Installing a new mailserver: Difference between revisions

From Edgar BV Wiki
(32 intermediate revisions by the same user not shown)

Previous revision:

apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d

pdnsd - use resolvconf configuration

= Network =
Set up networking in /etc/network/interfaces
<pre>
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
#auto eth0
iface eth0 inet static
        address 192.168.0.112
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
#      gateway 192.168.0.1
        dns-nameservers 213.75.63.36 213.75.63.70 192.168.0.1
#      dns-nameservers 192.168.0.1 192.168.0.2
#      dns-search tripnet.int internal.tripnet.int ops.tripnet.int

auto eth1
iface eth1 inet static
        address 188.204.140.195
        netmask 255.255.255.224
        network 188.204.140.192
        broadcast 188.204.140.223
        gateway 188.204.140.193
        dns-nameservers 213.75.63.36 213.75.63.70 192.168.0.1
</pre>

= Postfix and Procmail =
First install [[Postfix]]

= Spamassassin =
Then install [[Spamassassin]]

= Dovecot =
Check the following is set, or dovecot won't let people POP / IMAP in
<pre>
protocols = imap imaps pop3 pop3s
</pre>

We need to set it to listen on all interfaces, so uncomment
<pre>
listen = *
</pre>

Because we're allowing plaintext auth we need to change
<pre>
disable_plaintext_auth = no
</pre>

To make Dovecot store mail in Maildir format, with folders as directories (instead of foldername.mail in one big folder), set the following. NB: the documentation says you should add an extra :layout=fs, but that breaks just about everything; with the setting below every folder is put in a subfolder whose name starts with a dot.
<pre>
mail_location = maildir:~/Maildir
</pre>

Ensure the following is set for performance
<pre>
maildir_copy_with_hardlinks = yes
</pre>

Because we're using NFS for mail storage we need to check:
<pre>
mmap_disable = yes
dotlock_use_excl = yes # MUST CHECK THIS ONE
mail_nfs_storage = yes
mail_nfs_index = yes
</pre>

Logging:
<pre>
log_path = /var/log/mail/dovecot.err
info_log_path = /var/log/mail/dovecot.info
</pre>
<pre>
touch /var/log/mail/dovecot.err
touch /var/log/mail/dovecot.info
</pre>
in /etc/logrotate.d/rsyslog add
<pre>
/var/log/mail/dovecot.err
/var/log/mail/dovecot.info
</pre>
to the rest of the mail lines

Create a maildir for www-data manually (dovecot has no permissions to create in /var/www)
<pre>
mkdir /var/www/Maildir
chown www-data /var/www/Maildir
</pre>

To test:
<pre>
mutt -f imap://username@localhost
mutt -f pop://username@localhost
</pre>
or to open a user's maildir:
<pre>
mutt -m maildir -f ~user/Maildir
</pre>

= Roundcube webmail =
We're going to get the backport version as it's much much better

so in /etc/apt/sources.list add
<pre>
deb http://backports.debian.org/debian-backports squeeze-backports main
</pre>

and to install
<pre>
apt-get -t squeeze-backports install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra
</pre>

You will need mysql-server, apache2 and php5 as well.

then in /etc/roundcube/apache.conf
<pre>
uncomment:
    Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
    Alias /roundcube /var/lib/roundcube
</pre>

in /etc/roundcube/main.inc.php change
<pre>
$rcmail_config['htmleditor'] = 0; to 1
$rcmail_config['preview_pane'] = 0; to 1
$rcmail_config['default_host'] = '127.0.0.1';
$rcmail_config['language'] = 'nl_NL';
</pre>

Settings that need looking at and haven't been enabled yet!
<pre>
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';
</pre>

== Plugins ==
=== virtuser_file ===
This comes with the roundcube-plugins package and makes roundcube read the identities (@domain.ext) from a file in the format:

email@domain.ext user
email2@domain2.ext user2

If a user has multiple @domain.ext entries in the file, then it makes multiple identities you can choose from as your from address.

Find in /etc/roundcube/main.inc.php
<pre>
$rcmail_config['plugins'] = array('virtuser_file');
</pre>
to enable it, and then all the way at the bottom set
<pre>
$rcmail_config['virtuser_file'] = '/etc/postfix/virtual';
</pre>

=== DragnDrop Attachments ===
You can find that [https://github.com/strimpak/dragndrop_attachments here]

download, then unzip and mv to /var/lib/roundcube/plugins/dragndrop_attachments/

In main.inc.php
<pre>
$rcmail_config['plugins'] = array('virtuser_file','vcard_attachments','show_additional_headers','emoticons','jqueryui','dragndrop_attachments');
</pre>

NB. when testing, you may need to delete the users from the database to check if certain settings are being set before logging in.

= Converting from mbox to maildir =
Because we want the system to support IMAP functionality fully, there are some changes to be made which will be documented further. For now, look at [[Converting from mbox to maildir]]

Latest revision as of 13:51, 20 March 2024

You will need these packages for the mail server:

apt-get install openssh-server proftpd snmpd iotop iptstate atsar postfix shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync quota ntpdate ntp vacation pdnsd dovecot-common dovecot-imapd dovecot-pop3d automx

pdnsd - use resolvconf configuration

Network

Debian Network Setup

Ensure your PTR (reverse DNS) record is set, and that these forward records exist in DNS:

TXT edgarbv.com v=spf1 mx -all
AAAA edgarbv.com IPv6address
MX 10 mail.edgarbv.com edgarbv.com
A edgarbv.com IPv4address
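The SPF TXT record is the easiest of these to get wrong: the qualifier must be separated from the mechanism (mx -all), since a run-together mx-all is an unknown mechanism and receivers return permerror instead of a pass or fail. The following is an added example, not code from this page, of a small syntax checker for SPF records using the RFC 7208 term set; the records it is fed in the usage are constructed.

```python
"""Syntax check an SPF TXT record (RFC 7208 terms).

Added illustration, not part of the original page. It parses the record into
qualifier/mechanism pairs and reports what receivers would trip over: unknown
mechanisms (permerror), bad ip4/ip6 arguments, a missing or '+all' terminator,
terms after 'all' that are never reached, and more than 10 DNS-lookup terms.
"""
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # each counts toward the 10-lookup limit
MODIFIERS = {"redirect", "exp"}
QUALIFIERS = "+-~?"
MODIFIER_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.-]*)=(.+)")


def parse_spf(record):
    """Return ok/errors/warnings, the qualifier used on 'all', and the DNS-lookup count."""
    result = {"ok": True, "errors": [], "warnings": [], "all": None, "lookups": 0}
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        result["errors"].append("record must start with 'v=spf1'")
        result["ok"] = False
        return result
    seen_all = False
    for tok in tokens[1:]:
        if seen_all:
            result["warnings"].append(f"'{tok}' comes after 'all' and is never evaluated")
            continue
        mod = MODIFIER_RE.fullmatch(tok)
        if mod:                                    # name=value is a modifier, not a mechanism
            name = mod.group(1).lower()
            if name == "redirect":
                result["lookups"] += 1
            elif name not in MODIFIERS:
                result["warnings"].append(f"unknown modifier '{name}' is ignored by receivers")
            continue
        qual = "+"                                 # the default qualifier is pass
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        name, _, arg = tok.partition(":")
        name = name.partition("/")[0].lower()      # 'a/24' and 'mx/24' carry a CIDR without a colon
        if name not in MECHANISMS:
            result["errors"].append(f"unknown mechanism '{name}': receivers return permerror")
            result["ok"] = False
            continue
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
        if name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg, strict=False)
            except ValueError:
                result["errors"].append(f"'{name}:{arg}' is not a valid address or network")
                result["ok"] = False
        if name == "all":
            seen_all = True
            result["all"] = qual
            if qual == "+":
                result["warnings"].append("'+all' authorises every host on the internet to send as you")
    if result["all"] is None:
        result["warnings"].append("no 'all' term: senders matching nothing get a neutral result")
    if result["lookups"] > 10:
        result["errors"].append(f"{result['lookups']} DNS-lookup terms exceed the limit of 10 (permerror)")
        result["ok"] = False
    return result


if __name__ == "__main__":
    # Constructed inputs: the broken form, the corrected record, and a third-party include.
    for rec in ("v=spf1 mx-all", "v=spf1 mx -all", "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"):
        print(rec, "->", parse_spf(rec))
```

Run the record you are about to publish through parse_spf before putting it in the zone; a result with ok set to False means receivers would not get a usable answer from it at all.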

Certificates for mail.edgarbv.com - see postfix and dovecot

Postfix and Procmail

First install Postfix as the mail transport agent

Amavis-new + ClamAV

Amavis functions as a postfix addon that filters mail through ClamAV and Spamassassin. Amavis-new and ClamAV

Spamassassin

Then configure Spamassassin

Dovecot

Now install Dovecot as an IMAP / POP3 server

Automx

automx sets up a webservice that tells Outlook, Thunderbird and mobile clients how to autodetect the right mailserver settings

Roundcube webmail

And install Roundcube for webmail

Converting from mbox to maildir

Because we want the system to support IMAP functionality fully, there are some changes to be made which will be documented further. For now, look at Converting from mbox to maildir

Webmail performance

The imapproxy package provides UP-IMAPProxy, which keeps IMAP connections open between webmail requests.

iPhone Push

The imaprowl package implements push notifications for iPhone and Gmail.

Mobile settings

Incoming:

Security type: TLS (Accept all certificates)
Port: 143

Outgoing:

Hostname: mail.edgarbv.com
Security Type: TLS (Accept all certificates)
Port: 587
Require sign in: on

Note: TLS will only work for one IP address per hostname, as the server only gets one certificate per IP address.

Spam protection

SPF

SPF (Sender Policy Framework) is a method for a receiving server to check whether the server that sent a mail is authorised to send for its From domain: http://www.openspf.org/Introduction

Sender Policy Framework / SPF

DKIM

Another trust mechanism http://www.dkim.org/

Configure SPF and DKIM With Postfix on Debian 8: https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/

Debian wiki opendkim: https://wiki.debian.org/opendkim

Permissions for keyfiles: 640

If you want multiple subdomains you need to create the keyfiles multiple times:

opendkim-genkey -D /etc/postfix/dkim/keys/ -d example.com -s mail
opendkim-genkey -D /etc/postfix/dkim/keys/ -d example.com -s smtp

https://dmarcguide.globalcyberalliance.org/dkim
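Two things regularly go wrong after opendkim-genkey: the public key ends up in DNS as one overlong string instead of the 255-byte TXT chunks the resolver concatenates, and the private key is left readable by more than the opendkim user. The following is an added example, not opendkim's code or this page's, that builds the selector record from a public key PEM and audits the key file's mode against the 640 named above. The public key it uses is a constructed placeholder made of random bytes, not a real key; with a real deployment you would read the .pem file opendkim-genkey wrote.

```python
"""Build the DNS TXT record for a DKIM selector and audit private-key permissions.

Added illustration, not opendkim's own code. PLACEHOLDER_PUBKEY_PEM is random data
shaped like a 2048-bit SubjectPublicKeyInfo blob, standing in for a real key.
"""
import base64
import os
import stat
import tempfile

PLACEHOLDER_PUBKEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.encodebytes(os.urandom(294)).decode()   # constructed: 294 random bytes, not a key
    + "-----END PUBLIC KEY-----\n"
)


def pem_body(pem):
    """Base64 payload of a PEM block with armour and line breaks removed (what goes in p=)."""
    return "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))


def dkim_dns_record(domain, selector, pubkey_pem):
    """Return (owner name, list of TXT strings) for the selector.

    A single TXT <character-string> holds at most 255 bytes, so a 2048-bit key is
    split into several quoted strings that resolvers join back together.
    """
    value = f"v=DKIM1; k=rsa; p={pem_body(pubkey_pem)}"
    return f"{selector}._domainkey.{domain}", [value[i:i + 255] for i in range(0, len(value), 255)]


def zone_line(domain, selector, pubkey_pem):
    """Render the record in zone-file syntax, each chunk quoted separately."""
    name, chunks = dkim_dns_record(domain, selector, pubkey_pem)
    return f"{name}. IN TXT " + " ".join(f'"{c}"' for c in chunks)


def key_file_problems(path):
    """Flag any permission bit outside rw-r----- (0640): the private key must not be world-readable."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & 0o004:
        problems.append(f"{path}: world-readable (mode {mode:04o}), expected 0640")
    elif mode & 0o137:
        problems.append(f"{path}: mode {mode:04o} is wider than 0640")
    return problems


def demo_key_permissions():
    """Create a throwaway file, check it at 0644 and again at 0640; return both problem lists."""
    with tempfile.NamedTemporaryFile(prefix="mail.private.", delete=False) as f:
        path = f.name
    try:
        os.chmod(path, 0o644)
        before = key_file_problems(path)
        os.chmod(path, 0o640)
        after = key_file_problems(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    for selector in ("mail", "smtp"):     # the two selectors generated above
        print(zone_line("example.com", selector, PLACEHOLDER_PUBKEY_PEM))
    print(demo_key_permissions())
```

Point key_file_problems at each file under /etc/postfix/dkim/keys/ after generating them; a key that is world-readable lets any local account sign mail as the domain.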

DMARC

DMARC tells receiving servers what to do with mail that fails the SPF and DKIM checks for your domain, and where to send reports about it: http://www.dmarc.org/overview.html https://www.sonicwall.com/support/knowledge-base/what-is-a-dmarc-record-and-how-do-i-create-it-on-dns-server/170504796167071/ https://dmarcguide.globalcyberalliance.org/#/dmarc/

_dmarc.edgarbv.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@edgarbv.com; ruf=mailto:dmarc@edgarbv.com; sp=none; ri=86400"
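The record above is a monitoring-only policy (p=none): it buys reports but does not yet ask receivers to quarantine or reject spoofed mail. The following is an added example, not code from this page, of a parser for a DMARC TXT record in the RFC 7489 tag=value syntax that checks the tags, says whether the policy enforces anything, and warns when rua/ruf point outside the policy domain, because an external destination has to publish an authorisation record before receivers will send reports there.

```python
"""Parse and sanity-check a DMARC TXT record (RFC 7489 tag=value syntax).

Added illustration, not part of the original page. Given the record value and the
domain it is published under, it returns the tags, whether the policy enforces
anything, and the problems a postmaster would want flagged before publishing.
"""

POLICIES = {"none", "quarantine", "reject"}


def _report_destination_problems(tag, uris, domain, result):
    """Check rua/ruf URIs: mailto: only, and warn when reports leave the policy domain."""
    for uri in uris.split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            result["errors"].append(f"{tag} destination '{uri}' is not a mailto: URI")
            result["ok"] = False
            continue
        mailbox = uri[len("mailto:"):].split("!")[0]          # strip an optional !size suffix
        dest_domain = mailbox.rpartition("@")[2].lower()
        if dest_domain != domain.lower() and not dest_domain.endswith("." + domain.lower()):
            result["warnings"].append(
                f"{tag} reports go to external domain '{dest_domain}'; it must publish "
                f"{domain}._report._dmarc.{dest_domain} TXT \"v=DMARC1\" or reports are dropped")


def parse_dmarc(record, domain):
    """Return ok/errors/warnings, the parsed tags and an 'enforcing' flag for the record."""
    result = {"ok": True, "errors": [], "warnings": [], "tags": {}, "enforcing": False}
    tags, order = {}, []
    for part in record.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            result["errors"].append(f"'{part}' is not tag=value")
            result["ok"] = False
            continue
        key, value = key.strip().lower(), value.strip()
        if key in tags:
            result["warnings"].append(f"duplicate tag '{key}', last one wins")
        tags[key] = value
        order.append(key)
    result["tags"] = tags

    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1":
        result["errors"].append("record must begin with 'v=DMARC1'")
        result["ok"] = False
    if "p" not in tags:
        result["errors"].append("required tag 'p' is missing")
        result["ok"] = False
    for tag in ("p", "sp"):
        if tag in tags and tags[tag].lower() not in POLICIES:
            result["errors"].append(f"{tag}={tags[tag]} is not none, quarantine or reject")
            result["ok"] = False
    if tags.get("p", "").lower() in ("quarantine", "reject"):
        result["enforcing"] = True
    elif "p" in tags:
        result["warnings"].append("p=none only monitors: failing mail is still delivered")
    if "rua" not in tags:
        result["warnings"].append("no rua tag: you will receive no aggregate reports")
    for tag in ("rua", "ruf"):
        if tag in tags:
            _report_destination_problems(tag, tags[tag], domain, result)
    for tag, upper in (("ri", None), ("pct", 100)):
        if tag in tags and (not tags[tag].isdigit() or (upper is not None and int(tags[tag]) > upper)):
            result["errors"].append(f"{tag}={tags[tag]} must be an integer" + (f" from 0 to {upper}" if upper else ""))
            result["ok"] = False
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ("r", "s"):
            result["errors"].append(f"{tag}={tags[tag]} must be r (relaxed) or s (strict)")
            result["ok"] = False
    return result


if __name__ == "__main__":
    # The record published above, followed by a constructed enforcing policy with external reporting.
    print(parse_dmarc('v=DMARC1; p=none; rua=mailto:dmarc@edgarbv.com; ruf=mailto:dmarc@edgarbv.com; sp=none; ri=86400', "edgarbv.com"))
    print(parse_dmarc("v=DMARC1; p=reject; rua=mailto:reports@example.net", "example.com"))
```

The usual path is to publish with p=none as above, read the aggregate reports until every legitimate sender passes SPF or DKIM, and only then move to p=quarantine and p=reject; parse_dmarc reports enforcing as False until that last step.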

Microsoft JMRP and SNDS

JMRP (Junk Mail Reporting Partner Program) and SNDS (Smart Network Data Services).

Enrol here:

https://postmaster.live.com/snds/JMRP.aspx?wa=wsignin1.0

More information about enrolling: https://kb.iweb.com/hc/en-us/articles/230267648-Subscribing-to-Microsoft-JMRP-and-SNDS

fail2ban

In /etc/fail2ban/jail.d/jail.local:

[DEFAULT]

ignoreip = 127.0.0.1/8 91.154.222.134 37.252.124.72/24
bantime  = 6000

[proftpd]
enabled  = true

[dovecot]
enabled = true
logpath = /var/log/mail/dovecot.info

[postfix]
enabled  = true
# To use another modes set filter parameter "mode" in jail.local:
mode    = more
port    = smtp,465,submission
logpath = /var/log/mail/mail.log
maxretry = 5
#backend = %(postfix_backend)s

[postfix-rbl]
enabled  = true
filter   = postfix[mode=rbl]
port     = smtp,465,submission
logpath  = /var/log/mail/mail.log
#backend  = %(postfix_backend)s
maxretry = 1

[postfix-sasl]
enabled = true
port    = smtp
filter  = postfix-sasl
logpath = /var/log/mail/mail.log
maxretry = 5
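To see what the jails above will actually do before enabling them, it helps to replay log lines through the same rules: a source is banned once it produces maxretry matching failures inside the findtime window, unless it is covered by ignoreip. The following is an added example, not fail2ban's code or this page's, that models that logic in Python over constructed mail.log and dovecot.info lines. Its regexes approximate what the stock postfix-sasl and dovecot filters match, and findtime is assumed to be fail2ban's 600 second default, since jail.local above does not set it.

```python
"""Replay constructed mail log lines through a simplified model of the fail2ban jails above.

Added illustration, not fail2ban's own code: the regexes approximate the stock
postfix-sasl and dovecot filters, and findtime is assumed (fail2ban's default).
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

JAIL = {  # values from the jail.local above; findtime is an assumed default
    "ignoreip": ["127.0.0.1/8", "91.154.222.134", "37.252.124.72/24"],
    "bantime": 6000,
    "findtime": 600,
    "maxretry": 5,
}

FILTERS = {
    "postfix-sasl": re.compile(r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"),
    "dovecot": re.compile(r"auth failed.*?\brip=(?P<ip>[0-9a-fA-F.:]+)"),
}


def sasl_line(ts, ip, method="LOGIN"):
    """Constructed postfix/smtpd line in the syslog format fail2ban reads from mail.log."""
    return f"Mar 20 {ts} mail postfix/smtpd[2231]: warning: unknown[{ip}]: SASL {method} authentication failed: UGFzc3dvcmQ6"


MAIL_LOG = (  # constructed sample, documentation IP ranges only
    [sasl_line(f"13:00:0{i}", "192.0.2.77") for i in range(4)]         # 4 failures, then a long pause
    + [sasl_line("13:30:00", "192.0.2.77")]                             # 5th attempt is outside findtime
    + [sasl_line(f"13:50:0{i}", "198.51.100.23") for i in range(1, 6)]  # 5 failures in 5 seconds: ban
    + [sasl_line(f"13:50:1{i}", "127.0.0.1", "PLAIN") for i in range(6)]  # webmail on localhost, ignoreip
    + [sasl_line("13:51:00", "203.0.113.9"), sasl_line("13:51:02", "203.0.113.9")]  # below maxretry
    + ["Mar 20 13:51:30 mail postfix/smtpd[2240]: connect from unknown[203.0.113.9]"]  # not a failure
)

DOVECOT_LOG = [  # constructed dovecot.info lines: the same host hammering IMAP logins
    f"Mar 20 13:52:{s:02d} mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    f"user=<bob>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS"
    for s in (10, 12, 14, 16, 18)
]


def in_ignore_list(ip, ignoreip):
    """True if ip falls inside any ignoreip entry (hosts or CIDR networks)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def log_time(line):
    """Parse the syslog timestamp at the start of a line (the year is not logged; 2024 assumed)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=2024)


def evaluate_jail(lines, filter_re, jail):
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside a findtime window."""
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        m = filter_re.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in banned or in_ignore_list(ip, jail["ignoreip"]):
            continue
        ts = log_time(line)
        window = [t for t in recent[ip] if (ts - t).total_seconds() <= jail["findtime"]]
        window.append(ts)
        recent[ip] = window
        if len(window) >= jail["maxretry"]:
            banned[ip] = ts
    return banned


def run_jails():
    """Evaluate both jails against the constructed logs; returns {jail: set of banned IPs}."""
    return {
        "postfix-sasl": set(evaluate_jail(MAIL_LOG, FILTERS["postfix-sasl"], JAIL)),
        "dovecot": set(evaluate_jail(DOVECOT_LOG, FILTERS["dovecot"], JAIL)),
    }


if __name__ == "__main__":
    for jail, ips in run_jails().items():
        print(jail, "would ban:", sorted(ips) or "nobody", f"for {JAIL['bantime']}s")
```

Two points this makes visible: the 127.0.0.1/8 entry in ignoreip is what stops a Roundcube user mistyping a password from banning the webmail host itself, and a slow attacker who spreads attempts beyond findtime never reaches maxretry, which is why the real fail2ban also offers the recidive jail for repeat offenders.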