This is the third part of a five part tutorial that will show you how to install a full featured email server on your Raspberry Pi. This tutorial covers how to set up Webmail with Squirrelmail.
The parts are:
The Introduction & Contents Page (read first)
Raspberry Pi Email Server Part 1: Postfix
Raspberry Pi Email Server Part 2: Dovecot
Raspberry Pi Email Server Part 3: Squirrelmail
Raspberry Pi Email Server Part 4: Spam Detection with Spamassassin
Raspberry Pi Email Server Part 5: Spam Sorting with LMTP & Sieve
Installing Apache
If you don't already have apache installed (you might if you've followed my wordpress tutorial), then install it now.
sudo apt-get update
sudo apt-get install apache2
Enable the SSL apache module so that you can use HTTPS:
sudo a2enmod ssl
There are some "pre-made" virtualhost configurations that come with apache. This command will enable the "default-ssl" virtualhost, by creating a symbolic link from /etc/apache2/sites-available/default-ssl to /etc/apache2/sites-enabled/default-ssl:
sudo a2ensite default-ssl
Now reload apache to make the changes take effect:
sudo service apache2 reload
If you type the IP address or hostname of the pi into a web browser now, you should see the default Apache test page.
If you try the https version, you'll get a certificate error because you are using a self-signed SSL certificate. If you like, you can follow my CAcert tutorial to get a free SSL certificate for your domain, or you can just store an exception for the certificate and generate a proper one later.
That's it for Apache. If you want to know more about setting up Apache for multiple websites, subdomains, and SSL configurations, I suggest you read my tutorial explaining Apache's VirtualHost files.
Installing Squirrelmail
Now we need to install squirrelmail:
sudo apt-get update
sudo apt-get install squirrelmail
The basic configuration for squirrelmail is really easy, and can be done with the setup script. To run the script, use this command:
sudo squirrelmail-configure
- Choose “D” for pre-defined settings
- Now type “dovecot” and hit enter
- Press enter to continue, then save and quit (press Q and save when prompted, or press S then Q)
The configuration script creates a configuration file for apache in /etc/squirrelmail/apache.conf. You need to create a symbolic link so that Apache2 will load your Squirrelmail apache configuration file when it starts up. On Raspbian Wheezy, the command is:
sudo ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
On Raspbian Jessie, the apache configuration directory structure is more like ubuntu, with separate folders for configuration files that are available and files that are enabled. This command will create a symlink from the directory where enabled configuration is stored, to squirrelmail's apache configuration file:
sudo ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf-enabled/squirrelmail.conf
On a related note, there's a convenience command a2enconf that works similarly to a2ensite: it creates a symlink from the conf-available directory to the conf-enabled directory. You should use this in situations where config already exists in conf-available, e.g. sudo a2enconf squirrelmail would create a symlink for a file called squirrelmail.conf.
Now reload Apache one more time so that it reads the config file we just symlinked:
sudo service apache2 reload
Now visit the IP address or hostname of your Pi again, but add /squirrelmail to the path, e.g. 192.168.1.174/squirrelmail, and you should see the login page.
The squirrelmail configuration file just adds an alias that should affect every virtualhost, so if you install a wordpress site or something like that on your pi, you will be able to get to the squirrelmail login page by visiting yourdomain.com/squirrelmail.
Redirect http to https for secure login
Since you don't want to send your login details and confidential information over the internet without SSL, it's best to redirect all http URLs to https. The default squirrelmail apache configuration file at /etc/squirrelmail/apache.conf contains some rewrite rules we can use; we just need to uncomment them. Open the file and uncomment the lines by removing the # at the start of each so that it looks like this:
<IfModule mod_rewrite.c>
  <IfModule mod_ssl.c>
    <Location /squirrelmail>
      RewriteEngine on
      RewriteCond %{HTTPS} !^on$ [NC]
      RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
    </Location>
  </IfModule>
</IfModule>
This configuration makes sure that the rewrite and ssl modules are enabled, and does nothing if they aren't. We already enabled the ssl module earlier, so all we need to do now is enable the rewrite module:
sudo a2enmod rewrite
And reload Apache:
sudo service apache2 reload
Now if you visit the HTTP page, you should be redirected to HTTPS.
Optional: Configuring Apache to serve Squirrelmail on a subdomain
If you would like to move the login page to the root of your domain (i.e. so that yourdomain.com would serve the login page for squirrelmail), or if you would like to serve it on a subdomain like mail.yourdomain.com, you can edit the configuration file. If not, you can skip this section.
By default, this line in /etc/squirrelmail/apache.conf means that http://www.yourdomain.com/squirrelmail will load squirrelmail:
Alias /squirrelmail /usr/share/squirrelmail
If you would rather have webmail on a subdomain like mail.yourdomain.com then you could edit the /etc/squirrelmail/apache.conf file to look like this (comment out the rest):
<VirtualHost *:80>
  DocumentRoot /usr/share/squirrelmail
  ServerName mail.yourdomain.com
  <Directory /usr/share/squirrelmail>
    Options FollowSymLinks
    <IfModule mod_php5.c>
      php_flag register_globals off
    </IfModule>
    <IfModule mod_dir.c>
      DirectoryIndex index.php
    </IfModule>
    # access to configtest is limited by default to prevent information leak
    <Files configtest.php>
      order deny,allow
      deny from all
      allow from 127.0.0.1
    </Files>
  </Directory>
</VirtualHost>
Note that if you want to serve mail on a subdomain, then that subdomain needs a DNS record, so edit your records with your DNS provider accordingly. However, the virtualhost code above only does HTTP. You also want an HTTPS virtualhost for the subdomain on port 443:
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    DocumentRoot /usr/share/squirrelmail
    ServerName mail.yourdomain.com
    <Directory /usr/share/squirrelmail>
      Options FollowSymLinks
      <IfModule mod_php5.c>
        php_flag register_globals off
      </IfModule>
      <IfModule mod_dir.c>
        DirectoryIndex index.php
      </IfModule>
      # access to configtest is limited by default to prevent information leak
      <Files configtest.php>
        order deny,allow
        deny from all
        allow from 127.0.0.1
      </Files>
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/your-ssl-certificate.crt
    SSLCertificateKeyFile /etc/ssl/private/your-ssl-certificate-keyfile.key
  </VirtualHost>
</IfModule>
If you use this configuration, the rewrite rules from the "rewrite to HTTPS" section (the ones from the default config file) won't work. If you want an HTTPS-only solution, you can replace the virtualhost for port 80 with this:
<VirtualHost *:80>
  ServerName mail.yourdomain.com
  <IfModule mod_rewrite.c>
    <IfModule mod_ssl.c>
      <Location />
        RewriteEngine on
        RewriteCond %{HTTPS} !^on$ [NC]
        RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
      </Location>
    </IfModule>
  </IfModule>
</VirtualHost>
As before, make sure you have the rewrite module enabled:
sudo a2enmod rewrite
Now reload apache:
sudo service apache2 restart
If you get an error like this:
[....] Restarting web server: apache2[Fri Dec 06 15:54:04 2013] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Then add NameVirtualHost *:443 to the start of the SSL VirtualHost block, i.e.:
NameVirtualHost *:443
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    DocumentRoot /usr/share/squirrelmail
    ServerName mail.yourdomain.com
    ...
For more info on HTTP and HTTPS VirtualHost configuration on Apache2, see this tutorial of mine.
If all went to plan then you can navigate to mail.yourdomain.com and you should see the squirrelmail login page (you might need to forward some ports on your router if you haven't already - see the next section).
Port Forwarding
Squirrelmail will log in to your IMAP server on port 143 to display your emails. It doesn’t need to authenticate because it’s in your network (remember the permit_mynetworks parameter from the previous tutorials?). You don’t need to worry about it being an unencrypted connection, because the data isn't actually travelling over any insecure networks (the connection is internal). Similarly, you don’t need to open port 143 (“plain” imap without SSL/TLS) on your router because the connection happens within the Pi, and the content is actually served to you, the user, on port 443 (https). So you do need to open ports 80 and 443 for http and https.
Testing
Before you start testing your webmail, make sure that the permit_mynetworks parameters are uncommented in your postfix configuration file /etc/postfix/main.cf (in both your smtpd_recipient_restrictions and smtpd_helo_restrictions). Now reload your postfix configuration:
sudo service postfix reload
Try sending and receiving emails from within Squirrelmail. You should have no problems, but if you do please post a comment and I’ll try to help you out.
Customising the Squirrelmail Login
To customise the login page, run the configuration wizard:
sudo squirrelmail-configure
- Select “1” (organisation preferences)
- Select “7” and change to your domain (e.g. http://www.samhobbs.co.uk)
- Select “8” and change to you/your organisation’s name
Squirrelmail Plugins
There are loads of plugins available for Squirrelmail, for all kinds of things. On most systems, these plugins are installed by downloading a .zip file to your server, unzipping the plugin to the right location and then tinkering with the settings manually. Thankfully, some of the most commonly used plugins are available from the Raspbian repositories, so installation is much simpler. Here is a list of the plugins in the repo:
- squirrelmail-compatibility
- squirrelmail-decode
- squirrelmail-locales
- squirrelmail-lockout
- squirrelmail-logger
- squirrelmail-quicksave
- squirrelmail-secure-login
- squirrelmail-sent-confirmation
- squirrelmail-spam-buttons
- squirrelmail-viewashtml
The one I think is most useful and the one I’m going to use as an example is lockout. To use the lockout package, we need to install the compatibility package, which basically makes sure that plugins built for different versions of squirrelmail can still work with the version you are running.
sudo apt-get update
sudo apt-get install squirrelmail-compatibility
Now we need to enable the plugin:
sudo squirrelmail-configure
- select “8”
- select “compatibility”
- select “S” (to save)
- select “Q” (to quit)
That’s all you need to do for the compatibility plugin. Now we can install the lockout plugin:
sudo apt-get install squirrelmail-lockout
Now for the configuration:
sudo squirrelmail-configure
Make sure that lockout is enabled.
Now we can manually edit some settings. Before starting, I like to back up the default config files for reference:
cd /etc/squirrelmail
sudo cp lockout-table.php lockout-table.php.BAK
sudo cp lockout-config.php lockout-config.php.BAK
Now edit the lockout-table.php file. Read the comments in the file for an explanation of how the table works. I wanted to disable logins for the user “admin”, so I commented out the examples at the end of the file and replaced them with this:
user: admin locked_out.php
Now edit lockout-config.php and set $use_lockout_rules = 1; to turn on lockouts. Now try and log in as the user you locked out, and you should get this message: “Access Denied / Please contact your system administrator”.
We can also lock out IP addresses of users who enter incorrect username/password combinations repeatedly. To do this, open lockout-config.php and set $max_login_attempts_per_IP = '3:5:0'. The first number in this parameter is the number of incorrect attempts that are allowed before a ban. The second number is the time frame for these incorrect attempts, and the last number is the amount of time the ban lasts for when activated (0 is forever). So, the setting I gave you above means that anyone who makes 3 incorrect attempts to authenticate in 5 minutes is permanently banned. When a successful login is made, the count is reset to 0.
Data on current bad login attempts and bans is stored here: /var/lib/squirrelmail/data/lockout_plugin_login_failure_information
The plugin will add entries like this to keep track of bad logins:
999.999.99.99_login_failure_times=1386774015:1386774034:1386774053
999.999.99.99_TOO_MANY_FAILED_LOGIN_ATTEMPTS=PERMANENT
…where 999.999.99.99 is the offending IP address. If you accidentally ban yourself, you’ll have to log in via SSH and edit this file to remove those lines.
That’s it, you’re done! Have fun exploring the other plugins! The next two tutorials, Part 4 and Part 5, deal with spam detection and filtering.
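For the lockout state file and the '3:5:0' setting described above, here is a short script that lists recorded failures and bans, checks them against the policy, and removes the entries for one address with a backup. It is an added example, not part of the original tutorial or of the lockout plugin; it assumes one entry per line in the two shapes shown above, treats the ban value as opaque text, and its function names and sample addresses are made up for illustration.

```python
"""Audit and repair the lockout plugin's state file (added example)."""
import re
import shutil
from pathlib import Path

# Path given in the tutorial.
STATE_FILE = Path("/var/lib/squirrelmail/data/lockout_plugin_login_failure_information")

# Entry shapes copied from the tutorial; one entry per line is an assumption.
FAIL_RE = re.compile(r"^(?P<ip>\S+)_login_failure_times=(?P<times>[\d:]*)$")
BAN_RE = re.compile(r"^(?P<ip>\S+)_TOO_MANY_FAILED_LOGIN_ATTEMPTS=(?P<value>.*)$")

# Constructed sample data using documentation-only addresses.
SAMPLE = """\
192.0.2.10_login_failure_times=1386774015:1386774034:1386774053
192.0.2.10_TOO_MANY_FAILED_LOGIN_ATTEMPTS=PERMANENT
198.51.100.7_login_failure_times=1386770000:1386774100
"""


def parse_policy(setting):
    """Split '3:5:0' into (max_attempts, window_minutes, ban_minutes)."""
    attempts, window, ban = (int(part) for part in setting.split(":"))
    return attempts, window, ban


def parse_state(text):
    """Return {ip: {"failures": [epoch, ...], "ban": str or None}}."""
    state = {}
    for line in text.splitlines():
        line = line.strip()
        fail, ban = FAIL_RE.match(line), BAN_RE.match(line)
        if fail:
            entry = state.setdefault(fail["ip"], {"failures": [], "ban": None})
            entry["failures"] = [int(t) for t in fail["times"].split(":") if t]
        elif ban:
            entry = state.setdefault(ban["ip"], {"failures": [], "ban": None})
            entry["ban"] = ban["value"]  # opaque: only PERMANENT appears in the tutorial
    return state


def trips_policy(failures, setting):
    """True if max_attempts failures fall inside one window of the policy."""
    attempts, window_minutes, _ = parse_policy(setting)
    times = sorted(failures)
    return any(
        times[i + attempts - 1] - times[i] <= window_minutes * 60
        for i in range(len(times) - attempts + 1)
    )


def unban(path, ip):
    """Delete every entry for ip, keeping a .bak copy; return lines removed."""
    path = Path(path)
    lines = path.read_text().splitlines(keepends=True)
    kept = [line for line in lines if not line.startswith(ip + "_")]
    if len(kept) != len(lines):
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text("".join(kept))
    return len(lines) - len(kept)


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        demo = Path(tmp) / STATE_FILE.name
        demo.write_text(SAMPLE)
        for ip, entry in parse_state(demo.read_text()).items():
            hit = trips_policy(entry["failures"], "3:5:0")
            print(f"{ip}: ban={entry['ban']} trips 3:5:0={hit}")
        print("lines removed:", unban(demo, "192.0.2.10"))
```

Run as-is, it only touches a temporary copy of the sample data; to clear a real ban, call unban(STATE_FILE, "your.ip.address") from a root Python session on the Pi.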
Comments
Re: A list of things to check
Hi,
So after a good search I found out that the AUTH PLAIN is generated by the system and not for me but it doesn't appear to me! Should it appear?
I tried the rest of the process and it went great.
What can I do now?
Miguel
Refused to go out or accept in
Thanks, for informative tutorial and an excellent explanation but I have a problem, I can send emails to myself within the pi but whenever I want to send it to/from external email eg yahoo, icloud, or hotmail it failed so as vice versa.
I had included my mail.log for checking it out
root@muyaad:~# tail /var/log/mail.log
Oct 12 03:17:35 muyaad postfix/smtp[3078]: connect to mx2.mail.icloud.com[17.172.34.11]:25: Connection timed out
Oct 12 03:18:05 muyaad postfix/smtp[3078]: connect to mx6.mail.icloud.com[17.172.34.70]:25: Connection timed out
Oct 12 03:18:35 muyaad postfix/smtp[3078]: connect to mx1.mail.icloud.com[17.142.163.10]:25: Connection timed out
Oct 12 03:18:36 muyaad postfix/smtp[3078]: 8BE6C40618: to=, relay=none, delay=151, delays=1/0.01/150/0, dsn=4.4.1, status=deferred (connect to mx1.mail.icloud.com[17.142.163.10]:25: Connection timed out)
Oct 12 03:19:25 muyaad postfix/anvil[3086]: statistics: max connection rate 1/60s for (smtps:197.35.84.120) at Oct 12 03:16:03
Oct 12 03:19:25 muyaad postfix/anvil[3086]: statistics: max connection count 1 for (smtps:197.35.84.120) at Oct 12 03:16:03
Oct 12 03:19:25 muyaad postfix/anvil[3086]: statistics: max cache size 1 at Oct 12 03:16:03
Oct 12 03:22:22 muyaad dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=3128, secured, session=
Oct 12 03:22:22 muyaad dovecot: imap(muyaad): Disconnected: Logged out in=79 out=712
Oct 12 03:22:30 muyaad postfix/qmgr[2827]: CA47240D2C: from=, size=788, nrcpt=1 (queue active)
root@muyaad:~#
outbound port blocking
Can't create symbolic link - no conf.d directory
Hi Sam,
I tried to create the symbolic link, but no success because I don't seem to have the conf.d directory in the apache2 directory:
pi@raspberrypi ~ $ sudo ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
ln: failed to create symbolic link ‘/etc/apache2/conf.d/squirrelmail.conf’: No such file or directory
pi@raspberrypi ~ $ cd /etc/apache2/
pi@raspberrypi /etc/apache2 $ ls
apache2.conf conf-enabled magic mods-enabled sites-available
conf-available envvars mods-available ports.conf sites-enabled
pi@raspberrypi /etc/apache2 $
Any ideas?
Regards,
Jo
Hi Jo,
Symbolic link success!
Hi Sam,
Great that worked perfectly!
Jo
Jessie change.
Sam,
The symlink for apache needs an update with the change to Jessie. /etc/apache2/conf.d/squirrelmail.conf no longer exists.
sudo ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf-enabled/squirrelmail.conf seems to work.
The set-up is all working :-) up to creating the webmail subdomain, still working on that.
Thanks again.
Mark
Attachment size larger than 2MB
Hi Sam,
How do I increase the attachment size to greater than 2MB?
Jo
message_size_limit
/etc/postfix/main.cf, change message_size_limit to whatever you like. The number is the number of bytes...
Sam
Symbolic links
Hi Sam,
Glad to say that thanks to you I am up and running my own Pi email server. I have now moved onto SquirrelMail, but am having issues with creating the symbolic links. After copying and pasting your command: sudo ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
I get this error:
ln: failed to create symbolic link ‘/etc/apache2/conf.d/squirrelmail.conf’: No such file or directory
I have looked into the /etc/apache2 directory and there is no conf.d subdirectory. Is it hidden or have I missed something? I have enabled all the modules discussed above.
I think I might have had this issue in step 1 or 2, but it doesn't seem to have stopped me....
Great tutorial.
Spencer
directory structure has changed
When I try to send email from Squirrel I get this error:
Message not sent. Server replied:
Transaction failed
554 5.7.1 : Relay access denied
permit_mynetworks
permit_mynetworks in the restriction lists?
Sam
Thanks!
Thanks for this tutorial
Cheers.
Can't send email using Squirrelmail
Hi Sam I hit issue with this section, I can not send any email using Squirrelmail. So far all was working, but not this part3
Jan 7 10:20:51 crystalnet postfix/qmgr[32266]: 0CD3720A03: from=, size=1036, nrcpt=1 (queue active)
Jan 7 10:20:52 crystalnet postfix/smtp[32492]: 0CD3720A03: to=, relay=mx4.hotmail.com[65.55.33.119]:25, delay=1.2, delays=0.46/0.03/0.51/0.16, dsn=5.0.0, status=bounced (host mx4.hotmail.com[65.55.33.119] said: 550 DY-001 (COL004-MC5F35) Unfortunately, messages from 188.141.47.233 weren't sent. Please contact your Internet service provider. You can tell them that Hotmail does not relay dynamically-assigned IP ranges. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command))
Jan 7 10:20:52 crystalnet postfix/smtp[32492]: 0CD3720A03: lost connection with mx4.hotmail.com[65.55.33.119] while sending RCPT TO
Jan 7 10:20:52 crystalnet postfix/cleanup[32471]: 32662209D8: message-id=<20160107102052.32662209D8@crystalnet.site>
Jan 7 10:20:52 crystalnet postfix/bounce[32493]: 0CD3720A03: sender non-delivery notification: 32662209D8
Jan 7 10:20:52 crystalnet postfix/qmgr[32266]: 32662209D8: from=<>, size=3531, nrcpt=1 (queue active)
Jan 7 10:20:52 crystalnet postfix/qmgr[32266]: 0CD3720A03: removed
Jan 7 10:20:52 crystalnet postfix/local[32494]: 32662209D8: to=, relay=local, delay=0.06, delays=0.02/0.03/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
Jan 7 10:20:52 crystalnet postfix/qmgr[32266]: 32662209D8: removed
am I missing something?
Hotmail does not relay dynamically-assigned IP ranges
Hi Sam, thank you for that, I can send mails now, but not to every. Usually I'm blocked using zen.spamhaus.org. How did you manage this problem. Did you hit this problem?
Looks like my ip (dynamic) is listed in the PBL,
I have found one hint on https://www.spamhaus.org/faq/section/Spamhaus%20PBL#253
Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (ask your ISP to check for you)
I think in your tutorial we r using 465 should I change this port to 587 ?
How can I have 'SMTP Authentication' switched on
Looks like if we want use something independent we hit so many issue :(
Get a static IP address if you can
Hi Sam
Thank you very much for explanation. I was talking to my provider and I can not get static IP for free:(
I can have static IP if I switch from normal user to business user. I need to pay more for this service (lot more) so this is not good solution for me to have "cheaper and more private" email service. Anyway all from your tutorial works fine.
Thank you very much for this tutorial,
PS, I have dynamic IP maybe one day it will change to not blocked IP :/
Who knows :)
Outgoing mail
Hi Sam,
You make awesome tutorials!
But my internet service provider blocks outgoing mail which don't go through the server they provide, which is not really a problem if I configure my own mail in an email client. I just add their outgoing mail server. But squirrelmail will automatically send mail through my outgoing mail server, which will get blocked. Is there any way to configure squirrelmail to send outgoing mail through another server?
Best regard,
Emiel
Hi,
501 5.1.7 Bad sender address syntax
Hello Sam,
first of all thank for the amazing guides. They're very clear and easy to follow! Will surely recommend them further!
I've had a few problems along the way which I managed to fix myself. First off, my ISP blocked port 25, so I set
587 inet n - - - - smtpd
in /etc/postfix/master.cf. Then while testing squirrelmail and trying to send a test e-mail to my hotmail account, it first gave me a STARTTLS error. This I fixed by changing -o smtpd_tls_security_level=encrypt to -o smtpd_tls_security_level=may (I hope this won't give any security issues?). Finally, the error I get from squirrelmail on sending a test e-mail to my hotmail is 501 5.1.7 Bad sender address syntax. I can't find how to solve this, could you kindly help me?
Much appreciated.
relay
Login trouble with root user
Hi, Sam, thanks for your webpage, I'm learning so much.
I have DietPi on my RPI 1 and I've followed all the steps and I cannot go into Squirrelmail. I've tried with user "root" and with user "root@xxxx.ddns.net" (being xxxx my domain) with password (in plain text) and it says "ERROR. Unknown user or password incorrect." After a few attempts I get "ERROR: Connection dropped by IMAP server." Trying to go into login with a user that doesn't exist says "ERROR. Unknown user or password incorrect." but IMAP server seems to drop root user.
So, how can I have to go into Squirrelmail?
Note: I'm trying to go into Squirrelmail with "root" user because this is the default user on DietPi and there's not "pi" user.
Thank you very much,
Oscar
Hi Oscar,
Thank you very, very, much,
It's done, new user created, I can go into Squirrelmail. Now, I'll have to fight with MX records of No-IP, because I have a xxx.ddns.net domain, and my ISP gives me a dynamic IP. I say this because I can send e-mails from Squirrel, but they don't reach my gmail account I'm writing to, and I can send emails from my gmail account, and I don't get any error message, but they don't reach Squirrel.
It's strange because I can send e-mails from telnet doing SSH to my RPI. I'll research on this issue.
Thanks again!
Oscar
Solved automatically, after going into SM several times.
But in the left side I have:
Folders
Last Refresh:
Fri, 11:48 am
(Check mail)
Drafts
Maildir/Drafts
Maildir/Sent
Maildir/Trash
So, I don't know how to get to the "Inbox" unless I use the "Back button" of Firefox. And there's nothing under Maildir/Sent...
I'm going from one mystery to another one!
I wonder if I could use Roundcube better than Squirrelmail... the reality if you compare SM to Roundcube, roundcube is much more user-friendly, much more like Thunderbird (that is giving me some troubles under my Mac OS X), and SM has a very outdated look.
Partially solved...
I have done again your tutorial, 3 first parts, now Thunderbird (TB) finally works. It sends e-mails, that are received by Gmail, but TB gets like hung in that part when it says something like "saving the e-mail to Sent folder". It can receive e-mails, too, from TB. It's saying the SSL certificate is not trusted, because I'm using a self-signed one (now I'll try to improve this).
When using Squirrelmail (SM), I always get the message:
"ERROR:
ERROR: Could not complete request.
Query: CREATE "Maildir/Sent"
Reason Given: [ALREADYEXISTS] Mailbox already exists" on the left of the webpage.
I suppose I've been something wrong, but don't know what or where, because I've repeated some parts of your tutorial, created a new user...
Just for information, I'm using Jessie on a RPI 1 B (512 MB RAM).
Thank you very much for this great tutorial!!
https force?
Hi Sam,
I think I followed the tutorial closely, but when I go for http://192.168.1.100/squirrelmail it tries to 'force' https, but crosses the https out and gives the following message:
Your connection is not private
Attackers might be trying to steal your information from 192.168.1.100 (for example, passwords, messages or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
I can click the 'unsafe' option and go to squirrelmail...
I have the CAcert in place and I think it is in all the right places.
Any ideas?
Regards,
Jo
install root cert on client