure
    # connections only. References:
    #
    # * RFC Document (6797): HTTP Strict Transport Security (HSTS)
    #   https://tools.ietf.org/html/rfc6797#section-6.1.2
    #
    # * Short tutorial from Mozilla:
    #   https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
    #
    # WARNING: According to RFC document, HSTS will fail with self-signed SSL
    #          certificate.
    #          https://tools.ietf.org/html/rfc6797#page-27
    #
    # Syntax:
    #
    #   Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]
    add_header Strict-Transport-Security "max-age=31536000";

    #
    # Template used to handle PHP fastcgi applications
    #
    # You still need to define `SCRIPT_FILENAME` for your PHP application, and
    # probably `fastcgi_index` if your application use different index file.
    #
    include fastcgi_params;

    # Directory index file
    fastcgi_index index.php;

    # Handle PHP files with upstream handler
    fastcgi_pass php_workers;

    # Fix the HTTPROXY issue.
    # Reference: https://httpoxy.org/
    fastcgi_param HTTP_PROXY '';


    fastcgi_param SCRIPT_FILENAME /var/www/roundcubemail/$1;
  }

  location ~ ^/mail/(.*) {

    alias /var/www/roundcubemail/$1;
    index index.php;
  }


  #
  # Running Postfixadmin as a subfolder on an existing virtual host
  #
  # Block access to default directories and files under these directories
  location ~ /postfixadmin/(bin|config|installer|logs|SQL|temp|vendor)($|/.*) {

    deny all;
  }

  # Block access to default files under top-directory and files start with same name.
  location ~ /postfixadmin/(CHANGELOG.txt|GPL-LICENSE.TXT|INSTALL.TXT|LICENSE.TXT|README.md|composer.json|composer.lock)($|.*) {

    deny all;
  }

  # Block plugin config files and sample config files.
  location ~ /postfixadmin/plugins/.*/config.inc.php.* {

    deny all;
  }

  # Block access to plugin data
  location ~ /postfixadmin/plugins/enigma/home($|/.*) {

    deny all;
  }

  # Redirect URI `/postfixadmin` to `/postfixadmin/`.
  location = /postfixadmin {

    return 301 /postfixadmin/;
  }

  location ~ ^/postfixadmin/(.*\.php)$ {

    # Use HTTP Strict Transport Security to force client to use secure
    # connections only. References:
    #
    # * RFC Document (6797): HTTP Strict Transport Security (HSTS)
    #   https://tools.ietf.org/html/rfc6797#section-6.1.2
    #
    # * Short tutorial from Mozilla:
    #   https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
    #
    # WARNING: According to RFC document, HSTS will fail with self-signed SSL
    #          certificate.
    #          https://tools.ietf.org/html/rfc6797#page-27
    #
    # Syntax:
    #
    #   Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]
    add_header Strict-Transport-Security "max-age=31536000";


    #
    # Template used to handle PHP fastcgi applications
    #
    # You still need to define `SCRIPT_FILENAME` for your PHP application, and
    # probably `fastcgi_index` if your application use different index file.
    #
    include fastcgi_params;

    # Directory index file
    fastcgi_index index.php;

    # Handle PHP files with upstream handler
    fastcgi_pass php_workers;

    # Fix the HTTPROXY issue.
    # Reference: https://httpoxy.org/
    fastcgi_param HTTP_PROXY '';


    fastcgi_param SCRIPT_FILENAME /var/www/postfixadmin/public/$1;
  }

  location ~ ^/postfixadmin/(.*) {

    alias /var/www/postfixadmin/public/$1;
    index index.php;
  }


  # Normal PHP scripts
  location ~ \.php$ {

    #
    # Template used to handle PHP fastcgi applications
    #
    # You still need to define `SCRIPT_FILENAME` for your PHP application, and
    # probably `fastcgi_index` if your application use different index file.
    #
    include fastcgi_params;

    # Directory index file
    fastcgi_index index.php;

    # Handle PHP files with upstream handler
    fastcgi_pass php_workers;

    # Fix the HTTPROXY issue.
    # Reference: https://httpoxy.org/
    fastcgi_param HTTP_PROXY '';


    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }


}

We’re going to skip setting up memcached for now. The newer versions are for PHP 7 which will not be a Slackware default until version 15 is out or so. Rerfer to my old guide for help setting up memcached.

Change the permissions of /var/lib/php since we’re using nginx instead of httpd to run PHP:

chown root:nginx /var/lib/php/

If you’re getting any compilation errors for nginx, PHP, or any package regarding graphics, you’ll need some X11 libraries. These are most likely not installed if you’re working on a headless server. Get the needed dependencies from a Slackware mirror:

slackpkg install libX11 libXpm libxcb libXau libXdmcp

PHP-FPM with FastCGI in nginx

We’ll set up PHP-FPM a bit different this time around by putting its configuration in a separate file. First you’ll need to make sure the startup script is executable. Start php-fpm at least once to let it create its default configuration files:

chmod +x /etc/rc.d/rc.php-fpm
/etc/rc.d/rc.php-fpm start
/etc/rc.d/rc.php-fpm stop

We’ll add our own /etc/php-fpm.d/mailserver.conf with the following content:

[mailserver]
user = nginx
group = nginx
listen = /var/run/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.max_requests = 5
request_terminate_timeout = 10s
request_slowlog_timeout = 10s
access.log = /var/log/php-fpm/php-fpm.log
slowlog = /var/log/php-fpm/slow.log
security.limit_extensions = .php .php3 .php4 .php5 .html .htm

Make sure this file is included in /etc/php-fpm.conf. Edit the error_log to log/php-fpm/php-fpm.log to keep everything in place while you’re there.

Install the php-imagick extension too. This will come in handy for Roundcube later.

Dovecot

Lots of development has been done on Dovecot since my last guide. Dovecot is now on version 2.3.4 as of this writing, up from version 2.2.16 from my past guide. We are still going to use Postfix Admin to store the user information in this setup instead of creating a Unix account for each mailbox. The email will be stored in /var/vmail organized by domain and user, so the email for admin@example.org would be stored in /var/vmail/example.org/admin. We’ll create a single user to own the mailboxes on the system and let Dovecot manage them. Dovecot will also need its own user and group:

useradd -r -d /var/vmail -s /bin/false -u 150 -g 12 vmail
mkdir /var/vmail
chmod 770 /var/vmail
chown vmail:mail /var/vmail
groupadd -g 202 dovecot
useradd -d /dev/null -s /bin/false -u 202 -g 202 dovecot
groupadd -g 248 dovenull
useradd -d /dev/null -s /bin/false -u 248 -g 248 dovenull

You can use whatever names and IDs you want but make sure it doesn’t interfere with what Slackware already uses. Copy over the sample configuration files and replace some of them

cp -r /usr/doc/dovecot-2.3.4/example-config/* /etc/dovecot/
chown -R vmail:dovecot /etc/dovecot
chmod -R o-rw /etc/dovecot

We’ll set up /etc/dovecot/dovecot-sql.conf.ext first with the database connection information

driver = mysql
connect = host=/var/run/mysql/mysql.sock dbname=mail user=mail password=password-here
default_pass_scheme = SHA512-CRYPT

Of course, set dbname, user, and password appropriately. These are the same credentials Postfix Admin will use, so keep that in mind. We’re not creating the database or user yet. That will come later. Now let’s add the password_query and user_query to /etc/dovecot/dovecot-sql.conf.ext:

password_query = \
  SELECT username as user, password, '/var/vmail/%d/%n' as \
  userdb_home, 'maildir:/var/vmail/%d/%n' as userdb_mail, \
  150 as userdb_uid, 12 as userdb_gid \
  FROM mailbox WHERE username = '%u' AND active = '1'

user_query = \
  SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' \
  as mail, 150 AS uid, 12 AS gid, \
  concat('dirsize:storage=', quota) AS quota \
  FROM mailbox WHERE username = '%u' AND active = '1'

Edit /etc/dovecot/conf.d/10-auth.conf and enable the SQL configuration file we just modified. You will need to disable plaintext authentication unless it’s already encrypted through TLS. We’ll also disable the auth-system.conf.ext file that’s loaded by default. Don’t worry about authenticating with plain text; your connection will be secured with TLS so this is safe:

disable_plaintext_auth = yes
auth_mechanisms = plain login
#!include auth-system.conf.ext
!include auth-sql.conf.ext

Next, change the UIDs and mail location in /etc/dovecot/conf.d/10-mail.conf to whatever you set up earlier:

mail_location = maildir:/var/vmail/%d/%n
mail_uid = vmail
mail_gid = mail
first_valid_uid = 150
last_valid_uid = 150

Dovecot has changed some of its TLS options. I use the secp384r1 curve for my ECDSA SSL certificates. My /etc/dovecot/conf.d/10-ssl.conf file will looks like this:

ssl_cert = </home/acme/.acme.sh/mail.example.org_ecc/fullchain.cer
ssl_key = </home/acme/.acme.sh/mail.example.org_ecc/mail.example.org.key
ssl_min_protocol = TLSv1
ssl_cipher_list =  ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA
ssl_curve_list = P-384
ssl_prefer_server_ciphers = yes

In order to have Dovecot authenticate, uncomment the user, group, and mode lines in the unix_listener auth-userdb section of the service auth block in /etc/dovecot/conf.d/10-master.conf. Additionally, set up a unix listener for Postfix. Uncomment that section as well and add postfix as the user and group. We’ll create those later when we’re setting up Postfix. Set up the stats-writer permissions, too.

service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = mail
  }
}

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

service stats {
    unix_listener stats-reader {
        user = vmail
        group = mail
        mode = 0660
    }

    unix_listener stats-writer {
        user = vmail
        group = mail
        mode = 0660
    }
}

Dovecot Pigeonhole

Grab the SlackBuild and run it. The package will install some configuration files in the Dovecot documentation directory. Copy these to /etc/dovecot/conf.d:

/usr/doc/dovecot-2.3.4/example-config/conf.d/90-sieve.conf
/usr/doc/dovecot-2.3.4/example-config/conf.d/90-sieve-extprograms.conf
/usr/doc/dovecot-2.3.4/example-config/conf.d/20-managesieve.conf

Let’s make some changes to these files

First, edit /etc/dovecot/conf.d/20-lmtp.conf, and add

protocol lmtp {
  postmaster_address = postmaster@example.org
  mail_plugins = $mail_plugins sieve quota
  log_path = /var/log/dovecot-lmtp-errors.log
  info_log_path = /var/log/dovecot-lmtp.log
}

For /etc/dovecot/conf.d/15-lda.conf, add

protocol lda {
  postmaster_address = postmaster@example.org
  mail_plugins = $mail_plugins sieve quota
  auth_socket_path = /var/run/dovecot/auth-master
  log_path = /var/log/dovecot-lda-errors.log
  info_log_path = /var/log/dovecot-lda.log
}

For /etc/dovecot/conf.d/10-mail.conf, add

mail_home = /var/vmail/%d/%n/sieve
mail_location = maildir:/var/vmail/%d/%n

In /etc/dovecot/conf.d/20-managesieve.conf, add

protocols = $protocols sieve
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
service managesieve {
  process_limit = 1024
}
protocol sieve {
  log_path = /var/log/dovecot-sieve-errors.log
  info_log_path = /var/log/dovecot-sieve.log
  managesieve_max_line_length = 65536
  managesieve_implementation_string = Dovecot Pigeonhole
}

Lastly, edit /etc/dovecot/conf.d/90-sieve.conf, and add

plugin {
    sieve = file:/var/vmail/%d/%n/sieve;active=/var/vmail/%d/%n/sieve/.dovecot.sieve
    sieve_default = /etc/dovecot/sieve/default.sieve
    sieve_global = /etc/dovecot/sieve/global/
}
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes

Now we need to create some files that are needed for our configuration to work:

mkdir -p /etc/dovecot/sieve/global
chown -R vmail:mail /etc/dovecot/sieve/
touch /var/log/{dovecot-lda-errors.log,dovecot-lda.log}
touch /var/log/{dovecot-sieve-errors.log,dovecot-sieve.log}
touch /var/log/{dovecot-lmtp-errors.log,dovecot-lmtp.log}
chown vmail:dovecot /var/log/dovecot-*

Add postfix to the dovecot group. This is needed by amavisd-new later.

usermod -G dovecot -a postfix

Postfix

Postfix is now at version 3.3.2 instead of 3.0.3 we used in the last guide. There haven’t been any major configuration changes so we’ll just proceed as normal. Create the required user and group before going any further:

groupadd -g 200 postfix
groupadd -g 201 postdrop
useradd -u 200 -d /dev/null -s /bin/false -g postfix postfix

Run the SlackBuild with support for MySQL and install it

DATABASE=mysql ./postfix.SlackBuild

Let’s create our MySQL map files now

/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
query = SELECT goto FROM alias,alias_domain
  WHERE alias_domain.alias_domain = '%d'
  AND alias.address=concat('%u', '@', alias_domain.target_domain)
  AND alias.active = 1

/etc/postfix/mysql_virtual_alias_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'

/etc/postfix/mysql_virtual_domains_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'

/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
query = SELECT maildir FROM mailbox, alias_domain
  WHERE alias_domain.alias_domain = '%d'
  AND mailbox.username=concat('%u', '@', alias_domain.target_domain )
  AND mailbox.active = 1

/etc/postfix/mysql_virtual_mailbox_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
table = mailbox
select_field = CONCAT(domain, '/', local_part)
where_field = username
additional_conditions = and active = '1'

We’re going to strip the email client and IP address of each mail you send. Remember this is just security through obscurity and you’ll be violating RFC 2045 if you remove the MIME-Version string. It’s still useful to prevent uninitiated recipients from figuring out where you are sending your mail from. Add these to the file /etc/postfix/header_checks for now. We’ll enable it in the Postfix configuration later.

/^Received:/                 IGNORE
/^User-Agent:/               IGNORE
/^X-Mailer:/                 IGNORE
/^X-Enigmail:/               IGNORE
/^X-Originating-IP:/         IGNORE
/^x-cr-[a-z]*:/              IGNORE
/^Thread-Index:/             IGNORE
/^\s*Mime-Version: 1.0.*/    REPLACE Mime-Version: 1.0

Postfix Main Configuration

We only need to make some minor adjustments to /etc/postfix/main.cf:

myhostname = mail.example.org
myorigin = $myhostname
inet_interfaces = all
mynetworks = 127.0.0.0/24 [::ffff:127.0.0.0]/104 [::1]/128
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/header_checks
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no

The Dovecot authentication section will remain the same as in my previous guide too

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes

With newer versions of Postfix, you can now include both ECDSA and RSA certificates in your configuration. I’m disabling SSLv2, SSLv3, and TLSv1.0 in the configuration below. We’re excluding known insecure ciphers and setting the encryption level to may. You can set this to encrypt, if you want, but the Postfix documentation strongly advises against this for a public facing server.

lmtp_tls_ciphers = high
lmtp_tls_mandatory_ciphers = high
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, 3DES, DES+MD5, LOW, DSS, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, 3DES, DES+MD5, LOW, DSS, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtp_tls_security_level = may
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file= /home/acme/.acme.sh/mail.example.org/fullchain.cer
smtpd_tls_eccert_file = /home/acme/.acme.sh/mail.example.org_ecc/fullchain.cer
smtpd_tls_eckey_file = /home/acme/.acme.sh/mail.example.org_ecc/mail.example.org.key
smtpd_tls_eecdh_grade = ultra
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, 3DES, DES+MD5, LOW, DSS, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_key_file= /home/acme/.acme.sh/mail.example.org/mail.example.org.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, 3DES, DES+MD5, LOW, DSS, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom

Feel free to set these parameters to whatever fits your needs

delay_warning_time = 4h
maximal_queue_lifetime = 5d
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
message_size_limit = 20480000
smtp_helo_timeout = 60s
smtpd_recipient_limit = 16
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12

Now we set up milters along with the Postgrey and OpenDKIM sockets

smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client b.barracudacentral.org
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service unix:/var/run/postgrey/postgrey.sock, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service unix:/var/run/postgrey/postgrey.sock, permit
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
mailbox_size_limit = 0
recipient_delimiter = +
non_smtpd_milters=unix:/var/run/opendkim/opendkim.sock
smtpd_milters=unix:/var/run/opendkim/opendkim.sock

We need to point Postfix to our database map files. Use the same UID and GID that was used for the Dovecot

virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
virtual_uid_maps = static:150
virtual_gid_maps = static:12
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf

Last, set up Dovecot and Amavis

virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
content_filter = amavis-forward:unix:amavis/amavisd.sock

Postfix Master Configuration

Moving on to /etc/postfix/master.cf, we’ll set up SMTP with TLS on port 587 and SMTPS on port 465. Most options can just be enabled by uncommenting them. Make sure you comment out the -o syslog_name=postfix/$service_name option right under relay.

