Tutorial: Debian Jessie Mailserver (postfix dovecot mysql)

Debian Jessie Mailserver Tutorial

(postfix, dovecot, mysql and postgrey)

apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql mysql-server git postfix-pcre postgrey

mysql datenbanken anlegen

mysqladmin -p create mailserver
mysql -p mailserver
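-- Read-only lookup account for Postfix and Dovecot: only SELECT is granted,
-- and only from the loopback address, so a leaked mail-config password cannot
-- alter the schema. The quotes must be plain ASCII single quotes -- the
-- typographic quotes the blog renders are a syntax error (the troubleshooting
-- section at the end of the page shows exactly that failure).
-- Replace mailuserpass with a strong, unique secret before running this.
GRANT SELECT ON mailserver.* TO 'mailuser'@'127.0.0.1' IDENTIFIED BY 'mailuserpass';
FLUSH PRIVILEGES;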

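-- One row per domain this server accepts mail for. Postfix answers its
-- virtual_mailbox_domains lookup (mysql-virtual-mailbox-domains.cf) from it.
CREATE TABLE `virtual_domains` (
    `id`   int(11) NOT NULL AUTO_INCREMENT,
    `name` varchar(50) NOT NULL,            -- the domain name, e.g. example.org
    PRIMARY KEY (`id`),
    -- a domain listed twice is a configuration mistake; reject it at insert time
    UNIQUE KEY `virtual_domains_name_uq` (`name`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;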

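-- One row per mailbox. `password` holds a SHA-512 crypt hash ("$6$" + 16-char
-- salt + "$" + 86-char digest = 106 chars), the format Dovecot's
-- default_pass_scheme = SHA512-CRYPT expects; never store clear text here.
CREATE TABLE `virtual_users` (
    `id`        int(11) NOT NULL AUTO_INCREMENT,
    `domain_id` int(11) NOT NULL,
    `password`  varchar(106) NOT NULL,
    `email`     varchar(100) NOT NULL,     -- full address, also the login name
    PRIMARY KEY (`id`),
    -- the Postfix mailbox map and the Dovecot password query both look up by email
    UNIQUE KEY `email` (`email`),
    -- named constraint so errors and migrations are greppable; removing a
    -- domain removes its mailboxes
    CONSTRAINT `virtual_users_domain_id_fk`
        FOREIGN KEY (`domain_id`) REFERENCES `virtual_domains` (`id`)
        ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;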

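-- Alias / forwarding table. Postfix resolves virtual_alias_maps with
-- "SELECT destination FROM virtual_aliases WHERE source='%s'", so `source`
-- gets an index; without it every RCPT TO is a full table scan.
CREATE TABLE `virtual_aliases` (
    `id`          int(11) NOT NULL AUTO_INCREMENT,
    `domain_id`   int(11) NOT NULL,
    `source`      varchar(100) NOT NULL,   -- an address, or "@domain" for a catch-all
    `destination` varchar(100) NOT NULL,
    PRIMARY KEY (`id`),
    KEY `virtual_aliases_source_idx` (`source`),
    CONSTRAINT `virtual_aliases_domain_id_fk`
        FOREIGN KEY (`domain_id`) REFERENCES `virtual_domains` (`id`)
        ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;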

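-- The first (and, in this tutorial, only) mail domain. Plain ASCII quotes are
-- required; the typographic quotes the blog shows are a syntax error, and the
-- numeric id does not need quoting at all.
INSERT INTO `mailserver`.`virtual_domains`
    (`id`, `name`)
VALUES
    (1, 'mattionline.de');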

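-- Two mailboxes in domain 1. ENCRYPT() calls the system crypt(3); the "$6$"
-- prefix selects SHA-512 crypt, which is what Dovecot's
-- default_pass_scheme = SHA512-CRYPT verifies against. The 16-hex-char salt
-- comes from SHA(RAND()); RAND() is not a cryptographic generator, so the salt
-- is unique-ish rather than unpredictable -- fine for a salt, but do not reuse
-- this construction for anything that has to stay secret.
-- Replace 'password' with the real mailbox passwords, and remember that the
-- clear text typed here also lands in the client's ~/.mysql_history.
INSERT INTO `mailserver`.`virtual_users`
    (`id`, `domain_id`, `password`, `email`)
VALUES
    (1, 1, ENCRYPT('password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'info@mattionline.de'),
    (2, 1, ENCRYPT('password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'user@mattionline.de');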

# I configured a catch-all for my domain

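-- Aliases for domain 1. Postfix tries the full address before the "@domain"
-- form, so the user@ -> user@ self-alias keeps that mailbox's mail out of the
-- catch-all; every other local part in the domain ends up at info@.
-- A catch-all also collects dictionary-attack and backscatter traffic, so
-- expect noise in that mailbox.
INSERT INTO `mailserver`.`virtual_aliases`
    (`id`, `domain_id`, `source`, `destination`)
VALUES
    (1, 1, 'user@mattionline.de', 'user@mattionline.de'),
    (2, 1, '@mattionline.de',     'info@mattionline.de');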

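-- Sanity check of what was just inserted. Explicit column lists and ORDER BY
-- keep the output stable when the schema grows or the engine changes its
-- (unspecified) row order.
SELECT id, name
FROM mailserver.virtual_domains
ORDER BY id;

SELECT id, domain_id, password, email
FROM mailserver.virtual_users
ORDER BY id;

SELECT id, domain_id, source, destination
FROM mailserver.virtual_aliases
ORDER BY id;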

postfix konfigurieren

nano /etc/postfix/main.cf

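# /etc/postfix/main.cf -- Postfix side of the setup: TLS, Dovecot SASL,
# HELO/sender/recipient restrictions, greylisting and the MySQL-backed
# virtual domains, mailboxes and aliases.
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

append_dot_mydomain = no
readme_directory = no

# TLS parameters
smtpd_use_tls=yes
# never announce AUTH on an unencrypted session: the PLAIN/LOGIN mechanisms
# Dovecot offers would otherwise carry the mailbox password in the clear
smtpd_tls_auth_only = yes

# per-message size limit in bytes (~100 MB)
message_size_limit = 100240000

# hide the submitting client's local IP in outgoing headers. The pattern file
# is not shown in this tutorial and has to be created separately.
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks

##### TLS settings ######

### Outgoing connections (Postfix as SMTP client) ###
# "may" = opportunistic TLS: encrypt when the remote offers STARTTLS, deliver
# in plain text otherwise. "encrypt" would refuse every remote without TLS,
# which is why it stays commented out.
#smtp_tls_security_level=encrypt
smtp_tls_security_level=may
# NOTE(review): the certificate directory must match a name passed to
# letsencrypt; this page requests mattionline.de / www.mattionline.de but
# references pizza.mattionline.de here and mail.mattionline.de in Dovecot's
# 10-ssl.conf -- pick one hostname and use it everywhere
smtp_tls_cert_file=/etc/letsencrypt/live/pizza.mattionline.de/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/pizza.mattionline.de/privkey.pem
# The value "TLSv1" enables TLS 1.0 only and silently excludes 1.1/1.2; the
# exclusion form disables SSLv2/SSLv3 and keeps every newer version.
# With security_level=may the *_mandatory_* settings only apply to mandatory
# TLS, so the opportunistic equivalents are set as well.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers=high
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

### Incoming connections (Postfix as SMTP server) ###
#smtpd_tls_security_level=encrypt
# server-side parameter is smtpd_tls_security_level (note the "d"); writing
# the client-side smtp_tls_security_level here a second time is a common slip
# that leaves incoming TLS to the legacy smtpd_use_tls=yes above
smtpd_tls_security_level=may
smtpd_tls_cert_file=/etc/letsencrypt/live/pizza.mattionline.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/pizza.mattionline.de/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_delay_reject = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# SMTP AUTH is delegated to Dovecot over the socket defined in 10-master.conf
# (service auth, unix_listener /var/spool/postfix/private/auth)
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =

# checks the envelope sender (MAIL FROM:)
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_recipient_domain

# checks the envelope recipient (RCPT TO:). Order matters: the sender
# blacklist comes first so it applies even to local/authenticated senders,
# and the relay check (reject_unauth_destination) precedes the postgrey
# policy service so relay attempts are refused outright instead of greylisted.
# The original list repeated reject_unauth_destination at the end; the second
# copy can never be reached and is dropped.
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/blacklist,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023,
    reject_unauth_pipelining

smtpd_helo_required = yes

# HELO/EHLO checks ("I am mattionline, hello other mail server").
# Authenticated users and the local networks are allowed through first.
# reject_unknown_hostname is only the old name of reject_unknown_helo_hostname
# and was listed twice in effect; the old spelling is dropped.
# reject_unknown_client_hostname is strict (requires a matching forward and
# reverse DNS entry for the client) and is known to bounce some legitimate
# senders -- watch the logs after enabling it.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_pipelining,
    reject_unknown_client_hostname

myhostname = pizza.mattionline.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
# only the host itself is a "local" destination; the mail domains live in
# virtual_mailbox_domains below and must not be repeated here, otherwise
# Postfix delivers them locally instead of to Dovecot
mydestination = localhost, pizza.mattionline.de
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

# accepted mail is handed to Dovecot over its LMTP socket (10-master.conf,
# service lmtp); the three maps below are answered from the MySQL tables
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf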
nano /etc/postfix/mysql-virtual-mailbox-domains.cf
 # Postfix virtual_mailbox_domains lookup. The database password is stored in
 # clear text here, so keep the file unreadable to other local users (owner
 # root, group postfix, mode 640); the tutorial only restricts /etc/dovecot,
 # not these Postfix map files.
 user = mailuser
 password = mailuserpass
 hosts = 127.0.0.1
 dbname = mailserver
 # %s is the looked-up domain; Postfix SQL-quotes it before substitution.
 # A result row (any value) means "this domain is ours".
 query = SELECT 1 FROM virtual_domains WHERE name='%s'
nano /etc/postfix/mysql-virtual-mailbox-maps.cf
 # Postfix virtual_mailbox_maps lookup: does a mailbox exist for this address?
 # Contains the clear-text database password -- restrict read access (owner
 # root, group postfix, mode 640).
 user = mailuser
 password = mailuserpass
 hosts = 127.0.0.1
 dbname = mailserver
 # %s is the full recipient address, SQL-quoted by Postfix before substitution.
 query = SELECT 1 FROM virtual_users WHERE email='%s'
nano /etc/postfix/mysql-virtual-alias-maps.cf
 # Postfix virtual_alias_maps lookup. Postfix queries the full address first
 # and then the "@domain" form, which is how the catch-all row in
 # virtual_aliases takes effect. Contains the clear-text database password --
 # restrict read access (owner root, group postfix, mode 640).
 user = mailuser
 password = mailuserpass
 hosts = 127.0.0.1
 dbname = mailserver
 # %s is the queried address, SQL-quoted by Postfix before substitution.
 query = SELECT destination FROM virtual_aliases WHERE source='%s'
nano /etc/postfix/mysql-virtual-email2email.cf
 # Identity map (email -> email). NOTE(review): nothing in the main.cf shown
 # on this page references this file; it is normally listed in
 # virtual_alias_maps ahead of the alias map so that real mailboxes are not
 # swallowed by a catch-all. Here the explicit user@ -> user@ alias row serves
 # that purpose instead -- keep one mechanism or the other. Contains the
 # clear-text database password; restrict read access like the other maps.
 user = mailuser
 password = mailuserpass
 hosts = 127.0.0.1
 dbname = mailserver
 query = SELECT email FROM virtual_users WHERE email='%s'
nano /etc/dovecot/dovecot.conf
 # NOTE(review): in Dovecot 2.x "imaps" is only a legacy alias for imap; the
 # TLS-only behaviour actually comes from ssl = required (10-ssl.conf) and from
 # the plain imap listener being disabled with port = 0 (10-master.conf).
 # Confirm the effective value with doveconf -n.
 protocols = imaps lmtp
 # cap on concurrent sessions per user and client IP
 mail_max_userip_connections = 40
nano /etc/dovecot/conf.d/10-mail.conf
 # One Maildir per mailbox under /var/mail/vhosts/<domain>/<local part>. The
 # vmail user created below owns this tree, and the static userdb in
 # auth-sql.conf.ext must point at the same layout.
 mail_location = maildir:/var/mail/vhosts/%d/%n
 mail_privileged_group = mail

mail gruppe anlegen und verzeichnisse

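# Storage user and group for every virtual mailbox. uid/gid 5000 must match the
# static userdb in auth-sql.conf.ext (uid=vmail gid=vmail). The account never
# logs in interactively, so it gets no shell. The directory tree is created
# first so the recursive chown covers it.
mkdir -p /var/mail/vhosts/mattionline.de
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/mail -s /usr/sbin/nologin
chown -R vmail:vmail /var/mail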

nano /etc/dovecot/conf.d/10-auth.conf
 # PLAIN and LOGIN transmit the password as-is; that is acceptable only because
 # disable_plaintext_auth = yes refuses them on unencrypted connections (and
 # 10-ssl.conf makes TLS mandatory anyway).
 disable_plaintext_auth = yes
 auth_mechanisms = plain login
 # system-account authentication stays switched off: mailbox users exist only
 # in the MySQL tables, so /etc/shadow is never consulted
 #!include auth-system.conf.ext
 !include auth-sql.conf.ext
nano /etc/dovecot/conf.d/auth-sql.conf.ext
 # password verification against virtual_users (query and connection details
 # live in dovecot-sql.conf.ext)
 passdb {
 driver = sql
 args = /etc/dovecot/dovecot-sql.conf.ext
 }
 # every mailbox runs as the single system user vmail; the home path must
 # match mail_location in 10-mail.conf (%d = domain, %n = local part)
 userdb {
 driver = static
 args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
 }
nano /etc/dovecot/dovecot-sql.conf.ext
 driver = mysql
 # clear-text database password: this is why the tutorial runs
 # chmod -R o-rwx on /etc/dovecot. The account only holds SELECT rights.
 connect = host=127.0.0.1 dbname=mailserver user=mailuser password=mailuserpass
 # virtual_users.password holds "$6$..." SHA-512 crypt strings
 default_pass_scheme = SHA512-CRYPT
 # %u is the full login name (user@domain) and is escaped by Dovecot before
 # substitution. The quotes around it must be plain ASCII -- typographic quotes
 # produce the "You have an error in your SQL syntax" failure shown in the
 # troubleshooting section.
 password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

# The Dovecot config tree now contains the database password: hand it to the
# vmail owner / dovecot group and strip every permission from "others".
# NOTE(review): vmail is also the uid the IMAP/LMTP processes run as (static
# userdb), so a compromised mail process could rewrite Dovecot's own
# configuration; root:dovecot ownership would be the safer choice -- confirm
# the auth-worker (user = vmail) can still read dovecot-sql.conf.ext first.
chown --recursive vmail:dovecot /etc/dovecot
chmod --recursive o-rwx /etc/dovecot

nano /etc/dovecot/conf.d/10-master.conf
 # disable plain imap (port = 0 removes the listener) and offer imaps on 993
 # only; together with ssl = required in 10-ssl.conf this is what makes the
 # server TLS-only
 service imap-login {
 inet_listener imap {
 port = 0
 }
 inet_listener imaps {
 port = 993
 ssl = yes
 }

# Number of connections to handle before starting a new process. Typically
 # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
 # is faster. <doc/wiki/LoginProcess.txt>
 #service_count = 1

# Number of processes to always keep waiting for more connections.
 #process_min_avail = 0

# If you set service_count=0, you probably need to grow this.
 #vsz_limit = $default_vsz_limit
 }

# POP3 is not offered at all: both the plain and the TLS listener are
# disabled with port = 0
service pop3-login {
 inet_listener pop3 {
 port = 0
 }
 inet_listener pop3s {
 port = 0
 #ssl = yes
 }
 }

# Local delivery socket for Postfix. The path and owner match
# virtual_transport = lmtp:unix:private/dovecot-lmtp in main.cf; mode 0600
# with owner postfix keeps every other local user away from it.
service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
 mode = 0600
 user = postfix
 group = postfix
 }
 # Create inet listener only if you can't use the above UNIX socket
 #inet_listener lmtp {
 # Avoid making LMTP visible for the entire internet
 #address =
 #port =
 #}
 }

service auth {
 # auth_socket_path points to this userdb socket by default. It's typically
 # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
 # permissions make it readable only by root, but you may need to relax these
 # permissions. Users that have access to this socket are able to get a list
 # of all usernames and get results of everyone's userdb lookups.
 # SASL client socket for Postfix (smtpd_sasl_path = private/auth). This is
 # the credential-check socket, not the userdb socket described above.
 # NOTE(review): mode 0666 lets any local user talk to it; that is commonly
 # accepted because /var/spool/postfix/private is itself not world-accessible
 # -- confirm that directory's mode on this host.
 unix_listener /var/spool/postfix/private/auth {
 mode = 0666
 user = postfix
 group = postfix
 }

# userdb socket: readable only by vmail, the uid the mail processes run as,
# which is the restriction the warning above asks for
unix_listener auth-userdb {
 mode = 0600
 user = vmail
 #group =
 }

# Postfix smtp-auth
 # (duplicate of the listener defined above; stays commented out)
 #unix_listener /var/spool/postfix/private/auth {
 #  mode = 0666
 #}

# Auth process is run as this user.
 user = dovecot
 }

# Passwords live in MySQL, not in /etc/shadow (auth-system.conf.ext is
# disabled in 10-auth.conf), so the worker does not need root and runs as
# the unprivileged vmail user.
service auth-worker {
 # Auth worker process is run as root by default, so that it can access
 # /etc/shadow. If this isn't necessary, the user should be changed to
 # $default_internal_user.
 user = vmail
 }

durch letsencrypt ssl zertifikate erstellen

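# Obtain the certificate with the (historical) letsencrypt-auto client.
# The options take two dashes; the blog rendering turned them into en dashes,
# which the client does not understand.
# NOTE(review): the names requested here (mattionline.de, www.mattionline.de)
# do not match the /etc/letsencrypt/live/pizza.mattionline.de and
# .../mail.mattionline.de paths used in main.cf and 10-ssl.conf. Request the
# hostname mail clients actually connect to (myhostname) as well, or those
# directories will not exist.
cd /root/
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
./letsencrypt-auto certonly --rsa-key-size 4096 -d mattionline.de -d www.mattionline.de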

nano /etc/dovecot/conf.d/10-ssl.conf
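 # TLS is mandatory for every client connection; this is what makes the PLAIN
 # and LOGIN mechanisms in 10-auth.conf acceptable. The "<" prefix tells
 # Dovecot to read the file rather than use the string itself.
 ssl = required
 # NOTE(review): this path names mail.mattionline.de, while main.cf uses
 # pizza.mattionline.de and the letsencrypt call requests mattionline.de /
 # www.mattionline.de -- pick one hostname and use it consistently
 ssl_cert = </etc/letsencrypt/live/mail.mattionline.de/fullchain.pem
 ssl_key = </etc/letsencrypt/live/mail.mattionline.de/privkey.pem
 # refuse the broken SSL versions (POODLE) and let the server's cipher order
 # win; both settings are available in the Dovecot 2.2 shipped with Jessie
 ssl_protocols = !SSLv2 !SSLv3
 ssl_prefer_server_ciphers = yes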

blacklists anlegen um mailserver/adressen zu sperren

nano /etc/postfix/blacklist
 #postmap
 # access(5) table used by check_sender_access in main.cf: a matching envelope
 # sender domain is rejected at RCPT TO time. The hash: map is read from the
 # compiled .db, so rerun "postmap /etc/postfix/blacklist" after every edit.

example.com     REJECT
 foobar.com      REJECT

postmap /etc/postfix/blacklist

nano /etc/postfix/body_check
 # pcre(5) table rejecting messages whose MIME part announces an executable
 # attachment by file extension.
 # NOTE(review): nothing in the main.cf shown on this page loads this file
 # (no header_checks, mime_header_checks or body_checks entry), so the rule is
 # currently inert; the Content-Type / Content-Disposition lines it matches are
 # MIME headers, which Postfix presents to mime_header_checks. Extension
 # filtering is a weak control on its own (archives, renamed files) -- treat it
 # as a first layer, not the only one.
 /^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\ *"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/ REJECT attachment type not allowed
nano /etc/dovecot/conf.d/20-lmtp.conf
 # LMTP delivery settings. postmaster_address is the sender of notices Dovecot
 # generates itself (e.g. over-quota bounces) and must be deliverable; on this
 # host it resolves through the @mattionline.de catch-all alias to info@.
 protocol lmtp {
 # Space separated list of plugins to load (default is global mail_plugins).
 #mail_plugins = $mail_plugins
 postmaster_address = postmaster@mattionline.de
 }
nano /etc/default/postgrey

# Debian's init script passes these flags to postgrey: listen on TCP port
# 10023 (the address main.cf's check_policy_service inet:127.0.0.1:10023
# talks to) and greylist unknown senders for 50 s instead of the default 300 s.
# NOTE(review): confirm the listener is bound to 127.0.0.1 only (ss -ltn);
# the policy service must not be reachable from outside the host.
POSTGREY_OPTS="--inet=10023 --delay=50"

Thunderbird Einstellungen:

debian-jessie-mailserver-tutorial

debian postfix dovecot mysql

Mehrere Domains auf einem Host:

In der mysql Tabelle virtual_aliases einfügen: (am Beispiel von einem catchall)

'', 'DOMAINID', '@neuedomain.tld', 'des@tina.tion'

z.B. '', '2', '@neuedomain.tld', 'info@mattionline.de'

In virtual_domains:

'', 'neuedomain.tld'

In virtual_users den Benutzer anlegen wie oben erwähnt.

Einstellungen für den neuen Benutzer genau wie die obigen, nur dass bei Server Name dann nicht „neuedomain.tld“ steht sondern die Hauptdomain („mattionline.de“)

Troubleshooting:

May 25 16:59:04 mattionline dovecot: auth-worker(4624): Warning: mysql: Query failed, retrying: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‚��info@mattionline.de’‘ at line 1

#copy und pasta fehler bei ‚%u‘

nano /etc/dovecot/dovecot-sql.conf.ext

password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

Beispiele für rejects:

May 24 12:13:37 mattionline postfix/smtpd[30700]: NOQUEUE: reject: RCPT from 220-135-220-150.HINET-IP.hinet.net[220.135.220.150]: 554 5.7.1 <support@microsoft.com>: Relay access denied; from=<support@microsoft.com> to=<support@microsoft.com> proto=SMTP helo=<89.238.67.249>

hinet.net Adresse versucht über meinen Mailserver von support@microsoft.com eine Nachricht an support@microsoft.com zu senden (als relay)
May 24 13:50:27 mattionline postfix/smtpd[3598]: NOQUEUE: reject: RCPT from github-smtp2-ext5.iad.github.net[192.30.252.196]: 450 4.2.0 <info@mattionline.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/mattionline.de.html; from=<noreply@github.com> to=<info@mattionline.de> proto=ESMTP helo=<github-smtp2a-ext-cp1-prd.iad.github.net>

eMail wird standardmäßig abgelehnt und beim zweiten Versuch wird die Anfrage durchgestellt (greylisting prinzip)
May 24 17:02:15 mattionline postfix/smtpd[21500]: NOQUEUE: reject: RCPT from unknown[112.213.99.112]: 554 5.7.1 RBLTRAP: You can’t send us a E-mail today!!!; from=<EDU.Links@mg-dot.cn> to=<info@mattionline.de> proto=ESMTP helo=<mg-dot.cn>

rbl – realtime blacklist blockierung von den rbl servern in der main.cf
May 24 18:39:24 mattionline postfix/smtpd[11360]: NOQUEUE: reject: RCPT from XXX: 554 5.7.1 <XXX>: Sender address rejected: Access denied; from=<XXX> to=<info@mattionline.de> proto=ESMTP helo=<XXX>

blacklist block auf meinem server nano /etc/postfix/blacklist – name@foobar.tld REJECT

