Clarintux: A Tux is forever!

Welcome to the Clarintux blog!

Configuring my server (part 4)

Email server with postfix, dovecot, spamassassin etc., 2 June 2023

Install postfix and dovecot:

sudo apt install postfix postfix-policyd-spf-python dovecot-common dovecot-imapd dovecot-lmtpd dovecot-sieve telnet certbot spamassassin opendkim opendkim-tools

Select "Internet Site" and enter your domain.
Add the following to /etc/postfix/main.cf:

home_mailbox = Maildir/
mailbox_command = 

Create the Maildir directory structure:

sudo maildirmake.dovecot /etc/skel/Maildir
sudo maildirmake.dovecot /etc/skel/Maildir/.Drafts
sudo maildirmake.dovecot /etc/skel/Maildir/.Sent
sudo maildirmake.dovecot /etc/skel/Maildir/.Spam
sudo maildirmake.dovecot /etc/skel/Maildir/.Trash
sudo maildirmake.dovecot /etc/skel/Maildir/.Templates

Copy the structure and set the correct permissions:

sudo cp -r /etc/skel/Maildir ~/
sudo chown -R $USER:$USER ~/Maildir
sudo chmod -R 700 ~/Maildir
sudo ufw allow 25,143/tcp
sudo systemctl restart postfix

(OPTIONAL) Test the server with telnet:

telnet localhost 25
ehlo mio-dominio
mail from: user
rcpt to: indirizzo@email
data
Subject: Oggetto della email
Testo della email
.
quit

First anti-abuse measures in /etc/postfix/main.cf:

smtpd_recipient_restrictions =
	permit_sasl_authenticated,
	permit_mynetworks,
	reject_unauth_destination

smtpd_helo_required = yes
smtpd_helo_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	reject_invalid_helo_hostname,
	reject_non_fqdn_helo_hostname,
	reject_unknown_helo_hostname,
	check_helo_access hash:/etc/postfix/helo_access

Create the file /etc/postfix/helo_access with the following content:

mio-dominio	REJECT	Sorry, you're not allowed
mail.mio-dominio	REJECT	Sorry, you're not allowed

Map the new file:

sudo postmap /etc/postfix/helo_access
sudo systemctl restart postfix

Edit the file /etc/dovecot/conf.d/10-mail.conf:

mail_location = maildir:~/Maildir

Tell postfix to use dovecot for SASL authentication (/etc/postfix/main.cf):

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Edit /etc/dovecot/conf.d/10-master.conf:

service auth {
	unix_listener /var/spool/postfix/private/auth {
		mode = 0660
		user = postfix
		group = postfix
	}
}

Disable plain-text authentication over unencrypted connections (/etc/dovecot/conf.d/10-auth.conf):

auth_mechanisms = plain login
disable_plaintext_auth = yes

sudo systemctl restart dovecot postfix

Test everything by sending a mail from our server to our server:

telnet localhost 25
ehlo mio-dominio
mail from: user@mio-dominio
rcpt to: user@mio-dominio
data
Subject: Oggetto della mail
Testo della mail
.
quit

telnet localhost 143
a login "user" "password"
b select inbox
c logout

Edit /etc/dovecot/conf.d/10-master.conf:

service imap-login {
   inet_listener imap {
      port = 143
   }
}

Set SSL to required in /etc/dovecot/conf.d/10-ssl.conf:

ssl = required

Obtain the certificate, after creating an A record for the subdomain mail.mio-dominio (DNS only):

sudo certbot certonly --standalone -d mail.mio-dominio

Configure /etc/postfix/main.cf to use the certificate:

smtpd_tls_cert_file=/etc/letsencrypt/live/mail.mio-dominio/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.mio-dominio/privkey.pem

Configure /etc/dovecot/conf.d/10-ssl.conf to use the certificate:

ssl_cert = </etc/letsencrypt/live/mail.mio-dominio/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.mio-dominio/privkey.pem

Edit /etc/postfix/main.cf:

# Allow TLS encryption information in the email header
smtpd_tls_received_header = yes

smtpd_use_tls=yes

sudo systemctl restart postfix dovecot

Open ports 25 and 143 on the router and check whether STARTTLS works:

nc mail.mio-dominio 25
ehlo mio-dominio

Check that the EHLO reply includes a 250-STARTTLS line.
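As an added example (not part of the original post), a small POSIX shell script that performs the check above non-interactively: it confirms that EHLO advertises STARTTLS and that the upgraded TLS session on port 25 and port 143 presents a certificate that validates for the host. It assumes nc and openssl are installed; mail.mio-dominio is the page's placeholder host name.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive STARTTLS checks.
# Assumes nc (netcat) and openssl are installed on the machine running it.

# Read an EHLO reply on stdin; succeed only if a 250 line advertises STARTTLS.
ehlo_advertises_starttls() {
    grep -qiE '^250[ -]STARTTLS'
}

# Send EHLO and QUIT to host:port (default 25) and inspect the reply.
# -w 5 caps the wait so a silent server cannot hang the script.
smtp_advertises_starttls() {
    printf 'EHLO check.invalid\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}" | ehlo_advertises_starttls
}

# Upgrade with STARTTLS and validate the certificate chain and host name.
# proto is smtp for port 25 and imap for port 143. Succeeds only when openssl
# reports "Verify return code: 0 (ok)", i.e. the Let's Encrypt chain is trusted
# and the certificate matches the host name used to connect.
starttls_cert_ok() {
    host=$1; port=${2:-25}; proto=${3:-smtp}
    openssl s_client -starttls "$proto" -connect "$host:$port" \
        -servername "$host" -verify_hostname "$host" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage: sh starttls_check.sh mail.mio-dominio
if [ $# -gt 0 ]; then
    host=$1
    if smtp_advertises_starttls "$host" 25; then echo "EHLO advertises STARTTLS"; else echo "STARTTLS missing from EHLO reply"; fi
    if starttls_cert_ok "$host" 25 smtp; then echo "port 25: certificate OK"; else echo "port 25: certificate not valid for $host"; fi
    if starttls_cert_ok "$host" 143 imap; then echo "port 143: certificate OK"; else echo "port 143: certificate not valid for $host"; fi
fi
```

A "certificate not valid" result after a successful EHLO check usually means the client is connecting to a name that is not in the certificate, or the chain in fullchain.pem is not being served.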

Add an A record for the subdomain smtp.mio-dominio and an MX record for mio-dominio; under Mail server enter:

smtp.mio-dominio
(Priority = 10)

Test an email client:

Username of your choice
Email address
Password of the Linux user
Incoming: IMAP mail.mio-dominio PORT=143 STARTTLS Authentication=normal password
Outgoing: SMTP mail.mio-dominio PORT=25 STARTTLS Authentication=normal password

Send an email to your own address and check that encryption is used.
Try sending email from another provider.
Emails sent to other providers will end up in spam.

Edit /etc/spamassassin/local.cf:

rewrite_header Subject *****SPAM*****
report_safe 0
use_bayes 1
bayes_auto_learn 1

sudo update-rc.d spamassassin enable
sudo systemctl start spamassassin

Tell /etc/postfix/master.cf to use spamassassin:

smtp	inet	n	-	-	-	-	smtpd
    -o content_filter=spamassassin

spamassassin    unix  -       n       n       -       -       pipe
    user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

sudo systemctl restart postfix

Use lmtp in /etc/dovecot/dovecot.conf so that mail can be moved to the Spam folder:

protocols = imap lmtp

Then edit /etc/dovecot/conf.d/20-lmtp.conf:

lmtp_save_to_detail_mailbox = yes

protocol lmtp {
	mail_plugins = $mail_plugins sieve
	postmaster_address = postmaster@mio-dominio
}

Edit /etc/dovecot/conf.d/10-master.conf:

service lmtp {
	unix_listener /var/spool/postfix/private/dovecot-lmtp {
		mode = 0666
	}
}

Edit /etc/dovecot/conf.d/10-auth.conf:

auth_username_format = %Ln

Edit /etc/postfix/main.cf:

#mailbox_command =
mailbox_transport = lmtp:unix:private/dovecot-lmtp

Edit /etc/dovecot/conf.d/90-sieve.conf:

recipient_delimiter = +

sudo systemctl restart postfix dovecot

Create the file ~/.dovecot.sieve (for each user...):

require ["fileinto"];

# Move the spam to the spam folder
if header :contains "X-Spam-Flag" "YES" {
  fileinto "Spam";
  stop;
}

Test whether spam lands in the Spam folder by sending an email with the following content (the GTUBE test string):

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Edit /etc/postfix/main.cf to use an FQDN:

myhostname = mail.mio-dominio
smtpd_banner = $myhostname

sudo systemctl restart postfix

Create a TXT record:

Name: @
Content: v=spf1 mx ~all

Tell /etc/postfix/master.cf to use spf:

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

Edit /etc/postfix/main.cf:

policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
	permit_sasl_authenticated,
	permit_mynetworks,
	reject_unauth_destination,
	check_policy_service unix:private/policyd-spf

sudo systemctl restart postfix

Check the score on mail-tester.

Add postfix to the opendkim group:

sudo gpasswd -a postfix opendkim

Edit /etc/opendkim.conf:

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain                 example.com
#KeyFile                /etc/dkimkeys/dkim.key
#Selector               2007

# Commonly-used options; the commented-out versions show the defaults.
Canonicalization        simple
Mode                    sv
SubDomains              no
AutoRestart             yes
AutoRestartRate         10/1M
Background              yes
DNSTimeout              5
SignatureAlgorithm      rsa-sha256

# Socket smtp://localhost
#
# ##  Socket socketspec
# ##
# ##  Names the socket where this filter should listen for milter connections
# ##  from the MTA.  Required.  Should be in one of these forms:
# ##
# ##  inet:port@address           to listen on a specific interface
# ##  inet:port                   to listen on all interfaces
# ##  local:/path/to/socket       to listen on a UNIX domain socket
#
#Socket                  inet:8892@localhost
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock

##  PidFile filename
###      default (none)
###
###  Name of the file where the filter should write its pid before beginning
###  normal operations.
#
PidFile               /var/run/opendkim/opendkim.pid

# Always oversign From (sign using the actual From and a null From) to prevent
# malicious insertion of header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders         From

##  ResolverConfiguration filename
##      default (none)
##
##  Specifies a configuration file to be passed to the Unbound library that
##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
##  documentation at unbound.net/ for the expected content of this file.
##  The results of using this and the TrustAnchorFile setting at the same
##  time are undefined.
##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
##  unbound package

# ResolverConfiguration     /etc/unbound/unbound.conf

##  TrustAnchorFile filename
##      default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
## at unbound.net/ for the expected format of this file.

TrustAnchorFile       /usr/share/dns/root.key

##  Userid userid
###      default (none)
###
###  Change to user "userid" before starting normal operation?  May include
###  a group ID as well, separated from the userid by a colon.
#
UserID                opendkim

# Map domains in From addresses to keys used to sign messages
KeyTable            refile:/etc/opendkim/key.table
SigningTable        refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList  /etc/opendkim/trusted.hosts

# A set of internal hosts whose mail should be signed
InternalHosts /etc/opendkim/trusted.hosts

Create the opendkim directory and its keys subdirectory, and change the owner:

sudo mkdir /etc/opendkim
sudo mkdir /etc/opendkim/keys
sudo chown -R opendkim:opendkim /etc/opendkim
sudo chmod go-rw /etc/opendkim/keys

Create the file /etc/opendkim/signing.table:

*@mio-dominio default._domainkey.mio-dominio

Create the file /etc/opendkim/key.table:

default._domainkey.mio-dominio mio-dominio:default:/etc/opendkim/keys/mio-dominio/default.private

Create the file /etc/opendkim/trusted.hosts:

127.0.0.1
localhost

*.mio-dominio

Create the key directory:

sudo mkdir /etc/opendkim/keys/mio-dominio

Generate the key:

sudo opendkim-genkey -b 2048 -d mio-dominio -D /etc/opendkim/keys/mio-dominio -s default -v

sudo chown opendkim:opendkim /etc/opendkim/keys/mio-dominio/default.private

Create a TXT record with the content of:

sudo cat /etc/opendkim/keys/mio-dominio/default.txt

Take the output starting from v=DKIM1, remove the whitespace and the quotes, and join the two lines.

Name=default._domainkey
Content: the two lines joined as above

sudo opendkim-testkey -d mio-dominio -s default -vvv
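As an added example (not from the original post), a POSIX shell script that automates the assembly of the TXT value from default.txt and then compares it with the record DNS actually serves, which is what opendkim-testkey verifies behind the scenes. It assumes dig (from dnsutils) is installed; domain, selector and key path are the page's placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: build the DKIM TXT value from
# opendkim-genkey's default.txt and compare it with what DNS really serves.
# Assumes dig (dnsutils) is installed; domain, selector and key path are the
# page's placeholders.

# Join every quoted chunk of a BIND-style TXT record into one string.
# default.txt splits the record over several "..." chunks inside parentheses,
# and `dig +short TXT` returns long records the same way, as "..." "...".
txt_chunks_joined() {
    grep -o '"[^"]*"' | tr -d '"\n'
}

# Record value to paste into the DNS panel: everything from v=DKIM1 onwards,
# quotes removed, chunks concatenated.
dkim_txt_value() {
    txt_chunks_joined < "$1"
}

# The value currently published for selector $2 of domain $1 (needs network).
published_dkim_value() {
    dig +short TXT "$2._domainkey.$1" | txt_chunks_joined
}

# Whitespace after ';' carries no meaning in a DKIM tag list, so strip it on
# both sides before comparing. Succeeds only if the local file is non-empty
# and identical to the published record.
dkim_record_matches() {
    domain=$1; selector=$2; keyfile=$3
    local_value=$(dkim_txt_value "$keyfile" | tr -d ' \t')
    dns_value=$(published_dkim_value "$domain" "$selector" | tr -d ' \t')
    [ -n "$local_value" ] && [ "$local_value" = "$dns_value" ]
}

# Usage: sh dkim_check.sh mio-dominio default /etc/opendkim/keys/mio-dominio/default.txt
if [ $# -eq 3 ]; then
    if dkim_record_matches "$1" "$2" "$3"; then
        echo "published DKIM record matches $3"
    else
        echo "mismatch: DNS record differs from $3 (or is not published yet)"
        exit 1
    fi
fi
```

Run it with sudo (or as the opendkim user) because default.txt is only readable by opendkim after the chown above.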

sudo mkdir /var/spool/postfix/opendkim
sudo chown opendkim:postfix /var/spool/postfix/opendkim

Edit the file /etc/default/opendkim:

SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"

Edit the file /etc/postfix/main.cf:

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

sudo systemctl restart opendkim postfix

Set a PTR record (ask your provider) for mail.mio-dominio.

Create a TXT record for DMARC:

Name=_DMARC.mio-dominio
Content=v=DMARC1; p=none; rua=mailto:user@mio-dominio; ruf=mailto:user@mio-dominio; fo=1;
