Mail Server: -
Building a Mail Server on Linux Machine using unlike packages that separately handgrip SMTP, POP too IMAP. Where you lot tin john create produce entire things including bundle installation configuration etc.
Our Goal: - - Postfix: sends too receives post service via the SMTP protocol. It volition alone relay post service on to other post service servers if the e-mail is sent past times an authenticated user, but anyone tin john send post service to this server for local delivery.
- Dovecot: Influenza A virus subtype H5N1 POP too IMAP server that manages local post service directories too allows users to log inward too download their mail. It also handles user authentication.
- Postgrey: Greylists incoming mail, requiring unfamiliar deliverers to hold off for a piece too so resend. This is ane of the improve tools for cutting downwardly on spam.
- Amavisd-new: a manager for organising diverse antivirus too spam checking content filters
- Clam Antivirus: A improve tool to Scan Emails
- SpamAssassin: for sniffing out spam inward emails.
- Postfix Admin: Influenza A virus subtype H5N1 proficient spider web interface to create produce Domain, Mailbox, Alias etc.
- RoundCube: Influenza A virus subtype H5N1 spider web post service customer tool.
Install too Configure E-mail server:
Step 1: - DNS Change
You convey to laid upwardly your DNS amongst an A tape that points to your post service server IP too an MX tape that points to the post service servers hostname.
A tony.in 192.168.102.10 MX mail.tony.in 192.168.102.10
Step 2: - Setup Hostname
We demand to setup hostname
Now laid the contents of /etc/hostname to live the hostname: echo "mail.tony.in" /etc/hostname
And add together your hostname to the showtime line of /etc/hosts: 127.0.0.1 mail.tony.in mail
Step 3: - Install LAMP Web Server:
We demand LAMP server to handgrip PostfixAdmin spider web interface too to create produce RoundCube spider web based e-mail client.
3A- Install Apache:-
root@mail:/home/amar# apt install apache2
3B- Install MySQL:
root@mail:/home/amar# apt install mysql-client mysql-server php-mysql
After installing Mysql let's perform post installation task, run mysql_secure_installlation ascendancy to setup initial setting.
root@mail:/home/amar# mysql_secure_installation
Press enter button when inquire for electrical flow password too follow the education for other changes you lot may require.
3C- Install PHP:
root@mail:/home/amar# apt install php7.0 php7.0-mcrypt php7.0-curl php7.0-gd php7.0-mbstring php-apcu libapache2-mod-php7.0
Step 4: - Allow required Port through Firewall
We demand to allow next ports inward the firewall to communicate our server amongst the world.
- 80 (HTTP)
- 25 (SMTP)
- 110 (POP3)
- 143 (IMAP)
- 465 (SMTPS)
- 993 (IMAPS)
- 995 (POPS)
Step 5: - Install Mail server
Please run the ascendancy below to install postfix too enter hostname mail.tony.in during installation procedure when asked.
5A- Postfix Install
root@mail:/home/amar# apt install postfix postfix-mysql
5B- DoveCot Install
root@mail:/home/amar# apt install dovecot-core dovecot-mysql dovecot-imapd dovecot-pop3d
5C- Install all other packages including postgrey, ClamAV Antivirus and SpamAssassin
root@mail:/home/amar# apt install \ > postgrey \ > amavis \ > clamav \ > clamav-daemon \ > spamassassin \ > libdbi-perl \ > libdbd-mysql-perl \ > php7.0-imap \ > postfix-policyd-spf-python
5D- Next, nosotros demand to install few optional packages that extend the abilities of the spam too virus detection, Use the ascendancy below.
root@mail:/home/amar# apt install \ > pyzor \ > razor \ > arj \ > cabextract \ > lzop \ > nomarch \ > p7zip-full \ > ripole \ > rpm2cpio \ > tnef \ > unzip \ > unrar-free \ > zip \ > zoo
5E- Use OpenSSL to Create a Unique Diffie-Helman Group openssl dhparam -out /etc/ssl/private/dhparams.pem 2048 chmod 600 /etc/ssl/private/dhparams.pem
Step 6: - Configure MySQL
A few alterations to the default MySQL configuration in /etc/mysql/mariadb.conf.d/50-server.cnf are needed. Add the following:
root@mail:/home/amar# vi /etc/mysql/mariadb.conf.d/50-server.cnf
6A- Append next line relieve file too restart MySQL service.
