  Virtual email domain


  With the power of personal computers these days, the tasks done by
  several servers are now easily done with a single one. With the suc-
  cess of the Internet and the email system, we are pushed to manage
  more and more email domains. Here is a way to manage several indepen-
  dent email domains on the same machine: a Linux premiere!

  11..  PPrriinncciipplleess

  "Virtual email domains" is a way to manage independent lists of users
  on the same server. Each virtual domain has its own password, spool
  directory, and user aliases file.  For each virtual email domain,
  _l_i_n_u_x_c_o_n_f will setup


  +o  /etc/vmail/passwd.virtual_domain

  +o  /etc/vmail/shadow.virtual_domain

  +o  /etc/vmail/aliases.virtual_domain

  +o  /var/spool/vmail/virtual_domain/

  +o  /vhome/virtual_domain/

  where virtual_domain is one domain, such as foo.com.


  22..  VViirrttuuaall ddoommaaiinn ddeeffiinniittiioonn ddiiaalloogg

  To create a new virtual email domain, you must complete a single
  dialog. There are other tasks to do that are related to the DNS and IP
  aliases. They are described in other sections of this help tool.  We
  will describe here the main dialog.


  22..11..  AA nnaammee

  You must enter a domain name. This is all that is required.


  22..22..  BBaassiicc iinnffoorrmmaattiioonn

  You enter the most common options here.


  22..22..11..  FFaallll bbaacckk ddeessttiinnaattiioonn

  Normally, when an email message is sent to an account on a virtual
  email domain, the following processing is done:


  +o  Check for an alias of that name. If there is one, send the message
     to each member of the alias list. (Aliases may point to other
     aliases.)

  +o  If no alias is found, then the user list of the virtual domain is
     checked. The email is appended to the folder of the corresponding
     user if a match is found.

  +o  If no alias or username matches the intended recipient, the message
     is rejected and the sender will receive an error message.


  However, if the fallback field is defined, the email will be sent to
  the fallback address instead. This is also known as a "catch-all"
  address since it will catch any messages that don't have an alias or
  username match. The fallback address may be:


     EEmmppttyy
        This is the default case. The message is rejected and the sender
        will receive a 'bounced' message.


     aannootthheerr__uusseerr@@aannootthheerr__ddoommaaiinn
        The message is redirected to a specific user of another domain.


     @@aannootthheerr__ddoommaaiinn
        The message is redirected to the same target account in another
        domain.  For example, email sent to unknown@this_domain will be
        forward to unknown@another_domain.


     aaccccoouunntt
        The message is sent to another account of the same domain. This
        account may be an alias.


     || ssoommee ccoommmmaannddss aanndd aarrgguummeennttss
        The message is sent to the command. Token replacement is
        performed on the command. See below.


  22..22..22..  AAllllooccaattee UUIIDD ffrroomm

  Normally, user IDs for virtual email accounts start at 60,000 for all
  domains. You can control the start of the allocation range if you
  wish. This is mainly used for people wanting to play with disk quotas.
  Note that the vdeliver program can limit the size of the user inbox as
  well.


  22..22..33..  LLiimmiitt uusseerr iinnbbooxx ttoo ((kk))

  Enter the limit, in kilobytes, for the user's inbox. This is the
  default for the entire domain. You can override it user by user if
  needed.

  The default is no limit.


  22..33..  FFeeaattuurreess


  22..33..11..  MMaaxxiimmuumm nnuummbbeerr ooff uusseerrss

  You can limit the number of accounts in a domain. Co-administrators
  won't be allowed to create more than this number. By default, there is
  no limit.


  22..33..22..  MMaattcchh uusseerr ffuullll nnaammee

  When enabled, the delivery agent will try to match the user's full
  name.  It replaces the spaces in the full name by dots and tries to
  match against this. So, user joe, with full name "joe who" may receive
  email as joe@domain.com or joe.who@domain.com.
  22..33..33..  FFiilltteerr pprrooggrraamm ++ aarrggss ((oopptt))

  You can specify an optional program which will filter the messages
  when they are appended to the user inbox folder. The filtering may be
  used to check for some bad content (perhaps a virus?).

  The filtering program receives the message on its standard input and
  writes the modified message (or nothing) on its standard output.

  You can specify some arguments as well. Specify the full path of the
  filter.