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_tls_security_options=noanonymous
  -o cleanup_service_name=subcleanup
  -o tls_preempt_cipherlist=yes
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous

subcleanup unix n       -       -       -       0       cleanup
  -o header_checks=regexp:/etc/postfix/submission_header_checks

relay     unix  -       -       n       -       -       smtp
#        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}

dovecot      unix   -        n      n       -       -   pipe
  flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d $(recipient)

For Amavis, just make sure you set the max number of processes it’s allowed to run. In this example, it’s 4 (the same as the nginx configuration).

amavis-forward      unix    -       -       -       -       4       lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
amavis/amavis-accept unix    n       -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o cleanup_service_name=cleanup
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

Before you continue, make an /etc/aliases file and generate the database:

touch /etc/aliases
newaliases

Amavis with ClamAV and SpamAssassin

Let’s set up virus and spam checking. We are using amavisd-new here. It will be the interface bewtween Postfix, ClamAV and SpamAssassin.

We need a ton of things for Amavis and SpamAssassin. You can go the SlackBuilds route or just use CPAN. If you need to keep track of what you have installed with sbopkg, slackpkg or whatever Slackware “package manager” you use then go the SlackBuilds route. Before getting started you may want to install the re2c, zeromq, pyzor, unrar, arj, cabextract, lzop, nomarch, p7zip, libmspack, and GeoIPpackages to allow SpamAssassin and ClamAV to handle different compressed files and to satisfy some of their dependencies.

If you’re using CPAN, here’s what you need to install all the Perl modules:

cpan install CPAN
cpan install Log::Log4perl App::cpanminus
cpanm -f -v inc::latest Test::Pod Test::Pod::Coverage Encode::Detect Image::Info TimeDate Net::LibIDN Net::SSLeay Socket6 IO::Socket::IP IO::Socket::SSL IO::Socket::INET6 Crypt::OpenSSL::Bignum Crypt::OpenSSL::Random Crypt::OpenSSL::RSA Geography::Countries IP::Country Digest::SHA Digest::SHA1 Digest::HMAC HTML::Tagset HTML::Parser Test::LeakTrace Authen::NTLM Data::Dump LWP Net::CIDR::Lite PAR::Dist ExtUtils::MakeMaker ExtUtils::Install Net::HTTP WWW::RobotRules HTTP::Date File::Listing IO::HTML Encode::Locale LWP::Protocol::https LWP::MediaTypes HTTP::Message HTTP::Negotiate HTTP::Cookies HTTP::Daemon Bundle::LWP NetAddr::IP Net::Server Net::Ident MailTools Net::IP Net::DNS Net::DNS::Resolver::Programmable Mail::SPF Mail::DKIM Geo::IP Net::Patricia Convert::TNEF Convert::UUlib Convert::BinHex Archive::Zip IO::Stringy MIME::Tools Unix::Syslog BerkeleyDB IO::Multiplex Net::LibIDN File::LibMagic

SpamAssassin

Get the SpamAssassin SlackBuild and build it.

After SpamAssassin is installed, edit the /etc/spamassassin.conf file and set the following options. You only really need ENABLED but the rest are a good idea.

ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
CRON=1

The SpamAssassin source no longer includes rules, so you’ll have to download them. Run sa-update to do this.

ClamAV

You’ll need a user and group created first.

groupadd -g 210 clamav
useradd -u 210 -d /dev/null -s /bin/false -g clamav clamav

Run the SlackBuild with the COUNTRY variable set to your country of choice.

Edit the /etc/clamd.conf file and change the LocalSocket and LocalSocketGroup options

LocalSocket /var/run/clamav/clamd.sock
LocalSocketGroup amavis

Let’s install amavisd-new before we update the ClamAV virus definitions.

amavisd-new

Create a user and group before you run the script.

groupadd -g 225 amavis
useradd -m -d /var/lib/amavis -s /bin/bash -u 225 -g 225 amavis

While we’re at it, go ahead and add the amavis user to the clamav group and vice versa.

usermod -G clamav -a amavis
usermod -G amavis -a clamav

Uncomment the lines @bypass_virus_checks_maps and @bypass_spam_checks_maps at the top of /etc/amavisd.conf and add the following

@bypass_virus_checks_maps = (
   %bypass_virus_checks, @bypass_virus_checks_acl, $bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   %bypass_spam_checks, @bypass_spam_checks_acl, $bypass_spam_checks_re);

Go down a bit further and uncomment @lookup_sql_dsn, then modify it to connect to your database using the Unix socket and the proper credentials. Amavis uses the DBD::mysql Perl module. The documentation states setting the host value to localhost will use the socket. This configuration will enable spam checking for the domains you’ve added to your database either manually or through Postfix Admin

@lookup_sql_dsn = (
    ['DBI:mysql:database=mail;host=localhost',
     'mail',
     'mailpassword']);
$sql_select_policy = 'SELECT domain from domain WHERE CONCAT("@",domain) IN (%k)';

There are a couple of other settings we can change. For instance, make sure you also set $max_servers to the same number of processes you allowed Amavis to use in /etc/postfix/master.cf. Setting the $sa_tag_level_deflt opton to a large negative number will ensure that spam headers are added to every single email. Change the user and group to the ones you created earlier, set up a home directory for configuration files and quarantine emails, and set your domain name (not the same as your hostname). Make sure you also uncomment the amavis section in @av_scanners. We are also setting the Unix socket for Amavis here too.

$max_servers  = 4;
$sa_tag_level_deflt  = -9999;
$daemon_user  = 'amavis';
$daemon_group = 'amavis';
$mydomain = 'example.org';
$myhostname = 'mail.example.org';
$MYHOME = '/var/lib/amavis';
$QUARANTINEDIR = "$MYHOME/virusmails";
$unix_socketname = "/var/spool/postfix/amavis/amavisd.sock";
$unix_socket_mode = 0660;
$interface_policy{'SOCK'} = 'mysock';
$policy_bank{'mysock'} = {
   protocol => 'LMTP',
   auth_required_release => 0,
}

Comment out $inet_socket_port and $interface_policy('10026'). There may already be an $interface_policy set up for AM.PDP-SOCK. Comment it out or modify it to what I have above. Notice we’re placing the socket in the Postfix queue directory, /var/spool/postfix. We’ll need to create the directory to hold the socket and assign some permissions as well.

mkdir /var/spool/postfix/amavis/
chmod 770 /var/spool/postfix/amavis/
chown amavis:postfix /var/spool/postfix/amavis/
usermod -G amavis -a postfix

Use the following commands to let Postfix create the amavis-accept PID:

cd /var/spool/postfix/public
ln -s ../amavis amavis
cd /var/spool/postfix/pid
mkdir unix.amavis
chown root:root unix.amavis
chmod 700 unix.amavis

In order for the above to work, we need to set a $forward_method in /etc/amavisd.conf. In my setup, amavisd-new would ignore that configuration option and insist on using TCP port 10025. I could not for the life of me figure out how to get it to use a socket no matter what value I tried. I ended up having to modify the /usr/sbin/amavisd Perl script directly. Look around line 926 or search for 10025. Comment out the existing $forward_method and replace it with this:

$forward_method = $have_inet6 && !$have_inet4 ? 'smtp:[::1]:10025' : 'smtp:/var/spool/postfix/amavis/amavis-accept';

Go through the rest of /etc/amavisd.conf file and modify any settings you might want changed.

Now go ahead and update your virus database by running freshclam as root. Don’t worry if you get a message from freshclam saying clamd was not updated. This is because we have not started clamd yet. We also need to fix some permissions to get all three to play nicely.

chmod 775 /var/lib/spamassassin/
chown amavis:amavis /var/lib/spamassassin/
chown -R amavis:amavis /var/lib/spamassassin/
chown -R amavis:amavis /var/lib/amavis
chown -R clamav:amavis /var/lib/clamav

Postgrey

Set up the user and group first, then run the SlackBuild.

groupadd -g 301 postgrey
useradd -u 301 -d /var/lib/postgrey -s /bin/false -g postgrey postgrey

Set POSTGREYUSR, POSTGREYGRP, POSTGREYUID and POSTGREYGID in the SlackBuild to the values you set earlier when you created them. You can get an updated version of postgrey_whitelist_clients from the Postgrey site and place it in /etc/postfix, replacing the one included with the SlackBuild.

Edit the /etc/rc.d/rc.postgrey script and set USER, GROUP, and HOST to their proper values. Feel free to get rid of PORT. Find the postgrey_start() function and edit the postgrey flags to make sure it uses a socket instead of TCP.

postgrey_start() {
  echo "Starting postgrey milter:  /usr/bin/postgrey -d --unix=/var/run/postgrey/postgrey.sock --pidfile=$PIDFILE --user=$USER --group=$GROUP --dbdir=/var/lib/postgrey --hostname=$HOST"
  mkdir -p /var/run/postgrey
  /usr/bin/postgrey -d \
                    --unix=/var/run/postgrey/postgrey.sock \
                    --pidfile=/var/run/postgrey/postgrey.pid \
                    --user=$USER --group=$GROUP \
                    --dbdir=/var/lib/postgrey \
                    --hostname=$HOST
}

The extracted source includes an init script, too. It’s in contrib/postgrey.init if you want to use it.

OpenDKIM, DNS and Building Trust

The setup up to this point should be pretty much complete and meet most people’s needs. Some mail servers are quite picky when it comes to receiving email. Gmail particularly doesn’t like when an email is not signed. The next section will walk you through signing your email with DomainKeys Identified Mail and setting up Sender Policy Framework. If you are using a hosting provider for your server, you will need to contact them and have them set up a PTR record for your IP address. This is also known as rDNS. Some mail servers will reject your email if the IP you are sending from does not point back to your domain name. In general, it should look something like this:

34.216.184.93.in-addr.arpa PTR 600 example.org

example.org MX 600 10 mail.example.org

That’s assuming mail.example.org points to your mail sever’s IP and you want a priority of 10. You can ask your DNS provider to add these for you. Check that the record has propagated with host:

$ host -t MX example.org
example.org mail is handled by 10 mail.example.org.

OpenDKIM

Install (libbsd), (opendbx), then grab my SlackBuild and install OpenDKIM. Set up the user and group first:

groupadd -g 305 opendkim
useradd -r -u 305 -g opendkim -d /var/run/opendkim/ -s /sbin/nologin -c "OpenDKIM Milter" opendkim

We’ll need to create the run directory as well:

mkdir -p /var/run/opendkim
chown opendkim:opendkim /var/run/opendkim

We are using MariaDB here so set the USE_MYSQL variable to yes and run the SlackBuild. I used a modified version of CentOS’s init script for rc.opendkim, but feel free to grab the one included in the source in the contrib/init/generic/ directory.

Once it’s installed, we’ll need to set up a basic configuration file. You can copy the sample one from opendkim/opendkim.conf.simple in the extracted source to /etc/opendkim and add the user and group we created earlier. Note that the SlackBuild already does this for you:

UserID opendkim:opendkim
KeyFile /etc/opendkim/keys/default.private

You’ll notice my init script will automatically create some default keys for you in /etc/opendkim/keys and create the directory if it doesn’t exist. We’re using Unix sockets in this guide, so let’s change a line in /etc/opendkim.conf:

Socket local:/var/run/opendkim/opendkim.sock

We’ll generate a 2048 bit key with the opendkim-genkey command. You can try something stronger like 4096 bits, but RFC 6376 suggests it might not fit in a 512 byte DNS UDP response. See section 3.3.3 Key Sizes for more information.

opendkim-genkey -b 2048 -D /etc/opendkim/keys -s mailsvr -d example.org

The selector is simply something to tell your key apart once you add it to your DNS records. You’ll end up with two files, mailsvr.private, which is your key, and mailsvr.txt which has a nicely formatted record you’ll need to add to your DNS zone. If you don’t manage your own DNS or have access to your zone file, simply copy the text starting with v=DKIM1 as a TXT record in whatever control panel your DNS provider uses. For the example above, this is what I got (truncated for demonstration):

"v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m8F6p1AD"

You’ll need to wait a while before the DNS record propagates but once it does you can check it with dig

dig mailsvr._domainkey.example.org TXT

Sender Policy Framework

This basically consists of adding another TXT record to your DNS zone. There used to be an SPF type record but this was removed in RFC 7208. You’ll want to add something like this:

v=spf1 a mx ~all

MariaDB

We’ll set up MariaDB first (the scripts are still named rc.mysqld):

chmod +x /etc/rc.d/rc.mysqld
/usr/bin/mysql_install_db --user=mysql
/etc/rc.d/rc.mysqld start
/usr/bin/mysql_secure_installation

Now create the user and database we’ll be using for Roundcube, Postfix Admin, and all other components.

CREATE DATABASE mail;
GRANT ALL PRIVILEGES ON mail.* TO "mail"@"localhost" \
IDENTIFIED BY "password-here";
FLUSH PRIVILEGES;

Start Up Email

Let’s start up the services we have so far in order to get all necessary files created properly. We’ll need the services running in order to set up Roundcube and Postfix Admin correctly.

You can place your startup commands in /etc/rc.d/rc.local and the stop commands in /etc/rc.d/rc.local_shutdown. Make sure both are executable and add this content

/etc/rc.d/rc.local

if [ -x /etc/rc.d/rc.php-fpm ]; then
        /etc/rc.d/rc.php-fpm start
fi

if [ -x /etc/rc.d/rc.nginx ]; then
        /etc/rc.d/rc.nginx start
fi

if [ -x /etc/rc.d/rc.postgrey ]; then
        /etc/rc.d/rc.postgrey start
fi

if [ -x /etc/rc.d/rc.clamav ]; then
        /etc/rc.d/rc.clamav start
fi

if [ -x /etc/rc.d/rc.spamd ]; then
        /etc/rc.d/rc.spamd start
fi

if [ -x /etc/rc.d/rc.amavisd-new ]; then
        /etc/rc.d/rc.amavisd-new start
fi

if [ -x /etc/rc.d/rc.postfix ]; then
        /etc/rc.d/rc.postfix start
fi

if [ -x /etc/rc.d/rc.dovecot ]; then
        /etc/rc.d/rc.dovecot start
fi

if [ -x /etc/rc.d/rc.opendkim ]; then
        /etc/rc.d/rc.opendkim start
fi

/etc/rc.d/rc.local_shutdown

if [ -x /etc/rc.d/rc.nginx ]; then
        /etc/rc.d/rc.nginx stop
fi

if [ -x /etc/rc.d/rc.php-fpm ]; then
        /etc/rc.d/rc.php-fpm stop
fi

if [ -x /etc/rc.d/rc.opendkim ]; then
        /etc/rc.d/rc.opendkim stop
fi

if [ -x /etc/rc.d/rc.postfix ]; then
        /etc/rc.d/rc.postfix stop
fi

if [ -x /etc/rc.d/rc.dovecot ]; then
        /etc/rc.d/rc.dovecot stop
fi

if [ -x /etc/rc.d/rc.postgrey ]; then
        /etc/rc.d/rc.postgrey stop
fi

if [ -x /etc/rc.d/rc.amavisd-new ]; then
        /etc/rc.d/rc.amavisd-new stop
fi

if [ -x /etc/rc.d/rc.clamav ]; then
        /etc/rc.d/rc.clamav stop
fi

if [ -x /etc/rc.d/rc.spamd ]; then
        /etc/rc.d/rc.spamd stop
fi

Roundcube and Postfix Admin

The same advice from my previous post regarding web based interfaces applies.

