Setting up an IMAP server on Fedora Core 5
With an increasing amount of spam reaching my inbox and the need
to have my email accessible from multiple computers, I decided to
set up a personal IMAP server running on Fedora Core 5. Specifically,
I chose the dovecot IMAP package, Maildir formatted mailboxes,
postfix as a Mail Transfer Agent, Spamassassin running through procmail,
and POP3 accounts polled using fetchmail. What follows is a very terse
setup guide, mostly just notes to help me with future installations, but others may find it useful.
Switch MTA and configure postfix
Fedora Core 5 comes with the sendmail program installed as a default MTA.
Although Fedora ships with a utility to switch MTAs for you, I chose the more
traditional approach. I used yum to directly uninstall sendmail and install
postfix.
The following changes are made to /etc/postfix/main.cf. First set the myhostname and inet_interfaces variables for your system. Next instruct postfix to use qmail style Maildir mailboxes.
#home_mailbox = Mailbox
home_mailbox = Maildir/
Configure postfix to use procmail to deliver mail to users' accounts. This is one of the easiest ways to use Spamassassin.
#mailbox_command = /some/where/procmail
mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir
At this point, make sure SELinux is disabled. I was not able to get SELinux to work with the qmail-style Maildir format. Additionally, check to ensure that the postfix service is set up to run on startup. Modify the /etc/aliases file to deliver mail intended for root to a local user account.
Procmail configuration
Ensure that both procmail and spamassassin are installed.
For each user on the system, I used the following $HOME/.procmailrc file:
# SpamAssassin sample procmailrc
# ==============================
DROPPRIVS=yes
:0fw: spamassassin.lock
* < 256000
| spamassassin
# All mail tagged as spam (e.g. with a score higher than the set
# threshold) is moved to the "INBOX.Spam" Maildir folder.
:0:
* ^X-Spam-Status: Yes
$HOME/Maildir/.INBOX.Spam/
# Work around procmail bug: any output on stderr will cause the "F"
# in "From" to be dropped. This will re-add it.
# NOTE: This is probably NOT needed in recent versions of procmail
:0
* ^^rom[ ]
{
LOG="*** Dropped F off From_ header! Fixing up. "
:0 fhw
| sed -e '1s/^/F/'
}
At this point, mail sent to user@localhost should be ending up in the user's $HOME/Maildir directory, with the proper headers added by Spamassassin:
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on dion
X-Spam-Level:
X-Spam-Status: No, score=-4.4 required=5.0 tests=ALL_TRUSTED,BAYES_00
autolearn=ham version=3.1.3
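The procmail recipe above only pipes messages smaller than 256000 bytes through spamassassin, so larger mail is delivered without any X-Spam-Status header. The following script is an added example, not part of the original guide; its function names and the sample messages are constructed for illustration. It reports which messages in a Maildir folder were never scanned.

```sh
#!/bin/sh
# Added example, not part of the original guide: find unscanned mail in a Maildir.

# Print "<verdict> <score> <autolearn>" from a message's X-Spam-Status header,
# or "unscanned" if it has none. Only the header block is read (parsing stops
# at the first blank line, so a header pasted into the body is ignored), and
# folded continuation lines such as "autolearn=..." are joined first.
spam_status() {
    awk '
        /^$/     { exit }                              # end of the header block
        /^[ \t]/ { if (cur) hdr = hdr " " $0; next }   # folded continuation line
                 { cur = 0 }
        hdr == "" && tolower($0) ~ /^x-spam-status:/ { hdr = $0; cur = 1 }
        END {
            if (hdr == "") { print "unscanned"; exit }
            verdict = (tolower(hdr) ~ /^x-spam-status:[ \t]*yes/) ? "spam" : "clean"
            score = "?"; learn = "?"
            if (match(hdr, /score=-?[0-9.]+/))  score = substr(hdr, RSTART + 6, RLENGTH - 6)
            if (match(hdr, /autolearn=[a-z]+/)) learn = substr(hdr, RSTART + 10, RLENGTH - 10)
            print verdict, score, learn
        }' "$1"
}

# List messages in cur/ and new/ of one Maildir folder that were never scanned.
unscanned_in() {
    for msg in "$1"/cur/* "$1"/new/*; do
        [ -f "$msg" ] || continue
        [ "$(spam_status "$msg")" = "unscanned" ] && printf '%s\n' "$msg"
    done
    return 0
}

# Constructed sample Maildir: one clean message, one spam, one unscanned.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/cur" "$d/new" || return 1
    printf '%s\n' 'From: a@example.org' \
        'X-Spam-Status: No, score=-4.4 required=5.0 tests=ALL_TRUSTED,BAYES_00' \
        ' autolearn=ham version=3.1.3' '' 'hello' > "$d/cur/1"
    printf '%s\n' 'X-Spam-Status: Yes, score=12.1 required=5.0 tests=BAYES_99' \
        '' 'buy now' > "$d/cur/2"
    printf '%s\n' 'From: b@example.org' '' 'X-Spam-Status: No, score=0.0' > "$d/new/3"
    printf '%s\n' "$d"
}

# Demonstration on the sample; for real use run: unscanned_in "$HOME/Maildir"
sample=$(make_sample) && unscanned_in "$sample" && rm -rf "$sample"
```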
Dovecot setup
The dovecot package can now be installed and the configuration file /etc/dovecot.conf modified to your preference. One slightly awkward step is the generation of a self-signed certificate for the IMAPS protocol (I disabled plain-text IMAP). After making the necessary changes to dovecot-openssl.cnf, I used the following, slightly modified mkcert command:
#!/bin/sh
# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.
OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/usr/share/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
CERTFILE=$SSLDIR/certs/dovecot.pem
KEYFILE=$SSLDIR/private/dovecot.pem
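# Both target directories must exist before openssl can write into them.
if [ ! -d "$SSLDIR/certs" ]; then
  echo "$SSLDIR/certs directory doesn't exist"
  exit 1
fi
if [ ! -d "$SSLDIR/private" ]; then
  echo "$SSLDIR/private directory doesn't exist"
  exit 1
fi
# Never overwrite an existing certificate or key.
if [ -f "$CERTFILE" ]; then
  echo "$CERTFILE already exists, won't overwrite"
  exit 1
fi
if [ -f "$KEYFILE" ]; then
  echo "$KEYFILE already exists, won't overwrite"
  exit 1
fi
# Create the self-signed certificate and an unencrypted (-nodes) private key.
$OPENSSL req -new -x509 -days 9999 -nodes -config "$OPENSSLCONFIG" \
  -out "$CERTFILE" -keyout "$KEYFILE" || exit 2
# Restrict the private key to its owner.
chmod 0600 "$KEYFILE"
echo
# Show the subject and fingerprint of the new certificate.
$OPENSSL x509 -subject -fingerprint -noout -in "$CERTFILE" || exit 2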
With a properly configured firewall, you should be able to log on to the local users' accounts via an IMAP/IMAPS client. Additionally, mail sent from the local computer to each user's account should be delivered properly with the appropriate Spamassassin headers.
Fetchmail setup and bayesian filtering
Set up fetchmail ($HOME/.fetchmailrc) to poll email accounts via the POP3/SSL protocol. Add an entry to each user's crontab to check for new mail every 15 minutes:
*/15 * * * * fetchmail -s >/dev/null 2>&1
To automate training of the Bayesian filter with Spamassassin, I created the following utility to train the filter on messages from two special folders, "TrainSpam" and "TrainHam", created as subfolders under Inbox.
#!/bin/sh
# Train the Bayesian filter from the TrainSpam and TrainHam folders,
# then empty each folder once its messages have been learned.
train() {
    mode=$1 folder=$2
    for sub in cur tmp new; do
        set -- "$folder/$sub"/*
        # Empty subdirectory: the glob did not match, so skip it.
        [ -e "$1" ] || continue
        # Delete the messages only if sa-learn processed them successfully.
        /usr/bin/sa-learn "$mode" "$@" && rm -f "$@"
    done
}
train --spam "$HOME/Maildir/.TrainSpam"
train --ham "$HOME/Maildir/.TrainHam"
There is also an entry in the crontab to run this program once an hour.
Additional Spamassassin setup
For non-commercial use, some additional features can be enabled in Spamassassin. In the file $HOME/.spamassassin/user_prefs:
score RCVD_IN_MAPS_RBL 2.0
score RCVD_IN_MAPS_DUL 1.0
score RCVD_IN_MAPS_RSS 2.0
score RCVD_IN_MAPS_NML 2.0
Pyzor and Razor can be installed:
yum install perl-Razor-Agent
yum install pyzor
pyzor discover
You can check the installation of these additional anti-spam measures by running Spamassassin on a test piece of spam:
spamassassin -t -D < /tmp/spam &> out.txt
Searching this output file for "razor" and "pyzor" should reveal some activity.
Email backup
I manually perform backups every Friday. In addition to the $HOME/Maildir folder, be sure to back up $HOME/.spamassassin, since this directory contains the results of Bayesian filter training. I am comfortable with weekly backups since I have my IMAP client set up to download all messages locally, so at most I would lose the messages between the times I check my email. If this is unacceptable, I suggest deployment of an alternate backup scheme.