Email server setup

Revision as of 12:37, 12 August 2014 by WikiFreak (talk | contribs)


Authors

All that follow is the sum of different how-to. I've based my research on Christoph Haas' how-to and FLURDY therefore a lot of commands are similar.


I'm not an expert of mail server, therefore most of the following content is not mine. I've just aggregate data to make it easier to work with. Please check out the #Sources if you want to know more.


This content is provided under the same license as my sources: GNU General Public License.



Requirements

An "email server" is the sum of the following components:

  • SMTP server to
  • Tools to check the email content against virus, spam
  • Tools to encrypt the communication
  • Database to manage users and emails
  • (optional) WebMail such as Horde, RoundCube or SquirrelMail


Server dependencies

Before starting you need to have:


Create Linux mail user

We need a dedicated to receive all emails and run an IMAP / POP3 server such as Devecot or Courier.

The delivery will be done by the IMAP / POP3 server using MySQL virtual domains & users.

# Server root folder, where all the mails will be stored
mkdir -p /var/spool/mail/virtualMail 

# New user
groupadd --system virtualMail -g 5000
useradd --system virtualMail -u 5000 -g 5000 -d /var/vmail -m
chown -R virtualMail:virtualMail /var/vmail
chmod u+w /var/vmail


  • It's a common good practice to create a dedicated user to send email. That's the user POSTFIX will use. As usual in Linux, that user should be UID > 1000 so it has more restrictions.
  • All the emails will be saved into "/var/vmail/"


Create mail server certificate

Since nothing is secure we'll use SSL to encrypt communications. Therefore, we need to create a server certificate.


!! Important !!

If your server is the same as your web-server then you've already created some certificates in the Apache2 section. So you don't need to create a new one.


2 options:

  1. Create a new server certificate using an external Authority of Certification (your own or a 3rd party)
  2. Create a self-signed certificate... Use that option only if there is no other choice...


Create server key and certificate request

Create the private key

cd /etc/ssl
# Encrypted private key
openssl genrsa -aes256 -out private/mail.daxiongmao.eu.key -rand ./ 4096
# Decipher it for Apache2 (will be used by the webmail)
openssl rsa -in private/mail.daxiongmao.eu.key -out private/mail.daxiongmao.eu.nopass.key


Generate server certificate's request

openssl req -config openssl.cnf -new -nodes -key private/mail.daxiongmao.eu.key -out certs/mail.daxiongmao.eu.req

!! Country, state and locality must match your AC !!

  • Country Name (2 letter code) [AU]: SE
  • State or Province Name (full name) [Some-State]:Vastra Goteland
  • Locality Name (eg, city) []:Goteborg
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]:Daxiongmao.eu
  • Common Name (e.g. server FQDN or YOUR name) []:mail.daxiongmao.eu


Sign server certificate using your own AC

See SSL server#Server certificate for more details.


Send the .req file to the AC server, into /srv/ssl/certs/ then run:

cd /srv/ssl
openssl ca -config openssl.cnf \
-in certs/mail.daxiongmao.eu.req \
-out certs/mail.daxiongmao.eu.cert.pem \
-cert cacerts.pem \
-days 3600


Deploy server certificate

Copy the new certificate "mail.daxiongmao.cert.pem" to the mail server in "/etc/ssl/certs/"




MySQL database

Create and initialize a new database and user for email.


Create database

I assume that:

  • Database name: maildb
  • Db user: maildb


# log in as root 
mysql -u root -p 

# Create the mail database 
create database maildb; 

# Create a new user and grant rights upon mail database
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON maildb.* TO 'maildb'@'localhost' IDENTIFIED by 'mailDbPASSWORD'; 
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON maildb.* TO 'maildb'@'%' IDENTIFIED by 'mailDbPASSWORD'; 
exit;


Schema

Create the following schema:

CREATE TABLE `domains` ( 
   `id` smallint(6) NOT NULL auto_increment, 
   `name` varchar(120) NOT NULL default '', 
   `enabled` tinyint(1) NOT NULL default '1', 
   PRIMARY KEY (`id`) 
) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `users` ( 
   `id` varchar(128) NOT NULL default '', 
   `email` varchar(120) NOT NULL,
   `name` varchar(120) NOT NULL default '', 
   `password` varchar(32) NOT NULL,
   `domain_id`smallint(6) NOT NULL,
   `enabled` tinyint(3) unsigned NOT NULL default '1', 
   PRIMARY KEY (`id`),
   UNIQUE KEY `email` (`email`),
   FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `aliases` ( 
    `id` smallint(3) NOT NULL auto_increment, 
    `domain_id` smallint(6) NOT NULL, 
    `source` varchar(120) NOT NULL default '', 
    `destination` varchar(100) NOT NULL,
    `enabled` tinyint(1) NOT NULL default '1', 
    PRIMARY KEY (`id`), 
    FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;



POSTFIX

POSTFIX is a SMTP server that is used to send/receive emails.