Postfix Admin

The most notable change between the 2.92 version used in my previous guide 3.2.1 as of this writing are the ability to reset passwords via email/SMS and the move of most of the files to the public/ directory.

cd /var/www/
wget https://github.com/postfixadmin/postfixadmin/archive/postfixadmin-3.2.1.tar.gz
tar -xzf postfixadmin-3.2.1.tar.gz
ln -s postfixadmin-postfixadmin-3.2.1 postfixadmin
cd postfixadmin
mkdir templates_c
chown nginx:root templates_c

Make a copy of config.inc.php as config.local.php and make your changes there. The ones we need for this guide are

<?php
$CONF['configured'] = true;
$CONF['database_type'] = 'mysql';
$CONF['database_user'] = 'mail';
$CONF['database_password'] = "password-here";
$CONF['database_name'] = 'mail';
$CONF['database_socket'] = '/var/run/mysql/mysql.sock';
$CONF['admin_email'] = 'admin@example.org';
$CONF['encrypt'] = 'dovecot:SHA512-CRYPT';
$CONF['dovecotpw'] = "/usr/bin/doveadm pw";
$CONF['default_aliases'] = array (
    'abuse' => 'abuse@example.org',
    'hostmaster' => 'hostmaster@example.org',
    'postmaster' => 'postmaster@example.org',
    'webmaster' => 'webmaster@example.org',
    'virusalert' => 'virusalert@example.org',
    'admin' => 'admin@example.org'
 );
$CONF['domain_path'] = 'NO';
$CONF['domain_in_mailbox'] = 'YES';
$CONF['footer_text'] = 'Return to example.org';
$CONF['footer_link'] = 'https://example.org';
$CONF['emailcheck_resolve_domain']='NO';
$CONF['password_expiration'] = 'NO';
?>

This tells Postfix Admin to use Dovecot’s crypt() scheme for passwords and to connect to MariaDB using Unix sockets. Next, visit https://mail.example.org/postfixadmin/setup.php and complete the setup. Make sure you add your $CONF['setup_password'] obtained from setup.php to config.local.php. Do this before clicking on Add Admin.

We will need to move all our Dovecot configuration to a single file in order to appease Postfix Admin. It seems it has trouble parsing the !include conf.d/*.conf line in /etc/dovecot/dovecot.conf

cp /etc/dovecot/dovecot.conf{,.bk}
doveconf -n > /etc/dovecot/dovecot.conf
chmod 644 /etc/dovecot/dovecot.conf
usermod -G dovecot -a nginx

Add Email Domains and Mailboxes

Log in to https://mail.example.org/postfixadmin and head over to Domain List > New Domain. Fill in whatever works for you here to add a new domain, then head to Virtual List > Add Mailbox and create your first user. I set up example.org as an email domain and admin@example.org as my first user. Doing this will generate the needed database schema that Postfix will use. Go ahead and play around with this and make sure your aliases are set up

Roundcube

The latest version of Roundcube is now 1.3.8, up from 1.1.1 used in my previous guide. We’ve already set up the nginx configuration for Postfix Admin and Roundcube so now we just have to download their files and run the installers.

cd /var/www/
wget https://github.com/roundcube/roundcubemail/releases/download/1.3.8/roundcubemail-1.3.8-complete.tar.gz
tar -xvzf roundcubemail-1.3.8-complete.tar.gz
ln -s roundcubemail-1.3.8 roundcubemail
cd roundcubemail

We’ll need to create a database for Roundcube to use. Log in to MariaDB with mysql -u root -p and create it. Make sure you use a strong password.

CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
GRANT ALL PRIVILEGES ON roundcubemail.* TO "roundcube"@"localhost" \
IDENTIFIED BY "password-here";
FLUSH PRIVILEGES;

Roundcube includes an SQL file that can create the necessary database structure for you

mysql -u roundcube roundcubemail -p < SQL/mysql.initial.sql

Make sure you do not enable spellchecking support. If you do, Roundcube will connect to external services to check your spelling. Why would we go through all this trouble to have a third party see every word we type?

IMAP and SMTP Settings

We’re going to set default_host to tls://mail.example.org in the IMAP Settings section. In the SMTP Settings section, set smtp_server to tls://mail.example.org , smtp_port to 587 and check the Use the current IMAP username and password for SMTP authentication option. Click on Create config.

After it’s done writing your configuraiton file, go through config/config.inc.php and see if you’d like to change anything.

Plugins

You can enable whichever plugins best fit your needs. The only one we really need to set up the email filtering we discussed is managesieve.

Finishing Up

Username: testuser@example.org
Incoming (IMAP) server: mail.example.org
Port: 993
SSL/TLS Enabled
Authentication: Plain (Normal Password)

Username: testuser@example.org
Outgoing (SMTP) server: mail.example.org
Port: 587
STARTTLS Enabled
Authentication: Plain (Normal Password)

The first time you receive an email, it’ll be greylisted thanks to Postgrey. Check /var/log/maillog:

Apr 24 22:38:56 mail postgrey[945]: action=greylist, reason=new, client_name=mail.example.net, client_address=61.4.1.30, sender=testuser@example.net, recipient=testuser@example.org
Apr 24 22:38:56 mail postfix/smtpd[19527]: NOQUEUE: reject: RCPT from mail.example.net[63.4.1.30]: 450 4.2.0 <testuser@example.org>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.org.html; from=<testuser@example.net> to=<testuser@example.org> proto=ESMTP helo=<mail.example.net>

Apr 24 22:48:23 mail amavis[1078]: (01078-02) Passed CLEAN {RelayedInbound}, [63.4.1.30]:43126 [63.4.1.30] <testuser@example.net> -> <testuser@example.org>

You can also test your anti-virus using the EICAR test file. Send yourself an email from another mail server with only the following string in the body:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

It will be detected as a virus and you’ll see this in the log as well:

Apr 24 23:05:25 mail postfix/qmgr[1060]: BF9D558771: from=<virusalert@example.org>, size=2092, nrcpt=1 (queue active)
Apr 24 23:05:25 mail amavis[21120]: (21120-01) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [63.4.1.30]:36539 [63.4.1.30] <testuser@example.net> -> <testuser@example.org>, quarantine: /var/lib/amavis/virusmails

In a similar fashion, you can test your spam filter using the GTUBE. Send a message from another mail server to yourself with only the following string in the body:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

It will be detected as spam and you’ll see this in the log as well:

Apr 24 23:13:44 mail amavis[21119]: (21119-01) Passed SPAM {RelayedTaggedInternal,Quarantined}, [63.4.1.30]:36539 [63.4.1.30] <testuser@example.net> -> <testuser@example.org>, quarantine: /var/lib/amavis/virusmails

Other Considerations

Slackware Mail Server with MySQL, Postfix, and Dovecot

2015-04-25T00:00:00-05:00

Introduction

This post contains some suggestions for a mildly secure mail server running on a Slackware Linux host. The guide assumes a default, fresh installation of Slackware64 14.1 that includes at least the A/, AP/, D/, L/, and N/ package series. By the end of the tutorial, you will have:

Postfix for encrypted connections over SMTP and removing identifying information from the email headers
Dovecot for local mail directories and encrypted connections over POP and IMAP
MariaDB a drop-in replacement for MySQL to store mailbox information
Postgrey which will require unknown senders to resend their mail, eliminating most spam
SpamAssassin for e-mail spam filtering based on content-matching rules
ClamAV to detect trojans, viruses, malware and other malicious threats in your email
amavisd-new to manage ClamAV and SpamAssasin
OpenDKIM a DomainKeys Identified Mail (DKIM) milter to sign and/or verify mail
nginx as a webserver (optional)
Postfix Admin to manage mailboxes and domains using a TLS secured web user interface (optional)
Roundcube as a TLS secured webmail client (optional)

I based some of the Postfix and Dovecot configuration options on an existing mailserver guide by Reason.

Why?

There are a number of reasons you may want to host your own email. The Internet of today is not the Internet of yesterday. There is a movement to decentralize the internet and regain control of one’s data. You and others may want to distance yourself from “the stacks”: the internet companies that control a large portion of it. Think of the chaos that ensues whenever CloudFlare’s hardware fucks up and how much of the internet relies on providers like them and Akamai. Think of the companies that have presence in every aspect of your digital life. Today, you can be woken up by the alarm on your Google Nexus phone, running Google’s version of Android. You’ll check your email on Gmail and plan your day using Google Calendar on your Google Chromebook running Chrome OS, through your Google Fiber internet connection. They may even be your domain registrar. Watch your Google TV while you eat breakfast. You can put on Google Glass and get a quick bike route to work on Google Maps. Listen to Google Music while you drive. Go over your presentation and spreadsheets on Google Docs and save them on Google Drive. What if Google disappeared tomorrow? The infrastructure of the internet is just as fragile and people want to keep control of their data.

We also have hackers breaking into crypto currency exchanges and vendors bundling spyware with their PCs. Single points of failure are common, with the organizations in charge not even being able to trust each other:

Both the US commerce department and the Department of Homeland Security take a close interest, to differing degrees, in ICANN’s operations. In the wake of the ongoing revelations of NSA spying, and of undermined internet security, this does not sit well with many of ICANN’s overseas partners. Some, including Russia and Brazil – whose president has made such demands very public – are calling for a complete overhaul of how the internet is run, suggesting it should be put under UN auspices.

Read Ken Thompson’s Reflections on Trusting Trust and see why you can’t even trust your compiler. Trust is difficult. Email is horribly insecure.

A note about hosting providers

There are a number of hosting providers that offer Slackware images, mostly based in the U.K. Linode offers some cheap VPS plans and is based in the US. I got the folks at CloudSigma to build a Slackware image which I’m sure they’ll happily provide if you ask. The guys at LQ also offer some suggestions. In general, you want to keep these things in mind:

Where is the company based? If it’s a publicly traded company, who is involved?
Does the company own their data centers or are they colocated?
Where are the data centers located? Does the country have strong privacy laws?

You’ll also want to pay attention to any modifications they may make to the images they provide. Linode, for example, provide their own custom kernel and have the -current branch of Slackware selected in /etc/slackpkg/mirrors. They also have a very minimal system with only the absolute necessary packages necessary to run the OS installed. You’ll want to skip installing glibc-zoneinfo. It turns out if you set the date on the server and then proceed to install that package, your /etc/localtime file will become corrupted. I notified Linode about this issue but they didn’t seem to care too much. On the CloudSigma platform watch out for a script they add to /etc/rc.d/rc.local that creates a shell user for them and checks your host keys. There may be other caveats on other providers. Make sure you check the OS thoroughly. You’ll also have to make some changes if you roll your own image. Most of the time, you will have to chroot and create an initrd right after installation, before rebooting:

chroot /mnt
/usr/share/mkinitrd/mkinitrd_command_generator.sh | sh

You’ll need to edit /etc/lilo.conf and add some parameters to your global and partition sections. These were taken from a CloudSigma image. They should work on other KVM based cloud platforms that allow you to upload your own ISO, such as Vultr:

# Start LILO global section
lba32
append=" vt.default_utf8=0 elevator=deadline"
boot=/dev/vda
disk=/dev/vda bios=0x80 max-partitions=7
bitmap = /boot/slack.bmp
bmp-colors = 255,0,255,0,255,0
bmp-table = 60,6,1,16
bmp-timer = 65,27,0,255
prompt
timeout = 100
reset
vga = normal
# End LILO global section
# Linux bootable partition config begins
image = /boot/vmlinuz
initrd = /boot/initrd.gz
root = /dev/vda2
label = Slackware64
read-only
# Linux bootable partition config ends

Adjust your root device accordingly or contact your provider for assistance. Don’t forget to run lilo -C /mnt/etc/lilo.conf before rebooting.

Self host

Another option you have is setting this up in a physical server in your home. Former secretary of state Hillary Clinton certainly thought it was a good idea:

[She] used a private email account rather than her official State.gov email address while serving in the State Department. And this was no Gmail or Yahoo! Mail account: On Wednesday the AP reported that Clinton actually ran a private mail server in her home during her entire tenure leading the State Department, hosting her email at the domain Clintonemail.com.

The article questions her use of a private domain registrar and a self-signed certificate. These are real concerns and unfortunate tradeoffs that have to be made for those of us who are unable to register a .gov domain or purchase a certificate from a “trusted” authority. Some argue a self-signed certificate is more secure than one purchased from a certificate authority (only trust yourself), but if you want to get rid of those pesky browser warnings you’ll need to had over some money to a certificate authority.

This setup will most likely involve some port forwarding being done on your modem or router. Preferably, you should also have a static IP. Most ISPs don’t allow residential customers to host mail servers using their service. Contact them if you have any doubts.

Now we’re ready to get started.

Preparation

Hostname

Set up an FQDN as your hostname. We’ll use mail.example.org:

echo "mail.example.org" > /etc/HOSTNAME 
hostname -F /etc/HOSTNAME

PHP + nginx

Install nginx

I recently switched my site to nginx so I’ll be sticking with that for Postfix Admin and Roundcube. You’ll need to compile nginx with support for FastCGI and memcached to better support Roundcube so you’re probably better off using the build from SlackBuilds than the configure options I gave in the linked post. Create your webserver user:

useradd -r -M -U -c "User for nginx" -d /srv/httpd -s /bin/false nginx

If you choose to install from source, there is a handy modification you can make to the code before compiling. As of this writing, the most recent stable release of nginx is 1.8.0. Extract the source archive and change into the new directory:

tar -xvzf nginx-1.8.0.tar.gz
cd nginx-1.8.0

Next, we’ll edit two files to remove some identifying information. The first of these is the src/http/ngx_http_header_filter_module.c file in the extracted source. We are going to remove the Server: string of the host. You don’t really need to advertise this especially if you’ll be the only user on the server (or just a few friends). The Server: string is found in lines 49-50. You will also need to change lines 281-282:

--- a/src/http/ngx_http_header_filter_module.c    2015-04-10 08:33:35.000000000 -0600
+++ b/src/http/ngx_http_header_filter_module.c    2015-04-10 09:33:35.000000000 -0600
@@ -46,8 +46,8 @@
 };
 
 
-static char ngx_http_server_string[] = "Server: nginx" CRLF;
-static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
+static char ngx_http_server_string[] = "";
+static char ngx_http_server_full_string[] = "";
 
 
 static ngx_str_t ngx_http_status_lines[] = {
@@ -278,8 +278,8 @@
     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
     if (r->headers_out.server == NULL) {
- len += clcf->server_tokens ? sizeof(ngx_http_server_full_string) - 1:
- sizeof(ngx_http_server_string) - 1;
+ len += clcf->server_tokens ? sizeof(ngx_http_server_full_string) - 0:
+ sizeof(ngx_http_server_string) - 0;
     }
 
     if (r->headers_out.date == NULL) {

The next edit will remove it from the auto generated error pages as well. This is done in the src/http/ngx_http_special_response.c file in lines 21 and 28. In this same file you can also change the HTML for each of the server error pages such as 301, 404, etc:

--- a/src/http/ngx_http_special_response.c        2015-04-10 08:33:35.000000000 -0600
+++ b/src/http/ngx_http_special_response.c        2015-04-10 09:33:35.000000000 -0600
@@ -18,18 +18,8 @@
 static ngx_int_t ngx_http_send_refresh(ngx_http_request_t *r);
 
 
-static u_char ngx_http_error_full_tail[] =
-"<hr><center>" NGINX_VER "</center>" CRLF
-"</body>" CRLF
-"</html>" CRLF
-;
-
-
-static u_char ngx_http_error_tail[] =
-"<hr><center>nginx</center>" CRLF
-"</body>" CRLF
-"</html>" CRLF
-;
+static u_char ngx_http_error_full_tail[] = "" CRLF;
+static u_char ngx_http_error_tail[] = "" CRLF;
 
 
 static u_char ngx_http_msie_padding[] =

Once you’ve made these changes, go ahead and compile. You can still use the SlackBuild if you tar up the sources, otherwise, just ./configure && make && make install. You’ll want to add the --with-http_spdy_module to add support for SPDY, the starting point for HTTP 2.0. If you use the SlackBuild don’t forget to change the VERSION, USER and GROUP variables in the script.

Unfortunately there is no init script included with the source, but you can use rc.nginx from the SlackBuild. If you want to enable syntax highlighlting for the nginx.conf file in vim, copy the contrib/vim directory from the extracted source to ~/.vim.

