From 5415f37e8da7615b524173f2bb6968be46128d20 Mon Sep 17 00:00:00 2001 From: David Luevano Alvarado Date: Tue, 8 Jun 2021 00:58:33 -0600 Subject: add 404 pages, edit entries and start skeleton for xmpp server entry --- blog/dst/a/mail_server_with_postfix.html | 61 ++++++++++++++------------------ 1 file changed, 27 insertions(+), 34 deletions(-) (limited to 'blog/dst/a/mail_server_with_postfix.html') diff --git a/blog/dst/a/mail_server_with_postfix.html b/blog/dst/a/mail_server_with_postfix.html index e44d4d2..04a1b54 100644 --- a/blog/dst/a/mail_server_with_postfix.html +++ b/blog/dst/a/mail_server_with_postfix.html @@ -79,25 +79,16 @@

Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM

The entry is going to be long because it’s a tedious process. This is also based on Luke Smith’s script, but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I’m in the process of installing/configuring the mail server on a new VPS of mine; also I’m going to be writing a script that does everything in one go (for Arch Linux), that will be hosted here.

-

This configuration works for local users (users that appear in /etc/passwd), and does not use any type of SQL. And note that most if not all commands executed here are run with root privileges.

-

More in depth configuration is detailed in the Arch Wiki for each package used here.

+

This configuration works for local users (users that appear in /etc/passwd), and does not use any type of SQL Database. And note that most if not all commands executed here are run with root privileges.

Prerequisites

-

Basically the same as with the website with Nginx and Certbot:

+

Basically the same as with the website with Nginx and Certbot, with the extras:

Postfix

-

Postfix is a “mail transfer agent” which is the component of the mail server that receives and sends emails via SMTP.

+

Postfix is a “mail transfer agent” which is the component of the mail server that receives and sends emails via SMTP.

Install the postfix package:

pacman -S postfix
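Review bot: dropping the sentence "More in depth configuration is detailed in the Arch Wiki for each package used here" removes the only pointer to deeper per-package documentation from the intro, and the same commit removes the Arch Wiki references in later paragraphs too; keep it, or fold it into the replacement paragraph. Minor: "SQL Database" in the new paragraph should read "SQL database", and since the next line says nearly everything runs as root, a one-line note that the commands below assume a root shell would be clearer than "most if not all".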
 
@@ -133,7 +124,7 @@ smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous -

Specify the mailbox home (this is going to be a directory inside your user’s home):

+

Specify the mailbox home (this is going to be a directory inside your user’s home containing the actual mail files):

home_mailbox = Mail/Inbox/
 

Pre-configuration to work seamlessly with dovecot and opendkim:
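Review bot: the reworded sentence should name the format: the trailing slash in `home_mailbox = Mail/Inbox/` makes Postfix deliver in Maildir (qmail-style) format, one file per message, and Dovecot's mail location has to be configured to match, so "containing the actual mail files" is true but under-specifies what the reader must line up. The context at the top of the hunk shows the intended SASL policy (`smtpd_sasl_security_options = noanonymous, noplaintext` together with `smtpd_sasl_tls_security_options = noanonymous`, i.e. plaintext logins only inside TLS); a sentence saying so would stop readers from loosening it when a client fails to log in.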

@@ -177,7 +168,7 @@ spamassassin unix - n n - - pipe
smtps 465/tcp
 smtps 465/udp
 
-

Before starting the postfix service, you need to run newaliases first (but you can do a bit of configuration beforehand). Edit the file /etc/postfix/aliases and edit accordingly. I only change the root: you line (where you is the account that will be receiving “root” mail). Check the Arch Wiki for more info and other alternatives/options. After you’re done, run:

+

Before starting the postfix service, you need to run newaliases first, but you can do a bit of configuration beforehand editing the file /etc/postfix/aliases. I only change the root: you line (where you is the account that will be receiving “root” mail). After you’re done, run:

postalias /etc/postfix/aliases
 newaliases
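Review bot: "you can do a bit of configuration beforehand editing the file" is a run-on in the replacement text; "beforehand by editing /etc/postfix/aliases" fixes it. The two commands that follow do the same work twice: `newaliases` is Postfix's Sendmail-compatible command that rebuilds the alias database, so `postalias /etc/postfix/aliases` before it is redundant (harmless, but the paragraph says newaliases is the one that must run). In the context lines, `smtps 465/udp` is unnecessary: SMTPS is TCP-only, only the `smtps 465/tcp` entry matters.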
 
@@ -186,7 +177,7 @@ newaliases systemctl enable postfix.service

Dovecot

-

Dovecot is an IMAP and POP3 server, which is what lets an email application retrieve the mail.

+

Dovecot is an IMAP and POP3 server, which is what lets an email application retrieve the mail.

Install the dovecot and pigeonhole (sieve for dovecot) packages:

pacman -S dovecot pigeonhole
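Review bot: the before and after text of this hunk are identical ("Dovecot is an IMAP and POP3 server, which is what lets an email application retrieve the mail."), so the change is markup-only; fine, but while touching it, "pigeonhole (sieve for dovecot)" reads better as "pigeonhole (Sieve filtering support for Dovecot)".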
 
@@ -195,8 +186,8 @@ systemctl enable postfix.service cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot/dovecot.conf cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot -

As Luke stated, dovecot comes with a lot of “modules” (under /etc/dovecot/conf.d/ if you copied that folder) for all sorts of configurations that you can include, but I do as he does and just edits/creates the whole dovecot.conf file; although, I would like to check each of the separate configuration files dovecot provides I think the options Luke provides are more than good enough.

-

I’m working with an empty dovecot.conf file. Add the following lines for SSL and login configuration (also replace {yourcertdir} with the same certificate directory described in the Postfix section above, note that the < is required):

+

As Luke stated, dovecot comes with a lot of “modules” (under /etc/dovecot/conf.d/ if you copied that folder) for all sorts of configurations that you can include, but I do as he does and just edit/create the whole dovecot.conf file; although, I would like to check each of the separate configuration files dovecot provides I think the options Luke provides are more than good enough.

+

I’m working with an empty dovecot.conf file. Add the following lines for SSL and login configuration (also replace {yourcertdir} with the same certificate directory described in the Postfix section above, note that the < is required):

ssl = required
 ssl_cert = <{yourcertdir}/fullchain.pem
 ssl_key = <{yourcertdir}/privkey.pem
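Review bot: the replacement paragraph still contradicts the commands just above it: the reader is told to `cp` the example dovecot.conf and conf.d into /etc/dovecot and then that "I'm working with an empty dovecot.conf file"; either drop the copy of dovecot.conf (keeping conf.d for reference) or say the copied file is emptied before the settings below are added. The sentence "although, I would like to check each of the separate configuration files dovecot provides I think the options Luke provides are more than good enough" is missing its conjunction ("although I would like to check ..., I think ..."). The `ssl = required`, `ssl_cert = <{yourcertdir}/fullchain.pem` and `ssl_key = <{yourcertdir}/privkey.pem` lines are correct; the `<` prefix tells Dovecot to read the file contents, and the private key is read as root, so it can stay owner-only readable.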
@@ -260,7 +251,7 @@ namespace inbox {
         }
 }
 
-

Lastly (for dovecot at least), the plugin configuration for sieve (pigeonhole):

+

Lastly (for Dovecot at least), the plugin configuration for sieve (pigeonhole):

protocol lda {
     mail_plugins = $mail_plugins sieve
 }
@@ -288,20 +279,20 @@ if header :contains "X-Spam-Flag" "YES" {
 
grep -q "^vmail:" /etc/passwd || useradd -m vmail -s /usr/bin/nologin
 chown -R vmail:vmail /var/lib/dovecot
 
-

Note that I also changed the shell for vmail to be /usr/bin/nologin. After that, run:

+

Note that I also changed the shell for vmail to be /usr/bin/nologin. After that, to compile the configuration file run:

sievec /var/lib/dovecot/sieve/default.sieve
 
-

To compile the configuration file (a default.svbin file will be created next to default.sieve).

+

A default.svbin file will be created next to default.sieve.

Next, add the following lines to /etc/pam.d/dovecot if not already present (shouldn’t be there if you’ve been following these notes):

auth required pam_unix.so nullok
 account required pam_unix.so
 
-

That’s it for dovecot, at this point you can start/enable the dovecot service:

+

That’s it for Dovecot, at this point you can start/enable the dovecot service:

systemctl start dovecot.service
 systemctl enable dovecot.service
 

OpenDKIM

-

OpenDKIM is needed so services like G**gle (we don’t mention that name here [[[this is a meme]]]) don’t throw the mail to the trash. DKIM stands for “DomainKeys Identified Mail”.

+

OpenDKIM is needed so services like G**gle (we don’t mention that name here [[[this is a meme]]]) don’t throw the mail to the trash. DKIM stands for “DomainKeys Identified Mail”.

Install the opendkim package:

pacman -S opendkim
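Review bot: `auth required pam_unix.so nullok` in the /etc/pam.d/dovecot lines tells pam_unix to accept accounts whose password field is empty; this setup authenticates /etc/passwd users directly over IMAP/POP3, so there is no reason to allow that for a network-facing login and the line should be `auth required pam_unix.so` unless there is a deliberate reason to keep `nullok`. The reorder that puts "to compile the configuration file run:" before `sievec` reads better. Minor: `useradd -m vmail -s /usr/bin/nologin` already sets the shell, so "Note that I also changed the shell for vmail" describes what that command does rather than a separate step.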
 
@@ -330,7 +321,7 @@ localhost ...

And more, make sure to include your server IP and something like subdomain.domainname.

-

Next, edit /etc/opendkim/opendkim.conf to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at /usr/share/doc/opendkim/opendkim.conf.sample, but I’m creating a blank one with the contents:

+

Next, edit /etc/opendkim/opendkim.conf to reflect the changes (or rather, addition) of these files, as well as some other configuration. You can look up the example configuration file located at /usr/share/doc/opendkim/opendkim.conf.sample, but I’m creating a blank one with the contents:

Domain {yourdomain}
 Selector {yoursubdomain}
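Review bot: "reflect the changes (or rather, addition) of these files" is awkward; "reference the files added above" says it. For the config shown, `Selector {yoursubdomain}` reuses the subdomain name as the DKIM selector; that works, but the text should say the selector is only a label and must match the DNS TXT record name `{yoursubdomain}._domainkey.{yourdomain}` where the public key is published, otherwise receivers cannot locate the key. The preceding "And more, make sure to include your server IP and something like subdomain.domainname" is vague about which of the files just listed it refers to.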
 
@@ -345,7 +336,7 @@ Socket inet:8891@localhost
 chmod g+r /etc/postfix/dkim/*
 

I’m using root:opendkim so opendkim doesn’t complain about the {yoursubdomani}.private being insecure (you can change that by using the option RequireSafeKeys False in the opendkim.conf file, as stated here).

-

That’s it for the general configuration, but you could go more in depth and be more secure with some extra configuration as described in the Arch Wiki entry for OpenDKIM.

+

That’s it for the general configuration, but you could go more in depth and be more secure with some extra configuration.

Now, just start/enable the opendkim service:

systemctl start opendkim.service
 systemctl enable opendkim.service
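Review bot: the `{yoursubdomani}.private` typo in the context line survives this commit; fix it while here. The parenthetical offers `RequireSafeKeys False` as an alternative to the `root:opendkim` ownership plus `chmod g+r`; it should be discouraged rather than presented as equivalent, since that check exists precisely to refuse a private signing key readable by other users and the ownership/group-read fix shown is the right one. Dropping "as described in the Arch Wiki entry for OpenDKIM" leaves "some extra configuration" pointing nowhere; keep the reference.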
@@ -367,9 +358,9 @@ systemctl enable opendkim.service
 

SPF entry: just @ as the “Host” and "v=spf1 mx a:{yoursubdomain}.{yourdomain} - all" as the “TXT Value”.

-

And at this point you could test your mail for spoofing and more, but you don’t know -yet- how to login (it’s really easy, but I’m gonna state that at the end of this entry).

+

And at this point you could test your mail for spoofing and more.

SpamAssassin

-

SpamAssassin is just a mail filter to identify spam.

+

SpamAssassin is just a mail filter to identify spam.

Install the spamassassin package (which will install a bunch of ugly perl packages…):

pacman -S spamassassin
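Review bot: the SPF record in the context line, "v=spf1 mx a:{yoursubdomain}.{yourdomain} - all", has a space between `-` and `all`; `- all` is not valid SPF syntax (a qualifier must be attached to its mechanism), so a strict evaluator returns permerror and a lenient one reads the bare `all` as pass for every sender. It must be `-all`. The removed clause "but you don't know -yet- how to login (... at the end of this entry)" was a useful forward pointer; the login paragraph still exists at the end of the entry, so either keep the pointer or move this testing step after it.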
 
@@ -422,7 +413,7 @@ ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/spamd/sp systemctl enable spamassassin.service

Wrapping up

-

We should have a working mail server by now. Before continuing check your journal logs (journalctl -xe --unit={unit}, where {unit} could be spamassassin.servicefor example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere (the logs are generally really descriptive) because all the settings and steps detailed here just (literally just finished doing everything on a new server as of the writing of this text) worked (((it just werks on my machine))).

+

We should have a working mail server by now. Before continuing check your journal logs (journalctl -xe --unit={unit}, where {unit} could be spamassassin.service for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere (the logs are generally really descriptive) because all the settings and steps detailed here just (literally just finished doing everything on a new server as of the writing of this text) worked (((it just werks on my machine))).

Now, to actually use the mail service: first of all, you need a normal account (don’t use root) that belongs to the mail group (gpasswd -a user group to add a user user to group group) and that has a password.

Next, to actually login into a mail app/program/whateveryouwanttocallit, you will use the following settings, at least for thunderdbird(I tested in windows default mail app and you don’t need a lot of settings):

All that’s left to do is test your mail server for spoofing, and to see if everything is setup correctly. Go to DKIM Test and follow the instructions (basically click next, and send an email with whatever content to the email that they provide). After you send the email, you should see something like:

-

DKIM Test successful

-

(Yes, I blurred a lot in the picture just to be sure, either way what’s important is the list on the bottom part of the image)

-

Finally, that’s actually it for this entry, if you have any problem whatsoever you have my info down below.

+
+DKIM Test successful +
DKIM Test successful
+
+

Finally, that’s actually it for this entry, if you have any problem whatsoever you can contact me.


By David Luévano

Created: Sun, Mar 21, 2021 @ 04:05 UTC

-

Modified: Sun, Jun 06, 2021 @ 00:24 UTC

+

Modified: Tue, Jun 08, 2021 @ 06:27 UTC
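Review bot: the "spamassassin.servicefor" typo fix is right and the image block is fine, but two typos in the surrounding context remain: "thunderdbird" and "windows default mail app" (Thunderbird, Windows). "you will use the following settings, at least for thunderdbird" is followed directly by the "All that's left to do is test your mail server" paragraph in this hunk's context, with no settings in between; verify the settings list actually appears in the rendered page. The `gpasswd -a user group` hint is fine, but "a user user to group group" would be clearer with the placeholders marked, e.g. "a user {user} to group {group}".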