Installation

POSTFIX SMTP server:

apt-get install postfix postfix-mysql 

mkdir -p /var/spool/mail/virtual


Basic configuration

vim /etc/postfix/mail.cf


Put the following configuration:


##########################
#      MISC settings     #
##########################
# Server name
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# Use external SMTP relay?
relayhost = 
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

# Bind interfaces
inet_interfaces = all
# Restrict to IPv4 (= avoid IPv6 errors and log spam)
inet_protocols=ipv4


###########################
#  Email global settings  #
###########################
# Email server name
myhostname = mail.daxiongmao.eu
# Domain name for emails originated from this server
#myorigin = /etc/mailname
myorigin = daxiongmao.eu
# Local destination (= email server local alias)
mydestination = mail.daxiongmao.eu, localhost.daxiongmao.eu, , localhost
# Trusted senders (localhost + LAN + VPN)
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.50.0/24 172.16.60.0/24


##############################
#          Commands          #
##############################
mailbox_command = procmail -a "$EXTENSION"


###################################
#  Email accounts / msg settings  #
###################################
# Max mailbox size
mailbox_size_limit = 0
# Max number of mailboxes 
virtual_mailbox_limit = 0
# Max message size
message_size_limit = 0
# Misc settings
recipient_delimiter = +


###########################
#   Connection settings   #
###########################
# how long to keep message on queue before return as failed
maximal_queue_lifetime = 1h
# max and min time in seconds between retries if connection failed
minimal_backoff_time = 5m
maximal_backoff_time = 10m
# how long to wait when servers connect before receiving rest of data
smtp_helo_timeout = 60s
# how many address can be used in one message.
# effective stopper to mass spammers, accidental copy in whole address list but may restrict intentional mail shots.
smtpd_recipient_limit = 16
# how many error before back off.
smtpd_soft_error_limit = 3
# how many max errors before blocking it.
smtpd_hard_error_limit = 12


####################################
#  Security: protocol enforcement  #
####################################
# Requirements for the HELO statement
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit

# Requirements for the sender details
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit

# Requirements for the connecting server 
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl

# Requirement for the recipient address
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_data_restrictions = reject_unauth_pipelining


# require proper helo at connections 
smtpd_helo_required = yes
mailserver
# waste spammers time before rejecting them
smtpd_delay_reject = yes
disable_vrfy_command = yes


############################
#      Email accounts      #
############################
# Alias definitions
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Location of the virtual mailbox folder (= Global server mailbox)
# ... This must match the folder you created in [[#Create Linux mail user]]
virtual_mailbox_base = /var/vmail

## MySQL settings
# Domain lookups
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
# List of available mailboxes
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailboxes.cf
# List of virtual mailboxes
virtual_alias_maps = mysql:/etc/postfix/mysql_aliases.cf,mysql:/etc/postfix/mysql_mailboxes.cf


############################
#         Security         #
############################
## Mail user / group
# Good practice: you should create a dedicated Linux user to send mails. That one is called "virtualMail"
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

## TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Don't forget to adjust:

  • Email global settings
    • myhostname
    • myorigin mailserver
    • mydestination
    • mynetworks


MySQL domain config

How to find the domains.

vim /etc/postfix/mysql_domains.cf


Put the following content, replace mailDbPASSWORD by your own database password:

user = maildb
password = mailPASSWORD 
hosts = 127.0.0.1
dbname = maildb 
query = SELECT name FROM domains WHERE name='%s' AND enabled = 1


Notes:

  • Do not use "localhost" instead of "127.0.0.1". Since Postfix and MySQL are chroot in different places Postfix must use network (127.0.0.1) communication instead of file (localhost).
  • The '%s' will be replace dynamically on runtime by the requested domain


MySQL mailbox config

How to select a mailbox from MySQL.

vim /etc/postfix/mysql_mailboxes.cf


Put the following content, replace mailDbPASSWORD by your own database password:

user = maildb
password = mailDbPASSWORD
dbname = maildb 
hosts = 127.0.0.1
query = SELECT email FROM users WHERE email = '%s' AND enabled = 1


MySQL alias config

How to find the email alias from MySQL

vim /etc/postfix/mysql_aliases.cf


Put the following content, replace mailDbPASSWORD by your own database password:

user = maildb 
password = mailDbPASSWORD
dbname = maildb 
hosts = 127.0.0.1
query = SELECT destination FROM aliases WHERE source='%s' AND enabled = 1




Trick:

In case of catch-all addresses such as @dev.daxiongmao.eu (to get everything) you need another file to allow (bob@dev.daxiongmao.eu).

In that case the Postfix "virtual_alias_map" will use 2 scripts.


