Installing a new mailserver: Difference between revisions

From Edgar BV Wiki
Jump to navigation Jump to search
← Older editNewer edit →
Visual
(44 intermediate revisions by the same user not shown)
Line 1: Line 1:
apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d
You will need these for the mail server
 
apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d automx


pdnsd - use resolvconf configuration
pdnsd - use resolvconf configuration


= Network =
= Network =
Set up networking in /etc/network/interfaces
[[Debian Network Setup]]
 
Ensure your PTR records are set in DNS
<pre>
<pre>
# The loopback network interface
TXT edgarbv.com v=spf1 mx-all
auto lo
AAAA edgarbv.com IPv6address
iface lo inet loopback
MX 10 mail.edgarbv.com edgarbv.com
A edgarbv.com IPv4address
</pre>


# The primary network interface
Certificates for mail.edgarbv.com - see postfix and dovecot
allow-hotplug eth0
#auto eth0
iface eth0 inet static
        address 192.168.0.112
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
#      gateway 192.168.0.1
        dns-nameservers 213.75.63.36 213.75.63.70 192.168.0.1
#      dns-nameservers 192.168.0.1 192.168.0.2
#      dns-search tripnet.int internal.tripnet.int ops.tripnet.int


auto eth1
= Postfix and Procmail =
iface eth1 inet static
First install [[Postfix]] as the mail transport agent
        address 188.204.140.195
        netmask 255.255.255.224
        network 188.204.140.192
        broadcast 188.204.140.223
        gateway 188.204.140.193
        dns-nameservers 213.75.63.36 213.75.63.70 192.168.0.1
</pre>


= Postfix and Procmail =
= Amavis-new + ClamAV =
First install [[Postfix]]
Amavis functions as a postfix addon that filters mail through ClamAV and Spamassassin. [[Amavis-new and ClamAV]]


= Spamassassin =
= Spamassassin =
Then install [[Spamassassin]]
Then configure [[Spamassassin]]


= Dovecot =
= Dovecot =
[[ Dovecot ]]
Now install [[ Dovecot ]] as an IMAP / POP3 server
 
= Automx =
[[ automx ]] sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings
 
= Roundcube webmail =
And install [[ Roundcube ]] for webmail
 
= Converting from mbox to maildir =
Because we want the system to support IMAP functionality fully, there are some changes to to be made which will be documented further. For now, look at [[Converting from mbox to maildir]]
 
= Webmail performance =
package imapproxy implements UP-IMapProxy
 
= Iphone Push =
package imaprowl implements push for Iphone and Gmail


== after installation ==
= Mobile settings =
Logging:
Incoming:
<pre>
<pre>
log_path = /var/log/mail/dovecot.err
Security type: TLS (Accept all certificates)
info_log_path = /var/log/mail/dovecot.info
Port: 143
</pre>
</pre>
Outgoing:
<pre>
<pre>
touch /var/log/mail/dovecot.err
Hostname: mail.edgarbv.com
touch /var/log/mail/dovecot.info
Security Type: TLS (Accept all certificates)
Port: 587
Require sign in: on
</pre>
</pre>
in /etc/logrotate.d/rsyslog add
 
Note, TLS will only work for 1 IP adres per hostname. It only gets 1 certificate per IP adres.
 
= Spam protection =
https://dmarcguide.globalcyberalliance.org/ tests your SPF / DKIM / DMARC / BIMI and TLS and has guides on how to implement them.
 
== SPF ==
This implements Sender Policy Framework, a method to check if an email's From comes from an authorised server
http://www.openspf.org/Introduction
 
[[Sender Policy Framework / SPF]]
 
== DKIM ==
Another trust mechanism http://www.dkim.org/
 
/etc/opendkim.conf
<pre>
<pre>
/var/log/mail/dovecot.err
Syslog                  yes
/var/log/mail/dovecot.info
SyslogSuccess          yes
 
Mode                    sv
SubDomains              no
 
# Specify the list of keys
KeyTable file:/etc/dkimkeys/keytable
# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/dkimkeys/signingtable
# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
InternalHosts refile:/etc/dkimkeys/trustedhosts
 
