  • mailserver
  • Jonathan Haack
  • Haack's Networking
  • webmaster@haacksnetworking.org

mailserver


This tutorial is for users of Debian GNU/Linux who want to set up a proper email server. It assumes you already know how to set up A, AAAA, SPF, DKIM, DMARC, MX, and PTR records. Set an A record for example.com and for mail.example.com (those two names are used throughout the examples below). If you don't know how, learn that first and do not proceed. Thanks to LinuxBabe for a great jumping-off point.

sudo nano /etc/hosts

Edit the second line and add a line to the bottom similar to:

<127.0.1.1 example.com example>
<127.0.0.1 mail.example.com localhost>

Install postfix and mailutils. When the package prompts, choose Internet Site and give example.com as the system mail name:

sudo apt-get install mailutils postfix -y
<Internet Site>
<example.com>

Install the firewall and open the ports a public-facing mail server with a website needs: SSH, SMTP (25), submission (587 and 465, both of which are configured in master.cf below), IMAP (143 and 993) and HTTP/HTTPS for the certificate challenge and the website. Only open 53 if this host is also your authoritative DNS server; a mail server by itself does not need it. Enable the firewall last, after the SSH rule is in place, so you do not lock yourself out:

sudo apt install ufw
sudo ufw allow 22/tcp
# sudo ufw allow 53/tcp   # only if this host also serves DNS
sudo ufw allow 25/tcp
sudo ufw allow 465/tcp
sudo ufw allow 587/tcp
sudo ufw allow 143/tcp
sudo ufw allow 993/tcp
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable

Raise the maximum message size (here 50 MiB):

sudo postconf -e message_size_limit=52428800

Set hostname and aliases

sudo nano /etc/postfix/main.cf

Make sure that the hostname, origin, destination, mailbox size limit and message size limit are set. In my case the host only has IPv4 connectivity, so I set that explicitly as well so Postfix does not try AAAA records it can never reach:

myhostname = mail.example.com
myorigin = /etc/mailname
mydestination = example.com, $myhostname, localhost.$mydomain, localhost
mailbox_size_limit = 0
inet_protocols = ipv4
message_size_limit = 52428800

Let's also make sure that system mail for root is delivered to a regular user account instead of root (replace user with the account you actually read mail as). Edit sudo nano /etc/aliases so that it contains:

postmaster: root
root: user

Then run sudo newaliases so Postfix's alias database (/etc/aliases.db) picks up the change; Postfix does not read the text file directly.

Now, set up the nginx server block for the mail server's hostname (if nginx is not installed yet, sudo apt install nginx first). It only needs to serve the Let's Encrypt HTTP challenge:

sudo nano /etc/nginx/conf.d/mail.example.com.conf
sudo mkdir -p /usr/share/nginx/html/

The contents look something like:

server {
    listen 80;
    #listen [::]:80;
    server_name mail.example.com;
    root /usr/share/nginx/html/;
    location ~ /.well-known/acme-challenge {
        allow all;
    }
}

Once that is done, reload nginx with sudo systemctl reload nginx and then generate a certificate (put your own contact address in place of email@email.com; Let's Encrypt sends expiry warnings there):

sudo apt install certbot
sudo apt install python3-certbot-nginx
sudo certbot certonly -a nginx --agree-tos --no-eff-email --staple-ocsp --email email@email.com -d mail.example.com

Now, let's configure Postfix to accept authenticated submission on 587 (STARTTLS) and 465 (implicit TLS), using Dovecot for SASL and refusing to relay for anyone who has not authenticated, by editing sudo nano /etc/postfix/master.cf as follows:

submission     inet     n    -    y    -    -    smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

It's now time to configure TLS in Postfix itself (sudo nano /etc/postfix/main.cf). Note that security_level = may is opportunistic on purpose: port 25 must still accept plaintext from other MTAs that do not offer STARTTLS, which is why submission and smtps above force encrypt separately. The mandatory_protocols lines govern those enforced services; the plain protocols lines govern the opportunistic sessions.

#Enable TLS Encryption when Postfix receives incoming emails
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_security_level=may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#Enable TLS Encryption when Postfix sends outgoing emails
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#Allow only TLSv1.2 and TLSv1.3, for enforced and opportunistic sessions alike
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Now, we can install dovecot and configure it to use IMAP, change the default mailbox location, and add dovecot to the mail group:

sudo apt install dovecot-core dovecot-imapd
sudo nano /etc/dovecot/dovecot.conf
<protocols = imap>
sudo nano /etc/dovecot/conf.d/10-mail.conf
<mail_location = maildir:~/Maildir>
sudo adduser dovecot mail

We will now configure Dovecot to accept local delivery over LMTP, which is what later lets us plug in Sieve filtering and other modules:

sudo apt install dovecot-lmtpd
sudo nano /etc/dovecot/dovecot.conf
<protocols = imap lmtp>

Now, we need to edit sudo nano /etc/dovecot/conf.d/10-master.conf and make sure that Dovecot listens for LMTP on a socket inside Postfix's chroot that only the postfix user can reach:

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

Similarly, we need to edit postfix for lmtp:

sudo nano /etc/postfix/main.cf
<mailbox_transport = lmtp:unix:private/dovecot-lmtp>
<smtputf8_enable = no>

Next, let's configure Dovecot authentication. PLAIN and LOGIN send the password as-is, so they are only acceptable because the next section makes TLS mandatory, and disable_plaintext_auth = yes makes Dovecot refuse them on any connection that is not encrypted:

sudo nano /etc/dovecot/conf.d/10-auth.conf
<disable_plaintext_auth = yes>
<auth_username_format = %n>
<auth_mechanisms = plain login>

Now, configure SSL/TLS encryption in Dovecot, using the same Let's Encrypt certificate as Postfix (the < in front of the two paths is Dovecot syntax meaning "read the file"; keep it):

sudo nano /etc/dovecot/conf.d/10-ssl.conf
<ssl = required>
<ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem>
<ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem>
<ssl_prefer_server_ciphers = yes>
<ssl_min_protocol = TLSv1.2>

Finally, configure the SASL socket that smtpd_sasl_path=private/auth in master.cf refers to, by editing sudo nano /etc/dovecot/conf.d/10-master.conf and adding this block:

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

Restart both daemons so the new configuration takes effect: sudo systemctl restart postfix dovecot
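As an added example (not part of the original tutorial), the following POSIX shell script lints the Postfix submission and TLS settings from the master.cf and main.cf sections above and the Dovecot authentication and TLS settings just configured. It runs against constructed sample fragments embedded in the script and never reads or touches a file on the system; the weak variants are there to show what each setting protects against. The function and variable names (master_opt, conf_opt, lint_submission, lint_tls_protocols, lint_dovecot, run_lints) are mine, not Postfix or Dovecot tooling. To lint a real host, pass "$(cat /etc/postfix/master.cf)" and so on in place of the sample strings.

```shell
#!/bin/sh
# Added example, not from the tutorial: offline lint of the Postfix and Dovecot
# settings this page asks for. Every config string below is a CONSTRUCTED sample.

# master.cf samples: the weak one leaves TLS optional on 587 and omits the
# trailing reject on relay restrictions; the good one matches the page.
WEAK_MASTER='submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated
smtps inet n - y - - smtpd
  -o smtpd_tls_wrappermode=yes'
GOOD_MASTER='submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth'
# main.cf samples: protocol exclusion lists in the syntax used on this page.
WEAK_MAIN='smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1'
GOOD_MAIN='smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
# Dovecot samples (10-auth.conf and 10-ssl.conf concatenated).
WEAK_DOVECOT='disable_plaintext_auth = no
auth_mechanisms = plain login
ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem'
GOOD_DOVECOT='disable_plaintext_auth = yes
auth_username_format = %n
auth_mechanisms = plain login
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
ssl_min_protocol = TLSv1.2'
# master_opt TEXT SERVICE OPTION: value of "-o OPTION=..." under SERVICE in master.cf.
master_opt() {
    printf '%s\n' "$1" | awk -v svc="$2" -v opt="$3" '
        NF == 0 || /^#/ { next }
        /^[^ \t]/ { cur = $1; next }   # an unindented line starts a new service entry
        cur == svc && $1 == "-o" {
            eq = index($2, "=")
            if (substr($2, 1, eq - 1) == opt) print substr($2, eq + 1)
        }'
}
# conf_opt TEXT KEY: value of "KEY = value" in main.cf / Dovecot style files.
conf_opt() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ { next }
        { eq = index($0, "="); if (eq == 0) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) print v }'
}
# Each lint prints one FAIL line per weakness and nothing when the fragment is clean.
lint_submission() {
    tls=$(master_opt "$1" submission smtpd_tls_security_level)
    [ "$tls" = encrypt ] || echo "FAIL submission: smtpd_tls_security_level is '${tls:-unset}', want encrypt"
    auth=$(master_opt "$1" submission smtpd_sasl_auth_enable)
    [ "$auth" = yes ] || echo "FAIL submission: smtpd_sasl_auth_enable is '${auth:-unset}', want yes"
    relay=$(master_opt "$1" submission smtpd_relay_restrictions)
    # without a final reject, a client that never authenticated may still relay
    case "$relay" in
        reject|*,reject) ;;
        *) echo "FAIL submission: smtpd_relay_restrictions '${relay:-unset}' does not end in reject" ;;
    esac
}
lint_tls_protocols() {
    for key in smtpd_tls_protocols smtp_tls_protocols; do
        v=",$(conf_opt "$1" "$key" | tr -d ' \t'),"   # normalise to ,!SSLv2,!SSLv3,...,
        for proto in TLSv1 TLSv1.1; do
            case "$v" in *",!$proto,"*) ;; *) echo "FAIL $key: $proto is not excluded" ;; esac
        done
    done
}
lint_dovecot() {
    p=$(conf_opt "$1" disable_plaintext_auth)
    [ "$p" = yes ] || echo "FAIL dovecot: disable_plaintext_auth is '${p:-unset}', want yes"
    s=$(conf_opt "$1" ssl)
    [ "$s" = required ] || echo "FAIL dovecot: ssl is '${s:-unset}', want required"
    m=$(conf_opt "$1" ssl_min_protocol)
    case "$m" in TLSv1.2|TLSv1.3) ;; *) echo "FAIL dovecot: ssl_min_protocol is '${m:-unset}', want TLSv1.2 or newer" ;; esac
}
# run_lints MASTER MAIN DOVECOT: prints findings, returns 1 if there are any.
run_lints() {
    out=$(lint_submission "$1"; lint_tls_protocols "$2"; lint_dovecot "$3")
    [ -z "$out" ] && { echo "OK: no findings"; return 0; }
    printf '%s\n' "$out"; return 1
}
run_lints "$WEAK_MASTER" "$WEAK_MAIN" "$WEAK_DOVECOT" || true   # eight FAIL lines
run_lints "$GOOD_MASTER" "$GOOD_MAIN" "$GOOD_DOVECOT"            # OK: no findings
```

The checks encode the three properties these sections rely on: submission refuses to talk without TLS and refuses to relay for anyone who has not authenticated, neither side of Postfix negotiates TLSv1 or TLSv1.1, and Dovecot only offers PLAIN/LOGIN inside TLS. Postfix 3.6 and later also accept a ">=TLSv1.2" form for the protocol lists; this lint only understands the exclusion syntax used on this page, so a host written that way would need the check adjusted rather than be reported as weak.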

Note that when upgrading Postfix, select "No configuration" at the debconf prompt; otherwise the package's defaults will overwrite our configuration.

oemb1905 2022/12/05 21:03

computing/mailserver.1670731695.txt.gz · Last modified: 2022/12/11 04:08 by oemb1905