Mail Server: Difference between revisions
Latest revision as of 03:48, 17 October 2019
Cyrus
Installation
Install Cyrus Package
apt-get install cyrus-admin cyrus-clients cyrus-common cyrus-doc cyrus-imapd cyrus-nntpd cyrus-pop3d cyrus-sasl2-doc libcyrus-imap-perl
Install Sasl auth
apt-get install libauthen-sasl-perl libgsasl7 libsasl2-2 libsasl2-modules libsasl2-modules-db sasl2-bin
Validate / Adjust the configuration
/etc/default/saslauthd
START=yes
# Postfix runs chrooted, so the saslauthd socket directory must live under the Postfix chroot
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
/etc/imapd.conf
admins: cyrus
sasl_mech_list: PLAIN LOGIN
defaultdomain: objclt.com
sasl_pwcheck_method: saslauthd
tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
/etc/cyrus.conf
Security
- Create user cyrus in Sasl Database
saslpasswd2 -c cyrus
- Add group sasl and ssl-cert to cyrus
usermod -a -G sasl,ssl-cert cyrus
Postfix
Web site: PostFix (http://www.postfix.org)
Installation
apt-get install postfix postfix-pcre
Configuration
- /etc/postfix/main.cf
mailbox_transport = cyrus
- /etc/postfix/master.cf
# The Cyrus deliver program has changed incompatibly, multiple times.
cyrus unix - n n - - pipe
flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m "${extension}" ${user}
- Alternative: deliver to Cyrus over LMTP instead of the cyrdeliver pipe (first line goes in main.cf, second in master.cf)
mailbox_transport = lmtp:unix:/var/run/lmtp
lmtp unix - - n - - lmtp
adduser postfix mail
Security
- Add group sasl opendkim spamass-milter
usermod -a -G sasl,opendkim,spamass-milter postfix
Certificate
Validate Smtp server
- Connect with openssl to port 25 (STARTTLS is negotiated before the SMTP dialogue)
openssl s_client -starttls smtp -connect smtp.objclt.ca:25
- Say hello with EHLO, then try an unknown local recipient:
- EHLO mail.yahoo.com
- MAIL FROM:victim@gmail.com
- RCPT TO:nosuchuser@objclt.ca
- Result should be 550 User unknown
ehlo mail.yahoo.com
250-mail.objclt.ca
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
mail from:nicolas_rollin@yahoo.com
250 2.1.0 Ok
rcpt to:nouser@objclt.ca
550 5.1.1 <nouser@objclt.ca>: Recipient address rejected: User unknown in local recipient table
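The session above can be checked mechanically instead of by eye. The following is an added example (not from the wiki page): it parses a captured client/server transcript such as the one above, collects the EHLO extensions, and confirms that the unknown recipient was refused with a 5xx and that AUTH PLAIN/LOGIN is only considered safe when TLS is already active. The transcript is embedded as a constructed sample copied from the test session, so nothing connects to a live server.

```python
import re

# Constructed transcript mirroring the page's test session; no network access.
TRANSCRIPT = """\
ehlo mail.yahoo.com
250-mail.objclt.ca
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
mail from:nicolas_rollin@yahoo.com
250 2.1.0 Ok
rcpt to:nouser@objclt.ca
550 5.1.1 <nouser@objclt.ca>: Recipient address rejected: User unknown in local recipient table
"""

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")   # "250-..." continues, "250 ..." ends a reply


def parse_session(text):
    """Return (ehlo_extensions, [(client_command, final_reply_code), ...])."""
    extensions, results = [], []
    command, ehlo_lines = None, 0
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if not m:                          # not a reply, so it is the client's command
            command, ehlo_lines = line.strip().lower(), 0
            continue
        code, last, rest = int(m.group(1)), m.group(2) == " ", m.group(3)
        if command and command.startswith("ehlo") and code == 250:
            ehlo_lines += 1
            if ehlo_lines > 1:             # the first 250 line is the server's own name
                extensions.append(rest.strip())
        if last:
            results.append((command, code))
    return extensions, results


def check_session(text, tls_active=True):
    """Evaluate the transcript the way the manual test on the page does."""
    extensions, results = parse_session(text)
    keywords = {e.split()[0].upper() for e in extensions}
    rcpt_codes = [c for cmd, c in results if cmd.startswith("rcpt to:")]
    size = next((int(e.split()[1]) for e in extensions if e.upper().startswith("SIZE ")), None)
    return {
        # 550 for an unknown local user shows local_recipient_maps is enforced at RCPT time
        "unknown_recipient_rejected": bool(rcpt_codes) and all(500 <= c < 600 for c in rcpt_codes),
        "rcpt_accepted": any(200 <= c < 300 for c in rcpt_codes),
        # PLAIN/LOGIN carry credentials in the clear; acceptable only because
        # openssl -starttls smtp negotiated TLS before EHLO (tls_active=True)
        "auth_offered": "AUTH" in keywords,
        "auth_without_tls": "AUTH" in keywords and not tls_active,
        "max_message_size": size,
        "extensions": sorted(keywords),
    }
```

Run the same check with tls_active=False against a transcript taken on a plain `telnet host 25` session: if AUTH is still advertised there, credentials can be sent unencrypted.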
Spamassassin
Web site: SpamAssassin (http://spamassassin.apache.org/)
Installation
apt-get install spamassassin spamass-milter
apt-get install pyzor razor
Update /etc/spamassassin/local.cf
# Enable Pyzor
use_pyzor 1
# Path to Pyzor executable
pyzor_path /usr/bin/pyzor
Add prerequisite Perl Modules
cpan -i Archive::Tar Digest::SHA Net::DNS Net::DNS::Resolver::Programmable Mail::SPF Geo::IP Net::CIDR::Lite IO::Socket::IP \
IP::Country Net::Ident Net::Patricia IO::Socket::INET6 Compress::Zlib Mail::DKIM LWP::UserAgent HTTP::Date Encode::Detect ExtUtils::MakeMaker \
NetAddr::IP Mail::SpamAssassin::Plugin::Razor2 Razor2::Client::Agent IO::Socket::SSL DBI Sys::Syslog
Validate the installation
spamassassin -D --lint 2>&1 | grep -i failed
Test the installation
spamassassin -D < /usr/share/doc/spamassassin/examples/sample-spam.txt
Setup
- /etc/default/spamassassin
###Nr001ENABLED=0
ENABLED=1
###Nr001 OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
OPTIONS="--create-prefs --max-children 5 --helper-home-dir -u spamass-milter"
###Nr001 CRON=0
CRON=1
Open DKIM
Web site: Open DKIM (http://www.opendkim.org/)
Installation
apt-get install opendkim
Setup
- /etc/default/opendkim Modify Socket
###Nr001 SOCKET="local:/var/run/opendkim/opendkim.sock"
SOCKET="inet:12301@localhost"
- /etc/postfix/main.cf add inet:localhost:12301
smtpd_milters = unix:spamass/spamass.sock, inet:localhost:12301
non_smtpd_milters = unix:spamass/spamass.sock, inet:localhost:12301
Add new domain
- Create folder
mkdir /etc/opendkim/keys/domain_name
- Update configuration file /etc/opendkim/KeyTable
- Generate Key (write it into the folder created above; without -D the key lands in the current directory)
opendkim-genkey -D /etc/opendkim/keys/domain_name -s mail -d domain_name
- Change Owner (the private key lives under keys/, not under the KeyTable file)
chown opendkim: /etc/opendkim/keys/domain_name/mail.private
- Copy the key (mail.txt) into the dns record.
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIvWfISGYjLl57jqzZFgc+...jyQwIDAQAB"
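opendkim-genkey writes mail.txt as a BIND record split into several quoted strings, and a common publishing mistake is to paste only the first piece. This added example (not part of the wiki page) joins the pieces into the one-line value the page shows, parses the DKIM tags and sanity-checks that p= is base64 of a DER RSA public key before it goes into DNS. The embedded mail.txt is a constructed sample: the p= value is a placeholder whose prefix matches a 1024-bit RSA SubjectPublicKeyInfo, padded with filler, not a real key.

```python
import base64
import re

# Constructed mail.txt in the layout opendkim-genkey produces; placeholder key.
MAIL_TXT = '''\
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
      "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ"
      "AAAAAA" )  ; ----- DKIM key mail for domain_name
'''

RSA_OID_DER = bytes.fromhex("2a864886f70d010101")   # OID 1.2.840.113549.1.1.1 (rsaEncryption)


def join_record(mail_txt):
    """Collapse the multi-string TXT record into (record name, single-line value)."""
    name = mail_txt.split()[0]
    value = "".join(re.findall(r'"([^"]*)"', mail_txt))   # concatenate every quoted piece
    return name, value


def parse_tags(value):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict of DKIM tags."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            tags[key.strip()] = val.strip()
    return tags


def validate_dkim_record(mail_txt, selector="mail"):
    """Return (ok, problems, dns_line) for the record about to be published."""
    name, value = join_record(mail_txt)
    tags = parse_tags(value)
    problems = []
    if name != f"{selector}._domainkey":
        problems.append(f"unexpected record name {name}")
    if tags.get("v") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for an opendkim-genkey key")
    try:
        # validate=True rejects stray characters that a bad copy/paste introduces
        der = base64.b64decode(tags.get("p", ""), validate=True)
        if not der.startswith(b"\x30") or RSA_OID_DER not in der:   # SEQUENCE + rsaEncryption OID
            problems.append("p= is not a DER RSA public key")
    except ValueError:                  # binascii.Error is a ValueError subclass
        problems.append("p= is not valid base64")
    dns_line = f'{name} IN TXT "{value}"'
    return not problems, problems, dns_line
```

After publishing, compare the dns_line value with what resolvers return for `dig TXT mail._domainkey.domain_name`; a mismatch usually means a dropped chunk or a zone file that was not reloaded.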
batv-milter
Web site: agwa.name (https://www.agwa.name/projects/batv-tools)
Installation
- Download source from https://www.agwa.name/projects/batv-tools/
- Install prerequisite
apt-get install libmilter-dev
- Build
make
- Install
make install PREFIX=/usr
Setup
Create /etc/batv
mkdir /etc/batv
Create /etc/batv/batv-milter.conf
# Path to the socket file. If you're using Postfix you may want
# to put the socket file in /var/spool/postfix so it's accessible
# even when Postfix is chroot'd.
###socket /var/run/batv-milter/batv-milter.sock
socket /var/spool/postfix/batv-milter/batv-milter.sock
###socket /var/spool/postfix/var/run/batv-milter/batv-milter.sock
# Socket file permissions. You should ensure that only your MTA has
# access to the socket file.
socket-mode 660
# Path to the key map file. See comments in this file for details.
key-map /etc/batv/batv-keys.conf
# batv-milter only signs outbound mail from authenticated senders and
# "internal" hosts, as defined by the "internal-host" option.
# You can specify IPv4 and IPv6 addresses, with an optional
# prefix length (e.g. /24) for subnets.
internal-host 127.0.0.0/8
internal-host ::1
#internal-host 192.168.1.0/24
#internal-host 2001:db8:8af4::/48
# Lifetime of address signatures, in days. 7 is the default.
#lifetime 7
# By default batv-milter both signs outbound mail and verifies the signatures
# of incoming mail. You can uncomment one of the following two lines to
# adjust this behavior.
#mode verify
#mode sign
# By default batv-milter uses the address meta-syntax specified by the draft
# BATV standard. However, if you specify the sub-address-delimiter option,
# then it will use a non-standard meta-syntax based on sub-addressing, using
# the given sub-address delimiter (typically + or -)
#sub-address-delimiter +
# By default, batv-milter accepts invalid bounces. To reject them at
# SMTP time, set "on-invalid" to "reject".
#on-invalid reject
# By default, batv-milter returns a temporary failure ("tempfail") if it
# encounters an internal error. You can change this to "accept" or "reject".
#on-internal-error accept
Create /etc/batv/batv-keys.conf
# Sample batv-keys.conf file.
# This file specifies a mapping from domain/address to key file.
# BATV is only enabled for users/domains specified in this file.
# Key files should consist of 64 bytes of random data, and can be
# generated with:
# dd if=/dev/random of=keyfile bs=1 count=64
# Blank lines and lines starting with '#' are ignored.
# Typical mapping for the entire example.com domain:
#@example.com /etc/batv-key.example.com
# You can also specify individual address. These always take precedence
# over domain mappings, regardless of order in this file.
#andrew@example.com /etc/batv-key.andrew
@objclt.ca /etc/batv/key/objclt.ca.key
# You can specify an empty key file (e.g. /dev/null) to disable BATV
# for a particular user:
#bob@example.com /dev/null
Create folder under postfix spool
mkdir /var/spool/postfix/batv-milter
chown postfix /var/spool/postfix/batv-milter
Unbound
Web site Unbound
Not tested yet