Mail Server: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 116: | Line 116: | ||
* Install | * Install | ||
<syntaxhighlight lang="bash">make install PREFIX=/usr</syntaxhighlight> | <syntaxhighlight lang="bash">make install PREFIX=/usr</syntaxhighlight> | ||
=== Setup === | |||
* Create /etc/batv | |||
<syntaxhighlight lang="bash">mk dir /etc/batv</syntaxhighlight> | |||
* Create file /etc/batv/batv-milter.conf | |||
<syntaxhighlight lang="bash"> | |||
# Path to the socket file. If you're using Postfix you may want | |||
# to put the socket file in /var/spool/postfix so it's accessible | |||
# even when Postfix is chroot'd. | |||
###socket /var/run/batv-milter/batv-milter.sock | |||
socket /var/spool/postfix/batv-milter/batv-milter.sock | |||
###socket /var/spool/postfix/var/run/batv-milter/batv-milter.sock | |||
# Socket file permissions. You should ensure that only your MTA has | |||
# access to the socket file. | |||
socket-mode 660 | |||
# Path to the key map file. See comments in this file for details. | |||
key-map /etc/batv/batv-keys.conf | |||
# batv-milter only signs outbound mail from authenticated senders and | |||
# "internal" hosts, as defined by the "internal-host" option. | |||
# You can specify IPv4 and IPv6 addresses, with an optional | |||
# prefix length (e.g. /24) for subnets. | |||
internal-host 127.0.0.0/8 | |||
internal-host ::1 | |||
#internal-host 192.168.1.0/24 | |||
#internal-host 2001:db8:8af4::/48 | |||
# Lifetime of address signatures, in days. 7 is the default. | |||
#lifetime 7 | |||
# By default batv-milter both signs outbound mail and verifies the signatures | |||
# of incoming mail. You can uncomment one of the following two lines to | |||
# adjust this behavior. | |||
#mode verify | |||
#mode sign | |||
# By default batv-milter uses the address meta-syntax specified by the draft | |||
# BATV standard. However, if you specify the sub-address-delimiter option, | |||
# then it will use a non-standard meta-syntax based on sub-addressing, using | |||
# the given sub-address delimiter (typically + or -) | |||
#sub-address-delimiter + | |||
# By default, batv-milter accepts invalid bounces. To reject them at | |||
# SMTP time, set "on-invalid" to "reject". | |||
#on-invalid reject | |||
# By default, batv-milter returns a temporary failure ("tempfail") if it | |||
# encounters an internal error. You can change this to "accept" or "reject". | |||
#on-internal-error accept | |||
</syntaxhighlight> | |||
* Create /etc/batv/batv-keys.conf | |||
<syntaxhighlight lang="bash"> | |||
# Sample batv-keys.conf file. | |||
# This file specifies a mapping from domain/address to key file. | |||
# BATV is only enabled for users/domains specified in this file. | |||
# Key files should consist of 64 bytes of random data, and can be | |||
# generated with: | |||
# dd if=/dev/random of=keyfile bs=1 count=64 | |||
# Blank lines and lines starting with '#' are ignored. | |||
# Typical mapping for the entire example.com domain: | |||
#@example.com /etc/batv-key.example.com | |||
# You can also specify individual address. These always take precedence | |||
# over domain mappings, regardless of order in this file. | |||
#andrew@example.com /etc/batv-key.andrew | |||
@objclt.ca /etc/batv/key/objclt.ca.key | |||
# You can specify an empty key file (e.g. /dev/null) to disable BATV | |||
# for a particular user: | |||
#bob@example.com /dev/null | |||
</syntaxhighlight> | |||
== Unbound == | == Unbound == | ||
Revision as of 23:13, 5 June 2016
Cyrus
Installation
Install Cyrus Package
apt-get install cyrus-admin cyrus-clients cyrus-common cyrus-doc cyrus-imapd cyrus-nntpd cyrus-pop3d cyrus-sasl2-doc libcyrus-imap-perl
Install Sasl auth
apt-get install libauthen-sasl-perl libgsasl7 libsasl2-2 libsasl2-modules libsasl2-modules-db sasl2-bin