  22..33..44..  IInnccoommiinngg mmaaiill aarree rreejjeecctteedd

  You can turn off incoming mail for the whole domain. Mail will be
  rejected and an error message will be returned to the sender.


  22..33..55..  UUsseerrss ccaann''tt rreettrriieevvee tthheeiirr mmeessssaaggeess

  This locks the POP-3 and IMAP services for this domain.


  22..44..  AAddmmiinniissttrraattoorr

  You can grant administrator privilege to any normal user (Linux users)
  of the server. Often, we do not want to create Linux accounts on the
  server at all.

  This section allows you to define a password allowing a pseudo-user
  called admin@the-domain to administer user accounts and aliases in
  this virtual email domain. This only works in WEB mode ( You need a
  linux account to use the other user interfaces anyway).

  So for a virtual email domain foo.com, the pseudo-account is
  admin@foo.com.


  22..44..11..  EEnnaabbllee ccoo--aaddmmiinniissttrraattiioonn

  You can turn on an off co-administration privilege. This only affects
  the pseudo-user. Other linuxconf privileges are not affected (The ones
  granted to linux users).


  22..44..22..  CCoo--aaddmmiinniissttrraattoorr ppaasssswwoorrdd

  You enter the password twice. If you leave the fields empty, the
  current password is preserved.


  22..55..  EExxttrraa aalliiaasseess ffiilleess

  Each virtual domain implicitly has an aliases file named
  /etc/vmail/aliases.domain where domain is the domain name. You can
  define two more, if needed. They will be used by the vdeliver program.
  The implicit one has the highest priority.  vdeliver looks in the
  first and then in the second until a match is found.

  Note that, like the normal aliases (/etc/aliases) processed by
  sendmail, alias definitions may point to another alias and so on.
  Mailing lists may be defined, etc...

  Alias files are maintained by the same dialog as normal sendmail
  aliases, and as such, offer the same capabilities.
  22..66..  AAlliiaasseess ffoorr tthhiiss ddoommaaiinn

  It is possible to provide several domain names pointing to the same
  user pool. You can add as many as needed. For example, one may define
  the virtual domain foo.net and later register foo.com. By using a
  domain alias, both domains will be equivalent.


  33..  AA nnoottee bbeeffoorree ssttaarrttiinngg

  Virtual email domains are a supplement to the normal email
  capabilities of your mail server. Normal email domains are still
  managed properly and the email is stored in /var/spool/mail.

  So if your machine is currently accepting email for domain foo.com and
  you wish to receive, separately, email for foo1.com and foo2.com, you
  just have to define those two domains as virtual email domains. The
  configuration for foo.com is unaffected.


  44..  HHooww ttoo sseettuupp vviirrttuuaall eemmaaiill ddoommaaiinnss

  Here is a step-by-step explanation.


  44..11..  HHooww ttoo aaddaapptt PPOOPP cclliieennttss

  There is nothing special to do on the POP user side, which is a good
  thing(tm): We want to merge several email servers into one box, we
  don't want to tell everyone about it :-)


  44..22..  HHooww ttoo iinnssttaallll tthhee sseerrvveerr

  The trick to reading the mail is exactly the same as with virtual WWW:
  you need IP addresses. Here is most of the setup.  Suppose we want to
  create three virtual email domains: va.foo.com, vb.foo.com,
  vc.foo.com. Think about it in the same way as you would do for
  installing three independent servers, each serving one single email
  domain. This is what we will describe here and at the end, we will
  show how these three servers can be merged into a single machine.


  44..22..11..  OOnn tthhee DDNNSS

  From a DNS standpoint, we have one email server per domain.  So the MX
  of each domain is


  +o  va.foo.com -> mailhost.va.foo.com

  +o  vb.foo.com -> mailhost.vb.foo.com

  +o  vc.foo.com -> mailhost.vc.foo.com

  With the DNS, this is what we are telling the world. This is also what
  we are telling to email users. Mostly va.foo.com users, get your mail
  at mailhost.va.foo.com, vb.foo.com users, get your mail at
  mailhost.vb.foo.com and so on.

  So far, with such a setup, we could very well have one server (the
  real one) per email domain (The current status quo before the virtual
  email domain is set up).


