Difference between revisions of "Email server setup"
Line 317: | Line 317: | ||
# require proper helo at connections | # require proper helo at connections | ||
smtpd_helo_required = yes | smtpd_helo_required = yes | ||
− | + | ||
# waste spammers time before rejecting them | # waste spammers time before rejecting them | ||
smtpd_delay_reject = yes | smtpd_delay_reject = yes | ||
Line 451: | Line 451: | ||
chmod u=rw,g=r,o= /etc/postfix/mysql*.cf | chmod u=rw,g=r,o= /etc/postfix/mysql*.cf | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | |||
+ | ==Basic test== | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | echo "" > /var/log/syslog | ||
+ | service postfix restart | ||
+ | cat /var/log/syslog | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | You should see something like: ''daemon started -- version 2.11.0, configuration /etc/postfix'' | ||
+ | |||
Line 552: | Line 566: | ||
In that case we're gonna use the complete email address as login. | In that case we're gonna use the complete email address as login. | ||
+ | |||
+ | |||
+ | |||
+ | Adjust rights | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | chown root:root /etc/dovecot/dovecot-sql.conf.ext | ||
+ | chmod go= /etc/dovecot/dovecot-sql.conf.ext | ||
+ | </syntaxhighlight> | ||
+ | |||
Revision as of 12:49, 12 August 2014
Contents
Authors
All that follow is the sum of different how-to. I've based my research on Christoph Haas' how-to and FLURDY therefore a lot of commands are similar.
I'm not an expert of mail server, therefore most of the following content is not mine. I've just aggregate data to make it easier to work with. Please check out the #Sources if you want to know more.
This content is provided under the same license as my sources: GNU General Public License.
Requirements
An "email server" is the sum of the following components:
- SMTP server to
- Tools to check the email content against virus, spam
- Tools to encrypt the communication
- Database to manage users and emails
- (optional) WebMail such as Horde, RoundCube or SquirrelMail
Server dependencies
Before starting you need to have:
- MySQL server
- MySQL client such as MySQL workbench or Web app PhpMyAdmin
- Apache2 web server
- SSL server
Create Linux mail user
We need a dedicated to receive all emails and run an IMAP / POP3 server such as Devecot or Courier.
The delivery will be done by the IMAP / POP3 server using MySQL virtual domains & users.
# Server root folder, where all the mails will be stored
mkdir -p /var/spool/mail/virtualMail
# New user
groupadd --system virtualMail -g 5000
useradd --system virtualMail -u 5000 -g 5000 -d /var/vmail -m
chown -R virtualMail:virtualMail /var/vmail
chmod u+w /var/vmail
- It's a common good practice to create a dedicated user to send email. That's the user POSTFIX will use. As usual in Linux, that user should be UID > 1000 so it has more restrictions.
- All the emails will be saved into "/var/vmail/"
Create mail server certificate
Since nothing is secure we'll use SSL to encrypt communications. Therefore, we need to create a server certificate.
!! Important !!
If your server is the same as your web-server then you've already created some certificates in the Apache2 section. So you don't need to create a new one.
2 options:
- Create a new server certificate using an external Authority of Certification (your own or a 3rd party)
- Create a self-signed certificate... Use that option only if there is no other choice...
Create server key and certificate request
Create the private key
cd /etc/ssl
# Encrypted private key
openssl genrsa -aes256 -out private/mail.daxiongmao.eu.key -rand ./ 4096
# Decipher it for Apache2 (will be used by the webmail)
openssl rsa -in private/mail.daxiongmao.eu.key -out private/mail.daxiongmao.eu.nopass.key
Generate server certificate's request
openssl req -config openssl.cnf -new -nodes -key private/mail.daxiongmao.eu.key -out certs/mail.daxiongmao.eu.req
!! Country, state and locality must match your AC !!
