Postfixadmin zur Verwaltung der Maildomains und der Nutzerkonten des Dovecot-IMAP-Servers unter CentOS 7.x

Betreibt man einen Mailserver mit vielen virtuellen Domains und hat auch noch mehrere Administratoren, die sich um die Neuanlage der Nutzerkonten und deren Pflege kümmern, wird es bei meist etwas komplizierter. Entweder man braucht ein mächtigen LDAP-Server und zugehörige versierte Administratoren, Admins mit Konsolen-Zugang zum IMAP- und Postfix-Server oder man greift auf eine einfache WEB-GUI zum Verwalten der Maildomänen und Postfächer zurück.

Wir werden nun in diesem Konfigurationsbeispiel auf eine mySQL-Datenbank als Datenbankbackendsystem und auf Postfixadmin als WEB-GUI für die Administratoren zurückgreifen.

Als erstes holen wir uns das aktuelle Programmarchiv von der Projektseite bei Sourceforge.

Wir wechseln als erstes in unser lokales Paketverzeichnis; falls wir dieses noch nicht angelegt haben, erstellen wir ggf. das fehlende Verzeichnis.

 # mkdir -p /usr/local/src/packages/

 # cd /usr/local/src/packages/

Dann laden wir das tar.gz-Archiv auf unseren Webserver herunter.

 wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.91/postfixadmin-2.91.tar.gz

Im nächsten Schritt entpacken wir das Verzeichnis in den Webseiten-Speicherbereiches unseres Apache-Webservers.

 # tar -zxf postfixadmin-2.91.tar.gz -C /var/www/

Die Datei und Nutzerrechte passen wir entsprechend an.

 # chown root.apache /var/www/postfixadmin-2.91/ -R

Wichtige Informationen zur Installation finden wir in der Datei INSTALL.TXT.

# less /var/www/postfixadmin-2.91/INSTALL.TXT

#
# Postfix Admin
# by Mischa Peters <mischa at high5 dot net>
# Copyright (c) 2002 - 2005 High5!
# Licensed under GPL for more info check GPL-LICENSE.TXT
#
 
REQUIRED!!
----------
- You are using Postfix 2.0 or higher.
- You are using Apache 1.3.27 / Lighttpd 1.3.15 or higher.
- You are using PHP 5.1.2 or higher.
- You are using MySQL 3.23 or higher (5.x recommended) OR PostgreSQL 7.4 (or higher)
 
 
READ THIS FIRST!
----------------
When this is an upgrade from a previous version of Postfix Admin, please read 
DOCUMENTS/UPGRADE.TXT also!
 
If you need to setup Postfix to be able to handle Virtual Domains and Virtual
Users check out:
 
  - the PostfixAdmin documentation in the DOCUMENTS/ directory
  - our wiki at http://sourceforge.net/apps/mediawiki/postfixadmin/
 
There are also lots of HOWTOs around the web. Be warned that many of them 
(even those listed below) may be outdated or incomplete. 
Please stick to the PostfixAdmin documentation, and use those HOWTOs only if
you need some additional information that is missing in the PostfixAdmin 
DOCUMENTS/ folder.
  - http://codepoets.co.uk/postfixadmin-postgresql-courier-squirrelmail-debian-etch-howto-tutorial (Debian+Courier+PostgreSQL+Postfix+Postfixadmin)
  - http://bliki.rimuhosting.com/space/knowledgebase/linux/mail/postfixadmin+on+debian+sarge (Postfix+MySQL+Postfixadmin+Dovecot)
  - http://en.gentoo-wiki.com/wiki/Virtual_mail_server_using_Postfix,_Courier_and_PostfixAdmin (Postfix+MySQL+Postfixadmin+Courier)
 
 
1. Unarchive new Postfix Admin
------------------------------
Make sure that you are in your WWW directory and then unarchive the
Postfix Admin archive (whatever the filename is):
 
  $ tar -zxvf postfixadmin-2.2.0.tgz
 
 
2. Setup a Database
-------------------
 
With your chosen/preferred database server (i.e. MySQL or PostgreSQL), 
you need to create a new database. A good name for this could be :
 
  postfix
 
The mechanics of creating the database vary depending on which server 
you are using. Most users will find using phpMyAdmin or phpPgAdmin the
easiest route.
 
