Linux/Mailserver/Small Office Smarthost: Difference between revisions
No edit summary |
No edit summary |
||
| Line 13: | Line 13: | ||
</blockquote> | </blockquote> | ||
== postfix == | |||
* /etc/postfix/main.cf | |||
<blockquote> | <blockquote> | ||
<pre> | <pre> | ||
| Line 89: | Line 94: | ||
<blockquote> | <blockquote> | ||
<pre> | <pre> | ||
Revision as of 23:00, 12 March 2013
Definitions
- This configuration is based on Ubuntu 12.04 LTS
preparing the system
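# Create the virtual mail store. -p also creates /srv/mail if it is missing.
mkdir -p /srv/mail/virtual
# Dedicated mail-owning account: fixed uid/gid 5000 and no login shell, so a
# compromised delivery process does not run as a real user. The ids must match
# virtual_uid_maps / virtual_gid_maps in /etc/postfix/main.cf.
groupadd -g 5000 vmail
useradd -s /usr/sbin/nologin -u 5000 -g 5000 vmail
# Verify the account exists with the expected uid and gid.
id vmail
# NOTE(review): nothing on this page sets the owner or mode of /srv/mail/virtual.
# The tree later holds mailboxes and the passdb/userdb files, so check that it is
# writable by vmail and not readable by other local users.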
postfix
- /etc/postfix/main.cf
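# /etc/postfix/main.cf - Postfix smarthost with Dovecot-backed virtual mailboxes.
# Postfix has no inline comments: every comment is on its own line.

# --- General ---
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
#delay_warning_time = 4h
readme_directory = no
myhostname = vm-mailserver.mlnet
mydomain = mlnet
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# All outbound mail is handed to this upstream relay.
relayhost = smtp.marcluerssen.de
# Only loopback may relay without authenticating; the LAN range is left disabled.
mynetworks = 127.0.0.0/8
#, 192.168.111.0/24
# 0 = no size limit. This was set twice with the same value; one copy is kept.
mailbox_size_limit = 0
recipient_delimiter = +
# Listens on every interface, so the restrictions below are the relay boundary.
inet_interfaces = all

# Virtual user settings
virtual_mailbox_domains = /etc/postfix/virtual_domains
# NOTE(review): the rest of the page stores mail under /srv/mail/virtual (mkdir
# step and Dovecot mail_location). With virtual_transport = dovecot this path is
# presumably unused - confirm or align it.
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps = hash:/etc/postfix/virtual_alias
virtual_minimum_uid = 100
# uid/gid 5000 = the vmail account created in "preparing the system".
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
# Needs a matching "dovecot" service entry in master.cf (not shown on this page).
virtual_transport = dovecot
#dovecot_destination_recipient_limit = 1

# Dovecot sasl
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
# Relative to $queue_directory. It must name the socket Dovecot actually creates.
# NOTE(review): the 10-master.conf excerpt on this page defines
# /var/spool/postfix/private/auth, not private/dovecot-auth. Unless another
# listener exists in the elided parts, authentication fails - confirm.
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = no

# TLS parameters
# smtpd_use_tls is the obsolete spelling; smtpd_tls_security_level overrides it.
smtpd_use_tls = yes
# Opportunistic TLS for incoming SMTP; AUTH is only offered once TLS is active.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
# The private key should be readable by root only.
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom
#smtpd_require_helo = yes

# --- Access restrictions ---
# NOTE(review): sbl-xbl.spamhaus.org is a legacy zone name; Spamhaus' combined
# zone is zen.spamhaus.org. Verify the list still answers before relying on it.
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unknown_client, reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sender_restrictions = reject_unknown_sender_domain
# reject_unauth_destination must stay in this list: it is what stops
# unauthenticated clients from relaying through this host.
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_limit = 250

# --- TLS protocol and cipher policy ---
# Was "SSLv3, TLSv1": that allowed the broken SSLv3 protocol, and an explicit
# include list also shuts out any newer TLS version the TLS library supports.
# Exclusions disable only the obsolete protocols. Newer Postfix releases also
# accept a floor such as ">=TLSv1.2".
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# The *_mandatory_* settings only apply at security level "encrypt". With level
# "may", as set above, smtpd_tls_protocols governs, so the same exclusion is
# repeated here.
smtpd_tls_protocols = !SSLv2, !SSLv3
# Also "mandatory"-only; opportunistic sessions use smtpd_tls_ciphers.
smtpd_tls_mandatory_ciphers = medium

# --- Disabled alternatives kept for reference ---
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
#smtp_use_tls = yes
#sender_canonical_maps = hash:/etc/postfix/sender_canonical
#inet_protocols = all
#home_mailbox = Maildir/
#smtpd_sasl_authenticated_header = yes
#mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-mail-stack-delivery.conf -m "${EXTENSION}"
#smtp_use_tls = yes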
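# Minimal Postfix settings for authenticating through Dovecot SASL.
# One setting per line: Postfix has no inline comments, so trailing text would
# become part of the value.
# NOTE(review): if these lines go into the same main.cf as the listing above,
# the later assignment wins. They would then replace the longer
# smtpd_recipient_restrictions list and the private/dovecot-auth socket path
# given there. Confirm which variant is intended.
smtpd_sasl_type = dovecot
# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
# reject_unauth_destination is the entry that prevents open relaying.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination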
dovecot
- /etc/dovecot/conf.d/10-auth.conf
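# PLAIN sends the password itself, so it is only safe inside TLS. On the SMTP
# side, smtpd_tls_auth_only = yes in main.cf enforces that.
# optional: login
auth_mechanisms = plain
# disable
#!include auth-master.conf.ext
# Use the per-domain passwd-file databases from auth-passwdfile.conf.ext.
!include auth-passwdfile.conf.ext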
- /etc/dovecot/conf.d/10-logging.conf
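# Log to a dedicated file. It must be writable by the Dovecot processes.
log_path = /var/log/dovecot
# for debugging only: these make the log verbose and record details of every
# login attempt. Switch them off once the setup works, and keep the log file
# unreadable by other local users.
auth_debug = yes
mail_debug = yes
# NOTE(review): the source line is collapsed; verbose_ssl may originally have
# been commented out.
verbose_ssl = yes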
- /etc/dovecot/conf.d/10-mail.conf
# Maildir per account: %d is the domain part and %n the local part of the login,
# so user@example.org is stored in /srv/mail/virtual/example.org/user.
mail_location = maildir:/srv/mail/virtual/%d/%n
- /etc/dovecot/conf.d/10-master.conf
# Auth service: exposes Dovecot's SASL socket inside the Postfix queue directory
# so the (chrooted) smtpd can reach it.
service auth {
...
# Postfix sees this socket as private/auth relative to /var/spool/postfix, so
# smtpd_sasl_path in main.cf must be private/auth to match.
unix_listener /var/spool/postfix/private/auth {
# 0660 with postfix:postfix: only the Postfix user and group can talk to the
# auth socket, and other local users cannot query or brute-force it.
mode = 0660
# Assuming the default Postfix user and group
user = postfix
group = postfix
}
...
}
- /etc/dovecot/conf.d/auth-passwdfile.conf.ext
# Password database: one passwd-file per mail domain (%d = domain of the login).
# NOTE(review): these files hold the account credentials and live inside the
# mail tree used by mail_location. Keep them readable only by the Dovecot auth
# process, and confirm no mailbox can be named "passdb" or "userdb".
passdb {
driver = passwd-file
args = /srv/mail/virtual/%d/passdb
}
# User database: per-domain passwd-file supplying the uid, gid and home
# directory for each account.
userdb {
driver = passwd-file
args = /srv/mail/virtual/%d/userdb
}
touch /var/log/dovecot chown vmail:vmail /var/log/dovecot chmod 660