From 1d3d721229e060c70ee28848d8b8d227e764990a Mon Sep 17 00:00:00 2001 From: David Luevano Alvarado Date: Sat, 20 Mar 2021 23:00:47 -0700 Subject: Add git server entry --- blog/dst/a/mail_server_with_postfix.html | 54 ++++++++++++++++---------------- 1 file changed, 27 insertions(+), 27 deletions(-) (limited to 'blog/dst/a') diff --git a/blog/dst/a/mail_server_with_postfix.html b/blog/dst/a/mail_server_with_postfix.html index eafb6bf..2d5c178 100644 --- a/blog/dst/a/mail_server_with_postfix.html +++ b/blog/dst/a/mail_server_with_postfix.html @@ -61,7 +61,7 @@ -

Create a Mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM

+

Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM

The entry is going to be long because it's a tedious process. This is also based on Luke Smith's script, but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I'm in the process of installing/configuring the mail server on a new VPS of mine; also I'm going to be writing a script that does everything in one go (for Arch Linux), that will be hosted here.

@@ -106,7 +106,7 @@

Certificates and ciphers to use for authentication and security:

-
smtpd_tls_key_file = {yourcertdir}/privkey.pem
+
smtpd_tls_key_file = {yourcertdir}/privkey.pem
 smtpd_tls_cert_file = {yourcertdir}/fullchain.pem
 smtpd_use_tls = yes
 smtpd_tls_auth_only = yes
@@ -130,7 +130,7 @@ smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, defer_u
 
 
Also, for the connection with dovecot, append the next few lines (telling postfix that dovecot will use user/password for authentication):

 
-
smtpd_sasl_auth_enable = yes
+
smtpd_sasl_auth_enable = yes
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 smtpd_sasl_security_options = noanonymous, noplaintext
@@ -139,12 +139,12 @@ smtpd_sasl_tls_security_options = noanonymous
 
 
Specify the mailbox home (this is going to be a directory inside your user's home):

 
-
home_mailbox = Mail/Inbox/
+
home_mailbox = Mail/Inbox/
 

 
 
Pre-configuration to work seamlessly with dovecot and opendkim:

 
-
myhostname = {yourdomainname}
+
myhostname = {yourdomainname}
 mydomain = localdomain
 mydestination = $myhostname, localhost.$mydomain, localhost
 
@@ -159,12 +159,12 @@ mailbox_command = /usr/lib/dovecot/deliver
 
 
Lastly, if you don't want the sender's IP and user agent (application used to send the mail), add the following line:

 
-
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
+
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
 

 
 
And create the /etc/postfix/smtp_header_checks file with the following content:

 
-
/^Received: .*/     IGNORE
+
/^Received: .*/     IGNORE
 /^User-Agent: .*/   IGNORE
 

 
@@ -174,7 +174,7 @@ mailbox_command = /usr/lib/dovecot/deliver
 
 
Lastly, append the following lines to complete postfix setup and pre-configure for spamassassin.

 
-
smtp unix - - n - - smtp
+
smtp unix - - n - - smtp
 smtp inet n - y - - smtpd
     -o content_filter=spamassassin
 submission inet n - y - - smtpd
@@ -192,7 +192,7 @@ spamassassin unix - n n - - pipe
 
 
Now, I ran into some problems with postfix, one being smtps: Servname not supported for ai_socktype, to fix it, as Till posted in that site, edit /etc/services and add:

 
-
smtps 465/tcp
+
smtps 465/tcp
 smtps 465/udp
 

 
@@ -228,7 +228,7 @@ cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot
 
 
I'm working with an empty dovecot.conf file. Add the following lines for SSL and login configuration (also replace {yourcertdir} with the same certificate directory described in the Postfix section above, note that the < is required):

 
-
ssl = required
+
ssl = required
 ssl_cert = <{yourcertdir}/fullchain.pem
 ssl_key = <{yourcertdir}/privkey.pem
 ssl_min_protocol = TLSv1.2
@@ -248,7 +248,7 @@ protocols = $protocols imap
 
 
After that, the next lines define what a “valid user is” (really just sets the database for users and passwords to be the local users with their password):

 
-
userdb {
+
userdb {
     driver = passwd
 }
 
@@ -259,7 +259,7 @@ passdb {
 
 
Next, comes the mail directory structure (has to match the one described in the Postfix section). Here, the LAYOUT option is important so the boxes are .Sent instead of Sent. Add the next lines (plus any you like):

 
-
mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+
mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
 namespace inbox {
     inbox = yes
 
@@ -291,7 +291,7 @@ namespace inbox {
 
 
Also include this so Postfix can use Dovecot's authentication system:

