====== Install and Configure Postfix as a Simple Mailbox Server ======
- Make Sure All of the Latest Patches Are Installed:
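# Bring the host fully up to date before installing any mail service.
# Chained with && so a failed update/upgrade does not proceed to rebooting a
# half-patched box; fix the package problem first, then re-run this step.
sudo apt-get update \
  && sudo apt-get dist-upgrade \
  && sudo reboot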
- Set up the firewall (ufw must already be enabled, with your SSH rule in place):
# Open the three mail ports by service name (resolved via /etc/services):
# smtp = 25/tcp (server-to-server), submission = 587/tcp (authenticated
# clients), imaps = 993/tcp (IMAP over TLS). Plain imap (143) is NOT opened.
for mail_service in smtp submission imaps; do
  sudo ufw allow "$mail_service"
done
- Next, configure some variables:
# Names used throughout the rest of this page. Set MAIL_DOMAIN to the domain
# this server receives mail for; the three host names are derived from it and
# must all resolve to this machine (they end up in the certificate SANs).
MAIL_DOMAIN="example.com"
MAIL_HOST="mail.${MAIL_DOMAIN}"
MAIL_SMTP="smtp.${MAIL_DOMAIN}"
MAIL_IMAP="imap.${MAIL_DOMAIN}"
- Get an SSL/TLS certificate ready for secure communication. Both options below end by setting MAIL_KEY and MAIL_CERT, which the Postfix and Dovecot steps later read:
=== Use Your Own Certificate ===
* First, create the OpenSSL configuration:
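# Fail fast if the naming variables were not set: an empty "DNS.N =" entry
# makes openssl reject the config with a much less helpful error later.
: "${MAIL_HOST:?set MAIL_DOMAIN/MAIL_HOST first}" "${MAIL_SMTP:?}" "${MAIL_IMAP:?}"
# OpenSSL request config with a SubjectAltName for every name clients will
# connect to (machine FQDN plus the mail/smtp/imap names). The DN fields are
# left as prompts, so openssl req will ask for them interactively.
# NOTE(review): /tmp/san.cnf is a predictable path that a later "sudo openssl"
# reads; on a shared host write it somewhere only you/root can modify instead.
cat > /tmp/san.cnf << EOF
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $(hostname --fqdn)
DNS.2 = $MAIL_HOST
DNS.3 = $MAIL_SMTP
DNS.4 = $MAIL_IMAP
EOF
# Where Postfix and Dovecot will be pointed for the private key and certificate.
MAIL_KEY=/etc/ssl/private/mail.key
MAIL_CERT=/etc/ssl/certs/mail.pem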
* Create a self-signed test certificate (for bringing the services up only; clients will not trust it):
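# Self-signed certificate valid for two years, key left unencrypted (-nodes)
# so the daemons can start unattended.
sudo openssl req -x509 -nodes -days 730 -sha256 -newkey rsa:2048 -config /tmp/san.cnf \
  -keyout "$MAIL_KEY" -out "$MAIL_CERT"
# Make sure the private key is never group/world readable, whatever umask or
# OpenSSL version wrote it.
sudo chmod 600 "$MAIL_KEY"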
* Or use a certificate from a certificate authority: generate a key and a CSR, submit the CSR to the CA, and save the certificate it returns (together with its intermediate chain) as $MAIL_CERT:
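# Private key plus certificate signing request. -days is meaningless for a
# CSR (the CA decides the validity period) so it is not passed; -nodes keeps
# the key unencrypted, which the daemons need in order to start unattended.
sudo openssl req -nodes -sha256 -newkey rsa:2048 -config /tmp/san.cnf \
  -keyout "$MAIL_KEY" -out /tmp/cert.csr
# The key is secret even before a certificate exists; lock it down now.
sudo chmod 600 "$MAIL_KEY"
# Send /tmp/cert.csr to the CA and install the returned certificate (with its
# intermediate chain) at $MAIL_CERT before starting the services.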
=== Use Let's Encrypt Certbot and NGINX Certificates ===
[[linux:nginx:|Install NGINX]] to handle the ACME challenges. Set the environment variable DOMAIN to match the main domain name that the mail server will handle, then follow [[linux:nginx:letsencrypt|]] except for the steps that create the certificate and the SSL NGINX configuration file — the certificate is requested below for the mail host names instead. All three mail host names must resolve to this host for the HTTP-01 challenge to succeed.
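# Point the daemons at the Let's Encrypt files. Use fullchain.pem (leaf +
# intermediate), not cert.pem: a server that presents only the leaf fails
# verification on clients that do not already hold the intermediate.
MAIL_KEY="/etc/letsencrypt/live/${MAIL_HOST}/privkey.pem"
MAIL_CERT="/etc/letsencrypt/live/${MAIL_HOST}/fullchain.pem"
# The HTTP-01 challenge needs port 80 reachable from the internet.
sudo ufw allow http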
After NGINX and Certbot are installed:
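# Request one certificate covering all three mail names via the NGINX webroot.
# Replace you@example.com with a mailbox that will receive expiry notices.
sudo certbot certonly --no-eff-email --webroot --agree-tos --email you@example.com \
  -w /var/www/letsencrypt -d "$MAIL_HOST" -d "$MAIL_SMTP" -d "$MAIL_IMAP"
# NOTE(review): certbot renews the files in place, but Dovecot (and Postfix)
# only pick up a new certificate on reload. Once both services are installed,
# add a deploy hook — e.g. a script in /etc/letsencrypt/renewal-hooks/deploy/
# running "systemctl reload postfix dovecot" — or renewed certificates will be
# on disk while the daemons keep serving the expired one.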
- Install Postfix:
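# Preseed debconf so the noninteractive install produces an "Internet Site"
# main.cf; without answers, Debian's postinst may leave Postfix unconfigured
# and the postconf calls below have no main.cf to edit.
echo "postfix postfix/main_mailer_type select Internet Site" | sudo debconf-set-selections
echo "postfix postfix/mailname string $MAIL_HOST" | sudo debconf-set-selections
sudo DEBIAN_FRONTEND=noninteractive apt-get -y install postfix
# Keep Postfix down until the configuration below is complete.
sudo postfix stop
# Rewrite /etc/aliases from scratch: the RFC 2142 role addresses go to root,
# and root's mail is forwarded to the account running this setup ($USER expands
# here, in your shell, not as root).
sudo tee /etc/aliases >/dev/null << EOF
postmaster: root
mailer-daemon: postmaster
hostmaster: root
abuse: root
root: $USER
EOF
sudo newaliases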
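# Basic identity.
sudo postconf -e 'smtpd_banner = $myhostname ESMTP $mail_name'
sudo postconf -e "mydomain = $MAIL_DOMAIN"
sudo postconf -e 'myorigin = $mydomain'
# Domains delivered locally. (The original list carried an empty entry between
# localhost.localdomain and localhost; it is dropped here.)
sudo postconf -e "mydestination = \$myhostname, $(hostname), localhost.localdomain, localhost, $MAIL_DOMAIN"
# Queue behaviour: warn the sender after 3h, give up after 2 days (1 day for bounces).
sudo postconf -e 'delay_warning_time=3h'
sudo postconf -e 'maximal_queue_lifetime=2d'
sudo postconf -e 'bounce_queue_lifetime=1d'
# Deliver into ~/Maildir, matching Dovecot's mail_location set later on this
# page, and clear any distribution default for mailbox_command so local
# delivery is not handed to an external program.
sudo postconf -e 'home_mailbox = Maildir/'
sudo postconf -e 'mailbox_command = '
# Increase the message size limit from 10MB to 128MB.
sudo postconf -e 'message_size_limit=134217728'
# Who can send mail to us? Restrictions are evaluated left to right and the
# first PERMIT/REJECT wins, so reject_authenticated_sender_login_mismatch has
# to come BEFORE permit_sasl_authenticated — after it, it can never fire. It
# also only does anything once smtpd_sender_login_maps maps MAIL FROM
# addresses to SASL logins; set that map to stop authenticated users spoofing
# each other's addresses.
sudo postconf -e 'smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_rhsbl_sender dbl.spamhaus.org'
# Whose mail do we accept? Authenticated clients and $mynetworks may relay;
# everyone else only for our own domains (reject_unauth_destination), and
# clients, HELO names and sender domains listed by Spamhaus are refused.
# NOTE: Spamhaus' public zones return errors when queried through large open
# resolvers; use a local recursive resolver on this host.
sudo postconf -e 'smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rhsbl_reverse_client dbl.spamhaus.org,reject_rhsbl_helo dbl.spamhaus.org,reject_rhsbl_sender dbl.spamhaus.org'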
# Enable SASL authentication.
# NOTE(review): saslauthd is not actually used by this setup — smtpd_sasl_type
# is dovecot, so smtpd authenticates through Dovecot's socket. This line just
# flips the Debian default so the saslauthd start at the end of the page does
# not complain; sed reports an error (harmlessly) if the file is absent.
sudo sed -i 's/START=no/START=yes/' /etc/default/saslauthd
# Relay policy: only authenticated clients and $mynetworks may relay; all
# other clients may only deliver to our own domains.
sudo postconf -e 'smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
# Authenticate against Dovecot over the unix socket it creates at
# /var/spool/postfix/private/auth (smtpd_sasl_path is relative to the queue
# directory). noanonymous is enough here because AUTH is only offered after
# STARTTLS (smtpd_tls_auth_only=yes, set further down this page).
sudo postconf -e \
  'smtpd_sasl_type=dovecot' \
  'smtpd_sasl_path=private/auth' \
  'smtpd_sasl_auth_enable=yes' \
  'smtpd_sasl_security_options=noanonymous' \
  'smtpd_sasl_local_domain=$myhostname'
#sudo postconf -e 'smtpd_sasl_application_name=smtpd'
# Also advertise AUTH in the old non-standard "AUTH=..." form some legacy MUAs expect.
sudo postconf -e 'broken_sasl_auth_clients=yes'
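# Port 587 (submission): for our own users only. TLS is mandatory (encrypt),
# AUTH is on, and anyone who has not authenticated is rejected outright, so
# neither cleartext nor unauthenticated mail can enter on this port.
sudo postconf -M submission/inet="submission inet n - - - - smtpd"
sudo postconf -P "submission/inet/syslog_name=postfix/submission"
sudo postconf -P "submission/inet/smtpd_tls_security_level=encrypt"
sudo postconf -P "submission/inet/smtpd_sasl_auth_enable=yes"
# Reject unauthenticated clients before any other restriction is considered.
sudo postconf -P "submission/inet/smtpd_client_restrictions=permit_sasl_authenticated,reject"
sudo postconf -P "submission/inet/smtpd_tls_ciphers=high"
sudo postconf -P "submission/inet/smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4"
# Mail clients all speak TLS 1.2+; TLS 1.0/1.1 are deprecated (RFC 8996), so
# they are excluded here along with SSLv2/3. (Port 25 stays more permissive
# because there TLS is opportunistic and weak TLS still beats cleartext.)
sudo postconf -P "submission/inet/smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1"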
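# smtp_use_tls / smtpd_use_tls are the legacy switches; Postfix ignores them
# once the *_tls_security_level parameters below are set. Kept for old releases.
sudo postconf -e 'smtp_use_tls=yes'
sudo postconf -e 'smtpd_use_tls=yes'
sudo postconf -e 'smtp_tls_note_starttls_offer=yes'
# Record TLS protocol/cipher in the Received: header (useful when debugging).
sudo postconf -e 'smtpd_tls_received_header=yes'
# Port 25 is opportunistic: offer STARTTLS, but still accept cleartext from
# MTAs that cannot do TLS — refusing them would just lose mail.
sudo postconf -e 'smtpd_tls_security_level=may'
# Never advertise AUTH on a cleartext connection.
sudo postconf -e 'smtpd_tls_auth_only=yes'
sudo postconf -e "smtpd_tls_cert_file=$MAIL_CERT"
sudo postconf -e "smtpd_tls_key_file=$MAIL_KEY"
# DH parameters are generated at the end of this page; the file must exist
# before Postfix is started.
sudo postconf -e 'smtpd_tls_dh1024_param_file=/etc/ssl/certs/dh2048.pem'
# Opportunistic TLS: keep the protocol/cipher floor low-ish so old senders can
# still encrypt; only the truly broken (SSLv2/3, RC4, unauthenticated suites)
# are excluded.
sudo postconf -e 'smtpd_tls_protocols=!SSLv2,!SSLv3'
sudo postconf -e 'smtpd_tls_ciphers=medium'
sudo postconf -e 'smtpd_tls_exclude_ciphers=aNULL,RC4'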
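# When connecting to remote SMTP servers, prefer TLS and use DANE if available.
sudo postconf -e 'smtp_tls_protocols=!SSLv2,!SSLv3'
sudo postconf -e 'smtp_tls_mandatory_protocols=!SSLv2,!SSLv3'
sudo postconf -e 'smtp_tls_ciphers=medium'
sudo postconf -e 'smtp_tls_exclude_ciphers=aNULL,RC4'
# "dane" authenticates servers that publish TLSA records and falls back to
# opportunistic TLS for everyone else. It only works with a DNSSEC-validating
# recursive resolver on this host (127.0.0.1/::1 in /etc/resolv.conf); with a
# remote or non-validating resolver Postfix silently behaves as "may".
sudo postconf -e 'smtp_tls_security_level=dane'
sudo postconf -e 'smtp_dns_support_level=dnssec'
# System CA bundle, used wherever a server certificate has to be verified.
sudo postconf -e 'smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt'
# Level 1 logs the handshake summary and peer certificate. Level 2 and above
# are for troubleshooting only — Postfix's own documentation says not to run
# them in normal operation, and they flood mail.log.
sudo postconf -e 'smtp_tls_loglevel=1'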
- Install Dovecot:
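sudo apt install -y dovecot-imapd
# Keep Dovecot down until it is configured.
sudo systemctl stop dovecot
# Scale Dovecot's limits to the machine: 250 processes per CPU core, and a
# per-process VSZ cap of one third of total memory (RAM+swap, in MB, from
# "free -t"). Shell arithmetic is used instead of bc, which is not present
# on minimal installs.
dovecot_process_limit=$(( $(nproc) * 250 ))
dovecot_vsz_limit_mb=$(( $(free -tm | awk 'END { print $2 }') / 3 ))
sudo sed -i "s/#default_process_limit = 100/default_process_limit=${dovecot_process_limit}/" \
  /etc/dovecot/conf.d/10-master.conf
sudo sed -i "s/#default_vsz_limit = 256M/default_vsz_limit=${dovecot_vsz_limit_mb}M/" \
  /etc/dovecot/conf.d/10-master.conf
# Log to the same file Postfix uses.
sudo sed -i "s/#log_path = syslog/log_path=\/var\/log\/mail.log/" /etc/dovecot/conf.d/10-logging.conf
# More inotify instances for many concurrent IMAP IDLE sessions: persist it,
# and apply it now so it takes effect without a reboot.
echo fs.inotify.max_user_instances=1024 | sudo tee -a /etc/sysctl.conf
sudo sysctl -w fs.inotify.max_user_instances=1024
# Maildir in each user's home, matching Postfix's home_mailbox = Maildir/.
sudo sed -i "s/mail_location = mbox:~\/mail:INBOX=\/var\/mail\/%u/mail_location = maildir:~\/Maildir/" \
  /etc/dovecot/conf.d/10-mail.conf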
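# Standard folder layout with SPECIAL-USE flags (RFC 6154); "auto = subscribe"
# creates and subscribes the folder on first login. "Sent Messages" and "Junk"
# are aliases so clients that insist on those names land in the same place.
# Written root-owned straight into conf.d: the original cat-to-/tmp-then-mv
# left the config file owned by the invoking user, who could then edit
# Dovecot's configuration without root. The quoted delimiter keeps the
# backslashes in \Junk etc. literal.
sudo tee /etc/dovecot/conf.d/15-mailboxes.conf >/dev/null << 'EOF'
namespace inbox {
  mailbox INBOX {
    auto = subscribe
  }
  mailbox Spam {
    special_use = \Junk
    auto = subscribe
  }
  mailbox Drafts {
    special_use = \Drafts
    auto = subscribe
  }
  mailbox Sent {
    special_use = \Sent
    auto = subscribe
  }
  mailbox Trash {
    special_use = \Trash
    auto = subscribe
  }
  mailbox Archive {
    special_use = \Archive
    auto = subscribe
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Junk {
    special_use = \Junk
  }
}
EOF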
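# Require that passwords are only ever sent over TLS.
sudo sed -i "s/#disable_plaintext_auth = yes/disable_plaintext_auth = yes/" /etc/dovecot/conf.d/10-auth.conf
# LOGIN is added alongside PLAIN for older clients; both are TLS-only above.
sudo sed -i "s/auth_mechanisms = plain/auth_mechanisms = plain login/" /etc/dovecot/conf.d/10-auth.conf
# Enable TLS and make it mandatory for every connection.
sudo sed -i 's/ssl = yes/ssl=required/' /etc/dovecot/conf.d/10-ssl.conf
# Use the same key/certificate as Postfix. In Dovecot a leading "<" means
# "read the value from this file" and must be kept.
# NOTE(review): the two lines below were garbled in the source page (the "<"
# was swallowed as HTML markup); they are reconstructed to rewrite whatever
# default ssl_cert/ssl_key paths the package shipped, and should be checked.
sudo sed -i "s|^ssl_cert = <.*|ssl_cert = <${MAIL_CERT}|" /etc/dovecot/conf.d/10-ssl.conf
sudo sed -i "s|^ssl_key = <.*|ssl_key = <${MAIL_KEY}|" /etc/dovecot/conf.d/10-ssl.conf
# Allow more simultaneous IMAP connections per user and IP than Dovecot's
# default of 10 (multi-device users with several folders in IDLE).
sudo tee /etc/dovecot/conf.d/99-imap.conf >/dev/null << 'EOF'
protocol imap {
  mail_max_userip_connections = 20
}
EOF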
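# Have Dovecot provide an authentication service that Postfix can access & use.
# The socket lives inside Postfix's queue directory so smtpd reaches it as
# smtpd_sasl_path=private/auth. Mode 0660 owned by postfix is what Dovecot's
# own Postfix-SASL howto uses; the original 0666 would let any local account
# that can reach the socket drive the auth service, which is needless exposure.
sudo tee /etc/dovecot/conf.d/99-local-auth.conf >/dev/null << 'EOF'
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
EOF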
==== Now Start All Of The Services ====
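# 2048-bit DH parameters referenced by smtpd_tls_dh1024_param_file above.
# This can take several minutes on a slow VM; it must finish before Postfix starts.
sudo openssl dhparam -out /etc/ssl/certs/dh2048.pem 2048
# Validate both configurations first so a typo above is reported here rather
# than as a service that starts and then fails on the first connection.
sudo postfix check
sudo doveconf -n > /dev/null
# NOTE(review): saslauthd is not used by the Dovecot-SASL setup on this page;
# this start is harmless but can be dropped. It fails with "unit not found"
# if the saslauthd package is not installed, which can be ignored.
sudo systemctl start saslauthd
sudo systemctl start postfix
sudo systemctl start dovecot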