summaryrefslogtreecommitdiff
path: root/blog/src
diff options
context:
space:
mode:
authorDavid Luevano Alvarado <david@luevano.xyz>2021-03-20 02:23:39 -0700
committerDavid Luevano Alvarado <david@luevano.xyz>2021-03-20 02:23:39 -0700
commit32d1f58c22c2de68c1ec7d8696777990c89c6e77 (patch)
tree8150e599b53db26a4150e401a111a8e329a363a5 /blog/src
parent2ecbe79eeb342692b13cb4ce9ca8ed4cdb86fcdf (diff)
Finish mail entry
Diffstat (limited to 'blog/src')
-rw-r--r--blog/src/a/mail_server_with_postfix.md152
1 files changed, 142 insertions, 10 deletions
diff --git a/blog/src/a/mail_server_with_postfix.md b/blog/src/a/mail_server_with_postfix.md
index a0cf526..017d716 100644
--- a/blog/src/a/mail_server_with_postfix.md
+++ b/blog/src/a/mail_server_with_postfix.md
@@ -1,6 +1,6 @@
-# Create a Mail server with Postfix, Dovecot, Spamassassin and OpenDKIM
+# Create a Mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM
-The entry is going to be long because it's a *tedious* process. This is also based on [Luke Smith's script](https://github.com/LukeSmithxyz/emailwiz), but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I'm in the process of installing/configuring the mail server on a new VPS of mine; also I'm going to be writing a script that does everything in one go, that will be hosted in [here](https://git.luevano.xyz/server_scripts.git).
+The entry is going to be long because it's a *tedious* process. This is also based on [Luke Smith's script](https://github.com/LukeSmithxyz/emailwiz), but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I'm in the process of installing/configuring the mail server on a new VPS of mine; also I'm going to be writing a script that does everything in one go (for Arch Linux), that will be hosted [here](https://git.luevano.xyz/server_scripts.git).
This configuration works for local users (users that appear in `/etc/passwd`), and does not use any type of SQL. And note that most if not all commands executed here are run with root privileges.
@@ -12,7 +12,7 @@ Basically the same as with the [website with Nginx and Certbot](https://blog.lue
* A domain name. Got mine on [Epik](https://www.epik.com/?affid=da5ne9ru4) (affiliate link, btw).
* Later we'll be adding some **MX** and **TXT** records.
- * I also recommend to add a **CNAME** for "mail" and "www.mail", to get SSL certificates.
+ * You also need a **CNAME** for "mail" and (optionally) "www.mail", or whatever you want to call the sub-domains (although the [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) states that it NEEDS to be an **A** record, fuck the police), to actually work and to get SSL certificate (you can also use the SSL certificate obtained if you created a website following my other notes on `nginx` and `certbot`).
* A VPS or somewhere else to host. I'm using [Vultr](https://www.vultr.com/?ref=8732849) (also an affiliate link).
* Also `ssh` configured.
* Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall (I use `ufw`).