Set rights

chgrp postfix /etc/postfix/mysql*.cf
​chmod u=rw,g=r,o= /etc/postfix/mysql*.cf



DOVECOT

Dovecot is an IMAP / POP3 server used to manage and deliver emails.


In our case:

  • All the emails files will be owned by the "local user" VirtualMail [= linux user]
  • Emails will be delivered to the "virtual domains & users" using MySQL database


Installation

apt-get install dovecot-mysql dovecot-pop3d dovecot-imapd dovecot-managesieved


Configuration

All the configuration is available in "/etc/dovecot/conf.d".


Authentication

Overall behavior

Enable MySQL + Microsoft Outlook support.

vim /etc/dovecot/conf.d/10-auth.conf


Edit the configuration:

  • Add "login" authentication mechanism to support MS Outlook
  • At the end of the file, comment "auth-system" in favor of "auth-sql"
auth_mechanisms = plain login

[...]

#!include auth-system.conf.ext
!include auth-sql.conf.ext


Configure email mailbox folder

vim /etc/dovecot/conf.d/auth-sql.conf.ext


Comment out all "userdb" section in favor of the following:

userdb {
  driver = static
  args = uid=virtualMail gid=virtualMail home=/var/vmail/%d/%n
}

!! Important, they can only be 1 "userdb" section


Configure DB access

Now you need to configure how Devecot will access the database:

vim /etc/dovecot/dovecot-sql.conf.ext

-- Actually this file should already exists, you just have to complete it!


Put the following (adjust to your own settings and replace MailDbPassword):

driver = mysql
connect = host=127.0.0.1 dbname=maildb user=maildb password=MailDbPassword
default_pass_scheme = PLAIN-MD5
password_query = SELECT email AS user, password FROM users WHERE email = '%u' AND enabled = 1;

Reminder:

  •  %u = entire user@domain
  •  %n = user part of user@domain
  •  %d = domain part of user@domain

In that case we're gonna use the complete email address as login.


Mail location

vim /etc/dovecot/conf.d/10-mail


Adjust the mailbox_location:

mail_location = maildir:/var/vmail/%d/%n/Maildir


Network and service security (ports and rights)

vim /etc/dovecot/conf.d/10-master.conf


For Postfix to allow Dovecot as an authentication service you must uncomment and adjust:

# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
}


SSL configuration

vim /etc/dovecot/conf.d/10-ssl.conf


Earlier you created both a key and a certificate file to encrypt the communication. You need to use it:

ssl_cert = </etc/ssl/certs/mail.daxiongmao.eu.cert.pem
ssl_key = </etc/ssl/private/mail.daxiongmao.eu.key
ssl_key_password = </etc/dovecot/ssl_cert_pwd.cf


Create the password file (only root can access it, on service's startup):

touch /etc/dovecot/ssl_cert_pwd.cf
echo "myKeyPassword" > /etc/dovecot/ssl_cert_pwd.cf
chmod 0600 /etc/dovecot/ssl_cert_pwd.cf
chown root:root /etc/dovecot/ssl_cert_pwd.cf


Enable emails rules

To enable emails rules you need to use the "SIEVE" plugin.

vim /etc/dovecot/conf.d/15-lda.conf


protocol lda {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins sieve
}



RoundCube WebMail

There are many webmail clients available: horde, squirrelMail, roundCube, etc.


Installation

apt-get install roundcube roundcube-plugins


Reply to the following questions:

  • Use dbconfig-common? YES
  • Database type? mysql
  • Database's administrative user's password? root password
  • Application's password? new password


Security

Apache2 Virtual host

Create a new VHost

Create a new vHost:

vim /etc/apache2/sites-available/mail.daxiongmao.eu.conf


Put the following content:


Disable the default VHOST

a2dissite 000-default


Enable the new VHOST

a2ensite mail.daxiongmao.eu


Enable Apache2 modules

a2enmod ssl rewrite


Restart and test

service apache2 restart


Go to: https://mail.daxiongmao.eu



Other

## Security libraries
# SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.
apt-get install libsasl2-modules libsasl2-modules-sql libgsasl7 libauthen-sasl-cyrus-perl sasl2-bin

# Authentication using MySQL
apt-get install libpam-mysql

## Anti-virus
apt-get install clamav-base libclamav6 clamav-daemon clamav-freshclam

## SPAM killer
apt-get install  spamassassin spamc

## Interface to scan emails for virus & spam
apt-get install amavisd-new

## Utility to SEND emails
apt-get install postfix postfix-mysql 

## Utility to RECEIVE emails
apt-get install courier-base courier-authdaemon courier-authlib-mysql courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl



Sources

Fabulous guide from Christoph Haas: https://workaround.org/ispmail/wheezy .This also explain each step in detail: WHY and HOW do to it.