From 32d1f58c22c2de68c1ec7d8696777990c89c6e77 Mon Sep 17 00:00:00 2001 From: David Luevano Alvarado Date: Sat, 20 Mar 2021 02:23:39 -0700 Subject: Finish mail entry --- blog/src/a/mail_server_with_postfix.md | 152 ++++++++++++++++++++++++++++++--- 1 file changed, 142 insertions(+), 10 deletions(-) (limited to 'blog/src/a/mail_server_with_postfix.md') diff --git a/blog/src/a/mail_server_with_postfix.md b/blog/src/a/mail_server_with_postfix.md index a0cf526..017d716 100644 --- a/blog/src/a/mail_server_with_postfix.md +++ b/blog/src/a/mail_server_with_postfix.md @@ -1,6 +1,6 @@ -# Create a Mail server with Postfix, Dovecot, Spamassassin and OpenDKIM +# Create a Mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM -The entry is going to be long because it's a *tedious* process. This is also based on [Luke Smith's script](https://github.com/LukeSmithxyz/emailwiz), but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I'm in the process of installing/configuring the mail server on a new VPS of mine; also I'm going to be writing a script that does everything in one go, that will be hosted in [here](https://git.luevano.xyz/server_scripts.git). +The entry is going to be long because it's a *tedious* process. This is also based on [Luke Smith's script](https://github.com/LukeSmithxyz/emailwiz), but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I'm in the process of installing/configuring the mail server on a new VPS of mine; also I'm going to be writing a script that does everything in one go (for Arch Linux), that will be hosted [here](https://git.luevano.xyz/server_scripts.git). This configuration works for local users (users that appear in `/etc/passwd`), and does not use any type of SQL. And note that most if not all commands executed here are run with root privileges. @@ -12,7 +12,7 @@ Basically the same as with the [website with Nginx and Certbot](https://blog.lue * A domain name. Got mine on [Epik](https://www.epik.com/?affid=da5ne9ru4) (affiliate link, btw). * Later we'll be adding some **MX** and **TXT** records. - * I also recommend to add a **CNAME** for "mail" and "www.mail", to get SSL certificates. + * You also need a **CNAME** for "mail" and (optionally) "www.mail", or whatever you want to call the sub-domains (although the [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) states that it NEEDS to be an **A** record, fuck the police), to actually work and to get SSL certificate (you can also use the SSL certificate obtained if you created a website following my other notes on `nginx` and `certbot`). * A VPS or somewhere else to host. I'm using [Vultr](https://www.vultr.com/?ref=8732849) (also an affiliate link). * Also `ssh` configured. * Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall (I use `ufw`). @@ -37,13 +37,13 @@ Now, first locate where your website cert is, mine is at the default location `/ Certificates and ciphers to use for authentication and security: ```conf -smtpd_tls_key_file={yourcertdir}/privkey.pem -smtpd_tls_cert_file={yourcertdir}/fullchain.pem +smtpd_tls_key_file = {yourcertdir}/privkey.pem +smtpd_tls_cert_file = {yourcertdir}/fullchain.pem smtpd_use_tls = yes smtpd_tls_auth_only = yes smtp_tls_security_level = may smtp_tls_loglevel = 1 -smtp_tls_CAfile={yourcertdir}/cert.pem +smtp_tls_CAfile = {yourcertdir}/cert.pem smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 @@ -52,6 +52,10 @@ tls_preempt_cipherlist = yes smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL + +smtp_tls_CApath = /etc/ssl/certs +smtpd_tls_CApath = /etc/ssl/certs + smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, defer_unauth_destination ``` @@ -130,6 +134,13 @@ smtps 465/tcp smtps 465/udp ``` +Before starting the `postfix` service, you need to run `newaliases` first (but you can do a bit of configuration beforehand). Edit the file `/etc/postfix/aliases` and edit accordingly. I only change the `root: you` line (where `you` is the account that will be receiving "root" mail). Check the Arch Wiki for more info and other alternatives/options. After you're done, run: + +```sh +postalias /etc/postfix/aliases +newaliases +``` + At this point you're done configuring `postfix` and you can already start/enable the `postfix` service: ```sh @@ -272,7 +283,7 @@ if header :contains "X-Spam-Flag" "YES" { Now, if you don't have a `vmail` (virtual mail) user, create one and change the ownership of the `/var/lib/dovecot` directory to this user: ```sh -grep -q "^vmail:" /etc/passwd || useradd vmail -s /usr/bin/nologin +grep -q "^vmail:" /etc/passwd || useradd -m vmail -s /usr/bin/nologin chown -R vmail:vmail /var/lib/dovecot ``` @@ -314,7 +325,7 @@ Generate the keys for your domain: opendkim-genkey -D /etc/opendkim -d {yourdomain} -s {yoursubdomain} -r -b 2048 ``` -Where you need to change `{yourdomain}` and `{yoursubdomain}` (doesn't really need to be the subdomain, could be anything that describes your key) accordingly, for me it's `luevano.xyz` and `mail`, respectively. After that, we need to create some files inside the `/etc/opendkim` directory. First, create the file `KeyTable` with the content: +Where you need to change `{yourdomain}` and `{yoursubdomain}` (doesn't really need to be the sub-domain, could be anything that describes your key) accordingly, for me it's `luevano.xyz` and `mail`, respectively. After that, we need to create some files inside the `/etc/opendkim` directory. First, create the file `KeyTable` with the content: ```conf {yoursubdomain}._domainkey.{yourdomain} {yourdomain}:{yoursubdomain}:/etc/opendkim/{yoursubdomain}.private @@ -352,7 +363,7 @@ localhost And more, make sure to include your server IP and something like `subdomain.domainname`. -Finally, edit `/etc/opendkim/opendkim.conf` to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at `/usr/share/doc/opendkim/opendkim.conf.sample`, but I'm creating a blank one with the contents: +Next, edit `/etc/opendkim/opendkim.conf` to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at `/usr/share/doc/opendkim/opendkim.conf.sample`, but I'm creating a blank one with the contents: ```conf Domain {yourdomain} @@ -383,4 +394,125 @@ systemctl start opendkim.service systemctl enable opendkim.service ``` -# Spamassassin +And don't forget to add the following **TXT** records on your domain registrar (these examples are for Epik): + +1. *DKIM* entry: look up your `{yoursubdomain}.txt` file, it should look something like: + +```txt +{yoursubdomain}._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; " + "p=..." + "..." ) ; ----- DKIM key mail for {yourdomain} +``` + +In the TXT record you will place `{yoursubdomain}._domainkey` as the "Host" and `"v=DKIM1; k=rsa; s=email; " "p=..." "..."` in the "TXT Value" (replace the dots with the actual value you see in your file). + +2. *DMARC* entry: just `_dmarc.{yourdomain}` as the "Host" and `"v=DMARC1; p=reject; rua=mailto:dmarc@{yourdomain}; fo=1"` as the "TXT Value". + +3. *SPF* entry: just `@` as the "Host" and `"v=spf1 mx a:{yoursubdomain}.{yourdomain} - all"` as the "TXT Value". + +And at this point you could test your mail for spoofing and more, but you don't know -yet- how to login (it's really easy, but I'm gonna state that at the end of this entry). + +## SpamAssassin + +[SpamAssassin](https://wiki.archlinux.org/index.php/SpamAssassin) is just *a mail filter to identify spam*. + +Install the `spamassassin` package (which will install a bunch of ugly `perl` packages...): + +```sh +pacman -S spamassassin +``` + +For some reason, the permissions on all `spamassassin` stuff are all over the place. First, change owner of the executables, and directories: + +```sh +chown spamd:spamd /usr/bin/vendor_perl/sa-* +chown spamd:spamd /usr/bin/vendor_perl/spam* +chwown -R spamd:spamd /etc/mail/spamassassin +``` + +Then, you can edit `local.cf` (located in `/etc/mail/spamassassin`) to fit your needs (I only uncommented the `rewrite_header Subject ...` line). And then you can run the following command to update the patterns and compile them: + +```sh +sudo -u spamd sa-update +sudo -u spamd sa-compile +``` + +And since this should be run periodically, create the service `spamassassin-update.service` under `/etc/systemd/system` with the following content: + +```conf +[Unit] +Description=SpamAssassin housekeeping +After=network.target + +[Service] +User=spamd +Group=spamd +Type=oneshot + +ExecStart=/usr/bin/vendor_perl/sa-update --allowplugins +SuccessExitStatus=1 +ExecStart=/usr/bin/vendor_perl/sa-compile +ExecStart=/usr/bin/systemctl -q --no-block try-restart spamassassin.service +``` + +And you could also execute `sa-learn` to train `spamassassin`'s bayes filter, but this works for me. Then create the timer `spamassassin-update.timer` under the same directory, with the content: + +```conf +[Unit] +Description=SpamAssassin housekeeping + +[Timer] +OnCalendar=daily +Persistent=true + +[Install] +WantedBy=timers.target +``` + +You can now start/enable the `spamassassin-update` timer: + +```sh +systemctl start spamassassin-update.timer +systemctl enable spamassassin-update.timer +``` + +Next, you may want to edit the `spamassassin` service before starting and enabling it, because by default, it could [spawn a lot of "childs"](https://rimuhosting.com/howto/memory.jsp) eating a lot of resources and you really only need one child. Append `--max-children=1` to the line `ExecStart=...` in `/usr/bin/systemd/system/spamassassin.service`: + +```conf +... +ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/spamd/spamd.sock --listen=localhost --max-children=1 +... +``` + +Finally, start and enable the `spamassassin` service: + +```sh +systemctl start spamassassin.service +systemctl enable spamassassin.service +``` + +## Wrapping up + +We should have a working mail server by now. Before continuing check your journal logs (`journalctl -xe --unit={unit}`, where `{unit}` could be `spamassassin.service`for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere (the logs are generally really descriptive) because all the settings and steps detailed here just (literally just finished doing everything on a new server as of the writing of this text) worked *(((it just werks on my machine)))*. + +Now, to actually use the mail service: first of all, you need a *normal* account (don't use root) that belongs to the `mail` group (`gpasswd -a user group` to add a user `user` to group `group`) and that has a password. + +Next, to actually login into a mail app/program/whateveryouwanttocallit, you will use the following settings, at least for `thunderdbird`(I tested in windows default mail app and you don't need a lot of settings): + +* \* server: subdomain.domain (mail.luevano.xyz in my case) +* **SMTP** port: 587 +* **SMTPS** port: 465 (I use this one) +* **IMAP** port: 143 +* **IMAPS** port: 993 (again, I use this one) +* Connection/security: SSL/TLS +* Authentication method: Normal password +* Username: just your `user`, not the whole email (`david` in my case) +* Password: your `user` password (as in the password you use to login to the server with that user) + +All that's left to do is test your mail server for spoofing, and to see if everything is setup correctly. Go to [DKIM Test](https://www.appmaildev.com/en/dkim) and follow the instructions (basically click next, and send an email with whatever content to the email that they provide). After you send the email, you should see something like: + +![DKIM Test successful](https://static.luevano.xyz/images/b/notes/mail/dkim_test_successful.png) + +(Yes, I blurred a lot in the picture just to be sure, either way what's important is the list on the bottom part of the image) + +Finally, that's actually it for this entry, if you have any problem whatsoever you have my info down below. -- cgit v1.2.3-54-g00ecf