@@ -37,13 +37,13 @@ Now, first locate where your website cert is, mine is at the default location `/
Certificates and ciphers to use for authentication and security:
```conf
-smtpd_tls_key_file={yourcertdir}/privkey.pem
-smtpd_tls_cert_file={yourcertdir}/fullchain.pem
+smtpd_tls_key_file = {yourcertdir}/privkey.pem
+smtpd_tls_cert_file = {yourcertdir}/fullchain.pem
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtp_tls_loglevel = 1
-smtp_tls_CAfile={yourcertdir}/cert.pem
+smtp_tls_CAfile = {yourcertdir}/cert.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
@@ -52,6 +52,10 @@ tls_preempt_cipherlist = yes
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,
RSA+AES, eNULL
+
+smtp_tls_CApath = /etc/ssl/certs
+smtpd_tls_CApath = /etc/ssl/certs
+
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, defer_unauth_destination
```
@@ -130,6 +134,13 @@ smtps 465/tcp
smtps 465/udp
```
+Before starting the `postfix` service, you need to run `newaliases` first (but you can do a bit of configuration beforehand). Edit the file `/etc/postfix/aliases` and edit accordingly. I only change the `root: you` line (where `you` is the account that will be receiving "root" mail). Check the Arch Wiki for more info and other alternatives/options. After you're done, run:
+
+```sh
+postalias /etc/postfix/aliases
+newaliases
+```
+
At this point you're done configuring `postfix` and you can already start/enable the `postfix` service:
```sh
@@ -272,7 +283,7 @@ if header :contains "X-Spam-Flag" "YES" {
Now, if you don't have a `vmail` (virtual mail) user, create one and change the ownership of the `/var/lib/dovecot` directory to this user:
```sh
-grep -q "^vmail:" /etc/passwd || useradd vmail -s /usr/bin/nologin
+grep -q "^vmail:" /etc/passwd || useradd -m vmail -s /usr/bin/nologin
chown -R vmail:vmail /var/lib/dovecot
```
@@ -314,7 +325,7 @@ Generate the keys for your domain:
opendkim-genkey -D /etc/opendkim -d {yourdomain} -s {yoursubdomain} -r -b 2048
```
-Where you need to change `{yourdomain}` and `{yoursubdomain}` (doesn't really need to be the subdomain, could be anything that describes your key) accordingly, for me it's `luevano.xyz` and `mail`, respectively. After that, we need to create some files inside the `/etc/opendkim` directory. First, create the file `KeyTable` with the content:
+Where you need to change `{yourdomain}` and `{yoursubdomain}` (doesn't really need to be the sub-domain, could be anything that describes your key) accordingly, for me it's `luevano.xyz` and `mail`, respectively. After that, we need to create some files inside the `/etc/opendkim` directory. First, create the file `KeyTable` with the content:
```conf
{yoursubdomain}._domainkey.{yourdomain} {yourdomain}:{yoursubdomain}:/etc/opendkim/{yoursubdomain}.private
@@ -352,7 +363,7 @@ localhost
And more, make sure to include your server IP and something like `subdomain.domainname`.
-Finally, edit `/etc/opendkim/opendkim.conf` to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at `/usr/share/doc/opendkim/opendkim.conf.sample`, but I'm creating a blank one with the contents:
+Next, edit `/etc/opendkim/opendkim.conf` to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at `/usr/share/doc/opendkim/opendkim.conf.sample`, but I'm creating a blank one with the contents:
```conf
Domain {yourdomain}
@@ -383,4 +394,125 @@ systemctl start opendkim.service
systemctl enable opendkim.service
```
-# Spamassassin
+And don't forget to add the following **TXT** records on your domain registrar (these examples are for Epik):
+
+1. *DKIM* entry: look up your `{yoursubdomain}.txt` file, it should look something like:
+
+```txt
+{yoursubdomain}._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; "
+ "p=..."
+ "..." ) ; ----- DKIM key mail for {yourdomain}
+```
+
+In the TXT record you will place `{yoursubdomain}._domainkey` as the "Host" and `"v=DKIM1; k=rsa; s=email; " "p=..." "..."` in the "TXT Value" (replace the dots with the actual value you see in your file).
+
+2. *DMARC* entry: just `_dmarc.{yourdomain}` as the "Host" and `"v=DMARC1; p=reject; rua=mailto:dmarc@{yourdomain}; fo=1"` as the "TXT Value".
+
+3. *SPF* entry: just `@` as the "Host" and `"v=spf1 mx a:{yoursubdomain}.{yourdomain} - all"` as the "TXT Value".
+
+And at this point you could test your mail for spoofing and more, but you don't know -yet- how to login (it's really easy, but I'm gonna state that at the end of this entry).
+
+## SpamAssassin
+
+[SpamAssassin](https://wiki.archlinux.org/index.php/SpamAssassin) is just *a mail filter to identify spam*.
