diff options
Diffstat (limited to 'blog/src')
-rw-r--r-- | blog/src/a/mail_server_with_postfix.md | 259 |
1 files changed, 255 insertions, 4 deletions
diff --git a/blog/src/a/mail_server_with_postfix.md b/blog/src/a/mail_server_with_postfix.md index beff83f..a0cf526 100644 --- a/blog/src/a/mail_server_with_postfix.md +++ b/blog/src/a/mail_server_with_postfix.md @@ -4,19 +4,24 @@ The entry is going to be long because it's a *tedious* process. This is also bas This configuration works for local users (users that appear in `/etc/passwd`), and does not use any type of SQL. And note that most if not all commands executed here are run with root privileges. +More in depth configuration is detailed in the Arch Wiki for each package used here. + ## Prerequisites Basically the same as with the [website with Nginx and Certbot](https://blog.luevano.xyz/a/website_with_nginx.html): * A domain name. Got mine on [Epik](https://www.epik.com/?affid=da5ne9ru4) (affiliate link, btw). * Later we'll be adding some **MX** and **TXT** records. - * I also recommend to add a **CNAME** ("mail" and "www.mail") for SSL certificates. + * I also recommend to add a **CNAME** for "mail" and "www.mail", to get SSL certificates. * A VPS or somewhere else to host. I'm using [Vultr](https://www.vultr.com/?ref=8732849) (also an affiliate link). * Also `ssh` configured. * Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall (I use `ufw`). + * With `nginx` and `certbot` setup and running. ## Postfix +[Postfix](https://wiki.archlinux.org/index.php/Postfix) is a "mail transfer agent" which is the component of the mail server that receives and sends emails via SMTP. + Install the `postfix` package: ```sh @@ -125,11 +130,257 @@ smtps 465/tcp smtps 465/udp ``` -At this point you're done configuring `postfix` and you can already start/enable the service: +At this point you're done configuring `postfix` and you can already start/enable the `postfix` service: ```sh -systemctl start postfix -systemctl enable postfix +systemctl start postfix.service +systemctl enable postfix.service ``` ## Dovecot + +[Dovecot](https://wiki.archlinux.org/index.php/Dovecot) is an IMAP and POP3 server, which is what lets an email application retrieve the mail. + +Install the `dovecot` and `pigeonhole` (sieve for `dovecot`) packages: + +```sh +pacman -S dovecot pigeonhole +``` + +On arch, by default, there is no `/etc/dovecot` directory with default configurations set in place, but the package does provide the example configuration files. Create the `dovecot` directory under `/etc` and, optionally, copy the `dovecot.conf` file and `conf.d` directory under the just created `dovecot` directory: + +```sh +mkdir /etc/dovecot +cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot/dovecot.conf +cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot +``` + +As Luke stated, `dovecot` comes with a lot of "modules" (under `/etc/dovecot/conf.d/` if you copied that folder) for all sorts of configurations that you can include, but I do as he does and just edits/creates the whole `dovecot.conf` file; although, I would like to check each of the separate configuration files `dovecot` provides I think the options Luke provides are more than good enough. + +I'm working with an empty `dovecot.conf` file. Add the following lines for SSL and login configuration (also replace `{yourcertdir}` with the same certificate directory described in the Postfix section above, note that the `<` is required): + +```conf +ssl = required +ssl_cert = <{yourcertdir}/fullchain.pem +ssl_key = <{yourcertdir}/privkey.pem +ssl_min_protocol = TLSv1.2 +ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH +ssl_prefer_server_ciphers = yes +ssl_dh = </etc/dovecot/dh.pem + +auth_mechanisms = plain login +auth_username_format = %n +protocols = $protocols imap +``` + +You may notice we specify a file we don't have under `/etc/dovecot`: `dh.pem`. We need to create it with `openssl` (you should already have it installed if you've been following this entry and the one for `nginx`). Just run (might take a few minutes): + +```sh +openssl dhparam -out /etc/dovecot/dh.pem 4096 +``` + +After that, the next lines define what a "valid user is" (really just sets the database for users and passwords to be the local users with their password): + +```conf +userdb { + driver = passwd +} + +passdb { + driver = pam +} +``` + +Next, comes the mail directory structure (has to match the one described in the Postfix section). Here, the `LAYOUT` option is important so the boxes are `.Sent` instead of `Sent`. Add the next lines (plus any you like): + +```conf +mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs +namespace inbox { + inbox = yes + + mailbox Drafts { + special_use = \Drafts + auto = subscribe + } + + mailbox