user = mysql pid-file = /var/run/mysqld/mysqld.pid socket = /var/run/mysqld/mysqld.sock port = 3306 basedir = /usr datadir = /var/lib/mysql tmpdir = /tmp lc-messages-dir = /usr/share/mysql sql_mode=ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
6B- Create a database:
Use ascendancy below to create a database too assign permission
root@mail:/home/amar# mysql -u root -p Enter password: ******* MariaDB [(none)]> create database mail; Query OK, 1 row affected (0.00 sec) MariaDB [(none)]> grant all on mail.* to 'mail'@'localhost' identified past times 'mailpassword'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> flush privileges; Query OK, 0 rows affected (0.00 sec)
6C- Now Restart MySQL service
root@mail:/home/amar# systemctl restart mysql
Step 7: - Install and Configure Postfix Admin:
Postfix Admin is installed equally follows. To start things off, download the bundle from Sourceforge, unpack it, displace it into a subdirectory of your webroot, too alter ownership to the www-data user: root@mail:/home/amar# wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-3.0.2/postfixadmin-3.0.2.tar.gz root@mail:/home/amar# tar -xf postfixadmin-3.0.2.tar.gz root@mail:/home/amar# rm -f postfixadmin-3.0.2.tar.gz root@mail:/home/amar# mv postfixadmin-3.0.2 /var/www/html/postfixadmin root@mail:/home/amar# chown -R www-data:www-data /var/www/html/postfixadmin
7A- Let's brand the changes into config.inc.php root@mail:/home/amar# vi /var/www/html/postfixadmin/config.inc.php
Make the highlighted changes inward the config.inc.php
<?php // Configuration options hither override those inward config.inc.php. // You convey to laid $CONF['configured'] = true; before the // application volition run. $CONF['configured'] = true; // Database connectedness details. $CONF['database_type'] = 'mysqli'; $CONF['database_host'] = 'localhost'; $CONF['database_user'] = 'mail'; $CONF['database_password'] = 'mailpassword'; $CONF['database_name'] = 'mail'; // Site Admin // Define the Site Admin's e-mail address below. // This volition live used to send emails from to create mailboxes too // from Send Email / Broadcast message pages. // Leave blank to send e-mail from the logged-in Admin's Email address. $CONF['admin_email'] = '';
Save too Exit from File 7B- Now start browser too opened upwardly this URL: http://mail.tony.in/postfixadmin/setup.php Troubleshooting: -You may get error:- Invalid query: Specified fundamental was likewise long; max fundamental length is one m bytes
7C- To cook higher upwardly mistake nosotros demand to brand changes into upgrade.php file Open upgrade.php file using vi editor. root@mail:/home/amar# vi /var/www/html/postfixadmin/upgrade.php
type syntax below too hitting enter- :%s/255/100/g it disclose give-and-take 500 inward the file too supercede it amongst 100
7D- After making alter inward the file refresh url, if things goes weill you lot teach output equally follow
7E- Now displace into Setup password, what ever you lot demand too it volition give us Hash password that nosotros demand to relieve inward config.inc.php file
You volition run across Hash password equally inward higher upwardly icon demand to re-create it too add together inward confi.inc.php file
7F- Open confi.inc.php too add together this hash password inward forepart of $conf['setup_password'] line equally below root@mail:/home/amar# vi /var/www/html/postfixadmin/config.inc.php
$CONF['setup_password'] = '29bef8ab87cb037af7efb8257a116469:e05ed5e6eecfa387324c4ba30f40e4d316a77685';
Save too Exit from the file. 7G- Create PostfixAdmin superAdmin login account
Super Admin concern human relationship has been setup successfully. Troubleshooting: - You may teach an error "Admin is non a valid e-mail address!Email address" during admin concern human relationship setup This mistake volition hap when our domain is non getting resolved, To solve it let's brand too alter in config.inc.php file Open config.inc.php file and alter line equally below $CONF['emailcheck_resolve_domain']='NO'
Save too Exit from file. Step 8: - Create Domain too add together mailbox: Let's Use created an admin user to login into postfix admin console: User- admin@tony.in password- created password above 8A- Add Domain: Let's add domain using steps below 8B- Add Domain: Add User mailbox Follow the steps 1 -8 to add together mailbox One mailbox amongst cite chinu@tony.in has been added successfully. Step 8: - Create a User to Handle Virtual Mail Directories We demand a User concern human relationship who tin john handgrip Virtual post service directories, So let's create a user using the ascendancy below: root@mail:/home/amar# useradd -r -u 150 -g post service -d /var/vmail -s /sbin/nologin -c "Virtual maildir handler" vmail root@mail:/home/amar# mkdir /var/vmail root@mail:/home/amar# chmod 770 /var/vmail root@mail:/home/amar# chown vmail:mail /var/vmail
Virtual Mail Directory "/var/vmail" using Group "mail" to allow other system's user to create produce the content.