+
+Install the `spamassassin` package (which will install a bunch of ugly `perl` packages...):
+
+```sh
+pacman -S spamassassin
+```
+
+For some reason, the permissions on all `spamassassin` stuff are all over the place. First, change owner of the executables, and directories:
+
+```sh
+chown spamd:spamd /usr/bin/vendor_perl/sa-*
+chown spamd:spamd /usr/bin/vendor_perl/spam*
+chwown -R spamd:spamd /etc/mail/spamassassin
+```
+
+Then, you can edit `local.cf` (located in `/etc/mail/spamassassin`) to fit your needs (I only uncommented the `rewrite_header Subject ...` line). And then you can run the following command to update the patterns and compile them:
+
+```sh
+sudo -u spamd sa-update
+sudo -u spamd sa-compile
+```
+
+And since this should be run periodically, create the service `spamassassin-update.service` under `/etc/systemd/system` with the following content:
+
+```conf
+[Unit]
+Description=SpamAssassin housekeeping
+After=network.target
+
+[Service]
+User=spamd
+Group=spamd
+Type=oneshot
+
+ExecStart=/usr/bin/vendor_perl/sa-update --allowplugins
+SuccessExitStatus=1
+ExecStart=/usr/bin/vendor_perl/sa-compile
+ExecStart=/usr/bin/systemctl -q --no-block try-restart spamassassin.service
+```
+
+And you could also execute `sa-learn` to train `spamassassin`'s bayes filter, but this works for me. Then create the timer `spamassassin-update.timer` under the same directory, with the content:
+
+```conf
+[Unit]
+Description=SpamAssassin housekeeping
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+```
+
+You can now start/enable the `spamassassin-update` timer:
+
+```sh
+systemctl start spamassassin-update.timer
+systemctl enable spamassassin-update.timer
+```
+
+Next, you may want to edit the `spamassassin` service before starting and enabling it, because by default, it could [spawn a lot of "childs"](https://rimuhosting.com/howto/memory.jsp) eating a lot of resources and you really only need one child. Append `--max-children=1` to the line `ExecStart=...` in `/usr/bin/systemd/system/spamassassin.service`:
+
+```conf
+...
+ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/spamd/spamd.sock --listen=localhost --max-children=1
+...
+```
+
+Finally, start and enable the `spamassassin` service:
+
+```sh
+systemctl start spamassassin.service
+systemctl enable spamassassin.service
+```
+
+## Wrapping up
+
+We should have a working mail server by now. Before continuing check your journal logs (`journalctl -xe --unit={unit}`, where `{unit}` could be `spamassassin.service`for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere (the logs are generally really descriptive) because all the settings and steps detailed here just (literally just finished doing everything on a new server as of the writing of this text) worked *(((it just werks on my machine)))*.
+
+Now, to actually use the mail service: first of all, you need a *normal* account (don't use root) that belongs to the `mail` group (`gpasswd -a user group` to add a user `user` to group `group`) and that has a password.
+
+Next, to actually login into a mail app/program/whateveryouwanttocallit, you will use the following settings, at least for `thunderdbird`(I tested in windows default mail app and you don't need a lot of settings):
+
+* \* server: subdomain.domain (mail.luevano.xyz in my case)
+* **SMTP** port: 587
+* **SMTPS** port: 465 (I use this one)
+* **IMAP** port: 143
+* **IMAPS** port: 993 (again, I use this one)
+* Connection/security: SSL/TLS
+* Authentication method: Normal password
+* Username: just your `user`, not the whole email (`david` in my case)
+* Password: your `user` password (as in the password you use to login to the server with that user)
+
+All that's left to do is test your mail server for spoofing, and to see if everything is setup correctly. Go to [DKIM Test](https://www.appmaildev.com/en/dkim) and follow the instructions (basically click next, and send an email with whatever content to the email that they provide). After you send the email, you should see something like:
+
+![DKIM Test successful](https://static.luevano.xyz/images/b/notes/mail/dkim_test_successful.png)
+
+(Yes, I blurred a lot in the picture just to be sure, either way what's important is the list on the bottom part of the image)
+
+Finally, that's actually it for this entry, if you have any problem whatsoever you have my info down below.