Installing a new mailserver: Difference between revisions

From Edgar BV Wiki
Jump to navigation Jump to search
← Older edit
Visual
 
(23 intermediate revisions by the same user not shown)
Line 19: Line 19:


= Postfix and Procmail =
= Postfix and Procmail =
First install [[Postfix]] as the mail transport agent
First install [[Postfix]] as the mail transport agent, so it handles the sending of email


= Amavis-new + ClamAV =
= Amavis-new + ClamAV =
Amavis functions as a postfix addon that filters mail through ClamAV and Spamassassin. [[Amavis-new and ClamAV]]
Amavis functions as a postfix addon that filters mail through ClamAV and Spamassassin. [[Amavis-new and ClamAV]] Virus and spam checkers


= Spamassassin =
= Spamassassin =
Then configure [[Spamassassin]]
Then configure [[Spamassassin]] spam checker


= Dovecot =
= Dovecot =
Now install [[ Dovecot ]] as an IMAP / POP3 server
Now install [[ Dovecot ]] as an IMAP / POP3 server (to receive and view emails)


= Automx =
== Automx2 ==
[[ automx ]] sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings
[[Automx2]] sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings


= Roundcube webmail =
= Roundcube webmail =
And install [[ Roundcube ]] for webmail
And install [[ Roundcube]] for webmail


= Converting from mbox to maildir =
= Converting from mbox to maildir =
Line 45: Line 45:
package imaprowl implements push for Iphone and Gmail
package imaprowl implements push for Iphone and Gmail


= Mobile settings =
= Connection and Mobile settings =
Incoming:
Incoming:<pre>
<pre>
Hostname: mail.edgarbv.com
Security type: TLS (Accept all certificates)
Security type: TLS/SSL (Accept all certificates) / STARTTLS (TLS/SSL preferred)
Port: 143
Port: 993 / 143 (TLS/SSL preferred)
</pre>
</pre>


Line 55: Line 55:
<pre>
<pre>
Hostname: mail.edgarbv.com
Hostname: mail.edgarbv.com
Security Type: TLS (Accept all certificates)
Security Type: TLS / SSL (Accept all certificates) / STARTTLS
Port: 587
Port: 465 / 587 (465 is preferred)
Require sign in: on
Require sign in: on
</pre>
</pre>


Note, TLS will only work for 1 IP adres per hostname. It only gets 1 certificate per IP adres.
Note, TLS will only work for 1 IP adres per hostname. It only gets 1 certificate per IP adres.
== Outlook 2016 and higher + Office 365 ==
If you are using SSL/TLS on port 993 and 465, in Outlook you can just use File -> Add Account.
For some cases for autodiscover to work (also see [[Automx2]]):
don’t do File – Add Account, but do: File – Account Settings – Manage Profiles – Email Accounts – New (also see https://talk.plesk.com/threads/autodiscover-not-working-properly-on-outlook.356682/page-2) - especially when using STARTTLS settings
== IOS / Apple Mobile devices ==
Visit the URL in Safari eg <pre>
autodiscover.edgarbv.com/mobileconfig/?emailaddress=user@edgarbv.com
</pre>It will ask you to download the profile and tell you to go to settings to install the profile (Click on Profile Downloaded and install)
To remove this account you need to go to Settings -> VPN & Device Management -> select the accounts and remove them here
The profile will be unsigned, but to sign you need to either use proprietary Apple distribution systems or https://stackoverflow.com/questions/53434631/how-to-sign-an-ios-configuration-profile-generated-programmatically and https://github.com/rseichter/automx2/issues/17#issuecomment-2773814736


= Spam protection =
= Spam protection =
Line 99: Line 114:
</pre>
</pre>


Generate the key
In /etc/postfix/main.cf
<pre>
#For opendkim
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
</pre>
 