If you wish to use the command line, you'll need to do something like :
 
For MySQL:
  CREATE DATABASE postfix;
  CREATE USER 'postfix'@'localhost' IDENTIFIED BY 'choose_a_password';
  GRANT ALL PRIVILEGES ON `postfix` . * TO 'postfix'@'localhost';
 
For PostgreSQL:
  CREATE USER postfix WITH PASSWORD 'whatever';
  CREATE DATABASE postfix OWNER postfix ENCODING 'unicode';
 
 
3. Configure PostfixAdmin so it can find the database
-----------------------------------------------------
 
Edit the config.inc.php file - or - create config.local.php and add your settings there.
 
The most important settings are those for your database server.
 
You must also change the line that says :
 
$CONF['configured'] = false;
 
to
 
$CONF['configured'] = true;
 
 
PostfixAdmin does not require write access to any files except the tempates_c 
directory (smarty cache). You can therefore leave the files owned as root (or
another user); as long as the web server user (e.g. www-data) can read them, it
will be fine.
For templates_c/, allow write access (only) for the web server user (e. g. www-data).
The easiest way to do this is   chown -R www-data templates_c
 
The next 'step', is optional. Only do it, if other non-trusted users have access 
to your user:
 
    Depending on your environment, you may want to protect the database username
    and password stored in config.inc.php - if so, you could move them into the 
    Apache configuration file (which can be set to be visible only by root) using 
    something like the following in your VirtualHost definition :
 
    SetEnv DB_USER "postfix"
    SetEnv DB_PASS "opensesame"
 
    config.inc.php would then be able to access these through :
 
    $CONF['database_user'] = $_SERVER['DB_USER']
 
 
4. Check settings, and create Admin user
----------------------------------------
 
Hit http://yourserver.tld/postfixadmin/setup.php in a web browser.
 
You should see a list of 'OK' messages. 
 
The setup.php script will attempt to create the database structure 
(or upgrade it if you're coming from a previous version). 
 
Assuming everything is OK you can specify a password (which you'll 
need to use setup.php again in the future); when you submit the form, 
the hashed value (which you need to enter into config.inc.php is echoed 
out - with appropriate instructions on what to do with it).
 
create the admin user using the form displayed.
 
5. Use PostfixAdmin
-------------------
 
This is all that is needed. Fire up your browser and go to the site that you
specified to host Postfix Admin.
 
6. Integration with Postfix, Dovecot etc.
-----------------------------------------
 
Now that PostfixAdmin is working, you need to do some configuration in Postfix,
Dovecot etc. so that they use the domains, mailboxes and aliases you setup in
PostfixAdmin.
 
The files in the DOCUMENTS/ directory explain which settings you need to
do/change.
 
7. XMLRPC Integration (OPTIONAL!)
--------------------------------
 
See ADDITIONS/squirrelmail-plugin
See xmlrpc.php - only a subset of Postfixadmin's functionality is currently exposed.
See config.inc.php - see xmlrpc_enabled key (defaults to off).
 
You'll need to install a copy of the Zend Framework within Postfixadmin (see header within xmlrpc.php)
You'll need to enable the xmlrpc link (see config.inc.php)
 
8. More information
-------------------
As of March 2007, PostfixAdmin moved to SourceForge.  For the
forum posts and source updates, see:
 
https://sourceforge.net/projects/postfixadmin
 
There is also #postfixadmin on irc.freenode.net.

Wie Eingangs erwähnt, nutzen wir für die Verwaltung unserer Maildomänen und deren Nutzerkonten sowie Aliasen eine mySQL-Datenbank.

Wir melden uns also als berechtigter Datenbankuser an der mySQL-Datenbank an.

  # mysql -h localhost -u root -p

Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 141459
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Dort legen wir als aller erst einmal eine Datenbank mit dem Namen postfix an.

 mysql> create database postfix;

 Query OK, 1 row affected (0.03 sec)

Anschließend legen wir uns einen oder mehrere Datenbankuser an, denen wir entsprechende Rechte an der Datenbank postfix einräumen. In diesem Anwendungsbeispiel gehen wir von drei Nutzern aus.