Validate / Adjust the configuration
/etc/default/saslauthd
START=yes
##Postfix Rooted
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
/etc/imapd.conf
admins: cyrus
sasl_mech_list: PLAIN LOGIN
defaultdomain: objclt.com
sasl_pwcheck_method: saslauthd
tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
/etc/cyrus.conf
Security
- Create user cyrus in Sasl Database
saslpasswd2 -c cyrus
- Add group sasl and ssl-cert to cyrus
usermod -a -G sasl,ssl-cert cyrus
Postfix
Web site PostFix
Installation
apt-get install postfix
Configuration
- /etc/postfix/main.cf
mailbox_transport = cyrus
- /etc/postfix/master.cf
# The Cyrus deliver program has changed incompatibly, multiple times.
cyrus unix - n n - - pipe
flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m "${extension}" ${user}
mailbox_transport = lmtp:unix:/var/run/lmtp
lmtp unix - - n - - lmtp
adduser postfix mail
Security
- Add group sasl opendkim spamass-milter
usermod -a -G sasl,opendkim,spamass-milter postfix
Spamassassin
Web site SpamAssassin
Installation
apt-get install spamassassin spamass-milter
Setup
- /etc/default/spamassassin
###Nr001ENABLED=0
ENABLED=1
###Nr001 OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
OPTIONS="--create-prefs --max-children 5 --helper-home-dir -u spamass-milter"
###Nr001 CRON=0
CRON=1
Open DKIM
Web site Open DKIM
Installation
apt-get install opendkim
Setup
- /etc/default/opendkim Modify Socket
###Nr001 SOCKET="local:/var/run/opendkim/opendkim.sock"
SOCKET="inet:12301@localhost"
- /etc/postfix/main.cf add inet:localhost:12301
smtpd_milters = unix:/batv-milter/batv-milter.sock, unix:spamass/spamass.sock, inet:localhost:12301
non_smtpd_milters = unix:/batv-milter/batv-milter.sock, unix:spamass/spamass.sock, inet:localhost:12301
Add new domain
- Create folder
mkdir /etc/opendkim/keys/domain_name
- Update configuration file /etc/opendkim/KeyTable
- Generate Key
opendkim-genkey -s mail -d domain_name
- Change Owner
chown opendkim: /etc/opendkim/KeyTable/domaine_name/mail.private
- Copy the key (mail.txt) into the dns record.
batv-milter
WebSite agwa.name
Installation
- Download source from https://www.agwa.name/projects/batv-tools/
- Install prerequisite
apt-get install libmilter-dev
- Build and install
make
- Install
make install PREFIX=/usr
Setup
- Create /etc/batv
mk dir /etc/batv
- Create file /etc/batv/batv-milter.conf
# Path to the socket file. If you're using Postfix you may want
# to put the socket file in /var/spool/postfix so it's accessible
# even when Postfix is chroot'd.
###socket /var/run/batv-milter/batv-milter.sock
socket /var/spool/postfix/batv-milter/batv-milter.sock
###socket /var/spool/postfix/var/run/batv-milter/batv-milter.sock
# Socket file permissions. You should ensure that only your MTA has
# access to the socket file.
socket-mode 660
# Path to the key map file. See comments in this file for details.
key-map /etc/batv/batv-keys.conf
# batv-milter only signs outbound mail from authenticated senders and
# "internal" hosts, as defined by the "internal-host" option.
# You can specify IPv4 and IPv6 addresses, with an optional
# prefix length (e.g. /24) for subnets.
internal-host 127.0.0.0/8
internal-host ::1
#internal-host 192.168.1.0/24
#internal-host 2001:db8:8af4::/48
# Lifetime of address signatures, in days. 7 is the default.
#lifetime 7
# By default batv-milter both signs outbound mail and verifies the signatures
# of incoming mail. You can uncomment one of the following two lines to
# adjust this behavior.
#mode verify
#mode sign
# By default batv-milter uses the address meta-syntax specified by the draft
# BATV standard. However, if you specify the sub-address-delimiter option,
# then it will use a non-standard meta-syntax based on sub-addressing, using
# the given sub-address delimiter (typically + or -)
#sub-address-delimiter +
# By default, batv-milter accepts invalid bounces. To reject them at
# SMTP time, set "on-invalid" to "reject".
#on-invalid reject
# By default, batv-milter returns a temporary failure ("tempfail") if it
# encounters an internal error. You can change this to "accept" or "reject".
#on-internal-error accept
- Create /etc/batv/batv-keys.conf
# Sample batv-keys.conf file.
# This file specifies a mapping from domain/address to key file.
# BATV is only enabled for users/domains specified in this file.
# Key files should consist of 64 bytes of random data, and can be
# generated with:
# dd if=/dev/random of=keyfile bs=1 count=64
# Blank lines and lines starting with '#' are ignored.
# Typical mapping for the entire example.com domain:
#@example.com /etc/batv-key.example.com
# You can also specify individual address. These always take precedence
# over domain mappings, regardless of order in this file.
#andrew@example.com /etc/batv-key.andrew
@objclt.ca /etc/batv/key/objclt.ca.key
# You can specify an empty key file (e.g. /dev/null) to disable BATV
# for a particular user:
#bob@example.com /dev/null
Unbound
Web site Unbound
Not tested yet