ubuntu:email:install_postfix_mail_server_with_dovecot
ubuntu:email:install_postfix_mail_server_with_dovecot [2020/12/06 12:52] – peter | ubuntu:email:install_postfix_mail_server_with_dovecot [2020/12/06 13:07] (current) – removed peter | ||
- | ====== Ubuntu - Email - Install Postfix Mail Server with Dovecot ====== | ||
- | |||
- | **Postfix** is responsible for interacting with the other email servers in the world. | ||
- | |||
- | Postfix is used to either send mail to, or receive mail from, other servers. | ||
- | |||
- | **Dovecot** interacts with your email client (Thunderbird, | ||
- | |||
- | ---- | ||
- | |||
- | ====== Install Postfix ====== | ||
- | |||
- | <code bash> | ||
- | sudo apt install postfix | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Virtual Mailboxes ===== | ||
- | |||
- | Create a user that will actually own all the virtual mailboxes. | ||
- | |||
- | <code bash> | ||
- | useradd -m -r -s / | ||
- | </ | ||
- | |||
- | <WRAP info> | ||
- | **NOTE: | ||
- | |||
- | The virtual mailboxes will be placed in this directory. | ||
- | |||
- | Virtual mailboxes allow us to unlink the users of the email system from the users on the underlying operating system. | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Configuring Postfix ===== | ||
- | |||
- | The configuration files for Postfix are usually found in **/ | ||
- | |||
- | The two most important files are **main.cf** and **master.cf**. | ||
- | |||
- | ---- | ||
- | |||
- | ==== Basic Configuration ==== | ||
- | |||
- | The file **main.cf** will be completely replaced. | ||
- | |||
- | It should start with the basic configuration: | ||
- | |||
- | <file bash / | ||
- | mydomain = sharewiz.net | ||
- | myhostname = mail2.$mydomain | ||
- | myorigin = $mydomain | ||
- | mydestination = $myhostname, | ||
- | mynetworks = 127.0.0.0/8 [:: | ||
- | inet_interfaces = all | ||
- | mailbox_size_limit = 0 | ||
- | home_mailbox = mail/ | ||
- | |||
- | # Prevent bad guys from querying for valid email addresses. | ||
- | disable_vrfy_command = yes | ||
- | </ | ||
- | |||
- | <WRAP info> | ||
- | **NOTE: | ||
- | |||
- | * **myorigin** defines the domain used for outgoing messages. | ||
- | * **mydestination** gives the non-virtual domains for which mail will be accepted. | ||
- | * $mydomain is not contained in mydestination. That is intentional. | ||
- | |||
- | Postfix will reject any mail that it receives that is not destined for a domain or machine listed in **mydestination** (or in one of the virtual mail domains defined later) unless it comes from a machine on the local network. | ||
- | |||
- | * **mynetworks** defines the local network. | ||
- |   * **mailbox_size_limit = 0** disables the limit on how large a local mailbox may grow. | ||
- |   * **home_mailbox** defines the name of the mailbox used for local users. | ||
- | |||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ==== Local Aliases ==== | ||
- | |||
- | <file bash / | ||
- | alias_maps = hash:/ | ||
- | alias_database = hash:/ | ||
- | |||
- | # Configure list of users/ | ||
- | local_recipient_maps = proxy: | ||
- | </ | ||
- | |||
- | <WRAP info> | ||
- | **NOTE: | ||
- | |||
- | You should not have to create this file nor change it, but if you do change it, you will need to run the following before the changes will take effect: | ||
- | |||
- | <code bash> | ||
- | postalias / | ||
- | </ | ||
- | |||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Virtual Mailboxes ===== | ||
- | |||
- | How should local delivery be performed? | ||
- | |||
- | Local delivery is the act of moving a piece of email from Postfix to the user's mailbox. | ||
- | |||
- | For Local Delivery, we could use: | ||
- | |||
- | * **Postfix**: | ||
- | * **Dovecot**: | ||
- | |||
- | ---- | ||
- | |||
- | ==== Using the Postfix LDA ==== | ||
- | |||
- | To configure the Postfix local delivery agent for virtual mailboxes, add the following to main.cf: | ||
- | |||
- | <file bash / | ||
- | virtual_mailbox_domains = sharewiz.net abcd.com | ||
- | virtual_mailbox_maps = hash:/ | ||
- | virtual_alias_maps = hash:/ | ||
- | virtual_mailbox_base=/ | ||
- | virtual_uid_maps = static:997 | ||
- | virtual_gid_maps = static:997 | ||
- | virtual_minimum_uid = 997 | ||
- | </ | ||
- | |||
- | <WRAP info> | ||
- | **NOTE:** | ||
- | |||
- | * **virtual_mailbox_domains** defines the virtual mail domains for which Postfix will accept mail. | ||
- | * **virtual_mailbox_maps** defines where the actual virtual mailboxes are defined. | ||
- | peter@sharewiz.net | ||
- | peter@abcd.net | ||
- | admin@sharewiz.net | ||
- | </ | ||
- | * Each line defines a virtual mailbox and consists of two items. | ||
- | * The first item is the email address of the virtual mailbox (should be lowercase). | ||
- | * The second item is the physical address on disk. | ||
- | * Each of the second entries ends with a slash. | ||
- | * The mail directory for **peter@sharewiz.net** would be **/ | ||
- |   * Whenever you modify this file you must run **postmap** in order for Postfix to be aware of the changes: <code bash> | ||
- | postmap / | ||
- | </ | ||
- | |||
- |   * **virtual_uid_maps** defines the user that owns the mail files. | ||
- |   * **virtual_gid_maps** defines the group that owns the mail files. | ||
- | * **virtual_minimum_uid** must be equal to or smaller than the UID specified in **virtual_uid_maps**. | ||
- | |||
- | </ | ||
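A sanity check for the virtual_mailbox_maps file described in the note above, added here as an example and not part of the original page: it applies the listed rules (two fields per line, lowercase address, trailing slash, domain present in virtual_mailbox_domains) before postmap is run. The sample map is constructed; it reuses the page's addresses, including peter@abcd.net, whose domain is not in the page's virtual_mailbox_domains (sharewiz.net abcd.com), so mail for it would be rejected even though a mailbox is defined.

```shell
# Added example (not from the page): sanity-check a virtual_mailbox_maps
# file against the rules in the note above before handing it to postmap.
# check_vmailbox_maps FILE "domain1 domain2": one diagnostic per bad line
# on stderr; returns 1 if anything is wrong, 0 if the map is clean.
check_vmailbox_maps() {
    file=$1 domains=$2 bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac   # postmap skips these too
        set -- $line
        if [ $# -ne 2 ]; then
            echo "$file:$n: expected address and mailbox path, got $# fields" >&2
            bad=1; continue
        fi
        addr=$1 path=$2
        lower=$(printf '%s' "$addr" | tr 'A-Z' 'a-z')
        [ "$addr" = "$lower" ] || { echo "$file:$n: '$addr' must be lowercase" >&2; bad=1; }
        case "$addr" in *@*) ;; *)
            echo "$file:$n: '$addr' is not an email address" >&2; bad=1; continue ;;
        esac
        # A domain missing from virtual_mailbox_domains makes Postfix
        # reject the address even though a mailbox is defined for it.
        case " $domains " in *" ${addr##*@} "*) ;; *)
            echo "$file:$n: domain of '$addr' is not in virtual_mailbox_domains" >&2; bad=1 ;;
        esac
        case "$path" in */) ;; *)
            echo "$file:$n: '$path' must end with '/' for Maildir delivery" >&2; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Rebuild the lookup table only when the source file passes the checks.
rebuild_vmailbox_maps() {
    check_vmailbox_maps "$1" "$2" && postmap "$1"
}

# Constructed sample reusing the addresses on this page; note that
# abcd.net is not one of the domains in virtual_mailbox_domains.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
peter@sharewiz.net   sharewiz.net/peter/
Admin@sharewiz.net   sharewiz.net/admin/
peter@abcd.net       abcd.net/peter/
admin@abcd.com       abcd.com/admin
EOF
check_vmailbox_maps "$SAMPLE" "sharewiz.net abcd.com" || echo "$SAMPLE: fix the problems above before running postmap" >&2
```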
- | |||
- | ---- | ||
- | |||
- | ==== Virtual Aliases ==== | ||
- | |||
- | **virtual_alias_maps** is a file that contains aliases for the virtual mailboxes. | ||
- | |||
- | An example file is: | ||
- | |||
- | <file bash / | ||
- | admin@abcd.com | ||
- | admin@mail2.abcd.com | ||
- | admin@mail2.sharewiz.net | ||
- | peter@mail2.abcd.com | ||
- | peter@mail2.sharewiz.net | ||
- | </ | ||
- | |||
- | **NOTE: | ||
- | |||
- | The first is the address that represents the alias and the second is the destination, | ||
- | |||
- | ---- | ||
- | |||
- | ===== Using the Dovecot LDA ===== | ||
- | |||
- | <file bash / | ||
- | .... | ||
- | mailbox_command = / | ||
- | |||
- | virtual_alias_maps = hash:/ | ||
- | virtual_mailbox_maps = hash:/ | ||
- | virtual_mailbox_domains = sharewiz.net abcd.com | ||
- | virtual_transport=dovecot | ||
- | |||
- | # Uncomment the following if dovecot-lda seems to hang. | ||
- | # | ||
- | </ | ||
- | |||
- | **NOTE:** | ||
- | |||
- |   * **mailbox_command** indicates that dovecot-lda should be used for delivering mail to local (not virtual) mailboxes. | ||
- | * **virtual_mailbox_maps** is the same file as given above in the Postfix LDA, but the value given for the second entry is ignored (it must still be present, but the actual value has no effect). <file bash / | ||
- | peter@sharewiz.net | ||
- | peter@abcd.net | ||
- | admin@sharewiz.net | ||
- | </ | ||
- | * **virtual_transport** gives the name of the process entry in the **master.cf** file that is used to deliver mail to the virtual mailboxes. | ||
- | dovecot | ||
- | flags=DRhu | ||
- | user=vmail: | ||
- | argv=/ | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Transport Layer Security (SSL) ===== | ||
- | |||
- | This assumes that you have already created a certificate using OpenSSL. | ||
- | |||
- | The one I am using is named ssl-cert-mail. | ||
- | |||
- | <file bash> | ||
- | # Configure TLS. | ||
- | tls_random_source=dev:/ | ||
- | |||
- | # Settings that control how email is received when using TLS. | ||
- | smtpd_tls_cert_file=/ | ||
- | smtpd_tls_key_file=/ | ||
- | smtpd_tls_session_cache_database = btree: | ||
- | smtpd_use_tls=yes | ||
- | smtpd_tls_security_level=may | ||
- | smtpd_tls_protocols = !SSLv2, !SSLv3 | ||
- | smtpd_tls_eecdh_grade = strong | ||
- | |||
- | # Settings that control how email is sent when using TLS. | ||
- | smtp_tls_cert_file=/ | ||
- | smtp_tls_key_file=/ | ||
- | smtp_tls_session_cache_database = btree: | ||
- | smtp_use_tls=yes | ||
- | |||
- | # Settings that control authentication. | ||
- | smtpd_sasl_type=dovecot | ||
- | smtpd_sasl_path=private/ | ||
- | smtpd_sasl_security_options=noanonymous | ||
- | </ | ||
- | |||
- | <WRAP info> | ||
- | **NOTE: | ||
- | </ | ||
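An added audit script, not from the page, that reads a main.cf fragment the way Postfix does (last definition wins, indented lines continue the previous one) and flags the weak points in the TLS block above: the protocol list excludes only SSLv2 and SSLv3 and so still permits TLSv1 and TLSv1.1, and smtp_use_tls is the superseded spelling of smtp_tls_security_level = may. The main.cf fragment is constructed from the page's own settings.

```shell
# Added audit, not from the page: read main.cf the way Postfix does (last
# definition wins, indented lines continue the previous one) and flag the
# weak points a reviewer would raise on the TLS block above.
# pf_get FILE KEY: print the effective value of KEY joined across
# continuation lines, or an empty line when KEY is not set.
pf_get() {
    awk -v key="$2" '
        /^[ \t]/ { if (found) val = val " " $0; next }
        { found = 0 }
        /^[^#=]+=/ {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) { found = 1; val = $0; sub(/^[^=]*=[ \t]*/, "", val) }
        }
        END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}
# audit_tls FILE: prints one finding per line.
audit_tls() {
    f=$1
    lvl=$(pf_get "$f" smtpd_tls_security_level)
    [ -n "$lvl" ] && [ "$lvl" != none ] ||
        echo "smtpd_tls_security_level unset or none: STARTTLS is not offered to senders"
    # Only understands the "!PROTO" exclusion syntax used on this page.
    protos=" $(pf_get "$f" smtpd_tls_protocols | tr ',' ' ') "
    for p in TLSv1 TLSv1.1; do
        case "$protos" in
            *" !$p "*) ;;
            *) echo "smtpd_tls_protocols still permits $p: add !$p" ;;
        esac
    done
    if [ -n "$(pf_get "$f" smtp_use_tls)" ] && [ -z "$(pf_get "$f" smtp_tls_security_level)" ]; then
        echo "smtp_use_tls is superseded: set smtp_tls_security_level = may for outbound STARTTLS"
    fi
    [ "$(pf_get "$f" disable_vrfy_command)" = yes ] ||
        echo "disable_vrfy_command is not yes: VRFY can enumerate valid addresses"
}
# Constructed main.cf fragment mirroring the TLS settings on this page.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_use_tls=yes
disable_vrfy_command = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
EOF
audit_tls "$SAMPLE"
```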
- | |||
- | ---- | ||
- | |||
- | Normally, Postfix listens for email on port 25 (smtp). | ||
- | |||
- | This email may either be sent in plain text or may be encrypted (with STARTTLS). | ||
- | |||
- | In addition, two other ports can be listened on if desired. | ||
- | |||
- | * Port 587 (submission) is generally used by authorized users to send email. As such, it requires authentication. | ||
- |   * Port 465 (smtps) is used as an alternative to port 25 by older clients (such as Outlook) for sending mail over a TLS-wrapped connection (implicit TLS, without STARTTLS). | ||
- | |||
- | These three ports are configured in master.cf with: | ||
- | |||
- | <file bash / | ||
- | smtp inet n | ||
- | submission inet n | ||
- | -o smtpd_tls_wrappermode=no | ||
- | -o smtpd_tls_security_level=encrypt | ||
- | -o smtpd_sasl_auth_enable=yes | ||
- | -o smtpd_recipient_restrictions=permit_mynetworks, | ||
- | smtps | ||
- | -o smtpd_tls_wrappermode=yes | ||
- | -o smtpd_sasl_auth_enable=yes | ||
- | </ | ||
- | |||
- | <WRAP info> | ||
- | **NOTE: | ||
- | |||
- | In the **Received** field, if it says **with ESMTPS** then TLS was used. | ||
- | |||
- | Remember that for TLS to be used both the source and the destination must support it, and many email servers still do not; Gmail does, so you can use that to send your test message. | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Header Checks ===== | ||
- | |||
- | The following settings define restrictions that are applied to the email header information to determine whether the email should be permitted or rejected. | ||
- | |||
- | They are chosen to provide a reasonable level of security: | ||
- | |||
- | <file bash / | ||
- | smtpd_helo_restrictions = | ||
- | permit_mynetworks, | ||
- | permit_sasl_authenticated, | ||
- | reject_non_fqdn_hostname, | ||
- | reject_invalid_hostname, | ||
- | permit | ||
- | |||
- | smtpd_client_restrictions = | ||
- | permit_mynetworks, | ||
- | permit_sasl_authenticated, | ||
- | warn_if_reject reject_unknown_client, | ||
- | permit | ||
- | |||
- | smtpd_sender_restrictions = | ||
- | permit_mynetworks, | ||
- | reject_non_fqdn_sender, | ||
- | warn_if_reject reject_unknown_sender_domain, | ||
- | permit | ||
- | |||
- | smtpd_recipient_restrictions = | ||
- | permit_mynetworks, | ||
- | permit_sasl_authenticated, | ||
- | reject_unauth_pipelining, | ||
- | reject_non_fqdn_recipient, | ||
- | reject_non_fqdn_sender, | ||
- | warn_if_reject reject_unknown_recipient_domain, | ||
- | warn_if_reject reject_unknown_sender_domain, | ||
- | reject_unauth_destination, | ||
- | reject_rbl_client zen.spamhaus.org, | ||
- | reject_rbl_client dnsbl.njabl.org, | ||
- | reject_rbl_client cbl.abuseat.org, | ||
- | permit | ||
- | |||
- | smtpd_data_restrictions = | ||
- | reject_unauth_pipelining, | ||
- | permit | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Firewall Configuration ===== | ||
- | |||
- | In order for Postfix to operate some firewall ports need to be opened: | ||
- | |||
- | * Port 25 (smtp) | ||
- | * Port 587 (submission) | ||
- | * Port 465 (smtps) | ||
- | |||
- | ---- | ||
- | |||
- | ===== Running Postfix ===== | ||
- | |||
- | Before starting Postfix you should make sure that you have run postmap on all appropriate files; in this case on virtual_mailbox_maps and virtual_alias_maps: | ||
- | |||
- | <code bash> | ||
- | postmap virtual_mailbox_maps | ||
- | postmap virtual_alias_maps | ||
- | </ | ||
- | |||
- | <WRAP info> | ||
- | **NOTE: | ||
- | </ | ||
- | |||
- | |||
- | Start Postfix using: | ||
- | |||
- | <code bash> | ||
- | systemctl start postfix | ||
- | </ | ||
- | |||
- | If Postfix is already running, and you have changed a configuration file, you can get Postfix to reread these files using: | ||
- | |||
- | <code bash> | ||
- | systemctl reload postfix | ||
- | </ | ||
- | |||
- | You can stop Postfix with: | ||
- | |||
- | <code bash> | ||
- | systemctl stop postfix | ||
- | </ | ||
- | |||
- | You can get Postfix status with: | ||
- | |||
- | <code bash> | ||
- | systemctl status postfix | ||
- | </ | ||
- | |||
- | Once Postfix is running, you should verify that it is capable of receiving email and storing it into the appropriate virtual mailbox. | ||
- | |||
- | * Look in / | ||
- | |||
- | Once Postfix is running properly, you can enable it so that it starts automatically when the server starts using: | ||
- | |||
- | <code bash> | ||
- | systemctl enable postfix | ||
- | </ | ||
ubuntu/email/install_postfix_mail_server_with_dovecot.1607259162.txt.gz · Last modified: 2020/12/06 12:52 by peter