Linux/Mailserver/Small Office Smarthost

From Wiki

Definitions

  • This configuration is based on Ubuntu 12.04 LTS (Postfix 2.x / Dovecot 2.0 as packaged there). 12.04 has reached end of life and no longer receives security updates; on a newer release check the current Postfix/Dovecot documentation before copying the directives below verbatim, as several names and defaults have changed.
  • verify that `hostname` prints your local hostname (used for myhostname below)
  • verify that `hostname -d` prints your local domain (workgroup); it is used below as the per-domain mailbox directory under /srv/mail/virtual and as mydomain



preparing the system

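# Unprivileged owner of every virtual mailbox. Postfix's virtual(8) delivers as
# this uid/gid (virtual_uid_maps/virtual_gid_maps = static:5000 in main.cf) and
# Dovecot reads the same maildirs, so nothing else ever needs access.
groupadd -g 5000 vmail
# No interactive login; the mail root doubles as the home directory, so do not
# create a stray /home/vmail (-M).
useradd -s /usr/sbin/nologin -u 5000 -g 5000 -d /srv/mail/virtual -M vmail
id vmail

# One directory per virtual domain; Dovecot's mail_location resolves to
# /srv/mail/virtual/<domain>/<user> below it.
mkdir -p "/srv/mail/virtual/$(hostname -d)"
chown -R vmail:vmail /srv/mail/virtual
# Mail must not be readable by other local accounts on the box.
chmod -R o-rwx /srv/mail/virtual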



installation

# Postfix (MTA), Dovecot IMAP/POP3 with Sieve/ManageSieve, and Ubuntu's
# mail-stack-delivery glue package. On 12.04 dovecot-postfix is presumably just
# the transitional name for mail-stack-delivery, so listing both is harmless.
# NOTE(review): the ssl-mail.pem / ssl-mail.key files referenced in main.cf below
# are expected to be created by that package -- verify they exist after the
# install, and replace the generated self-signed certificate before exposing
# the server to real clients.
apt-get install postfix dovecot-core dovecot-imapd dovecot-pop3d dovecot-postfix dovecot-sieve dovecot-managedsieved mail-stack-delivery



postfix

  • preparing
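# Empty lookup tables; each is filled in below and compiled with postmap by
# reload.sh. touch (not install/redirect) so re-running this page never
# truncates tables that already have content.
touch /etc/postfix/canonical_recipients
touch /etc/postfix/canonical_senders
touch /etc/postfix/sender_relayhosts
touch /etc/postfix/virtual_alias
touch /etc/postfix/virtual_domains
touch /etc/postfix/vmailbox

# The smarthost credentials are stored here in clear text: root-only from the
# first moment, before anything is written into it. reload.sh applies the same
# mode to the compiled sasl_password.db.
touch /etc/postfix/sasl_password
chown root:root /etc/postfix/sasl_password
chmod 600 /etc/postfix/sasl_password

# Helper that recompiles the tables; only root needs to read or run it.
touch /etc/postfix/reload.sh
chown root:root /etc/postfix/reload.sh
chmod 700 /etc/postfix/reload.sh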
  • /etc/postfix/main.cf
# Greeting sent on connect; $mail_name defaults to "Postfix".
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# Do not append .$mydomain to bare host names in addresses (the MUA's job).
append_dot_mydomain = no
#delay_warning_time = 4h
readme_directory = no


# Replace with the values printed by "hostname" and "hostname -d" (see Definitions).
myhostname = localhostname.localdomain
mydomain = localdomain
# Local aliases (root, postmaster, ...) used by the local delivery agent.
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# Only loopback is trusted; every other client must SASL-authenticate before it
# may relay (see smtpd_recipient_restrictions below).
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
# Listen on every interface; the restrictions below, not the bind address,
# are what keep this from being an open relay.
inet_interfaces = all

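# Virtual user settings
# Domains listed in virtual_domains are handled by virtual(8), which writes into
# $virtual_mailbox_base/<vmailbox value>; a trailing "/" in vmailbox means maildir.
virtual_mailbox_domains = /etc/postfix/virtual_domains
virtual_mailbox_base = /srv/mail/virtual
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps = hash:/etc/postfix/virtual_alias
# All virtual mail is owned by the vmail account created above (uid/gid 5000);
# virtual_minimum_uid refuses delivery as any uid below 100 even if a map says so.
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
# (mailbox_size_limit = 0 is already set once in the general section above;
# the duplicate that used to follow here was redundant.)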

# Dovecot sasl
# smtpd authenticates submission clients through Dovecot's auth socket, the
# unix_listener under /var/spool/postfix/private configured in 01-custom.conf.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
# Never accept anonymous SASL. Plaintext mechanisms (PLAIN/LOGIN) are tolerable
# only because smtpd_tls_auth_only in the TLS section hides AUTH until STARTTLS
# has completed.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
# Pre-RFC AUTH syntax for ancient Outlook Express clients is not needed.
broken_sasl_auth_clients = no
# Puts the authenticated login name into the Received: header of every message.
# NOTE(review): that discloses user names to all recipients; set to "no" if
# login names are considered sensitive.
smtpd_sasl_authenticated_header = yes

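# TLS parameters
# smtpd_use_tls is the pre-2.3 spelling; smtpd_tls_security_level below is
# what actually applies. Kept so older tooling that greps for it still sees it.
smtpd_use_tls = yes
# Opportunistic STARTTLS on port 25 (not every sending MTA does TLS); the
# submission service in master.cf overrides this to "encrypt".
smtpd_tls_security_level = may
# Do not even advertise AUTH before STARTTLS, so passwords never cross the
# wire in clear.
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom
# SSLv2 and SSLv3 are broken; exclude them for both mandatory and
# opportunistic TLS. (The previous value "SSLv3, TLSv1" still permitted SSLv3
# on the mandatory-TLS submission port.)
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium

# Access policy. With the default smtpd_delay_reject = yes all of these are
# evaluated at RCPT TO, i.e. after AUTH, which is why permit_sasl_authenticated
# is meaningful in the client list. Trusted networks and authenticated users
# skip the client checks; everyone else needs a syntactically valid HELO name,
# a client address with working reverse DNS, and must not be listed on
# Spamhaus ZEN (sbl-xbl.spamhaus.org was retired in favour of zen).
# NOTE(review): reject_unknown_client_hostname also bounces legitimate senders
# with broken PTR records; drop it if that turns out to be too strict.
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_unknown_client_hostname, reject_rbl_client zen.spamhaus.org
smtpd_sender_restrictions = reject_unknown_sender_domain
# reject_unauth_destination after the two permits is what prevents open relay:
# only mynetworks and SASL-authenticated users may send to non-local domains.
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_limit = 250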

# outbound
# Rewrite local account names (root, cron mail, ...) to real addresses before
# handing mail to the smarthost; see canonical_recipients / canonical_senders.
recipient_canonical_maps = hash:/etc/postfix/canonical_recipients
sender_canonical_maps = hash:/etc/postfix/canonical_senders

# Choose relayhost and SASL credentials per envelope sender (sender_relayhosts).
# NOTE(review): a sender without an entry there gets no relayhost at all and is
# delivered directly to the recipient's MX, where the mandatory "encrypt" level
# below fails against hosts without TLS -- cover every sender (an @domain.de
# wildcard in sender_relayhosts) or set a global relayhost as a fallback.
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relayhosts
smtp_connection_cache_on_demand = no

smtp_tls_note_starttls_offer = yes
# Mandatory TLS towards the smarthost -- but "encrypt" does NOT verify the peer
# certificate, so an active attacker on the path can present any certificate
# and collect the SASL credentials. For a fixed smarthost prefer
# smtp_tls_security_level = secure together with smtp_tls_CAfile (or a
# per-destination smtp_tls_policy_maps entry).
smtp_tls_security_level = encrypt
smtp_tls_mandatory_ciphers = high

smtp_sasl_auth_enable = yes
# "noplaintext" refuses the PLAIN/LOGIN mechanisms. Because every session is
# TLS here, the *_tls_* variant is the one that applies -- and if the smarthost
# offers only PLAIN/LOGIN (common), authentication will fail. In that case drop
# "noplaintext" from smtp_sasl_tls_security_options only; the link is already
# encrypted, and the non-TLS variant keeps clear-text credentials off the wire.
smtp_sasl_security_options = noanonymous noplaintext
smtp_sasl_tls_security_options = noanonymous noplaintext
# host (or sender) -> user:password; the file and its .db must stay root-only.
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
  • /etc/postfix/master.cf
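# service type  private unpriv  chroot  wakeup  maxproc command + args
# master(5) knows only whole-line comments: anything after the command field is
# handed to the daemon as extra arguments, so keep notes on their own # lines.
#
# Port 25: inbound mail from other MTAs. Do not run it with -v in normal
# operation -- verbose mode logs the complete SMTP dialogue to mail.log,
# including AUTH exchanges (base64-encoded credentials). Append " -v" to the
# smtpd command only while troubleshooting, then remove it again.
smtp      inet  n       -       -       -       -       smtpd
# Optional postscreen front end for port 25 (replaces the "smtp" line above):
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
# Port 587: submission by authenticated users only. STARTTLS is mandatory here
# regardless of the "may" level in main.cf, and nothing is accepted without
# SASL authentication; the recipient restrictions from main.cf still apply.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
# Port 465: implicit TLS (SMTPS) for clients that cannot do STARTTLS; uncomment
# if such clients exist.
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd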
  • /etc/postfix/canonical_recipients
# recipient_canonical_maps: recipient rewriting done by cleanup(8).
# A bare key such as "root" matches root@$myorigin / root@$mydestination.
# Canonical lookups are not recursive: "postmaster" becomes root@$myorigin and
# stops there -- it does NOT continue on to server@domain.de via the first
# line. Mail for root is then presumably resolved through /etc/aliases by the
# local delivery agent, so keep the root: entry there pointing somewhere read.
root server@domain.de
postmaster root
webmaster root
  • /etc/postfix/canonical_senders
# sender_canonical_maps: envelope/header sender rewriting for outbound mail, so
# that cron and system mail from root leaves as hostname@domain.de instead of an
# unroutable local address. Same non-recursive rule as canonical_recipients:
# postmaster/webmaster become root@$myorigin, not hostname@domain.de.
# NOTE(review): every address produced here needs a matching entry in
# sender_relayhosts (or a global relayhost); otherwise Postfix tries direct
# delivery for that sender.
root hostname@domain.de
postmaster root
webmaster root
  • /etc/postfix/sasl_password
# smtp_sasl_password_maps: clear-text smarthost credentials -- this is why the
# file is chmod 600; check the postmap-generated sasl_password.db with ls -l too.
# The key must be spelled exactly like the relayhost in sender_relayhosts
# (with brackets if it is written [smtp.domain.de] there). With
# smtp_sender_dependent_authentication enabled the map is presumably searched
# by sender address first, so "mail@domain.de user:pass" lines also work.
smtp.domain.de username:password
  • /etc/postfix/sender_relayhosts
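# sender_dependent_relayhost_maps: envelope sender -> next-hop smarthost.
# Postfix searches the full sender address and then "@domain", so the wildcard
# line routes every domain.de sender -- including the rewritten system mail
# (hostname@domain.de from canonical_senders) -- through the smarthost instead
# of attempting direct delivery, which the mandatory outbound TLS would break.
# Write the host as [smtp.domain.de] to skip the MX lookup if the provider
# requires it, and keep the sasl_password key spelled identically.
mail@domain.de  smtp.domain.de
@domain.de      smtp.domain.de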
  • /etc/postfix/virtual_alias

  • /etc/postfix/virtual_domains
# virtual_mailbox_domains: one domain per line. A domain listed here must NOT
# also appear in mydestination (Postfix warns about the overlap and delivery
# becomes ambiguous).
domain.de
  • /etc/postfix/vmailbox
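# virtual_mailbox_maps: address -> maildir relative to virtual_mailbox_base
# (trailing "/" = maildir). The path must match what Dovecot builds from
# mail_location (%d/%n = <login domain>/<login user>), so these users log in
# as virtemailuser@localdomain and server@localdomain.
mail@domain.de     localdomain/virtemailuser/
server@domain.de   localdomain/server/
# Catch-all for any other address in the domain. Postfix queries the map with
# the full address and then with "@domain"; the bare key "domain.de" used here
# before matched neither. NOTE(review): a catch-all collects every dictionary
# spam and backscatter aimed at the domain -- delete this line unless it is
# really wanted.
@domain.de         localdomain/virtemailuser/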
  • /etc/postfix/reload.sh
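#!/bin/bash
# Recompile the Postfix lookup tables edited above and activate the result.
# Run as root after changing any file under /etc/postfix.
set -euo pipefail

newaliases
for table in vmailbox virtual_alias sender_relayhosts \
             canonical_recipients canonical_senders sasl_password; do
    postmap "/etc/postfix/${table}"
done

# The compiled credentials must be just as private as the text file; postmap
# normally copies the source mode, this makes sure of it either way.
chmod 600 /etc/postfix/sasl_password /etc/postfix/sasl_password.db

# Refuse to activate a configuration Postfix itself rejects, then reload:
# main.cf/master.cf are re-read and open client connections survive. A full
# restart is only needed for changes such as inet_interfaces.
postfix check
postfix reload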

dovecot

  • preparing
# Dedicated log file (log_path in 01-custom.conf). Root creates it; the running
# daemons append. NOTE(review): confirm which uid actually writes it -- if
# Dovecot's log service runs as root the vmail ownership is unnecessary, and a
# logrotate stanza is still needed because nothing here rotates it.
touch /var/log/dovecot
chown vmail:vmail /var/log/dovecot
chmod 660 /var/log/dovecot

# Flat-file passdb/userdb for the virtual accounts (passwd-file driver).
# Readable only by root and the dovecot group, never world-readable: passdb
# holds the credentials, which should be password hashes (doveadm pw), not
# clear text.
touch /etc/dovecot/userdb
touch /etc/dovecot/passdb
chown root:dovecot /etc/dovecot/userdb
chown root:dovecot /etc/dovecot/passdb
chmod 640 /etc/dovecot/userdb
chmod 640 /etc/dovecot/passdb
  • /etc/dovecot/conf.d/01-custom.conf
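# Listeners: STARTTLS-capable imap (143) and pop3 (110). In Dovecot 2.x the
# dedicated imaps/pop3s ports (993/995) are switched on in 10-master.conf, not
# in this list; add "sieve" here to enable ManageSieve.
protocols = imap pop3

# auth
# Plain-text mechanisms are only acceptable inside TLS. "yes" is Dovecot 2.x's
# default, but it is spelled out so a later edit cannot silently relax it:
# without TLS (other than from localhost) PLAIN/LOGIN logins are refused.
disable_plaintext_auth = yes
auth_mechanisms = plain login
# Restrict login names to the characters that can appear in a mailbox path.
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@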

# virtual user db
# Both files are in passwd(5)-like format, one account per line
# (user@domain:{SCHEME}hash:uid:gid::home for passdb; store hashes generated
# with doveadm pw rather than clear-text passwords). uid/gid should be 5000
# (vmail) so the mailboxes created by Postfix are readable here.
passdb {
  driver = passwd-file
  args = /etc/dovecot/passdb
}
userdb {
  driver = passwd-file
  args = /etc/dovecot/userdb
}

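# ssl
# STARTTLS is offered on 143/110; clients may still open a non-TLS session,
# but disable_plaintext_auth stops them from logging in over it. Use
# "ssl = required" to refuse unencrypted sessions outright.
ssl = yes
# Certificate and key are commented out because the mail-stack-delivery package
# presumably already points Dovecot at the same ssl-mail.pem / ssl-mail.key that
# Postfix uses. Check with "doveconf -a | grep ^ssl_" and uncomment these if it
# reports a different (e.g. snakeoil) certificate.
#ssl_cert = </etc/ssl/certs/ssl-mail.pem
#ssl_key = </etc/ssl/private/ssl-mail.key
# No NULL/anonymous/export ciphers and no RC4 (the old list explicitly
# re-enabled RC4+RSA, which is broken).
ssl_cipher_list = ALL:!LOW:!SSLv2:!aNULL:!ADH:!eNULL:!EXP:!RC4:+HIGH:+MEDIUM
# Dovecot 2.1 and later only -- an unknown setting is fatal on 2.0. Uncomment
# on a newer release so SSLv3 is refused as well.
#ssl_protocols = !SSLv2 !SSLv3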

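# logging
log_path = /var/log/dovecot
# Debug switches, all off for normal operation. Flip the one you need to "yes"
# only while troubleshooting a login or delivery problem, then revert -- they
# make the log very large. auth_debug does not log passwords;
# auth_debug_passwords does, in clear, and must never be enabled on a live
# server.
auth_debug = no
auth_debug_passwords = no
mail_debug = no
verbose_ssl = no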

# mail
# %d = domain part and %n = user part of the login name, so a user logging in
# as virtemailuser@localdomain reads /srv/mail/virtual/localdomain/virtemailuser
# -- the same path Postfix's vmailbox map delivers into.
mail_location = maildir:/srv/mail/virtual/%d/%n

# master
# Authentication socket for Postfix (smtpd_sasl_path = private/dovecot-auth in
# main.cf, relative to Postfix's queue directory). Owned by postfix with mode
# 0660 so only Postfix processes can query Dovecot's passdb through it.
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# IMAP configuration
#protocol imap {
#        mail_max_userip_connections = 10
#        imap_client_workarounds = delay-newmail
#}

# POP3 configuration
#protocol pop3 {
#        mail_max_userip_connections = 10
#        pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
#}

# LDA configuration
#protocol lda {
#        postmaster_address = postmaster
#        mail_plugins = sieve
#        quota_full_tempfail = yes
#        deliver_log_format = msgid=%m: %$
#        rejection_reason = Your message to <%t> was automatically rejected:%n%r
#}

# Plugins configuration
#plugin {
#        sieve=~/.dovecot.sieve
#        sieve_dir=~/sieve
#}
  • /etc/dovecot/conf.d/10-auth.conf
# 10-auth.conf is otherwise left as shipped; passdb/userdb come from
# 01-custom.conf above. Keep this include commented out -- auth-master.conf.ext
# presumably adds the "master user" passdb example, which this setup does not use.
#!include auth-master.conf.ext