Socket                  inet:8891@localhost
</pre>
</pre>
to the rest of the mail lines


Create a maildir for www-data manually (dovecot has no permissions to create in /var/www)
/etc/dkimkeys/trustedhosts
<pre>
<pre>
mkdir /var/www/Maildir
127.0.0.1
chown www-data /var/www/Maildir
10.1.0.0/16
1.2.3.4/24
</pre>
</pre>


To test:
In /etc/postfix/main.cf
<pre>
<pre>
mutt -f imap://username@localhost
#For opendkim
mutt -f pop://username@localhost
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
</pre>


or to open a user's maildir:
Generate the key (nb probably don't use '.' in the selector)
mutt -m maildir -f ~user/Maildir
<pre>
sudo --user opendkim opendkim-genkey -D /etc/dkimkeys -s YYYY_domain_ext -d edgarbv.com
<pre>
or a longer version of this:
<pre>
sudo --user opendkim opendkim-genkey --directory=/etc/dkimkeys --selector 2025_edgarbv_com --nosubdomains --domain=edgarbv.com
</pre>
</pre>


= Roundcube webmail =
In /etc/dkimkeys/keytable you need to add all your private keys in the format - this maps the domain txt entry to the keyfile.
We're going to get the backport version as it's much much better
 
so in /etc/apt/sources.list add
<pre>
<pre>
deb http://backports.debian.org/debian-backports squeeze-backports main
selector._domainkey.domain.ext domain.ext:selector:/etc/dkimkeys/selector.private
</pre>
</pre>


and to install
In /etc/dkimkeys/signingtable you map senders (by default, taken from the
From: header field of a message passing through the filter) to which keys will be used to sign their mail.  Wildcards are allowed for each domain
<pre>
<pre>
apt-get -t squeeze-backports install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra
# Domain yourdomain.org
*@edgarbv.com 2025_edgarbv_com._domainkey.edgarbv.com
# You can specify multiple domains
# Example.net www._domainkey.example.net
</pre>
</pre>


You will need mysql-server, apache2 and php5 as well.
reload opendkim


then in /etc/roundcube/apache.conf
Add it to your SOA from /etc/dkimkeys/selector.txt (get rid of all " and enters and everything in front of and after the () )
<pre>
<pre>
uncomment:
selector._domainkey.domainext TXT v=DKIM1; h=sha256; k=rsa; t=s; v=DKIM1; h=sha256; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxx3VYFe6f/1aunjZHp4WinOmS29t1EV4VIIvKP7P2aVtlvGxghBluJAkdkhUr20o8Mu/bfyW57JZ0eTKkLS7B0aWVlZlVdb4Qi/gFze3f0fh2ly9SBHRe2FQj4eK4A9Bd+GDBBeS4gQMgeYe38+Pa9LxNQWzyeKv47Isbmk/ffboylhOSKgLO97GHZxl/6qAHUu57bviEtk17/jNRxeBvs7sAqO++3qX/ky5NMObw+sjNa/swD9uG6pIVFpQ7NZbz390UoHj95CuTxZMbtyELRxkcvl0Axq1WXW35M74x2DNOJA0YaJof1X3zbSVSAvwVZ4WvXs7XrZupZ704hVcQIDAQAB
    Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
    Alias /roundcube /var/lib/roundcube
</pre>
</pre>


in /etc/roundcube/main.inc.php change
check this has gone right by
<pre>
<pre>
$rcmail_config['htmleditor'] = 0; to 1
dig selector._domainkey.domain.ext txt
$rcmail_config['preview_pane'] = 0; to 1
$rcmail_config['default_host'] = '127.0.0.1';
$rcmail_config['language'] = 'nl_NL';
</pre>
</pre>
then


Settings that need looking at and haven't been enabled yet!
test by sending an email to check-auth@verifier.port25.com and it should respond with a report
<pre>
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';
</pre>


in /usr/local/etc/php.ini
and
<pre>
<pre>
upload_max_filesize = 5M</pre>
opendkim-testkey -v -v


