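# Bring the base system fully up to date and reboot so that any newly
# installed kernel is the one running before the mail stack is set up.
# The three steps are chained with && so the reboot is skipped when the
# update or the (interactive) dist-upgrade fails or is declined at its prompt.
sudo apt-get update \
  && sudo apt-get dist-upgrade \
  && sudo reboot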
# Open exactly the three services the mail server will expose through ufw:
# inbound SMTP (smtp), authenticated submission (submission) and IMAP over
# TLS (imaps). Plain IMAP/POP and HTTP are deliberately not opened here.
for svc in smtp submission imaps; do
  sudo ufw allow "$svc"
done
# Naming used by every later step: one primary mail domain plus the three
# hostnames derived from it. Replace example.com with the real domain before
# running anything below; everything else follows from it.
MAIL_DOMAIN=example.com
MAIL_HOST="mail.${MAIL_DOMAIN}"
MAIL_SMTP="smtp.${MAIL_DOMAIN}"
MAIL_IMAP="imap.${MAIL_DOMAIN}"
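# Build an OpenSSL request config whose subjectAltName lists every hostname
# the server answers to, then create the private key and either a self-signed
# certificate (option A) or a CSR for an external CA (option B).
# Requires MAIL_HOST, MAIL_SMTP and MAIL_IMAP from the naming step above.
: "${MAIL_HOST:?set MAIL_HOST before generating certificates}"
: "${MAIL_SMTP:?set MAIL_SMTP before generating certificates}"
: "${MAIL_IMAP:?set MAIL_IMAP before generating certificates}"

# Use a private mktemp directory instead of the fixed name /tmp/san.cnf, so
# no other local user can pre-create or swap the file that root reads below.
SAN_DIR=$(mktemp -d) || exit 1
SAN_CNF=$SAN_DIR/san.cnf

# Unquoted delimiter on purpose: $(hostname --fqdn) and the $MAIL_* names are
# expanded into the alt_names section.
cat > "$SAN_CNF" << EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $(hostname --fqdn)
DNS.2 = $MAIL_HOST
DNS.3 = $MAIL_SMTP
DNS.4 = $MAIL_IMAP
EOF

# Where Postfix and Dovecot will look for the key and certificate.
MAIL_KEY=/etc/ssl/private/mail.key
MAIL_CERT=/etc/ssl/certs/mail.pem

# Option A: self-signed certificate valid for two years. -nodes stores the key
# unencrypted so the daemons can load it without a passphrase.
sudo openssl req -x509 -nodes -days 730 -newkey rsa:2048 -config "$SAN_CNF" \
  -keyout "$MAIL_KEY" -out "$MAIL_CERT"
# Make sure the private key is never group- or world-readable, whatever the
# umask was when openssl wrote it.
sudo chmod 0600 "$MAIL_KEY"

# Option B: certificate signing request for an external CA.
# NOTE(review): this -keyout regenerates $MAIL_KEY, so running it after
# option A leaves the self-signed certificate without its matching key —
# run one option or the other, not both.
sudo openssl req -nodes -days 365 -sha256 -newkey rsa:2048 -config "$SAN_CNF" \
  -keyout "$MAIL_KEY" -out "$SAN_DIR/cert.csr"
sudo chmod 0600 "$MAIL_KEY"
printf 'CSR written to %s\n' "$SAN_DIR/cert.csr"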
Install NGINX to handle the ACME challenges. Set the environment variable DOMAIN to match the main domain name that the mail server will handle, then configure NGINX to use Let's Encrypt for SSL certificates, skipping only the steps that create the certificate and the NGINX SSL configuration file.
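# Let's Encrypt alternative to the self-signed certificate: point the daemons
# at certbot's live directory for the mail host.
# fullchain.pem (leaf + intermediate) replaces cert.pem (leaf only): Postfix
# and Dovecot present whatever is in this one file, and many clients cannot
# validate a chain that is missing the intermediate certificate.
# NOTE(review): MAIL_HOST must already be set (naming step above); an empty
# value yields the path /etc/letsencrypt/live//... — confirm before use.
MAIL_KEY=/etc/letsencrypt/live/$MAIL_HOST/privkey.pem
MAIL_CERT=/etc/letsencrypt/live/$MAIL_HOST/fullchain.pem
# HTTP must be reachable for the ACME webroot challenge that NGINX serves.
sudo ufw allow http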
After NGINX and Certbot are installed:
# Request a single certificate covering all three hostnames, proving control
# through files NGINX serves from the webroot. Runs non-interactively: the
# ToS is accepted up front and no EFF mailing-list prompt is shown.
# Replace you@example.com with the address that should receive expiry notices.
certbot_args=(
  certonly
  --no-eff-email
  --webroot
  --agree-tos
  --email you@example.com
  -w /var/www/letsencrypt
  -d "$MAIL_HOST"
  -d "$MAIL_SMTP"
  -d "$MAIL_IMAP"
)
sudo certbot "${certbot_args[@]}"
# NOTE(review): certbot's automatic renewal rewrites the files under
# /etc/letsencrypt/live but does not reload Postfix or Dovecot; a
# --deploy-hook that reloads both is needed for renewed certificates to be
# served — confirm how renewal is handled on this host.
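# Install Postfix non-interactively and keep it stopped until it is configured.
sudo DEBIAN_FRONTEND=noninteractive apt-get -y install postfix
sudo postfix stop

# Rebuild /etc/aliases from scratch (one write as root instead of rm plus
# five appends): role accounts route to root, and root to the administrative
# user running these commands ($USER is expanded by the shell here).
sudo tee /etc/aliases >/dev/null << EOF
postmaster: root
mailer-daemon: postmaster
hostmaster: root
abuse: root
root: $USER
EOF
sudo newaliases

# Identity and queue behaviour. Single-quoted values containing $name are
# Postfix parameter references, expanded by Postfix rather than the shell.
sudo postconf -e 'smtpd_banner = $myhostname ESMTP $mail_name'
sudo postconf -e "mydomain = $MAIL_DOMAIN"
sudo postconf -e 'myorigin = $mydomain'
# $(hostname) replaces the backticks; the stray empty ", ," entry is dropped.
sudo postconf -e "mydestination = \$myhostname, $(hostname), localhost.localdomain, localhost, $MAIL_DOMAIN"
sudo postconf -e 'delay_warning_time=3h'
sudo postconf -e 'maximal_queue_lifetime=2d'
sudo postconf -e 'bounce_queue_lifetime=1d'

# Deliver to ~/Maildir/, the same location Dovecot is configured to read.
sudo postconf -e 'home_mailbox = Maildir/'
sudo postconf -e 'mailbox_command = '
# Increase the message size limit from 10MB to 128MB.
sudo postconf -e 'message_size_limit=134217728'

# Who can send mail to us? Authenticated users always; everyone else needs a
# fully-qualified, resolvable sender domain that is not on the Spamhaus DBL,
# and authenticated users may not forge a sender that is not theirs.
sudo postconf -e 'smtpd_sender_restrictions=permit_sasl_authenticated,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org'
# Recipient checks: never relay for unknown destinations, and reject clients,
# reverse names, HELO names and sender domains listed by Spamhaus.
sudo postconf -e 'smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rhsbl_reverse_client dbl.spamhaus.org,reject_rhsbl_helo dbl.spamhaus.org,reject_rhsbl_sender dbl.spamhaus.org'

# Enable SASL Authentication
# NOTE(review): /etc/default/saslauthd exists only when sasl2-bin is installed,
# which no visible step does, and with smtpd_sasl_type=dovecot below Postfix
# authenticates through Dovecot's socket rather than saslauthd — confirm
# whether this line (and the later `systemctl start saslauthd`) is needed.
sudo sed -i 's/START=no/START=yes/' /etc/default/saslauthd
# Prevent non-authenticated users from sending mail
sudo postconf -e 'smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'smtpd_sasl_type=dovecot'
sudo postconf -e 'smtpd_sasl_path=private/auth'
sudo postconf -e 'smtpd_sasl_auth_enable=yes'
sudo postconf -e 'smtpd_sasl_security_options=noanonymous'
sudo postconf -e 'smtpd_sasl_local_domain=$myhostname'
#sudo postconf -e 'smtpd_sasl_application_name=smtpd'
sudo postconf -e 'broken_sasl_auth_clients=yes'

# Enable TLS for SMTPD and SUBMISSION. The submission service (port 587)
# requires TLS before any authentication and uses a stricter cipher set than
# the opportunistic port-25 service.
sudo postconf -M submission/inet="submission inet n - - - - smtpd"
sudo postconf -P "submission/inet/smtpd_sasl_auth_enable=yes"
sudo postconf -P "submission/inet/syslog_name=postfix/submission"
sudo postconf -P "submission/inet/smtpd_tls_security_level=encrypt"
sudo postconf -P "submission/inet/smtpd_tls_ciphers=high"
sudo postconf -P "submission/inet/smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4"
# NOTE(review): only SSLv2/SSLv3 are excluded, so TLS 1.0 and 1.1 are still
# accepted for password authentication; add !TLSv1,!TLSv1.1 once no legacy
# client depends on them.
sudo postconf -P "submission/inet/smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3"

# Port 25: offer TLS opportunistically ("may"), but never offer AUTH on a
# plaintext connection (smtpd_tls_auth_only).
sudo postconf -e 'smtp_use_tls=yes'
sudo postconf -e 'smtpd_use_tls=yes'
sudo postconf -e 'smtp_tls_note_starttls_offer=yes'
sudo postconf -e 'smtpd_tls_received_header=yes'
sudo postconf -e 'smtpd_tls_security_level=may'
sudo postconf -e 'smtpd_tls_auth_only=yes'
sudo postconf -e "smtpd_tls_cert_file=$MAIL_CERT"
sudo postconf -e "smtpd_tls_key_file=$MAIL_KEY"
# Generated later with `openssl dhparam`; the file must exist before Postfix
# is started.
sudo postconf -e 'smtpd_tls_dh1024_param_file=/etc/ssl/certs/dh2048.pem'
sudo postconf -e 'smtpd_tls_protocols=!SSLv2,!SSLv3'
sudo postconf -e 'smtpd_tls_ciphers=medium'
sudo postconf -e 'smtpd_tls_exclude_ciphers=aNULL,RC4'

# When connecting to remote SMTP servers, prefer TLS and use DANE if available.
# NOTE(review): the "dane" level only authenticates peers when the local
# resolver validates DNSSEC; without that it behaves like opportunistic TLS —
# confirm the resolver configuration on this host.
sudo postconf -e 'smtp_tls_protocols=!SSLv2,!SSLv3'
sudo postconf -e 'smtp_tls_mandatory_protocols=!SSLv2,!SSLv3'
sudo postconf -e 'smtp_tls_ciphers=medium'
sudo postconf -e 'smtp_tls_exclude_ciphers=aNULL,RC4'
sudo postconf -e 'smtp_tls_security_level=dane'
sudo postconf -e 'smtp_dns_support_level=dnssec'
sudo postconf -e 'smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt'
# Level 2 is verbose (useful while bringing the server up); lower it later.
sudo postconf -e 'smtp_tls_loglevel=2'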
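# Install Dovecot (IMAP only) and keep it stopped while it is configured.
sudo apt install -y dovecot-imapd
sudo systemctl stop dovecot

# Size Dovecot's limits from the hardware: 250 processes per CPU, and a third
# of total memory (the Total line of `free -tm`, column 2, in MB) as the
# per-process VSZ limit. Shell arithmetic replaces the original bc pipelines;
# both perform integer division.
process_limit=$(( $(nproc) * 250 ))
vsz_limit_mb=$(( $(free -tm | tail -1 | awk '{print $2}') / 3 ))

# NOTE(review): every sed below matches the stock commented-out default; if
# the installed Dovecot ships different text the edit silently changes
# nothing. Check the effective configuration with `doveconf -n` afterwards.
sudo sed -i "s/#default_process_limit = 100/default_process_limit=$process_limit/" \
  /etc/dovecot/conf.d/10-master.conf
sudo sed -i "s/#default_vsz_limit = 256M/default_vsz_limit=${vsz_limit_mb}M/" \
  /etc/dovecot/conf.d/10-master.conf
sudo sed -i 's|#log_path = syslog|log_path=/var/log/mail.log|' \
  /etc/dovecot/conf.d/10-logging.conf

# Raise the inotify instance limit (presumably for many concurrent IMAP IDLE
# watchers). Takes effect at next boot or after `sudo sysctl -p`; re-running
# this step appends a duplicate line.
printf '%s\n' 'fs.inotify.max_user_instances=1024' | sudo tee -a /etc/sysctl.conf

# Store mail in ~/Maildir, matching Postfix's home_mailbox.
sudo sed -i 's|mail_location = mbox:~/mail:INBOX=/var/mail/%u|mail_location = maildir:~/Maildir|' \
  /etc/dovecot/conf.d/10-mail.conf

# Standard special-use folders, written straight to conf.d as root instead of
# through a predictable /tmp file. Quoted delimiter: the \Junk-style flags are
# taken literally.
sudo tee /etc/dovecot/conf.d/15-mailboxes.conf >/dev/null << 'EOF'
namespace inbox {
  mailbox INBOX {
    auto = subscribe
  }
  mailbox Spam {
    special_use = \Junk
    auto = subscribe
  }
  mailbox Drafts {
    special_use = \Drafts
    auto = subscribe
  }
  mailbox Sent {
    special_use = \Sent
    auto = subscribe
  }
  mailbox Trash {
    special_use = \Trash
    auto = subscribe
  }
  mailbox Archive {
    special_use = \Archive
    auto = subscribe
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Junk {
    special_use = \Junk
  }
}
EOF

# Require passwords are only sent over TLS.
sudo sed -i 's/#disable_plaintext_auth = yes/disable_plaintext_auth = yes/' /etc/dovecot/conf.d/10-auth.conf
# Offer LOGIN as well as PLAIN for clients that only speak LOGIN; both are
# covered by the TLS requirement above.
sudo sed -i 's/auth_mechanisms = plain/auth_mechanisms = plain login/' /etc/dovecot/conf.d/10-auth.conf

# Enable TLS
sudo sed -i 's/ssl = yes/ssl=required/' /etc/dovecot/conf.d/10-ssl.conf
sudo sed -i "s|ssl_cert = </etc/dovecot/private/dovecot.pem|ssl_cert=<$MAIL_CERT|" /etc/dovecot/conf.d/10-ssl.conf
sudo sed -i "s|ssl_key = </etc/dovecot/private/dovecot.key|ssl_key=<$MAIL_KEY|" /etc/dovecot/conf.d/10-ssl.conf
# NOTE(review): only SSLv2/SSLv3 are excluded, so TLS 1.0 and 1.1 remain
# enabled; tighten once legacy clients are gone.
sudo sed -i 's/#ssl_protocols = !SSLv3/ssl_protocols=!SSLv3 !SSLv2/' /etc/dovecot/conf.d/10-ssl.conf
# Server-ordered cipher list: forward-secret AEAD suites first. The trailing
# DES-CBC3 (3DES) and non-PFS AES-SHA suites are legacy fallbacks — drop them
# once no client needs them.
sudo sed -i 's/#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL/ssl_cipher_list=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS/' /etc/dovecot/conf.d/10-ssl.conf
sudo sed -i 's/#ssl_prefer_server_ciphers = no/ssl_prefer_server_ciphers = yes/' /etc/dovecot/conf.d/10-ssl.conf
sudo sed -i 's/#ssl_dh_parameters_length = 1024/ssl_dh_parameters_length = 2048/' /etc/dovecot/conf.d/10-ssl.conf

# Disable in-the-clear IMAP/POP: port 0 switches off the listeners on 143 and
# 110, so only the imaps listener remains — consistent with `ufw allow imaps`.
sudo sed -i 's/#port = 143/port = 0/' /etc/dovecot/conf.d/10-master.conf
sudo sed -i 's/#port = 110/port = 0/' /etc/dovecot/conf.d/10-master.conf

# Make IMAP IDLE slightly more efficient.
sudo sed -i 's/#imap_idle_notify_interval = 2 mins/imap_idle_notify_interval="4 mins"/' /etc/dovecot/conf.d/20-imap.conf

# Cap simultaneous IMAP connections per user and IP. (The original had a
# stray ';' after the heredoc delimiter.)
sudo tee /etc/dovecot/conf.d/99-imap.conf >/dev/null << 'EOF'
protocol imap {
  mail_max_userip_connections = 20
}
EOF

# Have Dovecot provide an authorization service that Postfix can access & use.
# The socket is created inside Postfix's private/ spool directory.
# NOTE(review): mode 0666 mirrors the upstream example; with user and group
# both set to postfix, 0660 is sufficient — consider tightening.
sudo tee /etc/dovecot/conf.d/99-local-auth.conf >/dev/null << 'EOF'
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
EOF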
# Diffie-Hellman parameters referenced by smtpd_tls_dh1024_param_file in the
# Postfix configuration; they must exist before the daemons come up, and
# generating 2048-bit parameters can take a while.
sudo openssl dhparam -out /etc/ssl/certs/dh2048.pem 2048

# Start the services in the same order as before.
# NOTE(review): saslauthd is only present if sasl2-bin was installed by some
# step not shown here; with Postfix using smtpd_sasl_type=dovecot it may be
# unnecessary — confirm.
for svc in saslauthd postfix dovecot; do
  sudo systemctl start "$svc"
done