Step 9: - Configure Dovecot
Dovecot volition create produce all the connectedness for POP too IMAP, local post service directory too have all incoming emails. Dovecot operate to handgrip authentication for SMTP connection. We also define MySQL database connectedness string so Dovecot tin john access all the information from MySQL Database-
9A- Enable Dovecote access to MySQL database
Dovecot volition access all the mailbox information including user authentication from Database, Let's brand changes inward the file - /etc/dovecot/dovecot-sql.conf.ext
Open dovecot-sql.conf.ext file too add together database access equally follow
root@mail:/home/amar# vi /etc/dovecot/dovecot-sql.conf.ext
Make the next changes equally highlighted below inward RED # Database driver: mysql, pgsql, sqlite driver = mysql
# Examples: # connect = host=192.168.1.1 dbname=users # connect = host=sql.example.com dbname=virtual user=virtual password=blarg # connect = /etc/dovecot/authdb.sqlite # connect = host=localhost dbname=mail user=mail password=mailpassword
# Default password scheme. # # List of supported schemes is inward # http://wiki2.dovecot.org/Authentication/PasswordSchemes # default_pass_scheme = MD5-CRYPT
# Define the enquiry to obtain a user password. # # Note that uid 150 is the "vmail" user too gid 8 is the "mail" group. # password_query = \ SELECT username equally user, password, '/var/vmail/%d/%n' equally userdb_home, \ 'maildir:/var/vmail/%d/%n' equally userdb_mail, 150 equally userdb_uid, 8 equally userdb_gid \ FROM mailbox WHERE username = '%u' AND active = '1'
# Define the enquiry to obtain user information. # # Note that uid 150 is the "vmail" user too gid 8 is the "mail" group. # user_query = \ SELECT '/var/vmail/%d/%n' equally home, 'maildir:/var/vmail/%d/%n' equally mail, \ 150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota \ FROM mailbox WHERE username = '%u' AND active = '1' Save too Exit from File. 9B- Make changes inward 10-auth.conf file
Dovecot volition read the SQL configuration files, nosotros demand to enable inward 10-auth.conf file lets brand changes using below command. Open 10-auth.conf file and brand the changes equally follow
root@mail:/home/amar# vi /etc/dovecot/conf.d/10-auth.conf
Changes are equally follows:
# Disable LOGIN ascendancy too all other plaintext authentications unless # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP # matches the local IP (ie. you're connecting from the same computer), the # connectedness is considered secure too plaintext authentication is allowed. disable_plaintext_auth = yes
# Space separated listing of wanted authentication mechanisms: # evidently login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey # gss-spnego # NOTE: See also disable_plaintext_auth setting. auth_mechanisms = evidently login
# User database specifies where mails are located too what user/group IDs # ain them. For single-UID configuration operate "static" userdb. # # <doc/wiki/UserDatabase.txt> #!include auth-deny.conf.ext #!include auth-master.conf.ext #!include auth-system.conf.ext # Use the SQL database configuration for authentication rather than # whatever of these others. !include auth-sql.conf.ext #!include auth-ldap.conf.ext #!include auth-passwdfile.conf.ext #!include auth-checkpassword.conf.ext #!include auth-vpopmail.conf.ext #!include auth-static.conf.ext
Save too Exit from the Files 9C- Tell Dovecot where demand to shop user's post service directory Open 10-mail.conf file too brand the changes equally follows: root@mail:/home/amar# vi /etc/dovecot/conf.d/10-mail.conf
