# Postfix+Dovecot tutorial

This tutorial is for mbox mailboxes, which is the default on CentOS. You could use Maildir instead; there are plenty of tutorials on how to do that.

References:
## Add admin user

Add your first user and set system mail to go to it:

```
useradd johnsmith
```

then add this to /etc/aliases:

```
root: johnsmith
```

and run `newaliases`. This will make all the mail generated by the OS go to this user.

## Postfix

In Postfix configuration files a long line can be split across several lines as long as every continuation line starts with leading blank space.

First you need to remove sendmail and install postfix:

```
yum erase sendmail
yum install postfix
```

The following makes /usr/sbin/sendmail work as if sendmail were installed. Technically it creates a symlink to /usr/sbin/sendmail.postfix, which can be used in the same way as sendmail:

```
alternatives --set mta /usr/sbin/sendmail.postfix
```

### master.cf

master.cf describes protocols and ports. You can also define milters or other options here.

```
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       80      smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
# the next lines were there in the default centos installation, so I leave them there:
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
```

### /etc/postfix/main.cf

```
#queue_directory = /var/spool/postfix
#command_directory = /usr/sbin
#daemon_directory = /usr/libexec/postfix
#mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydestination = $myhostname
mynetworks = 192.168.0.0/24, 127.0.0.0/8
inet_interfaces = all
#inet_protocols = all
inet_protocols = ipv4
relay_domains =
#home_mailbox = mail
virtual_alias_domains = /etc/postfix/local-host-names
virtual_alias_maps = hash:/etc/postfix/virtusertable, hash:/etc/postfix/aliases, hash:/etc/postfix/virtual
canonical_maps = hash:/etc/postfix/canonical
# NIS override (note: an empty alias_maps also stops local delivery from
# consulting /etc/aliases; keep hash:/etc/aliases here if you rely on the
# root alias set up above)
alias_maps =
mailbox_command = /usr/bin/procmail
smtpd_helo_required = yes
disable_vrfy_command = yes
#inet_interfaces = 127.0.0.1, 1.1.1.1, 1.1.1.2
# mynetworks is assigned a second time here; Postfix keeps only the last
# assignment, so this replaces the 192.168.0.0/24 entry above
mynetworks = 127.0.0.0/8, 1.1.1.1
```
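The repeated mynetworks assignment in the file above is easy to miss in a long main.cf, and Postfix silently keeps the last one. The following script is an added example, not part of this tutorial: it joins continuation lines the way Postfix does, lists parameters assigned more than once, prints the effective value of a parameter, and checks the hardening settings this tutorial sets here and in the following sections (HELO required, VRFY disabled, Dovecot SASL, TLS-only authentication, no plaintext mechanisms on the unencrypted channel). The sample main.cf it writes and all file names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the original tutorial. Audits a Postfix main.cf:
# joins continuation lines (a line starting with blank space continues the
# previous parameter), reports parameters assigned more than once (Postfix
# keeps the last one), and checks settings this tutorial relies on.
# All file paths and the sample config below are constructed for the demo.

# Print one "name value" line per logical parameter, comments dropped.
maincf_params() {
  awk '
    /^[[:space:]]/ { if (cur != "") cur = cur " " $0; next }  # continuation line
    { if (cur != "") print cur; cur = "" }                      # flush previous parameter
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }               # comment or blank line
    /=/ { cur = $0 }                                            # start a new parameter
    END { if (cur != "") print cur }
  ' "$1" | sed 's/[[:space:]]*=[[:space:]]*/ /; s/[[:space:]][[:space:]]*/ /g; s/^ //; s/ $//'
}

# Effective value of parameter $2 in file $1 (the last assignment wins).
maincf_get() {
  maincf_params "$1" | awk -v k="$2" '
    $1 == k { v = $0; sub(/^[^ ]* ?/, "", v) }
    END { print v }'
}

# Names assigned more than once; exit status 1 if any were found.
maincf_duplicates() {
  maincf_params "$1" | awk '
    { n[$1]++ }
    END {
      bad = 0
      for (k in n) if (n[k] > 1) { print k; bad = 1 }
      exit bad
    }'
}

# Check the hardening settings this tutorial sets; print mismatches, return 1 if any.
maincf_audit() {
  f=$1; rc=0
  for want in smtpd_helo_required=yes disable_vrfy_command=yes \
              smtpd_tls_auth_only=yes smtpd_sasl_type=dovecot; do
    k=${want%%=*}; v=${want#*=}
    got=$(maincf_get "$f" "$k")
    [ "$got" = "$v" ] || { echo "$k is '$got', expected '$v'"; rc=1; }
  done
  # plaintext mechanisms must stay off the unencrypted channel
  case "$(maincf_get "$f" smtpd_sasl_security_options)" in
    *noplaintext*) ;;
    *) echo "smtpd_sasl_security_options lacks noplaintext"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample config (note the continuation lines and the repeated mynetworks).
write_sample_maincf() {
  cat > "$1" <<'EOF'
# constructed sample, not a real server's config
myhostname = mail.example.com
mynetworks = 192.168.0.0/24,
    127.0.0.0/8
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
mynetworks = 127.0.0.0/8
EOF
}

# Usage: sh audit-maincf.sh /etc/postfix/main.cf (hypothetical script name)
if [ -n "${1:-}" ]; then
  maincf_duplicates "$1"
  maincf_audit "$1"
fi
```

On a live server `postconf -n` is the authoritative view of the effective non-default settings; this script is for reviewing a main.cf before it is deployed, where a stray second assignment or a missing setting would otherwise only show up after a restart.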
## Enable authentication

Add this to your /etc/postfix/main.cf file:

```
# enable SASL authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
```

and enable the saslauthd service:

```
/bin/systemctl enable saslauthd.service
/bin/systemctl start saslauthd.service
```

(saslauthd is the Cyrus SASL daemon; with smtpd_sasl_type = dovecot Postfix authenticates through Dovecot's socket at private/auth, which is configured in 10-master.conf further down, so this service is not what handles SMTP AUTH here.)

## Start postfix

If you have a systemd-based OS:

```
systemctl enable postfix.service
systemctl start postfix.service
```

## Configure SSL

First you need to create a certificate. Edit /etc/pki/tls/openssl.cnf and change the following parameters:

```
# expire after 20 years
default_days = 7300
countryName_default = BG
stateOrProvinceName_default = Sofia Grad
localityName_default = Sofia
0.organizationName_default = Nicksoft Solutions Ltd
organizationalUnitName_default = Mail Server
```

Then run:

```
cd /etc/pki/tls/certs
make postfix.pem DAYS=7300
```

To check the certificate run:

```
openssl x509 -noout -in /etc/pki/tls/certs/postfix.pem -text
```

Add this to your main.cf file:

```
# TLS parameters
smtpd_tls_cert_file=/etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file=/etc/pki/tls/certs/postfix.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
```

Then restart postfix:

```
/bin/systemctl restart postfix.service
```

## Finetuning

## Dovecot

### Install dovecot

```
yum install dovecot
```

### Configure dovecot

Edit /etc/dovecot/dovecot.conf and uncomment the following lines:

```
protocols = imap pop3 lmtp
listen = *
```

Edit /etc/dovecot/conf.d/10-auth.conf and change the auth mechanisms:

```
auth_mechanisms = plain login
```

Edit /etc/dovecot/conf.d/10-mail.conf and add/uncomment the following line. On CentOS:

```
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
```

Edit /etc/dovecot/conf.d/10-master.conf and switch to postfix auth by uncommenting the Postfix smtp-auth listener, so that the socket Postfix's smtpd_sasl_path = private/auth points at actually exists:

```
service auth {
  #....
  unix_listener auth-userdb {
    #mode = 0666
    #user =
    #group =
  }

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    # tighter alternative: mode = 0660 with user = postfix and group = postfix
    # restricts the socket to the Postfix daemons
  }
  #....
}
```

Edit /etc/dovecot/conf.d/20-pop3.conf and uncomment/add:

```
pop3_uidl_format = %08Xu%08Xv
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
```

Make sure that SSL is required. Edit 10-ssl.conf:

```
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
```

### Setup certificate

By default there should be a dovecot certificate installed in your OS:

```
openssl x509 -noout -in /etc/pki/dovecot/certs/dovecot.pem -text
```

However, it is set to expire one year after dovecot is installed. If you are like me and don't want to renew the certificate every year, you can create a new one with a longer validity period. To do that, edit /etc/pki/dovecot/dovecot-openssl.cnf and enter your details in it: country, city, etc. You don't have to, but your mail client will ask you whether you accept the mail certificate and will show these details to you. You should at least change CN to match your mail server's hostname, or you will get a warning every time you open your mail. If you also change other things, make sure to uncomment them first. You might also want to change default_bits to at least 2048 to enhance security a bit (the default is 1024). Example:

```
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=BG
# State or Province Name (full name)
ST="Sofia Grad"
# Locality Name (eg. city)
L="Sofia"
# Organization (eg. company)
O="NickSoft Solutions"
# Organizational Unit Name (eg. section)
OU="IMAP server"
# Common Name (*.example.com is also possible)
CN="mail.apptizer.net"
# E-mail contact
emailAddress="postmaster@nicksoft.com"

[ cert_type ]
nsCertType = server
```

Technically you can run /usr/libexec/dovecot/mkcert.sh to create the key/certificate, but it will force a 365-day expiry.
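Whichever way the certificate is produced, the following added example (not part of this tutorial) checks the properties the text above cares about before Postfix or Dovecot is pointed at the file: that the CN matches the mail server's hostname, that the key is at least 2048 bits, and that the certificate is not about to expire. It needs the openssl command line; the certificates it generates for the demonstration and all file names are constructed.

```sh
#!/bin/sh
# Added example, not from the original tutorial: audit a PEM certificate before
# pointing Postfix or Dovecot at it. Requires the openssl CLI used above.
# Output file names and the sample certificates are constructed for the demo.

# Common Name of the certificate subject (e.g. mail.apptizer.net).
cert_subject_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Size of the public key in bits.
cert_key_bits() {
  openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds (exit 0) when the certificate is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# audit_cert CERT HOSTNAME MIN_BITS MIN_DAYS: print each failed check, return 1 if any.
audit_cert() {
  cert=$1; host=$2; minbits=$3; mindays=$4; rc=0
  cn=$(cert_subject_cn "$cert"); bits=$(cert_key_bits "$cert")
  [ "$cn" = "$host" ] || { echo "CN '$cn' does not match '$host' (clients will warn)"; rc=1; }
  [ "${bits:-0}" -ge "$minbits" ] || { echo "key is ${bits:-?} bits, want at least $minbits"; rc=1; }
  cert_valid_for_days "$cert" "$mindays" || { echo "expires within $mindays days"; rc=1; }
  return $rc
}

# Constructed sample: a self-signed certificate, like the tutorial's openssl req call.
make_sample_cert() {   # make_sample_cert OUT.pem CN DAYS
  openssl req -x509 -nodes -newkey rsa:2048 -subj "/C=BG/L=Sofia/O=Example/CN=$2" \
    -days "$3" -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# Usage: sh audit-cert.sh CERT.pem mail.example.com (hypothetical script name)
if [ -n "${1:-}" ]; then
  audit_cert "$1" "${2:-$(hostname -f)}" 2048 30 && echo "$1: ok"
fi
```

Run it against /etc/pki/dovecot/certs/dovecot.pem and /etc/pki/tls/certs/postfix.pem with the hostname clients connect to; a non-zero exit means at least one check failed. The same `openssl x509 -checkend` test is handy in a cron job so a renewal is noticed before clients start warning.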
What I like to do is:

```
root@example dovecot# openssl req -new -x509 -nodes -config /etc/pki/dovecot/dovecot-openssl.cnf -out /etc/pki/dovecot/certs/dovecot.pem -keyout /etc/pki/dovecot/private/dovecot.pem -days 7300
Generating a 2048 bit RSA private key
.....................................................................................+++
.......+++
writing new private key to '/etc/pki/dovecot/private/dovecot.pem'
-----
root@example dovecot# openssl x509 -subject -fingerprint -noout -in /etc/pki/dovecot/certs/dovecot.pem
subject= /C=BG/ST=Sofia Grad/L=Sofia/O=NickSoft Solutions/OU=IMAP server/CN=mail.apptizer.net/emailAddress=postmaster@nicksoft.com
SHA1 Fingerprint=B6:92:A6:5C:4D:36:83:28:08:84:29:5F:82:E1:9F:B6:54:40:44:57
```

where -days 7300 is 365 days/year * 20 years.

Now check the certificate:

```
root@los dovecot# openssl x509 -noout -in /etc/pki/dovecot/certs/dovecot.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: a5:86:76:24:5e:35:e1:a2
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BG, ST=Sofia Grad, L=Sofia, O=NickSoft Solutions, OU=IMAP server, CN=mail.apptizer.net/emailAddress=postmaster@nicksoft.com
        Validity
            Not Before: Jan  1 11:10:45 2020 GMT
            Not After : Dec 27 11:10:45 2039 GMT
        Subject: C=BG, ST=Sofia Grad, L=Sofia, O=NickSoft Solutions, OU=IMAP server, CN=mail.apptizer.net/emailAddress=postmaster@nicksoft.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:e4:bb:82:ba:b8:53:9c:fd:a2:ef:b5:43:d3:
                    61:82:a2:1f:f7:d2:2d:ab:cc:ba:4e:01:4c:c6:20:
                    7c:77:02:eb:0c:9c:e4:0f:81:84:1d:fd:e6:8d:2e:
                    96:a0:08:5e:29:50:a7:51:2f:6a:9e:21:ee:c9:62:
                    82:81:0e:2b:1d:0c:4f:ea:ef:d3:7b:5e:eb:72:d8:
                    b5:6f:91:c9:7e:b6:92:c6:c8:42:2f:29:31:ed:38:
                    a5:85:d3:bf:5d:f6:f9:72:aa:76:b8:f1:20:68:9f:
                    7e:fc:53:2d:df:27:b5:71:b9:19:dd:f1:3f:e4:b8:
                    73:de:d7:aa:99:a2:f6:e2:de:e7:3e:d2:51:21:76:
                    c7:ac:dd:57:d7:08:7e:fd:5f:70:7a:32:8a:cb:b8:
                    c8:95:c3:00:32:08:66:04:65:3a:f9:2b:b1:0c:05:
                    f5:e7:72:c3:2a:bd:41:25:72:3c:4f:db:f6:88:37:
                    76:8f:7f:54:d5:98:91:64:75:3b:d1:9a:66:ad:17:
                    0c:a4:dc:2b:73:c7:67:f5:21:21:86:c7:c0:0b:1b:
                    11:2b:a2:6c:0b:aa:5a:fb:c3:7f:84:96:cb:b3:d5:
                    7b:91:65:ff:2f:26:36:de:cc:47:4a:fd:d4:a4:0c:
                    16:8c:48:c7:c6:c6:06:4e:52:cf:61:c7:05:2e:4f:
                    4c:69
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: sha256WithRSAEncryption
         39:20:48:53:ea:e2:18:96:2b:dd:2d:91:23:e6:b6:f2:ff:7a:
         0f:38:5e:a6:a1:8e:4a:e8:a1:84:56:e6:5a:b6:87:42:0f:ae:
         fc:1f:6c:1b:b3:e6:eb:d2:a4:3a:53:75:61:90:aa:83:73:82:
         0e:6f:6a:ba:57:2f:23:b9:43:98:f9:30:48:c2:94:9c:4f:7b:
         ef:3e:2c:fd:71:32:c2:b4:d6:40:d8:ce:07:d0:84:ce:f7:ee:
         2b:84:39:d5:1b:4d:5c:0e:46:cb:e9:bf:eb:48:05:08:0e:a7:
         f7:30:15:41:a0:2b:37:da:5b:40:61:99:e7:07:d2:a1:b6:c5:
         eb:a2:8c:81:86:5a:0b:f8:92:14:68:b7:46:b8:95:ab:1f:f9:
         6c:48:d0:cf:34:a9:4a:f1:45:e1:5d:a1:10:90:cd:e4:7b:1e:
         b6:1c:52:33:cd:0f:a1:d6:ea:4e:67:58:3a:df:18:8d:6f:5f:
         6b:62:5a:a3:b7:f1:98:a9:8a:21:fa:49:3a:f4:ff:2a:aa:3b:
         cd:c7:43:d8:19:6f:1f:48:01:d9:15:63:30:96:cf:b1:1c:7b:
         97:b3:ad:06:88:5c:b5:35:58:6a:32:0e:09:ae:f9:ff:5f:48:
         bc:40:14:ce:b9:67:2b:03:79:7b:df:2f:5a:cf:e3:eb:80:0f:
         6e:23:c4:31
```

## Start dovecot

```
/bin/systemctl enable dovecot.service
/bin/systemctl start dovecot.service
```

## Spamassassin

## Troubleshooting

### Dovecot: Operation not permitted

The problem: you can't authenticate with dovecot and you see this in the log:

```
Jan 1 13:25:08 los dovecot: imap(johnsmith): Error: fchown(/home/johnsmith/mail/.imap, group=12(mail)) failed: Operation not permitted (egid=1007(johnsmith), group based on /var/spool/mail/johnsmith - see http://wiki2.dovecot.org/Errors/ChgrpNoPerm)
```

What's causing it is that dovecot tries to give its index directory the same user/group as your inbox file, /var/spool/mail/johnsmith, which by default on CentOS has mode 660 and group mail. That's not ideal anyway, because with those permissions other users on the same system can read your mail in some cases.
So the solution is:

```
chmod 600 /var/spool/mail/*
```

The problem is that every time you create a new user, its spool file will be created with those permissions again. To avoid that, edit /etc/default/useradd and comment out this line:

```
#CREATE_MAIL_SPOOL=yes
```
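To see which spool files are still open to the group (or to everyone) before running the chmod above, and to confirm that useradd has been told to stop creating new ones, here is an added example script that is not part of the tutorial. The spool directory and the useradd defaults file are parameters so it can run against a constructed temporary directory; the sample mailbox files are made up.

```sh
#!/bin/sh
# Added example, not from the original tutorial. Finds mbox spool files that
# grant any access to group or other (the condition behind the fchown error
# above), tightens them to 0600, and checks whether useradd will keep creating
# 0660 group-mail spool files. Directory and file names are parameters so the
# demo can run on a constructed temp directory; the sample files are made up.

# Files directly under $1 that are readable or writable by group or other, sorted.
spool_loose_files() {
  find "$1" -maxdepth 1 -type f \
    \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) | sort
}

# True when nothing under $1 is exposed.
spool_is_clean() { [ -z "$(spool_loose_files "$1")" ]; }

# chmod 600 every exposed file and print what was changed.
spool_fix() {
  spool_loose_files "$1" | while IFS= read -r f; do
    chmod 600 "$f" && echo "fixed $f"
  done
}

# Does this useradd defaults file still create a spool file for every new user?
useradd_creates_spool() {   # useradd_creates_spool /etc/default/useradd
  grep -q '^[[:space:]]*CREATE_MAIL_SPOOL=yes' "$1"
}

# Constructed sample spool: the CentOS default (660), one private file, one
# world-readable file.
make_sample_spool() {
  mkdir -p "$1"
  : > "$1/alice"; chmod 660 "$1/alice"
  : > "$1/bob";   chmod 600 "$1/bob"
  : > "$1/carol"; chmod 644 "$1/carol"
}

# Usage: sh spool-perms.sh /var/spool/mail /etc/default/useradd (hypothetical script name)
if [ -n "${1:-}" ]; then
  spool_loose_files "$1"
  if useradd_creates_spool "${2:-/etc/default/useradd}"; then
    echo "useradd will still create new spool files with the default permissions"
  fi
fi
```

Run it with the real spool directory to list what would change, then call `spool_fix` on it once the list looks right; a clean result plus a commented-out CREATE_MAIL_SPOOL line means the fchown error should not come back for new users.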