  44..22..22..  IInnssttaalllliinngg tthhee sseerrvveerrss


  To continue the setup (be it real or virtual), we edit the DNS and
  allocate an IP number for each server (this is the key). Here I am
  using private IP numbers as an example. One will see that I have
  allocated IP numbers from the same network.


  +o  mailhost.va.foo.com -> 172.16.0.1

  +o  mailhost.vb.foo.com -> 172.16.0.2

  +o  mailhost.vc.foo.com -> 172.16.0.3

  Then we could install three Linux servers with these IPs and tell
  _s_e_n_d_m_a_i_l on each server to accept one of the three domains.


  44..22..33..  GGeettttiinngg vviirrttuuaall


  Instead of installing three Linux servers, we install a single one.
  For each virtual email domain, we must


  +o  Define it using _l_i_n_u_x_c_o_n_f, which involves only naming the domain.

  +o  Define an IP alias (again with _l_i_n_u_x_c_o_n_f) so the machine will
     answer queries for this IP number, too. This is done in
     em/linuxconf/ in the menu


               "networking/IP aliases for virtual hosts"


  +o  Install /usr/lib/linuxconf/lib/vpop3d as a replacement for
     /usr/sbin/in.pop3d in /etc/inetd.conf. vpop3d is a drop-in
     replacement for the standard pop3d even if you don't use virtual
     domains.

  The IP alias is the key. The POP protocol has no way to identify the
  target of a request, except with the IP destination number. This is
  why POP clients must use a different name (a different IP in fact) to
  read the messages from different email domains. From their point of
  view, this is expected anyway.

  If you must share an IP address for multiple email domains, the user
  would still set up their POP client to connect to mailhost.va.foo.com
  but their username login would no longer be "joe" but
  "joe@mailhost.va.foo.com". This workaround is a little confusing to
  some users, but will avoid requiring a separate IP address for every
  email domain.


  44..22..33..11..  HHooww ttoo iinnssttaallll vvppoopp33dd

  Is vpop3d a replacement for the standard POP daemon you are using on
  your distribution? Maybe not. Various distributions ship with
  different pop3d's, supporting NIS, PAM and other authentication
  features. The best way to support all these easily is to let the
  native pop3d daemon handle the _m_a_i_n email domain; vpop3d only manages
  the virtual ones.

  To get this result, simply pass, as an argument to vpop3d, the path of
  the native pop3 daemon. Vpop3d will give itself control when a POP
  request is made to the main domain. Here is an example of how to set
  /etc/inetd.conf:


               pop-3  stream  tcp  nowait  root   /usr/sbin/tcpd
                       /usr/lib/linuxconf/lib/vpop3d /usr/sbin/ipop3d


  So, to install it, do not replace the pop3d command, but simply insert
  /usr/lib/linuxconf/lib/vpop3d. The exact line varies a little from
  distribution to distribution.


  44..22..33..22..  HHooww ttoo iinnssttaallll vvppoopp33dd oonn xxiinneettdd ssyysstteemmss ((RReeddHHaatt 77))

  After installing the package imap, edit the file /etc/xinetd.d/ipop3
  and modify the line server and disable, and insert the line
  server_args.  The file will look like this:


               service pop3
               {
                       socket_type             = stream
                       wait                    = no
                       user                    = root
                       server                  = /usr/lib/linuxconf/lib/vpop3d
                       server_args             = /usr/sbin/ipop3d
                       log_on_success          += USERID
                       log_on_failure          += USERID
                       disable                 = no
               }


  55..  HHooww ttoo ddeebbuugg aa ccoonnffiigguurraattiioonn

  Most errors occur when virtual domain settings are related to the DNS.
  Here are some tests you can do to verify that your setup correct.

  One piece of advice: using a POP client (email program) is not that
  helpful to test this kind of setup. Those program are not informative
  for such a task. They either work or they don't.


  55..11..  CChheecckkiinngg tthhee DDNNSS

  For each virtual domain, you must perform some DNS work. We will use
  the va.foo.com domain as an example. Here are the steps:


  55..11..11..  TThhee MMXX

  The command


               nslookup -q=mx va.foo.com


  should print something useful. At least the name of the email server
  should be obtained with its IP address. This is either
  mailhost.va.foo.com, or the official name of the server. The name
  obtained need not be in the va.foo.com domain. However, it must point
  to the proper physical server.