Changes are equally follows: # See doc/wiki/Variables.txt for total list. Some examples: # # mail_location = maildir: /Maildir # mail_location = mbox: /mail:INBOX=/var/mail/%u # mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n # # <doc/wiki/MailLocation.txt> # mail_location = maildir:/var/vmail/%d/%n
# System user too grouping used to access mails. If you lot operate multiple, userdb # tin john override these past times returning uid or gid fields. You tin john operate either numbers # or names. <doc/wiki/UserIds.txt> mail_uid = vmail mail_gid = mail
# Valid UID hit for users, defaults to 500 too above. This is mostly # to brand certain that users can't log inward equally daemons or other organization users. # Note that denying root logins is hardcoded to dovecot binary too can't # live done fifty-fifty if first_valid_uid is laid to 0. # # Use the vmail user uid here. first_valid_uid = 150 last_valid_uid = 150
Save too Exit From the file 9D- Change Certificates file path Open 10-ssl.conf file too brand the changes equally follows:
root@mail:/home/amar# vi /etc/dovecot/conf.d/10-ssl.conf
Make the changes equally follows: # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> ssl = yes
# The generated snakeoil certificate: #ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem #ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key # Purchased certificate: ssl_cert = </etc/ssl/certs/tony.in.crt ssl_key = </etc/ssl/private/tony.in.key
Save too Exit From the file 9E-Modify 10-master.conf root@mail:/home/amar# vi /etc/dovecot/conf.d/10-master.conf
Make the changes equally follows: service auth { # auth_socket_path points to this userdb socket past times default. It's typically # used past times dovecot-lda, doveadm, maybe imap process, etc. Users that convey # total permissions to this socket are able to teach a listing of all usernames too # teach the results of everyone's userdb lookups. # # The default 0666 agency allows anyone to connect to the socket, but the # userdb lookups volition succeed alone if the userdb returns an "uid" acre that # matches the caller process's UID. Also if caller's uid or gid matches the # socket's uid or gid the lookup succeeds. Anything else causes a failure. # # To give the caller total permissions to lookup all users, laid the agency to # something else than 0666 too Dovecot lets the essence enforce the # permissions (e.g. 0777 allows everyone total permissions). unix_listener auth-userdb { agency = 0666 user = vmail grouping = post service } unix_listener /var/spool/postfix/private/auth { agency = 0666 # Assuming the default Postfix user too grouping user = postfix grouping = postfix } Save too Exit From the file 9F- Change postmaster setting root@mail:/home/amar# vi /etc/dovecot/conf.d/15-lda.conf
Changes equally follows: # Address to operate when sending rejection mails. # Default is postmaster@<your domain>. postmaster_address = postmaster@tony.in
Save too Exit From the file 9G- Change mailbox directory permission root@mail:/home/amar# chown -R vmail:dovecot /etc/dovecot root@mail:/home/amar# chmod -R o-rwx /etc/dovecot
Step 10: - Configure Antivirus scan too SpamAssassin scan
Amavis, ClamAV, too SpamAssassin are the best tool to scan email, allow brand the changes equally follow to integrate these tools.
10A- Add Users root@mail:/home/amar# adduser clamav amavis Adding user `clamav' to grouping `amavis' ... Adding user clamav to grouping amavis Done. root@mail:/home/amar# adduser amavis clamav Adding user `amavis' to grouping `clamav' ... Adding user amavis to grouping clamav Done.