SSL Certificate

This is a tough one. The SHA-1 hash algorithm has been “sunsetting” since back in 2014 thanks to Google so stay away from that, not just because Google says so but because they have good reason to. You’ll hear everyone urging to move from RSA to ECDSA but then it turns out NIST curves are suspicious.. You can feel free to browse a list of Safe Curves but you’ll be hard pressed to find any Certificate Authority that offers any certificate using non-NIST curves. Browser vendors also tend to only support these as well. To that end, you can then refer to things like Mozilla’s Modern Compatibility ciphersuite selection for your nginx SSL configuration. The linked example will require modern browsers and mobile devices like Android 4.4+ in order to work properly. Let’s say you go with a relatively strong NIST curve like secp384r1 for compatibility (or the stronger secp521r1 if not). You’ll need to find a Certificate Authority that provides ECC SSL certificates such as Comodo or DigiCert. The suggested configuration below will include support for HSTS and PFS to completely get rid of plain HTTP access to the server. It will also provide support for SPDY.

Configure nginx

Let’s set up some Server Blocks (VirtualHosts if you’re coming from Apache) to serve content. Your nginx.conf file will need an events section which can be left blank to activate the defaults or modified depending on the load you’re expecting on the server.

events {
}

http {
	charset                   utf-8;
	default_type              application/octet-stream;
	ignore_invalid_headers    on;
	include                   /etc/nginx/mime.types;
	server_tokens             off;
	server_name_in_redirect   off;
	source_charset            utf-8;
	ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA;
	ssl_ecdh_curve secp384r1;
	ssl_prefer_server_ciphers on;
	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
	
	server {
		access_log  /var/log/nginx/access.log main buffer=32k;
		error_log   /var/log/nginx/error.log error;
		listen      80;
		server_name mail.example.org;
		root        /var/empty;
		return 301 https://mail.example.org$uri;
	}

	server {
		add_header  Strict-Transport-Security "max-age=315360000; includeSubdomains; preload";
		access_log  /var/log/nginx/access.log main;
		error_log   /var/log/nginx/error.log info;
		index       index.php;
		listen      443 ssl spdy;
		root        /var/www/html/mail.example.org;
		server_name mail.example.org;

		ssl on;
		ssl_session_cache shared:SSL:1m;
		ssl_certificate /ssl_keys/crt/mail.example.org.crt;
		ssl_certificate_key /ssl_keys/key/mail.example.org.key;
		
	}
}

You will notice I am only allowing TLS and disabling SSL. I used /var/www/html/mail.example.org as the site’s root for easier management, but you can use whatever you feel comfortable with. Make sure that whatever directory structure you choose allows the nginx user and group to write to it.

Configure PHP

Slackware’s default PHP installation is already compiled with support for GD, curl, mcrypt, and XML parsing. As mentioned before, you’ll probably want to install some extensions to increase performance. I’m going with memcached, which you can also obtain from SlackBuilds.

If you choose to install memcached, don’t forget to install the PHP extension as well. You can grab the older memcache extension from SlackBuilds, but it’s probably easier to install the newer (confusingly named) memcached extension through PECL:

pecl install memcached

This will require that you have libmemcached (SlackBuild) installed. Remember to add extension=memcached.so to your php.ini file or simply create a new /etc/php/memcached.ini file with that content. You’ll also want to change the user memcached runs as in the /etc/rc.d/rc.memcached init script to nginx if you went the SlackBuilds route. I also recommend giving it its own run directory, assigning it to the nginx user and group, and modifying the value of PID to /var/run/memcached/memcached.pid in /etc/rc.d/rc.memcached. In addition, add -s /var/run/memcached/memcached.sock to the memcached_start() function in the same file to use a socket instead of TCP:

mkdir /var/run/memcached
chown nginx:nginx /var/run/memcached

While we’re changing permissions, you’ll also need to change the permissions of /var/lib/php since we’re using nginx instead of Apache to run PHP:

chown root:nginx /var/lib/php/

Note that in order to make proper use of GD, you’ll need some X11 libraries. These are most likely not installed if you’re working on a headless server. Get the needed dependencies from a Slackware mirror:

slackpkg install libX11 libXpm libxcb libXau libXdmcp

PHP-FPM with FastCGI in nginx

The default Slackware install includes PHP-FPM so you’ll need to make sure the startup script is executable. Start PHP-FPM at least once to let it create its default configuration files:

chmod +x /etc/rc.d/rc.php-fpm
/etc/rc.d/rc.php-fpm start
/etc/rc.d/rc.php-fpm stop

We’ll be making some changes to the www pool in /etc/php-fpm/php-fpm.conf. First, change the user and group lines to nginx, with listen mode set to 0666. We’re going to be using Unix sockets throughout this guide so change listen to /var/run/php-fpm.sock . We also need to add .htm and .html files to the scripts FPM will allow to pass. The relevant lines should look like this:

[www]
user = nginx
group = nginx
listen = /var/run/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0666
security.limit_extensions = .php .php3 .php4 .php5 .html .htm

We’ll need to add a new location block inside the HTTPS server block in /etc/nginx/nginx.conf telling it to use the FastCGI server we set up previously for PHP files:

location ~ ^(.+?\.php)(/.*)?$ {
fastcgi_param HTTPS on;
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm.sock;
fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}

Feel free to adjust those values to your needs. Pay attention to fastcgi_pass, which connects to the Unix socket.

Dovecot

We are going to be using Dovecot to handle secure IMAP and POP3 connections and for SMTP authentication. Postfix Admin will store the user information in this setup instead of creating a Unix account for each one. The email will be stored in /var/vmail organized by domain and user, so the email for admin@example.org would be stored in /var/vmail/example.org/admin. We’ll create a single user to own the mailboxes on the system and let Dovecot manage them. Dovecot will also need its own user and group:

useradd -r -d /var/vmail -s /bin/false -u 150 -g 12 vmail
mkdir /var/vmail
chmod 770 /var/vmail
chown vmail:mail /var/vmail
groupadd -g 202 dovecot
useradd -d /dev/null -s /bin/false -u 202 -g 202 dovecot
groupadd -g 248 dovenull
useradd -d /dev/null -s /bin/false -u 248 -g 248 dovenull

Make sure the GIDs and UIDs used above do not interfere with any of your current users and groups. You can compile Dovecot from source with a simple ./configure && make && make install or grab the SlackBuild. Edit the VERSION variable in the SlackBuild to build the latest version, which is 2.2.16 as of this writing. If you build from source on your own, make sure you compile with the --with-mysql flag to enable MariaDB support. You are also responsible for creating an init script to manage the service. There is one provided in the source in doc/dovecot-initd.sh which should work with Slackware after some minor adjustments. You can also use Alan Hick’s simplied version from the SlackBuild if you like. Make sure it’s executable as well.

Once you have Dovecot installed, copy over the example configuration files from /usr/doc/dovecot-2.2.16/example-config into /etc/dovecot and change its permissions while you’re there:

cp -r /usr/doc/dovecot-2.2.16/example-config/* /etc/dovecot/
chown -R vmail:dovecot /etc/dovecot
chmod -R o-rw /etc/dovecot

We are going to set up the database connection between Dovecot and MariaDB in the /etc/dovecot/dovecot-sql.conf.ext file. Edit that file and make sure you set the following options:

driver = mysql
connect = host=/var/run/mysql/mysql.sock dbname=mail user=mail password=password-here
default_pass_scheme = SHA512-CRYPT

You will also need to add two queries, password_query to retrieve passwords and user_query to get user information. This information will be obtained from the schema Postfix Admin will create. If you didn’t want to install the Postfix Admin web interface, you can still use it to generate schema for you so you can add users manually and still have Dovecot find them. Of course if you’re good with databases you can make up your own and tell Dovecot here how to find your users. See Dovecot’s SQL documentation for more. Either way, here’s what you need to add for Postfix Admin:

	
password_query = \
  SELECT username as user, password, '/var/vmail/%d/%n' as \
  userdb_home, 'maildir:/var/vmail/%d/%n' as userdb_mail, \
  150 as userdb_uid, 12 as userdb_gid \
  FROM mailbox WHERE username = '%u' AND active = '1'

user_query = \
  SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' \
  as mail, 150 AS uid, 12 AS gid, \
  concat('dirsize:storage=', quota) AS quota \
  FROM mailbox WHERE username = '%u' AND active = '1'

The next file to edit is /etc/dovecot/conf.d/10-auth.conf. We will enable the SQL configuration file we just modified and disable plaintext authentication unless it’s already encrypted through TLS. We’ll also disable the auth-system.conf.ext file that’s loaded by default. Don’t worry about authenticating with plain text; your connection will be secured with TLS so this is safe:

	
disable_plaintext_auth = yes
auth_mechanisms = plain login
#!include auth-system.conf.ext
!include auth-sql.conf.ext

Now we’re going to tell Dovecot where the email is stored in the filesystem. Change the UID in the following lines in /etc/dovecot/conf.d/10-mail.conf to whatever you set it to when you created the vmail user:

	
mail_location = maildir:/var/vmail/%d/%n
mail_uid = vmail
mail_gid = mail
first_valid_uid = 150
last_valid_uid = 150

You need to edit /etc/dovecot/conf.d/10-ssl.conf and set the path to the SSL certificate you obtained earlier for nginx. We are going to disable SSLv3 as we did with the web server. We can use the same SSL ciphers here

ssl = yes
ssl_cert = </ssl_keys/crt/mail.example.org.crt
ssl_key = </ssl_keys/key/mail.example.org.key
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list =  ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA
ssl_prefer_server_ciphers = yes

Dovecot needs to know how to authenticate to the userdb so uncomment the user, group, and mode lines in the unix_listener auth-userdb section of the service auth block in /etc/dovecot/conf.d/10-master.conf. You also need to set up a unix listener for Postfix. Uncomment that section as well and add postfix as the user and group. We’ll create those later when we’re setting up Postfix.

service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = vmail 
    group = mail
  }
}

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

Postfix

Installing Postfix is simple if you use Alan Hick’s excellent SlackBuild script. Set the DATABASE variable to mysql before running the script to enable MariaDB support. You have the option, of course, to compile from source yourself. In that case you will need to pay attention to the Postfix configuration parameters outlined in section 4.6.2 of the INSTALL file in Postfix’s official documentation . Whichever you choose, you will need to create a user and group for Postfix. Wietse suggests in the INSTALL file to create a postfix user with no login shell or home directory and a postdrop group with a group ID that is not used by any other account, even the postfix user. The SlackBuild script has the following, which is what I went with:

groupadd -g 200 postfix
groupadd -g 201 postdrop
useradd -u 200 -d /dev/null -s /bin/false -g postfix postfix

You’re also going to need a startup script. Alan’s rc.postfix script is good enough. We’re going to need the following configuration files to tell Postfix how to find your users in the database. These are lifted straight from Reason’s guide. Note in our setup, we’re using Unix sockets so that has been changed to localhost. This will cause Postfix to connect to the default domain socket. The username and password used here are the same we’ll use when we set up Postfix Admin.

/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
query = SELECT goto FROM alias,alias_domain
  WHERE alias_domain.alias_domain = '%d'
  AND alias.address=concat('%u', '@', alias_domain.target_domain)
  AND alias.active = 1

/etc/postfix/mysql_virtual_alias_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'

/etc/postfix/mysql_virtual_domains_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'

/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
query = SELECT maildir FROM mailbox, alias_domain
  WHERE alias_domain.alias_domain = '%d'
  AND mailbox.username=concat('%u', '@', alias_domain.target_domain )
  AND mailbox.active = 1

/etc/postfix/mysql_virtual_mailbox_maps.cf

user = mail
password = mailpassword
hosts = localhost
dbname = mail
table = mailbox
select_field = CONCAT(domain, '/', local_part)
where_field = username
additional_conditions = and active = '1'

	
/^Received:/                 IGNORE
/^User-Agent:/               IGNORE
/^X-Mailer:/                 IGNORE
/^X-Enigmail:/               IGNORE
/^X-Originating-IP:/         IGNORE
/^x-cr-[a-z]*:/              IGNORE
/^Thread-Index:/             IGNORE
/^\s*Mime-Version: 1.0.*/    REPLACE Mime-Version: 1.0

Postfix Main Configuration

There are way too many Postfix configuration options to be able to go through them all here. The default configuration file at /etc/postfix/main.cf should have some good defaults which you can make minor adjustments to. We are specifically adding header_checks and mime_header_checks to enable the /etc/postfix/header_checks file we created earlier.

myhostname = mail.example.org
myorigin = /etc/hostname
inet_interfaces = all
mynetworks = 127.0.0.0/24 [::ffff:127.0.0.0]/104 [::1]/128
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/header_checks
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no

The next section is to use Dovecot for authentication. You’ll need to add these

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes

We’ll set up TLS next. We’re disabling the use of any SSL versions. The last two options are to force incoming and outgoing SMTP connections to use TLS. This may have some unwanted consquences. If a mail server you are trying to reach does not support this, you will not be able to communicate with it. You can change these options to may instead of encrypt to enable TLS but not enforce it. Check your logs frequently and if you see any incoming connections without TLS, you can suggest that server’s admin to enable this feature.

smtpd_tls_cert_file=/ssl_keys/crt/mail.example.org.crt
smtpd_tls_key_file=/ssl_keys/key/mail.example.org.key
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt

The SMTP parameters are below. You can tweak these to your tastes. These have to do with the amount of times server connections are retried if failed, how long you want to keep mail in your queue (in case the remote server is not reachable for some time), recipient limits, and so on.

delay_warning_time = 4h
maximal_queue_lifetime = 4d
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
smtp_helo_timeout = 60s
smtpd_recipient_limit = 16
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12

We need to add some restrictions regarding who can send and receive mail on this server. This also allows for checks against various DNSBLs to block spam. We’ll also need check_policy_service for Postgrey later on and we’ll set up the milters to use OpenDKIM. Use Unix sockets here.

smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client b.barracudacentral.org
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service unix:/var/run/postgrey/postgrey.sock, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service unix:/var/run/postgrey/postgrey.sock, permit
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
mailbox_size_limit = 0
recipient_delimiter = +
non_smtpd_milters=unix:/var/run/opendkim/opendkim.sock
smtpd_milters=unix:/var/run/opendkim/opendkim.sock

The next section will use the MySQL configuration files we set up earlier and tell Postfix were the mail folders are located. Pay attention to the UID and GID used.

virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
virtual_uid_maps = static:150
virtual_gid_maps = static:12
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf

Finally, we’re going to integrate Postfix with Amavis and Dovecot.

virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
content_filter = amavis-forward:unix:amavis/amavisd.sock

Postfix Master Configuration

That should take care of the /etc/postfix/main.cf file. Now let’s edit /etc/postfix/master.cf. Check the file out before editing to get a feel for the format and read the comments describing what the options do. Some of them you can edit and others you’ll have to add. First we’ll set up SMTP with TLS on port 587 and SMTPS on port 465

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_tls_security_options=noanonymous
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous

We’ll set up Amavis integration. Note the number 4 in the first line. This is the number of processes Amavis is allowed to run. Incrase this if you need more.

amavis-forward      unix    -       -       -       -       4       lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
amavis/amavis-accept unix    n       -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o cleanup_service_name=cleanup
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Uncomment the other external delivery methods if you need them. Let’s not forget to set up the Dovecot for local delivery

dovecot      unix   -        n      n       -       -   pipe
  flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/dovecot-lda -d $(recipient)

MariaDB and Postfix Admin

A note about web based interfaces

Installing a web based user interface for any of these services is entirely optional. This makes some tasks easier, such as adding a new domain and mailbox to your Postfix database. A web based email client can be beneficial if you are in an unfamiliar environment and only have access to a browser. However, you are increasing the attack vectors to your server. Web based control panels have long been a favorite gateway for script kiddies to gain unauthorized access to servers due to their popularity. You can protect yourself against common attacks (bots looking for /roundcube, install.php, etc) by renaming the directory where the website files reside so they’re no longer accessible or changing the permissions. You can restrict access only to your home IP using your server’s firewall or through some file access rules in nginx.conf. You can also simply not install them at all and work through the command line. For the sake of completeness, this guide will assume you want them.

MariaDB Initial Setup

Slackware officially switched to MariaDB starting with 14.1 but the init scripts are still named rc.mysqld. It should be included in a default Slackware install as part of the AP/ series, but if you don’t have it just type slackpkg install mysql as root. Make sure the program starts at boot:

chmod +x /etc/rc.d/rc.mysqld

Now we need to perform the first time setup:

/usr/bin/mysql_install_db --user=mysql

Start MariaDB then perform the secure installation. Make sure to set up a secure password for MariaDB’s root user.