1. Postfix-Admin : Der Nutzer, der vom Webserver, also unserer WEB-GUI PostfixAdmin, aus Zugriffe vornehmen wird.
2. Postfix-Systemuser : technische User, der vom MTA¹⁾ also unserem Postfix-Server aus bei der Einlieferung der elektronischen Post die Datenbank befragen wird.
3. Dovecot-Systemuser : technische User, der vom MDA²⁾ also unserem Dovecot-IMAP Server beim Abholen der eMails durch die Nutzer die Authentifizierung und Autorisierung benötigt wird.

Also:

1. postfixadmin-user:
   Nutzer anlegen:

   mysql> CREATE USER 'pfadmin_user'@'10.0.0.97' IDENTIFIED BY 'rbgsDK39DeM2b2btx9iMHfzd';

   Query OK, 0 rows affected (0.00 sec)

   mysql> CREATE USER 'pfadmin_user'@'vml000090.dmz.nausch.org' IDENTIFIED BY 'rbgsDK39DeM2b2btx9iMHfzd';

   Query OK, 0 rows affected (0.00 sec)

   
   Nutzerberechtigungen setzen:

   mysql> GRANT ALL PRIVILEGES ON postfix.* TO 'pfadmin_user'@'10.0.0.97' IDENTIFIED BY 'rbgsDK39DeM2b2btx9iMHfzd' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

   Query OK, 0 rows affected (0.00 sec)

   mysql> GRANT ALL PRIVILEGES ON postfix.* TO 'pfadmin_user'@'vml000090.dmz.nausch.org' IDENTIFIED BY 'rbgsDK39DeM2b2btx9iMHfzd' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

   Query OK, 0 rows affected (0.00 sec)

   
   Berechtigungen zuweisen:

   mysql> FLUSH PRIVILEGES;

   Query OK, 0 rows affected (0.00 sec)

2. postfix_user:
   Nutzer anlegen:

   mysql> CREATE USER 'postfix_user'@'10.0.0.87' IDENTIFIED BY 'rbBgeM2b2btx9iMHfzd';

   Query OK, 0 rows affected (0.00 sec)

   mysql> CREATE USER 'postfix_user'@'smtp.dmz.nausch.org' IDENTIFIED BY 'rbBgeM2b2btx9iMHfzd';

   Query OK, 0 rows affected (0.00 sec)

   
   Berechtigungen zuweisen:

   mysql> GRANT ALL PRIVILEGES ON postfix.* TO 'postfix_user'@'10.0.0.87' IDENTIFIED BY 'rbBgeM2b2btx9iMHfzd' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

   Query OK, 0 rows affected (0.00 sec)

   mysql> GRANT ALL PRIVILEGES ON postfix.* TO 'postfix_user'@'smtp.dmz.nausch.org' IDENTIFIED BY 'rbBgeM2b2btx9iMHfzd' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

   Query OK, 0 rows affected (0.00 sec)

   
   Berechtigungen zuweisen:

   mysql> FLUSH PRIVILEGES;

   Query OK, 0 rows affected (0.00 sec)

3. dovecot_user:
   Nutzer anlegen:

   mysql> CREATE USER 'dovecot_user'@'10.0.0.77' IDENTIFIED BY 'GOMrG7l1bD74Ez81sUO';

   Query OK, 0 rows affected (0.00 sec)

   mysql> CREATE USER 'dovecot_user'@'imap.dmz.nausch.org' IDENTIFIED BY 'GOMrG7l1bD74Ez81sUO';

   Query OK, 0 rows affected (0.00 sec)

   
   Nutzerberechtigungen setzen:

   mysql> GRANT ALL PRIVILEGES ON postfix.* TO 'dovecot_user'@'10.0.0.77' IDENTIFIED BY 'GOMrG7l1bD74Ez81sUO' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

