Install Packages Via yum Command Using DVD / CD as Repo – CentOS (RHEL Based)

CentOS Linux comes with CentOS-Media.repo which is used to mount the default locations for a CDROM / DVD on CentOS-5.*. You can use this repo and yum to install items directly off the DVD ISO that we release.
Open /etc/yum.repos.d/CentOS-Media.repo file, enter:

# vi /etc/yum.repos.d/CentOS-Media.repo
Make sure enabled is set to 1:
enabled=1

Save and close the file. To use the DVD repo alongside your other repos, insert the DVD and enter:

# yum --enablerepo=c5-media install package-name

To use only the DVD media repo, do this:

# yum --disablerepo=\* --enablerepo=c5-media install package-name

Or use the groupinstall command:

# yum --disablerepo=\* --enablerepo=c5-media groupinstall 'Virtualization'

Installing and configuring mod_security-Ubuntu 9.04

This how-to is reported to work in Ubuntu 8.04-10.10 as well.
What is mod_security, you ask?

Mod Security can significantly increase the security of your Apache installation.

What Is ModSecurity?

ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

It is also an open source project that aims to make the web application firewall technology available to everyone.

Do not think you need this? Follow along with the examples and decide for yourself (this tutorial assumes you already have Apache and php5 installed).

First, let us look at the default Apache behavior. I will use “ubuntuVPS” as the server of interest.

  • “Insecure” Example 1 – curl

Use curl to obtain information on the server (bodhi@home is a remote machine connecting to "ubuntuVPS". You can test all this with any browser if you wish; simply use your server's home page).

bodhi@home# curl -i ubuntuVPS
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:06:21 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
Last-Modified: Tue, 28 Apr 2009 21:39:54 GMT
ETag: "50d4a-2d-468a44dadbe80"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html

It works!

Looks like this in your browser (the famous It works! page)
It works!

See how with a single command we already know the server is Ubuntu running Apache 2.2.11 and PHP 5.2.6?

  • “Insecure” Example 2 – bad .php

For this I will ask you to create a file "/var/www/insecure.php".

Put the following code in the file:

<?php
// Deliberately insecure: includes whatever path the request supplies.
$secret_file = $_GET['secret_file'];
include($secret_file);
?>

Now what? Open a browser and enter http://ubuntuVPS/insecure.php?secret_file=/etc/passwd
I shall use curl in this example:

bodhi@home# curl -i "http://ubuntuVPS/insecure.php?secret_file=/etc/passwd"
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:24:11 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-3ubuntu4.1
Vary: Accept-Encoding
Content-Length: 860
Content-Type: text/html
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
postfix:x:104:107::/var/spool/postfix:/bin/false

YIKES!!!
Install and configure mod_security

There was a time when installing mod_security was a bit difficult; now it is as easy as:

sudo apt-get -y install libapache-mod-security

The “hard part” is that we need to configure mod_security and obtain a few rules.

Configure mod_security

Using any editor, make a file "/etc/apache2/conf.d/modsecurity2.conf" and put the following contents in the file.

Include conf.d/modsecurity/*.conf

By default, mod_security logs to /etc/apache2/logs. The following commands put the log in /var/log/apache2/mod_security and create a symbolic link back to /etc/apache2/logs:

sudo mkdir /var/log/apache2/mod_security
sudo ln -s /var/log/apache2/mod_security/ /etc/apache2/logs

Download and install rules

Download rules from here

As of this writing, the rule set was "modsecurity-core-rules_2.5-1.6.1.tar.gz"; you may need to adjust accordingly as new rules are released.

sudo mkdir /etc/apache2/conf.d/modsecurity
cd /etc/apache2/conf.d/modsecurity
sudo wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz

sudo tar xzvf modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo rm CHANGELOG LICENSE README modsecurity-core-rules_2.5-1.6.1.tar.gz

Enable mod_security:

sudo a2enmod mod-security

Now restart Apache

sudo /etc/init.d/apache2 restart

That’s it🙂

Testing mod_security

  • “Secure” Example 1 – curl

bodhi@home# curl -i http://ubuntuVPS
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:44:42 GMT
Server: Apache/2.2.0 (Fedora)
Last-Modified: Tue, 28 Apr 2009 21:39:54 GMT
ETag: "50d4a-2d-468a44dadbe80"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html

It works!

Look, no more server or PHP information (Fedora Apache 2.2.0, LOL!!!).

  • “Secure” Example 2 – bad .php

bodhi@home# curl -i "http://ubuntuVPS/insecure.php?secret_file=/etc/passwd"
HTTP/1.1 501 Method Not Implemented
Date: Tue, 28 Apr 2009 22:47:38 GMT
Server: Apache/2.2.0 (Fedora)
Allow: TRACE
Vary: Accept-Encoding
Content-Length: 291
Connection: close
Content-Type: text/html; charset=iso-8859-1

501 Method Not Implemented

Method Not Implemented

GET to /insecure.php not supported.


Apache/2.2.0 (Fedora) Server at ubuntuvps Port 80

Looks like this in your browser:

501 Method Not Implemented
Method Not Implemented

GET to /insecure.php not supported.Apache/2.2.0 (Fedora) Server at ubuntuvps Port 80

Ah, a 501 error looks much better than the contents of /etc/passwd 🙂
Where to go from here ?

1. Monitor your logs :

tail /var/log/apache2/mod_security/modsec_audit.log

2. Learn / edit your mod_security rules : ModSecurity Reference Manual

3. Delete insecure.php, LOL

sudo rm -rf /var/www/insecure.php
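Step 1 says to watch modsec_audit.log. As an added example (not from the original post or from the ModSecurity project), the Python below parses the serial audit-log format that ModSecurity 2.x writes, one entry per request delimited by "--<id>-<part>--" lines, and counts blocked requests per client and hits per rule id. The log text is constructed: the boundary and unique ids, client addresses, rule ids and rule file names are placeholders.

```python
"""Parse ModSecurity 2.x serial audit log entries and summarise blocked requests.
Added example, not part of the original tutorial or of ModSecurity; the log text
below is constructed (boundary/unique ids, addresses, rule ids and rule file names
are placeholders)."""
import re
from collections import Counter

_BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$", re.MULTILINE)  # "--<id>-<part>--"
_TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [id "..."] [msg "..."] on Message: lines
_HEADER = re.compile(r"\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)")  # A part: [ts] uid cip cport sip sport

SAMPLE_AUDIT_LOG = """\
--a7d5e4f0-A--
[28/Apr/2009:22:47:38 +0000] Sfdu0000000000000000 203.0.113.7 52344 192.0.2.10 80
--a7d5e4f0-B--
GET /insecure.php?secret_file=/etc/passwd HTTP/1.1
Host: ubuntuVPS

--a7d5e4f0-F--
HTTP/1.1 501 Method Not Implemented
Connection: close

--a7d5e4f0-H--
Message: Access denied with code 501 (phase 2). Pattern match "/etc/passwd" at ARGS:secret_file. [file "/etc/apache2/conf.d/modsecurity/example_rules.conf"] [line "1"] [id "000001"] [msg "Example: local file access attempt"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Server: Apache/2.2.0 (Fedora)

--a7d5e4f0-Z--

--b8e6f5a1-A--
[28/Apr/2009:22:49:02 +0000] Sfdu0000000000000001 198.51.100.23 41002 192.0.2.10 80
--b8e6f5a1-B--
GET /index.html HTTP/1.1
Host: ubuntuVPS

--b8e6f5a1-F--
HTTP/1.1 200 OK
Content-Length: 45

--b8e6f5a1-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsecurity/example_rules.conf"] [line "2"] [id "000002"] [msg "Example: request without Accept header"] [severity "NOTICE"]
Server: Apache/2.2.0 (Fedora)

--b8e6f5a1-Z--
"""


def split_entries(text):
    """Group the parts of each audit entry: one {part_letter: body} dict per entry."""
    entries, parts = [], {}
    pieces = _BOUNDARY.split(text)  # [prefix, id, letter, body, id, letter, body, ...]
    for i in range(1, len(pieces), 3):
        letter, body = pieces[i + 1], pieces[i + 2]
        parts[letter] = body.strip("\n")
        if letter == "Z":  # the Z part terminates an entry
            entries.append(parts)
            parts = {}
    return entries


def parse_entry(parts):
    """Flatten one entry's parts into a record; missing parts yield None/empty values."""
    header = _HEADER.match(parts.get("A", ""))
    timestamp, unique_id, client = header.group(1, 2, 3) if header else (None, None, None)
    request_line = parts.get("B", "").split("\n", 1)[0]
    status_line = parts.get("F", "").split("\n", 1)[0].split()
    status = int(status_line[1]) if len(status_line) > 1 and status_line[1].isdigit() else None
    messages, intercepted = [], False
    for line in parts.get("H", "").splitlines():
        if line.startswith("Message:"):  # one line per rule that matched
            tags = dict(_TAG.findall(line))
            messages.append({"id": tags.get("id"), "msg": tags.get("msg"),
                             "severity": tags.get("severity")})
        elif line.startswith("Action: Intercepted"):  # present only when the request was blocked
            intercepted = True
    return {"timestamp": timestamp, "unique_id": unique_id, "client": client,
            "request_line": request_line, "status": status,
            "intercepted": intercepted, "messages": messages}


def parse_audit_log(text):
    return [parse_entry(p) for p in split_entries(text)]


def summarise(entries):
    """Blocked requests per client address and rule hits per rule id."""
    blocked_by_client = Counter(e["client"] for e in entries if e["intercepted"])
    hits_by_rule = Counter(m["id"] for e in entries for m in e["messages"] if m["id"])
    return blocked_by_client, hits_by_rule
```

Point parse_audit_log at the contents of modsec_audit.log to get the same records for a real server; a Warning-only entry (no Action: line) is logged but was not blocked.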

I hope you enjoyed and learned from this tutorial🙂

Reference:
"This is just a copycat of the post from http://blog.bodhizazen.net/linux/how-to-mod_security-ubuntu-904/
All credit should go to the respective author. I tried the method in Ubuntu 10.10 and it works fine."

Note:
Some of the rules may deny access to your applications (e.g. phpMyAdmin, Drupal, etc.). Test the rules well before you implement them.

HowTo: 10 Steps to Configure tftpboot Server in UNIX / Linux (For installing Linux from Network using PXE)


In this article, let us discuss how to set up tftpboot, including installation of the necessary packages and the tftpboot configuration.
TFTP boot service is primarily used to perform OS installation on a remote machine to which you don't have physical access. For the OS installation to succeed there must be a way to reboot the remote server, either using wakeonlan, by someone rebooting it manually, or by some other means.
In those scenarios you can set up the tftpboot services accordingly and the OS installation can be done remotely (you need to have the autoyast configuration file to automate the OS installation steps).

The step-by-step procedure in this article is for SLES10-SP3 on the 64-bit architecture. However, the steps are much the same on other Linux distributions.

Required Packages

The following packages need to be installed for the tftpboot setup.
  • dhcp services packages: dhcp-3.0.7-7.5.20.x86_64.rpm and dhcp-server-3.0.7-7.5.20.x86_64.rpm
  • tftpboot package: tftp-0.48-1.6.x86_64.rpm
  • pxeboot package: syslinux-3.11-20.14.26.x86_64.rpm

Package Installation

Install the packages for the dhcp server services:
$ rpm -ivh dhcp-3.0.7-7.5.20.x86_64.rpm
Preparing... ########################################### [100%]
1:dhcp ########################################### [100%]

$ rpm -ivh dhcp-server-3.0.7-7.5.20.x86_64.rpm
Preparing... ########################################### [100%]
1:dhcp ########################################### [100%]

$ rpm -ivh tftp-0.48-1.6.x86_64.rpm

$ rpm -ivh syslinux-3.11-20.14.26.x86_64.rpm
After installing the syslinux package, the pxelinux.0 file will be created under the /usr/share/pxelinux/ directory. This is required to load the install kernel and initrd images on the client machine.
Verify that the packages are successfully installed.
$ rpm -qa | grep dhcp
$ rpm -qa | grep tftp
Download the appropriate tftpserver from the repository of your respective Linux distribution.

Steps to setup tftpboot

Step 1: Create /tftpboot directory

Create the tftpboot directory under root directory ( / ) as shown below.
# mkdir /tftpboot/

Step 2: Copy the pxelinux image

The PXE Linux image will be available once you have installed the syslinux package. Copy it to /tftpboot as shown below.
# cp /usr/share/syslinux/pxelinux.0 /tftpboot

Step 3: Create the mount point for ISO and mount the ISO image

Let us assume that we are going to install the SLES10 SP3 Linux distribution on a remote server. If you have the SLES10-SP3 DVD, insert it in the drive, or mount the ISO image you have. Here the ISO image has been mounted as follows:
# mkdir /tftpboot/sles10_sp3

# mount -o loop SLES-10-SP3-DVD-x86_64.iso /tftpboot/sles10_sp3
Refer to our earlier article on How to mount and view ISO files.

Step 4: Copy the vmlinuz and initrd images into /tftpboot

Copy the install kernel (linux) and the initrd to the tftpboot directory as shown below.
# cd /tftpboot/sles10_sp3/boot/x86_64/loader

# cp initrd linux /tftpboot/

Step 5: Create pxelinux.cfg Directory

Create the directory pxelinux.cfg under /tftpboot and define the pxe boot definitions for the client.
# mkdir /tftpboot/pxelinux.cfg

# cat >/tftpboot/pxelinux.cfg/default
default linux
label linux
kernel linux
append initrd=initrd showopts instmode=nfs install=nfs://192.168.1.101/tftpboot/sles10_sp3/
The options used above:
  • kernel – specifies where to find the Linux install kernel on the TFTP server.
  • install – specifies boot arguments to pass to the install kernel.
As per the entries above, the nfs install mode is used for serving install RPMs and configuration files, so set up NFS on this machine with the /tftpboot directory in the export list. You can add the "autoyast" option with the autoyast configuration file to automate the OS installation steps; otherwise you need to run through the installation steps manually.

Step 6: Change the owner and permission for /tftpboot directory

Assign nobody:nobody to /tftpboot directory.
# chown nobody:nobody /tftpboot

# chmod 777 /tftpboot

Step 7: Modify /etc/dhcpd.conf

Modify the /etc/dhcpd.conf as shown below.
# cat /etc/dhcpd.conf

ddns-update-style none;
default-lease-time 14400;
filename "pxelinux.0";

# IP address of the dhcp server nothing but this machine.
next-server 192.168.1.101;
subnet 192.168.1.0 netmask 255.255.255.0 {
# ip distribution range between 192.168.1.1 to 192.168.1.100
range 192.168.1.1 192.168.1.100;
default-lease-time 10;
max-lease-time 10;
}
Specify the interface in /etc/sysconfig/dhcpd on which to listen for DHCP requests coming from clients.
# cat /etc/sysconfig/dhcpd | grep DHCPD_INTERFACE
DHCPD_INTERFACE="eth1"
Here this machine has the IP address 192.168.1.101 on the eth1 device, so specify eth1 for DHCPD_INTERFACE as shown above.
On a related note, refer to our earlier article about 7 examples to configure network interface using ifconfig.

Step 8: Modify /etc/xinetd.d/tftp

Modify the /etc/xinetd.d/tftp file to reflect the following. By default the disable parameter is "yes"; make sure you change it to "no", and change the server_args entry to -s /tftpboot.
# cat /etc/xinetd.d/tftp
service tftp {
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /tftpboot
disable = no
}

Step 9: No changes in /etc/xinetd.conf

There is no need to modify the /etc/xinetd.conf file. Use the default values specified in xinetd.conf.

Step 10: Restart xinetd, dhcpd and nfs services

Restart these services as shown below.
# /etc/init.d/xinetd restart

# /etc/init.d/dhcpd restart

# /etc/init.d/nfsserver restart
After restarting the NFS service, you can view the exported directory list (/tftpboot) with the following command:
# showmount -e
Finally, the tftpboot setup is ready and the client machine can now be booted after changing the first boot device to "network" in the BIOS settings.
If you encounter any TFTP error, you can troubleshoot by retrieving some files through the tftpd service.
Retrieve a file from the TFTP server with the tftp client to make sure the service is working properly. Let us assume that a sample.txt file is present under the /tftpboot directory.
$ tftp -v 192.168.1.101 -c get sample.txt
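As an added example that is not part of the article, the following Python cross-checks the pieces set up in Steps 1 to 7: it parses dhcpd.conf for the filename statement, parses pxelinux.cfg/default for the kernel, initrd= and install= settings, and confirms that the referenced files and the mounted install tree exist under the TFTP root. It builds a throw-away copy of the article's /tftpboot layout in a temporary directory (constructed, empty placeholder files), so it never touches the real /tftpboot.

```python
"""Cross-check a PXE/tftpboot tree against pxelinux.cfg/default and dhcpd.conf.
Added example, not part of the original article; it rebuilds the article's layout in a
temporary directory with empty placeholder files, so nothing here touches /tftpboot."""
import os
import re
import tempfile

# The article's configuration, reproduced as constructed text.
PXE_DEFAULT = """\
default linux
label linux
kernel linux
append initrd=initrd showopts instmode=nfs install=nfs://192.168.1.101/tftpboot/sles10_sp3/
"""
DHCPD_CONF = """\
ddns-update-style none;
default-lease-time 14400;
filename "pxelinux.0";
next-server 192.168.1.101;
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.1 192.168.1.100;
}
"""

def parse_dhcpd(text):
    """Return the global filename and next-server statements of dhcpd.conf."""
    return dict(re.findall(r'^\s*(filename|next-server)\s+"?([^";\s]+)"?\s*;', text, re.MULTILINE))

def parse_pxelinux_default(text):
    """Return (default_label, {label: {"kernel": ..., "initrd": ..., "install": ...}})."""
    default, labels, current = None, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "default":
            default = words[1]
        elif key == "label":
            current = labels.setdefault(words[1], {})
        elif key == "kernel" and current is not None:
            current["kernel"] = words[1]
        elif key == "append" and current is not None:
            # kernel command line; keep the key=value options (initrd=, instmode=, install=)
            for opt in words[1:]:
                k, sep, v = opt.partition("=")
                if sep:
                    current[k] = v
    return default, labels

def check_tftproot(root, dhcpd_text, pxe_text, export_path="/tftpboot"):
    """List inconsistencies between the two configs and the files actually under root."""
    problems = []
    loader = parse_dhcpd(dhcpd_text).get("filename")
    if not loader or not os.path.isfile(os.path.join(root, loader)):
        problems.append("dhcpd filename %r not found under tftp root" % loader)
    default, labels = parse_pxelinux_default(pxe_text)
    entry = labels.get(default)
    if entry is None:
        return problems + ["pxelinux default label %r is not defined" % default]
    for key in ("kernel", "initrd"):
        name = entry.get(key)
        if not name or not os.path.isfile(os.path.join(root, name)):
            problems.append("label %s: %s %r not found under tftp root" % (default, key, name))
    # install=nfs://<server><export_path>/<dir>/ must name a directory present under root
    m = re.match(r"nfs://[^/]+(/.*)", entry.get("install", ""))
    if m and m.group(1).startswith(export_path + "/"):
        rel = m.group(1)[len(export_path) + 1:].rstrip("/")
        if not os.path.isdir(os.path.join(root, rel)):
            problems.append("install tree %r not mounted under tftp root" % rel)
    return problems

def build_sample_tree(root):
    """Lay out the article's /tftpboot under root with empty placeholder files (constructed)."""
    os.makedirs(os.path.join(root, "pxelinux.cfg"))
    os.makedirs(os.path.join(root, "sles10_sp3"))  # stands in for the mounted ISO
    for name in ("pxelinux.0", "linux", "initrd"):
        open(os.path.join(root, name), "w").close()
    with open(os.path.join(root, "pxelinux.cfg", "default"), "w") as f:
        f.write(PXE_DEFAULT)

def run_demo():
    """Check the complete sample tree, then the same tree with initrd removed."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        good = check_tftproot(root, DHCPD_CONF, PXE_DEFAULT)
        os.remove(os.path.join(root, "initrd"))
        bad = check_tftproot(root, DHCPD_CONF, PXE_DEFAULT)
    return good, bad
```

To check a live server, call check_tftproot("/tftpboot", open("/etc/dhcpd.conf").read(), open("/tftpboot/pxelinux.cfg/default").read()).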

12. Postfix Installing and configuring Courier-Auth Libs, Courier-IMAP and POP3


    The Courier mail transfer agent (MTA) is an integrated mail/groupware server based on open commodity protocols such as ESMTP, IMAP, POP3, LDAP, SSL and HTTP. Courier provides ESMTP, IMAP, POP3, webmail and mailing list services within a single, consistent framework. Individual components can be enabled or disabled at will. The Courier mail server now implements basic web-based calendaring and scheduling services integrated in the webmail module.
Installing Courier Auth Lib:
    The Courier Authentication Library is a generic authentication API that encapsulates the process of validating account passwords. In addition to reading the traditional account passwords from /etc/passwd, the account information can alternatively be obtained from an LDAP directory, a MySQL or PostgreSQL database, or a GDBM or DB file. The Courier authentication library must be installed before building any Courier packages that need direct access to mailboxes (in other words, all packages except courier-sox and courier-analog).
    Here we will download, compile and install the courier-authlib source code for the authentication daemon. This provides the backend authentication that is required by both POP3 and IMAP. The source code can be downloaded from http://www.courier-mta.org/. Courier can be used with Sendmail, Qmail or Postfix. The courier-mta supports retrieval of mail from Maildir format and does not support the old MBOX format. Authentication mechanism using courier authlib:
    The MUA sends the authentication to IMAP/POP3. IMAP/POP3 hands the request over to courier-authlib, which then queries the user database (/etc/passwd, LDAP, MySQL).

MUA -> IMAP/POP3 -> Courier authlib -> userdb

Installing courier auth libs
    Here we are interested in installing the Courier IMAP and POP3 servers. To accomplish this we first have to install the courier-auth libraries.
So download the authlib separately and install it.

# wget http://sourceforge.net/projects/courier/files/authlib/0.63.0/courier-authlib-0.63.0.tar.bz2/download
# tar -jxvf courier-authlib-0.63.0.tar.bz2
# cd courier-authlib
# su user
$ ./configure
$ make
$ su root
# make install
# make install-configure

    The entire process installs the binaries and configuration files. The binary named "authdaemond" under the "/usr/local/sbin" directory runs as the authlib daemon. It consults the /usr/local/etc/authlib/authdaemonrc configuration file.
Starting the authlib daemon

# /usr/local/sbin/authdaemond start
# ps -ef |grep authdaemond

    The auth daemon is not bound to any TCP or UDP port, but it is ready to accept authentication requests from IMAP or POP3. "If the auth daemon is not running, authentication in IMAP and POP3 will not work."
Installing courier imap (installs the IMAP and POP3 service)
    Both the POP3 and IMAP services are installed with the package courier-imap.
Download the package from http://www.courier-mta.org/download.php#imap and install it:

# wget https://sourceforge.net/projects/courier/files/imap/4.7.0/courier-imap-4.7.0.tar.bz2/download
# tar -jxvf courier-imap-4.7.0.tar.bz2
# cd courier-imap
# su user

If we need SSL support, the openssl and openssl-devel packages must be installed.

$ ./configure
$ make
$ su root
# make install
# make install-configure

    These steps finish the courier-imap installation. "/usr/lib/courier-imap" is the directory location of the courier-imap installation; it contains binaries, libraries, shared libraries and configuration files.
    Note: The default syslog facility used by courier-imap is "mail". This can be changed while compiling the binary.

Configuring and Running Courier-POP3
    Now we will configure Courier-pop3 for retrieval of mail.
The "/usr/lib/courier-imap/libexec" directory has the startup scripts pop3d.rc and pop3d-ssl.rc to start the POP3 and POP3-SSL services respectively.
Starting the pop3 service

# cd /usr/lib/courier-imap/libexec
# ./pop3d.rc start

    This will start the POP3 service and bind it to port 110. Now check that the service is running with the following command:

# netstat -ntlp | grep 110

    Now test the retrieval of messages from outside using any MUA with the POP3 protocol. By default Courier will retrieve the messages from the user's mailbox (Maildir). Usually POP3 retrieves the mails from the "new" directory of the Maildir structure.

Implementing pop3-ssl
    Normal POP3 transmits messages in clear text over the wire. To implement secured (encrypted) transfer of mail we have to run pop3-ssl. To accomplish this we have to generate a self-signed certificate or purchase a certificate signed by a trusted certificate authority that our email client trusts.

Generating own self signed certificate:
    Courier-mta includes scripts to generate a self-signed certificate using openssl.

# cd /usr/lib/courier-imap/etc

    In this directory we have a file called pop3d.cnf which contains the answers to the questions usually asked when generating a self-signed certificate; it is used by the script built into courier-mta.

# vim pop3d.cnf

    Change the parameters to suit our environment, e.g. Locality, organization, organization unit, host, email address etc. Save the file and navigate to the folder which contains the script to generate the certificate.

# cd ../share
# ./mkpop3dcert

# ls pop3d.pem

    This will generate the certificate, in the current location, from the pop3d.cnf edited before.
Now navigate to the libexec folder and start the pop3d-ssl script to start POP3 in secure mode. This will bind port 995.

# cd /usr/lib/courier-imap/libexec
# ./pop3d-ssl.rc start
# netstat -tulpn |grep 995

    Now we can see that the pop3s server has started and is running on port 995.
Test it in the MUA by changing the incoming mail POP3 settings to use a secure connection (SSL). Now send and receive mails, accepting the certificate.

Making the pop3 and pop3s service available at startup
Make a symbolic link to /etc/init.d.

# ln -s /usr/lib/courier-imap/libexec/pop3d.rc    /etc/init.d/
# ln -s /usr/lib/courier-imap/libexec/pop3d-ssl.rc    /etc/init.d/
# cd /etc/init.d

Now link it into the runlevel where the script should start. To start in runlevel 3:

# cd /etc/init.d/rc3.d
# ln -s ../pop3d.rc S20pop3d
# ln -s ../pop3d-ssl.rc S20pop3-ssld

    This creates a startup link for the given runlevel. Make sure to create a kill (K) link in the same way so the service is stopped when the system changes runlevel.

Configuring and running Courier-imap service
    The Courier-imap startup scripts reside in the same location as the courier-pop3 ones.
Starting the imap service

# cd /usr/lib/courier-imap/libexec
# ./imapd.rc start
# netstat -ntlp | grep 143

    This will show the IMAP service running and listening on port 143.
Configuring Courier-imap
    The configuration file is located at "/usr/lib/courier-imap/etc" and named "imapd".

# vim /usr/lib/courier-imap/etc/imapd

    All directives are self-explanatory. This file is used to configure the listening address, port, the number of daemons to start when the binary starts, etc.
    Test mail retrieval by configuring the MUA with IMAP. The credentials given are matched by the server against /etc/passwd by default, and /etc/passwd is the file that tells where the Maildir resides (Courier checks the mails in the Maildir of the user's home directory). IMAP communicates in clear text by default.

Configuring Courier-imaps
    This enables encrypted communication with the help of SSL.

# vim /usr/lib/courier-imap/etc/imapd.cnf

    Edit the above file so the certificate is generated properly: change the Country, State, Locality, Organization unit, Common name, email address etc. Now generate the certificate:

# /usr/lib/courier-imap/share/mkimapdcert

    This will create a certificate named imapd.pem.
Now start the imapd-ssl service:

# /usr/lib/courier-imap/libexec/imapd-ssl.rc start
# netstat -ntlp |grep 993

    Most clients that support IMAP with SSL connect by default to port 993. This port is configurable in "courier-imap/etc/imapd-ssl". Test the configuration by changing the incoming mail server to IMAP with SSL. Restart the application and it will prompt to accept the certificate for further communication.

11. Postfix MailBox


Postfix supports two mailbox formats:
1. MBOX Format
2. MailDir Format

MBOX (/var/spool/mail/$user)
    MBOX is the default storage method used in Postfix. It is also the traditional Unix format for storing messages: mails are appended to a single file sequentially. The file must be locked by any application writing to it. On a heavily used server there may be locking and performance issues with the MBOX format, because only one application at a time is able to read and write the file. By default Postfix delivers mail to a file in the spool directory (e.g. for user root the MBOX file is /var/spool/mail/root). Most mail-retrieval technologies, such as IMAP and POP3 servers, follow this directory structure by default.
Spooling mails in the same MBOX format to the user's home directory
    This results in mail delivery into the user's home directory. There is a MAIL variable in the user's shell that defines the default location of the mails for the MUA. The following commands show the mail variable.

# echo $MAIL
# set |grep -i mail

Moving the MBOX to users home

# vim  /etc/postfix/main.cf
home_mailbox = Mailbox
# postfix reload

    The default behavior of Postfix is to spool the mail to the /var/spool/mail directory. By defining home_mailbox, Postfix delivers the mail to the user's home directory; the file named "Mailbox" is created by the Postfix daemon.
Now change the MAIL variable for the user (recommended when a locally installed MUA such as mutt or mail is used).

# export MAIL=~/Mailbox

Make it permanent (the following is for the bash shell):

# vim /etc/bashrc
export MAIL=~/Mailbox

Now source the file and check the mail variable

# . /etc/bashrc
# echo $MAIL

    Now the MUA will be able to get the mail from the right location.

Maildir
    This is the newer Unix standard, routing mail to a directory structure. Maildir provides superior scaling as well as "no locking issues".
Implementing Maildir

# vim /etc/postfix/main.cf
home_mailbox = Maildir/
# postfix reload

     The above process will create a sub-directory called Maildir in each user's home directory. Beneath this directory is the structure that contains the messages. Maildir was introduced by Qmail and is recognized and supported by almost all MUAs. Test by sending a mail to any user on the system and look for the newly created directory inside the home.

# ls ~/Maildir
cur
new
tmp

    These are the three sub-directories created by Postfix. When a message is spooled it is typically first copied into the "tmp" directory. The "new" directory contains the unread mails; the files in "new" have a typical nomenclature for identifying the messages.
Eg:- 2214525412.v80osui654.destinedhost
    In the above file name the initial prefix (2214525412) is the unique identifier that corresponds to the time since the epoch, 1970 (the command "date +%s" shows the current epoch time). "v80osui654" is the identifier added by Postfix, followed by the destination host name of the mailbox. The "cur" (current) directory contains the read mails.
The MAILDIR variable has to be set and the MAIL variable has to be unset:

# unset MAIL
# export MAILDIR=~/Maildir

    The variable change needs to be made globally if we use any MUA that depends on this variable; otherwise the MUAs will not be able to process the mails.
Set the variables globally

# vim /etc/bashrc
unset MAIL
export MAILDIR=~/Maildir
# . /etc/bashrc

10. Postfix Virtual Domains


    By default Postfix is set up to handle a few domains, defined by $mydestination. The idea of virtual domains is to map multiple domains to the same server. "hostname -f" shows the FQDN, also known as the canonical domain, used by Postfix.
Note: An IP address is also considered a domain. For eg:- a message To: user@[10.0.0.1] (the "[]" is a must). So in this case the IP address is also considered a domain, and it is also considered part of the canonical domain.

Basic Virtual Domain Configuration

# vim /etc/postfix/main.cf
mydestination = $myhostname, localhost, $mydomain, anewdomain.com, someotherdomain.com
relay_domains = $mydestination
# postfix reload

    Now messages destined to the domains listed in $mydestination will be handled by the server, so messages sent to a user at a domain defined in $mydestination will be delivered locally.
For Eg:- Mail sent to kiran@anewdomain.com and kiran@someotherdomain.com will be delivered to the same user on the host. In other words, the domains listed in $mydestination are considered local and mail for them is delivered locally.

Virtual Domains Using Maps For Single Domain
    This scenario is ideally used on a Linux mail server where the local users need to share different domains (used in an ISP environment).
Splitting Local users in to separate domains
    To do so we have to set up the virtual alias maps:

# vim /etc/postfix/main.cf
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual

     virtual_alias_domains tells which domains are to be supported by the virtual alias maps.

# vim /etc/postfix/virtual
userdd@example.com    kiran
dduser@example.com    jam
# postmap /etc/postfix/virtual

   The format is the same as in the transport table. On the left-hand side we mention the address that needs to be mapped and on the right-hand side the local or remote mail address to which the mail has to be delivered.

Reload the postfix service:

# postfix reload

# postconf  | grep virtual_alias_

    Now test the setting by composing messages to userdd@example.com and dduser@example.com. The messages will be delivered to the local users kiran and jam respectively.

Virtual Domains Using the catch-all feature
    In a virtual alias map environment, if mail is sent to a non-existing local user the Postfix server rejects the mail with the error "recipient address rejected" in the log file. This can be overcome by defining a catch-all address for the domain. But this feature catches all the mails coming to the domain, so the server will obviously fill up with spam. It is therefore not at all recommended for a production environment.
Defining the catch all

# vim /etc/postfix/main.cf
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
# vim /etc/postfix/virtual
@example.com    kiran
# postmap /etc/postfix/virtual

    Here all the mails that come to the domain example.com will be routed to user kiran.

The following virtual map file sends all mails coming to the domain example.com to multiple recipients.

# vim /etc/postfix/virtual
@example.com    kiran, user1, user2, user3

The following virtual map sends mails coming to kiran@example.com to the remote address kiran@secureserver.com.

# vim /etc/postfix/virtual
kiran@example.com        kiran@secureserver.com

   
Virtual alias Maps For Multiple Domains
    The following example shows the configuration for multiple domains.

# vim  /etc/postfix/main.cf
virtual_alias_domains = firstdomain.com, seconddomain.net, thirddomain.org, fourthdomain.com
virtual_alias_maps = hash:/etc/postfix/virtual


# vim /etc/postfix/virtual
sales@firstdomain.com             kiran
hr@seconddomain.net               jam
finance@thirddomain.org        jeo
project@fourthdomain.com      paul
abuse@seconddomain.net        abuse

# postmap /etc/postfix/virtual

    This finishes the configuration of the virtual alias maps.

# postmap -q abuse@seconddomain.net /etc/postfix/virtual

    The above command queries the virtual map file for the mapped address.

# postfix reload

    Test the settings by sending mails to each and every user in the new domains.
While testing this configuration make sure that the proper DNS entries are in place.
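As an added example that is not part of the article or of Postfix, the Python below lints a virtual alias map of the kind built in the catch-all and multiple-domain sections above against virtual_alias_domains, flagging catch-all entries, duplicate left-hand sides and domains that are not listed, and emulates the "postmap -q" lookup (exact address first, then the @domain catch-all; the user-only lookup Postfix also tries for its own domains is left out). The main.cf fragment and the map are constructed from the article's placeholder domains and users.

```python
"""Lint a Postfix virtual alias map against main.cf and emulate 'postmap -q' lookups.
Added example, not part of the original article or of Postfix; the map below is
constructed from the article's sample entries (placeholder domains and users)."""
import re

MAIN_CF = """\
virtual_alias_domains = firstdomain.com, seconddomain.net, thirddomain.org, fourthdomain.com
virtual_alias_maps = hash:/etc/postfix/virtual
"""

# Constructed: the article's per-user entries, plus a catch-all, a duplicate and an
# address whose domain is not listed above, so that each check below fires once.
VIRTUAL_MAP = """\
# comment lines and blank lines are ignored, as postmap does
sales@firstdomain.com             kiran
hr@seconddomain.net               jam
finance@thirddomain.org           jeo
project@fourthdomain.com          paul
abuse@seconddomain.net            abuse
@seconddomain.net                 kiran
kiran@example.com                 kiran@secureserver.com
sales@firstdomain.com             paul
"""


def parse_main_cf(text):
    """Return {parameter: value} for plain 'name = value' lines (no continuation lines)."""
    params = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def parse_virtual_map(text):
    """Return [(lhs, [rhs, ...]), ...] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        entries.append((fields[0], split_list(fields[1]) if len(fields) > 1 else []))
    return entries


def lint_virtual(main_cf_text, virtual_text):
    """Return (kind, lhs, explanation) findings for the map, in file order."""
    domains = set(split_list(parse_main_cf(main_cf_text).get("virtual_alias_domains", "")))
    findings, seen = [], set()
    for lhs, targets in parse_virtual_map(virtual_text):
        local, _, domain = lhs.rpartition("@")
        if domain not in domains:
            findings.append(("unlisted-domain", lhs,
                             "domain not in virtual_alias_domains (unless listed in "
                             "mydestination/relay_domains, mail for it is rejected)"))
        if local == "":
            findings.append(("catch-all", lhs,
                             "@domain matches every address in the domain, spam included"))
        if lhs in seen:
            findings.append(("duplicate", lhs,
                             "repeated left-hand side; postmap warns about the duplicate entry"))
        if not targets:
            findings.append(("no-target", lhs, "no right-hand side"))
        seen.add(lhs)
    return findings


def query(virtual_text, address):
    """Emulate 'postmap -q address': exact match first, then the @domain catch-all."""
    table = {}
    for lhs, targets in parse_virtual_map(virtual_text):
        table.setdefault(lhs, targets)  # first entry wins in this emulation
    if address in table:
        return table[address]
    return table.get("@" + address.rpartition("@")[2], [])
```

Feed the real /etc/postfix/main.cf and /etc/postfix/virtual to lint_virtual to review a live map; query shows which local user a given address would reach before you run postmap and reload.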