Generate the key (nb probably don't use '.' in the selector)
<pre>
<pre>
sudo --user opendkim -D /etc/dkimkeys -s YYYY.domain.ext -d edgarbv.com
sudo --user opendkim opendkim-genkey -D /etc/dkimkeys -s YYYY_domain_ext -d edgarbv.com
<pre>
<pre>
or a longer version of this:
or a longer version of this:
<pre>
<pre>
sudo --user opendkim opendkim-genkey --directory=/etc/dkimkeys --selector 2025.edgarbv.com --nosubdomains --domain=edgarbv.com
sudo --user opendkim opendkim-genkey --directory=/etc/dkimkeys --selector 2025_edgarbv_com --nosubdomains --domain=edgarbv.com
</pre>
</pre>


In /etc/dkimkeys/keytable you need to add all your private keys in the format
In /etc/dkimkeys/keytable you need to add all your private keys in the format - this maps the domain txt entry to the keyfile.
<pre>
<pre>
mail._domainkey.domain.ext domain.ext:mail/etc/dkimkeys/selector.private
selector._domainkey.domain.ext domain.ext:selector:/etc/dkimkeys/selector.private
</pre>
</pre>


In /etc/dkimkeys/keytable for each domain
In /etc/dkimkeys/signingtable you map senders (by default, taken from the
From: header field of a message passing through the filter) to which keys will be used to sign their mail.  Wildcards are allowed for each domain
<pre>
<pre>
# Domain yourdomain.org
# Domain yourdomain.org
*@edgarbv.com mail._domainkey.edgarbv.com
*@edgarbv.com 2025_edgarbv_com._domainkey.edgarbv.com
# You can specify multiple domains
# You can specify multiple domains
# Example.net www._domainkey.example.net
# Example.net www._domainkey.example.net
</pre>
</pre>


In /etc/postfix/main.cf
reload opendkim
 
Add it to your SOA from /etc/dkimkeys/selector.txt (get rid of all " and enters and everything in front of and after the () )
<pre>
selector._domainkey.domainext TXT v=DKIM1; h=sha256; k=rsa; t=s; v=DKIM1; h=sha256; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxx3VYFe6f/1aunjZHp4WinOmS29t1EV4VIIvKP7P2aVtlvGxghBluJAkdkhUr20o8Mu/bfyW57JZ0eTKkLS7B0aWVlZlVdb4Qi/gFze3f0fh2ly9SBHRe2FQj4eK4A9Bd+GDBBeS4gQMgeYe38+Pa9LxNQWzyeKv47Isbmk/ffboylhOSKgLO97GHZxl/6qAHUu57bviEtk17/jNRxeBvs7sAqO++3qX/ky5NMObw+sjNa/swD9uG6pIVFpQ7NZbz390UoHj95CuTxZMbtyELRxkcvl0Axq1WXW35M74x2DNOJA0YaJof1X3zbSVSAvwVZ4WvXs7XrZupZ704hVcQIDAQAB
</pre>
 
check this has gone right by
<pre>
dig selector._domainkey.domain.ext txt
</pre>
then
 
test by sending an email to check-auth@verifier.port25.com and it should respond with a report
 
and
<pre>
opendkim-testkey -v -v
 
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: record 0 for 'mail._domainkey.edgarbv.com' retrieved
opendkim-testkey: checking key 'mail._domainkey.edgarbv.com'
opendkim-testkey: key mail._domainkey.edgarbv.com secure
opendkim-testkey: 1 key checked; 1 pass, 0 fail
</pre>
 
If you get
<pre>
<pre>
#For opendkim
opendkim-testkey: using default configfile /etc/opendkim.conf
smtpd_milters = inet:localhost:8891
opendkim-testkey: record 0 for 'mail._domainkey.edgarbv.com' retrieved
non_smtpd_milters = $smtpd_milters
opendkim-testkey: checking key 'mail._domainkey.edgarbv.com'
milter_default_action = accept
opendkim-testkey: key mail._domainkey.edgarbv.com: keys do not match
opendkim-testkey: key mail._domainkey.edgarbv.com secure
</pre>
</pre>
It is saying that the key information in the key in /etc/dkimkeys is not the same as the DNS record TXT information.