- Country Name (2 letter code) [AU]: SE
- State or Province Name (full name) [Some-State]:Vastra Goteland
- Locality Name (eg, city) []:Goteborg
- Organization Name (eg, company) [Internet Widgits Pty Ltd]:Daxiongmao.eu
- Common Name (e.g. server FQDN or YOUR name) []:mail.daxiongmao.eu
Sign server certificate using your own AC
See SSL server#Server certificate for more details.
Send the .req file to the AC server, into /srv/ssl/certs/ then run:
cd /srv/ssl
openssl ca -config openssl.cnf \
-in certs/mail.daxiongmao.eu.req \
-out certs/mail.daxiongmao.eu.cert.pem \
-cert cacerts.pem \
-days 3600
Deploy server certificate
Copy the new certificate "mail.daxiongmao.cert.pem" to the mail server in "/etc/ssl/certs/"
MySQL database
Create and initialize a new database and user for email.
Create database
I assume that:
- Database name: maildb
- Db user: maildb
# log in as root
mysql -u root -p
# Create the mail database
create database maildb;
# Create a new user and grant rights upon mail database
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON maildb.* TO 'maildb'@'localhost' IDENTIFIED by 'mailDbPASSWORD';
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON maildb.* TO 'maildb'@'%' IDENTIFIED by 'mailDbPASSWORD';
exit;
Schema
Create the following schema:
CREATE TABLE `domains` (
`id` smallint(6) NOT NULL auto_increment,
`name` varchar(120) NOT NULL default '',
`enabled` tinyint(1) NOT NULL default '1',
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `users` (
`id` varchar(128) NOT NULL default '',
`email` varchar(120) NOT NULL,
`name` varchar(120) NOT NULL default '',
`password` varchar(32) NOT NULL,
`domain_id`smallint(6) NOT NULL,
`enabled` tinyint(3) unsigned NOT NULL default '1',
PRIMARY KEY (`id`),
UNIQUE KEY `email` (`email`),
FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `aliases` (
`id` smallint(3) NOT NULL auto_increment,
`domain_id` smallint(6) NOT NULL,
`source` varchar(120) NOT NULL default '',
`destination` varchar(100) NOT NULL,
`enabled` tinyint(1) NOT NULL default '1',
PRIMARY KEY (`id`),
FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
POSTFIX
POSTFIX is a SMTP server that is used to send/receive emails.
Installation
POSTFIX SMTP server:
apt-get install postfix postfix-mysql
mkdir -p /var/spool/mail/virtual
Basic configuration
vim /etc/postfix/main.cf
Put the following configuration:
##########################
# MISC settings #
##########################
# Server name
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# Use external SMTP relay?
relayhost =
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
# Bind interfaces
inet_interfaces = all
# Restrict to IPv4 (= avoid IPv6 errors and log spam)
inet_protocols=ipv4
###########################
# Email global settings #
###########################
# Email server name
myhostname = mail.daxiongmao.eu
# Domain name for emails originated from this server
#myorigin = /etc/mailname
myorigin = daxiongmao.eu
# Local destination (= email server local alias)
mydestination = mail.daxiongmao.eu, localhost.daxiongmao.eu, , localhost
# Trusted senders (localhost + LAN + VPN)
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.50.0/24 172.16.60.0/24
##############################
# Commands #
##############################
mailbox_command = procmail -a "$EXTENSION"
