Installing a new mailserver: Difference between revisions
No edit summary |
|||
(55 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
You will need these for the mail server | |||
pdnsd - use resolvconf | apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d automx | ||
pdnsd - use resolvconf configuration | |||
= Network = | |||
[[Debian Network Setup]] | |||
Ensure your PTR records are set in DNS | |||
<pre> | <pre> | ||
TXT edgarbv.com v=spf1 mx-all | |||
AAAA edgarbv.com IPv6address | |||
MX 10 mail.edgarbv.com edgarbv.com | |||
A edgarbv.com IPv4address | |||
</pre> | |||
Certificates for mail.edgarbv.com - see postfix and dovecot | |||
= Postfix and Procmail = | |||
First install [[Postfix]] as the mail transport agent | |||
= Amavis-new + ClamAV = | |||
Amavis functions as a postfix addon that filters mail through ClamAV and Spamassassin. [[Amavis-new and ClamAV]] | |||
= Spamassassin = | |||
Then configure [[Spamassassin]] | |||
= Dovecot = | |||
Now install [[ Dovecot ]] as an IMAP / POP3 server | |||
= Automx = | |||
[[ automx ]] sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings | |||
= Roundcube webmail = | |||
And install [[ Roundcube ]] for webmail | |||
= Converting from mbox to maildir = | |||
Because we want the system to support IMAP functionality fully, there are some changes to to be made which will be documented further. For now, look at [[Converting from mbox to maildir]] | |||
= Webmail performance = | |||
package imapproxy implements UP-IMapProxy | |||
= Iphone Push = | |||
package imaprowl implements push for Iphone and Gmail | |||
= Mobile settings = | |||
Incoming: | |||
<pre> | |||
Security type: TLS (Accept all certificates) | |||
Port: 143 | |||
</pre> | </pre> | ||
Outgoing: | |||
<pre> | |||
Hostname: mail.edgarbv.com | |||
Security Type: TLS (Accept all certificates) | |||
Port: 587 | |||
Require sign in: on | |||
</pre> | |||
Note, TLS will only work for 1 IP adres per hostname. It only gets 1 certificate per IP adres. | |||
= Spam protection = | |||
== SPF == | |||
This implements Sender Policy Framework, a method to check if an email's From comes from an authorised server | |||
http://www.openspf.org/Introduction | |||
[[Sender Policy Framework / SPF]] | |||
== DKIM == | |||
Another trust mechanism http://www.dkim.org/ | |||
[https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/ Configure SPF and DKIM With Postfix on Debian 8] | |||
[https://wiki.debian.org/opendkim Debian wiki opendkim] | |||
Permissions for keyfiles: 640 | |||
if you want multiple subdomains you need to create the keyfiles multiple times | |||
<pre> | |||
opendkim-genkey -D /etc/postfix/dkim/keys/ -d example.com -s mail | |||
opendkim-genkey -D /etc/postfix/dkim/keys/ -d example.com -s smtp | |||
</pre>https://dmarcguide.globalcyberalliance.org/dkim | |||
== DMARC == | |||
A system to tell you what to do with reply messages http://www.dmarc.org/overview.html https://www.sonicwall.com/support/knowledge-base/what-is-a-dmarc-record-and-how-do-i-create-it-on-dns-server/170504796167071/ https://dmarcguide.globalcyberalliance.org/#/dmarc/ | |||
_dmarc.edgarbv.com. IN TXT "v=DMARC1; p=none; rua=<nowiki>mailto:dmarc@edgarbv.com</nowiki>; ruf=<nowiki>mailto:dmarc@edgarbv.com</nowiki>; sp=none; ri=86400" | |||
== Microsoft JMRP and SNDS == | |||
JMRP (Junk Mail Reporting Partner Program) and SNDS (Smart Network Data Services), | |||
Enrol here: | |||
https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0 | |||
[https://kb.iweb.com/hc/en-us/articles/230267648-Subscribing-to-Microsoft-JMRP-and-SNDS More information about enrolling] | |||
= fail2ban = | |||
in /etc/fail2ban/jail.d/jail.local | |||
<pre> | |||
[DEFAULT] | |||
ignoreip = 127.0.0.1/8 91.154.222.134 37.252.124.72/24 | |||
bantime = 6000 | |||
[proftpd] | |||
enabled = true | |||
[dovecot] | |||
enabled = true | |||
logpath = /var/log/mail/dovecot.info | |||
[postfix] | |||
