Installing a new mailserver: Difference between revisions

From Edgar BV Wiki
Created page with "First install Postfix Then install Spamassassin Follow by installing Webmail Squirrelmail for Debian Which also installs Dovecot Because we want the system to ..."
 
 
(57 intermediate revisions by the same user not shown)
Line 1: Line 1:
First install [[Postfix]]
You will need these for the mail server


Then install [[Spamassassin]]
apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d automx


Follow by installing [[Webmail Squirrelmail for Debian]]
pdnsd - use resolvconf configuration


Which also installs Dovecot
= Network =
[[Debian Network Setup]]


Ensure your PTR records are set in DNS
<pre>
TXT edgarbv.com v=spf1 mx-all
AAAA edgarbv.com IPv6address
MX 10 mail.edgarbv.com edgarbv.com
A edgarbv.com IPv4address
</pre>
Certificates for mail.edgarbv.com - see postfix and dovecot
= Postfix and Procmail =
First install [[Postfix]] as the mail transport agent
= Amavis-new + ClamAV =
Amavis functions as a postfix addon that filters mail through ClamAV and Spamassassin. [[Amavis-new and ClamAV]]
= Spamassassin =
Then configure [[Spamassassin]]
= Dovecot =
Now install [[ Dovecot ]] as an IMAP / POP3 server
= Automx =
[[ automx ]] sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings
= Roundcube webmail =
And install [[ Roundcube ]] for webmail
= Converting from mbox to maildir =
Because we want the system to support IMAP functionality fully, there are some changes to to be made which will be documented further. For now, look at [[Converting from mbox to maildir]]
Because we want the system to support IMAP functionality fully, there are some changes to to be made which will be documented further. For now, look at [[Converting from mbox to maildir]]
= Webmail performance =
package imapproxy implements UP-IMapProxy
= Iphone Push =
package imaprowl implements push for Iphone and Gmail
= Mobile settings =
Incoming:
<pre>
Security type: TLS (Accept all certificates)
Port: 143
</pre>
Outgoing:
<pre>
Hostname: mail.edgarbv.com
Security Type: TLS (Accept all certificates)
Port: 587
Require sign in: on
</pre>
Note, TLS will only work for 1 IP adres per hostname. It only gets 1 certificate per IP adres.
= Spam protection =
== SPF ==
This implements Sender Policy Framework, a method to check if an email's From comes from an authorised server
http://www.openspf.org/Introduction
[[Sender Policy Framework / SPF]]
== DKIM ==
Another trust mechanism http://www.dkim.org/
[https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/ Configure SPF and DKIM With Postfix on Debian 8]
[https://wiki.debian.org/opendkim Debian wiki opendkim]
Permissions for keyfiles: 640
if you want multiple subdomains you need to create the keyfiles multiple times
<pre>
opendkim-genkey -D /etc/postfix/dkim/keys/ -d example.com -s mail
opendkim-genkey -D /etc/postfix/dkim/keys/ -d example.com -s smtp
</pre>https://dmarcguide.globalcyberalliance.org/dkim
== DMARC ==
A system to tell you what to do with reply messages http://www.dmarc.org/overview.html https://www.sonicwall.com/support/knowledge-base/what-is-a-dmarc-record-and-how-do-i-create-it-on-dns-server/170504796167071/  https://dmarcguide.globalcyberalliance.org/#/dmarc/
_dmarc.edgarbv.com. IN TXT "v=DMARC1; p=none; rua=<nowiki>mailto:dmarc@edgarbv.com</nowiki>; ruf=<nowiki>mailto:dmarc@edgarbv.com</nowiki>; sp=none; ri=86400"
== Microsoft JMRP and SNDS ==
JMRP (Junk Mail Reporting Partner Program) and SNDS (Smart Network Data Services),
Enrol here:
https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0
[https://kb.iweb.com/hc/en-us/articles/230267648-Subscribing-to-Microsoft-JMRP-and-SNDS More information about enrolling]
= fail2ban =
in /etc/fail2ban/jail.d/jail.local
<pre>
[DEFAULT]
ignoreip = 127.0.0.1/8 91.154.222.134 37.252.124.72/24
bantime  = 6000
[proftpd]
enabled  = true
[dovecot]
enabled = true
logpath = /var/log/mail/dovecot.info
[postfix]
enabled  = true
# To use another modes set filter parameter "mode" in jail.local:
mode    = more
port    = smtp,465,submission
logpath = /var/log/mail/mail.log
maxretry = 5
#backend = %(postfix_backend)s
[postfix-rbl]
enabled  = true
filter  = postfix[mode=rbl]
port    = smtp,465,submission
logpath  = /var/log/mail/mail.log
#backend  = %(postfix_backend)s
maxretry = 1
[postfix-sasl]
enabled = true
port    = smtp
filter  = postfix-sasl
logpath = /var/log/mail/mail.log
maxretry = 5
</pre>
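Review bot: the SPF record in the DNS block under "= Network =" is written `v=spf1 mx-all`; without a space, `mx-all` is read as one unknown mechanism, so receivers evaluate the record to permerror instead of authorising the MX hosts and failing everything else. Write it as `v=spf1 mx -all`. In the fail2ban [DEFAULT] section, the ignoreip entry `37.252.124.72/24` has host bits set and so exempts the whole 37.252.124.0/24 network from banning; if only the single host is meant, drop the /24.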

Latest revision as of 13:51, 20 March 2024

You will need these for the mail server

apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d automx

pdnsd - use resolvconf configuration

Network

Debian Network Setup

Ensure your PTR records are set in DNS

TXT edgarbv.com v=spf1 mx -all
AAAA edgarbv.com IPv6address
MX 10 mail.edgarbv.com edgarbv.com
A edgarbv.com IPv4address

Certificates for mail.edgarbv.com - see postfix and dovecot

Postfix and Procmail

First install Postfix as the mail transport agent

Amavis-new + ClamAV

Amavis functions as a postfix addon that filters mail through ClamAV and Spamassassin. Amavis-new and ClamAV

Spamassassin

Then configure Spamassassin

Dovecot

Now install Dovecot as an IMAP / POP3 server

Automx

automx sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings

Roundcube webmail

And install Roundcube for webmail

Converting from mbox to maildir

Because we want the system to support IMAP functionality fully, there are some changes to be made which will be documented further. For now, look at Converting from mbox to maildir

Webmail performance

package imapproxy implements UP-IMapProxy

iPhone Push

package imaprowl implements push for iPhone and Gmail

Mobile settings

Incoming:

Security type: TLS (Accept all certificates)
Port: 143

Outgoing:

Hostname: mail.edgarbv.com
Security Type: TLS (Accept all certificates)
Port: 587
Require sign in: on

Note: TLS will only work for 1 IP address per hostname. It only gets 1 certificate per IP address.

Spam protection

SPF

This implements Sender Policy Framework, a method to check if an email's From comes from an authorised server http://www.openspf.org/Introduction

Sender Policy Framework / SPF

DKIM

Another trust mechanism http://www.dkim.org/

Configure SPF and DKIM With Postfix on Debian 8

Debian wiki opendkim

Permissions for keyfiles: 640

If you want multiple subdomains, you need to create the keyfiles multiple times:

opendkim-genkey -D /etc/postfix/dkim/keys/ -d example.com -s mail 
opendkim-genkey -D /etc/postfix/dkim/keys/ -d example.com -s smtp

https://dmarcguide.globalcyberalliance.org/dkim

DMARC

A system to tell you what to do with reply messages http://www.dmarc.org/overview.html https://www.sonicwall.com/support/knowledge-base/what-is-a-dmarc-record-and-how-do-i-create-it-on-dns-server/170504796167071/ https://dmarcguide.globalcyberalliance.org/#/dmarc/

_dmarc.edgarbv.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@edgarbv.com; ruf=mailto:dmarc@edgarbv.com; sp=none; ri=86400"
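
An offline lint for the SPF TXT string listed under Network and the DMARC record above, as an added example that is not part of the original wiki page. The function names and the wording of the findings are this example's own; only the DMARC string is taken from the page.

```python
import re

SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
DMARC_POLICIES = {"none", "quarantine", "reject"}
# DMARC record as published on this page.
PAGE_DMARC = ("v=DMARC1; p=none; rua=mailto:dmarc@edgarbv.com; "
              "ruf=mailto:dmarc@edgarbv.com; sp=none; ri=86400")

def lint_spf(record):
    """Return findings for an SPF TXT string (empty list = clean)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings, terminated = [], False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if body[len(name):].startswith("="):
            terminated = terminated or name == "redirect"
            continue  # modifiers such as redirect= or exp= are not mechanisms
        if name not in SPF_MECHANISMS:
            findings.append(f"unknown mechanism '{name}': receivers return permerror")
        elif name == "all":
            terminated = True
            if qualifier in "+?":
                findings.append(f"'{qualifier}all' does not fail unlisted senders")
    if not terminated:
        findings.append("no 'all' or redirect=: unlisted senders evaluate to neutral")
    return findings

def lint_dmarc(record):
    """Return findings for a DMARC TXT string (empty list = clean)."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return ["v=DMARC1 must be the first tag"]
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in parts if "=" in p)}
    findings = [] if "p" in tags else ["required tag p is missing"]
    for tag in ("p", "sp"):
        value = tags.get(tag, "").lower()
        if value == "none":
            findings.append(f"{tag}=none only requests reports; failing mail is not blocked")
        elif value and value not in DMARC_POLICIES:
            findings.append(f"{tag}={value} is not a valid policy")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                findings.append(f"{tag} target '{uri}' is not a mailto: URI")
    return findings
```

lint_spf("v=spf1 mx -all") returns an empty list, while the same string with the space before -all missing is reported as an unknown mechanism; lint_dmarc(PAGE_DMARC) flags p=none and sp=none as report-only.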

Microsoft JMRP and SNDS

JMRP (Junk Mail Reporting Partner Program) and SNDS (Smart Network Data Services),

Enrol here:

https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0

More information about enrolling

fail2ban

in /etc/fail2ban/jail.d/jail.local

[DEFAULT]

ignoreip = 127.0.0.1/8 91.154.222.134 37.252.124.72/24
bantime  = 6000

[proftpd]
enabled  = true

[dovecot]
enabled = true
logpath = /var/log/mail/dovecot.info

[postfix]
enabled  = true
# To use another modes set filter parameter "mode" in jail.local:
mode    = more
port    = smtp,465,submission
logpath = /var/log/mail/mail.log
maxretry = 5
#backend = %(postfix_backend)s

[postfix-rbl]
enabled  = true
filter   = postfix[mode=rbl]
port     = smtp,465,submission
logpath  = /var/log/mail/mail.log
#backend  = %(postfix_backend)s
maxretry = 1

[postfix-sasl]
enabled = true
port    = smtp
filter  = postfix-sasl
logpath = /var/log/mail/mail.log
maxretry = 5
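
The jail settings above replayed over constructed log lines, as an added example that is neither fail2ban's code nor part of the original page: it counts SASL failures per address against maxretry and shows how far the ignoreip entries reach. FINDTIME, the simplified regex and the sample addresses are assumptions of the example, as is the premise that fail2ban masks 37.252.124.72/24 to its /24 network the way Python's ipaddress does with strict=False.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Values copied from the jail.local on this page.
IGNOREIP = ["127.0.0.1/8", "91.154.222.134", "37.252.124.72/24"]
MAXRETRY = 5
FINDTIME = 600  # assumption: the page sets no findtime; 600 s is used here

# Simplified stand-in for a SASL failure pattern, not fail2ban's own filter.
FAIL_RE = re.compile(
    r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[([0-9a-fA-F.:]+)\]: SASL \w+ authentication failed")

def ignored_networks(entries):
    # strict=False masks host bits: 37.252.124.72/24 covers all of 37.252.124.0/24
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def bans(log_lines, ignore=IGNOREIP, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return the addresses that reach maxretry failures inside findtime."""
    nets, recent, banned = ignored_networks(ignore), defaultdict(deque), []
    for line in log_lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])
        ip = ipaddress.ip_address(m[4])
        if any(ip in net for net in nets) or str(ip) in banned:
            continue  # whitelisted by ignoreip, or already banned
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()  # drop failures older than the window
        if len(window) >= maxretry:
            banned.append(str(ip))
    return banned

def sample(ip, times):
    # Constructed log lines in Postfix's usual syslog shape.
    return [f"Mar 20 {t} mail postfix/smtpd[1234]: warning: unknown[{ip}]: "
            "SASL LOGIN authentication failed: authentication failure" for t in times]

BURST = [f"13:00:0{i}" for i in range(6)]          # six failures in six seconds
SLOW = [f"13:{m:02d}:00" for m in range(0, 30, 5)]  # one failure every five minutes
SAMPLE_LOG = (sample("203.0.113.9", BURST) + sample("37.252.124.200", BURST)
              + sample("198.51.100.7", SLOW))

if __name__ == "__main__":
    print(bans(SAMPLE_LOG))
```

With the page's ignoreip only 203.0.113.9 is banned: the burst from 37.252.124.200 falls inside the ignored /24, and the slow source never collects five failures within one window.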