   Query OK, 0 rows affected (0.00 sec)

   mysql> GRANT ALL PRIVILEGES ON postfix.* TO 'dovecot_user'@'imap.dmz.nausch.org' IDENTIFIED BY 'GOMrG7l1bD74Ez81sUO' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

   Query OK, 0 rows affected (0.00 sec)

   
   Berechtigungen zuweisen:

   mysql> FLUSH PRIVILEGES;

   Query OK, 0 rows affected (0.00 sec)

Abschließend melden wir uns wieder von unserem Datenbankhost ab.

 mysql> quit

 Bye

Bevor wir uns auf unserem Webserver einen vHost anlegen, überprüpfen wir noch, ob das Paket php-mbstring sowie php-mysql bereits im System installiert wurden.

 # yum list php-mbstring php-mysql

Sofern eins der Pakete noch nicht installiert wurde, holen wir dies jetzt nach.

 # yum install php-mbstring php-mysql -y

Da wir später personenbezogene Daten verarbeiten werden, setzen wir einen SSL geschützten vHOST ein. Die Definition dieses vHOSTs nehmen wir nun als nächstes vor. Wir legen uns eine passende Konfigurationsdatei im Verzeichnis /etc/httpd/conf.d/ an.

 # vim /etc/httpd/conf.d/vhost_443_postfixadmin.conf

/etc/httpd/conf.d/vhost_443_postfixadmin.conf

#
# postfixadmin.nausch.org
#                                                                                                                                                                                
<VirtualHost *:80>
        ServerAdmin webmaster@nausch.org
        ServerName postfixadmin.nausch.org
        ServerPath /
 
        <Location />
                Options -Indexes +FollowSymLinks
                Require all granted
        </Location>
 
        RewriteEngine on
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
 
        DirectoryIndex index.php
 
        ErrorLog logs/postfixadmin_error.log
        CustomLog logs/postfixadmin_access.log combined
</VirtualHost>
<VirtualHost *:443>
        ServerAdmin webmaster@nausch.org
        ServerName postfixadmin.nausch.org
        ServerPath /
        DocumentRoot "/var/www/postfixadmin-2.91"
 
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite EECDH+AES256:DHE+AES256:EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
        SSLHonorCipherOrder on
        SSLCertificateFile /etc/pki/tls/private/CAcert-class3.crt
        SSLCertificateKeyFile /etc/pki/tls/private/ca.key
        SSLCertificateChainFile /etc/pki/tls/private/CAcert_chain.crt
 
       <Files "config.php">
                Options +FollowSymLinks
                Require host nausch.org
       </Files>
 
        DirectoryIndex index.php
        ErrorLog logs/postfixadmin_error.log
        CustomLog logs/postfixadmin_access.log combined
</VirtualHost>

Bevor wir unseren neuen vHOST am Webserver zum Ausliefern der dynamisch generierten PHP-Webseiten durch einen Reload des Daemon bewegen, führen wir noch einen syntakischen Test der Konfigurationsdateien durch. Hierzu verwenden wir das Tool apachectl.

 # apachectl -t

 Syntax OK

Ist alles O.K. dann steht einem Reload des Apache httpd nichts mehr im Wege.

 # systemctl reload httpd.service

Wollen wir den Restart kontrollieren, fragen wir den Status des Webservers ab.

 # systemctl status httpd.service

httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Mon 2014-08-07 18:25:16 CEST; 31 days ago
  Process: 18501 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
  Process: 18515 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
 Main PID: 18506 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─18506 /usr/sbin/httpd -DFOREGROUND
           ├─18518 /usr/sbin/httpd -DFOREGROUND
           ├─18519 /usr/sbin/httpd -DFOREGROUND
           ├─18520 /usr/sbin/httpd -DFOREGROUND
           ├─18521 /usr/sbin/httpd -DFOREGROUND
           └─18522 /usr/sbin/httpd -DFOREGROUND

Sep 08 18:25:25 vml000097.dmz.nausch.org systemd[1]: Reloading The Apache HTTP Server.
Sep 08 18:25:25 vml000097.dmz.nausch.org systemd[1]: Reloaded The Apache HTTP Server.