Junk { + special_use = \Junk + auto = subscribe + autoexpunge = 30d + } + + mailbox Sent { + special_use = \Sent + auto = subscribe + } + + mailbox Trash { + special_use = \Trash + } + + mailbox Archive { + special_use = \Archive + } +} +``` + +Also include this so Postfix can use Dovecot's authentication system: + +```conf +service auth { + unix_listener /var/spool/postfix/private/auth { + mode = 0660 + user = postfix + group = postfix + } +} +``` + +Lastly (for `dovecot` at least), the plugin configuration for `sieve` (`pigeonhole`): + +```conf +protocol lda { + mail_plugins = $mail_plugins sieve +} + +protocol lmtp { + mail_plugins = $mail_plugins sieve +} + +plugin { + sieve = ~/.dovecot.sieve + sieve_default = /var/lib/dovecot/sieve/default.sieve + sieve_dir = ~/.sieve + sieve_global_dir = /var/lib/dovecot/sieve/ +``` + +Where `/var/lib/dovecot/sieve/default.sieve` doesn't exist yet. Create the folders: + +```sh +mkdir -p /var/lib/dovecot/sieve +``` + +And create the file `default.sieve` inside that just created folder with the content: + +```conf +require ["fileinto", "mailbox"]; +if header :contains "X-Spam-Flag" "YES" { + fileinto "Junk"; +} +``` + +Now, if you don't have a `vmail` (virtual mail) user, create one and change the ownership of the `/var/lib/dovecot` directory to this user: + +```sh +grep -q "^vmail:" /etc/passwd || useradd vmail -s /usr/bin/nologin +chown -R vmail:vmail /var/lib/dovecot +``` + +Note that I also changed the shell for `vmail` to be `/usr/bin/nologin`. After that, run: + +```sh +sievec /var/lib/dovecot/sieve/default.sieve +``` + +To compile the configuration file (a `default.svbin` file will be created next to `default.sieve`). + +Next, add the following lines to `/etc/pam.d/dovecot` if not already present (shouldn't be there if you've been following these notes): + +```conf +auth required pam_unix.so nullok +account required pam_unix.so +``` + +That's it for `dovecot`, at this point you can start/enable the `dovecot` service: + +```sh +systemctl start dovecot.service +systemctl enable dovecot.service +``` + +# OpenDKIM + +[OpenDKIM](https://wiki.archlinux.org/index.php/OpenDKIM) is needed so services like G\*\*gle (we don't mention that name here \[\[\[this is a meme\]\]\]) don't throw the mail to the trash. DKIM stands for "DomainKeys Identified Mail". + +Install the `opendkim` package: + +```sh +pacman -S opendkim +``` + +Generate the keys for your domain: + +```sh +opendkim-genkey -D /etc/opendkim -d {yourdomain} -s {yoursubdomain} -r -b 2048 +``` + +Where you need to change `{yourdomain}` and `{yoursubdomain}` (doesn't really need to be the subdomain, could be anything that describes your key) accordingly, for me it's `luevano.xyz` and `mail`, respectively. After that, we need to create some files inside the `/etc/opendkim` directory. First, create the file `KeyTable` with the content: + +```conf +{yoursubdomain}._domainkey.{yourdomain} {yourdomain}:{yoursubdomain}:/etc/opendkim/{yoursubdomain}.private +``` + +So, for me it would be: + +```conf +mail._domainkey.luevano.xyz luevano.xyz:mail:/etc/opendkim/mail.private +``` + +Next, create the file `SigningTable` with the content: + +```conf +*@{yourdomain} {yoursubdomain}._domainkey.{yourdomain} +``` + +Again, for me it would be: + +```conf +*@luevano.xyz mail._domainkey.luevano.xyz +``` + +And, lastly create the file `TrustedHosts` with the content: + +```conf +127.0.0.1 +::1 +10.1.0.0/16 +1.2.3.4/24 +localhost +{yourserverip} +... +``` + +And more, make sure to include your server IP and something like `subdomain.domainname`. + +Finally, edit `/etc/opendkim/opendkim.conf` to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at `/usr/share/doc/opendkim/opendkim.conf.sample`, but I'm creating a blank one with the contents: + +```conf +Domain {yourdomain} +Selector {yoursubdomain} + +Syslog Yes +UserID opendkim + +KeyFile /etc/opendkim/{yoursubdomain}.private +Socket inet:8891@localhost +``` + +Now, change the permissions for all the files inside `/etc/opendkim`: + +```conf +chown -R root:opendkim /etc/opendkim +chmod g+r /etc/postfix/dkim/* +``` + +I'm using `root:opendkim` so `opendkim` doesn't complain about the `{yoursubdomani}.private` being insecure (you can change that by using the option `RequireSafeKeys False` in the `opendkim.conf` file, as stated [here](http://lists.opendkim.org/archive/opendkim/users/2014/12/3331.html)). + +That's it for the general configuration, but you could go more in depth and be more secure with some extra configuration as described in the [Arch Wiki entry for OpenDKIM](https://wiki.archlinux.org/index.php/OpenDKIM#Security). + +Now, just start/enable the `opendkim` service: + +```sh +systemctl start opendkim.service +systemctl enable opendkim.service +``` + +# Spamassassin |