Mail Configuration On Redhat Server
Mail Server Configuration on Redhat Linux
By Subrata Sarma Chowdhury
2014
Contents:
1. Postfix and Dovecot configuration ........ 2
3. Troubleshooting .......................... 20
cd /etc/bind
mkdir -p zones/master
cd zones/master/
;
; BIND data file for linuxconfig.org
;
$TTL    3h
@       IN      SOA     ns1.linuxconfig.org. admin.linuxconfig.org. (
                        1       ; Serial
                        3h      ; Refresh
                        1h      ; Retry
                        1w      ; Expire
                        1h )    ; Negative cache TTL
;
@       IN      NS      ns1.linuxconfig.org.
@       IN      NS      ns2.linuxconfig.org.

linuxconfig.org.    IN      MX      10      mail.linuxconfig.org.
linuxconfig.org.    IN      A       192.168.0.10
ns1                 IN      A       192.168.0.10
ns2                 IN      A       192.168.0.11
www                 IN      CNAME   linuxconfig.org.
mail                IN      A       192.168.0.10   ; owner name not shown on the page; "mail" assumed from the MX target above
ftp                 IN      CNAME   linuxconfig.org.
Here is a quick review of some lines from the above BIND DNS zone file:
SOA record: the nameserver authoritative for the zone linuxconfig.org is ns1.linuxconfig.org, and admin.linuxconfig.org is the email address (with the @ written as a dot) of the person responsible for this DNS zone.
NS records: the two nameservers for the linuxconfig.org zone are ns1.linuxconfig.org and ns2.linuxconfig.org.
MX (Mail Exchange): the mail exchange record for linuxconfig.org. The number 10 is the preference value; when a zone has several MX records, the one with the lowest value is tried first.
A records: A simply means address; in other words, in the linuxconfig.org zone ns1 has an A (address) record of 192.168.0.10.
CNAME record (canonical name record): restart the query using the canonical name instead of the original name.
III. Address-to-name mappings:
At this stage the BIND DNS server can resolve a linuxconfig.org hostname to its IP address. For the reverse (address-to-name) mapping, create the file db.192.168.0 with the following content:
;
; BIND reverse data file for 0.168.192.in-addr.arpa
;
$TTL    604800
0.168.192.in-addr.arpa.     IN      SOA     ns1.linuxconfig.org. admin.linuxconfig.org. (
                            1       ; Serial (value not shown on the page; 1 assumed, as in the forward zone)
                            3h      ; Refresh
                            1h      ; Retry
                            1w      ; Expire
                            1h )    ; Negative cache TTL
;
0.168.192.in-addr.arpa.     IN      NS      ns1.linuxconfig.org.
0.168.192.in-addr.arpa.     IN      NS      ns2.linuxconfig.org.
10.0.168.192.in-addr.arpa.  IN      PTR     linuxconfig.org.
IV.
All we need to do now is to reference both zone files in the BIND configuration file named.conf.local. To do that, add the following lines to this file:
zone "linuxconfig.org" {
    type master;
    file "/etc/bind/zones/master/db.linuxconfig.org";
};

zone "0.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/master/db.192.168.0";
};

// forwarders {
//      0.0.0.0;
// };
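The forward and reverse zones have to agree with each other, and the MX target has to be a real host, before a mail server behind this DNS will behave. The following shell script is an added example, not part of this document: it runs a consistency check over zone text constructed from the records shown above (the forward zone name linuxconfig.org. is the assumed $ORIGIN), reporting every A record whose address has no PTR and whether the MX target owns an A record rather than a CNAME. Run over the page's own records it reports ns2, because the reverse zone above only defines a PTR for 192.168.0.10.

```shell
#!/bin/sh
# Added example, not from the original document: forward/reverse zone consistency
# check. The records below are constructed from the ones shown on this page;
# ORIGIN is the forward zone name (an assumption, matching the page's zone).

ORIGIN='linuxconfig.org.'

# Forward zone RR lines as on the page (the SOA is not needed for this check).
FWD_ZONE='@                   IN  NS     ns1.linuxconfig.org.
@                   IN  NS     ns2.linuxconfig.org.
linuxconfig.org.    IN  MX 10  mail.linuxconfig.org.
linuxconfig.org.    IN  A      192.168.0.10
ns1                 IN  A      192.168.0.10
ns2                 IN  A      192.168.0.11
www                 IN  CNAME  linuxconfig.org.
mail                IN  A      192.168.0.10
ftp                 IN  CNAME  linuxconfig.org.'

# Reverse zone RR lines as on the page: a single PTR for 192.168.0.10.
REV_ZONE='10.0.168.192.in-addr.arpa.  IN  PTR  linuxconfig.org.'

# fqdn OWNER: expand a zone-file owner name to a fully qualified name.
fqdn() {
    case "$1" in
        @)  echo "$ORIGIN" ;;
        *.) echo "$1" ;;
        *)  echo "$1.$ORIGIN" ;;
    esac
}

# rev_name IPV4: dotted address -> in-addr.arpa name.
rev_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# missing_ptrs: print "name ip" for every A record whose address has no PTR.
missing_ptrs() {
    echo "$FWD_ZONE" | awk '$2 == "IN" && $3 == "A" { print $1, $4 }' |
    while read -r owner ip; do
        rn=$(rev_name "$ip")
        if ! echo "$REV_ZONE" | awk -v rn="$rn" \
                '$1 == rn && $3 == "PTR" { found = 1 } END { exit found ? 0 : 1 }'; then
            echo "$(fqdn "$owner") $ip"
        fi
    done
}

# mx_target_status: print "<target> ok|cname|missing". An MX target must own an
# A record; pointing it at a CNAME is not allowed and some MTAs reject it.
mx_target_status() {
    target=$(echo "$FWD_ZONE" | awk '$2 == "IN" && $3 == "MX" { print $5; exit }')
    status=$(echo "$FWD_ZONE" | awk -v t="$target" -v o="$ORIGIN" '
        { name = ($1 == "@") ? o : (($1 ~ /\.$/) ? $1 : $1 "." o) }
        name == t && $3 == "A"     { st = "ok" }
        name == t && $3 == "CNAME" { st = "cname" }
        END { print (st == "" ? "missing" : st) }')
    echo "$target $status"
}

# Run both checks when executed directly.
missing_ptrs | sed 's/^/no PTR for: /'
mx_target_status
```

The same two functions work on real zone files by replacing the embedded text with the contents of /etc/bind/zones/master/db.linuxconfig.org and db.192.168.0; named-checkzone catches syntax errors but not a missing PTR, and receiving mail servers commonly compare the sending host's PTR with the name it announces, so the reverse zone is worth keeping in step with the forward one.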
V. Check the BIND configuration for syntax errors (no output means no errors were found):
named-checkconf
VI. Start the BIND server:
/etc/init.d/bind9 start
Starting domain name service...: bind9.
Alternatively, if your BIND server is already running, use the following command to restart it:
/etc/init.d/bind9 restart
Stopping domain name service...: bind9.
Starting domain name service...: bind9.
VII. Test the new zones by querying the server. A query for www.linuxconfig.org returns the CNAME and the A record it points to:

;; QUESTION SECTION:
;www.linuxconfig.org.           IN      A

;; ANSWER SECTION:
www.linuxconfig.org.    10800   IN      CNAME   linuxconfig.org.
linuxconfig.org.        10800   IN      A       192.168.0.10

;; AUTHORITY SECTION:
linuxconfig.org.        10800   IN      NS      ns2.linuxconfig.org.
linuxconfig.org.        10800   IN      NS      ns1.linuxconfig.org.

;; ADDITIONAL SECTION:
ns1.linuxconfig.org.    10800   IN      A       192.168.0.10
ns2.linuxconfig.org.    10800   IN      A       192.168.0.11

;; WHEN: ... 5 18:50:48 2010
;; MSG SIZE  rcvd: 135
A reverse query for 192.168.0.10 returns the PTR record:

;; QUESTION SECTION:
;10.0.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
10.0.168.192.in-addr.arpa. 604800 IN    PTR     linuxconfig.org.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 604800  IN      NS      ns2.linuxconfig.org.
0.168.192.in-addr.arpa. 604800  IN      NS      ns1.linuxconfig.org.

;; ADDITIONAL SECTION:
ns1.linuxconfig.org.    10800   IN      A       192.168.0.10
ns2.linuxconfig.org.    10800   IN      A       192.168.0.11

;; WHEN: ... 5 18:52:06 2010
;; MSG SIZE  rcvd: 140
5) Now install the Dovecot mail delivery agent on the Redhat server. After installation, configure the dovecot.conf file as shown in the screenshot: uncomment lines 24 and 30. Also configure 10-auth.conf, 10-mail.conf and 10-master.conf for authentication, mail_location and SMTP authentication respectively.

6) If SSL is not required, set ssl = no in the 10-ssl.conf file. Start and enable the dovecot service using the following command.
Joining an Active Directory domain couldn't be simpler in Fedora 20. First, install the dependencies.
#yum install oddjob oddjob-mkhomedir sssd adcli samba-common
Once that is done, you can join the domain with the following command.
#realm join -U username.da corp.mydomain.com
Now reboot your machine or manually start all the services you just installed, and you will be able to log in to your Fedora machine using an Active Directory account. If you were to look at one of your domain controllers in the Active Directory Users and Computers applet, you would see a new machine account for your Fedora machine. This means that you don't have to manually create service accounts and passwords for your Fedora machine to make LDAP queries and perform Kerberos authentication.
You can see information about the domain now using
#realm list
Configuration
Now that you are joined to the domain, there are some security considerations and
other configuration details you should probably take care of. First, decide what login
format you want to use. Would you prefer to type in your full username in the
format username@corp.mydomain.com? If so, there is nothing to be done. If you
would rather just login with username, then edit the sssd configuration file and do not
require fully qualified names. In our examples, we will not be allowing any local
accounts on the Linux machine, so there is no worry about duplicate usernames.
#vi /etc/sssd/sssd.conf
Update the variable so that fully qualified names are not required:
use_fully_qualified_names = False
Domain administrators do not automatically have any special privileges on the Fedora
machine, so it is a good idea to allow them to sudo so they can perform system
administration tasks. In the sudoers file the % sign indicates group and the \ character
allows you to use spaces in the group names.
#visudo
Add the following line:
%Domain\ Admins@corp.mydomain.com ALL=(ALL) ALL
Security
If regular users are not required to login to this server at all through ssh or any installed
application, we can restrict logins to domain administrators at the sssd level.
#realm permit -g Domain\ Admins@corp.mydomain.com
If regular users will need to authenticate to an installed application (like Apache) using their Active Directory accounts, but will not need SSH access, skip the above line and instead use PAM to restrict just SSH:
#vi /etc/pam.d/sshd
Add the following line to the auth section. The square brackets allow us to use the space in the group name. The module and its arguments are not shown on the page; pam_succeed_if.so with a "user ingroup" test is the usual module for this check and is assumed here:
auth    required    pam_succeed_if.so user ingroup [Domain Admins]
Since sshd can also allow GSSAPI authentication by default, which is not part of the PAM stack, we will want to turn it off; otherwise anyone who is logged into a Windows machine using their domain account and PuTTY could log in to the server without a password.
#vi /etc/ssh/sshd_config
Update the following line.
GSSAPIAuthentication no
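sshd_config is read top to bottom and, for each keyword, the first value found is the one used, so an earlier GSSAPIAuthentication yes silently wins over a no added further down the file. The following shell script is an added example, not part of this document, that reports the value sshd would actually apply for a keyword in the global section of a configuration text; the sshd_config embedded in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original document: report the value sshd actually
# uses for a keyword. sshd_config(5): for each keyword the first obtained value
# is used, so a later "GSSAPIAuthentication no" does not override an earlier
# "yes". The config text below is constructed for the demonstration.

SSHD_CONFIG='# constructed sample /etc/ssh/sshd_config
Port 22
GSSAPIAuthentication yes
PasswordAuthentication yes
# added later, intended to disable GSSAPI, but sshd keeps the first value:
GSSAPIAuthentication no
Match User backup
    PasswordAuthentication no'

# effective_value KEYWORD [CONFIG_TEXT]: print the value sshd would use for
# KEYWORD in the global section (keyword match is case-insensitive, the scan
# stops at the first Match block), or "unset" if it never appears. Defaults to
# the constructed config above.
effective_value() {
    kw=$(echo "$1" | tr 'A-Z' 'a-z')
    cfg=${2:-$SSHD_CONFIG}
    printf '%s\n' "$cfg" | awk -v kw="$kw" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        tolower($1) == "match"   { exit }                 # end of the global section
        tolower($1) == kw        { print $2; seen = 1; exit }
        END { if (!seen) print "unset" }'
}

# gssapi_disabled [CONFIG_TEXT]: succeed only if GSSAPIAuthentication is
# effectively "no" in the global section.
gssapi_disabled() {
    [ "$(effective_value GSSAPIAuthentication "$@")" = "no" ]
}

# Hardened ordering: the "no" comes first, so any later "yes" is ignored.
FIXED_CONFIG='GSSAPIAuthentication no
Port 22'

printf 'sample config, effective GSSAPIAuthentication: %s\n' \
    "$(effective_value GSSAPIAuthentication)"
printf 'fixed config,  effective GSSAPIAuthentication: %s\n' \
    "$(effective_value GSSAPIAuthentication "$FIXED_CONFIG")"
```

On a live host, sshd -T prints the effective configuration and is the authoritative check; the script is for reviewing copies of the file. Keywords inside a Match block apply only to matching connections, which is why the scan stops at the first Match.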
Timekeeping
Since Active Directory logins rely on good timekeeping and Active Directory servers are
already ntp servers, we might as well make sure our clock stays in synch.
#yum install chrony
#vi /etc/chrony.conf
Assuming you have created a DNS CNAME called ntp that points to dc1 or dc2, update the following lines:
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.fedora.pool.ntp.org iburst
#server 1.fedora.pool.ntp.org iburst
#server 2.fedora.pool.ntp.org iburst
#server 3.fedora.pool.ntp.org iburst
server ntp
Troubleshooting:
Check that Dovecot is listening for connections:
telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
If you got "connection refused", check that pop3 is included in the protocols setting in dovecot.conf. Also check that the listen setting is *.
Next check that it also works from remote host:
# telnet imap.example.com 110
Trying 1.2.3.4...
Connected to imap.example.com.
Escape character is '^]'.
+OK Dovecot ready.
Replace the username and password with the ones you added
to passwd.dovecot in BasicConfiguration.
You should get an "+OK Logged in." reply. If you get "Authentication failed" error,
set auth_verbose = yes and auth_debug = yes in dovecot.conf, restart Dovecot and try
again. The log file should now show enough information to help you fix the problem.
Many POP3 clients have been tested with Dovecot and they work.