Ask Husi - Email Server
Diary
By priestess (Fri Feb 29, 2008 at 02:40:31 AM EST) email, help, ask husi, unix
I'm migrating all our servers to a new host, which seems like a good opportunity to fix some annoying things.

In particular email: At the moment we're using exim4 and some pop3 server or another and squirrel-mail.

Whenever they ask me to create a new email account, I have to add a new user account for the whole machine. Making an /etc/passwd entry, giving shell access (which I then take away again), making a home directory etc. All just so they can collect email.

This seems inefficient.



They also have to ask me explicitly to set up a .vacation message for 'em, and they can't change their passwords.

Be nice if there was just some (free software) code that I could install which would keep email accounts separate from the machine's user accounts, allow 'em web ways to change passwords, set up forwarding and auto-reply systems, and ideally give both pop3 access AND a web front-end to all these mail accounts.

Anyone know of a system like that?

I'm running Debian on all the servers.

Ask Husi - Email Server | 17 comments (17 topical, 0 hidden) | Trackback
Courier does a lot of that, IIRC. by yicky yacky (4.00 / 1) #1 Fri Feb 29, 2008 at 03:04:06 AM EST

But I only set it up once, several years ago now, and I seem to recall that the initial config was a bit fiddly. Qmail does the virtual user account thing as well, I think, but don't know about the rest. Postfix definitely does virtual accounts and is the one I use personally; I'm pretty sure that putting the other stuff on it is possible, but suspect it might be a chore.


----
Vacuity abhors a vacuum.
MySQL? by Vulch (4.00 / 1) #2 Fri Feb 29, 2008 at 03:05:07 AM EST

I've got all my users and aliases in a MySQL database backend. There are various guides for doing it; the usual problem bit comes with hooking the pop3/imap thingy in, though if you pick one that can use PAM and SASL authentication it gets a lot easier. There doesn't seem to be a ready-made thing around to do it, but there are plenty of guides. I'm using Exim, Cyrus and Squirrelmail with MySQL. I've got a half-finished vacation handler that I've not told anyone about, and there's currently no way for them to change their passwords, as I need to overhaul our entire authorisation system at some point and I'll add that then.

Write a perl script. by Breaker (4.00 / 1) #3 Fri Feb 29, 2008 at 03:36:58 AM EST
Or do it with a Lisp macro in Emacs?


LDAP by thunderbee (4.00 / 2) #4 Fri Feb 29, 2008 at 04:08:32 AM EST
I won't provide detailed instructions as it's actually my job to do this; but the answer is LDAP or some SQL database. I work with LDAP for email because that's just what LDAP is made for.

I run exim + Courier IMAP in Maildir delivery mode. Both can use LDAP without effort to handle the accounts. exim is able to handle the auto-response from data in the LDAP directory.

You'll find plenty of documentation with google on exim + LDAP.
Courier POP/IMAP is trivial to set up with LDAP.
Quota support from exim and Courier works well.

Horde / IMP is ok as a webmail, and includes the ability to change password in the LDAP directory.

I use a slightly unusual auto-responder setup (I have start/stop dates along with the text) so I have a simple PHP interface to the responder.

This setup is also very scalable if you serve the Maildirs from a NAS or SAN. You can just drop additional front-ends to increase capacity. There may be out-of-the-box systems that provide all of this (such as Zimbra, with calendaring thrown in), but they rarely scale easily (i.e. require direct access to the disk).

And finally, it's quite easy to write PHP (or Perl) front-ends for the LDAP system. Since you never require access to the server disk, it all works beautifully.

You can easily throw in ClamAV for anti-virus, SpamAssassin for a simple anti-spam.

Humm. Sounds complicated by priestess (2.00 / 0) #7 Fri Feb 29, 2008 at 04:55:18 AM EST
Ain't gonna be able to devote a huge amount of time to it really. Was vaguely hoping there'd just be some app I could install that'd do it all and let me admin it with a nice web interface.

Maybe I should write one some day if there isn't. Would think there'd be enough demand to make it worthwhile. Or perhaps everyone just using gmail these days. Perhaps I'll talk to the boss about doing that even.

Still, I'll spend a couple of hours reading about LDAP and database stuff first.

Thanks for the help everyone.

Pre........
---------
Chat to the virtual me...

[ Parent ]
Have a look at Zimbra then by thunderbee (1.00 / 1) #15 Sat Mar 01, 2008 at 05:33:39 AM EST
All-in-one solution.
I never tried it because it would be a pain to integrate in an existing system; but in a complete overhaul, it might be worth investigating.

