devCU last won the day on May 27

devCU had the most liked content!

About devCU

  • Birthday 02/08/1968

Profile Information

  • Gender
  • Location
    New York
  • Interests
    Everything code...

  1. Beta testing at a private site begins Monday the 2nd of June. Those who contacted me to be a part of it will receive login details via email tomorrow.
  2. Started work on the code refactoring for IPS 4.4 compatibility. You can see the updates at the GitHub site https://github.com/GaalexxC/IPS-4.4-BitTracker
  3. With PayPal gone again I have just registered for Braintree (a PayPal company..lol) and Stripe. Both have been approved and activated, allowing for credit and debit cards, also ACH (bank transfers) and ApplePay/GPay as well. So we have the payment methods; I just need to set up some kind of system for them. Best bet right now is if you have any type of Google account, i.e. Gmail, then you have G Pay and can send funds to sales@exceptionalservers.com. Just login to Google and your account settings should have a section "payments and subscriptions", that's G Pay. Send money to the email above and use a credit/debit card.
  4. PayPal is no longer a donation or payment option. So we are moving forward and adding better options to the site, from Patreon (for those who want to support us every month) to one-time donations via credit/debit cards. PayPal users can still use their PayPal to pay for some of these services.

     Become a devCU Patron

     Members can now support us year round by becoming a patron for as little as $2 a month. If we can get enough members to throw in a couple bucks a month we will never have to worry about the servers, software or licensing needs ever again. It will help me tremendously to be able to concentrate and spend more time on the site and its software development. PayPal users can use their PayPal account to become a Patron: https://www.patreon.com/devcu

     I plan on adding rewards specifically for devCU Patrons as well, in addition to those being offered on the site. All current donators and new Patrons will have exclusive first access to beta and new releases a week or two before the public. devCU patrons also have premium support as well as the opportunity to get suggested features added first.

     There are 5 Tiers:
       $2 - $4
       $5 - $9
       $10 - $19
       $20 - $99
       $100 + Corporate Sponsorships

     You can message me privately on Patreon once you pledge and let me know of your patronage. Thanks for all the support we get, and if you have any questions please feel free.
  5. Step Ten: Dovecot-Sieve

     Already configured this when we did the Dovecot configure. But now we want to add custom scripts to further lock down our mail server and make sure only good email gets in. For more info and additional filtering options:
       https://p5r.uk/blog/2011/sieve-tutorial.html
       https://tools.ietf.org/html/rfc5228
       https://wiki2.dovecot.org/Pigeonhole/Sieve/Examples

     The first script is for individual email accounts; it is used to prevent spoofing of email addresses on the server as well as some additional filtering rules. So let's say you set up an account in Postfix Admin named support@domain.com. Let's create a sieve script in support's mail directory:

       # nano /var/vmail/domain.com/support/.dovecot.sieve

     Insert the following and save.

       require ["fileinto"];

       # :contains is used for X-Spam-Status and Authentication-Results because these
       # tokens appear inside a longer header value (a :matches pattern with no
       # wildcard would only succeed on an exact, whole-value match)
       if anyof (
           not address :all :contains ["To", "Cc", "Bcc"] "support@domain.com",
           header :contains "X-Spam-Status" ["T_DKIM_INVALID", "FORGED_HOTMAIL_RCVD2", "MISSING_HEADERS"],
           header :contains "Authentication-Results" ["fail", "dkim=none", "header.d=none", "dmarc=none"],
           header :matches "Subject" ["*spam*", "*Viagra*", "*offshore*", "*gambling*", "*porno*", "*capital*"]
       ) {
           fileinto "Spam";
       }

     The above does the following:
       - If the address (To, Cc, Bcc) doesn't contain support@domain.com it will go to the Spam folder.
       - If the header contains an invalid DKIM, a forged Hotmail (very common) or missing headers it will go to the Spam folder.
       - If authentication says fail, dkim none, header none, or dmarc none it will go to the Spam folder.
       - If the subject matches the above keywords it will go to the Spam folder.

     You can remove or add filters. Every domain's mail directory should have this unique file. Make sure the domain is correct in the script.

     Now make it a readable database for Sieve (you must do this for scripts and every time you alter the script):

       # sievec -D /var/vmail/domain.com/support/.dovecot.sieve

     More script examples; these are run before the user script above.

       # mkdir /var/lib/dovecot/sieve.d
       # nano /var/lib/dovecot/sieve.d/emails.sieve

     --Insert-- This is a list of emails you can send directly to spam

       require ["fileinto"];

       # One string list with one address per entry: a single comma-separated
       # string would never match an address with :is
       if address :is "from" ["godaddydesign@gmail.com", "johnfrancisthestud@gmail.com",
                              "mayswihart3269@gmail.com", "gilbertepxmaria@gmail.com",
                              "mlika@creativenetapp.com", "aarohi.webconsultant@hotmail.com"] {
           fileinto "Spam";
       }

       # nano /var/lib/dovecot/sieve.d/general.sieve

     --Insert-- More header and body checks

       require ["regex", "body", "fileinto", "mailbox"];

       if header :contains "X-Spam-Flag" "YES" {
           # move mail into folder Spam, create the folder if it does not exist
           fileinto :create "Spam";
           stop;
       }

       if header :contains "X-Spam-Level" "**" {
           fileinto :create "Spam";
           stop;
       }

       # empty subject and a body that is nothing but a single http:// link
       if allof (
           not header :regex "Subject" "[[:graph:]]",
           body :regex "^[[:space:]]*http://[[:graph:]]+[[:space:]]*$"
       ) {
           fileinto "Spam";
       }

       # nano /var/lib/dovecot/sieve.d/spam.sieve

     --Insert-- Spamtestplus

       require ["spamtestplus", "fileinto", "mailbox", "relational", "comparator-i;ascii-numeric"];

       if spamtest :value "eq" :comparator "i;ascii-numeric" "0" {
           keep;
       } elsif spamtest :value "ge" :comparator "i;ascii-numeric" "2" {
           fileinto "Spam";
       }

       # nano /var/lib/dovecot/sieve.d/virus.sieve

     --Insert-- Virustest

       require ["virustest", "fileinto", "mailbox", "relational", "comparator-i;ascii-numeric"];

       /* Not scanned? */
       if virustest :value "eq" :comparator "i;ascii-numeric" "0" {
           keep;
       }

       /* Infected with high probability (value range is 1-5) */
       if virustest :value "eq" :comparator "i;ascii-numeric" "4" {
           /* Quarantine it in a special folder (still somewhat dangerous) */
           fileinto :create "INBOX.Quarantine";
       /* Definitely infected */
       } elsif virustest :value "eq" :comparator "i;ascii-numeric" "5" {
           /* Just get rid of it */
           discard;
       }

     Now don't forget to use sievec:

       # sievec -D /var/lib/dovecot/sieve.d/emails.sieve
       # sievec -D /var/lib/dovecot/sieve.d/spam.sieve
       # sievec -D /var/lib/dovecot/sieve.d/general.sieve
       # sievec -D /var/lib/dovecot/sieve.d/virus.sieve

     There are many different filters you can add; please see more at:
       https://p5r.uk/blog/2011/sieve-tutorial.html
       https://tools.ietf.org/html/rfc5228
       https://wiki2.dovecot.org/Pigeonhole/Sieve/Examples
  6. Step Nine: DCC | Pyzor | Razor2 (Updated 06/04/19)

     Easy and quick, let's go...

     DCC

       # wget https://www.dcc-servers.net/dcc/source/dcc.tar.Z
       # tar xfvz dcc.tar.Z
       # cd dcc-*
       # PREFIX is left unset here, so DCC installs into /bin and /lib/dcc
       # (the paths used by the rcDCC and dccproc commands below)
       # ./configure \
           --bindir=${PREFIX}/bin \
           --libexecdir=${PREFIX}/lib/dcc \
           --mandir=${PREFIX}/man \
           --homedir=/var/lib/dcc
       # make
       # make install
       # chown -R postfix:postfix /var/lib/dcc

     --- Allow through Firewall ---

       # sudo ufw allow to any port 6277 proto udp

       # nano /var/lib/dcc/dcc_conf

     Change:
       DCCUID=root           --> DCCUID=postfix
       GREY_CLIENT_ARGS=on
       DNSBL_ARGS="'-Bset:rej-msg=5.7.1 550 mail %s from %s rejected; see http://www.spamhaus.org/xbl/' -Bsbl-xbl.spamhaus.org,any"
       DCCIFD_ENABLE=off     --> DCCIFD_ENABLE=on
       Configure_DCCUID=root --> Configure_DCCUID=postfix

     Test, you should see a server list:
       # cdcc info

     Restart:
       # /lib/dcc/rcDCC start

     Razor2

     Create:
       # mkdir /var/lib/spamassassin/.razor
     Register:
       # razor-admin -home=/var/lib/spamassassin/.razor -register
       # razor-admin -home=/var/lib/spamassassin/.razor -create
       # razor-admin -home=/var/lib/spamassassin/.razor -discover

     Pyzor

     Test, should be running out of the box:
       # echo "test" | spamassassin -D pyzor 2>&1 | less

     Restart all services and check /var/log/mail.log for any errors:
       # /etc/init.d/postgrey restart
       # /etc/init.d/rcDCC restart
       # /etc/init.d/spamassassin restart
       # /etc/init.d/amavis restart
       # /etc/init.d/clamav-daemon restart
       # /etc/init.d/postfix restart
       # /etc/init.d/dovecot restart
       # /etc/init.d/opendkim restart
  7. Step Eight: Spamassassin

       # nano /etc/spamassassin/local.cf

     Replace with the following; make sure to add your main server IP.

       # No user rules
       allow_user_rules 0

       # Trusted
       clear_internal_networks
       trusted_networks 111.222.333.444
       internal_networks 111.222.333.444
       whitelist_from *@gmail.com

       # alter the mail's subject
       rewrite_header Subject [***** SPAM _SCORE_ *****]

       # do not alter the body (0=do nothing, 1=add as attachment, 2=...)
       report_safe 0

       # the required spam score... let's start with 2.9 points
       required_score 2.9

       # Enable the Bayes system
       use_bayes 1
       use_bayes_rules 1
       bayes_auto_learn 1
       bayes_auto_learn_threshold_nonspam -0.001
       bayes_auto_learn_threshold_spam 2.9
       bayes_path /var/lib/amavis/.spamassassin/bayes
       bayes_file_mode 0770

       # Network checks stay enabled (0 = do not skip them)
       skip_rbl_checks 0
       skip_uribl_checks 0

       # Enable razor2 and make use of it
       use_razor2 1
       razor_config /var/lib/spamassassin/.razor/razor-agent.conf

       # Enable pyzor and make use of it
       ifplugin Mail::SpamAssassin::Plugin::Pyzor
       use_pyzor 1
       pyzor_path /usr/bin/pyzor
       pyzor_timeout 20
       pyzor_options --homedir /var/lib/spamassassin/.pyzor
       endif

       # Enable DCC and make use of it
       loadplugin Mail::SpamAssassin::Plugin::DCC
       use_dcc 1
       dcc_path /bin/dccproc
       dcc_dccifd_path /lib/dcc/dccifd
       dcc_home /var/lib/dcc
       dcc_learn_score 0
       dcc_timeout 10
       full DCC_CHECK eval:check_dcc()

       add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES(,)_ _DCCR_ _PYZOR_ _RBL_ autolearn=_AUTOLEARN_ version=_VERSION_

       # Set headers which may provide inappropriate cues to the Bayesian classifier
       bayes_ignore_header X-Bogosity
       bayes_ignore_header X-Spam-Flag
       bayes_ignore_header X-Spam-Stat

       ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
       #
       # default: strongly-whitelisted mails are *really* whitelisted now, if the
       # shortcircuiting plugin is active, causing early exit to save CPU load.
       # Uncomment to turn this on
       #
       shortcircuit USER_IN_WHITELIST       on
       shortcircuit USER_IN_DEF_WHITELIST   on
       shortcircuit USER_IN_ALL_SPAM_TO     on
       shortcircuit SUBJECT_IN_WHITELIST    on

       # the opposite; blacklisted mails can also save CPU
       #
       shortcircuit USER_IN_BLACKLIST       on
       shortcircuit USER_IN_BLACKLIST_TO    on
       shortcircuit SUBJECT_IN_BLACKLIST    on

       # if you have taken the time to correctly specify your "trusted_networks",
       # this is another good way to save CPU
       #
       shortcircuit ALL_TRUSTED             on

       # and a well-trained bayes DB can save running rules, too
       #
       shortcircuit BAYES_99                spam
       shortcircuit BAYES_00                ham

       endif # Mail::SpamAssassin::Plugin::Shortcircuit

       # nano /etc/default/spamassassin

     Adjust:
       ENABLED=1
       CRON=1

     Restart:
       # /etc/init.d/spamassassin restart

     Remember that deprecated warning during the Perl install? We will fix it now.

       # nano -c /usr/local/share/perl/5.26.1/Mail/SpamAssassin/PerMsgStatus.pm

     Go to line 921 and change this
       $str =~ s/^(.{,200}).*$/$1/gs;
     to this
       $str =~ s/^(.\{,200}).*$/$1/gs;

     Now update the Spamassassin rules:
       # sa-update
  8. Step Seven: Postgrey

     Quick and simple.

       # nano /etc/default/postgrey

     Copy and paste:

       # postgrey startup options, created for Debian

       # you may want to set
       #   --delay=N   how long to greylist, seconds (default: 300)
       #   --max-age=N delete old entries after N days (default: 35)
       # see also the postgrey(8) manpage

       POSTGREY_OPTS="--inet=10023 --delay=60 --privacy --x-greylist-header=Mail delayed %t seconds by postgrey-%v at %h; %d"

       # the --greylist-text commandline argument can not be easily passed through
       # POSTGREY_OPTS when it contains spaces. So, insert your text here:
       POSTGREY_TEXT="This email was rejected by our greylisting server"

     Restart Postgrey:
       # /etc/init.d/postgrey restart
  9. Step Six: Amavis

       # nano /etc/amavis/conf.d/15-content_filter_mode

     Replace with:

       use strict;

       # You can modify this file to re-enable SPAM checking through spamassassin
       # and to re-enable antivirus checking.

       #
       # Default antivirus checking mode
       # Uncomment the two lines below to enable it
       #

       @bypass_virus_checks_maps = (
          \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

       #
       # Default SPAM checking mode
       # Uncomment the two lines below to enable it
       #

       @bypass_spam_checks_maps = (
          \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

       1;  # insure a defined return

       # nano /etc/amavis/conf.d/20-debian_defaults

     Find
       $final_spam_destiny = D_BOUNCE;
     Change to
       $final_spam_destiny = D_DISCARD;

       # nano /etc/amavis/conf.d/40-policy_banks

     Adjust to your liking.

       # nano /etc/amavis/conf.d/50-user

     Replace with the following; be sure to update the domain and database info.

       use strict;

       #
       # Place your configuration directives here.  They will override those in
       # earlier files.
       #
       # See /usr/share/doc/amavisd-new/ for documentation and examples of
       # the directives you can use in this file
       #

       $mydomain = 'domain.com';
       $myhostname = 'mail.domain.com';

       #@local_domains_acl = ( "domain.com", "domain2.com", "domain3.net" );
       @local_domains_acl = qw(.);

       # Three concurrent processes. This should fit into the RAM available on an
       # AWS micro instance. This has to match the number of processes specified
       # for Amavis in /etc/postfix/master.cf.
       $max_servers = 3;

       # Add spam info headers if at or above that level - this ensures they
       # are always added.
       $sa_tag_level_deflt = -9999;

       # Check the database to see if mail is for local delivery, and thus
       # should be spam checked.
       @lookup_sql_dsn = (
           ['DBI:mysql:database=mailservename;host=;port=3306',
            'postfixuser',
            'databasepassword']);
       $sql_select_policy = 'SELECT domain from domain WHERE CONCAT("@",domain) IN (%k)';

       # Uncomment to bump up the log level when testing.
       $log_level = 2;
       $sa_debug = 1;

       #------------ Do not modify anything below this line -------------
       1;  # ensure a defined return

     Add the clamav user to the amavis group in order for Amavisd-new to have the appropriate access to scan files:

       # adduser clamav amavis
       # adduser amavis clamav
  10. Step five: OpenDKIM | SPF | DMARC

     Now that mail is working we need to set up our filtering and security applications to make sure mail is marked clean from our server and to catch mail marked dirty coming to our server. Let's start with the three settings that need to be part of your domain's DNS. I am using bind here, but for the most part the lines you need to add are the same for any DNS server. Open your domain DNS file and add the following.

     SPF (change domain.com and the IPs to yours):
       domain.com. IN TXT "v=spf1 include:domain.com ip4:111.222.333.444 ip6:fe80::a6bf:1ff:fe1d:ad5e ~all"

     DMARC (change domain.com to yours):
       _dmarc.domain.com. IN TXT "v=DMARC1; p=none; sp=reject; ruf=mailto:postmaster@domain.com; rua=mailto:postmaster@domain.com; aspf=r; rf=afrf; pct=20; ri=86400"

     OpenDKIM
       # mkdir -pv /etc/opendkim/domain.com/
       # chown -R opendkim:opendkim /etc/opendkim
       # cd /etc/opendkim/domain.com
       # opendkim-genkey -r -h sha256 -d domain.com -s email
       # mv -v email.private email.key

     Now open email.txt and copy the entire contents to your DNS; it will look something like this:
       # nano /etc/opendkim/domain.com/email.txt

       email._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
         "p=MIIBIjANBgkqhkiG9w0BAQEFAA3f534x34IBCgKCAQEAxuVypsj0xLll8T2AMtt7Wl1O4d722oraaAx8XPmYhm4kLobe6xbzxTGEyOnoczSElfrcDFKGALXIWLYQSAul3kyrdaYAhNk0YzcXY/esfT53WlMuwZA04BsnKYQdn7hSlP7+vhMkNdpgXTxfdf6AXKbXlAiYdalM75zeF/Ukf435ffc/nzQ2W910Jf+zKdZZMQef2dyyehM5CWGFo"
         "MWNwZ2sPsd4voNq72Uo3xgf35gxx35gMMr6PDgsxR1gRJ87QZOBnIvTquH12K2cLanTFm6O93PrRhbmtiy+H3WnNu+mazajSFFsv0/xEW7QncromsvRsVlfEs4QfPMjNUtDHUMeB0LQwGwIDAQAB" ) ; ----- DKIM key email for domain.com

     All three of these should be pasted in consecutive lines in the DNS zone file, before the mail entries. Restart the DNS server and check the logs for errors in syntax.
       # /etc/init.d/bind9 restart

     More on OpenDKIM; we are not done yet if we want it working properly.

     Test Key:
       # opendkim-testkey -vvv -d domain.com -s email -k /etc/opendkim/domain.com/email.key

     Now let's finish it up:
       # cd /etc/opendkim/
       # nano KeyTable
     Add:
       #key_name domain:selector:/etc/opendkim/domain.com/email.key
       email._domainkey.domain.com domain.com:email:/etc/opendkim/domain.com/email.key

       # nano SigningTable
     Add:
       #*@domain.com domain.com
       *@domain.com email._domainkey.domain.com

       # nano TrustedHosts
     Add your domain, hostname, mailserver name, local host, and server IPs:
       domain.com
       servername.domain.com
       mail.domain.com
       111.222.333.444/24
       111.222.333.444/30

     Permissions:
       chown opendkim:opendkim /etc/opendkim/{KeyTable,SigningTable,TrustedHosts}

     Configure DKIM:
       # nano /etc/opendkim.conf
     Copy and paste:

       OversignHeaders         From,Subject
       SignatureAlgorithm      rsa-sha256
       AutoRestart             Yes
       Canonicalization        relaxed/relaxed
       ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
       InternalHosts           refile:/etc/opendkim/TrustedHosts
       KeyTable                refile:/etc/opendkim/KeyTable
       LogWhy                  Yes
       MinimumKeyBits          1024
       Mode                    sv
       PidFile                 /var/run/opendkim/opendkim.pid
       SigningTable            refile:/etc/opendkim/SigningTable
       Socket                  local:/var/run/opendkim/opendkim.sock
       Syslog                  Yes
       SyslogSuccess           Yes
       TemporaryDirectory      /var/tmp
       # Required to use local socket with MTAs that access the socket as a non-
       # privileged user (e.g. Postfix)
       UMask                   0002
       UserID                  opendkim:opendkim
       TrustAnchorFile         /usr/share/dns/root.key

     Run the following commands, replacing domain.com with yours:
       mkdir -p /var/run/opendkim/
       chown opendkim:opendkim /var/run/opendkim/
       chown opendkim:opendkim /var/run/opendkim/opendkim.sock
       chown opendkim:opendkim /etc/opendkim/domain.com/email.key
       chown opendkim:opendkim /etc/opendkim/domain.com/email.txt
       usermod -a -G opendkim postfix
       chmod 775 /var/run/opendkim/

     Defaults:
       # nano /etc/default/opendkim
     Copy and paste:

       # Command-line options specified here will override the contents of
       # /etc/opendkim.conf. See opendkim(8) for a complete list of options.
       #DAEMON_OPTS=""
       # Change to /var/spool/postfix/var/run/opendkim to use a Unix socket with
       # postfix in a chroot:
       RUNDIR=/var/run/opendkim
       #RUNDIR=/var/run/opendkim
       #
       # Uncomment to specify an alternate socket
       # Note that setting this will override any Socket value in opendkim.conf
       # default:
       SOCKET="local:$RUNDIR/opendkim.sock"
       # SOCKET="local:/var/spool/postfix/var/run/opendkim/opendkim.sock"
       # listen on all interfaces on port 54321:
       #SOCKET=inet:54321
       # listen on loopback on port 12345:
       #SOCKET=inet:12345@localhost
       # listen on on port 12345:
       #SOCKET=inet:12345@
       USER=opendkim
       GROUP=opendkim
       PIDFILE=$RUNDIR/opendkim.pid
       EXTRAAFTER=

     Restart:
       # /etc/init.d/opendkim restart

     We are now in the home stretch...
  12. Step four: Dovecot Configure

     Dovecot is a bit easier than Postfix; we just have to change a few config files to get it up and running properly. If a config is not in the list, leave it as is!

       # cd /etc/dovecot/conf.d
       # nano 10-auth.conf

     Uncomment - Enable:
       disable_plaintext_auth = yes
     Adjust - Add login:
       auth_mechanisms = plain login
     Switch - Comment all others:
       !include auth-sql.conf.ext

       # nano 10-logging.conf

     Uncomment:
       log_path = syslog
       auth_verbose = yes
       auth_verbose_passwords = plain
       auth_debug = yes
       auth_debug_passwords = yes
       mail_debug = yes
       verbose_ssl = yes
       log_timestamp = "%b %d %H:%M:%S "
       login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k

       # nano 10-mail.conf

     Adjust:
       mail_location = maildir:/var/vmail/%d/%n
     Uncomment:
       type = private
     Uncomment:
       mail_uid = vmail
       mail_gid = mail
     Comment:
       #mail_privileged_group = mail
     Uncomment:
       first_valid_uid = 150
       last_valid_uid = 150
     Uncomment:
       mail_plugin_dir = /usr/lib/dovecot/modules

       # nano 10-master.conf

     Copy and paste:

       #default_process_limit = 100
       #default_client_limit = 1000

       # Default VSZ (virtual memory size) limit for service processes. This is mainly
       # intended to catch and kill processes that leak memory before they eat up
       # everything.
       #default_vsz_limit = 256M

       # Login user is internally used by login processes. This is the most untrusted
       # user in Dovecot system. It shouldn't have access to anything at all.
       #default_login_user = dovenull

       # Internal user is used by unprivileged processes. It should be separate from
       # login user, so that login processes can't disturb other processes.
       #default_internal_user = dovecot

       service imap-login {
         inet_listener imap {
           port = 143
         }
         inet_listener imaps {
           port = 993
           ssl = yes
         }

         # Number of connections to handle before starting a new process. Typically
         # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
         # is faster. <doc/wiki/LoginProcess.txt>
         service_count = 1

         # Number of processes to always keep waiting for more connections.
         process_min_avail = 4

         # If you set service_count=0, you probably need to grow this.
         #vsz_limit = $default_vsz_limit
       }

       service pop3-login {
         service_count = 1
         inet_listener pop3 {
           port = 110
         }
         inet_listener pop3s {
           port = 995
           ssl = yes
         }
       }

       service lmtp {
         unix_listener lmtp {
           #mode = 0666
         }

         # Create inet listener only if you can't use the above UNIX socket
         #inet_listener lmtp {
           # Avoid making LMTP visible for the entire internet
           #address =
           #port =
         #}
       }

       service imap {
         # Most of the memory goes to mmap()ing files. You may need to increase this
         # limit if you have huge mailboxes.
         #vsz_limit = $default_vsz_limit

         # Max. number of IMAP processes (connections)
         #process_limit = 1024
       }

       service pop3 {
         # Max. number of POP3 processes (connections)
         #process_limit = 1024
       }

       service auth {
         # auth_socket_path points to this userdb socket by default. It's typically
         # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
         # full permissions to this socket are able to get a list of all usernames and
         # get the results of everyone's userdb lookups.
         #
         # The default 0666 mode allows anyone to connect to the socket, but the
         # userdb lookups will succeed only if the userdb returns an "uid" field that
         # matches the caller process's UID. Also if caller's uid or gid matches the
         # socket's uid or gid the lookup succeeds. Anything else causes a failure.
         #
         # To give the caller full permissions to lookup all users, set the mode to
         # something else than 0666 and Dovecot lets the kernel enforce the
         # permissions (e.g. 0777 allows everyone full permissions).
         unix_listener auth-userdb {
           mode = 0666
           user = vmail
           group = mail
         }

         # Postfix smtp-auth (a single listener; the same socket path was listed
         # twice in the posted config and has been merged here)
         unix_listener /var/spool/postfix/private/auth {
           mode = 0666
           # Assuming the default Postfix user and group
           user = postfix
           group = postfix
         }

         # Auth process is run as this user.
         user = root
       }

       service auth-worker {
         # Auth worker process is run as root by default, so that it can access
         # /etc/shadow. If this isn't necessary, the user should be changed to
         # $default_internal_user.
         user = root
       }

       service dict {
         # If dict proxy is used, mail processes should have access to its socket.
         # For example: mode=0660, group=vmail and global mail_access_groups=vmail
         unix_listener dict {
           #mode = 0600
           #user =
           #group =
         }
       }

       # nano 10-ssl.conf

     Copy and paste, and make sure you update all SSL paths!

       ##
       ## SSL settings
       ##

       # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
       ssl = required

       # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
       # dropping root privileges, so keep the key file unreadable by anyone but
       # root. Included doc/mkcert.sh can be used to easily generate self-signed
       # certificate, just make sure to update the domains in dovecot-openssl.cnf
       ssl_cert = </etc/letsencrypt/live/mail.domain.com/fullchain.pem
       ssl_key = </etc/letsencrypt/live/mail.domain.com/privkey.pem

       # If key file is password protected, give the password here. Alternatively
       # give it when starting dovecot with -p parameter. Since this file is often
       # world-readable, you may want to place this setting instead to a different
       # root owned 0600 file by using ssl_key_password = <path.
       #ssl_key_password =

       # PEM encoded trusted certificate authority. Set this only if you intend to use
       # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
       # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
       ssl_ca = </etc/letsencrypt/live/mail.domain.com/chain.pem

       # Require that CRL check succeeds for client certificates.
       #ssl_require_crl = yes

       # Directory and/or file for trusted SSL CA certificates. These are used only
       # when Dovecot needs to act as an SSL client (e.g. imapc backend). The
       # directory is usually /etc/ssl/certs in Debian-based systems and the file is
       # /etc/pki/tls/cert.pem in RedHat-based systems.
       ssl_client_ca_dir = /etc/ssl/certs
       #ssl_client_ca_file =

       # Request client to send a certificate. If you also want to require it, set
       # auth_ssl_require_client_cert=yes in auth section.
       #ssl_verify_client_cert = no

       # Which field from certificate to use for username. commonName and
       # x500UniqueIdentifier are the usual choices. You'll also need to set
       # auth_ssl_username_from_cert=yes.
       #ssl_cert_username_field = commonName

       # DH parameters length to use.
       ssl_dh_parameters_length = 2048

       # SSL protocols to use
       #ssl_protocols = !SSLv2 !SSLv3

       # SSL ciphers to use
       ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:+HIGH:+MEDIUM

       # Prefer the server's order of ciphers over client's.
       ssl_prefer_server_ciphers = yes

       # SSL crypto device to use, for valid values run "openssl engine"
       #ssl_crypto_device =

       # SSL extra options. Currently supported options are:
       #   no_compression - Disable compression.
       #   no_ticket - Disable SSL session tickets.
       #ssl_options =

       # nano 15-mailboxes.conf

     Copy and paste:

       ##
       ## Mailbox definitions
       ##

       # Each mailbox is specified in a separate mailbox section. The section name
       # specifies the mailbox name. If it has spaces, you can put the name
       # "in quotes". These sections can contain the following mailbox settings:
       #
       # auto:
       #   Indicates whether the mailbox with this name is automatically created
       #   implicitly when it is first accessed. The user can also be automatically
       #   subscribed to the mailbox after creation. The following values are
       #   defined for this setting:
       #
       #     no        - Never created automatically.
       #     create    - Automatically created, but no automatic subscription.
       #     subscribe - Automatically created and subscribed.
       #
       # special_use:
       #   A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
       #   mailbox. There are no validity checks, so you could specify anything
       #   you want in here, but it's not a good idea to use flags other than the
       #   standard ones specified in the RFC:
       #
       #     \All      - This (virtual) mailbox presents all messages in the
       #                 user's message store.
       #     \Archive  - This mailbox is used to archive messages.
       #     \Drafts   - This mailbox is used to hold draft messages.
       #     \Flagged  - This (virtual) mailbox presents all messages in the
       #                 user's message store marked with the IMAP \Flagged flag.
       #     \Junk     - This mailbox is where messages deemed to be junk mail
       #                 are held.
       #     \Sent     - This mailbox is used to hold copies of messages that
       #                 have been sent.
       #     \Trash    - This mailbox is used to hold messages that have been
       #                 deleted.
       #
       # comment:
       #   Defines a default comment or note associated with the mailbox. This
       #   value is accessible through the IMAP METADATA mailbox entries
       #   "/shared/comment" and "/private/comment". Users with sufficient
       #   privileges can override the default value for entries with a custom
       #   value.

       # NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
       namespace inbox {
         # These mailboxes are widely used and could perhaps be created automatically:
         mailbox Trash {
           auto = no
           special_use = \Trash
         }
         mailbox Junk {
           auto = no
           special_use = \Junk
         }
         mailbox Drafts {
           auto = no
           special_use = \Drafts
         }
         mailbox Sent {
           auto = subscribe # autocreate and autosubscribe the Sent mailbox
           special_use = \Sent
         }
         mailbox "Sent Messages" {
           auto = no
           special_use = \Sent
         }
         mailbox Spam {
           auto = create # autocreate Spam, but don't autosubscribe
           special_use = \Junk
         }

         # If you have a virtual "All messages" mailbox:
         #mailbox virtual/All {
         #  special_use = \All
         #  comment = All my messages
         #}

         # If you have a virtual "Flagged" mailbox:
         #mailbox virtual/Flagged {
         #  special_use = \Flagged
         #  comment = All my flagged messages
         #}
       }

       # nano 20-imap.conf

     Replace at bottom:
       protocol imap {
         mail_max_userip_connections = 512
         imap_idle_notify_interval = 24 mins
         mail_plugins = $mail_plugins antispam
       }

       # nano 20-pop3.conf

     Replace at bottom:
       protocol pop3 {
         mail_max_userip_connections = 512
         #mail_plugins = $mail_plugins sieve
       }

       # nano 90-plugin.conf

     Copy and paste:

       ##
       ## Plugin settings
       ##

       # All wanted plugins must be listed in mail_plugins setting before any of the
       # settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
       # their configuration. Note that %variable expansion is done for all values.

       plugin {
         sieve = ~/.dovecot.sieve
         sieve_dir = ~/sieve
         sieve_global_dir = /var/lib/dovecot/sieve.d/
         sieve_global_path = /var/lib/dovecot/sieve.d/default.sieve
       }

       plugin {
         antispam_backend = pipe
         antispam_signature = X-Spam-Flag
         antispam_signature_missing = move
         antispam_trash = trash;Trash;Deleted Items;Deleted Messages
         antispam_trash_pattern = trash;Trash;Deleted *
         antispam_trash_pattern_ignorecase = TRASH
         antispam_spam = Spam;Junk
         antispam_spam_pattern = spam;Spam;junk;Junk
         antispam_spam_pattern_ignorecase = SPAM;JUNK
         antispam_pipe_tmpdir = /var/tmp
         antispam_pipe_program = /usr/bin/spamc
         antispam_pipe_program_args = --username;debian-spamd
         antispam_pipe_program_spam_arg = --learntype=spam
         antispam_pipe_program_notspam_arg = --learntype=ham
         antispam_debug_target = syslog
         antispam_verbose_debug = 1
       }

       # nano 90-sieve.conf

     Uncomment:
       sieve_before = /var/lib/dovecot/sieve.d/
       sieve_extensions = +notify +imapflags +fileinto +mailbox +variables
       sieve_global_extensions = +spamtest +spamtestplus +virustest +relational +comparator-i;ascii-numeric +reject +regex +body
       sieve_max_script_size = 1M

     And finally connect to the database:

       # nano /etc/dovecot/dovecot-sql.conf.ext

     Uncomment:
       driver = mysql
       connect = host=localhost dbname=mailservename user=postfixuser password=databasepassword
       password_query = \
         SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, \
         'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, \
         8 as userdb_gid, allow_nets \
         FROM mailbox WHERE username = '%u' AND active = '1'
       user_query = \
         SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, \
         150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota \
         FROM mailbox WHERE username = '%u' AND active = '1'

     Enabling Sieve:

       # nano 15-lda.conf

     Uncomment:
       postmaster_address = postmaster@domain.com
       hostname = mail.domain.com
     Adjust:
       protocol lda {
         log_path = syslog
         mail_plugins = $mail_plugins sieve
         mail_fsync = optimized
       }

     Restart Dovecot:
       # /etc/init.d/dovecot restart

     Should start with no problems. I have verbose debugging enabled for testing and correcting. You can alter this in the logging.conf when all is well. The most common error is the path to SSL; make sure it is correct or the server won't start.

     Now we want to connect to the mail server from a client such as Outlook, but first we need to take some security steps and create a new row in the mailserver database. Create a new row in the mailboxes table:
       allow_nets varchar(255) NOT NULL

     This is where you can add your IP address block to connect from; it ensures no one else can access your email unless it's from your own workstation/machine. In allow_nets for each mailbox add your public IP block like so:
       111.222.333.0/24

     For convenience you can also add it from the mail admin submission form when editing or creating a new account, but we will need to alter the Postfix Admin code to achieve this. And upon each update it will need to be added in again, as it is overwritten.

     At the command line (path to mymailadmin):
       # nano /usr/share/mymailadmin/model/MailboxHandler.php
     Find
       'name' => pacol(1, 1, 1, 'text', 'name' , 'pCreate_mailbox_name_text' , '' ),
     Add underneath
       'allow_nets' => pacol( 1, 1, 1, 'text', 'pCreate_allowed_nets' , 'pCreate_allow_nets' , '' ),

       # nano /usr/share/mymailadmin/templates/list-virtual_mailbox.tpl
     Find
       <td>{$item.modified}</td>
     Above it add
       <td>{$item.allow_nets}</td>

       # nano /usr/share/mymailadmin/languages/en.lang
     Adjust for your own language. Add at top:
       $PALANG['allownet'] = 'Allowed Nets';
       $PALANG['pCreate_allowed_nets'] = 'Allowed IP Nets (comma separated list)';

     Save the files and login to Postfix Admin and see the fields available now. Moving on...
  13. Now let's connect Postfix to the database. Use the database name, user, and pass we created for Postfix Admin.

       # cd /etc/postfix
       # nano mysql_virtual_alias_domainaliases_maps.cf

       user = postfixuser
       password = databasepassword
       hosts =
       dbname = mailservename
       query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' AND alias.address=concat('%u', '@', alias_domain.target_domain) AND alias.active = 1

       # nano mysql_virtual_alias_maps.cf

       user = postfixuser
       password = databasepassword
       hosts =
       dbname = mailservename
       table = alias
       select_field = goto
       where_field = address
       additional_conditions = and active = '1'

       # nano mysql_virtual_domains_maps.cf

       user = postfixuser
       password = databasepassword
       hosts =
       dbname = mailservename
       table = domain
       select_field = domain
       where_field = domain
       additional_conditions = and backupmx = '0' and active = '1'

       # nano mysql_virtual_mailbox_domainaliases_maps.cf

       user = postfixuser
       password = databasepassword
       hosts =
       dbname = mailservename
       query = SELECT maildir FROM mailbox, alias_domain WHERE alias_domain.alias_domain = '%d' AND mailbox.username=concat('%u', '@', alias_domain.target_domain ) AND mailbox.active = 1

       # nano mysql_virtual_mailbox_maps.cf

       user = postfixuser
       password = databasepassword
       hosts =
       dbname = mailservename
       table = mailbox
       select_field = CONCAT(domain, '/', local_part)
       where_field = username
       additional_conditions = and active = '1'

     If enabled, open the ports in ufw or your preferred firewall:
       # sudo ufw allow to any port 465
       # sudo ufw allow to any port 110
       # sudo ufw allow to any port 25
       # sudo ufw allow to any port 143
       # sudo ufw allow to any port 993
       # sudo ufw allow to any port 995

     Now restart Postfix:
       # /etc/init.d/postfix restart

     And the result should be flawless: 0 errors. Check the logs for errors:
       /var/log/mail.log && /var/log/mail.err

     That's it for now with Postfix; get some coffee, we now move to Dovecot...
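The SPF and DMARC lines from Step five can be sanity-checked offline before they go into the zone file. This is an added example, not code from the post or from any tool it installs: the records, domain and addresses are constructed placeholders, and the checks (an include: that points back at the record's own domain, unparseable ip4/ip6 values, a missing all mechanism, more than ten lookup terms, a monitor-only p=none) are this example's own logic rather than a complete RFC 7208/7489 validator.

```python
import ipaddress
import re

# Constructed zone lines in the shape Step five shows: domain.com is the page's
# placeholder and the addresses are documentation ranges, so nothing here is live.
ZONE = [
    'domain.com. IN TXT "v=spf1 include:domain.com ip4:203.0.113.25 ip6:2001:db8::1 ~all"',
    '_dmarc.domain.com. IN TXT "v=DMARC1; p=none; sp=reject; rua=mailto:postmaster@domain.com; pct=20"',
]

def txt_value(zone_line):
    """Owner name plus the TXT data of a BIND TXT line (quoted strings concatenated)."""
    parts = re.findall(r'"([^"]*)"', zone_line)
    if not parts:
        raise ValueError("no TXT data in: " + zone_line)
    return zone_line.split()[0].rstrip("."), "".join(parts)

def check_spf(owner, record):
    """Findings for an SPF record published at `owner`; [] means nothing to fix."""
    terms, issues, lookups = record.split(), [], 0
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF must start with v=spf1"]
    for term in terms[1:]:
        m = re.match(r"([a-z0-9]+)[:=/]?(.*)", term.lstrip("+-~?"), re.I)
        name, arg = (m.group(1).lower(), m.group(2)) if m else ("", "")
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1                       # RFC 7208 allows at most 10 of these
        if name == "include" and arg.lower() == owner.lower():
            issues.append("include:%s points at the record's own domain (loop)" % owner)
        if name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg, strict=False)
            except ValueError:
                issues.append("invalid address in " + term)
    if lookups > 10:
        issues.append("%d DNS-lookup terms exceed the limit of 10 (permerror)" % lookups)
    if not re.fullmatch(r"[+\-~?]?all", terms[-1], re.I):
        issues.append("last term should be an all mechanism such as ~all or -all")
    return issues

def check_dmarc(record):
    """Findings for a _dmarc TXT record; p=none is reported because it only monitors."""
    tags, issues = {}, []
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        issues.append("DMARC must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("p= must be none, quarantine or reject")
    elif tags["p"] == "none":
        issues.append("p=none only monitors; nothing is quarantined or rejected yet")
    if not tags.get("rua", "").startswith("mailto:"):
        issues.append("rua= should be a mailto: URI so aggregate reports arrive")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        issues.append("pct= must be an integer from 0 to 100")
    return issues

def check_zone(lines):
    """Map each TXT owner to its findings."""
    report = {}
    for line in lines:
        owner, record = txt_value(line)
        if record.lower().startswith("v=spf1"):
            report[owner] = check_spf(owner, record)
        elif owner.startswith("_dmarc"):
            report[owner] = check_dmarc(record)
        else:
            report[owner] = ["unrecognised TXT record (DKIM keys are checked separately)"]
    return report

if __name__ == "__main__":
    for owner, findings in check_zone(ZONE).items():
        print(owner, "->", findings or "ok")
```

Run against the constructed ZONE it flags the self-include in the SPF record and the monitor-only DMARC policy; the page's placeholder ip4:111.222.333.444 is reported as an invalid address.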
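The p= tag in Step five's email.txt is the base64 DER SubjectPublicKeyInfo of the signing key, and opendkim.conf sets MinimumKeyBits 1024, so the published key size can be read from the record alone. This is an added example, not code from the post or from OpenDKIM: the sample key is a synthetic DER structure built in code (not a real or usable key), the minimal DER walker is this example's own, and the record line mirrors the multi-string layout opendkim-genkey writes.

```python
import base64
import re

def _der(tag, body):
    """Minimal DER TLV encoder; used only to build the constructed sample key."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def sample_dkim_p(bits):
    """Base64 RSA SubjectPublicKeyInfo around a made-up modulus of `bits` bits.
    Only the DER layout matters for the check below; this is NOT a usable key."""
    rsa_pub = _der(0x30, _der_int((1 << (bits - 1)) | 0x10001) + _der_int(65537))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))).decode()

def _der_walk(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dkim_key_bits(p_value):
    """Modulus size of the RSA key in a DKIM p= tag; ValueError if not an RSA SPKI."""
    seq_tag, spki, _ = _der_walk(base64.b64decode(p_value, validate=True))
    _, _, after_alg = _der_walk(spki)                  # skip AlgorithmIdentifier
    bit_tag, bitstr, _ = _der_walk(spki, after_alg)
    if seq_tag != 0x30 or bit_tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, rsa_pub, _ = _der_walk(bitstr[1:])              # skip the unused-bits octet
    int_tag, modulus, _ = _der_walk(rsa_pub)
    if int_tag != 0x02:
        raise ValueError("no RSA modulus")
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_txt(zone_line, minimum_key_bits=1024):
    """Findings for one email.txt style TXT line; [] means the key is fine to publish.
    The quoted string fragments are joined exactly as a resolver joins them."""
    record = "".join(re.findall(r'"([^"]*)"', zone_line))
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = re.sub(r"\s+", "", value)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return ["expected v=DKIM1 and k=rsa for an opendkim-genkey key"]
    if not tags.get("p"):
        return ["p= is missing or empty (an empty p= means the key is revoked)"]
    try:
        bits = dkim_key_bits(tags["p"])
    except (ValueError, IndexError):
        return ["p= is not a valid base64 RSA SubjectPublicKeyInfo"]
    if bits < minimum_key_bits:
        return ["%d-bit key is below OpenDKIM MinimumKeyBits %d" % (bits, minimum_key_bits)]
    return []

# Constructed sample in the exact shape of Step five's email.txt (the key is made up).
SAMPLE_TXT = ('email._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; " '
              '"p=' + sample_dkim_p(2048) + '" ) ; ----- DKIM key email for domain.com')
```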
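Step four's allow_nets column (returned by password_query) is the list Dovecot compares the connecting client's IP against after the password check. This is an added example that replays that check over constructed mailbox rows; it is not Dovecot's own code, and the usernames, networks, and the handling of an empty or unparseable value (no network matches, so the login is refused and bad entries are reported) are this example's assumptions.

```python
import ipaddress

# Constructed mailbox rows in the shape of the password_query result
# (username -> allow_nets column). Addresses are documentation ranges.
MAILBOXES = {
    "support@domain.com": "203.0.113.0/24, 2001:db8:1::/48",
    "sales@domain.com": "198.51.100.7",        # a single host, no prefix length
    "info@domain.com": "111.222.333.0/24",     # the page's placeholder: not a valid IPv4 block
    "old@domain.com": "",                      # column is NOT NULL, so an empty value is possible
}

def parse_allow_nets(value):
    """Split the comma-separated allow_nets column into networks.
    Returns (networks, rejected_entries); entries that do not parse are skipped
    and handed back so they can be logged instead of silently opening or closing access."""
    nets, bad = [], []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            bad.append(entry)
    return nets, bad

def login_allowed(username, remote_ip, mailboxes=MAILBOXES):
    """The allow_nets check: the client IP must fall inside one of the listed
    networks. An empty or all-invalid list matches nothing, so the login is
    refused even when the password was correct. Address-family mismatches
    (an IPv4 client against an IPv6 network) never match."""
    if username not in mailboxes:
        return False
    nets, _ = parse_allow_nets(mailboxes[username])
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in net for net in nets)

if __name__ == "__main__":
    for user, raw in MAILBOXES.items():
        nets, bad = parse_allow_nets(raw)
        print(user, [str(n) for n in nets], "rejected entries:", bad)
    print(login_allowed("support@domain.com", "203.0.113.44"))   # True
    print(login_allowed("support@domain.com", "203.0.114.1"))    # False
```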