== Plugins ==
opendkim-testkey: using default configfile /etc/opendkim.conf
=== virtuser_file ===
opendkim-testkey: record 0 for 'mail._domainkey.edgarbv.com' retrieved
This comes with the roundcube-plugins package and makes roundcube read the identities (@domain.ext) from a file in the format:
opendkim-testkey: checking key 'mail._domainkey.edgarbv.com'
 
opendkim-testkey: key mail._domainkey.edgarbv.com secure
email@domain.ext user
opendkim-testkey: 1 key checked; 1 pass, 0 fail
email2@domain2.ext user2
</pre>


If a user has multiple @domain.ext set in the file, then it makes multiple entries you can choose from as your from address.
If you get
 
Find in /etc/roundcube/main.inc.php
<pre>
<pre>
$rcmail_config['plugins'] = array('virtuser_file');
opendkim-testkey: using default configfile /etc/opendkim.conf
</pre>
opendkim-testkey: record 0 for 'mail._domainkey.edgarbv.com' retrieved
To enable it. and then all the way at the bottom set
opendkim-testkey: checking key 'mail._domainkey.edgarbv.com'
<pre>
opendkim-testkey: key mail._domainkey.edgarbv.com: keys do not match
$rcmail_config['virtuser_file'] = '/etc/postfix/virtual';
opendkim-testkey: key mail._domainkey.edgarbv.com secure
</pre>
</pre>
It is saying that the key information in the key in /etc/dkimkeys is not the same as the DNS record TXT information.


=== DragnDrop Attachments ===
[https://wiki.debian.org/opendkim Debian wiki opendkim]
You can find that [https://github.com/strimpak/dragndrop_attachments here]


download, then unzip and mv to /var/lib/roundcube/plugins/dragndrop_attachments/
http://www.opendkim.org/opendkim-README


In main.inc.php
[https://www.frontline.ro/en/blog/how-to-configure-opendkim-with-postfix-on-debian-12-bookworm] includes a script to spit out the DNS record
<pre>
$rcmail_config['plugins'] = array('virtuser_file','vcard_attachments','show_additional_headers','emoticons','jqueryui','dragndrop_attachments', 'vacation');
</pre>


== Vacation autoresponder ==
[https://www.server-world.info/en/note?os=Debian_12&p=mail&f=11] shows opendkim-testkey -d srv.world -s 20240712 -vvv use
Download it from [http://sourceforge.net/projects/rcubevacation/files/ here]


unzip it to /var/lib/roundcube/plugins/vacation/
Permissions for keyfiles: 640


The config.ini should look like this:
if you want multiple subdomains you need to create the keyfiles multiple times
<pre>
<pre>
[default]
opendkim-genkey -D /etc/dkimkeys -d mail.example.com -s mail.example.com
driver = "ftp"
opendkim-genkey -D /etc/dkimkeys -d smtp.example.com -s smtp.example.com
subject = "Afwezig"
</pre>https://dmarcguide.globalcyberalliance.org/dkim
body = "default.txt"


[dotforward]
== DMARC ==
binary = "/usr/bin/vacation"
A system to tell you what to do with reply messages http://www.dmarc.org/overview.html https://www.sonicwall.com/support/knowledge-base/what-is-a-dmarc-record-and-how-do-i-create-it-on-dns-server/170504796167071/  https://dmarcguide.globalcyberalliance.org/#/dmarc/  
flags = ""
message = ".vacation.msg"
database = ".vacation.db"
alias_identities = true
set_envelop_sender = false
always_keep_message = true
</pre>


in Roundcube 0.5 the page layout has changed and the plugin displays incorrectly. To fix this, edit
_dmarc.edgarbv.com. IN TXT "v=DMARC1; p=none; rua=<nowiki>mailto:dmarc@edgarbv.com</nowiki>; ruf=<nowiki>mailto:dmarc@edgarbv.com</nowiki>; sp=none; ri=86400"


plugins/vacation/skins/default/vacation.css
== Microsoft JMRP and SNDS ==
JMRP (Junk Mail Reporting Partner Program) and SNDS (Smart Network Data Services),


and add in some padding:
Enrol here:
<pre>
#pagecontent {
width: 800px;
padding-top:70px;
}
</pre>


Also edit plugins/vacation/default.txt
https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0