/etc/rc.d/rc.mysqld start
/usr/bin/mysql_secure_installation

Once that’s set up, log in as root using mysql -u root -p and create the user and database that we’ll use for Postfix Admin. Choose a secure password here.

CREATE DATABASE mail;
GRANT ALL PRIVILEGES ON mail.* TO "mail"@"localhost" \
IDENTIFIED BY "password-here";
FLUSH PRIVILEGES;

Postfix Admin

This one is a breeze to set up. You can create a new server block in nginx.conf to set it up as a subdomain, but I chose to install it as a subdirectory. Change into your main site’s root and download the latest Postfix Admin tarball. As of this writing, that’s 2.92:

cd /var/www/html/mail.example.org/
wget http://softlayer-dal.dl.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.92/postfixadmin-2.92.tar.gz
tar -xzf postfixadmin-2.92.tar.gz 
mv postfixadmin-2.92 postfixadmin     
chown -R nginx:nginx postfixadmin
cd postfixadmin

You can modify config.inc.php, but I recommend you create a new config.local.php and place your settings there. This has the advantage that whatever you don’t explicitly set is left at the default value in config.inc.php and whatever you change takes precedence. This way your changes won’t be overwritten if you decide to upgrade Postfix Admin. Now we’re going to add some lines to tell Postfix Admin how to connect to MariaDB. We are also going to set configured to true and tell it how to store its data. The passwords will be stored using Dovecot’s crypt scheme:

$CONF['configured'] = true;
$CONF['database_type'] = 'mysql';
$CONF['database_host'] = 'localhost:/var/run/mysql/mysql.sock';
$CONF['database_user'] = 'mail';
$CONF['database_password'] = 'password-here';
$CONF['database_name'] = 'mail';
$CONF['domain_path'] = 'NO';
$CONF['domain_in_mailbox'] = 'YES';
$CONF['encrypt'] = 'dovecot:SHA512-CRYPT';
$CONF['dovecotpw'] = "/usr/bin/doveadm pw";

Again, note that we are connecting using the MariaDB Unix socket. Next, visit https://mail.example.org/postfixadmin/setup.php to generate a setup password to use in config.local.php. If you have been following this guide carefully, you should see everything OK. If you don’t see the setup page, check your nginx log files for any PHP errors or permission errors. I’ve found from experience that these PHP applications sometimes have difficulty parsing complex passwords in configuration files so if your database connection is failing, try removing some special characters from your password. Take it up with the developers, not me.

Before you continue, we’ll need to make a few changes to the Dovecot configuration files. We’ve made all the configuration changes in the /etc/dovecot/conf.d directory so far. It turns out Postfix Admin has some difficulty parsing the !include conf.d/*.conf line in /etc/dovecot/dovecot.conf, so we’ll need to move all our configuration to that file. This is simple enough with the doveconf utility. We’ll need to change the permissions of that file and add nginx to the dovecot group to give Postfix Admin access.

cp /etc/dovecot/dovecot.conf{,.bk}
doveconf -n > /etc/dovecot/dovecot.conf
chmod 644 /etc/dovecot/dovecot.conf
usermod -G dovecot -a nginx

Once you’ve got that sorted out and placed your setup password in config.local.php, the setup will ask you to create an admin user for Postfix Admin. You will need to provide the setup password you selected earlier. Use an email address for the admin user such as admin@example.org and choose a password for it. Please make sure it’s secure.

The installer will claim you don’t need to remove setup.php and it will recommend you block off access to it. You can do that or just delete the file. You can always get it back by downloading the source tarball again. Once you’re done, you can log in to Postfix Admin at https://mail.example.org/postfixadmin using the admin user you just created.

You should take this time to go back and read through config.inc.php. It is very well commented. There are some options you may want to set such as your default admin email and footer links. Remember to add your changes to config.local.php.

Add Email Domains and Mailboxes

Log in to https://mail.example.org/postfixadmin and head over to Domain List > New Domain. Fill in whatever works for you here to add a new domain, then head to Virtual List > Add Mailbox and create your first user. I set up example.org as an email domain and admin@example.org as my first user. Doing this will generate the needed database schema that Postfix will use. Go ahead and play around with this and make sure your aliases are set up

Amavis with ClamAV and SpamAssassin

Now that we’ve installed the major components, it’s time to add some virus and spam checking. We’ll be using Amavis for this. As is the case with several of the older open source projects, Amavis has gone through a few name and code base changes. The most recent, still maintained version is amavisd-new, with the name of the program being amavisd and the name of the project being Amavis. Most people use these interchangeably. Amavis will be the interface bewtween Postfix, ClamAV and SpamAssassin.

The Amavis and SpamAssassin packages are a pain to install manually mostly due to their long list of dependencies. They’re both written in Perl and need quite a few modules. These can be installed using CPAN but I would recommend you stick to the scripts provided by Nishant Limbachia at SlackBuilds.org. This makes it much easier to keep track of what you have installed with sbopkg, slackpkg or whatever Slackware “package manager” you use. Before getting started you may want to install the arj, unrar, cabextract, lzop, nomarch, and p7zip packages to allow SpamAssassin and ClamAV to handle different compressed files. These are all available on SlackBuilds.

amavisd-new

Stick with the SlackBuild for this one. The dependencies are listed thoroughly in Nishant’s README.SBo file, including the ones for SpamAssassin. Create a user and group before you run the script.

groupadd -g 225 amavis
useradd -m -d /var/lib/amavis -s /bin/bash -u 225 -g 225 amavis

Uncomment the lines @bypass_virus_checks_maps and @bypass_spam_checks_maps at the top of /etc/amavisd.conf and add the following

@bypass_virus_checks_maps = (
   %bypass_virus_checks, @bypass_virus_checks_acl, $bypass_virus_checks_re);
 
@bypass_spam_checks_maps = (
   %bypass_spam_checks, @bypass_spam_checks_acl, $bypass_spam_checks_re);

Go down a bit further and uncomment @lookup_sql_dsn, then modify it to connect to your database using the Unix socket and the proper credentials. Amavis uses the DBD::mysql Perl module. The documentation states setting the host value to localhost will use the socket. This configuration will enable spam checking for the domains you’ve added to your database either manually or through Postfix Admin

@lookup_sql_dsn = (
    ['DBI:mysql:database=mail;host=localhost',
     'mail',
     'mailpassword']);
$sql_select_policy = 'SELECT domain from domain WHERE CONCAT("@",domain) IN (%k)';

There are a couple of other settings we can change. For instance, make sure you also set $max_servers to the same number of processes you allowed Amavis to use in /etc/postfix/master.cf. Setting the $sa_tag_level_deflt opton to a large negative number will ensure that spam headers are added to every single email. Change the user and group to the ones you created earlier, set up a home directory for configuraiton files and quarantine emails, and set your domain name (not the same as your hostname). Make sure you also uncomment the amavis section in @av_scanners. We are also setting the Unix socket for Amavis here too

$max_servers  = 4;
$sa_tag_level_deflt  = -9999;
$daemon_user  = 'amavis';
$daemon_group = 'amavis';
$mydomain = 'example.org';
$myhostname = 'mail.example.org';
$MYHOME = '/var/lib/amavis';
$QUARANTINEDIR = "$MYHOME/virusmails";
$unix_socketname = "/var/spool/postfix/amavis/amavisd.sock"; 
$unix_socket_mode = 0660;
$interface_policy{'SOCK'} = 'mysock';
$policy_bank{'mysock'} = {
   protocol => 'LMTP',
   auth_required_release => 0,
}

mkdir /var/spool/postfix/amavis/
chmod 770 /var/spool/postfix/amavis/
chown amavis:postfix /var/spool/postfix/amavis/
usermod -G amavis -a postfix

Use the following commands to let Postfix create the amavis-accept PID:

cd /var/spool/postfix/public
ln -s ../amavis amavis
cd /var/spool/postfix/pid
mkdir unix.amavis
chown root:root unix.amavis
chmod 700 unix.amavis

$forward_method = $have_inet6 && !$have_inet4 ? 'smtp:[::1]:10025' : 'smtp:/var/spool/postfix/amavis/amavis-accept';

Go through the rest of /etc/amavisd.conf file and modify any settings you might want changed.

SpamAssassin

Get the SpamAssassin SlackBuild from here, or get the source files. You’ll notice one of the optional dependencies of SpamAssassin is perl-Geo-IP, which requires GeoIP (SlackBuild). If you decide to install that, I found that SpamAssassin’s sa-update script expects the IPv6 database to be in /usr/share/GeoIP/. You can get that file from MaxMind’s servers and place it where needed (as root):

wget -O - \
http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz \
| gunzip -c > /usr/share/GeoIP/GeoIPv6.dat

If you chose to install from source, you can grab a startup script from the extracted tarball. The guys at Apache were nice enough to include a Slackware-ready script in the spamd directory of the extracted source, named slackware-rc-script.sh. Once you have SpamAssassin installed, edit the /etc/spamassassin and set the following options. You only really need ENABLED but the rest are a good idea.

ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
CRON=1

The SpamAssassin source no longer includes rules, so you’ll have to download them. Run sa-update to do this.

ClamAV

This one is pretty straightforward as well. Download the SlackBuild and set the COUNTRY variable to your country’s two letter ISO code. Run the script to build automatically. You can also get the source directly and ./configure && make && make install. It doesn’t need anything outside a base Slackware installation. Grab the rc.clamav init script from the SlackBuild for easier management. Wether you’re using the SlackBuild or installing manually from source, you’ll need a user and group created first.

groupadd -g 210 clamav
useradd -u 210 -d /dev/null -s /bin/false -g clamav clamav

While we’re at it, go ahead and add the amavis user to the clamav group and vice versa

usermod -G clamav -a amavis
usermod -G amavis -a clamav

Edit the /etc/clamd.conf file and change the LocalSocket and LocalSocketGroup options

LocalSocket /var/run/clamav/clamd.sock
LocalSocketGroup amavis

chmod 775 /var/lib/spamassassin/
chown amavis:amavis /var/lib/spamassassin/
chown -R amavis:amavis /var/lib/spamassassin/
chown -R amavis:amavis /var/lib/amavis
chown -R clamav:amavis /var/lib/clamav

Postgrey

This one is simple so we might as well get it out of the way. As usual, create your user and group first

groupadd -g 301 postgrey
useradd -u 301 -d /var/lib/postgrey -s /bin/false -g postgrey postgrey

Since Postgrey is just a Perl script, feel free to copy over the needed files from the source tarball to /usr/bin, notably postgrey, policy-test, and contrib/postgrereport. Check the requirements to make sure you have the needed Perl modules. You can of course use the SlackBuild, too. If you install from source, grab the init script from contrib/postgrey.init and place it in /etc/rc.d/rc.postgrey. Make sure you also get a copy of postgrey_whitelist_recipients and postgrey_whitelist_clients and place them in /etc/postfix. The SlackBuild already does this for you. If you do choose the SlackBuild, you’ll need to set POSTGREYUSR, POSTGREYGRP, POSTGREYUID and POSTGREYGID in the script to the values you set earlier when you created them.

Whichever you choose, you’ll need to edit the init script and set USER, GROUP, and HOST to their proper values. Feel free to get rid of PORT. Find the postgrey_start() function and edit the postgrey flags to make sure it uses a socket instead of TCP.

postgrey_start() {
  echo "Starting postgrey milter:  /usr/bin/postgrey -d --unix=/var/run/postgrey/postgrey.sock --pidfile=$PIDFILE --user=$USER --group=$GROUP --dbdir=/var/lib/postgrey --hostname=$HOST"
  mkdir -p /var/run/postgrey
  /usr/bin/postgrey -d \
                    --unix=/var/run/postgrey/postgrey.sock \
                    --pidfile=/var/run/postgrey/postgrey.pid \
                    --user=$USER --group=$GROUP \
                    --dbdir=/var/lib/postgrey \
                    --hostname=$HOST
}

Roundcube

Setting up Roundcube is just like setting up any other PHP site. We’ve already configured nginx to use FastCGI so it’s a matter of downloading the files and placing them in a directory. As with Postfix Admin, feel free to create a new server block for this or just stick with using a subdirectory of your existing site. Since I placed Postfix Admin in /var/www/html/mail.example.org/postfixadmin I’ll place my Roundcube installation at the root, in /var/www/html/mail.example.org/. Get the sources (I recommend the “complete” version) and extract. As of this writing, that’s 1.1.1

cd /var/www/html/mail.example.org
wget http://downloads.sourceforge.net/project/roundcubemail/roundcubemail/1.1.1/roundcubemail-1.1.1-complete.tar.gz
tar --strip-components=1 -xvzf roundcubemail-1.1.1-complete.tar.gz
chown -R nginx:nginx .

We’ll need to create a database for Roundcube to use. Log in to MariaDB with mysql -u root -p and create it. Make sure you use a strong password.

CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
GRANT ALL PRIVILEGES ON roundcubemail.* TO "roundcube"@"localhost" \
IDENTIFIED BY "password-here";
FLUSH PRIVILEGES;

Roundcube includes an SQL file that can create the necessary database structure for you

mysql -u roundcube roundcubemail -p < SQL/mysql.initial.sql

I recommend you check out the INSTALL file included in the source for a more complete guide on the installation. Now head over to https://mail.example.org/installer and make sure everything is OK in the Check environment section. My installation complained about the date.timezone setting in php.ini so I had to set that. Get a list of supported time zones from here. You may need to restart nginx and php-fpm for the changes to take effect.

echo date.timezone = "America/Mexico_City" >> /etc/httpd/php.ini

Make sure you do not enable spellchecking support. If you do, Roundcube will connect to external services to check your spelling. Why would we go through all this trouble to have a third party see every word we type?

IMAP and SMTP Settings

We’re going to set default_host to tls://localhost and the default_port to 993 in the IMAP Settings section. In the SMTP Settings section, set smtp_server to tls://localhost , smtp_port to 587 and check the Use the current IMAP username and password for SMTP authentication option. Click on Create config.

After it’s done writing your configuraiton file, we’ll add support for memcached and make sure we only use HTTPS in config/config.inc.php :

$config['imap_cache'] = 'memcache';
$config['memcache_hosts'] = array( 'unix:/var/run/memcached/memcached.sock' );
$config['force_https]' = true;

Click on Continue in the browser to go to Step 3

OpenDKIM, DNS and Building Trust

The setup up to this point should be pretty much complete and meet most people’s needs. Some mail servers are quite picky when it comes to receiving email. Gmail particularly doesn’t like when an email is not signed. The next section will walk you through signing your email with DomainKeys Identified Mail and setting up Sender Policy Framework. If you are using a hosting provider for your server, you will need to contact them and have them set up a PTR record for your IP address. This is also known as rDNS. Some mail servers will reject your email if the IP you are sending from does not point back to your domain name. In general, it should look something like this:

34.216.184.93.in-addr.arpa PTR 600 example.org

example.org MX 600 10 mail.example.org

gzamudio@hades:~ $ host -t MX example.org
example.org mail is handled by 10 mail.example.org.

OpenDKIM

You’ll want to grab the latest sources, which correspond to version 2.10.1 as of this writing. I also wrote a handy SlackBuild which you can use. Note that you will need libbsd(SlackBuild) installed in order to be able to compile. Let’s make the user and group first:

groupadd -g 305 opendkim
useradd -r -u 305 -g opendkim -d /var/run/opendkim/ -s /sbin/nologin -c "OpenDKIM Milter" opendkim

We’ll need to create the run directory as well:

mkdir -p /var/run/opendkim
chown opendkim:opendkim /var/run/opendkim

If you’re building manually, you may want to add --prefix=/usr to the configure script or else it’ll place everything in /usr/local. We’ll need support for MariaDB, so pass --with-sql-backend to the configure script as well. If you’re using the SlackBuild set the USE_MYSQL variable to yes and run the script. I used a modified version of CentOS’s init script for mine, but feel free to grab the one included in the source in the contrib/init/generic/ directory.

