Tutorial: Debian Jessie Mailserver (postfix dovecot mysql)

Debian Jessie Mailserver Tutorial

(postfix, dovecot, mysql and postgrey)

apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql mysql-server git postfix-pcre postgrey

mysql datenbanken anlegen

mysqladmin -p create mailserver
mysql -p mailserver
GRANT SELECT ON mailserver.* TO ‚mailuser’@’‘ IDENTIFIED BY ‚mailuserpass‘;

CREATE TABLE `virtual_domains` (
`id` int(11) NOT NULL auto_increment,
`name` varchar(50) NOT NULL,

CREATE TABLE `virtual_users` (
`id` int(11) NOT NULL auto_increment,
`domain_id` int(11) NOT NULL,
`password` varchar(106) NOT NULL,
`email` varchar(100) NOT NULL,
UNIQUE KEY `email` (`email`),
FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE

CREATE TABLE `virtual_aliases` (
`id` int(11) NOT NULL auto_increment,
`domain_id` int(11) NOT NULL,
`source` varchar(100) NOT NULL,
`destination` varchar(100) NOT NULL,
FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE

INSERT INTO `mailserver`.`virtual_domains`
(`id` ,`name`)
(‚1‘, ‚mattionline.de‘);

INSERT INTO `mailserver`.`virtual_users`
(`id`, `domain_id`, `password` , `email`)
(‚1‘, ‚1‘, ENCRYPT(‚password‘, CONCAT(‚$6$‘, SUBSTRING(SHA(RAND()), -16))), ‚info@mattionline.de‘),
(‚2‘, ‚1‘, ENCRYPT(‚password‘, CONCAT(‚$6$‘, SUBSTRING(SHA(RAND()), -16))), ‚user@mattionline.de‘);

#i configured a catchall for my domain

INSERT INTO `mailserver`.`virtual_aliases`
(`id`, `domain_id`, `source`, `destination`)
(‚1‘, ‚1‘, ‚user@mattionline.de‘, ‚user@mattionline.de‘),
(‚2‘, ‚1‘, ‚@mattionline.de‘, ‚info@mattionline.de‘);

SELECT * FROM mailserver.virtual_domains;
SELECT * FROM mailserver.virtual_users;
SELECT * FROM mailserver.virtual_aliases;

postfix konfigurieren

nano /etc/postfix/main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

append_dot_mydomain = no
readme_directory = no

# TLS parameters
smtpd_tls_auth_only = yes

message_size_limit = 100240000

#hide sender/client local ip
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks

##### TLS settings ######

### Secure outgoing connections only ###
smtp_tls_mandatory_protocols = TLSv1
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

### Secure incoming connections only ###
smtpd_tls_mandatory_protocols = TLSv1
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_delay_reject = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom 

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous 
smtpd_sasl_local_domain = 

#checkt den sender von der email / MAIL FROM:
smtpd_sender_restrictions =

#checkt RCPT TO:
smtpd_recipient_restrictions = 
    check_sender_access hash:/etc/postfix/blacklist,
    check_policy_service inet:,

smtpd_helo_required = yes

#ich bin mattionline. hallo anderer mailserver
smtpd_helo_restrictions = 
    #alle authentifizierten benutzer erlauben - permit lan und local domains

myhostname = pizza.mattionline.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost, pizza.mattionline.de
relayhost = 
mynetworks = [::ffff:]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
nano /etc/postfix/mysql-virtual-mailbox-domains.cf
 user = mailuser
 password = mailuserpass
 hosts =
 dbname = mailserver
 query = SELECT 1 FROM virtual_domains WHERE name='%s'
nano /etc/postfix/mysql-virtual-mailbox-maps.cf
 user = mailuser
 password = mailuserpass
 hosts =
 dbname = mailserver
 query = SELECT 1 FROM virtual_users WHERE email='%s'
nano /etc/postfix/mysql-virtual-alias-maps.cf
 user = mailuser
 password = mailuserpass
 hosts =
 dbname = mailserver
 query = SELECT destination FROM virtual_aliases WHERE source='%s'
nano /etc/postfix/mysql-virtual-email2email.cf
 user = mailuser
 password = mailuserpass
 hosts =
 dbname = mailserver
 query = SELECT email FROM virtual_users WHERE email='%s'
nano /etc/dovecot/dovecot.conf
 protocols = imaps lmtp
 mail_max_userip_connections = 40
nano /etc/dovecot/conf.d/10-mail.conf
 mail_location = maildir:/var/mail/vhosts/%d/%n
 mail_privileged_group = mail

mail gruppe anlegen und verzeichnisse

mkdir -p /var/mail/vhosts/mattionline.de
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/mail
chown -R vmail:vmail /var/mail

nano /etc/dovecot/conf.d/10-auth.conf
 disable_plaintext_auth = yes
 auth_mechanisms = plain login
 #!include auth-system.conf.ext
 !include auth-sql.conf.ext
nano /etc/dovecot/conf.d/auth-sql.conf.ext
 passdb {
 driver = sql
 args = /etc/dovecot/dovecot-sql.conf.ext
 userdb {
 driver = static
 args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
nano /etc/dovecot/dovecot-sql.conf.ext
 driver = mysql
 connect = host= dbname=mailserver user=mailuser password=mailuserpass
 default_pass_scheme = SHA512-CRYPT
 password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

chown -R vmail:dovecot /etc/dovecot
chmod -R o-rwx /etc/dovecot

nano /etc/dovecot/conf.d/10-master.conf
 #imap deaktivieren und nur imaps erlauben
 service imap-login {
 inet_listener imap {
 port = 0
 inet_listener imaps {
 port = 993
 ssl = yes