  55..11..22..  TThhee vviirrttuuaall mmaaiill sseerrvveerr

  The mailhost.va.foo.com must be defined in the DNS.  Here I am using
  mailhost. It could be pop.va.foo.com, or whatever.  The following
  command


               nslookup mailhost.va.foo.com


  should produce an IP number. Furthermore, the following command


               nslookup the_IP_number_you_got


  should print mailhost.va.foo.com. If you do not get this, then the
  virtual POP server won't work. Really! End of the game! You need to
  have proper reverse lookup on this IP number. Linuxconf does it
  magically if the special reverse lookup domain is defined on the same
  DNS as the virtual domain.

  So, if both queries (with nslookup) are successful, you have done the
  hardest part.


  55..11..33..  IIss tthheerree aa sseerrvveerr lliisstteenniinngg??

  Then you do the following command


               telnet mailhost.va.foo.com


  This should connect to the physical server. This proves that the IP
  alias is properly installed.


  55..11..44..  IIss tthheerree aa vviirrttuuaall PPOOPP sseerrvveerr lliisstteenniinngg??

  Execute the following command to see if vpop3d is properly installed.
  If this command is producing the proper greeting, not much can go
  wrong.


               telnet mailhost.va.foo.com pop-3


  You should get


               +OK Virtual va.foo.com POP3 Server (Version 1.004) ready.


  The "va.foo.com" is the key here. If you are not getting this, then
  the virtual domain is simply not defined, or vpop3d is not installed
  in /etc/inetd.conf or /etc/xinetd.d/ipop3.


  55..11..55..  AA ttooooll ttoo ddoo aa qquuiicckk cchheecckk

  The script

       /usr/lib/linuxconf/lib/checkvdomain


  may be used to do a quick check of the vpop3d installation for a vir-
  tual domain. Run it without arguments to learn more.

  The script

       /usr/lib/linuxconf/lib/testalldomain


  reads the file

       /etc/named.boot

  and extracts all domains defined in it. It then runs the script check-
  vdomain (assuming that there is a virtual host mail for each vdomain)
  on each domain. It reports if the domain is properly configured or
  not. This is useful for admins managing tons of vdomains.


  66..  OOnnccee ooppeerraattiioonnaall


  66..11..  HHooww ttoo aadddd PPOOPP uusseerrss

  Once a virtual email domain is working, you still have to add POP
  users to it. There is a menu entry in the User accounts menu called
  Virtual POP accounts (mail only) . It allows you to pick a virtual
  domain and add new accounts or edit accounts.


  66..22..  CCoo--aaddmmiinniissttrraattoorrss

  For each virtual email domain, a new privilege is added to linuxconf.
  You can grant this privilege to any normal user. He will be allowed to
  manage the user list (POP users only) of the virtual domain. This is
  fully operational using the HTML interface also.

  There is also a global privilege allowing one user to administer all
  virtual email domain.


  66..33..  HHooww ccaann aa uusseerr cchhaannggee hhiiss ppaasssswwoorrdd

  One problem with POP only users (and also PPP users) is that they
  don't have access to any shell account from which they can easily
  change their password.

  Linuxconf provides a neat solution to this problem. This is only
  available with the HTML interface, and it fully supports virtual email
  domains. If you point your browser to the following URL:


       http://your_server:98/htmlmod:userpass:


  you will access a simple screen allowing anyone to change their own
  password. "your_server" may be any one of the virtual POP servers or
  the normal name of your server. Linuxconf will manage the proper
  password file based on the IP number used to reach it.

  It is a good idea to _h_i_d_e this URL in one of the information pages of
  your server (it is a little bit odd to type).


  66..33..11..  HHooww ccaann aa uusseerr cchhaannggee hhiiss ppaasssswwoorrdd ffoorr IIPPlleessss ccoonnffiigguurraattiioonnss

  The above URL relies on proper reverse mapping to identify the target
  domain. The following URL works without any particular IP.  The target
  domain is encoded in the URL.


       http://your_server:98/htmlmod:vpass-THE_DOMAIN


  77..  SSoommee pprroobblleemmss


  77..11..  AAllll oouuttggooiinngg eemmaaiillss ffrroomm vviirrttuuaall ddoommaaiinnss aarree mmaassqquueerraaddeedd

  This is caused by a bad DNS configuration. Generally, any mail leaving
  the server and originating from a virtual domain is rewritten so it
  looks like it came from the main domain of the server.