[https://www.linode.com/docs/guides/configure-spf-and-dkim-in-postfix-on-debian-9/]
[https://wiki.debian.org/opendkim Debian wiki opendkim]


[https://danq.me/2023/09/02/dkim-for-dummies/] really short
http://www.opendkim.org/opendkim-README


[https://www.frontline.ro/en/blog/how-to-configure-opendkim-with-postfix-on-debian-12-bookworm] includes a script to spit out the DNS record
[https://www.frontline.ro/en/blog/how-to-configure-opendkim-with-postfix-on-debian-12-bookworm] includes a script to spit out the DNS record


[https://www.server-world.info/en/note?os=Debian_12&p=mail&f=11] shows opendkim-testkey -d srv.world -s 20240712 -vvv use
[https://www.server-world.info/en/note?os=Debian_12&p=mail&f=11] shows opendkim-testkey -d srv.world -s 20240712 -vvv use
[https://wiki.debian.org/opendkim Debian wiki opendkim]


Permissions for keyfiles: 640
Permissions for keyfiles: 640
Line 160: Line 210:


[https://kb.iweb.com/hc/en-us/articles/230267648-Subscribing-to-Microsoft-JMRP-and-SNDS More information about enrolling]
[https://kb.iweb.com/hc/en-us/articles/230267648-Subscribing-to-Microsoft-JMRP-and-SNDS More information about enrolling]
= Shorewall firewall =
== Ports list ==
pop3 110
pop3s 995
imap 143
imaps 993
smtp 25
submission / mail submission agent 587
smtps / ssmtp / urd / submissions 465
== /etc/shorewall/rules ==
<pre>
# email server
POP3(ACCEPT)    net            $FW
POP3S(ACCEPT)  net            $FW
IMAP(ACCEPT)    net            $FW
IMAPS(ACCEPT)  net            $FW
SMTP(ACCEPT)    net            $FW
MSA(ACCEPT)    net            $FW
#MSA is also known as submission
SMTPS(ACCEPT)  net            $FW
#SMTPS is also known as submissions and also covers sstmp and urd
</pre>


= fail2ban =
= fail2ban =
Line 172: Line 256:
[postfix]
[postfix]
enabled  = true
enabled  = true
maxretry = 5


[postfix-rbl]
[postfix-rbl]
enabled  = true
enabled  = true
maxretry = 1


[postfix-sasl]
[postfix-sasl]
enabled = true
enabled = true
findtime = 10h
findtime = 1d
maxretry = 3
maxretry = 3
bantime = 48h
bantime = 5d
</pre>
</pre>
= Deprecated - Automx =
[[ automx ]] sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings

Latest revision as of 12:02, 4 April 2025

You will need these for the mail server

apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d automx

pdnsd - use resolvconf configuration

Network

Debian Network Setup

Ensure your PTR records are set in DNS 

TXT edgarbv.com v=spf1 mx-all
AAAA edgarbv.com IPv6address
MX 10 mail.edgarbv.com edgarbv.com
A edgarbv.com IPv4address

Certificates for mail.edgarbv.com - see postfix and dovecot

Postfix and Procmail

First install Postfix as the mail transport agent, so it handles the sending of email

Amavis-new + ClamAV

Amavis functions as a postfix addon that filters mail through ClamAV and Spamassassin. Amavis-new and ClamAV Virus and spam checkers

Spamassassin

Then configure Spamassassin spam checker

Dovecot

Now install Dovecot as an IMAP / POP3 server (to receive and view emails)

Automx2

Automx2 sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings

Roundcube webmail

And install Roundcube for webmail

Converting from mbox to maildir

Because we want the system to support IMAP functionality fully, there are some changes to to be made which will be documented further. For now, look at Converting from mbox to maildir

Webmail performance

package imapproxy implements UP-IMapProxy

Iphone Push

package imaprowl implements push for Iphone and Gmail

Connection and Mobile settings

Incoming:

Hostname: mail.edgarbv.com
Security type: TLS/SSL (Accept all certificates) / STARTTLS (TLS/SSL preferred)
Port: 993 / 143 (TLS/SSL preferred)

Outgoing: 

Hostname: mail.edgarbv.com
Security Type: TLS / SSL (Accept all certificates) / STARTTLS
Port: 465 / 587 (465 is preferred)
Require sign in: on

Note, TLS will only work for 1 IP adres per hostname. It only gets 1 certificate per IP adres.