Note that it won't save the autoresponder message and subject if you don't tick the checkbox on the top of the page (which we've moved down a bit above)
[https://kb.iweb.com/hc/en-us/articles/230267648-Subscribing-to-Microsoft-JMRP-and-SNDS More information about enrolling]


Finally, add 'vacation' to the $rcmail_config['plugins'] in roundcube main.inc.php
= fail2ban =
Also see [[Debian Standard Packages to install afterwards#fail2ban]]


You can find the auto reply in the settings
in /etc/fail2ban/jail.local
<pre>
[dovecot]
enabled = true
logpath = /var/log/mail/dovecot.info


NB. when testing, you may need to delete the users from the database to check if certain settings are being set before logging in.
[postfix]
enabled  = true


= Converting from mbox to maildir =
[postfix-rbl]
Because we want the system to support IMAP functionality fully, there are some changes to to be made which will be documented further. For now, look at [[Converting from mbox to maildir]]
enabled  = true


= Webmail performance =
[postfix-sasl]
package imapproxy implements UP-IMapProxy
enabled = true
 
findtime = 1d
= Iphone Push =
maxretry = 3
package imaprowl implements push for Iphone and Gmail
bantime = 5d
</pre>

Revision as of 07:19, 30 March 2025

You will need these for the mail server

apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d automx

pdnsd - use resolvconf configuration

Network

Debian Network Setup

Ensure your PTR records are set in DNS 

TXT edgarbv.com v=spf1 mx-all
AAAA edgarbv.com IPv6address
MX 10 mail.edgarbv.com edgarbv.com
A edgarbv.com IPv4address

Certificates for mail.edgarbv.com - see postfix and dovecot

Postfix and Procmail

First install Postfix as the mail transport agent

Amavis-new + ClamAV

Amavis functions as a postfix addon that filters mail through ClamAV and Spamassassin. Amavis-new and ClamAV

Spamassassin

Then configure Spamassassin

Dovecot

Now install Dovecot as an IMAP / POP3 server

Automx

automx sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings

Roundcube webmail

And install Roundcube for webmail

Converting from mbox to maildir

Because we want the system to support IMAP functionality fully, there are some changes to to be made which will be documented further. For now, look at Converting from mbox to maildir

Webmail performance

package imapproxy implements UP-IMapProxy

Iphone Push

package imaprowl implements push for Iphone and Gmail

Mobile settings

Incoming: 

Security type: TLS (Accept all certificates)
Port: 143

Outgoing: 

Hostname: mail.edgarbv.com
Security Type: TLS (Accept all certificates)
Port: 587
Require sign in: on

Note, TLS will only work for 1 IP adres per hostname. It only gets 1 certificate per IP adres.

Spam protection

https://dmarcguide.globalcyberalliance.org/ tests your SPF / DKIM / DMARC / BIMI and TLS and has guides on how to implement them.

SPF

This implements Sender Policy Framework, a method to check if an email's From comes from an authorised server http://www.openspf.org/Introduction

Sender Policy Framework / SPF

DKIM

Another trust mechanism http://www.dkim.org/

/etc/opendkim.conf 

Syslog                  yes
SyslogSuccess           yes

Mode                    sv
SubDomains              no

# Specify the list of keys
KeyTable file:/etc/dkimkeys/keytable
# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/dkimkeys/signingtable 
# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
InternalHosts refile:/etc/dkimkeys/trustedhosts

Socket                  inet:8891@localhost

/etc/dkimkeys/trustedhosts 

127.0.0.1
10.1.0.0/16
1.2.3.4/24

In /etc/postfix/main.cf 

#For opendkim
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

Generate the key (nb probably don't use '.' in the selector) 

sudo --user opendkim opendkim-genkey -D /etc/dkimkeys -s YYYY_domain_ext -d edgarbv.com
<pre>
or a longer version of this:
<pre>
sudo --user opendkim opendkim-genkey --directory=/etc/dkimkeys --selector 2025_edgarbv_com --nosubdomains --domain=edgarbv.com

In /etc/dkimkeys/keytable you need to add all your private keys in the format - this maps the domain txt entry to the keyfile. 