# Number of connections to handle before starting a new process. Typically
 # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
 # is faster. <doc/wiki/LoginProcess.txt>
 #service_count = 1

# Number of processes to always keep waiting for more connections.
 #process_min_avail = 0

# If you set service_count=0, you probably need to grow this.
 #vsz_limit = $default_vsz_limit

service pop3-login {
 inet_listener pop3 {
 port = 0
 inet_listener pop3s {
 port = 0
 #ssl = yes

service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
 mode = 0600
 user = postfix
 group = postfix
 # Create inet listener only if you can't use the above UNIX socket
 #inet_listener lmtp {
 # Avoid making LMTP visible for the entire internet
 #address =
 #port =

service auth {
 # auth_socket_path points to this userdb socket by default. It's typically
 # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
 # permissions make it readable only by root, but you may need to relax these
 # permissions. Users that have access to this socket are able to get a list
 # of all usernames and get results of everyone's userdb lookups.
 unix_listener /var/spool/postfix/private/auth {
 mode = 0666
 user = postfix
 group = postfix

unix_listener auth-userdb {
 mode = 0600
 user = vmail
 #group =

# Postfix smtp-auth
 #unix_listener /var/spool/postfix/private/auth {
 #  mode = 0666

# Auth process is run as this user.
 user = dovecot

service auth-worker {
 # Auth worker process is run as root by default, so that it can access
 # /etc/shadow. If this isn't necessary, the user should be changed to
 # $default_internal_user.
 user = vmail

durch letsencrypt ssl zertifikate erstellen

cd /root/
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto –help
./letsencrypt-auto certonly –rsa-key-size 4096 -d mattionline.de -d www.mattionline.de

nano /etc/dovecot/conf.d/10-ssl.conf
 ssl = required
 ssl_cert = </etc/letsencrypt/live/mail.mattionline.de/fullchain.pem
 ssl_key = </etc/letsencrypt/live/mail.mattionline.de/privkey.pem

blacklists anlegen um mailserver/adressen zu sperren

nano /etc/postfix/blacklist

example.com     REJECT
 foobar.com      REJECT

postmap /etc/postfix/blacklist

nano /etc/postfix/body_check
 /^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\ *"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/ REJECT attachment type not allowed
nano /etc/dovecot/conf.d/20-lmtp.conf
 protocol lmtp {
 # Space separated list of plugins to load (default is global mail_plugins).
 #mail_plugins = $mail_plugins
 postmaster_address = postmaster@mattionline.de
nano /etc/default/postgrey

POSTGREY_OPTS="--inet=10023 --delay=50"

Thunderbird Einstellungen:


debian postfix dovecot mysql

Mehrere Domains auf einem Host:

In der mysql Tabelle virtual_aliases einfügen: (am Beispiel von einem catchall)

“, ‚DOMAINID‘, ‚@neuedomain.tld‘, ‚des@tina.tion‘

z.B. “, ‚2‘, ‚@neuedomain.tld‘, ‚info@mattionline.de‘

In virtual_domains:

“, ’neuedomain.tld‘

In virtual_users den Benutzer anlegen wie oben erwähnt.

Einstellungen für den neuen Benutzer genau wie die obigen, nur dass bei Server Name dann nicht „neuedomain.tld“ steht sondern die Hauptdomain („mattionline.de“)


May 25 16:59:04 mattionline dovecot: auth-worker(4624): Warning: mysql: Query failed, retrying: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‚��info@mattionline.de’‘ at line 1

#copy und pasta fehler bei ‚%u‘

nano /etc/dovecot/dovecot-sql.conf.ext

password_query = SELECT email as user, password FROM virtual_users WHERE email=’%u‘;

Beispiele für rejects:

May 24 12:13:37 mattionline postfix/smtpd[30700]: NOQUEUE: reject: RCPT from 220-135-220-150.HINET-IP.hinet.net[]: 554 5.7.1 <support@microsoft.com>: Relay access denied; from=<support@microsoft.com> to=<support@microsoft.com> proto=SMTP helo=<>

hinet.net Adresse versucht über meinen Mailserver von support@microsoft.com eine Nachricht an support@microsoft.com zu senden (als relay)
May 24 13:50:27 mattionline postfix/smtpd[3598]: NOQUEUE: reject: RCPT from github-smtp2-ext5.iad.github.net[]: 450 4.2.0 <info@mattionline.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/mattionline.de.html; from=<noreply@github.com> to=<info@mattionline.de> proto=ESMTP helo=<github-smtp2a-ext-cp1-prd.iad.github.net>

eMail wird standardmäßig abgelehnt und beim zweiten Versuch wird die Anfrage durchgestellt (greylisting prinzip)
May 24 17:02:15 mattionline postfix/smtpd[21500]: NOQUEUE: reject: RCPT from unknown[]: 554 5.7.1 RBLTRAP: You can’t send us a E-mail today!!!; from=<EDU.Links@mg-dot.cn> to=<info@mattionline.de> proto=ESMTP helo=<mg-dot.cn>

rbl – realtime blacklist blockierung von den rbl servern in der main.cf
May 24 18:39:24 mattionline postfix/smtpd[11360]: NOQUEUE: reject: RCPT from XXX: 554 5.7.1 <XXX>: Sender address rejected: Access denied; from=<XXX> to=<info@mattionline.de> proto=ESMTP helo=<XXX>

blacklist block auf meinem server nano /etc/postfix/blacklist – name@foobar.tld REJECT


Kommentar verfassen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.