10B- Modify configuration file
root@mail:/home/amar# vi /etc/clamav/clamd.conf
Changes equally follows:
# Needed to allow things to piece of work amongst Amavis, when both amavis too clamav # users are added to ane another's groups. AllowSupplementaryGroups true
10C- Turn on Amavis root@mail:/home/amar# vi /etc/amavis/conf.d/15-content_filter_mode
Changes equally follow use strict; # You tin john modify this file to re-enable SPAM checking through spamassassin # too to re-enable antivirus checking. # # Default antivirus checking agency # Please note, that anti-virus checking is DISABLED past times # default. # If You wishing to enable it, delight uncomment the next lines: @bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); # # Default SPAM checking agency # Please note, that anti-spam checking is DISABLED past times # default. # If You wishing to enable it, delight uncomment the next lines: @bypass_spam_checks_maps = ( \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); 1; # ensure a defined return
Save too Exit From file 10D- Enable SpamAssassin root@mail:/home/amar# vi /etc/default/spamassassin
Changes equally follow
# Change to ane to enable spamd ENABLED=1 # Cronjob # Set to anything but 0 to enable the cron task to automatically update # spamassassin's rules on a nightly solid set down CRON=1
Save too Exit from file 10E- Enable Database Scan SpamAssassin nether Amavis volition alone banking concern check post service that's determined to live arriving for local delivery. There are a duad of ways to state Amavis which mails are for local delivery, but hither we'll laid it upwardly to banking concern check the database laid upwardly past times Postfix Admin. Edit /etc/amavis/conf.d/50-user to await similar this: root@mail:/home/amar# vi /etc/amavis/conf.d/50-user
Changes equally follows:
use strict; # # Place your configuration directives here. They volition override those inward # before files. # # See /usr/share/doc/amavisd-new/ for documentation too examples of # the directives you lot tin john operate inward this file # # Three concurrent processes. This should fit into the RAM available on an # AWS micro instance. This has to tally the number of processes specified # for Amavis inward /etc/postfix/master.cf. $max_servers = 3; # Add spam information headers if at or higher upwardly that flat - this ensures they # are ever added. $sa_tag_level_deflt = -9999; # Check the database to run across if post service is for local delivery, too hence # should live spam checked. @lookup_sql_dsn = ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'mail', 'mailpassword']); $sql_select_policy = 'SELECT domain from domain WHERE CONCAT("@",domain) IN (%k)'; # Uncomment to bump upwardly the log flat when testing. # $log_level = 2; #------------ Do non modify anything below this line ------------- 1; # ensure a defined return Save too Exit from file
10E-
Next, brand certain the ClamAV database is upwardly to appointment past times running fresh clam. It should be: root@mail:/home/amar# freshclam
10F- Restart services root@mail:/home/amar# /etc/init.d/spamassassin restart
root@mail:/home/amar# /etc/init.d/clamav-daemon restart
root@mail:/home/amar# /etc/init.d/clamav-daemon restart
root@mail:/home/amar# /etc/init.d/amavis restart
Step 11: - Configure Postfix
Postfix handles incoming post service via the SMTP protocol, too its configuration files have be set upwardly to allow it to integrate amongst the diverse other packages nosotros convey installed so far. At a high level, nosotros desire Postfix to mitt off incoming post service to the spam too virus checkers before passing it on to Dovecot for delivery, too to communicate amongst Dovecot inward gild to authenticate virtual users who are connecting over SMTP inward gild to send the email.
11A- Create next files to allow postfix access fo Database.