selector._domainkey.domain.ext domain.ext:selector:/etc/dkimkeys/selector.private

In /etc/dkimkeys/signingtable you map senders (by default, taken from the From: header field of a message passing through the filter) to which keys will be used to sign their mail. Wildcards are allowed for each domain 

# Domain yourdomain.org
*@edgarbv.com 2025_edgarbv_com._domainkey.edgarbv.com
# You can specify multiple domains
# Example.net www._domainkey.example.net

reload opendkim

Add it to your SOA from /etc/dkimkeys/selector.txt (get rid of all " and enters and everything in front of and after the () ) 

selector._domainkey.domainext TXT v=DKIM1; h=sha256; k=rsa; t=s; v=DKIM1; h=sha256; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxx3VYFe6f/1aunjZHp4WinOmS29t1EV4VIIvKP7P2aVtlvGxghBluJAkdkhUr20o8Mu/bfyW57JZ0eTKkLS7B0aWVlZlVdb4Qi/gFze3f0fh2ly9SBHRe2FQj4eK4A9Bd+GDBBeS4gQMgeYe38+Pa9LxNQWzyeKv47Isbmk/ffboylhOSKgLO97GHZxl/6qAHUu57bviEtk17/jNRxeBvs7sAqO++3qX/ky5NMObw+sjNa/swD9uG6pIVFpQ7NZbz390UoHj95CuTxZMbtyELRxkcvl0Axq1WXW35M74x2DNOJA0YaJof1X3zbSVSAvwVZ4WvXs7XrZupZ704hVcQIDAQAB

check this has gone right by 

dig selector._domainkey.domain.ext txt

then

test by sending an email to check-auth@verifier.port25.com and it should respond with a report

and 

opendkim-testkey -v -v

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: record 0 for 'mail._domainkey.edgarbv.com' retrieved
opendkim-testkey: checking key 'mail._domainkey.edgarbv.com'
opendkim-testkey: key mail._domainkey.edgarbv.com secure
opendkim-testkey: 1 key checked; 1 pass, 0 fail

If you get 

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: record 0 for 'mail._domainkey.edgarbv.com' retrieved
opendkim-testkey: checking key 'mail._domainkey.edgarbv.com'
opendkim-testkey: key mail._domainkey.edgarbv.com: keys do not match
opendkim-testkey: key mail._domainkey.edgarbv.com secure

It is saying that the key information in the key in /etc/dkimkeys is not the same as the DNS record TXT information.

Debian wiki opendkim

http://www.opendkim.org/opendkim-README

[1] includes a script to spit out the DNS record

[2] shows opendkim-testkey -d srv.world -s 20240712 -vvv use

Permissions for keyfiles: 640

if you want multiple subdomains you need to create the keyfiles multiple times 

opendkim-genkey -D /etc/dkimkeys -d mail.example.com -s mail.example.com
opendkim-genkey -D /etc/dkimkeys -d smtp.example.com -s smtp.example.com

https://dmarcguide.globalcyberalliance.org/dkim

DMARC

A system to tell you what to do with reply messages http://www.dmarc.org/overview.html https://www.sonicwall.com/support/knowledge-base/what-is-a-dmarc-record-and-how-do-i-create-it-on-dns-server/170504796167071/ https://dmarcguide.globalcyberalliance.org/#/dmarc/

_dmarc.edgarbv.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@edgarbv.com; ruf=mailto:dmarc@edgarbv.com; sp=none; ri=86400"

Microsoft JMRP and SNDS

JMRP (Junk Mail Reporting Partner Program) and SNDS (Smart Network Data Services),

Enrol here:

https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0

More information about enrolling

fail2ban

Also see Debian Standard Packages to install afterwards#fail2ban

in /etc/fail2ban/jail.local 

[dovecot]
enabled = true
logpath = /var/log/mail/dovecot.info

[postfix]
enabled  = true

[postfix-rbl]
enabled  = true

[postfix-sasl]
enabled = true
findtime = 1d
maxretry = 3
bantime = 5d
Retrieved from "http://wiki.edgarbv.com/index.php?title=Installing_a_new_mailserver&oldid=37893"