Once it’s installed, we’ll need to set up a basic configuration file. You can copy the sample one from opendkim/opendkim.conf.simple to /etc/opendkim and add the user and group we created earlier. Note that the SlackBuild already does this for you:

UserID opendkim:opendkim
KeyFile /etc/opendkim/keys/default.private

Socket local:/var/run/opendkim/opendkim.sock

opendkim-genkey -b 2048 -D /etc/opendkim/keys -s mailsvr -d example.org

"v=DKIM1; k=rsa; 
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m8F6p1AD"

You’ll need to wait a while before the DNS record propagates but once it does you can check it with dig

dig mailsvr._domainkey.example.org TXT

Sender Policy Framework

This basically consists of adding another TXT record to your DNS zone. There used to be an SPF type record but this was removed in RFC 7208. You’ll want to add something like this:

v=spf1 a mx ~all

Testing

We’ll need to start all the components we’ve installed and check their logs to make sure everything is running smoothly. You can place your startup commands in /etc/rc.d/rc.local and the stop commands in /etc/rc.d/rc.local_shutdown. Make sure both are executable and add this content

/etc/rc.d/rc.local

if [ -x /etc/rc.d/rc.php-fpm ]; then
        /etc/rc.d/rc.php-fpm start
fi

if [ -x /etc/rc.d/rc.memcached ]; then
        /etc/rc.d/rc.memcached start
fi

if [ -x /etc/rc.d/rc.nginx ]; then
        /etc/rc.d/rc.nginx start
fi

if [ -x /etc/rc.d/rc.postgrey ]; then
        /etc/rc.d/rc.postgrey start
fi

if [ -x /etc/rc.d/rc.clamav ]; then
        /etc/rc.d/rc.clamav start
fi

if [ -x /etc/rc.d/rc.spamd ]; then
        /etc/rc.d/rc.spamd start
fi

if [ -x /etc/rc.d/rc.amavisd-new ]; then
        /etc/rc.d/rc.amavisd-new start
fi

if [ -x /etc/rc.d/rc.postfix ]; then
        /etc/rc.d/rc.postfix start
fi

if [ -x /etc/rc.d/rc.dovecot ]; then
        /etc/rc.d/rc.dovecot start
fi

if [ -x /etc/rc.d/rc.opendkim ]; then
        /etc/rc.d/rc.opendkim start
fi

/etc/rc.d/rc.local_shutdown

if [ -x /etc/rc.d/rc.nginx ]; then
        /etc/rc.d/rc.nginx stop
fi

if [ -x /etc/rc.d/rc.php-fpm ]; then
        /etc/rc.d/rc.php-fpm stop
fi

if [ -x /etc/rc.d/rc.memcached ]; then
        /etc/rc.d/rc.memcached stop
fi

if [ -x /etc/rc.d/rc.opendkim ]; then
        /etc/rc.d/rc.opendkim stop
fi

if [ -x /etc/rc.d/rc.postfix ]; then
        /etc/rc.d/rc.postfix stop
fi

if [ -x /etc/rc.d/rc.dovecot ]; then
        /etc/rc.d/rc.dovecot stop
fi

if [ -x /etc/rc.d/rc.postgrey ]; then
        /etc/rc.d/rc.postgrey stop
fi

if [ -x /etc/rc.d/rc.amavisd-new ]; then
        /etc/rc.d/rc.amavisd-new stop
fi

if [ -x /etc/rc.d/rc.clamav ]; then
        /etc/rc.d/rc.clamav stop
fi

if [ -x /etc/rc.d/rc.spamd ]; then
        /etc/rc.d/rc.spamd stop
fi

Log in to your Roundcube webmail at https://mail.example.org and start sending email. Try sending to big providers like Gmail and Yahoo. You’ll note the first time you receive an email, it’ll be greylisted thanks to Postgrey. Check /var/log/maillog:

Apr 24 22:38:56 mail postgrey[945]: action=greylist, reason=new, client_name=mail.example.net, client_address=61.4.1.30, sender=testuser@example.net, recipient=testuser@example.org
Apr 24 22:38:56 mail postfix/smtpd[19527]: NOQUEUE: reject: RCPT from mail.example.net[63.4.1.30]: 450 4.2.0 <testuser@example.org>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.org.html; from=<testuser@example.net> to=<testuser@example.org> proto=ESMTP helo=<mail.example.net>

Apr 24 22:48:23 mail amavis[1078]: (01078-02) Passed CLEAN {RelayedInbound}, [63.4.1.30]:43126 [63.4.1.30] <testuser@example.net> -> <testuser@example.org>

You can also test your anti-virus using the EICAR test file. Send yourself an email from another mail server with only the following string in the body:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

It will be detected as a virus and you’ll see this in the log as well:

Apr 24 23:05:25 mail postfix/qmgr[1060]: BF9D558771: from=<virusalert@example.org>, size=2092, nrcpt=1 (queue active)
Apr 24 23:05:25 mail amavis[21120]: (21120-01) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [63.4.1.30]:36539 [63.4.1.30] <testuser@example.net> -> <testuser@example.org>, quarantine: /var/lib/amavis/virusmails

In a similar fashion, you can test your spam filter using the GTUBE. Send a message from another mail server to yourself with only the following string in the body:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

It will be detected as spam and you’ll see this in the log as well:

Apr 24 23:13:44 mail amavis[21119]: (21119-01) Passed SPAM {RelayedTaggedInternal,Quarantined}, [63.4.1.30]:36539 [63.4.1.30] <testuser@example.net> -> <testuser@example.org>, quarantine: /var/lib/amavis/virusmails

You’ll probably want to set up an email client such as Thunderbird or Claws Mail. They should automatically detect your sever’s open ports but you can use the following settings to set it up manually. You can substitute the hostname for example.org if that points to your server’s IP as well.

Username: testuser@example.org
Incoming (IMAP) server: mail.example.org
Port: 993
SSL/TLS Enabled
Authentication: Plain (Normal Password)

Username: testuser@example.org
Outgoing (SMTP) server: mail.example.org
Port: 587
STARTTLS Enabled
Authentication: Plain (Normal Password)

Other Considerations

I hope you found this guide useful. I tested this setup to the best of my ability but you may find certain things didn’t work for you. If that’s the case or you have any suggestions, comments, or just want to say hi, feel free to contact me. Encrypted email is strongly encouraged and preferred :)

24

2015-03-27T00:00:00-06:00

There is a line of a song I enjoy that says, “How come 24 hours sometimes seem to slip into days?” The song goes on about homesickness and being lonely on a trip. For the longest time, I identified with that line in regards to aging. The older we get, the faster time seems to pass us by. What are we doing with the limited time we have available?

This weekend while traveling I met a man who was spending his remaining years cycling for peace. He had a big banner strapped to the side of his bicycle with a peace message written in large, thick, block letters. I spent an afternoon walking downtown with him and hearing about his experiences. He was more than twice my age, has a academic degree, and had a stable income before he decided to start his cycling journey. He showed me photos of his travels including the time agents at the border helped him repair a tire and the time he got an infection on his foot while cycling through particularly wet area. After a quick lunch we parted ways.

A year ago today I was getting rid of my belongings and stuffing what few bags would fit in the cab that was to take me to start a new life in another city. I had no idea a year later I’d be typing this in a different country with the sound of a Norwegian woman playing “Gje meg handa din, venn” on the keyboard in the same room or that I’d be ruminating over an annoyingly candle lit dinner with a new friend through Earth Hour.

The song and that line have changed in meaning for me. I used to think experiences were for me alone - to be kept locked away and brought out only when I wanted to relive them. The people I’ve met over the last year have taught me it’s important to share them with others, to give something back to those who share with us. Hopefully those we share with will still remember after our hours stop turning into years and start turning into decades.

The man with the bike certainly thought so. But maybe he just wanted a free lunch.

3,962 m

2015-01-19T00:00:00-06:00

Celebrating life, 200km/h.

New Blog

2014-09-30T00:00:00-05:00

After a week of testing and development, I’ve finally switched my site over to Jekyll, the static site generator. This allowed me to get rid of PHP and MySQL, which I feel cause too much overhead for a simple site like mine. I also felt Apache had too many features I did not use so I got rid of that and switched to nginx instead. Also note the TLD change, gerardozamudio.mx

Jekyll

The great thing about Jekyll is it’s easy to use and configure. There’s a great installation guide at the official Jekyll site already so I won’t go over that again. Just note you’ll need Node.js and Ruby installed in order for it to work.

First, I created the directory that will hold my new site in my shell user’s home directory:

jekyll new ~/gerardozamudio.mx
cd ~/gerardozamudio.mx

My site used to run on WordPress so most of the content was stored in the MySQL database. I ran the Jekyll WordPress importer with the following options:

ruby -rubygems -e 'require "jekyll-import";
    JekyllImport::Importers::WordPress.run({
      "dbname"   => "wordpress-db",
      "user"     => "wordpress-user",
      "password" => "password",
      "host"     => "localhost",
      "socket"   => "/var/run/mysql/mysql.pid",
      "table_prefix"   => "wp_",
      "clean_entities" => true,
      "comments"       => true,
      "categories"     => true,
      "tags"           => true,
      "more_excerpt"   => true,
      "more_anchor"    => true,
      "status"         => ["publish"]
    })'

Note that Slackware uses the default PID location of /var/run/mysql/mysql.pid for MySQL so you’ll have to set that. This gave me a nice structured directory with all my posts converted to Markdown complete with YAML Front Matter containing the author, comments, tags, etc. WordPress keeps images in /wp-content/uploads by default, but I made an images directory in the root of my site for simpler management, so a little sed magic fixed that:

find ./ -type f -exec sed -i -e 's|https://gerardozamudio.net/wp-content/uploads/|/images/|g' {} \;

I also noticed the posts had been saved with a .markdown extension. Those are not really important in Linux, but I wanted to fix them for my own sanity:

for file in *.markdown ; do mv "$file" "$(echo "$file" | sed 's/\(.*\.\)markdown/\1md/')" ; done

Then it was just a matter of downloading the uploads directory from wp-content in my WordPress site’s root directory into my new Jekyll site’s root directory and renaming it to images.

WordPress Features

There are some features of WordPress that Jekyll, being a static site generator, does not implement by default. Luckily I future proofed my site so it was easy to port images as well as HTML used in the posts. I didn’t have many posts that used a featured image so it was simply a matter of adding a new ![Alt text](/images/leading-image.jpg) line to the top of each post.

Captions

Speaking of images, I am using the captionss CSS library to easily add a nice looking caption to my images. Again, Jekyll does not offer this out of the box but it was a good excuse to get familiar with Liquid and write my own tag. I didn’t want to bother with surrounding my images with HTML every time I wanted to add a caption so I created a cap.html file in my _includes folder inside my Jekyll site directory with the following contents:

<div class="center">
<figure class="embed">
	<a href="{{ include.url }}"><img src="{{ include.url }}" alt="{{ include.alt }}"></a>
	<figcaption>
	{{ include.cap }}
	</figcaption>
</figure>
</div>

Whenever I want to use an image with a caption, I can just use the following:

{% include cap.html url="/images/image.jpg" alt="Alt text" cap="Caption" %}

Post Excerpts

WordPress uses the  tag to signal post excerpts, and automatically generates a Read more… link. Jekyll does not have this by default, but it can easily be implemented using a loop in the site’s posts index with the split Liquid filter:

{% if post.content contains '<!--more-->' %}

    {{ post.content | split:'<!--more-->' | first }}

    <p><a href="{{ post.url }}">Read more &raquo;</a></p>

{% else %}

    {{ post.content }}

{% endif %}

nginx

Good old nginx. It’s hard to believe it’s been a decade since this web server came about and it’s certainly matured a lot since then. Development is fast and looks to be stable, so I decided to go with the mainline releases. My main goal was serving plain static content so I did not need any of the extra modules that are built in by default. I created a system user to run the daemon:

useradd -r -M -U -c "User for nginx" -d /srv/httpd -s /bin/false nginx

Then I built my package using only 3 modules: http_ssl_module, http_spdy_module, and http_gzip_static_module

./configure \
  --with-http_ssl_module \
  --with-http_spdy_module \
  --with-http_gzip_static_module \
  --with-file-aio \
  --without-http_autoindex_module \
  --without-http_browser_module \
  --without-http_fastcgi_module \
  --without-http_geo_module \
  --without-http_empty_gif_module \
  --without-http_map_module \
  --without-http_proxy_module \
  --without-http_memcached_module \
  --without-http_ssi_module \
  --without-http_userid_module \
  --without-mail_pop3_module \
  --without-mail_imap_module \
  --without-mail_smtp_module \
  --without-http_split_clients_module \
  --without-http_uwsgi_module \
  --without-http_scgi_module \
  --without-http_limit_conn_module \
  --without-http_referer_module \
  --without-http-cache \
  --without-http_upstream_ip_hash_module

SSL

I talked about adding a certificate in a previous post, but I decided to take that a step further and switch to ECDSA for my SSL certificate. Unfortunately Gandi does not offer such certificates so I had to move to Comodo in order to get one. I also set up HSTS and PFS to completely get rid of plain HTTP access to the server. At least Qualys seems to think I did a good job. If you look closely at the configure options above you’ll notice I also enabled SPDY, the starting point for HTTP 2.0. Feel free to check it out.

Opera Developer 24 on Slackware64 14.1

2014-06-26T12:00:11-05:00

Opera 24 for Linux is finally out! This new version, which is the development build and not stable, includes some new features like Discover, Stash, and an improved Speed Dial and Opera Turbo. You can get a full rundown of the changes by checking the change log.

I haven’t been a fan of Opera since they switched to WebKit (and eventually dumped that for Blink) but I keep the [old 12.16 version from SlackBuilds](http://slackbuilds.org/repository/14.1/network/opera/ “Opera 12.16

SlackBuilds”) around as a third browser just in case.

The build is supposed to be for Ubuntu 64bit but you can follow Ruarí’s installation instructions for other platforms to install it on Slackware. If you’re really impatient, user Vladislav Borisov has already written SlackBuild for it. Grab the tarball directly from here, then install as you normally would:

root@slack-vbox:~# wget http://blog.t-rg.ws/uploads/opera-developer.tar.gz
root@slack-vbox:~# tar -xvzf opera-developer.tar.gz
root@slack-vbox:~# cd opera-developer
root@slack-vbox:~/opera-developer# source opera-developer.info
root@slack-vbox:~/opera-developer# wget $DOWNLOAD_x86_64
root@slack-vbox:~/opera-developer# ./opera-developer.SlackBuild
root@slack-vbox:~/opera-developer# installpkg /tmp/opera-developer-24.0.1537.0-x86_64-1fsleg.txz

I fired up a Slackware64 14.1 virtual machine for some quick testing. Remember if you want Flash support you’ll need AlienBOB’s chromium-pepperflash-plugin package.

The browser's window looks out of place in a KDE environment.

You can follow the development at Opera’s developer site.

Site Now Served Over HTTPS

2014-03-05T20:00:05-06:00

In the interest of security for readers, I’m glad to announce my site now supports SSL. You should be automatically redirected. For enhanced security around the web, I recommend the EFF’s excellent add-on [HTTPS Everywhere](https://www.eff.org/https-everywhere “HTTPS Everywhere

Electronic Frontier Foundation”).

Xbox 360 Controller on Slackware

2014-02-07T14:30:45-06:00

Steam for Linux has been available for a while now and it’s coming along nicely. It’s easy enough to set up for Slackware using Alien Bob’s steamclient packages. Big Picture Mode is available which means more people are going to want to use a gamepad. I have a wired Xbox 360 controller that I purchased to use with my emulators. Slackware’s kernel already includes the xpad gamepad module so the controller is detected as soon as it’s plugged in.

[ 6.513624] usb 2-1.6: new full-speed USB device number 3 using ehci-pci
[ 6.604012] usb 2-1.6: New USB device found, idVendor=045e, idProduct=028e
[ 6.604014] usb 2-1.6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 6.604016] usb 2-1.6: Product: Controller
[ 6.604017] usb 2-1.6: Manufacturer: ©Microsoft Corporation
[ 6.604018] usb 2-1.6: SerialNumber: 199BF1B
[ 6.870036] input: Microsoft X-Box 360 pad as /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.6/2-1.6:1.0/input/input10
[ 6.870078] usbcore: registered new interface driver xpad

Make sure the xpad module is loaded:

root@hades:~ # lsmod | grep xpad
xpad                   11426  0

If it’s not, then load it:

root@hades:~ # modprobe xpad

Unfortunately, I had some issues with the gamepad not being recognized by Steam or emulators such as Dolphin.

