Ubuntu Mail Server (POSTFIX/DOVECOT) with SSL

Tuesday, June 9, 2020
There are many guides on the internet for this setup. However, this is my version, which includes DKIM, SPF, DMARC and SSL. Assuming you have installed a fresh Ubuntu, we start from there.

POSTFIX


Install postfix
sudo apt-get install postfix
Simply accept the defaults when the installation process asks questions. The configuration will be done in greater detail in the next stage.
sudo dpkg-reconfigure postfix

Insert the following details when asked (replacing server1.example.com with your domain name if you have one):
  • General type of mail configuration: Internet Site
  • NONE (this option doesn't appear to be requested in the current config)
  • System mail name: example.com
  • Root and postmaster mail recipient: 
  • Other destinations for mail: server1.example.com, example.com, localhost.example.com, localhost
  • Force synchronous updates on mail queue?: No
  • Local networks: 127.0.0.0/8
  • Yes (this option doesn't appear to be requested in the current config)
  • Mailbox size limit (bytes): 0
  • Local address extension character: +
  • Internet protocols to use: all
Configure Postfix Inbox
sudo postconf -e 'home_mailbox = Maildir/'
sudo postconf -e 'mailbox_command ='
Configure Postfix SASL
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'
Next edit /etc/postfix/sasl/smtpd.conf and add the following lines:
pwcheck_method: saslauthd
mech_list: plain login
Generate certificates to be used for TLS encryption and/or certificate authentication:
touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 # has prompts
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/
Configure Postfix to do TLS encryption for both incoming and outgoing mail:
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'
sudo postconf -e 'myhostname = server1.example.com'
Restart the postfix daemon like this:
sudo /etc/init.d/postfix restart
Install SASL Libraries
sudo apt-get install libsasl2-2 sasl2-bin libsasl2-modules
Configure /etc/default/saslauthd as below:
# This needs to be uncommented before saslauthd will be run automatically
START=yes

PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="pam"

# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
#OPTIONS="-c"

# Make sure you set OPTIONS here; otherwise the PARAMS above are ignored and saslauthd will not work
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Configure and start saslauthd
sudo dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd

sudo ln -s /etc/default/saslauthd /etc/saslauthd

sudo /etc/init.d/saslauthd start

Testing

telnet localhost 25
ehlo localhost
The response should include these lines:
250-STARTTLS
250-AUTH
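A smoke test for the SASL and STARTTLS setup just configured, added here as an example and not part of the original post. The EHLO sample inside it is constructed; the live checks assume openssl is installed, that the script runs as root (to read the key) and that the host to probe is passed as the first argument.

```sh
#!/bin/sh
# Added example (not from the original post): checks for the Postfix SASL/TLS
# setup described above. The parser runs on a constructed EHLO sample; the
# live checks need openssl, root (to read the key) and a host argument.

# Constructed sample of an EHLO response once SASL and STARTTLS are enabled.
SAMPLE_EHLO='250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 DSN'

# Return 0 when the response advertises both STARTTLS and AUTH.
# Postfix prints capabilities as "250-NAME", the last one as "250 NAME".
check_smtp_features() {
    printf '%s\n' "$1" | grep -q '^250[- ]STARTTLS' || return 1
    printf '%s\n' "$1" | grep -q '^250[- ]AUTH' || return 1
}

# Return 0 when key and certificate share one RSA modulus; a mismatch is a
# common cause of TLS errors in mail.log. Any key size works here, but the
# 1024-bit key generated above is below the 2048-bit minimum used today.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ "$k" = "$c" ]
}

# Open a STARTTLS session, re-issue EHLO inside TLS and print the
# capabilities offered after the handshake (AUTH must still be listed).
live_check() {
    printf 'EHLO test.example\r\nQUIT\r\n' |
        openssl s_client -quiet -starttls smtp -connect "$1:25" 2>/dev/null |
        grep -E '^250[- ](AUTH|STARTTLS)' || echo "no AUTH/STARTTLS offered by $1"
}

# Offline check on the sample; pass a host name for the live checks.
if check_smtp_features "$SAMPLE_EHLO"; then
    echo "sample EHLO: STARTTLS and AUTH present"
fi
if [ $# -gt 0 ]; then
    live_check "$1"
    key_matches_cert /etc/ssl/private/smtpd.key /etc/ssl/certs/smtpd.crt &&
        echo "smtpd.key matches smtpd.crt"
fi
```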

DOVECOT


Install Dovecot
sudo apt-get install dovecot-common
Answer the installer's prompts as follows:
1. yes
2. localhost
Open /etc/dovecot/conf.d/10-master.conf, find the "# Postfix smtp-auth" line (line no: 95) and add the lines below:
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
  mode = 0660
  user = postfix
  group = postfix
}
Open /etc/dovecot/conf.d/10-auth.conf and find (line no: 100)
auth_mechanisms = plain
and replace it with
auth_mechanisms = plain login
Restart Service
sudo service dovecot restart
Install protocols
sudo apt-get install dovecot-imapd dovecot-pop3d
Now configure the mailbox. Open /etc/dovecot/conf.d/10-mail.conf and find (line no: 30)
mail_location = mbox:~/mail:INBOX=/var/mail/%u
Replace with
mail_location = maildir:~/Maildir
Now change pop3_uidl_format. Open /etc/dovecot/conf.d/20-pop3.conf, find and uncomment the line below (line no: 50)
pop3_uidl_format = %08Xu%08Xv
Now enable SSL. Open /etc/dovecot/conf.d/10-ssl.conf, find and uncomment the line below (line no: 6)
ssl = yes
Restart Service
sudo service dovecot restart

Testing

telnet localhost 110
Test all ports
netstat -nl4
Add user
sudo useradd -m webmaster -s /sbin/nologin
sudo passwd webmaster
Test in Thunderbird

ClamAV

Install ClamAV
sudo apt-get install clamav clamav-daemon clamav-base amavisd-new clamav-freshclam clamav-docs
sudo apt-get install clamsmtp
Configure Postfix
sudo postconf -e 'content_filter = scan:127.0.0.1:10026'

sudo postconf -e 'receive_override_options = no_address_mappings'
Open /etc/postfix/master.cf and add the following:
# AV scan filter (used by content_filter)
scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10025 inet  n -       n       -       16      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
sudo adduser clamsmtp clamav
Restart Postfix, ClamSMTP and the ClamAV daemon for the changes to take effect:
sudo /etc/init.d/postfix restart
sudo /etc/init.d/clamsmtp restart
sudo /etc/init.d/clamav-daemon restart

Testing

tail /var/log/mail.log

DKIM

Install DKIM
sudo apt-get install opendkim opendkim-tools
Edit /etc/opendkim.conf as shown below
# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
#UMask                  002
# dkim-milter (2.5.2.dfsg-1ubuntu1) hardy:
# Disable new umask option by default (not needed since Ubuntu default
# uses a TCP socket instead of a Unix socket).

# Attempt to become the specified userid before starting operations.
#UserID                 105 # 'id postfix' in your shell


# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain                  ubuntu.ro
KeyFile                 /etc/mail/dkim.key # See below for how to generate and set up the key
Selector                mail

# Common settings. See dkim-filter.conf(5) for more information.
AutoRestart             yes
Background              yes
Canonicalization        relaxed/relaxed
DNSTimeout              5
Mode                    sv
SignatureAlgorithm      rsa-sha256
SubDomains              no
#UseASPDiscard          no
#Version                rfc4871
X-Header                no

#InternalHosts          /etc/mail/dkim-InternalHosts.txt
# The contents of /etc/mail/dkim-InternalHosts.txt should be
#   127.0.0.1/8
#   192.168.1.0/24
#   other.internal.host.domain.tld
# You need InternalHosts if you are signing e-mails on a gateway mail server
# for each of the computers on your LAN.


###############################################
# Other (less-standard) configuration options #
###############################################
#
# If enabled, log verification stats here
Statistics              /var/log/dkim-filter/dkim-stats
#
# KeyList is a file containing tuples of key information. Requires
# KeyFile to be unset. Each line of the file should be of the format:
#    sender glob:signing domain:signing key file
# Blank lines and lines beginning with # are ignored. Selector will be
# derived from the key's filename.
#KeyList                /etc/dkim-keys.conf
#
# If enabled, will generate verification failure reports for any messages
# that fail signature verification. These will be sent to the r= address
# in the policy record, if any.
#ReportInfo             yes
#
# If enabled, will issue a Sendmail QUARANTINE for any messages that fail
# signature verification, allowing them to be inspected later.
#Quarantine             yes
#
# If enabled, will check for required headers when processing messages.
# At a minimum, that means From: and Date: will be required. Messages not
# containing the required headers will not be signed or verified, but will
# be passed through
#RequiredHeaders        yes
Edit /etc/default/opendkim
# Command-line options specified here will override the contents of
# /etc/dkim-filter.conf. See dkim-filter(8) for a complete list of options.
#DAEMON_OPTS=""
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in dkim-filter.conf
#SOCKET="local:/var/run/dkim-filter/dkim-filter.sock" # Debian default
#SOCKET="inet:54321" # listen on all interfaces on port 54321
SOCKET="inet:8891@localhost" # Ubuntu default - listen on loopback on port 8891
#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345
Edit /etc/postfix/main.cf and add the following lines:
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
Generate Key
opendkim-genkey -t -s mail -d example.com
sudo mkdir -p /etc/mail
sudo cp mail.private /etc/mail/dkim.key
Copy the value from the generated mail.txt to your DNS host.

Testing

Once the configuration above is done, start the daemon with:
sudo service opendkim start
If it doesn't start, check the logs for what it complains about:
grep -i dkim /var/log/mail.log
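The mail.txt handling and the check of the published key, as an added example that is not part of the original post; it covers both the key generation step and the testing step above. The mail.txt content is constructed with placeholder key material, and the live check assumes the Ubuntu opendkim package's daemon user (opendkim) and the opendkim-testkey tool from opendkim-tools.

```sh
#!/bin/sh
# Added example (not from the original post): turn the mail.txt written by
# opendkim-genkey into the single TXT value a DNS panel expects, flag the
# t=y testing mode that the -t option above puts in, and check the live record.

# Constructed stand-in for mail.txt; the p= material is a placeholder, not a
# key. Current opendkim-genkey splits a long p= value into several quoted
# chunks like this, and pasting the file as-is into DNS gives a broken record.
SAMPLE_MAIL_TXT='mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; t=y; "
   "p=MIIBIjANBgCONSTRUCTED" "PLACEHOLDERKEY0000" )  ; ----- DKIM key mail for example.com'

# Read mail.txt on stdin and print all quoted chunks joined into one value.
dkim_record_value() {
    grep -o '"[^"]*"' | tr -d '"\n'
}

# Print the record name (selector._domainkey) from mail.txt on stdin.
dkim_record_name() {
    awk 'NR == 1 { print $1; exit }'
}

# Return 0 if the record carries t=y: verifiers then treat a failing
# signature like unsigned mail. Regenerate without -t once signing works.
dkim_record_is_testing() {
    printf '%s' "$1" | grep -q 't=y'
}

# Live checks (root, DNS): make the key readable only by the daemon user
# (opendkim on Ubuntu) and have opendkim-testkey fetch the published record
# and match it against the private key.
live_check() {
    domain=$1; selector=${2:-mail}; keyfile=${3:-/etc/mail/dkim.key}
    chown opendkim:opendkim "$keyfile" && chmod 600 "$keyfile"
    opendkim-testkey -d "$domain" -s "$selector" -k "$keyfile" -vvv
}

# Offline demonstration on the constructed sample.
value=$(printf '%s\n' "$SAMPLE_MAIL_TXT" | dkim_record_value)
name=$(printf '%s\n' "$SAMPLE_MAIL_TXT" | dkim_record_name)
echo "publish TXT $name.example.com -> $value"
if dkim_record_is_testing "$value"; then
    echo "record is in DKIM testing mode (t=y)"
fi
if [ $# -gt 0 ]; then live_check "$@"; fi
```

For the real file run `dkim_record_value < mail.txt`; the live check is invoked as `sh script.sh example.com mail /etc/mail/dkim.key`.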

SPF

For the Python implementation, the installation is:
sudo apt-get install postfix-policyd-spf-python
Add this section to /etc/postfix/master.cf for the Python script:
policy-spf  unix  -       n       n       -       -       spawn
     user=nobody argv=/usr/bin/policyd-spf
Add this line to /etc/postfix/main.cf:
policy-spf_time_limit = 3600s
Finally, add the policy service to smtpd_recipient_restrictions in /etc/postfix/main.cf:
smtpd_recipient_restrictions =
     ...
     permit_sasl_authenticated
     permit_mynetworks
     reject_unauth_destination
     check_policy_service unix:private/policy-spf
     ...
Reload Postfix
sudo /etc/init.d/postfix reload 

Testing

tail -f /var/log/mail.log
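A small log triage that serves the three mail.log testing steps above (ClamAV, DKIM and SPF), added here as an example and not part of the original post. The log lines are constructed in the shape these daemons write on this setup; real versions word their entries differently, so the patterns are assumptions to adjust against your own log.

```sh
#!/bin/sh
# Added example (not from the original post): triage the mail.log entries
# that the three "tail /var/log/mail.log" testing steps above look at, for
# clamsmtp (the scan filter), opendkim (signing) and policyd-spf (SPF).

# Constructed sample lines in the shape these daemons log on this setup.
# The exact wording differs between versions; adjust the patterns to match
# what your own mail.log shows.
SAMPLE_LOG='Jun  9 10:00:01 server1 clamsmtpd: 100001: from=alice@example.net, to=webmaster@example.com, status=CLEAN
Jun  9 10:00:02 server1 clamsmtpd: 100002: from=mallory@example.org, to=webmaster@example.com, status=VIRUS:Eicar-Test-Signature
Jun  9 10:00:03 server1 opendkim[2101]: 3F2A1B: DKIM-Signature field added (s=mail, d=example.com)
Jun  9 10:00:04 server1 opendkim[2101]: 4C1D2E: bad signature data
Jun  9 10:00:05 server1 policyd-spf[2202]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=192.0.2.10; envelope-from=alice@example.net
Jun  9 10:00:06 server1 policyd-spf[2202]: prepend Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=198.51.100.7; envelope-from=mallory@example.org'

# Read log lines on stdin and print one summary line with per-daemon counts.
mail_log_summary() {
    awk '
        /clamsmtpd:.*status=CLEAN/                 { clean++ }
        /clamsmtpd:.*status=VIRUS/                 { virus++ }
        /opendkim\[.*DKIM-Signature field added/   { signed++ }
        /opendkim\[.*bad signature/                { badsig++ }
        /policyd-spf\[.*(Fail|Softfail)/           { spffail++ }
        /policyd-spf\[.*Pass/                      { spfpass++ }
        END { printf "clean=%d virus=%d dkim_signed=%d dkim_bad=%d spf_pass=%d spf_fail=%d\n",
                     clean, virus, signed, badsig, spfpass, spffail }'
}

# Read log lines on stdin and print the client-ip of every SPF failure,
# one per line, so repeat offenders can be reviewed by hand.
spf_fail_client_ips() {
    grep -E 'policyd-spf\[.*(Fail|Softfail)' |
        sed -n 's/.*client-ip=\([^;]*\);.*/\1/p'
}

# Return 0 when the log shows a virus hit or an SPF failure, so a cron job
# can alert on it; return 1 when everything passed.
mail_log_has_alerts() {
    grep -E -q 'status=VIRUS|policyd-spf\[.*(Fail|Softfail)'
}

# Demonstration on the sample; pipe "tail -n 1000 /var/log/mail.log" instead.
printf '%s\n' "$SAMPLE_LOG" | mail_log_summary
printf '%s\n' "$SAMPLE_LOG" | spf_fail_client_ips
if printf '%s\n' "$SAMPLE_LOG" | mail_log_has_alerts; then
    echo "alerts present: check the virus and SPF fail lines above"
fi
```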