  This problem originates from a new sendmail behavior. At startup,
  sendmail scans all network interfaces (and IP aliases) and retrieves
  the name associated with their IP number. It assumes, from now on,
  that all those names are equivalent to the main domain of the server.
  Any email originating from one of those names will be masqueraded as
  coming from the main domain.

  The DNS problem is simply that you have set the reverse mapping for an
  IP number so it points to a domain name instead of a host of this
  domain. Linuxconf will not allow this mistake to occur, as it never
  does a reverse mapping pointing to a domain name. Doing a DNS by hand
  does not prevent that though.

  So make sure that all IP numbers associated with IP aliases point to a
  host of a domain, not to a domain itself. Restart your DNS and your
  sendmail and all will be fine.


  77..22..  II ddoo nnoott ccoonnttrrooll tthhee DDNNSS zzoonnee ffoorr rreevveerrssee mmaappppiinngg

  Another solution is to enter the proper definition in /etc/hosts.
  vpop3d  looks there first anyway. So if you have mail.some-domain.com
  pointing to the IP x.y.z.w, just enter this line in the /etc/hosts
  file of the server running vpop3d:


               x.y.z.w    mail.some-domain.com


  77..33..  IIss tthheerree aann IIMMAAPP sseerrvveerr ssuuppppoorrttiinngg vviirrttuuaall eemmaaiill ddoommaaiinnss

  Yes. Check out http://vimap.sourceforge.net. It is a POP-3 and IMAP
  server derived from the imap package found on RedHat.


  88..  FFeeaattuurreess


  88..11..  AAuuttoo--rreessppoonnddeerr

  It is possible to create auto responders for virtual domains accounts.
  You do not need to create any accounts (but you are allowed to).  The
  auto-responder mechanism works in parallel with normal account
  delivery.  Whenever a message is sent to an auto-responder address, a
  file is returned to the sender. For a vdomain foo.com, if you create a
  file /var/spool/vmail/files/foo.com/somename.auto, it will be sent
  whenever a messages is directed to somename@foo.com.

  The file must contain a complete email messages including the header.
  Ideally, the header must contain a Subject: and Reply-To: entry.

  If the account somename exists, the messages will be also delivered.
  If somename is an alias, it will be resolved and the auto-responder
  mechanism will be executed. Using this, multiple email address may
  point to the same auto-reponder file.

  Bulk messages are ignored.


  88..22..  VVaaccaattiioonn

  It is possible to setup a per-user vacation mechanism. The vacation
  mechanism relies on one text file and an index. The index records the
  address having already received the vacation text, avoiding to send
  over and over the same message to the same people.

  The vacation text is a complete email message, including the header.
  It must contains a Subject: tag.


  The index file acts also as a control. If the file does not exist the
  vacation service is off. So to turn it on, you have to create it
  empty. The vacation mechanism will maintain it.

  The vacation files may be located either in the user home directory or
  in the directory /var/spool/vmail/files/the-domain. The later is
  generally used by the system administrator when the users do not have
  any access to the system beside the imap and pop-3 services.

  In /var/spool/vmail/files/the-domain directory, the files are called
  user.vacation and user.vacation.db (user is the user account ID).

  In the user home directory, they are called .vacation and
  .vacation.db.


  88..22..11..  AAlllloowwiinngg uusseerrss ttoo cchhaannggee tthheeiirr vvaaccaattiioonn mmeessssaaggee

  A special web entry allows any vdomain email user to control the
  vacation mechanism. It can be seen in the "Special entries to
  Linuxconf" page. The URL is "http://your_server:98/htmlmod:vacation:"


  99..  TTookkeenn rreeppllaacceemmeenntt iinn ffaallllbbaacckk

  A message may be piped through a command specified in the fallback
  destination. The command may be setup using special tokens. They are
  replaced before executing the command.  Here they are:


     %%dd is replaced by the target domain name.


     %%ff is replaced by the sender's address.


     %%uu is replaced by the user name.


  1100..  CCoonncclluussiioonn

  After setting the proper IP aliases, a POP user can't tell if there
  are three servers or a single one. This could become a key aspect. If
  the load on the server grows, you may want to distribute a few virtual
  email domains to another server. For everyone (the users, the DNS),
  this will be completely transparent.