Installing a new mailserver

From Edgar BV Wiki
Revision as of 12:41, 19 April 2022 by Unknown user (talk)
Jump to navigation Jump to search

You will need these for the mail server

apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d automx

pdnsd - use resolvconf configuration

Network

Debian Network Setup

Ensure your PTR records are set in DNS

TXT edgarbv.com v=spf1 mx-all
AAAA edgarbv.com IPv6address
MX 10 mail.edgarbv.com edgarbv.com
A edgarbv.com IPv4address

Certificates for mail.edgarbv.com - see postfix and dovecot

Postfix and Procmail

First install Postfix as the mail transport agent

Amavis-new + ClamAV

Amavis functions as a postfix addon that filters mail through ClamAV and Spamassassin. Amavis-new and ClamAV

Spamassassin

Then configure Spamassassin

Dovecot

Now install Dovecot as an IMAP / POP3 server

Automx

automx sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings

Roundcube webmail

And install Roundcube for webmail

Converting from mbox to maildir

Because we want the system to support IMAP functionality fully, there are some changes to to be made which will be documented further. For now, look at Converting from mbox to maildir

Webmail performance

package imapproxy implements UP-IMapProxy

Iphone Push

package imaprowl implements push for Iphone and Gmail

Mobile settings

Incoming:

Security type: TLS (Accept all certificates)
Port: 143

Outgoing:

Hostname: mail.edgarbv.com
Security Type: TLS (Accept all certificates)
Port: 587
Require sign in: on

Note, TLS will only work for 1 IP adres per hostname. It only gets 1 certificate per IP adres.

Spam protection

SPF

This implements Sender Policy Framework, a method to check if an email's From comes from an authorised server http://www.openspf.org/Introduction

Sender Policy Framework / SPF

DKIM

Another trust mechanism http://www.dkim.org/

Configure SPF and DKIM With Postfix on Debian 8

Debian wiki opendkim

Permissions for keyfiles: 640

if you want multiple subdomains you need to create the keyfiles multiple times

opendkim-genkey -D /etc/postfix/dkim/keys/ -d example.com -s mail 
opendkim-genkey -D /etc/postfix/dkim/keys/ -d example.com -s smtp

DMARC

A system to tell you what to do with reply messages http://www.dmarc.org/overview.html

Microsoft JMRP and SNDS

JMRP (Junk Mail Reporting Partner Program) and SNDS (Smart Network Data Services),

Enrol here:

https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0

More information about enrolling

fail2ban

in /etc/fail2ban/jail.d/jail.local

[DEFAULT]

ignoreip = 127.0.0.1/8 91.154.222.134 37.252.124.72/24
bantime  = 6000

[proftpd]
enabled  = true

[dovecot]
enabled = true
logpath = /var/log/mail/dovecot.info

[postfix]
enabled  = true
# To use another modes set filter parameter "mode" in jail.local:
mode    = more
port    = smtp,465,submission
logpath = /var/log/mail/mail.log
maxretry = 5
#backend = %(postfix_backend)s

[postfix-rbl]
enabled  = true
filter   = postfix[mode=rbl]
port     = smtp,465,submission
logpath  = /var/log/mail/mail.log
#backend  = %(postfix_backend)s
maxretry = 1

[postfix-sasl]
enabled = true
port    = smtp
filter  = postfix-sasl
logpath = /var/log/mail/mail.log
maxretry = 5