Outlook 2016 and higher + Office 365

If you are using SSL/TLS on port 993 and 465, in Outlook you can just use File -> Add Account.

For some cases for autodiscover to work (also see Automx2): don’t do File – Add Account, but do: File – Account Settings – Manage Profiles – Email Accounts – New (also see https://talk.plesk.com/threads/autodiscover-not-working-properly-on-outlook.356682/page-2) - especially when using STARTTLS settings

IOS / Apple Mobile devices

Visit the URL in Safari eg 

autodiscover.edgarbv.com/mobileconfig/?emailaddress=user@edgarbv.com

It will ask you to download the profile and tell you to go to settings to install the profile (Click on Profile Downloaded and install)

To remove this account you need to go to Settings -> VPN & Device Management -> select the accounts and remove them here

The profile will be unsigned, but to sign you need to either use proprietary Apple distribution systems or https://stackoverflow.com/questions/53434631/how-to-sign-an-ios-configuration-profile-generated-programmatically and https://github.com/rseichter/automx2/issues/17#issuecomment-2773814736

Spam protection

https://dmarcguide.globalcyberalliance.org/ tests your SPF / DKIM / DMARC / BIMI and TLS and has guides on how to implement them.

SPF

This implements Sender Policy Framework, a method to check if an email's From comes from an authorised server http://www.openspf.org/Introduction

Sender Policy Framework / SPF

DKIM

Another trust mechanism http://www.dkim.org/

/etc/opendkim.conf 

Syslog                  yes
SyslogSuccess           yes

Mode                    sv
SubDomains              no

# Specify the list of keys
KeyTable file:/etc/dkimkeys/keytable
# Match keys and domains. To use regular expressions in the file, use refile: instead of file:
SigningTable refile:/etc/dkimkeys/signingtable 
# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host.
InternalHosts refile:/etc/dkimkeys/trustedhosts

Socket                  inet:8891@localhost

/etc/dkimkeys/trustedhosts 

127.0.0.1
10.1.0.0/16
1.2.3.4/24

In /etc/postfix/main.cf 

#For opendkim
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

Generate the key (nb probably don't use '.' in the selector) 

sudo --user opendkim opendkim-genkey -D /etc/dkimkeys -s YYYY_domain_ext -d edgarbv.com
<pre>
or a longer version of this:
<pre>
sudo --user opendkim opendkim-genkey --directory=/etc/dkimkeys --selector 2025_edgarbv_com --nosubdomains --domain=edgarbv.com

In /etc/dkimkeys/keytable you need to add all your private keys in the format - this maps the domain txt entry to the keyfile. 

selector._domainkey.domain.ext domain.ext:selector:/etc/dkimkeys/selector.private

In /etc/dkimkeys/signingtable you map senders (by default, taken from the From: header field of a message passing through the filter) to which keys will be used to sign their mail. Wildcards are allowed for each domain 