###################################
# Email accounts / msg settings #
###################################
# Max mailbox size
mailbox_size_limit = 0
# Max number of mailboxes
virtual_mailbox_limit = 0
# Max message size
message_size_limit = 0
# Misc settings
recipient_delimiter = +
###########################
# Connection settings #
###########################
# how long to keep message on queue before return as failed
maximal_queue_lifetime = 1h
# max and min time in seconds between retries if connection failed
minimal_backoff_time = 5m
maximal_backoff_time = 10m
# how long to wait when servers connect before receiving rest of data
smtp_helo_timeout = 60s
# how many address can be used in one message.
# effective stopper to mass spammers, accidental copy in whole address list but may restrict intentional mail shots.
smtpd_recipient_limit = 16
# how many error before back off.
smtpd_soft_error_limit = 3
# how many max errors before blocking it.
smtpd_hard_error_limit = 12
####################################
# Security: protocol enforcement #
####################################
# Requirements for the HELO statement
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
# Requirements for the sender details
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
# Requirements for the connecting server
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl
# Requirement for the recipient address
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_data_restrictions = reject_unauth_pipelining
# require proper helo at connections
smtpd_helo_required = yes
# waste spammers time before rejecting them
smtpd_delay_reject = yes
disable_vrfy_command = yes
############################
# Email accounts #
############################
# Alias definitions
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Location of the virtual mailbox folder (= Global server mailbox)
# ... This must match the folder you created in [[#Create Linux mail user]]
virtual_mailbox_base = /var/vmail
## MySQL settings
# Domain lookups
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
# List of available mailboxes
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailboxes.cf
# List of virtual mailboxes
virtual_alias_maps = mysql:/etc/postfix/mysql_aliases.cf,mysql:/etc/postfix/mysql_mailboxes.cf
############################
# Security #
############################
## Mail user / group
# Good practice: you should create a dedicated Linux user to send mails. That one is called "virtualMail"
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
## TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Don't forget to adjust:
- Email global settings
- myhostname
- myorigin mailserver
- mydestination
- mynetworks
MySQL domain config
How to find the domains.
vim /etc/postfix/mysql_domains.cf
Put the following content, replace mailDbPASSWORD by your own database password:
user = maildb
password = mailPASSWORD
hosts = 127.0.0.1
dbname = maildb
query = SELECT name FROM domains WHERE name='%s' AND enabled = 1
Notes:
- Do not use "localhost" instead of "127.0.0.1". Since Postfix and MySQL are chroot in different places Postfix must use network (127.0.0.1) communication instead of file (localhost).
- The '%s' will be replace dynamically on runtime by the requested domain
MySQL mailbox config
How to select a mailbox from MySQL.
vim /etc/postfix/mysql_mailboxes.cf
Put the following content, replace mailDbPASSWORD by your own database password:
user = maildb
password = mailDbPASSWORD
dbname = maildb
hosts = 127.0.0.1
query = SELECT email FROM users WHERE email = '%s' AND enabled = 1
MySQL alias config
How to find the email alias from MySQL
vim /etc/postfix/mysql_aliases.cf
Put the following content, replace mailDbPASSWORD by your own database password:
user = maildb
password = mailDbPASSWORD
dbname = maildb
hosts = 127.0.0.1
query = SELECT destination FROM aliases WHERE source='%s' AND enabled = 1
Trick:
In case of catch-all addresses such as @dev.daxiongmao.eu (to get everything) you need another file to allow (bob@dev.daxiongmao.eu).
In that case the Postfix "virtual_alias_map" will use 2 scripts.
Set rights
chgrp postfix /etc/postfix/mysql*.cf
chmod u=rw,g=r,o= /etc/postfix/mysql*.cf
Basic test
echo "" > /var/log/syslog
service postfix restart
cat /var/log/syslog
You should see something like: daemon started -- version 2.11.0, configuration /etc/postfix
DOVECOT
Dovecot is an IMAP / POP3 server used to manage and deliver emails.
In our case:
- All the emails files will be owned by the "local user" VirtualMail [= linux user]
- Emails will be delivered to the "virtual domains & users" using MySQL database
Installation
apt-get install dovecot-mysql dovecot-pop3d dovecot-imapd dovecot-managesieved
Configuration
All the configuration is available in "/etc/dovecot/conf.d".
Authentication
Overall behavior
Enable MySQL + Microsoft Outlook support.
vim /etc/dovecot/conf.d/10-auth.conf
Edit the configuration:
- Add "login" authentication mechanism to support MS Outlook
- At the end of the file, comment "auth-system" in favor of "auth-sql"
auth_mechanisms = plain login
[...]
