sudo apt-get install vim 

TLS/SSL certificate:

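As we don’t want our login information to travel in plain text over the network, we are also going to use TLS to secure the connection.
For this we need to create a self-signed certificate with the following commands, or buy a commercial one. Mail clients cannot verify a self-signed certificate on their own, so expect a warning until the certificate is explicitly trusted on each client.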

Creating a self-signed certificate:

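# Create the key and certificate directories if they do not exist yet.
sudo mkdir -p /etc/ssl/private/
sudo mkdir -p /etc/ssl/certs/
# Generate a self-signed certificate (valid 365 days) together with a new 2048-bit RSA key.
# -nodes stores the private key unencrypted so the mail daemons can start unattended,
# which leaves file permissions as the only protection for the key.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/mail.key -out /etc/ssl/certs/mailcert.pem
# Make sure the unencrypted private key is readable by root only.
sudo chmod 600 /etc/ssl/private/mail.key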
Country Name (2 letter code) [AU]: FR
State or Province Name (full name) [Some-State]: Rhone-Alpes
Locality Name (eg, city) []: LYON
Organization Name (eg, company) [Internet Widgits Pty Ltd]: 
Organizational Unit Name (eg, section) []: 
Common Name (e.g. server FQDN or YOUR name) []: modolo-dev.fr
Email Address []: postmaster@modolo-dev.fr

The public certificate is created in /etc/ssl/certs/mailcert.pem, and the private key, which nobody else should have access to, is in /etc/ssl/private/mail.key.

Postfix

sudo apt-get update
sudo apt-get remove exim4
sudo apt-get install postfix # select internet site and enter your server name
sudo service postfix stop
sudo vim /etc/postfix/master.cf

uncomment the submission section and change it to:

# Submission service for mail clients: TLS is mandatory (security_level=encrypt)
# and only SASL-authenticated clients are accepted; authentication is delegated
# to Dovecot through the private/auth socket.
# reject_sender_login_mismatch ties the envelope sender to the authenticated login
# using the table named in smtpd_sender_login_maps.
# NOTE(review): hash:/etc/postfix/virtual is not created anywhere on this page;
# confirm the table exists and has been built with postmap.
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
sudo vim /etc/postfix/main.cf 

We can comment out everything in this file and add the following:

myhostname = modolo-dev.fr
myorigin = /etc/mailname
mydestination = modolo-dev.fr, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

smtpd_tls_cert_file=/etc/ssl/certs/mailcert.pem
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3

local_recipient_maps = proxy:unix:passwd.byname $alias_maps

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
queue_directory = /var/spool/postfix
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
sudo vim /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
root: laurent
sudo newaliases

Dovecot

sudo apt-get install dovecot-common
sudo vim /etc/dovecot/dovecot.conf

clear the file and add:

# Single-file Dovecot configuration: system users authenticated through PAM,
# IMAP only, and an auth socket shared with Postfix for SASL.

# NOTE(review): "no" means this setting itself does not stop PLAIN/LOGIN on an
# unencrypted connection; it is ssl=required further down that keeps passwords
# off the wire. Setting this to "yes" would make the intent explicit.
disable_plaintext_auth = no
mail_privileged_group = mail
# NOTE(review): mail_location is set twice in this file (mbox here, maildir
# below); presumably the later one takes effect - confirm and keep only one.
mail_location = mbox:~/mail:INBOX=/var/mail/%u
# Users come from the system account database.
userdb {
  driver = passwd
}
# Passwords are checked through PAM.
passdb {
  args = %s
  driver = pam
}
protocols = "imap"

mail_location = maildir:~/Maildir
# Default namespace with the special-use folders mail clients expect.
namespace inbox {
    separator = /
    inbox = yes
    mailbox Trash {
        auto = subscribe
        special_use = \Trash
    }
    mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
    }
    mailbox Sent {
        auto = subscribe # autocreate and autosubscribe the Sent mailbox
        special_use = \Sent
    }
    mailbox "Sent Messages" {
        auto = no
        special_use = \Sent
    }
    mailbox Spam {
        auto = subscribe # autocreate and autosubscribe the Spam mailbox
        special_use = \Junk
    }
}

# Authentication socket placed inside the Postfix spool so Postfix can use
# Dovecot for SASL; 0660 with owner and group postfix keeps other local
# accounts away from it.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
# Outlook Express and Windows Mail only work with the LOGIN mechanism, not the standard PLAIN.
# Both mechanisms send the password itself, so they rely on TLS for confidentiality.
auth_mechanisms = plain login

# TLS is required for every client connection; certificate and key are the
# files generated in the certificate section of this page.
ssl=required
ssl_cert = </etc/ssl/certs/mailcert.pem
ssl_key = </etc/ssl/private/mail.key
newaliases
postfix start
service dovecot restart
#

Tutorial to install mail server with postfix dspam and dovecot.
The server configuration uses a vmail user.

We need the following packages to be installed for debian:

sudo apt-get install postfix dspam libdspam7-drv-hash dovecot-antispam dovecot-managesieved dovecot-sieve dovecot-imapd dovecot-pop3d dovecot-lmtpd opendkim opendkim-tools

or for archlinux:

sudo pacman -S postfix dspam dovecot opendkim

we then need to create a virtual user called vmail

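# Dedicated group and user (uid/gid 5000) that own every virtual mailbox.
sudo addgroup --gid 5000 vmail
# --shell /bin/false gives the account no usable shell; --disabled-login also
# leaves it without a password, so adduser does not prompt for one and the
# account cannot be used to authenticate.
sudo adduser --home /home/mail/ --uid 5000 --gid 5000 --shell /bin/false --disabled-login vmail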

The mails will be stored in /home/mail/, and we forbid interactive logins for this user by setting `--shell /bin/false`.

Postfix configuration:

We can stop the postfix server before configuring it:

sudo service postfix stop

we have to edit the file /etc/postfix/main.cf to configure postfix

sudo mv /etc/postfix/main.cf /etc/postfix/main.cf.back
sudo vim /etc/postfix/main.cf

and add the following content:

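# general
myhostname = modolo-dev.fr
mydestination = modolo-dev.fr, mail.modolo-dev.fr, localhost
# only loopback addresses are trusted networks; any other client has to authenticate to relay
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +

# other domains to handle
# NOTE(review): the addresses listed later in virtual_mailbox_recipients are
# @modolo-dev.fr, which is declared in mydestination rather than here; confirm
# which delivery class is intended for that domain.
virtual_mailbox_domains = igmo.fr, mail.igmo.fr
# where to put the mails
virtual_mailbox_base = /home/mail/vhosts
# mapping between address and mail folder
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_recipients
# only the vmail user with id 5000 handles things
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
# aliases (postmaster -> laurent) are looked up in the virtual_alias_recipients
# table; without this line that table would never be consulted
virtual_alias_maps = hash:/etc/postfix/virtual_alias_recipients

# security
# we use our certificate; level "may" offers STARTTLS without requiring it
# (opportunistic TLS), and smtpd_tls_auth_only below refuses AUTH on
# connections that are not encrypted
smtpd_tls_cert_file=/etc/ssl/certs/mailcert.pem
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_tls_security_level = may
smtp_tls_security_level = may
# we don't want the old insecure SSL protocols
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_auth_only = yes
# we only want authenticated users
# we also reject clients listed by zen.spamhaus.org, bl.spamcop.net and cbl.abuseat.org
# NOTE(review): the trailing "reject" refuses every client that is not
# SASL-authenticated, which would include other mail servers delivering inbound
# mail on port 25; confirm that is intended. reject_unauth_destination is the
# usual guard against open relaying.
smtpd_recipient_restrictions = permit_sasl_authenticated,
                                reject_unverified_recipient,
                                reject_rbl_client zen.spamhaus.org,
                                reject_rbl_client bl.spamcop.net,
                                reject_rbl_client cbl.abuseat.org,
                                reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# dovecot handles the SASL authentication
smtpd_sasl_type = dovecot
# authentication socket
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# spam
# we give the mails to dspam
virtual_transport  = lmtp:unix:dspam/dspam.sock

# DKIM (see below)
milter_protocol = 2
# "accept" lets mail through when the milter cannot be reached, so a stopped
# opendkim goes unnoticed unless the logs are checked
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301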

Then we have to edit the file /etc/postfix/master.cf to control how to connect to the mail server.

sudo mv /etc/postfix/master.cf /etc/postfix/master.cf.back
sudo vim /etc/postfix/master.cf

We enable the “submission” daemon with TLS to secure the outer connection, and dovecot-mediated SASL to check the username and password of connecting clients:

smtp      inet  n       -       n       -       -       smtpd

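# master.cf has no trailing-comment syntax: text after a value is handed to the
# daemon as extra arguments, so every remark sits on a line of its own.

# Submission: STARTTLS (no wrapper mode), TLS mandatory before AUTH, and only
# SASL-authenticated clients may send; authentication goes through Dovecot.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

# smtps: TLS is forced from the start of the connection (wrapper mode) and only
# SASL-authenticated clients are accepted.
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject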

dspam     unix  -       n       n       -       10      pipe
  flags=Ru user=vmail argv=/usr/bin/dspam --deliver=innocent,spam --user $recipient -i -f $sender -- $recipient
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

We edit the file /etc/postfix/virtual_mailbox_recipients:

sudo vim /etc/postfix/virtual_mailbox_recipients
laurent@modolo-dev.fr    modolo-dev.fr/laurent
ignace@modolo-dev.fr    modolo-dev.fr/ignace
adele@modolo-dev.fr    modolo-dev.fr/adele
ines@modolo-dev.fr    modolo-dev.fr/ines
juliette@modolo-dev.fr    modolo-dev.fr/juliette

For example, for the user laurent this corresponds to the folder /home/mail/vhosts/modolo-dev.fr/laurent.

We set the alias in the file /etc/postfix/virtual_alias_recipients:

sudo vim /etc/postfix/virtual_alias_recipients
postmaster@modolo-dev.fr laurent@modolo-dev.fr
admin@modolo-dev.fr laurent@modolo-dev.fr
root@modolo-dev.fr laurent@modolo-dev.fr

Then we compile those two files into lookup tables for postfix:

sudo touch /etc/aliases
sudo newaliases
sudo postmap /etc/postfix/virtual_mailbox_recipients
sudo postmap /etc/postfix/virtual_alias_recipients

dspam configuration

We set postfix to send the mail to dspam/dspam.sock.
By default this is in the chroot of postfix which is in /var/spool/postfix/.
we need to create a folder for dspam there:

sudo mkdir -p /var/spool/postfix/dspam
sudo chown dspam: /var/spool/postfix/dspam
sudo mkdir /var/log/dspam/
sudo chown -R dspam /var/log/dspam

To configure dspam we need to edit the file /etc/default/dspam:

sudo mv /etc/default/dspam /etc/default/dspam.back
sudo vim /etc/default/dspam
START=yes

and the file /etc/dspam/dspam.conf:

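# Keep a backup of the packaged dspam.conf, then write the new one.
# The file lives in /etc/dspam/ (only the START switch is in /etc/default/dspam).
sudo mv /etc/dspam/dspam.conf /etc/dspam/dspam.conf.back
sudo vim /etc/dspam/dspam.conf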
DeliveryHost            /var/run/dovecot/lmtp # we pass the mail to dovecot after filtering
DeliveryPort            4190
DeliveryIdent           localhost
DeliveryProto           LMTP

Trust vmail # vmail user move the mail according to sieve rules

Preference "tagSpam=on" # we flag the spam
Preference "spamAction=deliver" # we deliver the spam

ServerMode auto
ServerParameters        "--deliver=innocent,spam" # we also deliver the mails flaged as spam, which will be send to the junk folder by sieve
ServerDomainSocketPath  "/var/spool/postfix/dspam/dspam.sock" # the path of the posfix socket

At last we need to edit the file /etc/dspam/default.prefs:

sudo mv /etc/dspam/default.prefs /etc/dspam/default.prefs.back
sudo vim /etc/dspam/default.prefs
spamAction=deliver # we deliver the spam

Dovecot configuration

In Debian the dovecot configuration is split across many files in the /etc/dovecot/conf.d/ folder.
We are going to edit many of them.

sudo mv /etc/dovecot/conf.d /etc/dovecot/conf.d.back
sudo mkdir /etc/dovecot/conf.d/
sudo cp /etc/dovecot/conf.d.back/* /etc/dovecot/conf.d/
sudo cp /etc/dovecot/dovecot.conf.sample /etc/dovecot/dovecot.conf

sudo touch /var/log/dovecot.log
sudo touch /var/log/dovecot-info.log
sudo chown vmail:vmail /var/log/dovecot.log /var/log/dovecot-info.log
sudo vim /etc/dovecot/dovecot.conf
!include conf.d/*.conf
protocols = imap pop3 lmtp
sudo vim /etc/dovecot/conf.d/10-auth.conf
# PLAIN and LOGIN both transmit the password itself; disable_plaintext_auth = yes
# refuses them on connections that are not protected by TLS.
disable_plaintext_auth = yes
auth_mechanisms = plain login
# Virtual users and their password hashes are read from /etc/dovecot/users.
# scheme=CRYPT is only the default for entries without a {SCHEME} prefix.
# NOTE(review): how strong a plain CRYPT hash is depends on what generated it;
# prefer entries hashed with a modern salted scheme such as SHA512-CRYPT or
# BLF-CRYPT, and keep the file unreadable for ordinary local accounts.
passdb {
    driver = passwd-file
    args = scheme=CRYPT username_format=%u /etc/dovecot/users
}
# Every virtual user maps to the vmail account, with a home directory built
# from the domain (%d) and local part (%n) of the address.
userdb {
    args = uid=vmail gid=vmail home=/home/mail/vhosts/%d/%n allow_all_users=yes
    driver = static
}
sudo vim /etc/dovecot/conf.d/10-mail.conf
# %d = domain, %n = user
# Mail is kept in Maildir format under each user's home directory.
mail_location = maildir:~/Maildir
# Default namespace with the special-use folders mail clients expect.
namespace inbox {
    separator = /
    inbox = yes
    mailbox Trash {
        auto = subscribe
        special_use = \Trash
    }
    mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
    }
    mailbox Sent {
        auto = subscribe # autocreate and autosubscribe the Sent mailbox
        special_use = \Sent
    }
    mailbox "Sent Messages" {
        auto = no
        special_use = \Sent
    }
    mailbox Spam {
        auto = subscribe # autocreate and autosubscribe the Spam mailbox
        special_use = \Junk
    }
}
# vmail user (uid/gid 5000 created earlier) owns all mail files
mail_uid = 5000
mail_gid = 5000
sudo vim /etc/dovecot/conf.d/10-master.conf
# LMTP listener used for local delivery into Dovecot.
service lmtp {
    unix_listener lmtp {
        user = vmail # the vmail user handles everything
    }
}
# Authentication socket inside the Postfix spool, used by Postfix for SASL.
service auth {
    unix_listener /var/spool/postfix/private/auth {
        # NOTE(review): 0666 lets every local account connect to the auth
        # socket. The single-file configuration earlier on this page uses 0660
        # with user/group postfix; confirm whether anything other than Postfix
        # needs this socket before keeping it world-accessible.
        mode = 0666
        user = postfix
        group = postfix
    }
}
sudo vim /etc/dovecot/conf.d/10-ssl.conf
ssl = required
ssl_cert = </etc/ssl/certs/mailcert.pem
ssl_key = </etc/ssl/private/mail.key
sudo vim /etc/dovecot/conf.d/15-lda.conf
postmaster_address = root@modolo-dev.fr
protocol lda {
    auth_socket_path = /var/spool/postfix/private/auth
}
sudo vim /etc/dovecot/conf.d/20-imap.conf
protocol imap {
    mail_plugins = $mail_plugins antispam # we load the antispam plugin
}
sudo vim /etc/dovecot/conf.d/10-director.conf
protocol lmtp {
    # Space separated list of plugins to load (default is global mail_plugins).
    mail_plugins = $mail_plugins sieve # we load seive to sort mail
}
sudo vim /etc/dovecot/conf.d/20-managesieve.conf
service managesieve-login {
    inet_listener sieve {
        port = 4190
    }
}
service managesieve {
}
protocol sieve {
}
sudo vim /etc/dovecot/conf.d/90-plugin.conf
plugin {
    autocreate = Trash
    autocreate2 = Sent
    autocreate3 = Junk
    autosubscribe = Trash
    autosubscribe2 = Sent
    autosubscribe3 = Junk
    antispam_backend = dspam
    antispam_dspam_binary = /usr/bin/dspam
    antispam_dspam_args = --deliver;--user;%u
    antispam_spam = Junk
    antispam_trash = Trash
    antispam_unsure = Trash
    antispam_signature = X-DSPAM-Signature
}
sudo vim /etc/dovecot/conf.d/90-sieve.conf
plugin {
    # The path to the user's main active script. If ManageSieve is used, this the
    # location of the symbolic link controlled by ManageSieve.
    sieve = ~/.dovecot.sieve
    sieve_dir = ~/sieve
    sieve_before = /home/mail/sieve/before/ # we apply this rule to all the mails
}

We add the sieve rule that moves mails tagged as spam into the Junk folder:

sudo mkdir -p /home/mail/sieve/before/
sudo vim /home/mail/sieve/before/spam.sieve
require ["fileinto"];
# rule:[SPAM]
if anyof (header :contains "X-DSPAM-Result" "Spam")
{
    fileinto "Junk";
    stop;
}

then we compile this rule for sieve:

sudo sievec /home/mail/sieve/before/spam.sieve

We can then add a new user to dovecot: generate a password hash with the first command below, then put it in /etc/dovecot/users in place of PASSWD:

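# Generate a salted SHA-512 crypt hash for the new account's password.
# The output starts with a {SHA512-CRYPT} prefix; keep that prefix when pasting
# it into the users file, since it tells Dovecot which scheme the entry uses
# regardless of the default scheme in the passdb arguments.
doveadm pw -s SHA512-CRYPT
# /etc/dovecot/users holds one "address:hash" line per account. It contains
# password hashes, so it should not be readable by ordinary local accounts.
sudo vim /etc/dovecot/users 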
laurent@modolo-dev.fr:PASSWD

We then give ownership of the mail directory to the vmail user:

sudo chown -R vmail:vmail /home/mail

DKIM configuration

Configure DKIM:

# Back up the packaged OpenDKIM configuration and prepare its runtime and
# configuration directories, owned by the opendkim user.
# NOTE(review): the backup below is taken from /etc/opendkim/opendkim.conf,
# while the file edited at the end is /etc/opendkim.conf; the location depends
# on the distribution, so confirm which path the opendkim service reads and
# use the same one in both commands.
sudo mv /etc/opendkim/opendkim.conf /etc/opendkim/opendkim.conf.back
sudo mkdir -p /var/run/opendkim/
sudo mkdir -p /etc/opendkim/
sudo chown -R opendkim /var/run/opendkim/
# The signing keys will live under /etc/opendkim/, so only opendkim and root
# should be able to read that tree.
sudo chown -R opendkim /etc/opendkim/
sudo vim /etc/opendkim.conf
AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   002
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256
UserID                  opendkim
Socket                  inet:12301@localhost

We connect DKIM to postfix:

sudo vim /etc/default/opendkim
SOCKET="inet:12301@localhost"

We configure the trusted host allowed to send mails:

sudo vim /etc/opendkim/TrustedHosts
127.0.0.1
localhost
192.168.0.1/24
modolo-dev.fr
*.modolo-dev.fr

Create folders for the keys:

sudo mkdir -p /etc/opendkim/keys

and then we configure the keys table:

sudo vim /etc/opendkim/KeyTable
mail._domainkey.modolo-dev.fr modolo-dev.fr:mail:/etc/opendkim/keys/modolo-dev.fr/mail.private

We configure the signing table:

sudo vim /etc/opendkim/SigningTable
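# Sign mail from any sender at modolo-dev.fr with the key named in KeyTable.
*@modolo-dev.fr mail._domainkey.modolo-dev.fr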

We then have to generate the keys: mail.private is the private key, which must stay on the server, and mail.txt holds the public key to publish in DNS.

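# Directory that will hold the key pair for this domain.
sudo mkdir -p /etc/opendkim/keys/modolo-dev.fr/
# -s mail / -d modolo-dev.fr: selector and domain, matching the KeyTable entry.
# -b 2048: ask for a 2048-bit RSA key instead of relying on the tool's default size.
# -D: write mail.private and mail.txt straight into the key directory, so the
#     result does not depend on the current working directory.
sudo opendkim-genkey -b 2048 -s mail -d modolo-dev.fr -D /etc/opendkim/keys/modolo-dev.fr/
# Only the opendkim user may read the private signing key.
sudo chown opendkim /etc/opendkim/keys/modolo-dev.fr/mail.private
sudo chmod 600 /etc/opendkim/keys/modolo-dev.fr/mail.private
# Runtime directory for the PID file, then start the service.
sudo mkdir -p /var/run/opendkim/
sudo chown -R opendkim /var/run/opendkim/
sudo service opendkim start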

DNS configuration:

We also need to be sure that the DNS configuration for the mail server is correct.
Verify the DNS configuration:

dig MX modolo-dev.fr

modolo-dev.fr. 1800 IN MX 0 modolo-dev.fr.

host mail.modolo-dev.fr

mail.modolo-dev.fr is an alias for modolo-dev.fr.
modolo-dev.fr has address 88.174.17.217
modolo-dev.fr mail is handled by 0 modolo-dev.fr.

We then need to edit the DNS configuration to add the key to it

cat /etc/opendkim/keys/modolo-dev.fr/mail.txt

The public key is defined under the -p parameter
Add the following TXT entry to your DNS configuration:

Name: mail._domainkey.modolo-dev.fr.
Text: "v=DKIM1; k=rsa; p=Your_public_key"

To finish :

sudo service postfix restart
sudo service dovecot restart