# Domain yourdomain.org
*@edgarbv.com 2025_edgarbv_com._domainkey.edgarbv.com
# You can specify multiple domains
# Example.net www._domainkey.example.net

reload opendkim

Add it to your SOA from /etc/dkimkeys/selector.txt (get rid of all " and enters and everything in front of and after the () ) 

selector._domainkey.domainext TXT v=DKIM1; h=sha256; k=rsa; t=s; v=DKIM1; h=sha256; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxx3VYFe6f/1aunjZHp4WinOmS29t1EV4VIIvKP7P2aVtlvGxghBluJAkdkhUr20o8Mu/bfyW57JZ0eTKkLS7B0aWVlZlVdb4Qi/gFze3f0fh2ly9SBHRe2FQj4eK4A9Bd+GDBBeS4gQMgeYe38+Pa9LxNQWzyeKv47Isbmk/ffboylhOSKgLO97GHZxl/6qAHUu57bviEtk17/jNRxeBvs7sAqO++3qX/ky5NMObw+sjNa/swD9uG6pIVFpQ7NZbz390UoHj95CuTxZMbtyELRxkcvl0Axq1WXW35M74x2DNOJA0YaJof1X3zbSVSAvwVZ4WvXs7XrZupZ704hVcQIDAQAB

check this has gone right by 

dig selector._domainkey.domain.ext txt

then

test by sending an email to check-auth@verifier.port25.com and it should respond with a report

and 

opendkim-testkey -v -v

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: record 0 for 'mail._domainkey.edgarbv.com' retrieved
opendkim-testkey: checking key 'mail._domainkey.edgarbv.com'
opendkim-testkey: key mail._domainkey.edgarbv.com secure
opendkim-testkey: 1 key checked; 1 pass, 0 fail

If you get 

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: record 0 for 'mail._domainkey.edgarbv.com' retrieved
opendkim-testkey: checking key 'mail._domainkey.edgarbv.com'
opendkim-testkey: key mail._domainkey.edgarbv.com: keys do not match
opendkim-testkey: key mail._domainkey.edgarbv.com secure

It is saying that the key information in the key in /etc/dkimkeys is not the same as the DNS record TXT information.

Debian wiki opendkim

http://www.opendkim.org/opendkim-README

[1] includes a script to spit out the DNS record

[2] shows opendkim-testkey -d srv.world -s 20240712 -vvv use

Permissions for keyfiles: 640

if you want multiple subdomains you need to create the keyfiles multiple times 

opendkim-genkey -D /etc/dkimkeys -d mail.example.com -s mail.example.com
opendkim-genkey -D /etc/dkimkeys -d smtp.example.com -s smtp.example.com

https://dmarcguide.globalcyberalliance.org/dkim

DMARC

A system to tell you what to do with reply messages http://www.dmarc.org/overview.html https://www.sonicwall.com/support/knowledge-base/what-is-a-dmarc-record-and-how-do-i-create-it-on-dns-server/170504796167071/ https://dmarcguide.globalcyberalliance.org/#/dmarc/

_dmarc.edgarbv.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@edgarbv.com; ruf=mailto:dmarc@edgarbv.com; sp=none; ri=86400"

Microsoft JMRP and SNDS

JMRP (Junk Mail Reporting Partner Program) and SNDS (Smart Network Data Services),

Enrol here:

https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0

More information about enrolling

Shorewall firewall

Ports list

pop3 110

pop3s 995

imap 143

imaps 993

smtp 25

submission / mail submission agent 587

smtps / ssmtp / urd / submissions 465

/etc/shorewall/rules

# email server

POP3(ACCEPT)    net             $FW
POP3S(ACCEPT)   net             $FW
IMAP(ACCEPT)    net             $FW
IMAPS(ACCEPT)   net             $FW
SMTP(ACCEPT)    net             $FW
MSA(ACCEPT)     net             $FW
#MSA is also known as submission
SMTPS(ACCEPT)   net             $FW
#SMTPS is also known as submissions and also covers sstmp and urd

fail2ban

Also see Debian Standard Packages to install afterwards#fail2ban

in /etc/fail2ban/jail.local 

[dovecot]
enabled = true
logpath = /var/log/mail/dovecot.info

[postfix]
enabled  = true

[postfix-rbl]
enabled  = true

[postfix-sasl]
enabled = true
findtime = 1d
maxretry = 3
bantime = 5d

Deprecated - Automx

automx sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings

Retrieved from "http://wiki.edgarbv.com/index.php?title=Installing_a_new_mailserver&oldid=37961"