Differences

This shows you the differences between two versions of the page.

email:install-admin [2025/03/03 08:47] – created willy
email:install-admin [2025/03/19 19:57] (current) – [Finalization] willy
Line 1: Line 1:
-===== Installation: servers =====+====== E) Installation: postfixadmin web gui ======
  
-Install Postfix and Dovecot+PostfixAdmin is a neat web GUI that let's you monitor, create domains, accounts and much more on your web server.
  
-USE flags: 
-<code bash> 
-echo "*/* maildir dovecot sasl" >> /etc/portage/package.use/mailserver 
-echo "net-mail/dovecot managesieve sqlite lz4" >> /etc/portage/package.use/mailserver 
-echo "mail-mta/postfix dovecot-sasl sqlite -sasl" >> /etc/portage/package.use/mailserver  
-echo "dev-lang/php imap" >> /etc/portage/package.use/mailserver  
-</code> 
  
-Emerge the servers: +===== USE flags =====
-<code bash> +
-emerge -vp postfix dovecot +
-</code>+
  
 +PostfixAdmin is a PHP application which you will be running with NGINX + PHP-FPM.
  
-===== Installation: user, permissions & storage ===== +Ensure your PHP has the **imap** USE flag enabled:
- +
-Since different pieces of the email infrastructure will need to interoperate, it is a good idea to create a specific user to store all the emails on the filesystem. This user will own the email storage folders which i assume will be located under **/home/vmail**. I choose UID and GID 5000 since the ones <1000 are reserved for system users: +
 <code bash> <code bash>
-groupadd -g 5000 vmail +echo "dev-lang/php imap" >> /etc/portage/package.use/mailserver 
-useradd -m -d /home/vmail -s /bin/false -u 5000 -g vmail vmail +
-chmod 2770 /home/vmail/+
 </code> </code>
  
-The resulting permissions should look like: 
-<code bash> 
-ls -ld /home/vmail 
-drwxrws--- 3 vmail vmail 4096 Aug 2 07:24 /home/vmail 
-</code> 
  
-FIX QUI I PERMESSI DEL DB+===== Manual Installation =====
  
-Now create the database: +PostfixAdmin is available in portage, but installing via emerge would be not really inline with how i manage the webapps on my external serverwill show you how i have installed it manually, which is not that difficult at all.
-<code bash> +
-su - vmail +
-mkdir db +
-sqlite3 db/vmail.sqlite3 +
-sqlite> .databases +
-main: /home/vmail/db/vmail.sqlite3 r/w +
-sqlite> .tables +
-sqlite> .exit +
-</code> +
- +
- +
-===== Installation: postfixadmin web gui ===== +
- +
-postfixadmin and roundcube will be installed manually and not via Gentoo portage, to avoid upgrade issues.+
  
 Download latest release of **postfixadmin** from [[https://github.com/postfixadmin/postfixadmin/releases|here]] and decompress in a folder accessible to the **web** user, since i use the **web** user to run all PHP based software on the external webserver: Download latest release of **postfixadmin** from [[https://github.com/postfixadmin/postfixadmin/releases|here]] and decompress in a folder accessible to the **web** user, since i use the **web** user to run all PHP based software on the external webserver:
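Review bot: the database-permissions TODO from the old page ("FIX QUI I PERMESSI DEL DB", i.e. "fix the DB permissions here") is dropped in this hunk without being resolved anywhere in the new text. The SQLite database was created as /home/vmail/db/vmail.sqlite3 inside a directory set to mode 2770 and owned vmail:vmail, while the paragraph above states PostfixAdmin runs as the **web** user; that user needs write access to both the .sqlite3 file and its parent directory (SQLite writes its journal files next to the database), for example by adding web to the vmail group. Either keep that step here or link to the page the user/storage section moved to. Two wording fixes in the added lines: "let's you monitor" should read "lets you monitor", and the Manual Installation paragraph runs two sentences together ("...on my external server. I will show you...").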
Line 65: Line 32:
 </code> </code>
  
-Now, configure it by creating a file called **postfixadmin/config.local.php** with the following content (see postfixadmin/config.inc.php for all available stuff to configure): 
-<file - config.local.php> 
-<?php 
-$CONF['database_type'] = 'sqlite'; 
-$CONF['database_name'] = '/home/vmail/db/vmail.sqlite3'; 
-$CONF['encrypt'] = 'dovecot:SHA512'; 
-$CONF['postfix_admin_url'] = 'https://mail.mydomain.com'; 
-$CONF['admin_email'] = 'postmaster@mydomain.com'; 
-$CONF['default_aliases'] = array ( 
-    'abuse' => 'abuse@mydomain.com', 
-    'hostmaster' => 'hostmaster@mydomain.com', 
-    'postmaster' => 'postmaster@mydomain.com', 
-    'webmaster' => 'webmaster@mydomain.com' 
-); 
-$CONF['transport'] = 'YES'; 
-$CONF['configured'] = true; 
-/* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */ 
-</file> 
  
-Now setup NGINX to point to it. You need of course to setup a certbot certificate, then (see [[selfhost:nginx|this page]]) configure your NGINX to use PHP-FPMSee the following **postfixadmin.conf** file as reference:+ 
 +===== Reverse Proxy ===== 
 + 
 +Of course PostfixAdmin will need to be behind the reverse proxy, both for security and to wrap it with HTTPS. 
 +See [[selfhost:nginx|this page]]) for more detail on NGINX setup. 
 + 
 +For reference, here is my specific configuration:
 <file postfixadmin.conf> <file postfixadmin.conf>
 server { server {
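Review bot: this hunk removes the whole config.local.php listing (database_type, database_name, encrypt, postfix_admin_url, configured = true, ...), yet the Finalization section further down still tells the reader to add the hash generated by setup.php "to the above config.local.php file", which the page no longer shows. Keep a minimal config.local.php block here or link to where it moved; as the new text stands the install is not reproducible from this page. Minor: "See [[selfhost:nginx|this page]]) for more detail" in the new Reverse Proxy paragraph has a stray closing parenthesis.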
Line 96: Line 51:
                  
         root /home/web/postfixadmin/postfixadmin/public;              root /home/web/postfixadmin/postfixadmin/public;     
-  
-# Uncomment the following lines only AFTER setup is complete!          
-#        location ~ /(setup.php) { 
-#                deny all; 
-#                alias /home/web/postfixadmin/postfixadmin/public; 
-#        } 
              
         location ~ /.*\.php$ {         location ~ /.*\.php$ {
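Review bot: deleting the commented `location ~ /(setup.php) { deny all; }` block removes the only control this page had for locking setup.php down once installation is done, and the rewritten Finalization section drops the old "go back and uncomment the lines in the NGINX config to disable setup.php" step as well, so the setup page stays reachable through the reverse proxy indefinitely. Suggest restoring it in a form that does not need the dead `alias` line and that is guaranteed to win over the `location ~ /.*\.php$` block that follows (an exact-match location takes precedence over regex locations, so ordering no longer matters):
location = /setup.php { deny all; }
and re-adding the "disable setup.php when finished" instruction to Finalization.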
Line 113: Line 62:
 </file> </file>
  
-restart NGINX and go to the URL **https://mail.mydomain.com/setup.php** and follow the on-screen instructions to create a password hash that you need to add to the above config.local.php file, then reload the page itself. 
  
-Also don't forget to create a superadmin-account. I suggest you call it **user@mydomain.com** and set a password you will not forget.+===== Finalization =====
  
-Go back, uncomment the lines in the NGINX config file to disable the setup.phpand restart NGINX.+Restart NGINX and go to the URL **https://mail.mydomain.com/setup.php** and follow the on-screen instructions to create a password hash that you need to add to the above config.local.php file, then reload the page itself.
  
-__note:__ when adding new domains, choose "virtual" as transport, and 0 as password expiry.+Also don't forget to create a superadmin-account. I suggest you call it **user@mydomain.com** and set a password you will not forget.
  
-At this point, you can already create all the mail domains and user accounts you want.+Installation is now complete.
  
  
-===== Configuration: postfix ===== 
- 
-Link to SQL. 
- 
-File: **/etc/postfix/sql/virtual_mailbox_domains.cf**: 
-<file - virtual_mailbox_domains.cf> 
-dbpath = /home/vmail/db/vmail.sqlite3 
-query  = SELECT domain FROM domain WHERE domain = '%s' AND backupmx = '0' AND active = '1'; 
-</file> 
- 
-File: **/etc/postfix/sql/virtual_mailbox_maps.cf**: 
-<file - virtual_mailbox_maps.cf> 
-dbpath = /home/vmail/db/vmail.sqlite3 
-query  = SELECT maildir FROM mailbox WHERE local_part='%u' AND domain='%d' AND active='1'; 
-</file> 
- 
-File: **/etc/postfix/sql/virtual_alias_maps.cf**: 
-<file - virtual_alias_maps.cf> 
-dbpath = /home/vmail/db/vmail.sqlite3 
-query  = SELECT goto FROM alias WHERE address='%s' AND active='1'; 
-</file> 
- 
-Now, link it all in **/etc/postfix/main.cf**: 
-<code> 
-# A list of all virtual domains serviced by this instance of postfix. 
-virtual_mailbox_domains = sqlite:/etc/postfix/sql/virtual_mailbox_domains.cf 
-# Look up the mailbox location based on the email address received. 
-virtual_mailbox_maps = sqlite:/etc/postfix/sql/virtual_mailbox_maps.cf 
-# Any aliases that are supported by this system 
-virtual_alias_maps = sqlite:/etc/postfix/sql/virtual_alias_maps.cf 
-</code> 
- 
- 
- 
-<file> 
-compatibility_level = 3.6 
- 
-# Prevent hard-bounces 
-soft_bounce = yes 
- 
-queue_directory = /var/spool/postfix 
-command_directory = /usr/sbin 
-daemon_directory = /usr/libexec/postfix 
-data_directory = /var/lib/postfix 
- 
-mail_owner = postfix 
- 
-# Usa gethostname() per default 
-#myhostname = gardiol.org 
- 
-mydomain = gardiol.org 
- 
-#myorigin = $mydomain 
-#inet_interfaces = all 
- 
-mydestination = localhost.localdomain 
-unknown_local_recipient_reject_code = 550 
- 
-mynetworks_style = host 
- 
-in_flow_delay = 1s 
- 
-home_mailbox = .maildir/ 
- 
-header_checks = regexp:/etc/postfix/header_checks 
- 
-smtpd_banner = $myhostname ESMTP NO UCE 
- 
-debug_peer_level = 2 
-#debug_peer_list = 127.0.0.1 
- 
-sendmail_path = /usr/sbin/sendmail 
-newaliases_path = /usr/bin/newaliases 
-mailq_path = /usr/bin/mailq 
- 
-setgid_group = postdrop 
-html_directory = no 
-manpage_directory = /usr/share/man 
-sample_directory = /etc/postfix 
-readme_directory = no 
-inet_protocols = ipv4 
-meta_directory = /etc/postfix 
-shlib_directory = /usr/lib64/postfix/${mail_version} 
- 
- 
-############################################ 
-########################################### 
-########################################### 
-disable_vrfy_command = yes 
-message_size_limit = 0 
-#20971520 
-biff = no 
- 
-local_transport = virtual 
-local_recipient_maps = $alias_maps $virtual_mailbox_maps 
- 
-virtual_transport = lmtp:unix:private/dovecot-lmtp 
- 
-virtual_uid_maps = static:999 
-virtual_gid_maps = static:999 
- 
-virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf 
-virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, 
-                     proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, 
-                     proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf 
-virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, 
-                       proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf 
- 
-# if you let postfix store your mails directly (without using maildrop, dovecot deliver etc.) 
-virtual_mailbox_base = /home/vmail 
- 
-# SASL 
-smtpd_sasl_type = dovecot 
-smtpd_sasl_path = private/auth 
-smtpd_sasl_auth_enable = yes 
-smtpd_sasl_security_options = noanonymous 
-smtpd_sasl_local_domain = 
-broken_sasl_auth_clients = no 
-smtpd_sasl_authenticated_header = yes 
-# Setup TLS 
-smtpd_tls_cert_file = /etc/letsencrypt/live/mail.gardiol.org/fullchain.pem 
-smtpd_tls_key_file = /etc/letsencrypt/live/mail.gardiol.org/privkey.pem 
-# abilita il debug... 
-smtpd_tls_loglevel = 0 
-# metti a "encrypt" per obbligare l'uso di TLS lato server (non fare, sconsigliato) 
-smtpd_tls_security_level = may 
-# Metti a yes per impedire AUTH non cifrata 
-smtpd_tls_auth_only = no 
-# Fai la cache delle sessioni 
-smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache 
- 
-# Some ANTISPAM 
-smtpd_delay_reject = yes 
-smtpd_helo_required = yes 
-smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit 
-smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_non_fqdn_sender, permit 
-smtpd_recipient_restrictions = reject_unauth_pipelining, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient,  check_policy_service unix:private/policy-spf, permit 
-smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated 
-#, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net 
- 
-policy-spf_time_limit = 3600s 
- 
-smtpd_timeout = 60s 
-default_process_limit = 200 
- 
-smtputf8_enable = no 
-smtp_data_done_timeout = 1800 
- 
-smtpd_milters = unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock 
-non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock 
- 
-syslog_facility = mail 
-syslog_name = postfix 
- 
-body_checks = regexp:/etc/postfix/body_checks 
- 
-maximal_queue_lifetime = 60m 
-bounce_queue_lifetime = 60m 
-smtp_connect_timeout  = 15s 
-smtp_helo_timeout = 60s 
- 
-smtpd_relay_before_recipient_restrictions = no 
-</file> 
- 
- 
- 
- 
- 
-===== Installation: DKIM, SPF and DKIM ===== 
- 
-This step is **mandatory** and critical for proper email delivery. 
- 
- 
-===== Installation: Antispam ===== 
- 
-Install spamassassin & amavisd-new 
- 
- 
-FILE /etc/postfix/main.cf Binding UID and GID's to postfix 
-<code> 
-# Link the mailbox uid and gid to postfix. 
-virtual_uid_maps = static:5000 
-virtual_gid_maps = static:5000 
-  
-# Set the base address for all virtual mailboxes 
-virtual_mailbox_base = /var/vmail 
-</code> 
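Review bot: the new Finalization text ends with "Installation is now complete." but loses two things the old text carried: the step that disables setup.php in NGINX after the superadmin account exists (a security control, not a cosmetic one), and the note to choose "virtual" as transport and 0 as password expiry when adding domains; both should be kept. The Postfix main.cf listing removed in this hunk also contains contradictions that should be reconciled wherever it is moved rather than carried over as-is: `virtual_uid_maps`/`virtual_gid_maps` are `static:999` in one block and `static:5000` in the other, `virtual_mailbox_base` is /home/vmail in one and /var/vmail in the other, the lookup tables are `proxy:mysql:` in one block and `sqlite:` in the other, `message_size_limit = 0` disables the size limit entirely (the commented `#20971520` suggests 20 MB was intended), and `smtpd_tls_auth_only = no` together with `smtpd_tls_security_level = may` lets clients send SASL passwords over an unencrypted session; the listing's own comment ("set to yes to prevent unencrypted AUTH") describes the right value.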
  
