Arief Yudhawarman

Still learning to blog

Live Email Backup – 1


As an email user you have probably run into email in the MS Outlook Inbox that can no longer be read because the .pst file is corrupt, important emails deleted by accident, old email that is unreadable because the previous user deleted it on purpose, and so on. On top of that, a company or institution may want a complete backup of all staff email traffic, incoming as well as outgoing.

What is needed is a strategy that guarantees a backup of every incoming and outgoing email, so that the incidents above do not recur. A good email backup is taken by the mail server itself, where the user cannot interfere with it.

This post describes a live email backup strategy that uses the Postfix MTA as the Mail Server Backup. A follow-up post will cover email backup with Zimbra Collaboration Open Source Edition. In outline, the steps are:

  • Back up user email transparently by adding sender_bcc and recipient_bcc rules to the Postfix configuration on the Mail Server.
  • Set up the Postfix MTA on the Mail Server Backup to receive the incoming and outgoing backup traffic from the Mail Server.
  • Set up procmail as the MDA behind Postfix on the Mail Server Backup to file incoming email copies into the INBOX folder and outgoing copies into the Sent folder.

[Figure: Live Email Backup schema]



Topology

  • Mail Server
    • Hostname: server.domain.org
    • IP address: 10.1.1.1
    • MTA: Postfix (bundled with Zimbra)
  • Mail Server Backup (MB)
    • Hostname: backup.domain.org
    • IP address: 10.10.10.2
    • MTA: Postfix

The Mail Server runs Zimbra, with LDAP as the centralised user database. The following software is needed on the Mail Server Backup:

  • MTA: postfix-2.8.5 with the VDA patch
  • IMAP and POP3: courier-imap-4.10
  • Authentication: courier-authlib-0.63
  • Webmail: squirrelmail-1.4.22

So that the system user passwords on the Mail Server Backup are integrated with the Mail Server, edit the following configuration files for LDAP support:

  • /etc/hosts
  • /etc/ldap.conf
  • /etc/nsswitch.conf
  • /etc/pam.d/system-auth-ac


Installation

  • Postfix-2.8.5 (TLS+PCRE+SASL+LDAP) with postfix-vda-v10-2.8.5.patch
    $ tar zxf postfix-2.8.5.tgz
    $ cd postfix-2.8.5/
    $ patch -p1 < ../postfix-vda-v10-2.8.5.patch
    $ make makefiles CCARGS="-DUSE_TLS -DHAS_PCRE -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DHAS_LDAP -I/usr/include -I/usr/include/sasl" AUXLIBS="-L/usr/lib64 -lsasl2 -lpcre -lldap -llber -lssl -lcrypto"
    $ make
    


    Postfix's install script expects the postfix account and the postdrop group to exist, and the sendmail-compatible binaries of any previously installed MTA to be moved out of the way (the chmod 755 strips their set-id bits), so do this as root before make install.

    
    $ sudo su
    # mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF
    # mv /usr/bin/newaliases /usr/bin/newaliases.OFF
    # mv /usr/bin/mailq /usr/bin/mailq.OFF
    # chmod 755 /usr/sbin/sendmail.OFF
    # chmod 755 /usr/bin/newaliases.OFF
    # chmod 755 /usr/bin/mailq.OFF
    # useradd -r -d /var/spool/postfix -s /bin/false postfix
    # groupadd -r postdrop
    # make install
    
    

  • Courier Authentication Library
    $ tar jxf courier-authlib-0.58.tar.bz2
    $ cd courier-authlib-0.58
    $ CFLAGS="-O2" ./configure --with-mailuser=root --with-mailgroup=root --without-authpam --with-authldap --without-authvchkpw --without-authpgsql --with-authshadow --without-authmysql
    $ make
    $ sudo su
    # make install
    # make install-configure
    

  • Courier-Imap-4.1.0
    $ tar jxf /SRC/courier-imap-4.1.0.tar.bz2
    $ cd courier-imap-4.1.0
    $ env COURIERAUTHCONFIG=/usr/local/bin/courierauthconfig ./configure --prefix=/usr/local/courier-imap --enable-unicode --mandir=/usr/local --with-trashquota --enable-workarounds-for-imap-client-bugs
    $ make
    $ sudo su
    # make install-strip
    # make install-configure
    

  • For the webmail installation with SquirrelMail, follow the manual at Installing Squirrelmail Unix.


Configuration

  1. Courier Authentication Library
    Edit /usr/local/etc/authlib/authdaemonrc

    authmodulelist="authshadow authldap"
    


    Edit /usr/local/etc/authlib/authldaprc. Note that the bind DN used here is cn=config, the LDAP server's configuration administrator; a dedicated DN with read access to just the attributes below would be the least-privilege choice. With LDAP_TLS set to 0, that bind password and the users' userPassword hashes cross the network unencrypted.

    LDAP_URI		ldap://server.domain.org
    LDAP_BASEDN		dc=domain,dc=org
    LDAP_BINDDN		cn=config
    LDAP_BINDPW		y6vy99ap7
    LDAP_MAIL               mail
    LDAP_DOMAIN		domain.org
    LDAP_MAILDIR		maildir
    LDAP_DEFAULTDELIVERY	defaultDelivery
    LDAP_FULLNAME	        cn
    #LDAP_CLEARPW		clearPassword
    LDAP_CRYPTPW            userPassword
    LDAP_UID		uidNumber
    LDAP_GID		gidNumber
    LDAP_DEREF		never
    LDAP_TLS		0
    

  2. Courier IMAP
    Edit /etc/courier-imap/pop3d

    POP3DSTART=YES
    


    Edit /etc/courier-imap/imapd

    IMAPDSTART=YES
    


    Edit /etc/courier-imap/imapd-ssl

    IMAPDSSLSTART=YES
    


    Edit /etc/courier-imap/pop3d-ssl

    POP3DSSLSTART=YES
    

  3. Postfix
    • Postfix TLS
      Create the CA private key /etc/pki/CA/private/cakey.pem and the CA certificate /etc/pki/CA/cacert.pem.


      cd /etc/pki/tls/misc
      ./CA -newca


      Create a private key without a passphrase (Postfix has to load it unattended) for backup.domain.org, together with a certificate signing request. Put the host name backup.domain.org in the Common Name: the certificate shown in the s_client test further down has CN=Server Mail Backup, which no verifying client can match against the host it connected to.


      openssl req -new -nodes -keyout dr-key.pem -out dr-req.pem


      Sign the request for backup.domain.org with the CA (Certification Authority) private key. The validity period belongs on the signing command, not on the request.


      openssl ca -days 3650 -out dr-cert.pem -infiles dr-req.pem


      Copy the CA certificate, the server certificate and the key to /etc/postfix, and make the key readable by root only.


      cp /etc/pki/CA/cacert.pem dr-key.pem dr-cert.pem /etc/postfix
      chmod 644 /etc/postfix/dr-cert.pem /etc/postfix/cacert.pem
      chmod 400 /etc/postfix/dr-key.pem


      Add TLS support to /etc/postfix/main.cf.

      smtp_tls_CAfile = /etc/postfix/cacert.pem
      smtp_tls_session_cache_database =  btree:/var/lib/postfix/smtp_tls_session_cache
      smtp_tls_security_level = may
      smtpd_tls_CAfile = /etc/postfix/cacert.pem
      smtpd_tls_cert_file = /etc/postfix/dr-cert.pem
      smtpd_tls_key_file = /etc/postfix/dr-key.pem
      smtpd_tls_received_header = yes
      smtpd_tls_session_cache_database =   btree:/var/lib/postfix/smtpd_tls_session_cache
      tls_random_source = dev:/dev/urandom
      smtpd_tls_security_level = may
      

    • Postfix SMTP AUTH
      Create /usr/lib64/sasl2/smtpd.conf.

      pwcheck_method: authdaemond
      log_level: 3
      mech_list: plain login
      authdaemond_path:/usr/local/var/spool/authdaemon/socket
      


      Edit /etc/postfix/main.cf. The "..." stands for the rest of the restriction list; it must contain reject_unauth_destination before the closing permit, because a list that really ends in permit_sasl_authenticated, permit turns the backup server into an open relay. Since AUTH is also advertised on the unencrypted port 25 session (see the test further down), set smtpd_tls_auth_only = yes so that clients have to STARTTLS before they send PLAIN or LOGIN credentials.

      broken_sasl_auth_clients = yes
      smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, ..., permit
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_local_domain =
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_exceptions_networks = $mynetworks
      smtpd_sasl_application_name = smtpd
      smtpd_sasl_authenticated_header = yes
      
  4. SquirrelMail Webmail
    SquirrelMail configuration as produced by running /usr/share/squirrelmail/config/conf.pl

    SquirrelMail Configuration : Read: config.php (1.4.0)
    ---------------------------------------------------------
    
    Organization Preferences
    1.  Organization Name      : Domain Org
    2.  Organization Logo      : ../images/sm_logo.png
    3.  Org. Logo Width/Height : (308/111)
    4.  Organization Title     : Domain Org
    5.  Signout Page           : 
    6.  Top Frame              : _top
    7.  Provider link          : http://www.domain.org
    8.  Provider name          : Domain Org
    
    Server Settings
    
    General
    -------
    1.  Domain                 : domain.org
    2.  Invert Time            : false
    3.  Sendmail or SMTP       : Sendmail
    
    IMAP Settings
    --------------
    4.  IMAP Server            : localhost
    5.  IMAP Port              : 143
    6.  Authentication type    : login
    7.  Secure IMAP (TLS)      : false
    8.  Server software        : courier
    9.  Delimiter              : .
    
    Folder Defaults
    1.  Default Folder Prefix         : INBOX.
    2.  Show Folder Prefix Option     : false
    3.  Trash Folder                  : Trash
    4.  Sent Folder                   : Sent
    5.  Drafts Folder                 : Drafts
    6.  By default, move to trash     : true
    7.  By default, move to sent      : true
    8.  By default, save as draft     : true
    9.  List Special Folders First    : true
    10. Show Special Folders Color    : true
    11. Auto Expunge                  : true
    12. Default Sub. of INBOX         : false
    13. Show 'Contain Sub.' Option    : false
    14. Default Unseen Notify         : 2
    15. Default Unseen Type           : 1
    16. Auto Create Special Folders   : true
    17. Folder Delete Bypasses Trash  : true
    18. Enable /NoSelect folder fix   : false
    
    General Options
    1.  Data Directory               : /var/lib/squirrelmail/prefs/
    2.  Attachment Directory         : /var/spool/squirrelmail/attach/
    3.  Directory Hash Level         : 0
    4.  Default Left Size            : 150
    5.  Usernames in Lowercase       : true
    6.  Allow use of priority        : true
    7.  Hide SM attributions         : true
    8.  Allow use of receipts        : true
    9.  Allow editing of identity    : true
        Allow editing of name        : true
        Remove username from header  : false
    10. Allow server thread sort     : true
    11. Allow server-side sorting    : true
    12. Allow server charset search  : true
    13. Enable UID support           : true
    14. PHP session name             : SQMSESSID
    15. Location base                : 
    16. Only secure cookies if poss. : true
    17. Disable secure forms         : false
    18. Page referal requirement     : 
    

  5. LDAP

    Edit /etc/hosts.

    10.1.1.1   server.domain.org
    


    Edit /etc/ldap.conf. On most distributions this file is world-readable, so the cn=config password placed here can be read by every local account; nss_ldap can keep a privileged bind password in the root-only file /etc/ldap.secret (used together with rootbinddn), and a read-only bind DN is preferable in any case.

    binddn cn=config
    bindpw y6vy99ap7
    uri ldap://server.domain.org/
    base dc=domain,dc=org
    ssl no
    tls_cacertdir /etc/openldap/cacerts
    pam_password md5
    bind_policy soft
    timelimit 120
    bind_timelimit 120
    


    Edit /etc/nsswitch.conf.

    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
    netgroup:   files ldap
    automount:  files ldap
    


    Edit /etc/pam.d/system-auth (on this system a link to system-auth-ac). With these lines every LDAP account can authenticate to the operating system, not only to mail; if sshd runs on the backup server, restrict who may log in there (for example with AllowGroups) so that mail users do not also get a shell.

    auth        sufficient    pam_ldap.so use_first_pass
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    password    sufficient    pam_ldap.so use_authtok
    session     optional      pam_ldap.so
    session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
    


Start All Services

  • Authdaemond

    /etc/init.d/authdaemond start

  • Courier-IMAP

    /etc/init.d/courier-imap start

  • Postfix

    /etc/init.d/postfix start


Test Services

  • LDAP authentication through the Courier Authentication Library
    $ authtest yudi1 passw0rd
    Authentication succeeded.
         Authenticated: yudi1  (uid 11001, gid 12002)
        Home Directory: /home/mail/yudi1
               Maildir: (none)
                 Quota: (none)
    Encrypted Password: {SSHA}PY/QEy6HJAauFhMqANpSSK5nTPBs8Fgz
    Cleartext Password: passw0rd
               Options: (none)
    

  • SMTP AUTH
    The token after "auth plain" is the SASL PLAIN triple authzid, authcid and password joined by NUL bytes (the two "AA" groups in the base64 below), so the NULs have to be in the string that is encoded:
    $ perl -MMIME::Base64 -e 'print encode_base64("yudi1\0yudi1\0passw0rd");'
    eXVkaTEAeXVkaTEAcGFzc3cwcmQ=
    $ telnet backup.domain.org 25
    Trying 10.10.10.2...
    Connected to backup.domain.org.
    Escape character is '^]'.
    220 backup.domain.org ESMTP Postfix
    ehlo yahoo.com
    250-backup.domain.org
    250-PIPELINING
    250-SIZE 25485760
    250-ETRN
    250-STARTTLS
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    auth plain eXVkaTEAeXVkaTEAcGFzc3cwcmQ=
    235 2.7.0 Authentication successful
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
    

  • SMTP AUTH + TLS (STARTTLS on port 25)
    The "unable to get local issuer certificate" lines below only mean that s_client was not told about the local CA; add -CAfile /etc/postfix/cacert.pem to have it check the chain. Note also that the certificate's CN is "Server Mail Backup" rather than the host name, so a verifying client could not match it against backup.domain.org.
    $ perl -MMIME::Base64 -e 'print encode_base64("yudi1\0yudi1\0passw0rd");'
    eXVkaTEAeXVkaTEAcGFzc3cwcmQ=
    $ openssl s_client -connect backup.domain.org:25 -starttls smtp
    CONNECTED(00000003)
    depth=0 /C=ID/ST=DKI/O=Domain ORG/OU=IT/CN=Server Mail Backup/emailAddress=admin@domain.org
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=ID/ST=DKI/O=Domain ORG/OU=IT/CN=Server Mail Backup/emailAddress=admin@domain.org
    verify error:num=21:unable to verify the first certificate
    verify return:1
    Certificate chain
     0 s:/C=ID/ST=DKI/O=Domain ORG/OU=IT/CN=Server Mail Backup/emailAddress=admin@domain.org
       i:/C=ID/ST=DKI/O=Domain ORG/OU=IT/CN=Server Mail Backup/emailAddress=admin@domain.org
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID:1D58BEF93FF784B763C71E4F7A17264FABBDBFE95FBC55AEB8EFA99AC81A590F
    <<....deleted...>>
    ehlo yahoo.com
    250-backup.domain.org
    250-PIPELINING
    250-SIZE 25485760
    250-ETRN
    250-STARTTLS
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    auth plain eXVkaTEAeXVkaTEAcGFzc3cwcmQ=
    235 2.7.0 Authentication successful
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
    

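The following shell functions are an added example and not part of the original post. They build the SASL PLAIN token used in the two transcripts above from its three NUL-separated fields, decode a captured token back into those fields (which is all an eavesdropper on port 25 has to do when AUTH happens before STARTTLS), and check an EHLO reply for AUTH being advertised on a connection that is not yet encrypted, which is what smtpd_tls_auth_only = yes suppresses. The first EHLO reply is copied from the transcript above; the second is an assumed reply for the same server with that setting, not a capture. Nothing here connects to a server.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds and decodes RFC 4616
# SASL PLAIN tokens and inspects an EHLO reply. Needs only printf, base64, tr, grep.

# sasl_plain_token AUTHZID AUTHCID PASSWORD : the base64 string sent after
# "AUTH PLAIN". The three fields are joined by NUL bytes, which is what the
# two "AA" groups in the transcript's token are.
sasl_plain_token() {
    printf '%s\0%s\0%s' "$1" "$2" "$3" | base64 | tr -d '\n'
}

# sasl_plain_decode TOKEN : recover the three fields from a captured token.
# This is all a passive listener on port 25 has to do when AUTH PLAIN is used
# before STARTTLS, which is why smtpd_tls_auth_only = yes matters.
sasl_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\0' '\n' | {
        IFS= read -r authzid
        IFS= read -r authcid
        IFS= read -r password || :   # last field has no trailing newline
        printf 'authzid=%s authcid=%s password=%s\n' "$authzid" "$authcid" "$password"
    }
}

# auth_before_starttls EHLO_REPLY : exit 0 when the reply, taken from a session
# that has not yet issued STARTTLS, advertises AUTH, i.e. when the server lets
# clients send credentials over the unencrypted connection.
auth_before_starttls() {
    printf '%s\n' "$1" | grep -qi '^250[ -]AUTH[ =]'
}

# Constructed sample: the EHLO reply from the plain-text transcript above.
EHLO_PLAINTEXT='250-backup.domain.org
250-PIPELINING
250-SIZE 25485760
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

# Constructed sample (assumed, not captured): the pre-STARTTLS reply of the
# same server with smtpd_tls_auth_only = yes, where AUTH is only offered once
# the session is encrypted.
EHLO_TLS_AUTH_ONLY='250-backup.domain.org
250-PIPELINING
250-SIZE 25485760
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'
```

The token is identical whether or not the session is encrypted; sasl_plain_decode shows that the base64 hides nothing, so it is the TLS layer, not the encoding, that protects the password. auth_before_starttls fails on the second reply, which is the state to aim for on a server reachable from outside the backup network.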

Create the Mail Directory for an LDAP Account

Here the mail folder for the LDAP account yudi1 is created.


mkdir -p /home/mail/yudi1


Then create the maildir and the procmail log file. Create the Sent subfolder as well (maildirmake -f Sent /home/mail/yudi1/Maildir), so that the first sender_bcc copy has somewhere to go even if nobody has logged in to webmail yet.


maildirmake /home/mail/yudi1/Maildir
touch /home/mail/yudi1/.procmail.log


Create the rule file /home/mail/yudi1/.procmailrc. The only thing that separates the two kinds of copy is the envelope sender: Postfix writes it into the Return-Path header on local delivery, and a sender_bcc copy carries the user's own address there. Keep in mind that the envelope sender is chosen by whoever submits the message, so a forged MAIL FROM is enough to drop a message into Sent.

# Set on when debugging
VERBOSE=off

PATH=/bin:/usr/bin

# The log of procmail actions
LOGFILE=$HOME/.procmail.log
# account name: the last component of /home/mail/<user>
USER=`echo $HOME|cut -f4 -d'/'`

# sender_bcc copies: delivered with the original envelope sender, so the
# Return-Path names this user. Maildir delivery needs no lockfile, hence ":0"
# rather than ":0:"; the leading "$" makes procmail expand ${USER}.
:0
* $^Return-Path: <${USER}@domain\.org>$
Maildir/.Sent/

# default: everything else (recipient_bcc copies) goes to INBOX
:0
Maildir/


Then change the ownership of /home/mail/yudi1 and set the permissions on /home/mail/yudi1/.procmailrc (procmail treats a rule file that other users can write to as unsafe).


chmod 600 /home/mail/yudi1/.procmailrc
chown -R yudi1. /home/mail/yudi1


Edit the Postfix Configuration

In this example, email from and to yudi1@domain.org is backed up.

  1. On the Mail Server, edit these Postfix configuration files.

    /opt/zimbra/postfix/conf/sender_bcc

    yudi1@domain.org    yudi1@backup.domain.org
    


    /opt/zimbra/postfix/conf/recipient_bcc

    yudi1@domain.org    yudi1@backup.domain.org
    


    /opt/zimbra/postfix/conf/transport

    backup.domain.org  smtp:[10.10.10.2]
    


    Run postmap.


    /opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/sender_bcc
    /opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/recipient_bcc
    /opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/transport


    Then edit /opt/zimbra/postfix/conf/main.cf. Zimbra regenerates this file from its own configuration, so check that the two lines are still there after the next zmcontrol restart. Postfix adds the BCC recipients only once, when a message first enters the system; mail that is later forwarded internally (through an alias or .forward, for example) does not produce a second copy.

    sender_bcc_maps = hash:/opt/zimbra/postfix/conf/sender_bcc
    recipient_bcc_maps = hash:/opt/zimbra/postfix/conf/recipient_bcc
    


    As the zimbra user, add the transport map to Postfix with zmlocalconfig, then reload Postfix. The copies travel to 10.10.10.2 with whatever TLS policy Zimbra's SMTP client applies to that destination; unless that policy is encrypt or stronger, every user's backed-up mail crosses the network between the two servers in the clear.


    su - zimbra
    zmlocalconfig -e postfix_transport_maps=proxy:ldap:/opt/zimbra/conf/ldap-transport.cf,hash:/opt/zimbra/postfix/conf/transport
    postfix reload

  2. On the Mail Server Backup, edit the Postfix configuration.

    /etc/postfix/main.cf

    myhostname = backup.domain.org
    mydomain = domain.org
    myorigin = domain.org
    inet_interfaces = all
    mydestination = $myhostname, localhost.localdomain, localhost, backup
    mailbox_command = /usr/bin/procmail
    


    The bcc addresses are all @backup.domain.org, that is $myhostname. Do not list $mydomain in mydestination: domain.org belongs to the Zimbra server, and a backup host that claims it would deliver any domain.org mail it happened to receive into the local maildirs instead of passing it on. Only the Mail Server should be able to feed the backup; restrict smtpd to it (mynetworks limited to 10.1.1.1 and localhost, with a restriction list that rejects other clients) or firewall port 25, otherwise anyone who can reach the port can plant a message in a user's INBOX or, with a forged envelope sender, in Sent.

    Reload postfix


    /etc/init.d/postfix reload


Testing Sending and Receiving Email

For this test, user yudi1@domain.org sends an email to yuda@domain.org to exercise the sender_bcc rule. Then user yuda@domain.org sends a reply to yudi1@domain.org to exercise the recipient_bcc rule.

  1. Test sender_bcc

    Send a test email from yudi1@domain.org to yuda@domain.org.
    [Figure: user yudi1 sends the email]

    Log in to webmail on the Mail Server Backup as yudi1 and open the Sent folder to see the copy produced by the sender_bcc rule.
    [Figure: the email the user sent appears in the Sent folder]

  2. Test recipient_bcc

    Send a test email from yuda@domain.org to yudi1@domain.org.
    [Figure: Test recipient_bcc]

    Log in to webmail on the Mail Server Backup as yudi1 and open INBOX to see the copy produced by the recipient_bcc rule.
    [Figure: Test recipient_bcc]
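The two tests above cover one copy each. The following shell functions are an added example, not part of the original post, that simulate offline what the sender_bcc/recipient_bcc tables and the .procmailrc above do with a given envelope, so that the cases the tests do not cover can be checked without sending mail: a message yudi1 sends to herself matches both tables and yields two copies, both filed in Sent and none in INBOX, and a forged MAIL FROM is filed in Sent exactly like a genuine one, because procmail sees only the envelope sender. The tables are constructed inline from the two maps above, lookups are exact-address only, and the folder rule is a reimplementation of the procmail condition, not procmail itself.

```shell
#!/bin/sh
# Added example, not code from the original post: simulate, offline, which
# automatic BCC copies the Mail Server's sender_bcc/recipient_bcc tables
# produce for an envelope, and which folder the backup user's .procmailrc
# files each copy into. Exact-address lookups only.

MAIL_DOMAIN=domain.org

# Constructed copies of the two Postfix bcc tables ("key value" per line),
# mirroring the maps shown above.
SENDER_BCC='yudi1@domain.org yudi1@backup.domain.org'
RECIPIENT_BCC='yudi1@domain.org yudi1@backup.domain.org'

# bcc_lookup TABLE KEY : print the bcc address for KEY, nothing if unmapped
bcc_lookup() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# bcc_copies SENDER RCPT... : one line "<bcc-address> <envelope-sender>" per
# automatic BCC copy Postfix adds when a message with this envelope enters.
# Every copy keeps the original envelope sender, which is what ends up in the
# Return-Path header when the backup server delivers it.
bcc_copies() {
    sender=$1; shift
    bcc=$(bcc_lookup "$SENDER_BCC" "$sender")
    [ -n "$bcc" ] && printf '%s %s\n' "$bcc" "$sender"
    for rcpt in "$@"; do
        bcc=$(bcc_lookup "$RECIPIENT_BCC" "$rcpt")
        [ -n "$bcc" ] && printf '%s %s\n' "$bcc" "$sender"
    done
    return 0
}

# folder_for USER RETURN_PATH : the folder the .procmailrc above selects for a
# copy delivered to USER whose Return-Path is RETURN_PATH
folder_for() {
    case "$2" in
        "$1@$MAIL_DOMAIN") echo "Maildir/.Sent/" ;;
        *)                 echo "Maildir/" ;;
    esac
}

# backup_folders SENDER RCPT... : for each copy, print "<bcc-address> <folder>".
# The local part of the bcc address is the backup account, as in the maps.
backup_folders() {
    bcc_copies "$@" | while read -r bcc rp; do
        user=${bcc%%@*}
        printf '%s %s\n' "$bcc" "$(folder_for "$user" "$rp")"
    done
}

# Worked cases (see the test assertions):
#   backup_folders yudi1@domain.org yuda@domain.org  -> one copy, Sent
#   backup_folders yuda@domain.org yudi1@domain.org  -> one copy, INBOX
#   backup_folders yudi1@domain.org yudi1@domain.org -> two copies, both Sent;
#       nothing reaches INBOX for a self-addressed message
#   a client outside Zimbra that forges MAIL FROM yudi1@domain.org produces
#   the same first line: the simulation, like procmail, cannot tell it apart
```

The self-send case is the one a reviewer of the backup is most likely to trip over: the message is in the archive twice, and a search of INBOX alone misses it. The forged-sender case is why the Mail Server should reject unauthenticated clients that use a local address as envelope sender (Postfix's reject_sender_login_mismatch family of restrictions) and why the backup server itself must only accept mail from the Mail Server.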

Written by awarmanf

December 7, 2014 at 1:27 pm

Posted in Linux, postfix, zimbra


One Response


  1. Thanks for sharing your thoughts about business. Regards

    aldened

    September 28, 2016 at 4:54 am