This can be fixed by creating a udev rule to set the correct permissions for the input device. Stick the rules below in /etc/udev/rules.d/, inside something like 99-joystick.rules:

KERNEL=="event[0-9]*", ENV{ID_BUS}=="?*", ENV{ID_INPUT_JOYSTICK}=="?*", GROUP="games", MODE="0660"
KERNEL=="js[0-9]*", ENV{ID_BUS}=="?*", ENV{ID_INPUT_JOYSTICK}=="?*", GROUP="games", MODE="0664"

Add your user to the games group:

root@hades:~ # usermod -G games -a gerardozamudio

The Xbox 360 controller should now be assigned to the games group with read-write access.

root@hades:~ # ls -l /dev/input/
total 0
drwxr-xr-x 2 root root     180 Feb  7 03:10 by-id/
drwxr-xr-x 2 root root     180 Feb  7 03:10 by-path/
crw-r----- 1 root root  13, 64 Feb  7 09:11 event0
crw-r----- 1 root root  13, 65 Feb  7 09:11 event1
crw-rw---- 1 root games 13, 74 Feb  7 09:11 event10
crw-r----- 1 root root  13, 75 Feb  7 09:11 event11
crw-r----- 1 root root  13, 76 Feb  7 09:11 event12
crw-r----- 1 root root  13, 77 Feb  7 09:11 event13
crw-r----- 1 root root  13, 78 Feb  7 09:11 event14
crw-r----- 1 root root  13, 79 Feb  7 09:11 event15
crw-r----- 1 root root  13, 80 Feb  7 09:11 event16
crw-r----- 1 root root  13, 81 Feb  7 09:11 event17
crw-r----- 1 root root  13, 82 Feb  7 09:11 event18
crw-r----- 1 root root  13, 66 Feb  7 09:11 event2
crw-r----- 1 root root  13, 67 Feb  7 09:11 event3
crw-r----- 1 root root  13, 68 Feb  7 09:11 event4
crw-r----- 1 root root  13, 69 Feb  7 09:11 event5
crw-r----- 1 root root  13, 70 Feb  7 09:11 event6
crw-r----- 1 root root  13, 71 Feb  7 09:11 event7
crw-r----- 1 root root  13, 72 Feb  7 09:11 event8
crw-r----- 1 root root  13, 73 Feb  7 09:11 event9
crw-rw-r-- 1 root games 13,  0 Feb  7 09:11 js0
crw-r----- 1 root root  13, 63 Feb  7 09:11 mice
crw-r----- 1 root root  13, 32 Feb  7 09:11 mouse0
crw-r----- 1 root root  13, 33 Feb  7 09:11 mouse1

This should cause Steam and your emulators to detect the controller properly and allow you to configure it using each application’s settings.

eBooks

2013-09-12T10:30:17-05:00

<zam> what file naming convention would you use for a bunch of books in pdf format?
<Soul_keeper> I usually choose a dir name like “junk” and just cp them in there
<adaptr> and not even check the exit status of cp
<Soul_keeper> exactly
<Soul_keeper> nearly impossible to locate/search for one when you need it anyways
<adaptr> I always use the sha256 hash of (ISBN, year, publisher, random page from book)

Firefox Updates Break Search and Other Settings

2013-08-18T12:00:36-05:00

This morning I woke up and decided to check the latest tech news, so I opened up Firefox. It seems Firefox had downloaded an update during my last browsing session and was just waiting for me to restart so it can apply it. Not surprising, since I’ve gotten used to the ridiculously annoying constant updates from Mozilla. After the update was applied, I tried to search using the location bar and was surprised to find my searches were being redirected to my local Google site, https://www.google.com.mx/.

I remember I had specifically set the keyword.URL preference in about:config to use Google’s encrypted search and not pass any extra parameters (browser being used, language encoding, etc). I checked my about:config settings and sure enough, it was still there. I figured it might a bug so I searched around and discovered Mozilla thought it was a good idea to disable that feature starting with Firefox 23 in order to stop “search hijacking”. This has in turn disabled Google’s Browse By Name (I don’t personally use this, but loads of people do) and any third party search providers a user may have added without using the Manage Search Engines option.

My now useless keyword.URL preference was still there.

I’m not the only one upset about this and it’ saddening to see the only possible workaround is to install an add-on or just [write your own plugin](https://developer.mozilla.org/en-US/docs/Creating_OpenSearch_plugins_for_Firefox “Creating OpenSearch plugins for Firefox

MDN”). Thanks to cor-el from the Mozilla forums, I learned about the Mycroft project. I quickly found the encrypted.google.com search provider, added it to my search engines, and promptly had Google’s encrypted search working again from my location bar.

Another thing I noticed is that Mozilla thought it was a good idea to change my location bar setting in the Options window to suggest URLs from my history and bookmarks. I had this set to suggest nothing. Why don’t they ask for my permission to change my settings?

I’m upset Mozilla would remove an option that I’ve always felt gave me more freedom to set up. I had to live with the new download manager until I found out I could revert to the old one. Keeping downloads in a separate window allows me to close my main Firefox window without interrupting my downloads, something the new manager does not support.

I hope Mozilla doesn’t start alienating more users. I’ve been a Firefox user since version 2, and with everyone and their mother switching to WebKit/Blink I feel it’s a matter of time before Firefox does too. It’s a shame such a good browser is quickly going down the drain.

Directory Names

2013-05-07T12:00:51-05:00

Kids these days grow up with the idea that they can have spaces and lots of other funny characters in their directory names.

— 8jean

Mailbox Is Nothing New

2013-02-14T12:00:02-06:00

A few days ago, a friend of mine posted a video ad for an email program that can be run on an iPhone. I Googled this Mailbox “app” to find out more about it. The press seems to be extremely excited for this thing, but I honestly don’t see why.

Their home page is filled with modern web clichés: lots of white space, a huge 1,000-pixel vertical length video, and short paragraphs describing their product.

We redesigned the inbox to make email light, fast, and mobile-friendly. Quickly swipe messages to your archive or trash. Scan an entire conversation at once with chat-like organization. Snooze emails until later with the tap of a button.

I don’t understand exactly how they “redesigned the inbox”. It looks nearly identical to the Gmail application. It even has the same swipe-to-archive functionality. Chat-like organization? Oh, they mean Gmail’s conversation view.

Designed 30 years ago, traditional email transmission is clunky and slow. To make delivery as fast as possible, Mailbox checks your email from the cloud, then delivers it to your phone securely. You can even get push notifications for new messages.

This one made me laugh. Email is just text, so I have no idea what they mean by it being clunky and slow. I’m also a bit confused by their claim that they speed up delivery by “checking email from the cloud”. Where the hell else are you going to check email from?

Stop staring at emails you can’t deal with now. Mailbox lets you put off messages until later with a swipe and a tap. Snoozed emails return to your inbox automatically, so you can focus on what’s important now.

Isn’t this called “flag for follow-up” in most other email clients?

When your inbox holds just the stuff you need to address now, email feels lighter and faster. Mailbox makes getting to zero — and staying there — a breeze. After you experience a clean inbox, you’ll wonder how you ever lived without it.

This one is really up to the user, I think. Many people simply don’t like deleting emails so they can search for attachments and other information. Personally, I keep a clean inbox.

At the very bottom of the page I’m supposed to get in line and wait for them to allow me to use their program. As if it was some huge privilege and some exclusive group. No, thanks.

Deception

2013-02-13T10:00:20-06:00

You cannot expect normal human beings to question all their assumptions 24/7. Every time you blinked you’d have to prove to yourself that the whole universe hadn’t just been switched off and then instantaneously recreated itself.

— tehcyder

Secure Banking

2013-01-10T17:30:51-06:00

Earlier this week I tried to sign up for my local bank’s online banking feature. I put aside the fact that they charge you for using it and proceeded to fill in the required information. The problem came when I tried to set a password.

Estimado cliente:

La clave de acceso debe ser alfanumérica, no se permiten acentos, o símbolos especiales (#, &, ?, etc.) ni más de 2 caracteres consecutivos (123 o abc), tampoco más de 2 caracteres idénticos consecutivos (111 o aaa).

Estimado cliente, en su pregunta no se permiten caracteres especiales ni la letra ñ.

The text says that I’m not allowed to use any special characters. This also applies to the secret question I was trying to set (this means I cannot end the question with ‘?’). The passwords are also limited to 10 characters. Way to go, Mexican banks.

Steam Big Picture Mode

2012-12-04T00:00:27-06:00

Today Steam added a new feature to their Windows client called Big Picture. This is a new interface designed with game pads and a TV in mind. The first thing I noticed was that it resembles the Xbox 360 dashboard. You even access it by pressing the guide button on an Xbox 360 controller while playing a game.

The first screen after starting Steam's Big Picture mode.

The store view looks pretty good. It’s a nice way to highlight which games are on sale at the time. It includes the same categories the regular Steam client has such as Daily Deals, Specials, and New Releases.

The Steam Big Picture store view includes familiar categories found in the regular Steam client.

If you click through to see the games available for purchase, their display resembles the way games are displayed in the Xbox 360 dashboard. I found it annoying that the currently selected game is left aligned. I wish there was an option to make it the center game. You can click through to view the game’s details, full screen trailers, and screenshots.

In an annoying move, the currently selected game is aligned to the left.

I liked the way games in my library were displayed. There’s an option to view all your games, but I don’t recommend this because if you have items in your library that are not actual games, such as “Counter-Strike: Source Beta” Steam will just display an ugly generic banner for the game’s image.

Steam's Big Picture library view makes your games look pretty.

There are also a few other annoyances. For example, if you go back to a previous screen the client doesn’t save where you were. This means if you’re looking at the 10th game on a list, click on it to view its details, then go back, the client will take you back to the first game on the list (instead of the one you were on). Hopefully they get that fixed for the next update.

Tiling Window Managers

2012-09-04T16:00:09-05:00

Everybody knows that tiling window managers are the cure to all the world’s problems.

— Marcin Herda

Computer Love

2012-08-16T16:30:00-05:00

Me too. I love downloading and uploading and updating and transferring and virus scanning and defragging and registry cleaning and installing and encoding and rendering and unzipping and compiling, as much as possible at the same time. I imagine all these massive bit streams flowing in and out, the heart rate of the computer going up, my quad core maximizing its potential and hacking through millions of operations in a harmonic way of perfection, leaving a trail structure and cleanliness behind. It’s so refreshing.

— AlphaCunt

DayZ Olympics

2012-08-01T17:00:56-05:00

The players of DayZ would have a fair chance of winning first place in the Olympics if crawling on all fours was included in the games.

— Donncha O Caoimh

A Programming Language's Success

2012-06-07T14:30:16-05:00

The main factor in determining whether or not a [programming] language succeeds is the quality of its creator’s beard

— llamalad

Google Chrome Becomes World's No. 1 Browser

2012-05-22T18:30:58-05:00

Chrome has now “sold out”, and may only be used “ironically”. The current “hip” browser is now Lynx in an xterm window set to use Helvetica (it’s “vintage”). Please adjust your usage accordingly.

— gman003

iTunes Follows the Emacs Philosophy

2012-04-18T09:00:12-05:00

iTunes is a nice OS, it just needs a good media player.

— AmiMoJo

#9501

2012-03-15T10:00:33-06:00

<Randerson> LMAO OMFG where’s the phone, I have to tell Dean about this
<AgentSmith> How can you use the phone when you cannot…speak?
*** AgentSmith sets mode: +m

I Just Live On The Edge

2012-03-15T09:00:43-06:00

I feel like such a fearless badman for running arch linux before the packages were signed

— mshenrick

SimCity Is Back!

2012-03-07T07:30:25-06:00

Woo! SimCity is back! I can’t wait!

X Server on Android and the Gate One

2012-03-07T07:00:54-06:00

I don’t know what’s sexier: X Server coming to Android or the [Gate One](http://liftoffsoftware.com/Products/GateOne “Liftoff Software

Gate One “) Quake-style web terminal emulator and SSH client

Google's New Privacy Policy In Effect

2012-03-02T08:30:00-06:00

It’s March 2nd! Google will finally quit bugging me about their new privacy.

Linode Security Flaw Causes Theft

2012-03-02T08:00:05-06:00

Just when I was thinking about finally signing up for Linode, they go and get hacked.

Raspberry Pi Possible Release Date

2012-02-28T11:00:35-06:00

The Raspberry Pi (an ARM GNU/Linux box for $25) might be released at 00:00:00 CST on February 29th!

Boot to Gecko Demo

2012-02-28T10:30:31-06:00

Mozilla released a video demo of their Boot to Gecko project yesterday. I’m usually against mobile computing (iPad/tablets, browsing on a mobile phone, etc) simply because I believe computing should be done on a desktop with a nice full keyboard and optional mouse. This time, however, Mozilla has managed to spark my interest. I’m excited to see what a web standards-based phone will be capable of. I’m also happy that it won’t be yet another platform for developers to support - any web app should work automatically.

Mozilla Boot to Gecko OWD home screen.

Head over to Arstechnica for more screenshots!

Chinese Internet Users Flood Obama's Google+ Page

2012-02-27T09:00:03-06:00

Chinese internet users [began flooding](http://www.ctv.ca/CTVNews/SciTech/20120226/chinese-flood-obama-site-after-googleplus-clock-lifted-120226/ “Chinese flood Obama site after Google Plus block lifted

Sci-Tech”) Barack Obama’s Google+ page with comments following an unblocking by their government. Most of the comments were in Chinese were political in nature, while others were just people ranting. This specific comment made me laugh (all the comments were being posted in Obama’s latest update, which was regarding bumper stickers):

Engrish translation of a comment by a Chinese user.

UPDATE: It looks like our friend found the answer.

Kerning In Google Search Results

2012-02-26T08:00:42-06:00

Is it just me, or does doing a Google search for “kerning” come up with examples of kerning?

Anonymous Coward

2012-02-24T15:00:04-06:00

Developers at Gnome have reduced the entire UI to a single button and they’re even trying to get rid of that.

— Anonymous Coward

How To: Change Welcome Screen Language in Windows 7

2011-08-14T20:03:18-05:00

After 10 years of use, I’ve finally said goodbye to Windows XP and upgraded to Windows 7. Everything is nice and dandy, except for the fact that my operating system is in Spanish.

Spanish is the primary language where I live, so any operating system acquired here is also in Spanish. I tried contacting Microsoft about buying a Windows 7 install disc from the U.S. or downloading it from their U.S online store, but they were not very helpful.

I ended up buying Windows 7 Ultimate because it’s the only one that allows me to change the display language. To change the display language simply open up Windows Update (it has the same name in Spanish) and let it search for updates.

As soon as it’s done it will show a list of available language packs under Optional Updates. In this case, I chose English because it’s the one I needed.

After it’s done downloading, head on over to the Control Panel and click on Region and Language. If you’re having trouble locating it, it’s the one that has an icon of a globe and a clock. Once there, you can change the display language by selecting the language pack you just downloaded.

Here’s the tricky part: when you log off or your computer decides to finish an update before being shutdown you will notice the progress prompts are in whatever language the operating system was originally installed with.

To change the display language of the Welcome Screen, go back to the Region and Language options and click on the Administrative tab. Click on the Copy settings button and make sure you check Welcome screen and system accounts and New user accounts under Copy your current settings to.

That’s it! Now almost the entire system is in English. I say almost because there’s still some drivers and device names here and there that are named in Spanish, such as my network interface card.

I still need to get my 5.1 sound speakers working, so I’ll post about that another time.

New Journey Into Coding

2010-12-05T17:36:48-06:00

It’s been almost two months since my last update. It’s not that I’ve been busy, I just didn’t have anything interesting to talk about.

Due to private matters, I’ve come across quite a bit of free time during these past two months. I’ve used this time to begin learning how to program properly. Sure, I’ve delved into HTML, CSS, PHP and the like (hence the “amateur coder” in the bio) but I want to get into something that isn’t a scripting language. The perfect chance to start came a while ago during a meeting at work. A few coworkers complained that the template to file their trouble tickets was inconsistent and a few claimed it was hard to implement. I thought I could make some sort of program that displayed the template in a way that all the user had to do was fill in required information, click a button, and have it instantly formatted and ready to paste into a ticket.

