Linux/Mailserver/Small Office Smarthost: Difference between revisions
< Linux | Mailserver
No edit summary |
|||
| (25 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== Definitions == | == Definitions == | ||
* This configuration is based on Ubuntu 12.04 LTS | * This configuration is based on Ubuntu 12.04 LTS | ||
* verify that "hostname" gives your local hostname | |||
* verify that "hostname -d" gives your local domain(workgroup) | |||
| Line 6: | Line 10: | ||
<blockquote> | <blockquote> | ||
<pre> | <pre> | ||
groupadd -g 5000 vmail | groupadd -g 5000 vmail | ||
useradd -s /usr/sbin/nologin -u 5000 -g 5000 vmail | useradd -s /usr/sbin/nologin -u 5000 -g 5000 vmail | ||
id vmail | id vmail | ||
mkdir -p /srv/mail/virtual/$(hostname -d) | |||
chown -R vmail:vmail /srv/mail/virtual | |||
</pre> | </pre> | ||
</blockquote> | </blockquote> | ||
| Line 17: | Line 25: | ||
<blockquote> | <blockquote> | ||
<pre> | <pre> | ||
apt-get install postfix dovecot-core dovecot-imapd dovecot-pop3d dovecot-postfix dovecot-sieve dovecot- | apt-get install postfix dovecot-core dovecot-imapd dovecot-pop3d dovecot-postfix dovecot-sieve dovecot-managesieved mail-stack-delivery | ||
</pre> | </pre> | ||
</blockquote> | </blockquote> | ||
== postfix == | |||
* preparing | |||
<blockquote> | |||
<pre> | |||
touch /etc/postfix/canonical_recipients | |||
touch /etc/postfix/canonical_senders | |||
touch /etc/postfix/sender_relayhosts | |||
touch /etc/postfix/sasl_password | |||
chmod 600 /etc/postfix/sasl_password | |||
touch /etc/postfix/virtual_alias | |||
touch /etc/postfix/virtual_domains | |||
touch /etc/postfix/vmailbox | |||
touch /etc/postfix/reload.sh | |||
chmod 744 /etc/postfix/reload.sh | |||
</pre> | |||
</blockquote> | |||
* /etc/postfix/main.cf | * /etc/postfix/main.cf | ||
<blockquote> | <blockquote> | ||
| Line 39: | Line 63: | ||
alias_database = hash:/etc/aliases | alias_database = hash:/etc/aliases | ||
mynetworks = 127.0.0.0/8 | mynetworks = 127.0.0.0/8 | ||
mailbox_size_limit = 0 | mailbox_size_limit = 0 | ||
recipient_delimiter = + | recipient_delimiter = + | ||
| Line 55: | Line 76: | ||
virtual_uid_maps = static:5000 | virtual_uid_maps = static:5000 | ||
virtual_gid_maps = static:5000 | virtual_gid_maps = static:5000 | ||
mailbox_size_limit = 0 | mailbox_size_limit = 0 | ||
| Line 62: | Line 81: | ||
smtpd_sasl_auth_enable = yes | smtpd_sasl_auth_enable = yes | ||
smtpd_sasl_type = dovecot | smtpd_sasl_type = dovecot | ||
smtpd_sasl_path = private/auth | smtpd_sasl_path = private/dovecot-auth | ||
smtpd_sasl_security_options = noanonymous | smtpd_sasl_security_options = noanonymous | ||
smtpd_sasl_local_domain = $myhostname | smtpd_sasl_local_domain = $myhostname | ||
broken_sasl_auth_clients = no | broken_sasl_auth_clients = no | ||
smtpd_sasl_authenticated_header = yes | |||
# TLS parameters | # TLS parameters | ||
| Line 78: | Line 97: | ||
smtpd_tls_received_header = yes | smtpd_tls_received_header = yes | ||
tls_random_source = dev:/dev/urandom | tls_random_source = dev:/dev/urandom | ||
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unknown_client, reject_rbl_client sbl-xbl.spamhaus.org | smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unknown_client, reject_rbl_client sbl-xbl.spamhaus.org | ||
smtpd_sender_restrictions = reject_unknown_sender_domain | smtpd_sender_restrictions = reject_unknown_sender_domain | ||
| Line 86: | Line 104: | ||
smtpd_tls_mandatory_ciphers = medium | smtpd_tls_mandatory_ciphers = medium | ||
# outbound | |||
recipient_canonical_maps = hash:/etc/postfix/canonical_recipients | |||
sender_canonical_maps = hash:/etc/postfix/canonical_senders | |||