root@mail:/home/amar# vi /etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
Add next lines
user = post service password = mailpassword hosts = 127.0.0.1 dbname = post service enquiry = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' AND alias.address=concat('%u', '@', alias_domain.target_domain) AND alias.active = 1 /etc/postfix/mysql_virtual_alias_maps.cf
user = post service password = mailpassword hosts = 127.0.0.1 dbname = post service tabular array = alias select_field = goto where_field = address additional_conditions = too active = '1'
/etc/postfix/mysql_virtual_domains_maps.cf
user = post service password = mailpassword hosts = 127.0.0.1 dbname = post service tabular array = domain select_field = domain where_field = domain additional_conditions = too backupmx = '0' too active = '1'
/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
user = post service password = mailpassword hosts = 127.0.0.1 dbname = post service enquiry = SELECT maildir FROM mailbox, alias_domain WHERE alias_domain.alias_domain = '%d' AND mailbox.username=concat('%u', '@', alias_domain.target_domain ) AND mailbox.active = 1 /etc/postfix/mysql_virtual_mailbox_maps.cf
user = post service password = mailpassword hosts = 127.0.0.1 dbname = post service tabular array = mailbox select_field = CONCAT(domain, '/', local_part) where_field = username additional_conditions = too active = '1'
/etc/postfix/mysql_virtual_sender_login_maps.cf
user = post service password = mailpassword hosts = 127.0.0.1 dbname = post service enquiry = SELECT goto FROM alias WHERE address='%s'
/etc/postfix/header_checks
/^Received:/ IGNORE /^User-Agent:/ IGNORE /^X-Mailer:/ IGNORE /^X-Originating-IP:/ IGNORE /^x-cr-[a-z]*:/ IGNORE /^Thread-Index:/ IGNORE
11B- Modify main.cf file root@mail:/home/amar# vi /etc/postfix/main.cf
Changes equally follows
# See /usr/share/postfix/main.cf.dist for a commented, to a greater extent than consummate version # The showtime text sent to a connecting process. smtpd_banner = $myhostname ESMTP $mail_name biff = no # appending .domain is the MUA's job. append_dot_mydomain = no readme_directory = no # --------------------------------- # SASL parameters # --------------------------------- # Use Dovecot to authenticate. smtpd_sasl_type = dovecot # Referring to /var/spool/postfix/private/auth smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = smtpd_sasl_authenticated_header = yes # --------------------------------- # TLS parameters # --------------------------------- # The default snakeoil certificate. Comment if using a purchased # SSL certificate. smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key # Uncomment if using a purchased SSL certificate. # smtpd_tls_cert_file=/etc/ssl/certs/example.com.crt # smtpd_tls_key_file=/etc/ssl/private/example.com.key # The snakeoil self-signed certificate has no demand for a CA file. But # if you lot are using your ain SSL certificate, so you lot in all probability convey # a CA certificate bundle from your provider. The path to that goes # here. # smtpd_tls_CAfile=/etc/ssl/certs/ca-bundle.crt # Ensure we're non using no-longer-secure protocols. smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 smtp_tls_note_starttls_offer = yes smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache #smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # Note that forcing operate of TLS is going to displace breakage - most post service servers # don't offering it too so delivery volition fail, both incoming too outgoing. This is # unfortunate given what diverse governmental agencies are upwardly to these days. # # Enable (but don't force) all incoming smtp connections to operate TLS. smtpd_tls_security_level = may # Enable (but don't force) all outgoing smtp connections to operate TLS. smtp_tls_security_level = may # See /usr/share/doc/postfix/TLS_README.gz inward the postfix-doc bundle for # information on enabling SSL inward the smtp client. # --------------------------------- # TLS Updates relating to Logjam SSL attacks. # See: https://weakdh.org/sysadmin.html # --------------------------------- smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem # --------------------------------- # SMTPD parameters # --------------------------------- # Uncomment the adjacent line to generate "delayed mail" warnings #delay_warning_time = 4h # volition it live a permanent mistake or temporary unknown_local_recipient_reject_code = 450 # how long to proceed message on queue before render equally failed. maximal_queue_lifetime = 7d # max too minute fourth dimension inward seconds betwixt retries if connectedness failed minimal_backoff_time = 1000s maximal_backoff_time = 8000s # how long to hold off when servers connect before receiving balance of information smtp_helo_timeout = 60s # how many address tin john live used inward ane message. # effective stopper to majority spammers, accidental re-create inward whole address listing # but may limit intentional post service shots. smtpd_recipient_limit = 16 # how many mistake before dorsum off. smtpd_soft_error_limit = 3 # how many max errors before blocking it. smtpd_hard_error_limit = 12 # This adjacent laid are of import for determining who tin john send post service too relay post service # to