Mail Configuration On Redhat Server


NEXT GENERATION TECHNOCOM PVT. LTD.

Mail Server Configuration on Redhat Linux
Mail Configuration
By Subrata Sarma Chowdhury

2014

Contents:
1. Postfix and Dovecot configuration ........ 2
2. Active directory integration ............. 17
3. Troubleshooting .......................... 20

Mail Server Configuration in Redhat Linux Server using Mail Transfer Agent (Postfix)

Postfix and Dovecot configuration :

This document describes the installation and configuration of a mail server on a Redhat
server using the Postfix mail transfer agent, with Dovecot as the mail delivery client.
Postfix here uses port 25 (the default SMTP port). The steps we follow to
configure the mail server are given below:

1) Install the MTA package postfix using the following command:

   yum install postfix -y

2) Edit the postfix main.cf file; the command for this is: vi /etc/postfix/main.cf
3) We need to edit the following lines (75, 97, 111, 116, 262, 424) in the main.cf file.
The following screenshots show the edited format:


4) Linux DNS server BIND configuration:

Following are the steps to configure BIND DNS. Note that the commands and paths in this
section follow the Debian layout (/etc/bind, the bind9 init script); on a Redhat server
the equivalents are /etc/named.conf, /var/named and the named service, and the dig and
named-check* tools come from the bind-utils package.

I. Bind10 nameserver installation:
Install a bind nameserver with the following command:
yum install bind bind-utils -y
II. Creating a DNS zone file:
At this stage we need to create a new zone file for the domain.
Navigate to the /etc/bind/ directory and execute the following sequence of
commands to create and enter zones/master/:

cd /etc/bind
mkdir -p zones/master
cd zones/master/

The /etc/bind/zones/master directory will contain a zone file for the
domain. This zone file, db.linuxconfig.org, holds the DNS records that let
the nameserver resolve a fully qualified domain name to an IP
address. Create and save db.linuxconfig.org with the following
content:

;
; BIND data file for linuxconfig.org
;
$TTL    3h
@       IN      SOA     ns1.linuxconfig.org. admin.linuxconfig.org. (
                        1       ; Serial
                        3h      ; Refresh after 3 hours
                        1h      ; Retry after 1 hour
                        1w      ; Expire after 1 week
                        1h )    ; Negative caching TTL of 1 hour
;
@                   IN      NS      ns1.linuxconfig.org.
                    IN      NS      ns2.linuxconfig.org.

linuxconfig.org.    IN      MX      10      mail.linuxconfig.org.
linuxconfig.org.    IN      A       192.168.0.10
ns1                 IN      A       192.168.0.10
ns2                 IN      A       192.168.0.11
www                 IN      CNAME   linuxconfig.org.
mail                IN      A       192.168.0.10
ftp                 IN      CNAME   linuxconfig.org.

Here is a quick review of some lines from the above BIND DNS zone file:
SOA record: the nameserver authoritative for the zone linuxconfig.org is
ns1.linuxconfig.org, and admin.linuxconfig.org is the email address of the person
responsible for this DNS zone.
NS records: the two nameservers for the linuxconfig.org zone are
ns[1,2].linuxconfig.org.
MX (Mail Exchange): the mail exchange record for linuxconfig.org. The number 10 is the
preference value; when several MX records exist, the one with the lowest value is tried first.
A records: A simply means address; in other words, in the linuxconfig.org zone ns1 has
the A (address) record 192.168.0.10.
CNAME record (canonical name record): restart the query using the canonical name
instead of the original name.
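The review above covers what each record type means; what bites in practice is the relationship between them. The following script is an added example, not part of the original document: a pre-flight check that complements named-checkzone by parsing the zone syntax used above (blank owner = previous owner, "@" = origin, relative names, a parenthesised SOA) and reporting two classic mistakes, an MX or NS record whose target is a CNAME (not allowed by RFC 2181) and an in-zone MX or NS target with no A record. The "good" sample file mirrors the db.linuxconfig.org file above; the "bad" sample, with the example.com names, is constructed to trigger both findings.

```shell
#!/bin/sh
# Added example, not from the original document: sanity-check MX/NS targets in
# a BIND zone file before loading it. Sample zones below are constructed.

# check_zone ORIGIN FILE -> prints each problem found, exit status 0 when clean
check_zone() {
    awk -v origin="$1" '
    function fqdn(n) {
        if (n == "@") return origin "."
        if (n ~ /\.$/) return n                  # already absolute
        return n "." origin "."                  # relative to the origin
    }
    function inzone(n) {
        return (n == (origin ".")) || (substr(n, length(n) - length(origin) - 1) == ("." origin "."))
    }
    {
        sub(/;.*/, "")                           # strip comments
        if ($0 ~ /^[ \t]*$/) next
        if (inparen) { if ($0 ~ /\)/) inparen = 0; next }   # rest of a multi-line SOA
        if ($1 == "$TTL" || $1 == "$ORIGIN") next
        if ($0 ~ /^[ \t]/) $0 = owner " " $0; else owner = $1   # blank owner = previous owner
        i = 2                                    # skip optional TTL and class columns
        if ($i ~ /^[0-9]+[smhdwSMHDW]?$/) i++
        if (toupper($i) == "IN") i++
        type = toupper($i)
        if (type == "SOA") { if ($0 ~ /\(/ && $0 !~ /\)/) inparen = 1; next }
        name = fqdn(owner)
        if (type == "A")          has_a[name] = 1
        else if (type == "CNAME") is_cname[name] = 1
        else if (type == "NS")    target[fqdn($(i + 1))] = "NS for " name
        else if (type == "MX")    target[fqdn($(i + 2))] = "MX for " name   # skip the preference
    }
    END {
        bad = 0
        for (t in target) {
            if (is_cname[t]) { print target[t] ": " t " is a CNAME"; bad++ }
            else if (inzone(t) && !has_a[t]) { print target[t] ": " t " has no A record"; bad++ }
        }
        exit (bad > 0)
    }' "$2"
}

# demo_zone_good: constructed copy of the records from db.linuxconfig.org above
demo_zone_good() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
$TTL    3h
@       IN      SOA     ns1.linuxconfig.org. admin.linuxconfig.org. (
                        1       ; Serial
                        3h      ; Refresh after 3 hours
                        1h      ; Retry after 1 hour
                        1w      ; Expire after 1 week
                        1h )    ; Negative caching TTL
;
@                   IN      NS      ns1.linuxconfig.org.
                    IN      NS      ns2.linuxconfig.org.
linuxconfig.org.    IN      MX      10      mail.linuxconfig.org.
linuxconfig.org.    IN      A       192.168.0.10
ns1                 IN      A       192.168.0.10
ns2                 IN      A       192.168.0.11
www                 IN      CNAME   linuxconfig.org.
mail                IN      A       192.168.0.10
EOF
    echo "$f"
}

# demo_zone_bad: constructed zone with an MX pointing at a CNAME and an NS without glue
demo_zone_bad() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
$TTL 3h
@    IN SOA   ns1.example.com. admin.example.com. ( 1 3h 1h 1w 1h )
@    IN NS    ns1.example.com.
     IN NS    ns2.example.com.
@    IN MX    10 mail
@    IN A     192.0.2.10
ns1  IN A     192.0.2.10
mail IN CNAME example.com.
EOF
    echo "$f"
}

# usage: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    check_zone linuxconfig.org "$(demo_zone_good)" && echo "good zone: clean"
    check_zone example.com "$(demo_zone_bad)" || echo "bad zone: problems found"
fi
```

Run it on a real file with check_zone yourdomain /etc/bind/zones/master/db.yourdomain before named-checkzone; named-checkzone validates syntax and will load a zone whose MX points at a CNAME, which is exactly the case that later shows up as bounced mail.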
III. Address-to-name mappings:
At this stage the bind DNS server can resolve a linuxconfig.org host name to an IP
address. For address-to-name (reverse) mapping, create the file db.192.168.0 with
the following content:

;
; BIND reverse data file for 0.168.192.in-addr.arpa
;
$TTL    604800
0.168.192.in-addr.arpa.     IN      SOA     ns1.linuxconfig.org. admin.linuxconfig.org. (
                        2       ; Serial
                        3h      ; Refresh after 3 hours
                        1h      ; Retry after 1 hour
                        1w      ; Expire after 1 week
                        1h )    ; Negative caching TTL of 1 hour
;
0.168.192.in-addr.arpa.     IN      NS      ns1.linuxconfig.org.
0.168.192.in-addr.arpa.     IN      NS      ns2.linuxconfig.org.
10.0.168.192.in-addr.arpa.  IN      PTR     linuxconfig.org.

IV. Updating a BIND configuration file:


At this point we should have two files ready:
/etc/bind/zones/master/db.linuxconfig.org
/etc/bind/zones/master/db.192.168.0

All we need to do now is to insert both zone file names into BIND's configuration file
named.conf.local. To do that, add the following lines to this file:

zone "linuxconfig.org" {
        type master;
        file "/etc/bind/zones/master/db.linuxconfig.org";
};

zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/master/db.192.168.0";
};

The last thing before we go ahead and check the configuration is to add the IP address of
a stable DNS server to the named.conf.options file. This IP address is used when the local
DNS server does not know the answer to a name resolution query. The IP address of such a
DNS server is in many cases provided by your Internet provider; alternatively, if you are a
Google fan, use 8.8.8.8 or 8.8.4.4. Replace the following block of text within the
named.conf.options file:

// forwarders {
//      0.0.0.0;
// };

with the new stable DNS server IP address:

forwarders {
        8.8.4.4;
};

V. Checking BIND's zone files and configuration:

Before we start the bind nameserver with the new zone and configuration, here are some
tools to check that we have not made a typo or misconfiguration. To check the
configuration files, run the following command:

named-checkconf

To check the DNS zone files we can use the named-checkzone command:

named-checkzone linuxconfig.org /etc/bind/zones/master/db.linuxconfig.org
zone linuxconfig.org/IN: loaded serial 1
OK

Reverse zone file check:

named-checkzone 0.168.192.in-addr.arpa /etc/bind/zones/master/db.192.168.0
zone 0.168.192.in-addr.arpa/IN: loaded serial 2
OK

VI. Start / restart bind server:

At this point nothing stops us from running the bind9 DNS server:

/etc/init.d/bind9 start
Starting domain name service...: bind9.

Alternatively, if your bind server is already running, use the following command to
restart it:
/etc/init.d/bind9 restart
Stopping domain name service...: bind9.
Starting domain name service...: bind9.

VII. Testing the bind server configuration:

The dig command from the dnsutils package (bind-utils on Redhat) comes in handy for
testing the new bind nameserver configuration. dig can be run from any PC that has
network access to your DNS server, but preferably you should start testing from
localhost. In our case the IP address of the name server is 192.168.135.130. First we
test host-to-IP resolution:

dig @192.168.135.130 www.linuxconfig.org

; <<>> DiG 9.6-ESV-R1 <<>> @192.168.135.130 www.linuxconfig.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60863
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.linuxconfig.org.           IN      A

;; ANSWER SECTION:
www.linuxconfig.org.    10800   IN      CNAME   linuxconfig.org.
linuxconfig.org.        10800   IN      A       192.168.0.10

;; AUTHORITY SECTION:
linuxconfig.org.        10800   IN      NS      ns2.linuxconfig.org.
linuxconfig.org.        10800   IN      NS      ns1.linuxconfig.org.

;; ADDITIONAL SECTION:
ns1.linuxconfig.org.    10800   IN      A       192.168.0.10
ns2.linuxconfig.org.    10800   IN      A       192.168.0.11

;; Query time: 0 msec
;; SERVER: 192.168.135.130#53(192.168.135.130)
;; WHEN: Thu Aug  5 18:50:48 2010
;; MSG SIZE  rcvd: 135

Next we test IP-to-host resolution:

dig @192.168.135.130 -x 192.168.0.10

; <<>> DiG 9.6-ESV-R1 <<>> @192.168.135.130 -x 192.168.0.10
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10810
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;10.0.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
10.0.168.192.in-addr.arpa. 604800 IN    PTR     linuxconfig.org.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 604800  IN      NS      ns2.linuxconfig.org.
0.168.192.in-addr.arpa. 604800  IN      NS      ns1.linuxconfig.org.

;; ADDITIONAL SECTION:
ns1.linuxconfig.org.    10800   IN      A       192.168.0.10
ns2.linuxconfig.org.    10800   IN      A       192.168.0.11

;; Query time: 0 msec
;; SERVER: 192.168.135.130#53(192.168.135.130)
;; WHEN: Thu Aug  5 18:52:06 2010
;; MSG SIZE  rcvd: 140

5) Now install the Dovecot mail delivery agent on the Redhat server. After installation,
configure the dovecot.conf file as shown in the screenshot: uncomment lines 24 and 30
(the protocols and listen settings). Also configure 10-auth.conf, 10-mail.conf and
10-master.conf for authentication, mail_location and SMTP authentication respectively.

6) If SSL is not required, write ssl = no in the 10-ssl.conf file. Start and enable the
dovecot service using the following commands.
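Steps 3, 5 and 6 above are all "find this parameter in this file and set it", and editing by line number breaks as soon as a package update shifts the stock file. The script below is an added example, not part of the original document or a screenshot from it: a small set_conf_param helper that rewrites a parameter by name (commented out or not) and appends it when absent, applied to the Postfix main.cf parameters and to the Dovecot files named in steps 5 and 6. The host names, networks and the stock-file excerpts it writes into a temporary directory are constructed assumptions; the parameter names are the standard Postfix and Dovecot ones.

```shell
#!/bin/sh
# Added example, not from the original document: apply the Postfix (step 3) and
# Dovecot (steps 5 and 6) settings by parameter name instead of by line number.
# Host names, networks and sample file contents are constructed.

# set_conf_param FILE KEY VALUE
# Rewrites the first line that sets KEY, commented out ("#key = ...") or not,
# as "KEY = VALUE"; appends the line if KEY does not occur in FILE at all.
set_conf_param() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        !done && $0 ~ ("^[# \t]*" key "[ \t]*=") { print key " = " value; done = 1; next }
        { print }
        END { if (!done) print key " = " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# configure_postfix MAIN_CF HOSTNAME DOMAIN TRUSTED_NETWORKS
configure_postfix() {
    cf=$1
    set_conf_param "$cf" myhostname "$2"
    set_conf_param "$cf" mydomain "$3"
    set_conf_param "$cf" myorigin '$mydomain'
    set_conf_param "$cf" inet_interfaces all          # accept mail on every interface
    set_conf_param "$cf" mydestination '$myhostname, localhost.$mydomain, localhost, $mydomain'
    # mynetworks decides who may relay without authenticating: anything wider
    # than loopback plus your own LAN turns the server into an open relay.
    set_conf_param "$cf" mynetworks "$4"
    set_conf_param "$cf" home_mailbox Maildir/
}

# configure_dovecot CONFDIR   (CONFDIR holds dovecot.conf and conf.d/)
configure_dovecot() {
    d=$1
    set_conf_param "$d/dovecot.conf" protocols "imap pop3 lmtp"   # line 24 in step 5
    set_conf_param "$d/dovecot.conf" listen '*, ::'                # line 30 in step 5
    set_conf_param "$d/conf.d/10-auth.conf" auth_mechanisms "plain login"
    # With ssl = no (step 6) passwords cross the wire in clear text, so only
    # allow plaintext logins when clients reach the server over a trusted LAN.
    set_conf_param "$d/conf.d/10-auth.conf" disable_plaintext_auth no
    set_conf_param "$d/conf.d/10-mail.conf" mail_location "maildir:~/Maildir"
    set_conf_param "$d/conf.d/10-ssl.conf" ssl no                  # step 6
    # The Postfix SMTP-auth socket in 10-master.conf is a "service auth { ... }"
    # block rather than a key = value line, so it is left to manual editing.
}

# demo_configure: write constructed stock-style files under a temp directory,
# apply both functions and print the directory so the result can be inspected.
demo_configure() {
    w=$(mktemp -d) || return 1
    mkdir -p "$w/postfix" "$w/dovecot/conf.d"
    cat > "$w/postfix/main.cf" <<'EOF'
# constructed excerpt of a stock main.cf
#myhostname = host.domain.tld
#mydomain = domain.tld
#myorigin = $mydomain
inet_interfaces = localhost
#mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks_style = host
EOF
    printf '#protocols = imap pop3 lmtp\n#listen = *, ::\n' > "$w/dovecot/dovecot.conf"
    printf '#disable_plaintext_auth = yes\nauth_mechanisms = plain\n' > "$w/dovecot/conf.d/10-auth.conf"
    printf '#mail_location = \n' > "$w/dovecot/conf.d/10-mail.conf"
    printf 'ssl = yes\nssl_cert = </etc/pki/dovecot/certs/dovecot.pem\n' > "$w/dovecot/conf.d/10-ssl.conf"
    configure_postfix "$w/postfix/main.cf" mail.example.com example.com "127.0.0.0/8, 192.168.0.0/24"
    configure_dovecot "$w/dovecot"
    echo "$w"
}

# usage: sh this_script.sh demo   (prints the rewritten main.cf)
if [ "${1:-}" = demo ]; then
    w=$(demo_configure) && cat "$w/postfix/main.cf"
fi
```

On a live server point configure_postfix at /etc/postfix/main.cf and configure_dovecot at /etc/dovecot, then run postfix check and doveconf -n before restarting the services; both report a parameter that was spelled wrongly or appended twice.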

Active directory integration :

Joining the Domain

Joining an Active Directory domain couldn't be simpler in Fedora 20. First, install the
dependencies.
#yum install oddjob oddjob-mkhomedir sssd adcli samba-common
Once that is done, you can join the domain with the following command.
#realm join -U username.da corp.mydomain.com
Now reboot your machine or manually start all the services you just installed, and you
will be able to log in to your Fedora machine using an Active Directory account. If you
were to look at one of your domain controllers in the Active Directory Users and
Computers applet, you would see a new machine account for your Fedora machine.
This means that you don't have to manually create service accounts and passwords for
your Fedora machine to make LDAP queries and perform Kerberos authentication.
You can see information about the domain now using
#realm list

Configuration

Now that you are joined to the domain, there are some security considerations and
other configuration details you should take care of. First, decide what login
format you want to use. Would you prefer to type in your full username in the
format username@corp.mydomain.com? If so, there is nothing to be done. If you
would rather just log in with username, then edit the sssd configuration file and do not
require fully qualified names. In our examples we will not allow any local
accounts on the Linux machine, so there is no worry about duplicate usernames.
#vi /etc/sssd/sssd.conf
Update the variable to
use_fully_qualified_names = False
Domain administrators do not automatically have any special privileges on the Fedora
machine, so it is a good idea to allow them to sudo so they can perform system
administration tasks. In the sudoers file the % sign indicates a group and the \ character
allows you to use spaces in the group name.
#visudo
Add the following line
%Domain\ Admins@corp.mydomain.com ALL=(ALL) ALL

Security

If regular users are not required to log in to this server at all, through ssh or any installed
application, we can restrict logins to domain administrators at the sssd level.
#realm permit -g Domain\ Admins@corp.mydomain.com
If regular users will need to authenticate to an installed application (like apache) using
their Active Directory accounts, but will not need ssh access, skip the above line and
instead use PAM to restrict just SSH:
#vi /etc/pam.d/sshd
Add the following line to the auth section. The square brackets allow us to use the
space in the group name.
auth    required    pam_succeed_if.so user ingroup [Domain Admins]

Since sshd also allows GSSAPI authentication by default, which is not part of the
PAM stack, we want to turn it off; otherwise anyone who is logged into a Windows machine
with their domain account and PuTTY could log in to the server without a password.
#vi /etc/ssh/sshd_config
Update the following line.
GSSAPIAuthentication no
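The text says to update the existing GSSAPIAuthentication line rather than add a new one, and that detail matters: sshd takes the first occurrence of a keyword and ignores later duplicates, so "GSSAPIAuthentication no" appended at the end of the file changes nothing if an earlier line still says "yes", and a value placed inside a Match block applies only to matching connections. The script below is an added example, not from the original document, that resolves a keyword's effective global value the way sshd does and reports whether GSSAPI authentication is really off. The three sshd_config variants it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the original document: read an sshd_config keyword
# with sshd's own "first occurrence wins" rule. Sample files are constructed.

# sshd_option FILE KEYWORD -> prints the effective global value, or "(default)"
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                      # comment lines
        /^[ \t]*$/ { next }                      # blank lines
        {
            split($0, f, /[ \t=]+/)              # "Key value" or "Key=value"
            i = (f[1] == "") ? 2 : 1             # leading blanks give an empty field
            kw = tolower(f[i])                   # keywords are case-insensitive
            if (kw == "match") { inmatch = 1; next }
            if (inmatch) next                    # conditional, not the global value
            if (kw == key && !found) { found = 1; print f[i + 1] }
        }
        END { if (!found) print "(default)" }
    ' "$1"
}

# check_gssapi_disabled FILE -> exit 0 only when GSSAPIAuthentication is explicitly "no"
check_gssapi_disabled() {
    v=$(sshd_option "$1" GSSAPIAuthentication)
    case $(printf '%s' "$v" | tr 'A-Z' 'a-z') in
        no) echo "ok: GSSAPIAuthentication is off"; return 0 ;;
        *)  echo "FAIL: GSSAPIAuthentication resolves to $v"; return 1 ;;
    esac
}

# demo_sshd_files: write three constructed sshd_config variants, print the directory
demo_sshd_files() {
    d=$(mktemp -d) || return 1
    # first occurrence wins: the "no" appended at the end is ignored by sshd
    printf '# GSSAPIAuthentication no\nGSSAPIAuthentication yes\nGSSAPIAuthentication no\n' > "$d/appended.conf"
    # correct: the global value is "no"; a later Match block does not change it
    printf 'GSSAPIAuthentication no\nMatch User backup\n    GSSAPIAuthentication yes\n' > "$d/fixed.conf"
    # set only inside a Match block: the global value is still the default
    printf 'Match Address 192.168.0.0/24\n    GSSAPIAuthentication no\n' > "$d/matchonly.conf"
    echo "$d"
}

# usage: sh this_script.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    check_gssapi_disabled "$1"
fi
```

On the server itself, sshd -T prints the fully resolved configuration and is the authoritative check; this script is for auditing copies of sshd_config (for example from a configuration repository) where sshd is not available.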

Timekeeping

Since Active Directory logins rely on good timekeeping and Active Directory servers are
already NTP servers, we might as well make sure our clock stays in sync.
#yum install chrony
#vi /etc/chrony.conf
Assuming you have created a DNS CNAME called ntp that points to dc1 or dc2, update
the following lines:
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.fedora.pool.ntp.org iburst
#server 1.fedora.pool.ntp.org iburst
#server 2.fedora.pool.ntp.org iburst
#server 3.fedora.pool.ntp.org iburst
server ntp

Troubleshooting :
Check that Dovecot is listening for connections:
telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.

If you get "connection refused", check that pop3 is included in the protocols setting
in dovecot.conf. Also check that the listen setting is *.
Next check that it also works from a remote host:
# telnet imap.example.com 110
Trying 1.2.3.4...
Connected to imap.example.com.
Escape character is '^]'.
+OK Dovecot ready.

Check that it's allowing logins:

# telnet localhost 110
user username
pass password

Replace the username and password with the ones you added
to passwd.dovecot in BasicConfiguration.
You should get a "+OK Logged in." reply. If you get an "Authentication failed" error,
set auth_verbose = yes and auth_debug = yes in dovecot.conf, restart Dovecot and try
again. The log file should now show enough information to help you fix the problem.

Check that it's allowing remote logins:

You'll need to try this from another computer, since all local IPs are treated as secure:
# telnet imap.example.com 110
user username
pass password
If the connection hangs instead of giving +OK Dovecot ready, you have a firewall
that's preventing the connection.
Otherwise, the only difference here compared to the step above is that you might get:
-ERR Plaintext authentication disabled.
If this is the case, you didn't set disable_plaintext_auth = no. You could alternatively
use OpenSSL to test that the server works with SSL (assuming you've already set it up):
# openssl s_client -connect imap.example.com:995
+OK Dovecot ready.
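The telnet checks above (banner, USER/PASS, STAT, QUIT) are easy to script so they can be rerun after every configuration change. The script below is an added example, not from the original document: pop3_check sends the whole POP3 dialogue to a server command and classifies the reply into the outcomes the troubleshooting steps describe (no banner, plaintext authentication disabled, authentication failed, logged in with a message count). The server is passed as a command, so the same check works against "nc -w 5 host 110", against "openssl s_client -quiet -connect host:995" (the way to send real credentials to a remote host, since with disable_plaintext_auth = no they otherwise travel in clear text on port 110), and against the constructed fake_dovecot function, which mimics the replies quoted above so the check runs offline. The account alice / s3cret it accepts is constructed.

```shell
#!/bin/sh
# Added example, not from the original document: scripted version of the manual
# POP3 telnet checks. fake_dovecot and its credentials are constructed.

# pop3_check SERVER_COMMAND USER PASSWORD
# Prints one verdict line; exit 0 = logged in, 2 = plaintext auth disabled,
# 3 = bad credentials, 1 = no reply or an unexpected reply.
pop3_check() {
    server=$1; user=$2; pass=$3
    cr=$(printf '\r')
    # POP3 servers accept pipelined commands, so the whole dialogue is sent at once
    out=$(printf 'USER %s\r\nPASS %s\r\nSTAT\r\nQUIT\r\n' "$user" "$pass" \
          | $server 2>/dev/null | tr -d "$cr")
    [ -n "$out" ] || { echo "no-response (firewall, wrong port or not listening)"; return 1; }
    case $(printf '%s\n' "$out" | sed -n '1p') in
        +OK*) ;;                                          # "+OK Dovecot ready."
        *) echo "bad-banner"; return 1 ;;
    esac
    auth=$(printf '%s\n' "$out" | sed -n '2,3p')          # USER and PASS replies
    case $auth in
        *"Plaintext authentication disabled"*) echo "plaintext-disabled"; return 2 ;;
        *"Authentication failed"*)             echo "auth-failed"; return 3 ;;
    esac
    case $(printf '%s\n' "$out" | sed -n '3p') in
        +OK*) ;;                                          # "+OK Logged in."
        *) echo "unexpected PASS reply"; return 1 ;;
    esac
    set -- $(printf '%s\n' "$out" | sed -n '4p')          # "+OK <count> <octets>"
    echo "login-ok messages=${2:-?}"
    return 0
}

# fake_dovecot [disabled]: constructed stand-in for a Dovecot POP3 server that
# accepts alice / s3cret. With the argument "disabled" it answers the way a
# server with disable_plaintext_auth = yes does for a non-local client.
fake_dovecot() {
    mode=${1:-}
    cr=$(printf '\r')
    authed=0; user=
    printf '%s\n' "+OK Dovecot ready."
    while IFS= read -r line; do
        line=${line%"$cr"}
        set -- $line
        case $(printf '%s' "${1:-}" | tr 'a-z' 'A-Z') in
            USER) if [ "$mode" = disabled ]; then printf '%s\n' "-ERR [AUTH] Plaintext authentication disabled."
                  else user=${2:-}; printf '%s\n' "+OK"; fi ;;
            PASS) if [ "$mode" != disabled ] && [ "$user" = alice ] && [ "${2:-}" = s3cret ]; then
                      authed=1; printf '%s\n' "+OK Logged in."
                  else printf '%s\n' "-ERR [AUTH] Authentication failed."; fi ;;
            STAT) if [ "$authed" = 1 ]; then printf '%s\n' "+OK 1 1532"; else printf '%s\n' "-ERR Unknown command."; fi ;;
            QUIT) printf '%s\n' "+OK Logging out."; return 0 ;;
            *)    printf '%s\n' "-ERR Unknown command." ;;
        esac
    done
}

# usage: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    pop3_check fake_dovecot alice s3cret
    pop3_check fake_dovecot alice wrong
    pop3_check "fake_dovecot disabled" alice s3cret
fi
```

Against a real server the exit status maps directly onto the fixes given above: 2 means the connection is non-local and plaintext is disabled (use the TLS port 995 or, on a trusted LAN only, set disable_plaintext_auth = no), 3 means the credentials or passwd.dovecot need attention, and 1 with "no-response" points at the firewall or the listen setting.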

Check that it finds the mails:

After logging in, check that it sees mails:
stat
+OK 1 1532
retr 1
+OK 1532 octets
<the mail's contents>
.
It should contain the mail that you sent to yourself in the FindMailLocation step.
If anything goes wrong, set mail_debug = yes and try again. The log file should now
contain debugging information about where Dovecot is trying to find the mails.
Fix the mail_location setting and try again.

Check that real mail clients work:

Since mail clients can be configured in various ways, please check first whether the problem
is with the Dovecot configuration or with the client's configuration. You can rule out its
being Dovecot's problem with the "telnet" methods described above.
If you can't log in:
- Make sure SSL/TLS settings are correct.
- Make sure the client uses the plaintext authentication method, unless you've
  specifically configured Dovecot to accept others.
Many POP3 clients have been tested with Dovecot and they work.

Make a graceful exit:


To close the connection to Dovecot issue a logout:
quit
+OK Logging out.