enabled = true | |||
# To use another modes set filter parameter "mode" in jail.local: | |||
mode = more | |||
port = smtp,465,submission | |||
logpath = /var/log/mail/mail.log | |||
maxretry = 5 | |||
#backend = %(postfix_backend)s | |||
[postfix-rbl] | |||
enabled = true | |||
filter = postfix[mode=rbl] | |||
port = smtp,465,submission | |||
logpath = /var/log/mail/mail.log | |||
#backend = %(postfix_backend)s | |||
maxretry = 1 | |||
[postfix-sasl] | |||
enabled = true | |||
port = smtp | |||
filter = postfix-sasl | |||
logpath = /var/log/mail/mail.log | |||
maxretry = 5 | |||
</pre> |
Latest revision as of 13:51, 20 March 2024
You will need these for the mail server
apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d automx
pdnsd - use resolvconf configuration
Network
Ensure your PTR records are set in DNS
TXT edgarbv.com v=spf1 mx-all AAAA edgarbv.com IPv6address MX 10 mail.edgarbv.com edgarbv.com A edgarbv.com IPv4address
Certificates for mail.edgarbv.com - see postfix and dovecot
Postfix and Procmail
First install Postfix as the mail transport agent
Amavis-new + ClamAV
Amavis functions as a postfix addon that filters mail through ClamAV and Spamassassin. Amavis-new and ClamAV
Spamassassin
Then configure Spamassassin
Dovecot
Now install Dovecot as an IMAP / POP3 server
Automx
automx sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings
Roundcube webmail
And install Roundcube for webmail
Converting from mbox to maildir
Because we want the system to support IMAP functionality fully, there are some changes to to be made which will be documented further. For now, look at Converting from mbox to maildir
Webmail performance
package imapproxy implements UP-IMapProxy
Iphone Push
package imaprowl implements push for Iphone and Gmail
Mobile settings
Incoming:
Security type: TLS (Accept all certificates) Port: 143
Outgoing:
Hostname: mail.edgarbv.com Security Type: TLS (Accept all certificates) Port: 587 Require sign in: on
Note, TLS will only work for 1 IP adres per hostname. It only gets 1 certificate per IP adres.
Spam protection
SPF
This implements Sender Policy Framework, a method to check if an email's From comes from an authorised server http://www.openspf.org/Introduction
DKIM
Another trust mechanism http://www.dkim.org/
Configure SPF and DKIM With Postfix on Debian 8
Permissions for keyfiles: 640
if you want multiple subdomains you need to create the keyfiles multiple times
opendkim-genkey -D /etc/postfix/dkim/keys/ -d example.com -s mail opendkim-genkey -D /etc/postfix/dkim/keys/ -d example.com -s smtp
https://dmarcguide.globalcyberalliance.org/dkim
DMARC
A system to tell you what to do with reply messages http://www.dmarc.org/overview.html https://www.sonicwall.com/support/knowledge-base/what-is-a-dmarc-record-and-how-do-i-create-it-on-dns-server/170504796167071/ https://dmarcguide.globalcyberalliance.org/#/dmarc/
_dmarc.edgarbv.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@edgarbv.com; ruf=mailto:dmarc@edgarbv.com; sp=none; ri=86400"
Microsoft JMRP and SNDS
JMRP (Junk Mail Reporting Partner Program) and SNDS (Smart Network Data Services),
Enrol here:
https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0
More information about enrolling
fail2ban
in /etc/fail2ban/jail.d/jail.local
[DEFAULT] ignoreip = 127.0.0.1/8 91.154.222.134 37.252.124.72/24 bantime = 6000 [proftpd] enabled = true [dovecot] enabled = true logpath = /var/log/mail/dovecot.info [postfix] enabled = true # To use another modes set filter parameter "mode" in jail.local: mode = more port = smtp,465,submission logpath = /var/log/mail/mail.log maxretry = 5 #backend = %(postfix_backend)s [postfix-rbl] enabled = true filter = postfix[mode=rbl] port = smtp,465,submission logpath = /var/log/mail/mail.log #backend = %(postfix_backend)s maxretry = 1 [postfix-sasl] enabled = true port = smtp filter = postfix-sasl logpath = /var/log/mail/mail.log maxretry = 5