other servers. It is real of import to teach this correct - accidentally producing # an opened upwardly relay that allows unauthenticated sending of post service is a Very Bad Thing. # # You are encouraged to read upwardly on what precisely each of these options accomplish. # Requirements for the HELO disceptation smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit # Requirements for the sender details. Note that the gild matters. # E.g. run across http://jimsun.linxnet.com/misc/restriction_order_prelim-03.txt smtpd_sender_restrictions = permit_mynetworks, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit # Requirements for the connecting server smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl # Requirement for the recipient address. Note that the entry for # "check_policy_service inet:127.0.0.1:10023" enables Postgrey. smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service unix:private/policy-spf, check_policy_service inet:127.0.0.1:10023, permit smtpd_data_restrictions = reject_unauth_pipelining # This is a novel selection equally of Postfix 2.10, too is required inward add-on to # smtpd_recipient_restrictions for things to piece of work properly inward this setup. smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service unix:private/policy-spf, check_policy_service inet:127.0.0.1:10023, permit # require proper helo at connections smtpd_helo_required = yes # waste matter spammers fourth dimension before rejecting them smtpd_delay_reject = yes disable_vrfy_command = yes # --------------------------------- # General host too delivery information # ---------------------------------- myhostname = mail.tony.in myorigin = /etc/hostname # Some people run across issues when setting mydestination explicitly to the server # subdomain, piece leaving it empty to a greater extent than oft than non doesn't hurt. So it is left empty here. # mydestination = mail.example.com, localhost mydestination = # If you lot convey a dissever spider web server that sends outgoing post service through this # mailserver, you lot may desire to add together its IP address to the space-delimited listing inward # mynetworks, e.g. equally 10.10.10.10/32. mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all mynetworks_style = host # This specifies where the virtual mailbox folders volition live located. virtual_mailbox_base = /var/vmail # This is for the mailbox location for each user. The domainaliases # map allows us to brand operate of Postfix Admin's domain alias feature. virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf # too their user id virtual_uid_maps = static:150 # too grouping id virtual_gid_maps = static:8 # This is for aliases. The domainaliases map allows us to brand # operate of Postfix Admin's domain alias feature. virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf # This is for domain lookups. virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf # Used inward conjunction amongst reject_authenticated_sender_login_mismatch to # verify that the sender is sending amongst their ain address, or amongst ane # of the aliases mapped to that address. smtpd_sender_login_maps = mysql:/etc/postfix/mysql_virtual_sender_login_maps.cf # --------------------------------- # Integration amongst other packages # --------------------------------------- # Tell postfix to mitt off post service to the Definition for dovecot inward master.cf virtual_transport = dovecot dovecot_destination_recipient_limit = 1 # Use amavis for virus too spam scanning content_filter = amavis:[127.0.0.1]:10024 # Settings for checking SPF to cutting downwardly spam. policy-spf_time_limit = 3600s # --------------------------------- # Header manipulation # -------------------------------------- # Getting rid of unwanted headers. See: https://posluns.com/guides/header-removal/ header_checks = regexp:/etc/postfix/header_checks enable_original_recipient = no # getting rid of x-original-to Save too leave of absence from file
11C- Modify master.cf
root@mail:/home/amar# vi /etc/postfix/master.cf
Changes equally follows # Postfix master copy procedure configuration file. For details on the format # of the file, run across the master(5) manual page (command: "man v master" or # on-line: http://www.postfix.org/master.5.html). # # Do non forget to execute "postfix reload" afterwards editing this file. # # ========================================================================== # service type somebody unpriv chroot wakeup maxproc ascendancy + args # (yes) (yes) (no) (never) (100) # ========================================================================== smtp inet n - y - - smtpd #smtp inet n - y - 1 postscreen #smtpd overstep - - y - - smtpd #dnsblog unix - - y - 0 dnsblog #tlsproxy unix - - y - 0 tlsproxy # SMTP amongst TLS on port 587. Currently commented. #submission inet n - y - - smtpd # -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_enforce_tls=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject # -o smtpd_sasl_tls_security_options=noanonymous # SMTP over SSL on port 465. smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_tls_auth_only=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject -o smtpd_sasl_security_options=noanonymous,noplaintext -o smtpd_sasl_tls_security_options=noanonymous #628 inet n - y - - qmqpd pickup unix n - y sixty 1 pickup cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr tlsmgr unix - - y 1000? 