#!include auth-system.conf.ext
!include auth-sql.conf.ext
Configure email mailbox folder
vim /etc/dovecot/conf.d/auth-sql.conf.ext
Comment out all "userdb" section in favor of the following:
userdb {
driver = static
args = uid=virtualMail gid=virtualMail home=/var/vmail/%d/%n
}
!! Important, they can only be 1 "userdb" section
Configure DB access
Now you need to configure how Devecot will access the database:
vim /etc/dovecot/dovecot-sql.conf.ext
-- Actually this file should already exists, you just have to complete it!
Put the following (adjust to your own settings and replace MailDbPassword):
driver = mysql
connect = host=127.0.0.1 dbname=maildb user=maildb password=MailDbPassword
default_pass_scheme = PLAIN-MD5
password_query = SELECT email AS user, password FROM users WHERE email = '%u' AND enabled = 1;
Reminder:
- %u = entire user@domain
- %n = user part of user@domain
- %d = domain part of user@domain
In that case we're gonna use the complete email address as login.
Adjust rights
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod go= /etc/dovecot/dovecot-sql.conf.ext
Mail location
vim /etc/dovecot/conf.d/10-mail
Adjust the mailbox_location:
mail_location = maildir:/var/vmail/%d/%n/Maildir
Network and service security (ports and rights)
vim /etc/dovecot/conf.d/10-master.conf
For Postfix to allow Dovecot as an authentication service you must uncomment and adjust:
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
SSL configuration
vim /etc/dovecot/conf.d/10-ssl.conf
Earlier you created both a key and a certificate file to encrypt the communication. You need to use it:
ssl_cert = </etc/ssl/certs/mail.daxiongmao.eu.cert.pem
ssl_key = </etc/ssl/private/mail.daxiongmao.eu.key
ssl_key_password = </etc/dovecot/ssl_cert_pwd.cf
Create the password file (only root can access it, on service's startup):
touch /etc/dovecot/ssl_cert_pwd.cf
echo "myKeyPassword" > /etc/dovecot/ssl_cert_pwd.cf
chmod 0600 /etc/dovecot/ssl_cert_pwd.cf
chown root:root /etc/dovecot/ssl_cert_pwd.cf
Enable emails rules
To enable emails rules you need to use the "SIEVE" plugin.
vim /etc/dovecot/conf.d/15-lda.conf
protocol lda {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins sieve
}
RoundCube WebMail
There are many webmail clients available: horde, squirrelMail, roundCube, etc.
Installation
apt-get install roundcube roundcube-plugins
Reply to the following questions:
- Use dbconfig-common? YES
- Database type? mysql
- Database's administrative user's password? root password
- Application's password? new password
Security
Apache2 Virtual host
Create a new VHost
Create a new vHost:
vim /etc/apache2/sites-available/mail.daxiongmao.eu.conf
Put the following content:
Disable the default VHOST
a2dissite 000-default
Enable the new VHOST
a2ensite mail.daxiongmao.eu
Enable Apache2 modules
a2enmod ssl rewrite
Restart and test
service apache2 restart
Go to: https://mail.daxiongmao.eu
Other
## Security libraries
# SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.
apt-get install libsasl2-modules libsasl2-modules-sql libgsasl7 libauthen-sasl-cyrus-perl sasl2-bin
# Authentication using MySQL
apt-get install libpam-mysql
## Anti-virus
apt-get install clamav-base libclamav6 clamav-daemon clamav-freshclam
## SPAM killer
apt-get install spamassassin spamc
## Interface to scan emails for virus & spam
apt-get install amavisd-new
## Utility to SEND emails
apt-get install postfix postfix-mysql
## Utility to RECEIVE emails
apt-get install courier-base courier-authdaemon courier-authlib-mysql courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl
Sources
Fabulous guide from Christoph Haas: https://workaround.org/ispmail/wheezy .This also explain each step in detail: WHY and HOW do to it.
- Complete how-to, quite technical: http://flurdy.com/docs/postfix/
- http://xmodulo.com/2014/01/mail-server-ubuntu-debian.html
- http://www.pixelinx.com/2013/09/creating-a-mail-server-on-ubuntu-postfix-courier-ssltls-spamassassin-clamav-amavis/
- Postfix how-to: