Mailserver
Install
# Postfix also needs its MySQL map support and a running MySQL/MariaDB server;
# check the package names for your distribution (e.g. `pacman -Ss postfix`).
pacman -S postfix dovecot
Add user for the mail daemon
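# uid/gid 5000 are hard-wired elsewhere (virtual_uid_maps/virtual_gid_maps in
# main.cf, uid/gid in dovecot-sql.conf), so pin the gid too instead of letting
# useradd pick one.
groupadd -g 5000 vmail
# No shell: this account only owns the mailboxes, nobody logs in as it.
useradd -u 5000 -g 5000 -s /usr/bin/nologin -d /var/spool/mail/vmail/ -m vmail
mkdir -p /var/spool/mail/vmail/
chown vmail:vmail /var/spool/mail/vmail/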
Postfix
Create database
# The SQL statements below are entered at the mysql> prompt of this session.
mysql -u root -p
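CREATE DATABASE postfix;
-- Postfix and Dovecot only ever read these tables (their map and auth queries are
-- plain SELECTs), so a read-only account is sufficient; run the INSERTs further
-- down as the administrative account of this session.
-- 'blafoo' is a placeholder: choose a real secret, it is stored in clear text in
-- the map files that reference it. Use ASCII single quotes, not typographic ones.
CREATE USER 'postfix_user'@'localhost' IDENTIFIED BY 'blafoo';
GRANT SELECT ON postfix.* TO 'postfix_user'@'localhost';
FLUSH PRIVILEGES;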
Create tables
Virtual domains
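-- One row per domain Postfix accepts mail for. virtual_mailbox_domains.cf looks
-- rows up by name, so the name must be unique.
-- Note: MySQL's "utf8" is the 3-byte subset (utf8mb3).
CREATE TABLE `virtual_domains` (
    `id`   INT NOT NULL AUTO_INCREMENT,
    `name` VARCHAR(50) NOT NULL,
    PRIMARY KEY (`id`),
    UNIQUE KEY `virtual_domains_name_uk` (`name`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;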
Virtual users
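-- One row per mailbox. Postfix checks existence (virtual_mailbox_maps.cf),
-- Dovecot reads the password hash (dovecot-sql.conf).
CREATE TABLE `virtual_users` (
    `id`        INT NOT NULL AUTO_INCREMENT,
    `domain_id` INT NOT NULL,
    -- SHA512-CRYPT hash as produced by `doveadm pw -s SHA512-CRYPT`; 106 chars is
    -- the maximum for that format ($6$ + up to 16-char salt + $ + 86-char digest).
    `password`  VARCHAR(106) NOT NULL,
    `email`     VARCHAR(120) NOT NULL,
    PRIMARY KEY (`id`),
    UNIQUE KEY `virtual_users_email_uk` (`email`),
    -- Deleting a domain removes its mailbox rows; the Maildirs on disk are not touched.
    CONSTRAINT `virtual_users_domain_id_fk`
        FOREIGN KEY (`domain_id`) REFERENCES `virtual_domains` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;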
Virtual aliases
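-- Forwarding rules looked up by virtual_alias_maps.cf (source -> destination).
CREATE TABLE `virtual_aliases` (
    `id`          INT NOT NULL AUTO_INCREMENT,
    `domain_id`   INT NOT NULL,
    `source`      VARCHAR(100) NOT NULL,
    `destination` VARCHAR(100) NOT NULL,
    PRIMARY KEY (`id`),
    -- One source may fan out to several destinations (Postfix concatenates all
    -- matching rows); the same pair twice would only cause duplicate delivery.
    UNIQUE KEY `virtual_aliases_source_destination_uk` (`source`, `destination`),
    CONSTRAINT `virtual_aliases_domain_id_fk`
        FOREIGN KEY (`domain_id`) REFERENCES `virtual_domains` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;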
Create PFS DH files
# 2048-bit group for smtpd_tls_dh1024_param_file (the parameter name is
# historical; the file may hold a group of any size).
openssl dhparam -out /etc/postfix/dh_2048.pem -2 2048
Create default config
/etc/postfix/main.cf
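# /etc/postfix/main.cf -- MySQL-backed virtual domains, delivery to Dovecot over
# LMTP, SMTP AUTH via Dovecot, AUTH offered only inside TLS.

# General parameters
myhostname = mail.mydomain.de
# NOTE(review): mydomain is normally the parent of myhostname (mydomain.de); the
# ".local" suffix looks unintended -- confirm before use.
mydomain = mail.mydomain.de.local
# Placeholder only: octets above 255 do not form a valid IPv4 address. Replace
# with the server's real outbound address before starting Postfix.
smtp_bind_address = 123.456.789.001
smtp_bind_address6 =
inet_protocols = ipv4
inet_interfaces = all
# Only this machine is "trusted"; everyone else must authenticate to relay.
mynetworks_style = host
myorigin = $myhostname
smtpd_banner = $myhostname ESMTPSA
append_dot_mydomain = no
append_at_myorigin = yes
biff = no
# user+tag@domain is delivered to user@domain.
recipient_delimiter = +
broken_sasl_auth_clients = yes
# The server's cipher preference order wins over the client's.
tls_preempt_cipherlist = yes
# VRFY would let anyone probe which mailboxes exist.
disable_vrfy_command = yes

# Local delivery parameters
# Postfix warns if a domain is listed both here and in the virtual domain table;
# keep hostname-only entries here and the real mail domains in MySQL.
mydestination = $myhostname localhost.$mydomain localhost $mydomain
relay_domains = $mydestination
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
local_destination_concurrency_limit = 2
local_destination_recipient_limit = 1
mail_spool_directory = /var/spool/mail
# 0 = unlimited; a public MX usually wants a real message_size_limit.
message_size_limit = 0
mailbox_size_limit = 0
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps

# Virtual parameters -- all lookups go through proxymap, so the .cf files holding
# the DB password only need to be readable by root and the postfix group.
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
virtual_mailbox_base = /var/spool/mail/vmail
virtual_mailbox_limit = 0
virtual_minimum_uid = 5000
# Delivery goes to Dovecot's LMTP socket; uid/gid must match the vmail account.
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

# SMTPD parameters
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
# Offer AUTH only inside TLS so credentials never cross the wire in clear.
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_helo_required = yes
# Port 25 is a public MX: RFC 3207 says it must not require STARTTLS, and
# "encrypt" would refuse mail from every sender without TLS. Use opportunistic
# TLS here and enforce "encrypt" per service (submission, smtps) in master.cf;
# AUTH is TLS-only regardless because of smtpd_tls_auth_only.
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
# (smtpd_use_tls is the pre-2.3 switch; it is superseded by the security level.)
smtpd_tls_cert_file = /etc/postfix/tls/cert.pem
# NOTE(review): Dovecot serves fullchain.pem as its certificate; if cert.pem is
# the leaf only, point smtpd_tls_cert_file at fullchain.pem as well so clients
# receive the intermediates.
smtpd_tls_CAfile = /etc/postfix/tls/fullchain.pem
smtpd_tls_key_file = /etc/postfix/tls/privkey.pem
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
# "ciphers" governs opportunistic TLS, "mandatory_ciphers" governs services at
# level "encrypt"; set both so the grade does not silently fall back to the
# default "medium" on the authenticated ports.
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
# TLS 1.0 and 1.1 are deprecated (RFC 8996); newer Postfix also accepts ">=TLSv1.2".
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
# The parameter name is historical; any group size works. No 512-bit file is
# generated in this guide and export-grade DH is not used by modern Postfix, so
# smtpd_tls_dh512_param_file is deliberately left unset.
smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
smtpd_tls_eecdh_grade = strong
# Relaying only for local clients and authenticated users.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining
# Continuation lines must start with whitespace, otherwise Postfix does not
# attach them to the parameter above.
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unknown_sender_domain,
    permit

# SMTP (outbound) parameters
# "encrypt" would defer and finally bounce mail to every MX without TLS. "may"
# is opportunistic; "dane" (needs a DNSSEC-validating resolver) is the hardened
# option where available.
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache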
Create configs for the virtual lookup maps
/etc/postfix/virtual_alias_maps.cf
# /etc/postfix/virtual_alias_maps.cf -- read by proxymap (runs as the postfix
# user); it holds the DB password, so keep it mode 0640, owner root, group postfix.
hosts = localhost
dbname = postfix
user = postfix_user
password = blafoo
# %s is the looked-up address; Postfix applies SQL quoting before substitution.
query = SELECT destination FROM virtual_aliases WHERE source='%s'
/etc/postfix/virtual_mailbox_domains.cf
# /etc/postfix/virtual_mailbox_domains.cf -- read by proxymap (runs as the postfix
# user); it holds the DB password, so keep it mode 0640, owner root, group postfix.
hosts = localhost
dbname = postfix
user = postfix_user
password = blafoo
# Any row means "this domain is ours"; the returned value itself is not used.
query = SELECT 1 FROM virtual_domains WHERE name='%s'
/etc/postfix/virtual_mailbox_maps.cf
# /etc/postfix/virtual_mailbox_maps.cf -- read by proxymap (runs as the postfix
# user); it holds the DB password, so keep it mode 0640, owner root, group postfix.
hosts = localhost
dbname = postfix
user = postfix_user
password = blafoo
# Existence check only: a row means the mailbox exists and mail is accepted for it.
query = SELECT 1 FROM virtual_users WHERE email='%s'
Create mail user in DB
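-- First domain, its mailbox, and the usual role-account aliases.
-- Replace <domain> and <sha512-crypt-password> (output of `doveadm pw -s SHA512-CRYPT`).
-- Explicit ids are kept so the rows below can refer to domain 1; INT columns
-- take numeric literals, and each statement must end with ';' (a trailing ','
-- after the last VALUES row is a syntax error).
INSERT INTO `postfix`.`virtual_domains` (`id`, `name`)
VALUES (1, '<domain>');

INSERT INTO `postfix`.`virtual_users` (`id`, `domain_id`, `password`, `email`)
VALUES (1, 1, '<sha512-crypt-password>', 'user@<domain>');

INSERT INTO `postfix`.`virtual_aliases` (`id`, `domain_id`, `source`, `destination`)
VALUES
    (1, 1, 'webmaster@<domain>', 'user@<domain>'),
    (2, 1, 'postmaster@<domain>', 'user@<domain>'),
    (3, 1, 'admin@<domain>', 'user@<domain>'),
    (4, 1, 'abuse@<domain>', 'user@<domain>');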
Activate SMTP(S)
/etc/postfix/master.cf
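# /etc/postfix/master.cf (excerpt). "-o" lines must be indented, otherwise
# Postfix does not attach them to the service above. Port 25 inherits whatever
# smtpd_tls_security_level main.cf sets; the two client-facing services below
# are for authenticated users only, so they require TLS and refuse every client
# that has not authenticated.
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject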
/etc/services
# Needed so the "smtps" service name in master.cf resolves to 465/tcp.
submissions 465/tcp ssmtp smtps
Dovecot
Create DH files
# Generating a 4096-bit group can take many minutes; do it once and keep the file.
openssl dhparam -out /etc/dovecot/dh_4096.pem -2 4096
Create default config
/etc/dovecot/dovecot.conf
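# /etc/dovecot/dovecot.conf -- implicit-TLS IMAP/POP3 only, SQL auth shared with
# Postfix, LMTP delivery socket inside the Postfix queue directory.
protocols = imap pop3 lmtp

service imap-login {
  # Plain IMAP on 143 (STARTTLS) is switched off; only implicit TLS on 993 is offered.
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  vsz_limit = 512M
  # service_count = 0: one login process serves many connections. Faster, but
  # weaker isolation between clients than the default of one process per connection.
  service_count = 0
  process_min_avail = 1
  process_limit = 15
  client_limit = 300
}

service pop3-login {
  # Same policy as IMAP: no plaintext listener, POP3S on 995 only.
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
  vsz_limit = 512M
  service_count = 0
  process_min_avail = 1
  process_limit = 15
  client_limit = 300
}

# PLAIN/LOGIN are acceptable only because ssl = required below;
# disable_plaintext_auth additionally refuses them on any non-TLS connection.
auth_mechanisms = plain login
disable_plaintext_auth = yes

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}

# Socket Postfix uses for SMTP AUTH (smtpd_sasl_path in main.cf); only the
# postfix user needs to open it.
service auth {
  unix_listener auth-client {
    mode = 0660
    user = postfix
    group = dovecot
  }
  user = dovecot
}

# LMTP socket inside Postfix's queue directory (virtual_transport in main.cf).
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = dovecot
  }
}

# One Maildir per mailbox, laid out as <domain>/<localpart> under the vmail home.
mail_home = /var/spool/mail/vmail/%d/%n
mail_location = maildir:/var/spool/mail/vmail/%d/%n
mail_privileged_group = vmail

ssl = required
# TLS 1.0/1.1 are deprecated (RFC 8996). ssl_dh below already requires Dovecot
# >= 2.3, where ssl_min_protocol is available.
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
ssl_dh = </etc/dovecot/dh_4096.pem
ssl_cert = </etc/postfix/tls/fullchain.pem
ssl_key = </etc/postfix/tls/privkey.pem
# "SHA265" was a typo for SHA256. NOTE(review): "CBC" is not a documented
# OpenSSL cipher alias, so "!CBC" is probably ignored and the two
# DHE-RSA-AES*-SHA (CBC) suites stay enabled; check the effective list with
# `openssl ciphers -v '<this list>'` and drop them explicitly if unwanted.
ssl_cipher_list = EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!PSK:!SRP:!DSS:!SSLv2:!RC4

# Keep all three off in production: auth_debug_passwords writes plaintext
# credentials to the log.
auth_debug = no
auth_verbose = no
auth_debug_passwords = no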
Create SQL config
/etc/dovecot/dovecot-sql.conf
# /etc/dovecot/dovecot-sql.conf -- holds the DB password in clear text; keep it
# root-owned and not world-readable.
driver = mysql
connect = host=localhost dbname=postfix user=postfix_user password=blafoo
# Hash format stored in virtual_users.password (`doveadm pw -s SHA512-CRYPT`).
default_pass_scheme = SHA512-CRYPT

# userdb lookup: home, Maildir and the fixed vmail uid/gid for the mailbox.
# %u is the login name, %d its domain part, %n its local part (escaped by Dovecot).
user_query = SELECT '/var/spool/mail/vmail/%d/%n' AS home, 'maildir:/var/spool/mail/vmail/%d/%n' AS mail, 5000 AS uid, 5000 AS gid FROM virtual_users WHERE email = '%u'

# passdb lookup: the stored hash for the login name.
password_query = SELECT email AS user, password FROM virtual_users WHERE email='%u';
Create password hash with SHA512-CRYPT manually
# Prompts for the password and prints a $6$... hash; store that in
# virtual_users.password (the scheme matches default_pass_scheme in dovecot-sql.conf).
doveadm pw -s SHA512-CRYPT
Test config - Domain check
# Expected output for a configured domain: 1
postmap -q <domain> mysql:/etc/postfix/virtual_mailbox_domains.cf
Test config - Mail account check
# Expected output for an existing mailbox: 1
postmap -q user@<domain> mysql:/etc/postfix/virtual_mailbox_maps.cf
Test config - Alias check
# Expected output: the alias's destination address (no output means no alias row)
postmap -q alias@<domain> mysql:/etc/postfix/virtual_alias_maps.cf