smtp_sender_dependent_authentication = yes | |||
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relayhosts | |||
smtp_connection_cache_on_demand = no | |||
smtp_tls_note_starttls_offer = yes | |||
smtp_tls_security_level = encrypt | |||
smtp_tls_mandatory_ciphers = high | |||
smtp_sasl_auth_enable = yes | |||
smtp_sasl_security_options = noanonymous noplaintext | |||
smtp_sasl_tls_security_options = noanonymous noplaintext | |||
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password | smtp_sasl_password_maps = hash:/etc/postfix/sasl_password | ||
</pre> | |||
</blockquote> | |||
* /etc/postfix/master.cf | |||
<blockquote> | |||
<pre> | |||
smtp inet n - - - - smtpd -v # add -v for verbose | |||
#smtp inet n - - - 1 postscreen | |||
#smtpd pass - - - - - smtpd | |||
#dnsblog unix - - - - 0 dnsblog | |||
#tlsproxy unix - - - - 0 tlsproxy | |||
submission inet n - - - - smtpd -v # uncomment for starttls port | |||
-o syslog_name=postfix/submission # | |||
-o smtpd_tls_security_level=encrypt | |||
-o smtpd_sasl_auth_enable=yes | |||
-o smtpd_client_restrictions=permit_sasl_authenticated,reject | |||
-o milter_macro_daemon_name=ORIGINATING | |||
#smtps inet n - - - - smtpd -v # uncomment for ssl/tls port | |||
# -o syslog_name=postfix/smtps | |||
# -o smtpd_tls_wrappermode=yes | |||
# -o smtpd_sasl_auth_enable=yes | |||
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject | |||
# -o milter_macro_daemon_name=ORIGINATING | |||
#628 inet n - - - - qmqpd | |||
</pre> | |||
</blockquote> | |||
* /etc/postfix/canonical_recipients | |||
<blockquote> | |||
<pre> | |||
root server@domain.de | |||
postmaster root | |||
webmaster root | |||
</pre> | |||
</blockquote> | |||
* /etc/postfix/canonical_senders | |||
<blockquote> | |||
<pre> | |||
root hostname@domain.de | |||
postmaster root | |||
webmaster root | |||
</pre> | |||
</blockquote> | |||
* /etc/postfix/sasl_password | |||
<blockquote> | |||
<pre> | |||
smtp.domain.de username:password | |||
</pre> | |||
</blockquote> | |||
* /etc/postfix/sender_relayhosts | |||
<blockquote> | |||
<pre> | |||
mail@domain.de smtp.domain.de | |||
</pre> | |||
</blockquote> | |||
* /etc/postfix/virtual_alias | |||
<blockquote> | |||
<pre> | |||
</pre> | |||
</blockquote> | |||
* /etc/postfix/virtual_domains | |||
<blockquote> | |||
<pre> | |||
domain.de | |||
</pre> | |||
</blockquote> | |||
* /etc/postfix/vmailbox | |||
<blockquote> | |||
<pre> | |||
mail@domain.de localdomain/virtemailuser/ | |||
server@domain.de localdomain/server/ | |||
domain.de localdomain/virtemailuser/ | |||
</pre> | |||
</blockquote> | |||
* /etc/postfix/reload.sh | |||
<blockquote> | |||
<pre> | |||
#!/bin/bash | |||
newaliases | |||
postmap /etc/postfix/vmailbox | |||
postmap /etc/postfix/virtual_alias | |||
postmap /etc/postfix/sender_relayhosts | |||
postmap /etc/postfix/canonical_recipients | |||
postmap /etc/postfix/canonical_senders | |||
postmap /etc/postfix/sasl_password | |||
/etc/init.d/postfix restart | |||
</pre> | </pre> | ||
</blockquote> | </blockquote> | ||
== dovecot == | == dovecot == | ||
* preparing | |||
<blockquote> | |||
<pre> | |||
touch /var/log/dovecot | |||
chown vmail:vmail /var/log/dovecot | |||
chmod 660 /var/log/dovecot | |||
touch /etc/dovecot/userdb | |||
touch /etc/dovecot/passdb | |||
chown root:dovecot /etc/dovecot/userdb | |||
chown root:dovecot /etc/dovecot/passdb | |||
chmod 640 /etc/dovecot/userdb | |||
chmod 640 /etc/dovecot/passdb | |||
</pre> | |||
</blockquote> | |||
* /etc/dovecot/conf.d/01-custom.conf | * /etc/dovecot/conf.d/01-custom.conf | ||
<blockquote> | <blockquote> | ||
<pre> | <pre> | ||
protocols = imap pop3 #imaps pop3s sieve | protocols = imap pop3 #imaps pop3s sieve | ||
# auth | # auth | ||
| Line 112: | Line 243: | ||
auth_mechanisms = plain login | auth_mechanisms = plain login | ||
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ | auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ | ||
# virtual user db | # virtual user db | ||
passdb { | passdb { | ||
driver = passwd-file | driver = passwd-file | ||
args = / | args = /etc/dovecot/passdb | ||
} | } | ||
userdb { | userdb { | ||
driver = passwd-file | driver = passwd-file | ||
args = / | args = /etc/dovecot/userdb | ||
} | } | ||
# ssl | # ssl | ||
| Line 130: | Line 259: | ||
#ssl_key = </etc/ssl/private/ssl-mail.key | #ssl_key = </etc/ssl/private/ssl-mail.key | ||
ssl_cipher_list = ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM | ssl_cipher_list = ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM | ||
# logging | # logging | ||
| Line 137: | Line 265: | ||
mail_debug = yes # | mail_debug = yes # | ||
verbose_ssl = yes # | verbose_ssl = yes # | ||
# mail | # mail | ||
mail_location = maildir:/srv/mail/virtual/%d/%n | mail_location = maildir:/srv/mail/virtual/%d/%n | ||
# master | # master | ||
| Line 151: | Line 277: | ||
} | } | ||
} | } | ||
# IMAP configuration | # IMAP configuration | ||
| Line 189: | Line 314: | ||
</blockquote> | </blockquote> | ||
== fetchmail == | |||
* /etc/defaults/fetchmail | |||
<blockquote> | <blockquote> | ||
<pre> | <pre> | ||
START_DAEMON=yes | |||
</pre> | |||
</blockquote> | |||
* /etc/fetchmailrc | |||
<blockquote> | |||
<pre> | |||
set postmaster "root" | |||
set bouncemail | |||
set no spambounce | |||
set properties "" | |||
set syslog | |||
set daemon 300 | |||
poll pop.gmail.com with proto POP3 | |||
user 'test@gmail.com' there with password '1234' is localuser here options ssl | |||
</pre> | </pre> | ||
</blockquote> | </blockquote> | ||
Latest revision as of 14:59, 1 December 2013
Definitions
- This configuration is based on Ubuntu 12.04 LTS
- verify that "hostname" gives your local hostname
- verify that "hostname -d" gives your local domain(workgroup)
preparing the system
groupadd -g 5000 vmail useradd -s /usr/sbin/nologin -u 5000 -g 5000 vmail id vmail mkdir -p /srv/mail/virtual/$(hostname -d) chown -R vmail:vmail /srv/mail/virtual
installation
apt-get install postfix dovecot-core dovecot-imapd dovecot-pop3d dovecot-postfix dovecot-sieve dovecot-managesieved mail-stack-delivery
postfix
- preparing
touch /etc/postfix/canonical_recipients touch /etc/postfix/canonical_senders touch /etc/postfix/sender_relayhosts touch /etc/postfix/sasl_password chmod 600 /etc/postfix/sasl_password touch /etc/postfix/virtual_alias touch /etc/postfix/virtual_domains touch /etc/postfix/vmailbox touch /etc/postfix/reload.sh chmod 744 /etc/postfix/reload.sh
- /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
#delay_warning_time = 4h
readme_directory = no
myhostname = localhostname.localdomain
mydomain = localdomain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# Virtual user settings
virtual_mailbox_domains = /etc/postfix/virtual_domains
virtual_mailbox_base = /srv/mail/virtual
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps = hash:/etc/postfix/virtual_alias
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
mailbox_size_limit = 0
# Dovecot sasl
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = no
smtpd_sasl_authenticated_header = yes
# TLS parameters
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unknown_client, reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_limit = 250
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
# outbound
recipient_canonical_maps = hash:/etc/postfix/canonical_recipients
sender_canonical_maps = hash:/etc/postfix/canonical_senders
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relayhosts
smtp_connection_cache_on_demand = no
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
smtp_tls_mandatory_ciphers = high
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous noplaintext
smtp_sasl_tls_security_options = noanonymous noplaintext
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
- /etc/postfix/master.cf
smtp inet n - - - - smtpd -v # add -v for verbose #smtp inet n - - - 1 postscreen #smtpd pass - - - - - smtpd #dnsblog unix - - - - 0 dnsblog #tlsproxy unix - - - - 0 tlsproxy submission inet n - - - - smtpd -v # uncomment for starttls port -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING #smtps inet n - - - - smtpd -v # uncomment for ssl/tls port # -o syslog_name=postfix/smtps # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - - - - qmqpd
- /etc/postfix/canonical_recipients
root server@domain.de postmaster root webmaster root
- /etc/postfix/canonical_senders
root hostname@domain.de postmaster root webmaster root
- /etc/postfix/sasl_password
smtp.domain.de username:password
- /etc/postfix/sender_relayhosts
mail@domain.de smtp.domain.de
- /etc/postfix/virtual_alias
- /etc/postfix/virtual_domains
domain.de
- /etc/postfix/vmailbox
mail@domain.de localdomain/virtemailuser/ server@domain.de localdomain/server/ domain.de localdomain/virtemailuser/
- /etc/postfix/reload.sh
#!/bin/bash newaliases postmap /etc/postfix/vmailbox postmap /etc/postfix/virtual_alias postmap /etc/postfix/sender_relayhosts postmap /etc/postfix/canonical_recipients postmap /etc/postfix/canonical_senders postmap /etc/postfix/sasl_password /etc/init.d/postfix restart
dovecot
- preparing
touch /var/log/dovecot chown vmail:vmail /var/log/dovecot chmod 660 /var/log/dovecot touch /etc/dovecot/userdb touch /etc/dovecot/passdb chown root:dovecot /etc/dovecot/userdb chown root:dovecot /etc/dovecot/passdb chmod 640 /etc/dovecot/userdb chmod 640 /etc/dovecot/passdb
- /etc/dovecot/conf.d/01-custom.conf
protocols = imap pop3 #imaps pop3s sieve
# auth
#disable_plaintext_auth = yes
auth_mechanisms = plain login
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
# virtual user db
passdb {
driver = passwd-file
args = /etc/dovecot/passdb
}
userdb {
driver = passwd-file
args = /etc/dovecot/userdb
}
# ssl
ssl = yes
#ssl_cert = </etc/ssl/certs/ssl-mail.pem
#ssl_key = </etc/ssl/private/ssl-mail.key
ssl_cipher_list = ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
# logging
log_path = /var/log/dovecot
auth_debug = yes # for debugging only
mail_debug = yes #
verbose_ssl = yes #
# mail
mail_location = maildir:/srv/mail/virtual/%d/%n
# master
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
mode = 0660
user = postfix
group = postfix
}
}
# IMAP configuration
#protocol imap {
# mail_max_userip_connections = 10
# imap_client_workarounds = delay-newmail
#}
# POP3 configuration
#protocol pop3 {
# mail_max_userip_connections = 10
# pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
#}
# LDA configuration
#protocol lda {
# postmaster_address = postmaster
# mail_plugins = sieve
# quota_full_tempfail = yes
# deliver_log_format = msgid=%m: %$
# rejection_reason = Your message to <%t> was automatically rejected:%n%r
#}
# Plugins configuration
#plugin {
# sieve=~/.dovecot.sieve
# sieve_dir=~/sieve
#}
- /etc/dovecot/conf.d/10-auth.conf
#!include auth-master.conf.ext # disable
fetchmail
- /etc/defaults/fetchmail
START_DAEMON=yes
- /etc/fetchmailrc
set postmaster "root"
set bouncemail
set no spambounce
set properties ""
set syslog
set daemon 300
poll pop.gmail.com with proto POP3
user 'test@gmail.com' there with password '1234' is localuser here options ssl