 
-
service auth {
+
service auth {
     unix_listener /var/spool/postfix/private/auth {
         mode = 0660
         user = postfix
@@ -302,7 +302,7 @@ namespace inbox {
 
 
Lastly (for dovecot at least), the plugin configuration for sieve (pigeonhole):

 
-
protocol lda {
+
protocol lda {
     mail_plugins = $mail_plugins sieve
 }
 
@@ -324,7 +324,7 @@ plugin {
 
 
And create the file default.sieve inside that just created folder with the content:

 
-
require ["fileinto", "mailbox"];
+
require ["fileinto", "mailbox"];
 if header :contains "X-Spam-Flag" "YES" {
     fileinto "Junk";
 }
@@ -345,7 +345,7 @@ chown -R vmail:vmail /var/lib/dovecot
 
 
Next, add the following lines to /etc/pam.d/dovecot if not already present (shouldn't be there if you've been following these notes):

 
-
auth required pam_unix.so nullok
+
auth required pam_unix.so nullok
 account required pam_unix.so
 

 
@@ -371,27 +371,27 @@ systemctl enable dovecot.service
 
 
Where you need to change {yourdomain} and {yoursubdomain} (doesn't really need to be the sub-domain, could be anything that describes your key) accordingly, for me it's luevano.xyz and mail, respectively. After that, we need to create some files inside the /etc/opendkim directory. First, create the file KeyTable with the content:

 
-
{yoursubdomain}._domainkey.{yourdomain} {yourdomain}:{yoursubdomain}:/etc/opendkim/{yoursubdomain}.private
+
{yoursubdomain}._domainkey.{yourdomain} {yourdomain}:{yoursubdomain}:/etc/opendkim/{yoursubdomain}.private
 

 
 
So, for me it would be:

 
-
mail._domainkey.luevano.xyz luevano.xyz:mail:/etc/opendkim/mail.private
+
mail._domainkey.luevano.xyz luevano.xyz:mail:/etc/opendkim/mail.private
 

 
 
Next, create the file SigningTable with the content:

 
-
*@{yourdomain} {yoursubdomain}._domainkey.{yourdomain}
+
*@{yourdomain} {yoursubdomain}._domainkey.{yourdomain}
 

 
 
Again, for me it would be:

 
-
*@luevano.xyz mail._domainkey.luevano.xyz
+
*@luevano.xyz mail._domainkey.luevano.xyz
 

 
 
And, lastly create the file TrustedHosts with the content:

 
-
127.0.0.1
+
127.0.0.1
 ::1
 10.1.0.0/16
 1.2.3.4/24
@@ -404,7 +404,7 @@ localhost
 
 
Next, edit /etc/opendkim/opendkim.conf to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at /usr/share/doc/opendkim/opendkim.conf.sample, but I'm creating a blank one with the contents:

 
-
Domain {yourdomain}
+
Domain {yourdomain}
 Selector {yoursubdomain}
 
 Syslog Yes
@@ -416,7 +416,7 @@ Socket inet:8891@localhost
 
 
Now, change the permissions for all the files inside /etc/opendkim:

 
-
chown -R root:opendkim /etc/opendkim
+
chown -R root:opendkim /etc/opendkim
 chmod g+r /etc/postfix/dkim/*
 

 
@@ -474,7 +474,7 @@ sudo -u spamd sa-compile
 
 
And since this should be run periodically, create the service spamassassin-update.service under /etc/systemd/system with the following content:

 
-
[Unit]
+
[Unit]
 Description=SpamAssassin housekeeping
 After=network.target
 
@@ -491,7 +491,7 @@ ExecStart=/usr/bin/systemctl -q --no-block try-restart spamassassin.service
 
 
And you could also execute sa-learn to train spamassassin's bayes filter, but this works for me. Then create the timer spamassassin-update.timer under the same directory, with the content:

 
-
[Unit]
+
[Unit]
 Description=SpamAssassin housekeeping
 
 [Timer]
@@ -510,7 +510,7 @@ systemctl enable spamassassin-update.timer
 
 
Next, you may want to edit the spamassassin service before starting and enabling it, because by default, it could spawn a lot of “childs” eating a lot of resources and you really only need one child. Append --max-children=1 to the line ExecStart=... in /usr/bin/systemd/system/spamassassin.service:

 
-
...
+
...
 ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/spamd/spamd.sock --listen=localhost --max-children=1
 ...
 

@@ -551,7 +551,7 @@ systemctl enable spamassassin.service
 
 

 

-
Created: Sat, Mar 20, 2021 @ 02:23 MST

+
Created: Sat, Mar 20, 2021 @ 02:54 MST; modified: Sat, Mar 20, 2021 @ 03:06 MST