Zimbra

[ Parent ]
Looks great by priestess (2.00 / 0) #17 Mon Mar 03, 2008 at 05:57:29 AM EST
That's exactly the kinda thing I was looking for. Started to install it to give it a check, only to find that the server is an AMD64 machine and their pre-compiled stuff is i386 of course.

Installing from source looks as complicated as setting it all up by hand.

Oh well. Google apps it is I reckon.

Pre..........
---------
Chat to the virtual me...

[ Parent ]
WIPO by sasquatchan (4.00 / 1) #5 Fri Feb 29, 2008 at 04:18:28 AM EST
Outlook has web access, and lets everyone set those things themselves..

Granted, it's not free, and I doubt it runs on Debian.

What's the account management for all the users, if the mail account is a nullo? Why aren't mail accounts tied to logins? Or do the work machines not have any login?

Heck, there's gmail for business too..

Outlook? by priestess (2.00 / 0) #6 Fri Feb 29, 2008 at 04:49:33 AM EST
Outlook is a mail client isn't it? I thought MS's mail-server was Exchange or something. Don't really know, tend to avoid MS.

The coders need to have login accounts, but most of the email accounts are just going to interns who are here for a couple of months doing admin work and then gone. Giving them server-logins is certainly a little pointless at least, possibly even a security risk at worst. The desktop machines are all hot-desked, the interns don't have a particular machine or login other than for their email account. They do have access to our CRM what I wrote, but that doesn't have email caps.

Pre..........

---------
Chat to the virtual me...

[ Parent ]
I run Qmail + Courier imap etc by Dr Thrustgood (4.00 / 2) #8 Fri Feb 29, 2008 at 04:59:07 AM EST
Think the package I ended up installing was called Qmail Toaster. Can be a pain to set up initially, but now that it's all working, it's a piece of piss.

FYI: You might have to apply a patch to Qmail for the .vacation stuff, but all should be fine from there.



Ta by priestess (2.00 / 0) #9 Fri Feb 29, 2008 at 05:50:04 AM EST
And even with Debian notes. Nice one Doc, I shall look into it...

Pre..........
---------
Chat to the virtual me...

[ Parent ]
Postfix, Virtual User accounts by haplopeart (4.00 / 1) #10 Fri Feb 29, 2008 at 07:09:03 AM EST
Why not Postfix, and virtual user accounts?

gmail by 256 (4.00 / 1) #11 Fri Feb 29, 2008 at 08:28:55 AM EST
i'm serious.
---
I don't think anyone's ever really died from smoking. --ni
What 256 said. by chuckles (4.00 / 1) #12 Fri Feb 29, 2008 at 09:08:12 AM EST
Specifically, Google Apps for Your Domain.

"The one absolutely certain way of bringing this nation to ruin [...] would be to permit it to become a tangle of squabbling nationalities"
[ Parent ]
I've got this by LinDze (4.00 / 1) #13 Fri Feb 29, 2008 at 11:13:38 AM EST
for a domain I share with a bunch of peeps. Works pretty well as long as you don't mind Google reading all your mail.

-Lin Dze
Arbeit Macht Frei
[ Parent ]
Probably we'll do that by priestess (2.00 / 0) #16 Mon Mar 03, 2008 at 05:56:13 AM EST
Looks about as simple as possible. I'll have to check with the boss though.

Cheers,

Pre.........
---------
Chat to the virtual me...

[ Parent ]
Plenty of options by LinDze (4.00 / 1) #14 Fri Feb 29, 2008 at 11:35:30 AM EST
I ran some mail services for an ISP for the last few years. Used qmail + vpopmail + courier and then qmail + vpopmail + dovecot more recently.

If you want to use your existing installation it shouldn't be a problem. Both exim and courier should run off of SQL, LDAP or virtual user flat file. I believe both can also do a mixed mode while you transition over; they'll query auth methods in order of preference.

For an MTA qmail is nice once you know it. Personally, if you're already on exim I don't see any great reason to change as long as you use maildir+. Both have plenty of chaining options, filter support, and can run over NFS. Courier, like people mentioned, can be a picky bitch sometimes. We ended up switching to Dovecot and I can wholeheartedly recommend it. Nice plugin-type architecture and a sane apache-style configuration are the biggest selling points to me. If courier gives you any lip at least give dovecot a try.

For the .vacation and password changes I don't know the exim options. Qmail has a web-based account manager called QmailAdmin. You can use that standalone or it has plugins for Squirrelmail to tie it into the Options area.

If you're not averse to a major change QmailToaster is a nice setup. The guy who packages it all up also does installs, support, and consulting. If you have any questions about setup/maintenance/performance the qmailtoaster mailing list and forums are great. It's a smaller community so when you ask a question you'll get an actual factual answer.


-Lin Dze
Arbeit Macht Frei
