Mailserver

Diffie-Hellman-Parameter täglich neu generieren.
Dies dient dazu, die bestmögliche TLS-Sicherheit herzustellen.
Erstmal den ersten Schlüssel erstellen
mkdir /etc/myssl

FILE=`mktemp` ; openssl dhparam -out $FILE 2048 > /dev/null 2>&1 && mv -f $FILE /etc/myssl/dh2048.pem

das ganze dann in der Crontab mit
crontab -e
und der Zeile
@daily FILE=`mktemp` ; openssl dhparam -out $FILE 2048 > /dev/null 2>&1 && mv -f $FILE /etc/myssl/dh2048.pem
automatisieren.

Die Zertifikate für den Mailserver einspielen. (Nicht wenn bei der Apache-Installation schon die Mailzertifikate erstellt wurden)
sudo certbot -d mail.hostname.de -d imap.hostname.de -d smtp.hostname.de
Folgendes Skript für die automatische Aktualisierung in der Datei /etc/cron.monthly/certbot anlegen (bei vorheriger Einrichtung des Apache bitte nur Fehlendes ergänzen):
#!/bin/sh

# Datei /etc/cron.monthly/certbot
#
# Renew the Let's Encrypt certificates and restart Postfix/Dovecot only when
# something under /etc/letsencrypt/live/ was actually replaced, so that the
# mail daemons are not restarted on months without a renewal.

certbot renew

# The script treats a symlink below live/ that was modified within the last
# day as the sign that a renewal happened during this run.
renewed=$(find /etc/letsencrypt/live/ -type l -mtime -1)

if [ -z "$renewed" ]; then
    exit 0
fi

# Both daemons read the certificate only at startup, so restart them.
for svc in postfix dovecot; do
    systemctl restart "$svc"
done

Jetzt erstmal ein paar Progrämmchen installieren.
apt-get install mysql-server dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql dovecot-sieve dovecot-managesieved dovecot-antispam postfix postfix-mysql spamassassin
damit wäre erstmal alles drauf was wir später benötigen.
nun mit
mysql -u root -p
in sql einsteigen.
Dort mit
create database vmail;
create database spammassassin;
die Datenbanken anlegen.
grant all on vmail.* to 'vmail'@'localhost' identified by 'vmaildbpass';
create database spamassassin;

grant all on spamassassin.* to 'spamassassin'@'localhost' identified by
'spamasspwd';
quit;

um dem Benutzer vmail die Rechte an der Datenbank einzuräumen.
use vmail;
um die Datenbank zu benutzen.
Nun die später benötigten Tabellen erstellen.
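-- Mail domains this server accepts mail for (Postfix virtual_mailbox_domains
-- queries this table). `domain` is UNIQUE so that accounts and aliases can
-- reference a domain by name instead of by id.
CREATE TABLE `domains` (
    `id` int unsigned NOT NULL AUTO_INCREMENT,
    `domain` varchar(255) NOT NULL,
    PRIMARY KEY (`id`),
    CONSTRAINT `domains_domain_uq` UNIQUE KEY (`domain`)
) ENGINE=InnoDB CHARSET=latin1;

-- Mailboxes. Looked up by Postfix (virtual_mailbox_maps, recipient access)
-- and by Dovecot (passdb/userdb) with username = '%u'/'%n' and domain = '%d'.
-- `password` holds the hash in Dovecot's default_pass_scheme (SHA512-CRYPT in
-- dovecot-sql.conf), never a plaintext password. `quota` is in megabytes:
-- Dovecot's user_query turns it into '*:storage=<quota>M'.
-- The flags are NOT NULL so that a NULL can never silently drop an account out
-- of the `enabled = true` / `sendonly = false` queries.
CREATE TABLE `accounts` (
    `id` int unsigned NOT NULL AUTO_INCREMENT,
    `username` varchar(64) NOT NULL,
    `domain` varchar(255) NOT NULL,
    `password` varchar(255) NOT NULL,
    `quota` int unsigned NOT NULL DEFAULT 0,
    `enabled` boolean NOT NULL DEFAULT 0,
    `sendonly` boolean NOT NULL DEFAULT 0,
    PRIMARY KEY (`id`),
    CONSTRAINT `accounts_username_domain_uq` UNIQUE KEY (`username`, `domain`),
    -- ENGINE=InnoDB is stated explicitly: other engines silently ignore
    -- FOREIGN KEY and the domain check would be lost.
    CONSTRAINT `accounts_domain_fk` FOREIGN KEY (`domain`)
        REFERENCES `domains` (`domain`)
        ON DELETE RESTRICT ON UPDATE RESTRICT
) ENGINE=InnoDB CHARSET=latin1;

-- Forwardings source@source_domain -> destination@destination_domain, used by
-- Postfix virtual_alias_maps and sender-login-maps. Only the source domain is
-- constrained to `domains`; destination_domain has no FK, presumably so that
-- an alias may point to an external address.
CREATE TABLE `aliases` (
    `id` int unsigned NOT NULL AUTO_INCREMENT,
    `source_username` varchar(64) NOT NULL,
    `source_domain` varchar(255) NOT NULL,
    `destination_username` varchar(64) NOT NULL,
    `destination_domain` varchar(255) NOT NULL,
    `enabled` boolean NOT NULL DEFAULT 0,
    PRIMARY KEY (`id`),
    CONSTRAINT `aliases_source_destination_uq` UNIQUE KEY
        (`source_username`, `source_domain`, `destination_username`, `destination_domain`),
    CONSTRAINT `aliases_source_domain_fk` FOREIGN KEY (`source_domain`)
        REFERENCES `domains` (`domain`)
        ON DELETE RESTRICT ON UPDATE RESTRICT
) ENGINE=InnoDB CHARSET=latin1;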

Auf zum Postfix einrichten.
erstmal Postfix stoppen /etc/init.d/postfix stop.
dann mit rm -r /etc/postfix/sasl /etc/postfix/master.cf die nicht benötigten Dateien aus Postfix entfernen.
nun nano /etc/postfix/main.cf und
mynetworks = 127.0.0.0/8
inet_interfaces = 127.0.0.1
myhostname = mail.mysystems.tld
maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m
tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/myssl/dh2048.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mysystems.tld/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mysystems.tld/privkey.pem
virtual_transport = lmtp:unix:private/dovecot-lmtp
milter_default_action = accept
milter_protocol = 2
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_data_restrictions = reject_unauth_pipelining
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_greet_action = drop
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = dnsbl.sorbs.net*1, bl.spamcop.net*1, ix.dnsbl.manitu.net*2, zen.spamhaus.org*2
postscreen_dnsbl_action = drop
virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
local_recipient_maps = $virtual_mailbox_maps
mailbox_size_limit = 0
message_size_limit = 52428800
biff = no
append_dot_mydomain = no
recipient_delimiter = +

nun noch den Header cleanup erstellen. nano /etc/postfix/submission_header_cleanup dort bitte dann das rein.
/^Received:/ IGNORE

/^X-Originating-IP:/ IGNORE


/^X-Mailer:/ IGNORE


/^User-Agent:/ IGNORE

nun mit mkdir /etc/postfix/sql && cd /etc/postfix/sql/ den Ordner für die Sql-Konfiguration erstellen.
und in nano accounts.cf das einfügen:
user = vmail

password = vmaildbpass
hosts = 127.0.0.1

dbname = vmail


query = select 1 as found from accounts where username = '%u' and domain = '%d' and enabled = true LIMIT 1;

und in nano aliases.cf das einfügen:
user = vmail

password = vmaildbpass
hosts = 127.0.0.1

dbname = vmail


query = select concat(destination_username, '@', destination_domain) as destinations from aliases where source_username = '%u' and source_domain = '%d' and enabled = true;

und in nano domains.cf das einfügen:
user = vmail
password = vmaildbpass
hosts = 127.0.0.1
dbname = vmail
query = SELECT domain FROM domains WHERE domain='%s'
und in nano recipient-access.cf das einfügen:
user = vmail

password = vmaildbpass
hosts = 127.0.0.1

dbname = vmail


query = select if(sendonly = true, 'REJECT', 'OK') AS access from accounts where username = '%u' and domain = '%d' and enabled = true LIMIT 1;

und in nano sender-login-maps.cf das einfügen.
user = vmail

password = vmaildbpass
hosts = 127.0.0.1

dbname = vmail


query = select concat(username, '@', domain) as 'owns' from accounts where username = '%u' AND domain = '%d' and enabled = true union select concat(destination_username, '@', destination_domain) AS 'owns' from aliases where source_username = '%u' and source_domain = '%d' and enabled = true;

touch /etc/postfix/without_ptr

touch /etc/postfix/postscreen_access
damit noch fehlende Dateien erstellt werden.

Spamassassin konfigurieren
die Datenbank einspielen cat /usr/share/doc/spamassassin/sql/bayes_mysql.sql | mysql -u root -p spamassassin
Spamassassin auf die Datenbank einstellen: nano /etc/mail/spamassassin/local.cf und dort Folgendes einpflegen:
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL

bayes_sql_dsn DBI:mysql:spamassassin:localhost


bayes_sql_username spamassassin


bayes_sql_password spamasspwd


bayes_sql_override_username vmail

Dovecot
damit es sauber installiert wird erstmal alles unnötige entsorgen rm -r /etc/dovecot/* && cd /etc/dovecot
Benutzer vmail anlegen: adduser --disabled-login --disabled-password --home /var/vmail vmail
Unterverzeichnisse erstellen: mkdir /var/vmail/mailboxes

mkdir -p /var/vmail/sieve/global

Rechte einräumen: chown -R vmail /var/vmail

chgrp -R vmail /var/vmail


chmod -R 770 /var/vmail

nano dovecot.conf
und das einfügen:
protocols = imap lmtp sieve

ssl = required


ssl_cert = </etc/letsencrypt/live/mail.mysystems.tld/fullchain.pem

ssl_key = </etc/letsencrypt/live/mail.mysystems.tld/privkey.pem
ssl_dh_parameters_length = 2048

ssl_protocols = !SSLv2 !SSLv3


ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA


ssl_prefer_server_ciphers = yes


service imap-login {


inet_listener imap {


port = 143


}


}


service managesieve-login {


inet_listener sieve {


port = 4190


}


}


service lmtp {


unix_listener /var/spool/postfix/private/dovecot-lmtp {


mode = 0660


group = postfix


user = postfix


}


user = vmail


}


service auth {


unix_listener /var/spool/postfix/private/auth {


mode = 0660


user = postfix


group = postfix


}


unix_listener auth-userdb {


mode = 0660


user = vmail


group = vmail


}


}


protocol imap {


mail_plugins = $mail_plugins quota imap_quota antispam


mail_max_userip_connections = 20


imap_idle_notify_interval = 29 mins


}


protocol lmtp {


postmaster_address = postmaster@mysystems.tld


mail_plugins = $mail_plugins sieve


}


disable_plaintext_auth = yes


auth_mechanisms = plain login


passdb {


driver = sql


args = /etc/dovecot/dovecot-sql.conf


}


userdb {


driver = sql


args = /etc/dovecot/dovecot-sql.conf


}


mail_uid = vmail


mail_gid = vmail


mail_privileged_group = vmail


mail_home = /var/vmail/mailboxes/%d/%n


mail_location = maildir:~/mail:LAYOUT=fs


namespace inbox {


inbox = yes


mailbox Spam {


auto = subscribe


special_use = \Junk


}


mailbox Trash {


auto = subscribe


special_use = \Trash


}


mailbox Drafts {


auto = subscribe


special_use = \Drafts


}


mailbox Sent {


auto = subscribe


special_use = \Sent


}


}


plugin {


sieve_before = /var/vmail/sieve/global/spam-global.sieve


sieve = /var/vmail/sieve/%d/%n/active-script.sieve


sieve_dir = /var/vmail/sieve/%d/%n/scripts


quota = maildir:User quota


quota_exceeded_message = Benutzer %u hat das Speichervolumen überschritten. / User %u has exhausted allowed storage space.


antispam_backend = pipe


antispam_spam = Spam


antispam_trash = Trash


antispam_pipe_program = /var/vmail/spampipe.sh


antispam_pipe_program_spam_arg = --spam


antispam_pipe_program_notspam_arg = --ham


}

dann noch Dovecot mit SQL versorgen nano dovecot-sql.conf
das das rein:
driver=mysql

connect = "host=127.0.0.1 dbname=vmail user=vmail password=vmaildbpass"
default_pass_scheme = SHA512-CRYPT

password_query = SELECT username AS user, domain, password FROM accounts WHERE username = '%n' AND domain = '%d' and enabled = true;
user_query = SELECT concat('*:storage=', quota, 'M') AS quota_rule FROM accounts WHERE username = '%n' AND domain = '%d' AND sendonly = false;


iterate_query = SELECT username, domain FROM accounts where sendonly = false;

Jetzt noch nano /var/vmail/spampipe.sh mit:
#!/bin/bash
# Invoked by Dovecot's antispam plugin (antispam_pipe_program) with --spam or
# --ham as argument (antispam_pipe_program_*_arg); the message arrives on
# stdin. Training is detached into the background so the IMAP move does not
# wait for sa-learn, and the script itself always reports success.
train() {
    cat | sa-learn "$@"
}

train "$@" &
exit 0
und die Rechte anpassen:
chown vmail:vmail /var/vmail/spampipe.sh
chmod u+x /var/vmail/spampipe.sh

und unter nano /var/vmail/sieve/global/spam-global.sieve das hier rein:
# Global script run before every user's own script (sieve_before in the
# Dovecot plugin section): anything SpamAssassin tagged with
# "X-Spam-Flag: YES" is filed into the Spam folder.
require ["fileinto"];

if header :comparator "i;ascii-casemap" :contains "X-Spam-Flag" "YES" {
    fileinto "Spam";
}

Nun am besten den Server mit reboot neu starten.
Anschließend einen Blick auf /var/log richten und testen.

Hoffentlich mit Erfolg
