Raspberry Pi Email Server Part 3: Squirrelmail


This is the third part of a five part tutorial that will show you how to install a full featured email server on your Raspberry Pi. This tutorial covers how to set up Webmail with Squirrelmail.

The parts are:
The Introduction & Contents Page (read first)
Raspberry Pi Email Server Part 1: Postfix
Raspberry Pi Email Server Part 2: Dovecot
Raspberry Pi Email Server Part 3: Squirrelmail
Raspberry Pi Email Server Part 4: Spam Detection with Spamassassin
Raspberry Pi Email Server Part 5: Spam Sorting with LMTP & Sieve

Installing Apache

If you don't already have apache installed (you might if you've followed my wordpress tutorial), then install it now.

sudo apt-get update
sudo apt-get install apache2

Enable the SSL apache module so that you can use HTTPS:

sudo a2enmod ssl

There are some "pre-made" virtualhost configurations that come with apache. This command will enable the "default-ssl" virtualhost, by creating a symbolic link from /etc/apache2/sites-available/default-ssl to /etc/apache2/sites-enabled/default-ssl:

sudo a2ensite default-ssl

Now reload apache to make the changes take effect:

sudo service apache2 reload

If you type the IP address or hostname of the pi into a web browser now, you should see the default Apache test page.

If you try the https version, you'll get a certificate error because you are using a self-signed SSL certificate. If you like, you can follow my CAcert tutorial to get a free SSL certificate for your domain, or you can just store an exception for the certificate and generate a proper one later.


That's it for Apache. If you want to know more about setting up Apache for multiple websites, subdomains, and SSL configurations, I suggest you read my tutorial explaining Apache's VirtualHost files.

Installing Squirrelmail

Now we need to install squirrelmail:

sudo apt-get update
sudo apt-get install squirrelmail

The basic configuration for squirrelmail is really easy, and can be done with the setup script. To run the script, use this command:

sudo squirrelmail-configure


Choose “D” for pre-defined settings


Now type “dovecot” and hit enter


Press enter to continue, then save and quit (press Q and save when prompted, or press S then Q).

The configuration script creates a configuration file for apache in /etc/squirrelmail/apache.conf. You need to create a symbolic link so that Apache2 will load your Squirrelmail apache configuration file when it starts up.

On Raspbian Wheezy, the command is:

sudo ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf

On Raspbian Jessie, the apache configuration directory structure is more like ubuntu, with separate folders for configuration files that are available and files that are enabled. This command will create a symlink from the directory where enabled configuration is stored, to squirrelmail's apache configuration file:

sudo ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf-enabled/squirrelmail.conf

On a related note, there's a convenience command a2enconf that works similarly to a2ensite: it creates a symlink from the conf-available directory to the conf-enabled directory. You should use this in situations where config already exists in conf-available, e.g. sudo a2enconf squirrelmail would create a symlink for a file called squirrelmail.conf.

Now reload Apache one more time so that it reads the config file we just symlinked:

sudo service apache2 reload

Now visit the IP address or hostname of your Pi again, but add /squirrelmail to the path, e.g. 192.168.1.174/squirrelmail. You should see the login page.

The squirrelmail configuration file just adds an alias that should affect every virtualhost, so if you install a wordpress site or something like that on your pi, you will be able to get to the squirrelmail login page by visiting yourdomain.com/squirrelmail.

Redirect http to https for secure login

Since you don't want to send your login details and confidential information over the internet without SSL, it's best to redirect all http URLs to https.

The default squirrelmail apache configuration file at /etc/squirrelmail/apache.conf contains some rewrite rules we can use; we just need to uncomment them. Open the file and uncomment the lines by removing the # at the start of each so that it looks like this:

<IfModule mod_rewrite.c>
  <IfModule mod_ssl.c>
    <Location /squirrelmail>
      RewriteEngine on
      RewriteCond %{HTTPS} !^on$ [NC]
      RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
    </Location>
  </IfModule>
</IfModule>

This configuration makes sure that the rewrite and ssl modules are enabled, and does nothing if they aren't. We already enabled the ssl module earlier, so all we need to do now is enable the rewrite module:

sudo a2enmod rewrite

And reload Apache:

sudo service apache2 reload

Now if you visit the HTTP page, you should be redirected to HTTPS.
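Because the rewrite block is wrapped in IfModule tests, a missing module makes Apache skip the redirect silently and the login page stays reachable over plain HTTP. The script below is an added example (not part of the Squirrelmail or Raspbian packages) that checks the uncommented rules and both modules in one go; it assumes the Debian/Raspbian layout where a2enmod links NAME.load into /etc/apache2/mods-enabled, and sample_conf is a constructed sample made by putting the # back on each line of the block above.

```shell
#!/bin/sh
# Added example: static check that the Squirrelmail HTTP->HTTPS redirect is active.

# True if CONF has uncommented rewrite lines sending non-HTTPS requests to https://
has_active_redirect() {
    grep -Eiq '^[[:space:]]*RewriteEngine[[:space:]]+on' "$1" &&
    grep -Eq '^[[:space:]]*RewriteCond[[:space:]]+%\{HTTPS\}' "$1" &&
    grep -Eq '^[[:space:]]*RewriteRule[[:space:]].*https://' "$1"
}

# True if Apache module NAME ($1) is enabled, i.e. NAME.load exists in MODS_DIR ($2)
module_enabled() {
    [ -e "$2/$1.load" ]
}

# check_redirect [CONF] [MODS_DIR]
# Prints one line per problem and returns 0 only if none were found.
check_redirect() {
    conf=${1:-/etc/squirrelmail/apache.conf}
    mods=${2:-/etc/apache2/mods-enabled}
    problems=0
    if ! has_active_redirect "$conf"; then
        echo "FAIL: rewrite lines in $conf are still commented out"
        problems=$((problems + 1))
    fi
    for m in rewrite ssl; do
        if ! module_enabled "$m" "$mods"; then
            echo "FAIL: mod_$m is not enabled, so IfModule skips the redirect (sudo a2enmod $m)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample: the redirect block with every line still commented out
sample_conf() {
    cat <<'EOF'
Alias /squirrelmail /usr/share/squirrelmail
#<IfModule mod_rewrite.c>
#  <IfModule mod_ssl.c>
#    <Location /squirrelmail>
#      RewriteEngine on
#      RewriteCond %{HTTPS} !^on$ [NC]
#      RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
#    </Location>
#  </IfModule>
#</IfModule>
EOF
}

# On the Pi, run: sh check-redirect.sh --check
if [ "${1:-}" = "--check" ]; then
    check_redirect && echo "OK: redirect block active, mod_rewrite and mod_ssl enabled"
fi
```

This is a static check of the configuration only; confirm the behaviour in a browser after reloading Apache.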

Optional: Configuring Apache to serve Squirrelmail on a subdomain

If you would like to move the login page to the root of your domain (i.e. so that yourdomain.com would serve the login page for squirrelmail), or if you would like to serve it on a subdomain like mail.yourdomain.com, you can edit the configuration file. If not, you can skip this section.

By default, this line in /etc/squirrelmail/apache.conf means that http://www.yourdomain.com/squirrelmail will load squirrelmail:

Alias /squirrelmail /usr/share/squirrelmail

If you would rather have webmail on a subdomain like mail.yourdomain.com then you could edit the /etc/squirrelmail/apache.conf file to look like this (comment out the rest):

<VirtualHost *:80>
  DocumentRoot /usr/share/squirrelmail
  ServerName mail.yourdomain.com


<Directory /usr/share/squirrelmail>
  Options FollowSymLinks
  <IfModule mod_php5.c>
    php_flag register_globals off
  </IfModule>
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>

  # access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>
</VirtualHost>

Note that if you want to serve mail on a subdomain, then that subdomain needs a DNS record, so edit your records with your DNS provider accordingly.

However, the virtualhost code above only does HTTP. You also want an HTTPS virtualhost for the subdomain on port 443:

<IfModule mod_ssl.c>
<VirtualHost *:443>
  DocumentRoot /usr/share/squirrelmail
  ServerName mail.yourdomain.com

<Directory /usr/share/squirrelmail>
  Options FollowSymLinks
  <IfModule mod_php5.c>
    php_flag register_globals off
  </IfModule>
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>

  # access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

SSLEngine on
SSLCertificateFile    /etc/ssl/certs/your-ssl-certificate.crt
SSLCertificateKeyFile /etc/ssl/private/your-ssl-certificate-keyfile.key


</VirtualHost>
</IfModule>

If you use this configuration, the rewrite rules from the "rewrite to HTTPS" section (the ones from the default config file) won't work. If you want an HTTPS-only solution, you can replace the virtualhost for port 80 with this:

<VirtualHost *:80>
ServerName mail.yourdomain.com
<IfModule mod_rewrite.c>
  <IfModule mod_ssl.c>
    <Location />
      RewriteEngine on
      RewriteCond %{HTTPS} !^on$ [NC]
      RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
    </Location>
  </IfModule>
</IfModule>
</VirtualHost>

As before, make sure you have the rewrite module enabled:

sudo a2enmod rewrite

Now restart Apache:

sudo service apache2 restart

If you get an error like this:

[....] Restarting web server: apache2[Fri Dec 06 15:54:04 2013] [warn] _default_ VirtualHost overlap on port 443, the first has precedence

Then add NameVirtualHost *:443 to the start of the SSL VirtualHost block, i.e.:

NameVirtualHost *:443
<IfModule mod_ssl.c>
<VirtualHost *:443>
  DocumentRoot /usr/share/squirrelmail
  ServerName mail.yourdomain.com
...

For more info on HTTP and HTTPS VirtualHost configuration on Apache2, see this tutorial of mine.

If all went to plan then you can navigate to mail.yourdomain.com and you should see the squirrelmail login page (you might need to forward some ports on your router if you haven't already - see the next section).

Port Forwarding

Squirrelmail will log in to your IMAP server on port 143 to display your emails. It doesn’t need to authenticate because it’s in your network (remember the permit_mynetworks parameter from the previous tutorials?). You don’t need to worry about it being an unencrypted connection, because the data isn't actually travelling over any insecure networks (the connection is internal). Similarly, you don’t need to open port 143 (“plain” imap without SSL/TLS) on your router because the connection happens within the Pi, and the content is actually served to you, the user, on port 443 (https).

So you do need to open ports 80 and 443 on your router for http and https.

Testing

Before you start testing your webmail, make sure that the permit_mynetworks parameters are uncommented in your postfix configuration file /etc/postfix/main.cf (in both your smtpd_recipient_restrictions and smtpd_helo_restrictions).

Now reload your postfix configuration:

sudo service postfix reload

Try sending and receiving emails from within Squirrelmail. You should have no problems, but if you do please post a comment and I’ll try to help you out.

Customising the Squirrelmail Login

To customise the login page, run the configuration wizard:

sudo squirrelmail-configure
  1. Select "1" (organisation preferences)
  2. Select "7" and change to your domain (e.g. http://www.samhobbs.co.uk)
  3. Select "8" and change to you/your organisation's name

Squirrelmail Plugins

There are loads of plugins available for Squirrelmail, for all kinds of things. On most systems, these plugins are installed by downloading a .zip file to your server, unzipping the plugin to the right location and then tinkering with the settings manually.

Thankfully, some of the most commonly used plugins are available from the Raspbian repositories, so installation is much simpler. Here is a list of the plugins in the repo:

  1. squirrelmail-compatibility
  2. squirrelmail-decode
  3. squirrelmail-locales
  4. squirrelmail-lockout
  5. squirrelmail-logger
  6. squirrelmail-quicksave
  7. squirrelmail-secure-login
  8. squirrelmail-sent-confirmation
  9. squirrelmail-spam-buttons
  10. squirrelmail-viewashtml

The one I think is most useful and the one I’m going to use as an example is lockout.

To use the lockout package, we need to install the compatibility package, which basically makes sure that plugins built for different versions of squirrelmail can still work with the version you are running.

sudo apt-get update
sudo apt-get install squirrelmail-compatibility

Now we need to enable the plugin:

sudo squirrelmail-configure
  1. select "8"
  2. select "compatibility"
  3. select "S" (to save)
  4. select "Q" (to quit)

That’s all you need to do for the compatibility plugin. Now we can install the lockout plugin:

sudo apt-get install squirrelmail-lockout

Now for the configuration:

sudo squirrelmail-configure

Make sure that lockout is enabled

Now we can manually edit some settings. Before starting, I like to back up the default config files for reference:

cd /etc/squirrelmail
sudo cp lockout-table.php lockout-table.php.BAK
sudo cp lockout-config.php lockout-config.php.BAK

Now edit the lockout-table.php file. Read the comments in the file for an explanation of how the table works. I wanted to disable logins for the user “admin”, so I commented out the examples at the end of the file and replaced them with this:

user:		admin		locked_out.php

Now edit lockout-config.php and set $use_lockout_rules = 1; to turn on lockouts.

Now try and log in as the user you locked out, and you should get this message: “Access Denied / Please contact your system administrator”.

We can also lock out IP addresses of users who enter incorrect username/password combinations repeatedly. To do this, open lockout-config.php and set $max_login_attempts_per_IP = '3:5:0'.

The first number in this parameter is the number of incorrect attempts that are allowed before a ban. The second number is the time frame for these incorrect attempts, and the last number is the amount of time the ban lasts for when activated (0 is forever).

So, the setting I gave you above means that anyone who makes 3 incorrect attempts to authenticate in 5 minutes is permanently banned.

When a successful login is made, the count is reset to 0.

Data on current bad login attempts and bans is stored here: /var/lib/squirrelmail/data/lockout_plugin_login_failure_information

The plugin will add entries like this to keep track of bad logins:

999.999.99.99_login_failure_times=1386774015:1386774034:1386774053
999.999.99.99_TOO_MANY_FAILED_LOGIN_ATTEMPTS=PERMANENT

…where 999.999.99.99 is the offending IP address

If you accidentally ban yourself, you’ll have to log in via SSH and edit this file to remove those lines.
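The following script is an added example, not the lockout plugin's own code: it models the '3:5:0' rule as described above, lists the banned addresses in the failure-information file, and removes the entries for one address so you can un-ban yourself without hand-editing. It handles only the two entry types shown above, and the sample file contents (documentation-range IP addresses) are constructed.

```shell
#!/bin/sh
# Added example: inspect and repair the lockout plugin's failure-information file.

# Constructed sample of the file, in the format shown in this tutorial
sample_lockout_file() {
    cat <<'EOF'
203.0.113.7_login_failure_times=1386774015:1386774034:1386774053
203.0.113.7_TOO_MANY_FAILED_LOGIN_ATTEMPTS=PERMANENT
198.51.100.23_login_failure_times=1386774100
EOF
}

# rule_triggers RULE TIMES
# RULE is the 'attempts:minutes:ban' setting, TIMES a colon-separated list of
# epoch seconds as stored in the file. Succeeds if at least <attempts> failures
# fall inside any <minutes>-long window (a model of the rule as described here).
rule_triggers() {
    printf '%s\n' "$2" | tr ':' '\n' | sort -n | awk -v rule="$1" '
        BEGIN { split(rule, r, ":"); need = r[1] + 0; window = r[2] * 60 }
        { t[NR] = $1 }
        END {
            for (i = 1; i + need - 1 <= NR; i++)
                if (t[i + need - 1] - t[i] <= window) exit 0
            exit 1
        }'
}

# list_bans FILE: print "IP BAN_VALUE" for every banned address
list_bans() {
    awk -F= '$1 ~ /_TOO_MANY_FAILED_LOGIN_ATTEMPTS$/ {
        ip = $1
        sub(/_TOO_MANY_FAILED_LOGIN_ATTEMPTS$/, "", ip)
        print ip, $2
    }' "$1"
}

# unban IP FILE: drop both entries for IP, keeping a copy in FILE.bak.
# Writing back with ">" truncates the existing file, so its owner and
# permissions (it belongs to the web server) are left as they were.
unban() {
    ip=$1 file=$2
    cp -p "$file" "$file.bak" || return 1
    awk -v ip="$ip" '
        index($0, ip "_login_failure_times=") == 1 { next }
        index($0, ip "_TOO_MANY_FAILED_LOGIN_ATTEMPTS=") == 1 { next }
        { print }
    ' "$file.bak" > "$file"
}

# On the Pi (over SSH): sudo sh lockout-tool.sh list
#                       sudo sh lockout-tool.sh unban 203.0.113.7
LOCKOUT_FILE=${LOCKOUT_FILE:-/var/lib/squirrelmail/data/lockout_plugin_login_failure_information}
case "${1:-}" in
    list)  list_bans "$LOCKOUT_FILE" ;;
    unban) unban "${2:?usage: unban IP}" "$LOCKOUT_FILE" ;;
esac
```

With a permanent ban (last number 0) a mistyped password from your own address locks you out until the file is edited, so it is worth checking that SSH access works before enabling the rule.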

That’s it, you’re done! Have fun exploring the other plugins!

The next two tutorials, Part 4 and Part 5 deal with spam detection and filtering.


Comments

Hi,

Sounds like you have the same error as Jeffpi above, I haven't had a chance to look into this yet. Not sure what changed, did you just upgrade one of the mail server packages?

Can you look in the mail log and see what happens when you send a message from squirrelmail please?

Sam

Hello Sam,

I didn't upgrade any mail package. I was trying to install the SpamAssassin but before the installation the system was already like this!

By the way, what is the command for the log you were talking about? I am really new to this, so I don't know! Sorry!

Thanks,
Mónica

The mail log is at /var/log/mail.log, it's a plain text file and you can read it with any text editor, e.g. less /var/log/mail.log or tail -f /var/log/mail.log if you want to print the last few lines to standard output (the terminal window) and have it update when new logs are written. CTRL+C to exit the tail command.

If you're using systemd and there isn't a mail log, you can use sudo journalctl -f -u postfix -u dovecot instead.

Sam

Hello Sam,

On the /var/log/mail.log there is only data from Mar 21 and I tried to send e-mails yesterday.

The last command I can't use it! The system says: sudo: journalctl: command not found

Thanks,
Mónica

Don't worry about the second command, you would only have a journal (binary log) if you are using systemd instead of traditional text logs.

I think maybe Postfix and/or Dovecot failed to start and aren't running. Try:

sudo service postfix status
sudo service dovecot status

And if they are stopped or not running, try:

sudo service postfix start
sudo service dovecot start

You'll probably get a useful error message that will tell you why it didn't start.

Sam

Hi Sam,

I used the command sudo service postfix status and I got:
[ ok ] postfix is not running.

So I used the command sudo service postfix start and I got:
[ ok ] Starting Postfix Mail Transport Agent: postfix.

But after another check with sudo service postfix status and I got:
[ ok ] postfix is not running.

What is happening?

Thanks,
Mónica

Does it really not give you any more information than that? That's weird. It looks like it tries to start and fails.

Check the log file again, it should write some messages in there when it tries to start up.

Sam

Sam,

Thanks for the tutorial! I've been working through this section, but have not been able to send or receive emails (logging in through squirrelmail). In addition, my squirrelmail login page is only accessible through my local network, even though my domain will show the default Apache landing page when I navigate to it on or off my LAN. (Setting up K9 Mail likewise fails unless I'm on my local network.)

Outbound emails from accounts on the server never arrive (and don't receive any bounceback messages), and emails sent to them from an external address (gmail) are delayed and eventually fail to be delivered after several days, according to error messages, which state (address details redacted):

"Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at https://support.google.com/mail/answer/7720
[XXXXXX.com. 192.168.X.XXX: socket error]"

I've checked using nmap and my ports all appear to be forwarded correctly, and my DNS A, MX, and SPF records are set up as outlined by your tutorial on the subject. My server is connected by wifi rather than directly to my router, and I'm using a self-signed certificate for the moment until I get things working, not sure if those matter. Otherwise I've followed all the preceding steps in the Postfix and Dovecot sections. My first thought was that my ports weren't opened, but that doesn't appear to be the case. What are some things I could try or look at that might help?

Hi Dan,

I would check that you have a static LAN IP - if you're on wifi it's likely that you got your IP address via DHCP, in which case it may have changed since you set up the port forwarding rule (i.e. it's forwarded to the wrong IP address now, so you get a timeout). That would explain why you can't connect from WAN.

Sam

I had actually used dhcp reservation on my router to assign a static address to the Pi, but I assigned a static LAN IP through /etc/network/interfaces just in case, and I still have the same symptoms described earlier. Are there other likely points of failure, or things that may have changed in more recent Raspbian Jessie distributions? I'm stumped at the moment.

Well, what do you see in the logs?

Can you send mail from your email client?

Can you send mail between local accounts?

Have you checked your spam folder?

"It doesn't work" isn't much to go on!

Sam

I can send mail, but not receive

I sent mail with GMail but I get an error email from their mail daemon

Hi,
I have installed Postfix / Dovecot according to your tutorials on a Raspberry Pi 3 in a Mesh network. It is set up for Amateur Radio RAYNET (emergency communications) use and I have 3 users, g4mcf (me), g7aor (my brother) and g8eia (our RAYNET Group Controller). Since I set up the accounts, I know the passwords. The mail server domain is g4mcf-app.local.mesh, so email addresses are like g4mcf@g4mcf-app.local.mesh or g7aor@g4mcf-app.local.mesh.

When testing SquirrelMail, I logged into SquirrelMail as g7aor (my brother as a user) and tried to send a message to me (another user, but also aliased to root, postmaster etc.) and received a mail back to g7aor's inbox with the subject Undelivered Mail Returned to Sender. The reason given is: : mail for g4mcf-app.local.mesh loops back on itself. What does that mean?

Regards,
Colin Begg

You shouldn't normally see that if your pi isn't an MX backup, and even then you normally get deferrals instead of undeliverable messages... weird. Do you see deferral messages in your log? Is your domain name in mydestinations? Check for typos.

If it is, follow the part of my MX backup tutorial under the heading "tell postfix your WAN IP" and see if that helps at all.

Sam

My Pi domain isn't even on the public internet. The Pi has an internet connection to pick up packages etc. But all the mail resides within the local domain local.mesh.

I've put the fqdn, rather than just g4mcf-app into the my destinations (in Postfix?) in case that helps.

Colin Begg

Ah, maybe it was due to a lack of DNS records then?

Glad you fixed it, sounds like an interesting project.

Sam

That fqdn seems to have fixed the problem. I now have successfully sent emails to my brother's local account not the server and read them in SquirrelMail. I've also tried sending one to his Internet email address, but don't expect a reply to work!

Thanks Colin

Yes, we're using Pi's with wifi dongles and Linksys routers with modified firmware to create a Mesh network. The mail server is part of a Pi app server with email, Asterisk VOIP, IRC and Kloudspeaker file sharing, with maybe more to add later. The modification to the Linksys and the programming of the PI's with dongles, puts the wifi on the channels shared with Amateur Radio 2.4GHz, so we can up the power, and use fancy high gain antennae, thus increasing the range of the wifi. A system in Scotland (FEEDNET.org) manages distances of 20km over the Forth Estuary.

Cheers, Colin

Hi Sam, yes, we plan to write it up and I'll send you a link when we do. The Mesh Node modifications will be offered back to the developer of the original code (it's Open Source), but the FEEDNET group are interested in a write up on our Mesh Node App Server.

Regards,
Colin

I have followed this tutorial and it's amazing. Could have done with a few hints for when errors occur.

One such error is that I seem to be able to send email and I received the test telnet email but I can't seem to receive them when sent from my other mail account.

Simon,

Bit vague - what do you mean you "seem to be able to send email"? Did you successfully send email to an external server that arrived?

If you have tried to send an email to your pi from a freemail provider and it hasn't arrived, you probably have either a DNS problem (did you read the DNS tutorial?) or a firewall problem (did you forward the ports to your pi?).

There are plenty of hints in the comments ;)

Sam

That's annoying. Consider switching to PlusNet if you can, they're a subsidiary of BT but they have much more server friendly policies (static IP address is a one-off £5 admin fee), they let you control the firewall at their end through the control panel etc.

Sam

I'm currently 3 months into the year contract with BT but will likely look elsewhere when this is up.

Thanks for all your help

Hi Sam,

I am falling at the first hurdles.

a) First step after loading squirrelmail. www.mymail.co.uk/squirrelmail brings up the squirrelmail login panel. Good. Then enter user name and password: response: ERROR you must be logged in to access this page: Go to the login page.

b) Try the next step: remove comments on mod_rewrite etc and a2enmod rewrite. Try again: now have https page but with message:
"You don't have permission to access /squirrelmail/ on this server."

Please advise....Thanks

John

The first error may be a failed login with IMAP/Dovecot. Can you revert the changes in b) - best to do one thing at a time - and see what turns up in /var/log/mail.log when you log in.

You can also check /var/log/apache2/access.log (for http) and /var/log/apache2/ssl_access.log (for https) to see if apache spits out any interesting errors.

Sam