1 tlsmgr rewrite unix - - y - - trivial-rewrite bounce unix - - y - 0 bounce defer unix - - y - 0 bounce delineate unix - - y - 0 bounce verify unix - - y - 1 verify level unix n - y 1000? 0 level proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - y - - smtp relay unix - - y - - smtp # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - y - - showq mistake unix - - y - - mistake retry unix - - y - - mistake discard unix - - y - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - y - - lmtp anvil unix - - y - 1 anvil scache unix - - y - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be certain to examine the manual # pages of the non-Postfix software to disclose out what options it wants. # # Many of the next services operate the Postfix pipe(8) delivery # agent. See the pipe(8) human being page for information most ${recipient} # too other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify inward main.cf: maildrop_destination_recipient_limit=1 # maildrop unix - n n - - piping flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} # # ==================================================================== # # Recent Cyrus versions tin john operate the existing "lmtp" master.cf entry. # # Specify inward cyrus.conf: # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 # # Specify inward main.cf ane or to a greater extent than of the following: # mailbox_transport = lmtp:inet:localhost # virtual_transport = lmtp:inet:localhost # # ==================================================================== # # Cyrus 2.1.5 (Amos Gouaux) # Also specify inward main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - piping # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} # # ==================================================================== # Old illustration of delivery via Cyrus. # #old-cyrus unix - n n - - piping # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} # # ==================================================================== # # See the Postfix UUCP_README file for configuration details. # uucp unix - n n - - piping flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # Other external delivery methods. # ifmail unix - n n - - piping flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - piping flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 piping flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - piping flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} # The adjacent 2 entries integrate amongst Amavis for anti-virus/spam checks. amavis unix - - y - three smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 127.0.0.1:10025 inet n - y - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions=reject_unauth_pipelining -o smtpd_end_of_data_restrictions= -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters # Integration amongst Dovecot - mitt post service over to it for local delivery, too # run the procedure nether the vmail user too post service group. dovecot unix - n n - - piping flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/dovecot-lda -d $(recipient) # Integration amongst the SPF banking concern check package. policy-spf unix - n n - - spawn user=nobody argv=/usr/bin/policyd-spf
Step 12- Restart all the services: root@mail:/home/amar# service postfix restart root@mail:/home/amar# service spamassassin restart root@mail:/home/amar# service clamav-daemon restart root@mail:/home/amar# service amavis restart root@mail:/home/amar# service dovecot restart
Step 13- Test Mail Server: Use setting below to configure your Email Client.
Use higher upwardly settings to configure E-mail Client.
Step 14- Setup SPF (Sender Policy Framework):
Example 1 Allow post service from all hosts listed inward the MX records for the domain:
v=spf1 mx -all
Example 2 Allow post service from a specific host: v=spf1 a:mail.example.com -all
Add the SPF policy agent to Postfix: Install next bundle first.
# apt install postfix-policyd-spf-python postfix-pcre
1- If you lot are using SpamAssassin to filter spam, you lot may desire edit to /etc/postfix-policyd-spf-python/policyd-spf.conf to alter the HELO_reject and Mail_From_rejectsettings to False.
root@mail: # vi /etc/postfix-policyd-spf-python/policyd-spf.conf
Your file looks similar below:
debugLevel = 1 TestOnly = 1 HELO_reject = False Mail_From_reject = False PermError_reject = False TempError_Defer = False
Save too leave of absence from file 2- Edit /etc/postfix/master.cf and add together the next line policyd-spf unix - n n - 0 spawn user=policyd-spf argv=/usr/bin/policyd-spf
Save too leave of absence from file 3-Edit /etc/postfix/main.cf and add together the next line to increase postfix agent policy timeout policyd-spf_time_limit = 3600
4- Edit /etc/postfix/main.cfand change smtpd_recipient_restrictions list smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service unix:private/policy-spf, check_policy_service inet:127.0.0.1:10023, permit
Save too leave of absence from file
5-Restart Postfix root@mail: # systemctl restart postfix
!!!Our E-Mail Server has been configured successfully!!!