Unfortunately, I turned to a scripting language such as AutoHotKey to accomplish this. I say “unfortunately” because it went against my original plan to learn a proper language. It was something I needed to get done quickly without too much hassle, so I figured it’d be fine. I had never even seen an AutoHotKey script before let alone write one, so you could say this was my first time.

It didn’t take long. The documentation is easy enough to understand. I browsed the forums to see what types of things people were doing (I believe there was a 911 dispatcher that used it for calls) and I got an idea of things I could and could not do.

Anyway, I fired up AutoHotKey, typed away for a combined total of 9 hours, used Paint.NET to make some basic graphics, and compiled the script into a .exe using the included compiler. Here’s a detail of a screenshot I took of the finished program:

I just realized the alignment of the input fields is a bit off

Obviously, I took out all styling and logos that could reference my employer. It’s nothing too fancy. I’m really proud of what I could make if I had a purpose. I’ve always found it difficult to make something from scratch so it was nice to know exactly what I wanted to accomplish before I even started.

I sent this out to my coworkers to use in their tickets. They loved it and of course immediately sent tons of feature requests and bug reports. Actually, I wouldn’t really call them bugs… most of them were because of sloppy code or typos I’d made. This experience also served as great practice for developing for a specific audience. For instance, I can’t believe I forgot to add a “clear all fields” button in the first version. They immediately let me know it was needed so I added one.

This is the only AutoHotKey script I plan on developing and maintaining. Once I decide what language I want to get into, I’ll post about it and make my first program available to download.

New Internet Meme: Cigar Guy

2010-10-07T00:48:02-05:00

A stunning picture of Tiger Woods was taken at the Ryder Cup as he swung his club and hit the ball directly into the photographer’s camera. This was an amazing feat in itself, but what actually made the picture famous was the quirky mustachioed man smoking a cigar to Tiger’s left.

The man has become an overnight internet sensation and his image has been photoshopped into a number of iconic pictures. Here are some for your viewing pleasure.

The cigar guy on an island.

The cigar guy on the moon

The cigar guy on a Bob Dylan album

I honestly don’t know what it is about this guy, but it had me laughing all day at work. Here’s the original photo.

I'm on a lag

2010-10-01T11:44:04-05:00

That xkcd comic reminds me an awful lot of myself. I still haven’t finished Half-life, I’ve yet to play Half-life 2 and all other expansion packs, and I’ve yet to play Portal. By the time I get done with these games everyone else will be enjoying Half-life 3 and Portal 2…along with whatever next generation system is out at the time.

Not to say I haven’t been trying. I’m almost done with the first game. Since I have internet now, I’ve been trying to catch up on lost time with all my Steam games. I even purched Garry’s Mod yesterday since it was their last day of the $4.99USD deal. I tried hopping on some Counter-Strike servers but it doesn’t seem to be working. It might have something to do with my download speed. Let us compare…

Where I was before...

Where I am now

Seriously.

Telmex is now my ISP

2010-09-22T15:00:01-05:00

It feels good to be able to update from the comfort of my bedroom! A Telmex technician showed up at our house Monday morning to set up the land line and do the wall jack installation. I was pleased when they called my cell phone first to confirm that they would be there in about an hour and asked if I would prefer another time.

Once everything was good to go, I was told I had to go to the nearest Telmex dealer and pick up my modem. That day my shift ended at 6:00pm, so I tried really hard to make it to the nearest store on time to pick it up. It turns out all Telmex stores close at 6:00pm, so I had to wait yet another day to pick it up. I wasn’t going to take a half-day from work just go pick this thing up, so I called and asked if anyone else could do it for me. They said someone else could pick it up as long as they provided a copy of my ID card. Luckily, I keep a spare at home. I called my wife and she promptly went to go pick up the modem.

I was surprised by the packaging of the modem once I got home. The box itself was sturdy and the inside was padded well. The modem is an ADSL2+ Thomson TG585V7. It came with an Ethernet cable, phone cable, power adapter, user’s guide, installation disc (?), and a quick start guide. There was also a small card where I’m supposed to write down my Telmex email user name and password. How cute.

The Thomson TG585V7 ADSL2+ modem from Telmex

I didn’t bother with the installation disc and didn’t bother to check what it is for. It’s supposed to set up the internet connection for you and install some sort of anti virus software with parental controls, I think. I don’t really need any of that stuff so I just plugged in the modem and waited for the DSL light to be solid green. Everything worked right out of the box - no additional configuration needed.

The Windows installation disc I have is slightly out of date. Like, from 2002 out of date. Believe me, installing Service Pack 3 and all the security updates on a 1MB connection is not enjoyable. I did get a kick out of Windows nagging me every two seconds that my computer was out of date. It made me wonder how there are still people out there that run out of date software.

I found myself staring at this update screen almost all night

It might sound weird that I’m installing Windows XP on a brand new computer, but there’s really no other option. I didn’t actually pay for my Windows disc (someone gave it to me) and if I want to buy Windows 7 I’d have to shell out $199.99USD, which is money I don’t have right now. Sure, I could install any Linux distribution but I’m not too keen on the dual-booting configuration. I’ll slap Arch Linux on that old machine I have lying around as soon as I get a monitor and keyboard for it. I’ll update when I get around to that.

The troubles of finding a decent ISP

2010-09-20T16:21:03-05:00

By the end of September, I will have gone one year without having internet access at home. During this year, I’ve switched homes three times and switched jobs four times. I think I’m finally at a stable point in my life - at least stable enough to commit to a 1-year rental lease.

A while back I briefly [mentioned](http://gerardozamudio.net/2010/08/27/questionable-content-and-indie-girls/ “gerardozamudio.net

Questionable Content and Indie Girls”) that I finally got around to buying a desktop PC. Sure, everyone’s buying netbooks and those pad things but I know I’m not the only one that thinks the notebook is dead. Nothing beats a good ol’ desktop PC with a keyboard and mouse. I’m still planning on posting a brief overview of the computer specs and what it’s been like so far, don’t think I forgot.

Getting the computer was the first step. Living in an “emerging and developing” country makes it rather difficult to come by a reliable Internet Service Provider, so my choices were limited. I could’ve easily gone the easy way and signed up for Carlos Slim’s telephone/internet monopoly, Telmex. But where’s the fun in that? Instead, I hopped online and looked for some alternatives. The one I already had in mind was Cablevision, a newcomer to online services in the area. They offer a 2MB download speed through cable (6MB in some areas). Unfortunately, when I called them they informed me their services were not available in my area because the infrastructure wasn’t fully developed. I did a bit more research and the only other ISP in my area was Axtel. They were quite friendly. I called them and the sales representative curteously gave me a rundown of all their bundles. I signed up for their 2MB DSL service with a landline that includes 200 local calls. Yes, there’s no such thing as unlimited of anything here. Yes, I did ask. I thought it was pretty good considering Telmex was giving me the same thing for $16.44USD more. They said there was a $15.66USD “contract fee” and if I payed it by 4:00pm that day, the installation people would be at my house in two days. These guys really want my business, don’t they? I took a quick break from work and walked over to the nearest bank to make the deposit. Sure enough, within two days there was Axtel at my front door ready to do all the cabling that was needed.

Here’s where it gets kind of disappointing. They fooled around a bit on the roof of my house and proceeded to inform me that they could not get a signal because the house is located near the bottom of a hill. I know the technicians are just outsourced contractors that don’t really work for Axtel, but they were nice about it. They said I should call and ask for my deposit back, which I did. The original sales representative was also thoughtful enough to give me his direct extension so I didn’t have to wait in the call queue for someone to pick up the phone. The guy informed me that I would have to wait 5 business days for the refund to go through and that I would have to go to one of their offices and pick it up myself. That part was not pleasant considering the fact that the next three days were holidays, plus the weekend. I’d have to wait 11 regular days for my refund.

The next day I gave in and called Telmex. I gave them my address and they said they could not find my interior number in their system, which meant I would have to go to a Telmex office and order it in person. They were not open to suggestions, either. I asked if I could just put down my neighbor’s interior number, they said no. I asked if they could send the technicians to the house and I’d show them which was the correct one, and they said no. After all, they’ve got 80% of the country in their back pocket. It’s not like they need my business. I had to ignore all this and just show up in person. The lady at the counter hardly even looked at me and spoke so fast I couldn’t understand what she was saying. I must have done something right, though, because she informed me a technician would be at my home within 8 business days.

I’m (reluctantly) happy to say that today in the morning a Telmex technician showed up and took no more than 20 minutes to set up the phone line. I don’t own a house phone so I couldn’t verify if there was dial tone, but he said it should work just fine. I’ve also been told I can go pick up my modem from the Telmex office I ordered the service from. How fun.

I really wish I could have gone with Axtel. Minus the refund thing, they were pretty attentive whenever I spoke with them. I worked as a Technical Support Specialist for a major American ISP a few months ago and these people’s service is a thousand times better as far as I’m concerned. I’m really excited to get home today and set everything up. I’ll be posting soon about how that goes, hopefully from the comfort of my bedroom :)

Questionable Content and Indie Girls

2010-08-27T15:09:46-05:00

While reading the latest XKCD, I started looking all over the site for the link to the unixkcd that was featured on April 1st (I eventually found it). I’ve always been aware of the “Comics I Enjoy” links toward the bottom of the page but I’ve never actually clicked on any. I went through a couple and the one that caught my interest was Questionable Content by Jeph Jacques.

The last comic put up is #1740. Yep, over one thousand strips. I decided to start reading the comic from the beginning and I’ve got to say I love it so far. I got up to #38 and stopped abruptly. Nearly every comic up to that point contains a few paragraphs below it with some updates from the artist regarding the site, the comic itself and other bits of information. In this particular one, Jeph links to that End of the World flash animation that was so popular back in the early 2000’s and was most likely one of the first internet videos I saw.

It made me think back at all the stuff that was cool amongst the internet in 2003 how much things have changed. It’s enough to mention that the first time I saw that video it took about a half hour to load, I had an old eMachines with 256mb RAM and dial-up service with AOL software bundled. In the comics before that, the artist made references to installing iTunes for the first time and wanting a Power Mac G5. I remember getting my first and only iPod around that time. Looking at it now, it weighs a ton, doesn’t have color, and I can’t believe I thought 20GB was a lot. How could they not make an MP3 player with a color screen in 2003?!

Anyway, another thing the comic mentions a lot are indie girls! According to Urban Dictionary:

They listen to music that you’ve probably never heard of, wear what they want and are usually in touch with subjects that allow them to express themselves such as textiles,art,media,music and photography. That made me laugh out loud. I’ve never really thought about the term a lot but if an indie girl is anything like Faye (or Zooey Deschanel), then I’m all for it. Incidentally, a picture of Zooey is one of the first things that popped up when I Googled “indie girl” and is the subject on a blog post on Indie Girls Deconstructed.

Is this what an indie girl looks like?

I loved her in Eulogy and it remains one of my favorite movies. It was also released in 2004, so it totally goes with the theme of this post.

I should also mention that I finally bought a computer. Upcoming post about that, so stay tuned.

Project Upstream

2010-08-09T20:01:21-05:00

Earlier today I received a rather simple yet strange instant message on AIM. The strange thing about it was that the other person’s screen name was in the form of a 9-digit number. I really didn’t think it was an ICQ number and it was one digit too short to be a U.S phone number. I Googled the first three digits just to make sure it wasn’t a phone number and it turns out 614 is the area code for Columbus, OH. I don’t know anybody from Ohio, so I responded.

me: Hey

614929371: hi?

me: You said hi first.

614929371: haha who are you?

me: You said hi first.. who are YOU?

614929371: hmm i think youre project upstream?

A quick Google search took me to the Project Upstream website. Upon reading their website description, I remembered what this was all about. It turns out Project Upstream is the new name for a project that used Salmon-themed screen names (FlavoredSalmon, SenileSalmon, CannedSalmon, etc ) to get two strangers to talk to each other. Both users would receive a message and would be connected if they responded. The screen names have also been known to end in -Coho or -Trout. This project also used to be called “The Great Hatsby”. This is the description from an archived Wikipedia page, since the current one has been deleted:

The Great Hatsby is the name of an AIM Bot that instigates conversation between two totally unrelated people. Its name is a play on words from the book The Great Gatsby. It is a relay bot that retrieves the most recently updated LiveJournal posts and obtains the AIM screenname of the posting user. It then sends the user the message “I say, old bean, have you seen my hat?” Responses from users are then forwarded by the bot to another one of the users similarly contacted. From this both users are typically confused insisting the other messaged them first and try to figure out what is going on

If you find it annoying, there’s a way to opt out from these messages. When you get a message from a screen name ending in Trout, Coho, or Salmon simply type $optout and it will respond with OPERATOR: Are you sure you want to opt-out? If you do, you will *never* be contacted again on the account. There is *no way* to opt back in and undo this. If you are sure, type $optout DADD. Remember, this is permanent and irreversible!

Once you type $optout DADD to verify you are sure, you will see OPERATOR: You have opted out. The account will *never* be contacted again. Good bye! and you will never be contacted again - in theory.

Personally, I think it’s a neat social experiment to connect strangers online. I remember posting a some conversations on the themissinghat LiveJournal community a few years back when I first received one of these messages. Based on the most recent posts, it seems the bot screen names have now shifted to variants with numbers. If you want to opt-in and receive these messages, head over to the Project Upstream website, type in your screen name, and wait!

Edit Google Docs In Nautilus

2010-07-21T14:41:34-05:00

If you’ve ever needed a way to edit your Google Docs files from your Ubuntu Linux desktop, DoctorMo’s Google Doc Mount is just for you. Once installed, this nifty piece of software will do just that - mount your Google Docs files as a drive on your desktop.

You can open up a document in a word processor to edit it and any changes you make will also show up on Google Docs. To store them locally, simply drag and drop from the Nautilus window to the desktop. From DoctorMo:

If you try this, remember that it’s not a supported piece of software, bugs aren’t likely to be fixed (unless you fix them of course) the code is available and it should work on Lucid. It won’t be ported to any other versions (at least by me) but it should be easy to recompile everything for other versions anyway

Keep in mind that you are required to type in your username and password every time you use it.

New Google Image Search Results Page

2010-07-20T21:24:54-05:00

I realize I’m a little late on this, but it’s difficult to do a small write up during a busy workday. Well, today Google announced the release of a revamped Google Image Search results page. The new results page features more focus on the images than before.

Another change that has taken place is the new landing page. When you click on an image, you will no longer be taken to the destination website inside a Google frame. Instead, you will get the image in full size on top of the website where it is located.

The new results page puts more focus on the imgages

Here’s a rundown of the new features:

Dense tiled layout designed to make it easy to look at lots of images at once. We want to get the app out of the way so you can find what you’re really looking for.
Instant scrolling between pages, without letting you get lost in the images. You can now get up to 1,000 images, all in one scrolling page. And we’ll show small, unobtrusive page numbers so you don’t lose track of where you are.
Larger thumbnail previews on the results page, designed for modern browsers and high-res screens.
A hover pane that appears when you mouse over a given thumbnail image, giving you a larger preview, more info about the image and other image-specific features such as “Similar images.”
Once you click on an image, you’re taken to a new landing page that displays a large image in context, with the website it’s hosted on visible right behind it. Click anywhere outside the image, and you’re right in the original page where you can learn more about the source and context.
Optimized keyboard navigation for faster scrolling through many pages, taking advantage of standard web keyboard shortcuts such as Page Up / Page Down. It’s all about getting you to the info you need quickly, so you can get on with actually building that treehouse or buying those flowers.

I particularly like the web keyboard shortcuts part. They should really adopt this for their search results, too. It’s a pain having to keep clicking and navigating page after page to find the result I want. Hitting the spacebar or just tapping the Page Down button would be far quicker. Some people say the new results page looks a lot like Bing’s image search. This wouldn’t be the first time Google is accused of copying Bing. When they gave users the ability to change the Google homepage background image last month, many felt frustrated at how much it resembled Bing’s homepage. I hope they don’t keep releasing similar features to Bing. I come to Google for their minimalism and accurate search results. If I wanted to be distracted by as many things as possible I’d use Yahoo or Bing.

My New Home

2010-07-19T21:26:59-05:00

This is going to be my new home on the net. I look forward to updating quite often.